[plugin-npm-cli]: Add ability to exclude packages, or ignore specific advisories in yarn npm audit
#4356
Conversation
Syntax-wise I'd prefer if we had
This would probably be better suited as a configuration setting rather than a CLI flag.
I used a CLI flag to stay consistent with other audit tools out there. Potentially having both a CLI flag and a configuration setting would benefit more?
I've pushed all the features I was thinking of to this PR. I'm happy to do any further cleanup (such as adding these flags as configuration settings as well) if you would like. Let me know what you think :)
This looks like a great addition. We've been running yarn's audit via audit-ci just so we can filter out some advisories. My initial thoughts would have been for this to be exposed as configuration (as @merceyz suggested) instead of (or in addition to) CLI options. Either way, looking forward to being able to drop one more dependency :)
Thanks @jdanil. Are there any examples of where configuration options have been used in the past that you can point me at? I can then update this to use both CLI flags and configuration options.
Apologies for the delay. I was on vacation. I've pushed a patch to load these from a configuration file as well as via CLI flags. Let me know if you need anything more to get this through :)
Made a few stylistic updates but overall looks good to me, thanks! Since
Ah yes, I was thinking of tests before I left on vacation. I'll make up some and push those today. Good to have them there for future people to build off :).
Will work on tests another day. |
This patch adds a `--exclude` flag to the `yarn npm audit` command in the `npm-cli` plugin. This flag can be passed multiple times, and any package listed will be removed from the list of packages audited.
This patch adds a `--ignore` flag to `yarn npm audit`, which is an array of IDs to ignore from the audit report. In addition, the ID is presented in the tree output (as well as the JSON).
Adds configuration options to specify packages to exclude from `yarn npm audit` and to specify advisories to ignore from the results.
Hey @arcanis @merceyz @jdanil, I've made all the changes suggested, and also made a few test cases (though could definitely do more). I'm not overly familiar with Jest for testing so I think I may leave it as is. Would you be happy merging this as is, and I can make another PR when I find motivation to finish the rest of the test cases. I'd be keen to get this into production so that we can use it in our pipelines :). Cheers, Hugh
Hi folks, just checking in to see what needs doing to get this merged. Cheers, Hugh
I think it should be good for this iteration, thanks! If you find time for a followup, implementing the integration tests would be really nice 😃
Author of audit-ci here, glad Yarn made progress here! This makes Yarn the first package manager to natively support allowlisting advisories. One decision that Similarly, GitHub identifiers are a bit more useful now that NPM's advisory database redirects to GitHub's advisory database. Personally, I would recommend supporting the GitHub identifier and suggest it over the NPM identifier.
Hey folks, I'm just wondering whether I missed something from this MR or not. This doesn't seem to have landed in the stable release yet (or I may just misunderstand how the releases work). Can someone let me know what needs doing to get this into stable? Cheers, Hugh
We started work on v4 and only backported bugfixes, not new features, though considering we haven't had a feature release in about seven months we should probably reconsider that.
Ah OK. If I had known that when I started the PR process I probably wouldn't have contributed anything and instead done something in-house to meet the same objectives. Perhaps being upfront with contributors about timelines would be nice next time. Not everyone runs bleeding edge. I hope that some day my team will be able to use this feature :)
@merceyz have you given any more consideration to doing a feature release? I'm hoping that I'll be able to make use of this PR that I spent time contributing to your project.
@hughdavenport you could very well use the RCs, which are just as stable as the 3.x release (the only difference being that we have a couple more breaking changes to land, so in theory further upgrades may be worth a look at the migration notes; in practice those changes will be rare). As you know we're currently working on a major release, and any cherry-picking takes resources we'd prefer to spend on progressing towards the major. That's why we publish the RCs, to provide a reasonable middle ground for people wanting to use the bleeding edge features.
Review comment on the version-bump file:

```yaml
"@yarnpkg/cli": patch
"@yarnpkg/plugin-npm-cli": patch
```
These should have been marked as minor as this added a feature.
… advisories in `yarn npm audit` (#4356)

* [plugin-npm-cli]: Add ability to exclude packages from `yarn npm audit`

  This patch adds a `--exclude` flag to the `yarn npm audit` command in the `npm-cli` plugin. This flag can be passed multiple times, and any package listed will be removed from the list of packages audited.

* [plugin-npm-cli] Add ability to ignore advisories in `yarn npm audit`

  This patch adds a `--ignore` flag to `yarn npm audit`, which is an array of IDs to ignore from the audit report. In addition, the ID is presented in the tree output (as well as the JSON).

* Version bump
* chore: Fix types
* [plugin-npm-cli] Add configuration options for --exclude and --ignore

  Adds configuration options to specify packages to exclude from `yarn npm audit` and to specify advisories to ignore from the results.

* Update audit.ts
* Update audit.ts
* [plugin-npm-cli] Update docs
* [plugin-npm-cli] Add support for glob patterns in --exclude and --ignore
* [plugin-npm-cli] Add some unit tests and stubs for integration tests

Co-authored-by: Maël Nison <nison.mael@gmail.com>
@hughdavenport This has now been backported and released in v3.3.0.
What's the problem this PR addresses?
Closes #4355
How did you fix it?
This PR adds a `--exclude` flag to the `yarn npm audit` command in the `npm-cli` plugin. This flag can be passed multiple times, and any package listed will be removed from the list of packages audited.
This PR also adds a `--ignore` flag to `yarn npm audit`, which is an array of IDs to ignore from the audit report. In addition, the ID is presented in the tree output (as well as the JSON).
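To make the two filters concrete, here is an added illustration (not Yarn's own code from this PR) of the suppression logic the description and the later "glob patterns" commit imply: advisories are dropped either because their package matches an `--exclude` pattern or because their numeric or GHSA identifier matches an `--ignore` pattern, and everything suppressed is reported so a CI log still shows what was silenced. The report shape and all IDs and package names are constructed for the example.

```javascript
// Convert a glob (supporting * and ?) into an anchored RegExp. Every other
// regex metacharacter in the pattern is escaped so "lodash.*" only matches
// names that really start with "lodash.".
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function matchesAny(value, patterns) {
  return patterns.some((pattern) => globToRegExp(pattern).test(value));
}

// Filter an npm-audit-style report. `exclude` holds package-name globs
// (the repeated --exclude flags); `ignore` holds advisory-ID globs (--ignore),
// matched against both the numeric npm ID and the GHSA identifier so either
// form works. Returns the kept advisories plus a list of what was suppressed.
function filterAudit(report, { exclude = [], ignore = [] } = {}) {
  const advisories = {};
  const suppressed = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    const ids = [String(id), adv.github_advisory_id].filter(Boolean);
    if (matchesAny(adv.module_name, exclude)) {
      suppressed.push({ id, reason: `package ${adv.module_name} excluded` });
    } else if (ids.some((candidate) => matchesAny(candidate, ignore))) {
      suppressed.push({ id, reason: `advisory ${ids.join("/")} ignored` });
    } else {
      advisories[id] = adv;
    }
  }
  return { advisories, suppressed };
}

// Constructed sample report; package names and identifiers are made up.
const sampleReport = {
  advisories: {
    1001: { module_name: "left-pad", severity: "low", github_advisory_id: "GHSA-aaaa-bbbb-cccc" },
    1002: { module_name: "@scope/internal-tool", severity: "high", github_advisory_id: "GHSA-dddd-eeee-ffff" },
    1003: { module_name: "minimist", severity: "critical", github_advisory_id: "GHSA-gggg-hhhh-iiii" },
  },
};

const result = filterAudit(sampleReport, {
  exclude: ["@scope/*"],           // as if passed via --exclude '@scope/*'
  ignore: ["GHSA-aaaa-bbbb-cccc"], // as if passed via --ignore GHSA-aaaa-bbbb-cccc
});
console.log(Object.keys(result.advisories), result.suppressed);
```

Printing the suppressed list alongside the remaining findings is the part worth keeping in a pipeline: an ignore list that silently grows is how a real advisory gets waved through.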