fix(npm-cli): count all instances of ignored advisories #5194
Conversation
I selected the packages that need a release as best I could, but I am not 100% sure that the list is complete. If a declined package needs to be updated as well, let me know and I will update the file accordingly.
@merceyz any idea why that specific windows integration test would exceed the timeout in some tests?
Windows sometimes times out, we just retry it, it's fine as long as the failing tests don't look related to your changes. The change seems globally fine, but can you add an extra test to avoid regressions?
I guess I can, but given that there is basically no infrastructure around testing
Could you perhaps greenlight this PR and I pinky-promise to create another PR with the tests? I understand if that's not an option, but otherwise this fix will take a fair while before being ready.
LGTM!
Re #5194 (comment)
Yeah, you shouldn't have to setup all the infrastructure required to test this.
So, uh.. how does this get merged then? :D
@merceyz sorry to ping you like this, but can this get merged?
I was giving @arcanis some time to object and since he hasn't I'm fine with merging this, but the (unrelated) failing Netlify build is stopping me.
Fix bug where ignored advisories would still count if multiple paths were affected
What's the problem this PR addresses?
When a package was used in multiple dependency chains, ignoring the relevant advisory via --ignore or npmAuditIgnoreAdvisories only reduced the vulnerability count by 1, whereas every chain including the affected package counted towards the vulnerability count separately. Therefore yarn npm audit --recursive exits with a non-zero exit code, even though all found advisories were marked as ignored. This broke our CI pipeline, which relies on the exit code of the audit run to check if any vulnerabilities are present.
Closes #5104
How did you fix it?
Instead of reducing the vulnerability count by 1 per ignored advisory, it now gets reduced by the number of all affected paths of the ignored advisory entry.
Checklist
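The counting logic the PR description explains, as an added example that is not Yarn's own code: a hypothetical audit model in which each advisory lists every dependency path that reaches the affected version, with the pre-fix subtraction (one per ignored advisory) next to the fixed subtraction (all affected paths of the ignored advisory), and the exit code a CI gate would see in each case. The Advisory shape, the sample advisories and all function names are constructed for illustration and do not mirror Yarn's internal audit structures.

```typescript
// Added example (not Yarn's code): models the count bug fixed in #5194.
// The Advisory shape and all sample data below are constructed for illustration.
interface Advisory {
  id: number;        // advisory identifier
  pkg: string;       // affected package name
  paths: string[];   // every dependency chain that reaches the affected version
}

// Constructed sample: one advisory reachable via three chains, one via a single chain.
const sampleAdvisories: Advisory[] = [
  { id: 1001, pkg: "pkg-a", paths: ["app>pkg-a", "app>lib-x>pkg-a", "app>lib-y>lib-z>pkg-a"] },
  { id: 1002, pkg: "pkg-b", paths: ["app>lib-x>pkg-b"] },
];

// The audit report counts one vulnerability per dependency path, so a single
// advisory reached through three chains contributes 3 to the total.
function totalVulnerabilities(advisories: Advisory[]): number {
  return advisories.reduce((sum, a) => sum + a.paths.length, 0);
}

// Pre-fix behaviour: subtract exactly one per ignored advisory, which leaves the
// remaining paths of that advisory counted (the bug the PR describes).
function remainingBuggy(advisories: Advisory[], ignored: Set<number>): number {
  let count = totalVulnerabilities(advisories);
  for (const a of advisories) {
    if (ignored.has(a.id)) count -= 1;
  }
  return count;
}

// Fixed behaviour: subtract every affected path of the ignored advisory.
function remainingFixed(advisories: Advisory[], ignored: Set<number>): number {
  let count = totalVulnerabilities(advisories);
  for (const a of advisories) {
    if (ignored.has(a.id)) count -= a.paths.length;
  }
  return count;
}

// A CI gate only sees the exit code: non-zero whenever anything is still counted.
function exitCodeFor(remaining: number): number {
  return remaining > 0 ? 1 : 0;
}

// Runs both versions against the same ignore list so the difference is visible.
function compare(advisories: Advisory[], ignoredIds: number[]) {
  const ignored = new Set(ignoredIds);
  const buggy = remainingBuggy(advisories, ignored);
  const fixed = remainingFixed(advisories, ignored);
  return {
    total: totalVulnerabilities(advisories),
    buggy,
    fixed,
    buggyExit: exitCodeFor(buggy),
    fixedExit: exitCodeFor(fixed),
  };
}

// Ignoring both advisories: the buggy count still reports 2 (exit 1), the fixed count 0 (exit 0).
console.log(compare(sampleAdvisories, [1001, 1002]));
```

With both advisories ignored, the total of 4 paths drops to 2 under the old subtraction and to 0 under the fixed one, which is exactly the difference between a failing and a passing audit step in a pipeline that gates on the exit code.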