From aded2095e46fd29e06d1734e0e3bc3d6ed6a42a2 Mon Sep 17 00:00:00 2001
From: Jake Haitsma
Date: Fri, 16 Feb 2024 22:29:38 -0500
Subject: [PATCH] chore(ci): add script to respect ignored modules in yarn audit.
---
 .auditignore | 1 +
 .github/workflows/ci.yml | 2 +-
 package.json | 1 +
 util/auditWithIgnores.mjs | 71 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 .auditignore
 create mode 100644 util/auditWithIgnores.mjs
diff --git a/.auditignore b/.auditignore
new file mode 100644
index 0000000..93d111b
--- /dev/null
+++ b/.auditignore
@@ -0,0 +1 @@
+ip
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b171a02..ede55c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,7 +58,7 @@ jobs:
 - name: Install dependencies
 run: yarn
 - name: Audit
- run: yarn audit
+ run: yarn audit-withignores
 - name: Build
 run: yarn build
 - name: Release
diff --git a/package.json b/package.json
index a71a612..3849694 100644
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@ ],
 "types": "./dist/pixi-bitmap-text-input.d.ts",
 "scripts": {
+ "audit-withignores": "node util/auditWithIgnores.mjs",
 "dev": "vite --host",
 "build": "rimraf dist && tsc && vite build && dts-bundle-generator --config ./dts-bundle-generator.config.ts",
 "test": "vitest",
diff --git a/util/auditWithIgnores.mjs b/util/auditWithIgnores.mjs
new file mode 100644
index 0000000..73bb0cc
--- /dev/null
+++ b/util/auditWithIgnores.mjs
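Review bot: The single entry `ip` carries no rationale, advisory reference or revisit condition, and because util/auditWithIgnores.mjs matches on module name alone it suppresses every current and future advisory for that package, whatever its severity. Since `getIgnoredModules` in that script already skips lines starting with `#`, I'd record the reason directly above the entry so the exception can be audited and retired, e.g. `# ip: <advisory id or reason here> - remove once a fixed release is available` followed by `ip`.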
@@ -0,0 +1,71 @@
+import { spawn } from "child_process";
+import fs from "fs";
+
+const audit = spawn("yarn", ["audit", "--json"]);
+
+let output = "";
+
+audit.stdout.on("data", data => {
+ output += data;
+});
+
+audit.stderr.on("data", data => {
+ console.error(`stderr: ${data}`);
+});
+
+audit.on("error", error => {
+ console.error(`Error: ${error.message}`);
+});
+
+audit.on("close", code => {
+ if (code > 16) {
+ process.exit(code);
+ }
+
+ const results = output
+ .split("\n")
+ .filter(line => line)
+ .map(line => JSON.parse(line));
+
+ generateFilteredAuditResults(results);
+});
+
+function getIgnoredModules() {
+ const auditignore = fs.readFileSync(".auditignore", "utf8");
+ return auditignore
+ .split("\n")
+ .filter(x => Boolean(x) && !x.startsWith("#"))
+ .map(x => x.trim());
+}
+
+function generateFilteredAuditResults(results) {
+ const allAdvisories = results.filter(x => x.type === "auditAdvisory");
+ const ignoredModules = getIgnoredModules().map(x => x.toLowerCase());
+ const filteredAdvisories = allAdvisories.filter(
+ x => !ignoredModules.includes(x.data.advisory.module_name.toLowerCase())
+ );
+ const severities = filteredAdvisories.map(x =>
+ x.data.advisory.severity.toLowerCase()
+ );
+
+ // From https://classic.yarnpkg.com/lang/en/docs/cli/audit/#toc-yarn-audit.
+ // 0 (no vulnerabilites) is handled separately.
+ const severityExitCodeMap = {
+ info: 1,
+ low: 2,
+ moderate: 4,
+ high: 8,
+ critical: 16,
+ };
+
+ const exitCode = Math.max(...severities.map(x => severityExitCodeMap[x]), 0);
+
+ if (exitCode === 0) {
+ console.log("🔒 No vulnerabilities found.");
+ } else {
+ console.log("🚨 Vulnerabilities found.");
+ console.table(filteredAdvisories.map(x => x.data.advisory));
+ }
+
+ process.exit(exitCode);
+}
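Review bot: The `if (code > 16)` guard in the `close` handler exits with yarn's raw code before the ignore list is applied whenever more than one severity is present, because yarn audit's exit status is a bitmask of the severities found (high plus moderate is 24, the full set is 31), so one ignorable finding next to a real one still fails the job unfiltered; conversely a `null` code (process killed) or empty stdout falls through to "No vulnerabilities found" and exit 0. I'd drop the numeric gate and fail closed on missing output instead, as sketched below, since yarn's code cannot distinguish "found issues" from "did not run" anyway. Two smaller points: filtering on `module_name` alone silences every present and future advisory for that package, so keying `.auditignore` on `data.advisory.id` (or at least capping the ignored severity) would be safer; and in `getIgnoredModules` the `.trim()` should precede the filter so whitespace-only lines and indented `#` comments are dropped rather than becoming empty ignore entries. Setting `audit.stdout.setEncoding("utf8")` before concatenating chunks also avoids splitting multibyte characters at chunk boundaries.
```javascript
audit.on("close", code => {
  const results = output
    .split("\n")
    .filter(line => line.trim())
    .map(line => JSON.parse(line));

  // Fail closed: yarn's exit code is a severity bitmask and cannot tell
  // "found issues" from "did not run", so require real audit output instead.
  if (code === null || results.length === 0) {
    console.error(`yarn audit produced no results (exit code ${code}).`);
    process.exit(1);
  }

  generateFilteredAuditResults(results);
});
```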