From a4475de4cd95c1f76c7e614eaa4c268d7bd9a915 Mon Sep 17 00:00:00 2001 From: "COURIER, CALEB [AG/1000]" Date: Tue, 18 Jun 2019 08:54:33 -0500 Subject: [PATCH] enable production flag for npm audit Note: SemVer minor -- @isaacs Close: https://github.com/npm/cli/pull/202 --- lib/audit.js | 4 +- test/tap/audit.js | 203 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 205 insertions(+), 2 deletions(-) diff --git a/lib/audit.js b/lib/audit.js index 2cabef9d27d0d..37b54d6eca140 100644 --- a/lib/audit.js +++ b/lib/audit.js @@ -39,7 +39,7 @@ module.exports = auditCmd const usage = require('./utils/usage') auditCmd.usage = usage( 'audit', - '\nnpm audit [--json]' + + '\nnpm audit [--json] [--production]' + '\nnpm audit fix ' + '[--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]' ) @@ -175,7 +175,7 @@ function auditCmd (args, cb) { const requires = Object.assign( {}, (pkgJson && pkgJson.dependencies) || {}, - (pkgJson && pkgJson.devDependencies) || {} + (!opts.production && pkgJson && pkgJson.devDependencies) || {} ) return lockVerify(npm.prefix).then((result) => { if (result.status) return audit.generate(sw, requires) diff --git a/test/tap/audit.js b/test/tap/audit.js index 69406041a45e6..3194ba473bd62 100644 --- a/test/tap/audit.js +++ b/test/tap/audit.js @@ -252,6 +252,209 @@ test('exits with non-zero exit code for vulnerabilities at the `audit-level` fla }) }) +test('exits with zero exit code for vulnerabilities in devDependencies when running with production flag', t => { + const fixture = new Tacks(new Dir({ + 'package.json': new File({ + name: 'foo', + version: '1.0.0', + dependencies: { + gooddep: '1.0.0' + }, + devDependencies: { + baddep: '1.0.0' + } + }) + })) + fixture.create(testDir) + return tmock(t).then(srv => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah') + srv.get('/gooddep').twice().reply(200, { + name: 'gooddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'gooddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'gooddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + srv.get('/baddep').twice().reply(200, { + name: 'baddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'baddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'baddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + return common.npm([ + 'install', + '--audit', + '--json', + '--production', + '--package-lock-only', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits', 'ok').reply(200, { + actions: [], + metadata: { + vulnerabilities: {} + } + }) + return common.npm([ + 'audit', + '--json', + '--production', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + t.equal(code, 0, 'exited OK') + }) + }) + }) +}) + +test('exits with non-zero exit code for vulnerabilities in dependencies when running with production flag', t => { + const fixture = new Tacks(new Dir({ + 'package.json': new File({ + name: 'foo', + version: '1.0.0', + dependencies: { + baddep: '1.0.0' + }, + devDependencies: { + gooddep: '1.0.0' + } + }) + })) + fixture.create(testDir) + return tmock(t).then(srv => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah') + srv.get('/baddep').twice().reply(200, { + name: 'baddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'baddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'baddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + srv.get('/gooddep').twice().reply(200, { + name: 'gooddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'gooddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'gooddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + return common.npm([ + 'install', + '--audit', + '--json', + '--production', + '--package-lock-only', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits', 'ok').reply(200, { + actions: [{ + action: 'update', + module: 'baddep', + target: '1.2.3', + resolves: [{path: 'baddep'}] + }], + metadata: { + vulnerabilities: { + low: 1 + } + } + }) + return common.npm([ + 'audit', + '--json', + '--production', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + t.equal(code, 1, 'exited OK') + }) + }) + }) +}) + test('cleanup', t => { return rimraf(testDir) })