Return semantic exit code for audit #6819
Compare: eb62499 to b3d9e3a
Technically it should be a major bump, but I wouldn't be opposed to putting that into the next minor. What do you think, @rally25rs?
Hi @arcanis, I don't think anybody relies on the current implementation, since it doesn't really matter if you have 1, 10 or 99 vulnerabilities. In my opinion, the only thing that makes sense with the current implementation is to check if the exit status is zero (no vulnerabilities) or non-zero (there are vulnerabilities). Anyway, it seems like everyone is building some wrappers around the current implementation in their CI pipelines to find out if they have vulnerabilities of certain levels. Ours looks like this at the moment and has to completely ignore the exit code of
I like this change. Good idea! 👍
I added the appropriate docs website change: yarnpkg/website#894
Summary
Resolve #6748
yarn audit currently returns the number of found vulnerabilities. This can lead to an overflow and a false negative. E.g., if the number of vulnerable dependencies is equal to 256, the exit code will be equal to 0. Furthermore, it is not very practical, as this number does not indicate the severity level of found vulnerabilities. This pull request modifies this behavior by returning a number that is a sum of found severities:
That is, if only INFO and MODERATE vulnerabilities were found, then the exit code will be 1+4 = 5. With this change it would be possible to check for particular severity levels. E.g., if someone wants to know if there are HIGH and CRITICAL dependencies, then one could check for exit code >= 8.
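As an added example (not code from the yarn PR or the yarn project), the CI wrapper the commenter above describes can be written against the new exit code by decoding it as a bitmask. INFO=1 and MODERATE=4 follow from the "1+4 = 5" example in the summary; LOW=2, HIGH=8 and CRITICAL=16 are the values yarn's audit documentation lists and are assumed here, since the PR's severity table is not reproduced above. The gate tests the HIGH and CRITICAL bits directly, which for a 5-bit mask is equivalent to the `>= 8` check the summary suggests.

```shell
#!/bin/sh
# Added example: decode the bitmask exit code `yarn audit` returns after this
# change and gate a CI job on it. Not part of the yarn PR.
# INFO=1 and MODERATE=4 come from the "1+4 = 5" example; the remaining values
# are assumed from yarn's audit documentation (not shown on this page).
SEV_INFO=1
SEV_LOW=2
SEV_MODERATE=4
SEV_HIGH=8
SEV_CRITICAL=16

# Print the severity names whose bits are set in an exit code, space separated.
audit_severities() {
    code=$1
    out=""
    [ $((code & SEV_INFO)) -ne 0 ]     && out="$out INFO"
    [ $((code & SEV_LOW)) -ne 0 ]      && out="$out LOW"
    [ $((code & SEV_MODERATE)) -ne 0 ] && out="$out MODERATE"
    [ $((code & SEV_HIGH)) -ne 0 ]     && out="$out HIGH"
    [ $((code & SEV_CRITICAL)) -ne 0 ] && out="$out CRITICAL"
    printf '%s' "${out# }"
}

# Return 0 (pass) when neither the HIGH nor the CRITICAL bit is set, 1 (fail)
# otherwise. Testing the bits rather than the magnitude keeps the check
# correct no matter which lower-severity bits are also set.
audit_gate() {
    code=$1
    [ $((code & (SEV_HIGH | SEV_CRITICAL))) -eq 0 ]
}

# Typical CI use (commented out so the file runs offline without yarn):
# yarn audit; code=$?
# echo "severities found: $(audit_severities "$code")"
# audit_gate "$code" || { echo "blocking: HIGH/CRITICAL vulnerabilities"; exit 1; }
```

Because the new code is a bitmask, the gate never suffers the 256-wraparound false negative described above: the largest possible value is 31, and a zero exit really does mean nothing was found.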
Test plan
Current behavior:
New behavior: