
Feature: optional --skip-dev flag to exclude devDependencies #186

Merged

Conversation

WhatIfWeDigDeeper
Contributor

Feature

Both npm and yarn support excluding devDependencies from auditing.

npm

npm audit --production

yarn

yarn npm audit --environment production

yarn classic

yarn audit --groups dependencies

Proposed Solution

npx audit-ci --skip-dev

audit-ci supports an optional allowlist where vulnerabilities can be set by advisory id, advisory id & module name, advisory id and module path, or by module name. This PR adds a convenience option to skip all devDependencies by accessing the underlying capability of npm and yarn.

By making this an opt-in feature, audit-ci would still be nudging users to include devDependencies in the audit. This differs from the discussion in this closed issue as it would support both npm and yarn and would not require implementing severity levels as it simply acts as a passthrough.

@quinnturner quinnturner self-requested a review June 14, 2021 12:02
Member

@quinnturner quinnturner left a comment


This PR is excellent. I have added one comment that requires action related to documentation before merging. Thank you for this contribution!

README.md (review comment, resolved)
@quinnturner quinnturner self-requested a review June 14, 2021 13:33
@quinnturner
Member

Awesome! Going to try to release it with this change assuming that it can get resolved quickly: #184

@quinnturner quinnturner merged commit 9701fb8 into IBM:master Jun 14, 2021
@quinnturner
Member

Released in v4.1.0
