
feature: configurable audit level #31

Merged
merged 4 commits into from Aug 3, 2018

Conversation

@lennym (Contributor) commented Jul 27, 2018

This is a port of my old PR at npm/npm#20992

It allows npm audit to exit with a zero exit code if only vulnerabilities below a defined threshold are detected. The default is left at low so it should be wholly non-breaking.

More discussion at https://npm.community/t/allow-a-configurable-vuln-level-to-make-npm-audit-fail/245/5

lennym added 3 commits Jun 14, 2018 (commit message):
`npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level.

Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found.

Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected.
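The threshold rule described in the commit message above, written out as an added example. This is not npm's own implementation: the helper names `auditExitCode` and `exitCodeFromAuditJson` and the sample audit JSON are assumptions made for illustration. The sample is constructed in the shape of npm 6 `npm audit --json` output (a `metadata.vulnerabilities` block keyed by severity), not a real audit result.

```javascript
// Added example: reproduces the exit-code rule the PR describes
// (fail only when a finding at or above --audit-level is present).
// Not npm's own code; the helper names are hypothetical.
'use strict';

// Severity levels in ascending order, matching the keys npm 6's
// `npm audit --json` reports under metadata.vulnerabilities.
const LEVELS = ['info', 'low', 'moderate', 'high', 'critical'];

// Return the exit code for the given severity counts and threshold:
// 1 if any count at or above the threshold is non-zero, otherwise 0.
// The default threshold is 'low', so info-only findings pass and
// anything at low or above still fails, as before the flag existed.
// An unknown threshold name is an error rather than being silently
// treated as "fail on everything" or "never fail".
function auditExitCode(counts, auditLevel = 'low') {
  const threshold = LEVELS.indexOf(auditLevel);
  if (threshold === -1) {
    throw new Error(`unknown audit level: ${auditLevel}`);
  }
  const failing = LEVELS.slice(threshold)
    .reduce((sum, level) => sum + (counts[level] || 0), 0);
  return failing > 0 ? 1 : 0;
}

// Parse the JSON that `npm audit --json` prints and apply the rule to
// its metadata.vulnerabilities block. Malformed or truncated output is
// an error, not a pass: a CI gate must not go green on garbage input.
function exitCodeFromAuditJson(jsonText, auditLevel = 'low') {
  const report = JSON.parse(jsonText);
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts !== 'object') {
    throw new Error('audit output has no metadata.vulnerabilities block');
  }
  return auditExitCode(counts, auditLevel);
}

// Constructed sample in the shape of npm 6 `npm audit --json` output
// (not a real audit result): two low and one moderate finding.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  actions: [],
  advisories: {},
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 0 },
    dependencies: 120,
    devDependencies: 300,
    totalDependencies: 420,
  },
});

// Stand-alone run: show the exit code for each possible threshold.
if (typeof module !== 'undefined' && typeof require !== 'undefined' &&
    require.main === module) {
  for (const level of LEVELS) {
    console.log(`--audit-level=${level}: exit ` +
      exitCodeFromAuditJson(SAMPLE_AUDIT_JSON, level));
  }
}
```

With the sample above, `--audit-level=high` and `--audit-level=critical` yield exit 0 while `info`, `low` and `moderate` yield exit 1, which is the behaviour the commit message gives for `npm audit --audit-level=high`. A wrapper like this is only a stop-gap until the flag itself ships; the point is that the threshold is a comparison against an ordered severity list, not a set of special cases.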
@zkat (Contributor) left a review comment

I'm 👍 on this one, especially since all it does is modify the loglevel for failure. I'd like to get sign-off from @iarna and @npm/security-product to make sure this aligns with their ideas around audit, and the rest looks great. Thanks for writing tests and doing such a nicely-targeted feature! 🎉

@zkat zkat changed the base branch from latest to release-next Jul 30, 2018
@zkat (Contributor) commented Jul 30, 2018

p.s. feel free to ignore the CI failure. It's unrelated to your PR.

@evilpacket commented Jul 30, 2018

I'm 👍 on this as it's a desired user feature to only break on certain levels of vulns and brings us closer to feature parity with legacy nsp

@zkat (Contributor) approved these changes Jul 30, 2018

LGTM, then! Woo!

lennym added a commit to UKHomeOffice/asl that referenced this issue Aug 1, 2018 (commit message):
I have created a wrapper for it, because `npm audit` itself _always_ fails if _any_ vulnerabilities are present, and we don't want to fail on low or moderate vulnerabilities. This issue has been PR'ed in npm, so if/when npm/cli#31 is merged and released then the command can be swapped for a basic `npm audit`.
@zkat zkat merged commit 792c8c7 into npm:release-next Aug 3, 2018
1 of 2 checks passed at merge time: continuous-integration/travis-ci/pr (Travis CI build in progress); Travis CI - Pull Request Build Passed.
@lennym lennym deleted the feature/configurable-audit-level branch Aug 20, 2018
ngraef added a commit to ngraef/cli that referenced this issue Feb 13, 2019
implementation added in npm#31
isaacs added a commit that referenced this issue Jun 26, 2019
implementation added in #31
isaacs added a commit that referenced this issue Jun 28, 2019
implementation added in #31
isaacs added a commit that referenced this issue Jun 29, 2019
implementation added in #31
isaacs added a commit that referenced this issue Jun 30, 2019
implementation added in #31