feat: add knownVulnerable semver range option #30

Closed
wants to merge 2 commits into from

Conversation


@isaacs isaacs commented Apr 4, 2020

This provides the ability of the caller to set a 'knownVulnerable'
SemVer range, so that @npmcli/arborist can attempt to avoid known
vulnerable packages when performing audit fix operations.

@isaacs isaacs requested a review from claudiahdz April 4, 2020 02:47
This provides the ability of the caller to set an 'avoid' SemVer range,
so that @npmcli/arborist can attempt to avoid known vulnerable packages
when performing audit fix operations.
@isaacs isaacs force-pushed the isaacs/known-vulnerable-option branch from 3893441 to c64973d Compare April 7, 2020 17:09

@darcyclarke darcyclarke left a comment


✅ LGTM


isaacs commented Apr 7, 2020

Changed the name of the field, since pickManifest doesn't need to know why you're avoiding those versions, only that you are.

Considering adding an avoidStrict: <Boolean> option to tell it to be a little more aggressive about avoiding the versions in that range, even to the point of returning a result outside the provided spec range, so that we can detect if a vulnerability fix is available, and if so, whether it's a semver major update or an allegedly-safe change to the dep range. When avoid strict is set:

  • Pick the manifest via the current method.
  • If result is not in the avoid range, then return it.
  • Else, if the spec is not already ^${result version}, then try to resolve with ^${result version}.
  • If result is not in the avoid range, then return it.
  • Else, try to resolve with *
  • If the result is not in the avoid range, then return it.
  • Else, throw "could not resolve" error.
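
The avoidStrict sequence above, as an added example that is not part of this PR or of npm-pick-manifest's own code: a minimal stand-in matcher replaces the real `semver` package, a constructed version list replaces the registry packument, and the `via` field is an assumption added so the caller can tell an in-range pick from a caret widening or a `*` fallback (which may be a semver-major jump).

```javascript
// Added example, not code from npm-pick-manifest: the avoidStrict fallback
// sequence from the comment above, run over a constructed version list.
// A tiny matcher stands in for the real `semver` package; it understands
// only '*', '^x.y.z' and space-separated '>=' / '<' comparators (assumption).
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
};
// Expand '^x.y.z' into '>=x.y.z <(x+1).0.0'; only the x > 0 caret rule is modelled.
const expandCaret = (range) => {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  return m ? `>=${m[1]}.${m[2]}.${m[3]} <${Number(m[1]) + 1}.0.0` : range;
};
const satisfies = (version, range) =>
  range === '*' ||
  expandCaret(range).split(/\s+/).every((c) => {
    const [, op, bound] = /^(>=|<)(.+)$/.exec(c);
    const d = cmp(version, bound);
    return op === '>=' ? d >= 0 : d < 0;
  });
// Stand-in for pickManifest: the highest published version matching spec.
const pick = (versions, spec) => {
  const ok = versions.filter((v) => satisfies(v, spec)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
};
// The proposed sequence: try spec, then ^<picked version>, then '*'.
// `via` (hypothetical field) records which range produced the result, so the
// caller can tell an in-range fix from a caret widening or a major jump.
function avoidStrictPick(versions, spec, avoid) {
  const tryRange = (range) => {
    const v = pick(versions, range);
    return v && !satisfies(v, avoid) ? { version: v, via: range } : null;
  };
  const first = tryRange(spec);
  if (first) return first;
  const picked = pick(versions, spec);
  if (picked && spec !== `^${picked}`) {
    const widened = tryRange(`^${picked}`);
    if (widened) return widened;
  }
  const wild = tryRange('*');
  if (wild) return wild;
  throw new Error(`could not resolve ${spec} while avoiding ${avoid}`);
}
// Constructed packument: 1.2.x is the vulnerable line, 1.3.0 and 2.0.0 are fixes.
const VERSIONS = ['1.0.0', '1.1.0', '1.2.0', '1.2.3', '1.3.0', '2.0.0'];
```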

@isaacs isaacs force-pushed the isaacs/known-vulnerable-option branch from 4d64aba to d70c77c Compare April 7, 2020 18:38

@darcyclarke darcyclarke left a comment


✅ Looks good to go.

@isaacs isaacs closed this in c268796 Apr 7, 2020