refactor: updates from code review

- Change config option to auditConfig.ignoreCves - Update test to ignore 3 overrides - Refactor filter callback - Rename fixture
pnpm · Nov 5, 2022 · feb8552 · feb8552
1 parent 7d52ee2
commit feb8552
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 10 deletions.
diff --git a/packages/plugin-commands-audit/src/fix.ts b/packages/plugin-commands-audit/src/fix.ts
@@ -1,10 +1,11 @@
 import { AuditReport, AuditAdvisory } from '@pnpm/audit'
 import { readProjectManifest } from '@pnpm/read-project-manifest'
+import { difference } from 'ramda'
 import fromPairs from 'ramda/src/fromPairs'
 
 export async function fix (dir: string, auditReport: AuditReport) {
   const { manifest, writeProjectManifest } = await readProjectManifest(dir)
-  const vulnOverrides = createOverrides(Object.values(auditReport.advisories), manifest.pnpm?.allowList)
+  const vulnOverrides = createOverrides(Object.values(auditReport.advisories), manifest.pnpm?.auditConfig?.ignoreCves)
   if (Object.values(vulnOverrides).length === 0) return vulnOverrides
   await writeProjectManifest({
     ...manifest,
@@ -20,8 +21,11 @@ export async function fix (dir: string, auditReport: AuditReport) {
 }
 
 function createOverrides (advisories: AuditAdvisory[], allowList?: string[]) {
+  if (allowList) {
+    advisories = advisories.filter(({ cves }) => allowList ? difference(allowList, cves).length === allowList.length : false)
+  }
   return fromPairs(
-    advisories.filter(({ cves }) => allowList ? !allowList.join(',').includes(cves.join(',')) : true)
+    advisories
     .filter(({ vulnerable_versions, patched_versions }) => vulnerable_versions !== '>=0.0.0' && patched_versions !== '<0.0.0') // eslint-disable-line
       .map((advisory) => [
         `${advisory.module_name}@${advisory.vulnerable_versions}`,

diff --git a/packages/plugin-commands-audit/test/fix.ts b/packages/plugin-commands-audit/test/fix.ts
@@ -59,7 +59,7 @@ test('no overrides are added if no vulnerabilities are found', async () => {
 })
 
 test('CVEs found in the allow list are not added as overrides', async () => {
-  const tmp = f.prepare('has-allowlist')
+  const tmp = f.prepare('has-auditconfig')
 
   nock(registries.default)
     .post('/-/npm/v1/security/audits')
@@ -78,6 +78,7 @@ test('CVEs found in the allow list are not added as overrides', async () => {
 
   const manifest = await loadJsonFile<ProjectManifest>(path.join(tmp, 'package.json'))
   expect(manifest.pnpm?.overrides?.['axios@<=0.18.0']).toBeFalsy()
-  expect(manifest.pnpm?.overrides?.['axios@<=0.21.1']).toBeFalsy()
+  expect(manifest.pnpm?.overrides?.['axios@<0.21.1']).toBeFalsy()
+  expect(manifest.pnpm?.overrides?.['minimist@<0.2.1']).toBeFalsy()
   expect(manifest.pnpm?.overrides?.['url-parse@<1.5.6']).toBeTruthy()
 })
diff --git a/.../test/fixtures/has-allowlist/package.json → ...est/fixtures/has-auditconfig/package.json b/.../test/fixtures/has-allowlist/package.json → ...est/fixtures/has-auditconfig/package.json
@@ -11,10 +11,14 @@
     "sync-exec": "0.6.2"
   },
   "pnpm": {
-    "allowList": [
-      "CVE-2021-3749",
-      "CVE-2020-28168'",
-      "CVE-2019-10742"
-    ]
+    "auditConfig": {
+      "ignoreCves": [
+        "CVE-2019-10742",
+        "CVE-2020-28168",
+        "CVE-2021-3749",
+
+        "CVE-2020-7598"
+      ]
+    }
   }
 }
diff --git a/...est/fixtures/has-allowlist/pnpm-lock.yaml → ...t/fixtures/has-auditconfig/pnpm-lock.yaml b/...est/fixtures/has-allowlist/pnpm-lock.yaml → ...t/fixtures/has-auditconfig/pnpm-lock.yaml
diff --git a/packages/types/src/package.ts b/packages/types/src/package.ts
@@ -134,7 +134,9 @@ export type ProjectManifest = BaseManifest & {
     updateConfig?: {
       ignoreDependencies?: string[]
     }
-    allowList?: string[]
+    auditConfig?: {
+      ignoreCves?: string[]
+    }
   }
   private?: boolean
   resolutions?: Record<string, string>