feat: allow audit --fix to skip installing overrides based on pnpm.auditConfig.ignoreCves array in the manifest (#5592)
💖 Thanks for opening this pull request! 💖
(branch force-pushed from b09d10e to feb8552)
These ignored CVEs should also be ignored by the pnpm audit command, because otherwise it will exit with an error code, which would break CI workflows that use pnpm audit.

Also, I pushed some changes.
Ah, that makes sense! I will give that a shot; however, I am having some problems pulling down your changes. Any tips? My local says I am up to date with the remote.

Try with GitHub CLI https://cli.github.com/

Ah, thank you! The sync command seems to have fixed whatever was not working with a normal fetch.
(branch force-pushed from c01574e to 919c05e)
I was having trouble with a few of the snapshot tests, but I think this is as close as I may get either way (hoping it is some sort of local issue). Only one was failing with a different number of lines; the other 2 were failing, but the data was the same, only out of order.
- Add an allowList field to the ProjectManifest type
- Skip install of overrides for CVEs in the allowList
- Add has-allowlist fixture and test

- Change config option to auditConfig.ignoreCves
- Update test to ignore 3 overrides
- Refactor filter callback
- Rename fixture
(branch force-pushed from 919c05e to 36481ad)
Congrats on merging your first pull request! 🎉🎉🎉
Motivation

Some vulnerabilities are tolerable or the patch version breaks an upstream dependency. This feature allows users to mark certain CVEs as tolerable. pnpm audit --fix will skip the override for CVEs in the allowList.
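Added example (not code from pnpm or from this PR): a small JavaScript model of the two behaviours discussed in this thread, namely audit --fix skipping overrides for CVEs listed under pnpm.auditConfig.ignoreCves in package.json, and the review point that plain audit should also ignore those CVEs so it does not exit non-zero in CI. The config key is the one the PR introduces; the function names, the advisory report shape (loosely modelled on the registry's advisory response), the package names and every CVE id are constructed for illustration and are not pnpm's API or real advisories.

```javascript
// Constructed manifest: `pnpm.auditConfig.ignoreCves` is the key introduced by
// the PR; package names and CVE ids are made up for this example.
const manifest = {
  name: 'example-app',
  dependencies: { 'left-pad-ish': '^1.0.0', 'yaml-ish': '^2.0.0' },
  pnpm: {
    auditConfig: {
      ignoreCves: ['CVE-0000-0001'],
    },
  },
};

// Constructed audit report, loosely shaped like a registry advisory response:
// advisories keyed by id, each naming the module, its CVE ids and the
// vulnerable / patched version ranges. Not real advisories.
const auditReport = {
  advisories: {
    1001: {
      module_name: 'left-pad-ish',
      cves: ['CVE-0000-0001'],
      vulnerable_versions: '<1.2.0',
      patched_versions: '>=1.2.0',
      severity: 'high',
    },
    1002: {
      module_name: 'yaml-ish',
      cves: ['CVE-0000-0002'],
      vulnerable_versions: '<2.3.1',
      patched_versions: '>=2.3.1',
      severity: 'moderate',
    },
    1003: {
      module_name: 'no-cve-pkg',
      cves: [], // advisory without a CVE id: cannot be matched by the ignore list
      vulnerable_versions: '<0.5.0',
      patched_versions: '>=0.5.0',
      severity: 'low',
    },
  },
};

// Read the ignore list from the manifest; a missing key means nothing is ignored.
function ignoredCves(manifest) {
  return new Set(manifest.pnpm?.auditConfig?.ignoreCves ?? []);
}

// An advisory is ignored only when it lists at least one CVE id and every
// one of them is in the ignore set. Advisories with no CVE id are never
// ignored, so a missing identifier cannot silently suppress a finding.
function isIgnored(advisory, ignored) {
  return advisory.cves.length > 0 && advisory.cves.every((cve) => ignored.has(cve));
}

// Advisories that still count after applying the ignore list.
function relevantAdvisories(auditReport, manifest) {
  const ignored = ignoredCves(manifest);
  return Object.values(auditReport.advisories).filter((a) => !isIgnored(a, ignored));
}

// What a hypothetical `audit --fix` would add to `pnpm.overrides`: one entry per
// remaining advisory, mapping `name@vulnerableRange` to the patched range.
// Ignored CVEs produce no override, which is what the PR sets out to do.
function overridesToApply(auditReport, manifest) {
  const overrides = {};
  for (const a of relevantAdvisories(auditReport, manifest)) {
    overrides[`${a.module_name}@${a.vulnerable_versions}`] = a.patched_versions;
  }
  return overrides;
}

// Exit status for plain `audit`: non-zero only if a non-ignored advisory
// remains. If ignored CVEs still failed the run, a CI job would break even
// though the user had accepted the risk, which is the review point above.
function auditExitCode(auditReport, manifest) {
  return relevantAdvisories(auditReport, manifest).length > 0 ? 1 : 0;
}

console.log('overrides to apply:', overridesToApply(auditReport, manifest));
console.log('audit exit code:', auditExitCode(auditReport, manifest));
```

With the constructed input, the override for left-pad-ish is skipped because its only CVE is listed, the yaml-ish and no-cve-pkg overrides are still written, and the audit still exits 1 because two advisories remain. Only when every remaining advisory is covered by the ignore list does the exit code drop to 0; an advisory that carries no CVE id can never be ignored by this mechanism and has to be dealt with another way.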