Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow audit --fix to skip installing overrides based on pnpm.auditConfig.ignoreCves array in the manifest #5592

Merged
merged 6 commits into from Nov 8, 2022
Merged

feat: allow audit --fix to skip installing overrides based on pnpm.auditConfig.ignoreCves array in the manifest #5592

merged 6 commits into from Nov 8, 2022

Conversation

CobyPear
Copy link
Contributor

@CobyPear CobyPear commented Nov 5, 2022
edited

  • Add an allowList field to the ProjectManifest type
  • Skip install of overrides for CVEs in the allowList when using audit --fix and an allowList exists
  • Add has-allowlist fixture and test

Motivation

Some vulnerabilities are tolerable or the patch version breaks an upstream dependency.
This feature allows users to mark certain CVEs as tolerable. pnpm audit --fix will skip the override for CVEs in the allowList.

@welcome
Copy link

welcome bot commented Nov 5, 2022

💖 Thanks for opening this pull request! 💖
Please be patient and we will get back to you as soon as we can.

@CobyPear CobyPear mentioned this pull request Nov 5, 2022
Merged
zkochan
zkochan requested changes Nov 5, 2022
View reviewed changes
packages/plugin-commands-audit/src/fix.ts Outdated Show resolved Hide resolved
packages/plugin-commands-audit/src/fix.ts Outdated Show resolved Hide resolved
packages/plugin-commands-audit/src/fix.ts Outdated Show resolved Hide resolved
@CobyPear CobyPear requested a review from zkochan November 5, 2022 19:46
zkochan
zkochan requested changes Nov 5, 2022
View reviewed changes
Copy link
Member

@zkochan zkochan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These ignored CVEs should also be ignored by the pnpm audit command. Because otherwise it will exit with an error code, which would break CI workflows that use pnpm audit.

Also, I pushed some changes.

@CobyPear
Copy link
Contributor Author

CobyPear commented Nov 5, 2022

These ignored CVEs should also be ignored by the pnpm audit command. Because otherwise it will exit with an error code, which would break CI workflows that use pnpm audit.

Also, I pushed some changes.

Ah that makes sense! I will give that a shot, however I am having some problems pulling down your changes. Any tips? My local says I am up to date with the remote.

@zkochan
Copy link
Member

zkochan commented Nov 5, 2022

Try with Github CLI https://cli.github.com/

@CobyPear
Copy link
Contributor Author

CobyPear commented Nov 5, 2022

Ah thank you! The sync command seemed to have fixed whatever was not working with a normal fetch.

@CobyPear
Copy link
Contributor Author

CobyPear commented Nov 8, 2022

I was having trouble with a few of the snapshot tests but I think this is as close as I may get either way (hoping it is some sort of local issue). Only one was failing with a different number of lines, the other 2 were failing but the data was the same only out of order.

@CobyPear CobyPear requested a review from zkochan November 8, 2022 00:04
CobyPear and others added 5 commits November 8, 2022 02:35
@CobyPear @zkochan
feat: (plugin-commands-audit,types) add allowList to audit --fix
6c0e8a9 
- Add an allowList field to the ProjectManifest type
- Skip install of overrides for CVEs in the allowList
- Add has-allowlist fixture and test
@CobyPear @zkochan
refactor: updates from code review
3051ece 
- Change config option to auditConfig.ignoreCves
- Update test to ignore 3 overrides
- Refactor filter callback
- Rename fixture
@zkochan
refactor: audit
2eb4134
@CobyPear @zkochan
feat: ensure audit doesn't fail on ignored CVEs
7fb6372
@zkochan
test(audit): fix
36481ad
@zkochan zkochan changed the title feat: Allow audit --fix to skip installing overrides based on allowList array in the manifest feat: allow audit --fix to skip installing overrides based on allowList array in the manifest Nov 8, 2022
@zkochan zkochan changed the title feat: allow audit --fix to skip installing overrides based on allowList array in the manifest feat: allow audit --fix to skip installing overrides based on pnpm.auditConfig.ignoreCves array in the manifest Nov 8, 2022
@zkochan zkochan merged commit 702e847 into pnpm:main Nov 8, 2022
@welcome
Copy link

welcome bot commented Nov 8, 2022

Congrats on merging your first pull request! 🎉🎉🎉

@CobyPear CobyPear deleted the feat-audit-fix-allow-list branch November 8, 2022 01:34
@zkochan zkochan added this to the v7.15 milestone Nov 14, 2022
@princekumar-d princekumar-d mentioned this pull request Dec 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zkochan zkochan zkochan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v7.15
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@CobyPear @zkochan