chore(ci): add script to respect ignored modules in yarn audit.

JakeHaitsma · Feb 17, 2024 · aded209 · aded209 · JakeHaitsma · Feb 17, 2024
1 parent 89453dd
commit aded209
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 1 deletion.
diff --git a/.auditignore b/.auditignore
@@ -0,0 +1 @@
+ip
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -58,7 +58,7 @@ jobs:
       - name: Install dependencies
         run: yarn
       - name: Audit
-        run: yarn audit
+        run: yarn audit-withignores
       - name: Build
         run: yarn build
       - name: Release

diff --git a/package.json b/package.json
@@ -24,6 +24,7 @@
   ],
   "types": "./dist/pixi-bitmap-text-input.d.ts",
   "scripts": {
+    "audit-withignores": "node util/auditWithIgnores.mjs",
     "dev": "vite --host",
     "build": "rimraf dist && tsc && vite build && dts-bundle-generator --config ./dts-bundle-generator.config.ts",
     "test": "vitest",

diff --git a/util/auditWithIgnores.mjs b/util/auditWithIgnores.mjs
@@ -0,0 +1,71 @@
+import { spawn } from "child_process";
+import fs from "fs";
+
+const audit = spawn("yarn", ["audit", "--json"]);
+
+let output = "";
+
+audit.stdout.on("data", data => {
+  output += data;
+});
+
+audit.stderr.on("data", data => {
+  console.error(`stderr: ${data}`);
+});
+
+audit.on("error", error => {
+  console.error(`Error: ${error.message}`);
+});
+
+audit.on("close", code => {
+  if (code > 16) {
+    process.exit(code);
+  }
+
+  const results = output
+    .split("\n")
+    .filter(line => line)
+    .map(line => JSON.parse(line));
+
+  generateFilteredAuditResults(results);
+});
+
+function getIgnoredModules() {
+  const auditignore = fs.readFileSync(".auditignore", "utf8");
+  return auditignore
+    .split("\n")
+    .filter(x => Boolean(x) && !x.startsWith("#"))
+    .map(x => x.trim());
+}
+
+function generateFilteredAuditResults(results) {
+  const allAdvisories = results.filter(x => x.type === "auditAdvisory");
+  const ignoredModules = getIgnoredModules().map(x => x.toLowerCase());
+  const filteredAdvisories = allAdvisories.filter(
+    x => !ignoredModules.includes(x.data.advisory.module_name.toLowerCase())
+  );
+  const severities = filteredAdvisories.map(x =>
+    x.data.advisory.severity.toLowerCase()
+  );
+
+  // From https://classic.yarnpkg.com/lang/en/docs/cli/audit/#toc-yarn-audit.
+  // 0 (no vulnerabilites) is handled separately.
+  const severityExitCodeMap = {
+    info: 1,
+    low: 2,
+    moderate: 4,
+    high: 8,
+    critical: 16,
+  };
+
+  const exitCode = Math.max(...severities.map(x => severityExitCodeMap[x]), 0);
+
+  if (exitCode === 0) {
+    console.log("🔒 No vulnerabilities found.");
+  } else {
+    console.log("🚨 Vulnerabilities found.");
+    console.table(filteredAdvisories.map(x => x.data.advisory));
+  }
+
+  process.exit(exitCode);
+}