Merge pull request #1854 from brave/fix/audit-recurse

npm audit command should check vendor directories
brave · Oct 30, 2018 · 27776b0 · 27776b0
1 parent ff92a75
commit 27776b0
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -3,6 +3,7 @@
   "version": "0.57.3",
   "description": "Next generation Brave browser for macOS, Windows, Linux, and eventually Android",
   "scripts": {
+    "audit_deps": "node ./scripts/audit.js",
     "cibuild": "node ./scripts/commands.js cibuild",
     "init": "node ./scripts/sync.js --init",
     "create_dist": "node ./scripts/commands.js create_dist",
@@ -18,7 +19,7 @@
     "pull_l10n": "node ./scripts/commands.js pull_l10n",
     "chromium_rebase_l10n": "node ./scripts/commands.js chromium_rebase_l10n",
     "test": "node ./scripts/commands.js test",
-    "test-security": "npm audit && node ./scripts/commands.js start --enable_brave_update --network_log --user_data_dir_name=brave-network-test"
+    "test-security": "npm run audit_deps && node ./scripts/commands.js start --enable_brave_update --network_log --user_data_dir_name=brave-network-test"
   },
   "config": {
     "projects": {

diff --git a/scripts/audit.js b/scripts/audit.js
@@ -0,0 +1,30 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const path = require('path')
+const fs = require('fs')
+const util = require('../lib/util')
+
+const baseDir = path.resolve(path.join(__dirname, '..'))
+const braveDir = path.join(baseDir, 'src', 'brave')
+const braveVendorDir = path.join(braveDir, 'vendor')
+
+/**
+ * Runs npm audit on a given directory located at pathname
+ */
+function npmAudit (pathname) {
+  if (fs.existsSync(path.join(pathname, 'package.json')) &&
+    fs.existsSync(path.join(pathname, 'package-lock.json'))) {
+    console.log('Auditing', pathname)
+    util.run('npm', ['audit'], { cwd: pathname })
+  } else {
+    console.log('Skipping audit of', pathname)
+  }
+}
+
+npmAudit(baseDir)
+npmAudit(braveDir)
+fs.readdirSync(braveVendorDir).forEach((dir) => {
+  npmAudit(path.join(braveVendorDir, dir))
+})