UNPKG

npm-audit-resolver/README.md

Version:

3.48 kBMarkdownView Raw

1# npm audit resolver
2*Now with yarn support too*
3
4`npm audit` is great. `npm audit fix` is also there if you didn't know. But sometimes you need to manage your security and make decisions about the dependencies you use.
5
6This tool creates a `audit-resolve.json` file in your app and interactively helps you manage security of your dependencies.
7
8*This package is meant for early adopters. Anything can change, but my team uses it for maintaining over 20 apps so there's likely to be a migration path.*
9
10I'm working on getting it built into npm. See [the RFC](https://github.com/npm/rfcs/pull/18)
11
12## Install
13
14Requires npm v6.1.0+ installed alongside
15
16```
17npm install -g npm-audit-resolver
18```
19
20## Usage
21
22Go into the project folder and run
23
24```
25resolve-audit
26```
27
28It goes through the results of `npm audit` and lets you decide what to do with the issues.
29The decisions you make are stored in `audit-resolve.json` to keep track of it in version control and have a log of who decided to do what and when.
30
31### Arguments 
32
33```
34--yarn switched to yarn package manager as the command to support
35--migrate forces migration to a new file and format even if no modifications are made to decisions
36```
37
38All other arguments are passed down to the npm/yarn audit call
39
40### Running in CI
41
42One of the problems this solves is running audit as part of your build pipeline.
43You don't want to break your CI for a few days waiting to get a fix on a dependency, but at the same time ignoring the whole class of issues or the audit result entirely means you'll rarely notice it at all.
44
45Run
46```
47check-audit
48```
49
50This command will only exit with an error if a human needs to make new decisions about vulnerabilities and commit the `audit-resolve.json` file. If all issues are addressed, your build can pass.
51
52For JSON output (similar to `npm audit --json`), run
53```
54check-audit --json
55```
56
57All other arguments are passed down to the npm/yarn audit call
58
59## Features
60
61Want to give it a go? Download this repo and run `npm run testdrive`
62
63When a vulnerability is found, you get to choose between the following options:
64
65- fix - Runs the fix proposed by npm audit and makes a note. If the same issue comes back because someone else on the team changed package-lock.json, you'll get a warning about that.
66- show details - Prints more information about the issues form the audit and asks what to do again
67- remind in 24h - Lets you ignore an issue temporarily to make the build pass until a fix is known
68- ignore - Adds the particular dependency paths and advisories to be ignored in the future. If the same issue in the same package comes up, but it's a dependency of another package, it won't get ignored. If a new issue is found in the package, it doesn't get ignored. You can decide if the decision expires or not.
69- delete - Removes your dependency that brought the vulnerability in its dependencies.
70- skip and quit, obviously
71
72audit-resolve.json is formatted, so git history has a trace of who addressed which vulnerability, when and how.
73
74### Why would I ignore security vulnerabilities?
75
76Because otherwise running `npm audit` as part of your CI is not practical.
77
78- dev dependencies! a DOS vulnerability in your test runner's dependency is not a showstopper
79- build tooling vulnerability
80- dependencies of a tool you use very narrowly and can prove it's safe
81- new vulnerability without a fix and you want to wait for a fix while running your builds (there's a remind me in 24h option available)

1	`# npm audit resolver`
2	`Now with yarn support too`
3
4	`npm audit` is great. `npm audit fix` is also there if you didn't know. But sometimes you need to manage your security and make decisions about the dependencies you use.
5
6	This tool creates a `audit-resolve.json` file in your app and interactively helps you manage security of your dependencies.
7
8	`This package is meant for early adopters. Anything can change, but my team uses it for maintaining over 20 apps so there's likely to be a migration path.`
9
10	`I'm working on getting it built into npm. See [the RFC](https://github.com/npm/rfcs/pull/18)`
11
12	`## Install`
13
14	`Requires npm v6.1.0+ installed alongside`
15
16	```
17	`npm install -g npm-audit-resolver`
18	```
19
20	`## Usage`
21
22	`Go into the project folder and run`
23
24	```
25	`resolve-audit`
26	```
27
28	It goes through the results of `npm audit` and lets you decide what to do with the issues.
29	The decisions you make are stored in `audit-resolve.json` to keep track of it in version control and have a log of who decided to do what and when.
30
31	`### Arguments`
32
33	```
34	`--yarn switched to yarn package manager as the command to support`
35	`--migrate forces migration to a new file and format even if no modifications are made to decisions`
36	```
37
38	`All other arguments are passed down to the npm/yarn audit call`
39
40	`### Running in CI`
41
42	`One of the problems this solves is running audit as part of your build pipeline.`
43	`You don't want to break your CI for a few days waiting to get a fix on a dependency, but at the same time ignoring the whole class of issues or the audit result entirely means you'll rarely notice it at all.`
44
45	`Run`
46	```
47	`check-audit`
48	```
49
50	This command will only exit with an error if a human needs to make new decisions about vulnerabilities and commit the `audit-resolve.json` file. If all issues are addressed, your build can pass.
51
52	For JSON output (similar to `npm audit --json`), run
53	```
54	`check-audit --json`
55	```
56
57	`All other arguments are passed down to the npm/yarn audit call`
58
59	`## Features`
60
61	Want to give it a go? Download this repo and run `npm run testdrive`
62
63	`When a vulnerability is found, you get to choose between the following options:`
64
65	`- fix - Runs the fix proposed by npm audit and makes a note. If the same issue comes back because someone else on the team changed package-lock.json, you'll get a warning about that.`
66	`- show details - Prints more information about the issues form the audit and asks what to do again`
67	`- remind in 24h - Lets you ignore an issue temporarily to make the build pass until a fix is known`
68	`- ignore - Adds the particular dependency paths and advisories to be ignored in the future. If the same issue in the same package comes up, but it's a dependency of another package, it won't get ignored. If a new issue is found in the package, it doesn't get ignored. You can decide if the decision expires or not.`
69	`- delete - Removes your dependency that brought the vulnerability in its dependencies.`
70	`- skip and quit, obviously`
71
72	`audit-resolve.json is formatted, so git history has a trace of who addressed which vulnerability, when and how.`
73
74	`### Why would I ignore security vulnerabilities?`
75
76	Because otherwise running `npm audit` as part of your CI is not practical.
77
78	`- dev dependencies! a DOS vulnerability in your test runner's dependency is not a showstopper`
79	`- build tooling vulnerability`
80	`- dependencies of a tool you use very narrowly and can prove it's safe`
81	`- new vulnerability without a fix and you want to wait for a fix while running your builds (there's a remind me in 24h option available)`