
[FEATURE] Add audit resolve/fix management #525

Closed
mikemimik opened this issue Nov 26, 2019 · 6 comments
Labels
Enhancement new feature or improvement Release 7.x work is associated with a specific npm 7 release semver:major backwards-incompatible breaking changes

Comments

@mikemimik (Contributor)

What / Why

Would be great to have an interactive update command for npm audit fix

Where

  • npm audit fix

How

Current Behavior

  • Not interactive

Expected Behavior

  • Cool interactive menu

References

@mikemimik mikemimik added semver:major backwards-incompatible breaking changes Release 7.x work is associated with a specific npm 7 release labels Nov 26, 2019
@ruyadorno (Contributor)

ruyadorno commented Jan 13, 2020

(just documenting some of the discussions from chats and video conferences)

We should definitely decouple the interactivity from the audit fix management. It'd be nice to create some sort of local db-layer resolve file (so that it can be checked into version control systems) that keeps track of audits, and expose a set of subcommands to list, set, and unset audit warnings - let's not add interactivity to the mix just yet 😊

Ideas:

$ npm audit list
1325 [high]     handlebars: Prototype Pollution
1324 [high]     handlebars: Arbitrary Code Execution
788  [moderate] js-yaml: Denial of Service

$ npm audit get 788
Status: Pending
Level: Moderate
Type: Denial of Service
Package name: js-yaml
Dependency of: tap [dev]
Path: tap > tap-parser > js-yaml
More info: https://npmjs.com/advisories/788

$ npm audit set 788 --status=Read

$ npm audit list
1325 [high]     handlebars: Prototype Pollution
1324 [high]     handlebars: Arbitrary Code Execution

$ npm audit get 788
Status: Read
Level: Moderate
Type: Denial of Service
Package name: js-yaml
Dependency of: tap [dev]
Path: tap > tap-parser > js-yaml
More info: https://npmjs.com/advisories/788

As you can see from the example above, npm audit list would only list audit items that have a status of Pending; setting a status to something else would exclude that item from the audit results.

The legacy npm audit can stay mostly the same but can also use the status in order to omit reports, etc.

@ruyadorno (Contributor)

Open RFC: npm/rfcs#18

@ruyadorno (Contributor)

Existing userland solution: https://www.npmjs.com/package/npm-audit-resolver

@ruyadorno ruyadorno changed the title [FEATURE] Create interactive audit fix [FEATURE] Add audit resolve/fix management Jan 13, 2020
@ruyadorno ruyadorno added the Enhancement new feature or improvement label Jan 13, 2020
@ruyadorno (Contributor)

ruyadorno commented Jan 14, 2020

Having this in place, it would be trivial to have userland modules that use https://github.com/ruyadorno/ipt to take the npm audit list output, build an interactive interface, and set the read/fix/ignore status upon selecting an item.

@naugtur

naugtur commented Jan 23, 2020

Hi, npm-audit-resolver author here.

I've refactored the resolver and extracted a core package. There might be some work left to perfect the API it exposes, but the core package is designated to be used in npm audit to support ignoring and other features.

The interactive command would remain userland as-is. That was made very clear in the RFC and other communication - npm cli doesn't want to be interactive.

What do you think?

@ruyadorno (Contributor)

Closing this in favor of continuing the conversation over at npm/rfcs#18.
