From bf58d9b1be42eb478ffc33b3cd4a079448a8cc51 Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Tue, 20 Sep 2022 01:49:28 +0000 Subject: [PATCH 1/3] add npm audit query rfc --- accepted/0000-npm-audit-queries.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 accepted/0000-npm-audit-queries.md diff --git a/accepted/0000-npm-audit-queries.md b/accepted/0000-npm-audit-queries.md new file mode 100644 index 000000000..7c27f1d34 --- /dev/null +++ b/accepted/0000-npm-audit-queries.md 
@@ -0,0 +1,19 @@ +# Add `--query` flag to `npm audit` + +### Motivation + +Today `npm audit` has a limited set of options to filter the packages that are included or excluded from it's scope. There has also been [very public, legitimate critcism about the signal to noise ratio](https://overreacted.io/npm-audit-broken-by-design/) of `npm audit`'s ouput. Unfortunately, this has lead many developers to turn off `npm audit` checks completely during installation (ex. `--no-audit`) or switching to alternative package managers who do not run audits by default. + +The current configuration options are based on `Arborist`'s underlying support for, & limited to, package types (ie. `--omit` & `--include` can be used today to filter by only `prod`, `dev`, `optional` & `peer` dependency types today). Expanding `npm audit`'s filter capabilities & leveraging the new, rebust [Dependency Selector Syntax](https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors) - at the command-line/project-level - will help end-users define complex groups of dependencies to be included. + +### Solution + +Add support for a new `--query` flag to `npm audit` which takes a **Dependency Selector** as it's value. + +### Implementation + +When the `--query` flag is defined it will set `--omit` & `--include` values to empty & configure `Arborist` to run the `tree.querySelectorAll("")`. + +### Prior Art + +[Audit Resolutions](https://github.com/npm/rfcs/blob/f333557af40beecf49d60d222599f02e5f0947fc/accepted/0003-interactive-audit-resolver.md) is one of the oldest RFC's still open which has a similar scope/goal. In that RFC a `ADVISORY_NUMBER|DEPENDENCY_PATH` value is referenced as the ideal value to apply "resolutions". In this alternative, a **Dependency Selector** will be used which, today, already supports paths/ancestory via the direct decendant/child combinator (`>`). Advisory metadata & pseudo selector support (ex. 
`:cve()`, `:cwe()` & `:vulnerable`) was defined in the original [Dependency Selector Syntax RFC](https://github.com/npm/rfcs/blob/3d5b2130504139bdc8a3b599923aa07d2ff79c96/accepted/0000-dependency-selector-syntax.md) & is queued up to be worked on by the npm CLI team. From b6a94ac0769486b728a2e94c8ebbf218c6b07f0f Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Mon, 19 Sep 2022 22:02:14 -0400 Subject: [PATCH 2/3] Update 0000-npm-audit-queries.md --- accepted/0000-npm-audit-queries.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/accepted/0000-npm-audit-queries.md b/accepted/0000-npm-audit-queries.md index 7c27f1d34..5936bf16c 100644 --- a/accepted/0000-npm-audit-queries.md +++ b/accepted/0000-npm-audit-queries.md @@ -1,4 +1,4 @@ -# Add `--query` flag to `npm audit` +# Add `--audit-query` flag to `npm audit` ### Motivation @@ -8,11 +8,11 @@ The current configuration options are based on `Arborist`'s underlying support ### Solution -Add support for a new `--query` flag to `npm audit` which takes a **Dependency Selector** as it's value. +Add support for a new `--audit-query` flag to `npm audit` which takes a **Dependency Selector** as it's value. ### Implementation -When the `--query` flag is defined it will set `--omit` & `--include` values to empty & configure `Arborist` to run the `tree.querySelectorAll("")`. +When the `--audit-query` flag is defined it will set `--omit` & `--include` values to empty & configure `Arborist` to run the `tree.querySelectorAll("")`. ### Prior Art From 3d40a4cc0fa15cf97ef8ef2c11badcfe5213a521 Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Tue, 20 Sep 2022 19:56:54 -0400 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: Jordan Harband --- accepted/0000-npm-audit-queries.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/0000-npm-audit-queries.md b/accepted/0000-npm-audit-queries.md index 5936bf16c..550d5f307 100644 --- a/accepted/0000-npm-audit-queries.md 
+++ b/accepted/0000-npm-audit-queries.md @@ -4,7 +4,7 @@ Today `npm audit` has a limited set of options to filter the packages that are included or excluded from it's scope. There has also been [very public, legitimate critcism about the signal to noise ratio](https://overreacted.io/npm-audit-broken-by-design/) of `npm audit`'s ouput. Unfortunately, this has lead many developers to turn off `npm audit` checks completely during installation (ex. `--no-audit`) or switching to alternative package managers who do not run audits by default. -The current configuration options are based on `Arborist`'s underlying support for, & limited to, package types (ie. `--omit` & `--include` can be used today to filter by only `prod`, `dev`, `optional` & `peer` dependency types today). Expanding `npm audit`'s filter capabilities & leveraging the new, rebust [Dependency Selector Syntax](https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors) - at the command-line/project-level - will help end-users define complex groups of dependencies to be included. +The current configuration options are based on `Arborist`'s underlying support for, & limited to, package types (ie. `--omit` & `--include` can be used today to filter by only `prod`, `dev`, `optional`, & `peer` dependency types today). Expanding `npm audit`'s filter capabilities & leveraging the new, robust [Dependency Selector Syntax](https://docs.npmjs.com/cli/v8/using-npm/dependency-selectors) - at the command-line/project-level - will help end-users define complex groups of dependencies to be included. ### Solution
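Review bot: in the first commit's hunk (`@@ -0,0 +1,19 @@`), the Implementation line `tree.querySelectorAll("")` passes an empty selector literal, so it does not show where the `--query` value goes; write it as the flag's value (e.g. `tree.querySelectorAll(<value of --query>)`) and state what happens when `--query` is combined with `--omit`/`--include`, since the text says those are silently set to empty, which will surprise users whose existing config is overridden without a warning or error. The Motivation and Prior Art paragraphs also carry several typos that a reader will trip over: "it's scope" / "it's value" (its), "critcism", "ouput", "has lead" (led), "rebust", "ancestory", "decendant", "RFC's" (RFCs), and "a `ADVISORY_NUMBER|DEPENDENCY_PATH`" (an). Finally, the RFC gives no example invocation; one showing the `>` combinator the Prior Art section relies on would make the Solution concrete.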
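Review bot: the second commit's first hunk (`@@ -1,4 +1,4 @@`) renames the flag from `--query` to `--audit-query` in the title, but neither the hunk nor the commit message ("Update 0000-npm-audit-queries.md") records why; add the rationale to the RFC body (e.g. under an Alternatives or naming note), since the choice of a namespaced flag name is exactly the kind of decision a reader of the accepted RFC will want to find.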
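Review bot: the second commit's second hunk (`@@ -8,11 +8,11 @@`) is a mechanical rename of `--query` to `--audit-query` in the Solution and Implementation lines and leaves the surrounding problems in place: `tree.querySelectorAll("")` still has an empty selector where the flag's value belongs, and "it's value" is still "its value"; since both lines are being touched anyway, fix them in the same change.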
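Review bot: the third commit's hunk (`@@ -4,7 +4,7 @@`) fixes "rebust" and adds the serial comma, but the unchanged context line immediately above still reads "it's scope", "critcism", "ouput" and "has lead", and the edited line still says "can be used today to filter ... dependency types today" (drop one "today"); as this commit applies code-review suggestions, picking up those remaining typos in the same pass would leave the Motivation section clean.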