Support allowlisting private packages by module about audit-ci HOT 7 CLOSED

Hey @quinnturner, I'm interested on working on this if thats okay? 😄

from audit-ci.

Hey @andrewdetorres, yep, I would accept a PR that adds this functionality! If you have questions, feel free to drop them here 😄

from audit-ci.

Hey @quinnturner,

After taking a look into this issue, the way that the code works with module name allowlist is that the package name with the vulnerability should be used. In the example above GHSA-pw2r-vq6v-hr8c|proxy-client-ts>axios>follow-redirects this should be follow-redirects instead of proxy-client-ts.

Having the root package in the allowlist would be a cool feature so you don't have to write out the full path. Is this something you would like to consider as a feature? 😄

from audit-ci.

Root module advisory allow listing is supported with *|module-name>*. I believe the problem is that since these are private packages, the private package is not listed in the audit. Unfortunately, that means adding context of the private dependency in the audit response.

I haven't reviewed how the package manager's audit responds to private dependencies. If they still handle the transitive dependencies, there may we a way to workaround it with a different allowlist without much or any code.

from audit-ci.

It appears that the above syntax *|module-name>* works with private packages. Having tested this with our own private package and the advisories were correctly ignored.

The root module advisory allow listing support seems slightly hidden in the docs. I'm happy to make a contribution to make this more clear if you're happy for me to go ahead with that?

from audit-ci.

I am always interested in making the documentation better! Allowlisting all transitive dependencies of a package is not usually recommended workflow because legitimate advisories may slip through, so the wording would have to be considered. However, I am open to PRs!

from audit-ci.

I am closing for now because of the improved documentation. While this is still technically an issue, it can be worked around and "fixing it" involves mutating the received audit. If "natively" solving this receives a lot of positive desire, I will consider reopening!

from audit-ci.