Comments (3)
From what I can tell, it seems that Yargs does not support object arrays. In retrospect, I can imagine it is difficult to pass an array of objects through the CLI, so it may not be implemented.
I am not sure yet how I'd like to proceed. I firmly push toward using configuration files because the allowlist makes this a helpful library nowadays. From what I recall, most package managers now natively support audit levels. Yarn 3.3.0 or 3.3.1 ish will support allowlisting using the NPM identifier (which is less valuable than the GitHub identifier).
With that in mind, one option is to migrate towards another config-focused library and entirely remove CLI argument support. I wouldn't say that is ideal, as it's a breaking change, especially since a considerable population of open-source projects use it solely for auditing levels and not the allowlisting.
Open to ideas!
from audit-ci.
I dug a bit deeper and it seems like yargs doesn't like the output of the object array when parsed with `jju`. It does accept the one from `JSON.parse`.
Interestingly, if we pass the `null_prototype: false` option into `jju`'s parse function, then it starts working. I tested this on my project and it works. I "think" this should be safe?
I'll open a PR so you can view the diff
from audit-ci.
I came to the exact same conclusion 😄 reviewing now!
from audit-ci.