tnobody / lerna-audit
Micro util to run npm audit in lerna monorepos
Using lerna-audit (1.2.0) on my package.json files generated by npm 6.14.5 results in the EOF newline being removed.
Looking at e.g. npm/npm#18545 or phetsims/perennial#156, I don't want to get into the territory of whether having the newline is "right" or not, but I think it would be in the interest of everyone if changes to those files were confined to version numbers.
$ git diff
──────────────────────────
modified: my-sub-package/package.json
──────────────────────────
@ my-sub-package/package.json:51 @
}
}
}
\ No newline at end of file
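Review bot: the only difference in this hunk is the "\ No newline at end of file" marker on the closing brace; no key or version changes, so the rewrite dropped the trailing newline the original file had. If the tool re-serializes with JSON.stringify(), appending "\n" when the source text ended with one would make this hunk disappear from the diff entirely.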
FWIW lerna-audit uses JSON.stringify() to put the package.json back together once it has done its job. Maybe this could become a little more involved, respecting the original presence of a newline - one way or another.
lerna-audit reorders the properties in package.json files even when the --no-fix flag is used and there are no vulnerabilities. As well as randomly changing files in the Git working directory, this causes problems when it's used as a pre-publish check, as the publish then fails because the working directory is not clean.
I think it should restore the original unchanged files if the user specifies --no-fix, or if no vulnerabilities were detected. What it actually does is re-save the file via arborist in all scenarios other than an error being thrown, which is where the reordering comes from.
There are a couple of scenarios in which package.json can change unexpectedly. The first is if your dependencies are not alphabetically ordered - arborist sorts them. The second is when your dependencies are only other Lerna packages - lerna-audit strips them all out of package.json for audit to run, leaving no dependencies. Arborist is asked to update this file, and as there are no existing dependencies to update, it just appends them at the end. Same for dev dependencies.
Ideally (in my opinion), lerna-audit would make minimal changes to package.json even when fixing vulnerabilities. This reordering seems a little unexpected.
There is a somewhat-related issue + PR about a new version of arborist: #25. I'd suggest dropping it altogether: update the original JSON with the new version numbers and save the stringify-ed result.
I'm using lerna-audit 1.3.1.
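The two reports above (the lost EOF newline and the arborist reordering) both come down to how the file is written back. The following is an added example, not lerna-audit's own code, of the approach suggested in the second report: parse the original package.json, change only the version ranges the audit step produced, and re-serialize with the file's own indentation and trailing-newline state so the resulting diff is confined to version numbers. The `updates` map shape (`{ packageName: newRange }`) and the sample package.json are assumptions constructed for the example.

```javascript
// Added example (not lerna-audit's own code): write back a package.json after an
// audit fix while touching only version strings. Key order is preserved because
// JSON.parse/JSON.stringify keep insertion order for string keys and assigning
// to an existing key does not move it; indentation and the trailing newline are
// copied from the original text so the git diff shows only version changes.
// `updates` is an assumed { packageName: newVersionRange } map from the audit step.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Detect the indentation unit of the original file (falls back to two spaces).
function detectIndent(text) {
  const m = text.match(/^\{\r?\n([ \t]+)"/);
  return m ? m[1] : '  ';
}

// Return { text, changed }: the rewritten file and the list of fields updated.
function applyVersionUpdates(originalText, updates) {
  const pkg = JSON.parse(originalText);
  const changed = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps) continue;
    for (const [name, range] of Object.entries(updates)) {
      // Only existing entries are touched; nothing is added or re-sorted.
      if (Object.prototype.hasOwnProperty.call(deps, name) && deps[name] !== range) {
        deps[name] = range;
        changed.push(`${field}.${name}`);
      }
    }
  }
  let out = JSON.stringify(pkg, null, detectIndent(originalText));
  // Respect the original file's choice about a newline at end of file.
  if (originalText.endsWith('\n')) out += '\n';
  return { text: out, changed };
}

// Constructed sample: non-alphabetical deps, 4-space indent, trailing newline.
const SAMPLE = `{
    "name": "my-sub-package",
    "version": "1.0.0",
    "dependencies": {
        "zlib-shim": "^1.0.0",
        "lodash": "^4.17.15"
    },
    "devDependencies": {
        "mocha": "^7.0.0"
    }
}
`;

const result = applyVersionUpdates(SAMPLE, { lodash: '^4.17.19', mocha: '^7.0.0' });
console.log(result.changed); // [ 'dependencies.lodash' ]
console.log(result.text);    // same layout as SAMPLE, only the lodash range differs
```

Note the one caveat of this approach: JSON.parse drops comments and duplicate keys, which valid package.json files do not contain, and integer-like keys would be re-sorted by the engine, which real package names are not. Within those limits the rewrite is byte-stable for an unchanged file, so a `--no-fix` run produces no working-tree change at all.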
As a user, I want lerna-audit to omit dependencies/devDependencies fields during update if they are empty, to keep my audited package.json as minimal as possible.
As a user, I want lerna-audit to restore the original package.json in case I abort the process, so that my package.json is not corrupted.
Additional information
When I abort the process currently, the resulting package.json lacks the lerna-internal dependencies stored in memory. If you rerun the process, it might be successful, but the lerna-internal dependencies are still lost. Therefore one should think about restoring the original package.json in case of a SIGKILL or SIGINT.
We'd like to use this plugin as a purely scanning tool that doesn't automatically fix problems. This request is for a command line argument to allow that behavior.
I'm using lerna's --hoist feature in a monorepo project and ran across this Lerna issue around audits. I was hoping that using this package would make running the audits easier, and so I'm wondering: is it expected that we run npm install in the individual packages before running npx lerna-audit? After running the individual installs and then re-running npx lerna-audit, the reports were generated.
Let's say I run lerna-audit from the root of my directory with the --no-fix option, and vulnerabilities are found; running echo $? to check the execution status does not return a non-zero status code.
For instance, npm audit --audit-level=high returns a status code of 1 if high | critical vulnerabilities are found.
Would you be open to adding the right status code outputs to this CLI tool along with the --audit-level flag? This would come in handy when using it with a build / CI system. I am happy to send a PR, please let me know.
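To make the request above concrete, here is an added example (not lerna-audit's own code) of the exit-status logic a CI integration needs: aggregate the per-package audit summaries and return 1 when any finding is at or above the requested --audit-level, 0 otherwise, matching npm audit's own convention. It assumes the npm 6 `npm audit --json` layout, in which `metadata.vulnerabilities` carries a count per severity; the two package reports are constructed sample data.

```javascript
// Added example (not lerna-audit's own code): derive a process exit status from
// npm-audit-style summaries so a CI job fails on findings at or above a level.
// Assumes the npm 6 `npm audit --json` shape: report.metadata.vulnerabilities is
// an object of counts keyed by severity. Sample reports below are constructed.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Count findings whose severity is at or above `level` (inclusive).
function countAtOrAbove(vulnCounts, level) {
  const threshold = SEVERITY_ORDER.indexOf(level);
  if (threshold < 0) throw new Error(`unknown audit level: ${level}`);
  return SEVERITY_ORDER.slice(threshold)
    .reduce((n, sev) => n + (vulnCounts[sev] || 0), 0);
}

// Returns 0 when no package reaches the threshold, 1 otherwise, and reports
// the offending packages on stderr so the CI log shows where to look.
function exitCodeForAudit(reportsByPackage, level) {
  let total = 0;
  for (const [pkgName, report] of Object.entries(reportsByPackage)) {
    const counts = (report.metadata && report.metadata.vulnerabilities) || {};
    const hits = countAtOrAbove(counts, level);
    if (hits > 0) console.error(`${pkgName}: ${hits} finding(s) at ${level} or above`);
    total += hits;
  }
  return total > 0 ? 1 : 0;
}

// Constructed sample: two monorepo packages, one with a high-severity finding.
const SAMPLE_REPORTS = {
  'packages/api': { metadata: { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 1, critical: 0 } } },
  'packages/ui':  { metadata: { vulnerabilities: { info: 1, low: 0, moderate: 0, high: 0, critical: 0 } } },
};

// In a real CLI the chosen level would come from a --audit-level flag and the
// result would be assigned to process.exitCode; here it is only printed.
console.log('exit code at --audit-level=high:', exitCodeForAudit(SAMPLE_REPORTS, 'high'));       // 1
console.log('exit code at --audit-level=critical:', exitCodeForAudit(SAMPLE_REPORTS, 'critical')); // 0
```

Assigning to `process.exitCode` rather than calling `process.exit()` lets any pending writes (such as the restored package.json files from the earlier reports) finish before the process ends.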
https://www.npmjs.com/package/audit-ci
Would it be possible to integrate this with the above, or similar package to integrate lerna-audit with CI pipelines?
Currently struggling to run an auto npm audit fix on our lerna project which is configured to hoist. Have tried npx lerna-audit, but it seems to look for lock files in each package instead of following the lerna hoist conf route.
Cannot find module '@npmcli/arborist/lib/update-root-package-json'
For those who are desperate enough to use the --force flag (e.g. npm audit fix --force).