

lerna-audit's Issues

package.json - EOF newline removed

Using lerna-audit (1.2.0) on my package.jsons generated by npm 6.14.5 results in the EOF newline being removed.

Looking at e.g. npm/npm#18545 or phetsims/perennial#156 I don't want to get into the territory of whether having the newline is "right" or not, but I think it would be in the interest of everyone if changes to those files were confined to version numbers.

$ git diff
──────────────────────────
modified: my-sub-package/package.json
──────────────────────────
@ my-sub-package/package.json:51 @
  }
}

}

\ No newline at end of file


FWIW lerna-audit uses JSON.stringify() to put the package.json back together once it has done its job. Maybe this could become a little more involved, respecting the original presence of a newline - one way or another.

lerna-audit reorders package.json properties even with --no-fix and when there are no vulnerabilities

lerna-audit reorders the properties in package.json files even when the --no-fix flag is used and there are no vulnerabilities. As well as randomly changing files in the Git working directory, this causes problems when it's used as pre-publish check, as the publish then fails because the working directory is not clean.

I think it should restore the original unchanged files if the user specifies --no-fix, or if no vulnerabilities were detected. What it actually does is re-save the file via arborist in all scenarios other than an error being thrown, which is where the reordering comes from.

There are a couple of scenarios in which package.json can change unexpectedly. The first is if your dependencies are not alphabetically ordered - arborist sorts them. The second is when your dependencies are only other Lerna packages - lerna-audit strips them all out of package.json for audit to run, leaving no dependencies. Arborist is asked to update this file, and as there are no existing dependencies to update, it just appends them at the end. Same for dev dependencies.

Ideally (in my opinion), lerna-audit would make minimal changes to package.json even when fixing vulnerabilities. This reordering seems a little unexpected.

There is a somewhat-related issue + PR about a new version of arborist: #25. I'd suggest dropping it altogether: update the original JSON with the new version numbers and save the stringify-ed result.

I'm using lerna-audit 1.3.1.

Aborting lerna-audit (Ctrl+C) should restore original package.json

As a user, I want lerna-audit to restore the original package.json in case I abort the process, so that my package.json is not corrupted.

Additional information
When I abort the process currently, the resulting package.json lacks the lerna-internal-dependencies stored in memory. If you rerun the process, it might be successful, but the lerna-internal-dependencies are still lost. Therefore one should think about restoring the original package.json in case of a SIGKILL or SIGINT.

Feature request: scan only, do not fix

We'd like to use this plugin as a purely scanning tool that doesn't automatically fix problems. This request is for a command line argument to allow that behavior.

Expected lerna-audit to remove ELOCKVERIFY errors

I'm using lerna's --hoist feature in a monorepo project and ran across this Lerna issue around audits. I was hoping that using this package would make running the audits easier, so I'm wondering whether it is expected that we run npm install in the individual packages before running npx lerna-audit? After running the individual installs and then re-running npx lerna-audit, the reports were generated.

This module does not return the right status codes.

Let's say I run lerna-audit from the root of my directory with the --no-fix option, and vulnerabilities are found; running echo $? to check the execution status does not return a non-zero status code.

For instance npm audit --audit-level=high returns a status code of 1 if high | critical vulnerabilities are found.

Would you be open to adding the right status code outputs to this CLI tool along with the --audit-level flag? This would come in handy when using it with a build / CI system. I am happy to send a PR, please let me know.

Any plans to make this work with hoisted lerna projects?

Currently struggling to run an auto npm audit fix on our lerna project which is configured to hoist. Have tried npx lerna-audit but it seems to look for lock files in each package instead of following the lerna hoist conf route.
