Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(github-actions): support npm for audit action #2297

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(github-actions): support npm for audit action #2297

wants to merge 1 commit into from

Conversation

fpaul-1A
Copy link
Contributor

@fpaul-1A fpaul-1A commented Oct 17, 2024
edited
Loading

Proposed change

Related issues

@fpaul-1A fpaul-1A requested a review from a team as a code owner October 17, 2024 09:36
@nx-cloud Nx Cloud
Copy link

nx-cloud bot commented Oct 17, 2024
edited
Loading

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 9a8df69. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution

✅ Successfully ran 10 targets

Sent with 💌 from NxCloud.

@fpaul-1A fpaul-1A linked an issue Oct 17, 2024 that may be closed by this pull request
[Feature] Audit GH Action to support npm #2292
Open
@fpaul-1A fpaul-1A force-pushed the feat/audit-npm branch 2 times, most recently from 7de1f97 to 03e4ceb Compare October 17, 2024 12:42
vscaiceanu-1a
vscaiceanu-1a reviewed Oct 17, 2024
View reviewed changes
tools/github-actions/audit/action.yml Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Outdated Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Outdated Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Outdated Show resolved Hide resolved
tools/github-actions/audit/src/main.ts Show resolved Hide resolved
kpanot
kpanot reviewed Oct 17, 2024
View reviewed changes
tools/github-actions/audit/src/reports.ts Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Outdated Show resolved Hide resolved
tools/github-actions/audit/src/reports.ts Show resolved Hide resolved
tools/github-actions/audit/tsconfig.build.json Show resolved Hide resolved
tools/github-actions/audit/tsconfig.eslint.json Outdated Show resolved Hide resolved
@fpaul-1A fpaul-1A force-pushed the feat/audit-npm branch 2 times, most recently from 95330bd to b052bf7 Compare October 17, 2024 15:05
cpaulve-1A
cpaulve-1A reviewed Oct 18, 2024
View reviewed changes
tools/github-actions/audit/src/reports.ts
return { highestSeverityFound, nbVulnerabilities };
}

function updateReportWithVulnerability(currentReport: OtterAuditReport, severityThreshold: Severity, vulnerability: OtterAdvisory): OtterAuditReport {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it makes sense to also update the highest vulnerability found here?
(and no handle it in a separate loop ?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is only needed for Yarn4 because it doesn't provide a summary
The loop to find the highest severity actually loops only over 5 elements, it's not the same loop as the one on the list of vulnerabilities
So no, I don't think there is any reason not to trust the summary and compute the highest severity on our own

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kpanot kpanot kpanot left review comments

@vscaiceanu-1a vscaiceanu-1a vscaiceanu-1a left review comments

@cpaulve-1A cpaulve-1A cpaulve-1A left review comments

@matthieu-crouzet matthieu-crouzet matthieu-crouzet approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request project:audit-gh-action project:cascading-gh-action project:get-npm-tag-gh-action project:new-version-gh-action
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Feature] Audit GH Action to support npm
5 participants
@fpaul-1A @kpanot @matthieu-crouzet @vscaiceanu-1a @cpaulve-1A