feat: new --exclude and --ignore CLI options. #345

Merged
13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -114,6 +114,8 @@ success Already up-to-date.
| `--symlink` | Symlink type for `node_modules` ref | `junction` for Windows, `dir` otherwise | |
| `--temp` | Directory for temporary assets | `<cwd>/node_modules/.cache/yarn-audit-fix` | |
| `--verbose` | Switch log level to verbose/debug | `false` | |
| `--exclude` | Array of glob patterns of packages to exclude from audit | | |
| `--ignore` | Array of glob patterns of advisory IDs to ignore in the audit report | | |

### ENV
All mentioned above CLI options can be replaced with the corresponding env variables with leading **YAF** prefix. For example:
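Review bot: The two new table rows (`--exclude`, `--ignore`) describe the value as an "Array of glob patterns" but do not say how to pass more than one; since `cli.ts` accumulates repeated flags, document the form `--exclude <pattern> --exclude <pattern>`, and say in the ENV paragraph that `YAF_EXCLUDE` / `YAF_IGNORE` carry a single value, because the env default is handed to commander as one string. Both rows should also state the yarn >=3.3.0 requirement that the troubleshooting section further down depends on.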
Expand Down Expand Up @@ -338,6 +340,13 @@ yarn add yarn-audit-fix -D --ignore-engines
```

### Response Code: 400 (Bad Request)

In some cases **yarn npm audit** fails because the `yarn.lock` file contains a transitive dependency in unreadable format:
```
'example-dependency': 'npm:[email protected]'
```

This will results in:
```shell
invoke yarn npm audit --all --json --recursive
➤ YN0035: Bad Request
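Review bot: "This will results in:" should read "This results in:", and the lockfile example `'example-dependency': 'npm:[email protected]'` looks like a redaction artifact rather than a real `yarn.lock` entry; show the actual alias line as it appears in the lockfile so readers can recognize the case that triggers YN0035.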
Expand All @@ -347,6 +356,10 @@ invoke yarn npm audit --all --json --recursive
```
https://github.com/yarnpkg/berry/issues/4117

A workaround is available using the `exclude` option:
1. Update project **yarn** to >=3.3.0 (lower version doesn't support this parameter for **yarn npm audit**).
2. Apply `npx yarn-audit-fix --exclude example-dependency`. This will cause **yarn** to ignore `example-dependency` while creating the audit report.

## Contributing
Feel free to open any issues: bugs, feature requests or other questions.
You're always welcome to suggest a PR. Just fork this repo, write some code, add some tests and push your changes.
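Review bot: Step 2 of the workaround should spell out what is lost: a package excluded from `yarn npm audit` is not merely skipped while building the report, its advisories (and those of the dependency behind the unreadable entry) are not reported at all, so the exclusion should be limited to the single package that triggers YN0035 and removed again once the lockfile entry is fixed. Step 1's `>=3.3.0` matches the guard in `stages.ts`; keep the README and the code comment there in agreement.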
24 changes: 24 additions & 0 deletions src/main/ts/cli.ts
Expand Up @@ -6,6 +6,18 @@ import { Command, Option } from 'commander'

import { run } from './runner'

const parseMultipleValueArg = (
value: string,
previous: string | string[] | undefined,
) => {
if (!previous) {
return value
}

const previousArray = Array.isArray(previous) ? previous : [previous]
return previousArray.concat([value])
}

const env = process.env
const flags = new Command()
.addOption(
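Review bot: `parseMultipleValueArg` returns a bare string on the first call and an array afterwards, so `flags.exclude` is `string | string[]` and every consumer must handle both shapes (`util.ts` does); returning `[value]` when `previous` is falsy gives one type. Also, commander passes the option's default as `previous` on the first call, so with `YAF_EXCLUDE=foo` set, `--exclude bar` yields `['foo', 'bar']` instead of overriding the env value the way the other options do; if that merge is intended, the README should say so, otherwise drop the env default from the accumulation.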
Expand All @@ -22,6 +34,12 @@ const flags = new Command()
'Get an idea of what audit fix will do',
env.YAF_DRY_RUN,
)
.option(
'--exclude <path>',
'Array of glob patterns of packages to exclude from audit',
parseMultipleValueArg,
env.YAF_EXCLUDE,
)
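Review bot: The placeholder `<path>` on `--exclude` contradicts the description ("glob patterns of packages"), and using `env.YAF_EXCLUDE` as the default means the env form can carry only one pattern while the CLI form accumulates; either document that limit or split the env value (for example on commas) into an array before handing it to commander.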
.addOption(
new Option('--flow [flow]', 'Define how `yarn.lock` is modified')
.choices(['convert', 'patch'])
Expand All @@ -32,6 +50,12 @@ const flags = new Command()
'Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones',
env.YAF_FORCE,
)
.option(
'--ignore <id>',
'Array of glob patterns of advisory IDs to ignore in the audit report',
parseMultipleValueArg,
env.YAF_IGNORE,
)
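Review bot: The `--ignore <id>` help text should state that the IDs are advisory IDs as yarn interprets them and that both new flags require yarn >=3.3.0; the README says so, but `--help` output will not, and that is where users will look when the audit fails on an older yarn.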
.option(
'--ignore-engines [bool]',
'Ignore engines check',
8 changes: 7 additions & 1 deletion src/main/ts/lockfile/v2.ts
Expand Up @@ -108,7 +108,13 @@ export const audit = (
},
},
}
const _flags = formatFlags(mapFlags(flags, mapping), 'groups', 'verbose')
const _flags = formatFlags(
mapFlags(flags, mapping),
'exclude',
'ignore',
'groups',
'verbose',
)
const report = invoke(
bins.yarn,
['npm', 'audit', '--all', '--json', '--recursive', ..._flags],
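Review bot: `exclude` and `ignore` are forwarded to `yarn npm audit` unconditionally here, while the version check in `stages.ts` only warns; on yarn below 3.3.0 the audit will therefore fail on the unknown option right after the warning is printed. Either drop the two keys from the picklist when `versions.yarn` is below 3.3.0, or abort in `printRuntimeDigest` instead of warning.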
10 changes: 10 additions & 0 deletions src/main/ts/stages.ts
Expand Up @@ -68,6 +68,14 @@ export const printRuntimeDigest: TCallback = ({
)
}

// NOTE yarn > v3.3.0 fixed plugin-npm-cli minor compatibility
// https://github.com/yarnpkg/berry/pull/4356#issuecomment-1316653931
if (semver.gt('3.3.0', versions.yarn) && (flags.exclude || flags.ignore)) {
console.warn(
`This project yarn version ${versions.yarn} doesn't support the 'exclude' and 'ignore' flags. Please upgrade to yarn 3.3.0 or higher to use those flags`,
)
}

if (semver.gt(versions.yafLatest, versions.yaf)) {
console.warn(
`yarn-audit-fix version ${versions.yaf} is out of date. Install the latest ${versions.yafLatest} for better results`,
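Review bot: The comment says `yarn > v3.3.0` while `semver.gt('3.3.0', versions.yarn)` treats 3.3.0 itself as supported (matching the README's `>=3.3.0`); fix the comment. `semver.gt` throws on an invalid version string, so guard with `semver.valid(versions.yarn)` unless `versions.yarn` is already normalized, and since execution continues after the warning, the message should say whether the flags are being ignored or the run is expected to fail.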
Expand Down Expand Up @@ -155,7 +163,9 @@ export const npmAuditFix: TCallback = ({ temp, flags, bins }) => {
{ ...defaultFlags, ...flags },
'audit-level',
'dry-run',
'exclude',
'force',
'ignore',
'loglevel',
'legacy-peer-deps',
'only',
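Review bot: `npm audit fix` has no `--exclude` or `--ignore` option, so adding both keys to the `npmAuditFix` picklist forwards unknown flags to npm; if the intent is only to let yarn's audit skip these packages, leave them out of this picklist, otherwise add a test that pins down what npm does with them.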
12 changes: 9 additions & 3 deletions src/main/ts/util.ts
Expand Up @@ -71,10 +71,16 @@ export const formatFlags = (flags: TFlags, ...picklist: string[]): string[] =>
const flag = formatFlag(key)

if (checkValue(key, value, omitlist, picklist)) {
memo.push(flag)
if (!Array.isArray(value)) {
memo.push(flag)

if (value !== true) {
memo.push(value)
if (value !== true) {
memo.push(String(value))
}
} else {
value.forEach((val) => {
memo.push(flag, String(val))
})
}
}

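Review bot: The array branch emits `--flag val` once per element, which is the repeated-option form yarn accumulates, but `checkValue` is consulted once for the whole array: an empty array (covered by the `{ exclude: [] }` test) passes through silently, which is fine, yet `['']` would still emit `--exclude ''`. Consider filtering empty strings, and check that every key that can reach this branch belongs to a CLI that accumulates repeats rather than taking the last value.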
11 changes: 10 additions & 1 deletion src/test/ts/runner.ts
Expand Up @@ -26,6 +26,8 @@ const noop = () => {
}
const fixtures = resolve(__dirname, '../fixtures/')
const registryUrl = 'https://example.com'
const dependency = 'example-package'
const scopedDependency = '@scope/package'
const strMatching = (start = '', end = '') =>
expect.stringMatching(new RegExp(`^${start}.+${end}$`))
const readFixture = (name: string): string =>
Expand Down Expand Up @@ -184,6 +186,10 @@ describe('yarn-audit-fix', () => {
'--verbose',
'--registry',
registryUrl,
'--exclude',
dependency,
'--exclude',
scopedDependency,
'--prefix',
expect.stringMatching(temp),
].filter((v) => v !== undefined),
Expand Down Expand Up @@ -241,7 +247,7 @@ describe('yarn-audit-fix', () => {
it('invokes cmd queue with proper args', async () => {
await run({
flow: 'patch',
temp
temp,
})

checkTempAssets()
Expand Down Expand Up @@ -282,6 +288,7 @@ describe('yarn-audit-fix', () => {
'package-lock-only': true,
registry: registryUrl,
flow: 'convert',
exclude: [dependency, scopedDependency],
ignoreEngines: true,
temp,
})
Expand Down Expand Up @@ -315,6 +322,8 @@ describe('yarn-audit-fix', () => {
'--package-lock-only=false',
`--registry=${registryUrl}`,
'--flow=convert',
`--exclude=${dependency}`,
`--exclude=${scopedDependency}`,
'--ignore-engines',
)
await reimport('../../main/ts/cli')
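Review bot: This covers only the repeated `--exclude=` CLI form; add a case for `YAF_EXCLUDE` (and for `--ignore`), because the env path goes through commander's default value and behaves differently from the repeated-flag path in `parseMultipleValueArg`.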
12 changes: 12 additions & 0 deletions src/test/ts/util.ts
Expand Up @@ -89,6 +89,18 @@ describe('util', () => {
['force', 'audit-level', 'only', 'bar', 'b'],
['--force', '--audit-level', 'moderate', '--only', 'dev'],
],
[{ exclude: [] }, ['exclude'], []],
[
{ exclude: ['@scope/package'] },
['exclude'],
['--exclude', '@scope/package'],
],
[
{ exclude: ['@scope/package', 'another-package'] },
['exclude'],
['--exclude', '@scope/package', '--exclude', 'another-package'],
],
[{ verbose: true, exclude: [] }, [], ['--verbose']],
]

cases.forEach(([input, picklist, output]) => {
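Review bot: The cases cover `exclude` as an array but not the single-string shape `parseMultipleValueArg` returns after one `--exclude`, nor `ignore` at all; add `[{ exclude: 'pkg' }, ['exclude'], ['--exclude', 'pkg']]`, an `ignore` case, and one with both `exclude` and `ignore` populated to pin down ordering.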