Yarn::Audit::Wrap
This is a ruby gem to parse the result of yarn audit --json
. You can filter
different levels of findings, and ignore specific findings for a set time.
It needs as input the json file, and a YAML configuration file with directives on individual findings to ignore.
Installation
Install the gem and add to the application's Gemfile by executing:
$ bundle add yarn-audit-wrap
If bundler is not being used to manage dependencies, install the gem by executing:
$ gem install yarn-audit-wrap
Usage
yarn-audit --file=<tmp/yarn-audit.json> --level=moderate,high,critical --ignorelist=<config/yarn-audit.yml>
All switches are optional, with defaults as shown above.
--help This.
--file json output from "yarn audit". Path is relative to app root.
--level comma separated list of severity strings (case insensitive).
INFO
LOW
MODERATE
HIGH
CRITICAL
or use "ALL" to select all levels.
--ignorelist path relative to app root, a YAML file containing list of packages to ignore, see below for format.
default = config/yarn-audit.yml
The ignorelist is a YAML file of an array of hashes
Sample YAML:
---
:ignore:
- github_advisory_id: GHSA-cj88-88mr-972w
:until: 2022-07-19
You can identify a finding by any key, github_advisory_id
, cve
, etc. Please use
the :until
key with a date in the future that will re-enable the finding to avoid
config pollution, as well as pushing for best-practices to remove vulnerable packages.
Possible future enhancements
The next logical step would be to implement a workflow that helps fix vulnerable npm packages.
There is currently no equivalent to npm audit --fix
for yarn, and ignoring the controversy
(https://github.com/yarnpkg/yarn/issues/7075), there are a number of workarounds
that are currently in place.
This will be the next step, but it is my hope that yarn implements the --fix
feature
and such a workaround will be unnecessary.
Development
After checking out the repo, run bin/setup
to install dependencies. Then, run rake test
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and the created tag, and push the .gem
file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/edk/yarn-audit-wrap
License
The gem is available as open source under the terms of the MIT License.