authorWhymarrh Whitby <whymarrh.whitby@gmail.com>2019-06-06 23:56:27 +0800
committerWhymarrh Whitby <whymarrh.whitby@gmail.com>2019-06-07 02:10:14 +0800
commitea142a4dd65c45694f663885d509aae147430f97 (patch)
tree9cb4a3c716a64eef740714e6d8da21886bd883ae /.circleci/scripts
parent569a8e59459c0a716b1528616925f39f7645da1e (diff)
ci: Enable npm audit check
Diffstat (limited to '.circleci/scripts')
-rwxr-xr-x.circleci/scripts/npm-audit12
-rw-r--r--.circleci/scripts/npm-audit-check.js24
2 files changed, 36 insertions, 0 deletions
diff --git a/.circleci/scripts/npm-audit b/.circleci/scripts/npm-audit
new file mode 100755
index 000000000..00a6876ff
--- /dev/null
+++ b/.circleci/scripts/npm-audit
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+if ! npm audit
+then
+ ! npm audit --json > audit.json
+ printf '%s\n' ''
+ node .circleci/scripts/npm-audit-check.js
+fi
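Review bot: `npm audit` is run twice — bare on the `if` line and again with `--json` on the next line — so the audit.json the node script gates on comes from a different registry query than the one that failed the `if`; a transient network error or an advisory published between the two calls makes the gate decide on data the first run never saw. Running the JSON audit once and deriving both the human-readable output and the check from that single file would close the gap; at minimum document it with `# second call re-queries the registry; its result may differ from the first`. The leading `!` is what stops `set -e` from aborting on the expected non-zero exit of the `--json` call, which deserves a comment since it reads like a bug. audit.json is also left behind in the workspace root after the script finishes; `trap 'rm -f audit.json' EXIT` would keep it from persisting into later CI steps.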
diff --git a/.circleci/scripts/npm-audit-check.js b/.circleci/scripts/npm-audit-check.js
new file mode 100644
index 000000000..2fb408add
--- /dev/null
+++ b/.circleci/scripts/npm-audit-check.js
@@ -0,0 +1,24 @@
+const path = require('path')
+const audit = require(path.join(__dirname, '..', '..', 'audit.json'))
+const error = audit.error
+const advisories = Object.keys(audit.advisories || []).map((k) => audit.advisories[k])
+
+if (error) {
+ process.exit(1)
+}
+
+let count = 0
+for (const advisory of advisories) {
+ if (advisory.severity === 'low') {
+ continue
+ }
+
+ count += advisory.findings.some((finding) => (!finding.dev && !finding.optional))
+}
+
+if (count > 0) {
+ console.log(`Audit shows ${count} moderate or high severity advisories _in the production dependencies_`)
+ process.exit(1)
+} else {
+ console.log(`Audit shows _zero_ moderate or high severity advisories _in the production dependencies_`)
+}
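Review bot: `count += advisory.findings.some(...)` in the loop relies on implicit boolean-to-number coercion; `if (advisory.findings.some((finding) => !finding.dev && !finding.optional)) { count += 1 }` states the intent without depending on `true` becoming `1`. The filter skips only `'low'`, so `critical` advisories and anything with an unexpected severity string are counted too — the safe direction — but both log messages say "moderate or high", which understates what fails the job; "moderate or higher" would match the code. `advisory.findings` is dereferenced without a guard, and `require` of audit.json will throw on malformed JSON; both cases exit non-zero and fail closed, which is acceptable for a CI gate but worth a one-line comment so nobody later adds a catch that swallows them.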