author | Mark Stacey <markjstacey@gmail.com> | 2019-07-25 06:54:16 +0800 |
committer | GitHub <noreply@github.com> | 2019-07-25 06:54:16 +0800 |
commit | 754f98aea227fd14709062d7fddde85c744f15b8 (patch) | |
tree | 3acfddaf0abe125b3e6d4264b80b4fb99053134a | |
parent | 049df23104132fea1d87ab6cf8a2be1fa55bd3f5 (diff) | |
Fix `npm-audit` script (#6908)
The npm audit script was auditing all dependencies, then filtering the
results to just the advisories concerning production dependencies. This
was done by checking the boolean `dev` and `optional` properties of each
`findings` entry in each advisory.
The `dev` and `optional` properties are now missing, which is resulting
in dev advisories being mistakenly identified as affecting production.
This check has been removed, and instead the `--production` flag is used
when calling `npm audit`. This accomplishes the same goal without
relying as much upon the audit output format.
The `--production` flag was added in `npm` `v6.10.0`, so `npm` has been
updated to the current latest stable (`v6.10.2`) for the `test-deps`
job. It was also updated on the `prep-deps-npm` job to ensure
consistency in behaviour. The other jobs only use `npm run` which hasn't
changed substantially in some time, so compatibility isn't really a
concern for those.
`audit.json` has also been added to `.gitignore`. It was accidentally
checked in once while working on this branch.
-rw-r--r-- | .circleci/config.yml | 6 | ||||
-rwxr-xr-x | .circleci/scripts/npm-audit | 4 | ||||
-rw-r--r-- | .circleci/scripts/npm-audit-check.js | 2 | ||||
-rw-r--r-- | .gitignore | 2 |
4 files changed, 11 insertions, 3 deletions
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 757db54e3..46ce9ef51 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -96,6 +96,9 @@ jobs:
 steps:
 - checkout
 - run:
+ name: Update npm
+ command: sudo npm install -g npm@6.10.2
+ - run:
 name: Install deps via npm
 command: |
 npm ci
@@ -176,6 +179,9 @@ jobs:
 - attach_workspace:
 at: .
 - run:
+ name: Update npm
+ command: sudo npm install -g npm@6.10.2
+ - run:
 name: npm audit
 command: .circleci/scripts/npm-audit
diff --git a/.circleci/scripts/npm-audit b/.circleci/scripts/npm-audit
index 00a6876ff..f38be2f0a 100755
--- a/.circleci/scripts/npm-audit
+++ b/.circleci/scripts/npm-audit
@@ -4,9 +4,9 @@ set -e
 set -u
 set -o pipefail
-if ! npm audit
+if ! npm audit --production
 then
- ! npm audit --json > audit.json
+ ! npm audit --production --json > audit.json
 printf '%s\n' ''
 node .circleci/scripts/npm-audit-check.js
 fi
diff --git a/.circleci/scripts/npm-audit-check.js b/.circleci/scripts/npm-audit-check.js
index 2fb408add..90bbebbd2 100644
--- a/.circleci/scripts/npm-audit-check.js
+++ b/.circleci/scripts/npm-audit-check.js
@@ -13,7 +13,7 @@ for (const advisory of advisories) {
 continue
 }
- count += advisory.findings.some((finding) => (!finding.dev && !finding.optional))
+ count += advisory.findings.length
 }
 if (count > 0) {
diff --git a/.gitignore b/.gitignore
index 132ba4338..71531d89e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@ npm-debug.log
 node_modules
 yarn.lock
+audit.json
+
 app/bower_components
 test/bower_components
 package |
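Review bot: The `Update npm` step is pasted verbatim into both jobs (the `-96` and `-176` hunks of `.circleci/config.yml`), so the pinned version `npm@6.10.2` now lives in two places and the next bump has to touch both. A YAML anchor on the first occurrence, `- &update-npm run:` with `- *update-npm` in the second job, keeps one source of truth without requiring a newer config schema; a `commands:` entry would do the same if the config is already version 2.1. The commit message explains why the other jobs are left on the image's npm; a one-line comment next to the pin, `# --production for npm audit needs npm >= 6.10.0`, would carry that reason into the file itself. Both `steps:` lists start before their hunks.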
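Review bot: The new `if ! npm audit --production` line and the `--json` rerun rely on npm >= 6.10.0, but the script itself carries no guard, and as far as I know npm does not reject an unrecognised `--flag` (it is treated as a config key), so on an older npm the script quietly audits devDependencies again, which is exactly the misclassification this commit sets out to fix. CI is covered by the pin in config.yml, but a local or future-image run is not; at minimum a comment above the `if`, `# --production requires npm >= 6.10.0; older npm ignores it and audits devDependencies too`, makes the coupling visible, and a check such as `npm --version` compared against 6.10.0 with a clear error would fail fast. Note also that the negated rerun `! npm audit --production --json > audit.json` masks every non-zero exit, so a registry or network failure would leave an empty or error-only `audit.json` for the node checker rather than aborting under `set -e`; whether the checker copes with that is outside this hunk. The file's preamble starts before the hunk.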
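Review bot: `count += advisory.findings.length` changes what `count` measures: the removed line added 0 or 1 per advisory, so `count` was a number of advisories, whereas the new line sums findings (install paths) across all advisories. The only use visible in the hunk is `if (count > 0)`, which is unaffected, but if `count` is later printed as a number of vulnerabilities or advisories that figure is now inflated whenever one advisory has several findings; `count += advisory.findings.length > 0 ? 1 : 0` drops the `dev`/`optional` check while keeping the old unit. A short comment such as `// with --production every finding is a production path, so no per-finding filter is needed` would also record why the filter went away. The `for` loop opens before the hunk and the `if` body continues after it.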