From 754f98aea227fd14709062d7fddde85c744f15b8 Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Wed, 24 Jul 2019 19:54:16 -0300 Subject: Fix `npm-audit` script (#6908) The npm audit script was auditing all dependencies, then filtering the results to just the advisories concerning production dependencies. This was done by checking the boolean `dev` and `optional` properties of each `findings` entry in each advisory. The `dev` and `optional` properties are now missing, which is resulting in dev advisories being mistakenly identified as affecting production. This check has been removed, and instead the `--production` flag is used when calling `npm audit`. This accomplishes the same goal without relying as much upon the audit output format. The `--production` flag was added in `npm` `v6.10.0`, so `npm` has been updated to the current latest stable (`v6.10.2`) for the `test-deps` job. It was also updated on the `prep-deps-npm` job to ensure consistency in behaviour. The other jobs only use `npm run` which hasn't changed substantially in some time, so compatibility isn't really a concern for those. `audit.json` has also been added to `.gitignore`. It was accidentally checked in once while working on this branch. --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) (limited to '.gitignore') diff --git a/.gitignore b/.gitignore index 132ba4338..71531d89e 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,8 @@ npm-debug.log node_modules yarn.lock +audit.json + app/bower_components test/bower_components package -- cgit v1.2.3
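Review bot: the `+audit.json` pattern in the `.gitignore` hunk is unanchored, so it ignores any file named `audit.json` in every directory of the repository, not just the `npm audit` output written at the repository root; if only the root-level artifact is meant, `/audit.json` is the more precise pattern. Since the commit message notes the file was accidentally checked in once while working on this branch, it is also worth confirming that it is no longer tracked (for example, `git ls-files audit.json` should return nothing), because an ignore rule does not affect a file that is already in the index.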