Add --extra-args to fix #298

README.md

@@ -271,6 +271,7 @@ scripts:
 |      | --retry-count     | The number of attempts audit-ci calls an unavailable registry before failing (default `5`)            |
 |      | --config          | Path to the audit-ci configuration file                                                               |
 |      | --skip-dev        | Skip auditing devDependencies (default `false`)                                                       |
+|      | --extra-args      | Extra arguments to pass to the underlying audit command (default: `[]`)                               |
 
 ### Config file specification
 
@@ -385,6 +386,23 @@ Or, with the CLI:
 npx audit-ci@^6 --report-type summary
 ```
 
+### Pass additional args to Yarn to exclude a certain package from audit
+
+With a `JSONC` config file, in a project on Yarn v3.3.0 or later:
+
+```jsonc
+{
+  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+  "extra-args": ["--exclude", "example"]
+}
+```
+
+Or, with the CLI:
+
+```sh
+npx audit-ci@^6 --extra-args '\--exclude' example
+```
+
 ### Example config file and different directory usage
 
 #### test/npm-config-file/audit-ci.jsonc

docs/schema.d.ts

@@ -112,4 +112,11 @@ export interface Schema {
    * @default false
    */
   "skip-dev"?: boolean;
+
+  /**
+   * Extra arguments to pass to the underlying audit command.
+   *
+   * @default []
+   */
+  "extra-args"?: string[];
 }

docs/schema.json

@@ -58,6 +58,14 @@
           "description": "The directory containing the package.json to audit.",
           "type": "string"
         },
+        "extra-args": {
+          "default": [],
+          "description": "Extra arguments to pass to the underlying audit command.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
         "high": {
           "default": false,
           "description": "Prevent integration with high or higher vulnerabilities.",

lib/config.ts

@@ -25,6 +25,15 @@ function mapReportTypeInput(
   }
 }
 
+function mapExtraArgumentsInput(
+  config: Pick<AuditCiPreprocessedConfig, "extra-args">
+) {
+  // These args will often be flags for another command, so we
+  // want to have some way of escaping args that start with a -.
+  // We'll look for and remove a single backslash at the start, if present.
+  return config["extra-args"].map((a) => a.replace(/^\\/, ""));
+}
+
 export type AuditCiPreprocessedConfig = {
   /** Exit for low or above vulnerabilities */
   l: boolean;
@@ -78,6 +87,8 @@ export type AuditCiPreprocessedConfig = {
   "pass-enoaudit": boolean;
   /** skip devDependencies */
   "skip-dev": boolean;
+  /** extra positional args for underlying audit command */
+  "extra-args": string[];
 };
 
 // Rather than exporting a weird union type, we resolve the type to a simple object.
@@ -163,6 +174,7 @@ function mapArgvToAuditCiConfig(argv: AuditCiPreprocessedConfig) {
     }),
     "report-type": mapReportTypeInput(argv),
     allowlist: allowlist,
+    "extra-args": mapExtraArgumentsInput(argv),
   };
   return result;
 }
@@ -276,6 +288,11 @@ export async function runYargs(): Promise<AuditCiConfig> {
         describe: "Skip devDependencies",
         type: "boolean",
       },
+      "extra-args": {
+        default: [],
+        describe: "Pass additional arguments to the underlying audit command",
+        type: "array",
+      },
     })
     .help("help");
 

lib/npm-auditer.ts

@@ -12,6 +12,7 @@ async function runNpmAudit(
     registry,
     _npm,
     "skip-dev": skipDevelopmentDependencies,
+    "extra-args": extraArguments,
   } = config;
   const npmExec = _npm || "npm";
 
@@ -32,6 +33,9 @@ async function runNpmAudit(
   if (skipDevelopmentDependencies) {
     arguments_.push("--production");
   }
+  if (extraArguments) {
+    arguments_.push(...extraArguments);
+  }
   const options = { cwd: directory };
   await runProgram(npmExec, arguments_, options, outListener, errorListener);
   if (stderrBuffer.length > 0) {

lib/pnpm-auditer.ts

@@ -16,6 +16,7 @@ async function runPnpmAudit(
     registry,
     _pnpm,
     "skip-dev": skipDevelopmentDependencies,
+    "extra-args": extraArguments,
   } = config;
   const pnpmExec = _pnpm || "pnpm";
 
@@ -45,6 +46,9 @@ async function runPnpmAudit(
   if (skipDevelopmentDependencies) {
     arguments_.push("--prod");
   }
+  if (extraArguments) {
+    arguments_.push(...extraArguments);
+  }
   const options = { cwd: directory };
   await runProgram(pnpmExec, arguments_, options, outListener, errorListener);
   if (stderrBuffer.length > 0) {

lib/yarn-auditer.ts

@@ -59,6 +59,7 @@ export async function audit(
     "output-format": outputFormat,
     _yarn,
     directory,
+    "extra-args": extraArguments,
   } = config;
   const yarnExec = _yarn || "yarn";
   let missingLockFile = false;
@@ -210,6 +211,9 @@ export async function audit(
       );
     }
   }
+  if (extraArguments) {
+    arguments_.push(...extraArguments);
+  }
   await runProgram(yarnExec, arguments_, options, outListener, errorListener);
   if (missingLockFile) {
     console.warn(

test/yarn-auditer.spec.js

@@ -372,10 +372,10 @@ describe("yarn-auditer", function testYarnAuditer() {
     expect(summary).to.eql(
       summaryWithDefault({
         failedLevelsFound: ["high", "moderate"],
-        advisoriesFound: ["GHSA-rvg8-pwq2-xj7q", "GHSA-38f5-ghc2-fcmv"],
+        advisoriesFound: ["GHSA-38f5-ghc2-fcmv", "GHSA-rvg8-pwq2-xj7q"],
         advisoryPathsFound: [
-          "GHSA-rvg8-pwq2-xj7q|audit-ci-yarn-workspace-moderate-vulnerability>base64url",
           "GHSA-38f5-ghc2-fcmv|audit-ci-yarn-workspace-high-vulnerability>cryo",
+          "GHSA-rvg8-pwq2-xj7q|audit-ci-yarn-workspace-moderate-vulnerability>base64url",
         ],
       })
     );
@@ -409,14 +409,14 @@ describe("yarn-auditer", function testYarnAuditer() {
         summaryWithDefault({
           failedLevelsFound: ["critical", "high", "moderate"],
           advisoriesFound: [
-            "GHSA-rvg8-pwq2-xj7q",
             "GHSA-28xh-wpgr-7fm8",
             "GHSA-38f5-ghc2-fcmv",
+            "GHSA-rvg8-pwq2-xj7q",
           ],
           advisoryPathsFound: [
-            "GHSA-rvg8-pwq2-xj7q|base64url",
             "GHSA-28xh-wpgr-7fm8|open",
             "GHSA-38f5-ghc2-fcmv|cryo",
+            "GHSA-rvg8-pwq2-xj7q|base64url",
           ],
         })
       );
@@ -437,10 +437,34 @@ describe("yarn-auditer", function testYarnAuditer() {
       expect(summary).to.eql(
         summaryWithDefault({
           failedLevelsFound: ["high", "moderate"],
-          advisoriesFound: ["GHSA-rvg8-pwq2-xj7q", "GHSA-38f5-ghc2-fcmv"],
+          advisoriesFound: ["GHSA-38f5-ghc2-fcmv", "GHSA-rvg8-pwq2-xj7q"],
           advisoryPathsFound: [
+            "GHSA-38f5-ghc2-fcmv|cryo",
             "GHSA-rvg8-pwq2-xj7q|base64url",
+          ],
+        })
+      );
+    }
+  );
+  (canRunYarnBerry ? it : it.skip)(
+    "reports summary with vulnerabilities in yarn berry workspaces with extra-args: --environment production",
+    async () => {
+      const summary = await audit(
+        config({
+          directory: testDirectory("yarn-berry-workspace"),
+          levels: { moderate: true },
+          "extra-args": ["--environment", "production"],
+          "report-type": "important",
+        }),
+        (_summary) => _summary
+      );
+      expect(summary).to.eql(
+        summaryWithDefault({
+          failedLevelsFound: ["high", "moderate"],
+          advisoriesFound: ["GHSA-38f5-ghc2-fcmv", "GHSA-rvg8-pwq2-xj7q"],
+          advisoryPathsFound: [
             "GHSA-38f5-ghc2-fcmv|cryo",
+            "GHSA-rvg8-pwq2-xj7q|base64url",
           ],
         })
       );