Filtering of vulnerabilities #26

Closed
wants to merge 5 commits into from

Conversation

welwood08 (Contributor)

This PR is my attempt to implement filtering of reported vulnerabilities based on various configurable parameters. I realise this is fairly sizeable and I might be touching too much, so please feel free to suggest areas that could be split into independent PRs, simplified, improved, done differently, squashed, etc.

Currently this implements #13 and npm/npm#20564.
I'd also like to implement npm/npm#20565 (making full use of things like paths, not just the advisory ID), but I'm looking for input from others on which information will be stored in package.json and its structure.
Once the dust has settled here, I'll send a complementary PR to the cli repo for the changes needed there.

Move functions used in multiple reporters into lib/utils.
Determine exit code in a consistent way across reporters that use an exit code.
Reduce levels of indentation and duplicated code in the more complex reporters.
The passed config object can now specify the booleans `excludeDev` and `excludeProd` to hide vulnerabilities affecting only those kinds of dependency. The default in both cases is false to preserve previous behaviour.
Prerequisite for npm/npm#20564.
The passed config object can now specify the string `severityThreshold` to hide less severe vulnerabilities. The (already-present) default 'info' threshold preserves the previous behaviour.
Implements npm#13.
The actual number of vulnerabilities of each severity did not match the counters in the metadata.
Made up enough new data using existing data as a template so actual numbers match the existing metadata numbers.
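To make the filtering behaviour described in the commit messages concrete, here is a stand-alone example added for this write-up; it is not code from this PR or from npm-audit-report. It assumes an npm 6 style `advisories` object keyed by advisory id, where each advisory carries a `severity` string and a `findings` array whose entries have a boolean `dev` flag (those field names are the only structural assumption). The config keys `excludeDev`, `excludeProd` and `severityThreshold` and their defaults follow the commit descriptions above; the severity ordering, the "dev-only" / "prod-only" interpretation and the `exitCode` helper are the example's own choices.

```javascript
// Added example, not the PR's code: filter audit advisories by the config
// keys described in the commits (excludeDev, excludeProd, severityThreshold).

// Assumed severity scale, least to most severe.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Map a severity name to its rank; unknown names are rejected rather than
// silently treated as "info", which would hide the misconfiguration.
function severityRank(name) {
  const rank = SEVERITY_ORDER.indexOf(name);
  if (rank === -1) {
    throw new Error(`unknown severity: ${name}`);
  }
  return rank;
}

// Return the advisories that survive the configured filters.
// Defaults (excludeDev=false, excludeProd=false, severityThreshold='info')
// keep every advisory, matching the "previous behaviour" in the commits.
function filterAdvisories(advisories, config = {}) {
  const {
    excludeDev = false,
    excludeProd = false,
    severityThreshold = 'info',
  } = config;
  const threshold = severityRank(severityThreshold);

  return Object.values(advisories).filter((adv) => {
    // Drop anything less severe than the threshold.
    if (severityRank(adv.severity) < threshold) return false;

    // An advisory affects "only" dev dependencies when every finding path is
    // a dev dependency; likewise for prod. A mixed advisory is never hidden
    // by excludeDev or excludeProd alone.
    const devOnly = adv.findings.every((f) => f.dev === true);
    const prodOnly = adv.findings.every((f) => f.dev !== true);
    if (excludeDev && devOnly) return false;
    if (excludeProd && prodOnly) return false;
    return true;
  });
}

// One place to decide the exit code for every reporter: non-zero only when
// something remains after filtering (assumed convention for this example).
function exitCode(filteredAdvisories) {
  return filteredAdvisories.length > 0 ? 1 : 0;
}

// Constructed sample input (ids and module names are made up).
const SAMPLE_ADVISORIES = {
  1001: { id: 1001, module_name: 'dev-linter', severity: 'low',
          findings: [{ version: '1.0.0', dev: true }] },
  1002: { id: 1002, module_name: 'http-lib', severity: 'high',
          findings: [{ version: '2.3.1', dev: false }] },
  1003: { id: 1003, module_name: 'shared-util', severity: 'critical',
          findings: [{ version: '0.9.0', dev: true },
                     { version: '0.9.0', dev: false }] },
  1004: { id: 1004, module_name: 'template-engine', severity: 'moderate',
          findings: [{ version: '4.2.0', dev: false }] },
};

// Convenience for exercising the filter with the sample data.
function sampleIds(config) {
  return filterAdvisories(SAMPLE_ADVISORIES, config).map((a) => a.id);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('default      :', sampleIds({}));
  console.log('excludeDev   :', sampleIds({ excludeDev: true }));
  console.log('excludeProd  :', sampleIds({ excludeProd: true }));
  console.log('threshold=high:', sampleIds({ severityThreshold: 'high' }));
}
```

Note that the mixed advisory (1003) survives both `excludeDev` and `excludeProd` on their own: hiding it under either flag would silently drop a vulnerability that still reaches production code, which is the failure mode a defender most wants to avoid when adding filters to an audit report.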
isaacs (Contributor) commented May 8, 2020

Closing out all issues and PRs from 2018 and 2019, since this module has been fundamentally refactored for version 2 (npm version 7). Happy to reopen if this is still a thing worth exploring (and it'll probably be easier now if so).

If we're going to add fancy filtering stuff like this, probably the best approach is to go through the rfc process. Post an issue or PR over on https://github.com/npm/rfcs and we can run through the discussion process. Thanks!
