
audit: env selection for report#125

Closed
larsgw wants to merge 2 commits into npm:release-next from larsgw:patch-13

Conversation

@larsgw
Contributor

@larsgw larsgw commented Dec 17, 2018

Select dependency environments with --only, --also and --production for
reports as well, instead of just for audit fix. Still reports the
filtered advisories, but changes the exit code (as is done with
advisories below --audit-level). Tests need updating due to the new way
of counting vulnerabilities.

See https://npm.community/t/3959
@larsgw larsgw requested a review from a team as a code owner December 17, 2018 20:56
@sneakypete81

Thanks very much for doing this.

Still reports the filtered advisories

Maybe I've misunderstood, but if I run npm audit --only=prod I wouldn't expect to see any advisories from dev dependencies.

@larsgw
Contributor Author

larsgw commented Dec 17, 2018

Maybe I've misunderstood, but if I run npm audit --only=prod I wouldn't expect to see any advisories from dev dependencies.

@sneakypete81 I know, but that requires either modifying the audit report, which could have unintended side effects, or changing all the reporters. Since --audit-level also reports advisories under the set severity (correct me if I'm wrong), this seemed like warranted behavior.

@mikecbrant

Anxiously awaiting merge. Thanks, @larsgw

@zkat zkat added the labels semver:minor (new backwards-compatible feature) and needs-discussion Jan 7, 2019
@evilpacket

I did a quick test of --audit-level and it worked as I would intend it to.

I would expect these flags to be passed along to the reporters and for them to act appropriately, such as @sneakypete81 suggests when I say --only=prod to not show advisories that pertain to dev dependencies.

Looks like npm audit help would also need some updating to represent the new flags, but I'm not sure of the standard that's been set forth by the cli team for these things.

@iarna
Contributor

iarna commented Jan 8, 2019

As Adam suggests, docs should be added to doc/cli/npm-audit.md and doc/misc/npm-config.md

Reporter filters go in https://github.com/npm/npm-audit-report/pulls and should be PRed there (please add a note here when they are)

@larsgw
Contributor Author

larsgw commented Jan 17, 2019

I added the docs. --audit-level doesn't filter the reports on my end (v6.5.0), should I add that as well as the env filters?

$ npm ini -y
$ npm i underscore.string@3.3.4
$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install underscore.string@3.3.5  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/745                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 1 moderate severity vulnerability in 3 scanned packages
  run `npm audit fix` to fix 1 of them.

$ echo $?
1

$ npm audit --audit-level high
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install underscore.string@3.3.5  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ underscore.string                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/745                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 1 moderate severity vulnerability in 3 scanned packages
  run `npm audit fix` to fix 1 of them.

$ echo $?
0

@zkat zkat force-pushed the release-next branch 5 times, most recently from db63b89 to b09bc8c, January 23, 2019 18:36
DrSensor added a commit to DrSensor/bot-byte that referenced this pull request Jan 30, 2019
mischah added a commit to micromata/Baumeister that referenced this pull request Feb 7, 2019
The security script might come back when this is merged and released:
npm/cli#125
mischah added a commit to micromata/Baumeister that referenced this pull request Feb 8, 2019
The security script might come back when this is merged and released:
npm/cli#125
mischah added a commit to micromata/cli-error-notifier that referenced this pull request Feb 11, 2019
The security script might come back when this is merged and released:
npm/cli#125
@perrosen

Any movement on this? Is there something I can do to help speed this up? This is one of my most wanted features for npm audit since launch. Seeing CI builds fail because of dev dependencies is becoming a real annoyance.

mischah added a commit to micromata/generator-baumeister that referenced this pull request Feb 18, 2019
The security check might come back when this is merged and released:
npm/cli#125
mischah added a commit to micromata/generator-baumeister that referenced this pull request Feb 18, 2019
The security script might come back when this is merged and released:
npm/cli#125
mischah added a commit to micromata/generator-baumeister that referenced this pull request Feb 18, 2019
…d and gone

The security check might come back when this is merged and released:
npm/cli#125
@MNF

MNF commented Dec 8, 2019

Is it similar to the implemented “Enable production flag for npm audit #202”?

@IPWright83

Are there updates on this at all? I've got builds failing on our pipeline (and similarly don't want to auto fix them during the build), but it's all because of jest dependencies - which really don't matter at runtime.

@lucasfevi

@IPWright83 there is now a production flag for npm audit on npm version v6.10+. Check the release notes: https://github.com/npm/cli/releases/tag/v6.10.0

@darcyclarke darcyclarke added the Priority Backlog label (a "backlogged" item that will be tracked in a Project Board) Mar 10, 2020
@SoerenHenning

Even though the --production flag is a nice improvement, we could only take full advantage of it if accompanied by a --development flag or so. Our use case is as follows: We would like to run npm audit as part of our build pipeline for both production and development dependencies. However, the build process should only fail for vulnerabilities in production. For vulnerabilities in dev dependencies, only a warning should be generated.

@darcyclarke darcyclarke added the Release 6.x label (work is associated with a specific npm 6 release) and removed the Priority Backlog label (a "backlogged" item that will be tracked in a Project Board) Oct 1, 2020
@darcyclarke darcyclarke modified the milestone: OSS - Sprint 17 Oct 5, 2020
Jah-yee pushed a commit to Jah-yee/cli that referenced this pull request Apr 16, 2026
* feat: add Application Default Credentials (ADC) support (npm#103)

Extends the credential chain in get_token() to include ADC as a 4th source:
  1. GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE env var
  2. Encrypted credentials (~/.config/gws/credentials.enc)
  3. Plaintext credentials (~/.config/gws/credentials.json)
  4. ADC — GOOGLE_APPLICATION_CREDENTIALS env var, then
     ~/.config/gcloud/application_default_credentials.json

Both authorized_user and service_account ADC formats are detected via the
'type' field and parsed accordingly.  This means users can authenticate with:
  gcloud auth application-default login --client-id-file=client_secret.json

and gws will automatically pick up those credentials.

Closes npm#103

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(auth): address review feedback on ADC support

- Extract duplicated JSON credential parsing into parse_credential_file()
  helper to reduce duplication between GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE
  and ADC code paths; uses serde_json::from_value to avoid second string parse
- Fix well-known ADC path on macOS: dirs::config_dir() returns
  ~/Library/Application Support on macOS, not ~/.config; use
  dirs::home_dir().join('.config/gcloud/...') instead
- Hard-error when GOOGLE_APPLICATION_CREDENTIALS points to a missing file
  (was: silently fall through to 'No credentials found')
- Add test_load_credentials_adc_env_var_service_account covering service
  account credentials loaded via GOOGLE_APPLICATION_CREDENTIALS
- Remove unnecessary unsafe blocks from env var tests (set_var/remove_var
  are not unsafe functions; thread safety is already handled by serial_test)
- Update changeset to include GOOGLE_WORKSPACE_CLI_TOKEN at top of lookup
  order and clarify ADC fallback behaviour

Addresses review feedback from jpoehnelt on npm#125.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Labels

Release 6.x (work is associated with a specific npm 6 release), semver:minor (new backwards-compatible feature)
