Project

yarn-audit-wrap

0.0
No release in over a year
yarn-audit-wrapedk/yarn-audit-wrapHomepageDocumentationSource CodeBug TrackerWiki
Script to parse and manage different levels of vulnerabilities from `yarn audit` in rails projects. Also features a way to temporarily or permanently ignore vulnerabilities, due to false positives or no alternatives for unfixed packages.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
2,301
Stars
2
Forks
0
Watchers
1
 Releases
Current version
0.4.0
Total releases
4
First release
2022-07-27
Latest release
2023-02-27
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2022-09-19
Reverse Dependencies
0

 Dependencies

Development

debug
>= 0
guard
>= 0
guard-minitest
>= 0
guard-standardrb
>= 0
minitest-reporters
>= 0
pry
>= 0

Runtime

activesupport
~> 7.0
 Project Readme

Yarn::Audit::Wrap

This is a ruby gem to parse the result of yarn audit --json. You can filter different levels of findings, and ignore specific findings for a set time.

It needs as input the json file, and a YAML configuration file with directives on individual findings to ignore.

Installation

Install the gem and add to the application's Gemfile by executing:

$ bundle add yarn-audit-wrap

If bundler is not being used to manage dependencies, install the gem by executing:

$ gem install yarn-audit-wrap

Usage

yarn-audit --file=<tmp/yarn-audit.json> --level=moderate,high,critical --ignorelist=<config/yarn-audit.yml>

All switches are optional, with defaults as shown above.

--help         This.
--file         json output from "yarn audit". Path is relative to app root.
--level        comma separated list of severity strings (case insensitive).
               INFO
               LOW
               MODERATE
               HIGH
               CRITICAL
               or use "ALL" to select all levels.
--ignorelist   path relative to app root, a YAML file containing list of packages to ignore, see below for format.
              default = config/yarn-audit.yml

The ignorelist is a YAML file of an array of hashes

Sample YAML:

---
:ignore:
- github_advisory_id: GHSA-cj88-88mr-972w
  :until: 2022-07-19

You can identify a finding by any key, github_advisory_id, cve, etc. Please use the :until key with a date in the future that will re-enable the finding to avoid config pollution, as well as pushing for best-practices to remove vulnerable packages.

Possible future enhancements

The next logical step would be to implement a workflow that helps fix vulnerable npm packages. There is currently no equivalent to npm audit --fix for yarn, and ignoring the controversy (yarnpkg/yarn#7075), there are a number of workarounds that are currently in place.

This will be the next step, but it is my hope that yarn implements the --fix feature and such a workaround will be unnecessary.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/edk/yarn-audit-wrap

License

The gem is available as open source under the terms of the MIT License.