1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-23 09:52:26 +01:00
metamask-extension/.circleci/scripts/yarn-audit.sh

25 lines
995 B
Bash
Raw Normal View History

Switch from `npm` to `yarn` (#6843) As a solution to the constant lockfile churn issues we've had with `npm`, the project now uses `yarn` to manage dependencies. The `package-lock.json` file has been replaced with `yarn.lock`, which was created using `yarn import`. It should approximate the contents of `package-lock.json` fairly well, though there may be some changes due to deduplication. The codeowners file has been updated to reference this new lockfile. All documentation and npm scripts have been updated to reference `yarn` rather than `npm`. Note that running scripts using `npm run` still works fine, but it seemed better to switch those to `yarn` as well to avoid confusion. The `npm-audit` Bash script has been replaced with `yarn-audit`. The output of `yarn audit` is a bit different than `npm audit` in that it returns a bitmask to describe which severity issues were found. This made it simpler to check the results directly from the Bash script, so the associated `npm-audit-check.js` script was no longer required. The output should be exactly the same, and the information is still sourced from the same place (the npm registry). The new `yarn-audit` script does have an external dependency: `jq`. However, `jq` is already assumed to be present by another CI script, and is present on all CI images we use. `jq` was not added to `package.json` as a dependency because there is no official package on the npm registry, just wrapper scripts. We don't need it anywhere exept on CI anyway. The section in `CONTRIBUTING` about how to develop inside the `node_modules` folder was removed, as the advice was a bit dated, and wasn't specific to this project anyway.
2019-07-30 20:36:23 +02:00
#!/usr/bin/env bash
set -e
Switch from `npm` to `yarn` (#6843) As a solution to the constant lockfile churn issues we've had with `npm`, the project now uses `yarn` to manage dependencies. The `package-lock.json` file has been replaced with `yarn.lock`, which was created using `yarn import`. It should approximate the contents of `package-lock.json` fairly well, though there may be some changes due to deduplication. The codeowners file has been updated to reference this new lockfile. All documentation and npm scripts have been updated to reference `yarn` rather than `npm`. Note that running scripts using `npm run` still works fine, but it seemed better to switch those to `yarn` as well to avoid confusion. The `npm-audit` Bash script has been replaced with `yarn-audit`. The output of `yarn audit` is a bit different than `npm audit` in that it returns a bitmask to describe which severity issues were found. This made it simpler to check the results directly from the Bash script, so the associated `npm-audit-check.js` script was no longer required. The output should be exactly the same, and the information is still sourced from the same place (the npm registry). The new `yarn-audit` script does have an external dependency: `jq`. However, `jq` is already assumed to be present by another CI script, and is present on all CI images we use. `jq` was not added to `package.json` as a dependency because there is no official package on the npm registry, just wrapper scripts. We don't need it anywhere exept on CI anyway. The section in `CONTRIBUTING` about how to develop inside the `node_modules` folder was removed, as the advice was a bit dated, and wasn't specific to this project anyway.
2019-07-30 20:36:23 +02:00
set -u
set -x
Switch from `npm` to `yarn` (#6843) As a solution to the constant lockfile churn issues we've had with `npm`, the project now uses `yarn` to manage dependencies. The `package-lock.json` file has been replaced with `yarn.lock`, which was created using `yarn import`. It should approximate the contents of `package-lock.json` fairly well, though there may be some changes due to deduplication. The codeowners file has been updated to reference this new lockfile. All documentation and npm scripts have been updated to reference `yarn` rather than `npm`. Note that running scripts using `npm run` still works fine, but it seemed better to switch those to `yarn` as well to avoid confusion. The `npm-audit` Bash script has been replaced with `yarn-audit`. The output of `yarn audit` is a bit different than `npm audit` in that it returns a bitmask to describe which severity issues were found. This made it simpler to check the results directly from the Bash script, so the associated `npm-audit-check.js` script was no longer required. The output should be exactly the same, and the information is still sourced from the same place (the npm registry). The new `yarn-audit` script does have an external dependency: `jq`. However, `jq` is already assumed to be present by another CI script, and is present on all CI images we use. `jq` was not added to `package.json` as a dependency because there is no official package on the npm registry, just wrapper scripts. We don't need it anywhere exept on CI anyway. The section in `CONTRIBUTING` about how to develop inside the `node_modules` folder was removed, as the advice was a bit dated, and wasn't specific to this project anyway.
2019-07-30 20:36:23 +02:00
set -o pipefail
# use `improved-yarn-audit` since that allows for exclude
# exclude 1002401 until we remove use of 3Box, 1002581 until we can find a better solution
yarn run improved-yarn-audit --ignore-dev-deps --min-severity moderate --exclude 1002401,1002581,GHSA-93q8-gq69-wqmw,GHSA-257v-vj4p-3w2h,GHSA-qrpm-p2h7-hrv2
Switch from `npm` to `yarn` (#6843) As a solution to the constant lockfile churn issues we've had with `npm`, the project now uses `yarn` to manage dependencies. The `package-lock.json` file has been replaced with `yarn.lock`, which was created using `yarn import`. It should approximate the contents of `package-lock.json` fairly well, though there may be some changes due to deduplication. The codeowners file has been updated to reference this new lockfile. All documentation and npm scripts have been updated to reference `yarn` rather than `npm`. Note that running scripts using `npm run` still works fine, but it seemed better to switch those to `yarn` as well to avoid confusion. The `npm-audit` Bash script has been replaced with `yarn-audit`. The output of `yarn audit` is a bit different than `npm audit` in that it returns a bitmask to describe which severity issues were found. This made it simpler to check the results directly from the Bash script, so the associated `npm-audit-check.js` script was no longer required. The output should be exactly the same, and the information is still sourced from the same place (the npm registry). The new `yarn-audit` script does have an external dependency: `jq`. However, `jq` is already assumed to be present by another CI script, and is present on all CI images we use. `jq` was not added to `package.json` as a dependency because there is no official package on the npm registry, just wrapper scripts. We don't need it anywhere exept on CI anyway. The section in `CONTRIBUTING` about how to develop inside the `node_modules` folder was removed, as the advice was a bit dated, and wasn't specific to this project anyway.
2019-07-30 20:36:23 +02:00
audit_status="$?"
# Use a bitmask to ignore INFO and LOW severity audit results
# See here: https://yarnpkg.com/lang/en/docs/cli/audit/
audit_status="$(( audit_status & 11100 ))"
if [[ "$audit_status" != 0 ]]
then
count="$(yarn audit --level moderate --groups dependencies --json | tail -1 | jq '.data.vulnerabilities.moderate + .data.vulnerabilities.high + .data.vulnerabilities.critical')"
printf "Audit shows %s moderate or high severity advisories _in the production dependencies_\n" "$count"
exit 1
else
printf "Audit shows _zero_ moderate or high severity advisories _in the production dependencies_\n"
fi