ci: Enable npm audit check

.circleci/config.yml

@@ -17,9 +17,9 @@ workflows:
       - test-lint:
           requires:
             - prep-deps-npm
-      # - test-deps:
-      #     requires:
-      #       - prep-deps-npm
+      - test-deps:
+          requires:
+            - prep-deps-npm
       - test-e2e-chrome:
           requires:
             - prep-deps-npm
@@ -156,16 +156,16 @@ jobs:
           name: Test
           command: npm run lint
 
-  # test-deps:
-  #   docker:
-  #     - image: circleci/node:8.11.3-browsers
-  #   steps:
-  #     - checkout
-  #     - attach_workspace:
-  #         at: .
-  #     - run:
-  #         name: Test
-  #         command: sudo npm install -g npm@6 && npm audit
+  test-deps:
+    docker:
+      - image: circleci/node:8.15.1-browsers
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: npm audit
+          command: .circleci/scripts/npm-audit
 
   # test-e2e-beta-drizzle:
   #   docker:

.circleci/scripts/npm-audit

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+if ! npm audit
+then
+    ! npm audit --json > audit.json
+    printf '%s\n' ''
+    node .circleci/scripts/npm-audit-check.js
+fi

.circleci/scripts/npm-audit-check.js

@@ -0,0 +1,24 @@
+const path = require('path')
+const audit = require(path.join(__dirname, '..', '..', 'audit.json'))
+const error = audit.error
+const advisories = Object.keys(audit.advisories || []).map((k) => audit.advisories[k])
+
+if (error) {
+  process.exit(1)
+}
+
+let count = 0
+for (const advisory of advisories) {
+  if (advisory.severity === 'low') {
+    continue
+  }
+
+  count += advisory.findings.some((finding) => (!finding.dev && !finding.optional))
+}
+
+if (count > 0) {
+  console.log(`Audit shows ${count} moderate or high severity advisories _in the production dependencies_`)
+  process.exit(1)
+} else {
+  console.log(`Audit shows _zero_ moderate or high severity advisories _in the production dependencies_`)
+}