File Explorer

/var/lang/lib/node_modules/npm/lib/commands
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
1 dir
67 files
audit.js3.1 KB · 122 lines
1const npmAuditReport = require('npm-audit-report')2const ArboristWorkspaceCmd = require('../arborist-cmd.js')3const auditError = require('../utils/audit-error.js')4const { log, output } = require('proc-log')5const reifyFinish = require('../utils/reify-finish.js')6const VerifySignatures = require('../utils/verify-signatures.js')7 8class Audit extends ArboristWorkspaceCmd {9  static description = 'Run a security audit'10  static name = 'audit'11  static params = [12    'audit-level',13    'dry-run',14    'force',15    'json',16    'package-lock-only',17    'package-lock',18    'omit',19    'include',20    'foreground-scripts',21    'ignore-scripts',22    ...super.params,23  ]24 25  static usage = ['[fix|signatures]']26 27  static async completion (opts) {28    const argv = opts.conf.argv.remain29 30    if (argv.length === 2) {31      return ['fix', 'signatures']32    }33 34    switch (argv[2]) {35      case 'fix':36      case 'signatures':37        return []38      default:39        throw Object.assign(new Error(argv[2] + ' not recognized'), {40          code: 'EUSAGE',41        })42    }43  }44 45  async exec (args) {46    if (args[0] === 'signatures') {47      await this.auditSignatures()48    } else {49      await this.auditAdvisories(args)50    }51  }52 53  async auditAdvisories (args) {54    const fix = args[0] === 'fix'55    if (this.npm.config.get('package-lock') === false && fix) {56      throw this.usageError('fix cannot be used without a package-lock')57    }58    const reporter = this.npm.config.get('json') ? 'json' : 'detail'59    const Arborist = require('@npmcli/arborist')60    const opts = {61      ...this.npm.flatOptions,62      audit: true,63      path: this.npm.prefix,64      reporter,65      workspaces: this.workspaceNames,66    }67 68    const arb = new Arborist(opts)69    await arb.audit({ fix })70    if (fix) {71      await reifyFinish(this.npm, arb)72    } else {73      // will throw if there's an error, because this is an audit command74      auditError(this.npm, arb.auditReport)75      const result = npmAuditReport(arb.auditReport, {76        ...opts,77        chalk: this.npm.chalk,78      })79      process.exitCode = process.exitCode || result.exitCode80      output.standard(result.report)81    }82  }83 84  async auditSignatures () {85    if (this.npm.global) {86      throw Object.assign(87        new Error('`npm audit signatures` does not support global packages'), {88          code: 'EAUDITGLOBAL',89        }90      )91    }92 93    log.verbose('audit', 'loading installed dependencies')94    const Arborist = require('@npmcli/arborist')95    const opts = {96      ...this.npm.flatOptions,97      path: this.npm.prefix,98      workspaces: this.workspaceNames,99    }100 101    const arb = new Arborist(opts)102    const tree = await arb.loadActual()103    let filterSet = new Set()104    if (opts.workspaces && opts.workspaces.length) {105      filterSet =106        arb.workspaceDependencySet(107          tree,108          opts.workspaces,109          this.npm.flatOptions.includeWorkspaceRoot110        )111    } else if (!this.npm.flatOptions.workspacesEnabled) {112      filterSet =113        arb.excludeWorkspacesDependencySet(tree)114    }115 116    const verify = new VerifySignatures(tree, filterSet, this.npm, { ...opts })117    await verify.run()118  }119}120 121module.exports = Audit122