From 8bb92075a65f67da7f74d8fbbd0d27bcf70b560f Mon Sep 17 00:00:00 2001 From: LarrMarburger Date: Tue, 8 Aug 2023 20:02:09 +0200 Subject: [PATCH] Fix failing security tests This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures. --- .github/workflows/checks.security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checks.security.yaml b/.github/workflows/checks.security.yaml index 4d03041..543c05e 100644 --- a/.github/workflows/checks.security.yaml +++ b/.github/workflows/checks.security.yaml @@ -19,4 +19,4 @@ jobs: uses: ./.github/actions/setup-node - name: NPM audit - run: exit "$(npm audit)" # Since node 15.x, it does not fail with error if we don't explicitly exit + run: npm audit --omit=dev