-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: configurable audit level #31
feature: configurable audit level #31
Conversation
`npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm 👍 on this one, specially since all it does is modify the loglevel for failure. I'd like to get sign-off from @iarna and @npm/security-product to make sure this aligns with their ideas around audit, and the rest looks great. Thanks for writing tests and doing such a nicely-targeted feature! 🎉
p.s. feel free to ignore the CI failure. It's unrelated to your PR. |
I'm 👍 on this as it's a desired user feature to only break on certain levels of vulns and brings us closer to feature parity with legacy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, then! Woo!
I have created a wrapper for it, because `npm audit` itself _always_ fails if _any_ vulnerabilities are present, and we don't want to fail on low or moderate vulnerabilities. This issue has been PR'ed in npm, so if/when npm/cli#31 is merged and released then the command can be swapped for a basic `npm audit`.
implementation added in npm#31
[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@npmcli/arborist](https://togithub.com/npm/cli) | [`6.2.10` -> `6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>npm/cli (@​npmcli/arborist)</summary> ### [`v6.5.0`](https://togithub.com/npm/cli/releases/tag/v6.5.0) [Compare Source](https://togithub.com/npm/cli/compare/v6.4.0...v6.5.0) ##### NEW FEATURES - [`fc1a8d185`](https://togithub.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec) Backronym `npm ci` to `npm clean-install`. ([@​zkat](https://togithub.com/zkat)) - [`4be51a9cc`](https://togithub.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20) [#​81](https://togithub.com/npm/cli/pull/81) Adds 'Homepage' to outdated --long output. ([@​jbottigliero](https://togithub.com/jbottigliero)) ##### BUGFIXES - [`89652cb9b`](https://togithub.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb) [npm.community#1661](https://npm.community/t/https://npm.community/t/1661) Fix sign-git-commit options. They were previously totally wrong. ([@​zkat](https://togithub.com/zkat)) - [`414f2d1a1`](https://togithub.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4) [npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742) Set lowercase headers for npm audit requests. ([@​maartenba](https://togithub.com/maartenba)) - [`a34246baf`](https://togithub.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d) [#​75](https://togithub.com/npm/cli/pull/75) Fix `npm edit` handling of scoped packages. ([@​larsgw](https://togithub.com/larsgw))\* [`d3e8a7c72`](https://togithub.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73) [npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303) Make summary output for `npm ci` go to `stdout`, not `stderr`. ([@​alopezsanchez](https://togithub.com/alopezsanchez)) - [`71d8fb4a9`](https://togithub.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4) [npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3) Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly. ([@​macdja38](https://togithub.com/macdja38)) ##### DOCS UPDATES - [`b1a8729c8`](https://togithub.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50) [#​60](https://togithub.com/npm/cli/pull/60) Mention --otp flag when prompting for OTP. ([@​bakkot](https://togithub.com/bakkot)) - [`bcae4ea81`](https://togithub.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6) [#​64](https://togithub.com/npm/cli/pull/64) Clarify that git dependencies use the default branch, not just `master`. ([@​zckrs](https://togithub.com/zckrs)) - [`15da82690`](https://togithub.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499) [#​72](https://togithub.com/npm/cli/pull/72) `bash_completion.d` dir is sometimes found in `/etc` not `/usr/local`. ([@​RobertKielty](https://togithub.com/RobertKielty)) - [`8a6ecc793`](https://togithub.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495) [#​74](https://togithub.com/npm/cli/pull/74) Update OTP documentation for `dist-tag add` to clarify `--otp` is needed right now. ([@​scotttrinh](https://togithub.com/scotttrinh)) - [`dcc03ec85`](https://togithub.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3) [#​82](https://togithub.com/npm/cli/pull/82) Note that `prepare` runs when installing git dependencies. ([@​seishun](https://togithub.com/seishun)) - [`a91a470b7`](https://togithub.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067) [#​83](https://togithub.com/npm/cli/pull/83) Specify that --dry-run isn't available in older versions of npm publish. ([@​kjin](https://togithub.com/kjin)) - [`1b2fabcce`](https://togithub.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5) [#​96](https://togithub.com/npm/cli/pull/96) Fix inline code tag issue in docs. ([@​midare](https://togithub.com/midare)) - [`6cc70cc19`](https://togithub.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59) [#​68](https://togithub.com/npm/cli/pull/68) Add semver link and a note on empty string format to `deprecate` doc. ([@​neverett](https://togithub.com/neverett)) - [`61dbbb7c3`](https://togithub.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc) Fix semver docs after version update. ([@​zkat](https://togithub.com/zkat)) - [`4acd45a3d`](https://togithub.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e) [#​78](https://togithub.com/npm/cli/pull/78) Correct spelling across various docs. ([@​hugovk](https://togithub.com/hugovk)) ##### DEPENDENCIES - [`4f761283e`](https://togithub.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8) `figgy-pudding@3.5.1` ([@​zkat](https://togithub.com/zkat)) - [`3706db0bc`](https://togithub.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1) [npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764) `ssri@6.0.1` ([@​zkat](https://togithub.com/zkat)) - [`83c2b117d`](https://togithub.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6) `bluebird@3.5.2` ([@​petkaantonov](https://togithub.com/petkaantonov)) - [`2702f46bd`](https://togithub.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705) `ci-info@1.5.1` ([@​watson](https://togithub.com/watson)) - [`4db6c3898`](https://togithub.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04) `config-chain@1.1.1`:2 ([@​dawsbot](https://togithub.com/dawbot)) - [`70bee4f69`](https://togithub.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566) `glob@7.1.3` ([@​isaacs](https://togithub.com/isaacs)) - [`e469fd6be`](https://togithub.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de) `opener@1.5.1`: Fix browser opening under Windows Subsystem for Linux (WSL). ([@​thijsputman](https://togithub.com/thijsputman)) - [`03840dced`](https://togithub.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c) `semver@5.5.1` ([@​iarna](https://togithub.com/iarna)) - [`161dc0b41`](https://togithub.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b) `bluebird@3.5.3` ([@​petkaantonov](https://togithub.com/petkaantonov)) - [`bb6f94395`](https://togithub.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377) `graceful-fs@4.1.1`:5 ([@​isaacs](https://togithub.com/isaacs)) - [`43b1f4c91`](https://togithub.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607) `tar@4.4.8` ([@​isaacs](https://togithub.com/isaacs)) - [`ab62afcc4`](https://togithub.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80) `npm-packlist@1.1.1`:2 ([@​isaacs](https://togithub.com/isaacs)) - [`027f06be3`](https://togithub.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7) `ci-info@1.6.0` ([@​watson](https://togithub.com/watson)) ##### MISCELLANEOUS - [`27217dae8`](https://togithub.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca) [#​70](https://togithub.com/npm/cli/pull/70) Automatically audit dependency licenses for npm itself. ([@​kemitchell](https://togithub.com/kemitchell)) ### [`v6.4.0`](https://togithub.com/npm/cli/releases/tag/v6.4.0) [Compare Source](https://togithub.com/npm/cli/compare/v6.3.0...v6.4.0) ##### NEW FEATURES - [`6e9f04b0b`](https://togithub.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7) [npm/cli#8](https://togithub.com/npm/cli/pull/8) Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking `:_authToken`. ([@​mkhl](https://togithub.com/mkhl)) - [`84bfd23e7`](https://togithub.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022) [npm/cli#35](https://togithub.com/npm/cli/pull/35) Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually use IPv6 addresses when it must. ([@​valentin2105](https://togithub.com/valentin2105)) - [`792c8c709`](https://togithub.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd) [npm/cli#31](https://togithub.com/npm/cli/pull/31) configurable audit level for non-zero exit `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected. ([@​lennym](https://togithub.com/lennym)) ##### BUGFIXES - [`d81146181`](https://togithub.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c) [npm/cli#32](https://togithub.com/npm/cli/pull/32) Don't check for updates to npm when we are updating npm itself. ([@​olore](https://togithub.com/olore)) ##### DEPENDENCY UPDATES A very special dependency update event! Since the [release of `node-gyp@3.8.0`](https://togithub.com/nodejs/node-gyp/pull/1521), an awkward version conflict that was preventing `request` from begin flattened was resolved. This means two things: 1. We've cut down the npm tarball size by another 200kb, to 4.6MB 2. `npm audit` now shows no vulnerabilities for npm itself! Thanks, [@​rvagg](https://togithub.com/rvagg)! - [`866d776c2`](https://togithub.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6) `request@2.87.0` ([@​simov](https://togithub.com/simov)) - [`f861c2b57`](https://togithub.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f) `node-gyp@3.8.0` ([@​rvagg](https://togithub.com/rvagg)) - [`32e6947c6`](https://togithub.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9) [npm/cli#39](https://togithub.com/npm/cli/pull/39) `colors@1.1.2`: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. ([@​iarna](https://togithub.com/iarna)) - [`beb96b92c`](https://togithub.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335) `libcipm@2.0.1` ([@​zkat](https://togithub.com/zkat)) - [`348fc91ad`](https://togithub.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1) `validate-npm-package-license@3.0.4`: Fixes errors with empty or string-only license fields. ([@​Gudahtt](https://togithub.com/Gudahtt)) - [`e57d34575`](https://togithub.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550) `iferr@1.0.2` ([@​shesek](https://togithub.com/shesek)) - [`46f1c6ad4`](https://togithub.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c) `tar@4.4.6` ([@​isaacs](https://togithub.com/isaacs)) - [`50df1bf69`](https://togithub.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561) `hosted-git-info@2.7.1` ([@​iarna](https://togithub.com/iarna)) ([@​Erveon](https://togithub.com/Erveon)) ([@​huochunpeng](https://togithub.com/huochunpeng)) ##### DOCUMENTATION - [`af98e76ed`](https://togithub.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a) [npm/cli#34](https://togithub.com/npm/cli/pull/34) Remove `npm publish` from list of commands not affected by `--dry-run`. ([@​joebowbeer](https://togithub.com/joebowbeer)) - [`e2b0f0921`](https://togithub.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce) [npm/cli#36](https://togithub.com/npm/cli/pull/36) Tweak formatting in repository field examples. ([@​noahbenham](https://togithub.com/noahbenham)) - [`e2346e770`](https://togithub.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a) [npm/cli#14](https://togithub.com/npm/cli/pull/14) Used `process.env` examples to make accessing certain `npm run-scripts` environment variables more clear. ([@​mwarger](https://togithub.com/mwarger)) ### [`v6.3.0`](https://togithub.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05) ##### Features - [`67459e7`](https://togithub.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99) [#​6626](https://togithub.com/npm/cli/pull/6626) add `pkg fix` subcommand ([@​wraithgar](https://togithub.com/wraithgar)) ##### Bug Fixes - [`c61e037`](https://togithub.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc) [#​6626](https://togithub.com/npm/cli/pull/6626) use new load/create syntax for package-json ([@​wraithgar](https://togithub.com/wraithgar)) ##### Dependencies - [`b252164`](https://togithub.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee) [#​6626](https://togithub.com/npm/cli/pull/6626) `@npmcli/package-json@4.0.0` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@npmcli/arborist](https://togithub.com/npm/cli) | [`6.2.10` -> `6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>npm/cli (@​npmcli/arborist)</summary> ### [`v6.5.0`](https://togithub.com/npm/cli/releases/tag/v6.5.0) [Compare Source](https://togithub.com/npm/cli/compare/v6.4.0...v6.5.0) ##### NEW FEATURES - [`fc1a8d185`](https://togithub.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec) Backronym `npm ci` to `npm clean-install`. ([@​zkat](https://togithub.com/zkat)) - [`4be51a9cc`](https://togithub.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20) [#​81](https://togithub.com/npm/cli/pull/81) Adds 'Homepage' to outdated --long output. ([@​jbottigliero](https://togithub.com/jbottigliero)) ##### BUGFIXES - [`89652cb9b`](https://togithub.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb) [npm.community#1661](https://npm.community/t/https://npm.community/t/1661) Fix sign-git-commit options. They were previously totally wrong. ([@​zkat](https://togithub.com/zkat)) - [`414f2d1a1`](https://togithub.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4) [npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742) Set lowercase headers for npm audit requests. ([@​maartenba](https://togithub.com/maartenba)) - [`a34246baf`](https://togithub.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d) [#​75](https://togithub.com/npm/cli/pull/75) Fix `npm edit` handling of scoped packages. ([@​larsgw](https://togithub.com/larsgw))\* [`d3e8a7c72`](https://togithub.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73) [npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303) Make summary output for `npm ci` go to `stdout`, not `stderr`. ([@​alopezsanchez](https://togithub.com/alopezsanchez)) - [`71d8fb4a9`](https://togithub.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4) [npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3) Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly. ([@​macdja38](https://togithub.com/macdja38)) ##### DOCS UPDATES - [`b1a8729c8`](https://togithub.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50) [#​60](https://togithub.com/npm/cli/pull/60) Mention --otp flag when prompting for OTP. ([@​bakkot](https://togithub.com/bakkot)) - [`bcae4ea81`](https://togithub.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6) [#​64](https://togithub.com/npm/cli/pull/64) Clarify that git dependencies use the default branch, not just `master`. ([@​zckrs](https://togithub.com/zckrs)) - [`15da82690`](https://togithub.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499) [#​72](https://togithub.com/npm/cli/pull/72) `bash_completion.d` dir is sometimes found in `/etc` not `/usr/local`. ([@​RobertKielty](https://togithub.com/RobertKielty)) - [`8a6ecc793`](https://togithub.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495) [#​74](https://togithub.com/npm/cli/pull/74) Update OTP documentation for `dist-tag add` to clarify `--otp` is needed right now. ([@​scotttrinh](https://togithub.com/scotttrinh)) - [`dcc03ec85`](https://togithub.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3) [#​82](https://togithub.com/npm/cli/pull/82) Note that `prepare` runs when installing git dependencies. ([@​seishun](https://togithub.com/seishun)) - [`a91a470b7`](https://togithub.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067) [#​83](https://togithub.com/npm/cli/pull/83) Specify that --dry-run isn't available in older versions of npm publish. ([@​kjin](https://togithub.com/kjin)) - [`1b2fabcce`](https://togithub.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5) [#​96](https://togithub.com/npm/cli/pull/96) Fix inline code tag issue in docs. ([@​midare](https://togithub.com/midare)) - [`6cc70cc19`](https://togithub.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59) [#​68](https://togithub.com/npm/cli/pull/68) Add semver link and a note on empty string format to `deprecate` doc. ([@​neverett](https://togithub.com/neverett)) - [`61dbbb7c3`](https://togithub.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc) Fix semver docs after version update. ([@​zkat](https://togithub.com/zkat)) - [`4acd45a3d`](https://togithub.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e) [#​78](https://togithub.com/npm/cli/pull/78) Correct spelling across various docs. ([@​hugovk](https://togithub.com/hugovk)) ##### DEPENDENCIES - [`4f761283e`](https://togithub.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8) `figgy-pudding@3.5.1` ([@​zkat](https://togithub.com/zkat)) - [`3706db0bc`](https://togithub.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1) [npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764) `ssri@6.0.1` ([@​zkat](https://togithub.com/zkat)) - [`83c2b117d`](https://togithub.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6) `bluebird@3.5.2` ([@​petkaantonov](https://togithub.com/petkaantonov)) - [`2702f46bd`](https://togithub.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705) `ci-info@1.5.1` ([@​watson](https://togithub.com/watson)) - [`4db6c3898`](https://togithub.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04) `config-chain@1.1.1`:2 ([@​dawsbot](https://togithub.com/dawbot)) - [`70bee4f69`](https://togithub.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566) `glob@7.1.3` ([@​isaacs](https://togithub.com/isaacs)) - [`e469fd6be`](https://togithub.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de) `opener@1.5.1`: Fix browser opening under Windows Subsystem for Linux (WSL). ([@​thijsputman](https://togithub.com/thijsputman)) - [`03840dced`](https://togithub.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c) `semver@5.5.1` ([@​iarna](https://togithub.com/iarna)) - [`161dc0b41`](https://togithub.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b) `bluebird@3.5.3` ([@​petkaantonov](https://togithub.com/petkaantonov)) - [`bb6f94395`](https://togithub.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377) `graceful-fs@4.1.1`:5 ([@​isaacs](https://togithub.com/isaacs)) - [`43b1f4c91`](https://togithub.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607) `tar@4.4.8` ([@​isaacs](https://togithub.com/isaacs)) - [`ab62afcc4`](https://togithub.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80) `npm-packlist@1.1.1`:2 ([@​isaacs](https://togithub.com/isaacs)) - [`027f06be3`](https://togithub.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7) `ci-info@1.6.0` ([@​watson](https://togithub.com/watson)) ##### MISCELLANEOUS - [`27217dae8`](https://togithub.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca) [#​70](https://togithub.com/npm/cli/pull/70) Automatically audit dependency licenses for npm itself. ([@​kemitchell](https://togithub.com/kemitchell)) ### [`v6.4.0`](https://togithub.com/npm/cli/releases/tag/v6.4.0) [Compare Source](https://togithub.com/npm/cli/compare/v6.3.0...v6.4.0) ##### NEW FEATURES - [`6e9f04b0b`](https://togithub.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7) [npm/cli#8](https://togithub.com/npm/cli/pull/8) Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking `:_authToken`. ([@​mkhl](https://togithub.com/mkhl)) - [`84bfd23e7`](https://togithub.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022) [npm/cli#35](https://togithub.com/npm/cli/pull/35) Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually use IPv6 addresses when it must. ([@​valentin2105](https://togithub.com/valentin2105)) - [`792c8c709`](https://togithub.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd) [npm/cli#31](https://togithub.com/npm/cli/pull/31) configurable audit level for non-zero exit `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected. ([@​lennym](https://togithub.com/lennym)) ##### BUGFIXES - [`d81146181`](https://togithub.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c) [npm/cli#32](https://togithub.com/npm/cli/pull/32) Don't check for updates to npm when we are updating npm itself. ([@​olore](https://togithub.com/olore)) ##### DEPENDENCY UPDATES A very special dependency update event! Since the [release of `node-gyp@3.8.0`](https://togithub.com/nodejs/node-gyp/pull/1521), an awkward version conflict that was preventing `request` from begin flattened was resolved. This means two things: 1. We've cut down the npm tarball size by another 200kb, to 4.6MB 2. `npm audit` now shows no vulnerabilities for npm itself! Thanks, [@​rvagg](https://togithub.com/rvagg)! - [`866d776c2`](https://togithub.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6) `request@2.87.0` ([@​simov](https://togithub.com/simov)) - [`f861c2b57`](https://togithub.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f) `node-gyp@3.8.0` ([@​rvagg](https://togithub.com/rvagg)) - [`32e6947c6`](https://togithub.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9) [npm/cli#39](https://togithub.com/npm/cli/pull/39) `colors@1.1.2`: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. ([@​iarna](https://togithub.com/iarna)) - [`beb96b92c`](https://togithub.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335) `libcipm@2.0.1` ([@​zkat](https://togithub.com/zkat)) - [`348fc91ad`](https://togithub.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1) `validate-npm-package-license@3.0.4`: Fixes errors with empty or string-only license fields. ([@​Gudahtt](https://togithub.com/Gudahtt)) - [`e57d34575`](https://togithub.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550) `iferr@1.0.2` ([@​shesek](https://togithub.com/shesek)) - [`46f1c6ad4`](https://togithub.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c) `tar@4.4.6` ([@​isaacs](https://togithub.com/isaacs)) - [`50df1bf69`](https://togithub.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561) `hosted-git-info@2.7.1` ([@​iarna](https://togithub.com/iarna)) ([@​Erveon](https://togithub.com/Erveon)) ([@​huochunpeng](https://togithub.com/huochunpeng)) ##### DOCUMENTATION - [`af98e76ed`](https://togithub.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a) [npm/cli#34](https://togithub.com/npm/cli/pull/34) Remove `npm publish` from list of commands not affected by `--dry-run`. ([@​joebowbeer](https://togithub.com/joebowbeer)) - [`e2b0f0921`](https://togithub.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce) [npm/cli#36](https://togithub.com/npm/cli/pull/36) Tweak formatting in repository field examples. ([@​noahbenham](https://togithub.com/noahbenham)) - [`e2346e770`](https://togithub.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a) [npm/cli#14](https://togithub.com/npm/cli/pull/14) Used `process.env` examples to make accessing certain `npm run-scripts` environment variables more clear. ([@​mwarger](https://togithub.com/mwarger)) ### [`v6.3.0`](https://togithub.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05) ##### Features - [`67459e7`](https://togithub.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99) [#​6626](https://togithub.com/npm/cli/pull/6626) add `pkg fix` subcommand ([@​wraithgar](https://togithub.com/wraithgar)) ##### Bug Fixes - [`c61e037`](https://togithub.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc) [#​6626](https://togithub.com/npm/cli/pull/6626) use new load/create syntax for package-json ([@​wraithgar](https://togithub.com/wraithgar)) ##### Dependencies - [`b252164`](https://togithub.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee) [#​6626](https://togithub.com/npm/cli/pull/6626) `@npmcli/package-json@4.0.0` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This is a port of my old PR at npm/npm#20992
It allows
npm audit
to exit with a zero exit code if only vulnerabilities below a defined threshold are detected. The default is left atlow
so it should be wholly non-breaking.More discussion at https://npm.community/t/allow-a-configurable-vuln-level-to-make-npm-audit-fail/245/5