Add performing npm audit locally (#21151)

* Add performing npm audit locally

* Remove the fix attribute from the npm audit output

* Add the option to bypass the auditing step

* Add a command example to the contribute documentation

* Add the process exiting when we catch exception during auditing

Author: ivanduplenskikh

docs/contribute.md

@@ -100,6 +100,12 @@ npm run build
 node make.js build --task ShellScript
 ```
 
+## Build task with the bypassed auditing step
+
+```bash
+node make.js build --task ShellScript --BypassNpmAudit
+```
+
 ## Run Tests
 
 Tests for each task are located in Tests folder for each task.  To get additional debugging when you are running your tests, set the environment variable TASK_TEST_TRACE to 1.  This will cause additional logging to be printed to STDOUT.

make-util.js

@@ -1,15 +1,20 @@
-var check = require('validator').default;
-var fs = require('fs');
-var makeOptions = require('./make-options.json');
-var minimatch = require('minimatch');
-var ncp = require('child_process');
-var os = require('os');
-var path = require('path');
-var process = require('process');
-var semver = require('semver');
-var shell = require('shelljs');
-const { XMLParser } = require("fast-xml-parser");
-const Downloader = require("nodejs-file-downloader");
+const ncp = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const process = require('process');
+
+const { XMLParser } = require('fast-xml-parser');
+const minimatch = require('minimatch');
+const minimist = require('minimist');
+const Downloader = require('nodejs-file-downloader');
+const check = require('validator').default;
+const semver = require('semver');
+const shell = require('shelljs');
+
+const makeOptions = require('./make-options.json');
+
+const args = minimist(process.argv.slice(2));
 
 // global paths
 var repoPath = __dirname;
@@ -154,6 +159,42 @@ var getCommonPackInfo = function (modOutDir) {
 }
 exports.getCommonPackInfo = getCommonPackInfo;
 
+function performNpmAudit(taskPath) {
+    console.log('\n🛫 Running npm audit...');
+
+    if (process.env['TF_BUILD']) {
+        console.log(`\x1b[A\x1b[K⏭️  Skipping npm audit in build pipeline because it is not supported in the pipeline.`);
+        return;
+    }
+
+    if (args.BypassNpmAudit) {
+        console.log(`\x1b[A\x1b[K⏭️  Skipping npm audit because --BypassNpmAudit argument is set.`);
+        return;
+    }
+
+    try {
+        const auditResult = ncp.spawnSync('npm', ['audit', '--prefix', taskPath, '--audit-level=high'], {
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+
+        if (auditResult.error) {
+            console.log(`\x1b[A\x1b[K❌ npm audit failed because the build task at "${taskPath}" has vulnerable dependencies.`);
+            console.log('👉 Please see details by running the command');
+            console.log(`\tnpm audit --prefix ${taskPath}`);
+            console.log('or execute the command with --BypassNpmAudit argument to skip the auditing');
+            console.log(`\tnode make.js --build --task ${args.task} --BypassNpmAudit`);
+            process.exit(1);
+        } else {
+            console.log('\x1b[A\x1b[K✅ npm audit completed successfully.');
+        }
+    } catch (error) {
+        console.error('\x1b[A\x1b[K❌ "performNpmAudit" failed.');
+        console.error(error.message);
+        process.exit(1);
+    }
+}
+
 var buildNodeTask = function (taskPath, outDir, isServerBuild) {
     var originalDir = shell.pwd().toString();
     cd(taskPath);
@@ -191,6 +232,8 @@ var buildNodeTask = function (taskPath, outDir, isServerBuild) {
         cd(taskPath);
     }
 
+    performNpmAudit(taskPath);
+
     // Use the tsc version supplied by the task if it is available, otherwise use the global default.
     if (overrideTscPath) {
         var tscExec = path.join(overrideTscPath, "bin", "tsc");