
Commit 0ffdf7d

propagate --no-audit for npm and yarn (#366)
* don't audit * only npm it seems * Remove 'Unreleased' section from CHANGELOG Removed the 'Unreleased' section and its details from the CHANGELOG.
1 parent 0a32d05 commit 0ffdf7d

15 files changed

+84
-19
lines changed


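--- a/README.md
+++ b/README.md
@@ -380,6 +380,12 @@ Here are useful things to know that aren't obvious:
 add`, `upm remove`, `upm lock`, and `upm install` (it is just
 `--force` for `upm install` due to lack of ambiguity) in order to
 ignore the cache for cases (1) and (2).
+* **Security audits:** The `upm add` command accepts a `--skip-audit`
+(or `-s`) flag to skip security audits during package installation.
+This flag only has an effect for the npm backend, which runs
+security audits by default. For all other package managers, this
+flag is ignored (as they don't have native audit functionality that
+runs during installation, or don't support disabling it).
 
 ### Environment variables respected
 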
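--- a/internal/api/types.go
+++ b/internal/api/types.go
@@ -259,12 +259,16 @@ type LanguageBackend struct {
 // required for initalizing specfiles, we can break that out
 // to a seperate step.
 //
+// The skipAudit parameter indicates whether to skip security
+// audits during installation (currently only supported by
+// npm; ignored by other backends).
+//
 // If QuirksAddRemoveAlsoInstalls, then also lock and install.
 // In this case this method must also create the lockfile if
 // it does not exist already.
 //
 // This field is mandatory.
-Add func(context.Context, map[PkgName]PkgCoordinates, string)
+Add func(context.Context, map[PkgName]PkgCoordinates, string, bool)
 
 // Remove packages from the specfile. The map is guaranteed to
 // have at least one package, and all of the packages are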
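Review bot: The new doc comment refers to "the skipAudit parameter", but the `Add` func type declares its parameters unnamed, so nothing in this file is actually called skipAudit and the name only exists in each backend's own closure signature. Go permits named parameters in a func type; `Add func(ctx context.Context, pkgs map[PkgName]PkgCoordinates, projectName string, skipAudit bool)` would tie the comment to the signature and make the meaning of the trailing bool visible to readers of the interface rather than of the backends. A bare positional bool on a shared interface is also easy to mis-order if a second switch (e.g. ignore-scripts) is ever added, so an options struct would be the longer-term shape, though that is beyond this commit. The LanguageBackend struct continues outside the hunk.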

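--- a/internal/backends/dart/dart.go
+++ b/internal/backends/dart/dart.go
@@ -257,7 +257,7 @@ func readSpecFile() dartPubspecYaml {
 return specs
 }
 
-func dartAdd(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+func dartAdd(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "dartAdd")
 defer span.Finish()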

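--- a/internal/backends/dotnet/dotnet.go
+++ b/internal/backends/dotnet/dotnet.go
@@ -25,7 +25,7 @@ var DotNetBackend = api.LanguageBackend{
 Remove: func(ctx context.Context, pkgs map[api.PkgName]bool) {
 removePackages(ctx, pkgs, findSpecFile(), util.RunCmd)
 },
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 addPackages(ctx, pkgs, projectName, util.RunCmd)
 },
 Search: search,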

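--- a/internal/backends/elisp/elisp.go
+++ b/internal/backends/elisp/elisp.go
@@ -87,7 +87,7 @@ var ElispBackend = api.LanguageBackend{
 }
 return info
 },
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "elisp add")
 defer span.Finish()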

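--- a/internal/backends/java/java.go
+++ b/internal/backends/java/java.go
@@ -121,7 +121,7 @@ func isAvailable() bool {
 return err == nil
 }
 
-func addPackages(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+func addPackages(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "Java add package")
 defer span.Finish()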

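--- a/internal/backends/nodejs/nodejs.go
+++ b/internal/backends/nodejs/nodejs.go
@@ -412,14 +412,15 @@ var NodejsYarnBackend = api.LanguageBackend{
 },
 Search: nodejsSearch,
 Info: nodejsInfo,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "yarn (init) add")
 defer span.Finish()
 if !util.Exists("package.json") {
 util.RunCmd([]string{"yarn", "init", "-y"})
 }
 cmd := []string{"yarn", "add"}
+// Note: Yarn (classic/v1) doesn't support --no-audit flag
 for name, coords := range pkgs {
 name := string(name)
 if found, ok := moduleToYarnpkgPackageAliases[name]; ok {
@@ -500,7 +501,7 @@ var NodejsPNPMBackend = api.LanguageBackend{
 },
 Search: nodejsSearch,
 Info: nodejsInfo,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "pnpm (init) add")
 defer span.Finish()
@@ -605,14 +606,17 @@ var NodejsNPMBackend = api.LanguageBackend{
 },
 Search: nodejsSearch,
 Info: nodejsInfo,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "npm (init) install")
 defer span.Finish()
 if !util.Exists("package.json") {
 util.RunCmd([]string{"npm", "init", "-y"})
 }
 cmd := []string{"npm", "install"}
+if skipAudit {
+cmd = append(cmd, "--no-audit")
+}
 for name, coords := range pkgs {
 name := string(name)
 if found, ok := moduleToNpmjsPackageAliases[name]; ok {
@@ -716,7 +720,7 @@ func makeBunBackend() api.LanguageBackend {
 },
 Search: nodejsSearch,
 Info: nodejsInfo,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "bun (init) add")
 defer span.Finish()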
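Review bot: The npm hunk's `if skipAudit { cmd = append(cmd, "--no-audit") }` switches off a security check with no comment and no log line, so nothing at the call site records that the advisory lookup was deliberately skipped for this install. I would add a why-comment such as `// --skip-audit: do not submit the dependency tree to the registry's audit endpoint for this install (npm's --no-audit); it does not change what gets installed` and, if the tool has a verbose channel, emit one line when the flag is honored so a skipped scan is visible in CI output. In the yarn hunk the only change is the comment, so `--skip-audit` is a silent no-op there despite the commit title saying it is propagated to yarn; as far as I know classic yarn only audits on request (`yarn audit` / `--audit`), so nothing is lost, but the comment should say that rather than imply a missing feature, e.g. `// yarn classic has no --no-audit; it does not audit during add, so skipAudit is intentionally unused here`. Each `Add` body continues past the end of its hunk.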

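--- a/internal/backends/php/php.go
+++ b/internal/backends/php/php.go
@@ -241,7 +241,7 @@ var PhpComposerBackend = api.LanguageBackend{
 },
 Search: search,
 Info: info,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectVendorName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectVendorName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "composer require")
 defer span.Finish()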

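--- a/internal/backends/python/python.go
+++ b/internal/backends/python/python.go
@@ -521,7 +521,7 @@ func makePythonPoetryBackend() api.LanguageBackend {
 
 Search: searchPypi,
 Info: info,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "poetry (init) add")
 defer span.Finish()
@@ -669,7 +669,7 @@ func makePythonPipBackend() api.LanguageBackend {
 
 Search: searchPypi,
 Info: info,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "pip install")
 defer span.Finish()
@@ -1014,7 +1014,7 @@ func makePythonUvBackend() api.LanguageBackend {
 
 Search: searchPypi,
 Info: info,
-Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, pkgs map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 //nolint:ineffassign,wastedassign,staticcheck
 span, ctx := tracer.StartSpanFromContext(ctx, "uv (init) add")
 defer span.Finish()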

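--- a/internal/backends/rlang/rlang.go
+++ b/internal/backends/rlang/rlang.go
@@ -130,7 +130,7 @@ var RlangBackend = api.LanguageBackend{
 
 return api.PkgInfo{}
 },
-Add: func(ctx context.Context, packages map[api.PkgName]api.PkgCoordinates, projectName string) {
+Add: func(ctx context.Context, packages map[api.PkgName]api.PkgCoordinates, projectName string, skipAudit bool) {
 for name, coords := range packages {
 RAdd(ctx, RPackage{
 Name: string(name),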
