feat!(audit): default to None, not Low

BREAKING CHANGE: by default, npm audit will no longer run. Tools like dependabot and Mend should inform maintainers of vulnerabilities. Putting this into publication tooling as a default is optimistic at best - as often times transient, false-positive dependncies are a fact of life.
go-vela · Aug 29, 2024 · 3e4ba3a · 3e4ba3a
1 parent 112b9c7
commit 3e4ba3a
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/DOCS.md b/DOCS.md
@@ -176,7 +176,7 @@ The following parameters are used to configure the image:
 | `email`         | email for communication with npm                                                                                   | `false`  | `N/A`                        | `PARAMETER_EMAIL`<br>`NPM_EMAIL`         |
 | `token`         | auth token for communication with npm                                                                              | `false`  | `N/A`                        | `PARAMETER_TOKEN`<br>`TOKEN`             |
 | `registry`      | npm instance to communicate with                                                                                   | `false`  | `https://registry.npmjs.org` | `PARAMETER_REGISTRY`<br>`NPM_REGISTRY`   |
-| `audit_level`   | level at which the audit check should fail (valid options: `low`, `moderate`, `high`, `critical`, `none` to skip)  | `false`  | `low`                        | `PARAMETER_AUDIT_LEVEL`<br>`AUDIT_LEVEL` |
+| `audit_level`   | level at which the audit check should fail (valid options: `low`, `moderate`, `high`, `critical`, `none` to skip)  | `false`  | `none`                       | `PARAMETER_AUDIT_LEVEL`<br>`AUDIT_LEVEL` |
 | `strict_ssl`    | whether or not to do SSL key validation during communication                                                       | `false`  | `true`                       | `PARAMETER_STRICT_SSL`<br>`STRICT_SSL`   |
 | `always_auth`   | force npm to always require authentication                                                                         | `false`  | `false`                      | `PARAMETER_ALWAYS_AUTH`<br>`ALWAYS_AUTH` |
 | `skip_ping`     | whether or not to skip `npm ping` authentication command                                                           | `false`  | `false`                      | `PARAMETER_SKIP_PING`<br>`SKIP_PING`     |

diff --git a/cmd/vela-npm/main.go b/cmd/vela-npm/main.go
@@ -136,7 +136,7 @@ func main() {
 			&cli.StringFlag{
 				Name:        "audit-level",
 				Usage:       "The level at which an npm audit will fail - options: (none|low|moderate|high|critical)",
-				Value:       "low",
+				Value:       "none",
 				EnvVars:     []string{"PARAMETER_AUDIT_LEVEL", "PARAMETER_AUDIT", "PLUGIN_AUDIT_LEVEL", "PLUGIN_AUDIT", "AUDIT_LEVEL", "AUDIT"},
 				FilePath:    string("/vela/parameters/npm/audit_level,/vela/secrets/npm/audit_level"),
 				DefaultText: "N/A",

diff --git a/internal/npm/config.go b/internal/npm/config.go
@@ -92,9 +92,9 @@ func (p *Config) Validate() error {
 	case "n", "no", "none":
 		p.AuditLevel = None
 	default:
-		log.Warn("audit_level is not recognized, the npm default (low)")
+		log.Warn("audit_level is not recognized, setting to None")
 
-		p.AuditLevel = Low
+		p.AuditLevel = None
 	}
 
 	log.WithFields(log.Fields{

diff --git a/internal/npm/config_test.go b/internal/npm/config_test.go
@@ -91,7 +91,7 @@ func TestConfig_Validate_NormalizeAuditLevel_Default(t *testing.T) {
 		t.Error(err)
 	}
 
-	if c.AuditLevel != Low {
+	if c.AuditLevel != None {
 		t.Error("AuditLevel not defaulted")
 	}
 }