From 3e4ba3af532f8384c7e1fb12ebd79cd068bfc895 Mon Sep 17 00:00:00 2001
From: Brian Muenzenmeyer
Date: Thu, 29 Aug 2024 18:24:40 +0000
Subject: [PATCH] feat!(audit): default to None, not Low

BREAKING CHANGE: by default, npm audit will no longer run. Tools like dependabot and Mend should inform maintainers of vulnerabilities. Putting this into publication tooling as a default is optimistic at best - as often times transient, false-positive dependncies are a fact of life.
---
 DOCS.md | 2 +-
 cmd/vela-npm/main.go | 2 +-
 internal/npm/config.go | 4 ++--
 internal/npm/config_test.go | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/DOCS.md b/DOCS.md
index b83720b..8d3ab36 100644
--- a/DOCS.md
+++ b/DOCS.md
@@ -176,7 +176,7 @@ The following parameters are used to configure the image:
 | `email` | email for communication with npm | `false` | `N/A` | `PARAMETER_EMAIL`
`NPM_EMAIL` |
 | `token` | auth token for communication with npm | `false` | `N/A` | `PARAMETER_TOKEN`
`TOKEN` |
 | `registry` | npm instance to communicate with | `false` | `https://registry.npmjs.org` | `PARAMETER_REGISTRY`
`NPM_REGISTRY` |
-| `audit_level` | level at which the audit check should fail (valid options: `low`, `moderate`, `high`, `critical`, `none` to skip) | `false` | `low` | `PARAMETER_AUDIT_LEVEL`
`AUDIT_LEVEL` |
+| `audit_level` | level at which the audit check should fail (valid options: `low`, `moderate`, `high`, `critical`, `none` to skip) | `false` | `none` | `PARAMETER_AUDIT_LEVEL`
`AUDIT_LEVEL` |
 | `strict_ssl` | whether or not to do SSL key validation during communication | `false` | `true` | `PARAMETER_STRICT_SSL`
`STRICT_SSL` |
 | `always_auth` | force npm to always require authentication | `false` | `false` | `PARAMETER_ALWAYS_AUTH`
`ALWAYS_AUTH` |
 | `skip_ping` | whether or not to skip `npm ping` authentication command | `false` | `false` | `PARAMETER_SKIP_PING`
`SKIP_PING` |
diff --git a/cmd/vela-npm/main.go b/cmd/vela-npm/main.go
index 152054f..cead276 100644
--- a/cmd/vela-npm/main.go
+++ b/cmd/vela-npm/main.go
@@ -136,7 +136,7 @@ func main() {
 &cli.StringFlag{
 Name: "audit-level",
 Usage: "The level at which an npm audit will fail - options: (none|low|moderate|high|critical)",
- Value: "low",
+ Value: "none",
 EnvVars: []string{"PARAMETER_AUDIT_LEVEL", "PARAMETER_AUDIT", "PLUGIN_AUDIT_LEVEL", "PLUGIN_AUDIT", "AUDIT_LEVEL", "AUDIT"},
 FilePath: string("/vela/parameters/npm/audit_level,/vela/secrets/npm/audit_level"),
 DefaultText: "N/A",
diff --git a/internal/npm/config.go b/internal/npm/config.go
index a6aa615..71ac241 100644
--- a/internal/npm/config.go
+++ b/internal/npm/config.go
@@ -92,9 +92,9 @@ func (p *Config) Validate() error {
 case "n", "no", "none":
 p.AuditLevel = None
 default:
- log.Warn("audit_level is not recognized, the npm default (low)")
+ log.Warn("audit_level is not recognized, setting to None")
- p.AuditLevel = Low
+ p.AuditLevel = None
 }
 log.WithFields(log.Fields{
diff --git a/internal/npm/config_test.go b/internal/npm/config_test.go
index 57b366e..590385d 100644
--- a/internal/npm/config_test.go
+++ b/internal/npm/config_test.go
@@ -91,7 +91,7 @@ func TestConfig_Validate_NormalizeAuditLevel_Default(t *testing.T) {
 t.Error(err)
 }
- if c.AuditLevel != Low {
+ if c.AuditLevel != None {
 t.Error("AuditLevel not defaulted")
 }
 }
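Review bot: `DefaultText: "N/A"` on the `audit-level` flag now misstates the effective default: with `Value: "none"` the audit check is off unless the user opts in, yet `--help` will still print N/A for it. Change it to `DefaultText: "none"` so the help output shows that the audit is skipped by default, and consider saying so in the usage text, e.g. `Usage: "The level at which an npm audit will fail - options: (none|low|moderate|high|critical); none skips the audit"`. The enclosing `main` function starts and ends outside the hunk.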
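Review bot: The `default:` branch now maps any unrecognized `audit_level` value, including a simple misspelling of a severity, to `None`, so a misconfiguration silently disables the audit instead of failing validation; a log warning is easy to miss in CI output. Since `Validate` already returns an error, the safer option is to reject the value there, e.g. `return fmt.Errorf("audit_level is not recognized")` (assuming `fmt` or `errors` is imported in this file, which the hunk does not show). If the lenient fallback is intended, the warning should at least state the consequence: `log.Warn("audit_level is not recognized, npm audit will be skipped (none)")`. The enclosing `Validate` method starts and ends outside the hunk.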
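Review bot: `TestConfig_Validate_NormalizeAuditLevel_Default` only pins the new documented default; the changed `default:` branch in config.go, where an unrecognized value now also becomes `None`, has no test in this commit. Add a case that sets an unrecognized audit level, calls `Validate`, and asserts the resulting `AuditLevel` (or the returned error, if unrecognized values are made a validation failure), so a later change to that fallback is caught. The enclosing test function starts outside the hunk.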