Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(npm-cli): add npmAuditRegistry config option #3583

Merged
merged 3 commits into from
Oct 20, 2021
Merged

feat(npm-cli): add npmAuditRegistry config option #3583

merged 3 commits into from
Oct 20, 2021

Conversation

jdanil
Copy link
Contributor

@jdanil jdanil commented Oct 17, 2021

What's the problem this PR addresses?

yarn npm audit fails when using artifactory as a registry and when no recommendations are available.

Closes #3520.
Closes #3569.

How did you fix it?

Introduced a new npmAuditRegistry config option. On further testing against an artifactory server, I found that npm was also erroring out.

npm v6 throws...

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://artifactory.mycompany.com/artifactory/api/npm/npm-repository-name/) may not support audit requests, or the audit endpoint may be temporarily unavailable.

npm v7 throws...

npm WARN audit 500 Internal Server Error - POST https://artifactory.mycompany.com/artifactory/api/npm/npm-repository-name/-/npm/v1/security/audits/quick
{
  errors: [
    {
      status: 500,
      message: 'Repo is offline. Cannot use the HTTP client.'
    }
  ]
}
npm ERR! audit endpoint returned an error

We still want to default to using the custom registry as using a public registry may unintentionally leak private information. It also seems that private registries can modify the generated reports before responding to the request (https://jfrog.com/blog/protect-your-code-with-npm-audit-jfrog-xray/).

If the private registry does not support audit, we know that the default registries do. This provides an escape hatch for users to configure a custom audit registry.

Also added a null check to advisory recommendations to protect against the case where a patch does not yet exist.

Also updated the auth type to BEST_EFFORT as suggested by @ejsmith03. It looks like the public registries work regardless, and this also bypasses the Invalid authentication (as an anonymous user) error returned by the private registry.

Checklist

  • I have set the packages that need to be released for my changes to be effective.
  • I will check that all automated PR checks pass before the PR gets reviewed.

jdanil
jdanil commented Oct 17, 2021
View reviewed changes
packages/plugin-npm-cli/sources/npmAuditUtils.ts
@@ -183,7 +183,7 @@ export function getReportTree(result: npmAuditTypes.AuditResponse, severity?: np
},
Recommendation: {
label: `Recommendation`,
value: formatUtils.tuple(formatUtils.Type.NO_HINT, advisory.recommendation.replace(/\n/g, ` `)),
value: formatUtils.tuple(formatUtils.Type.NO_HINT, advisory.recommendation?.replace(/\n/g, ` `)),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change clipanion will simply print Recommendation: null if a recommendation is not provided.

@arcanis arcanis merged commit c57f788 into yarnpkg:master Oct 20, 2021
@arcanis
Copy link
Member

arcanis commented Oct 20, 2021

Good work!

@jdanil jdanil mentioned this pull request Oct 23, 2021
Merged
3 tasks
@jdanil jdanil mentioned this pull request Apr 14, 2022
Merged
3 tasks
@paul-soporan paul-soporan mentioned this pull request Jul 19, 2022
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arcanis arcanis arcanis left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jdanil @arcanis