Filter and retry yarn/npm audit command with Jest.
`yarn audit` and `npm audit` are useful for detecting packages in use that have vulnerabilities, but they don't allow filtering. For example, you may have a vulnerability in a package you only use in development, and more often than not that kind of vulnerability is only unsafe when the package is used in production. Updating the dependency to fix the vulnerability may break things. That is where `jest-package-audit` comes in: it wraps the `yarn audit` and `npm audit` commands and checks each vulnerability they flag against an array of allowed vulnerability names, e.g.
Another benefit of `jest-package-audit` is the ability to retry tests if they fail. This is useful because the audit endpoints can sometimes time out or randomly return 503 HTTP status codes. Using `jest.retryTimes` you can overcome this by retrying, say, 5 times.
`jest-package-audit` only works with Jest >= 23 as it depends on async matchers.
```sh
yarn add @xerox/jest-package-audit --dev
# or
npm install @xerox/jest-package-audit --save-dev
```
- Create a new test file for package auditing:
```js
// audit.test.js
import { toPassPackageAudit } from '@xerox/jest-package-audit'; // named export assumed

// Register the async matcher with Jest (requires Jest >= 23).
expect.extend({ toPassPackageAudit });

jest.retryTimes(5); // Optional: re-run the test if the audit endpoint times out or returns a 503
jest.setTimeout(60000); // The audit command can take a while... (60 s is an example value)

test('dependencies pass the package audit', async () => {
  // Input options go in expect(...), output options in toPassPackageAudit(...).
  await expect({}).toPassPackageAudit({});
});
```
Input options should be passed to the `expect` function when using `toPassPackageAudit`; they define how the actual `yarn audit` or `npm audit` command is run.

| Description | Default |
| --- | --- |
| Current working directory to run the audit command in. | The closest folder with a |
| Which command to run, e.g. | |
Output options should be passed to the `toPassPackageAudit` function; they define how the output of `yarn audit` or `npm audit` is processed.

| Description | Default |
| --- | --- |
| An array of package names to allow if they have vulnerabilities. | |
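To make the allow-list behaviour concrete, here is an added example (written for this page, not code from `jest-package-audit` itself) that parses the machine-readable output of `yarn audit --json` (yarn v1 emits one JSON object per line, advisories typed `auditAdvisory`) and `npm audit --json` (npm 6 keys advisories by id under `advisories`; npm 7+ keys them by package name under `vulnerabilities`), then checks every flagged package against an array of allowed package names. The JSON shapes come from those tools' documented output; every sample value, the `runAuditCheck` helper and the `command`/`allow` parameter names are constructed for illustration and are not the package's own option names.

```javascript
// Constructed sample output (not from a real audit run) in the shapes the two
// tools produce. yarn v1 `yarn audit --json`: NDJSON, one object per line.
const YARN_AUDIT_NDJSON = [
  '{"type":"auditAdvisory","data":{"resolution":{"id":1,"path":"dev-tool>lodash"},"advisory":{"module_name":"lodash","severity":"high","title":"Example advisory A"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":2,"path":"express>qs"},"advisory":{"module_name":"qs","severity":"moderate","title":"Example advisory B"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":1,"high":1,"critical":0},"totalDependencies":2}}',
].join('\n');

// npm 6 `npm audit --json`: a single object, advisories keyed by id.
const NPM6_AUDIT_JSON = JSON.stringify({
  advisories: {
    '1': { module_name: 'lodash', severity: 'high', title: 'Example advisory A' },
    '2': { module_name: 'qs', severity: 'moderate', title: 'Example advisory B' },
  },
});

// npm 7+ `npm audit --json`: vulnerabilities keyed by package name.
const NPM7_AUDIT_JSON = JSON.stringify({
  vulnerabilities: {
    lodash: { name: 'lodash', severity: 'high' },
    qs: { name: 'qs', severity: 'moderate' },
  },
});

// yarn: keep only "auditAdvisory" lines and normalise to {name, severity}.
function parseYarnAudit(output) {
  return output
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .filter((entry) => entry.type === 'auditAdvisory')
    .map((entry) => ({
      name: entry.data.advisory.module_name,
      severity: entry.data.advisory.severity,
    }));
}

// npm: handle both the npm 6 and the npm 7+ layout.
function parseNpmAudit(output) {
  const report = JSON.parse(output);
  if (report.advisories) {
    return Object.values(report.advisories).map((adv) => ({
      name: adv.module_name,
      severity: adv.severity,
    }));
  }
  if (report.vulnerabilities) {
    return Object.values(report.vulnerabilities).map((vuln) => ({
      name: vuln.name,
      severity: vuln.severity,
    }));
  }
  return [];
}

// Apply the allow list: any flagged package not on it fails the audit.
// A package flagged several times is reported once.
function auditPasses(findings, allow = []) {
  const allowed = new Set(allow);
  const seen = new Set();
  const disallowed = [];
  for (const finding of findings) {
    if (allowed.has(finding.name) || seen.has(finding.name)) continue;
    seen.add(finding.name);
    disallowed.push(finding);
  }
  return { pass: disallowed.length === 0, disallowed };
}

// Hypothetical helper tying it together: pick the parser from the command
// that produced the output, then filter against the allow list.
function runAuditCheck(output, command, allow = []) {
  const findings = command.trim().startsWith('yarn')
    ? parseYarnAudit(output)
    : parseNpmAudit(output);
  return auditPasses(findings, allow);
}

// Allowing only the dev-only package leaves "qs" as a real failure.
console.log(runAuditCheck(YARN_AUDIT_NDJSON, 'yarn audit', ['lodash']));
```

Note that the allow list is keyed on the package name, so it accepts every advisory for that package, present and future; keeping the list short and reviewing it when `yarn.lock` or `package-lock.json` changes is what keeps it from silently masking new findings.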
Please be aware that we provide no liability for any security issues, or any other issues for that matter, encountered when using this package. It is provided as open-source software under the MIT license. So please read the source code and make sure you understand the implications of allowing vulnerable modules to pass through the