Yarn: [New Feature] [yarn audit --filter] Filter the exit code based on the provided severity level

Created on 10 Jul 2019 · 9 comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?
This is a feature request, building on top of https://github.com/yarnpkg/yarn/issues/7260 and https://github.com/yarnpkg/yarn/issues/7174.

What is the current behavior?
By running yarn audit the command exits with a non-zero number that is the sum of found severities:

1 for INFO
2 for LOW
4 for MODERATE
8 for HIGH
16 for CRITICAL

as explained https://github.com/yarnpkg/yarn/pull/6819.

By running yarn audit --level <LEVEL> will limit the audit table to vulnerabilities of the corresponding level and above, but it will not affect the exit code of the command (as explained https://classic.yarnpkg.com/en/docs/cli/audit/#toc-commands)

What is the expected behavior?
The command exiting with code 0 if no issue has been found with the provided level of filtering (if specified) by either updating the current --level option or have another one (e.g. --filter?) that does that.

The reason for asking for this new feature is to have a smoother programmatic experience with CI tools, where the team accepts the risk and can decide which level of severity should stop the build pipeline and which one should not.

Let's say we go with --filter

Example: if the codebase has 2 vulnerabilities: 0 high, 1 moderate, 1 low

  • yarn audit exits with non-zero code - FAILURE
  • yarn audit --filter low exits with non-zero code - FAILURE
  • yarn audit --filter moderate exits with non-zero code - FAILURE
  • yarn audit --filter high exits with code 0 - SUCCESS

Please mention your node.js, yarn and operating system version.
Node: v10.13.0
Yarn: v1.16.0
OS: CentOS 7 (Linux x86_64 GNU/Linux)

or

Node: v10.14.2
Yarn: v1.16.0
OS: macOS Sierra v10.12.6 (Darwin Kernel Version 16.7.0 x86_64)

or

Node: v12.18.0
Yarn: v1.22.4
OS: macOS Mojave v10.14.6 (Darwin Kernel Version 18.7.0 x86_64)

Related to this subject

All 9 comments

As suggested by @DanielRuf I'm updating this issue to a feature request to reopen the conversation on having the exit code of yarn audit reflecting the filtering level for scripted integration (GitHub PR checks, CI, etc).

Hi @bestander @kittens I'm looking for a contributor interested in championing this feature if interested.

Thanks

This is something that would be very helpful for us. Any progress on this? Any way I'd be able to help move this feature request forward?

Hey @tylerthehaas no progress yet I'm afraid. Are we allowed to just raise a PR or should we wait for a maintainer to triage this and eventually schedule it?

@simonespa Idk, but I'd definitely be willing to put some work in on this. I am fearful that with berry coming out, Yarn v1 won't get the attention it deserves.

We encountered a similar issue as @pitgrap in #7260 with the gradle-node-plugin. In general there might be several cases where the proposed workaround from #7260 of fiddling with the exit code might not be possible, so this feature would be very valuable.
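For readers who can wrap the command in a script, the "fiddle with the exit code" workaround looks like this. It is an added example for this thread, not code from the issue or from the Yarn project: it relies only on the exit-code bitmask described in the issue (1 info, 2 low, 4 moderate, 8 high, 16 critical) and decides pass/fail from the bits at or above a chosen severity. The function names (`severity_mask`, `audit_gate`, `run_audit_gate`) are mine; the `yarn audit --level` invocation inside `run_audit_gate` is only shown as usage and is never run by the gate logic itself.

```shell
#!/bin/sh
# Exit-code gate for `yarn audit` (Yarn 1.x). Added example, not Yarn's code.
# Yarn's exit status is a bitmask of the severities it found:
#   1 = info, 2 = low, 4 = moderate, 8 = high, 16 = critical
# so the raw non-zero status says "something was found", not "something
# above our threshold was found". We mask it ourselves.

# severity_mask <name>: print the bitmask for "<name> and above".
severity_mask() {
  case "$1" in
    info)     echo 31 ;;   # 1+2+4+8+16
    low)      echo 30 ;;   # 2+4+8+16
    moderate) echo 28 ;;   # 4+8+16
    high)     echo 24 ;;   # 8+16
    critical) echo 16 ;;
    *) echo "unknown severity: $1" >&2; return 2 ;;
  esac
}

# audit_gate <yarn-audit-exit-code> <min-severity>
# Returns 0 when no vulnerability at or above <min-severity> is flagged,
# 1 when one is, and 2 on input that cannot be interpreted (fail closed).
audit_gate() {
  _code=$1
  _mask=$(severity_mask "$2") || return 2
  # Anything outside 0..31 cannot be a severity bitmask; treat as an error
  # rather than silently passing the build.
  if [ "$_code" -lt 0 ] || [ "$_code" -gt 31 ]; then
    echo "exit code $_code is not a severity bitmask; failing closed" >&2
    return 2
  fi
  if [ $(( _code & _mask )) -ne 0 ]; then
    return 1
  fi
  return 0
}

# run_audit_gate <min-severity>: the CI entry point (assumed usage).
# --level only trims the printed table; the exit code is unaffected, which
# is exactly why the mask step is needed.
run_audit_gate() {
  yarn audit --level "$1"
  audit_gate $? "$1"
}
```

With the issue's example (1 low + 1 moderate, so Yarn exits 2+4 = 6), `audit_gate 6 low` and `audit_gate 6 moderate` return 1 while `audit_gate 6 high` returns 0, which is the behaviour the requested `--filter` option would give. Keeping the out-of-range check is deliberate: a status that is not a severity bitmask should stop the pipeline, not pass it.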

@tylerthehaas @rd-stefan-neuhaus this same issue raised in Berry https://github.com/yarnpkg/berry/issues/1461 has a related PR in progress https://github.com/yarnpkg/berry/pull/1892 raised by @jdanil

FYI: the above mentioned PR has been merged and the issue closed. Closing this too.
