Merge pull request #39 from jeemok/next

v2.0

.github/workflows/node.js.yml

@@ -27,4 +27,5 @@ jobs:
         node-version: ${{ matrix.node-version }}
     - run: npm ci
     - run: npm run lint
-    - run: npm run test
+    - run: npm run test
+    - run: npm run audit

.nsprc.sample

@@ -1,20 +1,17 @@
 {
     "1337": {
-        "ignore": true,
-        "reason": "Ignored since we don't use xxx method",
+        "active": true,
+        "notes": "Ignored since we don't use xxx method",
         "expiry": 1615462134681
     },
     "4501": {
-        "ignore": false,
-        "reason": "This will be fixed by the library maintainers by June 14"
+        "active": false,
+        "notes": "This will be fixed by the library maintainers by June 14"
     },
     "4502": {
-        "ignore": true
+        "active": true
     },
     "980": "This will be fixed by the library maintainers by June 14",
     "1024": "",
-    "5": false,
-    "3": null,
-    "2": undefined,
-    "Note": "Any non number key will be ignored"
+    "Note": "Any non number key will not be excepted"
 }

CHANGELOG.md

@@ -1,32 +1,63 @@
+## 2.0.4 (June 22, 2021)
+
+### Notable changes
+
+* Simplified the workflow and improved overall performance by running lesser in the process.
+* Added [`table`](https://www.npmjs.com/package/table) module to display summaries (Initially used [`cli-table`](https://www.npmjs.com/package/cli-table) for its small size, however the issues in the repo concerns me in its display quality in other OS. Hence, chosen `table` module despite its package size is much bigger)
+* Added table display for security report
+* Added table display of exceptions from `.nsprc` file
+* Cleaned up test cases structure to be more straight forward and easier to maintain
+
+### Breaking changes
+
+* Renamed `--ignore -i` flag to `--exclude -x` for better clarity.
+* Removed `--display-full` flag that was used to ignore the maximum display limit. Now with the summary table it would be unlikely to display large size of information.
+* Removed `--display-notes` flag that was used for displaying exception notes. Now it is included in the exceptions table.
+* Renamed `ignore` field to `active` in `.nsprc` file for better clarity.
+* Renamed `reason` field to `notes` in `.nsprc` file for better clarity.
+
+### Others
+
+* Removed logging of flags used in the command
+* Added NPM audit into the CI pipeline
+* Added `.github/FUNDING.yml`
+* Updated `README.md`
+
+### Closed issues
+
+* [#20](https://github.com/jeemok/better-npm-audit/issues/20) Provide more output when parsing exceptions file
+* [#27](https://github.com/jeemok/better-npm-audit/issues/27) Hide excepted vulnerabilities from output
+* [#28](https://github.com/jeemok/better-npm-audit/issues/28) Missing [ in truncation message
+
+---
+
 ## 1.12.1 (June 21, 2021)
 
 * Added `FUNDING.yml`
 * Updated `README.md`
 
 ## 1.12.0 (June 18, 2021)
 
-* [Display warning when exceptionIds are unused](https://github.com/jeemok/better-npm-audit/pull/38)
+* [#38](https://github.com/jeemok/better-npm-audit/pull/38) Display warning when `exceptionIds` are unused
 
 ## 1.11.2 (June 11, 2021)
 
-* [Fixed security CVE-2020-28469: Bump glob-parent from 5.1.1 to 5.1.2](https://github.com/jeemok/better-npm-audit/pull/37)
+* [#37](https://github.com/jeemok/better-npm-audit/pull/37) Fixed security CVE-2020-28469: Bump glob-parent from 5.1.1 to 5.1.2
 
 ## 1.11.1 (June 11, 2021)
 
 * Updated `README.md`
 
 ## 1.11.0 (June 11, 2021)
 
-* [Added environment variable support `process.env.NPM_CONFIG_AUDIT_LEVEL` to set the audit level](https://github.com/jeemok/better-npm-audit/pull/36)
+* [#36](https://github.com/jeemok/better-npm-audit/pull/36) Added environment variable support `process.env.NPM_CONFIG_AUDIT_LEVEL` to set the audit level
 
 ## 1.10.1 (June 7, 2021)
 
 * Updated `--full` flag logging from `[full log mode enabled]` to `[report display limit disabled]`
-* [Added new flag `--display-notes` to display reasons for the exceptions](https://github.com/jeemok/better-npm-audit/issues/32)
+* [#32](https://github.com/jeemok/better-npm-audit/issues/32) Added new flag `--display-notes` to display reasons for the exceptions
 
 ## 1.9.3 (June 6, 2021)
 
-### Features
-
-* [Added CHANGELOG.md](https://github.com/jeemok/better-npm-audit/issues/31)
+* [#31](https://github.com/jeemok/better-npm-audit/issues/31) Added `CHANGELOG.md`
 * Updated `README.md`

README.md

@@ -1,6 +1,6 @@
 # Better NPM Audit
 
-Made to allow skipping certain vulnerabilities, and any extra handling that are not supported by the default `npm audit` in the future.
+The goal of this project is to help to reshape npm audit into the way the community would like, by the community itself. Giving another option for everyone and encourage more people to do security audits.
 
 [![NPM](https://nodei.co/npm/better-npm-audit.png)](https://npmjs.org/package/better-npm-audit)
 
@@ -22,7 +22,7 @@ NPM has upgraded to version 7 in late 2020 and has breaking changes on the `npm
 
 ## Installation
 
-    $ npm install better-npm-audit
+    $ npm install --save better-npm-audit
 
 or
 
@@ -32,42 +32,58 @@ or
 
 ## Usage
 
-### `package.json`
+### Run global
+
+```bash
+better-npm-audit audit
+```
+
+### Run with exceptions
+
+<img src="./.README/all_good.png" alt="Demo of table displaying the security report" />
+
+Unhandled or new exceptions will be highlighted:
+
+<img src="./.README/highlighted_exceptions.png" alt="Demo of table displaying the security report" />
+
+Unused exceptions will be notified:
+
+<img src="./.README/unused_exception.png" alt="Demo of displaying the unused exception" />
+
+### Add into package scripts
 
 ```JSON
 {
   "scripts": {
     "prepush": "npm run test && npm run audit",
-    "audit": "node node_modules/better-npm-audit audit"
+    "audit": "better-npm-audit audit audit"
   }
 }
 ```
 
-### Run global
+Now you can run locally or in your CI pipeline:
 
 ```bash
-better-npm-audit audit
+npm run audit
 ```
 
 <br />
 
 ## Options
 
-| Flag              | Short | Description                                                                                                                   |
-| ----------------- | ----- | ----------------------------------------------------------------------------------------------------------------------------- |
-| `--level`         | `-l`  | Same as the original `--audit-level` flag                                                                                     |
-| `--production`    | `-p`  | Skip checking `devDependencies`                                                                                               |
-| `--ignore`        | `-i`  | For skipping certain advisories                                                                                               |
-| `--full`          | `-f`  | Display full audit report. There is a character limit set to the audit report to prevent overwhelming details to the console. |
-| `--display-notes` | `-d`  | Display the reasons of matched exceptions from `.nsprc` file.                                                                 |
+| Flag           | Short | Description                                                                    |
+| -------------- | ----- | ------------------------------------------------------------------------------ |
+| `--exclude`    | `-x`  | Exceptions or the vulnerabilities ID(s) to exclude                             |
+| `--level`      | `-l`  | The minimum audit level to validate; Same as the original `--audit-level` flag |
+| `--production` | `-p`  | Skip checking the `devDependencies`                                            |
 
 <br />
 
 ## Environment Variables
 
-| Variable                             | Description                                                                                                       |
-| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
-| `process.env.NPM_CONFIG_AUDIT_LEVEL` | Used in setting the audit level. <br /> *Note: this will be disregard if the audit level flag is passed onto the command.* |
+| Variable                 | Description                                                                                                                |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------- |
+| `NPM_CONFIG_AUDIT_LEVEL` | Used in setting the audit level. <br /> _Note: this will be disregard if the audit level flag is passed onto the command._ |
 
 <br />
 
@@ -78,153 +94,32 @@ You may add a file `.nsprc` to your project root directory to manage the excepti
 ```json
 {
   "1337": {
-    "ignore": true,
-    "reason": "Ignored since we don't use xxx method",
+    "active": true,
+    "notes": "Ignored since we don't use xxx method",
     "expiry": 1615462134681
   },
   "4501": {
-    "ignore": false,
-    "reason": "Ignored since we don't use xxx method"
+    "active": false,
+    "notes": "Ignored since we don't use xxx method"
   },
   "980": "Ignored since we don't use xxx method",
-  "Note": "Any non number key will be ignored"
+  "Note": "Any non number key will not be excepted"
 }
 ```
 
-<br />
-
-## Examples
-
-**NPM v6**
-
-Running `node node_modules/better-npm-audit audit` with vulnerabilities, will receive the error:
-
-```bash
-2 vulnerabilities found. Node security advisories: 118,577
-```
-
-Added the ignore flags `node node_modules/better-npm-audit audit -i 118,577` and rerun:
-
-```bash
-Executing script: audit
-
-to be executed: "node node_modules/better-npm-audit audit -i 118,577"
-Exception Vulnerabilities IDs:  [ '118', '577' ]
-=== npm audit security report ===
-
-
-                                 Manual Review
-             Some vulnerabilities require your attention to resolve
-
-          Visit https://go.npm.me/audit-guide for additional guidance
-
+### Fields
 
-  High            Regular Expression Denial of Service
+| Attribute | Description                                                                                                                                                                 | Default |
+| --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `active`  | Boolean type to determine if we should use it for exception; `true` or `false`                                                                                              | `true`  |
+| `expiry`  | Date time in milliseconds, the number of milliseconds since midnight 01 January, 1970 UTC.<br />You can use `new Date(2021, 1, 1).valueOf()` to get the milliseconds value. |         |
+| `notes`   | Notes related to the vulnerability; will be displayed in the table summary.                                                                                                 |
 
-  Package         minimatch
-
-  Patched in      >=3.0.2
-
-  Dependency of   semantic-ui
-
-  Path            semantic-ui > gulp > vinyl-fs > glob-stream > glob >
-                  minimatch
-
-  More info       https://nodesecurity.io/advisories/118
-
-
-  High            Regular Expression Denial of Service
-
-  Package         minimatch
-
-  Patched in      >=3.0.2
-
-  Dependency of   semantic-ui
-
-  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
-                  globule > minimatch
-
-  More info       https://nodesecurity.io/advisories/118
-
-
-  Low             Prototype Pollution
-
-  Package         lodash
-
-  Patched in      >=4.17.5
-
-  Dependency of   semantic-ui
-
-  Path            semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >
-                  globule > lodash
-
-  More info       https://nodesecurity.io/advisories/577
-
-found 5 vulnerabilities (1 low, 4 high) in 30441 scanned packages
-  5 vulnerabilities require manual review. See the full report for details.
-
-🤝  All good
-```
+<br />
 
-**NPM v7**
+When using a `.nsprc` file, you will see this report display when it starts running:
 
-```bash
-# npm audit report
-
-bl  <=1.2.2 || 2.0.1 - 2.2.0 || 3.0.0 || 4.0.0 - 4.0.2
-Severity: high
-Remote Memory Exposure - https://npmjs.com/advisories/1555
-fix available via `npm audit fix`
-node_modules/bl
-
-dot-prop  <4.2.1 || >=5.0.0 <5.1.1
-Severity: high
-Prototype Pollution - https://npmjs.com/advisories/1213
-fix available via `npm audit fix`
-node_modules/dot-prop
-
-mem  <4.0.0
-Denial of Service - https://npmjs.com/advisories/1084
-fix available via `npm audit fix`
-node_modules/loopback-connector-rest/node_modules/mem
-  os-locale  2.0.0 - 3.0.0
-  Depends on vulnerable versions of mem
-  node_modules/loopback-connector-rest/node_modules/os-locale
-    strong-globalize  2.8.4 || 2.10.0 - 4.1.1
-    Depends on vulnerable versions of os-locale
-    node_modules/loopback-connector-rest/node_modules/strong-globalize
-
-swagger-ui  <=3.20.8
-Severity: moderate
-Reverse Tabnapping - https://npmjs.com/advisories/975
-Cross-Site Scripting - https://npmjs.com/advisories/976
-Cross-Site Scripting - https://npmjs.com/advisories/985
-fix available via `npm audit fix --force`
-Will install loopback-component-explorer@2.7.0, which is a breaking change
-node_modules/swagger-ui
-  loopback-component-explorer  >=3.0.0
-  Depends on vulnerable versions of swagger-ui
-  node_modules/loopback-component-explorer
-
-yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
-Prototype Pollution - https://npmjs.com/advisories/1500
-fix available via `npm audit fix`
-node_modules/mocha/node_modules/yargs-parser
-node_modules/yargs-unparser/node_modules/yargs-parser
-  mocha  1.21.5 - 6.2.2 || 7.0.0-esm1 - 7.1.0
-  Depends on vulnerable versions of mkdirp
-  Depends on vulnerable versions of yargs-parser
-  Depends on vulnerable versions of yargs-unparser
-  node_modules/mocha
-  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
-  Depends on vulnerable versions of yargs-parser
-  node_modules/yargs-unparser/node_modules/yargs
-    yargs-unparser  1.1.0 - 1.5.0
-    Depends on vulnerable versions of yargs
-    node_modules/yargs-unparser
-
-18 vulnerabilities (14 low, 2 moderate, 2 high)
-```
+<img src="./.README/exceptions_table.png" alt="Demo of table displaying a list of exceptions" />
 
 <br />
 
@@ -234,15 +129,6 @@ You can find the changelog [here](https://github.com/jeemok/better-npm-audit/blo
 
 <br />
 
-## Next version
-
-You can install it by `npm install better-npm-audit@next`
-
-* [Readme](https://github.com/jeemok/better-npm-audit/blob/next/README.md)
-* [Changelog](https://github.com/jeemok/better-npm-audit/blob/next/CHANGELOG.md)
-
-<br />
-
 ## Special mentions
 
 - [@IanWright](https://github.com/IPWright83) for his solutions in improving the vulnerability validation for us to have the minimum-audit-level and production-mode flags.