55const { exec } = require('child_process');

const URL_LIST = [
  // Not encountered by Vite, thus we cannot hit it
  'https://github.com/advisories/GHSA-67mh-4wv8-2f99'
];

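/**
 * Runs `npm audit` for production dependencies and resolves with its raw JSON
 * output (stdout).
 *
 * npm exits non-zero whenever it finds vulnerabilities, so a non-zero exit on
 * its own is not a failure: the promise only rejects when the exit is also
 * accompanied by stderr output, i.e. npm itself reported a problem.
 *
 * @returns {Promise<string>} stdout of `npm audit --omit dev --json`
 * @throws {Error} (as a rejection) carrying the exec error, stdout and stderr
 */
const runNpmAudit = () => new Promise((resolve, reject) => {
  // exec's default maxBuffer is 1 MiB; the JSON report of a large dependency
  // tree can exceed that, in which case Node kills npm and the caller would see
  // either a bogus audit error or a truncated, unparsable report. Raise it.
  const AUDIT_MAX_BUFFER = 64 * 1024 * 1024;
  exec('npm audit --omit dev --json', { maxBuffer: AUDIT_MAX_BUFFER }, (error, stdout, stderr) => {
    if (error && stderr) {
      // Reject with a real Error so the stack and cause survive to the caller.
      reject(new Error(`Audit error: ${error}\n${stdout}\n${stderr}`));
      return;
    }
    resolve(stdout);
  });
});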

// interface Audit {
//   [name: string]: AuditEntry;
// }

// interface AuditEntry {
//   severity: string;
//   range: string;
//   via: Array<{
//     url: string;
//   } | string>;
// }

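/**
 * Parses the `npm audit` JSON report and fails the process when it contains a
 * vulnerability that is not explained solely by allow-listed advisories.
 *
 * A vulnerability is reported when at least one of its `via` entries is an
 * advisory object whose `url` is absent from URL_LIST; string `via` entries
 * (see the Audit shape above) never count on their own.
 *
 * Side effects: one line per reported vulnerability on stderr and exit code 1,
 * otherwise a success line on stdout.
 *
 * @throws {Error} when the report has no `vulnerabilities` object (npm did not
 *   produce an audit report), or when `runNpmAudit` rejects.
 */
const checkAudit = async () => {
  const audit = JSON.parse(await runNpmAudit());

  // Fail closed: a payload without the expected shape must not read as "clean".
  const vulnerabilities = audit && audit.vulnerabilities;
  if (!vulnerabilities || typeof vulnerabilities !== 'object')
    throw new Error(`Unexpected npm audit output, no "vulnerabilities" object: ${JSON.stringify(audit)}`);

  const isReported = ([, entry]) => entry.via.some(viaEntry =>
    typeof viaEntry === 'object' && !URL_LIST.includes(viaEntry.url));
  const reported = Object.entries(vulnerabilities).filter(isReported);

  for (const [name, entry] of reported)
    console.error(`Vulnerability (${entry.severity}): ${name} ${entry.range}`);

  if (reported.length > 0) {
    // process.exit() can abandon stderr output still buffered for a pipe, so
    // set the exit code and let the process end on its own once it has drained.
    process.exitCode = 1;
    return;
  }

  console.log('No vulnerabilities found');
};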

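// You can manually run `npm audit --omit dev` to see the vulnerabilities in a human-friendly format.
checkAudit().catch(error => {
  console.error(error);
  // Prefer exitCode over process.exit(): exit() can drop stderr output that is
  // still buffered for a pipe, hiding the very error being reported.
  process.exitCode = 1;
});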