From a679cdc28b0873a3be41ec8e0e6446af2feb09a1 Mon Sep 17 00:00:00 2001
From: Quinn Turner
Date: Fri, 20 May 2022 12:46:18 -0300
Subject: [PATCH] docs: Pin running audit-ci to major version (#273)

---
 README.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 5cf4dbf9..433de645 100644
--- a/README.md
+++ b/README.md
@@ -150,7 +150,7 @@ An allowlist record may include any number of wildcards such as `*|react-scripts
 steps:
 - uses: actions/checkout@v2
 - name: Audit for vulnerabilities
- run: npx audit-ci --config ./audit-ci.jsonc
+ run: npx audit-ci@^6 --config ./audit-ci.jsonc
 ```
 
 _(Recommended)_ Run `audit-ci` immediately after checking out the git repository to reduce the risk of executing a `postinstall` script from a compromised NPM package.
@@ -176,7 +176,7 @@ steps:
 # command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then npx audit-ci --config ./audit-ci.jsonc ; fi
 - run:
 name: run-audit-ci
- command: npx audit-ci --config ./audit-ci.jsonc
+ command: npx audit-ci@^6 --config ./audit-ci.jsonc
 - run:
 name: install-npm
 command: "npm install --no-audit"
@@ -190,14 +190,14 @@ Auditing only on PR builds is [recommended](#qa)
 scripts:
 # This script should be the first that runs to reduce the risk of
 # executing a script from a compromised NPM package.
- - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config ./audit-ci.jsonc; fi
+ - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci@^6 --config ./audit-ci.jsonc; fi
 ```
 
 For `Travis-CI` not using PR builds:
 
 ```yml
 scripts:
- - npx audit-ci --config ./audit-ci.jsonc
+ - npx audit-ci@^6 --config ./audit-ci.jsonc
 ```
 
 ## Options
@@ -300,7 +300,7 @@ With a `JSON5` config file:
 Or, with the CLI with `yarn dlx`:
 
 ```sh
-yarn dlx audit-ci -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
+yarn dlx audit-ci@^6 -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
 ```
 
 ### Prevents build with critical vulnerabilities showing the full report
@@ -318,7 +318,7 @@ With a `JSONC` config file:
 Or, with the CLI with `pnpm dlx`:
 
 ```sh
-pnpm dlx audit-ci --critical --report-type full
+pnpm dlx audit-ci@^6 --critical --report-type full
 ```
 
 ### Continues build regardless of vulnerabilities, but show the summary report
@@ -335,7 +335,7 @@ With a `JSONC` config file:
 Or, with the CLI:
 
 ```sh
-npx audit-ci --report-type summary
+npx audit-ci@^6 --report-type summary
 ```
 
 ### Example config file and different directory usage
@@ -362,7 +362,7 @@ npx audit-ci --report-type summary
 ```
 
 ```sh
-npx audit-ci --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc
+npx audit-ci@^6 --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc
 ```
 
 #### test/pnpm-config-file/audit-ci.json5
@@ -383,7 +383,7 @@ npx audit-ci --directory test/npm-config-file --config test/npm-config-file/audi
 ```
 
 ```sh
-npx audit-ci --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5
+npx audit-ci@^6 --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5
 ```
 
 ## Codemod