audit-ci
chicken vs egg
Please tell me if I'm missing something, but isn't `npm install --save-dev audit-ci` also an attack vector, since it runs `npm install` and installs all packages? Isn't the whole point to avoid running `npm install` until you verify packages are not compromised with `npm audit`?

So running `npm install --save-dev audit-ci` is unsafe. The safest path to installing packages is something like this?

```sh
npm audit audit-ci  # fails because npm audit does not take a package as argument
npm install -g audit-ci
audit-ci [your specific args]
npm ci
```
You're definitely right. I will add that to the documentation.

EDIT: I am not sure how to address this problem; it is definitely a chicken-and-egg problem. One strong consideration would be to reduce the number of dependencies used by audit-ci to mitigate this risk.

One approach would be to do a global install as you mentioned but pipe the automatic audit response to something that can process the result; fail if audit-ci has a vulnerability and pass if not.

```sh
npm i -g audit-ci | grep "found 0 vulnerabilities"
```

Minimal testing, but I believe this will return an exit code of 1 if there are any vulnerabilities (regardless of level) in audit-ci.

I guess another little test you can do without installing anything is:

```sh
npm audit --json | jq -e '.metadata.vulnerabilities.critical == 0'
```
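The chicken-and-egg problem discussed in this thread can be closed by auditing audit-ci's own dependency tree before any of it is installed or executed. The script below is an added example, not code from audit-ci or from either participant. It assumes npm 7 or later on `PATH`; the `--dry-run` flag, the `preflight_install` and `evaluate_audit` names and the embedded `SAMPLE_REPORT` are this example's own, and the sample report is constructed. The technique: `npm install --package-lock-only` resolves the tree into a lockfile without extracting any tarball into `node_modules`, so no preinstall/postinstall script runs; `npm audit --json` then audits that lockfile, and only a clean report at the chosen severity allows the global install to proceed.

```python
"""Pre-flight audit of a tool's dependency tree before installing it.

Added example for the audit-ci chicken-and-egg discussion; not part of
audit-ci. Assumes npm 7+ on PATH. SAMPLE_REPORT is constructed data.
"""
import json
import subprocess
import sys
import tempfile
from typing import Dict, Tuple

# Ordered from least to most severe, matching npm's own labels.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]

# Constructed `npm audit --json` excerpt containing only the fields this
# script reads. Both npm 6 and npm 7+ emit metadata.vulnerabilities counters.
SAMPLE_REPORT = {
    "metadata": {
        "vulnerabilities": {
            "info": 0, "low": 2, "moderate": 0,
            "high": 1, "critical": 0, "total": 3,
        }
    }
}


def evaluate_audit(report: dict, threshold: str = "low") -> Tuple[bool, Dict[str, int]]:
    """Return (ok, counters at or above `threshold`) for an npm audit report.

    ok is False if any vulnerability of `threshold` severity or higher is
    present. Missing counters are treated as zero, so an empty report passes.
    """
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown severity {threshold!r}; use one of {SEVERITIES}")
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    start = SEVERITIES.index(threshold)
    blocking = {sev: int(counts.get(sev, 0)) for sev in SEVERITIES[start:]}
    return sum(blocking.values()) == 0, blocking


def _npm(workdir: str, *args: str, check: bool = True) -> subprocess.CompletedProcess:
    return subprocess.run(["npm", *args], cwd=workdir, check=check,
                          capture_output=True, text=True)


def resolve_and_audit(package: str, workdir: str) -> dict:
    """Audit `package`'s resolved dependency tree without installing it.

    --package-lock-only writes package-lock.json but extracts nothing into
    node_modules, so no lifecycle scripts run; --ignore-scripts is added as
    a second guard. npm audit then reads that lockfile (registry metadata is
    still fetched, so this step needs network access).
    """
    _npm(workdir, "init", "-y")
    _npm(workdir, "install", "--package-lock-only", "--ignore-scripts", package)
    # npm audit exits non-zero whenever it has findings, so do not check here.
    proc = _npm(workdir, "audit", "--json", check=False)
    return json.loads(proc.stdout)


def preflight_install(package: str = "audit-ci", threshold: str = "moderate") -> int:
    """Audit first; install globally only if clean. Returns an exit code."""
    with tempfile.TemporaryDirectory() as tmp:
        report = resolve_and_audit(package, tmp)
    ok, blocking = evaluate_audit(report, threshold)
    if not ok:
        print(f"refusing to install {package}: {blocking}", file=sys.stderr)
        return 1
    subprocess.run(["npm", "install", "-g", package], check=True)
    return 0


if __name__ == "__main__":
    # `--dry-run` exercises the decision logic on the constructed sample only.
    if "--dry-run" in sys.argv:
        ok, blocking = evaluate_audit(SAMPLE_REPORT, "moderate")
        print("clean" if ok else f"blocked by {blocking}")
    else:
        sys.exit(preflight_install())
```

After a successful `preflight_install`, the sequence from the original post applies unchanged: run `audit-ci` with your thresholds in the project, then `npm ci`. Compared with grepping `npm i -g` output for "found 0 vulnerabilities", this gates the install on the structured JSON counters rather than on human-readable wording that may change between npm versions, and it lets you pick the severity to block on. The usual caveat stands for both approaches: `npm audit` only reports advisories already known to the registry, so a freshly compromised release that has no advisory yet passes either check.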