docs: Pin running audit-ci to major version #273

Merged
merged 1 commit into from May 20, 2022
18 changes: 9 additions & 9 deletions README.md
Expand Up @@ -150,7 +150,7 @@ An allowlist record may include any number of wildcards such as `*|react-scripts
steps:
- uses: actions/checkout@v2
- name: Audit for vulnerabilities
run: npx audit-ci --config ./audit-ci.jsonc
run: npx audit-ci@^6 --config ./audit-ci.jsonc
```

_(Recommended)_ Run `audit-ci` immediately after checking out the git repository to reduce the risk of executing a `postinstall` script from a compromised NPM package.
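Review bot: the sentence right below the snippet explains why `audit-ci` runs before any install step, but nothing in the README explains the new `@^6` suffix. Add one sentence saying that the caret range keeps `npx` on the current major so a future major release cannot silently change CLI flags or config-file semantics in CI, and that `^6` still resolves to the newest 6.x at every run, so teams that want a fully reproducible audit step should pin an exact version instead (the same floating-tag trade-off applies to `actions/checkout@v2` on the line above).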
Expand All @@ -176,7 +176,7 @@ steps:
# command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then npx audit-ci --config ./audit-ci.jsonc ; fi
- run:
name: run-audit-ci
command: npx audit-ci --config ./audit-ci.jsonc
command: npx audit-ci@^6 --config ./audit-ci.jsonc
- run:
name: install-npm
command: "npm install --no-audit"
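Review bot: the commented-out PR-only variant, `# command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then npx audit-ci --config ./audit-ci.jsonc ; fi`, still invokes unpinned `audit-ci` while the active `command:` two lines below was changed to `audit-ci@^6`; anyone who uncomments the PR-only form loses the pin. Update it to `npx audit-ci@^6 --config ./audit-ci.jsonc` in the same commit.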
Expand All @@ -190,14 +190,14 @@ Auditing only on PR builds is [recommended](#qa)
scripts:
# This script should be the first that runs to reduce the risk of
# executing a script from a compromised NPM package.
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config ./audit-ci.jsonc; fi
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci@^6 --config ./audit-ci.jsonc; fi
```

For `Travis-CI` not using PR builds:

```yml
scripts:
- npx audit-ci --config ./audit-ci.jsonc
- npx audit-ci@^6 --config ./audit-ci.jsonc
```

## Options
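Review bot: both Travis snippets are now pinned consistently, but the top-level key in each is `scripts:` whereas Travis CI reads `script:` (singular); an unrecognised `scripts:` key is ignored, so the audit step would never run. That is pre-existing rather than introduced by this change, but since the PR touches both snippets it is a cheap drive-by fix.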
Expand Down Expand Up @@ -300,7 +300,7 @@ With a `JSON5` config file:
Or, with the CLI with `yarn dlx`:

```sh
yarn dlx audit-ci -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
yarn dlx audit-ci@^6 -l -a "GHSA-38f5-ghc2-fcmv" lodash base64url --show-found false
```

### Prevents build with critical vulnerabilities showing the full report
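Review bot: `^` is an ordinary character in bash and POSIX sh, but in zsh with `EXTENDED_GLOB` set it is the glob-negation operator and in older fish releases it was the stderr-redirection operator, so an unquoted `audit-ci@^6` typed into one of those shells can be mangled. The CI YAML snippets above are executed by the CI runner's shell, but the `yarn dlx`, `pnpm dlx` and `npx` examples under Options are meant to be typed interactively, so quoting the spec as `'audit-ci@^6'` would be the safer form here and in the following `sh` blocks.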
Expand All @@ -318,7 +318,7 @@ With a `JSONC` config file:
Or, with the CLI with `pnpm dlx`:

```sh
pnpm dlx audit-ci --critical --report-type full
pnpm dlx audit-ci@^6 --critical --report-type full
```

### Continues build regardless of vulnerabilities, but show the summary report
Expand All @@ -335,7 +335,7 @@ With a `JSONC` config file:
Or, with the CLI:

```sh
npx audit-ci --report-type summary
npx audit-ci@^6 --report-type summary
```

### Example config file and different directory usage
Expand All @@ -362,7 +362,7 @@ npx audit-ci --report-type summary
```

```sh
npx audit-ci --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc
npx audit-ci@^6 --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc
```

#### test/pnpm-config-file/audit-ci.json5
Expand All @@ -383,7 +383,7 @@ npx audit-ci --directory test/npm-config-file --config test/npm-config-file/audi
```

```sh
npx audit-ci --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5
npx audit-ci@^6 --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5
```

## Codemod