fix: print quick audit report for human output

This was broken when the support/funding functionality changed the return value to no longer track the promise for the quick audit printing. It was not caught by tests, because they were only running against the --json output, and not verifying the quick audit results in any way. Added a test to track the --json quick audit results (which were not broken, but someday could become so) and the human printed quick audit results (which were broken). Paired with @ruyadorno @mikemimik
npm · Nov 15, 2019 · 9190f3f · 9190f3f
1 parent 9c7161d
commit 9190f3f
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 8 deletions.
diff --git a/lib/install.js b/lib/install.js
@@ -877,9 +877,6 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) {
   report += ' in ' + ((Date.now() - this.started) / 1000) + 's'
 
   output(report)
-  if (auditResult) {
-    audit.printInstallReport(auditResult)
-  }
 
   function packages (num) {
     return num + ' package' + (num > 1 ? 's' : '')
@@ -910,6 +907,10 @@ Installer.prototype.printInstalledForHuman = function (diffs, auditResult) {
   if (printFundingReport.length) {
     output(printFundingReport)
   }
+
+  if (auditResult) {
+    return audit.printInstallReport(auditResult)
+  }
 }
 
 Installer.prototype.printInstalledForJSON = function (diffs, auditResult) {

diff --git a/lib/install/fund.js b/lib/install/fund.js
@@ -39,8 +39,8 @@ function getPrintFundingReport ({ fund, idealTree }, opts) {
 
   return padding('') + length + ' ' +
     packageQuantity(length) +
-    ' looking for funding.' +
-    padding('Run "npm fund" to find out more.')
+    ' looking for funding' +
+    padding('  run `npm fund` for details\n')
 }
 
 function getPrintFundingReportJSON ({ fund, idealTree }) {

diff --git a/test/tap/audit.js b/test/tap/audit.js
@@ -27,6 +27,66 @@ function tmock (t) {
   })
 }
 
+const quickAuditResult = {
+  actions: [],
+  advisories: {
+    '1316': {
+      findings: [
+        {
+          version: '1.0.0',
+          paths: [
+            'baddep'
+          ]
+        }
+      ],
+      'id': 1316,
+      'created': '2019-11-14T15:29:41.991Z',
+      'updated': '2019-11-14T19:35:30.677Z',
+      'deleted': null,
+      'title': 'Arbitrary Code Execution',
+      'found_by': {
+        'link': '',
+        'name': 'François Lajeunesse-Robert',
+        'email': ''
+      },
+      'reported_by': {
+        'link': '',
+        'name': 'François Lajeunesse-Robert',
+        'email': ''
+      },
+      'module_name': 'baddep',
+      'cves': [],
+      'vulnerable_versions': '<4.5.2',
+      'patched_versions': '>=4.5.2',
+      'overview': 'a nice overview of the advisory',
+      'recommendation': 'how you should fix it',
+      'references': '',
+      'access': 'public',
+      'severity': 'high',
+      'cwe': 'CWE-79',
+      'metadata': {
+        'module_type': '',
+        'exploitability': 6,
+        'affected_components': ''
+      },
+      'url': 'https://npmjs.com/advisories/1234542069'
+    }
+  },
+  'muted': [],
+  'metadata': {
+    'vulnerabilities': {
+      'info': 0,
+      'low': 0,
+      'moderate': 0,
+      'high': 1,
+      'critical': 0
+    },
+    'dependencies': 1,
+    'devDependencies': 0,
+    'totalDependencies': 1
+  }
+}
+
 test('exits with zero exit code for vulnerabilities below the `audit-level` flag', t => {
   const fixture = new Tacks(new Dir({
     'package.json': new File({
@@ -40,7 +100,7 @@ test('exits with zero exit code for vulnerabilities below the `audit-level` flag
   fixture.create(testDir)
   return tmock(t).then(srv => {
     srv.filteringRequestBody(req => 'ok')
-    srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah')
+    srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, quickAuditResult)
     srv.get('/baddep').twice().reply(200, {
       name: 'baddep',
       'dist-tags': {
@@ -75,6 +135,8 @@ test('exits with zero exit code for vulnerabilities below the `audit-level` flag
       '--registry', common.registry,
       '--cache', path.join(testDir, 'npm-cache')
     ], EXEC_OPTS).then(([code, stdout, stderr]) => {
+      const result = JSON.parse(stdout)
+      t.same(result.audit, quickAuditResult, 'printed quick audit result')
       srv.filteringRequestBody(req => 'ok')
       srv.post('/-/npm/v1/security/audits', 'ok').reply(200, {
         actions: [{
@@ -102,6 +164,62 @@ test('exits with zero exit code for vulnerabilities below the `audit-level` flag
   })
 })
 
+test('shows quick audit results summary for human', t => {
+  const fixture = new Tacks(new Dir({
+    'package.json': new File({
+      name: 'foo',
+      version: '1.0.0',
+      dependencies: {
+        baddep: '1.0.0'
+      }
+    })
+  }))
+  fixture.create(testDir)
+  return tmock(t).then(srv => {
+    srv.filteringRequestBody(req => 'ok')
+    srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, quickAuditResult)
+    srv.get('/baddep').twice().reply(200, {
+      name: 'baddep',
+      'dist-tags': {
+        'latest': '1.2.3'
+      },
+      versions: {
+        '1.0.0': {
+          name: 'baddep',
+          version: '1.0.0',
+          _hasShrinkwrap: false,
+          dist: {
+            shasum: 'deadbeef',
+            tarball: common.registry + '/idk/-/idk-1.0.0.tgz'
+          }
+        },
+        '1.2.3': {
+          name: 'baddep',
+          version: '1.2.3',
+          _hasShrinkwrap: false,
+          dist: {
+            shasum: 'deadbeef',
+            tarball: common.registry + '/idk/-/idk-1.2.3.tgz'
+          }
+        }
+      }
+    })
+    return common.npm([
+      'install',
+      '--audit',
+      '--no-json',
+      '--package-lock-only',
+      '--registry', common.registry,
+      '--cache', path.join(testDir, 'npm-cache')
+    ], EXEC_OPTS).then(([code, stdout, stderr]) => {
+      t.match(stdout, new RegExp('added 1 package and audited 1 package in .*\\n' +
+        'found 1 high severity vulnerability\\n' +
+        '  run `npm audit fix` to fix them, or `npm audit` for details\\n'),
+      'shows quick audit result')
+    })
+  })
+})
+
 test('exits with non-zero exit code for vulnerabilities at the `audit-level` flag', t => {
   const fixture = new Tacks(new Dir({
     'package.json': new File({

diff --git a/test/tap/install.fund.js b/test/tap/install.fund.js
@@ -55,7 +55,7 @@ test('print appropriate message for a single package', (t) => {
         ]
       }
     }),
-    `${EOL}1 package is looking for funding.${EOL}Run "npm fund" to find out more.`,
+    `${EOL}1 package is looking for funding${EOL}  run \`npm fund\` for details${EOL}`,
     'should print single package message'
   )
   t.end()
@@ -93,7 +93,7 @@ test('print appropriate message for many packages', (t) => {
         ]
       }
     }),
-    `${EOL}3 packages are looking for funding.${EOL}Run "npm fund" to find out more.`,
+    `${EOL}3 packages are looking for funding${EOL}  run \`npm fund\` for details${EOL}`,
     'should print many package message'
   )
   t.end()