fix(audit): auditing only a given type of dependencies (#3211)

close #3152
2026-05-12 01:54:53 -04:00 · 2021-03-02 01:36:40 +02:00
parent c47f6033c5
commit 5175460a0c
3 changed files with 16 additions and 34 deletions
--- a/.changeset/three-balloons-build.md
+++ b/.changeset/three-balloons-build.md
@@ -0,0 +1,5 @@
+---
+"@pnpm/plugin-commands-audit": major
+---
+
+Filter dependency types via the `dev`/`production`/`optional` options instead of the `included` option.
--- a/packages/plugin-commands-audit/src/audit.ts
+++ b/packages/plugin-commands-audit/src/audit.ts
@@ -4,7 +4,7 @@ import { Config, types as allTypes, UniversalOptions } from '@pnpm/config'
 import { WANTED_LOCKFILE } from '@pnpm/constants'
 import PnpmError from '@pnpm/error'
 import { readWantedLockfile } from '@pnpm/lockfile-file'
-import { IncludedDependencies, Registries } from '@pnpm/types'
+import { Registries } from '@pnpm/types'
 import { table } from '@zkochan/table'
 import chalk = require('chalk')
 import R = require('ramda')
@@ -90,18 +90,22 @@ export function help () {
 export async function handler (
  opts: Pick<UniversalOptions, 'dir'> & {
    auditLevel?: 'low' | 'moderate' | 'high' | 'critical'
-    include: IncludedDependencies
    json?: boolean
    lockfileDir?: string
    registries: Registries
-  } & Pick<Config, 'fetchRetries' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchRetryFactor'>
+  } & Pick<Config, 'fetchRetries' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchRetryFactor' | 'production' | 'dev' | 'optional'>
 ) {
  const lockfile = await readWantedLockfile(opts.lockfileDir ?? opts.dir, { ignoreIncompatible: true })
  if (!lockfile) {
    throw new PnpmError('AUDIT_NO_LOCKFILE', `No ${WANTED_LOCKFILE} found: Cannot audit a project without a lockfile`)
  }
+  const include = {
+    dependencies: opts.production !== false,
+    devDependencies: opts.dev !== false,
+    optionalDependencies: opts.optional !== false,
+  }
  const auditReport = await audit(lockfile, {
-    include: opts.include,
+    include,
    registry: opts.registries.default,
    retry: {
      factor: opts.fetchRetryFactor,
--- a/packages/plugin-commands-audit/test/index.ts
+++ b/packages/plugin-commands-audit/test/index.ts
@@ -8,11 +8,6 @@ const skipOnNode10 = process.version.split('.')[0] === 'v10' ? test.skip : test
 skipOnNode10('audit', async () => {
  const { output, exitCode } = await audit.handler({
    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
-    include: {
-      dependencies: true,
-      devDependencies: true,
-      optionalDependencies: true,
-    },
    registries: {
      default: 'https://registry.npmjs.org/',
    },
@@ -24,11 +19,8 @@ skipOnNode10('audit', async () => {
 test('audit --dev', async () => {
  const { output, exitCode } = await audit.handler({
    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
-    include: {
-      dependencies: false,
-      devDependencies: true,
-      optionalDependencies: false,
-    },
+    dev: true,
+    production: false,
    registries: {
      default: 'https://registry.npmjs.org/',
    },
@@ -42,11 +34,6 @@ test('audit --audit-level', async () => {
  const { output, exitCode } = await audit.handler({
    auditLevel: 'moderate',
    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
-    include: {
-      dependencies: true,
-      devDependencies: true,
-      optionalDependencies: true,
-    },
    registries: {
      default: 'https://registry.npmjs.org/',
    },
@@ -59,11 +46,6 @@ test('audit --audit-level', async () => {
 test('audit: no vulnerabilities', async () => {
  const { output, exitCode } = await audit.handler({
    dir: path.join(__dirname, '../../../fixtures/has-outdated-deps'),
-    include: {
-      dependencies: true,
-      devDependencies: true,
-      optionalDependencies: true,
-    },
    registries: {
      default: 'https://registry.npmjs.org/',
    },
@@ -76,11 +58,6 @@ test('audit: no vulnerabilities', async () => {
 test('audit --json', async () => {
  const { output, exitCode } = await audit.handler({
    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
-    include: {
-      dependencies: true,
-      devDependencies: true,
-      optionalDependencies: true,
-    },
    json: true,
    registries: {
      default: 'https://registry.npmjs.org/',
@@ -96,11 +73,7 @@ test.skip('audit does not exit with code 1 if the found vulnerabilities are havi
  const { output, exitCode } = await audit.handler({
    auditLevel: 'high',
    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
-    include: {
-      dependencies: false,
-      devDependencies: true,
-      optionalDependencies: false,
-    },
+    dev: true,
    registries: {
      default: 'https://registry.npmjs.org/',
    },