fix(audit): don't error when the found vulnerabilities are allowed

close #2721
PR #2723

.changeset/fifty-avocados-sneeze.md

@@ -0,0 +1,5 @@
+---
+"@pnpm/plugin-commands-audit": patch
+---
+
+`pnpm audit --audit-level high` should not error if the found vulnerabilities are low and/or moderate.

packages/plugin-commands-audit/src/audit.ts

@@ -112,10 +112,9 @@ export async function handler (
   })
   const vulnerabilities = auditReport.metadata.vulnerabilities
   const totalVulnerabilityCount = Object.values(vulnerabilities).reduce((sum, vulnerabilitiesCount) => sum + vulnerabilitiesCount, 0)
-  const exitCode = totalVulnerabilityCount > 0 ? 1 : 0
   if (opts.json) {
     return {
-      exitCode,
+      exitCode: totalVulnerabilityCount > 0 ? 1 : 0,
       output: JSON.stringify(auditReport, null, 2),
     }
   }
@@ -135,7 +134,7 @@ export async function handler (
     ], TABLE_OPTIONS)
   }
   return {
-    exitCode,
+    exitCode: output ? 1 : 0,
     output: `${output}${reportSummary(auditReport.metadata.vulnerabilities, totalVulnerabilityCount)}`,
   }
 }

packages/plugin-commands-audit/test/index.ts

@@ -278,3 +278,25 @@ test('audit --json', async (t) => {
   t.equal(exitCode, 1)
   t.end()
 })
+
+test('audit does not exit with code 1 if the found vulnerabilities are having lower severity then what we asked for', async (t) => {
+  const { output, exitCode } = await audit.handler({
+    auditLevel: 'high',
+    dir: path.join(__dirname, 'packages/has-vulnerabilities'),
+    include: {
+      dependencies: false,
+      devDependencies: true,
+      optionalDependencies: false,
+    },
+    registries: {
+      default: 'https://registry.npmjs.org/',
+    },
+  })
+
+  t.equal(exitCode, 0)
+  t.equal(
+    stripAnsi(output),
+    `1 vulnerabilities found
+Severity: 1 moderate`)
+  t.end()
+})