fix(audit): don't add package with no fixes to the overrides (#3649)

.changeset/rude-cameras-guess.md

@@ -0,0 +1,5 @@
+---
+"@pnpm/plugin-commands-audit": patch
+---
+
+If a package has no fixes, do not add it to the overrides.

packages/plugin-commands-audit/src/fix.ts

@@ -20,8 +20,12 @@ export default async function fix (dir: string, auditReport: AuditReport) {
 }
 
 function createOverrides (advisories: AuditAdvisory[]) {
-  return fromPairs(advisories.map((advisory) => [
-    `${advisory.module_name}@${advisory.vulnerable_versions}`,
-    advisory.patched_versions,
-  ]))
+  return fromPairs(
+    advisories
+      .filter(({ vulnerable_versions }) => vulnerable_versions !== '>=0.0.0') // eslint-disable-line
+      .map((advisory) => [
+        `${advisory.module_name}@${advisory.vulnerable_versions}`,
+        advisory.patched_versions,
+      ])
+  )
 }

packages/plugin-commands-audit/test/__snapshots__/index.ts.snap

@@ -133,6 +133,17 @@ exports[`audit --audit-level 1`] = `
 ├─────────────────────┼─────────────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/1763       │
 └─────────────────────┴─────────────────────────────────────────┘
+┌─────────────────────┬───────────────────────────────────┐
+│ moderate            │ Tmp files readable by other users │
+├─────────────────────┼───────────────────────────────────┤
+│ Package             │ sync-exec                         │
+├─────────────────────┼───────────────────────────────────┤
+│ Vulnerable versions │ >=0.0.0                           │
+├─────────────────────┼───────────────────────────────────┤
+│ Patched versions    │ <0.0.0                            │
+├─────────────────────┼───────────────────────────────────┤
+│ More info           │ https://npmjs.com/advisories/310  │
+└─────────────────────┴───────────────────────────────────┘
 ┌─────────────────────┬──────────────────────────────────┐
 │ moderate            │ Prototype Pollution              │
 ├─────────────────────┼──────────────────────────────────┤
@@ -188,8 +199,8 @@ exports[`audit --audit-level 1`] = `
 ├─────────────────────┼──────────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/1751    │
 └─────────────────────┴──────────────────────────────────────┘
-24 vulnerabilities found
-Severity: 7 low | 5 moderate | 10 high | 2 critical"
+25 vulnerabilities found
+Severity: 7 low | 6 moderate | 10 high | 2 critical"
 `;
 
 exports[`audit --dev 1`] = `
@@ -204,6 +215,17 @@ exports[`audit --dev 1`] = `
 ├─────────────────────┼───────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/1594 │
 └─────────────────────┴───────────────────────────────────┘
+┌─────────────────────┬───────────────────────────────────┐
+│ moderate            │ Tmp files readable by other users │
+├─────────────────────┼───────────────────────────────────┤
+│ Package             │ sync-exec                         │
+├─────────────────────┼───────────────────────────────────┤
+│ Vulnerable versions │ >=0.0.0                           │
+├─────────────────────┼───────────────────────────────────┤
+│ Patched versions    │ <0.0.0                            │
+├─────────────────────┼───────────────────────────────────┤
+│ More info           │ https://npmjs.com/advisories/310  │
+└─────────────────────┴───────────────────────────────────┘
 ┌─────────────────────┬──────────────────────────────────┐
 │ moderate            │ Denial of Service                │
 ├─────────────────────┼──────────────────────────────────┤
@@ -215,8 +237,8 @@ exports[`audit --dev 1`] = `
 ├─────────────────────┼──────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/880 │
 └─────────────────────┴──────────────────────────────────┘
-2 vulnerabilities found
-Severity: 1 moderate | 1 high"
+3 vulnerabilities found
+Severity: 2 moderate | 1 high"
 `;
 
 exports[`audit 1`] = `
@@ -352,6 +374,17 @@ exports[`audit 1`] = `
 ├─────────────────────┼─────────────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/1763       │
 └─────────────────────┴─────────────────────────────────────────┘
+┌─────────────────────┬───────────────────────────────────┐
+│ moderate            │ Tmp files readable by other users │
+├─────────────────────┼───────────────────────────────────┤
+│ Package             │ sync-exec                         │
+├─────────────────────┼───────────────────────────────────┤
+│ Vulnerable versions │ >=0.0.0                           │
+├─────────────────────┼───────────────────────────────────┤
+│ Patched versions    │ <0.0.0                            │
+├─────────────────────┼───────────────────────────────────┤
+│ More info           │ https://npmjs.com/advisories/310  │
+└─────────────────────┴───────────────────────────────────┘
 ┌─────────────────────┬──────────────────────────────────┐
 │ moderate            │ Prototype Pollution              │
 ├─────────────────────┼──────────────────────────────────┤
@@ -473,6 +506,6 @@ exports[`audit 1`] = `
 ├─────────────────────┼──────────────────────────────────────┤
 │ More info           │ https://npmjs.com/advisories/1662    │
 └─────────────────────┴──────────────────────────────────────┘
-24 vulnerabilities found
-Severity: 7 low | 5 moderate | 10 high | 2 critical"
+25 vulnerabilities found
+Severity: 7 low | 6 moderate | 10 high | 2 critical"
 `;

packages/plugin-commands-audit/test/fix.ts

@@ -23,6 +23,7 @@ test('overrides are added for vulnerable dependencies', async () => {
 
   const manifest = await loadJsonFile<ProjectManifest>(path.join(tmp, 'package.json'))
   expect(manifest.pnpm?.overrides?.['axios@<0.18.1']).toBe('>=0.18.1')
+  expect(manifest.pnpm?.overrides?.['sync-exec@>=0.0.0']).toBeFalsy()
 })
 
 test('no overrides are added if no vulnerabilities are found', async () => {

packages/plugin-commands-audit/test/fixtures/has-vulnerabilities/package.json

@@ -6,5 +6,8 @@
   },
   "devDependencies": {
     "axios": "0.15"
+  },
+  "optionalDependencies": {
+    "sync-exec": "0.6.2"
   }
 }