Reputation: 2707
I want to fail the packaging script for my application if the npm install shows vulnerabilities with high severity.
Example:
added 137 packages from 151 contributors and audited 4041 packages in 8.689s
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
What I have now: I'm doing it with grep, but this does not sound like a good solution because minor output adjustments of the audit can break it without my finding out immediately.
function npm-prod-install-audit() {
    # Matches the human-readable summary line; the pipeline's exit status is grep's,
    # so npm's own exit code is not seen here.
    if npm install --no-optional --only=prod | grep "high severity"; then
        echo "Audit failed! 🖐 Please update your packages."
        exit 1
    else
        echo "Audit passed ✅"
    fi
}
Is there any proper solution for this?
Upvotes: 3
Views: 1307
Reputation: 1080
We can do something like this if you are trying to fail the build and force the engineers to fix the bugs.
Add the following to the scripts section of your package.json file:
"audit:high_and_critical": "yarn audit; code=$?; [ \"$code\" -lt \"${LEVEL:-8}\" ]  # yarn audit exit code is a severity bitmask: 8 = high, 16 = critical"
Upvotes: 0
Reputation: 36
You can use npm audit (https://docs.npmjs.com/cli/audit). It will exit with a non-zero return code if vulnerabilities are found. You can control at which level you want to fail by using --audit-level=(low|moderate|high|critical).
Upvotes: 2
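An added example (not from the question or either answer) that removes the grep dependency the question worries about: it reads the structured `npm audit --json` report and fails closed when the counters in `metadata.vulnerabilities` show anything at the chosen severity or above. The script name `audit_gate.py`, the pipeline invocation and the sample report are assumptions for illustration.

```python
"""Fail a packaging step on `npm audit --json` counters instead of grepping text."""
import json
import sys

# npm's severity scale, least to most severe.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def count_at_or_above(report: dict, level: str) -> int:
    """Sum report["metadata"]["vulnerabilities"] counters for `level` and above.

    Both the npm 6 and npm 7+ JSON report formats carry this block; a missing
    or malformed block raises so the build fails closed instead of passing.
    """
    if level not in SEVERITIES:
        raise ValueError(f"unknown severity level: {level!r}")
    metadata = report.get("metadata") if isinstance(report, dict) else None
    counts = metadata.get("vulnerabilities") if isinstance(metadata, dict) else None
    if not isinstance(counts, dict):
        raise ValueError("no metadata.vulnerabilities block in report; failing closed")
    return sum(int(counts.get(sev, 0)) for sev in SEVERITIES[SEVERITIES.index(level):])


def audit_gate(report_text: str, level: str = "high") -> bool:
    """True when the build may proceed: nothing found at `level` or above."""
    return count_at_or_above(json.loads(report_text), level) == 0


# Constructed sample mirroring the question's "found 1 high severity vulnerability".
SAMPLE_REPORT = {"metadata": {"vulnerabilities":
                 {"info": 0, "low": 2, "moderate": 0, "high": 1, "critical": 0}}}
SAMPLE_REPORT_TEXT = json.dumps(SAMPLE_REPORT)


def main(argv: list) -> int:
    """CLI: `npm audit --json | python audit_gate.py high`; exit 1 blocks the build."""
    level = argv[1] if len(argv) > 1 else "high"
    # With nothing piped in, fall back to the constructed sample as a demo.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_TEXT
    try:
        passed = audit_gate(text, level)
    except ValueError as exc:
        print(f"Audit gate error: {exc}", file=sys.stderr)
        return 1
    print("Audit passed" if passed else f"Audit failed: findings at {level} or above")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the install step, e.g. `npm install --no-optional --only=prod && npm audit --json | python audit_gate.py high || exit 1`; a truncated or unexpected report fails the gate rather than passing silently.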