npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@codejedi365/gitlab-npm-audit-parser

v2.0.0

Published

NPM Audit parser for GitLab dependency scanning

Downloads

1,401

Readme

GitLab parser for NPM Audit

Usage: gitlab-npm-audit-parser [options]

Input: Stdin via pipe
  npm audit --json | gitlab-npm-audit-parser ...
  cat <file> | gitlab-npm-audit-parser ...

Options:

  -V, --version     output the version number
  -o, --out <path>  output filename, defaults to gl-dependency-scanning-report.json
  -h, --help        output usage information

Package Objective

Perform the data translation from an npm audit --json report output to the GitLab.com standardized JSON schema format specifically for ingest of dependency scanning reports of a project.

Why?

GitLab requires a common schema to ingest scanning reports from multiple different dependency auditing tools across different languages. In the JavaScript/TypeScript ecosystem, most of us use npm audit to verify project dependencies but the JSON report is not ingestable by GitLab.com. It requires this package as middleware to translate an npm audit --json report into the standard dependency audit schema before it can be uploaded and ingested as a dependency_scanning artifact. Ingested artifacts can then be used as data sources to generate interactive content embedded in a pipeline results view or Merge Request (MR) webpage.

Why this library? Because it's fast! We used Webpack to generate a self-contained bundle which means we have 0 dependencies to download for production! With NPX you can use this library direct from the cloud with minimal delay at 15.7KB package size. We use Gitlab's published schema repository directly to help construct the output code. For Developers, we also employ linting & automated testing on the codebase to improve the development experience.

Compatibility

| INGEST | SUPPORTED? | OUTPUT | | ----------------------- | :--------: | ------------------------------------------------------ | | npm-audit-report@^1.0.0 | yes | JSON file ([email protected]) | | npm-audit-report@^2.0.0 | yes | JSON file ([email protected]) |

GitLab.org publishes their security report format to their own Package Repository which is attached to their schema generation repository: gitlab-org/security-report-schemas. This project targets the currently released report-format for Dependency Scanning.

How to use

Install this package into your devDependencies or use npx directly to download the package at runtime. If you opt to download for use at run time, make sure to include the correct scope name for the package since there are multiple versions of this package on npmjs.com.

I recommend the runtime option since this package is only needed in a GitLab specific pipeline and not necessary to be locally installed for developer use.

# 1. Downloads at runtime use
npm audit --json | npx @codejedi365/gitlab-npm-audit-parser -o gl-dependency-scanning.json

# 2. Install in devDependencies
npm install --save-dev @codejedi365/gitlab-npm-audit-parser

Add the following job to .gitlab-ci.yml. If you used #2 and it is in your devDependencies you may remove the @<scope> prefix from the following.

dependency scanning:
  image: node:10-alpine
  script:
    - npm ci
    - npm audit --json | npx @codejedi365/gitlab-npm-audit-parser -o
      gl-dependency-scanning.json
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning.json

NOTE: If you use a npm run-script to call npm audit due to set project parameters, this library will ignore any prefixed stdout data prior to the first open bracket for the JSON output. This way npm run --silent is no longer required.

Vulnerability Report

| Vulnerability | PKG | Category | In Production Pkg? | Notes | | ------------- | :----------: | :------: | :-------------------------: | --------------------------------------------------------------------- | | RegExp DoS | trim@<0.0.3 | High | No (DevDependency/Linter) | waiting for remark-parse@^9.x.x release, owner will not patch v8.0.3 |

Contributors

Development Environment

  • Use nvm for node version management (see .nvmrc for version requirement)
  • Use latest npm version via nvm install-latest-npm

Guidelines

  • Code (including Markdown) must pass a linting checks
  • Developmental repository must be compatible with NodeJS v12 LTS & npm@^7.0.0
  • Distribution build must be compatible with v10
  • Must have successful build & pass all test cases in both Node.js v10 LTS, v12 LTS, & v14 LTS
  • Releases will have all non-breaking changes in dependencies up-to-date

Test

# Production build (CLI bundle) & Executes all test cases
npm run test:prod

# Verifies build process once, then runs tests against local files
npm test
npm run test:dev   # enable test watch mode

# Monitor build process & interactive lint
npm run build-watch

Examples

| # | INGEST FILE | | OUTPUT FILE | | --- | ----------------------- | --- | ----------------------------------- | | 1. | ./test/v1_report.json | => | ./test/snapshots/GL-report.1.json | | 2. | ./test/v2_report.json | => | ./test/snapshots/GL-report.2.json |

Future Features

  • Add -i|--in|--input <file> option for handling file input

  • Add support for input redirector <(cat file.txt).

  • Add testing, dependency, & closer integration with npm-audit-report library

  • Configure a bot to monitor changes/updates to schema & audit reporter repository

Extras

COMING SOON! gitlab-depscan-merger: a solution to create 1 ingestable dependency_scanning report from multiple audit reports overcoming the GitLab pipeline limitation.

Check out my other projects at @codejedi365 on GitHub.com