npm audit fix (#261)

* npm audit fix * Update package-lock.json * Ignore dev dependency audit warnings * eliminate double audit
razee-io · Sep 22, 2021 · 18f54eb · 18f54eb
1 parent 156fd17
commit 18f54eb
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 69 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -7,10 +7,10 @@ services:
 
 before_install:
   - echo "$DOCKERHUB_TOKEN" | docker login -u "icdevops" --password-stdin
-  
+
 script:
-  # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
-  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm audit; else npm audit || true; fi
+  # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.  See audit-ci for details of allowlisted packages etc.
+  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci --config ./audit-ci.json; else npx audit-ci --config ./audit-ci.json || true; fi
   - npm run lint
   - npm test
   - docker build --rm -t "quay.io/razee/remoteresources3decrypt:${TRAVIS_COMMIT}" .

diff --git a/audit-ci.json b/audit-ci.json
@@ -0,0 +1,5 @@
+{
+  "low": true,
+  "_skip-dev": "Avoid vuln in 'underscore', pulled in by jsonlint dev dependency.",
+  "skip-dev": "true"
+}
diff --git a/package-lock.json b/package-lock.json