HUB-9924: PNPM Audit Resolver Package #7
base: master
Conversation
HUB-9924 (Implement a pnpm audit resolver script)
Pull Request Overview
This PR introduces a new package @knime/pnpm-audit-resolver that automates the management of temporary security audit exceptions in PNPM projects by reading audit rules from a configuration file and automatically expiring them based on timestamps.
- Adds a utility that processes audit-resolve.json configurations with time-bound security ignores
- Automatically removes expired GHSA ignores from package.json audit configuration
- Provides a command-line tool for integration into CI/CD pipelines
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| packages/pnpm-audit-resolver/src/index.js | Main implementation that reads audit configurations and updates package.json |
| packages/pnpm-audit-resolver/package.json | Package configuration with scripts and binary definitions |
| packages/pnpm-audit-resolver/README.md | Documentation explaining usage and configuration format |
| packages/pnpm-audit-resolver/LICENSE | GPL v3 license with additional KNIME permissions |
| packages/pnpm-audit-resolver/CHANGELOG.md | Empty changelog file for the new package |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| try { | ||
| auditResolveRaw = await fs.readFile(auditResolvePath, "utf-8"); | ||
| } catch { | ||
| throw "Could not find 'audit-resolve.json' file in your root directory"; |
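Review bot: the bare `catch {` around `fs.readFile(auditResolvePath, "utf-8")` reports every failure as a missing file, so EACCES, EISDIR or a short read would be misreported as "Could not find". Bind the error, check `err.code === "ENOENT"` and rethrow anything else. Throwing a string instead of an `Error` also drops the stack trace and defeats `instanceof Error` checks in callers.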
Copilot AI, Sep 29, 2025
Throwing a string is not recommended. Use a proper Error object instead: throw new Error("Could not find 'audit-resolve.json' file in your root directory");
| throw "Could not find 'audit-resolve.json' file in your root directory"; | |
| throw new Error("Could not find 'audit-resolve.json' file in your root directory"); |
| { | ||
| "name": "@knime/pnpm-audit-resolver", | ||
| "version": "1.0.0", | ||
| "description": "Resolves audit issues be defining actions to it", |
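Review bot: `"version": "1.0.0"` is published alongside an empty CHANGELOG.md (see the file summary above); add an initial 1.0.0 entry describing the first release so consumers can see what the package contains and when the ignore-expiry behaviour was introduced.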
Copilot AI, Sep 29, 2025
Grammatical error in description. Should be 'by defining actions for them' instead of 'be defining actions to it'.
| "description": "Resolves audit issues be defining actions to it", | |
| "description": "Resolves audit issues by defining actions for them", |
| } | ||
| }, | ||
| "bin": { | ||
| "audit-resolve": "./src/index.js" |
Copilot AI, Sep 29, 2025
The binary entry points to a file that lacks a shebang line. Add #!/usr/bin/env node as the first line of src/index.js to make it executable as a binary.
| throw "Could not find 'audit-resolve.json' file in your root directory"; | ||
| } | ||
|
|
||
| const auditData = JSON.parse(auditResolveRaw); |
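Review bot: `JSON.parse(auditResolveRaw)` is the only check the file gets before `auditData` is used, and its entries end up as ignored advisories in package.json. Validate the shape after parsing: each key should match the GHSA-xxxx-xxxx-xxxx pattern and each expiry should parse to a date, and a malformed entry should abort the run rather than be treated as a never-expiring ignore.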
Copilot AI, Sep 29, 2025
JSON.parse can throw if the file contains invalid JSON. Wrap this in a try-catch block to provide a more helpful error message for malformed audit-resolve.json files.
| const auditData = JSON.parse(auditResolveRaw); | |
| let auditData; | |
| try { | |
| auditData = JSON.parse(auditResolveRaw); | |
| } catch (err) { | |
| throw new Error( | |
| "Malformed 'audit-resolve.json': " + err.message | |
| ); | |
| } |
| const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8"); | ||
| const packageJson = JSON.parse(packageJsonRaw); |
Copilot AI, Sep 29, 2025
Missing error handling for reading and parsing package.json. These operations can fail if the file doesn't exist or contains invalid JSON.
| const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8"); | |
| const packageJson = JSON.parse(packageJsonRaw); | |
| let packageJsonRaw; | |
| try { | |
| packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8"); | |
| } catch { | |
| throw "Could not find 'package.json' file in your root directory"; | |
| } | |
| let packageJson; | |
| try { | |
| packageJson = JSON.parse(packageJsonRaw); | |
| } catch { | |
| throw "Could not parse 'package.json': invalid JSON format"; | |
| } |
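Review bot: the suggested replacement throws string literals at `throw "Could not find 'package.json' file in your root directory";` and `throw "Could not parse 'package.json': invalid JSON format";`, which contradicts the earlier suggestion on this file; use `throw new Error(...)` in both places. The bare `catch` around `fs.readFile(packageJsonPath, "utf-8")` also reports every I/O failure as a missing file; check `err.code === "ENOENT"` and rethrow anything else.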
📦 PNPM Audit Resolver Integration
This PR introduces @knime/pnpm-audit-resolver, a utility that helps manage temporary security audit exceptions in PNPM projects. It is mainly for CVEs that have no patched version released yet.
🔍 What it does
• Reads an audit-resolve.json file in the project root.
• Applies ignore rules for vulnerabilities (GHSA IDs) with a defined expiration.
• Automatically removes expired ignores so that exceptions don’t live longer than intended.
• Updates package.json to keep pnpm.auditConfig.ignoreGhsas in sync with valid rules.
✅ Benefits
• Ensures security ignores are time-bound and enforced automatically.
• Reduces the risk of forgotten audit exceptions.
• Keeps the audit process clean and reliable in CI/CD pipelines.
🛠️ Usage
1. Add an audit-resolve.json with decisions + expiration timestamps.
2. Run the resolver via pnpm audit:resolve.
Example audit-resolve.json:
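As an added example that is not part of this PR or the @knime package, here is the resolve-and-sync step described above in plain Node.js. The audit-resolve.json layout (an object keyed by GHSA id, each value carrying `decision`, `expires` and `reason`), the function names and the sample ids are assumptions, since the PR text does not show the real file format; the ids are constructed to match the GHSA alphabet and are not real advisories. It fails closed: a malformed id, a missing reason or an unparseable expiry aborts instead of becoming an ignore.

```javascript
"use strict";

// Added example, not the PR's code: resolve time-bound GHSA ignore rules from an
// audit-resolve.json object into package.json's pnpm.auditConfig.ignoreGhsas.
// ASSUMPTION: audit-resolve.json is an object keyed by GHSA id, each value being
// { decision: "ignore", expires: <ISO-8601 timestamp>, reason: <string> }.
// The PR does not show the real layout; this one is hypothetical.

// GHSA identifiers are GHSA-xxxx-xxxx-xxxx over the alphabet 23456789cfghjkmpqrvwx.
const GHSA_ID = /^GHSA(?:-[23456789cfghjkmpqrvwx]{4}){3}$/;

// Splits the rules into still-valid ignores and expired ones, relative to `now`.
// Fails closed: an unknown id format, a missing reason or an unparseable expiry
// throws, so a typo can never turn into a permanent, silent ignore.
function resolveIgnores(auditData, now = new Date()) {
  if (auditData === null || typeof auditData !== "object" || Array.isArray(auditData)) {
    throw new Error("audit-resolve.json must be an object keyed by GHSA id");
  }
  const ignoreGhsas = [];
  const expired = [];
  for (const [id, rule] of Object.entries(auditData)) {
    if (!GHSA_ID.test(id)) throw new Error(`Invalid GHSA id: ${id}`);
    if (!rule || rule.decision !== "ignore") throw new Error(`${id}: unsupported decision`);
    if (typeof rule.reason !== "string" || rule.reason.trim() === "") {
      throw new Error(`${id}: a non-empty 'reason' is required`);
    }
    const expires = new Date(rule.expires);
    if (typeof rule.expires !== "string" || Number.isNaN(expires.getTime())) {
      throw new Error(`${id}: 'expires' must be an ISO-8601 timestamp`);
    }
    (expires > now ? ignoreGhsas : expired).push(id);
  }
  return { ignoreGhsas: ignoreGhsas.sort(), expired: expired.sort() };
}

// Returns a copy of packageJson whose pnpm.auditConfig.ignoreGhsas is exactly the
// unexpired rule set. Ignores present in package.json without a backing rule are
// dropped and reported, so the config file cannot outlive audit-resolve.json.
function syncPackageJson(packageJson, ignoreGhsas) {
  const next = JSON.parse(JSON.stringify(packageJson));
  next.pnpm = next.pnpm || {};
  next.pnpm.auditConfig = next.pnpm.auditConfig || {};
  const before = Array.isArray(next.pnpm.auditConfig.ignoreGhsas)
    ? next.pnpm.auditConfig.ignoreGhsas
    : [];
  const removed = before.filter((id) => !ignoreGhsas.includes(id));
  if (ignoreGhsas.length === 0) {
    delete next.pnpm.auditConfig.ignoreGhsas;
  } else {
    next.pnpm.auditConfig.ignoreGhsas = [...ignoreGhsas];
  }
  return { packageJson: next, removed };
}

// Constructed sample input: the ids only match the GHSA format, they are not real advisories.
const sampleAuditResolve = {
  "GHSA-2222-3333-4444": { decision: "ignore", expires: "2099-01-01T00:00:00Z", reason: "no patched release yet" },
  "GHSA-5555-6666-7777": { decision: "ignore", expires: "2020-01-01T00:00:00Z", reason: "temporary, re-evaluate" },
};
const samplePackageJson = {
  name: "example-app",
  pnpm: { auditConfig: { ignoreGhsas: ["GHSA-5555-6666-7777", "GHSA-8888-9999-cccc"] } },
};

// Runs both steps against the sample with a fixed clock so the result is reproducible.
function runSample(now = new Date("2025-09-29T00:00:00Z")) {
  const { ignoreGhsas, expired } = resolveIgnores(sampleAuditResolve, now);
  const { packageJson, removed } = syncPackageJson(samplePackageJson, ignoreGhsas);
  return { ignoreGhsas, expired, removed, packageJson };
}

console.log(JSON.stringify(runSample(), null, 2));
```

With the fixed clock, the first rule stays in `ignoreGhsas`, the second is reported as expired, and the stale entry that only existed in package.json is removed rather than kept; in a CI job the `expired` and `removed` lists are what you would print so the person who added the exception sees it being retired.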