Integration with npm audit or similar #10
Comments
Just so you know: update all or single update bumps the package to the latest version specified by the range. This was changed in the latest version. I still need to figure out the interface for update with range ignore. Do you know any open API which allows to scan package.json like npm audit does?

Ok, you can call npm audit via API https://dzone.com/articles/how-to-use-npm-rest-api-to-get-audit-npm-audit-res I just need to verify that.
It's working! I just have no idea yet how to present this in the UI. Here's a sample response:

```json
{
  "actions": [
    {
      "isMajor": true,
      "action": "install",
      "resolves": [
        {
          "id": 1076,
          "path": "marked",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "marked",
      "target": "3.0.4"
    }
  ],
  "advisories": {
    "1076": {
      "findings": [
        {
          "version": "0.6.3",
          "paths": [
            "marked"
          ]
        }
      ],
      "found_by": {
        "link": "",
        "name": "Bart Grantham"
      },
      "module_name": "marked",
      "reported_by": {
        "link": "",
        "name": "Bart Grantham"
      },
      "cves": [],
      "references": "[GitHub Advisory](https://github.com/advisories/GHSA-ch52-vgq2-943f)\n",
      "updated": "2021-09-23T08:01:54.751Z",
      "id": 1076,
      "deleted": null,
      "severity": "low",
      "created": "2019-07-17T20:26:14.214Z",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "vulnerable_versions": ">=0.4.0 <0.7.0",
      "overview": "Affected versions of `marked` are vulnerable to Regular Expression Denial of Service (ReDoS). The `_label` subrule may significantly degrade parsing performance of malformed input.",
      "cwe": "CWE-400",
      "patched_versions": ">=0.7.0",
      "title": "Regular Expression Denial of Service",
      "recommendation": "Upgrade to version 0.7.0 or later.",
      "access": "public",
      "url": "https://npmjs.com/advisories/1076"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 0,
      "high": 0,
      "critical": 0
    },
    "dependencies": 1,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 1
  }
}
```
Hm... Maybe you could display this as a table with actions? I saw you have this database thing which displays some tables with columns. Seems like a nice component to use here 🙂 Columns:

I assume each I think actions could be similar to those for updates. You could maybe add global actions to: fix all, fix moderate and high, fix high.
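As an added example (not code from the iridium project or from anyone in this thread): one way to turn an npm audit report of the shape posted above into table rows, and to filter those rows for the "fix moderate and high" / "fix high" style actions suggested here. The sample report is constructed from the posted response; `auditToRows`, `filterBySeverity` and `severityCounts` are hypothetical names.

```javascript
// Rank order used for "at least this severity" filtering (npm audit's five levels).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample, trimmed from the audit response posted in this issue.
const sampleReport = {
  actions: [
    { isMajor: true, action: "install", module: "marked", target: "3.0.4",
      resolves: [{ id: 1076, path: "marked", dev: false, optional: false, bundled: false }] },
  ],
  advisories: {
    1076: { id: 1076, module_name: "marked", severity: "low",
            vulnerable_versions: ">=0.4.0 <0.7.0", patched_versions: ">=0.7.0",
            title: "Regular Expression Denial of Service", cwe: "CWE-400",
            findings: [{ version: "0.6.3", paths: ["marked"] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 0 } },
};

// One table row per (action, resolved advisory) pair: what to do, to which module, and why.
function auditToRows(report) {
  const rows = [];
  for (const action of report.actions || []) {
    for (const { id, path, dev } of action.resolves || []) {
      const adv = report.advisories[id];
      if (!adv) continue; // advisory id with no entry: skip instead of breaking the table
      rows.push({
        id, module: action.module, severity: adv.severity, title: adv.title,
        installed: adv.findings.map((f) => f.version).join(", "),
        vulnerable: adv.vulnerable_versions, patched: adv.patched_versions,
        action: action.action, target: action.target,
        isMajor: Boolean(action.isMajor), dev: Boolean(dev), path,
      });
    }
  }
  // Most severe first, so the table leads with what should be fixed soonest.
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Rows at or above a minimum severity, e.g. "moderate" for a "fix moderate and high" button.
function filterBySeverity(rows, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  if (min === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return rows.filter((r) => SEVERITY_RANK[r.severity] >= min);
}

// Per-severity counts derived from the rows; comparable with metadata.vulnerabilities.
function severityCounts(rows) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const r of rows) counts[r.severity] += 1;
  return counts;
}
```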
Would be nice if iridium would be able to do `npm audit` (or something like that) to figure out which versions must be updated. As I understand, update-all updates everything to the latest versions. This is fine when you have time, but audit only points to things you really should update soon.