@codejedi365/gitlab-npm-audit-parser
NPM Audit parser for GitLab dependency scanning
```text
Usage: gitlab-npm-audit-parser [options]

Input: Stdin via pipe
  npm audit --json | gitlab-npm-audit-parser ...
  cat <file> | gitlab-npm-audit-parser ...

Options:
  -V, --version     output the version number
  -o, --out <path>  output filename, defaults to gl-dependency-scanning-report.json
  -h, --help        output usage information
```
This tool translates the output of an `npm audit --json` report into the GitLab.com standardized JSON schema used to ingest dependency scanning reports for a project.

GitLab requires a common schema to ingest scanning reports from many different dependency auditing tools across different languages. In the JavaScript/TypeScript ecosystem, most of us use `npm audit` to verify project dependencies, but its JSON report is not ingestable by GitLab.com. This package acts as middleware that translates an `npm audit --json` report into the standard dependency audit schema so it can be uploaded and ingested as a `dependency_scanning` artifact. Ingested artifacts can then be used as data sources to generate interactive content embedded in a pipeline results view or Merge Request (MR) webpage.
Why this library? Because it's fast! We used Webpack to generate a self-contained bundle, which means we have 0 dependencies to download for production. With NPX you can use this library directly from the cloud with minimal delay at a 15.7KB package size. We use GitLab's published schema repository directly to help construct the output code. For developers, we also employ linting & automated testing on the codebase to improve the development experience.
| INGEST | SUPPORTED? | OUTPUT |
|---|---|---|
| npm-audit-report@^1.0.0 | yes | JSON file (dependency-scanning-report-format@v14.0.3) |
| npm-audit-report@^2.0.0 | yes | JSON file (dependency-scanning-report-format@v14.0.3) |
GitLab.org publishes their security report format to their own Package Repository which is attached to their schema generation repository: gitlab-org/security-report-schemas. This project targets the currently released report-format for Dependency Scanning.
Install this package into your `devDependencies`, or use `npx` directly to download the package at runtime. If you opt to download at run time, make sure to include the correct scope name for the package, since there are multiple versions of this package on npmjs.com.

I recommend the runtime option, since this package is only needed in a GitLab-specific pipeline and does not need to be installed locally for developer use.
```sh
# 1. Downloads at runtime use
npm audit --json | npx @codejedi365/gitlab-npm-audit-parser -o gl-dependency-scanning.json

# 2. Install in devDependencies
npm install --save-dev @codejedi365/gitlab-npm-audit-parser
```
Add the following job to `.gitlab-ci.yml`. If you used option #2 and the package is in your `devDependencies`, you may remove the `@<scope>` prefix from the following.
```yaml
dependency scanning:
  image: node:10-alpine
  script:
    - npm ci
    - npm audit --json | npx @codejedi365/gitlab-npm-audit-parser -o gl-dependency-scanning.json
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning.json
```
NOTE: If you use an npm run-script to call `npm audit` in order to set project parameters, this library ignores any stdout data printed before the first open bracket of the JSON output, so `npm run --silent` is no longer required.
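To make the translation described above concrete (npm audit JSON in, GitLab dependency_scanning JSON out, including the "skip everything before the first open bracket" behaviour from the note), here is an added example written for this page; it is not the package's own source. The GitLab schema field names used are my assumption of the report format, and the sample report and advisory number are constructed.

```javascript
// Added example (not the package's own code): translate an npm audit v2 JSON
// report into a minimal GitLab dependency_scanning report. Schema field names are
// my assumption of the GitLab security-report-schema, not taken from the package.

// npm audit says "moderate"; GitLab's schema says "Medium".
const SEVERITY = { info: "Info", low: "Low", moderate: "Medium", high: "High", critical: "Critical" };

// Skip anything an npm run-script prints before the JSON starts (the README note).
function extractJson(stdout) {
  const start = stdout.indexOf("{");
  if (start < 0) throw new Error("no JSON object found on stdin");
  return JSON.parse(stdout.slice(start));
}

function toGitLabReport(audit) {
  if (audit.auditReportVersion !== 2) throw new Error("expected an npm audit v2 report");
  const vulnerabilities = [];
  for (const [pkg, entry] of Object.entries(audit.vulnerabilities)) {
    for (const via of entry.via) {
      if (typeof via !== "object") continue; // strings are transitive references, not advisories
      vulnerabilities.push({
        id: `${pkg}:${via.source}`,
        category: "dependency_scanning",
        name: via.title,
        message: `${via.title} in ${pkg}`,
        severity: SEVERITY[via.severity] || "Unknown",
        solution: entry.fixAvailable ? "Update to a fixed version" : "No fix available",
        scanner: { id: "npm_audit", name: "npm audit" },
        location: { file: "package-lock.json", dependency: { package: { name: pkg }, version: entry.range } },
        identifiers: [{ type: "npm_advisory", name: `npm advisory ${via.source}`, value: String(via.source), url: via.url }],
      });
    }
  }
  return { version: "14.0.3", vulnerabilities, dependency_files: [] };
}

// Constructed sample stdin: run-script banner lines followed by a v2 report (values invented).
const SAMPLE = ["> my-project@1.0.0 audit", "> npm audit --json", JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: { trim: { name: "trim", severity: "high", range: "<0.0.3", fixAvailable: false,
    via: [{ source: 1700, name: "trim", title: "Regular Expression Denial of Service",
      url: "https://example.invalid/advisories/1700", severity: "high", range: "<0.0.3" }] } },
  metadata: {},
})].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  // With a file path argument, translate that file; otherwise run the built-in sample.
  const input = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE;
  process.stdout.write(JSON.stringify(toGitLabReport(extractJson(input)), null, 2) + "\n");
}
```

Run `node translate.js audit-output.txt > gl-dependency-scanning.json` on a captured `npm run audit --json` output to see the banner lines skipped and the severity remapped.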
| Vulnerability | PKG | Category | In Production Pkg? | Notes |
|---|---|---|---|---|
| RegExp DoS | trim@<0.0.3 | High | No (DevDependency/Linter) | waiting for remark-parse@^9.x.x release, owner will not patch v8.0.3 |
- `nvm` for node version management (see `.nvmrc` for the version requirement)
- `nvm install-latest-npm`
- `npm@^7.0.0`
```sh
# Production build (CLI bundle) & Executes all test cases
npm run test:prod

# Verifies build process once, then runs tests against local files
npm test
npm run test:dev # enable test watch mode

# Monitor build process & interactive lint
npm run build-watch
```
| # | INGEST FILE | | OUTPUT FILE |
|---|---|---|---|
| 1. | ./test/v1_report.json | => | ./test/snapshots/GL-report.1.json |
| 2. | ./test/v2_report.json | => | ./test/snapshots/GL-report.2.json |
- Add `-i|--in|--input <file>` option for handling file input
- Add support for input redirector `<(cat file.txt)`.
- Add testing, dependency, & closer integration with the `npm-audit-report` library
- Configure a bot to monitor changes/updates to schema & audit reporter repository
- COMING SOON! gitlab-depscan-merger: a solution to create 1 ingestable dependency_scanning report from multiple audit reports, overcoming the GitLab pipeline limitation.
Check out my other projects at @codejedi365 on GitHub.com
The npm package @codejedi365/gitlab-npm-audit-parser receives a total of 246 weekly downloads. As such, @codejedi365/gitlab-npm-audit-parser popularity was classified as not popular.
We found that @codejedi365/gitlab-npm-audit-parser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.