audit-app - npm Package Compare versions

Comparing version 0.6.0 to 0.7.0

lib/determineVulnerablePackages.d.ts

19

CHANGELOG.md

@@ -1,3 +0,20 @@

# [Unreleased](https://github.com/G-Rath/audit-app/compare/v0.6.0...HEAD) (YYYY-MM-DD)
# [Unreleased](https://github.com/G-Rath/audit-app/compare/v0.7.0...HEAD) (YYYY-MM-DD)
# [0.7.0](https://github.com/G-Rath/audit-app/compare/v0.6.0...v0.7.0) (2021-07-23)
This version greatly improves NPM 7 support, including restoring dependency
paths used for ignoring vulnerabilities to their full selves as they are with
`yarn` and NPM 6.
This also means workspaces (which are new in NPM 7) and `file:` dependencies are
supported properly - there are a few quirks, but these exist in NPM as well and
are a nature of using local file dependencies so cannot be easily avoided.
All vulnerabilities should be reported, but nested `file:` dependencies may be
listed both as nested & again as top-level dependencies.
### Features
- improve npm v7 support by walking the dependency tree ([b7694d8e][])
# [0.6.0](https://github.com/G-Rath/audit-app/compare/v0.5.3...v0.6.0) (2021-07-16)
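
Review bot: the sentence "nested `file:` dependencies may be listed both as nested & again as top-level dependencies" should spell out the consequence for ignore entries: an advisory ignored under one of the two paths is still reported under the other, so both paths have to be ignored; that is the safe direction (double reporting, never a silent miss), and the changelog should say so. Also, `[b7694d8e][]` is a reference-style link whose definition is not in this hunk, and the following hunk (`@@ -4,0 +21,0 @@`) is empty, so confirm the definition exists elsewhere in the file or the link will render as literal text.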

@@ -4,0 +21,0 @@

@@ -9,3 +9,4 @@ import { Finding, Statistics } from './types';

}
export declare const toMapOfFindings: (findings: Finding[]) => Record<string, Finding>;
export declare const audit: (dir: string, packageManager: SupportedPackageManager) => Promise<AuditResults>;
export {};
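
Review bot: `toMapOfFindings` becomes part of the public typings here without a doc comment, and `Record<string, Finding>` does not say what the key is; add a JSDoc line naming the key (the finding id, assuming that is what the map is keyed on) and stating whether two findings with the same key are merged or the later one wins, since the ignore logic depends on that behaviour.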

44

lib/audit.js

@@ -6,5 +6,6 @@ "use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.audit = exports.SupportedPackageManagers = void 0;
exports.audit = exports.toMapOfFindings = exports.SupportedPackageManagers = void 0;
const child_process_1 = require("child_process");
const readline_transform_1 = __importDefault(require("readline-transform"));
const processNpm7AuditOutput_1 = require("./processNpm7AuditOutput");
exports.SupportedPackageManagers = ['npm', 'pnpm', 'yarn'];
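
Review bot: `toMapOfFindings` is newly exported from this module in the same change that requires `./processNpm7AuditOutput`; if that module requires `./audit` back to reach `toMapOfFindings`, the two files form a CommonJS cycle, which is only safe if the new module reads the property at call time rather than destructuring it at load time, when it would still be `void 0` from `exports.audit = exports.toMapOfFindings = exports.SupportedPackageManagers = void 0;`. Worth a one-line check of the import in the new module.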

@@ -16,18 +17,2 @@ const extractDependencyStatistics = (metadata) => {

};
const extractDependencyStatisticsFromNpm7 = (metadata) => ({
dependencies: metadata.dependencies.prod,
devDependencies: metadata.dependencies.dev,
optionalDependencies: metadata.dependencies.optional,
totalDependencies: metadata.dependencies.total
});
const npm7AdvisoryToFinding = (advisory) => ({
id: advisory.source,
name: advisory.name,
paths: [advisory.dependency],
versions: [],
range: advisory.range,
severity: advisory.severity,
title: advisory.title,
url: advisory.url
});
const npm6AdvisoryToFinding = (advisory) => ({
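
Review bot: `extractDependencyStatisticsFromNpm7` and `npm7AdvisoryToFinding` are deleted here with no replacement visible in this file, so the npm 7 `AuditResults` shape now depends entirely on `processNpm7AuditOutput`; confirm it still returns `dependencyStatistics` with the same four fields (`dependencies`, `devDependencies`, `optionalDependencies`, `totalDependencies`) and findings with the same `id`/`name`/`paths`/`versions`/`range`/`severity`/`title`/`url` keys, ideally with a test that runs one fixture through both the old and new code paths, so consumers of the output are not broken by the refactor.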

@@ -62,16 +47,4 @@ id: advisory.id,

};
/**
* Finds all the advisories that are included with the given record of
* `vulnerabilities` provided by the audit output of `npm` v7.
*
* @param {Record<string, Npm7Vulnerability>} vulnerabilities
*
* @return {Array<Npm7Advisory>}
*/
const findAdvisories = (vulnerabilities) => {
return Object.values(vulnerabilities)
.reduce((all, { via }) => all.concat(via), [])
.filter((via) => typeof via === 'object');
};
const collectNpmAuditResults = async (stdout) => {
exports.toMapOfFindings = toMapOfFindings;
const collectNpmAuditResults = async (stdout, dir) => {
let json = '';
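
Review bot: the deleted `findAdvisories` filtered `via` entries with `typeof via === 'object'`, dropping the string form npm 7 uses when a package is vulnerable only through another vulnerable package; make sure `processNpm7AuditOutput` keeps that filter (or handles strings explicitly), otherwise a bare package name would be treated as an advisory and yield a finding with `id` and `name` undefined. The other change here, `collectNpmAuditResults` gaining a `dir` parameter, should also be reflected in the collector's type in the corresponding declaration file.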

@@ -92,9 +65,6 @@ for await (const line of stdout) {

if ('auditReportVersion' in auditOutput) {
return {
findings: toMapOfFindings(findAdvisories(auditOutput.vulnerabilities).map(via => npm7AdvisoryToFinding(via))),
dependencyStatistics: extractDependencyStatisticsFromNpm7(auditOutput.metadata)
};
return processNpm7AuditOutput_1.processNpm7AuditOutput(auditOutput, dir);
}
return {
findings: toMapOfFindings(Object.values(auditOutput.advisories).map(npm6AdvisoryToFinding)),
findings: exports.toMapOfFindings(Object.values(auditOutput.advisories).map(npm6AdvisoryToFinding)),
dependencyStatistics: extractDependencyStatistics(auditOutput.metadata)
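
Review bot: the npm 7 branch now returns `processNpm7AuditOutput_1.processNpm7AuditOutput(auditOutput, dir)` directly from an `async` function, so any rejection from the dependency-tree walk it performs (per the CHANGELOG hunk) propagates as a rejection of `collectNpmAuditResults`; check that the caller of `audit` fails loudly in that case rather than reporting zero findings, because a tree-walk failure that degraded into an empty result would hide real advisories. Using `'auditReportVersion' in auditOutput` to dispatch between the npm 7 and npm 6 formats is fine.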

@@ -113,4 +83,4 @@ };

], { cwd: dir });
return resultsCollector(stdout.pipe(new readline_transform_1.default({ skipEmpty: true })));
return resultsCollector(stdout.pipe(new readline_transform_1.default({ skipEmpty: true })), dir);
};
exports.audit = audit;
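
Review bot: `resultsCollector(..., dir)` now passes a second argument to whichever collector was chosen for the package manager, but only `collectNpmAuditResults` is shown accepting it; verify that the `pnpm` and `yarn` collectors (the file exports `SupportedPackageManagers = ['npm', 'pnpm', 'yarn']`) tolerate the extra argument, and widen the collector type in the declaration file to take `dir` so TypeScript checks the call rather than relying on JavaScript ignoring surplus arguments.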

@@ -132,2 +132,20 @@ export declare type Severity = 'info' | 'low' | 'moderate' | 'high' | 'critical';

}
export interface PackageJson {
name?: string;
version?: string;
dependencies?: Record<string, string>;
devDependencies?: Record<string, string>;
peerDependencies?: Record<string, string>;
optionalDependencies?: Record<string, string>;
workspaces?: string[];
}
export interface NpmLockDependency {
version: string;
requires?: Record<string, string>;
dependencies?: Record<string, NpmLockDependency>;
}
export interface NpmPackageLock {
version: string;
dependencies: Record<string, NpmLockDependency>;
}
export {};
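
Review bot: `NpmPackageLock` models only `version` and `dependencies`, but npm 7 writes lockfile version 2, which adds a top-level `lockfileVersion` and a `packages` map keyed by path (where workspaces and `file:` links are actually recorded) and keeps `dependencies` only for backwards compatibility; if the tree walk relies on `dependencies`, declare `lockfileVersion` so the code can detect a lockfile that drops the legacy section, and consider making `dependencies` optional here as `NpmLockDependency.dependencies` already is, since a lock for a package without dependencies omits the section.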
{
"name": "audit-app",
"version": "0.6.0",
"version": "0.7.0",
"description": "A cli tool for auditing apps & packages using their respective package managers.",

@@ -50,2 +50,3 @@ "keywords": [

"readline-transform": "^1.0.0",
"semver": "^7.0.0",
"strip-ansi": "^6.0.0",
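
Review bot: `"semver": "^7.0.0"` is a new runtime dependency, yet the CHANGELOG hunk for 0.7.0 does not mention it; for a tool whose job is auditing other projects' dependency trees, list new runtime dependencies in the changelog so users can review the added install footprint, and make sure the lockfile is updated in the same change.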

@@ -56,30 +57,31 @@ "wrap-ansi": "^7.0.0",

"devDependencies": {
"@jest/types": "^27.0.2",
"@types/eslint": "^7.2.13",
"@types/jest": "^26.0.23",
"@types/node": "^14.17.3",
"@types/readline-transform": "^1.0.0",
"@jest/types": "^27.0.6",
"@types/eslint": "^7.28.0",
"@types/jest": "^26.0.24",
"@types/node": "^14.17.5",
"@types/readline-transform": "^1.0.1",
"@types/semver": "^7.3.7",
"@types/wrap-ansi": "^3.0.0",
"@types/yargs": "^16.0.3",
"@typescript-eslint/eslint-plugin": "^4.26.1",
"@typescript-eslint/parser": "^4.26.1",
"ajv": "^7.1.0",
"eslint": "^7.28.0",
"@types/yargs": "^16.0.4",
"@typescript-eslint/eslint-plugin": "^4.28.4",
"@typescript-eslint/parser": "^4.28.4",
"ajv": "^8.6.2",
"eslint": "^7.31.0",
"eslint-config-ackama": "^2.1.2",
"eslint-plugin-eslint-comments": "^3.2.0",
"eslint-plugin-import": "^2.23.4",
"eslint-plugin-jest": "^24.3.6",
"eslint-plugin-jest": "^24.4.0",
"eslint-plugin-jest-formatting": "^3.0.0",
"eslint-plugin-node": "^11.1.0",
"eslint-plugin-prettier": "^3.4.0",
"jest": "^27.0.4",
"jest": "^27.0.6",
"memfs": "^3.2.0",
"prettier": "^2.3.1",
"prettier": "^2.3.2",
"prettier-config-ackama": "^0.1.2",
"ts-jest": "^27.0.3",
"ts-jest": "^27.0.4",
"ts-node": "^9.1.1",
"ttypescript": "^1.5.12",
"typescript": "^4.3.2",
"typescript": "^4.3.5",
"unionfs": "^4.4.0"
}
}
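
Review bot: `"ajv": "^7.1.0"` to `"^8.6.2"` is a major-version bump buried among patch-level devDependency updates; Ajv 8 turns strict mode on by default and is stricter about unknown keywords and about schema properties without a `type`, so this one should be called out (or split into its own change) together with confirmation that the test suite's schema validation still passes.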

@@ -8,15 +8,21 @@ # audit-app

# NPM 7 Support
# NPM 7 workspaces
There is initial support for `npm@7`, but it has meant the audit report output
has been changed significantly due to the difference in information provided in
the new version.
Workspaces (which are new in `npm@7`) should be supported at about the same
level as `npm audit` itself supports them; standard dependencies should be just
fine, but there may be edge-cases with `file:` dependencies due to limitations
in resolving the dependency tree for these types of dependencies which affect
`npm` itself.
In particular, it's now no longer possible to calculate the full dependency path
to a vulnerability without making additional calls to `npm`. As such, currently
the paths used for ignoring vulnerabilities with `npm@7` are made up solely of
the advisory number followed by the name of the package the advisory is for.
For `audit-app`, these edge-cases _should_ primarily manifest as some
vulnerabilities technically being reported twice, which shouldn't prevent using
`audit-app`.
This may be improved in the future.
If you have any other issues with workspaces, please let us know!
Also note that if you have a `file:` dependency that has the same name as a
published `npm` package (e.g. `debug`), `npm` will assume it is that published
package and so mark it affected by any advisories that may exist for the
dependencies version.
# Getting Started
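
Review bot: the removed section stated that with `npm@7` an ignore path was made up "solely of the advisory number followed by the name of the package", and the CHANGELOG says 0.7.0 restores full paths; the new README text never tells users that ignore entries written in the old short form will stop matching, so add a short migration note (advisories they had suppressed will reappear until the entries are updated, which is the safe failure mode). The `file:` name-collision paragraph is useful; consider adding that this produces false positives only, never missed advisories.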

@@ -23,0 +29,0 @@
