Only show critical errors of NPM audit on Azure Pipeline build - npm

I am using NPM audit on my Azure Pipeline build using the following custom command
npm audit --registry=https://registry.npmjs.org/ | Select-String -Pattern ( "Critical") -Context 0,10
The idea here is that I only want to fail this step if there are any critical issues picked up by the audit.
Using this command locally within the command line works fine. But running it as a custom npm command in the pipeline still results in the full npm audit running and returning some moderate errors which cause the step to fail.
I feel I'm missing some formatting on the command but I'm not sure what it is.
Does anyone else have experience of using NPM audit in a pipeline while successfully suppressing certain error severities?

The reason the task is failing is not because of what the task is logging, but because npm audit is exiting with a non-zero code, which means a failure.
I suggest that instead, you add the --audit-level parameter to the npm audit command, to change whether it will finish with failure code or not:
By default, the audit command will exit with a non-zero code if any vulnerability is found. It may be useful in CI environments to include the --audit-level parameter to specify the minimum vulnerability level that will cause the command to fail. This option does not filter the report output, it simply changes the command's failure threshold.
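The threshold behaviour described in this answer can also be reproduced from a saved `npm audit --json` report, which lets the build log show only the blocking counts. The script below is an added example, not code from the original posts or from npm; the `auditGate` function, the `audit-gate.js` file name and the sample report are assumptions made for illustration.

```javascript
// Added example, not from the original posts. Gates a build on the severity
// counts that `npm audit --json` reports under metadata.vulnerabilities.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Return the counts at or above `threshold` and whether the build should fail.
function auditGate(report, threshold) {
  const start = SEVERITIES.indexOf(threshold);
  if (start === -1) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts || typeof counts !== 'object') {
    // Fail closed: output without the counts (for example an error object
    // instead of a report) must not be treated as a clean audit.
    throw new Error('report has no metadata.vulnerabilities section');
  }
  const blocking = {};
  let total = 0;
  for (const level of SEVERITIES.slice(start)) {
    const n = Number(counts[level] || 0);
    if (n > 0) {
      blocking[level] = n;
      total += n;
    }
  }
  return { fail: total > 0, total, blocking };
}

// Constructed sample: only the part of the report that the gate reads.
const SAMPLE_REPORT = {
  metadata: { vulnerabilities: { info: 0, low: 3, moderate: 2, high: 1, critical: 0 } },
};

// Hypothetical usage: node audit-gate.js audit.json critical
if (process.argv[2]) {
  const fs = require('fs');
  const report = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  const result = auditGate(report, process.argv[3] || 'critical');
  console.log(JSON.stringify(result));
  process.exitCode = result.fail ? 1 : 0;
} else {
  // No file given: run the gate on the constructed sample at two thresholds.
  console.log('critical:', JSON.stringify(auditGate(SAMPLE_REPORT, 'critical')));
  console.log('high:', JSON.stringify(auditGate(SAMPLE_REPORT, 'high')));
}
```

With the sample counts, a `critical` threshold passes while a `high` threshold fails on the single high-severity finding.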

Related

TeamCity npm update command not run every other time

Having a weird issue in TeamCity npm steps where we update our internal npm packages. When the build is run it does not run the npm update command even though the log says it executes the command. But running the exact same build again triggers the command correctly (image 2).
Tried having the update command together with the following npm install and build commands in a single step and also as in the example images having them in separate steps but all scenarios give the same result; the update commands don't run every other time but all other npm commands run correctly, and triggering the build again makes the update commands execute. Why?!?!

Azure DevOps builds failing all of a sudden and issue looks to be auto-updated NPM version

The build is failing with:
"Error: Npm failed with return code: 9009"
When we looked at it, here's what we noticed:
Till date (where there were no issues), build used to run on npm 6.9.0 and node v10.16.3
Since the build started failing, we noticed the versions got auto-upgraded to npm/6.12.0 node/v12.13.0.
Please advise how to revert back to older versions, or do we need to see this issue in a different dimension?
You can use the Node.js tool installer task to specify the version you want. Then set the Version Spec as below.
You will get the node/v10.16.3 and npm/6.9.0.
You should add this task before the npm task. If not, the default version of node.js and npm would be below.
If your project can build successfully in local, you can use self-hosted agent to build.
Hope this helps.

Not modify package.json when doing npm audit fix

I've updated my npm version, and I think npm audit is a new feature. When I run npm audit fix some of my package versions are changed in package.json. I just want to keep the packages the same as my coworkers'.
To answer the original question, if you really want to skip auditing completely when installing (for whatever reason, in my case I wanted to troubleshoot an exception when installing) you can use --no-audit flag:
npm install --no-audit
npm audit fix is not a must to get your app up and running. I use this command when I want to make sure that there is no potential security vulnerability so that GitHub won't have any objection against my project. In case you still want to use audit fix without changing the rest of the files, try these commands
Run audit fix without modifying node_modules, but still updating the pkglock:
$ npm audit fix --package-lock-only
Skip updating devDependencies:
$ npm audit fix --only=prod
Do a dry run to get an idea of what audit fix will do, and also output install information in JSON format:
$ npm audit fix --dry-run --json
Check out this link for your future reference:
https://docs.npmjs.com/cli/audit

Couldn't find a debug log in the cache or working directory

I want to create a VSTS build with npm package auditing capabilities using npm audit. I added a few tasks to run npm audit. The command runs and I can see the details in the console/logs for all the packages. However, the task fails complaining about not finding a logs file. Any idea on how I can get the builds to stop working if I find a high vulnerability package?
EDIT
This is the final line in the result when I run npm audit locally
Notice how it displays vulnerabilities in categories. I want the build to not proceed if there is a non-zero value for High vulnerability.
I got the same error, but then realized that I was using an incorrect custom command for the npm task:
it was "npm install gulp -g", but should be "install gulp -g" (without npm).
For me it helps.
There isn’t a way to stop/fail the build directly if there is a non-zero value for High vulnerability.
The workaround is that you can do it through PowerShell with the Build log REST API to analyze whether there is related information in the log, then fail the build (Write-error …) (Run the PowerShell script through the PowerShell task)

Fail TeamCity build when angular-cli reports errors

I'm trying to configure team city to run angular 5 application build.
I have powershell step with this script (it's in the build step definition not separate file). npm run build runs ng build
npm install
npm run build
For some reason even if ng build fails team city build won't fail. Status code from npm run is not propagated back to powershell.
See below screen:
TeamCity Fails the build if got a status code != 0 or when got stderr.
You should add Failure Conditions for verifying that the log has an error.
Edit Configuration Settings -> Failure Conditions -> Add failure condition
Select Fail build on specific text in build log
Select options Contains and exact text. Set "npm ERR"
in Failure message write "Error was found in build log"
save
Now your build will be FAILED if build log contains this text.
Also, check an error message is logged by build runner