@ckeditor/ckeditor5-dev-ci 54.6.1 → 54.7.0
- package/README.md +8 -5
- package/bin/trigger-snyk-scan.js +15 -5
- package/lib/run-snyk-command.js +7 -2
- package/package.json +1 -1
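--- a/package/README.md
+++ b/package/README.md
@@ -132,22 +132,25 @@ These commands accept a mix of environment variables and command line arguments.
 - ⚙️ **`ckeditor5-dev-ci-trigger-snyk-scan`**
 
 Publishes Snyk code and dependency snapshots for the current branch.
-It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test
+It configures the Snyk CLI to use the EU endpoint and the provided organization, then runs `snyk code test` and `snyk monitor` commands.
 
 **Environment variables:**
 - `SNYK_TOKEN` — Snyk token used for authentication.
+- `DEBUG` — *(Optional)* When set, appends `-d` to `snyk code test` and `snyk monitor` for verbose output, and removes `--silent` from the `pnpm` invocation.
 
 **CircleCI-provided variables:**
 - `CIRCLE_BRANCH` — Git branch used as Snyk's `target-reference`.
 
 **Parameters:**
-- `--
+- `--depth` — *(Optional)* Detection depth passed to `snyk monitor` as `--detection-depth`. Defaults to `2`.
+- `--exclude` — *(Optional, repeatable)* Additional directory or file name to exclude from Snyk's dependency snapshot. Use multiple times, for example `--exclude=build --exclude=dist`. The provided values are **merged** with the built-in defaults (`external`, `tests`, `node_modules`, `release`, `scripts`).
 - `--organization` — Snyk organization ID or slug.
 
 **Behavior:**
--
--
--
+- Always excludes `external`, `tests`, `node_modules`, `release` and `scripts` from dependency snapshot detection. Any paths provided via `--exclude` are merged with these defaults (duplicates are ignored).
+- Passes `--detection-depth` (default: `2`) to `snyk monitor` to limit how deep Snyk scans for manifest files, which avoids performance issues caused by deeply nested `node_modules` trees.
+- Accepts exit code `1` from `snyk code test`, so code snapshots are still published when vulnerabilities are found.
+- Requires exit code `0` from `snyk monitor`, because any other code means the dependency snapshot was not created.
 
 ## Changelog
 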
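--- a/package/bin/trigger-snyk-scan.js
+++ b/package/bin/trigger-snyk-scan.js
@@ -9,14 +9,19 @@ import { parseArgs } from 'node:util';
 import runSnykCommand from '../lib/run-snyk-command.js';
 
 const SNYK_ENDPOINT = 'https://api.eu.snyk.io';
+const DEFAULT_EXCLUDE = [ 'node_modules', 'external', 'release', 'scripts', 'tests' ];
 
 try {
-const { CIRCLE_BRANCH, SNYK_TOKEN } = process.env;
+const { CIRCLE_BRANCH, SNYK_TOKEN, DEBUG } = process.env;
 
 const { values } = parseArgs( {
 options: {
+depth: {
+default: '2',
+type: 'string'
+},
 exclude: {
-default: [
+default: [],
 multiple: true,
 type: 'string'
 },
@@ -39,6 +44,8 @@ try {
 throw new Error( 'Missing environment variable: CIRCLE_BRANCH' );
 }
 
+const exclude = [ ...new Set( [ ...DEFAULT_EXCLUDE, ...values.exclude ] ) ];
+
 await runSnykCommand( [ 'config', 'set', `endpoint=${ SNYK_ENDPOINT }` ] );
 await runSnykCommand( [ 'config', 'set', `org=${ values.organization }` ] );
 
@@ -48,7 +55,8 @@ try {
 'test',
 '--report',
 '--project-name=Code analysis',
-`--target-reference=${ CIRCLE_BRANCH }
+`--target-reference=${ CIRCLE_BRANCH }`,
+...( DEBUG ? [ '-d' ] : [] )
 ],
 
 /**
@@ -62,8 +70,10 @@ try {
 [
 'monitor',
 '--all-projects',
-`--exclude=${
-`--
+`--exclude=${ exclude.join( ',' ) }`,
+`--detection-depth=${ values.depth }`,
+`--target-reference=${ CIRCLE_BRANCH }`,
+...( DEBUG ? [ '-d' ] : [] )
 ],
 
 /**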
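Review bot: `--detection-depth=${ values.depth }` (new line 74 in the last hunk) forwards the `--depth` option verbatim, and the `depth` option added in the first hunk (`default: '2'`, `type: 'string'`) is never validated, so `--depth=0` or `--depth=abc` is only caught, if at all, by the Snyk CLI with a less specific message. A guard next to the existing `CIRCLE_BRANCH` check would fail fast: ``if ( !/^[1-9]\d*$/.test( values.depth ) ) { throw new Error( `Invalid --depth value: ${ values.depth }` ); }``. The surrounding `try` block opens in the first hunk and closes outside this section. Separately, the `-d` switch is keyed on the generic `DEBUG` variable, which the `debug` npm package and other tools also honour, so a CI job that sets `DEBUG` for some other purpose will also get verbose Snyk output in its logs; a dedicated name such as `SNYK_DEBUG` would avoid that, although the README in this release already documents `DEBUG`.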
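--- a/package/lib/run-snyk-command.js
+++ b/package/lib/run-snyk-command.js
@@ -3,6 +3,7 @@
 * For licensing, see LICENSE.md.
 */
 
+import path from 'node:path';
 import { spawn } from 'node:child_process';
 
 /**
@@ -14,10 +15,14 @@ import { spawn } from 'node:child_process';
 * @returns {Promise<void>}
 */
 export default function runSnykCommand( snykArguments, allowedExitCodes = [ 0 ] ) {
+const snykExecutablePath = path.resolve( import.meta.dirname, '..', 'node_modules', '.bin', 'snyk' );
+const pnpmFlags = process.env.DEBUG ? [] : [ '--silent' ];
+
 return new Promise( ( resolve, reject ) => {
-const childProcess = spawn( 'pnpm', [
+const childProcess = spawn( 'pnpm', [ ...pnpmFlags, 'exec', snykExecutablePath, ...snykArguments ], {
 cwd: process.cwd(),
-stdio: 'inherit'
+stdio: 'inherit',
+shell: process.platform === 'win32'
 } );
 
 childProcess.on( 'error', reject );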
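Review bot: `shell: process.platform === 'win32'` (new line 25) hands the joined argument list to cmd.exe unquoted, so on Windows any element of `snykArguments` containing whitespace or a cmd metacharacter is re-split or interpreted by the shell — the caller in trigger-snyk-scan.js passes `--project-name=Code analysis`, which would arrive as two tokens, and `--target-reference=${ CIRCLE_BRANCH }` carries a value set outside this script. Either quote each argument with a cmd.exe-aware escaper on the Windows path, or fail fast before spawning, e.g. `const useShell = process.platform === 'win32';` hoisted above the `Promise` followed by `if ( useShell && snykArguments.some( argument => /[\s&|<>^"]/.test( argument ) ) ) { throw new Error( 'Refusing to pass arguments containing whitespace or cmd.exe metacharacters through a shell' ); }`. The JSDoc above the function (its `@param` lines start outside the hunk) should also state the constraint, for example `@param {Array<string>} snykArguments - Passed to the Snyk CLI verbatim on POSIX; on Windows they go through cmd.exe, so values must not contain whitespace or shell metacharacters.` Separately, `import.meta.dirname` on new line 18 is only available on Node 20.11 and newer, so the package's `engines` field should declare that floor if it does not already.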