pnpm-audit-hook 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -13
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -2,29 +2,35 @@
|
|
|
2
2
|
|
|
3
3
|
A pnpm hook that audits dependencies for vulnerabilities **before packages are downloaded**. It queries the GitHub Advisory Database for vulnerabilities and optionally enriches severity data from NVD, blocking installs when critical or high severity issues are found.
|
|
4
4
|
|
|
5
|
+
## Quick Start
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
pnpm add -D pnpm-audit-hook && pnpm exec pnpm-audit-setup
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Done! Every `pnpm install` will now audit packages before downloading.
|
|
12
|
+
|
|
5
13
|
## Installation
|
|
6
14
|
|
|
7
|
-
###
|
|
15
|
+
### Per-Project (Recommended)
|
|
8
16
|
|
|
9
17
|
```bash
|
|
10
|
-
# Install
|
|
18
|
+
# 1. Install
|
|
11
19
|
pnpm add -D pnpm-audit-hook
|
|
12
20
|
|
|
13
|
-
#
|
|
21
|
+
# 2. Setup (creates .pnpmfile.cjs in your project)
|
|
14
22
|
pnpm exec pnpm-audit-setup
|
|
15
23
|
```
|
|
16
24
|
|
|
17
|
-
|
|
25
|
+
### Global (All Projects)
|
|
18
26
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
To enable for all pnpm projects on your machine:
|
|
27
|
+
Enable vulnerability auditing for all pnpm projects on your machine:
|
|
22
28
|
|
|
23
29
|
```bash
|
|
24
30
|
# Install globally
|
|
25
31
|
pnpm add -g pnpm-audit-hook
|
|
26
32
|
|
|
27
|
-
# Create global hooks directory
|
|
33
|
+
# Create global hooks directory and copy files
|
|
28
34
|
mkdir -p ~/.pnpm-hooks
|
|
29
35
|
cp $(pnpm root -g)/pnpm-audit-hook/dist ~/.pnpm-hooks/ -r
|
|
30
36
|
cp $(pnpm root -g)/pnpm-audit-hook/.pnpmfile.cjs ~/.pnpm-hooks/
|
|
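Review bot: the global-install commands at the end of this hunk, `cp $(pnpm root -g)/pnpm-audit-hook/dist ~/.pnpm-hooks/ -r`, place the `-r` option after the operands, which GNU cp tolerates but BSD/macOS cp rejects, and the unquoted `$(pnpm root -g)` breaks on paths containing spaces; write it as `cp -r "$(pnpm root -g)/pnpm-audit-hook/dist" ~/.pnpm-hooks/` and quote the second `cp` the same way. The section should also say that these copies are a snapshot: a later `pnpm add -g pnpm-audit-hook` upgrade will not refresh `~/.pnpm-hooks/dist`, so the copy steps have to be repeated after every upgrade or the global hook silently runs stale audit code. Finally, the Quick Start promise "Every `pnpm install` will now audit packages before downloading" rests on reaching the GitHub Advisory Database named in the description; document whether the hook fails open or fails closed when that query errors, because a fail-open default in an offline or proxied CI would make the guarantee meaningless.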
@@ -33,7 +39,7 @@ cp $(pnpm root -g)/pnpm-audit-hook/.pnpmfile.cjs ~/.pnpm-hooks/
|
|
|
33
39
|
pnpm config set global-pnpmfile ~/.pnpm-hooks/.pnpmfile.cjs
|
|
34
40
|
```
|
|
35
41
|
|
|
36
|
-
###
|
|
42
|
+
### From Source
|
|
37
43
|
|
|
38
44
|
```bash
|
|
39
45
|
git clone https://github.com/asx8678/pnpm-audit-hook.git
|
|
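Review bot: the new `### From Source` heading repairs the empty heading, but the steps beneath it clone the default branch of https://github.com/asx8678/pnpm-audit-hook.git with no tag or commit to check out, so a from-source install of a tool that gates every install is itself unpinned and unverifiable; add a checkout of the tag matching the published version before the `cp -r dist` step, or tell readers to compare the built `dist` against the registry package.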
@@ -45,14 +51,34 @@ cp -r dist /path/to/your/project/
|
|
|
45
51
|
cp .pnpmfile.cjs /path/to/your/project/
|
|
46
52
|
```
|
|
47
53
|
|
|
48
|
-
##
|
|
54
|
+
## Verify Installation
|
|
55
|
+
|
|
56
|
+
```bash
|
|
57
|
+
# This should work (safe package)
|
|
58
|
+
pnpm add lodash
|
|
59
|
+
|
|
60
|
+
# This should be BLOCKED (known vulnerable)
|
|
61
|
+
pnpm add event-stream@3.3.6
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
If vulnerabilities are found, the install fails **before** any packages are downloaded.
|
|
65
|
+
|
|
66
|
+
## Uninstall
|
|
67
|
+
|
|
68
|
+
### Per-Project
|
|
49
69
|
|
|
50
70
|
```bash
|
|
51
|
-
|
|
52
|
-
pnpm
|
|
71
|
+
rm .pnpmfile.cjs
|
|
72
|
+
pnpm remove pnpm-audit-hook
|
|
53
73
|
```
|
|
54
74
|
|
|
55
|
-
|
|
75
|
+
### Global
|
|
76
|
+
|
|
77
|
+
```bash
|
|
78
|
+
pnpm config delete global-pnpmfile
|
|
79
|
+
rm -rf ~/.pnpm-hooks
|
|
80
|
+
pnpm remove -g pnpm-audit-hook
|
|
81
|
+
```
|
|
56
82
|
|
|
57
83
|
## Configuration
|
|
58
84
|
|
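Review bot: the sentence under `## Verify Installation`, "If vulnerabilities are found, the install fails", contradicts the description at the top of the README, which says installs are blocked only for critical or high severity issues; say "critical or high severity vulnerabilities" here so a user does not read a permitted install of a moderate-severity package as a broken hook. The verification commands also mutate the user's real project: `pnpm add lodash` adds a dependency to package.json, and `pnpm add event-stream@3.3.6`, if the block ever fails to fire, installs a package the README itself labels known vulnerable; have readers run them in a scratch directory (for example `mkdir /tmp/audit-test && cd /tmp/audit-test && pnpm init`) and show the expected error text so a blocked install can be told apart from a network failure. In `## Uninstall`, the per-project steps remove only `.pnpmfile.cjs`, while the From Source path copied `dist` into the project as well (see the `cp -r dist /path/to/your/project/` context at the head of this hunk), so add `rm -rf dist` for that case and note that `rm .pnpmfile.cjs` also discards any other hooks a pre-existing pnpmfile contained.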
package/package.json
CHANGED