
Allow notes for allowlist items

Open villesau opened this issue 2 years ago • 2 comments

Usually it is good to let other devs know why something has been ignored. That's why being able to leave notes next to the ignore is important. It might be that the vulnerability does not affect the repo, or there is no fix available, or it might be something else.

For reference, this is how better-npm-audit does it: https://github.com/jeemok/better-npm-audit#using-nsprc-file-to-manage-exceptions

villesau, Jun 10 '22 14:06

Thanks for the feedback! I see no reason why we can't support a similar nsprc file format (at least, within the already existing allowlist array).

```jsonc
"allowlist": [
  // plain entry, as supported today
  "GHSA-42xw-2xvc-qx8m",
  // nsprc-style entry: the advisory id keys an object with metadata
  {
    "GHSA-rp65-9cf3-cjxr": {
      "active": true,
      "notes": "Ignored since we don't use xxx method",
      "expiry": 1615462134681
    }
  }
]
```

Until that's implemented, we do support comments within the JSON. If you're going to use comments, I recommend using the file extension .jsonc for compatibility with IDEs.

quinnturner, Jun 10 '22 20:06

Thanks for the hint! Indeed a comment is a good workaround for this for the time being.

villesau, Jun 10 '22 21:06