* Checks out a particular revision of source code and dependencies, * audits dependencies and applies fixes to vulnerabilities. * Fixes for vulnerabilities should not affect build output since most * vulnerabilities reside in code which never gets reached during build. * However, fixing the vuln
(version, fixVulnerabilities)
| 96 | * @param {boolean} fixVulnerabilities Whether or not to attempt to fix known vulnerabilities |
| 97 | */ |
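/**
 * Checks out a particular revision of the source and its dependencies, then
 * (optionally) audits the dependencies and applies the fixes npm offers.
 *
 * The checkout is `git restore --source v<version>` of package.json,
 * package-lock.json, src/ and tasks/ (after wiping src/), followed by
 * `npm install --ignore-scripts`.
 *
 * @param {string} version Release version such as `1.2.3`; the tag `v${version}`
 *   is checked out. Only digits, dots and a semver-style suffix are accepted.
 * @param {boolean} fixVulnerabilities Whether or not to run `npm audit fix` and
 *   fail when vulnerabilities without an automatic fix remain.
 * @returns {Promise<void>}
 * @throws {Error} If `version` is not a plain version string, if the audit
 *   report cannot be read (unexpected report version or shape), or if
 *   vulnerabilities without a fix remain.
 */
async function checkoutVersion(version, fixVulnerabilities) {
  // `version` is interpolated into a command string below. execute() appears
  // to take a shell command line, so restrict the value to version characters
  // before it reaches the shell (no whitespace, quotes or metacharacters).
  const tag = String(version);
  if (!/^\d+(?:\.\d+)*(?:[-+][0-9A-Za-z.-]+)?$/.test(tag)) {
    throw new Error(`Invalid version "${tag}", expected a plain version such as 1.2.3`);
  }
  log.ok(`Checking out version ${tag}`);
  // Use -- to disambiguate the tag (release version) and file paths
  await rm('src', {force: true, recursive: true});
  await execute(`git restore --source v${tag} -- package.json package-lock.json src/ tasks/`);
  log.ok(`Installing dependencies`);
  await execute('npm install --ignore-scripts');
  if (!fixVulnerabilities) {
    log.ok(`Skipping dependency audit`);
    return;
  }
  log.ok(`Dependency audit`);
  // --force lets npm apply semver-major updates to fix advisories; the --json
  // report is what is inspected below.
  const deps = JSON.parse(await execute('npm audit fix --force --ignore-scripts --json'));
  // Optional chaining so a missing or malformed report surfaces as the
  // intended Error rather than a TypeError on property access.
  if (deps?.audit?.auditReportVersion !== 2) {
    throw new Error('Could not audit dependencies');
  }
  const total = deps.audit.metadata?.vulnerabilities?.total;
  if (typeof total !== 'number') {
    throw new Error('Could not audit dependencies');
  }
  if (total !== 0) {
    throw new Error('Dependency vulnerability without a fix found, please audit manually');
  }
}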
| 119 | async function checkoutHead() { |
| 120 | // Restore current files |