chore: manually add exception for esbuild vulnerability (#34875)

2025-02-20 14:47:44 -08:00 · 2025-02-20 14:47:44 -08:00 · c64f0ffa1d
parent 33c0a1b0ca
commit c64f0ffa1d
3 changed files with 56 additions and 2 deletions
--- a/.github/workflows/infra.yml
+++ b/.github/workflows/infra.yml
@ -35,7 +35,7 @@ jobs:
          exit 1
        fi
    - name: Audit prod NPM dependencies
-      run: npm audit --omit dev
+      run: node utils/check_audit.js
  lint-snippets:
    name: "Lint snippets"
    runs-on: ubuntu-latest
--- a/packages/trace-viewer/src/ui/consoleTab.tsx
+++ b/packages/trace-viewer/src/ui/consoleTab.tsx
@ -72,7 +72,7 @@ export function useConsoleTabModel(model: modelUtil.MultiTraceModel | undefined,
      const aTimestamp = 'time' in a ? a.time : a.timestamp;
      const bTimestamp = 'time' in b ? b.time : b.timestamp;
      return aTimestamp - bTimestamp;
-    })
+    });
    for (const event of logEvents) {
      if (event.type === 'console') {
        const body = event.args && event.args.length ? format(event.args) : formatAnsi(event.text);
--- a/utils/check_audit.js
+++ b/utils/check_audit.js
@ -0,0 +1,54 @@
+const { exec } = require('child_process');
+
+const URL_LIST = [
+  // Not encountered by Vite, thus we cannot hit it
+  'https://github.com/advisories/GHSA-67mh-4wv8-2f99'
+];
+
+const runNpmAudit = () => new Promise((resolve, reject) => {
+  exec('npm audit --omit dev --json', (error, stdout, stderr) => {
+    if (error && stderr) {
+      // npm audit returns a non-zero exit code if there are vulnerabilities
+      reject(`Audit error: ${error}\n${stdout}\n${stderr}`);
+      return;
+    }
+    resolve(stdout);
+  });
+});
+
+// interface Audit {
+//   [name: string]: AuditEntry;
+// }
+
+// interface AuditEntry {
+//   severity: string;
+//   range: string;
+//   via: Array<{
+//     url: string;
+//   } | string>;
+// }
+
+const checkAudit = async () => {
+  const audit = JSON.parse(await runNpmAudit());
+
+  const validVulnerabilities = Object.entries(audit.vulnerabilities).filter(([_name, entry]) => {
+    const originalVulnerabilities = entry.via.filter(viaEntry => typeof viaEntry === 'object' && !URL_LIST.includes(viaEntry.url));
+    return originalVulnerabilities.length > 0;
+  });
+
+  for (const [name, entry] of validVulnerabilities) {
+    console.error(`Vulnerability (${entry.severity}): ${name} ${entry.range}`);
+  }
+
+  if (validVulnerabilities.length > 0) {
+    process.exit(1);
+  }
+
+  console.log('No vulnerabilities found');
+};
+
+// You can manually run `npm audit --omit dev` to see the vulnerabilities in a human-friendly
+checkAudit().catch(error => {
+  console.error(error);
+  process.exit(1);
+});