{"id":13463217,"url":"https://github.com/IBM/audit-ci","last_synced_at":"2025-03-25T06:31:43.117Z","repository":{"id":33293089,"uuid":"157441460","full_name":"IBM/audit-ci","owner":"IBM","description":"Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories","archived":false,"fork":false,"pushed_at":"2024-09-16T10:43:45.000Z","size":6090,"stargazers_count":267,"open_issues_count":12,"forks_count":43,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-23T00:03:22.704Z","etag":null,"topics":["audit","audit-ci","bun","ci","github-actions","npm","pnpm","security","yarn"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IBM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audit-ci.jsonc","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-13T20:23:26.000Z","updated_at":"2025-03-20T11:54:56.000Z","dependencies_parsed_at":"2023-02-18T10:01:10.583Z","dependency_job_id":"14353fc4-983d-41ab-9d99-d991b7fdbe0f","html_url":"https://github.com/IBM/audit-ci","commit_stats":{"total_commits":384,"total_committers":29,"mean_commits":"13.241379310344827","dds":0.4921875,"last_synced_commit":"aa1f7926e3f4f6b3c58fedae83f9953149050aad"},"previous_names":[],"tags_count":53,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Faudit-ci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Faudit-ci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Faudit-ci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Faudit-ci/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IBM","download_url":"https://codeload.github.com/IBM/audit-ci/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245212260,"owners_count":20578442,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","audit-ci","bun","ci","github-actions","npm","pnpm","security","yarn"],"created_at":"2024-07-31T13:00:48.290Z","updated_at":"2025-03-25T06:31:39.036Z","avatar_url":"https://github.com/IBM.png","language":"TypeScript","funding_links":[],"categories":["security","Dependencies"],"sub_categories":["Serializers"],"readme":"# audit-ci\n\n[![npm version](https://badge.fury.io/js/audit-ci.svg)](https://badge.fury.io/js/audit-ci)\n[![CircleCI](https://circleci.com/gh/IBM/audit-ci/tree/main.svg?style=svg)](https://circleci.com/gh/IBM/audit-ci/tree/main)\n[![GitHub CI](https://github.com/IBM/audit-ci/actions/workflows/build.yml/badge.svg)](https://github.com/IBM/audit-ci/actions/workflows/build.yml)\n[![CodeQL](https://github.com/IBM/audit-ci/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/IBM/audit-ci/actions/workflows/codeql-analysis.yml)\n\nThis module is intended to be consumed by your favourite continuous integration tool to\nhalt execution if `npm audit`, `yarn audit`, or `pnpm audit` finds vulnerabilities at or above the specified\nthreshold while ignoring allowlisted advisories.\n\n\u003e Note: Use our [codemod](#codemod) to update to [`audit-ci` v6.0.0](https://github.com/IBM/audit-ci/releases/tag/v6.0.0)\n\n## Requirements\n\n- Node \u003e=16\n- _(Optional)_ Yarn ^1.12.3 || Yarn \u003e=2.4.0 \u0026\u0026 \u003c4.0.0\n- _(Optional)_ PNPM \u003e=4.3.0\n- _(Optional)_ Bun\n\n## Limitations\n\n- Yarn Classic workspaces does not audit `devDependencies`. See [this issue](https://github.com/yarnpkg/yarn/issues/7047) for more information.\n- Yarn v4 is not supported because it provides similar functionality to `audit-ci`.\n For more information, see the [documentation on `yarn npm audit`](https://yarnpkg.com/cli/npm/audit#options).\n If you'd like `audit-ci` to support Yarn v4, voice your opinion on [this issue](https://github.com/IBM/audit-ci/issues/332).\n- Bun is supported by exporting the `bun.lockb` into a Yarn v1 `yarn.lock` file.\n Accordingly, auditing a `bun.lockb` file with `audit-ci` requires Yarn v1.\n\n## Set up\n\n_(Recommended)_ Install `audit-ci` during your CI environment using `npx`, `yarn dlx`, or `pnpm dlx` immediately after checking out the project's repository.\n\n```sh\n# Use the option for your project's package manager, pinning to a major version to avoid breaking changes\nnpx audit-ci@^7 --config ./audit-ci.jsonc\nyarn dlx audit-ci@^7 --config ./audit-ci.jsonc\npnpm dlx audit-ci@^7 --config ./audit-ci.jsonc\n```\n\nAlternatively, `audit-ci` can be installed as a devDependency.\nThe downside of this approach is that the CI may run a `postinstall` script of a compromised package before running `audit-ci`.\n\n```sh\n# Use the option for your project's package manager\nnpm install -D audit-ci\nyarn add -D audit-ci\npnpm install -D audit-ci\nbun install -D audit-ci\n```\n\nThe next section gives examples using `audit-ci` in various CI environments.\nIt assumes moderate, high, and critical severity vulnerabilities prevent build continuation.\nAlso, it suppresses an advisory of `axios` and a transitive advisory of `react-scripts`.\n\n```jsonc\n// audit-ci.jsonc\n{\n // $schema provides code completion hints to IDEs.\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"moderate\": true,\n \"allowlist\": [\n // Axios denial of service https://github.com/advisories/GHSA-42xw-2xvc-qx8m\n \"GHSA-42xw-2xvc-qx8m\",\n // The following are for the latest create-react-app\n // https://github.com/advisories/GHSA-rp65-9cf3-cjxr\n // Alternatively, allowlist \"GHSA-rp65-9cf3-cjxr\" to suppress this nth-check advisory across all paths\n // or \"*|react-scripts\u003e*\" to suppress advisories for all transitive dependencies of \"react-scripts\".\n \"GHSA-rp65-9cf3-cjxr|react-scripts\u003e@svgr/webpack\u003e@svgr/plugin-svgo\u003esvgo\u003ecss-select\u003enth-check\",\n ],\n}\n```\n\n### Bun\n\nBun supports exporting the `bun.lockb` into a Yarn v1 `yarn.lock` file.\n\n```sh\nbun install -y\n```\n\nAfterwards, you can run `audit-ci` with the `yarn` package manager.\n\n### Allowlisting\n\nAllowlists are a mechanism to suppress an advisory warning from the audit. A team may want to suppress an advisory when:\n\n- A fix has already been started\n- There is no bandwidth to fix the advisory\n- The risk is tolerable for the project\n- The advisory is inaccurate or incorrect\n- The vulnerable code is not actually used\n\nAn allowlist may contain multiple allowlist records. There are three categories of allowlist record formats:\n\n- `module` allowlist record (example: `axios`, suppresses all advisories _directly_ caused by `axios`, **not transitive advisories**)\n- `advisory` allowlist record (example: `GHSA-42xw-2xvc-qx8m`, suppresses all instances of advisory based on the GitHub advisory identifier)\n- `path` allowlist record (example: `GHSA-rp65-9cf3-cjxr|react-scripts\u003e@svgr/webpack\u003e@svgr/plugin-svgo\u003esvgo\u003ecss-select\u003enth-check`, the specific and full advisory path **with wildcard support**)\n\nWhen `audit-ci` identifies new advisories at or above the configured level, the CI pipeline will fail.\n\n```txt\nFound vulnerable advisory paths:\nGHSA-pw2r-vq6v-hr8c|axios\u003efollow-redirects\nGHSA-74fj-2j2h-c42q|axios\u003efollow-redirects\nGHSA-4w2v-q235-vp99|axios\nGHSA-42xw-2xvc-qx8m|axios\nGHSA-cph5-m8f7-6c5x|axios\nFailed security audit due to high, moderate vulnerabilities.\nVulnerable advisories are:\nhttps://github.com/advisories/GHSA-pw2r-vq6v-hr8c\nhttps://github.com/advisories/GHSA-74fj-2j2h-c42q\nhttps://github.com/advisories/GHSA-4w2v-q235-vp99\nhttps://github.com/advisories/GHSA-42xw-2xvc-qx8m\nhttps://github.com/advisories/GHSA-cph5-m8f7-6c5x\nExiting...\n```\n\nAdvisories can be suppressed using several approaches. Each approach is useful in unique scenarios.\n\nFirst, the most granular and secure approach, using paths. If in the future the same advisory arises with a different path, the pipeline will fail.\n\n```jsonc\n\"allowlist\": [\n \"GHSA-pw2r-vq6v-hr8c|axios\u003efollow-redirects\",\n \"GHSA-74fj-2j2h-c42q|axios\u003efollow-redirects\",\n \"GHSA-4w2v-q235-vp99|axios\",\n \"GHSA-42xw-2xvc-qx8m|axios\",\n \"GHSA-cph5-m8f7-6c5x|axios\"\n]\n```\n\nThe next best approach is suppressing the advisories using advisory IDs. This approach may be useful if your team knows that the application is not (and will not be) affected by the advisory regardless of the path. Often, the same advisory can be present in many paths. Allowlisting by advisory ID is terser than the alternative of listing all paths.\n\n```jsonc\n\"allowlist\": [\n \"GHSA-pw2r-vq6v-hr8c\",\n \"GHSA-74fj-2j2h-c42q\",\n \"GHSA-4w2v-q235-vp99\",\n \"GHSA-42xw-2xvc-qx8m\",\n \"GHSA-cph5-m8f7-6c5x\"\n]\n```\n\nThe next approach is to allowlist the modules themselves. All current and future advisories are automatically suppressed when using module allowlist records. Compared to other suppression approaches, there's an increased risk of a new advisory impacting your application due to the broad suppression. Suppressing via a module allowlist record is often less useful than using path allowlist records + wildcards, as noted in the final approach.\n\n```jsonc\n\"allowlist\": [\n \"axios\",\n \"follow-redirects\"\n]\n```\n\nFinally, wildcards can be used within path allowlist records. Wildcards are useful for trusted development-only dependencies such as `react-scripts`. Unlike the module allowlist record of `react-scripts`, the path allowlist of `*|react-scripts\u003e*` suppresses transitive dependency advisories (dependencies of dependencies).\n\nWildcard matching works by:\n\n1. splitting the allowlist record at every wildcard\n1. constructing a regex matching anything at each wildcard location\n\nAn allowlist record may include any number of wildcards such as `*|react-scripts\u003e*\u003e*\u003eexample\u003e*`.\n\n#### Allowlist Formats\n\nThe simplest way to add an advisory to the allowlist is using a string:\n\n```jsonc\n\"allowlist\": [\n \"axios\"\n]\n```\n\nYou can also use an object notation ([NSPRecord](#nsprecord-fields)) in which you can add notes and control the expiration of this exception:\n\n```jsonc\n\"allowlist\": [\n {\n \"axios\": {\n \"active\": true,\n \"notes\": \"Ignore this until November 20th\",\n \"expiry\": \"20 November 2022 11:00\"\n }\n }\n]\n```\n\n`allowlist` supports both formats at the same time, so feel free to mix and match:\n\n```jsonc\n\"allowlist\": [\n {\n \"axios\": {\n \"active\": true,\n \"notes\": \"Ignore this until November 20th\",\n \"expiry\": \"20 November 2022 11:00\"\n }\n },\n \"base64url\"\n]\n```\n\n#### NSPRecord Fields\n\n| Attribute | Type | Description | Example |\n| --------- | ---------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `active` | boolean | Whether the exception is active or not | `true` |\n| `expiry` | string \\| number | Human-readable date, or milliseconds since the UNIX Epoch | - `'2020-01-31'` \u003cbr\u003e - `'2020/01/31'` \u003cbr\u003e - `'01/31/2021, 11:03:58'` \u003cbr\u003e - `'1 March 2016 15:00'` \u003cbr\u003e - `'1 March 2016 3:00 pm'` \u003cbr\u003e - `'2012-01-26T13:51:50.417-07:00'` \u003cbr\u003e - `'Sun, 11 Jul 2021 03:03:13 GMT'` \u003cbr\u003e - `'Thu Jan 26 2017 11:00:00 GMT+1100 (Australian Eastern Daylight Time)'` \u003cbr\u003e - `327611110417` |\n| `notes` | string | Notes related to the vulnerability. |\n\n### GitHub Actions\n\n```yml\nsteps:\n - uses: actions/checkout@v2\n - name: Audit for vulnerabilities\n run: npx audit-ci@^7 --config ./audit-ci.jsonc\n```\n\n_(Recommended)_ Run `audit-ci` immediately after checking out the git repository to reduce the risk of executing a `postinstall` script from a compromised NPM package.\n\n### CircleCI\n\n```yml\n# ... excludes set up for job\nsteps:\n - checkout\n - run:\n name: update-npm\n command: \"sudo npm install -g npm\"\n - restore_cache:\n key: dependency-cache-{{ checksum \"package.json\" }}\n # This should run immediately after cloning\n # the risk of executing a script from a compromised NPM package.\n # If you use a pull-request-only workflow,\n # it's better to not run audit-ci on `main` and only run it on pull requests.\n # For more info: https://github.com/IBM/audit-ci/issues/69\n # For a PR-only workflow, use the below command instead of the above command:\n #\n # command: if [[ ! -z $CIRCLE_PULL_REQUEST ]] ; then npx audit-ci --config ./audit-ci.jsonc ; fi\n - run:\n name: run-audit-ci\n command: npx audit-ci@^7 --config ./audit-ci.jsonc\n - run:\n name: install-npm\n command: \"npm install --no-audit\"\n```\n\n### Travis-CI\n\nAuditing only on PR builds is [recommended](#qa)\n\n```yml\nscripts:\n # This script should be the first that runs to reduce the risk of\n # executing a script from a compromised NPM package.\n - if [ \"${TRAVIS_PULL_REQUEST}\" != \"false\" ]; then npx audit-ci@^7 --config ./audit-ci.jsonc; fi\n```\n\nFor `Travis-CI` not using PR builds:\n\n```yml\nscripts:\n - npx audit-ci@^7 --config ./audit-ci.jsonc\n```\n\n## Options\n\n\u003e _(Recommended)_ Prefer to use a JSONC or JSON5 config file for `audit-ci` over managing your config with CLI arguments.\n\u003e Using a config file supports workflows such as documenting your allowlist, centralized and easier config management,\n\u003e and code completion when using the `$schema` field.\n\n| Args | Alias | Description |\n| ---- | ----------------- | ----------------------------------------------------------------------------------------------------- |\n| -l | --low | Prevents integration with low or higher vulnerabilities (default `false`) |\n| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default `false`) |\n| -h | --high | Prevents integration with high or critical vulnerabilities (default `false`) |\n| -c | --critical | Prevents integration only with critical vulnerabilities (default `false`) |\n| -p | --package-manager | Choose a package manager [_choices_: `auto`, `npm`, `yarn`, `pnpm`] (default `auto`) |\n| -a | --allowlist | Vulnerable modules, advisories, and paths to allowlist from preventing integration (default `none`) |\n| -o | --output-format | The format of the output of audit-ci [_choices_: `text`, `json`] (default `text`) |\n| -d | --directory | The directory containing the package.json to audit (default `./`) |\n| | --pass-enoaudit | Pass if no audit is performed due to the registry returning ENOAUDIT (default `false`) |\n| | --show-found | Show allowlisted advisories that are found (default `true`) |\n| | --show-not-found | Show allowlisted advisories that are not found (default `true`) |\n| | --registry | The registry to resolve packages by name and version for auditing (default to unspecified) |\n| | --report-type | Format for the audit report results [_choices_: `important`, `summary`, `full`] (default `important`) |\n| | --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default `5`) |\n| | --config | Path to the audit-ci configuration file |\n| | --skip-dev | Skip auditing devDependencies (default `false`) |\n| | --extra-args | Extra arguments to pass to the underlying audit command (default: `[]`) |\n\n### Config file specification\n\nA config file can manage auditing preferences for `audit-ci`. The config file's keys match the CLI arguments.\n\n```txt\n{\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n // Only use one of [\"low\": true, \"moderate\": true, \"high\": true, \"critical\": true]\n \"low\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"moderate\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"high\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"critical\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"allowlist\": \u003c(string | [NSPRecord](#nsprecord-fields))[]\u003e, // [Optional] default `[]`\n \"report-type\": \u003cstring\u003e, // [Optional] defaults `important`\n \"package-manager\": \u003cstring\u003e, // [Optional] defaults `\"auto\"`\n \"output-format\": \u003cstring\u003e, // [Optional] defaults `\"text\"`\n \"pass-enoaudit\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"show-found\": \u003cboolean\u003e, // [Optional] defaults `true`\n \"show-not-found\": \u003cboolean\u003e, // [Optional] defaults `true`\n \"registry\": \u003cstring\u003e, // [Optional] defaults `undefined`\n \"retry-count\": \u003cnumber\u003e, // [Optional] defaults 5\n \"skip-dev\": \u003cboolean\u003e, // [Optional] defaults `false`\n \"extra-args\": \u003cstring\u003e[] // [Optional] defaults `[]`\n}\n```\n\n\u003e Refrain from using `\"directory\"` within the config file because `directory`\n\u003e is relative to where the command is run, rather than the directory where the config file exists.\n\n## Examples\n\n### Prevents build on moderate, high, or critical vulnerabilities with allowlist; ignores low\n\nWith a `JSONC` config file, execute with `npx audit-ci --config ./audit-ci.jsonc`.\n\n```jsonc\n// audit-ci.jsonc\n{\n // $schema provides code completion hints to IDEs.\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"moderate\": true,\n \"allowlist\": [\n // Axios denial of service https://github.com/advisories/GHSA-42xw-2xvc-qx8m\n \"GHSA-42xw-2xvc-qx8m\",\n // The following are for the latest create-react-app\n // https://github.com/advisories/GHSA-rp65-9cf3-cjxr\n // Alternatively, allowlist \"GHSA-rp65-9cf3-cjxr\" to suppress this nth-check advisory across all paths\n // or \"*|react-scripts\u003e*\" to suppress advisories for all transitive dependencies of \"react-scripts\".\n \"GHSA-rp65-9cf3-cjxr|react-scripts\u003e@svgr/webpack\u003e@svgr/plugin-svgo\u003esvgo\u003ecss-select\u003enth-check\",\n ],\n}\n```\n\nOr, with the CLI:\n\n```sh\nnpx audit-ci -m -a \"GHSA-42xw-2xvc-qx8m\" \"GHSA-rp65-9cf3-cjxr|react-scripts\u003e@svgr/webpack\u003e@svgr/plugin-svgo\u003esvgo\u003ecss-select\u003enth-check\"\n```\n\n### Prevents build on any vulnerability except advisory \"GHSA-38f5-ghc2-fcmv\" and all of lodash and base64url, don't show allowlisted\n\nWith a `JSON5` config file:\n\n```json5\n// JSON5 files support trailing commas and more succinct syntax than JSONC files.\n{\n $schema: \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n low: true,\n allowlist: [\"GHSA-38f5-ghc2-fcmv\", \"lodash\", \"base64url\"],\n \"show-found\": false,\n}\n```\n\nOr, with the CLI with `yarn dlx`:\n\n```sh\nyarn dlx audit-ci@^7 -l -a \"GHSA-38f5-ghc2-fcmv\" lodash base64url --show-found false\n```\n\n### Prevents build with critical vulnerabilities showing the full report\n\nWith a `JSONC` config file:\n\n```jsonc\n{\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"critical\": true,\n \"report-type\": \"full\",\n}\n```\n\nOr, with the CLI with `pnpm dlx`:\n\n```sh\npnpm dlx audit-ci@^7 --critical --report-type full\n```\n\n### Continues build regardless of vulnerabilities, but show the summary report\n\nWith a `JSONC` config file:\n\n```jsonc\n{\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"report-type\": \"summary\",\n}\n```\n\nOr, with the CLI:\n\n```sh\nnpx audit-ci@^7 --report-type summary\n```\n\n### Pass additional args to Yarn Berry to exclude a certain package from audit\n\nWith a `JSONC` config file, in a project on Yarn Berry v3.3.0 or later:\n\n```jsonc\n{\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"extra-args\": [\"--exclude\", \"example\"],\n}\n```\n\nOr, with the CLI:\n\n```sh\nnpx audit-ci@^7 --extra-args '\\--exclude' example\n```\n\n### Example config file and different directory usage\n\n#### test/npm-config-file/audit-ci.jsonc\n\n```jsonc\n{\n \"$schema\": \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n \"low\": true,\n \"package-manager\": \"auto\",\n \"allowlist\": [\n \"GHSA-333w-rxj3-f55r\",\n \"GHSA-vfvf-mqq8-rwqc\",\n \"example1\",\n \"example2\",\n \"GHSA-6354-6mhv-mvv5|example3\",\n \"GHSA-42xw-2xvc-qx8m|example4\",\n \"GHSA-42xw-2xvc-qx8m|example5\u003eexample4\",\n \"*|example6\u003e*\",\n ],\n \"registry\": \"https://registry.npmjs.org\",\n}\n```\n\n```sh\nnpx audit-ci@^7 --directory test/npm-config-file --config test/npm-config-file/audit-ci.jsonc\n```\n\n#### test/pnpm-config-file/audit-ci.json5\n\n```json5\n{\n $schema: \"https://github.com/IBM/audit-ci/raw/main/docs/schema.json\",\n moderate: true,\n \"package-manager\": \"pnpm\",\n allowlist: [\n \"GHSA-vfvf-mqq8-rwqc\",\n \"example2\",\n \"GHSA-6354-6mhv-mvv5|example3\",\n \"GHSA-42xw-2xvc-qx8m|example5\u003eexample4\",\n \"*|example6\u003e*\",\n ],\n}\n```\n\n```sh\nnpx audit-ci@^7 --directory test/pnpm-config-file --config test/pnpm-config-file/audit-ci.json5\n```\n\n## Codemod\n\n```sh\nnpx @quinnturner/audit-ci-codemod\n```\n\n\u003chttps://github.com/quinnturner/audit-ci-codemod\u003e\n\n[`audit-ci` v6.0.0](https://github.com/IBM/audit-ci/releases/tag/v6.0.0) changed the identifiers used for auditing from the NPM identifiers to GitHub identifiers.\nNPM identifiers are considered unstable to rely on, as they frequently change.\nMeanwhile, GitHub identifiers are stable.\nTo accommodate for a potentially tedious migration, a codemod is available to update your configuration in-place.\n\n```txt\n$ npx @quinnturner/audit-ci-codemod\nNeed to install the following packages:\n @quinnturner/audit-ci-codemod\nOk to proceed? (y) y\n? What's the path for the audit-ci config? audit-ci.jsonc\nPerformed migration from advisories, whitelist, and path-whitelist to allowlist\nPerformed migration from NPM advisories to GitHub advisories\n```\n\n## Q\u0026A\n\n### Why run `audit-ci` on PR builds for `Travis-CI` and not the push builds?\n\nIf `audit-ci` is run on the PR build and not on the push build, you can continue to push new code and create PRs parallel to the actual vulnerability fix.\nHowever, they can't be merged until the fix is implemented.\nSince `audit-ci` performs the audit on the PR build,\nit will always have the most up-to-date dependencies vs. the push build, which would require a manual merge with `main` before passing the audit.\n\n### What do I do when NPM/Yarn is breaking my build while returning ENOAUDIT?\n\nThe config option `--pass-enoaudit` allows passing if no audit is performed due to the registry returning ENOAUDIT.\nIt is `false` by default to reduce the risk of merging in a vulnerable package.\nHowever, if the convenience of passing is more important for your project then you can add `--pass-enoaudit` into the CLI or add it to the config.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIBM%2Faudit-ci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FIBM%2Faudit-ci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIBM%2Faudit-ci/lists"}