Skip to content

Add npm audit and list output to OSV PR comments. #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Oct 11, 2025
Merged

Add npm audit and list output to OSV PR comments. #14

merged 10 commits into from
Oct 11, 2025

Conversation

@BigBlueHat
Copy link
Collaborator

@BigBlueHat BigBlueHat commented Oct 10, 2025
edited
Loading

This PR is to address @davidlehn's concerns around developers not knowing how to find the correct replacements for a vulnerable dependency. In addition to the CVE links provided by OSV (which have been there from the beginning), the scanner now also provides an npm audit report showing available replacement versions as well as an npm list result filtered on the vulnerable dependencies for the frequent case when the vulnerability is in a secondary (or "lower") dependency.

Hopefully this helps ease developer research time and speeds resolution of vulnerability issues.

@BigBlueHat
Add npm audit and list output to OSV PR comments.
64442e5
@BigBlueHat
Combine audit and list reports; refactoring.
8d54bd8 
This is headed toward being a shared GitHub Action, so it can be run on
both the old code and the new/latest code (without copying and pasting...).
@BigBlueHat
Add shared action for npm audit/list reporting.
7a382a6
@BigBlueHat
Use new shared audit/list action.
325a12e 
This also now generates reports for the old and new code separately.
@BigBlueHat
Continue past the initial shared action call.
19ba15d 
This action is new to the repo and it will fail on the old branch, so we
are continuing on error in that case.
@BigBlueHat
Set shell to bash in shared action.
6e8fdf5
@BigBlueHat
Use --package-lock-only on npm list.
4ae8602 
Otherwise we have to download the entire node_modules/ just to check the same data.
@BigBlueHat
Fix spacing in shared action.
9cf1201
@BigBlueHat
Set explicit output variable on shared action.
4c95459 
Local tests did not need this...but apparently the runner in the cloud does.
@BigBlueHat BigBlueHat merged commit 6a60895 into main Oct 11, 2025
@BigBlueHat BigBlueHat deleted the add-npm-audit-list branch October 11, 2025 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dlongley dlongley dlongley approved these changes

@davidlehn davidlehn Awaiting requested review from davidlehn

@tminard tminard Awaiting requested review from tminard

@mandyvenables mandyvenables Awaiting requested review from mandyvenables

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BigBlueHat @dlongley