fix(ci): replace retired pnpm audit hook

2026-05-06 17:20:45 +00:00 · 2026-04-15 01:10:02 +01:00
parent 3aae0fb16d
commit 55ee327981
3 changed files with 580 additions and 2 deletions
--- a/test/scripts/pnpm-audit-prod.test.ts
+++ b/test/scripts/pnpm-audit-prod.test.ts
@@ -0,0 +1,183 @@
+import { mkdtemp, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import {
+  collectProdResolvedPackagesFromLockfile,
+  createBulkAdvisoryPayload,
+  filterFindingsBySeverity,
+  parseSnapshotKey,
+  runPnpmAuditProd,
+  stripVersionDecorators,
+} from "../../scripts/pre-commit/pnpm-audit-prod.mjs";
+
+describe("pnpm-audit-prod", () => {
+  it("parses scoped snapshot keys with peer suffixes", () => {
+    expect(parseSnapshotKey("@scope/pkg@1.2.3(peer@4.5.6)")).toEqual({
+      packageName: "@scope/pkg",
+      reference: "1.2.3(peer@4.5.6)",
+      version: "1.2.3",
+    });
+  });
+
+  it("strips peer and patch decorators from resolved versions", () => {
+    expect(stripVersionDecorators("7.0.0-rc.9(patch_hash=abc123)(sharp@0.34.5)")).toBe(
+      "7.0.0-rc.9",
+    );
+    expect(stripVersionDecorators("1.2.3")).toBe("1.2.3");
+  });
+
+  it("collects the production graph from pnpm lockfile snapshots", () => {
+    const lockfile = `lockfileVersion: '9.0'
+
+importers:
+  .:
+    dependencies:
+      pkg-a:
+        version: 1.0.0
+    devDependencies:
+      dev-only:
+        version: 9.9.9
+  extensions/demo:
+    dependencies:
+      '@scope/pkg':
+        version: 2.0.0(peer@4.0.0)
+      workspace-lib:
+        version: link:../../packages/workspace-lib
+
+snapshots:
+  pkg-a@1.0.0:
+    dependencies:
+      transitive: 3.0.0(patch_hash=abc123)
+  transitive@3.0.0(patch_hash=abc123): {}
+  '@scope/pkg@2.0.0(peer@4.0.0)':
+    optionalDependencies:
+      opt-dep: 4.0.0
+  opt-dep@4.0.0: {}
+`;
+
+    const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
+    expect(payload).toEqual({
+      "@scope/pkg": ["2.0.0"],
+      "opt-dep": ["4.0.0"],
+      "pkg-a": ["1.0.0"],
+      transitive: ["3.0.0"],
+    });
+  });
+
+  it("resolves npm alias snapshots to the real package name", () => {
+    const lockfile = `lockfileVersion: '9.0'
+
+importers:
+  .:
+    dependencies:
+      request:
+        version: npm:@cypress/request@3.0.10
+
+snapshots:
+  '@cypress/request@3.0.10': {}
+`;
+
+    const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
+    expect(payload).toEqual({
+      "@cypress/request": ["3.0.10"],
+    });
+  });
+
+  it("filters advisory findings by minimum severity", () => {
+    const findings = filterFindingsBySeverity(
+      {
+        axios: [
+          {
+            id: "GHSA-low",
+            severity: "moderate",
+            title: "moderate issue",
+          },
+          {
+            id: "GHSA-high",
+            severity: "high",
+            title: "high issue",
+            url: "https://github.com/advisories/GHSA-high",
+          },
+        ],
+      },
+      "high",
+    );
+
+    expect(findings).toEqual([
+      {
+        id: "GHSA-high",
+        packageName: "axios",
+        severity: "high",
+        title: "high issue",
+        url: "https://github.com/advisories/GHSA-high",
+        vulnerableVersions: null,
+      },
+    ]);
+  });
+
+  it("returns a failing exit code when bulk advisories include high severity findings", async () => {
+    const tempDir = await mkdtemp(path.join(tmpdir(), "openclaw-audit-prod-"));
+    await writeFile(
+      path.join(tempDir, "pnpm-lock.yaml"),
+      `lockfileVersion: '9.0'
+
+importers:
+  .:
+    dependencies:
+      axios:
+        version: 1.0.0
+
+snapshots:
+  axios@1.0.0: {}
+`,
+      "utf8",
+    );
+
+    try {
+      const stdoutChunks: string[] = [];
+      const stderrChunks: string[] = [];
+      const exitCode = await runPnpmAuditProd({
+        rootDir: tempDir,
+        fetchImpl: async () =>
+          new Response(
+            JSON.stringify({
+              axios: [
+                {
+                  id: "GHSA-test",
+                  severity: "high",
+                  title: "test issue",
+                  vulnerable_versions: "<=1.0.0",
+                  url: "https://github.com/advisories/GHSA-test",
+                },
+              ],
+            }),
+            {
+              status: 200,
+              headers: {
+                "content-type": "application/json",
+              },
+            },
+          ),
+        stdout: {
+          write(chunk: string) {
+            stdoutChunks.push(chunk);
+            return true;
+          },
+        } as NodeJS.WriteStream,
+        stderr: {
+          write(chunk: string) {
+            stderrChunks.push(chunk);
+            return true;
+          },
+        } as NodeJS.WriteStream,
+      });
+
+      expect(exitCode).toBe(1);
+      expect(stdoutChunks).toEqual([]);
+      expect(stderrChunks.join("")).toContain("Found 1 high or higher advisories");
+    } finally {
+      await rm(tempDir, { recursive: true, force: true });
+    }
+  });
+});