minder

MatthewCharlton | 20 | MIT | 1.1.2

Runs NPM or Yarn audit and can be configured to fail tasks if the audit finds vulnerable packages

CI, security, audit


Minder

A Node application to audit project dependencies with security issues before they make it into production

Overview

minder is a wrapper for npm audit and yarn audit.
You can configure minder to call either npm audit or yarn audit, and set it to fail CI builds or a pre-commit hook if the audit finds packages with security issues at or above your configured severity level.
You can also output the results to an HTML report, courtesy of npm-audit-html and yarn-audit-html.

Getting Started

Usage: minder

You can create a config file to commit with your project. minder looks for a file named minder.config.json in the current working directory from which the script was called.
Example:

{
  "severity": "high",
  "report": true,
  "html-report-filepath": "audit-report.html",
  "registry": "https://registry.npmjs.org/",
  "whitelisted-advisories": ["803"]
}

Explanation of options

Option                   Description
severity                 The severity level at which the audit should fail. Must be one of: "info", "low", "moderate", "high" or "critical"
package-manager          Which package manager's audit endpoint to use. Must be one of: "npm" or "yarn"
registry                 The registry URL the audit payload will be sent to
report                   Whether to output an HTML report of the audit results. Must be one of: true or false
html-report-filepath     A custom file name for the HTML report; only applicable if "report" is set to true
audit-fail-build         Sets the exit code to 1 when true or 0 when false. Must be one of: true or false
whitelisted-advisories   Advisory IDs to allow/ignore. Must be an array of strings

If no config file is passed then the following defaults will be used:

Option                   Default value
severity                 "critical"
package-manager          "npm"
registry                 ""
report                   false
html-report-filepath     ""
audit-fail-build         false
whitelisted-advisories   []

Add a plugin

You can also extend functionality by writing your own plugin. minder looks for a file named minder-plugin.js in the current working directory from which the script was called.
The audit response is passed as the first parameter and the config overrides as the second.

Example:

module.exports = function minderPlugin(data, config) {
  // data: the raw audit response; config: the overrides read from minder.config.json
  // Serialise both, since interpolating an object directly only prints "[object Object]"
  console.log(`Do something with: ${JSON.stringify(data)} and ${JSON.stringify(config)}`);
};
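As an added example (not minder's own code and not part of the original readme), here is a minder-plugin.js that applies the three gating options from the config tables above, severity, whitelisted-advisories and audit-fail-build, to an audit response and sorts every advisory into exactly one bucket. The response shape (npm audit v6 style: an advisories object keyed by advisory id, each with module_name, severity and title), the merging of overrides with the readme's defaults, and the sample advisories (ids 1001 and 1002, module names example-a/b/c) are assumptions or constructed; only id 803 and the option names come from the readme.

```javascript
'use strict';
// Added example: not minder's own code. The audit response shape below is an
// assumption (npm audit v6 style); yarn audit --json emits newline-delimited
// JSON and would need to be folded into this shape first.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Defaults as listed in the readme's "Default value" table.
const DEFAULTS = {
  severity: 'critical',
  'package-manager': 'npm',
  registry: '',
  report: false,
  'html-report-filepath': '',
  'audit-fail-build': false,
  'whitelisted-advisories': [],
};

// Numeric rank of a severity name; rejects anything outside the readme's list
// so a typo in minder.config.json fails loudly instead of silently passing.
function rank(severity) {
  const i = SEVERITY_ORDER.indexOf(severity);
  if (i === -1) throw new Error(`unknown severity: ${severity}`);
  return i;
}

// Sort each advisory into exactly one bucket: whitelisted (ignored by id),
// failing (at or above the configured severity) or belowThreshold.
function triage(data, overrides) {
  const config = { ...DEFAULTS, ...overrides };
  const threshold = rank(config.severity);
  // IDs are compared as strings so a numeric id in JSON still matches "803".
  const whitelist = new Set(config['whitelisted-advisories'].map(String));
  const result = { failing: [], whitelisted: [], belowThreshold: [] };
  for (const [id, adv] of Object.entries(data.advisories || {})) {
    const entry = { id: String(id), module: adv.module_name, severity: adv.severity, title: adv.title };
    if (whitelist.has(entry.id)) result.whitelisted.push(entry);
    else if (rank(adv.severity) >= threshold) result.failing.push(entry);
    else result.belowThreshold.push(entry);
  }
  return result;
}

// Exit code per the audit-fail-build option: 1 only when the flag is true and
// at least one non-whitelisted advisory meets the threshold, otherwise 0.
function exitCode(data, overrides) {
  const config = { ...DEFAULTS, ...overrides };
  const { failing } = triage(data, overrides);
  return config['audit-fail-build'] && failing.length > 0 ? 1 : 0;
}

// The plugin entry point minder would call: log a triage summary, return it.
function minderPlugin(data, config) {
  const t = triage(data, config);
  for (const a of t.failing) console.log(`FAIL ${a.id} ${a.module} [${a.severity}] ${a.title}`);
  for (const a of t.whitelisted) console.log(`SKIP ${a.id} ${a.module} [${a.severity}] whitelisted`);
  console.log(`${t.failing.length} failing, ${t.whitelisted.length} whitelisted, ${t.belowThreshold.length} below threshold`);
  return t;
}

// Constructed sample config, using the option names from the readme.
const SAMPLE_CONFIG = { severity: 'high', 'audit-fail-build': true, 'whitelisted-advisories': ['803'] };

// Constructed sample audit response (assumed shape); module names are made up.
const SAMPLE_AUDIT = {
  advisories: {
    '803':  { module_name: 'example-a', severity: 'high',     title: 'constructed advisory' },
    '1001': { module_name: 'example-b', severity: 'moderate', title: 'constructed advisory' },
    '1002': { module_name: 'example-c', severity: 'critical', title: 'constructed advisory' },
  },
};

if (typeof module !== 'undefined' && module.exports) module.exports = minderPlugin;
if (typeof require !== 'undefined' && require.main === module) {
  minderPlugin(SAMPLE_AUDIT, SAMPLE_CONFIG);
  console.log(`exit code would be ${exitCode(SAMPLE_AUDIT, SAMPLE_CONFIG)}`);
}
```

With the sample config, advisory 803 is skipped because it is whitelisted, 1001 is below the "high" threshold, and only 1002 causes a failure, so the exit code is 1. Whitelisting is by advisory id rather than by package, which is the property you want: a second, different advisory against the same package is still caught.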

Built With

  • npm-audit-html - NPM Audit HTML Report Generator
  • yarn-audit-html - Yarn Audit HTML Report Generator
  • npm-run - Runs locally-installed node module executables. Used to trigger the HTML Reports

License

This project is licensed under the MIT License - see the LICENSE file for details