Update find-indirect-vulnerable-deps.cjs

bcgov · Jul 12, 2024 · 39b5d75 · 39b5d75
1 parent 5f3b370
commit 39b5d75
Showing 1 changed file with 24 additions and 12 deletions.
diff --git a/.github/helpers/npm-audit/find-indirect-vulnerable-deps.cjs b/.github/helpers/npm-audit/find-indirect-vulnerable-deps.cjs
@@ -1,29 +1,36 @@
-const fs = require('fs');
-const path = require('path');
+const fs = require("fs");
+const path = require("path");
 
 // Runs runNpmAudit and adds parent dependencies if they can be found in the package-lock.json
-const findIndirectVulnerableDependencies = async (auditResult, directoryPath) => {
+const findIndirectVulnerableDependencies = async (
+  auditResult,
+  directoryPath
+) => {
   try {
     const { vulnerabilities } = auditResult;
 
     if (vulnerabilities.length === 0) {
       // No vulnerabilities found
-      return { ...auditResult, parentDependencies: {} };
+      return { ...auditResult, parentDependencies: [] };
     }
 
-    const packageLockPath = path.join(process.cwd(), path.resolve(__dirname, `../../../${directoryPath}/package-lock.json`));
+    const packageLockPath = path.resolve(
+      __dirname,
+      `../../../${directoryPath}/package-lock.json`
+    );
+
     if (!fs.existsSync(packageLockPath)) {
-      throw new Error('package-lock.json not found in the current directory.');
+      throw new Error("package-lock.json not found in the current directory.");
     }
 
-    const packageLock = JSON.parse(fs.readFileSync(packageLockPath, 'utf-8'));
+    const packageLock = JSON.parse(fs.readFileSync(packageLockPath, "utf-8"));
     const vulnerableDeps = vulnerabilities
       .filter((vuln) => !vuln.isDirect)
       .map((vuln) => vuln.name);
 
-    const parentDependencies = {};
+    const parentDependencies = [];
 
-    const cleanDependencyName = (name) => name.replace(/^node_modules\//, '');
+    const cleanDependencyName = (name) => name.replace(/^node_modules\//, "");
 
     const findVulnerableChildren = (dependencies, parentChain = []) => {
       if (!dependencies) return;
@@ -35,11 +42,16 @@ const findIndirectVulnerableDependencies = async (auditResult, directoryPath) =>
           if (!parentDependencies[cleanDepName]) {
             parentDependencies[cleanDepName] = [];
           }
-          parentDependencies[cleanDepName].push(...parentChain.map(cleanDependencyName));
+          parentDependencies[cleanDepName].push(
+            ...parentChain.map(cleanDependencyName)
+          );
         }
 
         if (depData.dependencies) {
-          findVulnerableChildren(depData.dependencies, [...parentChain, cleanDepName]);
+          findVulnerableChildren(depData.dependencies, [
+            ...parentChain,
+            cleanDepName,
+          ]);
         }
       }
     };
@@ -67,7 +79,7 @@ const findIndirectVulnerableDependencies = async (auditResult, directoryPath) =>
       vulnerabilities: updatedVulnerabilities,
     };
   } catch (error) {
-    console.error('Error:', error);
+    console.error("Error:", error);
     throw error;
   }
 };