diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 411912f073..ba83b3ce2a 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -63,15 +63,37 @@ jobs:
node-version: 20.11.0
pnpm-version: 9.5.0
- name: Install jq
- run: sudo apt-get install jq
+ run: sudo apt-get install -y jq
- run: |
- pnpm audit --prod --json | jq '
+ # Run pnpm audit and save the output to audit.json
+ pnpm audit --prod --json > audit.json
+
+ # Check if the 'advisories' field exists and has entries
+ advisories_count=$(jq '.advisories | length // 0' audit.json)
+ if [ "$advisories_count" -eq "0" ]; then
+ echo "No actionable vulnerabilities"
+ exit 0
+ fi
+
+ # Extract critical vulnerabilities with patched versions
+ jq '
.advisories |
to_entries |
- map(select(.value.patched_versions != "<0.0.0" and .value.severity == "critical") | {package: .value.module_name, vulnerable: .value.vulnerable_versions, fixed_in: .value.patched_versions})
- ' > audit_fix_packages.json
- if [ "$(jq 'length' audit_fix_packages.json)" -gt "0" ]; then
+ map(
+ select(
+ (.value.patched_versions != "<0.0.0") and
+ (.value.severity == "critical")
+ ) |
+ {package: .value.module_name, vulnerable: .value.vulnerable_versions, fixed_in: .value.patched_versions}
+ )
+ ' audit.json > audit_fix_packages.json
+
+ # Check if any critical vulnerabilities were found
+ fix_count=$(jq 'length' audit_fix_packages.json)
+ if [ "$fix_count" -gt "0" ]; then
echo "Actionable vulnerabilities found in the following packages:"
- jq -r '.[] | "\u001b[1m\(.package)\u001b[0m vulnerable in \u001b[31m\(.vulnerable)\u001b[0m fixed in \u001b[32m\(.fixed_in)\u001b[0m"' audit_fix_packages.json | while read -r line; do echo -e "$line"; done
+ jq -r '.[] | "\u001b[1m\(.package)\u001b[0m vulnerable in \u001b[31m\(.vulnerable)\u001b[0m fixed in \u001b[32m\(.fixed_in)\u001b[0m"' audit_fix_packages.json | while read -r line; do
+ echo -e "$line"
+ done
echo "Please run \`pnpm --prod --fix\`"
exit 1
else
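Review bot: The new `pnpm audit --prod --json > audit.json` line will, as far as I recall pnpm's behaviour, abort the step precisely when advisories exist, because pnpm audit (like npm audit) exits non-zero when it reports vulnerabilities and the default Actions `run` shell is started with `-e`; the "Actionable vulnerabilities found" branch would then never be reached, so the status should be captured rather than propagated, e.g. `pnpm audit --prod --json > audit.json || true  # non-zero whenever advisories exist; the report is parsed below`. The `// 0` fallback in the `advisories_count` line then has the opposite weakness: a registry error or truncated report with no `.advisories` key is printed as "No actionable vulnerabilities" and exits 0, so the gate passes on a failed audit; add a guard before counting, `jq -e 'has("advisories")' audit.json >/dev/null || { echo "pnpm audit produced no usable report" >&2; exit 1; }`. Both the exit-status behaviour and the `-e` default depend on the pnpm version pinned above and on the step not overriding `shell:`, neither of which is visible in the hunk, so confirm them before merging. Also, `echo -e "$line"` is unnecessary because jq already emits the real escape bytes for `\u001b`; `printf '%s\n' "$line"` is the safer form. The enclosing if/else of this `run:` block continues past the end of the hunk.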