Bug in gitlab-ci.yml: yarn audit
Found a minor bug in gitlab-ci.yml.
From the docs: The exit code of yarn audit will be a mask of the severities.
- 1 for INFO
- 2 for LOW
- 4 for MODERATE
- 8 for HIGH
- 16 for CRITICAL
The current script only checks for an exit code of precisely 4:

```yaml
yarn-audit:
  stage: cve-scan
  image: node:lts-alpine
  script:
    - yarn audit --level high || (test $? -eq 4 && echo "Moderate vulnerabilities found, proceeding anyway.")
```
Actually, the result is 1, due to a Zod denial of service vulnerability - which will prevent the pipeline from further execution (e.g. see this pipeline for details).
To work as expected, the line in the script needs to be changed to

```yaml
    - yarn audit --level high || (test $? -lt 8 && echo "Moderate vulnerabilities found, proceeding anyway.")
```
I guess.
Edited by Jürgen Voskuhl
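As an added illustration (not part of the issue or of the project's own `.gitlab-ci.yml`), the following POSIX sh functions decode the `yarn audit` exit-code mask quoted above into severity names and apply the same gate the proposed `-lt 8` check expresses: fail only when the HIGH (8) or CRITICAL (16) bit is set. It assumes the bitmask semantics listed in the issue (1/2/4/8/16 for INFO/LOW/MODERATE/HIGH/CRITICAL) and treats any status above 31, which no combination of those bits can produce, as "yarn did not run", so a missing binary or network failure does not pass silently.

```sh
#!/bin/sh
# Added example, not the project's pipeline code. Assumes the yarn classic
# exit-code mask quoted in the issue: 1 INFO, 2 LOW, 4 MODERATE, 8 HIGH, 16 CRITICAL.

# Print the severity names whose bits are set in the mask, space separated.
yarn_audit_severities() {
  mask=$1
  out=""
  [ $((mask & 1)) -ne 0 ] && out="$out INFO"
  [ $((mask & 2)) -ne 0 ] && out="$out LOW"
  [ $((mask & 4)) -ne 0 ] && out="$out MODERATE"
  [ $((mask & 8)) -ne 0 ] && out="$out HIGH"
  [ $((mask & 16)) -ne 0 ] && out="$out CRITICAL"
  printf '%s' "${out# }"
}

# Return 0 when neither HIGH (8) nor CRITICAL (16) is set, 1 otherwise.
# Because those are the two highest bits, "mask < 8" in the issue's proposed
# fix is equivalent to this test for any valid mask.
yarn_audit_should_pass() {
  mask=$1
  [ $((mask & 24)) -eq 0 ]
}

# CI gate: takes the exit status of "yarn audit", prints what was found and
# returns 0 to let the job continue or 1 to fail it.
yarn_audit_gate() {
  rc=$1
  if [ "$rc" -eq 0 ]; then
    echo "yarn audit: no advisories"
    return 0
  fi
  if [ "$rc" -gt 31 ]; then
    # Not a severity mask at all (e.g. 127 = command not found): never pass.
    echo "yarn audit did not run correctly (exit $rc), failing the job." >&2
    return 1
  fi
  found=$(yarn_audit_severities "$rc")
  if yarn_audit_should_pass "$rc"; then
    echo "yarn audit: only $found advisories found, proceeding anyway."
    return 0
  fi
  echo "yarn audit: $found advisories found, failing the job." >&2
  return 1
}

# Usage in a script step (yarn's real status feeds the gate):
#   yarn audit --level high; yarn_audit_gate $?
```

Feeding `$?` into a function instead of chaining `|| (test ...)` keeps the decision in one place and makes the job log state exactly which severities were found, which is what a reviewer of the failed pipeline wants to see.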