use improved-yarn-audit and exclude 1002401 and 1002581 (#12310)

* use improved-yarn-audit and exclude 1002401
3 years ago · cd26cab8fe
parent 56f800057b
commit cd26cab8fe
4 changed files with 10 additions and 1 deletions
--- a/.circleci/scripts/yarn-audit.sh
+++ b/.circleci/scripts/yarn-audit.sh
@ -3,7 +3,9 @@
 set -u
 set -o pipefail

-yarn audit --level moderate --groups dependencies
+# use `improved-yarn-audit` since that allows for exclude
+# exclude 1002401 until we remove use of 3Box, 1002581 until we can find a better solution
+yarn run improved-yarn-audit --ignore-dev-deps --min-severity moderate --exclude 1002401,1002581
 audit_status="$?"

 # Use a bitmask to ignore INFO and LOW severity audit results
--- a/.depcheckrc.yml
+++ b/.depcheckrc.yml
@ -29,6 +29,7 @@ ignores:
  - "source-map-explorer"
  # development tool
  - "yarn-deduplicate"
+  - "improved-yarn-audit"
  # storybook
  - "@storybook/core"
  - "@storybook/addon-backgrounds"
--- a/package.json
+++ b/package.json
@ -283,6 +283,7 @@
    "gulp-watch": "^5.0.1",
    "gulp-zip": "^4.0.0",
    "history": "^5.0.0",
+    "improved-yarn-audit": "^2.3.3",
    "jest": "^26.6.3",
    "jsdom": "^11.2.0",
    "koa": "^2.7.0",
--- a/yarn.lock
+++ b/yarn.lock
@ -14621,6 +14621,11 @@ import-local@^3.0.2:
    pkg-dir "^4.2.0"
    resolve-cwd "^3.0.0"

+improved-yarn-audit@^2.3.3:
+  version "2.3.3"
+  resolved "https://registry.yarnpkg.com/improved-yarn-audit/-/improved-yarn-audit-2.3.3.tgz#da0be78be4b678c73733066c9ccd21e1958fae8c"
+  integrity sha512-chZ7zPKGsA+CZeMExNPf9WZhETJLkC+u8cQlkQC9XyPZqQPctn3FavefTjXBXmX3Azin8WcoAbaok1FvjkLf6A==
+
 imurmurhash@^0.1.4:
  version "0.1.4"
  resolved "https://registry.yarnpkg.com/imurmurhash/-/imurmurhash-0.1.4.tgz#9218b9b2b928a238b13dc4fb6b6d576f231453ea"