feat: initial commit

.eslintrc.json

@@ -0,0 +1,31 @@
+{
+  "env": {
+    "es6": true,
+    "node": true,
+    "jest": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:import/recommended",
+    "plugin:jest/recommended",
+    "prettier"
+  ],
+  "plugins": ["import", "jest", "prettier"],
+  "rules": {
+    "import/no-extraneous-dependencies": "error",
+    "no-underscore-dangle": "error",
+    "no-console": "off",
+    "no-empty": "off",
+    "no-useless-escape": "off",
+    "no-unused-vars": "off",
+    "import/prefer-default-export": "off",
+    "import/no-named-as-default": "off",
+    "linebreak-style": "off",
+    "prettier/prettier": "error",
+    "complexity": "off",
+    "import/unambiguous": "off",
+    "prefer-const": "error",
+    "no-var": "error",
+    "jest/no-identical-title": "warn"
+  }
+}

.github/workflows/test.yml

@@ -0,0 +1,27 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [12.x]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: yarn install --frozen-lockfile
+      - run: yarn ci
+        env:
+          SNYK_TOKEN: ${{secrets.SNYK_TOKEN}}
+          CI: true

.gitignore

@@ -0,0 +1,18 @@
+# deps
+node_modules
+
+# package manager files
+yarn-error.log
+package-lock.json
+
+# generated by web storm
+.idea
+
+# azure packs
+*.zip
+
+# editor config files
+.DS_Store
+.vscode
+
+lib

.npmignore

@@ -0,0 +1,8 @@
+*
+!bin/*
+!lib/*
+!docs/CHANGELOG.md
+!LICENSE
+!package.json
+!README.md
+!yarn.lock

.npmrc

@@ -0,0 +1 @@
+registry = "https://registry.npmjs.org"

.nvmrc

@@ -0,0 +1 @@
+14

.snyk

@@ -0,0 +1,2 @@
+ignore: {}
+patch: {}

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 ASOS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,84 @@
+<p align="center">
+  <h1 align="center">Snyker</h1>
+</p>
+<p align="center">
+An opinionated CLI wrapper around <a href="https://snyk.io/">Snyk</a> for purging vulnerabilities from Node projects
+</p>
+<p align="center">
+   <a href="https://github.com/asos/snyker/tags/"><img src="https://img.shields.io/github/tag/asos/snyker" alt="Current version" /></a>
+   <img src="https://github.com/asos/snyker/workflows/Test/badge.svg" alt="Current test status" />
+   <a href="http://makeapullrequest.com"><img src="https://img.shields.io/badge/PRs-welcome-brightgreen.svg" alt="PRs are welcome" /></a>
+   <a href="https://github.com/asos/snyker/issues/"><img src="https://img.shields.io/github/issues/asos/snyker" alt="snyker issues" /></a>
+   <img src="https://img.shields.io/github/stars/asos/snyker" alt="snyker stars" />
+   <img src="https://img.shields.io/github/forks/asos/snyker" alt="snyker forks" />
+   <img src="https://img.shields.io/github/license/asos/snyker" alt="snyker license" />
+   <a href="https://github.com/asos/snyker/graphs/commit-activity"><img src="https://img.shields.io/badge/Maintained%3F-yes-green.svg" alt="snyker is maintained" /></a>
+</p>
+<p align="center">
+  <i>You're not you when you've got hundreds of vulnerable paths</i>
+</p>
+
+---
+
+## Getting Started
+
+```bash
+# Start fixing vulnerabilities straight away using NPX
+npx snyker
+
+# Add to your global NPM packages
+npm i -g snyker
+
+# Or to your global Yarn packages
+yarn global add snyker
+```
+
+## About
+
+The Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.
+
+This CLI takes a brute-force approach to solving this limitation of Snyk. It purges the `.snyk` file from a project, checks for vulnerable paths using Snyk, then forces `yarn` / `npm` to try to upgrade any dependency along the vulnerable paths before finally ignoring any vulnerability that cannot be fixed in the previous steps. If a patch is available for any outstanding vulnerability then it is also added to the Snyk policy.
+
+Note that this tool obeys your defined package version ranges and therefore can't fix anything that requires a major upgrade if you are only permitting minor or patch upgrades.
+
+This tool also does not make use of Snyk's ability to perform package major upgrades. It will simply ignore vulnerabilities that cannot be fixed in the aforementioned steps. _It is on you to sanity check anything that this tool decides to ignore._
+
+Snyker will list the known vulnerabilities it has been unable to fix. If Snyk reports that there are major upgrades available to fix one or more of the outstanding vulnerabilities, Snyker will output a recommended `yarn` / `npm` command for performing the upgrade(s).
+
+It is recommended that you use this tool alongside the official Snyk wizard CLI, not replace it completely.
+
+## Usage
+
+### Options
+
+```console
+snyker --retries 3 --lockfile package-lock.json
+```
+
+| Flag                  | Description                                                            | Default     |
+| --------------------- | ---------------------------------------------------------------------- | ----------- |
+| `--lockfile <string>` | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`). | `yarn.lock` |
+| `--retries <int>`     | Will set the number of times to retry logical steps of Snyker.         | `2`         |
+
+### Post Execution
+
+It is recommended that you manually perform the following to ensure that you apply any upgrades that are available and currently unsupported by this CLI.
+
+```console
+rm .snyk
+snyk wizard --dev
+```
+
+## Contributing
+
+Please check out the [CONTRIBUTING](./docs/CONTRIBUTING.md) docs.
+
+## Changelog
+
+Please check out the [CHANGELOG](./docs/CHANGELOG.md) docs.
+
+---
+
+## License
+
+Snyker is licensed under the [MIT License](./LICENSE.md).

bin/snyker

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require("../lib/")();

docs/CHANGELOG.md

@@ -0,0 +1,84 @@
+# ChangeLog
+
+## [3.4.0] - 13-05-2021
+
+- feat: snyk authentication errors are now captured and logged specifically
+
+## [3.3.0] - 01-03-2021
+
+- feat: honour previous `created` and `reason` fields for a vulnerability
+
+## [3.2.0] - 24-03-2021
+
+- chore: upgrade snyk dependency
+
+## [3.1.0] - 22-10-2020
+
+- build(deps): bump bl from 4.0.2 to 4.0.3 (#3)
+- feat: upgrade snyk dependency
+
+## [3.0.1] - 17-07-2020
+
+- fix: patch paths shouldn't include repo itself.
+
+## [3.0.0] - 17-07-2020
+
+- feat: automatically apply available patches when outstanding vulnerabilities.
+- fix: ensure `snyk ignore` is awaited properly before proceeding.
+
+## [2.0.7] - 16-07-2020
+
+- fix: add handling of npm 5.0 EINTEGRITY problems with sha1.
+- feat: use force with second `npm install`.
+- revert: logging of `snyk ignore` to inherited stdio.
+
+## [2.0.6] - 16-07-2020
+
+- fix: remove duplicates from vulnerability listing and upgrade recommendation command.
+
+## [2.0.5] - 16-07-2020
+
+- fix: use `module.id` as back-compatible API for old versions of Node.
+- feat: add `--ignore-engines` and `--ignore-platform` so doesn't fail on Node 8 and 10 with `yarn`.
+
+## [2.0.4] - 12-07-2020
+
+- docs: add code of conduct, security doc and some other doc tidy-up.
+
+## [2.0.3] - 10-07-2020
+
+- feat: bump snyk version to resolve truncated response issues.
+
+## [2.0.2] - 10-07-2020
+
+- feat: bump up buffer size
+
+## [2.0.1] - 10-07-2020
+
+- fix: snyk module path
+
+## [2.0.0] - 09-07-2020
+
+- fix: up spawned process buffer size.
+- feat: update snyker logging format.
+- feat: yarn and npm installs logged to console.
+- feat: log ignored vulnerabilities.
+- feat: log recommended commands for manual upgrades (i.e. major upgrades).
+
+## [1.1.0] - 11-05-2020
+
+- `snyk test` commands to make use of the `--prune-repeated-dependencies` flag.
+
+## [1.0.2] - 27-04-2020
+
+- Added Rollup for bundling / minification.
+
+## [1.0.1] - 26-04-2020
+
+- Added `yarn snyker` and `yarn snyker:npm` to `yarn ci` to add integration testing.
+- Touch-ups to the Docs.
+- Add auth token to CI.
+
+## [1.0.0] - 26-04-2020
+
+- Added Changelog and updated Docs.

docs/CODEOWNERS

@@ -0,0 +1 @@
+* @asos-craigmorten

docs/CONTRIBUTING.md

@@ -0,0 +1,62 @@
+# Contributing to this repository
+
+First of all, thanks for taking the time to read this document and contributing to our codebase.
+
+Please read each section carefully!
+
+## Getting started
+
+The first thing to do before starting to work on your feature would be to have a conversation with the codeowners about it, we may have some pointers or examples that might make your life much easier!
+
+The other thing you will need before you start is to create an issue describing what it is that you're set to do, or if its a bug make sure there are clear reproduction steps on the description.
+
+Things to talk about in our first conversation:
+
+- Planned implementation
+- Test plan
+- Q&A
+
+## Working on your feature
+
+### Branching
+
+On this project we follow mainline development (or trunk based development), and our default branch is `main`.
+
+Therefore you need to branch from `main` and merge into `main`.
+
+We use the following convention for branch names `feature/short-description`, where short description is to have an idea what the branch is about and the `feature` part is for features, but it can vary on other kinds of issues.
+
+Here are some examples:
+
+- `feature/new-icon`, a new feature.
+- `fix/windows-bug`, a bug fix
+- `chore/upgrade-eslint`, a chore is something that doesn't add functionality to the user but needs to be done.
+
+### Coding style
+
+Generally try to match the style and conventions of the code around your changes. Ultimately we want code that is clear, concise, consistent and easy to read.
+
+Broadly we're in-tune with the following style guides:
+
+- JavaScript
+  - <https://github.com/prettier/prettier>
+  - <https://github.com/airbnb/javascript>
+  - <https://github.com/ryanmcdermott/clean-code-javascript>
+
+### Unit tests
+
+Before opening a PR, please run the following command to make sure your branch will build and pass all the tests:
+
+```console
+yarn ci
+```
+
+## Opening a PR
+
+Once you're confident your branch is ready to review, open a PR against `main` on this repo.
+
+Please make sure you fill the PR template correctly.
+
+## Merging and publishing
+
+When your feature branch/PR has been tested and has an approval, it is then ready to merge. Please contact the maintainer to action the merge.

docs/ISSUE_TEMPLATE.md

@@ -0,0 +1,5 @@
+# Issue
+
+## Details
+
+> Please add details of the feature / bug you wish to be addressed. If it is a bug please add steps to reproduce.

docs/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+# Issue
+
+[_ISSUE_ID_](https://github.com/asos/snyker/issues/_ISSUE_ID_)
+
+## Details
+
+Brief summary of PR purpose and code changes.
+
+## CheckList
+
+- [ ] PR starts with [_ISSUE_ID_].
+- [ ] Has been tested (where required) before merge to develop.