From 5e3b2144e7be25c9553c8f4abc3b98d0b6d9a8a8 Mon Sep 17 00:00:00 2001
From: Luca Greco
Date: Tue, 26 Jul 2022 11:45:20 +0200
Subject: [PATCH] chore: Fix audit-deps script on the new npm audit format introduced in npm v8 (#2471)
---
 scripts/audit-deps.js | 60 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 48 insertions(+), 12 deletions(-)
diff --git a/scripts/audit-deps.js b/scripts/audit-deps.js
index 5b643dc1c6..54ed4c385e 100755
--- a/scripts/audit-deps.js
+++ b/scripts/audit-deps.js
@@ -61,27 +61,63 @@ if (auditReport) {
     }
   }
-  for (const advId of Object.keys(auditReport.advisories)) {
-    const adv = auditReport.advisories[advId];
-
-    if (exceptions.includes(adv.url)) {
-      ignoredIssues.push(adv);
-      continue;
+  if (auditReport.auditReportVersion > 2) {
+    // Throw a more clear error when a new format that this script does not expect
+    // has been introduced.
+    console.error(
+      'ERROR: npm audit JSON is using a new format not yet supported.',
+      '\nPlease file a bug in the github repository and attach the following JSON data sample to it:',
+      `\n\n${JSON.stringify(auditReport, null, 2)}`
+    );
+  } else if (auditReport.auditReportVersion === 2) {
+    // New npm audit json format introduced in npm v8.
+    for (const vulnerablePackage of Object.keys(auditReport.vulnerabilities)) {
+      const item = auditReport.vulnerabilities[vulnerablePackage];
+
+      if (item.via.every((via) => exceptions.includes(via.url))) {
+        ignoredIssues.push(item);
+        continue;
+      }
+      blockingIssues.push(item);
+    }
+  } else {
+    // Old npm audit json format for npm versions < npm v8
+    for (const advId of Object.keys(auditReport.advisories)) {
+      const adv = auditReport.advisories[advId];
+
+      if (exceptions.includes(adv.url)) {
+        ignoredIssues.push(adv);
+        continue;
+      }
+      blockingIssues.push(adv);
     }
-    blockingIssues.push(adv);
   }
 }
 // Reporting.
-function formatFinding(desc) {
-  const details = `(dev: ${desc.dev}, optional: ${desc.optional}, bundled: ${desc.bundled})`;
-  return `${desc.version} ${details}\n ${desc.paths.join('\n ')}`;
+function formatAdvisoryV1(adv) {
+  function formatFinding(desc) {
+    return `${desc.version}, paths: ${desc.paths.join(', ')}`;
+  }
+  const findings = adv.findings.map(formatFinding).map((msg) => ` ${msg}`).join('\n');
+  return `${adv.module_name} (${adv.url}):\n${findings}`;
+}
+
+function formatAdvisoryV2(adv) {
+  function formatVia(via) {
+    return `${via.url}\n ${via.dependency} ${via.range}\n ${via.title}`;
+  }
+  const entryVia = adv.via.map(formatVia).map((msg) => ` ${msg}`).join('\n');
+  const fixAvailable = Boolean(adv.fixAvailable);
+  const entryDetails = `isDirect: ${adv.isDirect}, severity: ${adv.severity}, fixAvailable: ${fixAvailable}`;
+  return `${adv.name} (${entryDetails}):\n${entryVia}`;
 }
 function formatAdvisory(adv) {
-  const findings = adv.findings.map(formatFinding).map((msg) => ` ${msg}`).join('\n');
-  return `${adv.module_name} (${adv.url}):\n${findings}`;
+  return auditReport.auditReportVersion === 2
+    ? formatAdvisoryV2(adv)
+    : formatAdvisoryV1(adv);
 }
 if (ignoredIssues.length > 0) {
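Review bot: The `auditReportVersion > 2` branch only logs and then falls through with both `blockingIssues` and `ignoredIssues` left empty, so unless the exit status is set somewhere outside this hunk an unrecognised report format makes the audit gate pass; setting a failure status right after the `console.error(...)` call, e.g. `process.exitCode = 1;`, keeps the check fail-closed. In the version-2 branch `item.via.every(...)` is true for an empty `via` array, which would silently file such an entry under `ignoredIssues`; prefixing the condition with `item.via.length > 0 &&` closes that gap. If I recall the npm v8 format correctly, `via` entries can also be plain strings naming the package a vulnerability is inherited through; those carry no `url`, so they can never be matched by `exceptions` (still blocking, which is the safe side) and `formatVia` would print `undefined` for them, so a `typeof via === 'string'` guard in `formatVia` is worth adding. The enclosing `if (auditReport)` block starts before this hunk.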