knime · ahmed-ramzi · Mar 18, 2025 · Copilot · Sep 29, 2025 · Copilot
@@ -0,0 +1 @@
+# @knime/pnpm-audit-resolver
@@ -0,0 +1,48 @@
+# ![Image](https://www.knime.com/sites/default/files/knime_logo_github_40x40_4layers.png)@knime/pnpm-audit-resolver
+
+PNPM Audit Resolver
+
+## How It Works
+
+- The script looks for an `audit-resolve.json` file in your project’s root directory.
+- It reads each GHSA ID, a `decision` (e.g. `"ignore"`), and an expiration timestamp (`expiresAt`).
+- It compares the expiration timestamp with the current date (`Date.now()`):
+  - **If the GHSA is not expired** (i.e., `Date.now() < expiresAt`), it ensures that GHSA ID is listed in `pnpm.auditConfig.ignoreGhsas`.
+  - **If expired**, it removes that GHSA ID from the ignore list.
+- It then updates your `package.json` accordingly to ensure that temporary ignore rules are automatically removed once their grace period has passed.
+
+## Usage
+
+1. Create a file named `audit-resolve.json` in your project root. When you run `pnpm audit`, each entry has a `GHSA ID`. You should use this ID as a key, mapping to an object with:
+
+- decision: Typically "ignore".
+- expiresAt: A Unix timestamp (milliseconds) indicating when the ignore decision expires.
+
+```
+{
+  "GHSA-1234-abcd-wxyz": {
+    "decision": "ignore",
+    "expiresAt": 1726923450122
+  },
+  "GHSA-4321-dcba-zywx": {
+    "decision": "ignore",
+    "expiresAt": 1726923450122
+  }
+}
+```
+
+2. Use the exposed `audit-resolve` command line tool in your repository's `package.json` which can be used with pnpm to run the resolver script
+
+```
+{
+    "scripts":{
+        "audit:resolve": "pnpm audit-resolve"
+    }
+}
+```
+
+3. Append this command to the audit command, so that it always runs before the auditing
+
+```
+"audit": "pnpm audit:resolve && pnpm audit --prod",
+```
@@ -0,0 +1,30 @@
+{
+  "name": "@knime/pnpm-audit-resolver",
+  "version": "1.0.0",
+  "description": "Resolves audit issues be defining actions to it",
-  "description": "Resolves audit issues be defining actions to it",
+  "description": "Resolves audit issues by defining actions for them",
-  "description": "Resolves audit issues be defining actions to it",
+  "description": "Resolves audit issues by defining actions for them",
+  "homepage": "https://knime.github.io/webapps-common/",
+  "license": "GPL 3 and Additional Permissions according to Sec. 7 (SEE the file LICENSE)",
+  "author": "KNIME AG, Zurich, Switzerland",
+  "type": "module",
+  "scripts": {
+    "audit:resolve": "node src/index"
+  },
+  "main": "src/index.js",
+  "files": [
+    "src",
+    "CHANGELOG.md"
+  ],
+  "exports": {
+    ".": {
+      "import": "./src/index.js"
+    }
+  },
+  "bin": {
+    "audit-resolve": "./src/index.js"
+  },
+  "pnpm": {
+    "auditConfig": {
+      "ignoreGhsas": []
+    }
+  }
+}
@@ -0,0 +1,68 @@
+/* eslint-disable no-console */
+import fs from "fs/promises";
+import path from "path";
+
+const updateAuditConfig = async () => {
+  const rootDir = process.cwd();
+  const auditResolvePath = path.join(rootDir, "audit-resolve.json");
+  const packageJsonPath = path.join(rootDir, "package.json");
+
+  // Read and parse audit-resolve.json
+  let auditResolveRaw;
+  try {
+    auditResolveRaw = await fs.readFile(auditResolvePath, "utf-8");
+  } catch {
+    throw "Could not find 'audit-resolve.json' file in your root directory";
-    throw "Could not find 'audit-resolve.json' file in your root directory";
+    throw new Error("Could not find 'audit-resolve.json' file in your root directory");
-    throw "Could not find 'audit-resolve.json' file in your root directory";
+    throw new Error("Could not find 'audit-resolve.json' file in your root directory");
+  }
+
+  const auditData = JSON.parse(auditResolveRaw);
-  const auditData = JSON.parse(auditResolveRaw);
+  let auditData;
+  try {
+    auditData = JSON.parse(auditResolveRaw);
+  } catch (err) {
+    throw new Error(
+      "Malformed 'audit-resolve.json': " + err.message
+    );
+  }
-  const auditData = JSON.parse(auditResolveRaw);
+  let auditData;
+  try {
+    auditData = JSON.parse(auditResolveRaw);
+  } catch (err) {
+    throw new Error(
+      "Malformed 'audit-resolve.json': " + err.message
+    );
+  }
+
+  // Read and parse package.json
+  const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
+  const packageJson = JSON.parse(packageJsonRaw);
-  const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
-  const packageJson = JSON.parse(packageJsonRaw);
+  let packageJsonRaw;
+  try {
+    packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
+  } catch {
+    throw "Could not find 'package.json' file in your root directory";
+  }
+  let packageJson;
+  try {
+    packageJson = JSON.parse(packageJsonRaw);
+  } catch {
+    throw "Could not parse 'package.json': invalid JSON format";
+  }
-  const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
-  const packageJson = JSON.parse(packageJsonRaw);
+  let packageJsonRaw;
+  try {
+    packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
+  } catch {
+    throw "Could not find 'package.json' file in your root directory";
+  }
+  let packageJson;
+  try {
+    packageJson = JSON.parse(packageJsonRaw);
+  } catch {
+    throw "Could not parse 'package.json': invalid JSON format";
+  }
+
+  // Initialize pnpm audit config if not already present
+  packageJson.pnpm = packageJson.pnpm || {};
+  packageJson.pnpm.auditConfig = packageJson.pnpm.auditConfig || {};
+  let ignoreGhsas = Array.isArray(packageJson.pnpm.auditConfig.ignoreGhsas)
+    ? packageJson.pnpm.auditConfig.ignoreGhsas
+    : [];
+
+  const currentTime = Date.now();
+
+  // Process each audit resolution from audit-resolve.json
+  for (const [ghsaId, resolution] of Object.entries(auditData)) {
+    if (resolution.decision === "ignore") {
+      // If the ignore decision is still valid (not expired), add the GHSA id if it's missing
+      if (currentTime < resolution.expiresAt) {
+        if (!ignoreGhsas.includes(ghsaId)) {
+          ignoreGhsas.push(ghsaId);
+          console.log(`Added ${ghsaId} to ignore list.`);
+        }
+      } else {
+        // If expired, remove it from the list if present
+        if (ignoreGhsas.includes(ghsaId)) {
+          ignoreGhsas = ignoreGhsas.filter((id) => id !== ghsaId);
+          console.log(`Removed expired ${ghsaId} from ignore list.`);
+        }
+      }
+    } else {
+      console.log(`Decision for ${ghsaId} is not 'ignore'; skipping.`);
+    }
+  }
+
+  // Update the package.json audit configuration
+  packageJson.pnpm.auditConfig.ignoreGhsas = ignoreGhsas;
+
+  // Write the updated package.json back to disk
+  await fs.writeFile(
+    packageJsonPath,
+    JSON.stringify(packageJson, null, 2),
+    "utf-8",
+  );
+  console.log("Updated package.json audit configuration.");
+};
+
+updateAuditConfig().catch((error) => {
+  console.error("Error updating audit configuration:", error);
+});