test(travis): Switch security audit checks from nsp-check to npm audit

Author: rpl

.nsprc

@@ -1,3 +1,11 @@
 {
-  "exceptions": ["https://nodesecurity.io/advisories/566"]
+  "exceptions": [
+    "https://npmjs.com/advisories/118",
+    "https://npmjs.com/advisories/577",
+    "https://npmjs.com/advisories/612",
+    "https://npmjs.com/advisories/678",
+    "https://npmjs.com/advisories/720",
+    "https://npmjs.com/advisories/725",
+    "https://npmjs.com/advisories/745"
+  ]
 }

.travis.yml

@@ -8,19 +8,45 @@ os:
 node_js:
 - '6'
 - '8'
+- '10'
 
 # Skip node_js 6 on travis windows workers (as it often fails because
 # travis fails to init the node_js 6 environment).
 matrix:
+  fast_finish: true
   exclude:
   - node_js: '6'
     os: windows
+  - node_js: '8'
+    os: windows
 
-before_script:
-# If this command fails and you can't fix it, file an issue and add an exception to .nsprc
-- if [[ "$TRAVIS_OS_NAME" != 'windows' ]]; then npm run nsp-check; fi
+jobs:
+  include:
+  - stage: npm audit and lint github PR title
+    ## Keep this in sync with the last version listed in the node_js property.
+    node_js: '10'
+    os: linux
+    script:
+    - npm run audit-deps
+    - npm run travis-pr-title-lint
+  - stage: deploy on npm
+    ## Keep this in sync with the last version listed in the node_js property.
+    node_js: '10'
+    os: linux
+    script: echo "Deploying to npm..."
+    ## Make sure we have a production build.
+    before_deploy: NODE_ENV=production npm run build
+    deploy:
+      provider: npm
+      email: [email protected]
+      # Note that cleanup runs *after* the before_deploy script.
+      skip_cleanup: true
+      # This is the API key for npm user 'addons-robot'
+      api_key:
+        secure: CVUpq7hp1/CvAD40vA0cm+5jI7Izlsb83mCNrAt7Qcjb4orFWTHUxE3Y0a5wGS2gAIr5l/hd/CruXdy4EfMVS6GyW5qhTeWxS0b36+t542z4Xlk9eY4UvB5DdKMJKH8RT+Sz8E/Sx6fhISgvQW48rGJCq3ePaH54mLkXLRJW7HqZxSnrAGc8XLiTJOUPKhOzo4AALXvLKDB+doTtHtSDFD+G+kpABMlJBw849V4mGVi/oUpK5Z/tnCjBBKIaU2Cw//2rE0Wo2mN4osq9eUHxNNTA4fTZoEONaDN/zeYhp3IjYc4cRVK611xnhITLW8CJwRSFJYaoPDB0S1sHOuIcl026SC36m01m7vb0RdxzxhTRBcdClSgo0VcqWHjGjZ5knR1s3ztUcOgVbkcuyQ7x03jp7DEe52sH86myzpWpymu6StRXQix4YjkDoGMFczhPmOP+fWYUex87VCsF1f3rdXJSQmtFuM4Tm11E4WoZGaLB5cgKTNZodJ5v6+UK5u3mop59fIJsIrFF+NKCJNnHvegchiLyGiOJb5wYWpnP4/O2XXNvDEtSPJBRGT/fcHVnYBr6hAl6ux/z4ND3xX77hKKnqQk+CrR28aQpURBNJMKFgtW2DcABAXTZ16ezhXsPlIp6/2GXu0VozTTnwPCRhvsl+s+dqqJu0faxSo+vB7s=
+      on:
+        tags: true
 
-# Keep this in sync with appveyor.yml
 script:
 ## run eslint, flow and the unit test suite.
 - COVERAGE=y NODE_ENV=production npm test
@@ -44,29 +70,12 @@ script:
 - npm config delete python
 - rm artifacts/production/package.json
 
-## lint the github PR title.
-- if [[ "$TRAVIS_OS_NAME" != 'windows' ]]; then npm run travis-pr-title-lint; fi
-
 after_script: npm run publish-coverage
 
-before_deploy:
-## Make sure we have a production build.
-- NODE_ENV=production npm run build
 
 notifications:
   irc:
     channels:
     - irc.mozilla.org#amo-bots
     on_success: change
     on_failure: always
-deploy:
-  provider: npm
-  email: [email protected]
-  # Note that cleanup runs *after* the before_deploy script.
-  skip_cleanup: true
-  # This is the API key for npm user 'addons-robot'
-  api_key:
-    secure: CVUpq7hp1/CvAD40vA0cm+5jI7Izlsb83mCNrAt7Qcjb4orFWTHUxE3Y0a5wGS2gAIr5l/hd/CruXdy4EfMVS6GyW5qhTeWxS0b36+t542z4Xlk9eY4UvB5DdKMJKH8RT+Sz8E/Sx6fhISgvQW48rGJCq3ePaH54mLkXLRJW7HqZxSnrAGc8XLiTJOUPKhOzo4AALXvLKDB+doTtHtSDFD+G+kpABMlJBw849V4mGVi/oUpK5Z/tnCjBBKIaU2Cw//2rE0Wo2mN4osq9eUHxNNTA4fTZoEONaDN/zeYhp3IjYc4cRVK611xnhITLW8CJwRSFJYaoPDB0S1sHOuIcl026SC36m01m7vb0RdxzxhTRBcdClSgo0VcqWHjGjZ5knR1s3ztUcOgVbkcuyQ7x03jp7DEe52sH86myzpWpymu6StRXQix4YjkDoGMFczhPmOP+fWYUex87VCsF1f3rdXJSQmtFuM4Tm11E4WoZGaLB5cgKTNZodJ5v6+UK5u3mop59fIJsIrFF+NKCJNnHvegchiLyGiOJb5wYWpnP4/O2XXNvDEtSPJBRGT/fcHVnYBr6hAl6ux/z4ND3xX77hKKnqQk+CrR28aQpURBNJMKFgtW2DcABAXTZ16ezhXsPlIp6/2GXu0VozTTnwPCRhvsl+s+dqqJu0faxSo+vB7s=
-  on:
-    tags: true
-    condition: $TRAVIS_OS_NAME = 'linux'

package.json

@@ -20,7 +20,7 @@
     "test:functional": "grunt test:functional:run",
     "copy-dist-files-to-artifacts-dir": "grunt copy-dist-files-to-artifacts-dir",
     "publish-coverage": "grunt coveralls",
-    "nsp-check": "nsp check --reporter summary",
+    "audit-deps": "node ./scripts/audit-deps",
     "changelog": "conventional-changelog -p angular -u",
     "changelog-lint": "conventional-changelog-lint --from master",
     "changelog-lint-from-stdin": "conventional-changelog-lint",
@@ -121,10 +121,10 @@
     "load-grunt-tasks": "4.0.0",
     "mocha": "5.2.0",
     "mocha-multi": "1.0.1",
-    "nsp": "3.2.1",
     "object.entries": "1.0.4",
     "object.values": "1.0.4",
     "prettyjson": "1.2.1",
+    "shelljs": "0.8.3",
     "sinon": "6.1.2",
     "webpack": "3.11.0",
     "webpack-dev-server": "2.11.1",

scripts/audit-deps

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+
+// This nodejs script loads the .nsprc's "exceptions" list (as `nsp check` used to support) and
+// and then filters the output of `npm audit --json` to check if any of the security advisories
+// detected should be a blocking issue and force the travis CI job to fail.
+//
+// We can remove this script if/once npm audit will support this feature natively
+// (See https://github.com/npm/npm/issues/20565).
+
+const shell = require('shelljs');
+
+const npmVersion = parseInt(shell.exec('npm --version', {silent: true}).stdout.split('.')[0], 10);
+const npmCmd = npmVersion >= 6 ? 'npm' : 'npx npm@latest';
+
+if (npmCmd.startsWith('npx') && !shell.which('npx')) {
+  shell.echo('Sorry, this script requires npm >= 6 or npx installed globally');
+  shell.exit(1);
+}
+
+if (!shell.test('-f', 'package-lock.json')) {
+  console.log('audit-deps is generating the missing package-lock.json file');
+  shell.exec(`${npmCmd} i --package-lock-only`);
+}
+
+// Collect audit results and split them into blocking and ignored issues.
+
+const auditRes = shell.exec(`${npmCmd} audit --json`, {silent: true});
+const blockingIssues = [];
+const ignoredIssues = [];
+
+if (auditRes.code !== 0) {
+  const exceptions = JSON.parse(shell.cat('.nsprc')).exceptions;
+  const auditReport = JSON.parse(auditRes.stdout);
+
+  for (let advId of Object.keys(auditReport.advisories)) {
+    const adv = auditReport.advisories[advId];
+
+    if (exceptions.includes(adv.url)) {
+      ignoredIssues.push(adv)
+      continue;
+    }
+    blockingIssues.push(adv);
+  }
+}
+
+// Reporting.
+
+function formatFinding(desc) {
+  const details = `(dev: ${desc.dev}, optional: ${desc.optional}, bundled: ${desc.bundled})`;
+  return `${desc.version} ${details}\n    ${desc.paths.join('\n    ')}`;
+}
+
+function formatAdvisory(adv) {
+  const findings = adv.findings.map(formatFinding).map(msg => `  ${msg}`).join('\n');
+  return `${adv.module_name} (${adv.url}):\n${findings}`;
+}
+
+if (ignoredIssues.length > 0) {
+  console.log('\n== audit-deps: ignored security issues (based on .nsprc exceptions)\n');
+
+  for (let adv of ignoredIssues) {
+    console.log(formatAdvisory(adv));
+  }
+}
+
+if (blockingIssues.length > 0) {
+  console.log('\n== audit-deps: blocking security issues\n');
+
+  for (let adv of blockingIssues) {
+    console.log(formatAdvisory(adv));
+  }
+
+  // Exit with error if blocking security issues has been found.
+  process.exit(1);
+}