OBP-Frontend/fix_security.sh at main · OpenBankProject/OBP-Frontend · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/bin/bash
################################################################################
# OBP-Frontend security auto-fix
#
# Applies non-breaking fixes to dep vulnerabilities via `npm audit fix`.
# Output streams to stdout AND is written to ./security-fix.log (overwritten).
#
# DOES NOT run `npm audit fix --force` — that can introduce breaking major
# version bumps. Review the remaining findings and run --force manually if you
# want to take that risk.
#
# Usage: ./fix_security.sh
#
# Side effects:
#   - Modifies package-lock.json (possibly package.json too).
#   - May install/remove node_modules/* directories.
#   - Safe to re-run; `npm audit fix` is idempotent.
################################################################################

set -u

REPO_ROOT="$(cd "$(dirname "$0")" && pwd)"
LOG="$REPO_ROOT/security-fix.log"

if [ -t 1 ]; then
	BOLD=$'\033[1m'; RED=$'\033[31m'; GREEN=$'\033[32m'; DIM=$'\033[2m'; RESET=$'\033[0m'
else
	BOLD=; RED=; GREEN=; DIM=; RESET=
fi

section() { printf '\n%s==> %s%s\n' "$BOLD" "$1" "$RESET"; }
note()    { printf '%s  %s%s\n' "$DIM" "$1" "$RESET"; }

run_fix() {
	echo "OBP-Frontend security auto-fix — $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
	echo "Repo: $REPO_ROOT"
	cd "$REPO_ROOT"

	if ! command -v npm >/dev/null 2>&1; then
		echo "${RED}npm not found in PATH — cannot continue.${RESET}"
		exit 1
	fi

	############################################################################
	section "1. Before — npm audit summary"
	npm audit --workspaces --audit-level=low 2>&1 | tail -5 || true

	############################################################################
	section "2. Running npm audit fix (non-breaking)"
	note "Modifies package-lock.json. Review the diff before committing."
	npm audit fix --workspaces 2>&1 || true

	############################################################################
	section "3. After — npm audit summary"
	after_out=$(npm audit --workspaces --audit-level=low 2>&1 || true)
	echo "$after_out" | tail -5

	############################################################################
	section "4. Remaining findings (if any)"
	# Extract the JSON vuln counts to decide if --force is worth suggesting.
	remaining=$(npm audit --workspaces --json 2>/dev/null | sed -n 's/.*"total"\s*:\s*\([0-9]*\).*/\1/p' | head -1)
	if [ -z "${remaining:-}" ] || [ "$remaining" = "0" ]; then
		echo "${GREEN}✓ No remaining vulnerabilities.${RESET}"
	else
		echo "${RED}!! $remaining vulnerabilit(y|ies) remain.${RESET}"
		echo "   These typically require one of:"
		echo "     npm audit fix --force       (accepts breaking major-version bumps)"
		echo "     npm audit                    (see specific advisories)"
		echo "     manual dependency change    (swap or pin a problematic package)"
		echo "   Review each before deciding."
	fi

	############################################################################
	section "Done"
	echo "Diff to review:"
	echo "  git diff -- package-lock.json apps/*/package.json packages/*/package.json"
	echo
	echo "If everything looks good:"
	echo "  git add package-lock.json apps/*/package.json packages/*/package.json"
	echo "  git commit -m 'chore(deps): npm audit fix'"
	echo
	echo "To roll back:"
	echo "  git restore package-lock.json apps/*/package.json packages/*/package.json"
	echo "  npm install"
}

run_fix 2>&1 | tee "$LOG"
echo
echo "Full results written to: $LOG"