feat: root project vulnerability scan now optional

README.md

@@ -112,6 +112,8 @@ Options:
       --fo, --fail-on         Fail policy JSON string   [string] [default: "[]"]
   -s, --summary               Print a summary of the audit results to the
                               console                  [boolean] [default: true]
+      --root-vulnerabilites   Include vulnerabilities for the root project
+                                                      [boolean] [default: false]
       --skip-license-issues   Skip scanning for license issues
                                                       [boolean] [default: false]
       --skip-meta-issues      Skip scanning for meta issues
@@ -125,7 +127,7 @@ Options:
       --skip-report           Don't output the report json file
                                                       [boolean] [default: false]
       --skip-all              Don't output any file   [boolean] [default: false]
-      --show-tips             Show usage tips         [boolean] [default: true]
+      --show-tips             Show usage tips          [boolean] [default: true]
 ```
 
 ### Documentation

src/cli/cmds/audit.js

@@ -94,6 +94,12 @@ exports.builder = (yargs) =>
       hidden: true,
       type: 'boolean',
     })
+    .option('root-vulnerabilites', {
+      demandOption: false,
+      default: false,
+      describe: 'Include vulnerabilities for the root project',
+      type: 'boolean',
+    })
     .option('skip-license-issues', {
       demandOption: false,
       default: false,
@@ -198,6 +204,10 @@ exports.handler = async (argv) => {
           : argv.showVersions,
       rootIsShell:
         typeof fileConfig.rootIsShell !== 'undefined' ? fileConfig.rootIsShell : argv.rootIsShell,
+      includeRootVulnerabilities:
+        typeof fileConfig.includeRootVulnerabilities !== 'undefined'
+          ? fileConfig.includeRootVulnerabilities
+          : argv.rootVulnerabilities,
       maxDepth: fileConfig.maxDepth || argv.maxDepth,
       licensePolicy:
         fileConfig.licensePolicy || (argv.licensePolicy && JSON.parse(argv.licensePolicy)),

src/index.js

@@ -23,7 +23,7 @@ const getReport = async ({
   rootIsShell = false,
   skipLicenseIssues = false,
   skipMetaIssues = false,
-  skipRootAdvisories = false,
+  includeRootVulnerabilities = false,
   showVersions = false,
   width = 1500,
 } = {}) => {
@@ -81,15 +81,21 @@ const getReport = async ({
     errors.push(error);
   }
 
-  if (!skipRootAdvisories) {
-    try {
-      rootVulnerabilities = await getRegistryAudit(
-        packageGraph.name,
-        packageGraph.version,
-        packageGraph,
+  if (includeRootVulnerabilities) {
+    if (!packageGraph.name || !packageGraph.version) {
+      errors.push(
+        new Error('Cannot scan root vulnerabilities: root package name and version are required.'),
       );
-    } catch (error) {
-      errors.push(error);
+    } else {
+      try {
+        rootVulnerabilities = await getRegistryAudit(
+          packageGraph.name,
+          packageGraph.version,
+          packageGraph,
+        );
+      } catch (error) {
+        errors.push(error);
+      }
     }
   }
   onProgress({type: 'end', stage: 'vulnerabilities'});