HUB-9924: PNPM Audit Resolver Package

[ahmed-ramzi]

📦 PNPM Audit Resolver Integration

This PR introduces @knime/pnpm-audit-resolver, a utility that helps manage temporary security audit exceptions in PNPM projects. It is mainly for the CVEs that has no patch version released yet.

🔍 What it does
• Reads an audit-resolve.json file in the project root.
• Applies ignore rules for vulnerabilities (GHSA IDs) with a defined expiration.
• Automatically removes expired ignores so that exceptions don’t live longer than intended.
• Updates package.json to keep pnpm.auditConfig.ignoreGhsas in sync with valid rules.

✅ Benefits
• Ensures security ignores are time-bound and enforced automatically.
• Reduces the risk of forgotten audit exceptions.
• Keeps the audit process clean and reliable in CI/CD pipelines.

🛠️ Usage
1. Add an audit-resolve.json with decisions + expiration timestamps.
2. Run the resolver via pnpm audit:resolve.
Example audit-resolve.json:

{
  "GHSA-1234-abcd-wxyz": {
    "decision": "ignore",
    "expiresAt": 1726923450122
  }
}

[Copilot]

Pull Request Overview

This PR introduces a new package @knime/pnpm-audit-resolver that automates the management of temporary security audit exceptions in PNPM projects by reading audit rules from a configuration file and automatically expiring them based on timestamps.

• Adds a utility that processes audit-resolve.json configurations with time-bound security ignores
• Automatically removes expired GHSA ignores from package.json audit configuration
• Provides a command-line tool for integration into CI/CD pipelines

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
packages/pnpm-audit-resolver/src/index.js	Main implementation that reads audit configurations and updates package.json
packages/pnpm-audit-resolver/package.json	Package configuration with scripts and binary definitions
packages/pnpm-audit-resolver/README.md	Documentation explaining usage and configuration format
packages/pnpm-audit-resolver/LICENSE	GPL v3 license with additional KNIME permissions
packages/pnpm-audit-resolver/CHANGELOG.md	Empty changelog file for the new package

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Throwing a string is not recommended. Use a proper Error object instead: throw new Error(\"Could not find 'audit-resolve.json' file in your root directory\");

Suggested change

	throw "Could not find 'audit-resolve.json' file in your root directory";
	throw new Error("Could not find 'audit-resolve.json' file in your root directory");

[Copilot]

Grammatical error in description. Should be 'by defining actions for them' instead of 'be defining actions to it'.

Suggested change

	"description": "Resolves audit issues be defining actions to it",
	"description": "Resolves audit issues by defining actions for them",

[Copilot]

The binary entry points to a file that lacks a shebang line. Add #!/usr/bin/env node as the first line of src/index.js to make it executable as a binary.

[Copilot]

JSON.parse can throw if the file contains invalid JSON. Wrap this in a try-catch block to provide a more helpful error message for malformed audit-resolve.json files.

Suggested change

	const auditData = JSON.parse(auditResolveRaw);
	let auditData;
	try {
	auditData = JSON.parse(auditResolveRaw);
	} catch (err) {
	throw new Error(
	"Malformed 'audit-resolve.json': " + err.message
	);
	}

[Copilot]

Missing error handling for reading and parsing package.json. These operations can fail if the file doesn't exist or contains invalid JSON.

Suggested change

	const packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
	const packageJson = JSON.parse(packageJsonRaw);
	let packageJsonRaw;
	try {
	packageJsonRaw = await fs.readFile(packageJsonPath, "utf-8");
	} catch {
	throw "Could not find 'package.json' file in your root directory";
	}
	let packageJson;
	try {
	packageJson = JSON.parse(packageJsonRaw);
	} catch {
	throw "Could not parse 'package.json': invalid JSON format";
	}