refactor(plugin-js-packages): make optional dependencies opt-in, adju…

…st weights

packages/plugin-js-packages/README.md

@@ -59,7 +59,7 @@ It supports the following package managers:
      // ...
      plugins: [
        // ...
-       await jsPackagesPlugin({ packageManager: ['yarn'], checks: ['audit'] }),
+       await jsPackagesPlugin({ packageManager: ['yarn-classic'], checks: ['audit'], dependencyGroups: ['prod'] }),
      ],
    };
    ```
@@ -112,11 +112,12 @@ The plugin accepts the following parameters:
 
 - `packageManager`: The package manager you are using. Supported values: `npm`, `yarn-classic` (v1), `yarn-modern` (v2+), `pnpm`.
 - (optional) `checks`: Array of checks to be run. Supported commands: `audit`, `outdated`. Both are configured by default.
+- (optional) `dependencyGroups`: Array of dependency groups to be checked. `prod` and `dev` are configured by default. `optional` are opt-in.
 - (optional) `auditLevelMapping`: If you wish to set a custom level of issue severity based on audit vulnerability level, you may do so here. Any omitted values will be filled in by defaults. Audit levels are: `critical`, `high`, `moderate`, `low` and `info`. Issue severities are: `error`, `warn` and `info`. By default the mapping is as follows: `critical` and `high` → `error`; `moderate` and `low` → `warning`; `info` → `info`.
 
 ### Audits and group
 
-This plugin provides a group per check for a convenient declaration in your config. Each group contains audits for all supported groups of dependencies (`prod`, `dev` and `optional`).
+This plugin provides a group per check for a convenient declaration in your config. Each group contains audits for all selected groups of dependencies that are supported (`prod`, `dev` or `optional`).
 
 ```ts
      // ...
@@ -144,7 +145,7 @@ This plugin provides a group per check for a convenient declaration in your conf
      ],
 ```
 
-Each dependency group has its own audit. If you want to check only a subset of dependencies (e.g. run audit and outdated for production dependencies) or assign different weights to them, you can do so in the following way:
+Each dependency group has its own audit. If you want to assign different weights to the audits or record different dependency groups for different checks (the bigger set needs to be included in the plugin configuration), you can do so in the following way:
 
 ```ts
      // ...

packages/plugin-js-packages/src/lib/config.ts

@@ -3,6 +3,7 @@ import { IssueSeverity, issueSeveritySchema } from '@code-pushup/models';
 import { defaultAuditLevelMapping } from './constants';
 
 export const dependencyGroups = ['prod', 'dev', 'optional'] as const;
+const dependencyGroupSchema = z.enum(dependencyGroups);
 export type DependencyGroup = (typeof dependencyGroups)[number];
 
 const packageCommandSchema = z.enum(['audit', 'outdated']);
@@ -51,6 +52,10 @@ export const jsPackagesPluginConfigSchema = z.object({
   packageManager: packageManagerIdSchema.describe(
     'Package manager to be used.',
   ),
+  dependencyGroups: z
+    .array(dependencyGroupSchema)
+    .min(1)
+    .default(['prod', 'dev']),
   auditLevelMapping: z
     .record(packageAuditLevelSchema, issueSeveritySchema, {
       description:

packages/plugin-js-packages/src/lib/config.unit.test.ts

@@ -14,6 +14,7 @@ describe('jsPackagesPluginConfigSchema', () => {
         auditLevelMapping: { moderate: 'error' },
         checks: ['audit'],
         packageManager: 'yarn-classic',
+        dependencyGroups: ['prod'],
       } satisfies JSPackagesPluginConfig),
     ).not.toThrow();
   });
@@ -33,6 +34,7 @@ describe('jsPackagesPluginConfigSchema', () => {
     expect(config).toEqual<FinalJSPackagesPluginConfig>({
       checks: ['audit', 'outdated'],
       packageManager: 'npm',
+      dependencyGroups: ['prod', 'dev'],
       auditLevelMapping: {
         critical: 'error',
         high: 'error',
@@ -51,6 +53,15 @@ describe('jsPackagesPluginConfigSchema', () => {
       }),
     ).toThrow('too_small');
   });
+
+  it('should throw for no passed dependency group', () => {
+    expect(() =>
+      jsPackagesPluginConfigSchema.parse({
+        packageManager: 'yarn-classic',
+        dependencyGroups: [],
+      }),
+    ).toThrow('too_small');
+  });
 });
 
 describe('fillAuditLevelMapping', () => {

packages/plugin-js-packages/src/lib/constants.ts

@@ -22,12 +22,13 @@ export const dependencyGroupToLong: Record<
   optional: 'optionalDependencies',
 };
 
+/* eslint-disable no-magic-numbers */
 export const dependencyGroupWeights: Record<DependencyGroup, number> = {
-  // eslint-disable-next-line no-magic-numbers
-  prod: 3,
-  dev: 1,
-  optional: 1,
+  prod: 80,
+  dev: 15,
+  optional: 5,
 };
+/* eslint-enable no-magic-numbers */
 
 export const dependencyDocs: Record<DependencyGroup, string> = {
   prod: 'https://classic.yarnpkg.com/docs/dependency-types#toc-dependencies',

packages/plugin-js-packages/src/lib/js-packages-plugin.ts

@@ -36,6 +36,7 @@ export async function jsPackagesPlugin(
 ): Promise<PluginConfig> {
   const jsPackagesPluginConfig = jsPackagesPluginConfigSchema.parse(config);
   const checks = [...new Set(jsPackagesPluginConfig.checks)];
+  const depGroups = [...new Set(jsPackagesPluginConfig.dependencyGroups)];
   const id = jsPackagesPluginConfig.packageManager;
   const pm = packageManagers[id];
 
@@ -53,23 +54,31 @@ export async function jsPackagesPlugin(
     docsUrl: pm.docs.homepage,
     packageName: name,
     version,
-    audits: createAudits(id, checks),
-    groups: createGroups(id, checks),
+    audits: createAudits(id, checks, depGroups),
+    groups: createGroups(id, checks, depGroups),
     runner: await createRunnerConfig(runnerScriptPath, jsPackagesPluginConfig),
   };
 }
 
-function createGroups(id: PackageManagerId, checks: PackageCommand[]): Group[] {
+function createGroups(
+  id: PackageManagerId,
+  checks: PackageCommand[],
+  depGroups: DependencyGroup[],
+): Group[] {
   const pm = packageManagers[id];
   const supportedAuditDepGroups =
     pm.audit.supportedDepGroups ?? dependencyGroups;
+  const compatibleAuditDepGroups = depGroups.filter(group =>
+    supportedAuditDepGroups.includes(group),
+  );
+
   const groups: Record<PackageCommand, Group> = {
     audit: {
       slug: `${pm.slug}-audit`,
       title: `${pm.name} audit`,
       description: `Group containing ${pm.name} vulnerabilities.`,
       docsUrl: pm.docs.audit,
-      refs: supportedAuditDepGroups.map(depGroup => ({
+      refs: compatibleAuditDepGroups.map(depGroup => ({
         slug: `${pm.slug}-audit-${depGroup}`,
         weight: dependencyGroupWeights[depGroup],
       })),
@@ -79,7 +88,7 @@ function createGroups(id: PackageManagerId, checks: PackageCommand[]): Group[] {
       title: `${pm.name} outdated dependencies`,
       description: `Group containing outdated ${pm.name} dependencies.`,
       docsUrl: pm.docs.outdated,
-      refs: dependencyGroups.map(depGroup => ({
+      refs: depGroups.map(depGroup => ({
         slug: `${pm.slug}-outdated-${depGroup}`,
         weight: dependencyGroupWeights[depGroup],
       })),
@@ -89,15 +98,22 @@ function createGroups(id: PackageManagerId, checks: PackageCommand[]): Group[] {
   return checks.map(check => groups[check]);
 }
 
-function createAudits(id: PackageManagerId, checks: PackageCommand[]): Audit[] {
+function createAudits(
+  id: PackageManagerId,
+  checks: PackageCommand[],
+  depGroups: DependencyGroup[],
+): Audit[] {
   const { slug } = packageManagers[id];
   return checks.flatMap(check => {
-    const supportedDepGroups =
+    const supportedAuditDepGroups =
+      packageManagers[id].audit.supportedDepGroups ?? dependencyGroups;
+
+    const compatibleDepGroups =
       check === 'audit'
-        ? packageManagers[id].audit.supportedDepGroups ?? dependencyGroups
-        : dependencyGroups;
+        ? depGroups.filter(group => supportedAuditDepGroups.includes(group))
+        : depGroups;
 
-    return supportedDepGroups.map(depGroup => ({
+    return compatibleDepGroups.map(depGroup => ({
       slug: `${slug}-${check}-${depGroup}`,
       title: getAuditTitle(slug, check, depGroup),
       description: getAuditDescription(check, depGroup),

packages/plugin-js-packages/src/lib/js-packages-plugin.unit.test.ts

@@ -55,53 +55,78 @@ describe('jsPackagesPlugin', () => {
     );
   });
 
-  it('should create an audit for each dependency group', async () => {
+  it('should create an audit for default dependency groups', async () => {
     await expect(
-      jsPackagesPlugin({ packageManager: 'yarn-classic', checks: ['audit'] }),
+      jsPackagesPlugin({
+        packageManager: 'yarn-classic',
+        checks: ['audit'],
+      }),
     ).resolves.toStrictEqual(
       expect.objectContaining({
         audits: [
           expect.objectContaining({ slug: 'yarn-classic-audit-prod' }),
           expect.objectContaining({ slug: 'yarn-classic-audit-dev' }),
-          expect.objectContaining({ slug: 'yarn-classic-audit-optional' }),
         ],
         groups: [
           expect.objectContaining<Partial<Group>>({
             slug: 'yarn-classic-audit',
             refs: [
-              { slug: 'yarn-classic-audit-prod', weight: 3 },
-              { slug: 'yarn-classic-audit-dev', weight: 1 },
-              { slug: 'yarn-classic-audit-optional', weight: 1 },
+              { slug: 'yarn-classic-audit-prod', weight: 80 },
+              { slug: 'yarn-classic-audit-dev', weight: 15 },
             ],
           }),
         ],
       }),
     );
   });
 
-  // Note: Yarn v2 does not support audit for optional dependencies
-  it('should omit unsupported dependency groups', async () => {
+  it('should create an audit for selected dependency groups', async () => {
     await expect(
-      jsPackagesPlugin({ packageManager: 'yarn-modern', checks: ['audit'] }),
+      jsPackagesPlugin({
+        packageManager: 'yarn-classic',
+        checks: ['audit'],
+        dependencyGroups: ['prod', 'optional'],
+      }),
     ).resolves.toStrictEqual(
       expect.objectContaining({
         audits: [
-          expect.objectContaining({ slug: 'yarn-modern-audit-prod' }),
-          expect.objectContaining({ slug: 'yarn-modern-audit-dev' }),
+          expect.objectContaining({ slug: 'yarn-classic-audit-prod' }),
+          expect.objectContaining({ slug: 'yarn-classic-audit-optional' }),
         ],
         groups: [
           expect.objectContaining<Partial<Group>>({
-            slug: 'yarn-modern-audit',
+            slug: 'yarn-classic-audit',
             refs: [
-              { slug: 'yarn-modern-audit-prod', weight: 3 },
-              { slug: 'yarn-modern-audit-dev', weight: 1 },
+              { slug: 'yarn-classic-audit-prod', weight: 80 },
+              { slug: 'yarn-classic-audit-optional', weight: 5 },
             ],
           }),
         ],
       }),
     );
   });
 
+  // Note: Yarn v2 does not support audit for optional dependencies
+  it('should omit unsupported dependency groups', async () => {
+    await expect(
+      jsPackagesPlugin({
+        packageManager: 'yarn-modern',
+        checks: ['audit'],
+        dependencyGroups: ['prod', 'optional'],
+      }),
+    ).resolves.toStrictEqual(
+      expect.objectContaining({
+        audits: [expect.objectContaining({ slug: 'yarn-modern-audit-prod' })],
+        groups: [
+          expect.objectContaining<Partial<Group>>({
+            slug: 'yarn-modern-audit',
+            refs: [{ slug: 'yarn-modern-audit-prod', weight: 80 }],
+          }),
+        ],
+      }),
+    );
+  });
+
   it('should use an icon that matches the chosen package manager', async () => {
     await expect(
       jsPackagesPlugin({ packageManager: 'pnpm' }),

packages/plugin-js-packages/src/lib/package-managers/npm/npm.ts

@@ -1,8 +1,8 @@
+import { objectToKeys } from '@code-pushup/utils';
 import { DependencyGroup } from '../../config';
-import { AuditResult } from '../../runner/audit/types';
 import { filterAuditResult } from '../../runner/utils';
 import { COMMON_AUDIT_ARGS, COMMON_OUTDATED_ARGS } from '../constants';
-import { PackageManager } from '../types';
+import { AuditResults, PackageManager } from '../types';
 import { npmToAuditResult } from './audit-result';
 import { npmToOutdatedResult } from './outdated-result';
 
@@ -30,11 +30,23 @@ export const npmPackageManager: PackageManager = {
     ],
     unifyResult: npmToAuditResult,
     // prod dependencies need to be filtered out manually since v10
-    postProcessResult: (results: Record<DependencyGroup, AuditResult>) => ({
-      prod: results.prod,
-      dev: filterAuditResult(results.dev, 'name', results.prod),
-      optional: filterAuditResult(results.optional, 'name', results.prod),
-    }),
+    postProcessResult: (results: AuditResults) => {
+      const depGroups = objectToKeys(results);
+      const devFilter =
+        results.dev && results.prod
+          ? filterAuditResult(results.dev, 'name', results.prod)
+          : results.dev;
+      const optionalFilter =
+        results.optional && results.prod
+          ? filterAuditResult(results.optional, 'name', results.prod)
+          : results.optional;
+
+      return {
+        ...(depGroups.includes('prod') && { prod: results.prod }),
+        ...(depGroups.includes('dev') && { dev: devFilter }),
+        ...(depGroups.includes('optional') && { optional: optionalFilter }),
+      };
+    },
   },
   outdated: {
     commandArgs: [...COMMON_OUTDATED_ARGS, '--long'],

packages/plugin-js-packages/src/lib/package-managers/pnpm/pnpm.ts

@@ -1,8 +1,8 @@
+import { objectToKeys } from '@code-pushup/utils';
 import { DependencyGroup } from '../../config';
-import { AuditResult } from '../../runner/audit/types';
 import { filterAuditResult } from '../../runner/utils';
 import { COMMON_AUDIT_ARGS, COMMON_OUTDATED_ARGS } from '../constants';
-import { PackageManager } from '../types';
+import { AuditResults, PackageManager } from '../types';
 import { pnpmToAuditResult } from './audit-result';
 import { pnpmToOutdatedResult } from './outdated-result';
 
@@ -30,15 +30,23 @@ export const pnpmPackageManager: PackageManager = {
     ignoreExitCode: true,
     unifyResult: pnpmToAuditResult,
     // optional dependencies don't have an exclusive option so they need duplicates filtered out
-    postProcessResult: (results: Record<DependencyGroup, AuditResult>) => ({
-      prod: results.prod,
-      dev: results.dev,
-      optional: filterAuditResult(
-        filterAuditResult(results.optional, 'id', results.prod),
-        'id',
-        results.dev,
-      ),
-    }),
+    postProcessResult: (results: AuditResults) => {
+      const depGroups = objectToKeys(results);
+      const prodFilter =
+        results.optional && results.prod
+          ? filterAuditResult(results.optional, 'id', results.prod)
+          : results.optional;
+      const devFilter =
+        prodFilter && results.dev
+          ? filterAuditResult(prodFilter, 'id', results.dev)
+          : results.optional;
+
+      return {
+        ...(depGroups.includes('prod') && { prod: results.prod }),
+        ...(depGroups.includes('dev') && { dev: results.dev }),
+        ...(results.optional && { optional: devFilter }),
+      };
+    },
   },
   outdated: {
     commandArgs: COMMON_OUTDATED_ARGS,

packages/plugin-js-packages/src/lib/package-managers/types.ts

@@ -3,6 +3,8 @@ import { DependencyGroup, PackageManagerId } from '../config';
 import { AuditResult } from '../runner/audit/types';
 import { OutdatedResult } from '../runner/outdated/types';
 
+export type AuditResults = Partial<Record<DependencyGroup, AuditResult>>;
+
 export type PackageManager = {
   slug: PackageManagerId;
   name: string;
@@ -18,9 +20,7 @@ export type PackageManager = {
     ignoreExitCode?: boolean; // non-zero exit code will throw by default
     supportedDepGroups?: DependencyGroup[]; // all are supported by default
     unifyResult: (output: string) => AuditResult;
-    postProcessResult?: (
-      result: Record<DependencyGroup, AuditResult>,
-    ) => Record<DependencyGroup, AuditResult>;
+    postProcessResult?: (result: AuditResults) => AuditResults;
   };
   outdated: {
     commandArgs: string[];