From 246ada0726cae800fdcf25617daa3c43cfa9292f Mon Sep 17 00:00:00 2001
From: William Durand
Date: Mon, 20 Mar 2023 14:40:29 +0100
Subject: [PATCH] chore: fix audit-deps.js script to handle references to vulnerabilities
---
 scripts/audit-deps.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/scripts/audit-deps.js b/scripts/audit-deps.js
index 37ff69e578..df80de1cdc 100755
--- a/scripts/audit-deps.js
+++ b/scripts/audit-deps.js
@@ -79,6 +79,18 @@ if (auditReport) {
 // New npm audit json format introduced in npm v8.
 for (const vulnerablePackage of Object.keys(auditReport.vulnerabilities)) {
 const item = auditReport.vulnerabilities[vulnerablePackage];
+ // `item.via` can be either objects or (string) names of vulnerable
+ // packages in the audit json report. We need to normalize the data so
+ // that we always deal with a list of objects.
+ item.via = item.via.reduce((acc, via) => {
+ if (typeof via === 'object') {
+ acc.push(via);
+ } else {
+ acc.push(...auditReport.vulnerabilities[via].via);
+ }
+
+ return acc;
+ }, []);
 if (item.via.every((via) => exceptions.includes(via.url))) {
 ignoredIssues.push(item);
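Review bot: The added `reduce` follows a string reference only one level deep, so when the referenced entry's own `via` still holds package names (which depends on whether the loop has already normalized that entry), strings remain in `item.via` and have no `.url` for the `exceptions.includes(via.url)` check at the end of the hunk. That case fails closed, but two others do not fail cleanly: `auditReport.vulnerabilities[via].via` throws an unexplained TypeError when a name has no entry in the report, and a list that resolves to empty makes `every` return true, which would move the package to `ignoredIssues` without any exception matching. Following references until only advisory objects remain, with a visited set so a circular reference terminates, and requiring a non-empty list before ignoring, keeps the gate predictable. The `for` loop and the `if` body continue outside the hunk.

```javascript
      const item = auditReport.vulnerabilities[vulnerablePackage];
      // Follow string references until only advisory objects remain; `seen`
      // stops the walk on circular references.
      const seen = new Set([vulnerablePackage]);
      const resolveVia = (list) =>
        list.flatMap((via) => {
          if (via !== null && typeof via === 'object') {
            return [via];
          }
          if (seen.has(via)) {
            return [];
          }
          seen.add(via);
          const referenced = auditReport.vulnerabilities[via];
          if (!referenced) {
            throw new Error(`audit report references unknown package: ${via}`);
          }
          return resolveVia(referenced.via);
        });
      item.via = resolveVia(item.via);

      // An empty list must not count as "every advisory is excepted".
      if (
        item.via.length > 0 &&
        item.via.every((via) => exceptions.includes(via.url))
      ) {
        // … unchanged: ignoredIssues.push(item) …
```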