[#3] Remove hardcoded snyk path (#4)

docs/CHANGELOG.md

@@ -1,5 +1,9 @@
 # ChangeLog
 
+## [4.0.2] - 16-12-2021
+
+- fix: don't rely on hardcoded paths to `snyk` binary
+
 ## [4.0.1] - 14-12-2021
 
 - docs: fix readme instructions to use `@asos` scope

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@asos/snyker",
-  "version": "4.0.1",
+  "version": "4.0.2",
   "description": "An opinionated, heavy-handed wrapper around Snyk.",
   "author": {
     "name": "Craig Morten",
@@ -24,6 +24,9 @@
     "doc": "docs",
     "lib": "lib"
   },
+  "engines": {
+    "npm": ">=5.2.0"
+  },
   "main": "lib/index.js",
   "bin": {
     "snyker": "bin/snyker"

src/index.js

@@ -270,10 +270,6 @@ const snyker = async () => {
 
   const lockFileName = argv.lockfile || "yarn.lock";
   const isYarn = lockFileName.includes("yarn");
-  const snykCliPath = path.join(
-    path.dirname(module.id),
-    "../node_modules/.bin/snyk"
-  );
 
   console.log(
     `[SNYKER: STEP 1]: Ensuring lockfile '${lockFileName}' is up to date.\n`
@@ -307,7 +303,8 @@ const snyker = async () => {
   console.log("[SNYKER: STEP 3]: Getting vulnerable paths from Snyk.");
 
   const depsToForceUpdate = await catchAndRetry(async () => {
-    const { stdout: snykTestOut } = await exec(snykCliPath, [
+    const { stdout: snykTestOut } = await exec("npx", [
+      "snyk",
       "test",
       "--dev",
       "--json",
@@ -347,7 +344,8 @@ const snyker = async () => {
   );
 
   const finalVulnerabilities = await catchAndRetry(async () => {
-    const { stdout: finalSnykTestOut } = await exec(snykCliPath, [
+    const { stdout: finalSnykTestOut } = await exec("npx", [
+      "snyk",
       "test",
       "--dev",
       "--json",
@@ -405,7 +403,7 @@ const snyker = async () => {
     console.log();
 
     for (const id of uniqueVulnerabilityIds) {
-      await exec(snykCliPath, ["ignore", `--id=${id}`]);
+      await exec("npx", ["snyk", "ignore", `--id=${id}`]);
     }
 
     if (upgradablePackages.length) {