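// Implementation example
/** Severity levels a dependency-audit finding can carry. */
type Severity = 'low' | 'moderate' | 'high' | 'critical'
/**
 * One audit finding: the affected module, its rated severity and, when known,
 * the advisory number reported by the audit tool.
 */
type Finding = { module: string; severity: Severity; advisory?: number }
/**
 * Gating policy. Severities in `block` fail the gate, severities in `warn` are
 * only reported. Both sets are typed over the full `Severity` union so a
 * consumer can call `has(f.severity)` without a type assertion; which values
 * actually belong in each set is still the policy author's decision.
 */
type Policy = { block: Set<Severity>; warn: Set<Severity> }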
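/**
 * Classify a single audit finding against the gating policy.
 *
 * Evaluation order is part of the security model:
 *  1. An approved, still-valid exception for `module:severity` short-circuits
 *     to 'pass' (valid while `until >= now`), whatever the severity.
 *  2. Otherwise the severity is looked up in the block set, then the warn set.
 *  3. Anything not listed in either set passes (e.g. 'low').
 *
 * A finding with no exception entry is never exempt. The original default of
 * `0` for a missing entry made every finding pass whenever `now <= 0` (a
 * misconfigured clock or a test fixture), i.e. the gate failed open.
 *
 * @param f          the finding to classify
 * @param p          policy: severities that block the pipeline and severities that only warn
 * @param exceptions map from `module:severity` to the expiry timestamp (same unit as `now`)
 *                   of an approved exception; an entry of `Infinity` would never expire,
 *                   so enforce a finite expiry where exceptions are approved
 * @param now        current time, compared with `>=` against the stored expiry
 * @returns the gate decision for this finding
 */
function decide(f: Finding, p: Policy, exceptions: Map<string, number>, now: number): 'block' | 'warn' | 'pass' {
  const key = `${f.module}:${f.severity}`
  const until = exceptions.get(key)
  // Fail closed: only an existing, unexpired exception can suppress a finding.
  if (until !== undefined && until >= now) return 'pass'
  // Widen the policy sets to ReadonlySet<string> so `.has()` accepts any severity
  // value without an `as any` escape hatch; the runtime check is unchanged.
  const blocking: ReadonlySet<string> = p.block
  const warning: ReadonlySet<string> = p.warn
  if (blocking.has(f.severity)) return 'block'
  if (warning.has(f.severity)) return 'warn'
  return 'pass'
}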
/**
 * Partition audit findings into the three gate buckets.
 *
 * Every finding is classified independently by `decide`; within each bucket
 * the input order is preserved, which keeps gate output stable for reports
 * and audit records.
 *
 * @param list       findings to evaluate
 * @param p          gating policy (block / warn severity sets)
 * @param exceptions `module:severity` → expiry timestamp of an approved exception
 * @param now        current time used to test exception expiry
 * @returns the findings grouped by decision
 */
function evaluate(list: Finding[], p: Policy, exceptions: Map<string, number>, now: number): { blocked: Finding[]; warned: Finding[]; passed: Finding[] } {
  const buckets: { blocked: Finding[]; warned: Finding[]; passed: Finding[] } = { blocked: [], warned: [], passed: [] }
  for (const finding of list) {
    switch (decide(finding, p, exceptions, now)) {
      case 'block':
        buckets.blocked.push(finding)
        break
      case 'warn':
        buckets.warned.push(finding)
        break
      default:
        // 'pass' (and, defensively, anything else) lands here, as in the original else-branch.
        buckets.passed.push(finding)
    }
  }
  return buckets
}
审计与 CI 门禁：阻断项直接使门禁失败并输出修复建议；例外需设置到期时间与审批人。审计记录包含模块、严重级别与决策，支持回溯。
