
XRAY-138687 - [Curation] Implementing support for additional flags#721

Merged
attiasas merged 3 commits intojfrog:devfrom
gauriy-tech:feature/XRAY-138687-add-flgs-support
Apr 28, 2026

Conversation

@gauriy-tech
Contributor

@gauriy-tech gauriy-tech commented Apr 8, 2026

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered in the JFrog Documentation, new documentation has been added.

Added support for --legacy-peer-deps: Done

Benefits: It unblocks curation auditing for npm projects that can't install cleanly under npm 7+, which is a very common real-world situation — many projects maintain older dependencies or have transitive peer conflicts they haven't resolved. Without this flag, those projects would simply be unable to run jf ca at all.


--run-native flag for jf ca (Curation Audit)
Problem it solves
jf ca normally injects Artifactory as the npm registry during dependency resolution (writes .npmrc, runs npm install). This breaks for users who:

  1. Use Volta (a Node.js toolchain manager whose npm shim gets bypassed)
  2. Have a custom .npmrc that conflicts with JFrog's injection
  3. Don't want jf ca to modify their project's node_modules or package-lock.json

What --run-native does
When passed, jf ca hands off dependency resolution entirely to the user's native npm environment:

  1. Skips injecting Artifactory as the npm registry — npm runs as-is, respecting the user's .npmrc and Volta configuration
  2. Skips deleting node_modules/package-lock.json before running — no destructive side effects on the project
  3. No jf npm-config required — reads the Artifactory URL and repository name for Curation HEAD requests directly from the project's .npmrc (via npm config get registry), parsing /api/npm/ from it
  4. Auth still comes from jf c — credentials are sourced from ~/.jfrog/jfrog-cli.conf, not from .npmrc

Constraints
  • The npm registry in .npmrc must be an Artifactory npm registry (URL must contain /api/npm/)
  • Supports both standard (/artifactory/api/npm/) and reverse-proxy URLs (where the /artifactory context root is stripped)
  • If the registry is not Artifactory, the command fails with a clear error

Error handling
If authentication fails (401), the audit stops immediately with a descriptive error pointing the user to run jf c to fix their server configuration — no misleading "0 blocked packages" result is shown
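The registry-parsing step described above (read the registry URL from .npmrc, require /api/npm/, accept both the standard and the reverse-proxy form) is worth seeing end to end. The following Go function is an added illustration and is not code from this PR or from jfrog-cli-security; the type and function names are assumptions, and the URLs in main are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ArtifactoryNpmTarget holds what a Curation HEAD request needs from the
// registry URL (hypothetical type, not the project's own).
type ArtifactoryNpmTarget struct {
	BaseURL  string // "https://host/artifactory/" (standard) or "https://host/" (reverse proxy)
	RepoName string // npm repository key, e.g. "npm-remote"
}

// ParseArtifactoryNpmRegistry splits a registry URL such as
// https://host/artifactory/api/npm/npm-remote/ or, behind a reverse proxy that
// strips the context root, https://host/api/npm/npm-remote/ into the Artifactory
// base URL and repository name. A URL without /api/npm/ is rejected, which is
// the "must be an Artifactory npm registry" constraint from the description.
func ParseArtifactoryNpmRegistry(registry string) (ArtifactoryNpmTarget, error) {
	u, err := url.Parse(strings.TrimSpace(registry))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ArtifactoryNpmTarget{}, fmt.Errorf("invalid npm registry URL %q", registry)
	}
	const marker = "/api/npm/"
	idx := strings.Index(u.Path, marker)
	if idx < 0 {
		return ArtifactoryNpmTarget{}, errors.New("npm registry is not an Artifactory npm registry (missing /api/npm/)")
	}
	contextRoot := u.Path[:idx] // "/artifactory" normally, "" behind a reverse proxy
	repo := strings.Trim(u.Path[idx+len(marker):], "/")
	if i := strings.Index(repo, "/"); i >= 0 { // keep only the first segment after the marker
		repo = repo[:i]
	}
	if repo == "" {
		return ArtifactoryNpmTarget{}, errors.New("npm registry URL has no repository name after /api/npm/")
	}
	base := url.URL{Scheme: u.Scheme, Host: u.Host, Path: contextRoot + "/"}
	return ArtifactoryNpmTarget{BaseURL: base.String(), RepoName: repo}, nil
}

func main() {
	// Constructed sample values; in practice the string comes from `npm config get registry`.
	for _, reg := range []string{"https://acme.jfrog.io/artifactory/api/npm/npm-remote/", "https://registry.npmjs.org/"} {
		t, err := ParseArtifactoryNpmRegistry(reg)
		fmt.Printf("%s -> %+v err=%v\n", reg, t, err)
	}
}
```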

Collaborator

@attiasas attiasas left a comment


We already have:

DepType:      components.NewStringFlag(DepType, "[npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly."),
func (abp *AuditBasicParams) SetNpmScope(depType string) *AuditBasicParams {
	switch depType {
	case "devOnly":
		abp.args = []string{"--dev"}
	case "prodOnly":
		abp.args = []string{"--prod"}
	}
	return abp
}

Why not extend that?

@attiasas attiasas changed the base branch from main to dev April 9, 2026 06:45
@attiasas attiasas added improvement Automatically generated release notes safe to test Approve running integration tests on a pull request labels Apr 9, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 9, 2026
@gauriy-tech
Contributor Author

Implemented

@attiasas attiasas self-requested a review April 15, 2026 13:53
Collaborator

@attiasas attiasas left a comment


If we use DepType, why do we also need the LegacyPeerDeps flag?
Why not add DepType to CurationAudit and use it? (i.e. support DepType in Curation Audit)
--legacy-peer-deps --> --dep-type=legacyPeerDeps

@gauriy-tech gauriy-tech force-pushed the feature/XRAY-138687-add-flgs-support branch from 11a31b8 to 8b1ffd0 Compare April 28, 2026 06:39
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 28, 2026
Collaborator

@attiasas attiasas left a comment


Please check my comments.
In addition consider adding test cases for new options

Comment thread commands/audit/auditbasicparams.go Outdated
Comment thread cli/scancommands.go Outdated
Comment thread sca/bom/buildinfo/technologies/npm/npm.go Outdated
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-138687-add-flgs-support branch from 5a664f5 to 090e4b7 Compare April 28, 2026 07:49
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@gauriy-tech
Contributor Author

I have read the CLA Document and I hereby sign the CLA

@gauriy-tech gauriy-tech force-pushed the feature/XRAY-138687-add-flgs-support branch from 267ce1e to c2ba8cb Compare April 28, 2026 08:54
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-138687-add-flgs-support branch from 7b527a6 to c14b8a4 Compare April 28, 2026 10:01
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 28, 2026
Collaborator

@attiasas attiasas left a comment


LGTM

@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@github-actions

👍 Frogbot scanned this pull request and did not find any new security issues.

@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Apr 28, 2026
@attiasas attiasas merged commit a3f0211 into jfrog:dev Apr 28, 2026
216 of 274 checks passed
@attiasas attiasas added new feature Automatically generated release notes and removed improvement Automatically generated release notes labels Apr 28, 2026
@attiasas attiasas changed the title XRAY-138687 - Implementing support for additional flags XRAY-138687 - [Curation] Implementing support for additional flags Apr 28, 2026