@cdxoo/npm-lockdown-proxy 0.0.1 → 0.0.2

package/README.md

@@ -4,27 +4,39 @@ A minimal npm registry proxy that blocks any package (or version) not on a white
 
 ## AI Disclosure
 
-This stuff was vibe coded with claude (pronounced "KLORT!!")
+This stuff was vibe coded with claude (pronounced "KLORT!!"). I hope I never have to actually mantain this...
 
 ## Run
 
 ```sh
-node proxy.js
-```
+# env var defaults are PORT=4873 WHITELIST=whitelist.json 
+npx @cdxoo/npm-lockdown-proxy 
 
-| Env var | Default | Description |
-|---|---|---|
-| `PORT` | `4873` | Port to listen on |
-| `WHITELIST` | `whitelist.json` | Path to whitelist file |
+# or
+
+npm install -g @cdxoo/npm-lockdown-proxy
+npm-lockdown-proxy
+npm-lockdown-proxy-create-whitelist-form-lockfile some-package-lock.json [--merge]
+
+```
 
 ## Use
 
 ```sh
 npm install <pkg> --registry http://localhost:4873
-# or set it globally
+# or
+echo "registry=http://localhost:4873" >> my-project/.npmrc # or ~/.npmrc
+# or
 npm config set registry http://localhost:4873
 ```
 
+## Server Env Vars
+
+| Env var | Default | Description |
+|---|---|---|
+| `PORT` | `4873` | Port to listen on |
+| `WHITELIST` | `whitelist.json` | Path to whitelist file |
+
 ## Whitelist format
 
 `whitelist.json` is an object. The value controls which versions are allowed:

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "@cdxoo/npm-lockdown-proxy",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Minimal npm registry proxy with package/version whitelisting",
   "bin": {
-    "npm-lockdown-proxy": "./proxy.js"
+    "npm-lockdown-proxy": "./proxy.js",
+    "npm-lockdown-proxy-whitelist-from-lockfile": "./whitelist-from-lockfile.js"
   },
   "files": [
     "proxy.js"
@@ -24,5 +25,14 @@
   "publishConfig": {
     "access": "public"
   },
-  "dependencies": {}
+  "dependencies": {},
+  "keywords": [
+    "npm",
+    "registry",
+    "proxy",
+    "whitelist",
+    "lockdown",
+    "security",
+    "supply-chain"
+  ]
 }

package/proxy.js

@@ -15,19 +15,19 @@ function loadWhitelist() {
   try {
     raw = JSON.parse(fs.readFileSync(WHITELIST_FILE, 'utf8'));
   } catch {
-    console.warn(`WARNING: could not load whitelist from '${WHITELIST_FILE}' — all packages will be blocked`);
+    console.warn(`WARNING: could not load whitelist from '${WHITELIST_FILE}' - all packages will be blocked`);
     console.warn(`         Set the WHITELIST env var or create a whitelist.json in the working directory.`);
-    return {};
+    return new Map();
   }
-  // Normalise each entry to an array of allowed versions, or '*' for any.
-  const wl = {};
+  // Normalise each entry to a Set of allowed versions, or '*' for any.
+  const wl = new Map();
   for (const [pkg, versions] of Object.entries(raw)) {
     if (versions === '*') {
-      wl[pkg] = '*';
+      wl.set(pkg, '*');
     } else if (Array.isArray(versions)) {
-      wl[pkg] = versions;
+      wl.set(pkg, new Set(versions));
     } else {
-      wl[pkg] = [versions];
+      wl.set(pkg, new Set([versions]));
     }
   }
   return wl;
@@ -83,15 +83,15 @@ const server = http.createServer((req, res) => {
   const { pkg, version } = parseRequest(req.url.split('?')[0]);
 
   if (pkg !== null) {
-    if (!Object.keys(whitelist).includes(pkg)) {
+    if (!whitelist.has(pkg)) {
       console.log(`BLOCKED  ${req.method} ${req.url} - '${pkg}' not whitelisted`);
       return deny(res, `Package '${pkg}' is not on the whitelist`);
     }
 
-    const allowed = whitelist[pkg];
-    if (version !== null && allowed !== '*' && !allowed.includes(version)) {
+    const allowed = whitelist.get(pkg);
+    if (version !== null && allowed !== '*' && !allowed.has(version)) {
       console.log(`BLOCKED  ${req.method} ${req.url} - '${pkg}@${version}' not an allowed version`);
-      return deny(res, `Version '${version}' of '${pkg}' is not on the whitelist (allowed: ${allowed.join(', ')})`);
+      return deny(res, `Version '${version}' of '${pkg}' is not on the whitelist (allowed: ${[...allowed].join(', ')})`);
     }
   }
 
@@ -122,5 +122,5 @@ const server = http.createServer((req, res) => {
 
 server.listen(PORT, () => {
   console.log(`npm proxy -> ${UPSTREAM} on http://localhost:${PORT}`);
-  console.log(`whitelist  ${WHITELIST_FILE} (${Object.keys(whitelist).length} packages)`);
+  console.log(`whitelist  ${WHITELIST_FILE} (${whitelist.size} packages)`);
 });

package/whitelist-from-lockfile.js

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+
+const args = process.argv.slice(2).filter(a => a !== '--merge');
+const merge = process.argv.includes('--merge');
+const lockfile = args[0];
+const output = args[1] || 'whitelist.json';
+
+if (!lockfile) {
+  console.error('usage: npm-lockdown-proxy-whitelist-from-lockfile <package-lock.json> [whitelist.json] [--merge]');
+  process.exit(1);
+}
+
+const lock = JSON.parse(fs.readFileSync(lockfile, 'utf8'));
+
+if (lock.lockfileVersion < 2) {
+  console.error('error: lockfile version 2 or higher required (npm 7+)');
+  process.exit(1);
+}
+
+function confirm(prompt) {
+  process.stdout.write(prompt);
+  const fd = fs.openSync('/dev/tty', 'r');
+  const buf = Buffer.alloc(1);
+  let answer = '';
+  while (true) {
+    fs.readSync(fd, buf, 0, 1);
+    if (buf[0] === 0x0a) break; // newline
+    answer += buf.toString();
+  }
+  fs.closeSync(fd);
+  return answer.trim().toLowerCase() === 'y';
+}
+
+// Map<name, Set<version>>
+function parseLockfile(lock) {
+  const pkgs = new Map();
+  for (const [key, pkg] of Object.entries(lock.packages || {})) {
+    if (key === '') continue; // root package
+    if (pkg.link) continue;  // workspace symlinks
+    const name = key.replace(/^.*node_modules\//, '');
+    process.stdout.write(`\rparsing: ${name.padEnd(60)}`);
+    const versions = pkgs.get(name) ?? new Set();
+    versions.add(pkg.version);
+    pkgs.set(name, versions);
+  }
+  process.stdout.write('\r' + ' '.repeat(70) + '\r'); // clear line
+  return pkgs;
+}
+
+// Map<name, Set<version> | '*'>
+function loadWhitelist(file) {
+  const raw = JSON.parse(fs.readFileSync(file, 'utf8'));
+  const wl = new Map();
+  for (const [name, versions] of Object.entries(raw)) {
+    wl.set(name, versions === '*' ? '*' : new Set(versions));
+  }
+  return wl;
+}
+
+function serialize(wl) {
+  const out = {};
+  for (const [name, versions] of [...wl.entries()].sort((a, b) => a[0].localeCompare(b[0]))) {
+    out[name] = versions === '*' ? '*' : [...versions];
+  }
+  return JSON.stringify(out, null, 2);
+}
+
+const parsed = parseLockfile(lock);
+
+if (merge) {
+  if (!fs.existsSync(output)) {
+    console.error(`error: '${output}' does not exist, cannot merge`);
+    process.exit(1);
+  }
+  if (!confirm(`merge into '${output}'? [y/N] `)) {
+    console.log('aborted');
+    process.exit(0);
+  }
+  const existing = loadWhitelist(output);
+  for (const [name, versions] of parsed) {
+    if (!existing.has(name)) {
+      existing.set(name, versions);
+    } else if (existing.get(name) !== '*') {
+      const merged = existing.get(name);
+      for (const v of versions) merged.add(v);
+    }
+  }
+  fs.writeFileSync(output, serialize(existing));
+  console.log(`merged ${parsed.size} packages into ${output} (${existing.size} total)`);
+} else {
+  if (fs.existsSync(output)) {
+    if (!confirm(`'${output}' already exists, overwrite? [y/N] `)) {
+      console.log('aborted');
+      process.exit(0);
+    }
+  }
+  fs.writeFileSync(output, serialize(parsed));
+  console.log(`wrote ${parsed.size} packages to ${output}`);
+}