@code-pushup/js-packages-plugin 0.26.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/README.md +190 -0
  2. package/bin.js +1040 -0
  3. package/index.js +910 -0
  4. package/package.json +49 -0
  5. package/src/bin.d.ts +1 -0
  6. package/src/index.d.ts +3 -0
  7. package/src/lib/config.d.ts +28 -0
  8. package/src/lib/constants.d.ts +9 -0
  9. package/src/lib/js-packages-plugin.d.ts +19 -0
  10. package/src/lib/runner/audit/constants.d.ts +2 -0
  11. package/src/lib/runner/audit/transform.d.ts +7 -0
  12. package/src/lib/runner/audit/types.d.ts +27 -0
  13. package/src/lib/runner/constants.d.ts +3 -0
  14. package/src/lib/runner/index.d.ts +4 -0
  15. package/src/lib/runner/outdated/constants.d.ts +3 -0
  16. package/src/lib/runner/outdated/transform.d.ts +29 -0
  17. package/src/lib/runner/outdated/types.d.ts +15 -0
package/README.md ADDED
@@ -0,0 +1,190 @@
1
+ # @code-pushup/js-packages-plugin
2
+
3
+ [![npm](https://img.shields.io/npm/v/%40code-pushup%2Fjs-packages-plugin.svg)](https://www.npmjs.com/package/@code-pushup/js-packages-plugin)
4
+ [![downloads](https://img.shields.io/npm/dm/%40code-pushup%2Fjs-packages-plugin)](https://npmtrends.com/@code-pushup/js-packages-plugin)
5
+ [![dependencies](https://img.shields.io/librariesio/release/npm/%40code-pushup/js-packages-plugin)](https://www.npmjs.com/package/@code-pushup/js-packages-plugin?activeTab=dependencies)
6
+
7
+ 📦 **Code PushUp plugin for JavaScript packages.** 🛡️
8
+
9
+ This plugin checks for known vulnerabilities and outdated dependencies.
10
+ It supports the following package managers:
11
+
12
+ - [NPM](https://docs.npmjs.com/)
13
+ - [Yarn v1](https://classic.yarnpkg.com/docs/) & [Yarn v2+](https://yarnpkg.com/getting-started)
14
+ - [PNPM](https://pnpm.io/pnpm-cli)
15
+
16
+ ## Getting started
17
+
18
+ 1. If you haven't already, install [@code-pushup/cli](../cli/README.md) and create a configuration file.
19
+
20
+ 2. Insert plugin configuration with your package manager. By default, both `audit` and `outdated` checks will be run. The result should look as follows:
21
+
22
+ ```js
23
+ import jsPackagesPlugin from '@code-pushup/js-packages-plugin';
24
+
25
+ export default {
26
+ // ...
27
+ plugins: [
28
+ // ...
29
+ await jsPackagesPlugin({ packageManager: 'npm' }), // replace with your package manager
30
+ ],
31
+ };
32
+ ```
33
+
34
+ You may run this plugin with a custom configuration for any supported package manager or command. A custom configuration will look similarly to the following:
35
+
36
+ ```js
37
+ import jsPackagesPlugin from '@code-pushup/js-packages-plugin';
38
+
39
+ export default {
40
+ // ...
41
+ plugins: [
42
+ // ...
43
+ await jsPackagesPlugin({ packageManager: ['yarn'], checks: ['audit'] }),
44
+ ],
45
+ };
46
+ ```
47
+
48
+ 3. (Optional) Reference individual audits or the provided plugin groups which you wish to include in custom categories (use `npx code-pushup print-config` to list audits and groups).
49
+
50
+ 💡 Assign weights based on what influence each command should have on the overall category score (assign weight 0 to only include as extra info, without influencing category score).
51
+
52
+ ```js
53
+ export default {
54
+ // ...
55
+ categories: [
56
+ {
57
+ slug: 'security',
58
+ title: 'Security',
59
+ refs: [
60
+ {
61
+ type: 'group',
62
+ plugin: 'npm-audit', // replace prefix with your package manager
63
+ slug: 'js-packages',
64
+ weight: 1,
65
+ },
66
+ ],
67
+ },
68
+ {
69
+ slug: 'up-to-date',
70
+ title: 'Up-to-date tools',
71
+ refs: [
72
+ {
73
+ type: 'group',
74
+ plugin: 'npm-outdated', // replace prefix with your package manager
75
+ slug: 'js-packages',
76
+ weight: 1,
77
+ },
78
+ // ...
79
+ ],
80
+ },
81
+ // ...
82
+ ],
83
+ };
84
+ ```
85
+
86
+ 4. Run the CLI with `npx code-pushup collect` and view or upload report (refer to [CLI docs](../cli/README.md)).
87
+
88
+ ## Plugin architecture
89
+
90
+ ### Plugin configuration specification
91
+
92
+ The plugin accepts the following parameters:
93
+
94
+ - `packageManager`: The package manager you are using. Supported values: `npm`, `yarn-classic` (v1), `yarn-modern` (v2+), `pnpm`.
95
+ - (optional) `checks`: Array of checks to be run. Supported commands: `audit`, `outdated`. Both are configured by default.
96
+ - (optional) `auditLevelMapping`: If you wish to set a custom level of issue severity based on audit vulnerability level, you may do so here. Any omitted values will be filled in by defaults. Audit levels are: `critical`, `high`, `moderate`, `low` and `info`. Issue severities are: `error`, `warn` and `info`. By default the mapping is as follows: `critical` and `high` → `error`; `moderate` and `low` → `warning`; `info` → `info`.
97
+
98
+ ### Audits and group
99
+
100
+ This plugin provides a group per check for a convenient declaration in your config.
101
+
102
+ ```ts
103
+ // ...
104
+ categories: [
105
+ {
106
+ slug: 'dependencies',
107
+ title: 'Package dependencies',
108
+ refs: [
109
+ {
110
+ type: 'group',
111
+ plugin: 'js-packages',
112
+ slug: 'npm-audit', // replace prefix with your package manager
113
+ weight: 1,
114
+ },
115
+ {
116
+ type: 'group',
117
+ plugin: 'js-packages',
118
+ slug: 'npm-outdated', // replace prefix with your package manager
119
+ weight: 1,
120
+ },
121
+ // ...
122
+ ],
123
+ },
124
+ // ...
125
+ ],
126
+ ```
127
+
128
+ Each dependency group has its own audit. If you want to check only a subset of dependencies (e.g. run audit and outdated for production dependencies) or assign different weights to them, you can do so in the following way:
129
+
130
+ ```ts
131
+ // ...
132
+ categories: [
133
+ {
134
+ slug: 'dependencies',
135
+ title: 'Package dependencies',
136
+ refs: [
137
+ {
138
+ type: 'audit',
139
+ plugin: 'js-packages',
140
+ slug: 'npm-audit-prod', // replace prefix with your package manager
141
+ weight: 2,
142
+ },
143
+ {
144
+ type: 'audit',
145
+ plugin: 'js-packages',
146
+ slug: 'npm-audit-dev', // replace prefix with your package manager
147
+ weight: 1,
148
+ },
149
+ {
150
+ type: 'audit',
151
+ plugin: 'js-packages',
152
+ slug: 'npm-outdated-prod', // replace prefix with your package manager
153
+ weight: 2,
154
+ },
155
+ // ...
156
+ ],
157
+ },
158
+ // ...
159
+ ],
160
+ ```
161
+
162
+ ## Score calculation
163
+
164
+ Audit output score is a numeric value in the range 0-1.
165
+
166
+ ### Security audit
167
+
168
+ The score for security audit is decreased for each vulnerability found based on its **severity**.
169
+
170
+ The mapping is as follows:
171
+
172
+ - Critical vulnerabilities set score to 0.
173
+ - High-severity vulnerabilities reduce score by 0.1.
174
+ - Moderate vulnerabilities reduce score by 0.05.
175
+ - Low-severity vulnerabilities reduce score by 0.02.
176
+ - Information-level vulnerabilities reduce score by 0.01.
177
+
178
+ Examples:
179
+
180
+ - 1+ **critical** vulnerabilities → score will be 0
181
+ - 1 high and 2 low vulnerabilities → score will be 1 - 0.1 - 2\*0.02 = 0.86
182
+
183
+ ### Outdated dependencies
184
+
185
+ In order for this audit not to drastically lower the score, the current logic is such that only dependencies with **major** outdated version lower the score by a proportional amount to the total amount of dependencies on your project.
186
+
187
+ Examples:
188
+
189
+ - 5 dependencies out of which 1 has an outdated **major** version → score will be (5 - 1) / 5 = 0.8
190
+ - 2 dependencies out of which 1 has an outdated minor version and one is up-to-date → score stay 1