@npmcli/arborist 2.8.2 → 2.9.0

package/lib/tracker.js

@@ -11,35 +11,37 @@ module.exports = cls => class Tracker extends cls {
 
   addTracker (section, subsection = null, key = null) {
     // TrackerGroup type object not found
-    if (!this.log.newGroup)
+    if (!this.log.newGroup) {
       return
+    }
 
-    if (section === null || section === undefined)
+    if (section === null || section === undefined) {
       this[_onError](`Tracker can't be null or undefined`)
+    }
 
-    if (key === null)
+    if (key === null) {
       key = subsection
+    }
 
     const hasTracker = this[_progress].has(section)
     const hasSubtracker = this[_progress].has(`${section}:${key}`)
 
-    if (hasTracker && subsection === null)
+    if (hasTracker && subsection === null) {
       // 0. existing tracker, no subsection
       this[_onError](`Tracker "${section}" already exists`)
-
-    else if (!hasTracker && subsection === null) {
+    } else if (!hasTracker && subsection === null) {
       // 1. no existing tracker, no subsection
       // Create a new tracker from this.log
       // starts progress bar
-      if (this[_progress].size === 0)
+      if (this[_progress].size === 0) {
         this.log.enableProgress()
+      }
 
       this[_progress].set(section, this.log.newGroup(section))
-    } else if (!hasTracker && subsection !== null)
+    } else if (!hasTracker && subsection !== null) {
       // 2. no parent tracker and subsection
       this[_onError](`Parent tracker "${section}" does not exist`)
-
-    else if (!hasTracker || !hasSubtracker) {
+    } else if (!hasTracker || !hasSubtracker) {
       // 3. existing parent tracker, no subsection tracker
       // Create a new subtracker in this[_progress] from parent tracker
       this[_progress].set(`${section}:${key}`,
@@ -52,14 +54,17 @@ module.exports = cls => class Tracker extends cls {
 
   finishTracker (section, subsection = null, key = null) {
     // TrackerGroup type object not found
-    if (!this.log.newGroup)
+    if (!this.log.newGroup) {
       return
+    }
 
-    if (section === null || section === undefined)
+    if (section === null || section === undefined) {
       this[_onError](`Tracker can't be null or undefined`)
+    }
 
-    if (key === null)
+    if (key === null) {
       key = subsection
+    }
 
     const hasTracker = this[_progress].has(section)
     const hasSubtracker = this[_progress].has(`${section}:${key}`)
@@ -71,8 +76,9 @@ module.exports = cls => class Tracker extends cls {
       // not have any remaining children
       const keys = this[_progress].keys()
       for (const key of keys) {
-        if (key.match(new RegExp(section + ':')))
+        if (key.match(new RegExp(section + ':'))) {
           this.finishTracker(section, key)
+        }
       }
 
       // remove parent tracker
@@ -81,13 +87,13 @@ module.exports = cls => class Tracker extends cls {
 
       // remove progress bar if all
       // trackers are finished
-      if (this[_progress].size === 0)
+      if (this[_progress].size === 0) {
         this.log.disableProgress()
-    } else if (!hasTracker && subsection === null)
+      }
+    } else if (!hasTracker && subsection === null) {
       // 1. no existing parent tracker, no subsection
       this[_onError](`Tracker "${section}" does not exist`)
-
-    else if (!hasTracker || hasSubtracker) {
+    } else if (!hasTracker || hasSubtracker) {
       // 2. subtracker exists
       // Finish subtracker and remove from this[_progress]
       this[_progress].get(`${section}:${key}`).finish()

package/lib/tree-check.js

@@ -5,8 +5,9 @@ const checkTree = (tree, checkUnreachable = true) => {
 
   // this can only happen in tests where we have a "tree" object
   // that isn't actually a tree.
-  if (!tree.root || !tree.root.inventory)
+  if (!tree.root || !tree.root.inventory) {
     return tree
+  }
 
   const { inventory } = tree.root
   const seen = new Set()
@@ -21,8 +22,9 @@ const checkTree = (tree, checkUnreachable = true) => {
       'root=' + !!(node && node.isRoot),
     ])
 
-    if (!node || seen.has(node) || node.then)
+    if (!node || seen.has(node) || node.then) {
       return
+    }
 
     seen.add(node)
 
@@ -116,14 +118,18 @@ const checkTree = (tree, checkUnreachable = true) => {
     check(fsParent, node, 'fsParent')
     check(target, node, 'target')
     log.push(['CHILDREN', node.location, ...node.children.keys()])
-    for (const kid of node.children.values())
+    for (const kid of node.children.values()) {
       check(kid, node, 'children')
-    for (const kid of node.fsChildren)
+    }
+    for (const kid of node.fsChildren) {
       check(kid, node, 'fsChildren')
-    for (const link of node.linksIn)
+    }
+    for (const link of node.linksIn) {
       check(link, node, 'linksIn')
-    for (const top of node.tops)
+    }
+    for (const top of node.tops) {
       check(top, node, 'tops')
+    }
     log.push(['DONE', node.location])
   }
   check(tree)

package/lib/version-from-tgz.js

@@ -4,8 +4,9 @@ const {basename} = require('path')
 const {parse} = require('url')
 module.exports = (name, tgz) => {
   const base = basename(tgz)
-  if (!base.endsWith('.tgz'))
+  if (!base.endsWith('.tgz')) {
     return null
+  }
 
   const u = parse(tgz)
   if (/^https?:/.test(u.protocol)) {
@@ -35,8 +36,9 @@ module.exports = (name, tgz) => {
 }
 
 const versionFromBaseScopeName = (base, scope, name) => {
-  if (!base.startsWith(name + '-'))
+  if (!base.startsWith(name + '-')) {
     return null
+  }
 
   const parsed = semver.parse(base.substring(name.length + 1, base.length - 4))
   return parsed ? {

package/lib/vuln.js

@@ -14,6 +14,7 @@
 const {satisfies, simplifyRange} = require('semver')
 const semverOpt = { loose: true, includePrerelease: true }
 
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
 const _range = Symbol('_range')
 const _simpleRange = Symbol('_simpleRange')
@@ -28,8 +29,9 @@ const severities = new Map([
   [null, -1],
 ])
 
-for (const [name, val] of severities.entries())
+for (const [name, val] of severities.entries()) {
   severities.set(val, name)
+}
 
 class Vuln {
   constructor ({ name, advisory }) {
@@ -43,7 +45,7 @@ class Vuln {
     this[_simpleRange] = null
     this.nodes = new Set()
     // assume a fix is available unless it hits a top node
-    // that locks it in place, setting this to false or {isSemVerMajor, version}.
+    // that locks it in place, setting this false or {isSemVerMajor, version}.
     this[_fixAvailable] = true
     this.addAdvisory(advisory)
     this.packument = advisory.packument
@@ -65,39 +67,55 @@ class Vuln {
     // - true: fix does not require -f
     for (const v of this.via) {
       // don't blow up on loops
-      if (v.fixAvailable === f)
+      if (v.fixAvailable === f) {
         continue
+      }
 
-      if (f === false)
+      if (f === false) {
         v.fixAvailable = f
-      else if (v.fixAvailable === true)
+      } else if (v.fixAvailable === true) {
         v.fixAvailable = f
-      else if (typeof f === 'object' && (
-        typeof v.fixAvailable !== 'object' || !v.fixAvailable.isSemVerMajor))
+      } else if (typeof f === 'object' && (
+        typeof v.fixAvailable !== 'object' || !v.fixAvailable.isSemVerMajor)) {
         v.fixAvailable = f
+      }
     }
   }
 
+  get isDirect () {
+    for (const node of this.nodes.values()) {
+      for (const edge of node.edgesIn) {
+        if (edge.from.isProjectRoot || edge.from.isWorkspace) {
+          return true
+        }
+      }
+    }
+    return false
+  }
+
   testSpec (spec) {
     const specObj = npa(spec)
-    if (!specObj.registry)
+    if (!specObj.registry) {
       return true
+    }
 
-    if (specObj.subSpec)
+    if (specObj.subSpec) {
       spec = specObj.subSpec.rawSpec
+    }
 
     for (const v of this.versions) {
-      if (satisfies(v, spec) && !satisfies(v, this.range, semverOpt))
+      if (satisfies(v, spec) && !satisfies(v, this.range, semverOpt)) {
         return false
+      }
     }
     return true
   }
 
   toJSON () {
-    // sort so that they're always in a consistent order
     return {
       name: this.name,
       severity: this.severity,
+      isDirect: this.isDirect,
       // just loop over the advisories, since via is only Vuln objects,
       // and calculated advisories have all the info we need
       via: [...this.advisories].map(v => v.type === 'metavuln' ? v.dependency : {
@@ -106,12 +124,10 @@ class Vuln {
         vulnerableVersions: undefined,
         id: undefined,
       }).sort((a, b) =>
-        String(a.source || a).localeCompare(String(b.source || b, 'en'))),
-      effects: [...this.effects].map(v => v.name)
-        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b, 'en')),
+        localeCompare(String(a.source || a), String(b.source || b))),
+      effects: [...this.effects].map(v => v.name).sort(localeCompare),
       range: this.simpleRange,
-      nodes: [...this.nodes].map(n => n.location)
-        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b, 'en')),
+      nodes: [...this.nodes].map(n => n.location).sort(localeCompare),
       fixAvailable: this[_fixAvailable],
     }
   }
@@ -135,14 +151,16 @@ class Vuln {
     this[_range] = null
     this[_simpleRange] = null
     // refresh severity
-    for (const advisory of this.advisories)
+    for (const advisory of this.advisories) {
       this.addAdvisory(advisory)
+    }
 
     // remove any effects that are no longer relevant
     const vias = new Set([...this.advisories].map(a => a.dependency))
     for (const via of this.via) {
-      if (!vias.has(via.name))
+      if (!vias.has(via.name)) {
         this.deleteVia(via)
+      }
     }
   }
 
@@ -151,8 +169,9 @@ class Vuln {
     const sev = severities.get(advisory.severity)
     this[_range] = null
     this[_simpleRange] = null
-    if (sev > severities.get(this.severity))
+    if (sev > severities.get(this.severity)) {
       this.severity = advisory.severity
+    }
   }
 
   get range () {
@@ -161,8 +180,9 @@ class Vuln {
   }
 
   get simpleRange () {
-    if (this[_simpleRange] && this[_simpleRange] === this[_range])
+    if (this[_simpleRange] && this[_simpleRange] === this[_range]) {
       return this[_simpleRange]
+    }
 
     const versions = [...this.advisories][0].versions
     const range = this.range
@@ -171,12 +191,14 @@ class Vuln {
   }
 
   isVulnerable (node) {
-    if (this.nodes.has(node))
+    if (this.nodes.has(node)) {
       return true
+    }
 
     const { version } = node.package
-    if (!version)
+    if (!version) {
       return false
+    }
 
     for (const v of this.advisories) {
       if (v.testVersion(version)) {

package/lib/yarn-lock.js

@@ -28,13 +28,14 @@
 // is an impenetrable 10kloc of webpack flow output, which is overkill
 // for something relatively simple and tailored to Arborist's use case.
 
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 const consistentResolve = require('./consistent-resolve.js')
 const {dirname} = require('path')
 const {breadth} = require('treeverse')
 
 // sort a key/value object into a string of JSON stringified keys and vals
 const sortKV = obj => Object.keys(obj)
-  .sort((a, b) => a.localeCompare(b, 'en'))
+  .sort(localeCompare)
   .map(k => `    ${JSON.stringify(k)} ${JSON.stringify(obj[k])}`)
   .join('\n')
 
@@ -82,13 +83,15 @@ class YarnLock {
     const linere = /([^\r\n]*)\r?\n/gm
     let match
     let lineNum = 0
-    if (!/\n$/.test(data))
+    if (!/\n$/.test(data)) {
       data += '\n'
+    }
     while (match = linere.exec(data)) {
       const line = match[1]
       lineNum++
-      if (line.charAt(0) === '#')
+      if (line.charAt(0) === '#') {
         continue
+      }
       if (line === '') {
         this.endCurrent()
         continue
@@ -117,8 +120,9 @@ class YarnLock {
         const metadata = this.splitQuoted(line.trimLeft(), ' ')
         if (metadata.length === 2) {
           // strip off the legacy shasum hashes
-          if (metadata[0] === 'resolved')
+          if (metadata[0] === 'resolved') {
             metadata[1] = metadata[1].replace(/#.*/, '')
+          }
           this.current[metadata[0]] = metadata[1]
           continue
         }
@@ -141,9 +145,9 @@ class YarnLock {
     let o = 0
     for (let i = 0; i < split.length; i++) {
       const chunk = split[i]
-      if (/^".*"$/.test(chunk))
+      if (/^".*"$/.test(chunk)) {
         out[o++] = chunk.trim().slice(1, -1)
-      else if (/^"/.test(chunk)) {
+      } else if (/^"/.test(chunk)) {
         let collect = chunk.trimLeft().slice(1)
         while (++i < split.length) {
           const n = split[i]
@@ -152,12 +156,14 @@ class YarnLock {
           if (/[^\\](\\\\)*"$/.test(n)) {
             collect += n.trimRight().slice(0, -1)
             break
-          } else
+          } else {
             collect += n
+          }
         }
         out[o++] = collect
-      } else
+      } else {
         out[o++] = chunk.trim()
+      }
     }
     return out
   }
@@ -165,7 +171,7 @@ class YarnLock {
   toString () {
     return prefix + [...new Set([...this.entries.values()])]
       .map(e => e.toString())
-      .sort((a, b) => a.localeCompare(b, 'en')).join('\n\n') + '\n'
+      .sort(localeCompare).join('\n\n') + '\n'
   }
 
   fromTree (tree) {
@@ -175,7 +181,7 @@ class YarnLock {
       tree,
       visit: node => this.addEntryFromNode(node),
       getChildren: node => [...node.children.values(), ...node.fsChildren]
-        .sort((a, b) => a.depth - b.depth || a.name.localeCompare(b.name, 'en')),
+        .sort((a, b) => a.depth - b.depth || localeCompare(a.name, b.name)),
     })
     return this
   }
@@ -183,7 +189,7 @@ class YarnLock {
   addEntryFromNode (node) {
     const specs = [...node.edgesIn]
       .map(e => `${node.name}@${e.spec}`)
-      .sort((a, b) => a.localeCompare(b, 'en'))
+      .sort(localeCompare)
 
     // Note:
     // yarn will do excessive duplication in a case like this:
@@ -226,17 +232,19 @@ class YarnLock {
       // no previous entry for this spec at all, so it's new
       if (!prev) {
         // if we saw a match already, then assign this spec to it as well
-        if (priorEntry)
+        if (priorEntry) {
           priorEntry.addSpec(s)
-        else
+        } else {
           newSpecs.push(s)
+        }
         continue
       }
 
       const m = match(prev, n)
       // there was a prior entry, but a different thing.  skip this one
-      if (!m)
+      if (!m) {
         continue
+      }
 
       // previous matches, but first time seeing it, so already has this spec.
       // go ahead and add all the previously unseen specs, though
@@ -259,8 +267,9 @@ class YarnLock {
     // if we never found a matching prior, then this is a whole new thing
     if (!priorEntry) {
       const entry = Object.assign(new YarnLockEntry(newSpecs), n)
-      for (const s of newSpecs)
+      for (const s of newSpecs) {
         this.entries.set(s, entry)
+      }
     } else {
       // pick up any new info that we got for this node, so that we can
       // decorate with integrity/resolved/etc.
@@ -270,12 +279,15 @@ class YarnLock {
 
   entryDataFromNode (node) {
     const n = {}
-    if (node.package.dependencies)
+    if (node.package.dependencies) {
       n.dependencies = node.package.dependencies
-    if (node.package.optionalDependencies)
+    }
+    if (node.package.optionalDependencies) {
       n.optionalDependencies = node.package.optionalDependencies
-    if (node.version)
+    }
+    if (node.version) {
       n.version = node.version
+    }
     if (node.resolved) {
       n.resolved = consistentResolve(
         node.resolved,
@@ -284,8 +296,9 @@ class YarnLock {
         true
       )
     }
-    if (node.integrity)
+    if (node.integrity) {
       n.integrity = node.integrity
+    }
 
     return n
   }
@@ -309,7 +322,7 @@ class YarnLockEntry {
   toString () {
     // sort objects to the bottom, then alphabetical
     return ([...this[_specs]]
-      .sort((a, b) => a.localeCompare(b, 'en'))
+      .sort(localeCompare)
       .map(JSON.stringify).join(', ') +
       ':\n' +
       Object.getOwnPropertyNames(this)
@@ -318,7 +331,7 @@ class YarnLockEntry {
           (a, b) =>
           /* istanbul ignore next - sort call order is unpredictable */
             (typeof this[a] === 'object') === (typeof this[b] === 'object')
-              ? a.localeCompare(b, 'en')
+              ? localeCompare(a, b)
               : typeof this[a] === 'object' ? 1 : -1)
         .map(prop =>
           typeof this[prop] !== 'object'

package/package.json

@@ -1,8 +1,9 @@
 {
   "name": "@npmcli/arborist",
-  "version": "2.8.2",
+  "version": "2.9.0",
   "description": "Manage node_modules trees",
   "dependencies": {
+    "@isaacs/string-locale-compare": "^1.0.1",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/map-workspaces": "^1.0.2",
     "@npmcli/metavuln-calculator": "^1.1.0",
@@ -36,13 +37,9 @@
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
+    "@npmcli/lint": "^1.0.2",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
-    "eslint": "^7.9.0",
-    "eslint-plugin-import": "^2.22.0",
-    "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-promise": "^4.2.1",
-    "eslint-plugin-standard": "^4.0.1",
     "minify-registry-metadata": "^2.1.0",
     "tap": "^15.0.9",
     "tcompare": "^5.0.6"
@@ -50,18 +47,19 @@
   "scripts": {
     "test": "npm run test-only --",
     "test-only": "tap",
-    "posttest": "npm run lint",
+    "posttest": "npm run lint --",
     "snap": "tap",
-    "postsnap": "npm run lintfix",
+    "postsnap": "npm run lintfix --",
     "test-proxy": "ARBORIST_TEST_PROXY=1 tap --snapshot",
     "preversion": "npm test",
     "postversion": "npm publish",
     "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
-    "lint": "npm run eslint -- \"lib/**/*.js\" \"test/arborist/*.js\" \"test/*.js\" \"bin/**/*.js\"",
+    "lint": "npm run npmclilint -- \"lib/**/*.*js\" \"bin/**/*.*js\" \"test/*.*js\" \"test/arborist/*.*js\"",
     "lintfix": "npm run lint -- --fix",
     "benchmark": "node scripts/benchmark.js",
-    "benchclean": "rm -rf scripts/benchmark/*/"
+    "benchclean": "rm -rf scripts/benchmark/*/",
+    "npmclilint": "npmcli-lint"
   },
   "repository": {
     "type": "git",