@npmcli/arborist 2.8.2 → 2.9.0

package/lib/audit-report.js

@@ -1,6 +1,7 @@
 // an object representing the set of vulnerabilities in a tree
 /* eslint camelcase: "off" */
 
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
 const pickManifest = require('npm-pick-manifest')
 
@@ -63,8 +64,9 @@ class AuditReport extends Map {
           prod = false
         }
       }
-      if (prod)
+      if (prod) {
         dependencies.prod++
+      }
     }
 
     // if it doesn't have any topVulns, then it's fixable with audit fix
@@ -78,7 +80,7 @@ class AuditReport extends Map {
     }
 
     obj.vulnerabilities = vulnerabilities
-      .sort(([a], [b]) => a.localeCompare(b, 'en'))
+      .sort(([a], [b]) => localeCompare(a, b))
       .reduce((set, [name, vuln]) => {
         set[name] = vuln
         return set
@@ -104,8 +106,9 @@ class AuditReport extends Map {
   async run () {
     this.report = await this[_getReport]()
     this.log.silly('audit report', this.report)
-    if (this.report)
+    if (this.report) {
       await this[_init]()
+    }
     return this
   }
 
@@ -119,8 +122,9 @@ class AuditReport extends Map {
 
     const promises = []
     for (const [name, advisories] of Object.entries(this.report)) {
-      for (const advisory of advisories)
+      for (const advisory of advisories) {
         promises.push(this.calculator.calculate(name, advisory))
+      }
     }
 
     // now the advisories are calculated with a set of versions
@@ -136,43 +140,51 @@ class AuditReport extends Map {
       // adding multiple advisories with the same range is fine, but no
       // need to search for nodes we already would have added.
       const k = `${name}@${range}`
-      if (seen.has(k))
+      if (seen.has(k)) {
         continue
+      }
 
       seen.add(k)
 
       const vuln = this.get(name) || new Vuln({ name, advisory })
-      if (this.has(name))
+      if (this.has(name)) {
         vuln.addAdvisory(advisory)
+      }
       super.set(name, vuln)
 
       const p = []
       for (const node of this.tree.inventory.query('packageName', name)) {
-        if (!shouldAudit(node, this[_omit], this.filterSet))
+        if (!shouldAudit(node, this[_omit], this.filterSet)) {
           continue
+        }
 
         // if not vulnerable by this advisory, keep searching
-        if (!advisory.testVersion(node.version))
+        if (!advisory.testVersion(node.version)) {
           continue
+        }
 
         // we will have loaded the source already if this is a metavuln
-        if (advisory.type === 'metavuln')
+        if (advisory.type === 'metavuln') {
           vuln.addVia(this.get(advisory.dependency))
+        }
 
         // already marked this one, no need to do it again
-        if (vuln.nodes.has(node))
+        if (vuln.nodes.has(node)) {
           continue
+        }
 
         // haven't marked this one yet.  get its dependents.
         vuln.nodes.add(node)
         for (const { from: dep, spec } of node.edgesIn) {
-          if (dep.isTop && !vuln.topNodes.has(dep))
+          if (dep.isTop && !vuln.topNodes.has(dep)) {
             this[_checkTopNode](dep, vuln, spec)
-          else {
+          } else {
             // calculate a metavuln, if necessary
-            p.push(this.calculator.calculate(dep.packageName, advisory).then(meta => {
-              if (meta.testVersion(dep.version, spec))
+            const calc = this.calculator.calculate(dep.packageName, advisory)
+            p.push(calc.then(meta => {
+              if (meta.testVersion(dep.version, spec)) {
                 advisories.add(meta)
+              }
             }))
           }
         }
@@ -193,9 +205,11 @@ class AuditReport extends Map {
       // the nodes it references, then remove it from the advisory list.
       // happens when using omit with old audit endpoint.
       for (const advisory of vuln.advisories) {
-        const relevant = [...vuln.nodes].some(n => advisory.testVersion(n.version))
-        if (!relevant)
+        const relevant = [...vuln.nodes]
+          .some(n => advisory.testVersion(n.version))
+        if (!relevant) {
           vuln.deleteAdvisory(advisory)
+        }
       }
     }
     process.emit('timeEnd', 'auditReport:init')
@@ -221,18 +235,21 @@ class AuditReport extends Map {
     // this will always be set to at least {name, versions:{}}
     const paku = vuln.packument
 
-    if (!vuln.testSpec(spec))
+    if (!vuln.testSpec(spec)) {
       return true
+    }
 
     // similarly, even if we HAVE a packument, but we're looking for it
     // somewhere other than the registry, and we got something vulnerable,
     // then we're stuck with it.
     const specObj = npa(spec)
-    if (!specObj.registry)
+    if (!specObj.registry) {
       return false
+    }
 
-    if (specObj.subSpec)
+    if (specObj.subSpec) {
       spec = specObj.subSpec.rawSpec
+    }
 
     // We don't provide fixes for top nodes other than root, but we
     // still check to see if the node is fixable with a different version,
@@ -287,8 +304,9 @@ class AuditReport extends Map {
 
   async [_getReport] () {
     // if we're not auditing, just return false
-    if (this.options.audit === false || this.tree.inventory.size === 1)
+    if (this.options.audit === false || this.tree.inventory.size === 1) {
       return null
+    }
 
     process.emit('time', 'auditReport:getReport')
     try {
@@ -299,8 +317,9 @@ class AuditReport extends Map {
 
         // no sense asking if we don't have anything to audit,
         // we know it'll be empty
-        if (!Object.keys(body).length)
+        if (!Object.keys(body).length) {
           return null
+        }
 
         const res = await fetch('/-/npm/v1/security/advisories/bulk', {
           ...this.options,
@@ -353,13 +372,15 @@ const prepareBulkData = (tree, omit, filterSet) => {
   for (const name of tree.inventory.query('packageName')) {
     const set = new Set()
     for (const node of tree.inventory.query('packageName', name)) {
-      if (!shouldAudit(node, omit, filterSet))
+      if (!shouldAudit(node, omit, filterSet)) {
         continue
+      }
 
       set.add(node.version)
     }
-    if (set.size)
+    if (set.size) {
       payload[name] = [...set]
+    }
   }
   return payload
 }

package/lib/calc-dep-flags.js

@@ -11,7 +11,8 @@ const calcDepFlags = (tree, resetRoot = true) => {
     tree,
     visit: node => calcDepFlagsStep(node),
     filter: node => node,
-    getChildren: (node, tree) => [...tree.edgesOut.values()].map(edge => edge.to),
+    getChildren: (node, tree) =>
+      [...tree.edgesOut.values()].map(edge => edge.to),
   })
   return ret
 }
@@ -39,8 +40,9 @@ const calcDepFlagsStep = (node) => {
 
   node.edgesOut.forEach(({peer, optional, dev, to}) => {
     // if the dep is missing, then its flags are already maximally unset
-    if (!to)
+    if (!to) {
       return
+    }
 
     // everything with any kind of edge into it is not extraneous
     to.extraneous = false
@@ -59,28 +61,34 @@ const calcDepFlagsStep = (node) => {
       !node.optional && !optional
     const unsetPeer = !node.peer && !peer
 
-    if (unsetPeer)
+    if (unsetPeer) {
       unsetFlag(to, 'peer')
+    }
 
-    if (unsetDevOpt)
+    if (unsetDevOpt) {
       unsetFlag(to, 'devOptional')
+    }
 
-    if (unsetDev)
+    if (unsetDev) {
       unsetFlag(to, 'dev')
+    }
 
-    if (unsetOpt)
+    if (unsetOpt) {
       unsetFlag(to, 'optional')
+    }
   })
 
   return node
 }
 
 const resetParents = (node, flag) => {
-  if (node[flag])
+  if (node[flag]) {
     return
+  }
 
-  for (let p = node; p && (p === node || p[flag]); p = p.resolveParent)
+  for (let p = node; p && (p === node || p[flag]); p = p.resolveParent) {
     p[flag] = false
+  }
 }
 
 // typically a short walk, since it only traverses deps that
@@ -92,8 +100,9 @@ const unsetFlag = (node, flag) => {
       tree: node,
       visit: node => {
         node.extraneous = node[flag] = false
-        if (node.isLink)
+        if (node.isLink) {
           node.target.extraneous = node.target[flag] = false
+        }
       },
       getChildren: node => [...node.target.edgesOut.values()]
         .filter(edge => edge.to && edge.to[flag] &&

package/lib/can-place-dep.js

@@ -35,6 +35,7 @@
 // then we will return REPLACE rather than CONFLICT, and Arborist will queue
 // the replaced node for resolution elsewhere.
 
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 const semver = require('semver')
 const debug = require('./debug.js')
 const peerEntrySets = require('./peer-entry-sets.js')
@@ -64,19 +65,22 @@ class CanPlaceDep {
     } = options
 
     debug(() => {
-      if (!dep)
+      if (!dep) {
         throw new Error('no dep provided to CanPlaceDep')
+      }
 
-      if (!target)
+      if (!target) {
         throw new Error('no target provided to CanPlaceDep')
+      }
 
-      if (!edge)
+      if (!edge) {
         throw new Error('no edge provided to CanPlaceDep')
+      }
 
       this._treeSnapshot = JSON.stringify([...target.root.inventory.entries()]
         .map(([loc, {packageName, version, resolved}]) => {
           return [loc, packageName, version, resolved]
-        }).sort(([a], [b]) => a.localeCompare(b, 'en')))
+        }).sort(([a], [b]) => localeCompare(a, b)))
     })
 
     // the result of whether we can place it or not
@@ -108,14 +112,15 @@ class CanPlaceDep {
     this.edgeOverride = !dep.satisfies(edge)
 
     this.canPlace = this.checkCanPlace()
-    if (!this.canPlaceSelf)
+    if (!this.canPlaceSelf) {
       this.canPlaceSelf = this.canPlace
+    }
 
     debug(() => {
       const treeSnapshot = JSON.stringify([...target.root.inventory.entries()]
         .map(([loc, {packageName, version, resolved}]) => {
           return [loc, packageName, version, resolved]
-        }).sort(([a], [b]) => a.localeCompare(b, 'en')))
+        }).sort(([a], [b]) => localeCompare(a, b)))
       /* istanbul ignore if */
       if (this._treeSnapshot !== treeSnapshot) {
         throw Object.assign(new Error('tree changed in CanPlaceDep'), {
@@ -131,15 +136,18 @@ class CanPlaceDep {
 
     // if the dep failed to load, we're going to fail the build or
     // prune it out anyway, so just move forward placing/replacing it.
-    if (dep.errors.length)
+    if (dep.errors.length) {
       return current ? REPLACE : OK
+    }
 
     // cannot place peers inside their dependents, except for tops
-    if (targetEdge && targetEdge.peer && !target.isTop)
+    if (targetEdge && targetEdge.peer && !target.isTop) {
       return CONFLICT
+    }
 
-    if (targetEdge && !dep.satisfies(targetEdge) && targetEdge !== this.edge)
+    if (targetEdge && !dep.satisfies(targetEdge) && targetEdge !== this.edge) {
       return CONFLICT
+    }
 
     return current ? this.checkCanPlaceCurrent() : this.checkCanPlaceNoCurrent()
   }
@@ -150,8 +158,9 @@ class CanPlaceDep {
     const { preferDedupe, explicitRequest, current, target, edge, dep } = this
 
     if (dep.matches(current)) {
-      if (current.satisfies(edge) || this.edgeOverride)
+      if (current.satisfies(edge) || this.edgeOverride) {
         return explicitRequest ? REPLACE : KEEP
+      }
     }
 
     const { version: curVer } = current
@@ -163,19 +172,22 @@ class CanPlaceDep {
        * but it is theoretically possible if peer deps are pinned.  In
        * that case we treat it like any other conflict, and keep trying */
       const cpp = this.canPlacePeers(REPLACE)
-      if (cpp !== CONFLICT)
+      if (cpp !== CONFLICT) {
         return cpp
+      }
     }
 
     // ok, can't replace the current with new one, but maybe current is ok?
-    if (current.satisfies(edge) && (!explicitRequest || preferDedupe))
+    if (current.satisfies(edge) && (!explicitRequest || preferDedupe)) {
       return KEEP
+    }
 
     // if we prefer deduping, then try replacing newer with older
     if (preferDedupe && !tryReplace && dep.canReplace(current)) {
       const cpp = this.canPlacePeers(REPLACE)
-      if (cpp !== CONFLICT)
+      if (cpp !== CONFLICT) {
         return cpp
+      }
     }
 
     // Check for interesting cases!
@@ -185,29 +197,33 @@ class CanPlaceDep {
     const myDeepest = this.deepestNestingTarget
 
     // ok, i COULD be placed deeper, so leave the current one alone.
-    if (target !== myDeepest)
+    if (target !== myDeepest) {
       return CONFLICT
+    }
 
     // if we are not checking a peerDep, then we MUST place it here, in the
     // target that has a non-peer dep on it.
-    if (!edge.peer && target === edge.from)
+    if (!edge.peer && target === edge.from) {
       return this.canPlacePeers(REPLACE)
+    }
 
     // if we aren't placing a peer in a set, then we're done here.
     // This is ignored because it SHOULD be redundant, as far as I can tell,
     // with the deepest target and target===edge.from tests.  But until we
     // can prove that isn't possible, this condition is here for safety.
     /* istanbul ignore if - allegedly impossible */
-    if (!this.parent && !edge.peer)
+    if (!this.parent && !edge.peer) {
       return CONFLICT
+    }
 
     // check the deps in the peer group for each edge into that peer group
     // if ALL of them can be pushed deeper, or if it's ok to replace its
     // members with the contents of the new peer group, then we're good.
     let canReplace = true
     for (const [entryEdge, currentPeers] of peerEntrySets(current)) {
-      if (entryEdge === this.edge || entryEdge === this.peerEntryEdge)
+      if (entryEdge === this.edge || entryEdge === this.peerEntryEdge) {
         continue
+      }
 
       // First, see if it's ok to just replace the peerSet entirely.
       // we do this by walking out from the entryEdge, because in a case like
@@ -231,8 +247,9 @@ class CanPlaceDep {
       const entryNode = entryEdge.to
       const entryRep = dep.parent.children.get(entryNode.name)
       if (entryRep) {
-        if (entryRep.canReplace(entryNode, dep.parent.children.keys()))
+        if (entryRep.canReplace(entryNode, dep.parent.children.keys())) {
           continue
+        }
       }
 
       let canClobber = !entryRep
@@ -240,12 +257,14 @@ class CanPlaceDep {
         const peerReplacementWalk = new Set([entryNode])
         OUTER: for (const currentPeer of peerReplacementWalk) {
           for (const edge of currentPeer.edgesOut.values()) {
-            if (!edge.peer || !edge.valid)
+            if (!edge.peer || !edge.valid) {
               continue
+            }
             const rep = dep.parent.children.get(edge.name)
             if (!rep) {
-              if (edge.to)
+              if (edge.to) {
                 peerReplacementWalk.add(edge.to)
+              }
               continue
             }
             if (!rep.satisfies(edge)) {
@@ -255,14 +274,16 @@ class CanPlaceDep {
           }
         }
       }
-      if (canClobber)
+      if (canClobber) {
         continue
+      }
 
       // ok, we can't replace, but maybe we can nest the current set deeper?
       let canNestCurrent = true
       for (const currentPeer of currentPeers) {
-        if (!canNestCurrent)
+        if (!canNestCurrent) {
           break
+        }
 
         // still possible to nest this peerSet
         const curDeep = deepestNestingTarget(entryEdge.from, currentPeer.name)
@@ -270,14 +291,16 @@ class CanPlaceDep {
           canNestCurrent = false
           canReplace = false
         }
-        if (canNestCurrent)
+        if (canNestCurrent) {
           continue
+        }
       }
     }
 
     // if we can nest or replace all the current peer groups, we can replace.
-    if (canReplace)
+    if (canReplace) {
       return this.canPlacePeers(REPLACE)
+    }
 
     return CONFLICT
   }
@@ -293,8 +316,9 @@ class CanPlaceDep {
     if (current) {
       for (const edge of current.edgesIn.values()) {
         if (edge.from.isDescendantOf(target) && edge.valid) {
-          if (!dep.satisfies(edge))
+          if (!dep.satisfies(edge)) {
             return CONFLICT
+          }
         }
       }
     }
@@ -316,8 +340,9 @@ class CanPlaceDep {
   get allChildren () {
     const set = new Set(this.children)
     for (const child of set) {
-      for (const grandchild of child.children)
+      for (const grandchild of child.children) {
         set.add(grandchild)
+      }
     }
     return [...set]
   }
@@ -329,15 +354,17 @@ class CanPlaceDep {
   // check if peers can go here.  returns state or CONFLICT
   canPlacePeers (state) {
     this.canPlaceSelf = state
-    if (this._canPlacePeers)
+    if (this._canPlacePeers) {
       return this._canPlacePeers
+    }
 
     // TODO: represent peerPath in ERESOLVE error somehow?
     const peerPath = [...this.peerPath, this.dep]
     let sawConflict = false
     for (const peerEdge of this.dep.edgesOut.values()) {
-      if (!peerEdge.peer || !peerEdge.to || peerPath.includes(peerEdge.to))
+      if (!peerEdge.peer || !peerEdge.to || peerPath.includes(peerEdge.to)) {
         continue
+      }
       const peer = peerEdge.to
       // it may be the case that the *initial* dep can be nested, but a peer
       // of that dep needs to be placed shallower, because the target has
@@ -354,13 +381,15 @@ class CanPlaceDep {
       })
       /* istanbul ignore next */
       debug(() => {
-        if (this.children.some(c => c.dep === cpp.dep))
+        if (this.children.some(c => c.dep === cpp.dep)) {
           throw new Error('checking same dep repeatedly')
+        }
       })
       this.children.push(cpp)
 
-      if (cpp.canPlace === CONFLICT)
+      if (cpp.canPlace === CONFLICT) {
         sawConflict = true
+      }
     }
 
     this._canPlacePeers = sawConflict ? CONFLICT : state

package/lib/case-insensitive-map.js

@@ -10,8 +10,9 @@ module.exports = class Map extends OGMap {
   constructor (items = []) {
     super()
     this[_keys] = new OGMap()
-    for (const [key, val] of items)
+    for (const [key, val] of items) {
       this.set(key, val)
+    }
   }
 
   [_normKey] (key) {
@@ -26,8 +27,9 @@ module.exports = class Map extends OGMap {
 
   set (key, val) {
     const normKey = this[_normKey](key)
-    if (this[_keys].has(normKey))
+    if (this[_keys].has(normKey)) {
       super.delete(this[_keys].get(normKey))
+    }
     this[_keys].set(normKey, key)
     return super.set(key, val)
   }

package/lib/consistent-resolve.js

@@ -5,8 +5,9 @@
 const npa = require('npm-package-arg')
 const relpath = require('./relpath.js')
 const consistentResolve = (resolved, fromPath, toPath, relPaths = false) => {
-  if (!resolved)
+  if (!resolved) {
     return null
+  }
 
   try {
     const hostedOpt = { noCommittish: false }

package/lib/deepest-nesting-target.js

@@ -5,11 +5,13 @@
 const deepestNestingTarget = (start, name) => {
   for (const target of start.ancestry()) {
     // note: this will skip past the first target if edge is peer
-    if (target.isProjectRoot || !target.resolveParent || target.globalTop)
+    if (target.isProjectRoot || !target.resolveParent || target.globalTop) {
       return target
+    }
     const targetEdge = target.edgesOut.get(name)
-    if (!targetEdge || !targetEdge.peer)
+    if (!targetEdge || !targetEdge.peer) {
       return target
+    }
   }
 }
 

package/lib/dep-valid.js

@@ -44,8 +44,9 @@ const depValid = (child, requested, requestor) => {
 
   switch (requested.type) {
     case 'range':
-      if (requested.fetchSpec === '*')
+      if (requested.fetchSpec === '*') {
         return true
+      }
       // fallthrough
     case 'version':
       // if it's a version or a range other than '*', semver it
@@ -108,17 +109,20 @@ const depValid = (child, requested, requestor) => {
 }
 
 const tarballValid = (child, requested, requestor) => {
-  if (child.isLink)
+  if (child.isLink) {
     return false
+  }
 
-  if (child.resolved)
+  if (child.resolved) {
     return child.resolved.replace(/\\/g, '/') === `file:${requested.fetchSpec.replace(/\\/g, '/')}`
+  }
 
   // if we have a legacy mutated package.json file.  we can't be 100%
   // sure that it resolved to the same file, but if it was the same
   // request, that's a pretty good indicator of sameness.
-  if (child.package._requested)
+  if (child.package._requested) {
     return child.package._requested.saveSpec === requested.saveSpec
+  }
 
   // ok, we're probably dealing with some legacy cruft here, not much
   // we can do at this point unfortunately.