@npmcli/template-oss 4.7.1 → 4.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/lib/check/check-engines.js +48 -0
  2. package/lib/check/index.js +1 -0
  3. package/lib/content/SECURITY.md +12 -1
  4. package/lib/content/_step-audit.yml +4 -2
  5. package/lib/content/ci.yml +0 -9
  6. package/package.json +2 -1
package/lib/check/check-engines.js ADDED
@@ -0,0 +1,48 @@
1
+ const semver = require('semver')
2
+ const { relative, join } = require('path')
3
+ const Arborist = require('@npmcli/arborist')
4
+
5
+ const run = async ({ root, path, pkg, config: { omitEngines = [] } }) => {
6
+ const pkgPath = join(relative(root, path), 'package.json')
7
+ const arb = new Arborist({ path })
8
+ const tree = await arb.loadActual({ forceActual: true })
9
+
10
+ const engines = pkg.engines.node
11
+ const deps = await tree.querySelectorAll(`#${pkg.name} > .prod:attr(engines, [node])`)
12
+
13
+ const invalid = []
14
+ for (const dep of deps) {
15
+ if (omitEngines.includes(dep.name)) {
16
+ continue
17
+ }
18
+
19
+ const depEngines = dep.target.package.engines.node
20
+ if (!semver.subset(engines, depEngines)) {
21
+ invalid.push({
22
+ name: `${dep.name}@${dep.version}`,
23
+ location: dep.location,
24
+ engines: depEngines,
25
+ })
26
+ }
27
+ }
28
+
29
+ if (invalid.length) {
30
+ const title = `The following production dependencies are not compatible with ` +
31
+ `\`engines.node: ${engines}\` found in \`${pkgPath}\`:`
32
+ return {
33
+ title,
34
+ body: invalid.map((dep) => [
35
+ `${dep.name}:`,
36
+ ` engines.node: ${dep.engines}`,
37
+ ` location: ${dep.location}`,
38
+ ].join('\n')).join('\n'),
39
+ solution: 'Remove them or move them to devDependencies.',
40
+ }
41
+ }
42
+ }
43
+
44
+ module.exports = {
45
+ run,
46
+ when: ({ pkg, config: c }) => c.applyModule && pkg.engines?.node,
47
+ name: 'check-engines',
48
+ }
package/lib/check/index.js CHANGED
@@ -6,4 +6,5 @@ module.exports = (root) => run(root, [
6
6
  require('./check-unwanted.js'),
7
7
  require('./check-gitignore.js'),
8
8
  require('./check-changelog.js'),
9
+ require('./check-engines.js'),
9
10
  ])
package/lib/content/SECURITY.md CHANGED
@@ -1 +1,12 @@
1
- Please send vulnerability reports through [hackerone](https://hackerone.com/github).
1
+ GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
2
+
3
+ If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways.
4
+
5
+ If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
6
+
7
+ If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
8
+
9
+ **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
10
+
11
+ Thanks for helping make GitHub safe for everyone.
12
+
package/lib/content/_step-audit.yml CHANGED
@@ -1,2 +1,4 @@
1
- - name: Run Audit
2
- run: {{ rootNpmPath }} audit
1
+ - name: Run Production Audit
2
+ run: {{ rootNpmPath }} audit --omit=dev
3
+ - name: Run Full Audit
4
+ run: {{ rootNpmPath }} audit --audit-level=none
package/lib/content/ci.yml CHANGED
@@ -4,15 +4,6 @@ on:
4
4
  {{> onCi }}
5
5
 
6
6
  jobs:
7
- engines:
8
- {{> jobMatrix
9
- jobName="Engines"
10
- jobDepFlags="--engines-strict"
11
- macCI=false
12
- windowsCI=false
13
- ciVersions=baseCiVersions
14
- }}
15
-
16
7
  lint:
17
8
  {{> job jobName="Lint" }}
18
9
  {{> stepLint jobRunFlags=pkgFlags }}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@npmcli/template-oss",
3
- "version": "4.7.1",
3
+ "version": "4.9.0",
4
4
  "description": "templated files used in npm CLI team oss projects",
5
5
  "main": "lib/content/index.js",
6
6
  "bin": {
@@ -36,6 +36,7 @@
36
36
  "@commitlint/cli": "^17.1.1",
37
37
  "@commitlint/config-conventional": "^17.1.0",
38
38
  "@isaacs/string-locale-compare": "^1.1.0",
39
+ "@npmcli/arborist": "^6.0.0",
39
40
  "@npmcli/git": "^4.0.0",
40
41
  "@npmcli/map-workspaces": "^3.0.0",
41
42
  "@npmcli/package-json": "^3.0.0",