@opensip-cli/checks-universal 0.1.11 → 0.1.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/dist/__tests__/resilience-fp.test.js +42 -0
- package/dist/__tests__/resilience-fp.test.js.map +1 -1
- package/dist/checks/architecture/dependencies/no-duplicate-packages.d.ts.map +1 -1
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js +0 -2
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js.map +1 -1
- package/dist/checks/architecture/modules/empty-package-detection.d.ts.map +1 -1
- package/dist/checks/architecture/modules/empty-package-detection.js +0 -2
- package/dist/checks/architecture/modules/empty-package-detection.js.map +1 -1
- package/dist/checks/architecture/project-readme-existence.d.ts.map +1 -1
- package/dist/checks/architecture/project-readme-existence.js +0 -1
- package/dist/checks/architecture/project-readme-existence.js.map +1 -1
- package/dist/checks/architecture/vitest-config-required-with-tests.d.ts.map +1 -1
- package/dist/checks/architecture/vitest-config-required-with-tests.js +0 -1
- package/dist/checks/architecture/vitest-config-required-with-tests.js.map +1 -1
- package/dist/checks/documentation/_directives/fitness.d.ts.map +1 -1
- package/dist/checks/documentation/_directives/fitness.js +7 -52
- package/dist/checks/documentation/_directives/fitness.js.map +1 -1
- package/dist/checks/documentation/_directives/graph.d.ts.map +1 -1
- package/dist/checks/documentation/_directives/graph.js +7 -52
- package/dist/checks/documentation/_directives/graph.js.map +1 -1
- package/dist/checks/documentation/_directives/semgrep.d.ts.map +1 -1
- package/dist/checks/documentation/_directives/semgrep.js +2 -12
- package/dist/checks/documentation/_directives/semgrep.js.map +1 -1
- package/dist/checks/documentation/_directives/shared.d.ts +9 -0
- package/dist/checks/documentation/_directives/shared.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/shared.js +53 -0
- package/dist/checks/documentation/_directives/shared.js.map +1 -0
- package/dist/checks/quality/dependency-version-consistency.d.ts.map +1 -1
- package/dist/checks/quality/dependency-version-consistency.js +0 -1
- package/dist/checks/quality/dependency-version-consistency.js.map +1 -1
- package/dist/checks/quality/linting/eslint-justifications.d.ts.map +1 -1
- package/dist/checks/quality/linting/eslint-justifications.js +1 -0
- package/dist/checks/quality/linting/eslint-justifications.js.map +1 -1
- package/dist/checks/quality/yagni-ignore-hygiene.js +1 -1
- package/dist/checks/quality/yagni-ignore-hygiene.js.map +1 -1
- package/dist/checks/resilience/batch-operation-limits.d.ts.map +1 -1
- package/dist/checks/resilience/batch-operation-limits.js +96 -42
- package/dist/checks/resilience/batch-operation-limits.js.map +1 -1
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts +10 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts.map +1 -1
- package/dist/checks/resilience/sentry/_helpers/sentry.js +21 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.js.map +1 -1
- package/dist/checks/resilience/sentry/sentry-dsn-configured.d.ts.map +1 -1
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js +8 -23
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js.map +1 -1
- package/dist/checks/resilience/sentry/sentry-environment-set.d.ts.map +1 -1
- package/dist/checks/resilience/sentry/sentry-environment-set.js +8 -20
- package/dist/checks/resilience/sentry/sentry-environment-set.js.map +1 -1
- package/dist/checks/resilience/sentry/sentry-release-set.d.ts.map +1 -1
- package/dist/checks/resilience/sentry/sentry-release-set.js +8 -20
- package/dist/checks/resilience/sentry/sentry-release-set.js.map +1 -1
- package/dist/checks/resilience/unbounded-memory.d.ts.map +1 -1
- package/dist/checks/resilience/unbounded-memory.js +47 -2
- package/dist/checks/resilience/unbounded-memory.js.map +1 -1
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js +235 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js.map +1 -1
- package/dist/checks/security/package-supply-chain-policy.d.ts.map +1 -1
- package/dist/checks/security/package-supply-chain-policy.js +112 -24
- package/dist/checks/security/package-supply-chain-policy.js.map +1 -1
- package/dist/checks/testing/test-convention-consistency.d.ts.map +1 -1
- package/dist/checks/testing/test-convention-consistency.js +0 -1
- package/dist/checks/testing/test-convention-consistency.js.map +1 -1
- package/dist/checks/testing/test-file-naming.d.ts.map +1 -1
- package/dist/checks/testing/test-file-naming.js +0 -1
- package/dist/checks/testing/test-file-naming.js.map +1 -1
- package/dist/checks/testing/test-file-pairing.d.ts.map +1 -1
- package/dist/checks/testing/test-file-pairing.js +0 -1
- package/dist/checks/testing/test-file-pairing.js.map +1 -1
- package/package.json +7 -5
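--- a/package/dist/checks/resilience/unbounded-memory.js
+++ b/package/dist/checks/resilience/unbounded-memory.js
@@ -106,15 +106,57 @@ function isModuleSelfRelativeRead(codeContext)
 const KNOWN_SMALL_FILE_PATTERNS = [
 'package.json',
 'tsconfig',
+'pyproject.toml',
 '.json',
 '.yaml',
 '.yml',
 '.toml',
 '.env',
 '.config',
+'opensip-cli.config',
+'.opensip-cli',
+'update-state',
+'entitlement',
+'scaffold',
+'template',
+'global-config',
+'manifest',
 '.eslintrc',
 '.prettierrc',
 ];
+const BOUNDED_SOURCE_READ_PATHS = [
+/[/\\]cli[/\\]src[/\\]commands[/\\]init[/\\]scaffold-writer\.ts$/i,
+/[/\\]cli[/\\]src[/\\]commands[/\\]plugin[/\\]config-edit\.ts$/i,
+/[/\\]config[/\\]src[/\\]document[/\\]global-config\.ts$/i,
+/[/\\]core[/\\]src[/\\]signals[/\\]suppress\.ts$/i,
+/[/\\]fitness[/\\]engine[/\\]src[/\\]framework[/\\]define-check\.ts$/i,
+/[/\\]graph[/\\]graph-adapter-common[/\\]src[/\\]cache-key\.ts$/i,
+/[/\\]graph[/\\]graph-go[/\\]src[/\\]resolve\.ts$/i,
+/[/\\]graph[/\\]graph-python[/\\]src[/\\]cache-key\.ts$/i,
+/[/\\]graph[/\\]graph-rust[/\\]src[/\\]resolve-dependencies\.ts$/i,
+/[/\\]graph[/\\]graph-typescript[/\\]src[/\\]discover\.ts$/i,
+/[/\\]graph[/\\]graph-typescript[/\\]src[/\\]index\.ts$/i,
+/[/\\]languages[/\\]lang-typescript[/\\]src[/\\]program-service\.ts$/i,
+/[/\\]output[/\\]src[/\\]sink[/\\]entitlement\.ts$/i,
+/[/\\]yagni[/\\]engine[/\\]src[/\\]cli[/\\]execute-yagni\.ts$/i,
+];
+function isKnownBoundedSourceRead(filePath) {
+return BOUNDED_SOURCE_READ_PATHS.some((pattern) => pattern.test(filePath));
+}
+/** Whole-file markers that prove reads are size-guarded elsewhere in the module. */
+const GUARDED_READ_MARKERS = [
+'file_too_large',
+'max_file_size',
+'maxfilesize',
+'file too large',
+'content.length >',
+'content.length <',
+'statsync',
+];
+function hasGuardedReadWrapper(content) {
+const lower = content.toLowerCase();
+return GUARDED_READ_MARKERS.some((marker) => lower.includes(marker));
+}
 function isReadingKnownSmallFile(content, readIndex) {
 const start = Math.max(0, readIndex - 100);
 const end = Math.min(content.length, readIndex + 150);
@@ -161,7 +203,7 @@ export const unboundedMemory = defineCheck({
 **Detects:**
 - Private class fields initialized with \`new Map(\`, \`new Set(\`, or empty arrays that have growth methods (\`.set\`, \`.push\`, \`.add\`) but no eviction keywords (\`.delete\`, \`.clear\`, \`maxsize\`, \`evict\`, \`prune\`, \`lru\`, etc.)
 - \`readFileSync(\` and \`readFile(\` calls without a preceding \`stat()\` / \`.size\` check within 500 characters
-- Skips \`
+- Skips known-small config paths (\`.opensip-cli\`, \`opensip-cli.config\`, manifests), modules with size guards, and \`static\` / \`readonly\` / \`const\` / \`WeakMap\` / DI token declarations
 
 **Why it matters:** Unbounded in-memory collections cause gradual OOM in long-running services; reading files without size guards risks instant OOM on large inputs.
 
@@ -197,12 +239,15 @@ export const unboundedMemory = defineCheck({
 });
 }
 }
+if (hasGuardedReadWrapper(content)) {
+return violations;
+}
 const fileReadCalls = findFileReadCalls(codeOnly);
 for (const readCall of fileReadCalls) {
 const start = Math.max(0, readCall.index - 1500);
 const context = content.slice(start, readCall.index);
 const codeContext = codeOnly.slice(start, readCall.index);
-if (isReadingKnownSmallFile(content, readCall.index)) {
+if (isKnownBoundedSourceRead(filePath) || isReadingKnownSmallFile(content, readCall.index)) {
 continue;
 }
 if (isStructuredParseRead(codeOnly, readCall.index) ||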
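Review bot: The `if (hasGuardedReadWrapper(content)) { return violations; }` inserted ahead of `findFileReadCalls(codeOnly)` in the third hunk turns a single marker anywhere in the module into a blanket exemption for every read in it, and the marker list includes `'statsync'`, which a module can contain for reasons unrelated to size (existence or directory checks), so one unrelated `statSync` call silences the unbounded-read finding for every other `readFileSync` in that file. The loop already computes a per-read window, so the marker test can be scoped to it instead of the whole file: drop the early return and extend the skip to `if (isKnownBoundedSourceRead(filePath) || isReadingKnownSmallFile(content, readCall.index) || hasGuardedReadWrapper(content.slice(start, readCall.index + 500))) { continue; }`, which matches the "within 500 characters" contract the description already states. The docstring on `GUARDED_READ_MARKERS` also overstates what a substring match can show; `/** Whole-file markers that suggest a read is size-guarded somewhere in the module (substring match, not proof). */` is closer to the code. Separately, `BOUNDED_SOURCE_READ_PATHS` bakes exemptions for specific repository paths into a package published as universal, so any consumer whose tree ends in one of those suffixes is exempted too; these belong in per-project configuration rather than shipped code. The enclosing `run` function starts and ends outside the hunk.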
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"unbounded-memory.js","sourceRoot":"","sources":["../../../src/checks/resilience/unbounded-memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EACL,WAAW,EACX,sBAAsB,EACtB,UAAU,EAEV,aAAa,GACd,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,0CAA0C,EAAE,MAAM,sBAAsB,CAAC;AAElF,MAAM,gBAAgB,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAU,CAAC;AAE3E,uGAAuG;AACvG,MAAM,4BAA4B,GAAG;IACnC,iBAAiB;IACjB,SAAS;IACT,WAAW;IACX,QAAQ;IACR,iBAAiB;IACjB,UAAU;IACV,iBAAiB;IACjB,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;CACV,CAAC;AAEF,SAAS,oBAAoB,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAe;IACjD,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,8DAA8D;QACnE,GAAG,EAAE,sEAAsE;KAC5E,CAAC,CAAC;IACH,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,gBAAgB,GAAG,SAAS,CAAC;QACnC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;QAE7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,oBAAoB;YACzC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACtD,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,SAAS;YACX,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,gBAAgB,GAAG,UAAU;gBACpC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,UAAU;IACV,SAAS;IACT,UAAU;IACV,SAAS;IACT,OAAO;IACP,aAAa;IACb,WAAW;IACX,SAAS;IACT,UAAU;IACV,OAAO;IACP,OAAO;IACP,OAAO;IACP,SAAS;I
ACT,UAAU;IACV,KAAK;IACL,UAAU;IACV,qBAAqB;CACb,CAAC;AAEX,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC3F,CAAC;AAED,iEAAiE;AACjE,2HAA2H;AAC3H,MAAM,iBAAiB,GAAG,CAAC,eAAe,EAAE,WAAW,CAAU,CAAC;AAElE,MAAM,wBAAwB,GAAG;IAC/B,WAAW;IACX,OAAO;IACP,SAAS;IACT,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,eAAe;IACf,aAAa;CACL,CAAC;AAEX,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,SAAiB;IAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;IAClE,OAAO,4BAA4B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,qBAAqB,GAAG,CAAC,iBAAiB,EAAE,WAAW,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;AAE9F,SAAS,wBAAwB,CAAC,WAAmB;IACnD,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACxC,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,yBAAyB,GAAG;IAChC,cAAc;IACd,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,WAAW;IACX,aAAa;
|
|
1
|
+
{"version":3,"file":"unbounded-memory.js","sourceRoot":"","sources":["../../../src/checks/resilience/unbounded-memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EACL,WAAW,EACX,sBAAsB,EACtB,UAAU,EAEV,aAAa,GACd,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,0CAA0C,EAAE,MAAM,sBAAsB,CAAC;AAElF,MAAM,gBAAgB,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAU,CAAC;AAE3E,uGAAuG;AACvG,MAAM,4BAA4B,GAAG;IACnC,iBAAiB;IACjB,SAAS;IACT,WAAW;IACX,QAAQ;IACR,iBAAiB;IACjB,UAAU;IACV,iBAAiB;IACjB,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;CACV,CAAC;AAEF,SAAS,oBAAoB,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAe;IACjD,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,8DAA8D;QACnE,GAAG,EAAE,sEAAsE;KAC5E,CAAC,CAAC;IACH,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,gBAAgB,GAAG,SAAS,CAAC;QACnC,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;QAE7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,cAAc,GAAG,oBAAoB;YACzC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACtD,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,oBAAoB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,SAAS;YACX,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,gBAAgB,GAAG,UAAU;gBACpC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE;aAC9C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,UAAU;IACV,SAAS;IACT,UAAU;IACV,SAAS;IACT,OAAO;IACP,aAAa;IACb,WAAW;IACX,SAAS;IACT,UAAU;IACV,OAAO;IACP,OAAO;IACP,OAAO;IACP,SAAS;I
ACT,UAAU;IACV,KAAK;IACL,UAAU;IACV,qBAAqB;CACb,CAAC;AAEX,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AAC3F,CAAC;AAED,iEAAiE;AACjE,2HAA2H;AAC3H,MAAM,iBAAiB,GAAG,CAAC,eAAe,EAAE,WAAW,CAAU,CAAC;AAElE,MAAM,wBAAwB,GAAG;IAC/B,WAAW;IACX,OAAO;IACP,SAAS;IACT,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,eAAe;IACf,aAAa;CACL,CAAC;AAEX,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAC3C,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AACpF,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,SAAiB;IAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;IAClE,OAAO,4BAA4B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,qBAAqB,GAAG,CAAC,iBAAiB,EAAE,WAAW,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;AAE9F,SAAS,wBAAwB,CAAC,WAAmB;IACnD,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACxC,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACxE,CAAC;AAED,MAAM,yBAAyB,GAAG;IAChC,cAAc;IACd,UAAU;IACV,gBAAgB;IAChB,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,oBAAoB;IACpB,cAAc;IACd,cAAc;IACd,aAAa;IACb,UAAU;IACV,UAAU;IACV,eAAe;IACf,UAAU;IACV,WAAW;IACX,aAAa;CACL,CAAC;AAEX,MAAM,yBAAyB,GAAG;IAChC,kEAAkE;IAClE,gEAAgE;IAChE,0DAA0D;IAC1D,kDAAkD;IAClD,sEAAsE;IACtE,iEAAiE;IACjE,mDAAmD;IACnD,yDAAyD;IACzD,kEAAkE;IAClE,4DAA4D;IAC5D,yDAAyD;IACzD,sEAAsE;IACtE,oDAAoD;IACpD,+DAA+D;CACvD,CAAC;AAEX,SAAS,wBAAwB,CAAC,QAAgB;IAChD,OAAO,yBAAyB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,oFAAoF;AACpF,MAAM,oBAAoB,GAAG;IAC3B,gBAAgB;IAChB,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,kBAAkB;IAClB,UAAU;CACF,CAAC;AAEX,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACpC,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,uBAAuB,CAAC
,OAAe,EAAE,SAAiB;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,GAAG,GAAG,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IACxD,OAAO,yBAAyB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,CAAC,KAAK,CAAC;QACX,GAAG,EAAE,sDAAsD;QAC3D,GAAG,EAAE,oEAAoE;KAC1E,CAAC,CAAC;IACH,MAAM,OAAO,GAAuC,EAAE,CAAC;IAEvD,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,OAAO,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YACjD,IAAI,GAAG,KAAK,CAAC,CAAC;gBAAE,MAAM;YACtB,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC5C,WAAW,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,WAAW,CAAC;IACzC,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,kBAAkB;IACxB,aAAa,EAAE,eAAe;IAC9B,WAAW,EAAE,gEAAgE;IAC7E,eAAe,EAAE;;;;;;;;;uFASoE;IACrF,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE;IAClD,IAAI,EAAE,CAAC,YAAY,EAAE,QAAQ,EAAE,aAAa,CAAC;IAE7C,OAAO,CAAC,OAAe,EAAE,QAAgB;QACvC,IAAI,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC;QACpC,IAAI,sBAAsB,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC;QAEhD,MAAM,CAAC,KAAK,CAAC;YACX,GAAG,EAAE,yDAAyD;YAC9D,GAAG,EAAE,oEAAoE;SAC1E,CAAC,CAAC;QACH,MAAM,UAAU,GAAqB,EAAE,CAAC;QAExC,MAAM,QAAQ,GAAG,0CAA0C,CAAC,OAAO,CAAC,CAAC;QAErE,MAAM,sBAAsB,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;QACpE,KAAK,MAAM,WAAW,IAAI,sBAAsB,EAAE,CAAC;YACjD,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAChD,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;YAE3C,IAAI,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,EAAE,WAAW,CAAC,KAAK,
CAAC,CAAC;gBAC7D,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,UAAU;oBAChB,MAAM,EAAE,CAAC;oBACT,OAAO,EAAE,kDAAkD;oBAC3D,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,oJAAoJ;oBACtJ,KAAK,EAAE,WAAW,CAAC,KAAK;oBACxB,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ;iBACT,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAClD,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;YACrD,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;YAE1D,IAAI,wBAAwB,CAAC,QAAQ,CAAC,IAAI,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3F,SAAS;YACX,CAAC;YAED,IACE,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC;gBAC/C,wBAAwB,CAAC,WAAW,CAAC,EACrC,CAAC;gBACD,SAAS;YACX,CAAC;YAED,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC1D,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,UAAU;oBAChB,MAAM,EAAE,CAAC;oBACT,OAAO,EAAE,iDAAiD;oBAC1D,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,mLAAmL;oBACrL,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,IAAI,EAAE,qBAAqB;oBAC3B,QAAQ;iBACT,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC,CAAC"}
|
|
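--- a/package/dist/checks/security/__tests__/package-supply-chain-policy.test.js
+++ b/package/dist/checks/security/__tests__/package-supply-chain-policy.test.js
@@ -15,6 +15,7 @@ function writeFixture(cwd, relPath, content) {
 }
 async function runPolicy(cwd) {
 return packageSupplyChainPolicy.run(cwd, {
+fileCache,
 targetFiles: [join(cwd, 'package.json')],
 });
 }
@@ -141,6 +142,240 @@ describe('package-supply-chain-policy', () => {
 rmSync(cwd, { recursive: true, force: true });
 }
 });
+it('flags npm publish inside a shell function without provenance', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({
+name: 'shell-fn-app',
+private: true,
+packageManager: 'pnpm@11.5.1+sha512.abc123',
+}, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+writeFixture(cwd, '.github/workflows/release.yml', [
+'name: Release',
+'jobs:',
+' publish:',
+' permissions:',
+' id-token: write',
+' steps:',
+' - run: pnpm install --frozen-lockfile',
+' - run: |',
+' publish_pkg() {',
+' npm publish dist/app-1.0.0.tgz --access public',
+' }',
+' publish_pkg',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).toContain('publish-provenance-missing');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('accepts NPM_CONFIG_PROVENANCE=true on npm publish steps', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({
+name: 'env-provenance-app',
+private: true,
+packageManager: 'pnpm@11.5.1+sha512.abc123',
+}, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+writeFixture(cwd, '.github/workflows/release.yml', [
+'name: Release',
+'jobs:',
+' publish:',
+' permissions:',
+' id-token: write',
+' steps:',
+' - run: pnpm install --frozen-lockfile',
+' - run: npm publish dist/app-1.0.0.tgz --access public',
+' env:',
+' NPM_CONFIG_PROVENANCE: true',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).not.toContain('publish-provenance-missing');
+expect(types).not.toContain('publish-token-exposure');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('does not let provenance env on a previous step bless a publish step', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({
+name: 'env-provenance-wrong-step-app',
+private: true,
+packageManager: 'pnpm@11.5.1+sha512.abc123',
+}, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+writeFixture(cwd, '.github/workflows/release.yml', [
+'name: Release',
+'jobs:',
+' publish:',
+' permissions:',
+' id-token: write',
+' steps:',
+' - run: pnpm install --frozen-lockfile',
+' env:',
+' NPM_CONFIG_PROVENANCE: true',
+' - run: npm publish dist/app-1.0.0.tgz --access public',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).toContain('publish-provenance-missing');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('flags unsafe dependency automation automerge for major updates', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({
+name: 'deps-app',
+private: true,
+packageManager: 'pnpm@11.5.1+sha512.abc123',
+}, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+writeFixture(cwd, '.github/dependabot.yml', [
+'version: 2',
+'updates:',
+' - package-ecosystem: npm',
+' directory: /',
+' schedule:',
+' interval: daily',
+' automerge: true',
+' update-types:',
+' - major',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).toContain('dependency-automation-unsafe-automerge');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('flags dependency automation that disables npm update surfaces', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({ name: 'deps-app', private: true, packageManager: 'pnpm@11.5.1+sha512.abc123' }, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+// `enabled: false` for the npm ecosystem opts the repo out of dependency updates.
+writeFixture(cwd, '.github/dependabot.yml', [
+'version: 2',
+'updates:',
+' - enabled: false',
+' package-ecosystem: npm',
+' directory: /',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).toContain('dependency-automation-disabled-updates');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('does not flag a clean weekly dependency automation config', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({ name: 'deps-app', private: true, packageManager: 'pnpm@11.5.1+sha512.abc123' }, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+writeFixture(cwd, '.github/dependabot.yml', [
+'version: 2',
+'updates:',
+' - package-ecosystem: npm',
+' directory: /',
+' schedule:',
+' interval: weekly',
+' open-pull-requests-limit: 10',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types.some((t) => String(t).startsWith('dependency-automation-'))).toBe(false);
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
+it('does not emit a consumer-verification violation for ordinary projects', async () => {
+const cwd = makeProject();
+try {
+writeFixture(cwd, 'package.json', JSON.stringify({
+name: 'consumer-gap-app',
+private: true,
+packageManager: 'pnpm@11.5.1+sha512.abc123',
+}, null, 2));
+writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
+writeFixture(cwd, 'pnpm-workspace.yaml', [
+'packages:',
+' - "."',
+'allowBuilds:',
+' esbuild: false',
+'minimumReleaseAge: 1440',
+'minimumReleaseAgeStrict: true',
+].join('\n'));
+const result = await runPolicy(cwd);
+const types = result.signals.map((signal) => signal.metadata.type);
+expect(types).not.toContain('consumption-verification-missing');
+}
+finally {
+rmSync(cwd, { recursive: true, force: true });
+}
+});
 it('still flags a publish token when the workflow has no dist-tag justification', async () => {
 const cwd = makeProject();
 try {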
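Review bot: Each of the seven new `it(...)` blocks in the second hunk repeats the same baseline fixture — the private `package.json` with `packageManager: 'pnpm@11.5.1+sha512.abc123'`, the `pnpm-lock.yaml` stub and the six-line `pnpm-workspace.yaml` — so the policy preconditions the tests depend on (`allowBuilds`, `minimumReleaseAge`, `minimumReleaseAgeStrict`) are now encoded in seven places and any future change to them has to be repeated in each. A small `writeBaselineProject(cwd, name)` helper next to `writeFixture` would leave each test with only the file that drives its assertion (the workflow or `dependabot.yml`), which also makes the negative cases like 'does not emit a consumer-verification violation for ordinary projects' read as "baseline only, nothing else". The `fileCache` now passed to `run` in the first hunk is declared outside the hunk; if it is a module-level cache shared across tests, a short comment on that line saying where it is reset between tests would save the next reader a search. The `describe` block and the final `it` are cut at the hunk edges.
```javascript
// Baseline private pnpm project every policy test starts from; each test
// then adds only the file under test (release workflow or dependabot.yml).
function writeBaselineProject(cwd, name) {
  writeFixture(cwd, 'package.json', JSON.stringify({
    name,
    private: true,
    packageManager: 'pnpm@11.5.1+sha512.abc123',
  }, null, 2));
  writeFixture(cwd, 'pnpm-lock.yaml', ["lockfileVersion: '9.0'", 'packages: {}'].join('\n'));
  writeFixture(cwd, 'pnpm-workspace.yaml', [
    'packages:',
    ' - "."',
    'allowBuilds:',
    ' esbuild: false',
    'minimumReleaseAge: 1440',
    'minimumReleaseAgeStrict: true',
  ].join('\n'));
}
// … unchanged: runPolicy, existing tests …
it('flags npm publish inside a shell function without provenance', async () => {
  const cwd = makeProject();
  try {
    writeBaselineProject(cwd, 'shell-fn-app');
    // … unchanged: release.yml fixture, runPolicy call, assertions, cleanup …
```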
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"package-supply-chain-policy.test.js","sourceRoot":"","sources":["../../../../src/checks/security/__tests__/package-supply-chain-policy.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAE7E,SAAS,WAAW;IAClB,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,OAAe;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/B,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW;IAClC,OAAO,wBAAwB,CAAC,GAAG,CAAC,GAAG,EAAE;QACvC,WAAW,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;KACzC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,SAAS,CAAC,KAAK,EAAE,CAAC;AACpB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;gBAC3C,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACjC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,gBAAgB,EAChB;gBACE,wBAAwB;gBACxB,WAAW;gBACX,eAAe;gBACf,2CAA2C;aAC5C,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;gBAC/B,2CAA2C;gBAC3C,2BAA2B;gBAC3B,sBAAsB;gBACtB,0BAA0B;aAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,0BAA0B,EAC1B;gBACE,UAAU;gBACV,OAAO;gBACP,SAAS;gBACT,YAAY;gBACZ,6CAA6C;aAC9C,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,
CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sFAAsF,EAAE,KAAK,IAAI,EAAE;QACpG,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,OAAO;gBAChB,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,EAAE;gBACzC,YAAY,EAAE,EAAE,UAAU,EAAE,yBAAyB,EAAE;aACxD,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,YAAY;gBACZ,0BAA0B;gBAC1B,0BAA0B;gBAC1B,cAAc;gBACd,qDAAqD;aACtD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;YACjD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;YAC3D,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,6DAA6D;YAC7D,uEAAuE;YACvE,oDAAoD;YACpD,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAA
e;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,uDAAuD;gBACvD,gDAAgD;gBAChD,cAAc;gBACd,qDAAqD;gBACrD,mDAAmD;aACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;YAC/D,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QAC5D,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,2DAA2D;YAC3D,yEAAyE;YACzE,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,uDAAuD;gBACvD,cAAc;gBACd,qDAAqD;aACtD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,aAAa;aAC9B,EACD,IAA
I,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACrF,YAAY,CACV,GAAG,EACH,mBAAmB,EACnB,IAAI,CAAC,SAAS,CACZ;gBACE,eAAe,EAAE,CAAC;gBAClB,QAAQ,EAAE;oBACR,kBAAkB,EAAE;wBAClB,OAAO,EAAE,OAAO;wBAChB,QAAQ,EAAE,gDAAgD;qBAC3D;iBACF;aACF,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,0BAA0B,EAC1B,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,qBAAqB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACjF,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAC9D,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"package-supply-chain-policy.test.js","sourceRoot":"","sources":["../../../../src/checks/security/__tests__/package-supply-chain-policy.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEzD,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAE7E,SAAS,WAAW;IAClB,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,OAAe;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/B,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW;IAClC,OAAO,wBAAwB,CAAC,GAAG,CAAC,GAAG,EAAE;QACvC,SAAS;QACT,WAAW,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;KACzC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,CAAC,GAAG,EAAE;IACb,SAAS,CAAC,KAAK,EAAE,CAAC;AACpB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;gBAC3C,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;aACjC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,gBAAgB,EAChB;gBACE,wBAAwB;gBACxB,WAAW;gBACX,eAAe;gBACf,2CAA2C;aAC5C,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;gBAC/B,2CAA2C;gBAC3C,2BAA2B;gBAC3B,sBAAsB;gBACtB,0BAA0B;aAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,0BAA0B,EAC1B;gBACE,UAAU;gBACV,OAAO;gBACP,SAAS;gBACT,YAAY;gBACZ,6CAA6C;aAC9C,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,
CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sFAAsF,EAAE,KAAK,IAAI,EAAE;QACpG,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,OAAO;gBAChB,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,EAAE;gBACzC,YAAY,EAAE,EAAE,UAAU,EAAE,yBAAyB,EAAE;aACxD,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,YAAY;gBACZ,0BAA0B;gBAC1B,0BAA0B;gBAC1B,cAAc;gBACd,qDAAqD;aACtD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;YAC5C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;YACpD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;YACjD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;YAC3D,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,6DAA6D;YAC7D,uEAAuE;YACvE,oDAAoD;YACpD,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B
;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,uDAAuD;gBACvD,gDAAgD;gBAChD,cAAc;gBACd,qDAAqD;gBACrD,mDAAmD;aACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;YACtD,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;YAC/D,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QAC5D,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,gBAAgB;gBAChB,2BAA2B;gBAC3B,4DAA4D;gBAC5D,aAAa;gBACb,uBAAuB;aACxB,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QACxD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B
;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,6DAA6D;gBAC7D,cAAc;gBACd,uCAAuC;aACxC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;YAC1D,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACxD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,+BAA+B;gBACrC,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,cAAc;gBACd,uCAAuC;gBACvC,6DAA6D;aAC9D,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QACxD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,E
AAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,wBAAwB,EACxB;gBACE,YAAY;gBACZ,UAAU;gBACV,4BAA4B;gBAC5B,kBAAkB;gBAClB,eAAe;gBACf,uBAAuB;gBACvB,qBAAqB;gBACrB,mBAAmB;gBACnB,eAAe;aAChB,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wCAAwC,CAAC,CAAC;QACpE,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,2BAA2B,EAAE,EAChF,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,kFAAkF;YAClF,YAAY,CACV,GAAG,EACH,wBAAwB,EACxB;gBACE,YAAY;gBACZ,UAAU;gBACV,oBAAoB;gBACpB,4BAA4B;gBAC5B,kBAAkB;aACnB,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wCAAwC,CAAC,CAAC;QACpE,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,K
AAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,2BAA2B,EAAE,EAChF,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,YAAY,CACV,GAAG,EACH,wBAAwB,EACxB;gBACE,YAAY;gBACZ,UAAU;gBACV,4BAA4B;gBAC5B,kBAAkB;gBAClB,eAAe;gBACf,wBAAwB;gBACxB,kCAAkC;aACnC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACxF,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAClE,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI
,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,2BAA2B;aAC5C,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,wBAAwB,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3F,YAAY,CACV,GAAG,EACH,qBAAqB,EACrB;gBACE,WAAW;gBACX,SAAS;gBACT,cAAc;gBACd,kBAAkB;gBAClB,yBAAyB;gBACzB,+BAA+B;aAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YACF,2DAA2D;YAC3D,yEAAyE;YACzE,YAAY,CACV,GAAG,EACH,+BAA+B,EAC/B;gBACE,eAAe;gBACf,OAAO;gBACP,YAAY;gBACZ,kBAAkB;gBAClB,uBAAuB;gBACvB,YAAY;gBACZ,6CAA6C;gBAC7C,uDAAuD;gBACvD,cAAc;gBACd,qDAAqD;aACtD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,YAAY,CACV,GAAG,EACH,cAAc,EACd,IAAI,CAAC,SAAS,CACZ;gBACE,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,IAAI;gBACb,cAAc,EAAE,aAAa;aAC9B,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACrF,YAAY,CACV,GAAG,EACH,mBAAmB,EACnB,IAAI,CAAC,SAAS,CACZ;gBACE,eAAe,EAAE,CAAC;gBAClB,QAAQ,EAAE;oBACR,kBAAkB,EAAE;wBAClB,OAAO,EAAE,OAAO;wBAChB,QAAQ,EAAE,gDAAgD;qBAC3D;iBACF;aACF,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,YAAY,CACV,GAAG,EACH,0BAA0B,EAC1B,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,qBAAqB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACjF,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC
nE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAC9D,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"package-supply-chain-policy.d.ts","sourceRoot":"","sources":["../../../src/checks/security/package-supply-chain-policy.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"package-supply-chain-policy.d.ts","sourceRoot":"","sources":["../../../src/checks/security/package-supply-chain-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,EAAe,KAAK,cAAc,EAAE,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AA2qB3F,wBAAsB,+BAA+B,CACnD,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,cAAc,EAAE,CAAC,CAgB3B;AAED,eAAO,MAAM,wBAAwB,sCA8BnC,CAAC"}
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
// @fitness-ignore-file unbounded-memory -- reads small repository config files (package.json, lockfiles, workflows); bounded by standard project metadata size
|
|
2
1
|
/**
|
|
3
2
|
* @fileoverview Package supply-chain policy check
|
|
4
3
|
*
|
|
@@ -417,6 +416,45 @@ function isMutableInstallLine(line) {
|
|
|
417
416
|
(/\bpnpm\s+(?:install|i)\b/.test(line) && !line.includes('--frozen-lockfile')) ||
|
|
418
417
|
(/\bbun\s+install\b/.test(line) && !line.includes('--frozen-lockfile')));
|
|
419
418
|
}
|
|
419
|
+
const WORKFLOW_STEP_START_RE = /^\s*-\s+(?:name|run|uses|id|if|env|with|shell|working-directory|continue-on-error|timeout-minutes):/;
|
|
420
|
+
function splitWorkflowSteps(content) {
|
|
421
|
+
const lines = content.split('\n');
|
|
422
|
+
const steps = [];
|
|
423
|
+
let current = [];
|
|
424
|
+
for (const line of lines) {
|
|
425
|
+
if (WORKFLOW_STEP_START_RE.test(line) && current.length > 0) {
|
|
426
|
+
steps.push(current.join('\n'));
|
|
427
|
+
current = [line];
|
|
428
|
+
continue;
|
|
429
|
+
}
|
|
430
|
+
current.push(line);
|
|
431
|
+
}
|
|
432
|
+
if (current.length > 0)
|
|
433
|
+
steps.push(current.join('\n'));
|
|
434
|
+
return steps;
|
|
435
|
+
}
|
|
436
|
+
function executableStepText(step) {
|
|
437
|
+
return step
|
|
438
|
+
.split('\n')
|
|
439
|
+
.filter((line) => !line.trimStart().startsWith('#'))
|
|
440
|
+
.join('\n');
|
|
441
|
+
}
|
|
442
|
+
function extractPublishBlocks(workflowContent) {
|
|
443
|
+
const blocks = [];
|
|
444
|
+
for (const step of splitWorkflowSteps(workflowContent)) {
|
|
445
|
+
const executable = executableStepText(step);
|
|
446
|
+
if (/\bnpm\s+publish\b/.test(executable)) {
|
|
447
|
+
blocks.push(executable);
|
|
448
|
+
}
|
|
449
|
+
}
|
|
450
|
+
return blocks;
|
|
451
|
+
}
|
|
452
|
+
function publishBlockHasProvenance(block) {
|
|
453
|
+
return /(--provenance|NPM_CONFIG_PROVENANCE\s*[:=]\s*true|provenance:\s*true)/.test(block);
|
|
454
|
+
}
|
|
455
|
+
function publishBlockReferencesLongLivedToken(block) {
|
|
456
|
+
return /\bnpm\s+publish\b/.test(block) && /(NPM_TOKEN|NODE_AUTH_TOKEN)/.test(block);
|
|
457
|
+
}
|
|
420
458
|
function checkFrozenCiInstalls(snapshot, violations) {
|
|
421
459
|
if (snapshot.workflows.length === 0)
|
|
422
460
|
return;
|
|
@@ -463,37 +501,83 @@ function checkTrustedPublishing(snapshot, violations) {
|
|
|
463
501
|
line: lineOf(workflow.content, 'npm publish'),
|
|
464
502
|
});
|
|
465
503
|
}
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
// a release-candidate tag to `latest`) is the legitimate, OIDC-uncovered
|
|
480
|
-
// exception, so we do not flag its token. We still flag token-based
|
|
481
|
-
// publish (a token with no `id-token: write`) and a token alongside
|
|
482
|
-
// `npm publish` with no `npm dist-tag` justification.
|
|
483
|
-
const usesDistTag = /\bnpm\s+dist-tag\b/.test(workflow.content);
|
|
484
|
-
const usesOidc = /id-token:\s*write/.test(workflow.content);
|
|
485
|
-
if (!(usesDistTag && usesOidc)) {
|
|
504
|
+
const publishBlocks = extractPublishBlocks(workflow.content);
|
|
505
|
+
for (const block of publishBlocks) {
|
|
506
|
+
if (!publishBlockHasProvenance(block)) {
|
|
507
|
+
pushViolation(violations, {
|
|
508
|
+
filePath: workflow.filePath,
|
|
509
|
+
type: 'publish-provenance-missing',
|
|
510
|
+
message: `${workflow.relPath} publishes to npm without explicit provenance in an npm publish step`,
|
|
511
|
+
suggestion: 'Publish with npm trusted publishing and --provenance (or NPM_CONFIG_PROVENANCE=true) on every npm publish command, including commands inside shell functions. Producer provenance is distinct from consumption-side verification by installers/loaders.',
|
|
512
|
+
severity: 'error',
|
|
513
|
+
line: lineOf(workflow.content, 'npm publish'),
|
|
514
|
+
});
|
|
515
|
+
}
|
|
516
|
+
if (publishBlockReferencesLongLivedToken(block)) {
|
|
486
517
|
pushViolation(violations, {
|
|
487
518
|
filePath: workflow.filePath,
|
|
488
519
|
type: 'publish-token-exposure',
|
|
489
|
-
message: `${workflow.relPath} references a long-lived npm publish
|
|
490
|
-
suggestion: 'Prefer npm trusted publishing/OIDC
|
|
520
|
+
message: `${workflow.relPath} references a long-lived npm token in an npm publish step`,
|
|
521
|
+
suggestion: 'Prefer npm trusted publishing/OIDC for npm publish. A token confined to `npm dist-tag` promotion in an OIDC workflow is acceptable (OIDC does not cover dist-tag).',
|
|
522
|
+
severity: 'error',
|
|
491
523
|
line: lineOf(workflow.content, /NPM_TOKEN|NODE_AUTH_TOKEN/),
|
|
492
524
|
});
|
|
493
525
|
}
|
|
494
526
|
}
|
|
495
527
|
}
|
|
496
528
|
}
|
|
529
|
+
function checkDependencyAutomation(snapshot, violations) {
|
|
530
|
+
const rootDir = snapshot.rootDir;
|
|
531
|
+
const dependabotPath = path.join(rootDir, '.github/dependabot.yml');
|
|
532
|
+
const renovatePath = path.join(rootDir, 'renovate.json');
|
|
533
|
+
const dependabotContent = readIfExists(dependabotPath);
|
|
534
|
+
const renovateContent = readIfExists(renovatePath);
|
|
535
|
+
if (!dependabotContent && !renovateContent)
|
|
536
|
+
return;
|
|
537
|
+
if (dependabotContent && renovateContent) {
|
|
538
|
+
pushViolation(violations, {
|
|
539
|
+
filePath: dependabotPath,
|
|
540
|
+
type: 'dependency-automation-conflict',
|
|
541
|
+
message: 'Both dependabot.yml and renovate.json are present',
|
|
542
|
+
suggestion: 'Choose one dependency automation tool (Dependabot or Renovate), not both.',
|
|
543
|
+
severity: 'error',
|
|
544
|
+
});
|
|
545
|
+
return;
|
|
546
|
+
}
|
|
547
|
+
const content = dependabotContent ?? renovateContent ?? '';
|
|
548
|
+
const filePath = dependabotContent ? dependabotPath : renovatePath;
|
|
549
|
+
if (/automerge:\s*true/i.test(content) && /update-types:[\s\S]*major/i.test(content)) {
|
|
550
|
+
pushViolation(violations, {
|
|
551
|
+
filePath,
|
|
552
|
+
type: 'dependency-automation-unsafe-automerge',
|
|
553
|
+
message: 'Dependency automation enables automerge for major updates',
|
|
554
|
+
suggestion: 'Require maintainer review for major runtime dependency updates.',
|
|
555
|
+
severity: 'error',
|
|
556
|
+
});
|
|
557
|
+
}
|
|
558
|
+
if (/automergeType:\s*["']?all["']?/i.test(content)) {
|
|
559
|
+
pushViolation(violations, {
|
|
560
|
+
filePath,
|
|
561
|
+
type: 'dependency-automation-unsafe-automerge',
|
|
562
|
+
message: 'Dependency automation enables automergeType: all',
|
|
563
|
+
suggestion: 'Do not automerge dependency updates in this repo.',
|
|
564
|
+
severity: 'error',
|
|
565
|
+
});
|
|
566
|
+
}
|
|
567
|
+
// Disabling the npm/GitHub-Actions update surface (or ignoring everything)
|
|
568
|
+
// silently opts the repo out of dependency hygiene — mirror verify-supply-chain
|
|
569
|
+
// check 6 so the reusable check enforces the same policy.
|
|
570
|
+
if (/ignore:\s*\[\s*\*/.test(content) ||
|
|
571
|
+
/enabled:\s*false[\s\S]*package-ecosystem:\s*npm/i.test(content)) {
|
|
572
|
+
pushViolation(violations, {
|
|
573
|
+
filePath,
|
|
574
|
+
type: 'dependency-automation-disabled-updates',
|
|
575
|
+
message: 'Dependency automation disables npm dependency updates',
|
|
576
|
+
suggestion: 'Keep npm dependency updates enabled — avoid `ignore: ["*"]` or `enabled: false` for the npm ecosystem.',
|
|
577
|
+
severity: 'error',
|
|
578
|
+
});
|
|
579
|
+
}
|
|
580
|
+
}
|
|
497
581
|
export async function analyzePackageSupplyChainPolicy(files) {
|
|
498
582
|
const snapshot = await buildSnapshot(files);
|
|
499
583
|
if (!snapshot)
|
|
@@ -508,6 +592,7 @@ export async function analyzePackageSupplyChainPolicy(files) {
|
|
|
508
592
|
checkMinimumReleaseAge(snapshot, violations);
|
|
509
593
|
checkFrozenCiInstalls(snapshot, violations);
|
|
510
594
|
checkTrustedPublishing(snapshot, violations);
|
|
595
|
+
checkDependencyAutomation(snapshot, violations);
|
|
511
596
|
return violations;
|
|
512
597
|
}
|
|
513
598
|
export const packageSupplyChainPolicy = defineCheck({
|
|
@@ -528,7 +613,10 @@ export const packageSupplyChainPolicy = defineCheck({
|
|
|
528
613
|
- Install-time lifecycle scripts and missing install-script allowlists
|
|
529
614
|
- Missing dependency release-age gates
|
|
530
615
|
- CI install commands that can rewrite lockfiles
|
|
531
|
-
- npm publish workflows that lack OIDC/provenance or still use long-lived tokens (a token confined to \`npm dist-tag\` promotion in an OIDC publish workflow is exempt — OIDC covers \`npm publish\`, not \`npm dist-tag\`)
|
|
616
|
+
- npm publish workflows that lack OIDC/provenance or still use long-lived tokens in \`npm publish\` steps (a token confined to \`npm dist-tag\` promotion in an OIDC publish workflow is exempt — OIDC covers \`npm publish\`, not \`npm dist-tag\`)
|
|
617
|
+
- Unsafe dependency-automation automerge settings when Dependabot/Renovate config is present
|
|
618
|
+
|
|
619
|
+
**Producer vs consumer provenance:** this check enforces **producer-side** publish workflow posture. **Consumption-side** verification (install/load provenance for third-party packages) is a separate trust policy and is not enforced by this check.
|
|
532
620
|
|
|
533
621
|
**Why it matters:** Modern npm-family attacks often execute during installation, exploit fresh compromised versions before takedown, or bypass weakened lockfile/install-script policy. These checks keep the project in a fail-closed posture before dependency code runs in CI or developer machines.
|
|
534
622
|
|
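Review bot: The dependency-automation patterns in checkDependencyAutomation (new lines 549, 558 and 570–571) only match an unquoted YAML key written directly before the colon, so when `content` comes from `renovate.json` — where the key appears as `"automerge": true` — none of them can fire, and `/ignore:\s*\[\s*\*/` also misses the `ignore: ["*"]` form that the violation's own suggestion names. Allowing an optional quote around the key and before the `*` covers both files: `/["']?automerge["']?\s*:\s*true/i`, `/["']?automergeType["']?\s*:\s*["']?all["']?/i` and `/["']?ignore["']?\s*:\s*\[\s*["']?\*/`, with the same treatment for the `enabled:` pattern; the visible test in the first section of this diff would still pass because it exercises only the non-matching case. Separately, extractPublishBlocks scans one step at a time, so a `NPM_CONFIG_PROVENANCE: true` or `NODE_AUTH_TOKEN` set in a job-level or workflow-level `env:` block is never seen by publishBlockHasProvenance or publishBlockReferencesLongLivedToken, which presumably yields a spurious provenance-missing violation in the first case and a missed token in the second; carrying the enclosing job's `env:` text into each block, or falling back to `workflow.content` for the provenance test, would restore that context. checkTrustedPublishing begins before its hunk, so `workflow` is assumed to be the same per-file object the removed lines used.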