@orangemug/oops 0.1.3 → 0.2.0

package/README.md

@@ -1,13 +1,15 @@
 # `@orangemug/oops`
+
 Have I got a compromised pacakge in my npm/pnpm/yarn cache?
 
 ## Usage
+
 Find out with `oops`
 
 ```bash
 npx @orangemug/oops --help
 # ./oops <dangerous_package_versions>
-# 
+#
 # Example: npx @orangemug/oops @ctrl/tinycolor:4.1.1 @ctrl/tinycolor:4.1.2
 ```
 
@@ -19,8 +21,12 @@ You can attach this command to a bug tracker ticket somewhere in your company/or
 > npx @orangemug/oops \
 >   @ctrl/tinycolor:4.1.1 \
 >   @ctrl/tinycolor:4.1.2
-> ``` 
+> ```
 
+The examples are from <https://orca.security/resources/blog/npm-malware-campaign-tinycolor/>
+
+It also support ranges such as `^4`
 
 ## Licence
+
 MIT

package/dist/npm/bin/index.js

@@ -3,6 +3,7 @@ import chalk from 'chalk';
 import { exec as exec$1 } from 'child_process';
 import { promisify } from 'util';
 import semver from 'semver';
+import validSemver from 'semver/ranges/valid.js';
 import minimist from 'minimist';
 
 const exec = promisify(exec$1);
@@ -28,7 +29,7 @@ async function npmDoesPackageExist(pkgName) {
 }
 async function yarnDoesPackageExist(pkgName) {
     const result = await exec(`yarn cache list --pattern ${pkgName}`);
-    const items = result.stdout.split("\n").map(line => line.split(/\s+/));
+    const items = result.stdout.split("\n").map((line) => line.split(/\s+/));
     const out = [];
     for (const item of items) {
         if (item[0] === pkgName) {
@@ -38,7 +39,7 @@ async function yarnDoesPackageExist(pkgName) {
     return out;
 }
 async function doesPackageExistInCache(pkgName, version) {
-    if (!semver.valid(version)) {
+    if (!validSemver(version)) {
         throw new Error(`Invalid version range "${version}"`);
     }
     const effectedVersions = {};
@@ -56,7 +57,7 @@ async function doesPackageExistInCache(pkgName, version) {
             }
             return 0;
         });
-        const filteredVersions = sorted.filter(pkgVersion => {
+        const filteredVersions = sorted.filter((pkgVersion) => {
             return semver.satisfies(pkgVersion, version);
         });
         effectedVersions[managerName] = filteredVersions;
@@ -68,6 +69,10 @@ async function run(packages) {
     let hasErrors = false;
     for (const pkg of packages) {
         const [pkgName, version] = pkg.split(":");
+        if (version === undefined || version === "") {
+            console.error(chalk.red(`'${pkg}' doesn't contain a version, add a version, for example '${pkg}:^2' (change the semver version)`));
+            process.exit(2);
+        }
         if (pkgName && version) {
             const output = await doesPackageExistInCache(pkgName, version);
             console.log(`${chalk.magenta(pkgName)}:${version}`);

package/dist/npm/cjs/index.js

@@ -3,6 +3,7 @@
 var child_process = require('child_process');
 var util = require('util');
 var semver = require('semver');
+var validSemver = require('semver/ranges/valid.js');
 
 const exec = util.promisify(child_process.exec);
 async function pnpmDoesPackageExist(pkgName) {
@@ -27,7 +28,7 @@ async function npmDoesPackageExist(pkgName) {
 }
 async function yarnDoesPackageExist(pkgName) {
     const result = await exec(`yarn cache list --pattern ${pkgName}`);
-    const items = result.stdout.split("\n").map(line => line.split(/\s+/));
+    const items = result.stdout.split("\n").map((line) => line.split(/\s+/));
     const out = [];
     for (const item of items) {
         if (item[0] === pkgName) {
@@ -37,7 +38,7 @@ async function yarnDoesPackageExist(pkgName) {
     return out;
 }
 async function doesPackageExistInCache(pkgName, version) {
-    if (!semver.valid(version)) {
+    if (!validSemver(version)) {
         throw new Error(`Invalid version range "${version}"`);
     }
     const effectedVersions = {};
@@ -55,7 +56,7 @@ async function doesPackageExistInCache(pkgName, version) {
             }
             return 0;
         });
-        const filteredVersions = sorted.filter(pkgVersion => {
+        const filteredVersions = sorted.filter((pkgVersion) => {
             return semver.satisfies(pkgVersion, version);
         });
         effectedVersions[managerName] = filteredVersions;

package/dist/npm/es/index.js

@@ -1,6 +1,7 @@
 import { exec as exec$1 } from 'child_process';
 import { promisify } from 'util';
 import semver from 'semver';
+import validSemver from 'semver/ranges/valid.js';
 
 const exec = promisify(exec$1);
 async function pnpmDoesPackageExist(pkgName) {
@@ -25,7 +26,7 @@ async function npmDoesPackageExist(pkgName) {
 }
 async function yarnDoesPackageExist(pkgName) {
     const result = await exec(`yarn cache list --pattern ${pkgName}`);
-    const items = result.stdout.split("\n").map(line => line.split(/\s+/));
+    const items = result.stdout.split("\n").map((line) => line.split(/\s+/));
     const out = [];
     for (const item of items) {
         if (item[0] === pkgName) {
@@ -35,7 +36,7 @@ async function yarnDoesPackageExist(pkgName) {
     return out;
 }
 async function doesPackageExistInCache(pkgName, version) {
-    if (!semver.valid(version)) {
+    if (!validSemver(version)) {
         throw new Error(`Invalid version range "${version}"`);
     }
     const effectedVersions = {};
@@ -53,7 +54,7 @@ async function doesPackageExistInCache(pkgName, version) {
             }
             return 0;
         });
-        const filteredVersions = sorted.filter(pkgVersion => {
+        const filteredVersions = sorted.filter((pkgVersion) => {
             return semver.satisfies(pkgVersion, version);
         });
         effectedVersions[managerName] = filteredVersions;

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@orangemug/oops",
   "description": "Have I got a compromised pacakge in my cache?",
+  "version": "0.2.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/orangemug/oops"
@@ -52,6 +53,5 @@
     "chalk": "^5.6.2",
     "minimist": "^1.2.8",
     "semver": "^7.7.4"
-  },
-  "version": "0.1.3"
+  }
 }