@pnpm/deps.compliance.audit 1002.0.14

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2016 Rico Sta. Cruz and other contributors
+Copyright (c) 2016-2026 Zoltan Kochan and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,15 @@
+# @pnpm/audit
+
+> Audit a lockfile
+
+[![npm version](https://img.shields.io/npm/v/@pnpm/audit.svg)](https://www.npmjs.com/package/@pnpm/audit)
+
+## Installation
+
+```sh
+pnpm add @pnpm/audit
+```
+
+## License
+
+MIT

package/lib/index.d.ts

@@ -0,0 +1,22 @@
+import { PnpmError } from '@pnpm/error';
+import type { GetAuthHeader } from '@pnpm/fetching.types';
+import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types';
+import { type AgentOptions, type RetryTimeoutOptions } from '@pnpm/network.fetch';
+import type { DependenciesField } from '@pnpm/types';
+import type { AuditReport } from './types.js';
+export * from './types.js';
+export declare function audit(lockfile: LockfileObject, getAuthHeader: GetAuthHeader, opts: {
+    agentOptions?: AgentOptions;
+    envLockfile?: EnvLockfile | null;
+    include?: {
+        [dependenciesField in DependenciesField]: boolean;
+    };
+    lockfileDir: string;
+    registry: string;
+    retry?: RetryTimeoutOptions;
+    timeout?: number;
+    virtualStoreDirMaxLength: number;
+}): Promise<AuditReport>;
+export declare class AuditEndpointNotExistsError extends PnpmError {
+    constructor(endpoint: string);
+}

package/lib/index.js

@@ -0,0 +1,52 @@
+import { PnpmError } from '@pnpm/error';
+import { fetchWithAgent } from '@pnpm/network.fetch';
+import { lockfileToAuditTree } from './lockfileToAuditTree.js';
+export * from './types.js';
+export async function audit(lockfile, getAuthHeader, opts) {
+    const auditTree = await lockfileToAuditTree(lockfile, { envLockfile: opts.envLockfile, include: opts.include, lockfileDir: opts.lockfileDir });
+    const registry = opts.registry.endsWith('/') ? opts.registry : `${opts.registry}/`;
+    const auditUrl = `${registry}-/npm/v1/security/audits`;
+    const quickAuditUrl = `${registry}-/npm/v1/security/audits/quick`;
+    const authHeaderValue = getAuthHeader(registry);
+    const requestBody = JSON.stringify(auditTree);
+    const requestHeaders = {
+        'Content-Type': 'application/json',
+        ...getAuthHeaders(authHeaderValue),
+    };
+    const requestOptions = {
+        agentOptions: opts.agentOptions ?? {},
+        body: requestBody,
+        headers: requestHeaders,
+        method: 'POST',
+        retry: opts.retry,
+        timeout: opts.timeout,
+    };
+    const quickRes = await fetchWithAgent(quickAuditUrl, requestOptions);
+    if (quickRes.status === 200) {
+        return quickRes.json();
+    }
+    const res = await fetchWithAgent(auditUrl, requestOptions);
+    if (res.status === 200) {
+        return res.json();
+    }
+    if (quickRes.status === 404 && res.status === 404) {
+        throw new AuditEndpointNotExistsError(quickAuditUrl);
+    }
+    throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${quickAuditUrl}) responded with ${quickRes.status}: ${await quickRes.text()}. Fallback endpoint (at ${auditUrl}) responded with ${res.status}: ${await res.text()}`);
+}
+function getAuthHeaders(authHeaderValue) {
+    const headers = {};
+    if (authHeaderValue) {
+        headers['authorization'] = authHeaderValue;
+    }
+    return headers;
+}
+export class AuditEndpointNotExistsError extends PnpmError {
+    constructor(endpoint) {
+        const message = `The audit endpoint (at ${endpoint}) is doesn't exist.`;
+        super('AUDIT_ENDPOINT_NOT_EXISTS', message, {
+            hint: 'This issue is probably because you are using a private npm registry and that endpoint doesn\'t have an implementation of audit.',
+        });
+    }
+}
+//# sourceMappingURL=index.js.map

package/lib/lockfileToAuditTree.d.ts

@@ -0,0 +1,24 @@
+import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types';
+import type { DependenciesField } from '@pnpm/types';
+export interface AuditNode {
+    version?: string;
+    integrity?: string;
+    requires?: Record<string, string>;
+    dependencies?: {
+        [name: string]: AuditNode;
+    };
+    dev: boolean;
+}
+export interface AuditTree extends AuditNode {
+    name?: string;
+    install: string[];
+    remove: string[];
+    metadata: unknown;
+}
+export declare function lockfileToAuditTree(lockfile: LockfileObject, opts: {
+    envLockfile?: EnvLockfile | null;
+    include?: {
+        [dependenciesField in DependenciesField]: boolean;
+    };
+    lockfileDir: string;
+}): Promise<AuditTree>;

package/lib/lockfileToAuditTree.js

@@ -0,0 +1,93 @@
+import path from 'node:path';
+import { DepType, detectDepTypes } from '@pnpm/lockfile.detect-dep-types';
+import { convertToLockfileObject } from '@pnpm/lockfile.fs';
+import { nameVerFromPkgSnapshot } from '@pnpm/lockfile.utils';
+import { lockfileWalkerGroupImporterSteps } from '@pnpm/lockfile.walker';
+import { safeReadProjectManifestOnly } from '@pnpm/workspace.project-manifest-reader';
+import { map as mapValues } from 'ramda';
+export async function lockfileToAuditTree(lockfile, opts) {
+    const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, Object.keys(lockfile.importers), { include: opts?.include });
+    const dependencies = {};
+    const depTypes = detectDepTypes(lockfile);
+    await Promise.all(importerWalkers.map(async (importerWalker) => {
+        const importerDeps = lockfileToAuditNode(depTypes, importerWalker.step);
+        // For some reason the registry responds with 500 if the keys in dependencies have slashes
+        // see issue: https://github.com/pnpm/pnpm/issues/2848
+        const depName = importerWalker.importerId.replace(/\//g, '__');
+        const manifest = await safeReadProjectManifestOnly(path.join(opts.lockfileDir, importerWalker.importerId));
+        dependencies[depName] = {
+            dependencies: importerDeps,
+            dev: false,
+            requires: toRequires(importerDeps),
+            version: manifest?.version ?? '0.0.0',
+        };
+    }));
+    if (opts.envLockfile) {
+        const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile);
+        const envDepTypes = detectDepTypes(envLockfileObject);
+        for (const { importerId, step } of lockfileWalkerGroupImporterSteps(envLockfileObject, Object.keys(envLockfileObject.importers), { include: opts.include })) {
+            const deps = lockfileToAuditNode(envDepTypes, step);
+            if (Object.keys(deps).length > 0) {
+                dependencies[importerId] = wrapDepsGroup(deps);
+            }
+        }
+    }
+    const auditTree = {
+        name: undefined,
+        version: undefined,
+        dependencies,
+        dev: false,
+        install: [],
+        integrity: undefined,
+        metadata: {},
+        remove: [],
+        requires: toRequires(dependencies),
+    };
+    return auditTree;
+}
+function lockfileToAuditNode(depTypes, step) {
+    const dependencies = {};
+    for (const { depPath, pkgSnapshot, next } of step.dependencies) {
+        const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot);
+        const subdeps = lockfileToAuditNode(depTypes, next());
+        const dep = {
+            dev: depTypes[depPath] === DepType.DevOnly,
+            integrity: pkgSnapshot.resolution.integrity,
+            version,
+        };
+        if (Object.keys(subdeps).length > 0) {
+            dep.dependencies = subdeps;
+            dep.requires = toRequires(subdeps);
+        }
+        dependencies[name] = dep;
+    }
+    return dependencies;
+}
+function toRequires(auditNodesByDepName) {
+    return mapValues((auditNode) => auditNode.version, auditNodesByDepName);
+}
+function wrapDepsGroup(deps) {
+    return {
+        dependencies: deps,
+        dev: false,
+        requires: toRequires(deps),
+        version: '0.0.0',
+    };
+}
+function envLockfileToLockfileObject(envLockfile) {
+    const envImporter = envLockfile.importers['.'];
+    const importers = {};
+    if (Object.keys(envImporter.configDependencies).length > 0) {
+        importers['configDependencies'] = { dependencies: envImporter.configDependencies };
+    }
+    if (envImporter.packageManagerDependencies) {
+        importers['packageManagerDependencies'] = { dependencies: envImporter.packageManagerDependencies };
+    }
+    return convertToLockfileObject({
+        lockfileVersion: envLockfile.lockfileVersion,
+        importers,
+        packages: envLockfile.packages,
+        snapshots: envLockfile.snapshots,
+    });
+}
+//# sourceMappingURL=lockfileToAuditTree.js.map

package/lib/types.d.ts

@@ -0,0 +1,88 @@
+export interface AuditVulnerabilityCounts {
+    info: number;
+    low: number;
+    moderate: number;
+    high: number;
+    critical: number;
+}
+export interface IgnoredAuditVulnerabilityCounts {
+    low: number;
+    moderate: number;
+    high: number;
+    critical: number;
+}
+export interface AuditResolution {
+    id: number;
+    path: string;
+    dev: boolean;
+    optional: boolean;
+    bundled: boolean;
+}
+export interface AuditAction {
+    action: string;
+    module: string;
+    target: string;
+    isMajor: boolean;
+    resolves: AuditResolution[];
+}
+export type AuditLevelString = 'low' | 'moderate' | 'high' | 'critical';
+export type AuditLevelNumber = 0 | 1 | 2 | 3;
+export interface AuditAdvisory {
+    findings: [
+        {
+            version: string;
+            paths: string[];
+            dev: boolean;
+            optional: boolean;
+            bundled: boolean;
+        }
+    ];
+    id: number;
+    created: string;
+    updated: string;
+    deleted?: boolean;
+    title: string;
+    found_by: {
+        name: string;
+    };
+    reported_by: {
+        name: string;
+    };
+    module_name: string;
+    cves: string[];
+    vulnerable_versions: string;
+    patched_versions: string;
+    overview: string;
+    recommendation: string;
+    references: string;
+    access: string;
+    severity: AuditLevelString;
+    cwe: string;
+    github_advisory_id: string;
+    metadata: {
+        module_type: string;
+        exploitability: number;
+        affected_components: string;
+    };
+    url: string;
+}
+export interface AuditMetadata {
+    vulnerabilities: AuditVulnerabilityCounts;
+    dependencies: number;
+    devDependencies: number;
+    optionalDependencies: number;
+    totalDependencies: number;
+}
+export interface AuditReport {
+    actions: AuditAction[];
+    advisories: {
+        [id: string]: AuditAdvisory;
+    };
+    muted: unknown[];
+    metadata: AuditMetadata;
+}
+export interface AuditActionRecommendation {
+    cmd: string;
+    isBreaking: boolean;
+    action: AuditAction;
+}

package/lib/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@pnpm/deps.compliance.audit",
+  "version": "1002.0.14",
+  "description": "Audit a lockfile",
+  "keywords": [
+    "pnpm",
+    "pnpm11",
+    "audit"
+  ],
+  "license": "MIT",
+  "funding": "https://opencollective.com/pnpm",
+  "repository": "https://github.com/pnpm/pnpm/tree/main/deps/compliance/audit",
+  "homepage": "https://github.com/pnpm/pnpm/tree/main/deps/compliance/audit#readme",
+  "bugs": {
+    "url": "https://github.com/pnpm/pnpm/issues"
+  },
+  "type": "module",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "exports": {
+    ".": "./lib/index.js"
+  },
+  "files": [
+    "lib",
+    "!*.map"
+  ],
+  "dependencies": {
+    "ramda": "npm:@pnpm/ramda@0.28.1",
+    "@pnpm/error": "1000.0.5",
+    "@pnpm/fetching.types": "1000.2.0",
+    "@pnpm/lockfile.fs": "1001.1.21",
+    "@pnpm/lockfile.detect-dep-types": "1001.0.16",
+    "@pnpm/lockfile.types": "1002.0.2",
+    "@pnpm/lockfile.walker": "1001.0.16",
+    "@pnpm/network.fetch": "1000.2.6",
+    "@pnpm/types": "1000.9.0",
+    "@pnpm/lockfile.utils": "1003.0.3",
+    "@pnpm/workspace.project-manifest-reader": "1001.1.4"
+  },
+  "peerDependencies": {
+    "@pnpm/logger": ">=1001.0.0 <1002.0.0"
+  },
+  "devDependencies": {
+    "@types/ramda": "0.29.12",
+    "nock": "13.3.4",
+    "@pnpm/logger": "1001.0.1",
+    "@pnpm/test-fixtures": "1000.0.0",
+    "@pnpm/deps.compliance.audit": "1002.0.14",
+    "@pnpm/constants": "1001.3.1"
+  },
+  "engines": {
+    "node": ">=22.13"
+  },
+  "jest": {
+    "preset": "@pnpm/jest-config"
+  },
+  "scripts": {
+    "lint": "eslint \"src/**/*.ts\" \"test/**/*.ts\"",
+    "_test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest",
+    "test": "pnpm run compile && pnpm run _test",
+    "compile": "tsgo --build && pnpm run lint --fix"
+  }
+}