check-package-lock 1.11.0 → 1.12.0

package/.editorconfig

@@ -1,16 +1,16 @@
-; This file is for unifying the coding style for different editors and IDEs.
-; More information at https://editorconfig.org
-
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.yml]
-indent_style = space
-indent_size = 2
+; This file is for unifying the coding style for different editors and IDEs.
+; More information at https://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.yml]
+indent_style = space
+indent_size = 2

package/.gitattributes

@@ -0,0 +1,8 @@
+# all files must use unix line delimiters
+* text eol=lf
+
+# binary
+*.jpg binary
+*.webp binary
+*.heic binary
+*.png binary

package/.github/dependabot.yml

@@ -1,11 +1,16 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 10
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 10

package/.github/workflows/ci.yml

@@ -0,0 +1,95 @@
+name: CI
+
+on:
+  push:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  build:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    environment: Development
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        # https://github.com/step-security/harden-runner/releases
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        # https://github.com/actions/checkout/releases
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        # https://github.com/zizmorcore/zizmor-action/releases
+        with:
+          persona: pedantic
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run CVE Lite CLI
+        uses: OWASP/cve-lite-cli@b4a69139a2f62ec3a9a85782c146ff702055d7f2 # v1.23.1
+        # https://github.com/OWASP/cve-lite-cli/releases
+        with:
+          fail-on: critical
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        # https://github.com/actions/setup-node/releases
+        with:
+          node-version: "lts/*"
+          cache: npm
+
+      - name: Install safe-chain
+        run: curl --fail --silent --show-error --retry 3 --location https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
+
+      # this must fail if safe-chain is working
+      - name: Test safe-chain
+        run: |
+          npm safe-chain-verify
+          ! npm install safe-chain-test
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
+        # https://github.com/snyk/actions/releases
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Check line endings
+        uses: fernandrone/linelint@7907a5dca0c28ea7dd05c6d8d8cacded713aca11 # 0.0.6
+        # https://github.com/fernandrone/linelint/releases
+
+      - name: Check EOL
+        uses: AODocs/check-eol@88fd9052e8ea211254a4de371011026603a329dc # v1.1
+        # https://github.com/AODocs/check-eol/releases
+
+      - name: Lint
+        run: ./node_modules/.bin/eslint '*.js' 'test/*.js'
+
+      - name: Run tests with coverage
+        run: ./node_modules/.bin/nyc npm test
+
+      - name: Generate coverage report
+        run: ./node_modules/.bin/nyc report --reporter=text-lcov > coverage.lcov
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        # https://github.com/codecov/codecov-action/releases
+        with:
+          fail_ci_if_error: true
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

package/.github/workflows/scorecard.yml

@@ -0,0 +1,51 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '32 5 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      security-events: write # Needed to upload the results to code-scanning dashboard.
+      id-token: write # Needed to publish results and get a badge (see publish_results below).
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        # https://github.com/actions/upload-artifact/releases
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        # https://github.com/github/codeql-action/releases
+        with:
+          sarif_file: results.sarif

package/.linelint.yml

@@ -0,0 +1,10 @@
+# list of paths to ignore, uses gitignore syntaxes (executes before any rule)
+ignore:
+  - node_modules/
+rules:
+  # checks if file ends in a newline character
+  end-of-file:
+    # set to true to enable this rule
+    enable: true
+    # if true also checks if file ends in a single newline character
+    single-new-line: true

package/LICENSE

@@ -1,22 +1,21 @@
-MIT License
-
-Copyright (c) 2019 Henrik Gemal
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
+MIT License
+
+Copyright (c) 2019 Henrik Gemal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/package.json

@@ -1,49 +1,46 @@
-{
-    "name": "check-package-lock",
-    "version": "1.11.0",
-    "description": "Checks the package-lock.json file for insecure http:// links",
-    "main": "index.js",
-    "repository": {
-        "type": "git",
-        "url": "https://github.com/gemal/node-check-package-lock"
-    },
-    "scripts": {
-        "test": "mocha"
-    },
-    "type": "module",
-    "author": "Henrik Gemal <henrik@gemal.dk> (http://gemal.dk/)",
-    "license": "MIT",
-    "bin": {
-        "check-package-lock": "index.js"
-    },
-    "bugs": {
-        "url": "https://github.com/gemal/node-check-package-lock/issues"
-    },
-    "keywords": [
-        "package",
-        "package-lock",
-        "check",
-        "cli",
-        "lock",
-        "http",
-        "automate",
-        "ci"
-    ],
-    "homepage": "https://github.com/gemal/node-check-package-lock",
-    "dependencies": {
-        "commander": "^12.1.0"
-    },
-    "devDependencies": {
-        "@eslint/js": "^9.13.0",
-        "chai": "^5.1.2",
-        "child_process": "^1.0.2",
-        "codecov": "^3.8.2",
-        "eslint": "^9.13.0",
-        "expect": "^29.2.2",
-        "globals": "^15.11.0",
-        "lintspaces-cli": "^1.0.0",
-        "mocha": "^10.0.0",
-        "nyc": "^17.1.0",
-        "snyk": "^1.594.0"
-    }
-}
+{
+    "name": "check-package-lock",
+    "version": "1.12.0",
+    "description": "Checks the package-lock.json file for insecure http:// links",
+    "main": "index.js",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/gemal/node-check-package-lock.git"
+    },
+    "scripts": {
+        "test": "mocha"
+    },
+    "type": "module",
+    "author": "Henrik Gemal <henrik@gemal.dk> (https://gemal.dk/)",
+    "license": "MIT",
+    "bin": {
+        "check-package-lock": "index.js"
+    },
+    "bugs": {
+        "url": "https://github.com/gemal/node-check-package-lock/issues"
+    },
+    "keywords": [
+        "package",
+        "package-lock",
+        "check",
+        "cli",
+        "lock",
+        "http",
+        "automate",
+        "ci"
+    ],
+    "homepage": "https://github.com/gemal/node-check-package-lock",
+    "dependencies": {
+        "commander": "^12.1.0"
+    },
+    "devDependencies": {
+        "@eslint/js": "^9.13.0",
+        "chai": "^5.1.2",
+        "child_process": "^1.0.2",
+        "eslint": "^9.13.0",
+        "expect": "^29.2.2",
+        "globals": "^15.11.0",
+        "mocha": "^10.0.0",
+        "nyc": "^17.1.0"
+    }
+}

package/renovate.json

@@ -0,0 +1,6 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended"
+    ]
+}

package/.circleci/config.yml

@@ -1,47 +0,0 @@
-version: 2
-jobs:
-  build:
-    docker:
-      # Use node image
-      - image: cimg/node:lts
-
-    # code folder
-    working_directory: ~/repo
-
-    steps:
-      # check out code
-      - checkout
-
-      # restore cache dependencies
-      - restore_cache:
-          keys:
-            - v1-dependencies-{{ checksum "package.json" }}
-            # fallback to using the latest cache if no exact match is found
-            - v1-dependencies-
-
-      # install and cache packages
-      - run: npm install
-      - save_cache:
-          paths:
-            - node_modules
-          key: v1-dependencies-{{ checksum "package.json" }}
-
-      # audit the packages
-      - run: npm audit
-      - run: npm ls
-
-      # security test
-      - run: ./node_modules/.bin/snyk test
-
-      # correct line endings
-      - run: find ./ -path ./node_modules -prune -o -name '*.css' -o -name '*.json' -o -name '*.md' -o -name '*.js' -o -name '*.yml' | xargs ./node_modules/.bin/lintspaces --endofline 'lf' --newline --trailingspaces --verbose
-
-      # lint
-      - run: ./node_modules/.bin/eslint '*.js' 'test/*.js'
-
-      # run tests
-      - run: ./node_modules/.bin/nyc npm test
-
-      # upload code coverage
-      - run: ./node_modules/.bin/nyc report --reporter=text-lcov > coverage.lcov
-      - run: ./node_modules/.bin/codecov

package/.eslintrc.json

@@ -1,20 +0,0 @@
-{
-    "env": {
-        "es6": true,
-        "node": true
-    },
-    "extends": ["eslint:recommended", "google"],
-    "globals": {
-        "Atomics": "readonly",
-        "SharedArrayBuffer": "readonly",
-        "it": true,
-        "describe": true
-    },
-    "parserOptions": {
-        "ecmaVersion": 2018
-    },
-    "rules": {
-      "max-len": ["error", {"code": 120}],
-      "indent": ["error", 4]
-    }
-}