check-package-lock 1.12.0 → 1.14.0

package/.claude/settings.local.json

@@ -0,0 +1,10 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm show *)",
+      "Bash(./node_modules/.bin/eslint '*.js' 'test/*.js')",
+      "Bash(npm test *)",
+      "Bash(./node_modules/.bin/nyc npm *)"
+    ]
+  }
+}

package/.github/workflows/ci.yml

@@ -7,15 +7,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  security-events: write
+permissions: {}
 
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
     environment: Development
+    permissions:
+      contents: read
+      security-events: write # to report vulnerabilities
 
     steps:
       - name: Harden Runner
@@ -81,15 +82,16 @@ jobs:
         run: ./node_modules/.bin/eslint '*.js' 'test/*.js'
 
       - name: Run tests with coverage
-        run: ./node_modules/.bin/nyc npm test
+        run: ./node_modules/.bin/c8 ./node_modules/.bin/mocha
 
       - name: Generate coverage report
-        run: ./node_modules/.bin/nyc report --reporter=text-lcov > coverage.lcov
+        run: ./node_modules/.bin/c8 report --reporter=lcov
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         # https://github.com/codecov/codecov-action/releases
         with:
+          files: coverage/lcov.info
           fail_ci_if_error: true
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

package/.github/workflows/scorecard.yml

@@ -10,8 +10,12 @@ on:
   push:
     branches: [ "main" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 # Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:

package/README.md

@@ -1,46 +1,42 @@
-# check-package-lock
-Checks the package-lock.json file for http:// links
-
-## What does it do?
-check-package-lock can check if the package-lock.json file contain insecure http:// links
-
-## Usage
-To check the package-lock.json file in the current folder:
-```
-npm install -g check-package-lock
-check-package-lock
-```
-
-To check the package-lock.json file in another folder:
-```
-npm install -g check-package-lock
-check-package-lock --folder 'nodefolder'
-```
-
-## Exit codes
-```
-0 = No errors
-1 = Errors were founds in the package-lock.json files
-2 = package-lock.json was not found
-3 = Folder specified does not exists
-4 = Folder specified is not a folder
-```
-
-## CI - Continuous Integration
-check-package-lock can be used in CI environments to check your package-lock.json file before merging a pull request
-
-## Badges
-
-[![CircleCI](https://circleci.com/gh/gemal/node-check-package-lock.svg?style=svg)](https://circleci.com/gh/gemal/node-check-package-lock)
-
-[![codecov](https://codecov.io/gh/gemal/node-check-package-lock/branch/master/graph/badge.svg)](https://codecov.io/gh/gemal/node-check-package-lock)
-
-[![StyleCI](https://github.styleci.io/repos/183420925/shield)](https://github.styleci.io/repos/183420925)
-
-[![Known Vulnerabilities](https://snyk.io/test/github/gemal/node-check-package-lock/badge.svg)](https://snyk.io/test/github/gemal/node-check-package-lock)
-
-[![Total alerts](https://img.shields.io/lgtm/alerts/g/gemal/node-check-package-lock.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/gemal/node-check-package-lock/alerts/)
-
-[![CodeFactor](https://www.codefactor.io/repository/github/gemal/node-check-package-lock/badge)](https://www.codefactor.io/repository/github/gemal/node-check-package-lock)
-
-[![DeepScan grade](https://deepscan.io/api/teams/14204/projects/17307/branches/392368/badge/grade.svg)](https://deepscan.io/dashboard#view=project&tid=14204&pid=17307&bid=392368)
+# check-package-lock
+Checks the package-lock.json file for http:// links
+
+## What does it do?
+check-package-lock can check if the package-lock.json file contain insecure http:// links
+
+## Usage
+To check the package-lock.json file in the current folder:
+```
+npm install -g check-package-lock
+check-package-lock
+```
+
+To check the package-lock.json file in another folder:
+```
+npm install -g check-package-lock
+check-package-lock --folder 'nodefolder'
+```
+
+## Exit codes
+```
+0 = No errors
+1 = Errors were founds in the package-lock.json files
+2 = package-lock.json was not found
+3 = Folder specified does not exists
+4 = Folder specified is not a folder
+```
+
+## CI - Continuous Integration
+check-package-lock can be used in CI environments to check your package-lock.json file before merging a pull request
+
+## Badges
+
+[![codecov](https://codecov.io/gh/gemal/node-check-package-lock/branch/master/graph/badge.svg)](https://codecov.io/gh/gemal/node-check-package-lock)
+
+[![StyleCI](https://github.styleci.io/repos/183420925/shield)](https://github.styleci.io/repos/183420925)
+
+[![Known Vulnerabilities](https://snyk.io/test/github/gemal/node-check-package-lock/badge.svg)](https://snyk.io/test/github/gemal/node-check-package-lock)
+
+[![CodeFactor](https://www.codefactor.io/repository/github/gemal/node-check-package-lock/badge)](https://www.codefactor.io/repository/github/gemal/node-check-package-lock)
+
+[![DeepScan grade](https://deepscan.io/api/teams/14204/projects/17307/branches/392368/badge/grade.svg)](https://deepscan.io/dashboard#view=project&tid=14204&pid=17307&bid=392368)

package/eslint.config.js

@@ -1,17 +1,15 @@
-import globals from "globals";
-import js from "@eslint/js";
-
-
-export default [
-  {
-    languageOptions: {
-      globals: {
-        process: "readonly",
-        describe: "readonly",
-        it: "readonly",
-        ...globals.browser
-      }
-    }
-  },
-  js.configs.recommended,
-];
+import globals from "globals";
+import js from "@eslint/js";
+
+export default [
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        describe: "readonly",
+        it: "readonly",
+      }
+    }
+  },
+  js.configs.recommended,
+];

package/index.js

@@ -1,68 +1,46 @@
-#!/usr/bin/env node
-
-'use strict';
-
-import fs from 'fs';
-import path from 'path';
-import { program } from 'commander';
-import { fileURLToPath } from 'url';
-
-// Define __filename and __dirname for ES modules
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-/**
- * Check a folder.
- * @return {number}
- */
-function checkFolder() {
-    let fullpath = '';
-    if (options.folder) {
-        fullpath = options.folder + path.sep;
-    }
-    const pack = fullpath + 'package-lock.json';
-    if (fs.existsSync(pack)) {
-        const filecontent = fs.readFileSync(pack, { encoding: 'utf-8' });
-        if (filecontent.indexOf('http://registry.npmjs.org') > -1) { // lgtm [js/incomplete-url-substring-sanitization]
-            console.log(pack + ' is NOT OK. It contains references to http://registry.npmjs.org');
-            console.log('In order to fix this do:');
-            console.log('- Delete the package-lock.json file');
-            console.log('- Delete the node_modules folder');
-            console.log('- Run <npm cache clean --force>');
-            console.log('- Run <npm install>');
-            return 1;
-        } else {
-            console.log(pack + ' is OK');
-            return 0;
-        }
-    } else {
-        console.log(pack + ' does not exist');
-        return 2;
-    }
-}
-
-program
-    .version(JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'))).version)
-    .description('Checks the package-lock.json file for http:// links')
-    .option('-f, --folder <folder>', 'Folder with package-lock.json file')
-    .parse(process.argv);
-
-const options = program.opts();
-if (options.folder) {
-    if (fs.existsSync(options.folder)) {
-        const stats = fs.statSync(options.folder);
-        if (stats.isDirectory()) {
-            const err = checkFolder();
-            process.exitCode = err;
-        } else {
-            console.log('Oops! Folder is not a real folder: ' + options.folder);
-            process.exitCode = 4;
-        }
-    } else {
-        console.log('Oops! Folder does not exist: ' + options.folder);
-        process.exitCode = 3;
-    }
-} else {
-    const err = checkFolder();
-    process.exitCode = err;
-}
+#!/usr/bin/env node
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { program } from 'commander';
+
+function checkFolder(folder) {
+    const packPath = folder ? path.join(folder, 'package-lock.json') : 'package-lock.json';
+    if (!fs.existsSync(packPath)) {
+        console.log(`${packPath} does not exist`);
+        return 2;
+    }
+    const filecontent = fs.readFileSync(packPath, { encoding: 'utf-8' });
+    if (/"http:\/\/registry\.npmjs\.org[/"']/.test(filecontent)) {
+        console.log(`${packPath} is NOT OK. It contains references to http://registry.npmjs.org`);
+        console.log('In order to fix this do:');
+        console.log('- Delete the package-lock.json file');
+        console.log('- Delete the node_modules folder');
+        console.log('- Run <npm cache clean --force>');
+        console.log('- Run <npm install>');
+        return 1;
+    }
+    console.log(`${packPath} is OK`);
+    return 0;
+}
+
+program
+    .version(JSON.parse(fs.readFileSync(path.join(import.meta.dirname, 'package.json'))).version)
+    .description('Checks the package-lock.json file for http:// links')
+    .option('-f, --folder <folder>', 'Folder with package-lock.json file')
+    .parse(process.argv);
+
+const options = program.opts();
+if (options.folder) {
+    if (!fs.existsSync(options.folder)) {
+        console.log(`Oops! Folder does not exist: ${options.folder}`);
+        process.exitCode = 3;
+    } else if (!fs.statSync(options.folder).isDirectory()) {
+        console.log(`Oops! Folder is not a real folder: ${options.folder}`);
+        process.exitCode = 4;
+    } else {
+        process.exitCode = checkFolder(options.folder);
+    }
+} else {
+    process.exitCode = checkFolder();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "check-package-lock",
-    "version": "1.12.0",
+    "version": "1.14.0",
     "description": "Checks the package-lock.json file for insecure http:// links",
     "main": "index.js",
     "repository": {
@@ -8,7 +8,8 @@
         "url": "https://github.com/gemal/node-check-package-lock.git"
     },
     "scripts": {
-        "test": "mocha"
+        "test": "mocha",
+        "eslint": "eslint *.js test/*.js"
     },
     "type": "module",
     "author": "Henrik Gemal <henrik@gemal.dk> (https://gemal.dk/)",
@@ -31,16 +32,14 @@
     ],
     "homepage": "https://github.com/gemal/node-check-package-lock",
     "dependencies": {
-        "commander": "^12.1.0"
+        "commander": "^15.0.0"
     },
     "devDependencies": {
-        "@eslint/js": "^9.13.0",
-        "chai": "^5.1.2",
-        "child_process": "^1.0.2",
-        "eslint": "^9.13.0",
-        "expect": "^29.2.2",
-        "globals": "^15.11.0",
-        "mocha": "^10.0.0",
-        "nyc": "^17.1.0"
+        "@eslint/js": "^10.0.1",
+        "c8": "^11.0.0",
+        "chai": "^6.2.2",
+        "eslint": "^10.5.0",
+        "globals": "^17.6.0",
+        "mocha": "^11.7.6"
     }
 }

package/test/index.js

@@ -1,56 +1,52 @@
-import { expect } from 'chai';
-import path from 'path';
-import { exec } from "node:child_process";
-import { fileURLToPath } from 'url';
-
-// Define __filename and __dirname in ES modules
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-describe('index.js', function() {
-    this.timeout(8000);
-
-    function runTest(args, expectedExitCode, expectedOutput, done) {
-        const command = `node ${path.join(__dirname, '../index.js')} ${args.join(' ')}`;
-        exec(command, { cwd: path.join(__dirname, '../') }, (error, stdout) => {
-            if (error) {
-                expect(error.code).to.equal(expectedExitCode);
-            } else {
-                expect(stdout).to.match(expectedOutput);
-            }
-            done();
-        });
-    }
-
-    it('should exit 1 having problems', function(done) {
-        runTest(['--folder', 'test/test1'], 1, /package-lock.json is NOT OK/, done);
-    });
-
-    it('should exit 0 having no problems', function(done) {
-        runTest(['--folder', 'test/test2'], 0, /package-lock.json is OK/, done);
-    });
-
-    it('should exit 0 having no problems with slash', function(done) {
-        runTest(['--folder', 'test/test2/'], 0, /package-lock.json is OK/, done);
-    });
-
-    it('should exit 0 having no problems without folder', function(done) {
-        runTest([], 0, /package-lock.json is OK/, done);
-    });
-
-    it('should exit 1 having problems', function(done) {
-        runTest(['--folder', 'test/test3'], 1, /package-lock.json is NOT OK/, done);
-    });
-
-    it('should exit 1 having problems with no file', function(done) {
-        runTest(['--folder', 'test'], 2, /package-lock.json does not exists/, done);
-    });
-
-    it('should exit 3 if folder does not exist', function(done) {
-        runTest(['--folder', '404'], 3, /Oops! Folder does not exists: 404\n/, done);
-    });
-
-    it('should exit 4 if folder is not a folder', function(done) {
-        runTest(['--folder', 'test/index.js'], 4, /Oops! Folder is not a real folder: test\/index.js\n/, done);
-    });
-});
+import { expect } from 'chai';
+import path from 'node:path';
+import { exec } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+describe('index.js', function() {
+    this.timeout(8000);
+
+    function runTest(args, expectedExitCode, expectedOutput, done) {
+        const command = `node ${path.join(__dirname, '../index.js')} ${args.join(' ')}`;
+        exec(command, { cwd: path.join(__dirname, '../') }, (error, stdout) => {
+            const exitCode = error ? error.code : 0;
+            expect(exitCode).to.equal(expectedExitCode);
+            expect(stdout).to.match(expectedOutput);
+            done();
+        });
+    }
+
+    it('should exit 1 having problems in test1', function(done) {
+        runTest(['--folder', 'test/test1'], 1, /package-lock.json is NOT OK/, done);
+    });
+
+    it('should exit 0 having no problems', function(done) {
+        runTest(['--folder', 'test/test2'], 0, /package-lock.json is OK/, done);
+    });
+
+    it('should exit 0 having no problems with slash', function(done) {
+        runTest(['--folder', 'test/test2/'], 0, /package-lock.json is OK/, done);
+    });
+
+    it('should exit 0 having no problems without folder', function(done) {
+        runTest([], 0, /package-lock.json is OK/, done);
+    });
+
+    it('should exit 1 having problems in test3', function(done) {
+        runTest(['--folder', 'test/test3'], 1, /package-lock.json is NOT OK/, done);
+    });
+
+    it('should exit 2 having problems with no file', function(done) {
+        runTest(['--folder', 'test'], 2, /package-lock.json does not exist/, done);
+    });
+
+    it('should exit 3 if folder does not exist', function(done) {
+        runTest(['--folder', '404'], 3, /Oops! Folder does not exist: 404/, done);
+    });
+
+    it('should exit 4 if folder is not a folder', function(done) {
+        runTest(['--folder', 'test/index.js'], 4, /Oops! Folder is not a real folder: test\/index.js/, done);
+    });
+});