check-package-lock 1.13.0 → 1.14.1

package/.github/workflows/ci.yml

@@ -79,18 +79,19 @@ jobs:
         # https://github.com/AODocs/check-eol/releases
 
       - name: Lint
-        run: ./node_modules/.bin/eslint '*.js' 'test/*.js'
+        run: npm run eslint
 
       - name: Run tests with coverage
-        run: ./node_modules/.bin/nyc npm test
+        run: ./node_modules/.bin/c8 ./node_modules/.bin/mocha
 
       - name: Generate coverage report
-        run: ./node_modules/.bin/nyc report --reporter=text-lcov > coverage.lcov
+        run: ./node_modules/.bin/c8 report --reporter=lcov
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         # https://github.com/codecov/codecov-action/releases
         with:
+          files: coverage/lcov.info
           fail_ci_if_error: true
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

package/.github/workflows/release.yml

@@ -0,0 +1,115 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    environment: Development
+    # Skip if this push is the automated version bump commit
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        # https://github.com/step-security/harden-runner/releases
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        # https://github.com/actions/checkout/releases
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        # https://github.com/actions/setup-node/releases
+        with:
+          node-version: "lts/*"
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run eslint
+
+      - name: Run tests
+        run: npm test
+
+  release:
+    name: Publish and Release
+    needs: test
+    runs-on: ubuntu-latest
+    environment: Release
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+
+    permissions:
+      contents: write  # push version bump commit, create tags and GitHub releases
+      id-token: write  # npm provenance attestation
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        # https://github.com/step-security/harden-runner/releases
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        # https://github.com/actions/checkout/releases
+        with:
+          # persist-credentials needed to push the version bump commit back
+          persist-credentials: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        # https://github.com/actions/setup-node/releases
+        with:
+          node-version: "lts/*"
+          cache: npm
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump patch version
+        id: bump
+        run: |
+          npm version patch -m "chore: release %s [skip ci]"
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=v${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Push version bump
+        run: git push --follow-tags
+
+      - name: Publish to npm
+        run: npm publish --provenance --access public
+
+      - name: Create GitHub release
+        # zizmor: ignore[template-injection] VERSION is passed as env var, not interpolated into shell
+        run: |
+          gh release create "$VERSION" \
+            --title "$VERSION" \
+            --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.bump.outputs.version }}

package/.typo-ci.yml

@@ -1,6 +1,6 @@
-dictionaries:
-  - en
-
-excluded_words:
-  - endofline
-  - sep
+dictionaries:
+  - en
+
+excluded_words:
+  - endofline
+  - sep

package/eslint.config.js

@@ -1,17 +1,15 @@
-import globals from "globals";
-import js from "@eslint/js";
-
-
-export default [
-  {
-    languageOptions: {
-      globals: {
-        process: "readonly",
-        describe: "readonly",
-        it: "readonly",
-        ...globals.browser
-      }
-    }
-  },
-  js.configs.recommended,
-];
+import globals from "globals";
+import js from "@eslint/js";
+
+export default [
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        describe: "readonly",
+        it: "readonly",
+      }
+    }
+  },
+  js.configs.recommended,
+];

package/index.js

@@ -3,9 +3,6 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import { program } from 'commander';
-import { fileURLToPath } from 'node:url';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 function checkFolder(folder) {
     const packPath = folder ? path.join(folder, 'package-lock.json') : 'package-lock.json';
@@ -28,7 +25,7 @@ function checkFolder(folder) {
 }
 
 program
-    .version(JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'))).version)
+    .version(JSON.parse(fs.readFileSync(path.join(import.meta.dirname, 'package.json'))).version)
     .description('Checks the package-lock.json file for http:// links')
     .option('-f, --folder <folder>', 'Folder with package-lock.json file')
     .parse(process.argv);

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "check-package-lock",
-    "version": "1.13.0",
+    "version": "1.14.1",
     "description": "Checks the package-lock.json file for insecure http:// links",
     "main": "index.js",
     "repository": {
@@ -36,12 +36,10 @@
     },
     "devDependencies": {
         "@eslint/js": "^10.0.1",
+        "c8": "^11.0.0",
         "chai": "^6.2.2",
-        "child_process": "^1.0.2",
         "eslint": "^10.5.0",
-        "expect": "^30.4.1",
         "globals": "^17.6.0",
-        "mocha": "^11.7.6",
-        "nyc": "^18.0.0"
+        "mocha": "^11.7.6"
     }
 }

package/test/test1/package-lock.json

@@ -1,3 +1,3 @@
-{
-    "resolved": "http://registry.npmjs.org/blablabla"
-}
+{
+    "resolved": "http://registry.npmjs.org/blablabla"
+}

package/test/test2/package-lock.json

@@ -1,3 +1,3 @@
-{
-    "resolved": "https://registry.npmjs.org/blablabla"
-}
+{
+    "resolved": "https://registry.npmjs.org/blablabla"
+}

package/test/test3/package-lock.json

@@ -1,4 +1,4 @@
-{
-    "resolved": "https://registry.npmjs.org/blablabla",
-    "resolve": "http://registry.npmjs.org"
-}
+{
+    "resolved": "https://registry.npmjs.org/blablabla",
+    "resolve": "http://registry.npmjs.org"
+}

package/.claude/settings.local.json

@@ -1,9 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(npm show *)",
-      "Bash(./node_modules/.bin/eslint '*.js' 'test/*.js')",
-      "Bash(npm test *)"
-    ]
-  }
-}