npm-pkg-lint 3.3.0 → 3.4.0

package/README.md

@@ -19,7 +19,8 @@ Core principles:
 
 ```
 usage: index.js [-h] [-v] [-t TARBALL] [-p PKGFILE] [--cache CACHE]
-                [--allow-types-dependencies] [--ignore-missing-fields]
+                [--allow-dependency DEPENDENCY] [--allow-types-dependencies]
+                [--ignore-missing-fields]
 
 Opiniated linter for NPM package tarball and package.json metadata
 
@@ -31,8 +32,11 @@ optional arguments:
   -p PKGFILE, --pkgfile PKGFILE
                         specify package.json location
   --cache CACHE         specify cache directory
+  --allow-dependency DEPENDENCY
+                        explicitly allow given dependency (can be given
+                        multiple times or as a comma-separated list)
   --allow-types-dependencies
-                        allow dependencies to `@types/*`
+                        allow production dependencies to `@types/*`
   --ignore-missing-fields
                         ignore errors for missing fields (but still checks for
                         empty and valid)
@@ -99,29 +103,7 @@ Examples of disallowed packages:
 
 By default `@types/*` is disallowed but this can be disabled with `--allow-types-dependencies`.
 
-## Obsolete dependencies
-
-Disallows certain packages from being included as `dependencies`, `devDependencies` or `peerDependencies` entirely.
-These dependencies have native replacements supported by all supported NodeJS versions.
-
-**Why?** Obsolete packages have native replacements and thus only clutter the dependency graphs thus increasing the time to install, the size on disk and produces noise with tools analyzing `package-lock.json`.
-
-Examples of obsolete packages:
-
-- `mkdirp` - `fs#mkdir` supports the `recursive` flag since NodeJS v10.
-- `stable` - `Array#sort` is stable since NodeJS v12.
-
-## Deprecated dependencies
-
-Disallows deprecated packages from being included as `dependencies`, `devDependencies` or `peerDependencies` entirely.
-These dependences are explicitly marked as deprecated by the package author.
-
-**Why?** Deprecated packages should be removed or replaced with alternatives as they are often unmaintained and might contain security vulnerabilities.
-
-Examples of obsolete packages:
-
-- `mkdirp` - `fs#mkdir` supports the `recursive` flag since NodeJS v10.
-- `stable` - `Array#sort` is stable since NodeJS v12.
+If needed, `--allow-dependency` can be used to ignore one or more dependencies.
 
 ### ESLint
 
@@ -210,6 +192,30 @@ If your `package.json` contains the `"prettier"` keyword the Prettier packages c
 }
 ```
 
+## Obsolete dependencies
+
+Disallows certain packages from being included as `dependencies`, `devDependencies` or `peerDependencies` entirely.
+These dependencies have native replacements supported by all supported NodeJS versions.
+
+**Why?** Obsolete packages have native replacements and thus only clutter the dependency graphs thus increasing the time to install, the size on disk and produces noise with tools analyzing `package-lock.json`.
+
+Examples of obsolete packages:
+
+- `mkdirp` - `fs#mkdir` supports the `recursive` flag since NodeJS v10.
+- `stable` - `Array#sort` is stable since NodeJS v12.
+
+## Deprecated dependencies
+
+Disallows deprecated packages from being included as `dependencies`, `devDependencies` or `peerDependencies` entirely.
+These dependences are explicitly marked as deprecated by the package author.
+
+**Why?** Deprecated packages should be removed or replaced with alternatives as they are often unmaintained and might contain security vulnerabilities.
+
+Examples of obsolete packages:
+
+- `mkdirp` - `fs#mkdir` supports the `recursive` flag since NodeJS v10.
+- `stable` - `Array#sort` is stable since NodeJS v12.
+
 ## Shebang
 
 Require all binaries to have UNIX-style shebang at the beginning of the file.

package/dist/index.js

@@ -12365,7 +12365,7 @@ var require_merge_stream = __commonJS({
 var import_argparse = __toESM(require_argparse(), 1);
 import { existsSync, createWriteStream as createWriteStream2, readFileSync as readFileSync2, promises as fs4 } from "fs";
 import path7 from "path";
-import { fileURLToPath as fileURLToPath3 } from "url";
+import { fileURLToPath as fileURLToPath4 } from "url";
 
 // node_modules/find-up/index.js
 import path2 from "path";
@@ -13327,14 +13327,14 @@ function validateUrl(key, value) {
   if (value !== value.trim()) {
     throw new Error(`"${key}.url" must not have leading or trailing whitespace`);
   }
-  const url2 = new URL(value);
-  if (url2.protocol === "git+http:" || url2.protocol === "http:") {
+  const url = new URL(value);
+  if (url.protocol === "git+http:" || url.protocol === "http:") {
     throw new Error(`"${key}.url" must use "git+https://" instead of "http://"`);
   }
-  if (url2.protocol !== "git+https:") {
+  if (url.protocol !== "git+https:") {
     throw new Error(`"${key}.url" must use "git+https://" protocol`);
   }
-  if (url2.host === "") {
+  if (url.host === "") {
     throw new Error(`"${key}.url" be a valid url`);
   }
 }
@@ -13407,7 +13407,7 @@ function stripFinalNewline(input) {
 // node_modules/execa/node_modules/npm-run-path/index.js
 import process3 from "process";
 import path3 from "path";
-import url from "url";
+import { fileURLToPath as fileURLToPath3 } from "url";
 
 // node_modules/execa/node_modules/path-key/index.js
 function pathKey(options = {}) {
@@ -13422,31 +13422,43 @@ function pathKey(options = {}) {
 }
 
 // node_modules/execa/node_modules/npm-run-path/index.js
-function npmRunPath(options = {}) {
-  const {
-    cwd = process3.cwd(),
-    path: path_ = process3.env[pathKey()],
-    execPath = process3.execPath
-  } = options;
-  let previous;
-  const cwdString = cwd instanceof URL ? url.fileURLToPath(cwd) : cwd;
-  let cwdPath = path3.resolve(cwdString);
+var npmRunPath = ({
+  cwd = process3.cwd(),
+  path: pathOption = process3.env[pathKey()],
+  preferLocal = true,
+  execPath = process3.execPath,
+  addExecPath = true
+} = {}) => {
+  const cwdString = cwd instanceof URL ? fileURLToPath3(cwd) : cwd;
+  const cwdPath = path3.resolve(cwdString);
   const result = [];
+  if (preferLocal) {
+    applyPreferLocal(result, cwdPath);
+  }
+  if (addExecPath) {
+    applyExecPath(result, execPath, cwdPath);
+  }
+  return [...result, pathOption].join(path3.delimiter);
+};
+var applyPreferLocal = (result, cwdPath) => {
+  let previous;
   while (previous !== cwdPath) {
     result.push(path3.join(cwdPath, "node_modules/.bin"));
     previous = cwdPath;
     cwdPath = path3.resolve(cwdPath, "..");
   }
-  result.push(path3.resolve(cwdString, execPath, ".."));
-  return [...result, path_].join(path3.delimiter);
-}
-function npmRunPathEnv({ env = process3.env, ...options } = {}) {
+};
+var applyExecPath = (result, execPath, cwdPath) => {
+  const execPathString = execPath instanceof URL ? fileURLToPath3(execPath) : execPath;
+  result.push(path3.resolve(cwdPath, execPathString, ".."));
+};
+var npmRunPathEnv = ({ env = process3.env, ...options } = {}) => {
   env = { ...env };
-  const path8 = pathKey({ env });
-  options.path = env[path8];
-  env[path8] = npmRunPath(options);
+  const pathName = pathKey({ env });
+  options.path = env[pathName];
+  env[pathName] = npmRunPath(options);
   return env;
-}
+};
 
 // node_modules/execa/node_modules/mimic-fn/index.js
 var copyProperty = (to, from, property, ignoreNonConfigurable) => {
@@ -15076,7 +15088,12 @@ var ruleId2 = "no-deprecated-dependency";
 function* getDependencies(pkg) {
   const { dependencies = {}, devDependencies = {}, peerDependencies = {} } = pkg;
   const allDependencies = { ...dependencies, ...devDependencies, ...peerDependencies };
-  for (const [key, version2] of Object.entries(allDependencies)) {
+  for (let [key, version2] of Object.entries(allDependencies)) {
+    if (version2.startsWith("npm:")) {
+      const [newKey, newVersion] = version2.slice("npm:".length).split("@", 2);
+      key = newKey;
+      version2 = newVersion;
+    }
     if (key === "@types/node") {
       continue;
     }
@@ -15297,8 +15314,8 @@ function* outdatedEngines(pkg) {
     if (!import_semver2.default.satisfies(expanded, range)) {
       continue;
     }
-    const nodeRelease = ((parsed == null ? void 0 : parsed.major) ?? 0) || `0.${(parsed == null ? void 0 : parsed.minor) ?? ""}`;
-    const message = `engines.node is satisfied by Node ${nodeRelease} (EOL since ${descriptor.eol})`;
+    const nodeRelease = ((parsed == null ? void 0 : parsed.major) ?? 0) || `0.${String((parsed == null ? void 0 : parsed.minor) ?? "")}`;
+    const message = `engines.node is satisfied by Node ${String(nodeRelease)} (EOL since ${descriptor.eol})`;
     yield {
       ruleId: ruleId4,
       severity: severity2,
@@ -15318,7 +15335,12 @@ async function* getDeepDependencies(pkg, dependency) {
   if (!pkgData) {
     return;
   }
-  for (const [key, version2] of Object.entries(pkgData.dependencies ?? {})) {
+  for (let [key, version2] of Object.entries(pkgData.dependencies ?? {})) {
+    if (version2.startsWith("npm:")) {
+      const [newKey, newVersion] = version2.slice("npm:".length).split("@", 2);
+      key = newKey;
+      version2 = newVersion;
+    }
     if (key === "@types/node") {
       continue;
     }
@@ -15412,10 +15434,12 @@ function* typesNodeMatchingEngine(pkg) {
     return;
   }
   if (typesVersion.major !== nodeVersion.major) {
+    const actualVersion = `v${String(typesVersion.major)}`;
+    const expectedVersion = `v${String(nodeVersion.major)}`;
     yield {
       ruleId: ruleId6,
       severity: severity3,
-      message: `@types/node v${typesVersion.major} does not equal engines.node v${nodeVersion.major}`,
+      message: `@types/node ${actualVersion} does not equal engines.node ${expectedVersion}`,
       line: 1,
       column: 1
     };
@@ -15458,19 +15482,31 @@ function verifyFields(pkg, options) {
   }
   return messages;
 }
+function getActualDependency(key, version2) {
+  if (version2.startsWith("npm:")) {
+    const [name] = version2.slice("npm:".length).split("@", 2);
+    return name;
+  }
+  return key;
+}
 function verifyDependencies(pkg, options) {
   const messages = [];
   const { dependencies = {}, devDependencies = {}, peerDependencies = {} } = pkg;
   const allDependencies = { ...dependencies, ...devDependencies, ...peerDependencies };
-  for (const dependency of Object.keys(dependencies)) {
+  for (const [key, version2] of Object.entries(dependencies)) {
+    const dependency = getActualDependency(key, version2);
+    if (options.allowedDependencies.has(dependency)) {
+      continue;
+    }
     if (options.allowTypesDependencies && dependency.match(/^@types\//)) {
       continue;
     }
     if (isDisallowedDependency(pkg, dependency)) {
+      const name = key === dependency ? dependency : `"${key}" ("npm:${dependency}")`;
       messages.push({
         ruleId: "disallowed-dependency",
         severity: 2,
-        message: `${dependency} should be a devDependency`,
+        message: `"${name}" should be a devDependency`,
         line: 1,
         column: 1
       });
@@ -15482,7 +15518,7 @@ function verifyDependencies(pkg, options) {
       messages.push({
         ruleId: "obsolete-dependency",
         severity: 2,
-        message: `${dependency} is obsolete and should no longer be used: ${obsolete2.message}`,
+        message: `"${dependency}" is obsolete and should no longer be used: ${obsolete2.message}`,
         line: 1,
         column: 1
       });
@@ -15490,7 +15526,7 @@ function verifyDependencies(pkg, options) {
   }
   return messages;
 }
-async function verifyPackageJson(pkg, filePath, options = {}) {
+async function verifyPackageJson(pkg, filePath, options = { allowedDependencies: /* @__PURE__ */ new Set() }) {
   const messages = [
     ...await deprecatedDependency(pkg),
     ...await verifyEngineConstraint(pkg),
@@ -15552,7 +15588,7 @@ async function verifyShebang(pkg, tarball) {
 }
 
 // src/verify.ts
-async function verify(pkg, pkgPath, tarball, options = {}) {
+async function verify(pkg, pkgPath, tarball, options) {
   return [
     ...await verifyTarball(pkg, tarball),
     ...await verifyPackageJson(pkg, pkgPath, options),
@@ -15571,7 +15607,7 @@ function tarballLocation(pkg, pkgPath) {
 }
 
 // src/index.ts
-var pkgFilepath = fileURLToPath3(new URL("../package.json", import.meta.url));
+var pkgFilepath = fileURLToPath4(new URL("../package.json", import.meta.url));
 var { version } = JSON.parse(readFileSync2(pkgFilepath, "utf-8"));
 var PACKAGE_JSON = "package.json";
 async function preloadStdin() {
@@ -15628,15 +15664,22 @@ async function run() {
   parser.add_argument("-t", "--tarball", { help: "specify tarball location" });
   parser.add_argument("-p", "--pkgfile", { help: "specify package.json location" });
   parser.add_argument("--cache", { help: "specify cache directory" });
+  parser.add_argument("--allow-dependency", {
+    action: "append",
+    default: [],
+    metavar: "DEPENDENCY",
+    help: "explicitly allow given dependency (can be given multiple times or as a comma-separated list)"
+  });
   parser.add_argument("--allow-types-dependencies", {
     action: "store_true",
-    help: "allow dependencies to `@types/*`"
+    help: "allow production dependencies to `@types/*`"
   });
   parser.add_argument("--ignore-missing-fields", {
     action: "store_true",
     help: "ignore errors for missing fields (but still checks for empty and valid)"
   });
   const args = parser.parse_args();
+  const allowedDependencies2 = new Set(args.allow_dependency.map((it) => it.split(",")).flat());
   if (args.cache) {
     await setCacheDirecory(args.cache);
   }
@@ -15662,6 +15705,7 @@ async function run() {
   }
   setupBlacklist(pkg.name);
   const options = {
+    allowedDependencies: allowedDependencies2,
     allowTypesDependencies: args.allow_types_dependencies,
     ignoreMissingFields: args.ignore_missing_fields
   };