npm - npm-pkg-lint - Versions diffs - 4.4.2 → 4.5.0 - Mend

npm-pkg-lint 4.4.2 → 4.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -111,6 +111,28 @@ Verifies the presence of files specified in:
 - `bin`
 - `man`
+## `exports` paths
+Requires all values in `exports` to start with `./`.
+**Why?** The Node.js specification requires export paths to be relative paths starting with `./`.
+Values not starting with `./` will be treated as package names by some runtimes and bundlers, which is almost certainly not the intent.
+## `import` before `require` in `exports`
+Requires `import` and `module`, if either is present alongside `require`, to come before `require` in `exports`.
+**Why?** Some runtimes and bundlers evaluate conditions in order and stop at the first match.
+If `require` is listed before `import` (or `module`), ESM-capable consumers that support both may unexpectedly pick up the CJS build.
+`module` is treated as an alias for `import` as it serves the same purpose for bundlers such as webpack.
+## `default` in `exports`
+Requires `default`, if present, to be the last condition in `exports`.
+**Why?** The `default` condition is a catch-all fallback.
+If it is listed before more specific conditions (e.g. `require` or `import`) those conditions will never be reached by runtimes that support them.
 ## TypeScript `types` in `exports`
 Requires `types` to be the first condition in `exports`.
@@ -135,6 +157,23 @@ Requires only one of the two fields `types` and `typings` to be used, not both.
 **Why?** `typings` is an alias for `types` and if both are set it is unclear which is to be used (and could potentially be set to different values).
+## Protocol dependencies
+Disallows dependencies that resolve outside the registry across all dependency fields (`dependencies`, `devDependencies`, `peerDependencies`, `optionalDependencies`).
+**Why?** Protocol specifiers such as `file:`, `link:`, `github:` or `git+https:` reference local paths or remote git repositories instead of versioned registry packages.
+Published packages should only depend on registry packages so that consumers can reliably install the same code.
+Disallowed protocols:
+- `file:` - local filesystem path
+- `link:` - symlink
+- `github:` / `gitlab:` / `bitbucket:` - platform shorthand
+- `git:` / `git+https:` / `git+http:` / `git+ssh:` / `git+file:` - arbitrary git URL
+- `http:` / `https:` - direct URL tarball
+- `user/repo` - Github shorthand (without `github:` prefix)
+- `user@host:path` - git URL (e.g. `git@github.com:user/repo.git`)
 ## Disallowed dependencies
 Disallows certain packages from being included as `dependencies` (use `devDependencies` or `peerDependencies` instead).

package/dist/index.js CHANGED Viewed

@@ -11374,8 +11374,8 @@ function isDisallowedDependency(pkg, dependency) {
   return match(disallowedDependencies, dependency);
 }
-// src/rules/exports-types-order.ts
-var ruleId4 = "exports-types-order";
+// src/rules/exports-default-order.ts
+var ruleId4 = "exports-default-order";
 var severity2 = Severity.ERROR;
 function* validateOrder(pkgAst, value, path8) {
   if (!value || typeof value === "string") {
@@ -11385,13 +11385,13 @@ function* validateOrder(pkgAst, value, path8) {
   if (keys.length === 0) {
     return;
   }
-  if (keys.includes("types") && keys[0] !== "types") {
-    const { line, column } = jsonLocation(pkgAst, "member", "exports", ...path8, "types");
+  if (keys.includes("default") && keys.at(-1) !== "default") {
+    const { line, column } = jsonLocation(pkgAst, "member", "exports", ...path8, "default");
     const property = path8.map((it2) => `["${it2}"]`).join("");
     yield {
       ruleId: ruleId4,
       severity: severity2,
-      message: `"types" must be the first condition in "exports${property}"`,
+      message: `"default" must be the last condition in "exports${property}"`,
       line,
       column
     };
@@ -11400,12 +11400,187 @@ function* validateOrder(pkgAst, value, path8) {
     yield* validateOrder(pkgAst, value[key], [...path8, key]);
   }
 }
-function* exportsTypesOrder(pkg, pkgAst) {
+function* exportsDefaultOrder(pkg, pkgAst) {
   if (pkg.exports) {
     yield* validateOrder(pkgAst, pkg.exports, []);
   }
 }
+// src/rules/exports-import-require-order.ts
+var ruleId5 = "exports-import-require-order";
+var severity3 = Severity.ERROR;
+function* validateOrder2(pkgAst, value, path8) {
+  if (!value || typeof value === "string") {
+    return;
+  }
+  const keys = Object.keys(value);
+  if (keys.includes("require")) {
+    for (const esm of ["import", "module"]) {
+      if (keys.includes(esm) && keys.indexOf(esm) > keys.indexOf("require")) {
+        const { line, column } = jsonLocation(pkgAst, "member", "exports", ...path8, esm);
+        const property = path8.map((it2) => `["${it2}"]`).join("");
+        yield {
+          ruleId: ruleId5,
+          severity: severity3,
+          message: `"${esm}" must come before "require" in "exports${property}"`,
+          line,
+          column
+        };
+      }
+    }
+  }
+  for (const key of keys) {
+    yield* validateOrder2(pkgAst, value[key], [...path8, key]);
+  }
+}
+function* exportsImportRequireOrder(pkg, pkgAst) {
+  if (pkg.exports) {
+    yield* validateOrder2(pkgAst, pkg.exports, []);
+  }
+}
+// src/rules/exports-path.ts
+var ruleId6 = "exports-path";
+var severity4 = Severity.ERROR;
+function* validatePath(pkgAst, value, path8) {
+  if (value === null) {
+    return;
+  }
+  if (typeof value === "string") {
+    if (!value.startsWith("./")) {
+      const { line, column } = jsonLocation(pkgAst, "value", "exports", ...path8);
+      const property = path8.map((it2) => `["${it2}"]`).join("");
+      yield {
+        ruleId: ruleId6,
+        severity: severity4,
+        message: `"exports${property}" value "${value}" must start with "./"`,
+        line,
+        column
+      };
+    }
+    return;
+  }
+  for (const [key, val] of Object.entries(value)) {
+    yield* validatePath(pkgAst, val, [...path8, key]);
+  }
+}
+function* exportsPath(pkg, pkgAst) {
+  if (pkg.exports) {
+    yield* validatePath(pkgAst, pkg.exports, []);
+  }
+}
+// src/rules/exports-types-order.ts
+var ruleId7 = "exports-types-order";
+var severity5 = Severity.ERROR;
+function* validateOrder3(pkgAst, value, path8) {
+  if (!value || typeof value === "string") {
+    return;
+  }
+  const keys = Object.keys(value);
+  if (keys.length === 0) {
+    return;
+  }
+  if (keys.includes("types") && keys[0] !== "types") {
+    const { line, column } = jsonLocation(pkgAst, "member", "exports", ...path8, "types");
+    const property = path8.map((it2) => `["${it2}"]`).join("");
+    yield {
+      ruleId: ruleId7,
+      severity: severity5,
+      message: `"types" must be the first condition in "exports${property}"`,
+      line,
+      column
+    };
+  }
+  for (const key of keys) {
+    yield* validateOrder3(pkgAst, value[key], [...path8, key]);
+  }
+}
+function* exportsTypesOrder(pkg, pkgAst) {
+  if (pkg.exports) {
+    yield* validateOrder3(pkgAst, pkg.exports, []);
+  }
+}
+// src/rules/no-protocol-dependencies.ts
+var ruleId8 = "no-protocol-dependencies";
+var severity6 = Severity.ERROR;
+var disallowed = [
+  "bitbucket:",
+  "file:",
+  "git+file:",
+  "git+http:",
+  "git+https:",
+  "git+ssh:",
+  "git:",
+  "github:",
+  "gitlab:",
+  "http:",
+  "https:",
+  "link:"
+];
+var depFields = [
+  "dependencies",
+  "devDependencies",
+  "peerDependencies",
+  "optionalDependencies"
+];
+function getProtocol(version2) {
+  for (const protocol of disallowed) {
+    if (version2.startsWith(protocol)) {
+      return protocol;
+    }
+  }
+  return null;
+}
+var githubShorthandRe = /^[A-Za-z][\w-]*\/[\w.-]+(?:#.+)?$/;
+var gitUrlRe = /^[^@]+@[^:]+:.+/;
+function isGithubShorthand(version2) {
+  return !version2.includes(":") && githubShorthandRe.test(version2);
+}
+function isGitUrl(version2) {
+  return gitUrlRe.test(version2);
+}
+function* noProtocolDependencies(pkg, pkgAst) {
+  for (const field of depFields) {
+    const deps = pkg[field];
+    if (!deps) {
+      continue;
+    }
+    for (const [name, version2] of Object.entries(deps)) {
+      const protocol = getProtocol(version2);
+      if (protocol) {
+        const { line, column } = jsonLocation(pkgAst, "member", field, name);
+        yield {
+          ruleId: ruleId8,
+          severity: severity6,
+          message: `"${name}" uses the "${protocol}" protocol specifier which is not allowed in published packages`,
+          line,
+          column
+        };
+      } else if (isGithubShorthand(version2)) {
+        const { line, column } = jsonLocation(pkgAst, "member", field, name);
+        yield {
+          ruleId: ruleId8,
+          severity: severity6,
+          message: `"${name}" uses the GitHub shorthand "${version2}" which is not allowed in published packages`,
+          line,
+          column
+        };
+      } else if (isGitUrl(version2)) {
+        const { line, column } = jsonLocation(pkgAst, "member", field, name);
+        yield {
+          ruleId: ruleId8,
+          severity: severity6,
+          message: `"${name}" uses a git URL "${version2}" which is not allowed in published packages`,
+          line,
+          column
+        };
+      }
+    }
+  }
+}
 // src/rules/obsolete-dependency.ts
 var obsolete = [
   { package: "make-dir", message: `use native "fs.mkdir(..., { recursive: true })" instead` },
@@ -11446,14 +11621,14 @@ var nodeVersions = [
 ];
 // src/rules/outdated-engines.ts
-var ruleId5 = "outdated-engines";
-var severity3 = Severity.ERROR;
+var ruleId9 = "outdated-engines";
+var severity7 = Severity.ERROR;
 function* outdatedEngines(pkg, pkgAst, ignoreNodeVersion) {
   if (!pkg.engines?.node) {
     const { line: line2, column: column2 } = pkg.engines ? jsonLocation(pkgAst, "member", "engines") : { line: 1, column: 1 };
     yield {
-      ruleId: ruleId5,
-      severity: severity3,
+      ruleId: ruleId9,
+      severity: severity7,
       message: "Missing engines.node field",
       line: line2,
       column: column2
@@ -11464,8 +11639,8 @@ function* outdatedEngines(pkg, pkgAst, ignoreNodeVersion) {
   const range = pkg.engines.node;
   if (!import_semver2.default.validRange(range)) {
     yield {
-      ruleId: ruleId5,
-      severity: severity3,
+      ruleId: ruleId9,
+      severity: severity7,
       message: `engines.node "${range}" is not a valid semver range`,
       line,
       column
@@ -11491,8 +11666,8 @@ function* outdatedEngines(pkg, pkgAst, ignoreNodeVersion) {
     const nodeRelease = major > 0 ? major : `0.${String(minor)}`;
     const message = `engines.node is satisfied by Node ${String(nodeRelease)} (EOL since ${descriptor.eol})`;
     yield {
-      ruleId: ruleId5,
-      severity: severity3,
+      ruleId: ruleId9,
+      severity: severity7,
       message,
       line,
       column
@@ -11504,8 +11679,8 @@ function* outdatedEngines(pkg, pkgAst, ignoreNodeVersion) {
     const version2 = `v${String(ignoreNodeVersion)}.x`;
     const message = `--ignore-node-version=${option} used but engines.node="${range}" does not match ${version2} or the version is not EOL yet`;
     yield {
-      ruleId: ruleId5,
-      severity: severity3,
+      ruleId: ruleId9,
+      severity: severity7,
       message,
       line,
       column
@@ -11514,16 +11689,16 @@ function* outdatedEngines(pkg, pkgAst, ignoreNodeVersion) {
 }
 // src/rules/prefer-types.ts
-var ruleId6 = "prefer-types";
-var severity4 = Severity.ERROR;
+var ruleId10 = "prefer-types";
+var severity8 = Severity.ERROR;
 function* preferTypes(pkg, pkgAst) {
   if (!pkg.typings || pkg.types) {
     return;
   }
   const { line, column } = jsonLocation(pkgAst, "member", "typings");
   yield {
-    ruleId: ruleId6,
-    severity: severity4,
+    ruleId: ruleId10,
+    severity: severity8,
     message: `Prefer "types" over "typings"`,
     line,
     column
@@ -11531,8 +11706,8 @@ function* preferTypes(pkg, pkgAst) {
 }
 // src/rules/shadowed-types.ts
-var ruleId7 = "shadowed-types";
-var severity5 = Severity.ERROR;
+var ruleId11 = "shadowed-types";
+var severity9 = Severity.ERROR;
 function walkConditions(conditions) {
   if (!conditions || typeof conditions === "string") {
     return [];
@@ -11566,8 +11741,8 @@ function* validateTypeSubpath(pkgAst, subpaths, field, value) {
   }
   const { line, column } = jsonLocation(pkgAst, "member", field);
   yield {
-    ruleId: ruleId7,
-    severity: severity5,
+    ruleId: ruleId11,
+    severity: severity9,
     message: `"${field}" cannot be resolved when respecting "exports" field`,
     line,
     column
@@ -11589,8 +11764,8 @@ function* shadowedTypes(pkg, pkgAst) {
 // src/rules/types-node-matching-engine.ts
 var import_semver3 = __toESM(require_semver2(), 1);
-var ruleId8 = "types-node-matching-engine";
-var severity6 = Severity.ERROR;
+var ruleId12 = "types-node-matching-engine";
+var severity10 = Severity.ERROR;
 function* typesNodeMatchingEngine(pkg, pkgAst) {
   if (!pkg.engines?.node) {
     return;
@@ -11614,8 +11789,8 @@ function* typesNodeMatchingEngine(pkg, pkgAst) {
       const actualVersion = `v${String(typesVersion.major)}`;
       const expectedVersion = `v${String(nodeVersion.major)}`;
       yield {
-        ruleId: ruleId8,
-        severity: severity6,
+        ruleId: ruleId12,
+        severity: severity10,
         message: `@types/node ${actualVersion} does not equal engines.node ${expectedVersion}`,
         line,
         column
@@ -11626,7 +11801,7 @@ function* typesNodeMatchingEngine(pkg, pkgAst) {
 // src/rules/verify-engine-constraint.ts
 var import_semver4 = __toESM(require_semver2(), 1);
-var ruleId9 = "invalid-engine-constraint";
+var ruleId13 = "invalid-engine-constraint";
 async function* getDeepDependencies(pkg, visited, dependency) {
   if (dependency) {
     if (visited.has(dependency)) {
@@ -11664,7 +11839,7 @@ async function verifyDependency(dependency, minDeclared, declaredConstraint) {
   }
   if (!import_semver4.default.satisfies(minDeclared, constraint)) {
     return {
-      ruleId: ruleId9,
+      ruleId: ruleId13,
       severity: 2,
       message: `the transitive dependency "${dependency}" (node ${constraint}) does not satisfy the declared node engine "${declaredConstraint}"`,
       line: 1,
@@ -11693,7 +11868,7 @@ async function verifyEngineConstraint(pkg) {
     } catch (err) {
       if (isNpmInfoError(err) && err.code === "E404") {
         messages.push({
-          ruleId: ruleId9,
+          ruleId: ruleId13,
           severity: 1,
           message: `the transitive dependency "${dependency}" is not published to the NPM registry`,
           line: 1,
@@ -11857,6 +12032,7 @@ function validUrl(key, value) {
 // src/package-json.ts
 var fields = {
   description: [present, typeString, nonempty],
+  files: [present, typeArray],
   keywords: [present, typeArray, nonempty],
   homepage: [present, typeString, validUrl],
   bugs: [present, validUrl],
@@ -11952,9 +12128,13 @@ async function verifyPackageJson(pkg, pkgAst, filePath, options = { allowedDepen
     ...conflictingTypesTypings(pkg, pkgAst),
     ...await deprecatedDependency(pkg, pkgAst, options),
     ...await verifyEngineConstraint(pkg),
+    ...exportsDefaultOrder(pkg, pkgAst),
+    ...exportsImportRequireOrder(pkg, pkgAst),
+    ...exportsPath(pkg, pkgAst),
     ...exportsTypesOrder(pkg, pkgAst),
     ...verifyFields(pkg, pkgAst, options),
     ...verifyDependencies(pkg, pkgAst, options),
+    ...noProtocolDependencies(pkg, pkgAst),
     ...outdatedEngines(pkg, pkgAst, ignoreNodeVersion),
     ...preferTypes(pkg, pkgAst),
     ...shadowedTypes(pkg, pkgAst),