npm - npm-pkg-lint - Versions diffs - 4.5.3 → 4.6.1 - Mend

npm-pkg-lint 4.5.3 → 4.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -412,3 +412,23 @@ The following `package.json`:
 ```
 will yield an error becase `@tsconfig/node14` is for NodeJS v14 but the `engines.node` constraints the version to v12.
+## `package-lock.json` lockfile
+Requires `package-lock.json`, if present, to pass the following checks:
+- Lockfile version must be 3.
+- All packages must be resolved from `https://registry.npmjs.org/`.
+**Why?** Lockfile version 3 (introduced with npm v7) includes the full dependency tree in a more compact and efficient format.
+Older lockfile versions (1 and 2) are either missing information or include redundant data that version 3 supersedes.
+Using version 3 ensures compatibility with modern npm tooling and avoids the ambiguity of the legacy formats.
+**Why?** Packages resolved from private registries, git URLs, or local paths indicate non-standard dependencies that may not be reproducible in all environments.
+All published production dependencies should be resolvable from the public npm registry to ensure consumers can reliably install the same code.
+To upgrade an existing lockfile to version 3 run:
+```sh
+npm install --lockfile-version 3 --package-lock-only
+```

package/dist/index.js CHANGED Viewed

@@ -349,7 +349,7 @@ var require_argparse = __commonJS({
     var _UNRECOGNIZED_ARGS_ATTR = "_unrecognized_args";
     var assert = __require("assert");
     var util = __require("util");
-    var fs7 = __require("fs");
+    var fs8 = __require("fs");
     var sub = require_sub();
     var path8 = __require("path");
     var repr = util.inspect;
@@ -1838,7 +1838,7 @@ var require_argparse = __commonJS({
           start,
           end,
           highWaterMark,
-          fs8
+          fs9
         ] = _parse_opts(arguments, {
           flags: "r",
           encoding: void 0,
@@ -1871,7 +1871,7 @@ var require_argparse = __commonJS({
         if (start !== void 0) this._options.start = start;
         if (end !== void 0) this._options.end = end;
         if (highWaterMark !== void 0) this._options.highWaterMark = highWaterMark;
-        if (fs8 !== void 0) this._options.fs = fs8;
+        if (fs9 !== void 0) this._options.fs = fs9;
       }
       call(string) {
         if (string === "-") {
@@ -1886,7 +1886,7 @@ var require_argparse = __commonJS({
         }
         let fd;
         try {
-          fd = fs7.openSync(string, this._flags, this._options.mode);
+          fd = fs8.openSync(string, this._flags, this._options.mode);
         } catch (e) {
           let args = { filename: string, error: e.message };
           let message = "can't open '%(filename)s': %(error)s";
@@ -1894,9 +1894,9 @@ var require_argparse = __commonJS({
         }
         let options = Object.assign({ fd, flags: this._flags }, this._options);
         if (this._flags.includes("r")) {
-          return fs7.createReadStream(void 0, options);
+          return fs8.createReadStream(void 0, options);
         } else if (this._flags.includes("w")) {
-          return fs7.createWriteStream(void 0, options);
+          return fs8.createWriteStream(void 0, options);
         } else {
           let msg = sub('argument "%s" with mode %r', string, this._flags);
           throw new TypeError(msg);
@@ -2755,7 +2755,7 @@ var require_argparse = __commonJS({
             new_arg_strings.push(arg_string);
           } else {
             try {
-              let args_file = fs7.readFileSync(arg_string.slice(1), "utf8");
+              let args_file = fs8.readFileSync(arg_string.slice(1), "utf8");
               let arg_strings2 = [];
               for (let arg_line of splitlines(args_file)) {
                 for (let arg of this.convert_arg_line_to_args(arg_line)) {
@@ -3203,11 +3203,11 @@ var require_argparse = __commonJS({
 // node_modules/tmp/lib/tmp.js
 var require_tmp = __commonJS({
   "node_modules/tmp/lib/tmp.js"(exports, module) {
-    var fs7 = __require("fs");
+    var fs8 = __require("fs");
     var os3 = __require("os");
     var path8 = __require("path");
     var crypto2 = __require("crypto");
-    var _c = { fs: fs7.constants, os: os3.constants };
+    var _c = { fs: fs8.constants, os: os3.constants };
     var RANDOM_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
     var TEMPLATE_PATTERN = /XXXXXX/;
     var DEFAULT_TRIES = 3;
@@ -3219,13 +3219,13 @@ var require_tmp = __commonJS({
     var FILE_MODE = 384;
     var EXIT = "exit";
     var _removeObjects = [];
-    var FN_RMDIR_SYNC = fs7.rmdirSync.bind(fs7);
+    var FN_RMDIR_SYNC = fs8.rmdirSync.bind(fs8);
     var _gracefulCleanup = false;
     function rimraf(dirPath, callback) {
-      return fs7.rm(dirPath, { recursive: true }, callback);
+      return fs8.rm(dirPath, { recursive: true }, callback);
     }
     function FN_RIMRAF_SYNC(dirPath) {
-      return fs7.rmSync(dirPath, { recursive: true });
+      return fs8.rmSync(dirPath, { recursive: true });
     }
     function tmpName(options, callback) {
       const args = _parseArguments(options, callback), opts = args[0], cb = args[1];
@@ -3235,7 +3235,7 @@ var require_tmp = __commonJS({
         (function _getUniqueName() {
           try {
             const name = _generateTmpName(sanitizedOptions);
-            fs7.stat(name, function(err2) {
+            fs8.stat(name, function(err2) {
               if (!err2) {
                 if (tries-- > 0) return _getUniqueName();
                 return cb(new Error("Could not get a unique tmp filename, max tries reached " + name));
@@ -3255,7 +3255,7 @@ var require_tmp = __commonJS({
       do {
         const name = _generateTmpName(sanitizedOptions);
         try {
-          fs7.statSync(name);
+          fs8.statSync(name);
         } catch (e) {
           return name;
         }
@@ -3266,10 +3266,10 @@ var require_tmp = __commonJS({
       const args = _parseArguments(options, callback), opts = args[0], cb = args[1];
       tmpName(opts, function _tmpNameCreated(err, name) {
         if (err) return cb(err);
-        fs7.open(name, CREATE_FLAGS, opts.mode || FILE_MODE, function _fileCreated(err2, fd) {
+        fs8.open(name, CREATE_FLAGS, opts.mode || FILE_MODE, function _fileCreated(err2, fd) {
           if (err2) return cb(err2);
           if (opts.discardDescriptor) {
-            return fs7.close(fd, function _discardCallback(possibleErr) {
+            return fs8.close(fd, function _discardCallback(possibleErr) {
               return cb(possibleErr, name, void 0, _prepareTmpFileRemoveCallback(name, -1, opts, false));
             });
           } else {
@@ -3283,9 +3283,9 @@ var require_tmp = __commonJS({
       const args = _parseArguments(options), opts = args[0];
       const discardOrDetachDescriptor = opts.discardDescriptor || opts.detachDescriptor;
       const name = tmpNameSync(opts);
-      let fd = fs7.openSync(name, CREATE_FLAGS, opts.mode || FILE_MODE);
+      let fd = fs8.openSync(name, CREATE_FLAGS, opts.mode || FILE_MODE);
       if (opts.discardDescriptor) {
-        fs7.closeSync(fd);
+        fs8.closeSync(fd);
         fd = void 0;
       }
       return {
@@ -3298,7 +3298,7 @@ var require_tmp = __commonJS({
       const args = _parseArguments(options, callback), opts = args[0], cb = args[1];
       tmpName(opts, function _tmpNameCreated(err, name) {
         if (err) return cb(err);
-        fs7.mkdir(name, opts.mode || DIR_MODE, function _dirCreated(err2) {
+        fs8.mkdir(name, opts.mode || DIR_MODE, function _dirCreated(err2) {
           if (err2) return cb(err2);
           cb(null, name, _prepareTmpDirRemoveCallback(name, opts, false));
         });
@@ -3307,7 +3307,7 @@ var require_tmp = __commonJS({
     function dirSync(options) {
       const args = _parseArguments(options), opts = args[0];
       const name = tmpNameSync(opts);
-      fs7.mkdirSync(name, opts.mode || DIR_MODE);
+      fs8.mkdirSync(name, opts.mode || DIR_MODE);
       return {
         name,
         removeCallback: _prepareTmpDirRemoveCallback(name, opts, true)
@@ -3321,20 +3321,20 @@ var require_tmp = __commonJS({
         next();
       };
       if (0 <= fdPath[0])
-        fs7.close(fdPath[0], function() {
-          fs7.unlink(fdPath[1], _handler);
+        fs8.close(fdPath[0], function() {
+          fs8.unlink(fdPath[1], _handler);
         });
-      else fs7.unlink(fdPath[1], _handler);
+      else fs8.unlink(fdPath[1], _handler);
     }
     function _removeFileSync(fdPath) {
       let rethrownException = null;
       try {
-        if (0 <= fdPath[0]) fs7.closeSync(fdPath[0]);
+        if (0 <= fdPath[0]) fs8.closeSync(fdPath[0]);
       } catch (e) {
         if (!_isEBADF(e) && !_isENOENT(e)) throw e;
       } finally {
         try {
-          fs7.unlinkSync(fdPath[1]);
+          fs8.unlinkSync(fdPath[1]);
         } catch (e) {
           if (!_isENOENT(e)) rethrownException = e;
         }
@@ -3350,7 +3350,7 @@ var require_tmp = __commonJS({
       return sync ? removeCallbackSync : removeCallback;
     }
     function _prepareTmpDirRemoveCallback(name, opts, sync) {
-      const removeFunction = opts.unsafeCleanup ? rimraf : fs7.rmdir.bind(fs7);
+      const removeFunction = opts.unsafeCleanup ? rimraf : fs8.rmdir.bind(fs8);
       const removeFunctionSync = opts.unsafeCleanup ? FN_RIMRAF_SYNC : FN_RMDIR_SYNC;
       const removeCallbackSync = _prepareRemoveCallback(removeFunctionSync, name, sync);
       const removeCallback = _prepareRemoveCallback(removeFunction, name, sync, removeCallbackSync);
@@ -3413,24 +3413,24 @@ var require_tmp = __commonJS({
     }
     function _resolvePath(name, tmpDir, cb) {
       const pathToResolve = path8.isAbsolute(name) ? name : path8.join(tmpDir, name);
-      fs7.stat(pathToResolve, function(err) {
+      fs8.stat(pathToResolve, function(err) {
         if (err) {
-          fs7.realpath(path8.dirname(pathToResolve), function(err2, parentDir) {
+          fs8.realpath(path8.dirname(pathToResolve), function(err2, parentDir) {
             if (err2) return cb(err2);
             cb(null, path8.join(parentDir, path8.basename(pathToResolve)));
           });
         } else {
-          fs7.realpath(pathToResolve, cb);
+          fs8.realpath(pathToResolve, cb);
         }
       });
     }
     function _resolvePathSync(name, tmpDir) {
       const pathToResolve = path8.isAbsolute(name) ? name : path8.join(tmpDir, name);
       try {
-        fs7.statSync(pathToResolve);
-        return fs7.realpathSync(pathToResolve);
+        fs8.statSync(pathToResolve);
+        return fs8.realpathSync(pathToResolve);
       } catch (_err) {
-        const parentDir = fs7.realpathSync(path8.dirname(pathToResolve));
+        const parentDir = fs8.realpathSync(path8.dirname(pathToResolve));
         return path8.join(parentDir, path8.basename(pathToResolve));
       }
     }
@@ -3535,10 +3535,10 @@ var require_tmp = __commonJS({
       _gracefulCleanup = true;
     }
     function _getTmpDir(options, cb) {
-      return fs7.realpath(options && options.tmpdir || os3.tmpdir(), cb);
+      return fs8.realpath(options && options.tmpdir || os3.tmpdir(), cb);
     }
     function _getTmpDirSync(options) {
-      return fs7.realpathSync(options && options.tmpdir || os3.tmpdir());
+      return fs8.realpathSync(options && options.tmpdir || os3.tmpdir());
     }
     process.addListener(EXIT, _garbageCollector);
     Object.defineProperty(module.exports, "tmpdir", {
@@ -5489,7 +5489,7 @@ var require_semver2 = __commonJS({
 });
 // src/index.ts
-import { createWriteStream, existsSync, promises as fs6, readFileSync } from "node:fs";
+import { createWriteStream, existsSync, promises as fs7, readFileSync } from "node:fs";
 import path7 from "node:path";
 import { fileURLToPath as fileURLToPath4 } from "node:url";
@@ -12152,6 +12152,89 @@ async function verifyPackageJson(pkg, pkgAst, filePath, options = { allowedDepen
   ];
 }
+// src/package-lock.ts
+import { promises as fs6 } from "node:fs";
+var REGISTRY_URL = "https://registry.npmjs.org/";
+function isErrnoException(err) {
+  return err instanceof Error && "code" in err;
+}
+function isPackageLockVersion3(lockfile) {
+  return lockfile.lockfileVersion === 3;
+}
+function isValidResolved(pkg) {
+  return pkg.resolved === void 0 || pkg.resolved.startsWith(REGISTRY_URL);
+}
+async function readLockfile(lockfilePath) {
+  try {
+    return await fs6.readFile(lockfilePath, "utf-8");
+  } catch (err) {
+    if (isErrnoException(err) && err.code === "ENOENT") {
+      return null;
+    }
+    throw err;
+  }
+}
+async function verifyPackageLock() {
+  const lockfilePath = await findUp("package-lock.json");
+  if (!lockfilePath) {
+    return [];
+  }
+  const content = await readLockfile(lockfilePath);
+  if (content === null) {
+    return [];
+  }
+  const lockfile = JSON.parse(content);
+  const ast = parse(content);
+  if (!isPackageLockVersion3(lockfile)) {
+    const { line, column } = jsonLocation(ast, "value", "lockfileVersion");
+    return [
+      {
+        messages: [
+          {
+            ruleId: "package-lock-version",
+            severity: 2,
+            message: `package-lock.json has lockfileVersion ${lockfile.lockfileVersion} but expected 3`,
+            line,
+            column
+          }
+        ],
+        filePath: lockfilePath,
+        errorCount: 1,
+        warningCount: 0,
+        fixableErrorCount: 0,
+        fixableWarningCount: 0
+      }
+    ];
+  }
+  const { packages } = lockfile;
+  const results = [];
+  for (const [name, pkg] of Object.entries(packages)) {
+    if (pkg.link) {
+      continue;
+    }
+    if (!isValidResolved(pkg)) {
+      const { line, column } = jsonLocation(ast, "value", "packages", name, "resolved");
+      results.push({
+        messages: [
+          {
+            ruleId: "package-lock-registry",
+            severity: 2,
+            message: `package "${name}" is resolved from "${String(pkg.resolved)}" instead of the npm registry`,
+            line,
+            column
+          }
+        ],
+        filePath: lockfilePath,
+        errorCount: 1,
+        warningCount: 0,
+        fixableErrorCount: 0,
+        fixableWarningCount: 0
+      });
+    }
+  }
+  return results;
+}
 // src/shebang.ts
 function getBinaries(pkg) {
   if (!pkg.bin) {
@@ -12193,6 +12276,7 @@ async function verify(pkg, pkgAst, pkgPath, tarball, options) {
   return [
     ...await verifyTarball(pkg, tarball),
     ...await verifyPackageJson(pkg, pkgAst, pkgPath, options),
+    ...await verifyPackageLock(),
     ...await verifyShebang(pkg, tarball)
   ];
 }
@@ -12221,7 +12305,7 @@ async function preloadStdin() {
 }
 async function getPackageJson(args, regenerateReportName) {
   if (args.pkgfile) {
-    const content = await fs6.readFile(args.pkgfile, "utf-8");
+    const content = await fs7.readFile(args.pkgfile, "utf-8");
     const pkg = JSON.parse(content);
     const pkgAst = parse(content);
     return {
@@ -12246,7 +12330,7 @@ async function getPackageJson(args, regenerateReportName) {
   }
   const pkgPath = await findUp(PACKAGE_JSON);
   if (pkgPath) {
-    const content = await fs6.readFile(pkgPath, "utf-8");
+    const content = await fs7.readFile(pkgPath, "utf-8");
     const pkg = JSON.parse(content);
     const pkgAst = parse(content);
     return {