npq 2.0.22 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -19,13 +19,14 @@
19
19
 
20
20
 
21
21
  Media coverage about npq:
22
+ - As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
22
23
  - Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)
23
24
  - Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)
24
25
  - Ran Bar Zik's [npq review to install safe modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)
25
26
  - ostechnix's [How To Safely Install Packages Using Npm Or Yarn On Linux](https://ostechnix.com/how-to-safely-install-packages-using-npm-or-yarn-on-linux)
26
27
  - debricked's [How to evaluate the security of your NPM Package dependencies](https://debricked.com/blog/2020/03/11/how-to-evaluate-the-security-of-your-npm-package-dependencies)
27
- - JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.javascriptjanuary.com/blog/open-source-from-heaven-modules-from-hell)
28
- - Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://medium.com/@liran.tal/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
28
+ - JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.lirantal.com/blog/2019-01-26)
29
+ - Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://www.lirantal.com/blog/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
29
30
 
30
31
 
31
32
  ## About
@@ -90,8 +91,10 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
90
91
  | Marshall Name | Description | Notes
91
92
  | --- | --- | ---
92
93
  | age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version
94
+ | author | Will show a warning if a package has been found without an author field | Checks the latest version for an author
93
95
  | downloads | Will show a warning for a package if its download count in the last month is less than 20
94
96
  | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
97
+ | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
95
98
  | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
96
99
  | snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
97
100
  | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
@@ -106,6 +109,12 @@ Example, to disable snyk:
106
109
  MARSHALL_DISABLE_SNYK=1 npq install express
107
110
  ```
108
111
 
112
+ ### Run checks on package without installing it:
113
+
114
+ ```sh
115
+ npq install express --dry-run
116
+ ```
117
+
109
118
  ### Using with TravisCI
110
119
 
111
120
  An example of using lockfile-lint with a `.travis.yml` configuration as part of your build:
@@ -13,11 +13,14 @@ inquirer.prompt = jest.fn().mockResolvedValue({ install: true })
13
13
 
14
14
  let mockGetShellConfig
15
15
  let mockIsRunningInYarn
16
+ let mockGetNpmVersion
16
17
 
17
18
  beforeEach(() => {
18
19
  mockGetShellConfig = jest.spyOn(helpers, 'getShellConfig').mockImplementation(() => ({ name: 'testShell', profilePath: TEST_PROFILE_PATH, aliases: TEST_ALIAS }))
19
20
  // Our install script does not run when installing with yarn, but we still want to be able to run tests with yarn
20
21
  mockIsRunningInYarn = jest.spyOn(helpers, 'isRunningInYarn').mockImplementation(() => false)
22
+ // Our install script does not run when installing with npm V7, but we still want to be able to run tests with all npm versions
23
+ mockGetNpmVersion = jest.spyOn(helpers, 'getNpmVersion').mockImplementation(() => '6.0.0')
21
24
  })
22
25
 
23
26
  afterEach(async () => {
@@ -57,6 +60,22 @@ test('postinstall script does not run in yarn', async () => {
57
60
  spy.mockRestore()
58
61
  })
59
62
 
63
+ test('postinstall script does not run in npm v7', async () => {
64
+ // npm v7 does not allow for stdin input during `npm install [-g] npq`
65
+ mockGetNpmVersion.mockRestore()
66
+ const oldUserAgent = process.env.npm_config_user_agent
67
+
68
+ const spy = jest.spyOn(console, 'log')
69
+ // pretend that we're running in npm v7, whether or not we actually are
70
+ process.env.npm_config_user_agent = 'npm/7.19.1 node/v14.16.1 win32 x64 workspaces/false'
71
+
72
+ await postinstall.runPostInstall()
73
+ expect(spy).not.toHaveBeenCalled()
74
+
75
+ process.env.npm_config_user_agent = oldUserAgent
76
+ spy.mockRestore()
77
+ })
78
+
60
79
  test('postinstall script adds aliases', async () => {
61
80
  await postinstall.runPostInstall()
62
81
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "2.0.22",
3
+ "version": "2.1.0",
4
4
  "description": "marshall your npm/yarn package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
@@ -172,15 +172,15 @@
172
172
  },
173
173
  "dependencies": {
174
174
  "chalk": "^2.3.0",
175
- "glob": "^7.1.7",
175
+ "glob": "^8.0.3",
176
176
  "inquirer": "^7.3.3",
177
177
  "listr": "^0.14.0",
178
- "node-fetch": "^2.6.1",
179
- "npm-package-arg": "^8.1.4",
180
- "semver": "^6.3.0",
181
- "update-notifier": "^5.0.1",
178
+ "node-fetch": "^2.6.7",
179
+ "npm-package-arg": "^10.1.0",
180
+ "semver": "^7.3.8",
181
+ "update-notifier": "^6.0.2",
182
182
  "validator": "^13.6.0",
183
- "yargs": "^16.2.0"
183
+ "yargs": "^17.6.2"
184
184
  },
185
185
  "release": {
186
186
  "branch": "master",
@@ -1,6 +1,7 @@
1
1
  const fs = require('fs')
2
2
  const chalk = require('chalk')
3
3
  const inquirer = require('inquirer')
4
+ const semver = require('semver')
4
5
 
5
6
  const helpers = require('./scriptHelpers')
6
7
 
@@ -10,6 +11,11 @@ const runPostInstall = async () => {
10
11
  return
11
12
  }
12
13
 
14
+ if (semver.gte(helpers.getNpmVersion(), '7.0.0')) {
15
+ // `npm install` in npm v7 cannot get stdin input, so we can't run this script there
16
+ return
17
+ }
18
+
13
19
  const shellConfig = helpers.getShellConfig()
14
20
  if (!shellConfig) {
15
21
  console.log('Could not detect your shell; please add aliases for npq manually.')
@@ -1,6 +1,7 @@
1
1
  const fs = require('fs')
2
2
  const os = require('os')
3
3
  const path = require('path')
4
+ const semver = require('semver')
4
5
 
5
6
  const BASH_ZSH_ALIASES = '\nalias npm="npq-hero"\nalias yarn="NPQ_PKG_MGR=yarn npq-hero"\n'
6
7
  const SHELLS = {
@@ -47,6 +48,12 @@ module.exports.isRunningInYarn = () => {
47
48
  return binaryName.toLowerCase().includes('yarn')
48
49
  }
49
50
 
51
+ module.exports.getNpmVersion = () => {
52
+ const npmData = process.env['npm_config_user_agent'] || '0.0.0'
53
+ const version = /npm\/(.*) node/.exec(npmData)[1]
54
+ return semver.valid(version) ? version : '0.0.0'
55
+ }
56
+
50
57
  const getProfile = async (profilePath) => {
51
58
  try {
52
59
  // eslint-disable-next-line security/detect-non-literal-fs-filename