npq 2.0.22 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/__tests__/scripts.test.js +19 -0
- package/package.json +7 -7
- package/scripts/postinstall.js +6 -0
- package/scripts/scriptHelpers.js +7 -0
package/README.md
CHANGED
|
@@ -19,13 +19,14 @@
|
|
|
19
19
|
|
|
20
20
|
|
|
21
21
|
Media coverage about npq:
|
|
22
|
+
- As mentioned on [Thomas Gentilhomme](https://github.com/fraxken)'s French book of [Become a Node.js Developer](https://docs.google.com/document/d/1JHgmEFkc8Py4XSuCB8_DQ5FFEJoogyeninFK6ucTd4o/edit#)
|
|
22
23
|
- Tao Bojlén's [A web of trust for npm](https://www.btao.org/2020/10/02/npm-trust.html)
|
|
23
24
|
- Zander's [favorite list of command line tools](https://zander.wtf/blog/terminal-commands)
|
|
24
25
|
- Ran Bar Zik's [npq review to install safe modules](https://internet-israel.com/%D7%A4%D7%99%D7%AA%D7%95%D7%97-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98/%D7%91%D7%A0%D7%99%D7%99%D7%AA-%D7%90%D7%AA%D7%A8%D7%99-%D7%90%D7%99%D7%A0%D7%98%D7%A8%D7%A0%D7%98-%D7%9C%D7%9E%D7%A4%D7%AA%D7%97%D7%99%D7%9D/%D7%91%D7%93%D7%99%D7%A7%D7%94-%D7%A2%D7%9D-npq-%D7%9B%D7%93%D7%99-%D7%9C%D7%95%D7%95%D7%93%D7%90-%D7%94%D7%AA%D7%A7%D7%A0%D7%94-%D7%AA%D7%A7%D7%99%D7%A0%D7%94-%D7%A9%D7%9C-%D7%9E%D7%95%D7%93%D7%95/)
|
|
25
26
|
- ostechnix's [How To Safely Install Packages Using Npm Or Yarn On Linux](https://ostechnix.com/how-to-safely-install-packages-using-npm-or-yarn-on-linux)
|
|
26
27
|
- debricked's [How to evaluate the security of your NPM Package dependencies](https://debricked.com/blog/2020/03/11/how-to-evaluate-the-security-of-your-npm-package-dependencies)
|
|
27
|
-
- JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.
|
|
28
|
-
- Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://
|
|
28
|
+
- JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.lirantal.com/blog/2019-01-26)
|
|
29
|
+
- Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://www.lirantal.com/blog/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
|
|
29
30
|
|
|
30
31
|
|
|
31
32
|
## About
|
|
@@ -90,8 +91,10 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
90
91
|
| Marshall Name | Description | Notes
|
|
91
92
|
| --- | --- | ---
|
|
92
93
|
| age | Will show a warning for a package if its age on npm is less than 22 days | Checks a package creation date, not a specific version
|
|
94
|
+
| author | Will show a warning if a package has been found without an author field | Checks the latest version for an author
|
|
93
95
|
| downloads | Will show a warning for a package if its download count in the last month is less than 20
|
|
94
96
|
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
|
|
97
|
+
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
|
|
95
98
|
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
|
|
96
99
|
| snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
|
|
97
100
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
@@ -106,6 +109,12 @@ Example, to disable snyk:
|
|
|
106
109
|
MARSHALL_DISABLE_SNYK=1 npq install express
|
|
107
110
|
```
|
|
108
111
|
|
|
112
|
+
### Run checks on package without installing it:
|
|
113
|
+
|
|
114
|
+
```sh
|
|
115
|
+
npq install express --dry-run
|
|
116
|
+
```
|
|
117
|
+
|
|
109
118
|
### Using with TravisCI
|
|
110
119
|
|
|
111
120
|
An example of using lockfile-lint with a `.travis.yml` configuration as part of your build:
|
|
@@ -13,11 +13,14 @@ inquirer.prompt = jest.fn().mockResolvedValue({ install: true })
|
|
|
13
13
|
|
|
14
14
|
let mockGetShellConfig
|
|
15
15
|
let mockIsRunningInYarn
|
|
16
|
+
let mockGetNpmVersion
|
|
16
17
|
|
|
17
18
|
beforeEach(() => {
|
|
18
19
|
mockGetShellConfig = jest.spyOn(helpers, 'getShellConfig').mockImplementation(() => ({ name: 'testShell', profilePath: TEST_PROFILE_PATH, aliases: TEST_ALIAS }))
|
|
19
20
|
// Our install script does not run when installing with yarn, but we still want to be able to run tests with yarn
|
|
20
21
|
mockIsRunningInYarn = jest.spyOn(helpers, 'isRunningInYarn').mockImplementation(() => false)
|
|
22
|
+
// Our install script does not run when installing with npm V7, but we still want to be able to run tests with all npm versions
|
|
23
|
+
mockGetNpmVersion = jest.spyOn(helpers, 'getNpmVersion').mockImplementation(() => '6.0.0')
|
|
21
24
|
})
|
|
22
25
|
|
|
23
26
|
afterEach(async () => {
|
|
@@ -57,6 +60,22 @@ test('postinstall script does not run in yarn', async () => {
|
|
|
57
60
|
spy.mockRestore()
|
|
58
61
|
})
|
|
59
62
|
|
|
63
|
+
test('postinstall script does not run in npm v7', async () => {
|
|
64
|
+
// npm v7 does not allow for stdin input during `npm install [-g] npq`
|
|
65
|
+
mockGetNpmVersion.mockRestore()
|
|
66
|
+
const oldUserAgent = process.env.npm_config_user_agent
|
|
67
|
+
|
|
68
|
+
const spy = jest.spyOn(console, 'log')
|
|
69
|
+
// pretend that we're running in npm v7, whether or not we actually are
|
|
70
|
+
process.env.npm_config_user_agent = 'npm/7.19.1 node/v14.16.1 win32 x64 workspaces/false'
|
|
71
|
+
|
|
72
|
+
await postinstall.runPostInstall()
|
|
73
|
+
expect(spy).not.toHaveBeenCalled()
|
|
74
|
+
|
|
75
|
+
process.env.npm_config_user_agent = oldUserAgent
|
|
76
|
+
spy.mockRestore()
|
|
77
|
+
})
|
|
78
|
+
|
|
60
79
|
test('postinstall script adds aliases', async () => {
|
|
61
80
|
await postinstall.runPostInstall()
|
|
62
81
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "2.0
|
|
3
|
+
"version": "2.1.0",
|
|
4
4
|
"description": "marshall your npm/yarn package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
@@ -172,15 +172,15 @@
|
|
|
172
172
|
},
|
|
173
173
|
"dependencies": {
|
|
174
174
|
"chalk": "^2.3.0",
|
|
175
|
-
"glob": "^
|
|
175
|
+
"glob": "^8.0.3",
|
|
176
176
|
"inquirer": "^7.3.3",
|
|
177
177
|
"listr": "^0.14.0",
|
|
178
|
-
"node-fetch": "^2.6.
|
|
179
|
-
"npm-package-arg": "^
|
|
180
|
-
"semver": "^
|
|
181
|
-
"update-notifier": "^
|
|
178
|
+
"node-fetch": "^2.6.7",
|
|
179
|
+
"npm-package-arg": "^10.1.0",
|
|
180
|
+
"semver": "^7.3.8",
|
|
181
|
+
"update-notifier": "^6.0.2",
|
|
182
182
|
"validator": "^13.6.0",
|
|
183
|
-
"yargs": "^
|
|
183
|
+
"yargs": "^17.6.2"
|
|
184
184
|
},
|
|
185
185
|
"release": {
|
|
186
186
|
"branch": "master",
|
package/scripts/postinstall.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
const fs = require('fs')
|
|
2
2
|
const chalk = require('chalk')
|
|
3
3
|
const inquirer = require('inquirer')
|
|
4
|
+
const semver = require('semver')
|
|
4
5
|
|
|
5
6
|
const helpers = require('./scriptHelpers')
|
|
6
7
|
|
|
@@ -10,6 +11,11 @@ const runPostInstall = async () => {
|
|
|
10
11
|
return
|
|
11
12
|
}
|
|
12
13
|
|
|
14
|
+
if (semver.gte(helpers.getNpmVersion(), '7.0.0')) {
|
|
15
|
+
// `npm install` in npm v7 cannot get stdin input, so we can't run this script there
|
|
16
|
+
return
|
|
17
|
+
}
|
|
18
|
+
|
|
13
19
|
const shellConfig = helpers.getShellConfig()
|
|
14
20
|
if (!shellConfig) {
|
|
15
21
|
console.log('Could not detect your shell; please add aliases for npq manually.')
|
package/scripts/scriptHelpers.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
const fs = require('fs')
|
|
2
2
|
const os = require('os')
|
|
3
3
|
const path = require('path')
|
|
4
|
+
const semver = require('semver')
|
|
4
5
|
|
|
5
6
|
const BASH_ZSH_ALIASES = '\nalias npm="npq-hero"\nalias yarn="NPQ_PKG_MGR=yarn npq-hero"\n'
|
|
6
7
|
const SHELLS = {
|
|
@@ -47,6 +48,12 @@ module.exports.isRunningInYarn = () => {
|
|
|
47
48
|
return binaryName.toLowerCase().includes('yarn')
|
|
48
49
|
}
|
|
49
50
|
|
|
51
|
+
module.exports.getNpmVersion = () => {
|
|
52
|
+
const npmData = process.env['npm_config_user_agent'] || '0.0.0'
|
|
53
|
+
const version = /npm\/(.*) node/.exec(npmData)[1]
|
|
54
|
+
return semver.valid(version) ? version : '0.0.0'
|
|
55
|
+
}
|
|
56
|
+
|
|
50
57
|
const getProfile = async (profilePath) => {
|
|
51
58
|
try {
|
|
52
59
|
// eslint-disable-next-line security/detect-non-literal-fs-filename
|