npq 2.2.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -7,7 +7,7 @@ jobs:
7
7
  strategy:
8
8
  matrix:
9
9
  platform: [ubuntu-latest]
10
- node: ['12', '14']
10
+ node: ['12', '14', '16', '18']
11
11
  name: Node ${{ matrix.node }} (${{ matrix.platform }})
12
12
  runs-on: ${{ matrix.platform }}
13
13
  steps:
@@ -37,13 +37,18 @@ jobs:
37
37
  release:
38
38
  name: do semantic release
39
39
  runs-on: 'ubuntu-latest'
40
+ permissions:
41
+ contents: write # to be able to publish a GitHub release
42
+ issues: write # to be able to comment on released issues
43
+ pull-requests: write # to be able to comment on released pull requests
44
+ id-token: write # to enable use of OIDC for npm provenance
40
45
  needs: build
41
- if: github.event_name == 'push' && github.ref == 'refs/heads/master'
46
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
42
47
  steps:
43
48
  - uses: actions/checkout@v2
44
49
  - uses: actions/setup-node@v2
45
50
  with:
46
- node-version: '14'
51
+ node-version: '18'
47
52
  - name: install dependencies
48
53
  run: yarn install --frozen-lockfile --ignore-engines --ignore-scripts
49
54
  - name: release
package/README.md CHANGED
@@ -1,13 +1,13 @@
1
1
  <p align="center">
2
2
  <br>
3
- <img width="200" src="https://github.com/lirantal/npq/raw/master/.github/Logo%20Horizontal.png">
3
+ <img width="200" src="https://github.com/lirantal/npq/raw/main/.github/Logo%20Horizontal.png">
4
4
  <br>
5
5
  safely* install packages with npm/yarn by auditing them as part of your install process
6
6
  </p>
7
7
 
8
8
  [![npm](https://img.shields.io/npm/v/npq.svg)](https://www.npmjs.com/package/npq)
9
9
  [![npm](https://img.shields.io/npm/l/npq.svg)](https://www.npmjs.com/package/npq)
10
- [![codecov](https://codecov.io/gh/lirantal/npq/branch/master/graph/badge.svg)](https://codecov.io/gh/lirantal/npq)
10
+ [![codecov](https://codecov.io/gh/lirantal/npq/branch/main/graph/badge.svg)](https://codecov.io/gh/lirantal/npq)
11
11
  [![Build Status](https://github.com/lirantal/npq/workflows/unit-tests/badge.svg)](https://github.com/lirantal/npq/workflows/unit-tests)
12
12
  [![Known Vulnerabilities](https://snyk.io/test/github/lirantal/npq/badge.svg)](https://snyk.io/test/github/lirantal/npq)
13
13
  [![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](./SECURITY.md)
@@ -15,7 +15,7 @@
15
15
 
16
16
  [![npq](https://snyk.io/advisor/npm-package/npq/badge.svg)](https://snyk.io/advisor/npm-package/npq)
17
17
 
18
- ![npq-demo-3-final](https://github.com/lirantal/npq/blob/master/.github/npq-demo.gif?raw=true)
18
+ ![npq-demo-3-final](https://github.com/lirantal/npq/blob/main/.github/npq-demo.gif?raw=true)
19
19
 
20
20
 
21
21
  Media coverage about npq:
@@ -96,14 +96,15 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
96
96
  | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
97
97
  | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
98
98
  | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
99
- | snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
99
+ | snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
100
100
  | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
101
+ | expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
101
102
 
102
103
  ### Disabling Marshalls
103
104
 
104
105
  To disable a marshall altogether, set an environment variable using with the marshall's shortname.
105
106
 
106
- Example, to disable snyk:
107
+ Example, to disable the Snyk vulnerability marshall:
107
108
 
108
109
  ```
109
110
  MARSHALL_DISABLE_SNYK=1 npq install express
@@ -134,14 +135,14 @@ script:
134
135
  * NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
135
136
  2. **How is NPQ different from npm audit?**
136
137
  * `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
137
- * NPQ will run synthethic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
138
- * `npm audit` is closer in functionality to what snyk does, rather than what NPQ does.
139
- 3. **Do I require a snyk API key in order to use NPQ?**
140
- * It's not required. If NPQ is unable to detect a snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use snyk, and connect it with NPQ for broader security.
138
+ * NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
139
+ * `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
140
+ 3. **Do I require a Snyk API key in order to use NPQ?**
141
+ * It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
141
142
 
142
143
  ## Contributing
143
144
 
144
- Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/master/CONTRIBUTING.md) for guidelines on contributing to this project
145
+ Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/main/CONTRIBUTING.md) for guidelines on contributing to this project
145
146
 
146
147
  ## Author
147
148
  Liran Tal <liran.tal@gmail.com>
@@ -27,7 +27,7 @@ test('checkPackage returns validation data if it was a success', async () => {
27
27
  expect(result).toEqual('validation-result')
28
28
  })
29
29
 
30
- test('checkPackage sets the error property if the validaiton failed', async () => {
30
+ test('checkPackage sets the error property if the validation failed', async () => {
31
31
  const testMarshall = new TestMarshall({
32
32
  packageRepoUtils: null
33
33
  })
@@ -0,0 +1,100 @@
1
+ const ExpiredDomainsMarshall = require('../lib/marshalls/expiredDomains.marshall')
2
+
3
+ const testMarshall = new ExpiredDomainsMarshall({
4
+ packageRepoUtils: {
5
+ getPackageInfo: (pkgInfo) => {
6
+ return new Promise((resolve) => {
7
+ resolve(pkgInfo)
8
+ })
9
+ }
10
+ }
11
+ })
12
+
13
+ describe('Expired domains test suites', () => {
14
+ beforeEach(() => {
15
+ jest.clearAllMocks()
16
+ jest.resetAllMocks()
17
+ })
18
+
19
+ test('has the right title', async () => {
20
+ expect(testMarshall.title()).toEqual('Detecting expired domains for authors account...')
21
+ })
22
+
23
+ test('throws the right error when an email domain cant be verified', async () => {
24
+ const nonExistentEmailAddress =
25
+ 'liran.tal+test1234@somenonexistentdomainongoogle109dubv98g39ujasdasda.com'
26
+ const pkgData = {
27
+ packageName: {
28
+ 'dist-tags': {
29
+ latest: '1.0.0'
30
+ },
31
+ versions: {
32
+ '1.0.0': {
33
+ maintainers: [
34
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
35
+ {
36
+ name: 'lirantal_test_user',
37
+ email: nonExistentEmailAddress
38
+ }
39
+ ]
40
+ }
41
+ }
42
+ }
43
+ }
44
+
45
+ await expect(testMarshall.validate(pkgData)).rejects.toThrow(
46
+ /Unable to resolve domain for maintainer e-mail, could be an expired account/
47
+ )
48
+ })
49
+
50
+ test('if email hostname is empty then show an unknown message', async () => {
51
+ const nonExistentEmailAddress = ''
52
+ const pkgData = {
53
+ packageName: {
54
+ 'dist-tags': {
55
+ latest: '1.0.0'
56
+ },
57
+ versions: {
58
+ '1.0.0': {
59
+ maintainers: [
60
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
61
+ {
62
+ name: 'lirantal_test_user',
63
+ email: nonExistentEmailAddress
64
+ }
65
+ ]
66
+ }
67
+ }
68
+ }
69
+ }
70
+
71
+ await expect(testMarshall.validate(pkgData)).rejects.toThrow(
72
+ /Unable to resolve domain for maintainer e-mail, could be an expired account: <unknown>/
73
+ )
74
+ })
75
+
76
+ test('does not throw any errors if the domain resolves well', async () => {
77
+ jest.setTimeout(15000)
78
+
79
+ const pkgData = {
80
+ packageName: {
81
+ 'dist-tags': {
82
+ latest: '1.0.0'
83
+ },
84
+ versions: {
85
+ '1.0.0': {
86
+ maintainers: [
87
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
88
+ {
89
+ name: 'lirantal_test_user',
90
+ email: 'liran.tal@gmail.com'
91
+ }
92
+ ]
93
+ }
94
+ }
95
+ }
96
+ }
97
+
98
+ await expect(testMarshall.validate(pkgData)).resolves.toEqual(expect.anything())
99
+ })
100
+ })
@@ -59,7 +59,7 @@ test('package manager spawns successfully when provided array of packages to han
59
59
  childProcess.spawn.mockReset()
60
60
  })
61
61
 
62
- test('package manager spawns successfully and ignore npqs own internal commands when spawning package manager', async () => {
62
+ test("package manager spawns successfully and ignore npq's own internal commands when spawning package manager", async () => {
63
63
  process.argv = [
64
64
  'node',
65
65
  'script name',
package/bin/npq-hero.js CHANGED
@@ -43,7 +43,7 @@ marshall
43
43
  })
44
44
  .then((status) => {
45
45
  if (status && status.hasOwnProperty('install') && status.install === true) {
46
- pkgMgr.process(PACKAGE_MANAGER_TOOL, cli.package)
46
+ pkgMgr.process(PACKAGE_MANAGER_TOOL)
47
47
  }
48
48
  })
49
49
  .catch((error) => {
@@ -13,7 +13,7 @@ class PackageRepoUtils {
13
13
  }
14
14
 
15
15
  formatPackageForUrl (pkg) {
16
- return pkg.replace('/', '%2F')
16
+ return pkg.replace(/\//g, '%2F')
17
17
  }
18
18
 
19
19
  getPackageInfo (pkg) {
@@ -0,0 +1,46 @@
1
+ 'use strict'
2
+
3
+ const BaseMarshall = require('./baseMarshall')
4
+ const dns = require('dns').promises
5
+
6
+ const MARSHALL_NAME = 'maintainers_expired_emails'
7
+
8
+ class Marshall extends BaseMarshall {
9
+ constructor (options) {
10
+ super(options)
11
+ this.name = MARSHALL_NAME
12
+ }
13
+
14
+ title () {
15
+ return 'Detecting expired domains for authors account...'
16
+ }
17
+
18
+ validate (pkg) {
19
+ return this.packageRepoUtils
20
+ .getPackageInfo(pkg.packageName)
21
+ .then((data) => {
22
+ const lastVersionData =
23
+ data.versions && data['dist-tags'] && data.versions[data['dist-tags']['latest']]
24
+
25
+ let maintainersAccounts = lastVersionData && lastVersionData.maintainers
26
+
27
+ let testEmails = []
28
+ for (const maintainerInfo of maintainersAccounts) {
29
+ const maintainerEmail = maintainerInfo.email
30
+ const emailDomain = maintainerEmail.split('@')[1]
31
+ testEmails.push(dns.resolve(emailDomain))
32
+ }
33
+
34
+ return Promise.all(testEmails)
35
+ })
36
+ .catch((error) => {
37
+ let emailHostname = error.hostname ? error.hostname : '<unknown>'
38
+ throw new Error(
39
+ 'Unable to resolve domain for maintainer e-mail, could be an expired account: ' +
40
+ emailHostname
41
+ )
42
+ })
43
+ }
44
+ }
45
+
46
+ module.exports = Marshall
@@ -47,15 +47,15 @@ class Marshalls {
47
47
  }
48
48
 
49
49
  static tasks (options) {
50
- return this.warmUpPackagesCache(options)
51
- .then(() => this.collectMarshalls())
50
+ return Marshalls.warmUpPackagesCache(options)
51
+ .then(() => Marshalls.collectMarshalls())
52
52
  .then((marshalls) => {
53
- return this.buildMarshallTasks(marshalls, {
53
+ return Marshalls.buildMarshallTasks(marshalls, {
54
54
  packageRepoUtils: options.packageRepoUtils
55
55
  })
56
56
  })
57
57
  .then((tasks) => {
58
- return this.runTasks(tasks, options)
58
+ return Marshalls.runTasks(tasks, options)
59
59
  })
60
60
  }
61
61
 
@@ -5,12 +5,12 @@ const childProcess = require('child_process')
5
5
  const DEFAULT_PKGMGR = 'npm'
6
6
 
7
7
  class packageManager {
8
- static process (packageManager) {
9
- packageManager = this.validatePackageManager(packageManager)
10
- return this.spawnPackageManager(packageManager)
8
+ static process (packageManagerOption) {
9
+ const detectedPackageManager = packageManager.validatePackageManager(packageManagerOption)
10
+ return packageManager.spawnPackageManager(detectedPackageManager)
11
11
  }
12
12
 
13
- static spawnPackageManager (packageManager) {
13
+ static spawnPackageManager (packageManagerOption) {
14
14
  let args = []
15
15
 
16
16
  args = args.concat(process.argv.slice(2)).filter((item) => {
@@ -24,7 +24,7 @@ class packageManager {
24
24
  }
25
25
  })
26
26
 
27
- const child = childProcess.spawn(packageManager, args, {
27
+ const child = childProcess.spawn(packageManagerOption, args, {
28
28
  stdio: 'inherit',
29
29
  shell: true
30
30
  })
@@ -32,16 +32,16 @@ class packageManager {
32
32
  return Promise.resolve(child)
33
33
  }
34
34
 
35
- static validatePackageManager (packageManager) {
36
- if (!packageManager) {
37
- packageManager = this.getDefaultPackageManager()
35
+ static validatePackageManager (packageManagerOption) {
36
+ if (!packageManagerOption) {
37
+ packageManagerOption = packageManager.getDefaultPackageManager()
38
38
  }
39
39
 
40
- if (typeof packageManager !== 'string') {
40
+ if (typeof packageManagerOption !== 'string') {
41
41
  throw new Error('a packageManager should be specified as a string')
42
42
  }
43
43
 
44
- return packageManager
44
+ return packageManagerOption
45
45
  }
46
46
 
47
47
  static getDefaultPackageManager () {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "2.2.0",
3
+ "version": "2.3.1",
4
4
  "description": "marshall your npm/yarn package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
@@ -30,6 +30,10 @@
30
30
  "type": "git",
31
31
  "url": "git+https://github.com/lirantal/npq.git"
32
32
  },
33
+ "publishConfig": {
34
+ "provenance": true,
35
+ "access": "public"
36
+ },
33
37
  "devDependencies": {
34
38
  "@babel/core": "^7.7.4",
35
39
  "@babel/plugin-transform-runtime": "^7.7.4",
@@ -52,7 +56,7 @@
52
56
  "lockfile-lint": "^2.0.1",
53
57
  "opn-cli": "^4.0.0",
54
58
  "prettier": "^2.8.3",
55
- "semantic-release": "^15.0.0",
59
+ "semantic-release": "21.0.2",
56
60
  "standard": "^12.0.0"
57
61
  },
58
62
  "jest": {
@@ -152,14 +156,14 @@
152
156
  "node/no-unsupported-features/node-builtins": [
153
157
  "error",
154
158
  {
155
- "version": ">=10.1.0",
159
+ "version": ">=10.6.0",
156
160
  "ignores": []
157
161
  }
158
162
  ],
159
163
  "node/no-unsupported-features/es-syntax": [
160
164
  "error",
161
165
  {
162
- "version": ">=10.1.0",
166
+ "version": ">=10.6.0",
163
167
  "ignores": []
164
168
  }
165
169
  ]
@@ -183,17 +187,19 @@
183
187
  "dependencies": {
184
188
  "chalk": "^2.3.0",
185
189
  "glob": "^8.0.3",
186
- "inquirer": "^7.3.3",
190
+ "inquirer": "^8.0.0",
187
191
  "listr": "^0.14.0",
188
192
  "node-fetch": "^2.6.7",
189
193
  "npm-package-arg": "^10.1.0",
190
194
  "semver": "^7.3.8",
191
195
  "update-notifier": "^5",
192
- "validator": "^13.6.0",
196
+ "validator": "13.7.0",
193
197
  "yargs": "^17.6.2"
194
198
  },
195
199
  "release": {
196
- "branch": "master",
200
+ "branches": [
201
+ "main"
202
+ ],
197
203
  "analyzeCommits": {
198
204
  "preset": "angular",
199
205
  "releaseRules": [