npq 2.2.0 → 2.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/main.yml +8 -3
- package/README.md +11 -10
- package/__tests__/marshalls.base.test.js +1 -1
- package/__tests__/marshalls.expiredDomains.test.js +100 -0
- package/__tests__/packageManager.test.js +1 -1
- package/bin/npq-hero.js +1 -1
- package/lib/helpers/packageRepoUtils.js +1 -1
- package/lib/marshalls/expiredDomains.marshall.js +46 -0
- package/lib/marshalls/index.js +4 -4
- package/lib/packageManager.js +10 -10
- package/package.json +13 -7
|
@@ -7,7 +7,7 @@ jobs:
|
|
|
7
7
|
strategy:
|
|
8
8
|
matrix:
|
|
9
9
|
platform: [ubuntu-latest]
|
|
10
|
-
node: ['12', '14']
|
|
10
|
+
node: ['12', '14', '16', '18']
|
|
11
11
|
name: Node ${{ matrix.node }} (${{ matrix.platform }})
|
|
12
12
|
runs-on: ${{ matrix.platform }}
|
|
13
13
|
steps:
|
|
@@ -37,13 +37,18 @@ jobs:
|
|
|
37
37
|
release:
|
|
38
38
|
name: do semantic release
|
|
39
39
|
runs-on: 'ubuntu-latest'
|
|
40
|
+
permissions:
|
|
41
|
+
contents: write # to be able to publish a GitHub release
|
|
42
|
+
issues: write # to be able to comment on released issues
|
|
43
|
+
pull-requests: write # to be able to comment on released pull requests
|
|
44
|
+
id-token: write # to enable use of OIDC for npm provenance
|
|
40
45
|
needs: build
|
|
41
|
-
if: github.event_name == 'push' && github.ref == 'refs/heads/
|
|
46
|
+
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
42
47
|
steps:
|
|
43
48
|
- uses: actions/checkout@v2
|
|
44
49
|
- uses: actions/setup-node@v2
|
|
45
50
|
with:
|
|
46
|
-
node-version: '
|
|
51
|
+
node-version: '18'
|
|
47
52
|
- name: install dependencies
|
|
48
53
|
run: yarn install --frozen-lockfile --ignore-engines --ignore-scripts
|
|
49
54
|
- name: release
|
package/README.md
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
<p align="center">
|
|
2
2
|
<br>
|
|
3
|
-
<img width="200" src="https://github.com/lirantal/npq/raw/
|
|
3
|
+
<img width="200" src="https://github.com/lirantal/npq/raw/main/.github/Logo%20Horizontal.png">
|
|
4
4
|
<br>
|
|
5
5
|
safely* install packages with npm/yarn by auditing them as part of your install process
|
|
6
6
|
</p>
|
|
7
7
|
|
|
8
8
|
[](https://www.npmjs.com/package/npq)
|
|
9
9
|
[](https://www.npmjs.com/package/npq)
|
|
10
|
-
[](https://codecov.io/gh/lirantal/npq)
|
|
11
11
|
[](https://github.com/lirantal/npq/workflows/unit-tests)
|
|
12
12
|
[](https://snyk.io/test/github/lirantal/npq)
|
|
13
13
|
[](./SECURITY.md)
|
|
@@ -15,7 +15,7 @@
|
|
|
15
15
|
|
|
16
16
|
[](https://snyk.io/advisor/npm-package/npq)
|
|
17
17
|
|
|
18
|
-

|
|
19
19
|
|
|
20
20
|
|
|
21
21
|
Media coverage about npq:
|
|
@@ -96,14 +96,15 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
96
96
|
| readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
|
|
97
97
|
| repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
|
|
98
98
|
| scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
|
|
99
|
-
| snyk | Will show a warning if a package has been found with vulnerabilities in
|
|
99
|
+
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
|
|
100
100
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
101
|
+
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
|
|
101
102
|
|
|
102
103
|
### Disabling Marshalls
|
|
103
104
|
|
|
104
105
|
To disable a marshall altogether, set an environment variable using with the marshall's shortname.
|
|
105
106
|
|
|
106
|
-
Example, to disable
|
|
107
|
+
Example, to disable the Snyk vulnerability marshall:
|
|
107
108
|
|
|
108
109
|
```
|
|
109
110
|
MARSHALL_DISABLE_SNYK=1 npq install express
|
|
@@ -134,14 +135,14 @@ script:
|
|
|
134
135
|
* NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
|
|
135
136
|
2. **How is NPQ different from npm audit?**
|
|
136
137
|
* `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
|
|
137
|
-
* NPQ will run
|
|
138
|
-
* `npm audit` is closer in functionality to what
|
|
139
|
-
3. **Do I require a
|
|
140
|
-
* It's not required. If NPQ is unable to detect a
|
|
138
|
+
* NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
|
|
139
|
+
* `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
|
|
140
|
+
3. **Do I require a Snyk API key in order to use NPQ?**
|
|
141
|
+
* It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
|
|
141
142
|
|
|
142
143
|
## Contributing
|
|
143
144
|
|
|
144
|
-
Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/
|
|
145
|
+
Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/main/CONTRIBUTING.md) for guidelines on contributing to this project
|
|
145
146
|
|
|
146
147
|
## Author
|
|
147
148
|
Liran Tal <liran.tal@gmail.com>
|
|
@@ -27,7 +27,7 @@ test('checkPackage returns validation data if it was a success', async () => {
|
|
|
27
27
|
expect(result).toEqual('validation-result')
|
|
28
28
|
})
|
|
29
29
|
|
|
30
|
-
test('checkPackage sets the error property if the
|
|
30
|
+
test('checkPackage sets the error property if the validation failed', async () => {
|
|
31
31
|
const testMarshall = new TestMarshall({
|
|
32
32
|
packageRepoUtils: null
|
|
33
33
|
})
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
const ExpiredDomainsMarshall = require('../lib/marshalls/expiredDomains.marshall')
|
|
2
|
+
|
|
3
|
+
const testMarshall = new ExpiredDomainsMarshall({
|
|
4
|
+
packageRepoUtils: {
|
|
5
|
+
getPackageInfo: (pkgInfo) => {
|
|
6
|
+
return new Promise((resolve) => {
|
|
7
|
+
resolve(pkgInfo)
|
|
8
|
+
})
|
|
9
|
+
}
|
|
10
|
+
}
|
|
11
|
+
})
|
|
12
|
+
|
|
13
|
+
describe('Expired domains test suites', () => {
|
|
14
|
+
beforeEach(() => {
|
|
15
|
+
jest.clearAllMocks()
|
|
16
|
+
jest.resetAllMocks()
|
|
17
|
+
})
|
|
18
|
+
|
|
19
|
+
test('has the right title', async () => {
|
|
20
|
+
expect(testMarshall.title()).toEqual('Detecting expired domains for authors account...')
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
test('throws the right error when an email domain cant be verified', async () => {
|
|
24
|
+
const nonExistentEmailAddress =
|
|
25
|
+
'liran.tal+test1234@somenonexistentdomainongoogle109dubv98g39ujasdasda.com'
|
|
26
|
+
const pkgData = {
|
|
27
|
+
packageName: {
|
|
28
|
+
'dist-tags': {
|
|
29
|
+
latest: '1.0.0'
|
|
30
|
+
},
|
|
31
|
+
versions: {
|
|
32
|
+
'1.0.0': {
|
|
33
|
+
maintainers: [
|
|
34
|
+
{ name: 'lirantal', email: 'liran.tal@gmail.com' },
|
|
35
|
+
{
|
|
36
|
+
name: 'lirantal_test_user',
|
|
37
|
+
email: nonExistentEmailAddress
|
|
38
|
+
}
|
|
39
|
+
]
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
await expect(testMarshall.validate(pkgData)).rejects.toThrow(
|
|
46
|
+
/Unable to resolve domain for maintainer e-mail, could be an expired account/
|
|
47
|
+
)
|
|
48
|
+
})
|
|
49
|
+
|
|
50
|
+
test('if email hostname is empty then show an unknown message', async () => {
|
|
51
|
+
const nonExistentEmailAddress = ''
|
|
52
|
+
const pkgData = {
|
|
53
|
+
packageName: {
|
|
54
|
+
'dist-tags': {
|
|
55
|
+
latest: '1.0.0'
|
|
56
|
+
},
|
|
57
|
+
versions: {
|
|
58
|
+
'1.0.0': {
|
|
59
|
+
maintainers: [
|
|
60
|
+
{ name: 'lirantal', email: 'liran.tal@gmail.com' },
|
|
61
|
+
{
|
|
62
|
+
name: 'lirantal_test_user',
|
|
63
|
+
email: nonExistentEmailAddress
|
|
64
|
+
}
|
|
65
|
+
]
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
await expect(testMarshall.validate(pkgData)).rejects.toThrow(
|
|
72
|
+
/Unable to resolve domain for maintainer e-mail, could be an expired account: <unknown>/
|
|
73
|
+
)
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
test('does not throw any errors if the domain resolves well', async () => {
|
|
77
|
+
jest.setTimeout(15000)
|
|
78
|
+
|
|
79
|
+
const pkgData = {
|
|
80
|
+
packageName: {
|
|
81
|
+
'dist-tags': {
|
|
82
|
+
latest: '1.0.0'
|
|
83
|
+
},
|
|
84
|
+
versions: {
|
|
85
|
+
'1.0.0': {
|
|
86
|
+
maintainers: [
|
|
87
|
+
{ name: 'lirantal', email: 'liran.tal@gmail.com' },
|
|
88
|
+
{
|
|
89
|
+
name: 'lirantal_test_user',
|
|
90
|
+
email: 'liran.tal@gmail.com'
|
|
91
|
+
}
|
|
92
|
+
]
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
await expect(testMarshall.validate(pkgData)).resolves.toEqual(expect.anything())
|
|
99
|
+
})
|
|
100
|
+
})
|
|
@@ -59,7 +59,7 @@ test('package manager spawns successfully when provided array of packages to han
|
|
|
59
59
|
childProcess.spawn.mockReset()
|
|
60
60
|
})
|
|
61
61
|
|
|
62
|
-
test(
|
|
62
|
+
test("package manager spawns successfully and ignore npq's own internal commands when spawning package manager", async () => {
|
|
63
63
|
process.argv = [
|
|
64
64
|
'node',
|
|
65
65
|
'script name',
|
package/bin/npq-hero.js
CHANGED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
'use strict'
|
|
2
|
+
|
|
3
|
+
const BaseMarshall = require('./baseMarshall')
|
|
4
|
+
const dns = require('dns').promises
|
|
5
|
+
|
|
6
|
+
const MARSHALL_NAME = 'maintainers_expired_emails'
|
|
7
|
+
|
|
8
|
+
class Marshall extends BaseMarshall {
|
|
9
|
+
constructor (options) {
|
|
10
|
+
super(options)
|
|
11
|
+
this.name = MARSHALL_NAME
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
title () {
|
|
15
|
+
return 'Detecting expired domains for authors account...'
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
validate (pkg) {
|
|
19
|
+
return this.packageRepoUtils
|
|
20
|
+
.getPackageInfo(pkg.packageName)
|
|
21
|
+
.then((data) => {
|
|
22
|
+
const lastVersionData =
|
|
23
|
+
data.versions && data['dist-tags'] && data.versions[data['dist-tags']['latest']]
|
|
24
|
+
|
|
25
|
+
let maintainersAccounts = lastVersionData && lastVersionData.maintainers
|
|
26
|
+
|
|
27
|
+
let testEmails = []
|
|
28
|
+
for (const maintainerInfo of maintainersAccounts) {
|
|
29
|
+
const maintainerEmail = maintainerInfo.email
|
|
30
|
+
const emailDomain = maintainerEmail.split('@')[1]
|
|
31
|
+
testEmails.push(dns.resolve(emailDomain))
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
return Promise.all(testEmails)
|
|
35
|
+
})
|
|
36
|
+
.catch((error) => {
|
|
37
|
+
let emailHostname = error.hostname ? error.hostname : '<unknown>'
|
|
38
|
+
throw new Error(
|
|
39
|
+
'Unable to resolve domain for maintainer e-mail, could be an expired account: ' +
|
|
40
|
+
emailHostname
|
|
41
|
+
)
|
|
42
|
+
})
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
module.exports = Marshall
|
package/lib/marshalls/index.js
CHANGED
|
@@ -47,15 +47,15 @@ class Marshalls {
|
|
|
47
47
|
}
|
|
48
48
|
|
|
49
49
|
static tasks (options) {
|
|
50
|
-
return
|
|
51
|
-
.then(() =>
|
|
50
|
+
return Marshalls.warmUpPackagesCache(options)
|
|
51
|
+
.then(() => Marshalls.collectMarshalls())
|
|
52
52
|
.then((marshalls) => {
|
|
53
|
-
return
|
|
53
|
+
return Marshalls.buildMarshallTasks(marshalls, {
|
|
54
54
|
packageRepoUtils: options.packageRepoUtils
|
|
55
55
|
})
|
|
56
56
|
})
|
|
57
57
|
.then((tasks) => {
|
|
58
|
-
return
|
|
58
|
+
return Marshalls.runTasks(tasks, options)
|
|
59
59
|
})
|
|
60
60
|
}
|
|
61
61
|
|
package/lib/packageManager.js
CHANGED
|
@@ -5,12 +5,12 @@ const childProcess = require('child_process')
|
|
|
5
5
|
const DEFAULT_PKGMGR = 'npm'
|
|
6
6
|
|
|
7
7
|
class packageManager {
|
|
8
|
-
static process (
|
|
9
|
-
|
|
10
|
-
return
|
|
8
|
+
static process (packageManagerOption) {
|
|
9
|
+
const detectedPackageManager = packageManager.validatePackageManager(packageManagerOption)
|
|
10
|
+
return packageManager.spawnPackageManager(detectedPackageManager)
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
static spawnPackageManager (
|
|
13
|
+
static spawnPackageManager (packageManagerOption) {
|
|
14
14
|
let args = []
|
|
15
15
|
|
|
16
16
|
args = args.concat(process.argv.slice(2)).filter((item) => {
|
|
@@ -24,7 +24,7 @@ class packageManager {
|
|
|
24
24
|
}
|
|
25
25
|
})
|
|
26
26
|
|
|
27
|
-
const child = childProcess.spawn(
|
|
27
|
+
const child = childProcess.spawn(packageManagerOption, args, {
|
|
28
28
|
stdio: 'inherit',
|
|
29
29
|
shell: true
|
|
30
30
|
})
|
|
@@ -32,16 +32,16 @@ class packageManager {
|
|
|
32
32
|
return Promise.resolve(child)
|
|
33
33
|
}
|
|
34
34
|
|
|
35
|
-
static validatePackageManager (
|
|
36
|
-
if (!
|
|
37
|
-
|
|
35
|
+
static validatePackageManager (packageManagerOption) {
|
|
36
|
+
if (!packageManagerOption) {
|
|
37
|
+
packageManagerOption = packageManager.getDefaultPackageManager()
|
|
38
38
|
}
|
|
39
39
|
|
|
40
|
-
if (typeof
|
|
40
|
+
if (typeof packageManagerOption !== 'string') {
|
|
41
41
|
throw new Error('a packageManager should be specified as a string')
|
|
42
42
|
}
|
|
43
43
|
|
|
44
|
-
return
|
|
44
|
+
return packageManagerOption
|
|
45
45
|
}
|
|
46
46
|
|
|
47
47
|
static getDefaultPackageManager () {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.3.1",
|
|
4
4
|
"description": "marshall your npm/yarn package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
@@ -30,6 +30,10 @@
|
|
|
30
30
|
"type": "git",
|
|
31
31
|
"url": "git+https://github.com/lirantal/npq.git"
|
|
32
32
|
},
|
|
33
|
+
"publishConfig": {
|
|
34
|
+
"provenance": true,
|
|
35
|
+
"access": "public"
|
|
36
|
+
},
|
|
33
37
|
"devDependencies": {
|
|
34
38
|
"@babel/core": "^7.7.4",
|
|
35
39
|
"@babel/plugin-transform-runtime": "^7.7.4",
|
|
@@ -52,7 +56,7 @@
|
|
|
52
56
|
"lockfile-lint": "^2.0.1",
|
|
53
57
|
"opn-cli": "^4.0.0",
|
|
54
58
|
"prettier": "^2.8.3",
|
|
55
|
-
"semantic-release": "
|
|
59
|
+
"semantic-release": "21.0.2",
|
|
56
60
|
"standard": "^12.0.0"
|
|
57
61
|
},
|
|
58
62
|
"jest": {
|
|
@@ -152,14 +156,14 @@
|
|
|
152
156
|
"node/no-unsupported-features/node-builtins": [
|
|
153
157
|
"error",
|
|
154
158
|
{
|
|
155
|
-
"version": ">=10.
|
|
159
|
+
"version": ">=10.6.0",
|
|
156
160
|
"ignores": []
|
|
157
161
|
}
|
|
158
162
|
],
|
|
159
163
|
"node/no-unsupported-features/es-syntax": [
|
|
160
164
|
"error",
|
|
161
165
|
{
|
|
162
|
-
"version": ">=10.
|
|
166
|
+
"version": ">=10.6.0",
|
|
163
167
|
"ignores": []
|
|
164
168
|
}
|
|
165
169
|
]
|
|
@@ -183,17 +187,19 @@
|
|
|
183
187
|
"dependencies": {
|
|
184
188
|
"chalk": "^2.3.0",
|
|
185
189
|
"glob": "^8.0.3",
|
|
186
|
-
"inquirer": "^
|
|
190
|
+
"inquirer": "^8.0.0",
|
|
187
191
|
"listr": "^0.14.0",
|
|
188
192
|
"node-fetch": "^2.6.7",
|
|
189
193
|
"npm-package-arg": "^10.1.0",
|
|
190
194
|
"semver": "^7.3.8",
|
|
191
195
|
"update-notifier": "^5",
|
|
192
|
-
"validator": "
|
|
196
|
+
"validator": "13.7.0",
|
|
193
197
|
"yargs": "^17.6.2"
|
|
194
198
|
},
|
|
195
199
|
"release": {
|
|
196
|
-
"
|
|
200
|
+
"branches": [
|
|
201
|
+
"main"
|
|
202
|
+
],
|
|
197
203
|
"analyzeCommits": {
|
|
198
204
|
"preset": "angular",
|
|
199
205
|
"releaseRules": [
|