npq 2.2.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,17 @@
1
+ queue_rules:
2
+ - name: Snyk PRs Queue
3
+ conditions:
4
+ - "check-success ~= .*"
5
+
6
+ pull_request_rules:
7
+ - name: Automatic merge Snyk PRs on Status Checks passing
8
+ conditions:
9
+ - title~=^\[Snyk\]
10
+ - head~=^snyk-fix
11
+ - base=main
12
+ actions:
13
+ queue:
14
+ name: "Snyk PRs Queue"
15
+ label:
16
+ add:
17
+ - "auto-merge"
@@ -7,7 +7,7 @@ jobs:
7
7
  strategy:
8
8
  matrix:
9
9
  platform: [ubuntu-latest]
10
- node: ['12', '14']
10
+ node: ['12', '14', '16', '18']
11
11
  name: Node ${{ matrix.node }} (${{ matrix.platform }})
12
12
  runs-on: ${{ matrix.platform }}
13
13
  steps:
@@ -37,13 +37,18 @@ jobs:
37
37
  release:
38
38
  name: do semantic release
39
39
  runs-on: 'ubuntu-latest'
40
+ permissions:
41
+ contents: write # to be able to publish a GitHub release
42
+ issues: write # to be able to comment on released issues
43
+ pull-requests: write # to be able to comment on released pull requests
44
+ id-token: write # to enable use of OIDC for npm provenance
40
45
  needs: build
41
- if: github.event_name == 'push' && github.ref == 'refs/heads/master'
46
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
42
47
  steps:
43
48
  - uses: actions/checkout@v2
44
49
  - uses: actions/setup-node@v2
45
50
  with:
46
- node-version: '14'
51
+ node-version: '18'
47
52
  - name: install dependencies
48
53
  run: yarn install --frozen-lockfile --ignore-engines --ignore-scripts
49
54
  - name: release
package/README.md CHANGED
@@ -1,13 +1,13 @@
1
1
  <p align="center">
2
2
  <br>
3
- <img width="200" src="https://github.com/lirantal/npq/raw/master/.github/Logo%20Horizontal.png">
3
+ <img width="200" src="https://github.com/lirantal/npq/raw/main/.github/Logo%20Horizontal.png">
4
4
  <br>
5
5
  safely* install packages with npm/yarn by auditing them as part of your install process
6
6
  </p>
7
7
 
8
8
  [![npm](https://img.shields.io/npm/v/npq.svg)](https://www.npmjs.com/package/npq)
9
9
  [![npm](https://img.shields.io/npm/l/npq.svg)](https://www.npmjs.com/package/npq)
10
- [![codecov](https://codecov.io/gh/lirantal/npq/branch/master/graph/badge.svg)](https://codecov.io/gh/lirantal/npq)
10
+ [![codecov](https://codecov.io/gh/lirantal/npq/branch/main/graph/badge.svg)](https://codecov.io/gh/lirantal/npq)
11
11
  [![Build Status](https://github.com/lirantal/npq/workflows/unit-tests/badge.svg)](https://github.com/lirantal/npq/workflows/unit-tests)
12
12
  [![Known Vulnerabilities](https://snyk.io/test/github/lirantal/npq/badge.svg)](https://snyk.io/test/github/lirantal/npq)
13
13
  [![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](./SECURITY.md)
@@ -15,7 +15,7 @@
15
15
 
16
16
  [![npq](https://snyk.io/advisor/npm-package/npq/badge.svg)](https://snyk.io/advisor/npm-package/npq)
17
17
 
18
- ![npq-demo-3-final](https://github.com/lirantal/npq/blob/master/.github/npq-demo.gif?raw=true)
18
+ ![npq-demo-3-final](https://github.com/lirantal/npq/blob/main/.github/npq-demo.gif?raw=true)
19
19
 
20
20
 
21
21
  Media coverage about npq:
@@ -96,14 +96,15 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
96
96
  | readme | Will show a warning if a package has no README or it has been detected as a security placeholder package by npm staff
97
97
  | repo | Will show a warning if a package has been found without a valid and working repository URL | Checks the latest version for a repository URL
98
98
  | scripts | Will show a warning if a package has a pre/post install script which could potentially be malicious
99
- | snyk | Will show a warning if a package has been found with vulnerabilities in snyk's database | For snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
99
+ | snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
100
100
  | license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
101
+ | expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
101
102
 
102
103
  ### Disabling Marshalls
103
104
 
104
105
  To disable a marshall altogether, set an environment variable using with the marshall's shortname.
105
106
 
106
- Example, to disable snyk:
107
+ Example, to disable the Snyk vulnerability marshall:
107
108
 
108
109
  ```
109
110
  MARSHALL_DISABLE_SNYK=1 npq install express
@@ -134,14 +135,14 @@ script:
134
135
  * NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
135
136
  2. **How is NPQ different from npm audit?**
136
137
  * `npm install` will install a module even if it has vulnerabilities; NPQ will display the issues detected, and prompt the user for confirmation on whether to proceed installing it.
137
- * NPQ will run synthethic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
138
- * `npm audit` is closer in functionality to what snyk does, rather than what NPQ does.
139
- 3. **Do I require a snyk API key in order to use NPQ?**
140
- * It's not required. If NPQ is unable to detect a snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use snyk, and connect it with NPQ for broader security.
138
+ * NPQ will run synthetic checks, called [marshalls](https://github.com/lirantal/npq#marshalls), on the characteristics of a module, such as whether the module you are going to install has a `pre-install` script which can be potentially harmful for your system and prompt you whether to install it. Whereas `npm audit` will not perform any such checks, and only consults a vulnerability database for known security issues.
139
+ * `npm audit` is closer in functionality to what Snyk does, rather than what NPQ does.
140
+ 3. **Do I require a Snyk API key in order to use NPQ?**
141
+ * It's not required. If NPQ is unable to detect a Snyk API key for the user running NPQ, then it will skip the database vulnerabilities check. We do, however, greatly encourage you to use Snyk, and connect it with NPQ for broader security.
141
142
 
142
143
  ## Contributing
143
144
 
144
- Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/master/CONTRIBUTING.md) for guidelines on contributing to this project
145
+ Please consult the [CONTRIBUTING](https://github.com/lirantal/npq/blob/main/CONTRIBUTING.md) for guidelines on contributing to this project
145
146
 
146
147
  ## Author
147
148
  Liran Tal <liran.tal@gmail.com>
@@ -5,16 +5,16 @@ const BaseMarshall = require('../../lib/marshalls/baseMarshall')
5
5
  const MARSHALL_NAME = 'test.marshall'
6
6
 
7
7
  class TestMarshall extends BaseMarshall {
8
- constructor (options) {
8
+ constructor(options) {
9
9
  super(options)
10
10
  this.name = MARSHALL_NAME
11
11
  }
12
12
 
13
- title () {
13
+ title() {
14
14
  return 'A test marshall'
15
15
  }
16
16
 
17
- run (ctx, task) {
17
+ run(ctx, task) {
18
18
  const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
19
19
  return prevPkg.concat(this.mockCheck(currPkg, ctx, task))
20
20
  }, [])
@@ -22,7 +22,7 @@ class TestMarshall extends BaseMarshall {
22
22
  return Promise.all(tasks)
23
23
  }
24
24
 
25
- mockCheck (pkg, ctx, task) {
25
+ mockCheck(pkg, ctx, task) {
26
26
  return this.validateSomething(pkg)
27
27
  .then(() => {
28
28
  const data = 'mock data check'
@@ -39,7 +39,7 @@ class TestMarshall extends BaseMarshall {
39
39
  })
40
40
  }
41
41
 
42
- validateSomething (pkg) {
42
+ validateSomething(pkg) {
43
43
  if (pkg === 'express' || pkg === 'semver') {
44
44
  return Promise.resolve()
45
45
  } else {
@@ -47,7 +47,7 @@ class TestMarshall extends BaseMarshall {
47
47
  }
48
48
  }
49
49
 
50
- validate (pkg) {
50
+ validate(pkg) {
51
51
  if (pkg === 'express' || pkg === 'semver') {
52
52
  return Promise.resolve('validation-result')
53
53
  } else {
@@ -27,7 +27,7 @@ test('checkPackage returns validation data if it was a success', async () => {
27
27
  expect(result).toEqual('validation-result')
28
28
  })
29
29
 
30
- test('checkPackage sets the error property if the validaiton failed', async () => {
30
+ test('checkPackage sets the error property if the validation failed', async () => {
31
31
  const testMarshall = new TestMarshall({
32
32
  packageRepoUtils: null
33
33
  })
@@ -0,0 +1,100 @@
1
+ const ExpiredDomainsMarshall = require('../lib/marshalls/expiredDomains.marshall')
2
+
3
+ const testMarshall = new ExpiredDomainsMarshall({
4
+ packageRepoUtils: {
5
+ getPackageInfo: (pkgInfo) => {
6
+ return new Promise((resolve) => {
7
+ resolve(pkgInfo)
8
+ })
9
+ }
10
+ }
11
+ })
12
+
13
+ describe('Expired domains test suites', () => {
14
+ beforeEach(() => {
15
+ jest.clearAllMocks()
16
+ jest.resetAllMocks()
17
+ })
18
+
19
+ test('has the right title', async () => {
20
+ expect(testMarshall.title()).toEqual('Detecting expired domains for authors account...')
21
+ })
22
+
23
+ test('throws the right error when an email domain cant be verified', async () => {
24
+ const nonExistentEmailAddress =
25
+ 'liran.tal+test1234@somenonexistentdomainongoogle109dubv98g39ujasdasda.com'
26
+ const pkgData = {
27
+ packageName: {
28
+ 'dist-tags': {
29
+ latest: '1.0.0'
30
+ },
31
+ versions: {
32
+ '1.0.0': {
33
+ maintainers: [
34
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
35
+ {
36
+ name: 'lirantal_test_user',
37
+ email: nonExistentEmailAddress
38
+ }
39
+ ]
40
+ }
41
+ }
42
+ }
43
+ }
44
+
45
+ await expect(testMarshall.validate(pkgData)).rejects.toThrow(
46
+ /Unable to resolve domain for maintainer e-mail, could be an expired account/
47
+ )
48
+ })
49
+
50
+ test('if email hostname is empty then show an unknown message', async () => {
51
+ const nonExistentEmailAddress = ''
52
+ const pkgData = {
53
+ packageName: {
54
+ 'dist-tags': {
55
+ latest: '1.0.0'
56
+ },
57
+ versions: {
58
+ '1.0.0': {
59
+ maintainers: [
60
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
61
+ {
62
+ name: 'lirantal_test_user',
63
+ email: nonExistentEmailAddress
64
+ }
65
+ ]
66
+ }
67
+ }
68
+ }
69
+ }
70
+
71
+ await expect(testMarshall.validate(pkgData)).rejects.toThrow(
72
+ /Unable to resolve domain for maintainer e-mail, could be an expired account: <unknown>/
73
+ )
74
+ })
75
+
76
+ test('does not throw any errors if the domain resolves well', async () => {
77
+ jest.setTimeout(15000)
78
+
79
+ const pkgData = {
80
+ packageName: {
81
+ 'dist-tags': {
82
+ latest: '1.0.0'
83
+ },
84
+ versions: {
85
+ '1.0.0': {
86
+ maintainers: [
87
+ { name: 'lirantal', email: 'liran.tal@gmail.com' },
88
+ {
89
+ name: 'lirantal_test_user',
90
+ email: 'liran.tal@gmail.com'
91
+ }
92
+ ]
93
+ }
94
+ }
95
+ }
96
+ }
97
+
98
+ await expect(testMarshall.validate(pkgData)).resolves.toEqual(expect.anything())
99
+ })
100
+ })
@@ -2,7 +2,7 @@ const path = require('path')
2
2
  const marshalls = require('../lib/marshalls')
3
3
 
4
4
  const PackageRepoUtilsMock = class Fake {
5
- getPackageInfo () {
5
+ getPackageInfo() {
6
6
  return Promise.resolve(true)
7
7
  }
8
8
  }
@@ -59,7 +59,7 @@ test('package manager spawns successfully when provided array of packages to han
59
59
  childProcess.spawn.mockReset()
60
60
  })
61
61
 
62
- test('package manager spawns successfully and ignore npqs own internal commands when spawning package manager', async () => {
62
+ test("package manager spawns successfully and ignore npq's own internal commands when spawning package manager", async () => {
63
63
  process.argv = [
64
64
  'node',
65
65
  'script name',
package/bin/npq-hero.js CHANGED
@@ -43,7 +43,7 @@ marshall
43
43
  })
44
44
  .then((status) => {
45
45
  if (status && status.hasOwnProperty('install') && status.install === true) {
46
- pkgMgr.process(PACKAGE_MANAGER_TOOL, cli.package)
46
+ pkgMgr.process(PACKAGE_MANAGER_TOOL)
47
47
  }
48
48
  })
49
49
  .catch((error) => {
package/lib/cliCommons.js CHANGED
@@ -1,6 +1,6 @@
1
1
  const npa = require('npm-package-arg')
2
2
  class cliCommons {
3
- static getInstallCommand () {
3
+ static getInstallCommand() {
4
4
  return {
5
5
  command: 'install [package...]',
6
6
  aliases: [
@@ -31,7 +31,7 @@ class cliCommons {
31
31
  }
32
32
  }
33
33
 
34
- static getOptions () {
34
+ static getOptions() {
35
35
  return {
36
36
  P: {
37
37
  alias: ['save-prod', 'peer'],
@@ -6,17 +6,17 @@ const NPM_REGISTRY = 'http://registry.npmjs.org'
6
6
  const NPM_REGISTRY_API = 'https://api.npmjs.org'
7
7
 
8
8
  class PackageRepoUtils {
9
- constructor (options = {}) {
9
+ constructor(options = {}) {
10
10
  this.registryUrl = options.registryUrl ? options.registryUrl : NPM_REGISTRY
11
11
  this.registryApiUrl = options.registryApiUrl ? options.registryApiUrl : NPM_REGISTRY_API
12
12
  this.pkgInfoCache = {}
13
13
  }
14
14
 
15
- formatPackageForUrl (pkg) {
16
- return pkg.replace('/', '%2F')
15
+ formatPackageForUrl(pkg) {
16
+ return pkg.replace(/\//g, '%2F')
17
17
  }
18
18
 
19
- getPackageInfo (pkg) {
19
+ getPackageInfo(pkg) {
20
20
  if (this.pkgInfoCache[pkg]) {
21
21
  return Promise.resolve(this.pkgInfoCache[pkg])
22
22
  } else {
@@ -29,27 +29,27 @@ class PackageRepoUtils {
29
29
  }
30
30
  }
31
31
 
32
- getLatestVersion (pkg) {
32
+ getLatestVersion(pkg) {
33
33
  return this.getPackageInfo(pkg).then((data) => {
34
34
  return data['dist-tags'] && data['dist-tags']['latest'] ? data['dist-tags']['latest'] : null
35
35
  })
36
36
  }
37
37
 
38
- getDownloadInfo (pkg) {
38
+ getDownloadInfo(pkg) {
39
39
  return fetch(`${this.registryApiUrl}/downloads/point/last-month/${pkg}`)
40
40
  .then((response) => response.json())
41
41
  .then(({ downloads }) => downloads)
42
42
  }
43
43
 
44
- getReadmeInfo (pkg) {
44
+ getReadmeInfo(pkg) {
45
45
  return this.getPackageInfo(pkg).then(({ readme }) => readme)
46
46
  }
47
47
 
48
- getLicenseInfo (pkg) {
48
+ getLicenseInfo(pkg) {
49
49
  return this.getPackageInfo(pkg).then(({ license }) => license)
50
50
  }
51
51
 
52
- parsePackageVersion (version) {
52
+ parsePackageVersion(version) {
53
53
  return semver.coerce(version)
54
54
  }
55
55
  }
package/lib/marshall.js CHANGED
@@ -12,12 +12,12 @@ const MESSAGE_TYPE = {
12
12
  }
13
13
 
14
14
  class Marshall {
15
- constructor (options = {}) {
15
+ constructor(options = {}) {
16
16
  this.pkgs = options ? options.pkgs : null
17
17
  this.packageRepoUtils = new PackageRepoUtils()
18
18
  }
19
19
 
20
- process () {
20
+ process() {
21
21
  // nothing to do? move on
22
22
  if (!this.pkgs) {
23
23
  return Promise.resolve()
@@ -37,7 +37,7 @@ class Marshall {
37
37
  })
38
38
  }
39
39
 
40
- createPackageVersionMaps (packages) {
40
+ createPackageVersionMaps(packages) {
41
41
  const packageVersionMapping = packages.reduce((prev, curr) => {
42
42
  const versionSymbolPosition = curr.lastIndexOf('@')
43
43
  const versionPosition =
@@ -57,7 +57,7 @@ class Marshall {
57
57
  return packageVersionMapping
58
58
  }
59
59
 
60
- report (marshalls) {
60
+ report(marshalls) {
61
61
  const messages = this.collectPackageMessages(marshalls)
62
62
 
63
63
  if (!messages) {
@@ -81,7 +81,7 @@ class Marshall {
81
81
  return { error: true, data: messages }
82
82
  }
83
83
 
84
- collectPackageMessages (marshalls) {
84
+ collectPackageMessages(marshalls) {
85
85
  const allPackageMessages = {}
86
86
  for (const key in marshalls) {
87
87
  this.prepareMessages(allPackageMessages, marshalls[key].errors)
@@ -91,7 +91,7 @@ class Marshall {
91
91
  return allPackageMessages
92
92
  }
93
93
 
94
- prepareMessages (allPackageMessages, messages, isWarning) {
94
+ prepareMessages(allPackageMessages, messages, isWarning) {
95
95
  if (Array.isArray(messages) && messages.length > 0) {
96
96
  messages.forEach((msg) => {
97
97
  this.appendPackageMessage(allPackageMessages, msg.pkg, {
@@ -102,7 +102,7 @@ class Marshall {
102
102
  }
103
103
  }
104
104
 
105
- appendPackageMessage (packages, packageName, packageMessage) {
105
+ appendPackageMessage(packages, packageName, packageMessage) {
106
106
  packages[packageName]
107
107
  ? packages[packageName].push(packageMessage)
108
108
  : (packages[packageName] = [packageMessage])
@@ -6,16 +6,16 @@ const MARSHALL_NAME = 'age'
6
6
  const PACKAGE_AGE_THRESHOLD = 22 // specified in days
7
7
 
8
8
  class Marshall extends BaseMarshall {
9
- constructor (options) {
9
+ constructor(options) {
10
10
  super(options)
11
11
  this.name = MARSHALL_NAME
12
12
  }
13
13
 
14
- title () {
14
+ title() {
15
15
  return 'Checking package maturity'
16
16
  }
17
17
 
18
- validate (pkg) {
18
+ validate(pkg) {
19
19
  return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
20
20
  if (data && data.time && data.time.created) {
21
21
  const pkgCreatedDate = data.time.created
@@ -7,16 +7,16 @@ const Warning = require('../helpers/warning')
7
7
  const MARSHALL_NAME = 'author'
8
8
 
9
9
  class Marshall extends BaseMarshall {
10
- constructor (options) {
10
+ constructor(options) {
11
11
  super(options)
12
12
  this.name = MARSHALL_NAME
13
13
  }
14
14
 
15
- title () {
15
+ title() {
16
16
  return 'Identifying package author...'
17
17
  }
18
18
 
19
- validate (pkg) {
19
+ validate(pkg) {
20
20
  return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
21
21
  const lastVersionData =
22
22
  data.versions && data['dist-tags'] && data.versions[data['dist-tags']['latest']]
@@ -3,11 +3,11 @@
3
3
  const Warning = require('../helpers/warning')
4
4
 
5
5
  class BaseMarshall {
6
- constructor (options) {
6
+ constructor(options) {
7
7
  this.packageRepoUtils = options.packageRepoUtils
8
8
  }
9
9
 
10
- init (ctx, task) {
10
+ init(ctx, task) {
11
11
  this.ctx = ctx
12
12
  this.task = task
13
13
 
@@ -19,7 +19,7 @@ class BaseMarshall {
19
19
  }
20
20
  }
21
21
 
22
- run (ctx, task) {
22
+ run(ctx, task) {
23
23
  const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
24
24
  return prevPkg.concat(this.checkPackage(currPkg, ctx, task))
25
25
  }, [])
@@ -27,7 +27,7 @@ class BaseMarshall {
27
27
  return Promise.all(tasks)
28
28
  }
29
29
 
30
- checkPackage (pkg, ctx, task) {
30
+ checkPackage(pkg, ctx, task) {
31
31
  return this.validate(pkg)
32
32
  .then((data) => {
33
33
  task.output = `querying ${pkg.packageString}...`
@@ -37,30 +37,23 @@ class BaseMarshall {
37
37
  return data
38
38
  })
39
39
  .catch((err) => {
40
- if (err instanceof Warning) {
41
- this.setMessage(
42
- {
43
- pkg: pkg.packageString,
44
- message: err.message
45
- },
46
- true
47
- )
48
- } else {
49
- this.setMessage({
40
+ this.setMessage(
41
+ {
50
42
  pkg: pkg.packageString,
51
43
  message: err.message
52
- })
53
- }
44
+ },
45
+ Boolean(err instanceof Warning)
46
+ )
54
47
  })
55
48
  }
56
49
 
57
- isEnabled () {
50
+ isEnabled() {
58
51
  const isMarshallSilent = process.env[`MARSHALL_DISABLE_${this.name.toUpperCase()}`] || false
59
52
 
60
53
  return !isMarshallSilent
61
54
  }
62
55
 
63
- setMessage (msg, isWarning) {
56
+ setMessage(msg, isWarning) {
64
57
  const messages = isWarning
65
58
  ? this.ctx.marshalls[this.name].warnings
66
59
  : this.ctx.marshalls[this.name].errors
@@ -71,7 +64,7 @@ class BaseMarshall {
71
64
  })
72
65
  }
73
66
 
74
- handleMessages () {
67
+ handleMessages() {
75
68
  const errors = this.ctx.marshalls[this.name].errors
76
69
  const warnings = this.ctx.marshalls[this.name].warnings
77
70
  if ((errors && errors.length) || (warnings && warnings.length)) {
@@ -6,16 +6,16 @@ const MARSHALL_NAME = 'downloads'
6
6
  const DOWNLOAD_COUNT_THRESHOLD = 20 // threshold per month
7
7
 
8
8
  class Marshall extends BaseMarshall {
9
- constructor (options) {
9
+ constructor(options) {
10
10
  super(options)
11
11
  this.name = MARSHALL_NAME
12
12
  }
13
13
 
14
- title () {
14
+ title() {
15
15
  return 'Checking package download popularity'
16
16
  }
17
17
 
18
- validate (pkg) {
18
+ validate(pkg) {
19
19
  return this.packageRepoUtils.getDownloadInfo(pkg.packageName).then((downloadCount) => {
20
20
  if (downloadCount < DOWNLOAD_COUNT_THRESHOLD) {
21
21
  throw new Error(
@@ -0,0 +1,46 @@
1
+ 'use strict'
2
+
3
+ const BaseMarshall = require('./baseMarshall')
4
+ const dns = require('dns').promises
5
+
6
+ const MARSHALL_NAME = 'maintainers_expired_emails'
7
+
8
+ class Marshall extends BaseMarshall {
9
+ constructor(options) {
10
+ super(options)
11
+ this.name = MARSHALL_NAME
12
+ }
13
+
14
+ title() {
15
+ return 'Detecting expired domains for authors account...'
16
+ }
17
+
18
+ validate(pkg) {
19
+ return this.packageRepoUtils
20
+ .getPackageInfo(pkg.packageName)
21
+ .then((data) => {
22
+ const lastVersionData =
23
+ data.versions && data['dist-tags'] && data.versions[data['dist-tags']['latest']]
24
+
25
+ let maintainersAccounts = lastVersionData && lastVersionData.maintainers
26
+
27
+ let testEmails = []
28
+ for (const maintainerInfo of maintainersAccounts) {
29
+ const maintainerEmail = maintainerInfo.email
30
+ const emailDomain = maintainerEmail.split('@')[1]
31
+ testEmails.push(dns.resolve(emailDomain))
32
+ }
33
+
34
+ return Promise.all(testEmails)
35
+ })
36
+ .catch((error) => {
37
+ let emailHostname = error.hostname ? error.hostname : '<unknown>'
38
+ throw new Error(
39
+ 'Unable to resolve domain for maintainer e-mail, could be an expired account: ' +
40
+ emailHostname
41
+ )
42
+ })
43
+ }
44
+ }
45
+
46
+ module.exports = Marshall
@@ -4,7 +4,7 @@ const Listr = require('listr')
4
4
  const glob = require('glob')
5
5
 
6
6
  class Marshalls {
7
- static collectMarshalls () {
7
+ static collectMarshalls() {
8
8
  return new Promise((resolve, reject) => {
9
9
  glob(
10
10
  this.GLOB_MARSHALLS,
@@ -23,7 +23,7 @@ class Marshalls {
23
23
  })
24
24
  }
25
25
 
26
- static buildMarshallTasks (marshalls, config) {
26
+ static buildMarshallTasks(marshalls, config) {
27
27
  if (!marshalls || !Array.isArray(marshalls) || marshalls.length === 0) {
28
28
  return Promise.reject(new Error('unable to collect marshalls, or no marshalls found'))
29
29
  }
@@ -46,20 +46,20 @@ class Marshalls {
46
46
  return new Listr(marshallTasks, { exitOnError: false, concurrent: true })
47
47
  }
48
48
 
49
- static tasks (options) {
50
- return this.warmUpPackagesCache(options)
51
- .then(() => this.collectMarshalls())
49
+ static tasks(options) {
50
+ return Marshalls.warmUpPackagesCache(options)
51
+ .then(() => Marshalls.collectMarshalls())
52
52
  .then((marshalls) => {
53
- return this.buildMarshallTasks(marshalls, {
53
+ return Marshalls.buildMarshallTasks(marshalls, {
54
54
  packageRepoUtils: options.packageRepoUtils
55
55
  })
56
56
  })
57
57
  .then((tasks) => {
58
- return this.runTasks(tasks, options)
58
+ return Marshalls.runTasks(tasks, options)
59
59
  })
60
60
  }
61
61
 
62
- static warmUpPackagesCache (options) {
62
+ static warmUpPackagesCache(options) {
63
63
  const fetchPackagesInfoPromises = []
64
64
  options.pkgs.forEach((packageMeta) => {
65
65
  fetchPackagesInfoPromises.push(
@@ -70,7 +70,7 @@ class Marshalls {
70
70
  return Promise.all(fetchPackagesInfoPromises)
71
71
  }
72
72
 
73
- static runTasks (tasks, options) {
73
+ static runTasks(tasks, options) {
74
74
  return tasks.run({
75
75
  pkgs: options.pkgs,
76
76
  marshalls: {}
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
5
5
  const MARSHALL_NAME = 'license'
6
6
 
7
7
  class Marshall extends BaseMarshall {
8
- constructor (options) {
8
+ constructor(options) {
9
9
  super(options)
10
10
  this.name = MARSHALL_NAME
11
11
  }
12
12
 
13
- title () {
13
+ title() {
14
14
  return 'Checking availability of a LICENSE'
15
15
  }
16
16
 
17
- validate (pkg) {
17
+ validate(pkg) {
18
18
  return this.packageRepoUtils.getLicenseInfo(pkg.packageName).then((licenseContents) => {
19
19
  if (!licenseContents || licenseContents === 'ERROR: No LICENSE data found!') {
20
20
  throw new Error('package has no LICENSE file available')
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
5
5
  const MARSHALL_NAME = 'readme'
6
6
 
7
7
  class Marshall extends BaseMarshall {
8
- constructor (options) {
8
+ constructor(options) {
9
9
  super(options)
10
10
  this.name = MARSHALL_NAME
11
11
  }
12
12
 
13
- title () {
13
+ title() {
14
14
  return 'Checking availability of a README'
15
15
  }
16
16
 
17
- validate (pkg) {
17
+ validate(pkg) {
18
18
  return this.packageRepoUtils.getReadmeInfo(pkg.packageName).then((readmeContents) => {
19
19
  if (!readmeContents || readmeContents === 'ERROR: No README data found!') {
20
20
  throw new Error('package has no README file available')
@@ -6,16 +6,16 @@ const URL = require('url').URL
6
6
  const MARSHALL_NAME = 'repo'
7
7
 
8
8
  class Marshall extends BaseMarshall {
9
- constructor (options) {
9
+ constructor(options) {
10
10
  super(options)
11
11
  this.name = MARSHALL_NAME
12
12
  }
13
13
 
14
- title () {
14
+ title() {
15
15
  return 'Identifying package repository...'
16
16
  }
17
17
 
18
- validate (pkg) {
18
+ validate(pkg) {
19
19
  return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
20
20
  const lastVersionData =
21
21
  (data.versions &&
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
5
5
  const MARSHALL_NAME = 'scripts'
6
6
 
7
7
  class Marshall extends BaseMarshall {
8
- constructor (options) {
8
+ constructor(options) {
9
9
  super(options)
10
10
  this.name = MARSHALL_NAME
11
11
  }
12
12
 
13
- title () {
13
+ title() {
14
14
  return 'Checking package for pre/post install scripts'
15
15
  }
16
16
 
17
- validate (pkg) {
17
+ validate(pkg) {
18
18
  return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
19
19
  const packageVersion =
20
20
  pkg.packageVersion === 'latest'
@@ -0,0 +1,62 @@
1
+ 'use strict'
2
+
3
+ const BaseMarshall = require('./baseMarshall')
4
+ const pacote = require('pacote')
5
+
6
+ const MARSHALL_NAME = 'signatures'
7
+
8
+ class Marshall extends BaseMarshall {
9
+ constructor(options) {
10
+ super(options)
11
+ this.name = MARSHALL_NAME
12
+ }
13
+
14
+ title() {
15
+ return 'Verifying registry signatures for package'
16
+ }
17
+
18
+ validate(pkg) {
19
+ // @TODO currently we're hardcoding the official npm registry
20
+ // this should however allow for local proxies and other registries
21
+ return this.fetchRegistryKeys()
22
+ .then((keys) => {
23
+ return pacote.manifest(`${pkg.packageName}@${pkg.packageVersion}`, {
24
+ verifySignatures: true,
25
+ registry: 'https://registry.npmjs.org',
26
+
27
+ [`//registry.npmjs.org/:_keys`]: keys
28
+ })
29
+ })
30
+ .then((metadata) => {
31
+ return metadata
32
+ })
33
+ }
34
+
35
+ fetchRegistryKeys() {
36
+ const registryHost = 'https://registry.npmjs.org'
37
+ const registryKeysEndpoint = '/-/npm/v1/keys'
38
+
39
+ const registryKeysUrl = `${registryHost}${registryKeysEndpoint}`
40
+ // eslint-disable-next-line no-undef
41
+ return fetch(registryKeysUrl)
42
+ .then((response) => {
43
+ return response.json()
44
+ })
45
+ .then((response) => {
46
+ const registryKeys = response.keys
47
+
48
+ return registryKeys.map((key) => ({
49
+ ...key,
50
+ pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`
51
+ }))
52
+ })
53
+ .then((keys) => {
54
+ return keys
55
+ })
56
+ .catch((error) => {
57
+ throw new Error(`error fetching registry keys: ${error.message}`)
58
+ })
59
+ }
60
+ }
61
+
62
+ module.exports = Marshall
@@ -14,18 +14,18 @@ const SNYK_API_TOKEN = process.env.SNYK_TOKEN
14
14
  const SNYK_CONFIG_FILE = '.config/configstore/snyk.json'
15
15
 
16
16
  class Marshall extends BaseMarshall {
17
- constructor (options) {
17
+ constructor(options) {
18
18
  super(options)
19
19
  this.name = MARSHALL_NAME
20
20
 
21
21
  this.snykApiToken = this.getSnykToken()
22
22
  }
23
23
 
24
- title () {
24
+ title() {
25
25
  return 'Checking for known vulnerabilities'
26
26
  }
27
27
 
28
- run (ctx, task) {
28
+ run(ctx, task) {
29
29
  const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
30
30
  return prevPkg.concat(this.checkPackage(currPkg, ctx, task))
31
31
  }, [])
@@ -33,7 +33,7 @@ class Marshall extends BaseMarshall {
33
33
  return Promise.all(tasks)
34
34
  }
35
35
 
36
- validate (pkg) {
36
+ validate(pkg) {
37
37
  return Promise.resolve()
38
38
  .then(() => {
39
39
  if (!pkg.packageVersion || pkg.packageVersion === 'latest') {
@@ -60,7 +60,7 @@ class Marshall extends BaseMarshall {
60
60
  })
61
61
  }
62
62
 
63
- getSnykVulnInfoUnauthenticated ({ packageName, packageVersion }) {
63
+ getSnykVulnInfoUnauthenticated({ packageName, packageVersion }) {
64
64
  const url = encodeURI(`${SNYK_TEST_URL}/${packageName}/${packageVersion}?type=json`)
65
65
 
66
66
  return fetch(url)
@@ -77,7 +77,7 @@ class Marshall extends BaseMarshall {
77
77
  .catch(() => false)
78
78
  }
79
79
 
80
- getSnykVulnInfo ({ packageName, packageVersion } = {}) {
80
+ getSnykVulnInfo({ packageName, packageVersion } = {}) {
81
81
  if (!this.snykApiToken) {
82
82
  return this.getSnykVulnInfoUnauthenticated({ packageName, packageVersion })
83
83
  }
@@ -102,7 +102,7 @@ class Marshall extends BaseMarshall {
102
102
  .catch(() => false)
103
103
  }
104
104
 
105
- getSnykToken () {
105
+ getSnykToken() {
106
106
  if (SNYK_API_TOKEN) {
107
107
  return SNYK_API_TOKEN
108
108
  }
@@ -5,12 +5,12 @@ const childProcess = require('child_process')
5
5
  const DEFAULT_PKGMGR = 'npm'
6
6
 
7
7
  class packageManager {
8
- static process (packageManager) {
9
- packageManager = this.validatePackageManager(packageManager)
10
- return this.spawnPackageManager(packageManager)
8
+ static process(packageManagerOption) {
9
+ const detectedPackageManager = packageManager.validatePackageManager(packageManagerOption)
10
+ return packageManager.spawnPackageManager(detectedPackageManager)
11
11
  }
12
12
 
13
- static spawnPackageManager (packageManager) {
13
+ static spawnPackageManager(packageManagerOption) {
14
14
  let args = []
15
15
 
16
16
  args = args.concat(process.argv.slice(2)).filter((item) => {
@@ -24,7 +24,7 @@ class packageManager {
24
24
  }
25
25
  })
26
26
 
27
- const child = childProcess.spawn(packageManager, args, {
27
+ const child = childProcess.spawn(packageManagerOption, args, {
28
28
  stdio: 'inherit',
29
29
  shell: true
30
30
  })
@@ -32,19 +32,19 @@ class packageManager {
32
32
  return Promise.resolve(child)
33
33
  }
34
34
 
35
- static validatePackageManager (packageManager) {
36
- if (!packageManager) {
37
- packageManager = this.getDefaultPackageManager()
35
+ static validatePackageManager(packageManagerOption) {
36
+ if (!packageManagerOption) {
37
+ packageManagerOption = packageManager.getDefaultPackageManager()
38
38
  }
39
39
 
40
- if (typeof packageManager !== 'string') {
40
+ if (typeof packageManagerOption !== 'string') {
41
41
  throw new Error('a packageManager should be specified as a string')
42
42
  }
43
43
 
44
- return packageManager
44
+ return packageManagerOption
45
45
  }
46
46
 
47
- static getDefaultPackageManager () {
47
+ static getDefaultPackageManager() {
48
48
  return DEFAULT_PKGMGR
49
49
  }
50
50
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "2.2.0",
3
+ "version": "2.4.0",
4
4
  "description": "marshall your npm/yarn package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",
@@ -30,6 +30,10 @@
30
30
  "type": "git",
31
31
  "url": "git+https://github.com/lirantal/npq.git"
32
32
  },
33
+ "publishConfig": {
34
+ "provenance": true,
35
+ "access": "public"
36
+ },
33
37
  "devDependencies": {
34
38
  "@babel/core": "^7.7.4",
35
39
  "@babel/plugin-transform-runtime": "^7.7.4",
@@ -52,7 +56,7 @@
52
56
  "lockfile-lint": "^2.0.1",
53
57
  "opn-cli": "^4.0.0",
54
58
  "prettier": "^2.8.3",
55
- "semantic-release": "^15.0.0",
59
+ "semantic-release": "21.0.2",
56
60
  "standard": "^12.0.0"
57
61
  },
58
62
  "jest": {
@@ -152,14 +156,14 @@
152
156
  "node/no-unsupported-features/node-builtins": [
153
157
  "error",
154
158
  {
155
- "version": ">=10.1.0",
159
+ "version": ">=10.6.0",
156
160
  "ignores": []
157
161
  }
158
162
  ],
159
163
  "node/no-unsupported-features/es-syntax": [
160
164
  "error",
161
165
  {
162
- "version": ">=10.1.0",
166
+ "version": ">=10.6.0",
163
167
  "ignores": []
164
168
  }
165
169
  ]
@@ -183,17 +187,20 @@
183
187
  "dependencies": {
184
188
  "chalk": "^2.3.0",
185
189
  "glob": "^8.0.3",
186
- "inquirer": "^7.3.3",
190
+ "inquirer": "^8.0.0",
187
191
  "listr": "^0.14.0",
188
192
  "node-fetch": "^2.6.7",
189
193
  "npm-package-arg": "^10.1.0",
194
+ "pacote": "^17.0.4",
190
195
  "semver": "^7.3.8",
191
196
  "update-notifier": "^5",
192
- "validator": "^13.6.0",
197
+ "validator": "13.7.0",
193
198
  "yargs": "^17.6.2"
194
199
  },
195
200
  "release": {
196
- "branch": "master",
201
+ "branches": [
202
+ "main"
203
+ ],
197
204
  "analyzeCommits": {
198
205
  "preset": "angular",
199
206
  "releaseRules": [