npq 2.4.0 → 2.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/main.yml +6 -6
- package/README.md +1 -0
- package/__tests__/__fixtures__/test.marshall.js +6 -6
- package/__tests__/marshalls.signatures.test.js +136 -0
- package/__tests__/marshalls.tasks.test.js +1 -1
- package/lib/cliCommons.js +2 -2
- package/lib/helpers/packageRepoUtils.js +8 -8
- package/lib/marshall.js +7 -7
- package/lib/marshalls/age.marshall.js +3 -3
- package/lib/marshalls/author.marshall.js +3 -3
- package/lib/marshalls/baseMarshall.js +7 -7
- package/lib/marshalls/downloads.marshall.js +3 -3
- package/lib/marshalls/expiredDomains.marshall.js +3 -3
- package/lib/marshalls/index.js +5 -5
- package/lib/marshalls/license.marshall.js +3 -3
- package/lib/marshalls/readme.marshall.js +3 -3
- package/lib/marshalls/repo.marshall.js +3 -3
- package/lib/marshalls/scripts.marshall.js +3 -3
- package/lib/marshalls/signatures.marshall.js +4 -4
- package/lib/marshalls/snyk.marshall.js +7 -7
- package/lib/packageManager.js +4 -4
- package/package.json +10 -12
|
@@ -7,7 +7,7 @@ jobs:
|
|
|
7
7
|
strategy:
|
|
8
8
|
matrix:
|
|
9
9
|
platform: [ubuntu-latest]
|
|
10
|
-
node: ['
|
|
10
|
+
node: ['18', '20']
|
|
11
11
|
name: Node ${{ matrix.node }} (${{ matrix.platform }})
|
|
12
12
|
runs-on: ${{ matrix.platform }}
|
|
13
13
|
steps:
|
|
@@ -16,13 +16,13 @@ jobs:
|
|
|
16
16
|
with:
|
|
17
17
|
node-version: ${{ matrix.node }}
|
|
18
18
|
- name: install dependencies
|
|
19
|
-
run:
|
|
19
|
+
run: npm ci --ignore-engines --ignore-scripts
|
|
20
20
|
- name: lint code
|
|
21
|
-
run:
|
|
21
|
+
run: npm run lint
|
|
22
22
|
env:
|
|
23
23
|
CI: true
|
|
24
24
|
- name: run tests
|
|
25
|
-
run:
|
|
25
|
+
run: npm run test
|
|
26
26
|
env:
|
|
27
27
|
CI: true
|
|
28
28
|
- name: coverage
|
|
@@ -50,9 +50,9 @@ jobs:
|
|
|
50
50
|
with:
|
|
51
51
|
node-version: '18'
|
|
52
52
|
- name: install dependencies
|
|
53
|
-
run:
|
|
53
|
+
run: npm ci --ignore-engines --ignore-scripts
|
|
54
54
|
- name: release
|
|
55
|
-
run:
|
|
55
|
+
run: npm run semantic-release
|
|
56
56
|
env:
|
|
57
57
|
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
|
58
58
|
NPM_TOKEN: ${{secrets.NPM_TOKEN}}
|
package/README.md
CHANGED
|
@@ -99,6 +99,7 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
99
99
|
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
|
|
100
100
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
101
101
|
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
|
|
102
|
+
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
|
|
102
103
|
|
|
103
104
|
### Disabling Marshalls
|
|
104
105
|
|
|
@@ -5,16 +5,16 @@ const BaseMarshall = require('../../lib/marshalls/baseMarshall')
|
|
|
5
5
|
const MARSHALL_NAME = 'test.marshall'
|
|
6
6
|
|
|
7
7
|
class TestMarshall extends BaseMarshall {
|
|
8
|
-
constructor(options) {
|
|
8
|
+
constructor (options) {
|
|
9
9
|
super(options)
|
|
10
10
|
this.name = MARSHALL_NAME
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
title() {
|
|
13
|
+
title () {
|
|
14
14
|
return 'A test marshall'
|
|
15
15
|
}
|
|
16
16
|
|
|
17
|
-
run(ctx, task) {
|
|
17
|
+
run (ctx, task) {
|
|
18
18
|
const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
|
|
19
19
|
return prevPkg.concat(this.mockCheck(currPkg, ctx, task))
|
|
20
20
|
}, [])
|
|
@@ -22,7 +22,7 @@ class TestMarshall extends BaseMarshall {
|
|
|
22
22
|
return Promise.all(tasks)
|
|
23
23
|
}
|
|
24
24
|
|
|
25
|
-
mockCheck(pkg, ctx, task) {
|
|
25
|
+
mockCheck (pkg, ctx, task) {
|
|
26
26
|
return this.validateSomething(pkg)
|
|
27
27
|
.then(() => {
|
|
28
28
|
const data = 'mock data check'
|
|
@@ -39,7 +39,7 @@ class TestMarshall extends BaseMarshall {
|
|
|
39
39
|
})
|
|
40
40
|
}
|
|
41
41
|
|
|
42
|
-
validateSomething(pkg) {
|
|
42
|
+
validateSomething (pkg) {
|
|
43
43
|
if (pkg === 'express' || pkg === 'semver') {
|
|
44
44
|
return Promise.resolve()
|
|
45
45
|
} else {
|
|
@@ -47,7 +47,7 @@ class TestMarshall extends BaseMarshall {
|
|
|
47
47
|
}
|
|
48
48
|
}
|
|
49
49
|
|
|
50
|
-
validate(pkg) {
|
|
50
|
+
validate (pkg) {
|
|
51
51
|
if (pkg === 'express' || pkg === 'semver') {
|
|
52
52
|
return Promise.resolve('validation-result')
|
|
53
53
|
} else {
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
jest.mock('pacote', () => {
|
|
2
|
+
return {
|
|
3
|
+
// manifest method should be a promise that resolves to a value:
|
|
4
|
+
manifest: jest.fn().mockResolvedValue({
|
|
5
|
+
name: 'packageName',
|
|
6
|
+
version: '1.0.0'
|
|
7
|
+
// Add other relevant properties
|
|
8
|
+
})
|
|
9
|
+
}
|
|
10
|
+
})
|
|
11
|
+
|
|
12
|
+
const SignaturesMarshall = require('../lib/marshalls/signatures.marshall')
|
|
13
|
+
const pacote = require('pacote')
|
|
14
|
+
|
|
15
|
+
describe('Signature test suites', () => {
|
|
16
|
+
beforeEach(() => {
|
|
17
|
+
jest.clearAllMocks()
|
|
18
|
+
jest.resetAllMocks()
|
|
19
|
+
})
|
|
20
|
+
|
|
21
|
+
test('has the right title', async () => {
|
|
22
|
+
const testMarshall = new SignaturesMarshall({
|
|
23
|
+
packageRepoUtils: {
|
|
24
|
+
getPackageInfo: (pkgInfo) => {
|
|
25
|
+
return new Promise((resolve) => {
|
|
26
|
+
resolve(pkgInfo)
|
|
27
|
+
})
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
})
|
|
31
|
+
|
|
32
|
+
expect(testMarshall.title()).toEqual('Verifying registry signatures for package')
|
|
33
|
+
})
|
|
34
|
+
|
|
35
|
+
test('should successfully validate a package with correct signature', async () => {
|
|
36
|
+
// Mock the response from fetch
|
|
37
|
+
const mockResponse = {
|
|
38
|
+
json: jest.fn().mockResolvedValue({
|
|
39
|
+
keys: [
|
|
40
|
+
{
|
|
41
|
+
key: 'publicKey1'
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
key: 'publicKey2'
|
|
45
|
+
}
|
|
46
|
+
]
|
|
47
|
+
})
|
|
48
|
+
}
|
|
49
|
+
global.fetch = jest.fn().mockResolvedValue(mockResponse)
|
|
50
|
+
|
|
51
|
+
const testMarshall = new SignaturesMarshall({
|
|
52
|
+
packageRepoUtils: {
|
|
53
|
+
getPackageInfo: (pkgInfo) => {
|
|
54
|
+
return new Promise((resolve) => {
|
|
55
|
+
resolve(pkgInfo)
|
|
56
|
+
})
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
})
|
|
60
|
+
|
|
61
|
+
// Call the validate method with a package object
|
|
62
|
+
const pkg = {
|
|
63
|
+
packageName: 'packageName',
|
|
64
|
+
packageVersion: '1.0.0'
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
// We assert that the validate method didn't throw an error,
|
|
68
|
+
// because the keys match the signature
|
|
69
|
+
await testMarshall.validate(pkg)
|
|
70
|
+
|
|
71
|
+
// Assert that the fetch method is called with the correct URL
|
|
72
|
+
// eslint-disable-next-line no-undef
|
|
73
|
+
expect(fetch).toHaveBeenCalledWith('https://registry.npmjs.org/-/npm/v1/keys')
|
|
74
|
+
|
|
75
|
+
// Assert that the pacote.manifest method is called with the correct arguments
|
|
76
|
+
expect(pacote.manifest).toHaveBeenCalledWith('packageName@1.0.0', {
|
|
77
|
+
verifySignatures: true,
|
|
78
|
+
registry: 'https://registry.npmjs.org',
|
|
79
|
+
'//registry.npmjs.org/:_keys': [
|
|
80
|
+
{
|
|
81
|
+
key: 'publicKey1',
|
|
82
|
+
pemkey: '-----BEGIN PUBLIC KEY-----\npublicKey1\n-----END PUBLIC KEY-----'
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
key: 'publicKey2',
|
|
86
|
+
pemkey: '-----BEGIN PUBLIC KEY-----\npublicKey2\n-----END PUBLIC KEY-----'
|
|
87
|
+
}
|
|
88
|
+
]
|
|
89
|
+
})
|
|
90
|
+
})
|
|
91
|
+
|
|
92
|
+
test('should throw an error if keys dont match and manifest() throws an error', async () => {
|
|
93
|
+
// Mock the response from fetch
|
|
94
|
+
const mockResponse = {
|
|
95
|
+
json: jest.fn().mockResolvedValue({
|
|
96
|
+
keys: [
|
|
97
|
+
{
|
|
98
|
+
key: 'publicKey1'
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
key: 'publicKey2'
|
|
102
|
+
}
|
|
103
|
+
]
|
|
104
|
+
})
|
|
105
|
+
}
|
|
106
|
+
global.fetch = jest.fn().mockResolvedValue(mockResponse)
|
|
107
|
+
|
|
108
|
+
// the manifest() method should throw an error
|
|
109
|
+
// in this jest mock to simulate a problem:
|
|
110
|
+
pacote.manifest = jest.fn().mockRejectedValue(new Error('mocked manifest error'))
|
|
111
|
+
|
|
112
|
+
const testMarshall = new SignaturesMarshall({
|
|
113
|
+
packageRepoUtils: {
|
|
114
|
+
getPackageInfo: (pkgInfo) => {
|
|
115
|
+
return new Promise((resolve) => {
|
|
116
|
+
resolve(pkgInfo)
|
|
117
|
+
})
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
})
|
|
121
|
+
|
|
122
|
+
// Call the validate method with a package object
|
|
123
|
+
const pkg = {
|
|
124
|
+
packageName: 'packageName',
|
|
125
|
+
packageVersion: '1.0.0'
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
// We assert that the validate method didn't throw an error,
|
|
129
|
+
// because the keys match the signature
|
|
130
|
+
await expect(testMarshall.validate(pkg)).rejects.toThrow('mocked manifest error')
|
|
131
|
+
|
|
132
|
+
// Assert that the fetch method is called with the correct URL
|
|
133
|
+
// eslint-disable-next-line no-undef
|
|
134
|
+
expect(fetch).toHaveBeenCalledWith('https://registry.npmjs.org/-/npm/v1/keys')
|
|
135
|
+
})
|
|
136
|
+
})
|
package/lib/cliCommons.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
const npa = require('npm-package-arg')
|
|
2
2
|
class cliCommons {
|
|
3
|
-
static getInstallCommand() {
|
|
3
|
+
static getInstallCommand () {
|
|
4
4
|
return {
|
|
5
5
|
command: 'install [package...]',
|
|
6
6
|
aliases: [
|
|
@@ -31,7 +31,7 @@ class cliCommons {
|
|
|
31
31
|
}
|
|
32
32
|
}
|
|
33
33
|
|
|
34
|
-
static getOptions() {
|
|
34
|
+
static getOptions () {
|
|
35
35
|
return {
|
|
36
36
|
P: {
|
|
37
37
|
alias: ['save-prod', 'peer'],
|
|
@@ -6,17 +6,17 @@ const NPM_REGISTRY = 'http://registry.npmjs.org'
|
|
|
6
6
|
const NPM_REGISTRY_API = 'https://api.npmjs.org'
|
|
7
7
|
|
|
8
8
|
class PackageRepoUtils {
|
|
9
|
-
constructor(options = {}) {
|
|
9
|
+
constructor (options = {}) {
|
|
10
10
|
this.registryUrl = options.registryUrl ? options.registryUrl : NPM_REGISTRY
|
|
11
11
|
this.registryApiUrl = options.registryApiUrl ? options.registryApiUrl : NPM_REGISTRY_API
|
|
12
12
|
this.pkgInfoCache = {}
|
|
13
13
|
}
|
|
14
14
|
|
|
15
|
-
formatPackageForUrl(pkg) {
|
|
15
|
+
formatPackageForUrl (pkg) {
|
|
16
16
|
return pkg.replace(/\//g, '%2F')
|
|
17
17
|
}
|
|
18
18
|
|
|
19
|
-
getPackageInfo(pkg) {
|
|
19
|
+
getPackageInfo (pkg) {
|
|
20
20
|
if (this.pkgInfoCache[pkg]) {
|
|
21
21
|
return Promise.resolve(this.pkgInfoCache[pkg])
|
|
22
22
|
} else {
|
|
@@ -29,27 +29,27 @@ class PackageRepoUtils {
|
|
|
29
29
|
}
|
|
30
30
|
}
|
|
31
31
|
|
|
32
|
-
getLatestVersion(pkg) {
|
|
32
|
+
getLatestVersion (pkg) {
|
|
33
33
|
return this.getPackageInfo(pkg).then((data) => {
|
|
34
34
|
return data['dist-tags'] && data['dist-tags']['latest'] ? data['dist-tags']['latest'] : null
|
|
35
35
|
})
|
|
36
36
|
}
|
|
37
37
|
|
|
38
|
-
getDownloadInfo(pkg) {
|
|
38
|
+
getDownloadInfo (pkg) {
|
|
39
39
|
return fetch(`${this.registryApiUrl}/downloads/point/last-month/${pkg}`)
|
|
40
40
|
.then((response) => response.json())
|
|
41
41
|
.then(({ downloads }) => downloads)
|
|
42
42
|
}
|
|
43
43
|
|
|
44
|
-
getReadmeInfo(pkg) {
|
|
44
|
+
getReadmeInfo (pkg) {
|
|
45
45
|
return this.getPackageInfo(pkg).then(({ readme }) => readme)
|
|
46
46
|
}
|
|
47
47
|
|
|
48
|
-
getLicenseInfo(pkg) {
|
|
48
|
+
getLicenseInfo (pkg) {
|
|
49
49
|
return this.getPackageInfo(pkg).then(({ license }) => license)
|
|
50
50
|
}
|
|
51
51
|
|
|
52
|
-
parsePackageVersion(version) {
|
|
52
|
+
parsePackageVersion (version) {
|
|
53
53
|
return semver.coerce(version)
|
|
54
54
|
}
|
|
55
55
|
}
|
package/lib/marshall.js
CHANGED
|
@@ -12,12 +12,12 @@ const MESSAGE_TYPE = {
|
|
|
12
12
|
}
|
|
13
13
|
|
|
14
14
|
class Marshall {
|
|
15
|
-
constructor(options = {}) {
|
|
15
|
+
constructor (options = {}) {
|
|
16
16
|
this.pkgs = options ? options.pkgs : null
|
|
17
17
|
this.packageRepoUtils = new PackageRepoUtils()
|
|
18
18
|
}
|
|
19
19
|
|
|
20
|
-
process() {
|
|
20
|
+
process () {
|
|
21
21
|
// nothing to do? move on
|
|
22
22
|
if (!this.pkgs) {
|
|
23
23
|
return Promise.resolve()
|
|
@@ -37,7 +37,7 @@ class Marshall {
|
|
|
37
37
|
})
|
|
38
38
|
}
|
|
39
39
|
|
|
40
|
-
createPackageVersionMaps(packages) {
|
|
40
|
+
createPackageVersionMaps (packages) {
|
|
41
41
|
const packageVersionMapping = packages.reduce((prev, curr) => {
|
|
42
42
|
const versionSymbolPosition = curr.lastIndexOf('@')
|
|
43
43
|
const versionPosition =
|
|
@@ -57,7 +57,7 @@ class Marshall {
|
|
|
57
57
|
return packageVersionMapping
|
|
58
58
|
}
|
|
59
59
|
|
|
60
|
-
report(marshalls) {
|
|
60
|
+
report (marshalls) {
|
|
61
61
|
const messages = this.collectPackageMessages(marshalls)
|
|
62
62
|
|
|
63
63
|
if (!messages) {
|
|
@@ -81,7 +81,7 @@ class Marshall {
|
|
|
81
81
|
return { error: true, data: messages }
|
|
82
82
|
}
|
|
83
83
|
|
|
84
|
-
collectPackageMessages(marshalls) {
|
|
84
|
+
collectPackageMessages (marshalls) {
|
|
85
85
|
const allPackageMessages = {}
|
|
86
86
|
for (const key in marshalls) {
|
|
87
87
|
this.prepareMessages(allPackageMessages, marshalls[key].errors)
|
|
@@ -91,7 +91,7 @@ class Marshall {
|
|
|
91
91
|
return allPackageMessages
|
|
92
92
|
}
|
|
93
93
|
|
|
94
|
-
prepareMessages(allPackageMessages, messages, isWarning) {
|
|
94
|
+
prepareMessages (allPackageMessages, messages, isWarning) {
|
|
95
95
|
if (Array.isArray(messages) && messages.length > 0) {
|
|
96
96
|
messages.forEach((msg) => {
|
|
97
97
|
this.appendPackageMessage(allPackageMessages, msg.pkg, {
|
|
@@ -102,7 +102,7 @@ class Marshall {
|
|
|
102
102
|
}
|
|
103
103
|
}
|
|
104
104
|
|
|
105
|
-
appendPackageMessage(packages, packageName, packageMessage) {
|
|
105
|
+
appendPackageMessage (packages, packageName, packageMessage) {
|
|
106
106
|
packages[packageName]
|
|
107
107
|
? packages[packageName].push(packageMessage)
|
|
108
108
|
: (packages[packageName] = [packageMessage])
|
|
@@ -6,16 +6,16 @@ const MARSHALL_NAME = 'age'
|
|
|
6
6
|
const PACKAGE_AGE_THRESHOLD = 22 // specified in days
|
|
7
7
|
|
|
8
8
|
class Marshall extends BaseMarshall {
|
|
9
|
-
constructor(options) {
|
|
9
|
+
constructor (options) {
|
|
10
10
|
super(options)
|
|
11
11
|
this.name = MARSHALL_NAME
|
|
12
12
|
}
|
|
13
13
|
|
|
14
|
-
title() {
|
|
14
|
+
title () {
|
|
15
15
|
return 'Checking package maturity'
|
|
16
16
|
}
|
|
17
17
|
|
|
18
|
-
validate(pkg) {
|
|
18
|
+
validate (pkg) {
|
|
19
19
|
return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
|
|
20
20
|
if (data && data.time && data.time.created) {
|
|
21
21
|
const pkgCreatedDate = data.time.created
|
|
@@ -7,16 +7,16 @@ const Warning = require('../helpers/warning')
|
|
|
7
7
|
const MARSHALL_NAME = 'author'
|
|
8
8
|
|
|
9
9
|
class Marshall extends BaseMarshall {
|
|
10
|
-
constructor(options) {
|
|
10
|
+
constructor (options) {
|
|
11
11
|
super(options)
|
|
12
12
|
this.name = MARSHALL_NAME
|
|
13
13
|
}
|
|
14
14
|
|
|
15
|
-
title() {
|
|
15
|
+
title () {
|
|
16
16
|
return 'Identifying package author...'
|
|
17
17
|
}
|
|
18
18
|
|
|
19
|
-
validate(pkg) {
|
|
19
|
+
validate (pkg) {
|
|
20
20
|
return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
|
|
21
21
|
const lastVersionData =
|
|
22
22
|
data.versions && data['dist-tags'] && data.versions[data['dist-tags']['latest']]
|
|
@@ -3,11 +3,11 @@
|
|
|
3
3
|
const Warning = require('../helpers/warning')
|
|
4
4
|
|
|
5
5
|
class BaseMarshall {
|
|
6
|
-
constructor(options) {
|
|
6
|
+
constructor (options) {
|
|
7
7
|
this.packageRepoUtils = options.packageRepoUtils
|
|
8
8
|
}
|
|
9
9
|
|
|
10
|
-
init(ctx, task) {
|
|
10
|
+
init (ctx, task) {
|
|
11
11
|
this.ctx = ctx
|
|
12
12
|
this.task = task
|
|
13
13
|
|
|
@@ -19,7 +19,7 @@ class BaseMarshall {
|
|
|
19
19
|
}
|
|
20
20
|
}
|
|
21
21
|
|
|
22
|
-
run(ctx, task) {
|
|
22
|
+
run (ctx, task) {
|
|
23
23
|
const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
|
|
24
24
|
return prevPkg.concat(this.checkPackage(currPkg, ctx, task))
|
|
25
25
|
}, [])
|
|
@@ -27,7 +27,7 @@ class BaseMarshall {
|
|
|
27
27
|
return Promise.all(tasks)
|
|
28
28
|
}
|
|
29
29
|
|
|
30
|
-
checkPackage(pkg, ctx, task) {
|
|
30
|
+
checkPackage (pkg, ctx, task) {
|
|
31
31
|
return this.validate(pkg)
|
|
32
32
|
.then((data) => {
|
|
33
33
|
task.output = `querying ${pkg.packageString}...`
|
|
@@ -47,13 +47,13 @@ class BaseMarshall {
|
|
|
47
47
|
})
|
|
48
48
|
}
|
|
49
49
|
|
|
50
|
-
isEnabled() {
|
|
50
|
+
isEnabled () {
|
|
51
51
|
const isMarshallSilent = process.env[`MARSHALL_DISABLE_${this.name.toUpperCase()}`] || false
|
|
52
52
|
|
|
53
53
|
return !isMarshallSilent
|
|
54
54
|
}
|
|
55
55
|
|
|
56
|
-
setMessage(msg, isWarning) {
|
|
56
|
+
setMessage (msg, isWarning) {
|
|
57
57
|
const messages = isWarning
|
|
58
58
|
? this.ctx.marshalls[this.name].warnings
|
|
59
59
|
: this.ctx.marshalls[this.name].errors
|
|
@@ -64,7 +64,7 @@ class BaseMarshall {
|
|
|
64
64
|
})
|
|
65
65
|
}
|
|
66
66
|
|
|
67
|
-
handleMessages() {
|
|
67
|
+
handleMessages () {
|
|
68
68
|
const errors = this.ctx.marshalls[this.name].errors
|
|
69
69
|
const warnings = this.ctx.marshalls[this.name].warnings
|
|
70
70
|
if ((errors && errors.length) || (warnings && warnings.length)) {
|
|
@@ -6,16 +6,16 @@ const MARSHALL_NAME = 'downloads'
|
|
|
6
6
|
const DOWNLOAD_COUNT_THRESHOLD = 20 // threshold per month
|
|
7
7
|
|
|
8
8
|
class Marshall extends BaseMarshall {
|
|
9
|
-
constructor(options) {
|
|
9
|
+
constructor (options) {
|
|
10
10
|
super(options)
|
|
11
11
|
this.name = MARSHALL_NAME
|
|
12
12
|
}
|
|
13
13
|
|
|
14
|
-
title() {
|
|
14
|
+
title () {
|
|
15
15
|
return 'Checking package download popularity'
|
|
16
16
|
}
|
|
17
17
|
|
|
18
|
-
validate(pkg) {
|
|
18
|
+
validate (pkg) {
|
|
19
19
|
return this.packageRepoUtils.getDownloadInfo(pkg.packageName).then((downloadCount) => {
|
|
20
20
|
if (downloadCount < DOWNLOAD_COUNT_THRESHOLD) {
|
|
21
21
|
throw new Error(
|
|
@@ -6,16 +6,16 @@ const dns = require('dns').promises
|
|
|
6
6
|
const MARSHALL_NAME = 'maintainers_expired_emails'
|
|
7
7
|
|
|
8
8
|
class Marshall extends BaseMarshall {
|
|
9
|
-
constructor(options) {
|
|
9
|
+
constructor (options) {
|
|
10
10
|
super(options)
|
|
11
11
|
this.name = MARSHALL_NAME
|
|
12
12
|
}
|
|
13
13
|
|
|
14
|
-
title() {
|
|
14
|
+
title () {
|
|
15
15
|
return 'Detecting expired domains for authors account...'
|
|
16
16
|
}
|
|
17
17
|
|
|
18
|
-
validate(pkg) {
|
|
18
|
+
validate (pkg) {
|
|
19
19
|
return this.packageRepoUtils
|
|
20
20
|
.getPackageInfo(pkg.packageName)
|
|
21
21
|
.then((data) => {
|
package/lib/marshalls/index.js
CHANGED
|
@@ -4,7 +4,7 @@ const Listr = require('listr')
|
|
|
4
4
|
const glob = require('glob')
|
|
5
5
|
|
|
6
6
|
class Marshalls {
|
|
7
|
-
static collectMarshalls() {
|
|
7
|
+
static collectMarshalls () {
|
|
8
8
|
return new Promise((resolve, reject) => {
|
|
9
9
|
glob(
|
|
10
10
|
this.GLOB_MARSHALLS,
|
|
@@ -23,7 +23,7 @@ class Marshalls {
|
|
|
23
23
|
})
|
|
24
24
|
}
|
|
25
25
|
|
|
26
|
-
static buildMarshallTasks(marshalls, config) {
|
|
26
|
+
static buildMarshallTasks (marshalls, config) {
|
|
27
27
|
if (!marshalls || !Array.isArray(marshalls) || marshalls.length === 0) {
|
|
28
28
|
return Promise.reject(new Error('unable to collect marshalls, or no marshalls found'))
|
|
29
29
|
}
|
|
@@ -46,7 +46,7 @@ class Marshalls {
|
|
|
46
46
|
return new Listr(marshallTasks, { exitOnError: false, concurrent: true })
|
|
47
47
|
}
|
|
48
48
|
|
|
49
|
-
static tasks(options) {
|
|
49
|
+
static tasks (options) {
|
|
50
50
|
return Marshalls.warmUpPackagesCache(options)
|
|
51
51
|
.then(() => Marshalls.collectMarshalls())
|
|
52
52
|
.then((marshalls) => {
|
|
@@ -59,7 +59,7 @@ class Marshalls {
|
|
|
59
59
|
})
|
|
60
60
|
}
|
|
61
61
|
|
|
62
|
-
static warmUpPackagesCache(options) {
|
|
62
|
+
static warmUpPackagesCache (options) {
|
|
63
63
|
const fetchPackagesInfoPromises = []
|
|
64
64
|
options.pkgs.forEach((packageMeta) => {
|
|
65
65
|
fetchPackagesInfoPromises.push(
|
|
@@ -70,7 +70,7 @@ class Marshalls {
|
|
|
70
70
|
return Promise.all(fetchPackagesInfoPromises)
|
|
71
71
|
}
|
|
72
72
|
|
|
73
|
-
static runTasks(tasks, options) {
|
|
73
|
+
static runTasks (tasks, options) {
|
|
74
74
|
return tasks.run({
|
|
75
75
|
pkgs: options.pkgs,
|
|
76
76
|
marshalls: {}
|
|
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
|
|
|
5
5
|
const MARSHALL_NAME = 'license'
|
|
6
6
|
|
|
7
7
|
class Marshall extends BaseMarshall {
|
|
8
|
-
constructor(options) {
|
|
8
|
+
constructor (options) {
|
|
9
9
|
super(options)
|
|
10
10
|
this.name = MARSHALL_NAME
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
title() {
|
|
13
|
+
title () {
|
|
14
14
|
return 'Checking availability of a LICENSE'
|
|
15
15
|
}
|
|
16
16
|
|
|
17
|
-
validate(pkg) {
|
|
17
|
+
validate (pkg) {
|
|
18
18
|
return this.packageRepoUtils.getLicenseInfo(pkg.packageName).then((licenseContents) => {
|
|
19
19
|
if (!licenseContents || licenseContents === 'ERROR: No LICENSE data found!') {
|
|
20
20
|
throw new Error('package has no LICENSE file available')
|
|
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
|
|
|
5
5
|
const MARSHALL_NAME = 'readme'
|
|
6
6
|
|
|
7
7
|
class Marshall extends BaseMarshall {
|
|
8
|
-
constructor(options) {
|
|
8
|
+
constructor (options) {
|
|
9
9
|
super(options)
|
|
10
10
|
this.name = MARSHALL_NAME
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
title() {
|
|
13
|
+
title () {
|
|
14
14
|
return 'Checking availability of a README'
|
|
15
15
|
}
|
|
16
16
|
|
|
17
|
-
validate(pkg) {
|
|
17
|
+
validate (pkg) {
|
|
18
18
|
return this.packageRepoUtils.getReadmeInfo(pkg.packageName).then((readmeContents) => {
|
|
19
19
|
if (!readmeContents || readmeContents === 'ERROR: No README data found!') {
|
|
20
20
|
throw new Error('package has no README file available')
|
|
@@ -6,16 +6,16 @@ const URL = require('url').URL
|
|
|
6
6
|
const MARSHALL_NAME = 'repo'
|
|
7
7
|
|
|
8
8
|
class Marshall extends BaseMarshall {
|
|
9
|
-
constructor(options) {
|
|
9
|
+
constructor (options) {
|
|
10
10
|
super(options)
|
|
11
11
|
this.name = MARSHALL_NAME
|
|
12
12
|
}
|
|
13
13
|
|
|
14
|
-
title() {
|
|
14
|
+
title () {
|
|
15
15
|
return 'Identifying package repository...'
|
|
16
16
|
}
|
|
17
17
|
|
|
18
|
-
validate(pkg) {
|
|
18
|
+
validate (pkg) {
|
|
19
19
|
return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
|
|
20
20
|
const lastVersionData =
|
|
21
21
|
(data.versions &&
|
|
@@ -5,16 +5,16 @@ const BaseMarshall = require('./baseMarshall')
|
|
|
5
5
|
const MARSHALL_NAME = 'scripts'
|
|
6
6
|
|
|
7
7
|
class Marshall extends BaseMarshall {
|
|
8
|
-
constructor(options) {
|
|
8
|
+
constructor (options) {
|
|
9
9
|
super(options)
|
|
10
10
|
this.name = MARSHALL_NAME
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
title() {
|
|
13
|
+
title () {
|
|
14
14
|
return 'Checking package for pre/post install scripts'
|
|
15
15
|
}
|
|
16
16
|
|
|
17
|
-
validate(pkg) {
|
|
17
|
+
validate (pkg) {
|
|
18
18
|
return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
|
|
19
19
|
const packageVersion =
|
|
20
20
|
pkg.packageVersion === 'latest'
|
|
@@ -6,16 +6,16 @@ const pacote = require('pacote')
|
|
|
6
6
|
const MARSHALL_NAME = 'signatures'
|
|
7
7
|
|
|
8
8
|
class Marshall extends BaseMarshall {
|
|
9
|
-
constructor(options) {
|
|
9
|
+
constructor (options) {
|
|
10
10
|
super(options)
|
|
11
11
|
this.name = MARSHALL_NAME
|
|
12
12
|
}
|
|
13
13
|
|
|
14
|
-
title() {
|
|
14
|
+
title () {
|
|
15
15
|
return 'Verifying registry signatures for package'
|
|
16
16
|
}
|
|
17
17
|
|
|
18
|
-
validate(pkg) {
|
|
18
|
+
validate (pkg) {
|
|
19
19
|
// @TODO currently we're hardcoding the official npm registry
|
|
20
20
|
// this should however allow for local proxies and other registries
|
|
21
21
|
return this.fetchRegistryKeys()
|
|
@@ -32,7 +32,7 @@ class Marshall extends BaseMarshall {
|
|
|
32
32
|
})
|
|
33
33
|
}
|
|
34
34
|
|
|
35
|
-
fetchRegistryKeys() {
|
|
35
|
+
fetchRegistryKeys () {
|
|
36
36
|
const registryHost = 'https://registry.npmjs.org'
|
|
37
37
|
const registryKeysEndpoint = '/-/npm/v1/keys'
|
|
38
38
|
|
|
@@ -14,18 +14,18 @@ const SNYK_API_TOKEN = process.env.SNYK_TOKEN
|
|
|
14
14
|
const SNYK_CONFIG_FILE = '.config/configstore/snyk.json'
|
|
15
15
|
|
|
16
16
|
class Marshall extends BaseMarshall {
|
|
17
|
-
constructor(options) {
|
|
17
|
+
constructor (options) {
|
|
18
18
|
super(options)
|
|
19
19
|
this.name = MARSHALL_NAME
|
|
20
20
|
|
|
21
21
|
this.snykApiToken = this.getSnykToken()
|
|
22
22
|
}
|
|
23
23
|
|
|
24
|
-
title() {
|
|
24
|
+
title () {
|
|
25
25
|
return 'Checking for known vulnerabilities'
|
|
26
26
|
}
|
|
27
27
|
|
|
28
|
-
run(ctx, task) {
|
|
28
|
+
run (ctx, task) {
|
|
29
29
|
const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
|
|
30
30
|
return prevPkg.concat(this.checkPackage(currPkg, ctx, task))
|
|
31
31
|
}, [])
|
|
@@ -33,7 +33,7 @@ class Marshall extends BaseMarshall {
|
|
|
33
33
|
return Promise.all(tasks)
|
|
34
34
|
}
|
|
35
35
|
|
|
36
|
-
validate(pkg) {
|
|
36
|
+
validate (pkg) {
|
|
37
37
|
return Promise.resolve()
|
|
38
38
|
.then(() => {
|
|
39
39
|
if (!pkg.packageVersion || pkg.packageVersion === 'latest') {
|
|
@@ -60,7 +60,7 @@ class Marshall extends BaseMarshall {
|
|
|
60
60
|
})
|
|
61
61
|
}
|
|
62
62
|
|
|
63
|
-
getSnykVulnInfoUnauthenticated({ packageName, packageVersion }) {
|
|
63
|
+
getSnykVulnInfoUnauthenticated ({ packageName, packageVersion }) {
|
|
64
64
|
const url = encodeURI(`${SNYK_TEST_URL}/${packageName}/${packageVersion}?type=json`)
|
|
65
65
|
|
|
66
66
|
return fetch(url)
|
|
@@ -77,7 +77,7 @@ class Marshall extends BaseMarshall {
|
|
|
77
77
|
.catch(() => false)
|
|
78
78
|
}
|
|
79
79
|
|
|
80
|
-
getSnykVulnInfo({ packageName, packageVersion } = {}) {
|
|
80
|
+
getSnykVulnInfo ({ packageName, packageVersion } = {}) {
|
|
81
81
|
if (!this.snykApiToken) {
|
|
82
82
|
return this.getSnykVulnInfoUnauthenticated({ packageName, packageVersion })
|
|
83
83
|
}
|
|
@@ -102,7 +102,7 @@ class Marshall extends BaseMarshall {
|
|
|
102
102
|
.catch(() => false)
|
|
103
103
|
}
|
|
104
104
|
|
|
105
|
-
getSnykToken() {
|
|
105
|
+
getSnykToken () {
|
|
106
106
|
if (SNYK_API_TOKEN) {
|
|
107
107
|
return SNYK_API_TOKEN
|
|
108
108
|
}
|
package/lib/packageManager.js
CHANGED
|
@@ -5,12 +5,12 @@ const childProcess = require('child_process')
|
|
|
5
5
|
const DEFAULT_PKGMGR = 'npm'
|
|
6
6
|
|
|
7
7
|
class packageManager {
|
|
8
|
-
static process(packageManagerOption) {
|
|
8
|
+
static process (packageManagerOption) {
|
|
9
9
|
const detectedPackageManager = packageManager.validatePackageManager(packageManagerOption)
|
|
10
10
|
return packageManager.spawnPackageManager(detectedPackageManager)
|
|
11
11
|
}
|
|
12
12
|
|
|
13
|
-
static spawnPackageManager(packageManagerOption) {
|
|
13
|
+
static spawnPackageManager (packageManagerOption) {
|
|
14
14
|
let args = []
|
|
15
15
|
|
|
16
16
|
args = args.concat(process.argv.slice(2)).filter((item) => {
|
|
@@ -32,7 +32,7 @@ class packageManager {
|
|
|
32
32
|
return Promise.resolve(child)
|
|
33
33
|
}
|
|
34
34
|
|
|
35
|
-
static validatePackageManager(packageManagerOption) {
|
|
35
|
+
static validatePackageManager (packageManagerOption) {
|
|
36
36
|
if (!packageManagerOption) {
|
|
37
37
|
packageManagerOption = packageManager.getDefaultPackageManager()
|
|
38
38
|
}
|
|
@@ -44,7 +44,7 @@ class packageManager {
|
|
|
44
44
|
return packageManagerOption
|
|
45
45
|
}
|
|
46
46
|
|
|
47
|
-
static getDefaultPackageManager() {
|
|
47
|
+
static getDefaultPackageManager () {
|
|
48
48
|
return DEFAULT_PKGMGR
|
|
49
49
|
}
|
|
50
50
|
}
|
package/package.json
CHANGED
|
@@ -1,20 +1,20 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "2.4.
|
|
4
|
-
"description": "marshall your npm/
|
|
3
|
+
"version": "2.4.2",
|
|
4
|
+
"description": "marshall your npm/npm package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
7
7
|
"npq-hero": "./bin/npq-hero.js"
|
|
8
8
|
},
|
|
9
9
|
"scripts": {
|
|
10
|
-
"lint": "standard --fix && eslint . --ignore-path .gitignore &&
|
|
11
|
-
"lint:lockfile": "lockfile-lint --path
|
|
10
|
+
"lint": "standard --fix && eslint . --ignore-path .gitignore && npm run lint:lockfile",
|
|
11
|
+
"lint:lockfile": "lockfile-lint --path package-lock.json --type npm --validate-https --allowed-hosts npm npm",
|
|
12
12
|
"test": "jest",
|
|
13
13
|
"test:watch": "jest --watch",
|
|
14
14
|
"coverage:view": "opn coverage/lcov-report/index.html",
|
|
15
15
|
"commit": "git-cz",
|
|
16
16
|
"format": "prettier --config .prettierrc.js --write '**/*.js'",
|
|
17
|
-
"docs": "
|
|
17
|
+
"docs": "npm run docs:code && npm run docs:api",
|
|
18
18
|
"docs:api": "doxdox *.js --layout bootstrap --output docs/index.html",
|
|
19
19
|
"docs:code": "docco *.js --output docs/code",
|
|
20
20
|
"semantic-release": "semantic-release",
|
|
@@ -44,8 +44,6 @@
|
|
|
44
44
|
"@commitlint/config-angular": "^8.0.0",
|
|
45
45
|
"commitizen": "^3.0.0",
|
|
46
46
|
"cz-conventional-changelog": "^2.1.0",
|
|
47
|
-
"docco": "^0.7.0",
|
|
48
|
-
"doxdox": "^3.0.0",
|
|
49
47
|
"eslint": "^5.0.0",
|
|
50
48
|
"eslint-plugin-import": "^2.2.0",
|
|
51
49
|
"eslint-plugin-node": "^8.0.0",
|
|
@@ -53,7 +51,7 @@
|
|
|
53
51
|
"husky": "^3.0.0",
|
|
54
52
|
"jest": "^24.9.0",
|
|
55
53
|
"lint-staged": "^13.1.0",
|
|
56
|
-
"lockfile-lint": "^
|
|
54
|
+
"lockfile-lint": "^4.12.1",
|
|
57
55
|
"opn-cli": "^4.0.0",
|
|
58
56
|
"prettier": "^2.8.3",
|
|
59
57
|
"semantic-release": "21.0.2",
|
|
@@ -99,10 +97,10 @@
|
|
|
99
97
|
"hooks": {
|
|
100
98
|
"commit-msg": "commitlint --env HUSKY_GIT_PARAMS",
|
|
101
99
|
"pre-commit": "lint-staged",
|
|
102
|
-
"pre-push": "
|
|
100
|
+
"pre-push": "npm run lint && npm run test",
|
|
103
101
|
"post-commit": "git status",
|
|
104
102
|
"post-checkout": "git status",
|
|
105
|
-
"post-merge": "
|
|
103
|
+
"post-merge": "npm install"
|
|
106
104
|
}
|
|
107
105
|
},
|
|
108
106
|
"commitlint": {
|
|
@@ -112,8 +110,8 @@
|
|
|
112
110
|
},
|
|
113
111
|
"lint-staged": {
|
|
114
112
|
"**/*.js": [
|
|
115
|
-
"
|
|
116
|
-
"
|
|
113
|
+
"npm run format",
|
|
114
|
+
"npm run lint",
|
|
117
115
|
"git add"
|
|
118
116
|
]
|
|
119
117
|
},
|