npq 2.4.2 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/lib/marshalls/provenance.marshall.js +78 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -100,6 +100,7 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
100
100
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
101
101
|
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
|
|
102
102
|
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
|
|
103
|
+
| provenance | Will verify the package's attestations of provenance metadata for the published package
|
|
103
104
|
|
|
104
105
|
### Disabling Marshalls
|
|
105
106
|
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
'use strict'
|
|
2
|
+
|
|
3
|
+
const BaseMarshall = require('./baseMarshall')
|
|
4
|
+
const pacote = require('pacote')
|
|
5
|
+
|
|
6
|
+
const MARSHALL_NAME = 'provenance'
|
|
7
|
+
|
|
8
|
+
class Marshall extends BaseMarshall {
|
|
9
|
+
constructor (options) {
|
|
10
|
+
super(options)
|
|
11
|
+
this.name = MARSHALL_NAME
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
title () {
|
|
15
|
+
return 'Verifying package provenance'
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
validate (pkg) {
|
|
19
|
+
const validationMetadata = {}
|
|
20
|
+
|
|
21
|
+
return this.packageRepoUtils
|
|
22
|
+
.getPackageInfo(pkg.packageName)
|
|
23
|
+
.then((packageInfo) => {
|
|
24
|
+
const packageName = packageInfo.name
|
|
25
|
+
const packageVersion =
|
|
26
|
+
pkg.packageVersion === 'latest'
|
|
27
|
+
? packageInfo['dist-tags'] && packageInfo['dist-tags']['latest']
|
|
28
|
+
: this.packageRepoUtils.parsePackageVersion(pkg.packageVersion).version
|
|
29
|
+
|
|
30
|
+
validationMetadata.name = packageName
|
|
31
|
+
validationMetadata.version = packageVersion
|
|
32
|
+
})
|
|
33
|
+
.then(() => {
|
|
34
|
+
return this.fetchRegistryKeys()
|
|
35
|
+
})
|
|
36
|
+
.then((keys) => {
|
|
37
|
+
// @TODO currently we're hardcoding the official npm registry
|
|
38
|
+
// this should however allow for local proxies and other registries
|
|
39
|
+
return pacote.manifest(`${validationMetadata.name}@${validationMetadata.version}`, {
|
|
40
|
+
verifyAttestations: true,
|
|
41
|
+
registry: 'https://registry.npmjs.org',
|
|
42
|
+
|
|
43
|
+
[`//registry.npmjs.org/:_keys`]: keys
|
|
44
|
+
})
|
|
45
|
+
})
|
|
46
|
+
.then((metadata) => {
|
|
47
|
+
return metadata
|
|
48
|
+
})
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
fetchRegistryKeys () {
|
|
52
|
+
const registryHost = 'https://registry.npmjs.org'
|
|
53
|
+
const registryKeysEndpoint = '/-/npm/v1/keys'
|
|
54
|
+
|
|
55
|
+
const registryKeysUrl = `${registryHost}${registryKeysEndpoint}`
|
|
56
|
+
// eslint-disable-next-line no-undef
|
|
57
|
+
return fetch(registryKeysUrl)
|
|
58
|
+
.then((response) => {
|
|
59
|
+
return response.json()
|
|
60
|
+
})
|
|
61
|
+
.then((response) => {
|
|
62
|
+
const registryKeys = response.keys
|
|
63
|
+
|
|
64
|
+
return registryKeys.map((key) => ({
|
|
65
|
+
...key,
|
|
66
|
+
pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`
|
|
67
|
+
}))
|
|
68
|
+
})
|
|
69
|
+
.then((keys) => {
|
|
70
|
+
return keys
|
|
71
|
+
})
|
|
72
|
+
.catch((error) => {
|
|
73
|
+
throw new Error(`error fetching registry keys: ${error.message}`)
|
|
74
|
+
})
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
module.exports = Marshall
|