npq 3.1.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/marshalls/author.marshall.js +55 -26
- package/package.json +1 -1
|
@@ -2,7 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
const BaseMarshall = require('./baseMarshall')
|
|
4
4
|
const validator = require('validator')
|
|
5
|
-
const Warning = require('../helpers/warning')
|
|
6
5
|
const { marshallCategories } = require('./constants')
|
|
7
6
|
|
|
8
7
|
const MARSHALL_NAME = 'author'
|
|
@@ -11,39 +10,69 @@ class Marshall extends BaseMarshall {
|
|
|
11
10
|
constructor(options) {
|
|
12
11
|
super(options)
|
|
13
12
|
this.name = MARSHALL_NAME
|
|
14
|
-
this.categoryId = marshallCategories.
|
|
13
|
+
this.categoryId = marshallCategories.SupplyChainSecurity.id
|
|
15
14
|
}
|
|
16
15
|
|
|
17
16
|
title() {
|
|
18
17
|
return 'Identifying package author...'
|
|
19
18
|
}
|
|
20
19
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
20
|
+
/**
|
|
21
|
+
* What do we check?
|
|
22
|
+
* 1. Who is the user who published the package? in the pakument's `_npmUser` field
|
|
23
|
+
* 2. Is this the first time we see this user publishing a package?
|
|
24
|
+
* If so, halt and report.
|
|
25
|
+
* 3. Start from first version to latest version and check if they published
|
|
26
|
+
* the package before.
|
|
27
|
+
* If they did, and the difference between this published version date and
|
|
28
|
+
* first is more than 30 days then halt and report.
|
|
29
|
+
* @param {*} pkg
|
|
30
|
+
* @returns
|
|
31
|
+
*/
|
|
32
|
+
async validate(pkg) {
|
|
33
|
+
const pakument = await this.packageRepoUtils.getPackageInfo(pkg.packageName)
|
|
34
|
+
|
|
35
|
+
// @TODO fix to work for both explicit versions (1.0.0) and also
|
|
36
|
+
// for dis-tags (latest)
|
|
37
|
+
const npmUser = pakument.versions[pkg.packageVersion]._npmUser
|
|
38
|
+
if (!npmUser || !npmUser.email) {
|
|
39
|
+
throw new Error('could not determine publishing user for this package version')
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
if (!validator.isEmail(npmUser.email)) {
|
|
43
|
+
throw new Error('the publishing user has no valid email address')
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
let firstVersionForUser = null
|
|
47
|
+
const versionPublishedDateString = pakument.time[pkg.packageVersion]
|
|
48
|
+
for (const [version, versionMetadata] of Object.entries(pakument.versions)) {
|
|
49
|
+
if (versionMetadata._npmUser && versionMetadata._npmUser.email === npmUser.email) {
|
|
50
|
+
firstVersionForUser = versionMetadata
|
|
51
|
+
break
|
|
43
52
|
}
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
if (!firstVersionForUser || firstVersionForUser.version === pkg.packageVersion) {
|
|
56
|
+
throw new Error(
|
|
57
|
+
`The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago. Proceed with care.`
|
|
58
|
+
)
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
const firstPublishedDateString = pakument.time[firstVersionForUser.version]
|
|
62
|
+
|
|
63
|
+
const dateDiffInMs = new Date(versionPublishedDateString) - new Date(firstPublishedDateString)
|
|
64
|
+
let dateDiffInDays = 0
|
|
65
|
+
if (dateDiffInMs > 0) {
|
|
66
|
+
dateDiffInDays = Math.round(dateDiffInMs / (1000 * 60 * 60 * 24))
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
if (dateDiffInDays <= 30) {
|
|
70
|
+
throw new Error(
|
|
71
|
+
`The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago. Proceed with care.`
|
|
72
|
+
)
|
|
73
|
+
}
|
|
44
74
|
|
|
45
|
-
|
|
46
|
-
})
|
|
75
|
+
return versionPublishedDateString
|
|
47
76
|
}
|
|
48
77
|
}
|
|
49
78
|
|