npq 3.10.1 → 3.10.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +7 -1
- package/.editorconfig +0 -49
- package/.github/ISSUE_TEMPLATE.md +0 -32
- package/.github/Logo Horizontal.png +0 -0
- package/.github/Logo Vertical.png +0 -0
- package/.github/Logo.png +0 -0
- package/.github/PULL_REQUEST_TEMPLATE.md +0 -35
- package/.github/npq-demo-1.gif +0 -0
- package/.github/npq-demo-1.png +0 -0
- package/.github/npq-demo.gif +0 -0
- package/.github/npq.mov +0 -0
- package/.github/npq.mp4 +0 -0
- package/.github/npq.png +0 -0
- package/.github/workflows/automerge.yml +0 -39
- package/.github/workflows/main.yml +0 -58
- package/.husky/commit-msg +0 -4
- package/.husky/post-merge +0 -4
- package/.husky/pre-commit +0 -4
- package/.husky/pre-push +0 -4
- package/.prettierrc.js +0 -9
- package/CHANGELOG.md +0 -27
- package/CODE_OF_CONDUCT.md +0 -73
- package/CONTRIBUTING.md +0 -55
- package/SECURITY.md +0 -23
- package/__tests__/__fixtures__/test.marshall.js +0 -58
- package/__tests__/cli.parser.test.js +0 -121
- package/__tests__/cli.test.js +0 -110
- package/__tests__/cliPrompt.test.js +0 -409
- package/__tests__/env-var-integration.test.js +0 -109
- package/__tests__/marshalls.base.test.js +0 -113
- package/__tests__/marshalls.classMethods.test.js +0 -34
- package/__tests__/marshalls.expiredDomains.test.js +0 -100
- package/__tests__/marshalls.newBin.test.js +0 -441
- package/__tests__/marshalls.provenance.test.js +0 -383
- package/__tests__/marshalls.repo.test.js +0 -126
- package/__tests__/marshalls.signatures.test.js +0 -132
- package/__tests__/marshalls.snyk.test.js +0 -294
- package/__tests__/marshalls.tasks.test.js +0 -130
- package/__tests__/marshalls.typosquatting.test.js +0 -76
- package/__tests__/marshalls.version-maturity.test.js +0 -194
- package/__tests__/mocks/registryPackageOk.mock.json +0 -146
- package/__tests__/mocks/registryPackageUnpublished.mock.json +0 -31
- package/__tests__/packageManager.test.js +0 -93
- package/__tests__/packageRepoUtils.test.js +0 -251
- package/__tests__/reportResults.test.js +0 -772
- package/__tests__/scripts.test.js +0 -146
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "npq",
|
|
3
|
-
"version": "3.10.
|
|
3
|
+
"version": "3.10.2",
|
|
4
4
|
"description": "marshall your npm/npm package installs with high quality and class 🎖",
|
|
5
5
|
"bin": {
|
|
6
6
|
"npq": "./bin/npq.js",
|
|
@@ -26,6 +26,12 @@
|
|
|
26
26
|
"engines": {
|
|
27
27
|
"node": ">=20.13.0"
|
|
28
28
|
},
|
|
29
|
+
"files": [
|
|
30
|
+
"bin/",
|
|
31
|
+
"data/",
|
|
32
|
+
"lib/",
|
|
33
|
+
"scripts/"
|
|
34
|
+
],
|
|
29
35
|
"author": {
|
|
30
36
|
"name": "Liran Tal",
|
|
31
37
|
"email": "liran.tal@gmail.com"
|
package/.editorconfig
DELETED
|
@@ -1,49 +0,0 @@
|
|
|
1
|
-
# EditorConfig is awesome: http://EditorConfig.org
|
|
2
|
-
# Howto with your editor: http://editorconfig.org/#download
|
|
3
|
-
|
|
4
|
-
# top-most EditorConfig file
|
|
5
|
-
root = true
|
|
6
|
-
|
|
7
|
-
# Unix-style newlines with a newline ending every file
|
|
8
|
-
[**]
|
|
9
|
-
end_of_line = lf
|
|
10
|
-
insert_final_newline = true
|
|
11
|
-
charset = utf-8
|
|
12
|
-
|
|
13
|
-
# Standard at: https://github.com/felixge/node-style-guide
|
|
14
|
-
[**.{js,json}]
|
|
15
|
-
trim_trailing_whitespace = true
|
|
16
|
-
indent_style = space
|
|
17
|
-
indent_size = 2
|
|
18
|
-
quote_type = single
|
|
19
|
-
|
|
20
|
-
# LT: the following are enforced by standardjs so I commented
|
|
21
|
-
#curly_bracket_next_line = false
|
|
22
|
-
#spaces_around_operators = true
|
|
23
|
-
#space_after_control_statements = true
|
|
24
|
-
#space_after_anonymous_functions = true
|
|
25
|
-
#spaces_in_brackets = false
|
|
26
|
-
|
|
27
|
-
# No Standard. Please document a standard if different from .js
|
|
28
|
-
[**.{yml,css}]
|
|
29
|
-
trim_trailing_whitespace = true
|
|
30
|
-
indent_style = space
|
|
31
|
-
|
|
32
|
-
[**.html]
|
|
33
|
-
trim_trailing_whitespace = true
|
|
34
|
-
indent_style = space
|
|
35
|
-
indent_size = 2
|
|
36
|
-
|
|
37
|
-
# No standard. Please document a standard if different from .js
|
|
38
|
-
[**.md]
|
|
39
|
-
indent_style = tab
|
|
40
|
-
|
|
41
|
-
# Standard at:
|
|
42
|
-
[Makefile]
|
|
43
|
-
indent_style = tab
|
|
44
|
-
|
|
45
|
-
# The indentation in package.json will always need to be 2 spaces
|
|
46
|
-
# https://github.com/npm/npm/issues/4718
|
|
47
|
-
[{package, bower}.json]
|
|
48
|
-
indent_style = space
|
|
49
|
-
indent_size = 2
|
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
<!--- Provide a general summary of the issue in the Title above -->
|
|
2
|
-
|
|
3
|
-
## Expected Behavior
|
|
4
|
-
<!--- If you're describing a bug, tell us what should happen -->
|
|
5
|
-
<!--- If you're suggesting a change/improvement, tell us how it should work -->
|
|
6
|
-
|
|
7
|
-
## Current Behavior
|
|
8
|
-
<!--- If describing a bug, tell us what happens instead of the expected behavior -->
|
|
9
|
-
<!--- If suggesting a change/improvement, explain the difference from current behavior -->
|
|
10
|
-
|
|
11
|
-
## Possible Solution
|
|
12
|
-
<!--- Not obligatory, but suggest a fix/reason for the bug, -->
|
|
13
|
-
<!--- or ideas how to implement the addition or change -->
|
|
14
|
-
|
|
15
|
-
## Steps to Reproduce (for bugs)
|
|
16
|
-
<!--- Provide a link to a live example, or an unambiguous set of steps to -->
|
|
17
|
-
<!--- reproduce this bug. Include code to reproduce, if relevant -->
|
|
18
|
-
1.
|
|
19
|
-
2.
|
|
20
|
-
3.
|
|
21
|
-
4.
|
|
22
|
-
|
|
23
|
-
## Context
|
|
24
|
-
<!--- How has this issue affected you? What are you trying to accomplish? -->
|
|
25
|
-
<!--- Providing context helps us come up with a solution that is most useful in the real world -->
|
|
26
|
-
|
|
27
|
-
## Your Environment
|
|
28
|
-
<!--- Include as many relevant details about the environment you experienced the bug in -->
|
|
29
|
-
* Version used:
|
|
30
|
-
* Environment name and version (e.g. Chrome 39, Node.js 5.4):
|
|
31
|
-
* Operating System and version (desktop or mobile):
|
|
32
|
-
* Link to your project:
|
|
Binary file
|
|
Binary file
|
package/.github/Logo.png
DELETED
|
Binary file
|
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
<!--- Provide a general summary of your changes in the Title above -->
|
|
2
|
-
|
|
3
|
-
## Description
|
|
4
|
-
<!--- Describe your changes in detail -->
|
|
5
|
-
|
|
6
|
-
## Types of changes
|
|
7
|
-
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
|
|
8
|
-
- [ ] Bug fix (non-breaking change which fixes an issue)
|
|
9
|
-
- [ ] New feature (non-breaking change which adds functionality)
|
|
10
|
-
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
|
|
11
|
-
|
|
12
|
-
## Related Issue
|
|
13
|
-
<!--- This project only accepts pull requests related to open issues -->
|
|
14
|
-
<!--- If suggesting a new feature or change, please discuss it in an issue first -->
|
|
15
|
-
<!--- If fixing a bug, there should be an issue describing it with steps to reproduce -->
|
|
16
|
-
<!--- Please link to the issue here: -->
|
|
17
|
-
|
|
18
|
-
## Motivation and Context
|
|
19
|
-
<!--- Why is this change required? What problem does it solve? -->
|
|
20
|
-
|
|
21
|
-
## How Has This Been Tested?
|
|
22
|
-
<!--- Please describe in detail how you tested your changes. -->
|
|
23
|
-
<!--- Include details of your testing environment, and the tests you ran to -->
|
|
24
|
-
<!--- see how your change affects other areas of the code, etc. -->
|
|
25
|
-
<!--- Unit tests are expected for all changes. -->
|
|
26
|
-
|
|
27
|
-
## Screenshots (if appropriate):
|
|
28
|
-
|
|
29
|
-
## Checklist:
|
|
30
|
-
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
|
|
31
|
-
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
|
|
32
|
-
- [ ] I have updated the documentation (if required).
|
|
33
|
-
- [ ] I have read the **CONTRIBUTING** document.
|
|
34
|
-
- [ ] I have added tests to cover my changes.
|
|
35
|
-
- [ ] All new and existing tests passed.
|
package/.github/npq-demo-1.gif
DELETED
|
Binary file
|
package/.github/npq-demo-1.png
DELETED
|
Binary file
|
package/.github/npq-demo.gif
DELETED
|
Binary file
|
package/.github/npq.mov
DELETED
|
Binary file
|
package/.github/npq.mp4
DELETED
|
Binary file
|
package/.github/npq.png
DELETED
|
Binary file
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
name: automerge
|
|
2
|
-
on:
|
|
3
|
-
pull_request:
|
|
4
|
-
types:
|
|
5
|
-
- labeled
|
|
6
|
-
- unlabeled
|
|
7
|
-
- synchronize
|
|
8
|
-
- opened
|
|
9
|
-
- edited
|
|
10
|
-
- ready_for_review
|
|
11
|
-
- reopened
|
|
12
|
-
- unlocked
|
|
13
|
-
pull_request_review:
|
|
14
|
-
types:
|
|
15
|
-
- submitted
|
|
16
|
-
check_suite:
|
|
17
|
-
types:
|
|
18
|
-
- completed
|
|
19
|
-
status: {}
|
|
20
|
-
jobs:
|
|
21
|
-
automerge:
|
|
22
|
-
runs-on: ubuntu-latest
|
|
23
|
-
permissions:
|
|
24
|
-
contents: write
|
|
25
|
-
pull-requests: write
|
|
26
|
-
steps:
|
|
27
|
-
- id: automerge
|
|
28
|
-
name: automerge
|
|
29
|
-
uses: "pascalgn/automerge-action@v0.16.4"
|
|
30
|
-
env:
|
|
31
|
-
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
|
32
|
-
# we only merge PRs with labels of "dependencies"
|
|
33
|
-
MERGE_LABELS: "automerge"
|
|
34
|
-
MERGE_REMOVE_LABELS: "automerge"
|
|
35
|
-
MERGE_METHOD: "squash"
|
|
36
|
-
MERGE_COMMIT_MESSAGE: "automatic"
|
|
37
|
-
MERGE_FORKS: "false"
|
|
38
|
-
MERGE_REQUIRED_APPROVALS: "0"
|
|
39
|
-
UPDATE_METHOD: "rebase"
|
|
@@ -1,58 +0,0 @@
|
|
|
1
|
-
name: CI
|
|
2
|
-
|
|
3
|
-
on: [push, pull_request]
|
|
4
|
-
|
|
5
|
-
jobs:
|
|
6
|
-
build:
|
|
7
|
-
strategy:
|
|
8
|
-
matrix:
|
|
9
|
-
platform: [ubuntu-latest]
|
|
10
|
-
node: ['20', '22', '24']
|
|
11
|
-
name: Node ${{ matrix.node }} (${{ matrix.platform }})
|
|
12
|
-
runs-on: ${{ matrix.platform }}
|
|
13
|
-
steps:
|
|
14
|
-
- uses: actions/checkout@v2
|
|
15
|
-
- uses: actions/setup-node@v2
|
|
16
|
-
with:
|
|
17
|
-
node-version: ${{ matrix.node }}
|
|
18
|
-
- name: install dependencies
|
|
19
|
-
run: npm ci --ignore-engines --ignore-scripts
|
|
20
|
-
- name: lint code
|
|
21
|
-
run: npm run lint
|
|
22
|
-
env:
|
|
23
|
-
CI: true
|
|
24
|
-
- name: run tests
|
|
25
|
-
run: npm run test
|
|
26
|
-
env:
|
|
27
|
-
CI: true
|
|
28
|
-
- name: coverage
|
|
29
|
-
uses: codecov/codecov-action@v1
|
|
30
|
-
with:
|
|
31
|
-
fail_ci_if_error: true
|
|
32
|
-
verbose: false
|
|
33
|
-
env:
|
|
34
|
-
CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}}
|
|
35
|
-
CI: true
|
|
36
|
-
|
|
37
|
-
release:
|
|
38
|
-
name: do semantic release
|
|
39
|
-
runs-on: 'ubuntu-latest'
|
|
40
|
-
permissions:
|
|
41
|
-
contents: write # to be able to publish a GitHub release
|
|
42
|
-
issues: write # to be able to comment on released issues
|
|
43
|
-
pull-requests: write # to be able to comment on released pull requests
|
|
44
|
-
id-token: write # to enable use of OIDC for npm provenance
|
|
45
|
-
needs: build
|
|
46
|
-
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
47
|
-
steps:
|
|
48
|
-
- uses: actions/checkout@v2
|
|
49
|
-
- uses: actions/setup-node@v2
|
|
50
|
-
with:
|
|
51
|
-
node-version: '24'
|
|
52
|
-
- name: install dependencies
|
|
53
|
-
run: npm ci --ignore-engines --ignore-scripts
|
|
54
|
-
- name: release
|
|
55
|
-
run: npx semantic-release
|
|
56
|
-
env:
|
|
57
|
-
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
|
58
|
-
NPM_TOKEN: ${{secrets.NPM_TOKEN}}
|
package/.husky/commit-msg
DELETED
package/.husky/post-merge
DELETED
package/.husky/pre-commit
DELETED
package/.husky/pre-push
DELETED
package/.prettierrc.js
DELETED
package/CHANGELOG.md
DELETED
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
# Changelog
|
|
2
|
-
All notable changes to this project will be documented in this file.
|
|
3
|
-
|
|
4
|
-
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
|
5
|
-
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
|
6
|
-
|
|
7
|
-
<!--
|
|
8
|
-
## [x.y.z] - YYYY-MM-DD
|
|
9
|
-
### [Type of Change]
|
|
10
|
-
- [description of change]
|
|
11
|
-
|
|
12
|
-
### Types of changes
|
|
13
|
-
- **Added** for new features.
|
|
14
|
-
- **Changed** for changes in existing functionality.
|
|
15
|
-
- **Deprecated** for soon-to-be removed features.
|
|
16
|
-
- **Removed** for now removed features.
|
|
17
|
-
- **Fixed** for any bug fixes.
|
|
18
|
-
- **Security** in case of vulnerabilities.
|
|
19
|
-
|
|
20
|
-
[x.y.z]: https://github.com/lirantal/npq/compare/1.0.0...x.y.z
|
|
21
|
-
-->
|
|
22
|
-
|
|
23
|
-
## [Unreleased]
|
|
24
|
-
- Initial Release
|
|
25
|
-
|
|
26
|
-
<!-- Update the Unreleased comparison range with each release -->
|
|
27
|
-
[Unreleased]: https://github.com/lirantal/npq/compare/x.y.z...master
|
package/CODE_OF_CONDUCT.md
DELETED
|
@@ -1,73 +0,0 @@
|
|
|
1
|
-
# Contributor Covenant Code of Conduct
|
|
2
|
-
|
|
3
|
-
## Our Pledge
|
|
4
|
-
|
|
5
|
-
In the interest of fostering an open and welcoming environment, we as
|
|
6
|
-
contributors and maintainers pledge to making participation in our project and
|
|
7
|
-
our community a harassment-free experience for everyone, regardless of age, body
|
|
8
|
-
size, disability, ethnicity, gender identity and expression, level of experience,
|
|
9
|
-
education, socio-economic status, nationality, personal appearance, race,
|
|
10
|
-
religion, or sexual identity and orientation.
|
|
11
|
-
|
|
12
|
-
## Our Standards
|
|
13
|
-
|
|
14
|
-
Examples of behavior that contributes to creating a positive environment
|
|
15
|
-
include:
|
|
16
|
-
|
|
17
|
-
* Using welcoming and inclusive language
|
|
18
|
-
* Being respectful of differing viewpoints and experiences
|
|
19
|
-
* Gracefully accepting constructive criticism
|
|
20
|
-
* Focusing on what is best for the community
|
|
21
|
-
* Showing empathy towards other community members
|
|
22
|
-
|
|
23
|
-
Examples of unacceptable behavior by participants include:
|
|
24
|
-
|
|
25
|
-
* The use of sexualized language or imagery and unwelcome sexual attention or
|
|
26
|
-
advances
|
|
27
|
-
* Trolling, insulting/derogatory comments, and personal or political attacks
|
|
28
|
-
* Public or private harassment
|
|
29
|
-
* Publishing others' private information, such as a physical or electronic
|
|
30
|
-
address, without explicit permission
|
|
31
|
-
* Other conduct which could reasonably be considered inappropriate in a
|
|
32
|
-
professional setting
|
|
33
|
-
|
|
34
|
-
## Our Responsibilities
|
|
35
|
-
|
|
36
|
-
Project maintainers are responsible for clarifying the standards of acceptable
|
|
37
|
-
behavior and are expected to take appropriate and fair corrective action in
|
|
38
|
-
response to any instances of unacceptable behavior.
|
|
39
|
-
|
|
40
|
-
Project maintainers have the right and responsibility to remove, edit, or
|
|
41
|
-
reject comments, commits, code, wiki edits, issues, and other contributions
|
|
42
|
-
that are not aligned to this Code of Conduct, or to ban temporarily or
|
|
43
|
-
permanently any contributor for other behaviors that they deem inappropriate,
|
|
44
|
-
threatening, offensive, or harmful.
|
|
45
|
-
|
|
46
|
-
## Scope
|
|
47
|
-
|
|
48
|
-
This Code of Conduct applies both within project spaces and in public spaces
|
|
49
|
-
when an individual is representing the project or its community. Examples of
|
|
50
|
-
representing a project or community include using an official project e-mail
|
|
51
|
-
address, posting via an official social media account, or acting as an appointed
|
|
52
|
-
representative at an online or offline event. Representation of a project may be
|
|
53
|
-
further defined and clarified by project maintainers.
|
|
54
|
-
|
|
55
|
-
## Enforcement
|
|
56
|
-
|
|
57
|
-
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
|
58
|
-
reported by contacting the project maintainers team via their e-mail addresses. All
|
|
59
|
-
complaints will be reviewed and investigated and will result in a response that
|
|
60
|
-
is deemed necessary and appropriate to the circumstances. The project team is
|
|
61
|
-
obligated to maintain confidentiality with regard to the reporter of an incident.
|
|
62
|
-
Further details of specific enforcement policies may be posted separately.
|
|
63
|
-
|
|
64
|
-
Project maintainers who do not follow or enforce the Code of Conduct in good
|
|
65
|
-
faith may face temporary or permanent repercussions as determined by other
|
|
66
|
-
members of the project's leadership.
|
|
67
|
-
|
|
68
|
-
## Attribution
|
|
69
|
-
|
|
70
|
-
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
|
|
71
|
-
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
|
|
72
|
-
|
|
73
|
-
[homepage]: https://www.contributor-covenant.org
|
package/CONTRIBUTING.md
DELETED
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
# Contribution Guidelines
|
|
2
|
-
|
|
3
|
-
Please review below for developer guidelines on general project contribution guidelines as well as writing your own marshalls plugin.
|
|
4
|
-
|
|
5
|
-
## Contributing Marshalls
|
|
6
|
-
|
|
7
|
-
### A Marshall's Interface
|
|
8
|
-
|
|
9
|
-
A Marshall always extends the BaseMarshall class and needs to implement the following interface:
|
|
10
|
-
* `title(): string`
|
|
11
|
-
* `isEnabled(ctx: object): boolean`
|
|
12
|
-
* `run(ctx: object, task: object): Promise<>`
|
|
13
|
-
|
|
14
|
-
for reference about the `ctx` and `task` objects passed to tasks refer to [listr](https://github.com/SamVerschueren/listr) package documentation.
|
|
15
|
-
|
|
16
|
-
### run()
|
|
17
|
-
|
|
18
|
-
The `run()` method must be able to support multiple packages provided in `ctx.pkgs` to run its check upon.
|
|
19
|
-
|
|
20
|
-
If you implement multiple packages checks with a `Promise.all()` strategy you should be aware that it will fail-fast on exceptions. This default behavior is not desirable because while errors exist in one packge, you would still want to continue running your checks on the other packages as well.
|
|
21
|
-
|
|
22
|
-
To mitigate that, your specific check method should now throw an exception if it fails, but instead catch it and call
|
|
23
|
-
```js
|
|
24
|
-
this.setMessage({
|
|
25
|
-
pkg: pkg,
|
|
26
|
-
message: err.message
|
|
27
|
-
})
|
|
28
|
-
```
|
|
29
|
-
to record an error that happened in a specific package.
|
|
30
|
-
|
|
31
|
-
### General Marshalls Guidelines
|
|
32
|
-
|
|
33
|
-
* Never overwrite `ctx.pkgs` property
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
## Tests
|
|
37
|
-
|
|
38
|
-
Make sure you the code you're adding has decent test coverage.
|
|
39
|
-
|
|
40
|
-
Running project tests and coverage:
|
|
41
|
-
|
|
42
|
-
```bash
|
|
43
|
-
npm run test
|
|
44
|
-
```
|
|
45
|
-
|
|
46
|
-
## Commit Guidelines
|
|
47
|
-
|
|
48
|
-
The project uses the commitizen tool for standardizing changelog style commit
|
|
49
|
-
messages so you should follow it as so:
|
|
50
|
-
|
|
51
|
-
```bash
|
|
52
|
-
git add . # add files to staging
|
|
53
|
-
yarn run commit # use the wizard for the commit message
|
|
54
|
-
```
|
|
55
|
-
|
package/SECURITY.md
DELETED
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
# Security Policy
|
|
2
|
-
|
|
3
|
-
## Responsible disclosure security policy
|
|
4
|
-
|
|
5
|
-
A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users.
|
|
6
|
-
|
|
7
|
-
When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. When contacting a security program their disclosure policy will provide details on time-frame, processes and paid bounties.
|
|
8
|
-
|
|
9
|
-
We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at risk.
|
|
10
|
-
|
|
11
|
-
## Reporting a security issue
|
|
12
|
-
|
|
13
|
-
We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
|
|
14
|
-
|
|
15
|
-
If you discover a security vulnerability, please use one of the following means of communications to report it to us:
|
|
16
|
-
|
|
17
|
-
- Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
|
|
18
|
-
|
|
19
|
-
Note that time-frame and processes are subject to each program’s own policy.
|
|
20
|
-
|
|
21
|
-
- Report the security issue to the project maintainers directly.
|
|
22
|
-
|
|
23
|
-
Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
|
|
@@ -1,58 +0,0 @@
|
|
|
1
|
-
'use strict'
|
|
2
|
-
|
|
3
|
-
const BaseMarshall = require('../../lib/marshalls/baseMarshall')
|
|
4
|
-
|
|
5
|
-
const MARSHALL_NAME = 'test.marshall'
|
|
6
|
-
|
|
7
|
-
class TestMarshall extends BaseMarshall {
|
|
8
|
-
constructor(options) {
|
|
9
|
-
super(options)
|
|
10
|
-
this.name = MARSHALL_NAME
|
|
11
|
-
}
|
|
12
|
-
|
|
13
|
-
title() {
|
|
14
|
-
return 'A test marshall'
|
|
15
|
-
}
|
|
16
|
-
|
|
17
|
-
run(ctx, task) {
|
|
18
|
-
const tasks = ctx.pkgs.reduce((prevPkg, currPkg) => {
|
|
19
|
-
return prevPkg.concat(this.mockCheck(currPkg, ctx, task))
|
|
20
|
-
}, [])
|
|
21
|
-
|
|
22
|
-
return Promise.all(tasks)
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
mockCheck(pkg, ctx) {
|
|
26
|
-
return this.validateSomething(pkg)
|
|
27
|
-
.then(() => {
|
|
28
|
-
const data = 'mock data check'
|
|
29
|
-
ctx.marshalls[this.name].data[pkg.packageName] = data
|
|
30
|
-
|
|
31
|
-
return data
|
|
32
|
-
})
|
|
33
|
-
.catch((err) => {
|
|
34
|
-
this.setMessage({
|
|
35
|
-
pkg: pkg.packageName,
|
|
36
|
-
message: err.message
|
|
37
|
-
})
|
|
38
|
-
})
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
validateSomething(pkg) {
|
|
42
|
-
if (pkg.packageName === 'express' || pkg.packageName === 'semver') {
|
|
43
|
-
return Promise.resolve()
|
|
44
|
-
} else {
|
|
45
|
-
return Promise.reject(new Error('simulating mock error'))
|
|
46
|
-
}
|
|
47
|
-
}
|
|
48
|
-
|
|
49
|
-
validate(pkg) {
|
|
50
|
-
if (pkg.packageName === 'express' || pkg.packageName === 'semver') {
|
|
51
|
-
return Promise.resolve('validation-result')
|
|
52
|
-
} else {
|
|
53
|
-
return Promise.reject(new Error('simulating mock error'))
|
|
54
|
-
}
|
|
55
|
-
}
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
module.exports = TestMarshall
|
|
@@ -1,121 +0,0 @@
|
|
|
1
|
-
// __tests__/env-var-integration.test.js
|
|
2
|
-
|
|
3
|
-
describe('NPQ_PKG_MGR Environment Variable Integration', () => {
|
|
4
|
-
let originalArgv
|
|
5
|
-
let originalNPQ_PKG_MGR
|
|
6
|
-
|
|
7
|
-
beforeEach(() => {
|
|
8
|
-
// Save original values
|
|
9
|
-
originalArgv = process.argv
|
|
10
|
-
originalNPQ_PKG_MGR = process.env.NPQ_PKG_MGR
|
|
11
|
-
|
|
12
|
-
// Clear environment variable
|
|
13
|
-
delete process.env.NPQ_PKG_MGR
|
|
14
|
-
|
|
15
|
-
// Mock console methods to avoid output during tests
|
|
16
|
-
jest.spyOn(console, 'log').mockImplementation(() => {})
|
|
17
|
-
jest.spyOn(console, 'error').mockImplementation(() => {})
|
|
18
|
-
jest.spyOn(process, 'exit').mockImplementation(() => {})
|
|
19
|
-
})
|
|
20
|
-
|
|
21
|
-
afterEach(() => {
|
|
22
|
-
// Restore original values
|
|
23
|
-
process.argv = originalArgv
|
|
24
|
-
if (originalNPQ_PKG_MGR !== undefined) {
|
|
25
|
-
process.env.NPQ_PKG_MGR = originalNPQ_PKG_MGR
|
|
26
|
-
} else {
|
|
27
|
-
delete process.env.NPQ_PKG_MGR
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
// Restore mocked methods
|
|
31
|
-
jest.restoreAllMocks()
|
|
32
|
-
})
|
|
33
|
-
|
|
34
|
-
test.only('should prioritize NPQ_PKG_MGR environment variable over command line options', () => {
|
|
35
|
-
// This test verifies the core functionality:
|
|
36
|
-
// process.env.NPQ_PKG_MGR || values.packageManager || values.pkgMgr || 'npm'
|
|
37
|
-
|
|
38
|
-
process.env.NPQ_PKG_MGR = 'pnpm'
|
|
39
|
-
|
|
40
|
-
// Dynamically require to get fresh instance with environment variable set
|
|
41
|
-
jest.resetModules()
|
|
42
|
-
const { CliParser } = require('../lib/cli')
|
|
43
|
-
|
|
44
|
-
// Mock parseArgs to simulate command line input with --packageManager
|
|
45
|
-
const originalParseArgs = require('node:util').parseArgs
|
|
46
|
-
require('node:util').parseArgs = jest.fn().mockReturnValue({
|
|
47
|
-
values: { packageManager: 'yarn' }, // CLI says yarn
|
|
48
|
-
positionals: ['install', 'express']
|
|
49
|
-
})
|
|
50
|
-
|
|
51
|
-
const result = CliParser.parseArgsFull()
|
|
52
|
-
|
|
53
|
-
// Environment variable should win over CLI option
|
|
54
|
-
expect(result.packageManager).toBe('pnpm')
|
|
55
|
-
|
|
56
|
-
// Restore
|
|
57
|
-
require('node:util').parseArgs = originalParseArgs
|
|
58
|
-
})
|
|
59
|
-
|
|
60
|
-
test('should fall back to command line option when NPQ_PKG_MGR is not set', () => {
|
|
61
|
-
// Ensure environment variable is not set
|
|
62
|
-
delete process.env.NPQ_PKG_MGR
|
|
63
|
-
|
|
64
|
-
jest.resetModules()
|
|
65
|
-
const { CliParser } = require('../lib/cli')
|
|
66
|
-
|
|
67
|
-
const originalParseArgs = require('node:util').parseArgs
|
|
68
|
-
require('node:util').parseArgs = jest.fn().mockReturnValue({
|
|
69
|
-
values: { packageManager: 'yarn' },
|
|
70
|
-
positionals: ['install', 'express']
|
|
71
|
-
})
|
|
72
|
-
|
|
73
|
-
const result = CliParser.parseArgsFull()
|
|
74
|
-
|
|
75
|
-
expect(result.packageManager).toBe('yarn')
|
|
76
|
-
|
|
77
|
-
// Restore
|
|
78
|
-
require('node:util').parseArgs = originalParseArgs
|
|
79
|
-
})
|
|
80
|
-
|
|
81
|
-
test('should fall back to npm default when neither env var nor CLI option provided', () => {
|
|
82
|
-
delete process.env.NPQ_PKG_MGR
|
|
83
|
-
|
|
84
|
-
jest.resetModules()
|
|
85
|
-
const { CliParser } = require('../lib/cli')
|
|
86
|
-
|
|
87
|
-
const originalParseArgs = require('node:util').parseArgs
|
|
88
|
-
require('node:util').parseArgs = jest.fn().mockReturnValue({
|
|
89
|
-
values: {}, // No package manager specified
|
|
90
|
-
positionals: ['install', 'express']
|
|
91
|
-
})
|
|
92
|
-
|
|
93
|
-
const result = CliParser.parseArgsFull()
|
|
94
|
-
|
|
95
|
-
expect(result.packageManager).toBe('npm')
|
|
96
|
-
|
|
97
|
-
// Restore
|
|
98
|
-
require('node:util').parseArgs = originalParseArgs
|
|
99
|
-
})
|
|
100
|
-
|
|
101
|
-
test('should handle empty NPQ_PKG_MGR environment variable', () => {
|
|
102
|
-
process.env.NPQ_PKG_MGR = '' // Empty string
|
|
103
|
-
|
|
104
|
-
jest.resetModules()
|
|
105
|
-
const { CliParser } = require('../lib/cli')
|
|
106
|
-
|
|
107
|
-
const originalParseArgs = require('node:util').parseArgs
|
|
108
|
-
require('node:util').parseArgs = jest.fn().mockReturnValue({
|
|
109
|
-
values: { packageManager: 'yarn' },
|
|
110
|
-
positionals: ['install', 'express']
|
|
111
|
-
})
|
|
112
|
-
|
|
113
|
-
const result = CliParser.parseArgsFull()
|
|
114
|
-
|
|
115
|
-
// Empty string should be falsy, so fall back to CLI option
|
|
116
|
-
expect(result.packageManager).toBe('yarn')
|
|
117
|
-
|
|
118
|
-
// Restore
|
|
119
|
-
require('node:util').parseArgs = originalParseArgs
|
|
120
|
-
})
|
|
121
|
-
})
|