npq 3.2.1 → 3.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -196,7 +196,7 @@ describe('Provenance test suites', () => {
196
196
  // We assert that the validate method didn't throw an error,
197
197
  // because the keys match the signature
198
198
  await expect(testMarshall.validate(pkg)).rejects.toThrow(
199
- 'the package was published without any attestations. Proceed with care.'
199
+ 'the package was published without any attestations.'
200
200
  )
201
201
 
202
202
  // Assert that the fetch method is called with the correct URL
@@ -136,3 +136,27 @@ test('repo utils parses package version', async () => {
136
136
  )
137
137
  expect(result).toBeTruthy()
138
138
  })
139
+
140
+ test('repo utils returns valid semver for different cases of version asked', async () => {
141
+ const PackageRepoUtils = require('../lib/helpers/packageRepoUtils')
142
+ global.fetch = jest.fn().mockImplementation(() =>
143
+ Promise.resolve({
144
+ json: () => require('./mocks/registryPackageOk.mock.json')
145
+ })
146
+ )
147
+
148
+ const packageRepoUtils = new PackageRepoUtils()
149
+ const packageName = 'testPackage'
150
+
151
+ let result
152
+
153
+ result = await packageRepoUtils.getSemVer(packageName, 'latest')
154
+ expect(result).toEqual('3.1.0')
155
+
156
+ result = await packageRepoUtils.getSemVer(packageName, '3.1.0')
157
+ expect(result).toEqual('3.1.0')
158
+
159
+ await expect(packageRepoUtils.getSemVer(packageName, 'next')).rejects.toThrow(
160
+ 'could not find dist-tag next for package testPackage'
161
+ )
162
+ })
@@ -51,6 +51,28 @@ class PackageRepoUtils {
51
51
  parsePackageVersion(version) {
52
52
  return semver.coerce(version)
53
53
  }
54
+
55
+ async getSemVer(packageName, packageVersion) {
56
+ if (semver.valid(packageVersion)) {
57
+ return packageVersion
58
+ } else {
59
+ // this is probably an alias such as `latest` that we need to match
60
+ // via dist-tags:
61
+ const packageInfo = await this.getPackageInfo(packageName)
62
+
63
+ if (packageInfo['dist-tags'] === undefined) {
64
+ throw new Error(`could not find dist-tags for package ${packageName}`)
65
+ }
66
+
67
+ if (packageInfo['dist-tags'][packageVersion] === undefined) {
68
+ throw new Error(`could not find dist-tag ${packageVersion} for package ${packageName}`)
69
+ }
70
+
71
+ const semverVersion = packageInfo['dist-tags'][packageVersion]
72
+
73
+ return semverVersion
74
+ }
75
+ }
54
76
  }
55
77
 
56
78
  module.exports = PackageRepoUtils
@@ -34,9 +34,14 @@ class Marshall extends BaseMarshall {
34
34
  // published, date diff, etc into the package repo utils
35
35
  const pakument = await this.packageRepoUtils.getPackageInfo(pkg.packageName)
36
36
 
37
+ const packageVersion = await this.packageRepoUtils.getSemVer(
38
+ pkg.packageName,
39
+ pkg.packageVersion
40
+ )
41
+
37
42
  // @TODO fix to work for both explicit versions (1.0.0) and also
38
43
  // for dis-tags (latest)
39
- const npmUser = pakument.versions[pkg.packageVersion]._npmUser
44
+ const npmUser = pakument.versions[packageVersion]._npmUser
40
45
  if (!npmUser || !npmUser.email) {
41
46
  throw new Error('could not determine publishing user for this package version')
42
47
  }
@@ -46,7 +51,7 @@ class Marshall extends BaseMarshall {
46
51
  }
47
52
 
48
53
  let firstVersionForUser = null
49
- const versionPublishedDateString = pakument.time[pkg.packageVersion]
54
+ const versionPublishedDateString = pakument.time[packageVersion]
50
55
  for (const [version, versionMetadata] of Object.entries(pakument.versions)) {
51
56
  if (versionMetadata._npmUser && versionMetadata._npmUser.email === npmUser.email) {
52
57
  firstVersionForUser = versionMetadata
@@ -54,9 +59,9 @@ class Marshall extends BaseMarshall {
54
59
  }
55
60
  }
56
61
 
57
- if (!firstVersionForUser || firstVersionForUser.version === pkg.packageVersion) {
62
+ if (!firstVersionForUser || firstVersionForUser.version === packageVersion) {
58
63
  throw new Error(
59
- `The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago. Proceed with care.`
64
+ `This is first version the user ${npmUser.name} <${npmUser.email}> published this package`
60
65
  )
61
66
  }
62
67
 
@@ -70,7 +75,7 @@ class Marshall extends BaseMarshall {
70
75
 
71
76
  if (dateDiffInDays <= 30) {
72
77
  throw new Error(
73
- `The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago. Proceed with care.`
78
+ `The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago.`
74
79
  )
75
80
  }
76
81
 
@@ -32,6 +32,10 @@ class Marshall extends BaseMarshall {
32
32
 
33
33
  validationMetadata.name = packageName
34
34
  validationMetadata.version = packageVersion
35
+
36
+ if (!validationMetadata.version) {
37
+ throw new Error('Unable to find version or dist-tag for package')
38
+ }
35
39
  })
36
40
  .then(() => {
37
41
  return this.fetchRegistryKeys()
@@ -48,15 +52,16 @@ class Marshall extends BaseMarshall {
48
52
  })
49
53
  .then((metadata) => {
50
54
  if (!metadata || !metadata._attestations) {
51
- throw new Warning(
52
- 'the package was published without any attestations. Proceed with care.'
53
- )
55
+ throw new Warning('the package was published without any attestations.')
54
56
  }
55
57
 
56
58
  const attestations = metadata._attestations
57
59
 
58
60
  return attestations
59
61
  })
62
+ .catch((error) => {
63
+ throw new Error(`Unable to verify provenance: ${error.message}`)
64
+ })
60
65
  }
61
66
 
62
67
  fetchRegistryKeys() {
@@ -32,6 +32,9 @@ class Marshall extends BaseMarshall {
32
32
  .then((metadata) => {
33
33
  return metadata
34
34
  })
35
+ .catch((error) => {
36
+ throw new Error(`Unable to grab package manifest: ${error.message}`)
37
+ })
35
38
  }
36
39
 
37
40
  fetchRegistryKeys() {
@@ -1,7 +1,7 @@
1
1
  'use strict'
2
2
 
3
- const BaseMarshall = require('./baseMarshall')
4
- const { marshallCategories } = require('./constants')
3
+ const BaseMarshall = require('../marshalls/baseMarshall')
4
+ const { marshallCategories } = require('../marshalls/constants')
5
5
 
6
6
  const MARSHALL_NAME = 'readme'
7
7
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.2.1",
3
+ "version": "3.2.3",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",