npq 3.2.1 → 3.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/__tests__/marshalls.provenance.test.js +1 -1
- package/__tests__/packageRepoUtils.test.js +24 -0
- package/lib/helpers/packageRepoUtils.js +22 -0
- package/lib/marshalls/author.marshall.js +10 -5
- package/lib/marshalls/provenance.marshall.js +8 -3
- package/lib/marshalls/signatures.marshall.js +3 -0
- package/lib/{marshalls → marshallsDecomissioned}/readme.marshall.js +2 -2
- package/package.json +1 -1
|
@@ -196,7 +196,7 @@ describe('Provenance test suites', () => {
|
|
|
196
196
|
// We assert that the validate method didn't throw an error,
|
|
197
197
|
// because the keys match the signature
|
|
198
198
|
await expect(testMarshall.validate(pkg)).rejects.toThrow(
|
|
199
|
-
'the package was published without any attestations.
|
|
199
|
+
'the package was published without any attestations.'
|
|
200
200
|
)
|
|
201
201
|
|
|
202
202
|
// Assert that the fetch method is called with the correct URL
|
|
@@ -136,3 +136,27 @@ test('repo utils parses package version', async () => {
|
|
|
136
136
|
)
|
|
137
137
|
expect(result).toBeTruthy()
|
|
138
138
|
})
|
|
139
|
+
|
|
140
|
+
test('repo utils returns valid semver for different cases of version asked', async () => {
|
|
141
|
+
const PackageRepoUtils = require('../lib/helpers/packageRepoUtils')
|
|
142
|
+
global.fetch = jest.fn().mockImplementation(() =>
|
|
143
|
+
Promise.resolve({
|
|
144
|
+
json: () => require('./mocks/registryPackageOk.mock.json')
|
|
145
|
+
})
|
|
146
|
+
)
|
|
147
|
+
|
|
148
|
+
const packageRepoUtils = new PackageRepoUtils()
|
|
149
|
+
const packageName = 'testPackage'
|
|
150
|
+
|
|
151
|
+
let result
|
|
152
|
+
|
|
153
|
+
result = await packageRepoUtils.getSemVer(packageName, 'latest')
|
|
154
|
+
expect(result).toEqual('3.1.0')
|
|
155
|
+
|
|
156
|
+
result = await packageRepoUtils.getSemVer(packageName, '3.1.0')
|
|
157
|
+
expect(result).toEqual('3.1.0')
|
|
158
|
+
|
|
159
|
+
await expect(packageRepoUtils.getSemVer(packageName, 'next')).rejects.toThrow(
|
|
160
|
+
'could not find dist-tag next for package testPackage'
|
|
161
|
+
)
|
|
162
|
+
})
|
|
@@ -51,6 +51,28 @@ class PackageRepoUtils {
|
|
|
51
51
|
parsePackageVersion(version) {
|
|
52
52
|
return semver.coerce(version)
|
|
53
53
|
}
|
|
54
|
+
|
|
55
|
+
async getSemVer(packageName, packageVersion) {
|
|
56
|
+
if (semver.valid(packageVersion)) {
|
|
57
|
+
return packageVersion
|
|
58
|
+
} else {
|
|
59
|
+
// this is probably an alias such as `latest` that we need to match
|
|
60
|
+
// via dist-tags:
|
|
61
|
+
const packageInfo = await this.getPackageInfo(packageName)
|
|
62
|
+
|
|
63
|
+
if (packageInfo['dist-tags'] === undefined) {
|
|
64
|
+
throw new Error(`could not find dist-tags for package ${packageName}`)
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
if (packageInfo['dist-tags'][packageVersion] === undefined) {
|
|
68
|
+
throw new Error(`could not find dist-tag ${packageVersion} for package ${packageName}`)
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
const semverVersion = packageInfo['dist-tags'][packageVersion]
|
|
72
|
+
|
|
73
|
+
return semverVersion
|
|
74
|
+
}
|
|
75
|
+
}
|
|
54
76
|
}
|
|
55
77
|
|
|
56
78
|
module.exports = PackageRepoUtils
|
|
@@ -34,9 +34,14 @@ class Marshall extends BaseMarshall {
|
|
|
34
34
|
// published, date diff, etc into the package repo utils
|
|
35
35
|
const pakument = await this.packageRepoUtils.getPackageInfo(pkg.packageName)
|
|
36
36
|
|
|
37
|
+
const packageVersion = await this.packageRepoUtils.getSemVer(
|
|
38
|
+
pkg.packageName,
|
|
39
|
+
pkg.packageVersion
|
|
40
|
+
)
|
|
41
|
+
|
|
37
42
|
// @TODO fix to work for both explicit versions (1.0.0) and also
|
|
38
43
|
// for dis-tags (latest)
|
|
39
|
-
const npmUser = pakument.versions[
|
|
44
|
+
const npmUser = pakument.versions[packageVersion]._npmUser
|
|
40
45
|
if (!npmUser || !npmUser.email) {
|
|
41
46
|
throw new Error('could not determine publishing user for this package version')
|
|
42
47
|
}
|
|
@@ -46,7 +51,7 @@ class Marshall extends BaseMarshall {
|
|
|
46
51
|
}
|
|
47
52
|
|
|
48
53
|
let firstVersionForUser = null
|
|
49
|
-
const versionPublishedDateString = pakument.time[
|
|
54
|
+
const versionPublishedDateString = pakument.time[packageVersion]
|
|
50
55
|
for (const [version, versionMetadata] of Object.entries(pakument.versions)) {
|
|
51
56
|
if (versionMetadata._npmUser && versionMetadata._npmUser.email === npmUser.email) {
|
|
52
57
|
firstVersionForUser = versionMetadata
|
|
@@ -54,9 +59,9 @@ class Marshall extends BaseMarshall {
|
|
|
54
59
|
}
|
|
55
60
|
}
|
|
56
61
|
|
|
57
|
-
if (!firstVersionForUser || firstVersionForUser.version ===
|
|
62
|
+
if (!firstVersionForUser || firstVersionForUser.version === packageVersion) {
|
|
58
63
|
throw new Error(
|
|
59
|
-
`
|
|
64
|
+
`This is first version the user ${npmUser.name} <${npmUser.email}> published this package`
|
|
60
65
|
)
|
|
61
66
|
}
|
|
62
67
|
|
|
@@ -70,7 +75,7 @@ class Marshall extends BaseMarshall {
|
|
|
70
75
|
|
|
71
76
|
if (dateDiffInDays <= 30) {
|
|
72
77
|
throw new Error(
|
|
73
|
-
`The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago
|
|
78
|
+
`The user ${npmUser.name} <${npmUser.email}> published this package for the first time only ${dateDiffInDays} days ago.`
|
|
74
79
|
)
|
|
75
80
|
}
|
|
76
81
|
|
|
@@ -32,6 +32,10 @@ class Marshall extends BaseMarshall {
|
|
|
32
32
|
|
|
33
33
|
validationMetadata.name = packageName
|
|
34
34
|
validationMetadata.version = packageVersion
|
|
35
|
+
|
|
36
|
+
if (!validationMetadata.version) {
|
|
37
|
+
throw new Error('Unable to find version or dist-tag for package')
|
|
38
|
+
}
|
|
35
39
|
})
|
|
36
40
|
.then(() => {
|
|
37
41
|
return this.fetchRegistryKeys()
|
|
@@ -48,15 +52,16 @@ class Marshall extends BaseMarshall {
|
|
|
48
52
|
})
|
|
49
53
|
.then((metadata) => {
|
|
50
54
|
if (!metadata || !metadata._attestations) {
|
|
51
|
-
throw new Warning(
|
|
52
|
-
'the package was published without any attestations. Proceed with care.'
|
|
53
|
-
)
|
|
55
|
+
throw new Warning('the package was published without any attestations.')
|
|
54
56
|
}
|
|
55
57
|
|
|
56
58
|
const attestations = metadata._attestations
|
|
57
59
|
|
|
58
60
|
return attestations
|
|
59
61
|
})
|
|
62
|
+
.catch((error) => {
|
|
63
|
+
throw new Error(`Unable to verify provenance: ${error.message}`)
|
|
64
|
+
})
|
|
60
65
|
}
|
|
61
66
|
|
|
62
67
|
fetchRegistryKeys() {
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
|
-
const BaseMarshall = require('
|
|
4
|
-
const { marshallCategories } = require('
|
|
3
|
+
const BaseMarshall = require('../marshalls/baseMarshall')
|
|
4
|
+
const { marshallCategories } = require('../marshalls/constants')
|
|
5
5
|
|
|
6
6
|
const MARSHALL_NAME = 'readme'
|
|
7
7
|
|