npq 3.4.8 → 3.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -15
- package/lib/marshalls/age.marshall.js +42 -14
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -28,7 +28,6 @@ Media coverage about npq:
|
|
|
28
28
|
- JavaScript January advent calendar's post on [Open Source From Heaven, Modules From Hell](https://www.lirantal.com/blog/2019-01-26)
|
|
29
29
|
- Liran Tal's [Malicious Modules — what you need to know when installing npm packages](https://www.lirantal.com/blog/malicious-modules-what-you-need-to-know-when-installing-npm-packages-12b2f56d3685)
|
|
30
30
|
|
|
31
|
-
|
|
32
31
|
## About
|
|
33
32
|
|
|
34
33
|
Once npq is installed, you can safely* install packages:
|
|
@@ -118,20 +117,6 @@ MARSHALL_DISABLE_SNYK=1 npq install express
|
|
|
118
117
|
npq install express --dry-run
|
|
119
118
|
```
|
|
120
119
|
|
|
121
|
-
### Using with TravisCI
|
|
122
|
-
|
|
123
|
-
An example of using lockfile-lint with a `.travis.yml` configuration as part of your build:
|
|
124
|
-
|
|
125
|
-
```
|
|
126
|
-
language: node_js
|
|
127
|
-
before_script:
|
|
128
|
-
- npx lockfile-lint --path package-lock.json --validate-https --allowed-hosts npm
|
|
129
|
-
install:
|
|
130
|
-
- yarn install
|
|
131
|
-
script:
|
|
132
|
-
- yarn run test
|
|
133
|
-
```
|
|
134
|
-
|
|
135
120
|
## FAQ
|
|
136
121
|
1. **Can I use NPQ without having npm or yarn?**
|
|
137
122
|
* NPQ will audit a package for possible security issues, but it isn't a replacement for npm or yarn. When you choose to continue installing the package, it will offload the installation process to your choice of either npm or yarn.
|
|
@@ -5,6 +5,7 @@ const { marshallCategories } = require('./constants')
|
|
|
5
5
|
|
|
6
6
|
const MARSHALL_NAME = 'age'
|
|
7
7
|
const PACKAGE_AGE_THRESHOLD = 22 // specified in days
|
|
8
|
+
const PACKAGE_AGE_UNMAINTAINED_RISK = 365 // specified in days
|
|
8
9
|
|
|
9
10
|
class Marshall extends BaseMarshall {
|
|
10
11
|
constructor(options) {
|
|
@@ -18,22 +19,49 @@ class Marshall extends BaseMarshall {
|
|
|
18
19
|
}
|
|
19
20
|
|
|
20
21
|
validate(pkg) {
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
if (
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
)
|
|
22
|
+
let packageData = null
|
|
23
|
+
let ageDateDiff = null
|
|
24
|
+
return this.packageRepoUtils
|
|
25
|
+
.getPackageInfo(pkg.packageName)
|
|
26
|
+
.then((data) => {
|
|
27
|
+
if (data && data.time && data.time.created) {
|
|
28
|
+
packageData = data
|
|
29
|
+
const pkgCreatedDate = data.time.created
|
|
30
|
+
const dateDiff = Date.now() - Date.parse(pkgCreatedDate)
|
|
31
|
+
|
|
32
|
+
ageDateDiff = dateDiff
|
|
33
|
+
if (dateDiff < PACKAGE_AGE_THRESHOLD) {
|
|
34
|
+
throw new Error(
|
|
35
|
+
`detected a newly published package (created < ${PACKAGE_AGE_THRESHOLD} days) act carefully`
|
|
36
|
+
)
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
return pkg
|
|
40
|
+
} else {
|
|
41
|
+
throw new Error('could not determine package age')
|
|
30
42
|
}
|
|
43
|
+
})
|
|
44
|
+
.then((pkg) => {
|
|
45
|
+
return this.packageRepoUtils.getSemVer(pkg.packageName, pkg.packageVersion)
|
|
46
|
+
})
|
|
47
|
+
.then((versionResolved) => {
|
|
48
|
+
const versionReleaseDate = packageData.time[versionResolved]
|
|
49
|
+
const versionDateDiff = new Date() - new Date(versionReleaseDate)
|
|
50
|
+
|
|
51
|
+
const versionDateDiffInDays = Math.round(versionDateDiff / (1000 * 60 * 60 * 24))
|
|
52
|
+
|
|
53
|
+
let timeAgoText = 'days'
|
|
54
|
+
let timeAgoNumber = versionDateDiffInDays
|
|
31
55
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
56
|
+
if (versionDateDiffInDays >= 365) {
|
|
57
|
+
timeAgoText = 'years'
|
|
58
|
+
timeAgoNumber = Math.floor(versionDateDiffInDays / 365)
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
if (versionDateDiffInDays >= PACKAGE_AGE_UNMAINTAINED_RISK) {
|
|
62
|
+
throw new Error(`detected an old package (created ${timeAgoNumber} ${timeAgoText} ago)`)
|
|
63
|
+
}
|
|
64
|
+
})
|
|
37
65
|
}
|
|
38
66
|
}
|
|
39
67
|
|