npq 3.5.3 → 3.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -108,6 +108,24 @@ Example, to disable the Snyk vulnerability marshall:
108
108
  MARSHALL_DISABLE_SNYK=1 npq install express
109
109
  ```
110
110
 
111
+ #### Available Marshall Environment Variables
112
+
113
+ Here are all the available environment variable names for disabling specific marshalls:
114
+
115
+ | Marshall Name | Environment Variable | Description |
116
+ | --- | --- | --- |
117
+ | age | `MARSHALL_DISABLE_AGE` | Disable package age checks |
118
+ | author | `MARSHALL_DISABLE_AUTHOR` | Disable package author verification |
119
+ | downloads | `MARSHALL_DISABLE_DOWNLOADS` | Disable download count checks |
120
+ | expired domains | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |
121
+ | license | `MARSHALL_DISABLE_LICENSE` | Disable license availability checks |
122
+ | provenance | `MARSHALL_DISABLE_PROVENANCE` | Disable package provenance verification |
123
+ | repo | `MARSHALL_DISABLE_REPO` | Disable repository URL validation |
124
+ | scripts | `MARSHALL_DISABLE_SCRIPTS` | Disable pre/post install script checks |
125
+ | signatures | `MARSHALL_DISABLE_SIGNATURES` | Disable registry signature verification |
126
+ | snyk | `MARSHALL_DISABLE_SNYK` | Disable Snyk vulnerability checks |
127
+ | typosquatting | `MARSHALL_DISABLE_TYPOSQUATTING` | Disable typosquatting detection |
128
+
111
129
  ### Run checks on package without installing it:
112
130
 
113
131
  ```sh
@@ -0,0 +1,67 @@
1
+ const TyposquattingMarshall = require('../lib/marshalls/typosquatting.marshall')
2
+
3
+ describe('Typosquatting Marshall', () => {
4
+ test('should remove duplicate entries from similar packages', async () => {
5
+ const typosquattingMarshall = new TyposquattingMarshall({
6
+ packageRepoUtils: null
7
+ })
8
+
9
+ // Mock the top packages data to include duplicates
10
+ const originalTopPackages = require('../data/top-packages.json')
11
+
12
+ // Create a test package that would match multiple similar packages
13
+ const pkg = {
14
+ packageName: 'ghtml' // This should match 'html' which appears multiple times in the data
15
+ }
16
+
17
+ try {
18
+ await typosquattingMarshall.validate(pkg)
19
+ // If no error is thrown, the test should fail
20
+ expect(true).toBe(false)
21
+ } catch (error) {
22
+ // Check that the error message doesn't contain duplicate entries
23
+ const errorMessage = error.message
24
+ expect(errorMessage).toContain('Package name could be a typosquatting attempt for popular package(s):')
25
+
26
+ // Extract the package names from the error message
27
+ const packagesList = errorMessage.split('popular package(s): ')[1]
28
+ const packages = packagesList.split(', ')
29
+
30
+ // Check that there are no duplicates
31
+ const uniquePackages = [...new Set(packages)]
32
+ expect(packages.length).toBe(uniquePackages.length)
33
+
34
+ // Verify that 'html' appears only once even though it exists multiple times in the data
35
+ const htmlCount = packages.filter(pkg => pkg === 'html').length
36
+ expect(htmlCount).toBe(1)
37
+ }
38
+ })
39
+
40
+ test('should not report typosquatting for packages in top packages list', async () => {
41
+ const typosquattingMarshall = new TyposquattingMarshall({
42
+ packageRepoUtils: null
43
+ })
44
+
45
+ // Test with a package that exists in the top packages list
46
+ const pkg = {
47
+ packageName: 'express' // This should be in the top packages list
48
+ }
49
+
50
+ const result = await typosquattingMarshall.validate(pkg)
51
+ expect(result).toEqual([])
52
+ })
53
+
54
+ test('should not report typosquatting for packages with no similar matches', async () => {
55
+ const typosquattingMarshall = new TyposquattingMarshall({
56
+ packageRepoUtils: null
57
+ })
58
+
59
+ // Test with a package that has no similar matches
60
+ const pkg = {
61
+ packageName: 'verylonganduniquenamethatdoesnotmatchanything'
62
+ }
63
+
64
+ const result = await typosquattingMarshall.validate(pkg)
65
+ expect(result).toEqual([])
66
+ })
67
+ })
@@ -41,9 +41,11 @@ class Marshall extends BaseMarshall {
41
41
  }
42
42
 
43
43
  if (similarPackages.length > 0) {
44
+ // Remove duplicates from similarPackages array
45
+ const uniqueSimilarPackages = [...new Set(similarPackages)]
44
46
  return reject(
45
47
  new Error(
46
- `Package name could be a typosquatting attempt for popular package(s): ${similarPackages.join(
48
+ `Package name could be a typosquatting attempt for popular package(s): ${uniqueSimilarPackages.join(
47
49
  ', '
48
50
  )}`
49
51
  )
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.5.3",
3
+ "version": "3.5.5",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",