npq 3.5.3 → 3.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -108,6 +108,24 @@ Example, to disable the Snyk vulnerability marshall:
|
|
|
108
108
|
MARSHALL_DISABLE_SNYK=1 npq install express
|
|
109
109
|
```
|
|
110
110
|
|
|
111
|
+
#### Available Marshall Environment Variables
|
|
112
|
+
|
|
113
|
+
Here are all the available environment variable names for disabling specific marshalls:
|
|
114
|
+
|
|
115
|
+
| Marshall Name | Environment Variable | Description |
|
|
116
|
+
| --- | --- | --- |
|
|
117
|
+
| age | `MARSHALL_DISABLE_AGE` | Disable package age checks |
|
|
118
|
+
| author | `MARSHALL_DISABLE_AUTHOR` | Disable package author verification |
|
|
119
|
+
| downloads | `MARSHALL_DISABLE_DOWNLOADS` | Disable download count checks |
|
|
120
|
+
| expired domains | `MARSHALL_DISABLE_MAINTAINERS_EXPIRED_EMAILS` | Disable expired domain checks for maintainer emails |
|
|
121
|
+
| license | `MARSHALL_DISABLE_LICENSE` | Disable license availability checks |
|
|
122
|
+
| provenance | `MARSHALL_DISABLE_PROVENANCE` | Disable package provenance verification |
|
|
123
|
+
| repo | `MARSHALL_DISABLE_REPO` | Disable repository URL validation |
|
|
124
|
+
| scripts | `MARSHALL_DISABLE_SCRIPTS` | Disable pre/post install script checks |
|
|
125
|
+
| signatures | `MARSHALL_DISABLE_SIGNATURES` | Disable registry signature verification |
|
|
126
|
+
| snyk | `MARSHALL_DISABLE_SNYK` | Disable Snyk vulnerability checks |
|
|
127
|
+
| typosquatting | `MARSHALL_DISABLE_TYPOSQUATTING` | Disable typosquatting detection |
|
|
128
|
+
|
|
111
129
|
### Run checks on package without installing it:
|
|
112
130
|
|
|
113
131
|
```sh
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
const TyposquattingMarshall = require('../lib/marshalls/typosquatting.marshall')
|
|
2
|
+
|
|
3
|
+
describe('Typosquatting Marshall', () => {
|
|
4
|
+
test('should remove duplicate entries from similar packages', async () => {
|
|
5
|
+
const typosquattingMarshall = new TyposquattingMarshall({
|
|
6
|
+
packageRepoUtils: null
|
|
7
|
+
})
|
|
8
|
+
|
|
9
|
+
// Mock the top packages data to include duplicates
|
|
10
|
+
const originalTopPackages = require('../data/top-packages.json')
|
|
11
|
+
|
|
12
|
+
// Create a test package that would match multiple similar packages
|
|
13
|
+
const pkg = {
|
|
14
|
+
packageName: 'ghtml' // This should match 'html' which appears multiple times in the data
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
try {
|
|
18
|
+
await typosquattingMarshall.validate(pkg)
|
|
19
|
+
// If no error is thrown, the test should fail
|
|
20
|
+
expect(true).toBe(false)
|
|
21
|
+
} catch (error) {
|
|
22
|
+
// Check that the error message doesn't contain duplicate entries
|
|
23
|
+
const errorMessage = error.message
|
|
24
|
+
expect(errorMessage).toContain('Package name could be a typosquatting attempt for popular package(s):')
|
|
25
|
+
|
|
26
|
+
// Extract the package names from the error message
|
|
27
|
+
const packagesList = errorMessage.split('popular package(s): ')[1]
|
|
28
|
+
const packages = packagesList.split(', ')
|
|
29
|
+
|
|
30
|
+
// Check that there are no duplicates
|
|
31
|
+
const uniquePackages = [...new Set(packages)]
|
|
32
|
+
expect(packages.length).toBe(uniquePackages.length)
|
|
33
|
+
|
|
34
|
+
// Verify that 'html' appears only once even though it exists multiple times in the data
|
|
35
|
+
const htmlCount = packages.filter(pkg => pkg === 'html').length
|
|
36
|
+
expect(htmlCount).toBe(1)
|
|
37
|
+
}
|
|
38
|
+
})
|
|
39
|
+
|
|
40
|
+
test('should not report typosquatting for packages in top packages list', async () => {
|
|
41
|
+
const typosquattingMarshall = new TyposquattingMarshall({
|
|
42
|
+
packageRepoUtils: null
|
|
43
|
+
})
|
|
44
|
+
|
|
45
|
+
// Test with a package that exists in the top packages list
|
|
46
|
+
const pkg = {
|
|
47
|
+
packageName: 'express' // This should be in the top packages list
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
const result = await typosquattingMarshall.validate(pkg)
|
|
51
|
+
expect(result).toEqual([])
|
|
52
|
+
})
|
|
53
|
+
|
|
54
|
+
test('should not report typosquatting for packages with no similar matches', async () => {
|
|
55
|
+
const typosquattingMarshall = new TyposquattingMarshall({
|
|
56
|
+
packageRepoUtils: null
|
|
57
|
+
})
|
|
58
|
+
|
|
59
|
+
// Test with a package that has no similar matches
|
|
60
|
+
const pkg = {
|
|
61
|
+
packageName: 'verylonganduniquenamethatdoesnotmatchanything'
|
|
62
|
+
}
|
|
63
|
+
|
|
64
|
+
const result = await typosquattingMarshall.validate(pkg)
|
|
65
|
+
expect(result).toEqual([])
|
|
66
|
+
})
|
|
67
|
+
})
|
|
@@ -41,9 +41,11 @@ class Marshall extends BaseMarshall {
|
|
|
41
41
|
}
|
|
42
42
|
|
|
43
43
|
if (similarPackages.length > 0) {
|
|
44
|
+
// Remove duplicates from similarPackages array
|
|
45
|
+
const uniqueSimilarPackages = [...new Set(similarPackages)]
|
|
44
46
|
return reject(
|
|
45
47
|
new Error(
|
|
46
|
-
`Package name could be a typosquatting attempt for popular package(s): ${
|
|
48
|
+
`Package name could be a typosquatting attempt for popular package(s): ${uniqueSimilarPackages.join(
|
|
47
49
|
', '
|
|
48
50
|
)}`
|
|
49
51
|
)
|