@hashicorp/danger-pkg-differ
Advanced tools
Comparing version 0.0.4 to 0.0.5
| 'use strict'; | ||
| // nothing here | ||
| var danger = require('danger'); | ||
| function _toConsumableArray(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } } | ||
| function _defineProperty(obj, key, value) { if (key in obj) { Object.defineProperty(obj, key, { value: value, enumerable: true, configurable: true, writable: true }); } else { obj[key] = value; } return obj; } | ||
| var Promise = require('bluebird'); | ||
| var semver = require('semver'); | ||
| var octokit = require('@octokit/rest')(); | ||
| var _require = require('child_process'), | ||
| spawn = _require.spawn; | ||
| var path = require('path'); | ||
| var fs = require('fs'); | ||
| octokit.authenticate({ | ||
| type: 'token', | ||
| token: process.env.DANGER_GITHUB_API_TOKEN | ||
| }); | ||
| function getChangedPackages(obj) { | ||
| if (!obj || !obj.before || !obj.after) { | ||
| return []; | ||
| } | ||
| return Object.keys(obj.before).reduce(function (acc, val) { | ||
| var beforeVersion = semver.coerce(obj.before[val]); | ||
| var afterVersion = semver.coerce(obj.after[val]); | ||
| if (!afterVersion || !semver.gt(afterVersion, beforeVersion)) { | ||
| return acc; | ||
| } | ||
| acc.push({ name: val, beforeVersion: beforeVersion, afterVersion: afterVersion }); | ||
| return acc; | ||
| }, []); | ||
| } | ||
| function runDiffer(name, beforeVersion, afterVersion) { | ||
| var packageLockJson = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : ''; | ||
| return new Promise(function (resolve, reject) { | ||
| console.log('Generating diff for "' + name + '" ' + beforeVersion + ' => ' + afterVersion + ' (with lock file "' + (packageLockJson || '(none)') + '")'); | ||
| var child = spawn(path.resolve(__dirname, './differ.sh'), [name, beforeVersion, afterVersion, packageLockJson]); | ||
| var diff = ''; | ||
| child.stdout.on('data', function (data) { | ||
| return diff += data.toString(); | ||
| }); | ||
| child.on('close', function () { | ||
| console.log('... ~' + diff.length + ' bytes'); | ||
| resolve({ name: name, beforeVersion: beforeVersion, afterVersion: afterVersion, diff: diff }); | ||
| }); | ||
| child.on('error', function (err) { | ||
| return reject(err); | ||
| }); | ||
| }); | ||
| } | ||
| function uploadGist(_ref, description) { | ||
| var name = _ref.name, | ||
| beforeVersion = _ref.beforeVersion, | ||
| afterVersion = _ref.afterVersion, | ||
| diff = _ref.diff; | ||
| var filename = name + ' (' + beforeVersion + ' => ' + afterVersion + ').diff'; | ||
| var files = _defineProperty({}, filename, { content: diff }); | ||
| console.log('Creating gist file: ' + filename); | ||
| return octokit.gists.create({ | ||
| files: files, | ||
| description: description | ||
| }).then(function (gist) { | ||
| return { filename: filename, url: gist.data.html_url }; | ||
| }); | ||
| } | ||
| danger.schedule(function () { | ||
| return Promise.resolve().then(function () { | ||
| // when in Travis, only run for PR builds | ||
| if (process.env.hasOwnProperty('TRAVIS_PULL_REQUEST') && process.env.TRAVIS_PULL_REQUEST == 'false') { | ||
| throw new Error('Not a PR, will not run Danger...'); | ||
| } | ||
| // no need to run if there aren't any [nested] changed package.json files | ||
| var changedPackageJsons = danger.danger.git.modified_files.filter(function (file) { | ||
| return path.basename(file) === 'package.json'; | ||
| }); | ||
| if (!changedPackageJsons.length) { | ||
| throw new Error('No package changes, will not run Danger...'); | ||
| } | ||
| // for every changed package.json file, find which actual | ||
| // dependencies were changed | ||
| return Promise.mapSeries(changedPackageJsons, function (packageJson) { | ||
| console.log('========================================='); | ||
| console.log('Processing changes in ' + packageJson); | ||
| var packageLockPath = path.resolve(path.join(path.dirname(packageJson), 'package-lock.json')); | ||
| var packageLockExists = fs.existsSync(packageLockPath); | ||
| if (packageLockExists) { | ||
| console.log('Found package-lock.json file at ' + packageLockPath); | ||
| } | ||
| // find all changed dependencies in any | ||
| // of {dependencies,devDependencies,peerDependencies} | ||
| return danger.danger.git.JSONDiffForFile(packageJson).then(function (packageDiff) { | ||
| return [].concat(_toConsumableArray(getChangedPackages(packageDiff.dependencies)), _toConsumableArray(getChangedPackages(packageDiff.devDependencies)), _toConsumableArray(getChangedPackages(packageDiff.peerDependencies))); | ||
| }).then(function (changedDependecies) { | ||
| // no need to run if there aren't any actual changed dependencies | ||
| if (!changedDependecies.length) { | ||
| throw new Error('No dependency changes, will not run Danger...'); | ||
| } | ||
| // Generate and read .diff files for each changed dependency | ||
| return Promise.map(changedDependecies, function (_ref2) { | ||
| var name = _ref2.name, | ||
| beforeVersion = _ref2.beforeVersion, | ||
| afterVersion = _ref2.afterVersion; | ||
| return runDiffer(name, beforeVersion, afterVersion, packageLockExists ? packageLockPath : ''); | ||
| }); | ||
| }).then(function (diffs) { | ||
| // upload each .diff file as a GitHub | ||
| console.log('Uploading diffs to gist...'); | ||
| var description = 'Package diff files for "' + danger.danger.github.pr.title + ' #' + danger.danger.github.pr.number + '"'; | ||
| return Promise.map(diffs, function (diff) { | ||
| return uploadGist(diff, description); | ||
| }); | ||
| }).catch(function (err) { | ||
| return console.warn('Skipping danger: ' + err); | ||
| }); | ||
| }).then(function (nestedGists) { | ||
| var _ref3; | ||
| // flatten [[gists]] to one-dimesntinal array, and remove | ||
| // non-objects from failed attempts (.catch() blocks) | ||
| var gists = (_ref3 = []).concat.apply(_ref3, _toConsumableArray(nestedGists)).filter(function (x) { | ||
| return x; | ||
| }); | ||
| // report resulting gists in the original PR | ||
| if (gists.length) { | ||
| danger.warn('This PR is updating a dependency. You should carefully read through the attached diff files to make sure no evil code has been injected.'); | ||
| gists.forEach(function (gist) { | ||
| danger.warn('[' + gist.filename + '](' + gist.url + ')'); | ||
| }); | ||
| } | ||
| console.time('Done!'); | ||
| }); | ||
| }).catch(function (err) { | ||
| return console.warn('Skipping danger: ' + err); | ||
| }); | ||
| }); |
162
index.js
@@ -1,1 +0,161 @@ | ||
| // nothing here | ||
| import { schedule, danger, warn } from 'danger' | ||
| const Promise = require('bluebird') | ||
| const semver = require('semver') | ||
| const octokit = require('@octokit/rest')() | ||
| const { spawn } = require('child_process') | ||
| const path = require('path') | ||
| const fs = require('fs') | ||
| octokit.authenticate({ | ||
| type: 'token', | ||
| token: process.env.DANGER_GITHUB_API_TOKEN | ||
| }) | ||
| function getChangedPackages(obj) { | ||
| if (!obj || !obj.before || !obj.after) { | ||
| return [] | ||
| } | ||
| return Object.keys(obj.before).reduce((acc, val) => { | ||
| const beforeVersion = semver.coerce(obj.before[val]) | ||
| const afterVersion = semver.coerce(obj.after[val]) | ||
| if (!afterVersion || !semver.gt(afterVersion, beforeVersion)) { | ||
| return acc | ||
| } | ||
| acc.push({ name: val, beforeVersion, afterVersion }) | ||
| return acc | ||
| }, []) | ||
| } | ||
| function runDiffer(name, beforeVersion, afterVersion, packageLockJson = '') { | ||
| return new Promise((resolve, reject) => { | ||
| console.log( | ||
| `Generating diff for "${name}" ${beforeVersion} => ${afterVersion} (with lock file "${packageLockJson || | ||
| '(none)'}")` | ||
| ) | ||
| const child = spawn(path.resolve(__dirname, `./differ.sh`), [ | ||
| name, | ||
| beforeVersion, | ||
| afterVersion, | ||
| packageLockJson | ||
| ]) | ||
| let diff = '' | ||
| child.stdout.on('data', data => (diff += data.toString())) | ||
| child.on('close', () => { | ||
| console.log(`... ~${diff.length} bytes`) | ||
| resolve({ name, beforeVersion, afterVersion, diff }) | ||
| }) | ||
| child.on('error', err => reject(err)) | ||
| }) | ||
| } | ||
| function uploadGist({ name, beforeVersion, afterVersion, diff }, description) { | ||
| const filename = `${name} (${beforeVersion} => ${afterVersion}).diff` | ||
| const files = { [filename]: { content: diff } } | ||
| console.log(`Creating gist file: ${filename}`) | ||
| return octokit.gists | ||
| .create({ | ||
| files, | ||
| description | ||
| }) | ||
| .then(gist => ({ filename, url: gist.data.html_url })) | ||
| } | ||
| schedule(() => | ||
| Promise.resolve() | ||
| .then(() => { | ||
| // when in Travis, only run for PR builds | ||
| if ( | ||
| process.env.hasOwnProperty('TRAVIS_PULL_REQUEST') && | ||
| process.env.TRAVIS_PULL_REQUEST == 'false' | ||
| ) { | ||
| throw new Error(`Not a PR, will not run Danger...`) | ||
| } | ||
| // no need to run if there aren't any [nested] changed package.json files | ||
| const changedPackageJsons = danger.git.modified_files.filter( | ||
| file => path.basename(file) === 'package.json' | ||
| ) | ||
| if (!changedPackageJsons.length) { | ||
| throw new Error(`No package changes, will not run Danger...`) | ||
| } | ||
| // for every changed package.json file, find which actual | ||
| // dependencies were changed | ||
| return Promise.mapSeries(changedPackageJsons, packageJson => { | ||
| console.log(`=========================================`) | ||
| console.log(`Processing changes in ${packageJson}`) | ||
| const packageLockPath = path.resolve( | ||
| path.join(path.dirname(packageJson), 'package-lock.json') | ||
| ) | ||
| const packageLockExists = fs.existsSync(packageLockPath) | ||
| if (packageLockExists) { | ||
| console.log(`Found package-lock.json file at ${packageLockPath}`) | ||
| } | ||
| // find all changed dependencies in any | ||
| // of {dependencies,devDependencies,peerDependencies} | ||
| return danger.git | ||
| .JSONDiffForFile(packageJson) | ||
| .then(packageDiff => { | ||
| return [ | ||
| // include changes in "dependencies" | ||
| ...getChangedPackages(packageDiff.dependencies), | ||
| // include changes in "devDependencies" | ||
| ...getChangedPackages(packageDiff.devDependencies), | ||
| // include changes in "peerDependencies" | ||
| ...getChangedPackages(packageDiff.peerDependencies) | ||
| ] | ||
| }) | ||
| .then(changedDependecies => { | ||
| // no need to run if there aren't any actual changed dependencies | ||
| if (!changedDependecies.length) { | ||
| throw new Error(`No dependency changes, will not run Danger...`) | ||
| } | ||
| // Generate and read .diff files for each changed dependency | ||
| return Promise.map( | ||
| changedDependecies, | ||
| ({ name, beforeVersion, afterVersion }) => | ||
| runDiffer( | ||
| name, | ||
| beforeVersion, | ||
| afterVersion, | ||
| packageLockExists ? packageLockPath : '' | ||
| ) | ||
| ) | ||
| }) | ||
| .then(diffs => { | ||
| // upload each .diff file as a GitHub | ||
| console.log(`Uploading diffs to gist...`) | ||
| const description = `Package diff files for "${ | ||
| danger.github.pr.title | ||
| } #${danger.github.pr.number}"` | ||
| return Promise.map(diffs, diff => uploadGist(diff, description)) | ||
| }) | ||
| .catch(err => console.warn(`Skipping danger: ${err}`)) | ||
| }).then(nestedGists => { | ||
| // flatten [[gists]] to one-dimesntinal array, and remove | ||
| // non-objects from failed attempts (.catch() blocks) | ||
| const gists = [].concat(...nestedGists).filter(x => x) | ||
| // report resulting gists in the original PR | ||
| if (gists.length) { | ||
| warn( | ||
| `This PR is updating a dependency. You should carefully read through the attached diff files to make sure no evil code has been injected.` | ||
| ) | ||
| gists.forEach(gist => { | ||
| warn(`[${gist.filename}](${gist.url})`) | ||
| }) | ||
| } | ||
| console.time('Done!') | ||
| }) | ||
| }) | ||
| .catch(err => console.warn(`Skipping danger: ${err}`)) | ||
| ) |
| { | ||
| "name": "@hashicorp/danger-pkg-differ", | ||
| "description": "a dangerfile that adds diff files for updated node modules", | ||
| "version": "0.0.4", | ||
| "version": "0.0.5", | ||
| "author": "Hashicorp - Michael Schonfeld", | ||
@@ -9,3 +9,3 @@ "dependencies": { | ||
| "bluebird": "^3.5.3", | ||
| "danger": "^6.1.12", | ||
| "danger": "^7.0.0", | ||
| "semver": "^5.6.0" | ||
@@ -20,3 +20,3 @@ }, | ||
| }, | ||
| "gitHead": "51e320b072e9023b451ebe52aadf383b577aca6b" | ||
| "gitHead": "78236aa1b7f3adda5e4e3dd1d1ba8f084e1c24dc" | ||
| } |
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by74.9%
14417
- Lines of code
- increased by87.07%
275
Worsened metrics
- Number of package files
- decreased by-16.67%
5
- Number of low supply chain risk alerts
- increased by80%
9
- Number of medium supply chain risk alerts
- increased by200%
3
Dependency changes
+ Addedarr-diff@4.0.0(transitive)
+ Addedarr-flatten@1.1.0(transitive)
+ Addedarr-union@3.1.0(transitive)
+ Addedarray-unique@0.3.2(transitive)
+ Addedassign-symbols@1.0.0(transitive)
+ Addedatob@2.1.2(transitive)
+ Addedbase@0.11.2(transitive)
+ Addedbraces@2.3.2(transitive)
+ Addedcache-base@1.0.1(transitive)
+ Addedclass-utils@0.3.6(transitive)
+ Addedcollection-visit@1.0.0(transitive)
+ Addedcomponent-emitter@1.3.1(transitive)
+ Addedcopy-descriptor@0.1.1(transitive)
+ Addeddanger@7.1.4(transitive)
+ Addeddebug@2.6.94.3.5(transitive)
+ Addeddecode-uri-component@0.2.2(transitive)
+ Addeddefine-property@0.2.51.0.02.0.2(transitive)
+ Addedexpand-brackets@2.1.4(transitive)
+ Addedextend-shallow@3.0.2(transitive)
+ Addedextglob@2.0.4(transitive)
+ Addedfill-range@4.0.0(transitive)
+ Addedfor-in@1.0.2(transitive)
+ Addedfragment-cache@0.2.1(transitive)
+ Addedfunction-bind@1.1.2(transitive)
+ Addedget-value@2.0.6(transitive)
+ Addedhas-value@0.3.11.0.0(transitive)
+ Addedhas-values@0.1.41.0.0(transitive)
+ Addedhasown@2.0.2(transitive)
+ Addedis-accessor-descriptor@1.0.1(transitive)
+ Addedis-buffer@1.1.6(transitive)
+ Addedis-data-descriptor@1.0.1(transitive)
+ Addedis-descriptor@0.1.71.0.3(transitive)
+ Addedis-extendable@1.0.1(transitive)
+ Addedis-number@3.0.0(transitive)
+ Addedis-plain-object@2.0.4(transitive)
+ Addedis-windows@1.0.2(transitive)
+ Addedisarray@1.0.0(transitive)
+ Addedisobject@2.1.03.0.1(transitive)
+ Addedkind-of@3.2.24.0.06.0.3(transitive)
+ Addedlodash.mapvalues@4.6.0(transitive)
+ Addedlodash.memoize@4.1.2(transitive)
+ Addedmap-cache@0.2.2(transitive)
+ Addedmap-visit@1.0.0(transitive)
+ Addedmicromatch@3.1.10(transitive)
+ Addedmixin-deep@1.3.2(transitive)
+ Addedms@2.1.2(transitive)
+ Addednanomatch@1.2.13(transitive)
+ Addedobject-copy@0.1.0(transitive)
+ Addedobject-visit@1.0.1(transitive)
+ Addedobject.pick@1.3.0(transitive)
+ Addedpascalcase@0.1.1(transitive)
+ Addedposix-character-classes@0.1.1(transitive)
+ Addedregex-not@1.0.2(transitive)
+ Addedrepeat-element@1.1.4(transitive)
+ Addedrepeat-string@1.6.1(transitive)
+ Addedresolve-url@0.2.1(transitive)
+ Addedret@0.1.15(transitive)
+ Addedsafe-regex@1.1.0(transitive)
+ Addedset-value@2.0.1(transitive)
+ Addedsnapdragon@0.8.2(transitive)
+ Addedsnapdragon-node@2.1.1(transitive)
+ Addedsnapdragon-util@3.0.1(transitive)
+ Addedsource-map@0.5.7(transitive)
+ Addedsource-map-resolve@0.5.3(transitive)
+ Addedsource-map-url@0.4.1(transitive)
+ Addedsplit-string@3.1.0(transitive)
+ Addedstatic-extend@0.1.2(transitive)
+ Addedto-object-path@0.3.0(transitive)
+ Addedto-regex@3.0.2(transitive)
+ Addedto-regex-range@2.1.1(transitive)
+ Addedunion-value@1.0.1(transitive)
+ Addedunset-value@1.0.0(transitive)
+ Addedurix@0.1.0(transitive)
+ Addeduse@3.1.1(transitive)
- Removed@octokit/rest@15.18.3(transitive)
- Removedacorn@8.11.3(transitive)
- Removedacorn-walk@8.3.2(transitive)
- Removedbefore-after-hook@1.4.0(transitive)
- Removeddanger@6.1.13(transitive)
- Removedlodash@4.17.21(transitive)
- Removedms@2.1.3(transitive)
- Removeduniversal-user-agent@2.1.0(transitive)
- Removedurl-template@2.0.8(transitive)
- Removedvm2@3.9.19(transitive)
Updateddanger@^7.0.0