@hashicorp/danger-pkg-differ
Comparing version 0.0.4 to 0.0.5
'use strict'; | ||
// nothing here | ||
var danger = require('danger'); | ||
function _toConsumableArray(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } } | ||
function _defineProperty(obj, key, value) { if (key in obj) { Object.defineProperty(obj, key, { value: value, enumerable: true, configurable: true, writable: true }); } else { obj[key] = value; } return obj; } | ||
var Promise = require('bluebird'); | ||
var semver = require('semver'); | ||
var octokit = require('@octokit/rest')(); | ||
var _require = require('child_process'), | ||
spawn = _require.spawn; | ||
var path = require('path'); | ||
var fs = require('fs'); | ||
octokit.authenticate({ | ||
type: 'token', | ||
token: process.env.DANGER_GITHUB_API_TOKEN | ||
}); | ||
function getChangedPackages(obj) { | ||
if (!obj || !obj.before || !obj.after) { | ||
return []; | ||
} | ||
return Object.keys(obj.before).reduce(function (acc, val) { | ||
var beforeVersion = semver.coerce(obj.before[val]); | ||
var afterVersion = semver.coerce(obj.after[val]); | ||
if (!afterVersion || !semver.gt(afterVersion, beforeVersion)) { | ||
return acc; | ||
} | ||
acc.push({ name: val, beforeVersion: beforeVersion, afterVersion: afterVersion }); | ||
return acc; | ||
}, []); | ||
} | ||
function runDiffer(name, beforeVersion, afterVersion) { | ||
var packageLockJson = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : ''; | ||
return new Promise(function (resolve, reject) { | ||
console.log('Generating diff for "' + name + '" ' + beforeVersion + ' => ' + afterVersion + ' (with lock file "' + (packageLockJson || '(none)') + '")'); | ||
var child = spawn(path.resolve(__dirname, './differ.sh'), [name, beforeVersion, afterVersion, packageLockJson]); | ||
var diff = ''; | ||
child.stdout.on('data', function (data) { | ||
return diff += data.toString(); | ||
}); | ||
child.on('close', function () { | ||
console.log('... ~' + diff.length + ' bytes'); | ||
resolve({ name: name, beforeVersion: beforeVersion, afterVersion: afterVersion, diff: diff }); | ||
}); | ||
child.on('error', function (err) { | ||
return reject(err); | ||
}); | ||
}); | ||
} | ||
function uploadGist(_ref, description) { | ||
var name = _ref.name, | ||
beforeVersion = _ref.beforeVersion, | ||
afterVersion = _ref.afterVersion, | ||
diff = _ref.diff; | ||
var filename = name + ' (' + beforeVersion + ' => ' + afterVersion + ').diff'; | ||
var files = _defineProperty({}, filename, { content: diff }); | ||
console.log('Creating gist file: ' + filename); | ||
return octokit.gists.create({ | ||
files: files, | ||
description: description | ||
}).then(function (gist) { | ||
return { filename: filename, url: gist.data.html_url }; | ||
}); | ||
} | ||
danger.schedule(function () { | ||
return Promise.resolve().then(function () { | ||
// when in Travis, only run for PR builds | ||
if (process.env.hasOwnProperty('TRAVIS_PULL_REQUEST') && process.env.TRAVIS_PULL_REQUEST == 'false') { | ||
throw new Error('Not a PR, will not run Danger...'); | ||
} | ||
// no need to run if there aren't any [nested] changed package.json files | ||
var changedPackageJsons = danger.danger.git.modified_files.filter(function (file) { | ||
return path.basename(file) === 'package.json'; | ||
}); | ||
if (!changedPackageJsons.length) { | ||
throw new Error('No package changes, will not run Danger...'); | ||
} | ||
// for every changed package.json file, find which actual | ||
// dependencies were changed | ||
return Promise.mapSeries(changedPackageJsons, function (packageJson) { | ||
console.log('========================================='); | ||
console.log('Processing changes in ' + packageJson); | ||
var packageLockPath = path.resolve(path.join(path.dirname(packageJson), 'package-lock.json')); | ||
var packageLockExists = fs.existsSync(packageLockPath); | ||
if (packageLockExists) { | ||
console.log('Found package-lock.json file at ' + packageLockPath); | ||
} | ||
// find all changed dependencies in any | ||
// of {dependencies,devDependencies,peerDependencies} | ||
return danger.danger.git.JSONDiffForFile(packageJson).then(function (packageDiff) { | ||
return [].concat(_toConsumableArray(getChangedPackages(packageDiff.dependencies)), _toConsumableArray(getChangedPackages(packageDiff.devDependencies)), _toConsumableArray(getChangedPackages(packageDiff.peerDependencies))); | ||
}).then(function (changedDependecies) { | ||
// no need to run if there aren't any actual changed dependencies | ||
if (!changedDependecies.length) { | ||
throw new Error('No dependency changes, will not run Danger...'); | ||
} | ||
// Generate and read .diff files for each changed dependency | ||
return Promise.map(changedDependecies, function (_ref2) { | ||
var name = _ref2.name, | ||
beforeVersion = _ref2.beforeVersion, | ||
afterVersion = _ref2.afterVersion; | ||
return runDiffer(name, beforeVersion, afterVersion, packageLockExists ? packageLockPath : ''); | ||
}); | ||
}).then(function (diffs) { | ||
// upload each .diff file as a GitHub | ||
console.log('Uploading diffs to gist...'); | ||
var description = 'Package diff files for "' + danger.danger.github.pr.title + ' #' + danger.danger.github.pr.number + '"'; | ||
return Promise.map(diffs, function (diff) { | ||
return uploadGist(diff, description); | ||
}); | ||
}).catch(function (err) { | ||
return console.warn('Skipping danger: ' + err); | ||
}); | ||
}).then(function (nestedGists) { | ||
var _ref3; | ||
// flatten [[gists]] to one-dimesntinal array, and remove | ||
// non-objects from failed attempts (.catch() blocks) | ||
var gists = (_ref3 = []).concat.apply(_ref3, _toConsumableArray(nestedGists)).filter(function (x) { | ||
return x; | ||
}); | ||
// report resulting gists in the original PR | ||
if (gists.length) { | ||
danger.warn('This PR is updating a dependency. You should carefully read through the attached diff files to make sure no evil code has been injected.'); | ||
gists.forEach(function (gist) { | ||
danger.warn('[' + gist.filename + '](' + gist.url + ')'); | ||
}); | ||
} | ||
console.time('Done!'); | ||
}); | ||
}).catch(function (err) { | ||
return console.warn('Skipping danger: ' + err); | ||
}); | ||
}); |
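Review bot: The `close` handler on the spawned child resolves with whatever accumulated on stdout regardless of differ.sh's exit status, and stderr is never read, so a failed or partial diff run is still uploaded and then announced to reviewers as a diff file to read through; the handler should take the exit code, `child.on('close', function (code) {`, and reject before resolving, `if (code !== 0) { return reject(new Error('differ.sh exited with code ' + code)); }`. The same handler shape is in index.js further down this page (`child.on('close', () => {`). Separately, both `.catch` blocks (the per-package one and the outer one) downgrade every error to `console.warn('Skipping danger: ' + err)`, including failures of runDiffer or `gists.create` for a package whose dependencies did change, so the PR receives no annotation at all when the check could not run; only the deliberate "No dependency changes" / "Not a PR" paths should stay quiet, and any other error should still surface through `danger.warn` (or `danger.fail`) naming the package.json it skipped. The names and versions forwarded to differ.sh originate in the PR's own package.json; spawn with an argument array avoids shell interpretation here, but differ.sh itself is not visible and has to treat those arguments as untrusted.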
162
index.js
@@ -1,1 +0,161 @@ | ||
// nothing here | ||
import { schedule, danger, warn } from 'danger' | ||
const Promise = require('bluebird') | ||
const semver = require('semver') | ||
const octokit = require('@octokit/rest')() | ||
const { spawn } = require('child_process') | ||
const path = require('path') | ||
const fs = require('fs') | ||
octokit.authenticate({ | ||
type: 'token', | ||
token: process.env.DANGER_GITHUB_API_TOKEN | ||
}) | ||
function getChangedPackages(obj) { | ||
if (!obj || !obj.before || !obj.after) { | ||
return [] | ||
} | ||
return Object.keys(obj.before).reduce((acc, val) => { | ||
const beforeVersion = semver.coerce(obj.before[val]) | ||
const afterVersion = semver.coerce(obj.after[val]) | ||
if (!afterVersion || !semver.gt(afterVersion, beforeVersion)) { | ||
return acc | ||
} | ||
acc.push({ name: val, beforeVersion, afterVersion }) | ||
return acc | ||
}, []) | ||
} | ||
function runDiffer(name, beforeVersion, afterVersion, packageLockJson = '') { | ||
return new Promise((resolve, reject) => { | ||
console.log( | ||
`Generating diff for "${name}" ${beforeVersion} => ${afterVersion} (with lock file "${packageLockJson || | ||
'(none)'}")` | ||
) | ||
const child = spawn(path.resolve(__dirname, `./differ.sh`), [ | ||
name, | ||
beforeVersion, | ||
afterVersion, | ||
packageLockJson | ||
]) | ||
let diff = '' | ||
child.stdout.on('data', data => (diff += data.toString())) | ||
child.on('close', () => { | ||
console.log(`... ~${diff.length} bytes`) | ||
resolve({ name, beforeVersion, afterVersion, diff }) | ||
}) | ||
child.on('error', err => reject(err)) | ||
}) | ||
} | ||
function uploadGist({ name, beforeVersion, afterVersion, diff }, description) { | ||
const filename = `${name} (${beforeVersion} => ${afterVersion}).diff` | ||
const files = { [filename]: { content: diff } } | ||
console.log(`Creating gist file: $(unknown)`) | ||
return octokit.gists | ||
.create({ | ||
files, | ||
description | ||
}) | ||
.then(gist => ({ filename, url: gist.data.html_url })) | ||
} | ||
schedule(() => | ||
Promise.resolve() | ||
.then(() => { | ||
// when in Travis, only run for PR builds | ||
if ( | ||
process.env.hasOwnProperty('TRAVIS_PULL_REQUEST') && | ||
process.env.TRAVIS_PULL_REQUEST == 'false' | ||
) { | ||
throw new Error(`Not a PR, will not run Danger...`) | ||
} | ||
// no need to run if there aren't any [nested] changed package.json files | ||
const changedPackageJsons = danger.git.modified_files.filter( | ||
file => path.basename(file) === 'package.json' | ||
) | ||
if (!changedPackageJsons.length) { | ||
throw new Error(`No package changes, will not run Danger...`) | ||
} | ||
// for every changed package.json file, find which actual | ||
// dependencies were changed | ||
return Promise.mapSeries(changedPackageJsons, packageJson => { | ||
console.log(`=========================================`) | ||
console.log(`Processing changes in ${packageJson}`) | ||
const packageLockPath = path.resolve( | ||
path.join(path.dirname(packageJson), 'package-lock.json') | ||
) | ||
const packageLockExists = fs.existsSync(packageLockPath) | ||
if (packageLockExists) { | ||
console.log(`Found package-lock.json file at ${packageLockPath}`) | ||
} | ||
// find all changed dependencies in any | ||
// of {dependencies,devDependencies,peerDependencies} | ||
return danger.git | ||
.JSONDiffForFile(packageJson) | ||
.then(packageDiff => { | ||
return [ | ||
// include changes in "dependencies" | ||
...getChangedPackages(packageDiff.dependencies), | ||
// include changes in "devDependencies" | ||
...getChangedPackages(packageDiff.devDependencies), | ||
// include changes in "peerDependencies" | ||
...getChangedPackages(packageDiff.peerDependencies) | ||
] | ||
}) | ||
.then(changedDependecies => { | ||
// no need to run if there aren't any actual changed dependencies | ||
if (!changedDependecies.length) { | ||
throw new Error(`No dependency changes, will not run Danger...`) | ||
} | ||
// Generate and read .diff files for each changed dependency | ||
return Promise.map( | ||
changedDependecies, | ||
({ name, beforeVersion, afterVersion }) => | ||
runDiffer( | ||
name, | ||
beforeVersion, | ||
afterVersion, | ||
packageLockExists ? packageLockPath : '' | ||
) | ||
) | ||
}) | ||
.then(diffs => { | ||
// upload each .diff file as a GitHub | ||
console.log(`Uploading diffs to gist...`) | ||
const description = `Package diff files for "${ | ||
danger.github.pr.title | ||
} #${danger.github.pr.number}"` | ||
return Promise.map(diffs, diff => uploadGist(diff, description)) | ||
}) | ||
.catch(err => console.warn(`Skipping danger: ${err}`)) | ||
}).then(nestedGists => { | ||
// flatten [[gists]] to one-dimesntinal array, and remove | ||
// non-objects from failed attempts (.catch() blocks) | ||
const gists = [].concat(...nestedGists).filter(x => x) | ||
// report resulting gists in the original PR | ||
if (gists.length) { | ||
warn( | ||
`This PR is updating a dependency. You should carefully read through the attached diff files to make sure no evil code has been injected.` | ||
) | ||
gists.forEach(gist => { | ||
warn(`[${gist.filename}](${gist.url})`) | ||
}) | ||
} | ||
console.time('Done!') | ||
}) | ||
}) | ||
.catch(err => console.warn(`Skipping danger: ${err}`)) | ||
) |
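Review bot: `getChangedPackages` throws on a dependency whose old specifier is not coercible, because `semver.coerce(obj.before[val])` returns null for a git URL, tarball URL or tag and `semver.gt(afterVersion, null)` then throws, which the enclosing `.catch` turns into "Skipping danger" for the whole package.json; the guard should cover both sides, `if (!beforeVersion || !afterVersion || !semver.gt(afterVersion, beforeVersion)) {`. Even with that guard, a specifier that changes from a registry version to a non-semver form is silently dropped by the `!afterVersion` branch, so the PR gets no diff and no warning for exactly the kind of change this tool exists to surface; at minimum those entries should be collected and reported with `warn` rather than returned out of the accumulator. The compiled copy earlier on this page has the same reduce body. Unrelated, `console.time('Done!')` at the end of the chain starts a timer that is never ended; `console.log('Done!')` is presumably what was meant.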
{ | ||
"name": "@hashicorp/danger-pkg-differ", | ||
"description": "a dangerfile that adds diff files for updated node modules", | ||
"version": "0.0.4", | ||
"version": "0.0.5", | ||
"author": "Hashicorp - Michael Schonfeld", | ||
@@ -9,3 +9,3 @@ "dependencies": { | ||
"bluebird": "^3.5.3", | ||
"danger": "^6.1.12", | ||
"danger": "^7.0.0", | ||
"semver": "^5.6.0" | ||
@@ -20,3 +20,3 @@ }, | ||
}, | ||
"gitHead": "51e320b072e9023b451ebe52aadf383b577aca6b" | ||
"gitHead": "78236aa1b7f3adda5e4e3dd1d1ba8f084e1c24dc" | ||
} |
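Review bot: `@octokit/rest` is required by index.js, but the dependencies hunk lists only bluebird, danger and semver, and the transitive list on this page shows `@octokit/rest@15.18.3` removed along with the move from danger 6 to danger 7; unless it is declared above line 9 of package.json, the require now resolves to whatever copy happens to be hoisted in the consumer's node_modules, or fails to load. Declaring it directly, e.g. `"@octokit/rest": "<pinned-version>"` (placeholder: the version the gist-upload code was tested against), keeps the version under this package's own lockfile and audit rather than danger's. That matters for `octokit.authenticate`, which as far as I know later major versions of @octokit/rest no longer provide, so an unpinned transitive resolution can break the gist upload silently.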
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
+ Addedarr-diff@4.0.0(transitive)
+ Addedarr-flatten@1.1.0(transitive)
+ Addedarr-union@3.1.0(transitive)
+ Addedarray-unique@0.3.2(transitive)
+ Addedassign-symbols@1.0.0(transitive)
+ Addedatob@2.1.2(transitive)
+ Addedbase@0.11.2(transitive)
+ Addedbraces@2.3.2(transitive)
+ Addedcache-base@1.0.1(transitive)
+ Addedclass-utils@0.3.6(transitive)
+ Addedcollection-visit@1.0.0(transitive)
+ Addedcomponent-emitter@1.3.1(transitive)
+ Addedcopy-descriptor@0.1.1(transitive)
+ Addeddanger@7.1.4(transitive)
+ Addeddebug@2.6.94.3.5(transitive)
+ Addeddecode-uri-component@0.2.2(transitive)
+ Addeddefine-property@0.2.51.0.02.0.2(transitive)
+ Addedexpand-brackets@2.1.4(transitive)
+ Addedextend-shallow@3.0.2(transitive)
+ Addedextglob@2.0.4(transitive)
+ Addedfill-range@4.0.0(transitive)
+ Addedfor-in@1.0.2(transitive)
+ Addedfragment-cache@0.2.1(transitive)
+ Addedfunction-bind@1.1.2(transitive)
+ Addedget-value@2.0.6(transitive)
+ Addedhas-value@0.3.11.0.0(transitive)
+ Addedhas-values@0.1.41.0.0(transitive)
+ Addedhasown@2.0.2(transitive)
+ Addedis-accessor-descriptor@1.0.1(transitive)
+ Addedis-buffer@1.1.6(transitive)
+ Addedis-data-descriptor@1.0.1(transitive)
+ Addedis-descriptor@0.1.71.0.3(transitive)
+ Addedis-extendable@1.0.1(transitive)
+ Addedis-number@3.0.0(transitive)
+ Addedis-plain-object@2.0.4(transitive)
+ Addedis-windows@1.0.2(transitive)
+ Addedisarray@1.0.0(transitive)
+ Addedisobject@2.1.03.0.1(transitive)
+ Addedkind-of@3.2.24.0.06.0.3(transitive)
+ Addedlodash.mapvalues@4.6.0(transitive)
+ Addedlodash.memoize@4.1.2(transitive)
+ Addedmap-cache@0.2.2(transitive)
+ Addedmap-visit@1.0.0(transitive)
+ Addedmicromatch@3.1.10(transitive)
+ Addedmixin-deep@1.3.2(transitive)
+ Addedms@2.1.2(transitive)
+ Addednanomatch@1.2.13(transitive)
+ Addedobject-copy@0.1.0(transitive)
+ Addedobject-visit@1.0.1(transitive)
+ Addedobject.pick@1.3.0(transitive)
+ Addedpascalcase@0.1.1(transitive)
+ Addedposix-character-classes@0.1.1(transitive)
+ Addedregex-not@1.0.2(transitive)
+ Addedrepeat-element@1.1.4(transitive)
+ Addedrepeat-string@1.6.1(transitive)
+ Addedresolve-url@0.2.1(transitive)
+ Addedret@0.1.15(transitive)
+ Addedsafe-regex@1.1.0(transitive)
+ Addedset-value@2.0.1(transitive)
+ Addedsnapdragon@0.8.2(transitive)
+ Addedsnapdragon-node@2.1.1(transitive)
+ Addedsnapdragon-util@3.0.1(transitive)
+ Addedsource-map@0.5.7(transitive)
+ Addedsource-map-resolve@0.5.3(transitive)
+ Addedsource-map-url@0.4.1(transitive)
+ Addedsplit-string@3.1.0(transitive)
+ Addedstatic-extend@0.1.2(transitive)
+ Addedto-object-path@0.3.0(transitive)
+ Addedto-regex@3.0.2(transitive)
+ Addedto-regex-range@2.1.1(transitive)
+ Addedunion-value@1.0.1(transitive)
+ Addedunset-value@1.0.0(transitive)
+ Addedurix@0.1.0(transitive)
+ Addeduse@3.1.1(transitive)
- Removed@octokit/rest@15.18.3(transitive)
- Removedacorn@8.11.3(transitive)
- Removedacorn-walk@8.3.2(transitive)
- Removedbefore-after-hook@1.4.0(transitive)
- Removeddanger@6.1.13(transitive)
- Removedlodash@4.17.21(transitive)
- Removedms@2.1.3(transitive)
- Removeduniversal-user-agent@2.1.0(transitive)
- Removedurl-template@2.0.8(transitive)
- Removedvm2@3.9.19(transitive)
Updateddanger@^7.0.0