@lavamoat/aa - npm Package Compare versions

Comparing version 1.0.0 to 2.0.0

package.json

 {
   "name": "@lavamoat/aa",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "main": "src/index.js",
@@ -11,3 +11,3 @@ "license": "MIT",
     "test": "yarn test:run",
-    "test:run": "ava test/index.js",
+    "test:run": "ava --timeout=30s test/index.js",
     "lint": "yarn lint:eslint && yarn lint:deps",
@@ -28,3 +28,4 @@ "lint:eslint": "eslint \"src/**/*.js\"",
   },
-  "author": "kumavis"
+  "author": "kumavis",
+  "gitHead": "efefc17dd7df5a94e90585c426fd06be4473a58d"
 }

src/index.js

 const { promises: fs } = require('fs')
 const path = require('path')
-const { sync: nodeResolve } = require('resolve')
-const resolve = (from, to) => nodeResolve(to, { basedir: from })
+const nodeResolve = require('resolve')
 
@@ -37,7 +36,7 @@ module.exports = {
  */
-async function loadCanonicalNameMap ({ rootDir, includeDevDeps } = {}) {
+async function loadCanonicalNameMap ({ rootDir, includeDevDeps, resolve } = {}) {
   const filePathToLogicalPaths = new SetMap()
   const canonicalNameMap = new Map()
   // walk tree
-  for await (const packageData of eachPackageInLogicalTree({ packageDir: rootDir, includeDevDeps })) {
+  for await (const packageData of eachPackageInLogicalTree({ packageDir: rootDir, includeDevDeps, resolve })) {
     const logicalPathString = packageData.logicalPathParts.join('>')
@@ -52,3 +51,3 @@ filePathToLogicalPaths.add(packageData.packageDir, logicalPathString)
   // add root dir as "app"
-  canonicalNameMap.set(rootDir, '<root>')
+  canonicalNameMap.set(rootDir, '$root$')
   Reflect.defineProperty(canonicalNameMap, 'rootDir', { value: rootDir })
@@ -63,3 +62,3 @@ return canonicalNameMap
 // TODO: optimize this to not walk the entire tree, can skip if the best known logical path is already shorter
-async function * eachPackageInLogicalTree ({ packageDir, logicalPath = [], includeDevDeps = false, visited = new Set() }) {
+async function * eachPackageInLogicalTree ({ packageDir, logicalPath = [], includeDevDeps = false, visited = new Set(), resolve = nodeResolve }) {
   const packageJsonPath = path.join(packageDir, 'package.json')
@@ -76,4 +75,4 @@ const rawPackageJson = await fs.readFile(packageJsonPath, 'utf8')
     // sync seems slightly faster
-    // depPackageJsonPath = await resolveAsync(depRelativePackageJsonPath, { basedir: packageJsonPath })
-    depPackageJsonPath = resolve(packageJsonPath, depRelativePackageJsonPath)
+    // depPackageJsonPath = await resolveAsync(depRelativePackageJsonPath, { basedir: packageDir })
+    depPackageJsonPath = resolve.sync(depRelativePackageJsonPath, { basedir: packageDir })
     const childPackageDir = path.dirname(depPackageJsonPath)
@@ -99,2 +98,7 @@ // avoid cycles, but still visit the same package
   const packageName = canonicalNameMap.get(packageDir)
+  const relativeToPackageDir = path.relative(packageDir, modulePath)
+  // files should never be associated with a package directory across a package boundary (as tested via the presense of "node_modules" in the path)
+  if (relativeToPackageDir.includes('node_modules')) {
+    throw new Error(`LavaMoat - Encountered unknown package directory for file "${modulePath}"`)
+  }
   return packageName
@@ -111,3 +115,4 @@ }
   }
-  return matchingPackageDirs.reduce(takeLongest)
+  const longestMatch = matchingPackageDirs.reduce(takeLongest)
+  return longestMatch
 }
@@ -114,0 +119,0 @@

test/index.js

@@ -25,3 +25,3 @@ const path = require('path');
       'projects/1',
-      '<root>',
+      '$root$',
     ],
@@ -55,3 +55,3 @@ ])
       'projects/2',
-      '<root>',
+      '$root$',
     ],
@@ -85,5 +85,5 @@ ])
       'projects/3',
-      '<root>',
+      '$root$',
     ],
   ])
 })

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Install scripts

Supply chain risk

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Found 2 instances in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

13701

increased by54.5%

Number of package files

20

increased by185.71%

Lines of code

190

increased by2.7%

Worsened metrics

Number of high supply chain risk alerts

5

increased byInfinity%

No dependency changes