@lavamoat/allow-scripts
Comparing version 1.0.4 to 1.0.5
{ | ||
"name": "@lavamoat/allow-scripts", | ||
"version": "1.0.4", | ||
"version": "1.0.5", | ||
"main": "src/index.js", | ||
@@ -10,2 +10,3 @@ "bin": { | ||
"dependencies": { | ||
"@lavamoat/preinstall-always-fail": "^1.0.0", | ||
"@npmcli/run-script": "^1.8.1", | ||
@@ -25,12 +26,16 @@ "@yarnpkg/lockfile": "^1.1.0", | ||
}, | ||
"devDependencies": {}, | ||
"devDependencies": { | ||
"eslint-plugin-ava": "^11.0.0", | ||
"eslint-plugin-standard": "^5.0.0" | ||
}, | ||
"scripts": { | ||
"test": "echo \"Error: no test specified\"", | ||
"lint": "npm run lint:standard && npm run lint:deps", | ||
"lint:standard": "standard src/**/*.js", | ||
"lint:fix": "standard src/**/*.js --fix", | ||
"lint": "npm run lint:eslint && npm run lint:deps", | ||
"lint:eslint": "eslint \"src/**/*.js\"", | ||
"lint:fix": "eslint src/**/*.js --fix", | ||
"lint:deps": "depcheck" | ||
}, | ||
"author": "", | ||
"homepage": "https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts" | ||
"homepage": "https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts", | ||
"gitHead": "2e58a29e0e2e5c423309155d94a63149b9f8a4a1" | ||
} |
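Review bot: The two new ESLint scripts disagree on how the glob is passed: `lint:eslint` quotes `"src/**/*.js"` so ESLint expands it recursively, while `lint:fix` leaves `src/**/*.js` unquoted, so the shell expands it first and (without `globstar`, the default for `sh`) `**` matches only one directory level, meaning `--fix` can touch a smaller file set than `lint` checks. Quoting it the same way keeps the two in step: `"lint:fix": "eslint \"src/**/*.js\" --fix",`. Secondarily, the newly added dependency `"@lavamoat/preinstall-always-fail": "^1.0.0"` floats on a caret range; for a package whose purpose is to gate install scripts, it may be worth pinning it exactly (or at least confirming the lockfile pins it to the `1.0.3` the footer reports). The untouched `"test": "echo \"Error: no test specified\""` exits 0, so CI would report a green test step with no tests run; that predates this change but is worth noting.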
@@ -121,10 +121,2 @@ const { promises: fs } = require('fs') | ||
if (excessPolicies.length) { | ||
console.log('\nremoving unneeded configuration for packages:') | ||
excessPolicies.forEach(pattern => { | ||
console.log(`- ${pattern}`) | ||
delete allowScriptsConfig[pattern] | ||
}) | ||
} | ||
// update package json | ||
@@ -282,4 +274,6 @@ if (!packageJson.lavamoat) packageJson.lavamoat = {} | ||
// fix path (via address field) for yarn tree | ||
// TOOO: make parallel | ||
for await (const { node, filePath } of findAllFilePathsForTree(tree)) { | ||
// skip unresolved paths | ||
// TODO: document when/why this would be falsy | ||
if (!filePath) continue | ||
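Review bot: `if (!filePath) continue` drops a tree node silently, and the adjacent `// TODO: document when/why this would be falsy` concedes the condition is not understood; for a tool that decides which packages may run install scripts, a node that is skipped here presumably never gets an address fixed up and therefore never reaches the policy check, so a silent skip is the wrong default. At minimum emit a warning so the gap is visible, e.g. `if (!filePath) { console.warn('allow-scripts: skipping node with unresolved path', node); continue }` (printing the canonical name instead, if `getCanonicalNameInfoForTreeNode` is usable at this point, would read better). The comment on the line above, `// TOOO: make parallel`, looks like a typo for `// TODO`. The `for await` loop whose body this guards continues past the end of the hunk.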
@@ -296,2 +290,3 @@ const relativePath = path.relative(rootDir, filePath) | ||
} | ||
// TODO: validate tree (ensure nodes have addresses) | ||
@@ -377,4 +372,6 @@ return { tree, packageJson } | ||
for (const { node, branch } of eachNodeInTree(tree)) { | ||
// Skip root package | ||
if (branch.length === 1) continue | ||
const { canonicalName } = getCanonicalNameInfoForTreeNode(node) | ||
const nodePath = node.path() | ||
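Review bot: `if (branch.length === 1) continue` encodes "this is the root" as a bare length check, and the comment says what is skipped but not why a one-element branch is the root or why the root is exempt from the scripts policy. Either name the condition, `const isRootPackage = branch.length === 1`, or extend the comment to something like `// Skip root package: a one-element branch is the tree root itself, whose own lifecycle scripts are not gated by allow-scripts (confirm this matches the branch shape eachNodeInTree yields)`. The loop body continues beyond the end of the hunk, so I cannot see whether the root case is handled elsewhere.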
@@ -406,10 +403,7 @@ | ||
} | ||
// return | ||
const allowScriptsConfig = getAllowedScriptsConfig(packageJson) | ||
// const packages = await parseYarnLockForPackages() | ||
// packages with config | ||
const configuredPatterns = Object.keys(allowScriptsConfig) | ||
// const packagesWithMatchingPatterns = packages filter for configuredPatterns | ||
@@ -424,5 +418,2 @@ // select allowed + disallowed | ||
// const nonCanonicalPackages = packages.filter(packageData => packageData.namespace !== 'npm') | ||
// console.log(nonCanonicalPackages.map(packageData => packageData.canonicalName).join('\n')) | ||
return { | ||
@@ -429,0 +420,0 @@ tree, |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
+ Added @lavamoat/preinstall-always-fail@1.0.3 (transitive)