@lavamoat/allow-scripts - npm Package Compare versions

Comparing version 1.0.4 to 1.0.5

package.json

 {
   "name": "@lavamoat/allow-scripts",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "main": "src/index.js",
@@ -10,2 +10,3 @@ "bin": {
   "dependencies": {
+    "@lavamoat/preinstall-always-fail": "^1.0.0",
     "@npmcli/run-script": "^1.8.1",
@@ -25,12 +26,16 @@ "@yarnpkg/lockfile": "^1.1.0",
   },
-  "devDependencies": {},
+  "devDependencies": {
+    "eslint-plugin-ava": "^11.0.0",
+    "eslint-plugin-standard": "^5.0.0"
+  },
   "scripts": {
     "test": "echo \"Error: no test specified\"",
-    "lint": "npm run lint:standard && npm run lint:deps",
-    "lint:standard": "standard src/**/*.js",
-    "lint:fix": "standard src/**/*.js --fix",
+    "lint": "npm run lint:eslint && npm run lint:deps",
+    "lint:eslint": "eslint \"src/**/*.js\"",
+    "lint:fix": "eslint src/**/*.js --fix",
     "lint:deps": "depcheck"
   },
   "author": "",
-  "homepage": "https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts"
+  "homepage": "https://github.com/LavaMoat/LavaMoat/tree/main/packages/allow-scripts",
+  "gitHead": "2e58a29e0e2e5c423309155d94a63149b9f8a4a1"
 }

src/index.js

@@ -121,10 +121,2 @@ const { promises: fs } = require('fs')
 
-  if (excessPolicies.length) {
-    console.log('\nremoving unneeded configuration for packages:')
-    excessPolicies.forEach(pattern => {
-      console.log(`- ${pattern}`)
-      delete allowScriptsConfig[pattern]
-    })
-  }
-
   // update package json
@@ -282,4 +274,6 @@ if (!packageJson.lavamoat) packageJson.lavamoat = {}
     // fix path (via address field) for yarn tree
+    // TOOO: make parallel
     for await (const { node, filePath } of findAllFilePathsForTree(tree)) {
       // skip unresolved paths
+      // TODO: document when/why this would be falsy
       if (!filePath) continue
@@ -296,2 +290,3 @@ const relativePath = path.relative(rootDir, filePath)
   }
+  // TODO: validate tree (ensure nodes have addresses)
 
@@ -377,4 +372,6 @@ return { tree, packageJson }
   for (const { node, branch } of eachNodeInTree(tree)) {
+    // Skip root package
+    if (branch.length === 1) continue
+
     const { canonicalName } = getCanonicalNameInfoForTreeNode(node)
-
     const nodePath = node.path()
@@ -406,10 +403,7 @@
   }
-  // return
 
   const allowScriptsConfig = getAllowedScriptsConfig(packageJson)
-  // const packages = await parseYarnLockForPackages()
 
   // packages with config
   const configuredPatterns = Object.keys(allowScriptsConfig)
-  // const packagesWithMatchingPatterns = packages filter for configuredPatterns
 
@@ -424,5 +418,2 @@ // select allowed + disallowed
 
-  // const nonCanonicalPackages = packages.filter(packageData => packageData.namespace !== 'npm')
-  // console.log(nonCanonicalPackages.map(packageData => packageData.canonicalName).join('\n'))
-
   return {
@@ -429,0 +420,0 @@ tree,

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Number of package files

9

increased by50%

Worsened metrics

Total package byte prevSize

22899

decreased by-0.44%

Dependency count

7

increased by16.67%

Dev dependency count

2

increased byInfinity%

Lines of code

507

decreased by-0.78%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Added@lavamoat/preinstall-always-fail@^1.0.0

• + Added@lavamoat/preinstall-always-fail@1.0.3(transitive)