@npmcli/metavuln-calculator
Comparing version 2.0.0 to 3.0.0
@@ -25,4 +25,5 @@ const hash = require('./hash.js') | ||
this.name = name | ||
if (!source.name) | ||
if (!source.name) { | ||
source.name = name | ||
} | ||
@@ -74,7 +75,9 @@ this.dependency = source.name | ||
// basic data integrity gutcheck | ||
if (!cached || typeof cached !== 'object') | ||
if (!cached || typeof cached !== 'object') { | ||
throw new TypeError('invalid cached data, expected object') | ||
} | ||
if (!packument || typeof packument !== 'object') | ||
if (!packument || typeof packument !== 'object') { | ||
throw new TypeError('invalid packument data, expected object') | ||
} | ||
@@ -93,4 +96,5 @@ if (cached.id && cached.id !== this.id) { | ||
} | ||
if (this[_packument]) | ||
if (this[_packument]) { | ||
throw new Error('advisory object already loaded') | ||
} | ||
@@ -100,4 +104,5 @@ // if we have a range from the initialization, and the cached | ||
// just don't use the cached data, so we will definitely not match later | ||
if (!this.range || cached.range && cached.range === this.range) | ||
if (!this.range || cached.range && cached.range === this.range) { | ||
Object.assign(this, cached) | ||
} | ||
@@ -114,4 +119,5 @@ this[_packument] = packument | ||
this.versions.push(v) | ||
} else if (!pakuVersions.includes(v)) | ||
} else if (!pakuVersions.includes(v)) { | ||
versionsRemoved.push(v) | ||
} | ||
} | ||
@@ -146,4 +152,5 @@ | ||
// test any versions newly added | ||
if (!unchanged || versionsAdded.length) | ||
if (!unchanged || versionsAdded.length) { | ||
this[_testVersions](unchanged ? versionsAdded : this.versions) | ||
} | ||
this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt) | ||
@@ -153,4 +160,5 @@ | ||
// advisories just get their range from the advisory above | ||
if (this.type === 'metavuln') | ||
if (this.type === 'metavuln') { | ||
this[_calculateRange]() | ||
} | ||
@@ -180,6 +188,7 @@ return this | ||
} | ||
if (vr.length > 1) | ||
if (vr.length > 1) { | ||
vr[1] = this.versions[v] | ||
else | ||
} else { | ||
vr.push(this.versions[v]) | ||
} | ||
v++ | ||
@@ -209,8 +218,10 @@ vulnVer++ | ||
const sv = String(version) | ||
if (this[_versionVulnMemo].has(sv)) | ||
if (this[_versionVulnMemo].has(sv)) { | ||
return this[_versionVulnMemo].get(sv) | ||
} | ||
const result = this[_testVersion](version, spec) | ||
if (result) | ||
if (result) { | ||
this[_markVulnerable](version) | ||
} | ||
this[_versionVulnMemo].set(sv, !!result) | ||
@@ -222,4 +233,5 @@ return result | ||
const sv = String(version) | ||
if (!this.vulnerableVersions.includes(sv)) | ||
if (!this.vulnerableVersions.includes(sv)) { | ||
this.vulnerableVersions.push(sv) | ||
} | ||
} | ||
@@ -229,4 +241,5 @@ | ||
const sv = String(version) | ||
if (this.vulnerableVersions.includes(sv)) | ||
if (this.vulnerableVersions.includes(sv)) { | ||
return true | ||
} | ||
@@ -247,8 +260,10 @@ if (this.type === 'advisory') { | ||
if (!spec) | ||
if (!spec) { | ||
spec = getDepSpec(mani, this.dependency) | ||
} | ||
// no dep, no vuln | ||
if (spec === null) | ||
if (spec === null) { | ||
return false | ||
} | ||
@@ -267,4 +282,5 @@ if (!semver.validRange(spec, semverOpt)) { | ||
if (bundled) | ||
if (bundled) { | ||
return semver.intersects(spec, avoid, semverOpt) | ||
} | ||
@@ -279,4 +295,5 @@ return this[_source].testSpec(spec) | ||
const memo = this[_specVulnMemo] | ||
if (memo.has(spec)) | ||
if (memo.has(spec)) { | ||
return memo.get(spec) | ||
} | ||
@@ -291,6 +308,8 @@ const res = this[_testSpec](spec) | ||
const satisfies = semver.satisfies(v, spec) | ||
if (!satisfies) | ||
if (!satisfies) { | ||
continue | ||
if (!this.testVersion(v)) | ||
} | ||
if (!this.testVersion(v)) { | ||
return false | ||
} | ||
} | ||
@@ -303,4 +322,5 @@ // either vulnerable, or not installable because nothing satisfied | ||
[_testVersions] (versions) { | ||
if (!versions.length) | ||
if (!versions.length) { | ||
return | ||
} | ||
@@ -347,12 +367,14 @@ // set of lists of versions | ||
const origHeadVuln = this.testVersion(list[h]) | ||
while (h < list.length && /-/.test(String(list[h]))) | ||
while (h < list.length && /-/.test(String(list[h]))) { | ||
h++ | ||
} | ||
// don't filter out the whole list! they might all be pr's | ||
if (h === list.length) | ||
if (h === list.length) { | ||
h = 0 | ||
else if (origHeadVuln) { | ||
} else if (origHeadVuln) { | ||
// if the original was vulnerable, assume so are all of these | ||
for (let hh = 0; hh < h; hh++) | ||
for (let hh = 0; hh < h; hh++) { | ||
this[_markVulnerable](list[hh]) | ||
} | ||
} | ||
@@ -362,12 +384,14 @@ | ||
const origTailVuln = this.testVersion(list[t]) | ||
while (t > h && /-/.test(String(list[t]))) | ||
while (t > h && /-/.test(String(list[t]))) { | ||
t-- | ||
} | ||
// don't filter out the whole list! might all be pr's | ||
if (t === h) | ||
if (t === h) { | ||
t = list.length - 1 | ||
else if (origTailVuln) { | ||
} else if (origTailVuln) { | ||
// if original tail was vulnerable, assume these are as well | ||
for (let tt = list.length - 1; tt > t; tt--) | ||
for (let tt = list.length - 1; tt > t; tt--) { | ||
this[_markVulnerable](list[tt]) | ||
} | ||
} | ||
@@ -383,4 +407,5 @@ | ||
if (headVuln && tailVuln) { | ||
for (let v = h; v < t; v++) | ||
for (let v = h; v < t; v++) { | ||
this[_markVulnerable](list[v]) | ||
} | ||
continue | ||
@@ -390,4 +415,5 @@ } | ||
// if length is 2 or 1, then we marked them all already | ||
if (t < h + 2) | ||
if (t < h + 2) { | ||
continue | ||
} | ||
@@ -405,4 +431,5 @@ const mid = Math.floor(list.length / 2) | ||
const v = pre.pop() | ||
if (midVuln) | ||
if (midVuln) { | ||
this[_markVulnerable](v) | ||
} | ||
} | ||
@@ -415,4 +442,5 @@ } | ||
const v = post.shift() | ||
if (midVuln) | ||
if (midVuln) { | ||
this[_markVulnerable](v) | ||
} | ||
} | ||
@@ -419,0 +447,0 @@ } |
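Review bot: `Object.assign(this, cached)` in the hunk at -100 copies every own enumerable property of the cache record onto the advisory, and the only shape check that record has passed is the `typeof cached !== 'object'` gutcheck in the hunk at -74, which arrays and objects carrying unexpected keys (including a literal `__proto__` key that survives JSON parsing as an own property) also satisfy. Because the record is read back from disk rather than computed here, copying only the fields the cache writer is known to store would keep a stale or malformed entry from overwriting methods or identity fields on the instance; the exact field set is not visible in this hunk, so it should be taken from the writer side. The condition above the assign also relies on `&&` binding tighter than `||`; `if (!this.range || (cached.range && cached.range === this.range)) {` makes the intended grouping explicit, and the `cached.range &&` term is redundant once `this.range` is truthy. The enclosing method starts and ends outside the hunk.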
@@ -1,5 +0,5 @@ | ||
const {createHash} = require('crypto') | ||
const { createHash } = require('crypto') | ||
module.exports = ({name, source}) => createHash('sha512') | ||
module.exports = ({ name, source }) => createHash('sha512') | ||
.update(JSON.stringify([name, source])) | ||
.digest('base64') |
@@ -7,3 +7,3 @@ // this is the public class that is used by consumers. | ||
const Advisory = require('./advisory.js') | ||
const {homedir} = require('os') | ||
const { homedir } = require('os') | ||
const jsonParse = require('json-parse-even-better-errors') | ||
@@ -41,4 +41,5 @@ | ||
const k = `security-advisory:${name}:${source.id}` | ||
if (this[_advisories].has(k)) | ||
if (this[_advisories].has(k)) { | ||
return this[_advisories].get(k) | ||
} | ||
@@ -63,4 +64,5 @@ const p = this[_calculate](name, source) | ||
process.emit('timeEnd', `metavuln:load:${k}`) | ||
if (advisory.updated) | ||
if (advisory.updated) { | ||
await this[_cachePut](advisory) | ||
} | ||
this[_advisories].set(k, advisory) | ||
@@ -87,4 +89,5 @@ process.emit('timeEnd', t) | ||
* advisory object itself using the same key, just being cautious */ | ||
if (this[_cacheData].has(key)) | ||
if (this[_cacheData].has(key)) { | ||
return this[_cacheData].get(key) | ||
} | ||
@@ -105,4 +108,5 @@ process.emit('time', `metavuln:cache:get:${key}`) | ||
async [_packument] (name) { | ||
if (this[_packuments].has(name)) | ||
if (this[_packuments].has(name)) { | ||
return this[_packuments].get(name) | ||
} | ||
@@ -109,0 +113,0 @@ process.emit('time', `metavuln:packument:${name}`) |
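Review bot: The memo key in the hunk at -41, `security-advisory:${name}:${source.id}`, silently collapses to `…:undefined` when `source.id` is absent, so two different sources for the same package would then share one cached advisory object; whether every caller guarantees an `id` is not visible in this hunk. A guard before computing `k`, `if (source.id == null) throw new TypeError('advisory source requires an id')`, would turn that into a loud failure instead of a cross-advisory cache hit. The enclosing method starts and ends outside the hunk.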
{ | ||
"name": "@npmcli/metavuln-calculator", | ||
"version": "2.0.0", | ||
"version": "3.0.0", | ||
"main": "lib/index.js", | ||
"files": [ | ||
"bin", | ||
"lib" | ||
@@ -10,3 +11,3 @@ ], | ||
"repository": "https://github.com/npm/metavuln-calculator", | ||
"author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)", | ||
"author": "GitHub Inc.", | ||
"license": "ISC", | ||
@@ -22,4 +23,6 @@ "scripts": { | ||
"eslint": "eslint", | ||
"lint": "npm run eslint -- \"lib/**/*.js\" \"test/**/*.js\"", | ||
"lintfix": "npm run lint -- --fix" | ||
"lint": "eslint '**/*.js'", | ||
"lintfix": "npm run lint -- --fix", | ||
"postlint": "npm-template-check", | ||
"template-copy": "npm-template-copy --force" | ||
}, | ||
@@ -31,19 +34,18 @@ "tap": { | ||
"devDependencies": { | ||
"eslint": "^7.20.0", | ||
"eslint-plugin-import": "^2.22.1", | ||
"eslint-plugin-node": "^11.1.0", | ||
"eslint-plugin-promise": "^4.3.1", | ||
"eslint-plugin-standard": "^4.1.0", | ||
"@npmcli/template-oss": "^2.7.1", | ||
"require-inject": "^1.4.4", | ||
"tap": "^14.10.8" | ||
"tap": "^15.1.6" | ||
}, | ||
"dependencies": { | ||
"cacache": "^15.0.5", | ||
"cacache": "^15.3.0", | ||
"json-parse-even-better-errors": "^2.3.1", | ||
"pacote": "^12.0.0", | ||
"semver": "^7.3.2" | ||
"pacote": "^13.0.1", | ||
"semver": "^7.3.5" | ||
}, | ||
"engines": { | ||
"node": "^12.13.0 || ^14.15.0 || >=16" | ||
}, | ||
"templateOSS": { | ||
"version": "2.7.1" | ||
} | ||
} |
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
+ Added@npmcli/git@3.0.2(transitive)
+ Added@npmcli/node-gyp@2.0.0(transitive)
+ Added@npmcli/promise-spawn@3.0.0(transitive)
+ Added@npmcli/run-script@4.2.1(transitive)
+ Addedbuiltins@5.1.0(transitive)
+ Addedexponential-backoff@3.1.1(transitive)
+ Addedfunction-bind@1.1.2(transitive)
+ Addedhasown@2.0.2(transitive)
+ Addedhosted-git-info@5.2.1(transitive)
+ Addedignore-walk@5.0.1(transitive)
+ Addedis-core-module@2.15.1(transitive)
+ Addednode-gyp@9.4.1(transitive)
+ Addednopt@6.0.0(transitive)
+ Addednormalize-package-data@4.0.1(transitive)
+ Addednpm-bundled@2.0.1(transitive)
+ Addednpm-install-checks@5.0.0(transitive)
+ Addednpm-normalize-package-bin@2.0.0(transitive)
+ Addednpm-package-arg@9.1.2(transitive)
+ Addednpm-packlist@5.1.3(transitive)
+ Addednpm-pick-manifest@7.0.2(transitive)
+ Addednpm-registry-fetch@13.3.1(transitive)
+ Addedpacote@13.6.2(transitive)
+ Addedproc-log@2.0.1(transitive)
+ Addedread-package-json@5.0.2(transitive)
+ Addedspdx-correct@3.2.0(transitive)
+ Addedspdx-exceptions@2.5.0(transitive)
+ Addedspdx-expression-parse@3.0.1(transitive)
+ Addedspdx-license-ids@3.0.20(transitive)
+ Addedvalidate-npm-package-license@3.0.4(transitive)
+ Addedvalidate-npm-package-name@4.0.0(transitive)
- Removed@npmcli/git@2.1.0(transitive)
- Removed@npmcli/node-gyp@1.0.3(transitive)
- Removed@npmcli/promise-spawn@1.3.2(transitive)
- Removed@npmcli/run-script@2.0.0(transitive)
- Removed@tootallnate/once@1.1.2(transitive)
- Removedbuiltins@1.0.3(transitive)
- Removedhosted-git-info@4.1.0(transitive)
- Removedhttp-proxy-agent@4.0.1(transitive)
- Removedignore-walk@4.0.1(transitive)
- Removedmake-fetch-happen@9.1.0(transitive)
- Removedminipass-fetch@1.4.1(transitive)
- Removednode-gyp@8.4.1(transitive)
- Removednopt@5.0.0(transitive)
- Removednpm-install-checks@4.0.0(transitive)
- Removednpm-package-arg@8.1.5(transitive)
- Removednpm-packlist@3.0.0(transitive)
- Removednpm-pick-manifest@6.1.1(transitive)
- Removednpm-registry-fetch@12.0.2(transitive)
- Removedpacote@12.0.3(transitive)
- Removedsocks-proxy-agent@6.2.1(transitive)
- Removedvalidate-npm-package-name@3.0.0(transitive)
Updatedcacache@^15.3.0
Updatedpacote@^13.0.1
Updatedsemver@^7.3.5