@npmcli/metavuln-calculator - npm Package Compare versions

Comparing version 2.0.0 to 3.0.0

lib/advisory.js

@@ -25,4 +25,5 @@ const hash = require('./hash.js')
     this.name = name
-    if (!source.name)
+    if (!source.name) {
       source.name = name
+    }
 
@@ -74,7 +75,9 @@ this.dependency = source.name
     // basic data integrity gutcheck
-    if (!cached || typeof cached !== 'object')
+    if (!cached || typeof cached !== 'object') {
       throw new TypeError('invalid cached data, expected object')
+    }
 
-    if (!packument || typeof packument !== 'object')
+    if (!packument || typeof packument !== 'object') {
       throw new TypeError('invalid packument data, expected object')
+    }
 
@@ -93,4 +96,5 @@ if (cached.id && cached.id !== this.id) {
     }
-    if (this[_packument])
+    if (this[_packument]) {
       throw new Error('advisory object already loaded')
+    }
 
@@ -100,4 +104,5 @@ // if we have a range from the initialization, and the cached
     // just don't use the cached data, so we will definitely not match later
-    if (!this.range || cached.range && cached.range === this.range)
+    if (!this.range || cached.range && cached.range === this.range) {
       Object.assign(this, cached)
+    }
 
@@ -114,4 +119,5 @@ this[_packument] = packument
         this.versions.push(v)
-      } else if (!pakuVersions.includes(v))
+      } else if (!pakuVersions.includes(v)) {
         versionsRemoved.push(v)
+      }
     }
@@ -146,4 +152,5 @@
     // test any versions newly added
-    if (!unchanged || versionsAdded.length)
+    if (!unchanged || versionsAdded.length) {
       this[_testVersions](unchanged ? versionsAdded : this.versions)
+    }
     this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt)
@@ -153,4 +160,5 @@
     // advisories just get their range from the advisory above
-    if (this.type === 'metavuln')
+    if (this.type === 'metavuln') {
       this[_calculateRange]()
+    }
 
@@ -180,6 +188,7 @@ return this
         }
-        if (vr.length > 1)
+        if (vr.length > 1) {
           vr[1] = this.versions[v]
-        else
+        } else {
           vr.push(this.versions[v])
+        }
         v++
@@ -209,8 +218,10 @@ vulnVer++
     const sv = String(version)
-    if (this[_versionVulnMemo].has(sv))
+    if (this[_versionVulnMemo].has(sv)) {
       return this[_versionVulnMemo].get(sv)
+    }
 
     const result = this[_testVersion](version, spec)
-    if (result)
+    if (result) {
       this[_markVulnerable](version)
+    }
     this[_versionVulnMemo].set(sv, !!result)
@@ -222,4 +233,5 @@ return result
     const sv = String(version)
-    if (!this.vulnerableVersions.includes(sv))
+    if (!this.vulnerableVersions.includes(sv)) {
       this.vulnerableVersions.push(sv)
+    }
   }
@@ -229,4 +241,5 @@
     const sv = String(version)
-    if (this.vulnerableVersions.includes(sv))
+    if (this.vulnerableVersions.includes(sv)) {
       return true
+    }
 
@@ -247,8 +260,10 @@ if (this.type === 'advisory') {
 
-    if (!spec)
+    if (!spec) {
       spec = getDepSpec(mani, this.dependency)
+    }
 
     // no dep, no vuln
-    if (spec === null)
+    if (spec === null) {
       return false
+    }
 
@@ -267,4 +282,5 @@ if (!semver.validRange(spec, semverOpt)) {
 
-    if (bundled)
+    if (bundled) {
       return semver.intersects(spec, avoid, semverOpt)
+    }
 
@@ -279,4 +295,5 @@ return this[_source].testSpec(spec)
     const memo = this[_specVulnMemo]
-    if (memo.has(spec))
+    if (memo.has(spec)) {
       return memo.get(spec)
+    }
 
@@ -291,6 +308,8 @@ const res = this[_testSpec](spec)
       const satisfies = semver.satisfies(v, spec)
-      if (!satisfies)
+      if (!satisfies) {
         continue
-      if (!this.testVersion(v))
+      }
+      if (!this.testVersion(v)) {
         return false
+      }
     }
@@ -303,4 +322,5 @@ // either vulnerable, or not installable because nothing satisfied
   [_testVersions] (versions) {
-    if (!versions.length)
+    if (!versions.length) {
       return
+    }
 
@@ -347,12 +367,14 @@ // set of lists of versions
       const origHeadVuln = this.testVersion(list[h])
-      while (h < list.length && /-/.test(String(list[h])))
+      while (h < list.length && /-/.test(String(list[h]))) {
         h++
+      }
 
       // don't filter out the whole list!  they might all be pr's
-      if (h === list.length)
+      if (h === list.length) {
         h = 0
-      else if (origHeadVuln) {
+      } else if (origHeadVuln) {
         // if the original was vulnerable, assume so are all of these
-        for (let hh = 0; hh < h; hh++)
+        for (let hh = 0; hh < h; hh++) {
           this[_markVulnerable](list[hh])
+        }
       }
@@ -362,12 +384,14 @@
       const origTailVuln = this.testVersion(list[t])
-      while (t > h && /-/.test(String(list[t])))
+      while (t > h && /-/.test(String(list[t]))) {
         t--
+      }
 
       // don't filter out the whole list!  might all be pr's
-      if (t === h)
+      if (t === h) {
         t = list.length - 1
-      else if (origTailVuln) {
+      } else if (origTailVuln) {
         // if original tail was vulnerable, assume these are as well
-        for (let tt = list.length - 1; tt > t; tt--)
+        for (let tt = list.length - 1; tt > t; tt--) {
           this[_markVulnerable](list[tt])
+        }
       }
@@ -383,4 +407,5 @@
       if (headVuln && tailVuln) {
-        for (let v = h; v < t; v++)
+        for (let v = h; v < t; v++) {
           this[_markVulnerable](list[v])
+        }
         continue
@@ -390,4 +415,5 @@ }
       // if length is 2 or 1, then we marked them all already
-      if (t < h + 2)
+      if (t < h + 2) {
         continue
+      }
 
@@ -405,4 +431,5 @@ const mid = Math.floor(list.length / 2)
           const v = pre.pop()
-          if (midVuln)
+          if (midVuln) {
             this[_markVulnerable](v)
+          }
         }
@@ -415,4 +442,5 @@ }
           const v = post.shift()
-          if (midVuln)
+          if (midVuln) {
             this[_markVulnerable](v)
+          }
         }
@@ -419,0 +447,0 @@ }

lib/hash.js

@@ -1,5 +0,5 @@
-const {createHash} = require('crypto')
+const { createHash } = require('crypto')
 
-module.exports = ({name, source}) => createHash('sha512')
+module.exports = ({ name, source }) => createHash('sha512')
   .update(JSON.stringify([name, source]))
   .digest('base64')

lib/index.js

@@ -7,3 +7,3 @@ // this is the public class that is used by consumers.
 const Advisory = require('./advisory.js')
-const {homedir} = require('os')
+const { homedir } = require('os')
 const jsonParse = require('json-parse-even-better-errors')
@@ -41,4 +41,5 @@
     const k = `security-advisory:${name}:${source.id}`
-    if (this[_advisories].has(k))
+    if (this[_advisories].has(k)) {
       return this[_advisories].get(k)
+    }
 
@@ -63,4 +64,5 @@ const p = this[_calculate](name, source)
     process.emit('timeEnd', `metavuln:load:${k}`)
-    if (advisory.updated)
+    if (advisory.updated) {
       await this[_cachePut](advisory)
+    }
     this[_advisories].set(k, advisory)
@@ -87,4 +89,5 @@ process.emit('timeEnd', t)
      * advisory object itself using the same key, just being cautious */
-    if (this[_cacheData].has(key))
+    if (this[_cacheData].has(key)) {
       return this[_cacheData].get(key)
+    }
 
@@ -105,4 +108,5 @@ process.emit('time', `metavuln:cache:get:${key}`)
   async [_packument] (name) {
-    if (this[_packuments].has(name))
+    if (this[_packuments].has(name)) {
       return this[_packuments].get(name)
+    }
 
@@ -109,0 +113,0 @@ process.emit('time', `metavuln:packument:${name}`)

package.json

 {
   "name": "@npmcli/metavuln-calculator",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "main": "lib/index.js",
   "files": [
+    "bin",
     "lib"
@@ -10,3 +11,3 @@ ],
   "repository": "https://github.com/npm/metavuln-calculator",
-  "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
+  "author": "GitHub Inc.",
   "license": "ISC",
@@ -22,4 +23,6 @@ "scripts": {
     "eslint": "eslint",
-    "lint": "npm run eslint -- \"lib/**/*.js\" \"test/**/*.js\"",
-    "lintfix": "npm run lint -- --fix"
+    "lint": "eslint '**/*.js'",
+    "lintfix": "npm run lint -- --fix",
+    "postlint": "npm-template-check",
+    "template-copy": "npm-template-copy --force"
   },
@@ -31,19 +34,18 @@ "tap": {
   "devDependencies": {
-    "eslint": "^7.20.0",
-    "eslint-plugin-import": "^2.22.1",
-    "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-promise": "^4.3.1",
-    "eslint-plugin-standard": "^4.1.0",
+    "@npmcli/template-oss": "^2.7.1",
     "require-inject": "^1.4.4",
-    "tap": "^14.10.8"
+    "tap": "^15.1.6"
   },
   "dependencies": {
-    "cacache": "^15.0.5",
+    "cacache": "^15.3.0",
     "json-parse-even-better-errors": "^2.3.1",
-    "pacote": "^12.0.0",
-    "semver": "^7.3.2"
+    "pacote": "^13.0.1",
+    "semver": "^7.3.5"
   },
   "engines": {
     "node": "^12.13.0 || ^14.15.0 || >=16"
+  },
+  "templateOSS": {
+    "version": "2.7.1"
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

30133

increased by0.83%

Dev dependency count

3

decreased by-57.14%

Lines of code

509

increased by6.71%

Dependency changes

• + Added@npmcli/git@3.0.2(transitive)

• + Added@npmcli/node-gyp@2.0.0(transitive)

• + Added@npmcli/promise-spawn@3.0.0(transitive)

• + Added@npmcli/run-script@4.2.1(transitive)

• + Addedbuiltins@5.1.0(transitive)

• + Addedexponential-backoff@3.1.1(transitive)

• + Addedfunction-bind@1.1.2(transitive)

• + Addedhasown@2.0.2(transitive)

• + Addedhosted-git-info@5.2.1(transitive)

• + Addedignore-walk@5.0.1(transitive)

• + Addedis-core-module@2.15.1(transitive)

• + Addednode-gyp@9.4.1(transitive)

• + Addednopt@6.0.0(transitive)

• + Addednormalize-package-data@4.0.1(transitive)

• + Addednpm-bundled@2.0.1(transitive)

• + Addednpm-install-checks@5.0.0(transitive)

• + Addednpm-normalize-package-bin@2.0.0(transitive)

• + Addednpm-package-arg@9.1.2(transitive)

• + Addednpm-packlist@5.1.3(transitive)

• + Addednpm-pick-manifest@7.0.2(transitive)

• + Addednpm-registry-fetch@13.3.1(transitive)

• + Addedpacote@13.6.2(transitive)

• + Addedproc-log@2.0.1(transitive)

• + Addedread-package-json@5.0.2(transitive)

• + Addedspdx-correct@3.2.0(transitive)

• + Addedspdx-exceptions@2.5.0(transitive)

• + Addedspdx-expression-parse@3.0.1(transitive)

• + Addedspdx-license-ids@3.0.20(transitive)

• + Addedvalidate-npm-package-license@3.0.4(transitive)

• + Addedvalidate-npm-package-name@4.0.0(transitive)

• - Removed@npmcli/git@2.1.0(transitive)

• - Removed@npmcli/node-gyp@1.0.3(transitive)

• - Removed@npmcli/promise-spawn@1.3.2(transitive)

• - Removed@npmcli/run-script@2.0.0(transitive)

• - Removed@tootallnate/once@1.1.2(transitive)

• - Removedbuiltins@1.0.3(transitive)

• - Removedhosted-git-info@4.1.0(transitive)

• - Removedhttp-proxy-agent@4.0.1(transitive)

• - Removedignore-walk@4.0.1(transitive)

• - Removedmake-fetch-happen@9.1.0(transitive)

• - Removedminipass-fetch@1.4.1(transitive)

• - Removednode-gyp@8.4.1(transitive)

• - Removednopt@5.0.0(transitive)

• - Removednpm-install-checks@4.0.0(transitive)

• - Removednpm-package-arg@8.1.5(transitive)

• - Removednpm-packlist@3.0.0(transitive)

• - Removednpm-pick-manifest@6.1.1(transitive)

• - Removednpm-registry-fetch@12.0.2(transitive)

• - Removedpacote@12.0.3(transitive)

• - Removedsocks-proxy-agent@6.2.1(transitive)

• - Removedvalidate-npm-package-name@3.0.0(transitive)

• Updatedcacache@^15.3.0

• Updatedpacote@^13.0.1

• Updatedsemver@^7.3.5