@npmcli/metavuln-calculator - npm Package Compare versions

Comparing version 3.0.1 to 3.1.0

lib/advisory.js

@@ -42,2 +42,4 @@ const hash = require('./hash.js')
     this.vulnerableVersions = []
+    this.cwe = source.cwe
+    this.cvss = source.cvss
 
@@ -330,3 +332,3 @@ // advisories have the range, metavulns do not
 
-    for (const list of versionSets) {
+    for (const set of versionSets) {
       // it's common to have version lists like:
@@ -345,11 +347,11 @@ // 1.0.0
       // anyway.
-      // If mid has a prerelease tag, and list[0] does not, then walk it
+      // If mid has a prerelease tag, and set[0] does not, then walk it
       // back until we hit a non-prerelease version
-      // If mid has a prerelease tag, and list[list.length-1] does not,
+      // If mid has a prerelease tag, and set[set.length-1] does not,
       // then walk it forward until we hit a version without a prerelease tag
       // Similarly, if the head/tail is a prerelease, but there is a non-pr
-      // version in the list, then start there instead.
+      // version in the set, then start there instead.
       let h = 0
-      const origHeadVuln = this.testVersion(list[h])
-      while (h < list.length && /-/.test(String(list[h]))) {
+      const origHeadVuln = this.testVersion(set[h])
+      while (h < set.length && /-/.test(String(set[h]))) {
         h++
@@ -359,3 +361,3 @@ }
       // don't filter out the whole list!  they might all be pr's
-      if (h === list.length) {
+      if (h === set.length) {
         h = 0
@@ -365,9 +367,9 @@ } else if (origHeadVuln) {
         for (let hh = 0; hh < h; hh++) {
-          this[_markVulnerable](list[hh])
+          this[_markVulnerable](set[hh])
         }
       }
 
-      let t = list.length - 1
-      const origTailVuln = this.testVersion(list[t])
-      while (t > h && /-/.test(String(list[t]))) {
+      let t = set.length - 1
+      const origTailVuln = this.testVersion(set[t])
+      while (t > h && /-/.test(String(set[t]))) {
         t--
@@ -378,7 +380,7 @@ }
       if (t === h) {
-        t = list.length - 1
+        t = set.length - 1
       } else if (origTailVuln) {
         // if original tail was vulnerable, assume these are as well
-        for (let tt = list.length - 1; tt > t; tt--) {
-          this[_markVulnerable](list[tt])
+        for (let tt = set.length - 1; tt > t; tt--) {
+          this[_markVulnerable](set[tt])
         }
@@ -388,6 +390,6 @@ }
       const headVuln = h === 0 ? origHeadVuln
-        : this.testVersion(list[h])
+        : this.testVersion(set[h])
 
-      const tailVuln = t === list.length - 1 ? origTailVuln
-        : this.testVersion(list[t])
+      const tailVuln = t === set.length - 1 ? origTailVuln
+        : this.testVersion(set[t])
 
@@ -397,3 +399,3 @@ // if head and tail both vulnerable, whole list is thrown out
         for (let v = h; v < t; v++) {
-          this[_markVulnerable](list[v])
+          this[_markVulnerable](set[v])
         }
@@ -408,5 +410,5 @@ continue
 
-      const mid = Math.floor(list.length / 2)
-      const pre = list.slice(0, mid)
-      const post = list.slice(mid)
+      const mid = Math.floor(set.length / 2)
+      const pre = set.slice(0, mid)
+      const post = set.slice(mid)
 
@@ -413,0 +415,0 @@ // if the parent list wasn't prereleases, then drop pr tags

package.json

 {
   "name": "@npmcli/metavuln-calculator",
-  "version": "3.0.1",
+  "version": "3.1.0",
   "main": "lib/index.js",
   "files": [
-    "bin",
-    "lib"
+    "bin/",
+    "lib/"
   ],
   "description": "Calculate meta-vulnerabilities from package security advisories",
-  "repository": "https://github.com/npm/metavuln-calculator",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/metavuln-calculator.git"
+  },
   "author": "GitHub Inc.",
@@ -22,6 +25,6 @@ "license": "ISC",
     "eslint": "eslint",
-    "lint": "eslint '**/*.js'",
+    "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
-    "postlint": "npm-template-check",
-    "template-copy": "npm-template-copy --force"
+    "postlint": "template-oss-check",
+    "template-oss-apply": "template-oss-apply --force"
   },
@@ -33,5 +36,6 @@ "tap": {
   "devDependencies": {
-    "@npmcli/template-oss": "^2.9.2",
+    "@npmcli/eslint-config": "^3.0.1",
+    "@npmcli/template-oss": "3.2.0",
     "require-inject": "^1.4.4",
-    "tap": "^15.1.6"
+    "tap": "^16.0.1"
   },
@@ -45,7 +49,8 @@ "dependencies": {
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16"
+    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
   },
   "templateOSS": {
-    "version": "2.9.2"
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "3.2.0"
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

No repository

Supply chain risk

Package does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

30371

increased by0.79%

Lines of code

511

increased by0.39%

Number of low supply chain risk alerts

0

decreased by-100%

Worsened metrics

Dev dependency count

4

increased by33.33%

No dependency changes