@npmcli/metavuln-calculator
Comparing version 3.0.1 to 3.1.0
@@ -42,2 +42,4 @@ const hash = require('./hash.js') | ||
this.vulnerableVersions = [] | ||
this.cwe = source.cwe | ||
this.cvss = source.cvss | ||
@@ -330,3 +332,3 @@ // advisories have the range, metavulns do not | ||
for (const list of versionSets) { | ||
for (const set of versionSets) { | ||
// it's common to have version lists like: | ||
@@ -345,11 +347,11 @@ // 1.0.0 | ||
// anyway. | ||
// If mid has a prerelease tag, and list[0] does not, then walk it | ||
// If mid has a prerelease tag, and set[0] does not, then walk it | ||
// back until we hit a non-prerelease version | ||
// If mid has a prerelease tag, and list[list.length-1] does not, | ||
// If mid has a prerelease tag, and set[set.length-1] does not, | ||
// then walk it forward until we hit a version without a prerelease tag | ||
// Similarly, if the head/tail is a prerelease, but there is a non-pr | ||
// version in the list, then start there instead. | ||
// version in the set, then start there instead. | ||
let h = 0 | ||
const origHeadVuln = this.testVersion(list[h]) | ||
while (h < list.length && /-/.test(String(list[h]))) { | ||
const origHeadVuln = this.testVersion(set[h]) | ||
while (h < set.length && /-/.test(String(set[h]))) { | ||
h++ | ||
@@ -359,3 +361,3 @@ } | ||
// don't filter out the whole list! they might all be pr's | ||
if (h === list.length) { | ||
if (h === set.length) { | ||
h = 0 | ||
@@ -365,9 +367,9 @@ } else if (origHeadVuln) { | ||
for (let hh = 0; hh < h; hh++) { | ||
this[_markVulnerable](list[hh]) | ||
this[_markVulnerable](set[hh]) | ||
} | ||
} | ||
let t = list.length - 1 | ||
const origTailVuln = this.testVersion(list[t]) | ||
while (t > h && /-/.test(String(list[t]))) { | ||
let t = set.length - 1 | ||
const origTailVuln = this.testVersion(set[t]) | ||
while (t > h && /-/.test(String(set[t]))) { | ||
t-- | ||
@@ -378,7 +380,7 @@ } | ||
if (t === h) { | ||
t = list.length - 1 | ||
t = set.length - 1 | ||
} else if (origTailVuln) { | ||
// if original tail was vulnerable, assume these are as well | ||
for (let tt = list.length - 1; tt > t; tt--) { | ||
this[_markVulnerable](list[tt]) | ||
for (let tt = set.length - 1; tt > t; tt--) { | ||
this[_markVulnerable](set[tt]) | ||
} | ||
@@ -388,6 +390,6 @@ } | ||
const headVuln = h === 0 ? origHeadVuln | ||
: this.testVersion(list[h]) | ||
: this.testVersion(set[h]) | ||
const tailVuln = t === list.length - 1 ? origTailVuln | ||
: this.testVersion(list[t]) | ||
const tailVuln = t === set.length - 1 ? origTailVuln | ||
: this.testVersion(set[t]) | ||
@@ -397,3 +399,3 @@ // if head and tail both vulnerable, whole list is thrown out | ||
for (let v = h; v < t; v++) { | ||
this[_markVulnerable](list[v]) | ||
this[_markVulnerable](set[v]) | ||
} | ||
@@ -408,5 +410,5 @@ continue | ||
const mid = Math.floor(list.length / 2) | ||
const pre = list.slice(0, mid) | ||
const post = list.slice(mid) | ||
const mid = Math.floor(set.length / 2) | ||
const pre = set.slice(0, mid) | ||
const post = set.slice(mid) | ||
@@ -413,0 +415,0 @@ // if the parent list wasn't prereleases, then drop pr tags |
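Review bot: The renamed loop variable `set` (hunk at 332 and the following hunks through 415) holds a plain array — it is indexed with `set[h]`, measured with `set.length` and split with `set.slice(0, mid)` — so the name promises `Set` semantics the value does not have; `versions` or `versionList` would read truer, and the reworded comment at 347 (`// version in the set, then start there instead.`) would follow the rename. The fields added at 42 (`this.cwe = source.cwe`, `this.cvss = source.cvss`) are copied verbatim with no note on their origin or whether they may be absent; a comment such as `// cwe/cvss are taken as-is from the advisory source; presumably undefined for derived metavulns — confirm` would spare the next reader a trip to the registry schema. The enclosing function at 42 and the `for (const set of versionSets)` loop both start and end outside these hunks.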
{ | ||
"name": "@npmcli/metavuln-calculator", | ||
"version": "3.0.1", | ||
"version": "3.1.0", | ||
"main": "lib/index.js", | ||
"files": [ | ||
"bin", | ||
"lib" | ||
"bin/", | ||
"lib/" | ||
], | ||
"description": "Calculate meta-vulnerabilities from package security advisories", | ||
"repository": "https://github.com/npm/metavuln-calculator", | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/npm/metavuln-calculator.git" | ||
}, | ||
"author": "GitHub Inc.", | ||
@@ -22,6 +25,6 @@ "license": "ISC", | ||
"eslint": "eslint", | ||
"lint": "eslint '**/*.js'", | ||
"lint": "eslint \"**/*.js\"", | ||
"lintfix": "npm run lint -- --fix", | ||
"postlint": "npm-template-check", | ||
"template-copy": "npm-template-copy --force" | ||
"postlint": "template-oss-check", | ||
"template-oss-apply": "template-oss-apply --force" | ||
}, | ||
@@ -33,5 +36,6 @@ "tap": { | ||
"devDependencies": { | ||
"@npmcli/template-oss": "^2.9.2", | ||
"@npmcli/eslint-config": "^3.0.1", | ||
"@npmcli/template-oss": "3.2.0", | ||
"require-inject": "^1.4.4", | ||
"tap": "^15.1.6" | ||
"tap": "^16.0.1" | ||
}, | ||
@@ -45,7 +49,8 @@ "dependencies": { | ||
"engines": { | ||
"node": "^12.13.0 || ^14.15.0 || >=16" | ||
"node": "^12.13.0 || ^14.15.0 || >=16.0.0" | ||
}, | ||
"templateOSS": { | ||
"version": "2.9.2" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "3.2.0" | ||
} | ||
} |