Comparing version 1.0.5 to 1.0.6

2

package.json
{
"name": "@scarf/scarf",
"version": "1.0.5",
"version": "1.0.6",
"description": "Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.",

@@ -5,0 +5,0 @@ "main": "report.js",

@@ -73,10 +73,8 @@ # scarf-js

IP address itself will be subsequently deleted.
- Limited dependency tree information. Scarf sends the package name and version for
certain packages (provided they are not scoped packages, `@org/package-name`,
which are assumed to be private):
- Packages in the dependency tree that directly depend on
Scarf.
- Packages that depend on a package that depends on Scarf.
- Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js. Additionally, scarf-js will send SHA256-hashed name and version for the following packages in the dependency tree:
- Packages that depend on a package that depends on scarf-js.
- The root package of the dependency tree.
This allows Scarf to provide maintainers information about which public packages are using their own, without exposing identifying details of non-public packages.
### As a user of a package using Scarf, how can I opt out of analytics?

@@ -83,0 +81,0 @@

@@ -11,2 +11,4 @@ const path = require('path')

const scarfLibName = '@scarf/scarf'
const privatePackageRewrite = '@private/private'
const privateVersionRewrite = '0'

@@ -61,17 +63,33 @@ const rootPath = path.resolve(__dirname).split('node_modules')[0]

// We don't send any paths, we don't send any scoped package names or versions
function hashWithDefault (toHash, defaultReturn) {
let crypto
try {
crypto = require('crypto')
} catch (err) {
logIfVerbose('node crypto module unavailable')
}
if (crypto && toHash) {
return crypto.createHash('sha256').update(toHash, 'utf-8').digest('hex')
} else {
return defaultReturn
}
}
// We don't send any paths, hash package names and versions
function redactSensitivePackageInfo (dependencyInfo) {
const scopedRegex = /@\S+\//
const privatePackageRewrite = '@private/private'
const privateVersionRewrite = '0'
if (dependencyInfo.grandparent && dependencyInfo.grandparent.name.match(scopedRegex)) {
dependencyInfo.grandparent.name = privatePackageRewrite
dependencyInfo.grandparent.version = privateVersionRewrite
if (dependencyInfo.grandparent && dependencyInfo.grandparent.name) {
dependencyInfo.grandparent.nameHash = hashWithDefault(dependencyInfo.grandparent.name, privatePackageRewrite)
dependencyInfo.grandparent.versionHash = hashWithDefault(dependencyInfo.grandparent.version, privateVersionRewrite)
}
if (dependencyInfo.rootPackage && dependencyInfo.rootPackage.name.match(scopedRegex)) {
dependencyInfo.rootPackage.name = privateVersionRewrite
dependencyInfo.rootPackage.version = privateVersionRewrite
if (dependencyInfo.rootPackage && dependencyInfo.rootPackage.name) {
dependencyInfo.rootPackage.nameHash = hashWithDefault(dependencyInfo.rootPackage.name, privatePackageRewrite)
dependencyInfo.rootPackage.versionHash = hashWithDefault(dependencyInfo.rootPackage.version, privateVersionRewrite)
}
delete (dependencyInfo.rootPackage.packageJsonPath)
delete (dependencyInfo.rootPackage.path)
delete (dependencyInfo.rootPackage.name)
delete (dependencyInfo.rootPackage.version)
delete (dependencyInfo.parent.path)

@@ -81,2 +99,4 @@ delete (dependencyInfo.scarf.path)

delete (dependencyInfo.grandparent.path)
delete (dependencyInfo.grandparent.name)
delete (dependencyInfo.grandparent.version)
}

@@ -440,3 +460,4 @@ return dependencyInfo

getDependencyInfo,
reportPostInstall
reportPostInstall,
hashWithDefault
}

@@ -443,0 +464,0 @@
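Review bot: The new hashWithDefault helper applies unsalted SHA-256 to package names and versions, and both inputs come from a small, publicly enumerable space (registry package names, semver strings), so a holder of a name list can recover the original by hashing candidates and comparing, and equal inputs still yield equal digests across reports — the hash hides the plain text, it does not prevent identification. The README hunk in this same version describes the hashed fields as not exposing identifying details of non-public packages; the header comment above hashWithDefault should state the weaker guarantee, e.g. `// Unsalted SHA-256 of a package name/version: hides the plain text but is reversible by dictionary lookup for any publicly listed name. Pseudonymization, not anonymization.` Also, when the crypto module is unavailable the nameHash/versionHash fields receive the literal fallbacks `@private/private` / `0` rather than a digest, which a consumer of the report may read as a hash; a JSDoc `@param {string} toHash`, `@param {string} defaultReturn`, `@returns {string} hex digest, or defaultReturn when crypto is missing or toHash is empty` would make that explicit. redactSensitivePackageInfo's body runs past the end of this hunk (its closing brace is in the later hunk), and the unconditional `delete (dependencyInfo.rootPackage.name)` / `delete (dependencyInfo.rootPackage.version)` lines sit outside the guard that treats rootPackage as optional — if it can in fact be absent, those lines throw before the function returns.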

@@ -38,4 +38,6 @@ const report = require('../report')

test('Redact sensitive data', () => {
const rootPackageName = '@org/scarfed-lib-consumer'
const rootPackageName = '@org/scarfed-lib-consumer-consumer'
const rootPackageVersion = '1.0.0'
const grandparentName = 'scarfed-lib-consumer'
const grandparentVersion = '1.0.1'

@@ -45,3 +47,3 @@ const depInfo = {

parent: { name: 'scarfed-library', version: '1.0.0', scarfSettings: { defaultOptIn: true }, path: '/local/directory/deeper/' },
grandparent: { name: rootPackageName, version: rootPackageVersion, path: '/local/directory/' },
grandparent: { name: grandparentName, version: grandparentVersion, path: '/local/directory/' },
rootPackage: { name: rootPackageName, version: rootPackageVersion, packageJsonPath: '/local/directory', path: '/local/directory' }

@@ -58,9 +60,11 @@ }

expect(redacted.rootPackage.name).not.toContain('org')
expect(redacted.rootPackage.name).not.toContain('scarfed-lib-consumer')
expect(redacted.grandparent.name).not.toContain('org')
expect(redacted.grandparent.name).not.toContain('scarfed-lib-consumer')
expect(redacted.grandparent.nameHash).toBe(report.hashWithDefault(grandparentName, 'Fail: used hash fallback for name'))
expect(redacted.grandparent.versionHash).toBe(report.hashWithDefault(grandparentVersion, 'Fail: used hash fallback for version'))
expect(redacted.rootPackage.nameHash).toBe(report.hashWithDefault(rootPackageName, 'Fail: used hash fallback for name'))
expect(redacted.rootPackage.versionHash).toBe(report.hashWithDefault(rootPackageVersion, 'Fail: used hash fallback for version'))
expect(redacted.rootPackage.version).toBe('0')
expect(redacted.grandparent.version).toBe('0')
expect(redacted.grandparent.name).toBeUndefined()
expect(redacted.grandparent.version).toBeUndefined()
expect(redacted.rootPackage.name).toBeUndefined()
expect(redacted.rootPackage.version).toBeUndefined()

@@ -67,0 +71,0 @@ expect(redacted.scarf.name).toBe('@scarf/scarf')
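Review bot: The new nameHash/versionHash assertions compare against report.hashWithDefault itself, so they pass for any implementation of that function as long as the crypto module loads — they do not pin the digest the README's privacy claim rests on. Compute the expected value independently in the test: `const sha256 = (s) => require('crypto').createHash('sha256').update(s, 'utf-8').digest('hex')` and then `expect(redacted.grandparent.nameHash).toBe(sha256(grandparentName))`, likewise for the version and rootPackage fields. A further case with an empty-string name would exercise the defaultReturn path, which is otherwise reachable only by removing the crypto module. The enclosing test callback continues outside the hunk.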
