@scarf/scarf
Comparing version 1.0.5 to 1.0.6
{ | ||
"name": "@scarf/scarf", | ||
"version": "1.0.5", | ||
"version": "1.0.6", | ||
"description": "Scarf is like Google Analytics for your npm packages. Gain insights into how your packages are installed and used, and by which companies.", | ||
@@ -5,0 +5,0 @@ "main": "report.js", |
@@ -73,10 +73,8 @@ # scarf-js | ||
IP address itself will be subsequently deleted. | ||
- Limited dependency tree information. Scarf sends the package name and version for | ||
certain packages (provided they are not scoped packages, `@org/package-name`, | ||
which are assumed to be private): | ||
- Packages in the dependency tree that directly depend on | ||
Scarf. | ||
- Packages that depend on a package that depends on Scarf. | ||
- Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js. Additionally, scarf-js will send SHA256-hashed name and version for the following packages in the dependency tree: | ||
- Packages that depend on a package that depends on scarf-js. | ||
- The root package of the dependency tree. | ||
This allows Scarf to provide maintainers information about which public packages are using their own, without exposing identifying details of non-public packages. | ||
### As a user of a package using Scarf, how can I opt out of analytics? | ||
@@ -83,0 +81,0 @@ |
@@ -11,2 +11,4 @@ const path = require('path') | ||
const scarfLibName = '@scarf/scarf' | ||
const privatePackageRewrite = '@private/private' | ||
const privateVersionRewrite = '0' | ||
@@ -61,17 +63,33 @@ const rootPath = path.resolve(__dirname).split('node_modules')[0] | ||
// We don't send any paths, we don't send any scoped package names or versions | ||
function hashWithDefault (toHash, defaultReturn) { | ||
let crypto | ||
try { | ||
crypto = require('crypto') | ||
} catch (err) { | ||
logIfVerbose('node crypto module unavailable') | ||
} | ||
if (crypto && toHash) { | ||
return crypto.createHash('sha256').update(toHash, 'utf-8').digest('hex') | ||
} else { | ||
return defaultReturn | ||
} | ||
} | ||
// We don't send any paths, hash package names and versions | ||
function redactSensitivePackageInfo (dependencyInfo) { | ||
const scopedRegex = /@\S+\// | ||
const privatePackageRewrite = '@private/private' | ||
const privateVersionRewrite = '0' | ||
if (dependencyInfo.grandparent && dependencyInfo.grandparent.name.match(scopedRegex)) { | ||
dependencyInfo.grandparent.name = privatePackageRewrite | ||
dependencyInfo.grandparent.version = privateVersionRewrite | ||
if (dependencyInfo.grandparent && dependencyInfo.grandparent.name) { | ||
dependencyInfo.grandparent.nameHash = hashWithDefault(dependencyInfo.grandparent.name, privatePackageRewrite) | ||
dependencyInfo.grandparent.versionHash = hashWithDefault(dependencyInfo.grandparent.version, privateVersionRewrite) | ||
} | ||
if (dependencyInfo.rootPackage && dependencyInfo.rootPackage.name.match(scopedRegex)) { | ||
dependencyInfo.rootPackage.name = privateVersionRewrite | ||
dependencyInfo.rootPackage.version = privateVersionRewrite | ||
if (dependencyInfo.rootPackage && dependencyInfo.rootPackage.name) { | ||
dependencyInfo.rootPackage.nameHash = hashWithDefault(dependencyInfo.rootPackage.name, privatePackageRewrite) | ||
dependencyInfo.rootPackage.versionHash = hashWithDefault(dependencyInfo.rootPackage.version, privateVersionRewrite) | ||
} | ||
delete (dependencyInfo.rootPackage.packageJsonPath) | ||
delete (dependencyInfo.rootPackage.path) | ||
delete (dependencyInfo.rootPackage.name) | ||
delete (dependencyInfo.rootPackage.version) | ||
delete (dependencyInfo.parent.path) | ||
@@ -81,2 +99,4 @@ delete (dependencyInfo.scarf.path) | ||
delete (dependencyInfo.grandparent.path) | ||
delete (dependencyInfo.grandparent.name) | ||
delete (dependencyInfo.grandparent.version) | ||
} | ||
@@ -440,3 +460,4 @@ return dependencyInfo | ||
getDependencyInfo, | ||
reportPostInstall | ||
reportPostInstall, | ||
hashWithDefault | ||
} | ||
@@ -443,0 +464,0 @@ |
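Review bot: hashWithDefault (the new function at @@ -61) applies unsalted SHA-256 to short, low-entropy inputs — package names and semver strings — so the resulting nameHash/versionHash values can be matched against a list of known or guessable names, and the version hash in particular conceals almost nothing; the README sentence in this same commit ("without exposing identifying details of non-public packages") should be scoped to match. That is a deliberate trade-off if the goal is for the server to recognise public packages, but the function comment should say so rather than "hash package names and versions": `// Unsalted SHA-256 is recognisable to anyone who can guess the input; this hides only names that are not guessable, it is not anonymisation.` Separately, redactSensitivePackageInfo now guards `rootPackage` and `grandparent` before hashing but still deletes their fields unconditionally (`delete (dependencyInfo.rootPackage.name)`, and the newly added `delete (dependencyInfo.grandparent.name)` / `delete (dependencyInfo.grandparent.version)`), so a missing rootPackage or grandparent throws a TypeError from the postinstall hook instead of being skipped; move those deletes inside the same `if` guards. The function's middle lines lie between the two hunks (@@ -61 and @@ -81) and are not shown here, and it looks like the module-level `privatePackageRewrite`/`privateVersionRewrite` constants replace the in-function copies, which is fine if the in-function lines are indeed removed.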
@@ -38,4 +38,6 @@ const report = require('../report') | ||
test('Redact sensitive data', () => { | ||
const rootPackageName = '@org/scarfed-lib-consumer' | ||
const rootPackageName = '@org/scarfed-lib-consumer-consumer' | ||
const rootPackageVersion = '1.0.0' | ||
const grandparentName = 'scarfed-lib-consumer' | ||
const grandparentVersion = '1.0.1' | ||
@@ -45,3 +47,3 @@ const depInfo = { | ||
parent: { name: 'scarfed-library', version: '1.0.0', scarfSettings: { defaultOptIn: true }, path: '/local/directory/deeper/' }, | ||
grandparent: { name: rootPackageName, version: rootPackageVersion, path: '/local/directory/' }, | ||
grandparent: { name: grandparentName, version: grandparentVersion, path: '/local/directory/' }, | ||
rootPackage: { name: rootPackageName, version: rootPackageVersion, packageJsonPath: '/local/directory', path: '/local/directory' } | ||
@@ -58,9 +60,11 @@ } | ||
expect(redacted.rootPackage.name).not.toContain('org') | ||
expect(redacted.rootPackage.name).not.toContain('scarfed-lib-consumer') | ||
expect(redacted.grandparent.name).not.toContain('org') | ||
expect(redacted.grandparent.name).not.toContain('scarfed-lib-consumer') | ||
expect(redacted.grandparent.nameHash).toBe(report.hashWithDefault(grandparentName, 'Fail: used hash fallback for name')) | ||
expect(redacted.grandparent.versionHash).toBe(report.hashWithDefault(grandparentVersion, 'Fail: used hash fallback for version')) | ||
expect(redacted.rootPackage.nameHash).toBe(report.hashWithDefault(rootPackageName, 'Fail: used hash fallback for name')) | ||
expect(redacted.rootPackage.versionHash).toBe(report.hashWithDefault(rootPackageVersion, 'Fail: used hash fallback for version')) | ||
expect(redacted.rootPackage.version).toBe('0') | ||
expect(redacted.grandparent.version).toBe('0') | ||
expect(redacted.grandparent.name).toBeUndefined() | ||
expect(redacted.grandparent.version).toBeUndefined() | ||
expect(redacted.rootPackage.name).toBeUndefined() | ||
expect(redacted.rootPackage.version).toBeUndefined() | ||
@@ -67,0 +71,0 @@ expect(redacted.scarf.name).toBe('@scarf/scarf') |
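Review bot: The four new nameHash/versionHash assertions compare the redactor's output against the same hashWithDefault helper, which checks consistency but never that a digest was actually produced or that the plaintext is gone from the hash field; add a shape check such as `expect(redacted.rootPackage.nameHash).toMatch(/^[0-9a-f]{64}$/)` and `expect(redacted.rootPackage.nameHash).not.toContain(rootPackageName)`. The distinct fallback strings passed here ('Fail: used hash fallback for …') are what make a crypto-unavailable fallback fail the test, which deserves a one-line comment so the next reader does not simplify them to the production defaults. The test body begins at the `test('Redact sensitive data'` line and its remaining assertions continue outside the hunks shown.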