hosted-git-info
Advanced tools
Comparing version 2.8.6 to 2.8.7
@@ -5,2 +5,13 @@ # Change Log | ||
| <a name="2.8.7"></a> | ||
| ## [2.8.7](https://github.com/npm/hosted-git-info/compare/v2.8.6...v2.8.7) (2020-02-26) | ||
| ### Bug Fixes | ||
| * Do not attempt to use url.URL when unavailable ([2d0bb66](https://github.com/npm/hosted-git-info/commit/2d0bb66)), closes [#61](https://github.com/npm/hosted-git-info/issues/61) [#62](https://github.com/npm/hosted-git-info/issues/62) | ||
| * Do not pass scp-style URLs to the WhatWG url.URL ([f2cdfcf](https://github.com/npm/hosted-git-info/commit/f2cdfcf)), closes [#60](https://github.com/npm/hosted-git-info/issues/60) | ||
| <a name="2.8.6"></a> | ||
@@ -7,0 +18,0 @@ ## [2.8.6](https://github.com/npm/hosted-git-info/compare/v2.8.5...v2.8.6) (2020-02-25) |
23
index.js
@@ -111,6 +111,21 @@ 'use strict' | ||
| var legacy = url.parse(giturl) | ||
| if (legacy.auth) { | ||
| var whatwg = new url.URL(giturl) | ||
| legacy.auth = whatwg.username || '' | ||
| if (whatwg.password) legacy.auth += ':' + whatwg.password | ||
| // If we don't have url.URL, then sorry, this is just not fixable. | ||
| // This affects Node <= 6.12. | ||
| if (legacy.auth && typeof url.URL === 'function') { | ||
| // git urls can be in the form of scp-style/ssh-connect strings, like | ||
| // git+ssh://user@host.com:some/path, which the legacy url parser | ||
| // supports, but WhatWG url.URL class does not. However, the legacy | ||
| // parser de-urlencodes the username and password, so something like | ||
| // https://user%3An%40me:p%40ss%3Aword@x.com/ becomes | ||
| // https://user:n@me:p@ss:word@x.com/ which is all kinds of wrong. | ||
| // Pull off just the auth and host, so we dont' get the confusing | ||
| // scp-style URL, then pass that to the WhatWG parser to get the | ||
| // auth properly escaped. | ||
| const authmatch = giturl.match(/[^@]+@[^:/]+/) | ||
| /* istanbul ignore else - this should be impossible */ | ||
| if (authmatch) { | ||
| var whatwg = new url.URL(authmatch[0]) | ||
| legacy.auth = whatwg.username || '' | ||
| if (whatwg.password) legacy.auth += ':' + whatwg.password | ||
| } | ||
| } | ||
@@ -117,0 +132,0 @@ return legacy |
| { | ||
| "name": "hosted-git-info", | ||
| "version": "2.8.6", | ||
| "version": "2.8.7", | ||
| "description": "Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab", | ||
@@ -25,3 +25,3 @@ "main": "index.js", | ||
| "postrelease": "npm publish --tag=ancient-legacy-fixes && git push --follow-tags", | ||
| "pretest": "standard", | ||
| "posttest": "standard", | ||
| "release": "standard-version -s", | ||
@@ -28,0 +28,0 @@ "test:coverage": "tap --coverage-report=html -J --100 --no-esm test/*.js", |
Fixed alerts
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by6.15%
25027
- Lines of code
- increased by4.48%
350
- Number of medium supply chain risk alerts
- decreased by-100%
0
No dependency changes