licensee - npm Package Compare versions

Comparing version 1.0.0 to 1.0.1

index.js

@@ -6,10 +6,6 @@ module.exports = licensee
 var semverMatches = require('semver').match
-var tv4 = require('tv4')
 var validSPDX = require('spdx-expression-validate')
 
-var schema = require('./configuration-schema.json')
-
 function licensee(configuration, path, callback) {
-  var validation = tv4.validateMultiple(configuration, schema)
-  if (!validation.valid) {
+  if (!validConfiguration(configuration)) {
     callback(new Error('Invalid configuration')) }
@@ -19,22 +15,45 @@ else if (!validSPDX(configuration.license)) {
   else {
-    readPackageTree(path, function(error, data) {
+    // Read the package tree from `node_modules`.
+    readPackageTree(path, function(error, tree) {
       if (error) {
         callback(error) }
       else {
-        callback(null, findIssues(configuration, data, [ ])) } }) } }
+        callback(null, findIssues(configuration, tree, [ ])) } }) } }
 
-function findIssues(configuration, data, issues) {
-  var dependencies = data.children
+function validConfiguration(configuration) {
+  return (
+    isObject(configuration) &&
+    // Validate `license` property.
+    configuration.hasOwnProperty('license') &&
+    isString(configuration.license) &&
+    ( configuration.license.length > 0 ) &&
+    // Validate `whitelist` property.
+    configuration.hasOwnProperty('whitelist') &&
+    isObject(configuration.whitelist) &&
+    Object.keys(configuration.whitelist)
+      .every(function(key) {
+        return isString(configuration.whitelist[key]) }) ) }
+
+function isObject(argument) {
+  return ( typeof argument === 'object' ) }
+
+function isString(argument) {
+  return ( typeof argument === 'string' ) }
+
+function findIssues(configuration, tree, issues) {
+  var dependencies = tree.children
+  // If there are dependencies, check license metadata.
   if (typeof dependencies === 'object') {
     return dependencies
       .reduce(
-        function(issues, data) {
-          if (!acceptablePackage(configuration, data)) {
+        function(issues, tree) {
+          if (!acceptablePackage(configuration, tree)) {
             issues.push({
-              name: data.package.name,
-              license: data.package.license,
-              version: data.package.version,
-              parent: data.parent,
-              path: data.path }) }
-          return findIssues(configuration, data, issues) },
+              name: tree.package.name,
+              license: tree.package.license,
+              version: tree.package.version,
+              parent: tree.parent,
+              path: tree.path }) }
+          // Recurse dependencies.
+          return findIssues(configuration, tree, issues) },
         issues) }
@@ -44,16 +63,18 @@ else {
 
-function acceptablePackage(configuration, data) {
+function acceptablePackage(configuration, tree) {
   var licenseExpression = configuration.license
   var whitelist = configuration.whitelist
   return (
+    // Is the package on the whitelist?
     Object.keys(whitelist)
       .some(function(name) {
         return (
-          ( data.name === name ) &&
-          ( semverMatches(data.package.version, whitelist[name]) ) ) }) ||
+          ( tree.name === name ) &&
+          ( semverMatches(tree.package.version, whitelist[name]) ) ) }) ||
+    // Does the package's license metadata match configuration?
     ( licenseExpression &&
       validSPDX(licenseExpression) &&
-      data.package.license &&
-      ( typeof data.package.license === 'string' ) &&
-      validSPDX(data.package.license) &&
-      licenseSatisfies(data.package.license, licenseExpression) ) ) }
+      tree.package.license &&
+      ( typeof tree.package.license === 'string' ) &&
+      validSPDX(tree.package.license) &&
+      licenseSatisfies(tree.package.license, licenseExpression) ) ) }

package.json

 {
   "name": "licensee",
   "description": "check dependency licenses against rules",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "author": "Kyle E. Mitchell <kyle@kemitchell.com> (https://kemitchell.com/)",
@@ -10,4 +10,3 @@ "dependencies": {
     "spdx-expression-validate": "^1.0.1",
-    "spdx-satisfies": "^0.1.3",
-    "tv4": "^1.2.7"
+    "spdx-satisfies": "^0.1.3"
   },
@@ -18,3 +17,2 @@ "bin": "./licensee",
     "NOTICE",
-    "configuration-schema.json",
     "index.js",
@@ -21,0 +19,0 @@ "licensee"

README.md

@@ -9,4 +9,3 @@ Check dependency licenses against rules.
 { "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR ISC OR Apache-2.0)",
-  "whitelist": {
-    "optimist": "<=0.6.1" } }
+  "whitelist": { "optimist": "<=0.6.1" } }
 ```
@@ -54,5 +53,3 @@
 ```json
-{ "scripts": {
-    "test": "...",
-    "posttest": "licensee" } }
+{ "scripts": { "posttest": "licensee" } }
 ```
@@ -59,0 +56,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

18144

increased by2.44%

Dependency count

4

decreased by-20%

Lines of code

70

increased by12.9%

Number of medium supply chain risk alerts

0

decreased by-100%

Worsened metrics

Number of package files

6

decreased by-14.29%

Number of lines in readme file

65

decreased by-4.41%

Dependency changes

• - Removedtv4@^1.2.7

• - Removedtv4@1.3.0(transitive)