lockfile-lint-api - npm Package Compare versions

Comparing version 5.5.5 to 5.6.0

33

package.json
{
"name": "lockfile-lint-api",
"version": "5.5.5",
"version": "5.6.0",
"description": "Lint an npm or yarn lockfile to analyze and detect issues",
"main": "index.js",
"engines": {
"node": ">=10.0.0"
"node": ">=16.0.0"
},

@@ -19,4 +19,3 @@ "scripts": {

"docs:api": "doxdox *.js --layout bootstrap --output docs/index.html",
"docs:code": "docco *.js --output docs/code",
"semantic-release": "semantic-release"
"docs:code": "docco *.js --output docs/code"
},

@@ -74,4 +73,3 @@ "author": {

"open-cli": "^5.0.0",
"prettier-standard": "9.1.1",
"semantic-release": "^15.3.2"
"prettier-standard": "9.1.1"
},

@@ -158,24 +156,3 @@ "jest": {

}
},
"release": {
"branch": "master",
"analyzeCommits": {
"preset": "angular",
"releaseRules": [
{
"type": "docs",
"release": "patch"
},
{
"type": "refactor",
"release": "patch"
},
{
"type": "style",
"release": "patch"
}
]
}
},
"gitHead": "914ece489c48c8e7f3b584f784cce8f318c2e81e"
}
}
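Review bot: The `engines.node` floor moves from `>=10.0.0` to `>=16.0.0` while the package version only goes from 5.5.5 to 5.6.0; dropping Node 10–14 is a breaking change for consumers pinned to those runtimes and under semver would normally be a major bump, or at minimum called out in the changelog. The same compare also removes the `semantic-release` script, devDependency and the `release` block without a replacement publishing path being visible here, so it is worth confirming how releases are cut now.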

2

README.md

@@ -16,3 +16,3 @@ <p align="center"><h1 align="center">

<a href="https://snyk.io/test/npm/lockfile-lint-api"><img src="https://snyk.io/test/npm/lockfile-lint-api/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/npm/lockfile-lint-api" style="max-width:100%;"></a>
<a href="https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a>
<a href="https://github.com/nodejs/security-wg/blob/main/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a>
</p>

@@ -19,0 +19,0 @@

@@ -30,6 +30,6 @@ // @ts-check

sampleKey.match(/.*@.*/) &&
(sampleValue &&
typeof sampleValue === 'object' &&
sampleValue.hasOwnProperty('version') &&
(sampleValue.hasOwnProperty('resolved') || sampleValue.hasOwnProperty('resolution')))
sampleValue &&
typeof sampleValue === 'object' &&
sampleValue.hasOwnProperty('version') &&
(sampleValue.hasOwnProperty('resolved') || sampleValue.hasOwnProperty('resolution'))
)

@@ -178,3 +178,16 @@ }

// so we have a unified format to validate against
const npmDepsTree = packageJsonParsed.dependencies
// const npmDepsTree = packageJsonParsed.dependencies
let npmDepsTree = null
if (
packageJsonParsed.dependencies &&
Object.keys(packageJsonParsed.dependencies).length > 0
) {
npmDepsTree = packageJsonParsed.dependencies
}
if (packageJsonParsed.packages && Object.keys(packageJsonParsed.packages).length > 0) {
npmDepsTree = packageJsonParsed.packages
}
flattenedDepTree = npmDepsTree ? this._flattenNpmDepsTree(npmDepsTree) : {}

@@ -193,16 +206,39 @@ } catch (error) {

for (const [depName, depMetadata] of Object.entries(npmDepsTree)) {
const depMetadataShortend = {
version: depMetadata.version,
resolved: depMetadata.resolved ? depMetadata.resolved : depMetadata.version,
integrity: depMetadata.integrity,
requires: depMetadata.requires
}
const hashedDepValues = hash(depMetadataShortend)
// only evaluate dependency metadata if it's an object with actual metadata
// @TODO potentially, this entry can be just a dependency name and version
// which would inject a new dependency on npm install - warn based on diff?
if (typeof depMetadata === 'object' && depName.length > 0) {
const depMetadataShortend = {
version: depMetadata.version,
resolved: depMetadata.resolved ? depMetadata.resolved : depMetadata.version,
integrity: depMetadata.integrity,
requires: depMetadata.requires
}
const hashedDepValues = hash(depMetadataShortend)
npmDepMap[`${depName}@${depMetadata.version}-${hashedDepValues}`] = depMetadataShortend
// @TODO should we implement a clean package name
// or stay aligned with npm's lockfile reporting of full package path on disk?
// it has advantages in monorepos, such as reporting something like:
// packages/lockfile-lint/node_modules/yargs-parser
// instead of just
// yargs-parser
//
// npm package-lock.json v3 has depName set to path on disk, i.e:
// "node_modules/@babel/compat-data": {
// "version": "7.22.5",
// ..}
// we strip off the 'node_modules/' suffix to print pretty package name
// let depNameClean = depName
// if (depName.indexOf('node_modules/') === 0) {
// depNameClean = depName.substring('node_modules/'.length)
// }
const depNameClean = this.extractedPackageName(depName)
const nestedDepsTree = depMetadata.dependencies
npmDepMap[`${depNameClean}@${depMetadata.version}-${hashedDepValues}`] = depMetadataShortend
if (nestedDepsTree && Object.keys(nestedDepsTree).length !== 0) {
this._flattenNpmDepsTree(nestedDepsTree, npmDepMap)
const nestedDepsTree = depMetadata.dependencies
if (nestedDepsTree && Object.keys(nestedDepsTree).length !== 0) {
this._flattenNpmDepsTree(nestedDepsTree, npmDepMap)
}
}

@@ -213,4 +249,17 @@ }

}
extractedPackageName (packageName) {
const parts = packageName.split('/')
const lastIndex = parts.lastIndexOf('node_modules')
if (lastIndex === -1) {
// If "node_modules" is not found, return the last part of the input
return parts[parts.length - 1]
} else {
// If "node_modules" is found, return the part after it
return parts.slice(lastIndex + 1).join('/')
}
}
}
module.exports = ParseLockfile
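Review bot: extractedPackageName's fallback branch `return parts[parts.length - 1]` drops the scope from a scoped name that contains no `node_modules` segment: the v1 `dependencies` tree selected in the earlier hunk keys entries by bare package name, so `@babel/core` comes back as `core` and the npmDepMap key built from `${depNameClean}@...` no longer names the real package. If the last-segment fallback is intended for workspace paths such as `packages/foo`, keep it for those and return scoped names intact, e.g. `if (lastIndex === -1) return packageName.startsWith('@') ? packageName : parts[parts.length - 1]`. Separately, the new guard `typeof depMetadata === 'object' && depName.length > 0` in the flatten loop still admits `null`, so a null lockfile entry throws on `depMetadata.version`; `depMetadata !== null && typeof depMetadata === 'object'` closes that. The function enclosing that loop (presumably `_flattenNpmDepsTree`, given the recursive call) starts outside the hunk.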