lockfile-lint-api
Comparing version 5.5.5 to 5.6.0
{ | ||
"name": "lockfile-lint-api", | ||
"version": "5.5.5", | ||
"version": "5.6.0", | ||
"description": "Lint an npm or yarn lockfile to analyze and detect issues", | ||
"main": "index.js", | ||
"engines": { | ||
"node": ">=10.0.0" | ||
"node": ">=16.0.0" | ||
}, | ||
@@ -19,4 +19,3 @@ "scripts": { | ||
"docs:api": "doxdox *.js --layout bootstrap --output docs/index.html", | ||
"docs:code": "docco *.js --output docs/code", | ||
"semantic-release": "semantic-release" | ||
"docs:code": "docco *.js --output docs/code" | ||
}, | ||
@@ -74,4 +73,3 @@ "author": { | ||
"open-cli": "^5.0.0", | ||
"prettier-standard": "9.1.1", | ||
"semantic-release": "^15.3.2" | ||
"prettier-standard": "9.1.1" | ||
}, | ||
@@ -158,24 +156,3 @@ "jest": { | ||
} | ||
}, | ||
"release": { | ||
"branch": "master", | ||
"analyzeCommits": { | ||
"preset": "angular", | ||
"releaseRules": [ | ||
{ | ||
"type": "docs", | ||
"release": "patch" | ||
}, | ||
{ | ||
"type": "refactor", | ||
"release": "patch" | ||
}, | ||
{ | ||
"type": "style", | ||
"release": "patch" | ||
} | ||
] | ||
} | ||
}, | ||
"gitHead": "914ece489c48c8e7f3b584f784cce8f318c2e81e" | ||
} | ||
} |
@@ -16,3 +16,3 @@ <p align="center"><h1 align="center"> | ||
<a href="https://snyk.io/test/npm/lockfile-lint-api"><img src="https://snyk.io/test/npm/lockfile-lint-api/badge.svg" alt="Known Vulnerabilities" data-canonical-src="https://snyk.io/test/npm/lockfile-lint-api" style="max-width:100%;"></a> | ||
<a href="https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a> | ||
<a href="https://github.com/nodejs/security-wg/blob/main/processes/responsible_disclosure_template.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg" alt="Security Responsible Disclosure" /></a> | ||
</p> | ||
@@ -19,0 +19,0 @@ |
@@ -30,6 +30,6 @@ // @ts-check | ||
sampleKey.match(/.*@.*/) && | ||
(sampleValue && | ||
typeof sampleValue === 'object' && | ||
sampleValue.hasOwnProperty('version') && | ||
(sampleValue.hasOwnProperty('resolved') || sampleValue.hasOwnProperty('resolution'))) | ||
sampleValue && | ||
typeof sampleValue === 'object' && | ||
sampleValue.hasOwnProperty('version') && | ||
(sampleValue.hasOwnProperty('resolved') || sampleValue.hasOwnProperty('resolution')) | ||
) | ||
@@ -178,3 +178,16 @@ } | ||
// so we have a unified format to validate against | ||
const npmDepsTree = packageJsonParsed.dependencies | ||
// const npmDepsTree = packageJsonParsed.dependencies | ||
let npmDepsTree = null | ||
if ( | ||
packageJsonParsed.dependencies && | ||
Object.keys(packageJsonParsed.dependencies).length > 0 | ||
) { | ||
npmDepsTree = packageJsonParsed.dependencies | ||
} | ||
if (packageJsonParsed.packages && Object.keys(packageJsonParsed.packages).length > 0) { | ||
npmDepsTree = packageJsonParsed.packages | ||
} | ||
flattenedDepTree = npmDepsTree ? this._flattenNpmDepsTree(npmDepsTree) : {} | ||
@@ -193,16 +206,39 @@ } catch (error) { | ||
for (const [depName, depMetadata] of Object.entries(npmDepsTree)) { | ||
const depMetadataShortend = { | ||
version: depMetadata.version, | ||
resolved: depMetadata.resolved ? depMetadata.resolved : depMetadata.version, | ||
integrity: depMetadata.integrity, | ||
requires: depMetadata.requires | ||
} | ||
const hashedDepValues = hash(depMetadataShortend) | ||
// only evaluate dependency metadata if it's an object with actual metadata | ||
// @TODO potentially, this entry can be just a dependency name and version | ||
// which would inject a new dependency on npm install - warn based on diff? | ||
if (typeof depMetadata === 'object' && depName.length > 0) { | ||
const depMetadataShortend = { | ||
version: depMetadata.version, | ||
resolved: depMetadata.resolved ? depMetadata.resolved : depMetadata.version, | ||
integrity: depMetadata.integrity, | ||
requires: depMetadata.requires | ||
} | ||
const hashedDepValues = hash(depMetadataShortend) | ||
npmDepMap[`${depName}@${depMetadata.version}-${hashedDepValues}`] = depMetadataShortend | ||
// @TODO should we implement a clean package name | ||
// or stay aligned with npm's lockfile reporting of full package path on disk? | ||
// it has advantages in monorepos, such as reporting something like: | ||
// packages/lockfile-lint/node_modules/yargs-parser | ||
// instead of just | ||
// yargs-parser | ||
// | ||
// npm package-lock.json v3 has depName set to path on disk, i.e: | ||
// "node_modules/@babel/compat-data": { | ||
// "version": "7.22.5", | ||
// ..} | ||
// we strip off the 'node_modules/' suffix to print pretty package name | ||
// let depNameClean = depName | ||
// if (depName.indexOf('node_modules/') === 0) { | ||
// depNameClean = depName.substring('node_modules/'.length) | ||
// } | ||
const depNameClean = this.extractedPackageName(depName) | ||
const nestedDepsTree = depMetadata.dependencies | ||
npmDepMap[`${depNameClean}@${depMetadata.version}-${hashedDepValues}`] = depMetadataShortend | ||
if (nestedDepsTree && Object.keys(nestedDepsTree).length !== 0) { | ||
this._flattenNpmDepsTree(nestedDepsTree, npmDepMap) | ||
const nestedDepsTree = depMetadata.dependencies | ||
if (nestedDepsTree && Object.keys(nestedDepsTree).length !== 0) { | ||
this._flattenNpmDepsTree(nestedDepsTree, npmDepMap) | ||
} | ||
} | ||
@@ -213,4 +249,17 @@ } | ||
} | ||
extractedPackageName (packageName) { | ||
const parts = packageName.split('/') | ||
const lastIndex = parts.lastIndexOf('node_modules') | ||
if (lastIndex === -1) { | ||
// If "node_modules" is not found, return the last part of the input | ||
return parts[parts.length - 1] | ||
} else { | ||
// If "node_modules" is found, return the part after it | ||
return parts.slice(lastIndex + 1).join('/') | ||
} | ||
} | ||
} | ||
module.exports = ParseLockfile |
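Review bot: The guard `typeof depMetadata === 'object'` on the new line in `_flattenNpmDepsTree` still admits `null`, because `typeof null === 'object'` in JavaScript, so a lockfile entry whose value is JSON `null` throws a TypeError at `depMetadata.version` instead of being skipped — and the lockfile is exactly the untrusted input this tool exists to lint, so tighten it to `if (depMetadata !== null && typeof depMetadata === 'object' && depName.length > 0) {`. The same hunk leaves the superseded `depNameClean` prefix-stripping code commented out above the `extractedPackageName` call; it is dead now and should be deleted, keeping only the explanatory `@TODO` text. `_flattenNpmDepsTree` begins before this hunk, so its signature and any earlier validation are not visible here. The new `extractedPackageName` method in the last hunk also lacks a doc comment; something like `/** Strip the on-disk path prefix from a package-lock key (e.g. "node_modules/@babel/compat-data" -> "@babel/compat-data"); a key with no node_modules segment reduces to its last path segment. */` would document it, and it is worth noting there that a key whose final segment is literally `node_modules` currently yields an empty name.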