lockfile-lint-api - npm Package Compare versions

Comparing version 5.7.0 to 5.8.0

2

package.json
{
"name": "lockfile-lint-api",
"version": "5.7.0",
"version": "5.8.0",
"description": "Lint an npm or yarn lockfile to analyze and detect issues",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -15,3 +15,3 @@ 'use strict'

validate () {
validate (packageNameAliases) {
let validationResult = {

@@ -22,2 +22,4 @@ type: 'success',

const packageNameAliasPairs = this._getPackageNameAliasPairs(packageNameAliases)
for (const [packageName, packageMetadata] of Object.entries(this.packages)) {

@@ -28,2 +30,11 @@ if (!('resolved' in packageMetadata)) {

if (Object.hasOwn(packageNameAliasPairs, this._getPackageNameOnly(packageName))) {
debug(
`skipping package name validation for aliased package name: ${packageName} resolving to: ${
packageNameAliasPairs[packageName]
}}`
)
continue
}
try {

@@ -46,9 +57,5 @@ const packageResolvedURL = new URL(packageMetadata.resolved)

// Remove versioning info from packageName. The @ sign is the delimiter, but could also be the
// first character of a scoped package name. We handle this edge-case here.
const nameOnly = packageName.startsWith('@')
? `@${packageName.slice(1).split('@')[0]}`
: packageName.split('@')[0]
const packageNameOnly = this._getPackageNameOnly(packageName)
const expectedURLBeginning = `${packageResolvedURL.origin}/${nameOnly}`
const expectedURLBeginning = `${packageResolvedURL.origin}/${packageNameOnly}`

@@ -58,4 +65,4 @@ const isPassing = packageMetadata.resolved.startsWith(expectedURLBeginning)

validationResult.errors.push({
message: `detected resolved URL for package with a different name: ${nameOnly}\n expected: ${nameOnly}\n actual: ${packageNameFromResolved}\n`,
package: nameOnly
message: `detected resolved URL for package with a different name: ${packageNameOnly}\n expected: ${packageNameOnly}\n actual: ${packageNameFromResolved}\n`,
package: packageNameOnly
})

@@ -74,2 +81,26 @@ }

}
_getPackageNameOnly (packageName) {
// Remove versioning info from packageName. The @ sign is the delimiter, but could also be the
// first character of a scoped package name. We handle this edge-case here.
const packageNameOnly = packageName.startsWith('@')
? `@${packageName.slice(1).split('@')[0]}`
: packageName.split('@')[0]
return packageNameOnly
}
_getPackageNameAliasPairs (packageNameAliases) {
if (!packageNameAliases || !Array.isArray(packageNameAliases)) {
return {}
}
const packageNameAliasPairs = {}
for (const packageNameAlias of packageNameAliases) {
const [packageName, aliasedPackageName] = packageNameAlias.split(':')
packageNameAliasPairs[packageName] = aliasedPackageName
}
return packageNameAliasPairs
}
}
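Review bot: The aliased package name that _getPackageNameAliasPairs stores is never used beyond the `Object.hasOwn` key check — the loop in validate simply `continue`s, so an aliased entry's resolved URL is not compared against anything; if the intent is to keep linting aliased packages, check the resolved URL against `packageNameAliasPairs[packageNameOnly]` instead of skipping, otherwise say so in a one-line comment on the method. Because the map is keyed on whatever precedes `:`, an entry without a `:` (or a non-string entry, which throws on `.split`) still lands in the map with an undefined value and suppresses validation for that name; a guard such as `if (typeof packageNameAlias !== 'string' || !packageNameAlias.includes(':')) continue` before the destructuring would reject malformed entries. In the skip hunk the lookup uses the version-stripped name but the debug message indexes `packageNameAliasPairs[packageName]` with the full `name@version` key, so it logs `undefined`, and the template literal ends with a stray `}`; use `packageNameAliasPairs[this._getPackageNameOnly(packageName)]` and drop the extra brace. The enclosing validate method starts and ends outside those hunks, and the file's path is not shown on this page.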