lockfile-lint - npm Package Compare versions

Comparing version 2.1.0 to 2.1.1

CHANGELOG.md

@@ -6,2 +6,10 @@ # Change Log
 
+## [2.1.1](https://github.com/lirantal/lockfile-lint/compare/lockfile-lint@2.1.0...lockfile-lint@2.1.1) (2019-10-12)
+
+**Note:** Version bump only for package lockfile-lint
+
+
+
+
+
 # [2.1.0](https://github.com/lirantal/lockfile-lint/compare/lockfile-lint@2.0.1...lockfile-lint@2.1.0) (2019-10-12)
@@ -8,0 +16,0 @@

package.json

 {
   "name": "lockfile-lint",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "A CLI to lint a lockfile for security policies",
@@ -184,3 +184,3 @@ "bin": {
   },
-  "gitHead": "463ed503352b660a11512c199b87e37ea03ac043"
+  "gitHead": "6b3daf933872b245ee4003412ad9e7ef10ac813c"
 }

README.md

@@ -35,3 +35,3 @@ <p align="center"><h1 align="center">
 ```bash
-lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <URL-to-match>
+lockfile-lint --type <yarn|npm> --path <path-to-lockfile> --validate-https --allowed-hosts <host-to-match>
 ```
@@ -47,2 +47,21 @@
 
+**Example 2**: specify hostnames and enforce the use of HTTPS as a protocol
+
+```bash
+lockfile-lint --path yarn.lock --allowed-hosts registry.yarnpkg.com --validate-https
+```
+
+- `--type yarn` is ommitted since lockfile-lint can figure it out on it's own
+- `--allowed-hosts` explicitly set to match yarn's mirror host
+
+**Example 3**: allow the lockfile to contain packages served over github and so need to specify github.com as a host as well as the `git+https:` as a valid URI scheme
+
+```bash
+lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https --allowed-schemes "https:" "git+https:"
+```
+
+- `--allowed-hosts` explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host
+- `--allowed-schemes` overrides `validate-https` and so it explicitly allows both `https:` and `git+https:` for the github URL
+
+
 # CLI command options
@@ -56,2 +75,3 @@
 | `--allowed-hosts`, `-a`      | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅             |
+| `--allowed-schemes`, `-o`    | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:"                                                                                                                                                                                                                                                                                        | ✅             |
 | `--validate-checksum`, `-c`  | check that all resources include a checksum                                                                                                                                                                                                                                                | ❌ PRs welcome |
@@ -58,0 +78,0 @@ | `--validate-integrity`, `-i` | check that all resources include an integrity field                                                                                                                                                                                                                                        | ❌ PRs welcome |

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

42654

increased by3.68%

Number of lines in readme file

84

increased by31.25%

No dependency changes