lockfile-lint
Comparing version 4.8.0 to 4.9.0
@@ -47,3 +47,4 @@ #!/usr/bin/env node | ||
['allowed-schemes', 'validateSchemes'], | ||
['allowed-urls', 'validateUrls'] | ||
['allowed-urls', 'validateUrls'], | ||
['validate-integrity-sha512', 'validateIntegrity'] | ||
]) | ||
@@ -50,0 +51,0 @@ |
@@ -6,2 +6,13 @@ # Change Log | ||
# 4.9.0 (2022-09-26) | ||
### Features | ||
* **validator:** add new integrity hash type validator ([#135](https://github.com/lirantal/lockfile-lint/issues/135)) ([46d0fa7](https://github.com/lirantal/lockfile-lint/commit/46d0fa7)) | ||
# 4.8.0 (2022-08-10) | ||
@@ -8,0 +19,0 @@ |
{ | ||
"name": "lockfile-lint", | ||
"version": "4.8.0", | ||
"version": "4.9.0", | ||
"description": "A CLI to lint a lockfile for security policies", | ||
@@ -57,3 +57,3 @@ "bin": { | ||
"debug": "^4.1.1", | ||
"lockfile-lint-api": "^5.3.0", | ||
"lockfile-lint-api": "^5.4.0", | ||
"yargs": "^16.0.0" | ||
@@ -183,3 +183,3 @@ }, | ||
}, | ||
"gitHead": "af23496d9a1e94ec03441c25a27584edcc13b882" | ||
"gitHead": "d917218406f195fa892e33bd8601ba336e586d90" | ||
} |
@@ -79,15 +79,15 @@ <p align="center"><h1 align="center"> | ||
| command line argument | description | implemented | | ||
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | | ||
| `--path`, `-p` | path to the lockfile | ✅ | | ||
| `--type`, `-t` | lockfile type, options are `npm` or `yarn` | ✅ | | ||
| `--format`, `-f` | sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output | ✅ | | ||
| `--validate-https`, `-s` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | ||
| `--allowed-hosts`, `-a` | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅ | | ||
| `--allowed-schemes`, `-o` | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | | ||
| `--allowed-urls`, `-u` | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) | ✅ | | ||
| `--empty-hostname`, `-e` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | ||
| `--validate-package-names`, `-n` | validates that the resolved URL matches the package name | ✅ | | ||
| `--validate-checksum`, `-c` | check that all resources include a checksum | ❌ PRs welcome | | ||
| `--validate-integrity`, `-i` | check that all resources include an integrity field | ❌ PRs welcome | | ||
| command line argument | description | implemented | | ||
|--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| | ||
| `--path`, `-p` | path to the lockfile | ✅ | | ||
| `--type`, `-t` | lockfile type, options are `npm` or `yarn` | ✅ | | ||
| `--format`, `-f` | sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output | ✅ | | ||
| `--validate-https`, `-s` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | ||
| `--allowed-hosts`, `-a` | validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅ | | ||
| `--allowed-schemes`, `-o` | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | | ||
| `--allowed-urls`, `-u` | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) | ✅ | | ||
| `--empty-hostname`, `-e` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | ||
| `--validate-package-names`, `-n` | validates that the resolved URL matches the package name | ✅ | | ||
| `--validate-checksum`, `-c` | check that all resources include a checksum | ❌ PRs welcome | | ||
| `--validate-integrity-sha512`, `-i` | validates the integrity field is a sha512 hash | ✅ | | ||
@@ -94,0 +94,0 @@ # File-Based Configuration |
@@ -55,2 +55,7 @@ 'use strict' | ||
}, | ||
i: { | ||
alias: ['validate-integrity-sha512'], | ||
type: 'boolean', | ||
describe: 'validates that the integrity hash type is sha512' | ||
}, | ||
e: { | ||
@@ -57,0 +62,0 @@ alias: 'empty-hostname', |
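Review bot: The `describe` text for the new `i` option only says that the hash type is checked; it should also state what happens to a lockfile entry that has no `integrity` field at all, since that is the case a supply-chain policy most needs to be explicit about. I cannot tell from this hunk whether lockfile-lint-api's `ValidateIntegrity` treats a missing field as a failure, so confirm against it and then word it accordingly, e.g. `describe: 'validates that every package integrity hash is sha512 (entries without an integrity field fail)'` if that is the behaviour. The README row for `-i` uses yet another phrasing ("validates the integrity field is a sha512 hash"); aligning the two avoids confusion for users. The options object this `i:` entry belongs to starts and ends outside the hunk.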
@@ -9,3 +9,4 @@ 'use strict' | ||
ValidateSchemeManager, | ||
ValidateUrlManager | ||
ValidateUrlManager, | ||
ValidateIntegrityManager | ||
} = require('../src/validators') | ||
@@ -18,3 +19,4 @@ | ||
['validateSchemes', ValidateSchemeManager], | ||
['validateUrls', ValidateUrlManager] | ||
['validateUrls', ValidateUrlManager], | ||
['validateIntegrity', ValidateIntegrityManager] | ||
]) | ||
@@ -21,0 +23,0 @@ |
@@ -9,3 +9,4 @@ 'use strict' | ||
ValidateScheme, | ||
ValidateUrl | ||
ValidateUrl, | ||
ValidateIntegrity | ||
} = require('lockfile-lint-api') | ||
@@ -19,3 +20,4 @@ const debug = require('debug')('lockfile-lint') | ||
ValidateSchemeManager, | ||
ValidateUrlManager | ||
ValidateUrlManager, | ||
ValidateIntegrityManager | ||
} | ||
@@ -118,1 +120,18 @@ | ||
} | ||
function ValidateIntegrityManager ({path, type, validatorValues, validatorOptions}) { | ||
debug( | ||
`validate-integrity-manager invoked with validator options: ${JSON.stringify(validatorValues)}` | ||
) | ||
const options = { | ||
lockfilePath: path, | ||
lockfileType: type | ||
} | ||
const parser = new ParseLockfile(options) | ||
const lockfile = parser.parseSync() | ||
const validator = new ValidateIntegrity({packages: lockfile.object}) | ||
return validator.validate() | ||
} |
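Review bot: `validatorOptions` is destructured in the new `ValidateIntegrityManager` signature but never read, and `validatorValues` is only echoed in the debug message while `ValidateIntegrity` is constructed from `{packages: lockfile.object}` alone, so nothing the user passes reaches the check. If the sha512 validator takes no options that is fine, but it should be stated, e.g. a header comment `// Integrity check takes no user options; validatorValues/validatorOptions are accepted only for interface parity with the other managers` — otherwise a future caller will expect them to matter. A JSDoc block naming the parameters (`path`, `type`, `validatorValues`, `validatorOptions`) and noting that the return value is the unmodified result of `validator.validate()` would bring this function in line with the other exported managers. Whether those managers re-parse the lockfile the same way is outside this hunk, so I am assuming the pattern matches.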