lockfile-lint - npm Package Compare versions

Comparing version 4.8.0 to 4.9.0

bin/lockfile-lint.js

		@@ -47,3 +47,4 @@ #!/usr/bin/env node
		['allowed-schemes', 'validateSchemes'],
		['allowed-urls', 'validateUrls']
		['allowed-urls', 'validateUrls'],
		['validate-integrity-sha512', 'validateIntegrity']
		])
		@@ -50,0 +51,0 @@

CHANGELOG.md

		@@ -6,2 +6,13 @@ # Change Log

		# 4.9.0 (2022-09-26)


		### Features

		* validator: add new integrity hash type validator ([#135](https://github.com/lirantal/lockfile-lint/issues/135)) ([46d0fa7](https://github.com/lirantal/lockfile-lint/commit/46d0fa7))





		# 4.8.0 (2022-08-10)
		@@ -8,0 +19,0 @@

package.json

		{
		"name": "lockfile-lint",
		"version": "4.8.0",
		"version": "4.9.0",
		"description": "A CLI to lint a lockfile for security policies",
		@@ -57,3 +57,3 @@ "bin": {
		"debug": "^4.1.1",
		"lockfile-lint-api": "^5.3.0",
		"lockfile-lint-api": "^5.4.0",
		"yargs": "^16.0.0"
		@@ -183,3 +183,3 @@ },
		},
		"gitHead": "af23496d9a1e94ec03441c25a27584edcc13b882"
		"gitHead": "d917218406f195fa892e33bd8601ba336e586d90"
		}

README.md

		@@ -79,15 +79,15 @@ <p align="center"><h1 align="center">

		\| command line argument \| description \| implemented \|
		\| -------------------------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ \| -------------- \|
		\| `--path`, `-p` \| path to the lockfile \| ✅ \|
		\| `--type`, `-t` \| lockfile type, options are `npm` or `yarn` \| ✅ \|
		\| `--format`, `-f` \| sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output \| ✅ \|
		\| `--validate-https`, `-s` \| validates the use of HTTPS as protocol schema for all resources in the lockfile \| ✅ \|
		\| `--allowed-hosts`, `-a` \| validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively \| ✅ \|
		\| `--allowed-schemes`, `-o` \| allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" \| ✅ \|
		\| `--allowed-urls`, `-u` \| allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) \| ✅ \|
		\| `--empty-hostname`, `-e` \| allow empty hostnames, or set to false if you wish for a stricter policy \| ✅ \|
		\| `--validate-package-names`, `-n` \| validates that the resolved URL matches the package name \| ✅ \|
		\| `--validate-checksum`, `-c` \| check that all resources include a checksum \| ❌ PRs welcome \|
		\| `--validate-integrity`, `-i` \| check that all resources include an integrity field \| ❌ PRs welcome \|
		\| command line argument \| description \| implemented \|
		\|--------------------------------------\|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\|---------------\|
		\| `--path`, `-p` \| path to the lockfile \| ✅ \|
		\| `--type`, `-t` \| lockfile type, options are `npm` or `yarn` \| ✅ \|
		\| `--format`, `-f` \| sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output \| ✅ \|
		\| `--validate-https`, `-s` \| validates the use of HTTPS as protocol schema for all resources in the lockfile \| ✅ \|
		\| `--allowed-hosts`, `-a` \| validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively \| ✅ \|
		\| `--allowed-schemes`, `-o` \| allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" \| ✅ \|
		\| `--allowed-urls`, `-u` \| allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) \| ✅ \|
		\| `--empty-hostname`, `-e` \| allow empty hostnames, or set to false if you wish for a stricter policy \| ✅ \|
		\| `--validate-package-names`, `-n` \| validates that the resolved URL matches the package name \| ✅ \|
		\| `--validate-checksum`, `-c` \| check that all resources include a checksum \| ❌ PRs welcome \|
		\| `--validate-integrity-sha512`, `-i` \| validates the integrity field is a sha512 hash \| ✅ \|

		@@ -94,0 +94,0 @@ # File-Based Configuration

src/config.js

		@@ -55,2 +55,7 @@ 'use strict'
		},
		i: {
		alias: ['validate-integrity-sha512'],
		type: 'boolean',
		describe: 'validates that the integrity hash type is sha512'
		},
		e: {
		@@ -57,0 +62,0 @@ alias: 'empty-hostname',

src/main.js

		@@ -9,3 +9,4 @@ 'use strict'
		ValidateSchemeManager,
		ValidateUrlManager
		ValidateUrlManager,
		ValidateIntegrityManager
		} = require('../src/validators')
		@@ -18,3 +19,4 @@
		['validateSchemes', ValidateSchemeManager],
		['validateUrls', ValidateUrlManager]
		['validateUrls', ValidateUrlManager],
		['validateIntegrity', ValidateIntegrityManager]
		])
		@@ -21,0 +23,0 @@

src/validators/index.js

		@@ -9,3 +9,4 @@ 'use strict'
		ValidateScheme,
		ValidateUrl
		ValidateUrl,
		ValidateIntegrity
		} = require('lockfile-lint-api')
		@@ -19,3 +20,4 @@ const debug = require('debug')('lockfile-lint')
		ValidateSchemeManager,
		ValidateUrlManager
		ValidateUrlManager,
		ValidateIntegrityManager
		}
		@@ -118,1 +120,18 @@
		}

		function ValidateIntegrityManager ({path, type, validatorValues, validatorOptions}) {
		debug(
		`validate-integrity-manager invoked with validator options: ${JSON.stringify(validatorValues)}`
		)

		const options = {
		lockfilePath: path,
		lockfileType: type
		}

		const parser = new ParseLockfile(options)
		const lockfile = parser.parseSync()
		const validator = new ValidateIntegrity({packages: lockfile.object})

		return validator.validate()
		}

		@@ -79,15 +79,15 @@ <p align="center"><h1 align="center">

		\| command line argument \| description \| implemented \|
		\| -------------------------------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ \| -------------- \|
		\| `--path`, `-p` \| path to the lockfile \| ✅ \|
		\| `--type`, `-t` \| lockfile type, options are `npm` or `yarn` \| ✅ \|
		\| `--format`, `-f` \| sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output \| ✅ \|
		\| `--validate-https`, `-s` \| validates the use of HTTPS as protocol schema for all resources in the lockfile \| ✅ \|
		\| `--allowed-hosts`, `-a` \| validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively \| ✅ \|
		\| `--allowed-schemes`, `-o` \| allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" \| ✅ \|
		\| `--allowed-urls`, `-u` \| allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) \| ✅ \|
		\| `--empty-hostname`, `-e` \| allow empty hostnames, or set to false if you wish for a stricter policy \| ✅ \|
		\| `--validate-package-names`, `-n` \| validates that the resolved URL matches the package name \| ✅ \|
		\| `--validate-checksum`, `-c` \| check that all resources include a checksum \| ❌ PRs welcome \|
		\| `--validate-integrity`, `-i` \| check that all resources include an integrity field \| ❌ PRs welcome \|
		\| command line argument \| description \| implemented \|
		\|--------------------------------------\|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\|---------------\|
		\| `--path`, `-p` \| path to the lockfile \| ✅ \|
		\| `--type`, `-t` \| lockfile type, options are `npm` or `yarn` \| ✅ \|
		\| `--format`, `-f` \| sets what type of report output is desired, one of [ `pretty`, `plain` ] with `plain` removing colors & status symbols from output \| ✅ \|
		\| `--validate-https`, `-s` \| validates the use of HTTPS as protocol schema for all resources in the lockfile \| ✅ \|
		\| `--allowed-hosts`, `-a` \| validates a list of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively \| ✅ \|
		\| `--allowed-schemes`, `-o` \| allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" \| ✅ \|
		\| `--allowed-urls`, `-u` \| allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) \| ✅ \|
		\| `--empty-hostname`, `-e` \| allow empty hostnames, or set to false if you wish for a stricter policy \| ✅ \|
		\| `--validate-package-names`, `-n` \| validates that the resolved URL matches the package name \| ✅ \|
		\| `--validate-checksum`, `-c` \| check that all resources include a checksum \| ❌ PRs welcome \|
		\| `--validate-integrity-sha512`, `-i` \| validates the integrity field is a sha512 hash \| ✅ \|

		@@ -94,0 +94,0 @@ # File-Based Configuration

lockfile-lint - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Dependency changes