moog-require
Comparing version 1.3.1 to 1.3.2
index.js
@@ -165,6 +165,22 @@ var async = require('async'); | ||
// confused by an unrelated npm module with the same name as an Apostrophe | ||
// module unless we verify it is a real project-level dependency | ||
// module unless we verify it is a real project-level dependency. However | ||
// if no package.json at all exists at project level we do search up the | ||
// tree until we find one to accommodate patterns like `src/app.js` | ||
if (!self.validPackages) { | ||
const info = JSON.parse(fs.readFileSync(`${path.dirname(self.root.filename)}/package.json`, 'utf8')); | ||
self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]); | ||
let info = null; | ||
const initialFolder = path.dirname(self.root.filename); | ||
let folder = initialFolder; | ||
while (true) { | ||
const file = `${folder}/package.json`; | ||
if (fs.existsSync(file)) { | ||
const info = JSON.parse(fs.readFileSync(file, 'utf8')); | ||
self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]); | ||
break; | ||
} else { | ||
folder = path.dirname(folder); | ||
if (!folder.length) { | ||
throw new Error(`package.json was not found in ${initialFolder} or any of its parent folders.`); | ||
} | ||
} | ||
} | ||
} | ||
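Review bot: The root-of-tree guard `if (!folder.length)` can never fire, because `path.dirname('/')` returns `'/'` (and on Windows `path.dirname('C:\\')` returns `'C:\\'`), so when no package.json exists anywhere above the project the `while (true)` loop re-checks the same path forever and the `throw new Error(...)` below it is unreachable. Compare the parent to the current folder instead: `const parent = path.dirname(folder);`, `if (parent === folder) { throw new Error(...not found message unchanged...); }`, `folder = parent;`. The `let info = null;` declared before the loop is dead, since the loop body declares its own `const info`, and can be dropped. Because the walk stops at the first package.json it finds, a package.json in an unrelated parent directory (a home directory, for instance) silently becomes the allow-list behind `self.validPackages`; that matches the documented behaviour, but a comment on the loop, or a debug log naming the file actually selected, would make a wrong pick easier to spot. The enclosing function starts before this hunk.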
@@ -171,0 +187,0 @@ if (!self.validPackages.has(type)) { |
@@ -39,5 +39,5 @@ { | ||
"scripts": { | ||
"test": "mocha test/test.js" | ||
"test": "mocha test/test.js test/nested/test.js" | ||
}, | ||
"version": "1.3.1" | ||
"version": "1.3.2" | ||
} |
@@ -353,2 +353,4 @@ [![Build Status](https://travis-ci.org/punkave/moog-require.svg?branch=master)](https://travis-ci.org/punkave/moog-require) | ||
1.3.2: starting in version 1.3.1, this module only loads other modules via `npm` if they are explicit npm dependencies, which is necessary for stability and security. However, it is too strict: if the project has no `package.json` at all at the level of `app.js`, `npm` search up the tree, and this module should too. Beginning in verison 1.3.2, it does search up the tree. However it stops at the first `package.json` found. | ||
1.3.1: `moog-require` loads modules from npm if they exist there and are configured by name in the application. This was always intended only as a way to load direct, intentional dependencies of your project. However, since npm "flattens" the dependency tree, dependencies of dependencies that happen to have the same name as a project-level module could be loaded by default, crashing the site or causing unexpected behavior. So beginning with this release, `moog-require` scans `package.json` to verify an npm module is actually a dependency of the project itself before attempting to load it. | ||
@@ -355,0 +357,0 @@ |