npm-pick-manifest - npm Package Compare versions

Comparing version 2.2.3 to 3.0.0

CHANGELOG.md

@@ -5,2 +5,21 @@ # Change Log
 
+<a name="3.0.0"></a>
+# [3.0.0](https://github.com/zkat/npm-pick-manifest/compare/v2.2.3...v3.0.0) (2019-08-20)
+
+
+### Features
+
+* throw forbidden error when package is blocked by policy ([ad2a962](https://github.com/zkat/npm-pick-manifest/commit/ad2a962)), closes [#1](https://github.com/zkat/npm-pick-manifest/issues/1)
+
+
+### BREAKING CHANGES
+
+* This adds a new error code when package versions are
+blocked.
+
+PR-URL: https://github.com/npm/npm-pick-manifest/pull/1
+Credit: @claudiahdz
+
+
+
 <a name="2.2.3"></a>
@@ -7,0 +26,0 @@ ## [2.2.3](https://github.com/zkat/npm-pick-manifest/compare/v2.2.2...v2.2.3) (2018-10-31)

index.js

@@ -26,2 +26,5 @@ 'use strict'
   })
+  const policyRestrictions = packument.policyRestrictions
+  const restrictedVersions = policyRestrictions
+    ? Object.keys(policyRestrictions.versions) : []
 
@@ -36,3 +39,3 @@ function enjoyableBy (v) {
 
-  if (!versions.length) {
+  if (!versions.length && !restrictedVersions.length) {
     err = new Error(`No valid versions available for ${packument.name}`)
@@ -103,12 +106,20 @@ err.code = 'ENOVERSIONS'
   if (!manifest) {
-    err = new Error(
-      `No matching version found for ${packument.name}@${wanted}${
-        opts.enjoyBy
-          ? ` with an Enjoy By date of ${
-            new Date(opts.enjoyBy).toLocaleString()
-          }. Maybe try a different date?`
-          : ''
-      }`
-    )
-    err.code = 'ETARGET'
+    // Check if target is forbidden
+    const isForbidden = target && policyRestrictions && policyRestrictions.versions[target]
+    const pckg = `${packument.name}@${wanted}${
+      opts.enjoyBy
+        ? ` with an Enjoy By date of ${
+          new Date(opts.enjoyBy).toLocaleString()
+        }. Maybe try a different date?`
+        : ''
+    }`
+
+    if (isForbidden) {
+      err = new Error(`Could not download ${pckg} due to policy violations.\n${policyRestrictions.message}\n`)
+      err.code = 'E403'
+    } else {
+      err = new Error(`No matching version found for ${pckg}.`)
+      err.code = 'ETARGET'
+    }
+
     err.name = packument.name
@@ -115,0 +126,0 @@ err.type = type

package.json

 {
   "name": "npm-pick-manifest",
-  "version": "2.2.3",
+  "version": "3.0.0",
   "description": "Resolves a matching manifest from a package metadata document according to standard npm semver resolution rules.",
@@ -5,0 +5,0 @@ "main": "index.js",

New alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

13144

increased by8.15%

Lines of code

116

increased by8.41%

Worsened metrics

Number of medium supply chain risk alerts

1

increased byInfinity%

No dependency changes