New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
nsp-preprocessor-yarn
Advanced tools
nsp-preprocessor-yarn - npm Package Compare versions
Comparing version 1.0.1 to 1.1.0
14
index.js
@@ -9,3 +9,7 @@ const Fs = require('fs'); | ||
| try { | ||
| pkg = JSON.parse(Fs.readFileSync(Path.join(args.path, 'package.json'))); | ||
| let pkgfile = 'package.json'; | ||
| if (args.packagejsonfile) { | ||
| pkgfile = args.packagejsonfile; | ||
| } | ||
| pkg = args.pkg || JSON.parse(Fs.readFileSync(Path.join(args.path, pkgfile))); | ||
| } catch (err) { | ||
@@ -17,6 +21,10 @@ return Promise.reject(new Error(`Unable to load package.json for project: ${Path.basename(args.path)}`)); | ||
| try { | ||
| const lockContents = Fs.readFileSync(Path.join(args.path, 'yarn.lock'), { encoding: "utf-8" }); | ||
| let lockfile = 'yarn.lock'; | ||
| if (args.lockfile) { | ||
| lockfile = args.lockfile; | ||
| } | ||
| const lockContents = Fs.readFileSync(Path.join(args.path, lockfile), { encoding: "utf-8" }); | ||
| lock = Lib.parse(lockContents, pkg); | ||
| } catch (err) { | ||
| return Promise.reject(new Error(`Unable to load yarn.lock for project: ${Path.basename(args.path)}`)); | ||
| return Promise.reject(new Error(`Unable to load yarn.lock for project "${Path.basename(args.path)}". ${err}`)); | ||
| } | ||
@@ -23,0 +31,0 @@ |
| { | ||
| "name": "nsp-preprocessor-yarn", | ||
| "version": "1.0.1", | ||
| "version": "1.1.0", | ||
| "description": "", | ||
| "main": "index.js", | ||
| "scripts": { | ||
| "test": "node test/test.js" | ||
| "test": "node test/test.js", | ||
| "test:integration": "node test/integration.js" | ||
| }, | ||
@@ -9,0 +10,0 @@ "repository": "github:hermanbanken/nsp-preprocessor-yarn", |
@@ -27,1 +27,10 @@ # Yarn.lock preprocessor for NSP | ||
| ```` | ||
| ## Workspaces | ||
| This preprocessor supports workspaces too: specify the `--lockfile` flag: | ||
| ````bash | ||
| touch workspace/yarn.lock | ||
| cd workspace/my-package-1 | ||
| nsp check --preprocessor yarn --lockfile ../yarn.lock | ||
| ```` |
@@ -10,4 +10,6 @@ const exec = require("child_process").exec; | ||
| const cmd = "nsp --packagejsonfile test.package.json --preprocessor yarn"; | ||
| const tests = [ | ||
| exec("nsp --preprocessor yarn check", { cwd: join(process.cwd(), "test/data/sample") }, (err, stdout, stderr) => { | ||
| exec(`${cmd} check`, { cwd: join(process.cwd(), "test/data/sample") }, (err, stdout, stderr) => { | ||
| if (!contains(stderr, stdout, "3 vulnerabilities found")) { | ||
@@ -18,3 +20,3 @@ errors.push("Should report vulnerabilities from yarn.lock."); | ||
| }), | ||
| exec("nsp --preprocessor yarn check", { cwd: join(process.cwd(), "test/data/circular") }, (err, stdout, stderr) => { | ||
| exec(`${cmd} check`, { cwd: join(process.cwd(), "test/data/circular") }, (err, stdout, stderr) => { | ||
| if (!contains(stderr, stdout, "3 vulnerabilities found")) { | ||
@@ -25,3 +27,3 @@ errors.push("Should work, even with circular dependencies."); | ||
| }), | ||
| exec("nsp --preprocessor yarn check", { cwd: join(process.cwd(), "test/data/outdated") }, (err, stdout, stderr) => { | ||
| exec(`${cmd} check`, { cwd: join(process.cwd(), "test/data/outdated") }, (err, stdout, stderr) => { | ||
| if (!contains(stderr, stdout, "yarn.lock is outdated")) { | ||
@@ -31,3 +33,16 @@ errors.push("Should report yarn.lock files that are not in sync with package.json." + err + stderr + stdout); | ||
| finish(); | ||
| }), | ||
| exec(`${cmd} check --lockfile ../yarn.lock`, { cwd: join(process.cwd(), "test/data/workspace/package-1") }, (err, stdout, stderr) => { | ||
| if (!contains(stderr, stdout, "3 vulnerabilities found")) { | ||
| errors.push("Should report vulnerabilities from yarn.lock."); | ||
| } else { oks.push("workspace-package-1"); } | ||
| finish(); | ||
| }), | ||
| exec(`${cmd} check --lockfile ../yarn.lock`, { cwd: join(process.cwd(), "test/data/workspace/package-2") }, (err, stdout, stderr) => { | ||
| if (!contains(stderr, stdout, "No known vulnerabilities found")) { | ||
| errors.push("Should not report vulnerabilities of other packages in the workspaces yarn.lock."); | ||
| } else { oks.push("workspace-package-2"); } | ||
| finish(); | ||
| }) | ||
| ]; | ||
@@ -34,0 +49,0 @@ |
| const YarnPreprocessor = require("../index"); | ||
| const join = require("path").join; | ||
| const Fs = require('fs'); | ||
| function opts(path) { | ||
| return { | ||
| path: join(process.cwd(), path), | ||
| pkg: JSON.parse(Fs.readFileSync(join(process.cwd(), path, "test.package.json"))) | ||
| } | ||
| } | ||
| const tests = [ | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check({ path: join(process.cwd(), "test/data/sample") })).then(args => { | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check(opts("test/data/sample"))).then(args => { | ||
| if (!args || !args.shrinkwrap) { throw new Error("should add shrinkwrap"); } | ||
| return "sample"; | ||
| }), | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check({ path: join(process.cwd(), "test/data/circular") })).then(args => { | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check(opts("test/data/circular"))).then(args => { | ||
| if (!args || !args.shrinkwrap) { throw new Error("should add shrinkwrap"); } | ||
| return "circular"; | ||
| }), | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check({ path: join(process.cwd(), "test/data/outdated") })).then(() => { | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check(opts("test/data/outdated"))).then(() => { | ||
| throw new Error("Should report yarn.lock files that are not in sync with package.json."); | ||
| }, (err) => { | ||
| if (err.message.indexOf("Unable to load yarn.lock for project: outdated") >= 0) { | ||
| return "outdated"; | ||
| if (err.message.indexOf("Unable to load yarn.lock for project \"outdated\"") < 0) { | ||
| throw err; | ||
| } | ||
| throw err; | ||
| if (err.message.indexOf("yarn.lock is outdated") < 0) { | ||
| throw err; | ||
| } | ||
| return "outdated" | ||
| }), | ||
| () => Promise.resolve().then(() => YarnPreprocessor.check(Object.assign(opts("test/data/workspace/package-1"), { lockfile: "../yarn.lock" }))).then((args) => { | ||
| if (!args || !args.shrinkwrap) { throw new Error("should add shrinkwrap"); } | ||
| if (!args.shrinkwrap.dependencies.marked.dependencies.request) { throw new Error("should find nested dependencies from the workspace yarn.lock"); } | ||
| return "workspace-package-vulnerable" | ||
| }), | ||
| ].map(t => t().then(result => [null, result], err => [err, null])); | ||
@@ -22,0 +38,0 @@ |
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Fixed alerts
Mixed license
License(Experimental) Package contains multiple licenses.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by27.17%
10331
- Number of package files
- increased by33.33%
12
- Number of low license alerts
- decreased by-100%
0
- Lines of code
- increased by26.47%
172
- Number of lines in readme file
- increased by33.33%
36
Worsened metrics
- Number of low supply chain risk alerts
- increased by50%
3
- Number of medium supply chain risk alerts
- increased by100%
2
No dependency changes