snyk-policy - npm Package Compare versions

Comparing version 1.25.0 to 1.25.1

lib/filter/get-vuln-source.js

@@ -8,3 +8,3 @@ // FIXME move to ext module
 const path = require('path');
-const statSync = require('fs').statSync;
+const { statSync } = require('fs');
 let { parsePackageString: moduleToObject } = require('snyk-module');
@@ -11,0 +11,0 @@

lib/filter/patch.js

@@ -7,3 +7,3 @@ module.exports = filterPatched;
 const path = require('path');
-const statSync = require('fs').statSync;
+const { statSync } = require('fs');
 const getVulnSource = require('./get-vuln-source');
@@ -73,3 +73,5 @@
             res = statSync(oldFlag);
-          } catch (e) {}
+          } catch (e) {
+            // continue regardless of error
+          }
         }
@@ -76,0 +78,0 @@

lib/index.js

@@ -1,2 +0,2 @@
-const fs = require('promise-fs');
+const { lstatSync, promises: fs } = require('fs');
 const path = require('path');
@@ -98,3 +98,3 @@ const debug = require('debug')('snyk:policy');
   try {
-    if (fs.lstatSync(filename).isDirectory()) {
+    if (lstatSync(filename).isDirectory()) {
       filename = path.join(filename, '/.snyk');
@@ -101,0 +101,0 @@ }

lib/match.js

@@ -6,2 +6,13 @@ module.exports = {
 
+/**
+ * @typedef Vulnerability
+ * @type {Object}
+ * @property {string[]} from - the dependency path in which it was introduced. This should include the project itself.
+ */
+
+/**
+ * @typedef IgnoreRule
+ * @type {Object.<string, Object>}
+ */
+
 const debug = require('debug')('snyk:policy');
@@ -109,2 +120,9 @@ const debugPolicy = require('debug')('snyk:protect');
 
+/**
+ * Returns whether any of the ignore rule paths match the path in which the vulnerability was introduced
+ * @param {Vulnerability} vuln a single vulnerability, where `from` contains the dependency path in which it was introduced
+ * @param {IgnoreRule} rule an ignore rule for the given vulnerability with one or more paths to ignore
+ * @param {('packageManager'|'exact')} matchStrategy
+ * @returns whether any ignore rules match the vulnerabilities import path
+ */
 function matchToRule(vuln, rule, matchStrategy = 'packageManager') {
@@ -111,0 +129,0 @@ return Object.keys(rule).some(function (path) {

package.json

@@ -21,10 +21,10 @@ {
   "devDependencies": {
-    "@commitlint/cli": "^12.1.4",
-    "eslint": "^5.0.0",
-    "eslint-config-prettier": "^5.0.0",
+    "@commitlint/cli": "^17.6.1",
+    "eslint": "^8.38.0",
+    "eslint-config-prettier": "^8.8.0",
     "npm-run-all": "^4.1.5",
     "prettier": "^2.0.5",
     "proxyquire": "^2.1.0",
-    "sinon": "^4.0.0",
-    "tap": "^12.0.1",
+    "sinon": "^15.0.4",
+    "tap": "^16.3.4",
     "tap-only": "0.0.5"
@@ -37,3 +37,2 @@ },
     "lodash.clonedeep": "^4.5.0",
-    "promise-fs": "^2.1.1",
     "semver": "^7.3.4",
@@ -48,3 +47,9 @@ "snyk-module": "^3.0.0",
   },
-  "version": "1.25.0"
+  "tap": {
+    "branches": 85,
+    "functions": 95,
+    "lines": 90,
+    "statements": 90
+  },
+  "version": "1.25.1"
 }

README.md

@@ -101,2 +101,9 @@ # snyk-policy
 
+[Version ranges](https://github.com/npm/node-semver#versions) may also be used. For example, the following will all match the root dependency above:
+```
+@remy/protect-test@1.x
+@remy/protect-test@>=1.0.1
+@remy/protect-test@^1.0.2
+```
+
 ## Usage
@@ -103,0 +110,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

49224

increased by11.13%

Dependency count

8

decreased by-11.11%

Number of package files

22

increased by4.76%

Lines of code

1028

increased by1.78%

Number of lines in readme file

249

increased by2.89%

Worsened metrics

Number of low supply chain risk alerts

3

increased by50%

Dependency changes

• - Removedpromise-fs@^2.1.1