snyk-policy
Advanced tools
snyk-policy - npm Package Compare versions
Comparing version 2.0.0-alpha.2 to 2.0.0
| { | ||
| "name": "snyk-policy", | ||
| "version": "2.0.0", | ||
| "description": "Snyk's policy parser and matching logic", | ||
| "version": "2.0.0-alpha.2", | ||
| "main": "lib/index.js", | ||
| "files": [ | ||
| "dist/lib", | ||
| "LICENSE", | ||
| "README.md" | ||
| ], | ||
| "main": "./dist/lib/index.js", | ||
| "scripts": { | ||
| "lint": "jscs lib/**/*.js -v", | ||
| "travis-coverage": "node_modules/tap/node_modules/.bin/nyc report --reporter=text-lcov | node_modules/tap/node_modules/.bin/coveralls", | ||
| "check-tests": "! grep 'test.only' test/**/*.test.js -n", | ||
| "build": "npm run clean && tsc", | ||
| "clean": "rm -rf ./dist", | ||
| "dev": "tsc -w", | ||
| "env": "node -e 'console.log(process.env, process.versions)'", | ||
| "cover": "tap test/**/*.test.js --cov --coverage-report=lcov", | ||
| "tap": "COVERALLS_REPO_TOKEN=0 tap test/**/*.test.js --cov --timeout=60 --coverage-report=text-summary", | ||
| "test": "npm run check-tests && npm run lint && npm run tap", | ||
| "semantic-release": "semantic-release pre && npm publish && semantic-release post" | ||
| "lint": "run-p --max-parallel=${JOBS:-6} --aggregate-output lint:*", | ||
| "lint:eslint": "eslint -c .eslintrc lib", | ||
| "lint:commits": "commitlint --from=HEAD~20", | ||
| "format": "prettier --write '{lib,test}/**/*.?s'", | ||
| "prepack": "npm run build", | ||
| "check-tests": "! grep 'test.only' test/**/*.test.ts -n", | ||
| "tap": "tap test/**/*.test.ts -R spec --timeout=60 --ts", | ||
| "test": "npm run check-tests && npm run tap" | ||
| }, | ||
@@ -22,24 +31,35 @@ "keywords": [ | ||
| "devDependencies": { | ||
| "jscs": "^2.11.0", | ||
| "proxyquire": "^1.7.4", | ||
| "semantic-release": "^4.3.5", | ||
| "sinon": "^1.17.3", | ||
| "tap": "^5.7.0", | ||
| "tap-only": "0.0.5" | ||
| "@commitlint/cli": "^17.6.1", | ||
| "@typescript-eslint/eslint-plugin": "^5.59.1", | ||
| "@typescript-eslint/parser": "^5.59.1", | ||
| "eslint": "^8.39.0", | ||
| "eslint-config-prettier": "^8.8.0", | ||
| "npm-run-all": "^4.1.5", | ||
| "prettier": "^2.0.5", | ||
| "sinon": "^15.0.4", | ||
| "tap": "^16.3.4", | ||
| "tap-only": "0.0.5", | ||
| "ts-node": "^10.9.1", | ||
| "typescript": "^5.0.4" | ||
| }, | ||
| "dependencies": { | ||
| "debug": "^2.2.0", | ||
| "es6-promise": "^3.1.2", | ||
| "js-yaml": "^3.5.3", | ||
| "lodash.clonedeep": "^4.3.1", | ||
| "semver": "^5.1.0", | ||
| "snyk-module": "^1.6.0", | ||
| "snyk-resolve": "^1.0.0", | ||
| "snyk-try-require": "^1.1.1", | ||
| "then-fs": "^2.0.0" | ||
| "debug": "^4.1.1", | ||
| "email-validator": "^2.0.4", | ||
| "js-yaml": "^3.13.1", | ||
| "lodash.clonedeep": "^4.5.0", | ||
| "semver": "^7.3.4", | ||
| "snyk-module": "^3.0.0", | ||
| "snyk-resolve": "^1.1.0", | ||
| "snyk-try-require": "^2.0.2" | ||
| }, | ||
| "repository": { | ||
| "type": "git", | ||
| "url": "https://github.com/Snyk/policy.git" | ||
| "url": "https://github.com/snyk/policy.git" | ||
| }, | ||
| "tap": { | ||
| "branches": 85, | ||
| "functions": 90, | ||
| "lines": 90, | ||
| "statements": 90 | ||
| } | ||
| } |
@@ -49,3 +49,3 @@ # snyk-policy | ||
| { | ||
| patched: '<JSON date format>' | ||
| patched: '<JSON date format>'; | ||
| } | ||
@@ -102,2 +102,9 @@ ``` | ||
| [Version ranges](https://github.com/npm/node-semver#versions) may also be used. For example, the following will all match the root dependency above: | ||
| ``` | ||
| @remy/protect-test@1.x | ||
| @remy/protect-test@>=1.0.1 | ||
| @remy/protect-test@^1.0.2 | ||
| ``` | ||
| ## Usage | ||
@@ -108,6 +115,6 @@ | ||
| ```js | ||
| var policy = require('snyk-policy'); | ||
| const policy = require('snyk-policy'); | ||
| var vulns = snyk.test('snyk-demo-app@1.0.0'); // assumes snyk is loaded | ||
| policy.load(process.cwd()).then(rules => { | ||
| const vulns = snyk.test('snyk-demo-app@1.0.0'); // assumes snyk is loaded | ||
| policy.load(process.cwd()).then((rules) => { | ||
| console.log(rules.filter(vulns)); | ||
@@ -183,16 +190,4 @@ }); | ||
| If all the vulns are filtered because of the policy, then the `ok` bool is set to `true`. | ||
| If all the vulns are stripped because of the policy, then the `ok` bool is set to `true`. | ||
| **Important:** the `vulnerabilities` array will contain all the initial vulnerabilities, but each filtered vuln will include a new `filtered` property: | ||
| ```js | ||
| "filtered": { | ||
| "type": "ignore", // or `patch` | ||
| "metadata": { // only included on `type="ignore"` | ||
| "reason": String, | ||
| "expires": Date | ||
| } | ||
| } | ||
| ``` | ||
| Note that this method is also available on the response object from [`.load`](#policyloadroot-options), so can be called as `res.filter()` (where `res` is the loaded config). | ||
@@ -202,8 +197,2 @@ | ||
| ### .stripstripFiltered(vulns) | ||
| Reads the vulnerabilities and looks for the `filtered` property removing each so that you're left with only the vulnerabilities that affect the package. | ||
| Note that the `vulns` object is expects to be the result of the `policy.filter` method. | ||
| ### policy.getByVuln(config, vuln) | ||
@@ -233,5 +222,33 @@ | ||
| ## Sample policies | ||
| Note that `<path to package>` below is the dependency chain of package names and valid versions separated by a `>` symbol. | ||
| By default, the policy file does not add versions to these packages, so a path would look like: `'jade > transformers > uglify-js'`, but it can include versions. More details and examples can be seen in the [module path rules](#module-path-rules) section. | ||
| ### Ignore | ||
| ```text | ||
| ignore: | ||
| '<snyk-vuln-id>': | ||
| - '<path to package>': | ||
| reason: String | ||
| expires: String(format: Date().toJSON()) | ||
| patch: {} | ||
| version: v1.0.0 | ||
| ``` | ||
| ### Patch | ||
| ```text | ||
| patch: | ||
| '<snyk-vuln-id>': | ||
| - '<path to package>': | ||
| patched: String(format: Date().toJSON()) | ||
| version: v1 | ||
| ``` | ||
| ## Misc | ||
| * [CONTRIBUTING.md](.github/CONTRIBUTING.md) | ||
| * [License: Apache License, Version 2.0](LICENSE) | ||
| - [CONTRIBUTING.md](.github/CONTRIBUTING.md) | ||
| - [License: Apache License, Version 2.0](LICENSE) |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Dynamic require
Supply chain riskDynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Dependency count
- decreased by-11.11%
8
- Number of low quality alerts
- decreased by-50%
1
- Number of lines in readme file
- increased by7.33%
249
- Number of low supply chain risk alerts
- decreased by-40%
3
Worsened metrics
- Total package byte prevSize
- decreased by-96.57%
55870
- Dev dependency count
- increased by100%
12
- Number of package files
- decreased by-77.14%
16
- Lines of code
- decreased by-6.79%
1153
- Number of medium supply chain risk alerts
- increased byInfinity%
1
Dependency changes
+ Addedemail-validator@^2.0.4
+ Addedemail-validator@2.0.4(transitive)
+ Addedhosted-git-info@4.1.0(transitive)
+ Addedlru-cache@5.1.16.0.0(transitive)
+ Addedsemver@7.6.3(transitive)
+ Addedsnyk-module@3.2.0(transitive)
+ Addedsnyk-try-require@2.0.2(transitive)
+ Addedyallist@3.1.14.0.0(transitive)
- Removedes6-promise@^3.1.2
- Removedthen-fs@^2.0.0
- Removedasap@2.0.6(transitive)
- Removeddebug@2.6.93.2.7(transitive)
- Removedes6-promise@3.3.1(transitive)
- Removedhosted-git-info@2.8.9(transitive)
- Removedlru-cache@4.1.5(transitive)
- Removedms@2.0.0(transitive)
- Removedpromise@7.3.1(transitive)
- Removedpseudomap@1.0.2(transitive)
- Removedsemver@5.7.2(transitive)
- Removedsnyk-module@1.9.1(transitive)
- Removedsnyk-try-require@1.3.1(transitive)
- Removedthen-fs@2.0.0(transitive)
- Removedyallist@2.1.2(transitive)
Updateddebug@^4.1.1
Updatedjs-yaml@^3.13.1
Updatedlodash.clonedeep@^4.5.0
Updatedsemver@^7.3.4
Updatedsnyk-module@^3.0.0
Updatedsnyk-resolve@^1.1.0
Updatedsnyk-try-require@^2.0.2