snyk - npm Package Compare versions

Comparing version 1.8.5-alpha2 to 1.8.5-alpha3

cli/commands/protect/wizard.js

@@ -26,3 +26,16 @@ module.exports = wizard;
 var cwd = process.cwd();
+var semver = require('semver');
+var command = require('../../../lib/exec');
 
+// bail if npm version >=3
+function checkNpmVersion() {
+  return command('npm -v').then(function (ver) {
+    if (!semver.lt(ver, '3.0.0')) {
+      var error = new Error();
+      error.code = 'NPM_VERSION3_NOT_SUPPORTED';
+      throw error;
+    }
+  });
+}
+
 function wizard(options) {
@@ -41,63 +54,65 @@ if (!options) {
 
-  return snyk.policy.load(options).catch(function (error) {
-    // if we land in the catch, but we're in interactive mode, then it means
-    // the file hasn't been created yet, and that's fine, so we'll resolve
-    // with an empty object
-    if (error.code === 'ENOENT') {
-      options.newPolicy = true;
-      return {};
-    }
+  return checkNpmVersion().then(function () {
+    return snyk.policy.load(options).catch(function (error) {
+      // if we land in the catch, but we're in interactive mode, then it means
+      // the file hasn't been created yet, and that's fine, so we'll resolve
+      // with an empty object
+      if (error.code === 'ENOENT') {
+        options.newPolicy = true;
+        return {};
+      }
 
-    throw error;
-  }).then(function (policy) {
-    return auth.isAuthed().then(function (authed) {
-      analytics.add('inline-auth', !authed);
-      if (!authed) {
-        return auth();
-      }
-    }).then(function () {
-      var intro = __dirname + '/../../../help/wizard-intro.txt';
-      return fs.readFile(intro, 'utf8').then(function (str) {
-        if (!isCI) {
-          console.log(str);
+      throw error;
+    }).then(function (policy) {
+      return auth.isAuthed().then(function (authed) {
+        analytics.add('inline-auth', !authed);
+        if (!authed) {
+          return auth();
         }
       }).then(function () {
-        return new Promise(function (resolve) {
-          if (options.newPolicy) {
-            return resolve(); // don't prompt to start over
+        var intro = __dirname + '/../../../help/wizard-intro.txt';
+        return fs.readFile(intro, 'utf8').then(function (str) {
+          if (!isCI) {
+            console.log(str);
           }
-          inquirer.prompt(allPrompts.startOver(), function (answers) {
-            analytics.add('start-over', answers['misc-start-over']);
-            if (answers['misc-start-over']) {
-              options['ignore-policy'] = true;
+        }).then(function () {
+          return new Promise(function (resolve) {
+            if (options.newPolicy) {
+              return resolve(); // don't prompt to start over
             }
+            inquirer.prompt(allPrompts.startOver(), function (answers) {
+              analytics.add('start-over', answers['misc-start-over']);
+              if (answers['misc-start-over']) {
+                options['ignore-policy'] = true;
+              }
 
-            resolve();
+              resolve();
+            });
           });
-        });
-      }).then(function () {
-        return snyk.test(cwd, options).then(function (res) {
-          var packageFile = path.resolve(cwd, 'package.json');
+        }).then(function () {
+          return snyk.test(cwd, options).then(function (res) {
+            var packageFile = path.resolve(cwd, 'package.json');
 
-          if (!res.ok) {
-            var vulns = res.vulnerabilities;
-            // echo out the deps + vulns found
-            console.log('Tested %s dependencies for known vulnerabilities, %s',
-              res.dependencyCount,
-              chalk.bold.red('found ' + vulns.length + ' vulnerabilities.'));
-          } else {
-            console.log(chalk.green('✓ Tested %s dependencies for known ' +
-              'vulnerabilities, no vulnerabilities found.'),
-              res.dependencyCount);
-          }
+            if (!res.ok) {
+              var vulns = res.vulnerabilities;
+              // echo out the deps + vulns found
+              console.log('Tested %s dependencies for known vulnerabilities, %s',
+                res.dependencyCount,
+                chalk.bold.red('found ' + vulns.length + ' vulnerabilities.'));
+            } else {
+              console.log(chalk.green('✓ Tested %s dependencies for known ' +
+                'vulnerabilities, no vulnerabilities found.'),
+                res.dependencyCount);
+            }
 
 
-          return fs.readFile(packageFile, 'utf8')
-            .then(JSON.parse)
-            .then(function (pkg) {
+            return fs.readFile(packageFile, 'utf8')
+              .then(JSON.parse)
+              .then(function (pkg) {
 
-              return interactive(res, pkg, policy).then(function (answers) {
-                return processAnswers(answers, policy, options);
+                return interactive(res, pkg, policy).then(function (answers) {
+                  return processAnswers(answers, policy, options);
+                });
               });
-            });
+          });
         });
@@ -107,2 +122,3 @@ });
   });
+
 }
@@ -109,0 +125,0 @@

lib/error.js

@@ -25,2 +25,5 @@ var Promise = require('es6-promise').Promise; // jshint ignore:line
     'this project had none). Try re-running with the `--dev` flag.',
+  npm3NotSupported: 'Snyk\'s wizard doesn\'t support npm@3 yet. Run snyk ' +
+    'test to find issues in your project, and manually apply' +
+    ' upgrades and patches.',
 };
@@ -45,2 +48,3 @@
   NOT_FOUND_HAS_DEV_DEPS: errors.tryDevDeps,
+  NPM_VERSION3_NOT_SUPPORTED: errors.npm3NotSupported,
 };
@@ -47,0 +51,0 @@

lib/modules.js

@@ -10,2 +10,3 @@ module.exports = loadModules;
 
+var fs = require('then-fs');
 var _ = require('lodash');
@@ -18,3 +19,2 @@ var Promise = require('es6-promise').Promise; // jshint ignore:line
 var spinner = require('./spinner');
-var resolvePkg = require('./resolve');
 
@@ -73,34 +73,7 @@ // FIXME only supports dependancies & dev deps not opt-deps
     }
-
-    // only read the dev deps on the first pass, don't go any further (which is
-    // why we set `options.dev = false`), and we merge them into the
-    // pkg.dependencies property.
-    if (options.dev) {
-      if (!pkg.dependencies) {
-        pkg.dependencies = {};
-      }
-      _.merge(pkg.dependencies, pkg.devDependencies);
-    }
-
-    options.dev = false;
-
     modules.dependencies = {};
-    var keys = Object.keys(pkg.dependencies);
-    if (keys.length === 0) {
-      return modules;
-    }
 
-    return Promise.all(keys.map(function (name) {
-      return resolvePkg(name, root).catch(function () {
-        // swallow
-      });
-    })).then(function (dirs) {
-      var seen = [];
-      var res = dirs.filter(Boolean).filter(function (dir) {
-        if (seen.indexOf(dir) === -1) {
-          seen.push(dir);
-          return true;
-        }
-        return false;
-      }).map(function (dir) {
+    // 2. check actual installed deps
+    return fs.readdir(path.resolve(root, 'node_modules')).then(function (dirs) {
+      var res = dirs.map(function (dir) {
         // completely ignore `.bin` npm helper dir
@@ -113,15 +86,15 @@ if (dir === '.bin') {
         // inside *this* `dir`, so treat differently
-        // if (dir.indexOf('@') === 0) {
-        //   dir = path.resolve(root, 'node_modules', dir);
-        //   return fs.readdir(dir).then(function (dirs) {
-        //     return Promise.all(dirs.map(function (scopedDir) {
-        //       dir = path.resolve(dir, scopedDir, 'package.json');
-        //       return tryRequire(dir);
-        //     }));
-        //   });
-        // }
+        if (dir.indexOf('@') === 0) {
+          dir = path.resolve(root, 'node_modules', dir);
+          return fs.readdir(dir).then(function (dirs) {
+            return Promise.all(dirs.map(function (scopedDir) {
+              dir = path.resolve(dir, scopedDir, 'package.json');
+              return tryRequire(dir);
+            }));
+          });
+        }
 
 
         // otherwise try to load a package.json from this node_module dir
-        dir = path.resolve(dir, 'package.json');
+        dir = path.resolve(root, 'node_modules', dir, 'package.json');
         return tryRequire(dir);
@@ -173,3 +146,2 @@ });
           acc[curr.name] = {
-            __filename: curr.__filename,
             name: curr.name,
@@ -200,3 +172,3 @@ version: curr.version || null,
         var depType = modules.dependencies[dep].depType;
-        var dir = path.resolve(modules.dependencies[dep].__filename, '..'); //path.resolve(root, 'node_modules', dep);
+        var dir = path.resolve(root, 'node_modules', dep);
         return loadModulesInternal(dir, depType, options);
@@ -207,2 +179,3 @@ });
         res.forEach(function (mod) {
+          // console.log(modules.dependencies[mod.name], mod.name, mod);
           modules.dependencies[mod.name].dependencies = mod.dependencies;
@@ -233,2 +206,2 @@ });
   return promise;
-}
+}

lib/protect.js

@@ -24,3 +24,3 @@ var protect = module.exports = {
 var statSync = require('fs').statSync;
-var resolve = require('./resolve');
+var resolve = require('resolve');
 var path = require('path');
@@ -377,6 +377,7 @@ var _ = require('lodash');
 
-          var source = basedir;
-
+          var pkgDir = basedir;
           try {
-            source = resolve.sync(from.slice(-1).pop(), basedir);
+            pkgDir = resolve.sync(from.slice(-1).pop(), {
+              basedir: basedir,
+            });
           } catch (e) {
@@ -391,2 +392,3 @@ if (live) {
           }
+          source = path.dirname(pkgDir);
           debug('found better source for package: %s', source);
@@ -554,3 +556,3 @@ }
 
-    var cmd = 'patch -p1 --backup --silent < ' + patch;
+    var cmd = 'patch -p1 --backup --verbose < ' + patch;
     var test = ' --dry-run';
@@ -573,3 +575,3 @@
       var out = stdout.trim();
-      if (error || out) {
+      if (error || out.indexOf('FAILED') !== -1) {
         debug('patch command failed', relative, error, out);
@@ -589,3 +591,3 @@ return reject(patchError(error, out, relative, patch));
         var out = stdout.trim();
-        if (error || out) {
+        if (error || out.indexOf('FAILED') !== -1) {
           debug('patch command failed', relative, error, out);
@@ -595,2 +597,4 @@ return reject(patchError(error, out, relative, patch));
 
+        debug('patch succeed', out);
+
         resolve();
@@ -597,0 +601,0 @@ });

lib/try-require.js

@@ -29,6 +29,4 @@ module.exports = tryRequire;
 
-      pkg.__filename = filename;
-
       return pkg;
     });
 }

package.json

@@ -5,3 +5,3 @@ {
   "main": "lib/index.js",
-  "version": "1.8.5-alpha2",
+  "version": "1.8.5-alpha3",
   "directories": {
@@ -17,3 +17,5 @@ "test": "test"
     "watch": "nodemon -q -x 'for FILE in test/*.test.js; do echo $FILE; tape $FILE | tap-spec; if [ $? -ne 0 ]; then exit 1; fi; done'",
-    "semantic-release": "semantic-release pre && npm publish && semantic-release post"
+    "semantic-release": "semantic-release pre && npm publish && semantic-release post",
+    "snyk-protect": "node cli/index.js protect",
+    "postinstall": "npm run snyk-protect"
   },
@@ -66,3 +68,4 @@ "keywords": [
     "url": "https://github.com/Snyk/snyk.git"
-  }
+  },
+  "snyk": true
 }

New alerts

Install scripts

Supply chain risk

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Found 1 instance in 1 package

Improved metrics

Number of package files

102

increased by7.37%

Lines of code

4846

increased by4.96%

Worsened metrics

Total package byte prevSize

4638579

decreased by-3.54%

Number of high supply chain risk alerts

1

increased byInfinity%

No dependency changes