ssri - npm Package Compare versions

Comparing version 10.0.2 to 10.0.3

lib/index.js

@@ -32,6 +32,11 @@ 'use strict'
     // options used for calculating stream.  can't be changed.
-    const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
-    this.algorithms = Array.from(
-      new Set(algorithms.concat(this.algorithm ? [this.algorithm] : []))
-    )
+    if (opts?.algorithms) {
+      this.algorithms = [...opts.algorithms]
+    } else {
+      this.algorithms = [...DEFAULT_ALGORITHMS]
+    }
+    if (this.algorithm !== null && !this.algorithms.includes(this.algorithm)) {
+      this.algorithms.push(this.algorithm)
+    }
+
     this.hashes = this.algorithms.map(crypto.createHash)
@@ -44,4 +49,13 @@ }
     this.expectedSize = this.opts?.size
-    this.goodSri = this.sri ? !!Object.keys(this.sri).length : false
-    this.algorithm = this.goodSri ? this.sri.pickAlgorithm(this.opts) : null
+
+    if (!this.sri) {
+      this.algorithm = null
+    } else if (this.sri.isHash) {
+      this.goodSri = true
+      this.algorithm = this.sri.algorithm
+    } else {
+      this.goodSri = !this.sri.isEmpty()
+      this.algorithm = this.sri.pickAlgorithm(this.opts)
+    }
+
     this.digests = this.goodSri ? this.sri[this.algorithm] : null
@@ -164,2 +178,25 @@ this.optString = getOptString(this.opts?.options)
 
+  match (integrity, opts) {
+    const other = parse(integrity, opts)
+    if (!other) {
+      return false
+    }
+    if (other.isIntegrity) {
+      const algo = other.pickAlgorithm(opts, [this.algorithm])
+
+      if (!algo) {
+        return false
+      }
+
+      const foundHash = other[algo].find(hash => hash.digest === this.digest)
+
+      if (foundHash) {
+        return foundHash
+      }
+
+      return false
+    }
+    return other.digest === this.digest ? other : false
+  }
+
   toString (opts) {
@@ -291,4 +328,5 @@ if (opts?.strict) {
     }
-    const algo = other.pickAlgorithm(opts)
+    const algo = other.pickAlgorithm(opts, Object.keys(this))
     return (
+      !!algo &&
       this[algo] &&
@@ -304,8 +342,18 @@ other[algo] &&
 
-  pickAlgorithm (opts) {
+  // Pick the highest priority algorithm present, optionally also limited to a
+  // set of hashes found in another integrity.  When limiting it may return
+  // nothing.
+  pickAlgorithm (opts, hashes) {
     const pickAlgorithm = opts?.pickAlgorithm || getPrioritizedHash
-    const keys = Object.keys(this)
-    return keys.reduce((acc, algo) => {
-      return pickAlgorithm(acc, algo) || acc
+    const keys = Object.keys(this).filter(k => {
+      if (hashes?.length) {
+        return hashes.includes(k)
+      }
+      return true
     })
+    if (keys.length) {
+      return keys.reduce((acc, algo) => pickAlgorithm(acc, algo) || acc)
+    }
+    // no intersection between this and hashes,
+    return null
   }
@@ -373,3 +421,3 @@ }
 function fromData (data, opts) {
-  const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
+  const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS]
   const optString = getOptString(opts?.options)
@@ -408,3 +456,3 @@ return algorithms.reduce((acc, algo) => {
     istream.on('end', () => resolve(sri))
-    istream.on('data', () => {})
+    istream.resume()
   })
@@ -476,3 +524,3 @@ }
     checker.on('end', () => resolve(verified))
-    checker.on('data', () => {})
+    checker.resume()
   })
@@ -488,3 +536,3 @@ }
 function createIntegrity (opts) {
-  const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
+  const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS]
   const optString = getOptString(opts?.options)
@@ -524,3 +572,3 @@
 
-const NODE_HASHES = new Set(crypto.getHashes())
+const NODE_HASHES = crypto.getHashes()
 
@@ -535,3 +583,3 @@ // This is a Best Effort™ at a reasonable priority for hash algos
   'sha3_256', 'sha3_384', 'sha3_512',
-].filter(algo => NODE_HASHES.has(algo))
+].filter(algo => NODE_HASHES.includes(algo))
 
@@ -538,0 +586,0 @@ function getPrioritizedHash (algo1, algo2) {

package.json

 {
   "name": "ssri",
-  "version": "10.0.2",
+  "version": "10.0.3",
   "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

Fixed alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

38712

increased by2.85%

Lines of code

510

increased by8.51%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes