feat: verify engine constrains

README.md

@@ -111,3 +111,24 @@ As an example `mkdirp` can be replaced with `fs.mkdir(p, { recursive: true })` s
 While stable Linux distributions (e.g. Debian stable) and enterprise environment might not use the most recent versions they often try to stay away from EOL versions.
 Users stuck at older versions will not be able to update to the latest set of node packages but if you are using an environment with unsupported versions you are unlikely to want to update node packages.
 It is also very likely that the package doesn't actually run on such old version anyway because of a missing feature or a dependency requiring a later version.
+
+## Verify engine constraints
+
+Requires `engines.node` to be satisfied by all transitive dependencies.
+
+**Why?** It is a common error forget to verify transitive dependencies when setting constraints on node version.
+
+If `package.json` declares constraint such as:
+
+```json
+{
+  "dependencies": {
+    "my-dependency": "1.2.3"
+  },
+  "engines": {
+    "node": ">= 8"
+  }
+}
+```
+
+but the `my-dependency` constraint requires NodeJS 12 or later this rule yields an error as NodeJS 8 will not satisfy that constraint.

package.json

@@ -22,6 +22,7 @@
     "bin",
     "dist",
     "!**/*.d.ts",
+    "!**/*.js.map",
     "!**/*.spec.js"
   ],
   "scripts": {
@@ -54,11 +55,12 @@
   },
   "dependencies": {
     "@html-validate/stylish": "^1.0.0",
-    "argparse": "^2.0.1",
+    "argparse": "^2.0.0",
+    "execa": "^5.1.0",
     "find-up": "^5.0.0",
-    "semver": "^7.3.2",
-    "tar": "^6.0.5",
-    "tmp": "^0.2.1"
+    "semver": "^7.3.0",
+    "tar": "^6.0.0",
+    "tmp": "^0.2.0"
   },
   "devDependencies": {
     "@commitlint/cli": "12.1.4",
@@ -77,7 +79,6 @@
     "@types/tar": "4.0.4",
     "@types/tmp": "0.2.0",
     "eslint": "7.27.0",
-    "execa": "5.1.1",
     "glob": "7.1.7",
     "husky": "6.0.0",
     "jest": "27.0.4",

src/package-json.spec.ts

@@ -1,6 +1,12 @@
 import { verifyPackageJson } from "./package-json";
 import PackageJson from "./types/package-json";
 
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
+import { npmInfoMockDefault } from "./utils/npm-info";
+
+jest.mock("./utils/npm-info");
+
 let pkg: PackageJson;
 
 beforeEach(() => {
@@ -18,6 +24,7 @@ beforeEach(() => {
 			node: ">= 12",
 		},
 	};
+	npmInfoMockDefault(pkg);
 });
 
 it("should not return errors if package.json is well formed (strings only)", async () => {

src/package-json.ts

@@ -4,6 +4,7 @@ import { Result } from "./result";
 import { nonempty, present, typeArray, typeString, validUrl } from "./validators";
 import { isDisallowedDependency } from "./rules/disallowed-dependency";
 import { outdatedEngines } from "./rules/outdated-engines";
+import { verifyEngineConstraint } from "./rules/verify-engine-constraint";
 
 export interface VerifyPackageJsonOptions {
 	allowTypesDependencies?: boolean;
@@ -77,6 +78,7 @@ export async function verifyPackageJson(
 	options: VerifyPackageJsonOptions = {}
 ): Promise<Result[]> {
 	const messages: Message[] = [
+		...(await verifyEngineConstraint(pkg)),
 		...verifyFields(pkg, options),
 		...verifyDependencies(pkg, options),
 		...outdatedEngines(pkg),