fix(api): lint all dependencies in package-lock (#53)

will not override in the object if there is a matching dep and version and will lint all the dependencies of dependencies.
lirantal · Feb 3, 2020 · f5bb8ca · f5bb8ca
1 parent dda2dff
commit f5bb8ca
Show file tree

Hide file tree

Showing 10 changed files with 28 additions and 56 deletions.
diff --git a/packages/lockfile-lint-api/__tests__/parseNpmLockfile.test.js b/packages/lockfile-lint-api/__tests__/parseNpmLockfile.test.js
@@ -17,8 +17,8 @@ describe('ParseLockfile Npm', () => {
     expect(lockfile.type).toEqual('success')
     expect(lockfile.object).toEqual(
       expect.objectContaining({
-        'debug@4.1.1': expect.any(Object),
-        'ms@2.1.2': expect.any(Object)
+        'debug@4.1.1-031b0fadad70d901aa76ca1028682c7fc8ed370c': expect.any(Object),
+        'ms@2.1.2-d6934ce87f6e568c4f5d6d9f6e5c5697992e7b91': expect.any(Object)
       })
     )
   })
@@ -35,10 +35,10 @@ describe('ParseLockfile Npm', () => {
     expect(lockfile.type).toEqual('success')
     expect(lockfile.object).toEqual(
       expect.objectContaining({
-        'debug@4.1.1': expect.any(Object),
-        'ms@2.1.2': expect.any(Object),
-        'ms@2.0.0': expect.any(Object),
-        'escape-html@1.0.3': expect.any(Object)
+        'debug@4.1.1-031b0fadad70d901aa76ca1028682c7fc8ed370c': expect.any(Object),
+        'ms@2.1.2-d6934ce87f6e568c4f5d6d9f6e5c5697992e7b91': expect.any(Object),
+        'ms@2.0.0-e3988f0b9b049286d39bee2b87cda1737adf1ba7': expect.any(Object),
+        'escape-html@1.0.3-541618a9ecf9b6e94c9131aec4590d01a5b0e720': expect.any(Object)
       })
     )
   })

diff --git a/packages/lockfile-lint-api/__tests__/validators.host.test.js b/packages/lockfile-lint-api/__tests__/validators.host.test.js
@@ -1,5 +1,4 @@
 const ValidatorHost = require('../src/validators/ValidateHost')
-const PackageError = require('../src/common/PackageError')
 
 describe('Validator: Host', () => {
   it('validator should throw an error when provided a string', () => {
@@ -144,17 +143,6 @@ describe('Validator: Host', () => {
     })
   })
 
-  it('validator should throw a descriptive error when one is encounterd in a package', () => {
-    const mockedPackages = {
-      '@babel/code-frame': {
-        resolved: 'debug-4.1.1.tgz#3b72260255109c6b589cee050f1d516139664791'
-      }
-    }
-    const validator = new ValidatorHost({packages: mockedPackages})
-
-    expect(() => validator.validate(['npm'])).toThrow(PackageError)
-  })
-
   it('validator should not throw if emptyHostnames are allowed', () => {
     const mockedPackages = {
       '@babel/code-frame': {

diff --git a/packages/lockfile-lint-api/__tests__/validators.https.test.js b/packages/lockfile-lint-api/__tests__/validators.https.test.js
@@ -1,5 +1,4 @@
 const ValidatorHTTPS = require('../src/validators/ValidateHttps')
-const PackageError = require('../src/common/PackageError')
 
 describe('Validator: HTTPS', () => {
   it('validator should throw an error when provided a string', () => {
@@ -60,17 +59,6 @@ describe('Validator: HTTPS', () => {
     })
   })
 
-  it('validator should throw a descriptive error when one is encounterd in a package', () => {
-    const mockedPackages = {
-      '@babel/code-frame': {
-        resolved: 'debug-4.1.1.tgz#3b72260255109c6b589cee050f1d516139664791'
-      }
-    }
-    const validator = new ValidatorHTTPS({packages: mockedPackages})
-
-    expect(() => validator.validate(['npm'])).toThrow(PackageError)
-  })
-
   it('validator should succeed if package has no `resolved` field', () => {
     const mockedPackages = {
       '@babel/code-frame': {

diff --git a/packages/lockfile-lint-api/__tests__/validators.scheme.test.js b/packages/lockfile-lint-api/__tests__/validators.scheme.test.js
@@ -1,5 +1,4 @@
 const ValidatorScheme = require('../src/validators/ValidateScheme')
-const PackageError = require('../src/common/PackageError')
 
 describe('Validator: Protocol', () => {
   it('validator should throw an error when provided a string', () => {
@@ -70,17 +69,6 @@ describe('Validator: Protocol', () => {
     })
   })
 
-  it('validator should throw a descriptive error when one is encounterd in a package', () => {
-    const mockedPackages = {
-      '@babel/code-frame': {
-        resolved: 'debug-4.1.1.tgz#3b72260255109c6b589cee050f1d516139664791'
-      }
-    }
-    const validator = new ValidatorScheme({packages: mockedPackages})
-
-    expect(() => validator.validate(['npm'])).toThrow(PackageError)
-  })
-
   it('validator should succeed if package has no `resolved` field', () => {
     const mockedPackages = {
       '@babel/code-frame': {

diff --git a/packages/lockfile-lint-api/package.json b/packages/lockfile-lint-api/package.json
@@ -49,7 +49,8 @@
   },
   "dependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
-    "debug": "^4.1.1"
+    "debug": "^4.1.1",
+    "object-hash": "^2.0.1"
   },
   "devDependencies": {
     "babel-eslint": "^10.0.1",

diff --git a/packages/lockfile-lint-api/src/ParseLockfile.js b/packages/lockfile-lint-api/src/ParseLockfile.js
@@ -4,6 +4,7 @@
 const fs = require('fs')
 const path = require('path')
 const yarnLockfileParser = require('@yarnpkg/lockfile')
+const hash = require('object-hash')
 const {ParsingError, ERROR_MESSAGES} = require('./common/ParsingError')
 const {
   NO_OPTIONS,
@@ -124,26 +125,26 @@ class ParseLockfile {
     }
   }
 
-  _flattenNpmDepsTree (npmDepsTree) {
-    let flattenedDepTree = {}
-    let flattenedNestedDepsTree = {}
+  _flattenNpmDepsTree (npmDepsTree, npmDepMap = {}) {
     for (const [depName, depMetadata] of Object.entries(npmDepsTree)) {
       const depMetadataShortend = {
         version: depMetadata.version,
         resolved: depMetadata.resolved ? depMetadata.resolved : depMetadata.version,
         integrity: depMetadata.integrity,
         requires: depMetadata.requires
       }
+      const hashedDepValues = hash(depMetadataShortend)
 
-      flattenedDepTree[`${depName}@${depMetadata.version}`] = depMetadataShortend
+      npmDepMap[`${depName}@${depMetadata.version}-${hashedDepValues}`] = depMetadataShortend
 
       const nestedDepsTree = depMetadata.dependencies
+
       if (nestedDepsTree && Object.keys(nestedDepsTree).length !== 0) {
-        flattenedNestedDepsTree = this._flattenNpmDepsTree(nestedDepsTree)
+        this._flattenNpmDepsTree(nestedDepsTree, npmDepMap)
       }
     }
 
-    return Object.assign({}, flattenedDepTree, flattenedNestedDepsTree)
+    return npmDepMap
   }
 }
 

diff --git a/packages/lockfile-lint-api/src/validators/ValidateHost.js b/packages/lockfile-lint-api/src/validators/ValidateHost.js
@@ -2,7 +2,6 @@
 
 const {URL} = require('url')
 const debug = require('debug')('lockfile-lint-api')
-const PackageError = require('../common/PackageError')
 const {REGISTRY} = require('../common/constants')
 
 module.exports = class ValidateHost {
@@ -30,10 +29,11 @@ module.exports = class ValidateHost {
       }
 
       let packageResolvedURL = {}
+
       try {
         packageResolvedURL = new URL(packageMetadata.resolved)
       } catch (error) {
-        throw new PackageError(packageName, error)
+        // swallow error (assume that the version is correct)
       }
 
       const allowedHosts = hosts.map(hostValue => {

diff --git a/packages/lockfile-lint-api/src/validators/ValidateHttps.js b/packages/lockfile-lint-api/src/validators/ValidateHttps.js
@@ -1,7 +1,6 @@
 'use strict'
 
 const {URL} = require('url')
-const PackageError = require('../common/PackageError')
 
 const HTTPS_PROTOCOL = 'https:'
 
@@ -26,10 +25,11 @@ module.exports = class ValidateHttps {
       }
 
       let packageResolvedURL = {}
+
       try {
         packageResolvedURL = new URL(packageMetadata.resolved)
       } catch (error) {
-        throw new PackageError(packageName, error)
+        // swallow error (assume that the version is correct)
       }
 
       if (packageResolvedURL.protocol !== HTTPS_PROTOCOL) {

diff --git a/packages/lockfile-lint-api/src/validators/ValidateScheme.js b/packages/lockfile-lint-api/src/validators/ValidateScheme.js
@@ -1,7 +1,6 @@
 'use strict'
 
 const {URL} = require('url')
-const PackageError = require('../common/PackageError')
 
 module.exports = class ValidateProtocol {
   constructor ({packages} = {}) {
@@ -28,12 +27,14 @@ module.exports = class ValidateProtocol {
       }
 
       let packageResolvedURL = {}
+
       try {
         packageResolvedURL = new URL(packageMetadata.resolved)
       } catch (error) {
-        throw new PackageError(packageName, error)
+        // swallow error (assume that the version is correct)
       }
-      if (schemes.indexOf(packageResolvedURL.protocol) === -1) {
+
+      if (packageResolvedURL.protocol && schemes.indexOf(packageResolvedURL.protocol) === -1) {
         // throw new Error(`detected invalid origin for package: ${packageName}`)
         validationResult.errors.push({
           message: `detected invalid scheme(s) for package: ${packageName}\n    expected: ${schemes}\n    actual: ${

diff --git a/yarn.lock b/yarn.lock
@@ -7229,6 +7229,11 @@ object-copy@^0.1.0:
     define-property "^0.2.5"
     kind-of "^3.0.3"
 
+object-hash@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/object-hash/-/object-hash-2.0.1.tgz#cef18a0c940cc60aa27965ecf49b782cbf101d96"
+  integrity sha512-HgcGMooY4JC2PBt9sdUdJ6PMzpin+YtY3r/7wg0uTifP+HJWW8rammseSEHuyt0UeShI183UGssCJqm1bJR7QA==
+
 object-keys@^1.0.12:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-1.1.1.tgz#1c47f272df277f3b1daf061677d9c82e2322c60e"