Use allowed url patterns in a single hostname #112
Comments
Hi @eserkaraca, I think that's a good idea for an enhancement.
Another use case for this feature is to ensure URLs on GitHub are from allowed orgs, such as only the org developing the project, example in: BlueWallet/BlueWallet#5329
Yep, makes total sense and that's another good use case @emanuelb. I would say we could update
Yes, both options are ok (adding another parameter that supports patterns such as globbing or regex, or adding this functionality to already available I prefer a new parameter name to support additional patterns because of the reasons mentioned above (not changing previous usages in any way, less chance to introduce bugs that way for usage that doesn't expect any patterns)
I found this issue after having the same need, I would propose to add a
@eserkaraca It seems to me that your example use case could be supported without a glob or regex. Do you agree, or is the
or for multiple registries
@eins78 per my above comment about using allowed-urls - I generally still think it holds to just use that and update the current capability to regexes. However, as @emanuelb pointed out it might break existing URLs. I find
EDIT: @eins78 specifically for your use case above with the registries, can you explain why the existing
I'm not sure if it is related, but I have an internal registry too, and I can't make it ignore my private packages:
And I get
Settings:

```json
"lockfile-lint": {
  "allowed-hosts": [
    "npm",
    "yarn",
    "checkmarx.jfrog.io"
  ],
  "allowed-urls": [
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/cypress-util/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm",
    "https://checkmarx.jfrog.io/artifactory/api/npm/",
    "https://checkmarx.jfrog.io/artifactory/api/npm",
    "https://checkmarx.jfrog.io/artifactory/api/",
    "https://checkmarx.jfrog.io/artifactory/api",
    "https://checkmarx.jfrog.io/artifactory/",
    "https://checkmarx.jfrog.io/artifactory",
    "https://checkmarx.jfrog.io/",
    "https://checkmarx.jfrog.io"
  ],
  "validate-https": true,
  "validate-package-names": true,
  "validate-integrity": true,
  "empty-hostname": false
}
```
@baruchiro the problem with your setup is specifically the In this case, here are a few options with which we can solve this:
Fixed with the new PR to skip them.
Is your feature request related to a problem? Please describe.
We have multiple npm repositories served on a single host, release, and dev on different paths. e.g.:
Dev repo: https://artifactory.example.com/npm/DEV/...
Release repo: https://artifactory.example.com/npm/REL/...
I want to enforce release usage.
Describe the solution you'd like
Have a parameter to specify allowed URLs but with wildcard support.
npx lockfile-lint --allowed-url-patterns https://artifactory.example.com/npm/REL/*/prefix
'*' means any character repeated any number of times.
Describe alternatives you've considered
Instead of a simple glob pattern, regex can be used. But that may be unnecessarily complex as for regex you'll need to escape the URL.
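The wildcard allow-list this issue asks for, as an added example in JavaScript that is not lockfile-lint's own code: each pattern is turned into an anchored regex with every non-`*` character escaped (so the URL does not have to be hand-escaped, the concern raised above), then applied to the `resolved` URLs of a constructed lockfile fragment. The lockfile shape, the function names and the sample URLs are assumptions.

```javascript
// Added example, not lockfile-lint's own code: a "*"-wildcard allow-list
// for lockfile "resolved" URLs, as proposed in this issue.

// Escape every regex metacharacter so URL characters such as "." and "?"
// are matched literally (an unescaped "." in a pattern would also match
// "artifactory-example.com").
function escapeRegExp(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// Turn a pattern into a regex: "*" becomes ".*", everything else is literal,
// and the result is anchored at both ends so a pattern cannot match a URL
// that merely contains it (e.g. a look-alike host with the same path).
function globToRegExp(pattern) {
  const body = pattern.split("*").map(escapeRegExp).join(".*");
  return new RegExp("^" + body + "$");
}

// True when the URL matches at least one allowed pattern.
function isAllowedUrl(url, patterns) {
  return patterns.some((p) => globToRegExp(p).test(url));
}

// Walk the "dependencies" map of an npm lockfile (v1 shape assumed) and
// return the packages whose resolved URL is not covered by any pattern.
function findDisallowed(lockfile, patterns) {
  const offenders = [];
  for (const [name, entry] of Object.entries(lockfile.dependencies || {})) {
    if (entry.resolved && !isAllowedUrl(entry.resolved, patterns)) {
      offenders.push(name);
    }
  }
  return offenders;
}

// Constructed lockfile fragment: one REL package, one DEV package, and one
// from a look-alike host that the anchored pattern must reject.
const sampleLockfile = {
  dependencies: {
    "left-pad": { version: "1.3.0", resolved: "https://artifactory.example.com/npm/REL/left-pad/-/left-pad-1.3.0.tgz" },
    "my-lib": { version: "0.0.1-dev", resolved: "https://artifactory.example.com/npm/DEV/my-lib/-/my-lib-0.0.1-dev.tgz" },
    "other": { version: "2.0.0", resolved: "https://artifactory.example.com.evil.test/npm/REL/other/-/other-2.0.0.tgz" },
  },
};
const allowed = ["https://artifactory.example.com/npm/REL/*"];

console.log("not from the release repo:", findDisallowed(sampleLockfile, allowed)); // [ 'my-lib', 'other' ]
```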