From 1ac7f1d753ad34c0e8a72198e3c07adb697e655c Mon Sep 17 00:00:00 2001 From: Umar Bolatov Date: Mon, 23 Mar 2020 18:53:03 -0700 Subject: [PATCH] docs: update README with --allowed-urls option fix #82 --- packages/lockfile-lint/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/packages/lockfile-lint/README.md b/packages/lockfile-lint/README.md index 1c1dd93..6cc3523 100644 --- a/packages/lockfile-lint/README.md +++ b/packages/lockfile-lint/README.md @@ -32,7 +32,7 @@ npm install --save lockfile-lint `lockfile-lint` can be installed per a project scope, or globally and exposes a `lockfile-lint` executable that should be practiced during builds, CIs, and general static code analysis procedures to ensure that lockfiles are kept up to date with pre-defined security and usage policies. ```bash -lockfile-lint --type --path --validate-https --allowed-hosts +lockfile-lint --type --path --validate-https --allowed-hosts --allowed-urls ``` Supported lockfiles: @@ -65,6 +65,15 @@ lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https - `--allowed-hosts` explicitly set to match github.com as a host and specifies `yarn` as the alias for yarn's official mirror host - `--allowed-schemes` overrides `validate-https` and so it explicitly allows both `https:` and `git+https:` for the github URL +**Example 4**: allow the lockfile to contain a package which resolves to a specific URL specified by the `--allowed-urls` option while all other packages must resolve to yarn as specified by `--allowed-hosts` + +```bash +lockfile-lint --path yarn.lock --allowed-hosts yarn --allowed-urls https://github.com/lirantal/lockfile-lint#d30ce73a3e5977dede29450df1c79b09f02779b2 +``` + +- `--allowed-hosts` allows packages from yarn only +- `--allowed-urls` overrides `allowed-hosts` and allows a specific Github URL to pass validation + # CLI command options | command line argument | description | implemented | 
@@ -74,6 +83,7 @@ lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https | `--validate-https`, `-s` | validates the use of HTTPS as protocol schema for all resources in the lockfile | ✅ | | `--allowed-hosts`, `-a` | validates a whitelist of allowed hosts to be used for all resources in the lockfile. Supported short-hands aliases are `npm`, `yarn`, and `verdaccio` which will match URLs `https://registry.npmjs.org`, `https://registry.yarnpkg.com` and `https://registry.verdaccio.org` respectively | ✅ | | `--allowed-schemes`, `-o` | allowed [URI schemes](https://tools.ietf.org/html/rfc2396#section-3.1) such as "https:", "http", "git+ssh:", or "git+https:" | ✅ | +| `--allowed-urls`, `-u` | allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`) | ✅ | | `--empty-hostname`, `-e` | allow empty hostnames, or set to false if you wish for a stricter policy | ✅ | | `--validate-checksum`, `-c` | check that all resources include a checksum | ❌ PRs welcome | | `--validate-integrity`, `-i` | check that all resources include an integrity field | ❌ PRs welcome |
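Review bot: in the first hunk, the second bullet under Example 4 ("`--allowed-urls` overrides `allowed-hosts`") reads as if the option switches host validation off, but the example's own lead sentence says every other package must still resolve to yarn; suggest wording it as a per-URL exception, e.g. "`--allowed-urls` lets the listed URL pass validation even though github.com is not in `--allowed-hosts`; all other resources are still checked against `--allowed-hosts`". Also "Github" should be "GitHub", and since the example URL carries a `#d30ce73...` commit fragment, the bullet should say whether the fragment is part of the match so a reader knows the lockfile entry must point at that exact commit.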
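Review bot: the new `--allowed-urls`, `-u` row in the second hunk leaves the matching rule and precedence unspecified; the description "allowed URLs (e.g. `https://github.com/some-org/some-repo#some-hash`)" should say whether matching is exact (including the `#hash` fragment shown in the example) or prefix-based, that a matched URL is accepted ahead of the `--allowed-hosts` check (the behaviour Example 4 relies on), and whether several URLs may be passed, as the `--allowed-hosts` row and Example 3 (`--allowed-hosts yarn github.com`) show for hosts. One possible phrasing: "exact URLs that are allowed regardless of `--allowed-hosts`; accepts multiple values".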