feat(security): add option to check for secure node version
Showing
10 changed files
with
139 additions
and
22 deletions.
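--- /dev/null
+++ b/[test file path not shown]
@@ -0,0 +1,58 @@
+import execa from 'execa';
+import fetch from 'node-fetch';
+import { getNodeSecurityChecker } from '../src/security';
+import { logMessages } from '../src/log-messages';
+/// <reference types="@types/jest" />
+
+jest.mock('execa');
+jest.mock('node-fetch');
+jest.mock('fs-extra');
+
+
+const { Response } = jest.requireActual('node-fetch');
+
+
+const exampleNodeList = [
+{ version: 'v13.0.0', date: '2020-07-29', npm: '6.14.7', security: true, lts: false },
+{ version: 'v13.1.0', date: '2020-07-29', npm: '6.14.7', security: false, lts: false },
+{ version: 'v13.2.0', date: '2020-07-29', npm: '6.14.7', security: false, lts: false },
+{ version: 'v14.1.0', date: '2020-07-29', npm: '6.14.7', security: false, lts: false },
+{ version: 'v14.2.0', date: '2020-07-29', npm: '6.14.7', security: false, lts: false },
+{ version: 'v14.3.0', date: '2020-07-29', npm: '6.14.7', security: true, lts: false },
+{ version: 'v15.1.0', date: '2020-07-29', npm: '6.14.7', security: false, lts: false },
+{ version: 'v15.3.0', date: '2020-07-29', npm: '6.14.7', security: true, lts: false },
+];
+const nodeVersionListURL = 'https://nodejs.org/dist/index.json';
+
+describe('getNodeSecurityChecker', () => {
+it('should return success-text if there is no security version above inside this major version', async () => {
+(execa as any).mockReturnValue(Promise.resolve({ stdout: '13.1.0' }));
+(fetch as any).mockReturnValue(Promise.resolve(new Response(JSON.stringify(exampleNodeList))));
+expect(await getNodeSecurityChecker()).toMatchObject({
+error: false,
+text: logMessages.success.nodeVersionSecurity('13.1.0'),
+});
+});
+it('should return error-text if there is a security version above inside this major version', async () => {
+(execa as any).mockReturnValue(Promise.resolve({ stdout: 'v14.1.0' }));
+(fetch as any).mockReturnValue(Promise.resolve(new Response(JSON.stringify(exampleNodeList))));
+expect(await getNodeSecurityChecker()).toMatchObject({
+error: true,
+text: logMessages.error.nodeVersionNotSecureError('14.1.0'),
+});
+});
+it('should return warning-text if we can not receive node-list', async () => {
+(fetch as any).mockReturnValue(Promise.reject());
+expect(await getNodeSecurityChecker()).toMatchObject({
+error: false,
+text: logMessages.warning.fetchNodeListErrorNodeSecurity(nodeVersionListURL),
+});
+});
+it('should return error-text if we can not receive installed node version', async () => {
+(execa as any).mockReturnValue(Promise.reject());
+expect(await getNodeSecurityChecker()).toMatchObject({
+error: true,
+text: logMessages.error.readProgramVersionError('node'),
+});
+});
+});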
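Review bot: The fixture never contains a patch-level security release (same major and minor, higher patch), so the suite cannot catch the case where the checker compares on `semver.diff(...) === 'minor'` and ignores a `security: true` entry one patch above the installed version. Add a case such as installed `'14.1.0'` with `{ version: 'v14.1.1', date: '2020-07-29', npm: '6.14.7', security: true, lts: false }` in the list, expecting `error: true`, and a case where the only security release is in a different major (e.g. installed `'13.2.0'` with v14.3.0 flagged) expecting `error: false`. A case where the fetched body is not a JSON array would also pin whether a malformed list is reported as a warning or escapes as an exception. The `(execa as any)` / `(fetch as any)` casts are a style point; `jest.mocked(execa)` or `execa as jest.Mock` keeps the mock typed.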
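--- /dev/null
+++ b/[markdown file path not shown]
@@ -0,0 +1,5 @@
+# Security
+
+This warning means, that your node version is not considered secure anymore. There has been a node release that fixes those vulnerabilities. Here is a [list of all node releases](https://nodejs.org/en/download/releases/) and here you likely find [more details to the release and the vulnerability](https://nodejs.org/en/blog/).
+
+You need to update the node version of your project. You do **not** need to update to a new major version (e.g. from v14 to v16), a newer minor version is sufficient. Security releases are rolled out to all LTS versions of node. Here is an [example of such a security release](https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/) which has rolled out to Node versions v10.x, v12.x, v14.x and v15.x.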
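--- /dev/null
+++ b/src/security.ts
@@ -0,0 +1,33 @@
+import semver from 'semver';
+import { getInstalledVersion } from './get-version';
+import { getNodeList } from './fetch-node-versions';
+import { ILogMessage, INodeVersion } from './const';
+import { logMessages } from './log-messages';
+
+export const hasNodeVersionSecurityIssues = (nodeList: INodeVersion[], usedNodeVersion: string) => {
+return nodeList.some((nodeVersion) => {
+const nodeVersionText = nodeVersion.version.slice(1);
+// return true, if any MINOR version above THIS version has a security flag
+return (
+semver.diff(nodeVersionText, usedNodeVersion) === 'minor' &&
+semver.gt(nodeVersionText, usedNodeVersion) &&
+nodeVersion.security
+);
+});
+};
+
+export const getSecurityNodeLog = async (usedNodeVersion: string) => {
+const nodeList = await getNodeList('security');
+if (nodeList.error) {
+return { error: false, text: nodeList.text };
+}
+
+return hasNodeVersionSecurityIssues(JSON.parse(nodeList.text), usedNodeVersion)
+? { error: true, text: logMessages.error.nodeVersionNotSecureError(usedNodeVersion) }
+: { error: false, text: logMessages.success.nodeVersionSecurity(usedNodeVersion) };
+};
+
+export const getNodeSecurityChecker = async () => {
+const usedNodeVersion: ILogMessage = await getInstalledVersion('node');
+return usedNodeVersion.error ? usedNodeVersion : getSecurityNodeLog(usedNodeVersion.text);
+};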
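Review bot: `hasNodeVersionSecurityIssues` only flags a release when `semver.diff(nodeVersionText, usedNodeVersion) === 'minor'`, so a security release that differs from the installed version only in the patch component (same major and minor, higher patch) is never reported, even though the accompanying markdown in this commit describes exactly such line releases; the check should be "same major line and newer", e.g. replace the first condition with `semver.major(nodeVersionText) === semver.major(usedNodeVersion) &&` and update the comment to `// true if any newer release in THIS major line carries the security flag`. Separately, `getSecurityNodeLog` passes `JSON.parse(nodeList.text)` straight into `.some(...)` as `INodeVersion[]`; if the fetched body parses to something other than an array, or an entry lacks a parseable `version`, the resulting TypeError escapes past the `nodeList.error` branch rather than surfacing as the warning the fetch failure gets, so an `Array.isArray` guard (and a `semver.valid` filter on entries) before the scan would keep the failure mode consistent. `getInstalledVersion` and `getNodeList` are defined outside this hunk, so whether they already normalise the leading `v` or validate the payload cannot be confirmed here.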