allow scripts related checks.

package.json

@@ -56,6 +56,7 @@
     "execa": "^5.1.1",
     "lodash": "^4.17.21",
     "superstruct": "^1.0.3",
+    "yaml": "^2.4.1",
     "yargs": "^17.7.2"
   },
   "devDependencies": {

src/main.test.ts

@@ -6,6 +6,7 @@ import execa from 'execa';
 import path from 'path';
 import { MockWritable } from 'stdio-mock';
 import stripAnsi from 'strip-ansi';
+import { stringify } from 'yaml';
 
 import { main } from './main';
 import { FakeOutputLogger } from '../tests/fake-output-logger';
@@ -61,10 +62,6 @@ describe('main', () => {
           await ensureDirectoryStructureExists(
             path.join(repository.directoryPath, 'src'),
           );
-          await writeFile(
-            path.join(repository.directoryPath, '.yarnrc.yml'),
-            '',
-          );
           await writeFile(
             path.join(
               repository.directoryPath,
@@ -96,6 +93,8 @@ describe('main', () => {
                 typescript: '1.0.0',
                 typedoc: '1.0.0',
                 '@metamask/auto-changelog': '1.0.0',
+                '@lavamoat/allow-scripts': '1.0.0',
+                '@lavamoat/preinstall-always-fail': '1.0.0',
               },
               scripts: {
                 test: 'test script',
@@ -109,6 +108,12 @@ describe('main', () => {
               repository: {
                 url: 'https://github.com/MetaMask/module-lint.git',
               },
+              lavamoat: {
+                allowScripts: {
+                  'tsup>esbuild': true,
+                  '@lavamoat/preinstall-always-fail': false,
+                },
+              },
             }),
           );
           await writeFile(
@@ -155,6 +160,25 @@ describe('main', () => {
             path.join(repository.directoryPath, '.gitignore'),
             'content for .gitignore',
           );
+          await writeFile(
+            path.join(repository.directoryPath, '.yarnrc.yml'),
+            stringify({
+              enableScripts: false,
+              plugins: [
+                {
+                  path: '.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs',
+                  spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js',
+                },
+              ],
+            }),
+          );
+          await writeFile(
+            path.join(
+              repository.directoryPath,
+              '.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs',
+            ),
+            'test scripts',
+          );
         }
         const outputLogger = new FakeOutputLogger();
 
@@ -193,11 +217,15 @@ repo-1
 - Do the typedoc-related \`scripts\` in \`package.json\` conform? ✅
 - Do the changelog-related \`devDependencies\` in \`package.json\` conform? ✅
 - Do the changelog-related \`scripts\` in \`package.json\` conform? ✅
+- Do the lavamoat-related \`devDependencies\` in \`package.json\` conform? ✅
+- Are postinstall scripts disabled for \`@lavamoat/preinstall-always-fail\`? ✅
 - Is \`README.md\` present? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
 - Does the README conform by recommending node install from nodejs.org? ✅
 - Are all of the files for Yarn Modern present, and do they conform? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
+- Does allow scripts conforms to yarn? ✅
+- Is the allow-scripts Yarn plugin installed? ✅
 - Does the \`src/\` directory exist? ✅
 - Is \`.nvmrc\` present, and does it conform? ✅
 - Is \`jest.config.js\` present, and does it conform? ✅
@@ -211,7 +239,7 @@ repo-1
 - Is \`.gitattributes\` present, and does it conform? ✅
 - Is \`.gitignore\` present, and does it conform? ✅
 
-Results:       36 passed, 0 failed, 36 total
+Results:       40 passed, 0 failed, 40 total
 Elapsed time:  0 ms
 
 
@@ -237,11 +265,15 @@ repo-2
 - Do the typedoc-related \`scripts\` in \`package.json\` conform? ✅
 - Do the changelog-related \`devDependencies\` in \`package.json\` conform? ✅
 - Do the changelog-related \`scripts\` in \`package.json\` conform? ✅
+- Do the lavamoat-related \`devDependencies\` in \`package.json\` conform? ✅
+- Are postinstall scripts disabled for \`@lavamoat/preinstall-always-fail\`? ✅
 - Is \`README.md\` present? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
 - Does the README conform by recommending node install from nodejs.org? ✅
 - Are all of the files for Yarn Modern present, and do they conform? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
+- Does allow scripts conforms to yarn? ✅
+- Is the allow-scripts Yarn plugin installed? ✅
 - Does the \`src/\` directory exist? ✅
 - Is \`.nvmrc\` present, and does it conform? ✅
 - Is \`jest.config.js\` present, and does it conform? ✅
@@ -255,7 +287,7 @@ repo-2
 - Is \`.gitattributes\` present, and does it conform? ✅
 - Is \`.gitignore\` present, and does it conform? ✅
 
-Results:       36 passed, 0 failed, 36 total
+Results:       40 passed, 0 failed, 40 total
 Elapsed time:  0 ms
 
 `,
@@ -486,10 +518,6 @@ Elapsed time:  0 ms
           await ensureDirectoryStructureExists(
             path.join(repository.directoryPath, 'src'),
           );
-          await writeFile(
-            path.join(repository.directoryPath, '.yarnrc.yml'),
-            '',
-          );
           await writeFile(
             path.join(
               repository.directoryPath,
@@ -521,6 +549,8 @@ Elapsed time:  0 ms
                 typescript: '1.0.0',
                 typedoc: '1.0.0',
                 '@metamask/auto-changelog': '1.0.0',
+                '@lavamoat/allow-scripts': '1.0.0',
+                '@lavamoat/preinstall-always-fail': '1.0.0',
               },
               scripts: {
                 test: 'test script',
@@ -534,6 +564,12 @@ Elapsed time:  0 ms
               repository: {
                 url: 'https://github.com/MetaMask/module-lint.git',
               },
+              lavamoat: {
+                allowScripts: {
+                  'tsup>esbuild': true,
+                  '@lavamoat/preinstall-always-fail': false,
+                },
+              },
             }),
           );
           await writeFile(
@@ -580,6 +616,26 @@ Elapsed time:  0 ms
             path.join(repository.directoryPath, '.gitignore'),
             'content for .gitignore',
           );
+          await writeFile(
+            path.join(repository.directoryPath, '.yarnrc.yml'),
+            stringify({
+              enableScripts: false,
+              plugins: [
+                {
+                  path: '.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs',
+                  spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js',
+                },
+              ],
+            }),
+          );
+
+          await writeFile(
+            path.join(
+              repository.directoryPath,
+              '.yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs',
+            ),
+            'test scripts',
+          );
         }
         const outputLogger = new FakeOutputLogger();
 
@@ -618,11 +674,15 @@ repo-1
 - Do the typedoc-related \`scripts\` in \`package.json\` conform? ✅
 - Do the changelog-related \`devDependencies\` in \`package.json\` conform? ✅
 - Do the changelog-related \`scripts\` in \`package.json\` conform? ✅
+- Do the lavamoat-related \`devDependencies\` in \`package.json\` conform? ✅
+- Are postinstall scripts disabled for \`@lavamoat/preinstall-always-fail\`? ✅
 - Is \`README.md\` present? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
 - Does the README conform by recommending node install from nodejs.org? ✅
 - Are all of the files for Yarn Modern present, and do they conform? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
+- Does allow scripts conforms to yarn? ✅
+- Is the allow-scripts Yarn plugin installed? ✅
 - Does the \`src/\` directory exist? ✅
 - Is \`.nvmrc\` present, and does it conform? ✅
 - Is \`jest.config.js\` present, and does it conform? ✅
@@ -636,7 +696,7 @@ repo-1
 - Is \`.gitattributes\` present, and does it conform? ✅
 - Is \`.gitignore\` present, and does it conform? ✅
 
-Results:       36 passed, 0 failed, 36 total
+Results:       40 passed, 0 failed, 40 total
 Elapsed time:  0 ms
 
 
@@ -662,11 +722,15 @@ repo-2
 - Do the typedoc-related \`scripts\` in \`package.json\` conform? ✅
 - Do the changelog-related \`devDependencies\` in \`package.json\` conform? ✅
 - Do the changelog-related \`scripts\` in \`package.json\` conform? ✅
+- Do the lavamoat-related \`devDependencies\` in \`package.json\` conform? ✅
+- Are postinstall scripts disabled for \`@lavamoat/preinstall-always-fail\`? ✅
 - Is \`README.md\` present? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
 - Does the README conform by recommending node install from nodejs.org? ✅
 - Are all of the files for Yarn Modern present, and do they conform? ✅
 - Does the README conform by recommending the correct Yarn version to install? ✅
+- Does allow scripts conforms to yarn? ✅
+- Is the allow-scripts Yarn plugin installed? ✅
 - Does the \`src/\` directory exist? ✅
 - Is \`.nvmrc\` present, and does it conform? ✅
 - Is \`jest.config.js\` present, and does it conform? ✅
@@ -680,7 +744,7 @@ repo-2
 - Is \`.gitattributes\` present, and does it conform? ✅
 - Is \`.gitignore\` present, and does it conform? ✅
 
-Results:       36 passed, 0 failed, 36 total
+Results:       40 passed, 0 failed, 40 total
 Elapsed time:  0 ms
 
 `,

src/repository-filesystem.test.ts

@@ -7,6 +7,7 @@ import fs from 'fs';
 import { mock } from 'jest-mock-extended';
 import path from 'path';
 import { integer, object, string } from 'superstruct';
+import { stringify } from 'yaml';
 
 import { RepositoryFilesystem } from './repository-filesystem';
 import { withinSandbox } from '../tests/helpers';
@@ -201,6 +202,57 @@ describe('RepositoryFilesystem', () => {
     });
   });
 
+  describe('readYamlFileAs', () => {
+    describe('if the file has not already been read', () => {
+      it('returns the content of the file as a JSON value if it conforms to the given Superstruct schema', async () => {
+        await withinSandbox(async ({ directoryPath: sandboxDirectoryPath }) => {
+          await writeFile(
+            path.join(sandboxDirectoryPath, 'somefile.yml'),
+            stringify({ name: 'utils', numberOfStars: 294 }),
+          );
+          const Repo = object({
+            name: string(),
+            numberOfStars: integer(),
+          });
+          const repositoryFilesystem = new RepositoryFilesystem(
+            sandboxDirectoryPath,
+          );
+
+          const person = await repositoryFilesystem.readYamlFileAs(
+            'somefile.yml',
+            Repo,
+          );
+
+          expect(person).toStrictEqual({ name: 'utils', numberOfStars: 294 });
+        });
+      });
+
+      it('throws a descriptive error if the content of the file does not conform to the given Superstruct schema', async () => {
+        await withinSandbox(async ({ directoryPath: sandboxDirectoryPath }) => {
+          await writeFile(
+            path.join(sandboxDirectoryPath, 'somefile.yml'),
+            stringify({ numberOfStars: 'whatever' }),
+          );
+          const Repo = object({
+            name: string(),
+            numberOfStars: integer(),
+          });
+          const repositoryFilesystem = new RepositoryFilesystem(
+            sandboxDirectoryPath,
+          );
+
+          await expect(
+            repositoryFilesystem.readYamlFileAs('somefile.yml', Repo),
+          ).rejects.toThrow(
+            new Error(
+              'Missing `name`; Invalid `numberOfStars` (Expected an integer, but received: "whatever").',
+            ),
+          );
+        });
+      });
+    });
+  });
+
   describe('readDirectoryRecursively', () => {
     it('reads the directory and all of its child directories, returning a flat list of files and their paths', async () => {
       await withinSandbox(async ({ directoryPath: sandboxDirectoryPath }) => {

src/repository-filesystem.ts

@@ -4,6 +4,7 @@ import type fs from 'fs';
 import path from 'path';
 import type { Struct } from 'superstruct';
 import type { ObjectSchema } from 'superstruct/dist/utils';
+import { parse as yamlParse } from 'yaml';
 
 import type { DirectoryEntry } from './misc-utils';
 import {
@@ -85,6 +86,25 @@ export class RepositoryFilesystem {
     return content;
   }
 
+  /**
+   * Reads a YAML file within the repository, ensuring that it matches the
+   * given Superstruct struct.
+   *
+   * @param filePath - The path to the file relative to the repository root.
+   * @param struct - The Superstruct object struct that you want to match
+   * against the content of the file.
+   * @returns The contents of the file as a JSON object.
+   */
+  async readYamlFileAs<Value extends Json, Schema extends ObjectSchema>(
+    filePath: string,
+    struct: Struct<Value, Schema>,
+  ): Promise<Value> {
+    const content = await this.readFile(filePath);
+    const parsedYaml = yamlParse(content);
+    assertJsonMatchesStruct(parsedYaml, struct);
+    return parsedYaml;
+  }
+
   /**
    * Reads a directory recursively within the repository.
    *

src/rules/index.ts

@@ -1,11 +1,15 @@
 import allYarnModernFilesConform from './all-yarn-modern-files-conform';
 import classicYarnConfigFileAbsent from './classic-yarn-config-file-absent';
+import packageAllowScriptsYarnConform from './package-allow-scripts-yarn-conform';
+import packageAllowScriptsYarnPluginsConform from './package-allow-scripts-yarn-plugins-conform';
 import packageChangelogDevDependenciesConform from './package-changelog-dev-dependencies-conform';
 import packageChangelogScriptsConform from './package-changelog-scripts-conform';
 import packageEnginesNodeFieldConforms from './package-engines-node-field-conforms';
 import packageExportsFieldConforms from './package-exports-field-conforms';
 import packageFilesFieldConforms from './package-files-field-conforms';
 import packageJestDependenciesConform from './package-jest-dependencies-conform';
+import packageLavamoatAllowScriptsConforms from './package-lavamoat-allow-scripts-conforms';
+import packageLavamoatDevDependenciesConform from './package-lavamoat-dev-dependencies-conform';
 import packageLavamoatTsupConforms from './package-lavamoat-tsup-conforms';
 import packageLintDependenciesConform from './package-lint-dependencies-conform';
 import packageMainFieldConforms from './package-main-field-conforms';
@@ -70,4 +74,8 @@ export const rules = [
   requireEditorconfig,
   requireGitattributes,
   requireGitignore,
+  packageLavamoatDevDependenciesConform,
+  packageLavamoatAllowScriptsConforms,
+  packageAllowScriptsYarnConform,
+  packageAllowScriptsYarnPluginsConform,
 ] as const;