feat: age marshall check unmaintained packages (#306)

age marshall checks if package version downloaded is more than 365 days old
lirantal · Mar 4, 2024 · 589b575 · 589b575
1 parent ab59142
commit 589b575
Showing 1 changed file with 42 additions and 14 deletions.
diff --git a/lib/marshalls/age.marshall.js b/lib/marshalls/age.marshall.js
@@ -5,6 +5,7 @@ const { marshallCategories } = require('./constants')
 
 const MARSHALL_NAME = 'age'
 const PACKAGE_AGE_THRESHOLD = 22 // specified in days
+const PACKAGE_AGE_UNMAINTAINED_RISK = 365 // specified in days
 
 class Marshall extends BaseMarshall {
   constructor(options) {
@@ -18,22 +19,49 @@ class Marshall extends BaseMarshall {
   }
 
   validate(pkg) {
-    return this.packageRepoUtils.getPackageInfo(pkg.packageName).then((data) => {
-      if (data && data.time && data.time.created) {
-        const pkgCreatedDate = data.time.created
-        const dateDiff = Date.now() - Date.parse(pkgCreatedDate)
-
-        if (dateDiff < PACKAGE_AGE_THRESHOLD) {
-          throw new Error(
-            `detected a newly published package (created < ${PACKAGE_AGE_THRESHOLD} days) act carefully`
-          )
+    let packageData = null
+    let ageDateDiff = null
+    return this.packageRepoUtils
+      .getPackageInfo(pkg.packageName)
+      .then((data) => {
+        if (data && data.time && data.time.created) {
+          packageData = data
+          const pkgCreatedDate = data.time.created
+          const dateDiff = Date.now() - Date.parse(pkgCreatedDate)
+
+          ageDateDiff = dateDiff
+          if (dateDiff < PACKAGE_AGE_THRESHOLD) {
+            throw new Error(
+              `detected a newly published package (created < ${PACKAGE_AGE_THRESHOLD} days) act carefully`
+            )
+          }
+
+          return pkg
+        } else {
+          throw new Error('could not determine package age')
         }
+      })
+      .then((pkg) => {
+        return this.packageRepoUtils.getSemVer(pkg.packageName, pkg.packageVersion)
+      })
+      .then((versionResolved) => {
+        const versionReleaseDate = packageData.time[versionResolved]
+        const versionDateDiff = new Date() - new Date(versionReleaseDate)
+
+        const versionDateDiffInDays = Math.round(versionDateDiff / (1000 * 60 * 60 * 24))
+
+        let timeAgoText = 'days'
+        let timeAgoNumber = versionDateDiffInDays
 
-        return dateDiff
-      } else {
-        throw new Error('could not determine package age')
-      }
-    })
+        if (versionDateDiffInDays >= 365) {
+          timeAgoText = 'years'
+          timeAgoNumber = Math.floor(versionDateDiffInDays / 365)
+        }
+
+        if (versionDateDiffInDays >= PACKAGE_AGE_UNMAINTAINED_RISK) {
+          throw new Error(`detected an old package (created ${timeAgoNumber} ${timeAgoText} ago)`)
+        }
+      })
   }
 }