-
Notifications
You must be signed in to change notification settings - Fork 3.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fd8beaf
commit cac0725
Showing
88 changed files
with
4,867 additions
and
1,604 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
218 changes: 218 additions & 0 deletions
218
node_modules/@npmcli/metavuln-calculator/node_modules/npm-pick-manifest/lib/index.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,218 @@ | ||
'use strict' | ||
|
||
const npa = require('npm-package-arg') | ||
const semver = require('semver') | ||
const { checkEngine } = require('npm-install-checks') | ||
const normalizeBin = require('npm-normalize-package-bin') | ||
|
||
const engineOk = (manifest, npmVersion, nodeVersion) => { | ||
try { | ||
checkEngine(manifest, npmVersion, nodeVersion) | ||
return true | ||
} catch (_) { | ||
return false | ||
} | ||
} | ||
|
||
const isBefore = (verTimes, ver, time) => | ||
!verTimes || !verTimes[ver] || Date.parse(verTimes[ver]) <= time | ||
|
||
const avoidSemverOpt = { includePrerelease: true, loose: true } | ||
const shouldAvoid = (ver, avoid) => | ||
avoid && semver.satisfies(ver, avoid, avoidSemverOpt) | ||
|
||
const decorateAvoid = (result, avoid) => | ||
result && shouldAvoid(result.version, avoid) | ||
? { ...result, _shouldAvoid: true } | ||
: result | ||
|
||
const pickManifest = (packument, wanted, opts) => { | ||
const { | ||
defaultTag = 'latest', | ||
before = null, | ||
nodeVersion = process.version, | ||
npmVersion = null, | ||
includeStaged = false, | ||
avoid = null, | ||
avoidStrict = false, | ||
} = opts | ||
|
||
const { name, time: verTimes } = packument | ||
const versions = packument.versions || {} | ||
|
||
if (avoidStrict) { | ||
const looseOpts = { | ||
...opts, | ||
avoidStrict: false, | ||
} | ||
|
||
const result = pickManifest(packument, wanted, looseOpts) | ||
if (!result || !result._shouldAvoid) { | ||
return result | ||
} | ||
|
||
const caret = pickManifest(packument, `^${result.version}`, looseOpts) | ||
if (!caret || !caret._shouldAvoid) { | ||
return { | ||
...caret, | ||
_outsideDependencyRange: true, | ||
_isSemVerMajor: false, | ||
} | ||
} | ||
|
||
const star = pickManifest(packument, '*', looseOpts) | ||
if (!star || !star._shouldAvoid) { | ||
return { | ||
...star, | ||
_outsideDependencyRange: true, | ||
_isSemVerMajor: true, | ||
} | ||
} | ||
|
||
throw Object.assign(new Error(`No avoidable versions for ${name}`), { | ||
code: 'ETARGET', | ||
name, | ||
wanted, | ||
avoid, | ||
before, | ||
versions: Object.keys(versions), | ||
}) | ||
} | ||
|
||
const staged = (includeStaged && packument.stagedVersions && | ||
packument.stagedVersions.versions) || {} | ||
const restricted = (packument.policyRestrictions && | ||
packument.policyRestrictions.versions) || {} | ||
|
||
const time = before && verTimes ? +(new Date(before)) : Infinity | ||
const spec = npa.resolve(name, wanted || defaultTag) | ||
const type = spec.type | ||
const distTags = packument['dist-tags'] || {} | ||
|
||
if (type !== 'tag' && type !== 'version' && type !== 'range') { | ||
throw new Error('Only tag, version, and range are supported') | ||
} | ||
|
||
// if the type is 'tag', and not just the implicit default, then it must | ||
// be that exactly, or nothing else will do. | ||
if (wanted && type === 'tag') { | ||
const ver = distTags[wanted] | ||
// if the version in the dist-tags is before the before date, then | ||
// we use that. Otherwise, we get the highest precedence version | ||
// prior to the dist-tag. | ||
if (isBefore(verTimes, ver, time)) { | ||
return decorateAvoid(versions[ver] || staged[ver] || restricted[ver], avoid) | ||
} else { | ||
return pickManifest(packument, `<=${ver}`, opts) | ||
} | ||
} | ||
|
||
// similarly, if a specific version, then only that version will do | ||
if (wanted && type === 'version') { | ||
const ver = semver.clean(wanted, { loose: true }) | ||
const mani = versions[ver] || staged[ver] || restricted[ver] | ||
return isBefore(verTimes, ver, time) ? decorateAvoid(mani, avoid) : null | ||
} | ||
|
||
// ok, sort based on our heuristics, and pick the best fit | ||
const range = type === 'range' ? wanted : '*' | ||
|
||
// if the range is *, then we prefer the 'latest' if available | ||
// but skip this if it should be avoided, in that case we have | ||
// to try a little harder. | ||
const defaultVer = distTags[defaultTag] | ||
if (defaultVer && | ||
(range === '*' || semver.satisfies(defaultVer, range, { loose: true })) && | ||
!shouldAvoid(defaultVer, avoid)) { | ||
const mani = versions[defaultVer] | ||
if (mani && isBefore(verTimes, defaultVer, time)) { | ||
return mani | ||
} | ||
} | ||
|
||
// ok, actually have to sort the list and take the winner | ||
const allEntries = Object.entries(versions) | ||
.concat(Object.entries(staged)) | ||
.concat(Object.entries(restricted)) | ||
.filter(([ver, mani]) => isBefore(verTimes, ver, time)) | ||
|
||
if (!allEntries.length) { | ||
throw Object.assign(new Error(`No versions available for ${name}`), { | ||
code: 'ENOVERSIONS', | ||
name, | ||
type, | ||
wanted, | ||
before, | ||
versions: Object.keys(versions), | ||
}) | ||
} | ||
|
||
const sortSemverOpt = { loose: true } | ||
const entries = allEntries.filter(([ver, mani]) => | ||
semver.satisfies(ver, range, { loose: true })) | ||
.sort((a, b) => { | ||
const [vera, mania] = a | ||
const [verb, manib] = b | ||
const notavoida = !shouldAvoid(vera, avoid) | ||
const notavoidb = !shouldAvoid(verb, avoid) | ||
const notrestra = !restricted[a] | ||
const notrestrb = !restricted[b] | ||
const notstagea = !staged[a] | ||
const notstageb = !staged[b] | ||
const notdepra = !mania.deprecated | ||
const notdeprb = !manib.deprecated | ||
const enginea = engineOk(mania, npmVersion, nodeVersion) | ||
const engineb = engineOk(manib, npmVersion, nodeVersion) | ||
// sort by: | ||
// - not an avoided version | ||
// - not restricted | ||
// - not staged | ||
// - not deprecated and engine ok | ||
// - engine ok | ||
// - not deprecated | ||
// - semver | ||
return (notavoidb - notavoida) || | ||
(notrestrb - notrestra) || | ||
(notstageb - notstagea) || | ||
((notdeprb && engineb) - (notdepra && enginea)) || | ||
(engineb - enginea) || | ||
(notdeprb - notdepra) || | ||
semver.rcompare(vera, verb, sortSemverOpt) | ||
}) | ||
|
||
return decorateAvoid(entries[0] && entries[0][1], avoid) | ||
} | ||
|
||
module.exports = (packument, wanted, opts = {}) => { | ||
const mani = pickManifest(packument, wanted, opts) | ||
const picked = mani && normalizeBin(mani) | ||
const policyRestrictions = packument.policyRestrictions | ||
const restricted = (policyRestrictions && policyRestrictions.versions) || {} | ||
|
||
if (picked && !restricted[picked.version]) { | ||
return picked | ||
} | ||
|
||
const { before = null, defaultTag = 'latest' } = opts | ||
const bstr = before ? new Date(before).toLocaleString() : '' | ||
const { name } = packument | ||
const pckg = `${name}@${wanted}` + | ||
(before ? ` with a date before ${bstr}` : '') | ||
|
||
const isForbidden = picked && !!restricted[picked.version] | ||
const polMsg = isForbidden ? policyRestrictions.message : '' | ||
|
||
const msg = !isForbidden ? `No matching version found for ${pckg}.` | ||
: `Could not download ${pckg} due to policy violations:\n${polMsg}` | ||
|
||
const code = isForbidden ? 'E403' : 'ETARGET' | ||
throw Object.assign(new Error(msg), { | ||
code, | ||
type: npa.resolve(packument.name, wanted).type, | ||
wanted, | ||
versions: Object.keys(packument.versions ?? {}), | ||
name, | ||
distTags: packument['dist-tags'], | ||
defaultTag, | ||
}) | ||
} |
57 changes: 57 additions & 0 deletions
57
node_modules/@npmcli/metavuln-calculator/node_modules/npm-pick-manifest/package.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
{ | ||
"name": "npm-pick-manifest", | ||
"version": "8.0.2", | ||
"description": "Resolves a matching manifest from a package metadata document according to standard npm semver resolution rules.", | ||
"main": "./lib", | ||
"files": [ | ||
"bin/", | ||
"lib/" | ||
], | ||
"scripts": { | ||
"coverage": "tap", | ||
"lint": "eslint \"**/*.js\"", | ||
"test": "tap", | ||
"posttest": "npm run lint", | ||
"postlint": "template-oss-check", | ||
"lintfix": "npm run lint -- --fix", | ||
"snap": "tap", | ||
"template-oss-apply": "template-oss-apply --force" | ||
}, | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/npm/npm-pick-manifest.git" | ||
}, | ||
"keywords": [ | ||
"npm", | ||
"semver", | ||
"package manager" | ||
], | ||
"author": "GitHub Inc.", | ||
"license": "ISC", | ||
"dependencies": { | ||
"npm-install-checks": "^6.0.0", | ||
"npm-normalize-package-bin": "^3.0.0", | ||
"npm-package-arg": "^10.0.0", | ||
"semver": "^7.3.5" | ||
}, | ||
"devDependencies": { | ||
"@npmcli/eslint-config": "^4.0.0", | ||
"@npmcli/template-oss": "4.18.0", | ||
"tap": "^16.0.1" | ||
}, | ||
"tap": { | ||
"check-coverage": true, | ||
"nyc-arg": [ | ||
"--exclude", | ||
"tap-snapshots/**" | ||
] | ||
}, | ||
"engines": { | ||
"node": "^14.17.0 || ^16.13.0 || >=18.0.0" | ||
}, | ||
"templateOSS": { | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.18.0", | ||
"publish": true | ||
} | ||
} |
15 changes: 15 additions & 0 deletions
15
node_modules/@npmcli/metavuln-calculator/node_modules/pacote/LICENSE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
The ISC License | ||
|
||
Copyright (c) Isaac Z. Schlueter, Kat Marchán, npm, Inc., and Contributors | ||
|
||
Permission to use, copy, modify, and/or distribute this software for any | ||
purpose with or without fee is hereby granted, provided that the above | ||
copyright notice and this permission notice appear in all copies. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR | ||
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
Oops, something went wrong.