Skip to content

Commit

Permalink
Fix workspace tests
Browse files Browse the repository at this point in the history
  • Loading branch information
feelepxyz committed May 23, 2022
1 parent 5a87311 commit e67e5db
Show file tree
Hide file tree
Showing 3 changed files with 132 additions and 33 deletions.
13 changes: 10 additions & 3 deletions lib/commands/audit.js
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,9 @@ class VerifySignatures {
if (this.npm.config.get('json')) {
this.appendOutput(this.makeJSON({ invalid, missing }))
} else {
const timing = `audited ${this.audited} packages in ${Math.floor(Number(elapsed) / 1e9)}s`
const auditedPlural = this.audited > 1 ? 's' : ''
const timing = `audited ${this.audited} package${auditedPlural} in ` +
`${Math.floor(Number(elapsed) / 1e9)}s`
const verifiedPrefix = verified ? 'verified registry signatures, ' : ''
this.appendOutput(`${verifiedPrefix}${timing}\n`)

Expand Down Expand Up @@ -119,9 +121,9 @@ class VerifySignatures {
`${missing.length ? '\n' : ''}${invalid.length} ${msg}:\n`
)
this.appendOutput(this.humanOutput(invalid))
const plural = invalid.length === 1 ? '' : 's'
const invPlural = invalid.length === 1 ? '' : 's'
this.appendOutput(
`\nSomeone might have tampered with the package${plural} ` +
`\nSomeone might have tampered with the package${invPlural} ` +
`since it was published on the registry (monster-in-the-middle attack)!\n`
)
}
Expand Down Expand Up @@ -199,6 +201,11 @@ class VerifySignatures {
: edge.dev ? 'devDependencies'
: 'dependencies'

// Skip local workspaces
if (node.isWorkspace) {
return
}

// Skip potentially optional packages that are not on disk, as these could
// be omitted during install
if (edge.error === 'MISSING' && type !== 'dependencies') {
Expand Down
24 changes: 17 additions & 7 deletions tap-snapshots/test/lib/commands/audit.js.test.cjs
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ found 0 vulnerabilities
`

exports[`test/lib/commands/audit.js TAP audit signatures ignores optional dependencies > must match snapshot 1`] = `
verified registry signatures, audited 1 packages in xxx
verified registry signatures, audited 1 package in 0s
`

Expand Down Expand Up @@ -85,12 +85,12 @@ exports[`test/lib/commands/audit.js TAP audit signatures json output with valid
`

exports[`test/lib/commands/audit.js TAP audit signatures omit dev dependencies with missing signature > must match snapshot 1`] = `
verified registry signatures, audited 1 packages in xxx
verified registry signatures, audited 1 package in 0s
`

exports[`test/lib/commands/audit.js TAP audit signatures output details about missing signatures > must match snapshot 1`] = `
audited 1 packages in xxx
audited 1 package in 0s
1 package has a missing registry signature but the registry is providing signing keys:
Expand All @@ -112,7 +112,7 @@ Someone might have tampered with the package since it was published on the regis
`

exports[`test/lib/commands/audit.js TAP audit signatures with colour option and invalid signatures > must match snapshot 1`] = `
audited 1 packages in xxx
audited 1 package in 0s
1 package has an invalid registry signature:
Expand All @@ -123,7 +123,7 @@ Someone might have tampered with the package since it was published on the regis
`

exports[`test/lib/commands/audit.js TAP audit signatures with invalid signatures > must match snapshot 1`] = `
audited 1 packages in xxx
audited 1 package in 0s
1 package has an invalid registry signature:
Expand All @@ -134,7 +134,7 @@ Someone might have tampered with the package since it was published on the regis
`

exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
audited 1 packages in xxx
audited 1 package in 0s
1 package has a missing registry signature but the registry is providing signing keys
run \`npm audit signatures --missing\` for details
Expand All @@ -150,7 +150,17 @@ audited 2 packages in xxx
`

exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures > must match snapshot 1`] = `
verified registry signatures, audited 1 packages in xxx
verified registry signatures, audited 1 package in 0s
`

exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps and ignores local workspace deps > must match snapshot 1`] = `
verified registry signatures, audited 3 packages in xxx
`

exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps when filtering by workspace name > must match snapshot 1`] = `
verified registry signatures, audited 2 packages in xxx
`

Expand Down
128 changes: 105 additions & 23 deletions test/lib/commands/audit.js
Original file line number Diff line number Diff line change
Expand Up @@ -379,16 +379,16 @@ t.test('audit signatures', async t => {
version: '1.0.0',
}),
},
foo: {
async: {
'package.json': JSON.stringify({
name: 'foo',
version: '1.0.0',
name: 'async',
version: '2.5.0',
}),
},
zeta: {
'light-cycle': {
'package.json': JSON.stringify({
name: 'zeta',
version: '1.0.0',
name: 'light-cycle',
version: '1.4.2',
}),
},
},
Expand All @@ -399,7 +399,7 @@ t.test('audit signatures', async t => {
version: '1.0.0',
dependencies: {
b: '^1.0.0',
foo: '^1.0.0',
async: '^2.0.0',
},
}),
},
Expand All @@ -408,17 +408,14 @@ t.test('audit signatures', async t => {
name: 'b',
version: '1.0.0',
dependencies: {
zeta: '^1.0.0',
'light-cycle': '^1.0.0',
},
}),
},
c: {
'package.json': JSON.stringify({
name: 'c',
version: '1.0.0',
dependencies: {
theta: '^1.0.0',
},
}),
},
},
Expand Down Expand Up @@ -642,7 +639,7 @@ t.test('audit signatures', async t => {

t.equal(process.exitCode, 0, 'should exit successfully')
process.exitCode = 0
t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
t.matchSnapshot(joinedOutput())
})

Expand Down Expand Up @@ -834,7 +831,7 @@ t.test('audit signatures', async t => {

t.equal(process.exitCode, 0, 'should exit successfully')
process.exitCode = 0
t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
t.matchSnapshot(joinedOutput())
})

Expand Down Expand Up @@ -873,7 +870,7 @@ t.test('audit signatures', async t => {

t.equal(process.exitCode, 0, 'should exit successfully')
process.exitCode = 0
t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
t.matchSnapshot(joinedOutput())
})

Expand Down Expand Up @@ -961,33 +958,118 @@ t.test('audit signatures', async t => {
})

t.test('workspaces', async t => {
t.test('verifies registry deps and ignores local workspace deps', { todo: true }, async t => {
t.test('verifies registry deps and ignores local workspace deps', async t => {
npm.prefix = workspaceInstall()
await manifestWithValidSigs()
const asyncManifest = registry.manifest({
name: 'async',
packuments: [{
version: '2.5.0',
dist: {
tarball: 'https://registry.npmjs.org/async/-/async-2.5.0.tgz',
integrity: 'sha512-e+lJAJeNWuPCNyxZKOBdaJGyLGHugXVQtrAwtuAe2vhxTYxFT'
+ 'KE73p8JuTmdH0qdQZtDvI4dhJwjZc5zsfIsYw==',
signatures: [
{
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
sig: 'MEUCIQCM8cX2U3IVZKKhzQx1w5AlNSDUI+fVf4857K1qT0NTNgIgdT4qwEl' +
'/kg2vU1uIWUI0bGikRvVHCHlRs1rgjPMpRFA=',
},
],
},
}],
})
const lightCycleManifest = registry.manifest({
name: 'light-cycle',
packuments: [{
version: '1.4.2',
dist: {
tarball: 'https://registry.npmjs.org/light-cycle/-/light-cycle-1.4.2.tgz',
integrity: 'sha512-badZ3KMUaGwQfVcHjXTXSecYSXxT6f99bT+kVzBqmO10U1UNlE' +
'thJ1XAok97E4gfDRTA2JJ3r0IeMPtKf0EJMw==',
signatures: [
{
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
sig: 'MEUCIQDXjoxQz4MzPqaIuy2RJmBlcFp0UD3h9EhKZxxEz9IYZAIgLO0znG5' +
'aGciTAg4u8fE0/UXBU4gU7JcvTZGxW2BmKGw=',
},
],
},
}],
})
await registry.package({ manifest: asyncManifest })
await registry.package({ manifest: lightCycleManifest })
validKeys()

await audit.exec(['signatures'])

t.equal(process.exitCode, 0, 'should exit successfully')
process.exitCode = 0
t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
t.match(joinedOutput(), /verified registry signatures, audited 3 packages/)
t.matchSnapshot(joinedOutput())
})

// TODO: This should verify kms-demo, but doesn't because arborist filters
// workspace deps even if they're also root deps
t.test('verifies registry dep if workspaces is disabled', { todo: true }, async t => {
t.test('verifies registry deps when filtering by workspace name', async t => {
npm.prefix = workspaceInstall()
npm.flatOptions.workspacesEnabled = false
await manifestWithValidSigs()
npm.localPrefix = npm.prefix
const asyncManifest = registry.manifest({
name: 'async',
packuments: [{
version: '2.5.0',
dist: {
tarball: 'https://registry.npmjs.org/async/-/async-2.5.0.tgz',
integrity: 'sha512-e+lJAJeNWuPCNyxZKOBdaJGyLGHugXVQtrAwtuAe2vhxTYxFT'
+ 'KE73p8JuTmdH0qdQZtDvI4dhJwjZc5zsfIsYw==',
signatures: [
{
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
sig: 'MEUCIQCM8cX2U3IVZKKhzQx1w5AlNSDUI+fVf4857K1qT0NTNgIgdT4qwEl' +
'/kg2vU1uIWUI0bGikRvVHCHlRs1rgjPMpRFA=',
},
],
},
}],
})
const lightCycleManifest = registry.manifest({
name: 'light-cycle',
packuments: [{
version: '1.4.2',
dist: {
tarball: 'https://registry.npmjs.org/light-cycle/-/light-cycle-1.4.2.tgz',
integrity: 'sha512-badZ3KMUaGwQfVcHjXTXSecYSXxT6f99bT+kVzBqmO10U1UNlE' +
'thJ1XAok97E4gfDRTA2JJ3r0IeMPtKf0EJMw==',
signatures: [
{
keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
sig: 'MEUCIQDXjoxQz4MzPqaIuy2RJmBlcFp0UD3h9EhKZxxEz9IYZAIgLO0znG5' +
'aGciTAg4u8fE0/UXBU4gU7JcvTZGxW2BmKGw=',
},
],
},
}],
})
await registry.package({ manifest: asyncManifest })
await registry.package({ manifest: lightCycleManifest })
validKeys()

await audit.exec(['signatures'])
await audit.execWorkspaces(['signatures'], ['./packages/a'])

t.equal(process.exitCode, 0, 'should exit successfully')
process.exitCode = 0
t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
t.match(joinedOutput(), /verified registry signatures, audited 2 packages/)
t.matchSnapshot(joinedOutput())
})

// TODO: This should verify kms-demo, but doesn't because arborist filters
// workspace deps even if they're also root deps
t.test('verifies registry dep if workspaces is disabled', async t => {
npm.prefix = workspaceInstall()
npm.flatOptions.workspacesEnabled = false

await t.rejects(
audit.exec(['signatures']),
/No dependencies found in current install/
)
})
})
})

0 comments on commit e67e5db

Please sign in to comment.