feat: add npm audit licenses #3452
Conversation
lib/audit.js

```javascript
// lib/audit.js (snippet under review in this PR)
const auditType = this.npm.config.get('audit-type')
if (auditType === 'license') {
  this.auditLicenses(args).then(() => cb()).catch(cb)
} else {
  this.auditAdvisories(args).then(() => cb()).catch(cb)
}
```
does this mean that `npm audit` can only do either licenses or advisories, but not both?
Should `audit-type` be validated somehow so it's only "license" or "advisory"?
@ljharb in pairing with @ruyadorno today, we intentionally kept this limited to "getting it working" and not fully implementing. This was the minimum way to get it working. There will be individual ways to do advisories, licenses, and both (presuming both will be the default, since `license` is going to be opt-in rather than opt-out).
Ruy's recommendation was `npm audit --audit-type=license` as a more npm-y API, so we went with that. I'm not opposed to other APIs though and presume we'll end up bikeshedding a bit.
When I just want one type, that totally makes sense to me - but when I want both, I'd want some config way to per-command override the global `audit-type=license` I plan to configure.
As for the default, I'd assume licenses aren't validated unless there's a config for it, which means it'd be off initially?
oop, sorry, thought I replied to this last night:
the intent is to have `npm audit` do both licenses and advisories by default. It can optionally do just licenses or advisories.
the implementation here is an intentionally basic one that's the result of @ruyadorno and myself pairing, trying to get a very basic implementation working that can be expanded on to include everything that's been scoped out, hence the WIP status of the PR.
OK - so what `audit-type` value would I provide to override (a global config setting that restricts it to "just licenses")?
Updated this a bit. You can run it with `node . audit --audit-type=license --json` to get JSON output. I've got user configuration working (based on
Some additional notes:
FWIW, the npm docs refer to SPDX - it's something they seek to educate on. https://docs.npmjs.com/cli/v7/configuring-npm/package-json#license Perhaps it's worth considering `spdx_identifiers` or similar, to indicate it shouldn't be free-form.
no other property used by npm uses an underscore - I don't think this is a particularly npm-y approach. IMO that exact doc you linked is the justification for using
Does npm even allow publishing anymore with a non-SPDX license field?
You can publish freeform text in that field, yes. If not, it'd prevent things like BlueOak's license from being used, which is IMO a very bad thing for open source and progress.
Free form text, but not non-strings?
FWIW, Blue Oak's license has an SPDX code;
AFAIK you can still do an object (the npmjs.com site renders it correctly despite it being deprecated) but you really shouldn't.
Small update on this: After pairing with @izs it seems like the best approach is to update Arborist (specifically, updating AuditResolver to support licenses in addition to vulnerabilities), since without doing so it's relatively challenging to get nicer bits of I'll probably be a bit slow getting around to that. Happy to pair on it if anyone's interested.
Starting to implement [RFC: Improve signature verification](npm/rfcs#550)

Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))

This command will verify registry signatures stored in the packument against a public key on the registry.

It currently supports:
- Any registry that implements the `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired, compared to the version created date
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- json/human format output

TODO
- [ ] Fix tests and implement test cases
- [ ] Expired public key
- [ ] No public keys
- [ ] Missing signatures with a public key on the registry
- [ ] Missing signatures without a public key on the registry
- [ ] Install with valid signatures
- [ ] Install with invalid signatures
- [ ] Third party registry with signatures and keys
- [ ] Tests for the different formats (json, human)
- [ ] Tests to omit type of dependency (e.g. dev deps)
- [ ] Fetch signatures and integrity from `pacote.manifest`
- [ ] Caching story for public keys? Currently cached for one week, assumes we'll double sign for longer when rotating keys
- [ ] Validate early return conditionals for arb nodes, a lot of cases silently return, e.g. no version, are these correct?
- [ ] What other checks do we want?
- [ ] Strict mode to error if any signatures are missing when a registry does not return public keys?
- [ ] Do we want to explicitly trust keys from third party registries and store in .npmrc?
Implements [RFC: Improve signature verification](npm/rfcs#550)

Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](#3452))

This command will verify registry signatures stored in the packument against a public key on the registry.

Supporting:
- Any registry that implements the `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats

Co-authored-by: Michael Garvin <wraithgar@github.com>
3037d35 to f3b0c43
Closing this while folks work on it. Please do keep your branch in the forked repo. Trying to clear out our pull requests so that they are more manageable.
Begins to implement `npm audit licenses`, which is from npm/rfcs#18.