3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -13,7 +13,8 @@
}
},
"dependencies": {
"@semantic-release/error": "^1.0.0"
"@semantic-release/error": "^1.0.0",
"nsp": "1.1.0"
},
"devDependencies": {
"babel": "^5.5.8",
15 changes: 13 additions & 2 deletions src/index.js
@@ -1,5 +1,16 @@
const SRError = require('@semantic-release/error')
var auditPackage = require('nsp/lib/auditPackage.js')

module.exports = function (pluginConfig, config, cb) {
cb(null)
module.exports = function (pluginConfig, packagePath, cb) {
if (!packagePath) {
packagePath = process.cwd() + '/package.json'
}

auditPackage(packagePath, (err, results) => {
if (err) return cb(new SRError('nsp returned unexpected error code', 'ENSPFAIL'))

if (results.length > 0) return cb(new SRError('Vulnerable Dependencies', 'EVULNERABLEDEPS'))

return cb(null)
})
}
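Review bot: The second argument is now treated as a file path on the line `module.exports = function (pluginConfig, packagePath, cb)`, but the signature it replaces named that argument `config`; if semantic-release still hands this plugin its config object, the `!packagePath` default is skipped and the object is passed straight to auditPackage, which would surface only as ENSPFAIL, so the caller's contract should be confirmed before this lands. The underlying nsp error is discarded on the `if (err)` line, making a network failure, a bad path and a parse error indistinguishable; keep it in the message, e.g. `if (err) return cb(new SRError('nsp returned unexpected error code: ' + err.message, 'ENSPFAIL'))`. The default path should be built with `path.join(process.cwd(), 'package.json')` rather than string concatenation, and `results.length > 0` assumes nsp always returns an array on success — use `Array.isArray(results) && results.length > 0` if that is not guaranteed. Failing closed on an nsp error is the right choice for a release gate, so the ENSPFAIL branch itself should stay.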
11 changes: 11 additions & 0 deletions test/data/dep-package.json
@@ -0,0 +1,11 @@
{
"name": "git-deps",
"version": "0.0.1",
"dependencies": {
"file-dep": "file:../node",
"some-dep": "https://github.com/joyent/node.git",
"other-dep": "git+ssh://[email protected]:nodesecurity/nsp.git",
"short-url-dep": "nodesecurity/nsp.git"
}
}

10 changes: 10 additions & 0 deletions test/data/vulnerable-package.json
@@ -0,0 +1,10 @@
{
"name": "test",
"version": "0.0.1",
"author": "Node Security Project",
"dependencies": {
"node-print": "0.0.4",
"request": "^2.40.0",
"qs": "^0.5"
}
}
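Review bot: Whether this fixture is reported as vulnerable depends on the advisory database nsp consults when the spec runs, not on anything recorded in the file, so the `find vulnerable packages` expectation can flip without any change to this repository; the caret ranges on `request` and `qs` additionally leave the audited versions to resolution time. Pinning exact versions here and noting in the spec which advisory is expected to fire would make a future failure readable rather than mysterious. The same concern applies to dep-package.json, whose `file:` and git specifiers may be skipped or rejected by nsp depending on how it resolves them, so the `does not raise error on safe packages` case may be passing for a reason other than "no advisories". This is inferred from the spec diff, whose end is outside this view.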
38 changes: 34 additions & 4 deletions test/specs/index.js
Expand Up @@ -3,10 +3,40 @@ const { test } = require('tap')
const SRError = require('@semantic-release/error')

const condition = proxyquire('../../', {
// ...
'auditPackage': (cb) => cb(null)
})

test('run-script', (t) => {
t.ok(condition)
t.end()
test('find vulnerable packages', (tt) => {
tt.plan(2)

condition({}, 'test/data/vulnerable-package.json', (err, results) => {
tt.ok(err instanceof SRError)
tt.is(err.code, 'EVULNERABLEDEPS')
})
})

test('does not raise error on safe packages', (tt) => {
tt.plan(1)

condition({}, 'test/data/dep-package.json', (err) => {
tt.is(err, null)
})
})

test('requires proper path to package', (tt) => {
tt.plan(2)

condition({}, 'weird', (err) => {
tt.ok(err instanceof SRError)
tt.is(err.code, 'ENSPFAIL')
})
})

test('if no path given, path defaults to cwd + package.json', (tt) => {
tt.plan(1)

condition({}, '', (err) => {
tt.is(err, null)
})
})