
Showing content from https://github.com/npm/cli/commit/f7b056f28ac1a26fd875662768742df586c0b334 below:

clean up audit-report code (#8400) · npm/cli@f7b056f · GitHub

1 1

// an object representing the set of vulnerabilities in a tree

2 -

/* eslint camelcase: "off" */

3 2 4 3

const localeCompare = require('@isaacs/string-locale-compare')('en')

5 4

const npa = require('npm-package-arg')

@@ -8,16 +7,15 @@ const pickManifest = require('npm-pick-manifest')

8 7

const Vuln = require('./vuln.js')

9 8

const Calculator = require('@npmcli/metavuln-calculator')

10 9 11 -

const _getReport = Symbol('getReport')

12 -

const _fixAvailable = Symbol('fixAvailable')

13 -

const _checkTopNode = Symbol('checkTopNode')

14 -

const _init = Symbol('init')

15 -

const _omit = Symbol('omit')

16 10

const { log, time } = require('proc-log')

17 11 18 12

const npmFetch = require('npm-registry-fetch')

19 13 20 14

class AuditReport extends Map {

15 +

#omit

16 +

error = null

17 +

topVulns = new Map()

18 + 21 19

static load (tree, opts) {

22 20

return new AuditReport(tree, opts).run()

23 21

}

@@ -91,22 +89,18 @@ class AuditReport extends Map {

91 89 92 90

constructor (tree, opts = {}) {

93 91

super()

94 -

const { omit } = opts

95 -

this[_omit] = new Set(omit || [])

96 -

this.topVulns = new Map()

97 - 92 +

this.#omit = new Set(opts.omit || [])

98 93

this.calculator = new Calculator(opts)

99 -

this.error = null

100 94

this.options = opts

101 95

this.tree = tree

102 96

this.filterSet = opts.filterSet

103 97

}

104 98 105 99

async run () {

106 -

this.report = await this[_getReport]()

100 +

this.report = await this.#getReport()

107 101

log.silly('audit report', this.report)

108 102

if (this.report) {

109 -

await this[_init]()

103 +

await this.#init()

110 104

}

111 105

return this

112 106

}

@@ -116,7 +110,7 @@ class AuditReport extends Map {

116 110

return !!(vuln && vuln.isVulnerable(node))

117 111

}

118 112 119 -

async [_init] () {

113 +

async #init () {

120 114

const timeEnd = time.start('auditReport:init')

121 115 122 116

const promises = []

@@ -171,7 +165,15 @@ class AuditReport extends Map {

171 165

vuln.nodes.add(node)

172 166

for (const { from: dep, spec } of node.edgesIn) {

173 167

if (dep.isTop && !vuln.topNodes.has(dep)) {

174 -

this[_checkTopNode](dep, vuln, spec)

168 +

vuln.fixAvailable = this.#fixAvailable(vuln, spec)

169 +

if (vuln.fixAvailable !== true) {

170 +

// now we know the top node is vulnerable, and cannot be

171 +

// upgraded out of the bad place without --force. But, there's

172 +

// no need to add it to the actual vulns list, because nothing

173 +

// depends on root.

174 +

this.topVulns.set(vuln.name, vuln)

175 +

vuln.topNodes.add(dep)

176 +

}

175 177

} else {

176 178

// calculate a metavuln, if necessary

177 179

const calc = this.calculator.calculate(dep.packageName, advisory)

@@ -214,33 +216,14 @@ class AuditReport extends Map {

214 216

timeEnd()

215 217

}

216 218 217 -

[_checkTopNode] (topNode, vuln, spec) {

218 -

vuln.fixAvailable = this[_fixAvailable](topNode, vuln, spec)

219 - 220 -

if (vuln.fixAvailable !== true) {

221 -

// now we know the top node is vulnerable, and cannot be

222 -

// upgraded out of the bad place without --force. But, there's

223 -

// no need to add it to the actual vulns list, because nothing

224 -

// depends on root.

225 -

this.topVulns.set(vuln.name, vuln)

226 -

vuln.topNodes.add(topNode)

227 -

}

228 -

}

229 - 230 -

// check whether the top node is vulnerable.

231 -

// check whether we can get out of the bad place with --force, and if

232 -

// so, whether that update is SemVer Major

233 -

[_fixAvailable] (topNode, vuln, spec) {

234 -

// this will always be set to at least {name, versions:{}}

235 -

const paku = vuln.packument

236 - 219 +

// given the spec, see if there is a fix available at all, and note whether or not it's a semver major fix or not (i.e. will need --force)

220 +

#fixAvailable (vuln, spec) {

221 +

// TODO we return true, false, OR an object here. this is probably a bad pattern.

237 222

if (!vuln.testSpec(spec)) {

238 223

return true

239 224

}

240 225 241 -

// similarly, even if we HAVE a packument, but we're looking for it

242 -

// somewhere other than the registry, and we got something vulnerable,

243 -

// then we're stuck with it.

226 +

// even if we HAVE a packument, if we're looking for it somewhere other than the registry and we have something vulnerable then we're stuck with it.

244 227

const specObj = npa(spec)

245 228

if (!specObj.registry) {

246 229

return false

@@ -250,15 +233,13 @@ class AuditReport extends Map {

250 233

spec = specObj.subSpec.rawSpec

251 234

}

252 235 253 -

// We don't provide fixes for top nodes other than root, but we

254 -

// still check to see if the node is fixable with a different version,

255 -

// and if that is a semver major bump.

236 +

// we don't provide fixes for top nodes other than root, but we still check to see if the node is fixable with a different version, and note if that is a semver major bump.

256 237

try {

257 238

const {

258 239

_isSemVerMajor: isSemVerMajor,

259 240

version,

260 241

name,

261 -

} = pickManifest(paku, spec, {

242 +

} = pickManifest(vuln.packument, spec, {

262 243

...this.options,

263 244

before: null,

264 245

avoid: vuln.range,

@@ -274,7 +255,7 @@ class AuditReport extends Map {

274 255

throw new Error('do not call AuditReport.set() directly')

275 256

}

276 257 277 -

async [_getReport] () {

258 +

async #getReport () {

278 259

// if we're not auditing, just return false

279 260

if (this.options.audit === false || this.options.offline === true || this.tree.inventory.size === 1) {

280 261

return null

@@ -312,11 +293,17 @@ class AuditReport extends Map {

312 293 313 294

// return true if we should audit this one

314 295

shouldAudit (node) {

315 -

return !node.version ? false

316 -

: node.isRoot ? false

317 -

: this.filterSet && this.filterSet.size !== 0 && !this.filterSet.has(node) ? false

318 -

: this[_omit].size === 0 ? true

319 -

: !node.shouldOmit(this[_omit])

296 +

if (

297 +

!node.version ||

298 +

node.isRoot ||

299 +

(this.filterSet && this.filterSet?.size !== 0 && !this.filterSet?.has(node))

300 +

) {

301 +

return false

302 +

}

303 +

if (this.#omit.size === 0) {

304 +

return true

305 +

}

306 +

return !node.shouldOmit(this.#omit)

320 307

}

321 308 322 309

prepareBulkData () {
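Review bot: The new `shouldAudit` condition at new line 299 first guards on `this.filterSet` being truthy and then still applies `?.` to the same value twice, so the optional chaining is dead and reads as though the guard were absent; `(this.filterSet && this.filterSet.size !== 0 && !this.filterSet.has(node))` gives the same result with one way of expressing the null check. Dropping the guard and keeping `?.` instead would not be equivalent, because `undefined !== 0` is true and a missing filterSet would then fall through to the `has` call. The rest of the rewritten method (the `#omit.size === 0` early return and the final `shouldOmit` call) matches the old ternary chain line for line. shouldAudit is complete within this hunk; the enclosing class continues past it.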

