Comments (10)
Fixed with the new PR to skip them.
Please re-open if we want to revisit this.
from lockfile-lint.
Hi @eserkaraca,
I think that's a good idea for an enhancement.
I added some labels in the hope that someone picks this up. If you'd like to submit a PR yourself (or anyone on your team), I'd be happy to merge it and release the new feature support.
Another use case for this feature is to ensure URLs on GitHub are from allowed orgs, such as only the org developing the project; example in BlueWallet/BlueWallet#5329
Yep, makes total sense and that's another good use-case @emanuelb.
I would say we could update the `--allowed-urls` logic to also support patterns. WDYT?
Yes, both options are OK (adding another parameter that supports patterns such as globbing or regex, or adding this functionality to the already available `--allowed-urls` parameter). In case the current parameter is used, it's better to ensure the approach won't change the functionality in a way that makes previous usages behave differently, such as: if regex is used, then `.` in a domain will mean any char and thus enable URLs from another domain, etc.
I prefer a new parameter name to support additional patterns because of the reasons mentioned above (not changing previous usages in any way; fewer chances to introduce bugs that way for usages that don't expect any patterns).
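The `.`-means-any-character and anchoring pitfall raised above, as an added example (not lockfile-lint's own code): an allowed-URL pattern used directly as a regex versus a glob-style pattern converted into an escaped, anchored matcher. The function names and sample URLs are constructed for illustration.

```javascript
// Added example (not lockfile-lint's own code). Shows why a URL pattern
// must not be used as a bare regex: "." matches any character and the
// pattern is unanchored, so look-alike or embedding URLs slip through.

// Escape every regex metacharacter so literal URL text matches only itself.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Convert a glob-style allowed-URL pattern ("*" = any run of characters)
// into an anchored RegExp; everything except "*" is matched literally.
function globToRegex(pattern) {
  const body = pattern.split('*').map(escapeRegex).join('.*');
  return new RegExp('^' + body + '$');
}

function globMatches(pattern, url) {
  return globToRegex(pattern).test(url);
}

// Naive variant: the pattern string used as a regex as-is (unescaped, unanchored).
function naiveMatches(pattern, url) {
  return new RegExp(pattern).test(url);
}

// Constructed sample inputs.
const PATTERN = 'https://registry.npmjs.org/*';
const SAMPLE_URLS = {
  good: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
  // An unescaped "." in the pattern accepts any character in place of the dot.
  lookalike: 'https://registryXnpmjs.org/lodash/-/lodash-4.17.21.tgz',
  // An unanchored pattern matches anywhere in the string, not just at the start.
  embedded: 'https://mirror.example/fetch?u=https://registry.npmjs.org/',
};

// Returns, per sample, what each matcher decides; only the glob matcher
// accepts exactly the good URL and rejects the other two.
function compareMatchers() {
  const out = {};
  for (const [label, url] of Object.entries(SAMPLE_URLS)) {
    out[label] = { naive: naiveMatches(PATTERN, url), glob: globMatches(PATTERN, url) };
  }
  return out;
}
```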
I found this issue after having the same need. I would propose to add a `--allowed-registries` option to keep it in line with how `.npmrc` is configured. It would validate the scheme, hostname and path prefix of every given registry URL. For complex setups wildcards might be desired, but I personally would rather list all the allowed registries.
@eserkaraca It seems to me that your example use case could be supported without a glob or regex. Do you agree, or is the `…*/prefix` part somehow important?
E.g. `npx lockfile-lint --allowed-registries https://artifactory.example.com/npm/REL`
or for multiple registries
`npx lockfile-lint --allowed-registries https://artifactory.example.com/npm/DEV,https://artifactory.example.com/npm/REL`
@eins78 per my above comment about using allowed-urls, I generally still think it holds to just use that and update the current capability to regexes.
However, as @emanuelb pointed out, it might break existing URLs. I find `--allowed-registries` to be a bit confusing, so maybe we use `--allowed-urls-regex` to specify glob matching in URLs? (I'm not actually sure yet if "glob" or actual regex syntax, but let's land on what a solution would look like first.)
EDIT: @eins78 specifically for your use case above with the registries, can you explain why the existing `--allowed-urls` flag doesn't work for you?
I'm not sure if it is related, but I have an internal registry too, and I can't make it ignore my private packages:

```
"@cxui/[email protected]":
  version "1.0.10"
  resolved "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/cypress-util/-/@cxui/cypress-util-1.0.10.tgz#3134312351eb248c1c4561d393afc6d8c23b2943"
```

And I get

```
detected resolved URL for package with a different name: @cxui/cypress-util
expected: @cxui/cypress-util
actual: artifactory/api/npm/team-npm/@cxui/cypress-util
```

Settings:

```json
"lockfile-lint": {
  "allowed-hosts": [
    "npm",
    "yarn",
    "checkmarx.jfrog.io"
  ],
  "allowed-urls": [
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/cypress-util/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/",
    "https://checkmarx.jfrog.io/artifactory/api/npm/team-npm",
    "https://checkmarx.jfrog.io/artifactory/api/npm/",
    "https://checkmarx.jfrog.io/artifactory/api/npm",
    "https://checkmarx.jfrog.io/artifactory/api/",
    "https://checkmarx.jfrog.io/artifactory/api",
    "https://checkmarx.jfrog.io/artifactory/",
    "https://checkmarx.jfrog.io/artifactory",
    "https://checkmarx.jfrog.io/",
    "https://checkmarx.jfrog.io"
  ],
  "validate-https": true,
  "validate-package-names": true,
  "validate-integrity": true,
  "empty-hostname": false
}
```
@baruchiro the problem with your setup is specifically `validate-package-names`, which validates that the package name resolves to a matching name in the registry, but it only knows how to parse the open registries (npm/yarn), so the matching fails.
In this case, here are a few options with which we can solve this:
- Ignore checking package names if the registry isn't one of the official ones (npm/yarn) and don't report mismatches
- Allow you to specify a flag like `package-name-url-prefixes` where you can write `https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/` so that we parse everything after that to compare the package name for a match
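The second option above (a configured registry prefix stripped before the package name is read from the tarball URL), as an added example that is not lockfile-lint's own code. It reproduces the mismatch reported in the previous comment using that comment's lockfile entry, then shows the check passing once the prefix is supplied; the function names and the hypothetical prefix option are assumptions.

```javascript
// Added example (not lockfile-lint's own code). Demonstrates the
// "package-name-url-prefixes" idea: strip a configured registry prefix before
// reading the package name out of a resolved tarball URL, so the registry's own
// path ("artifactory/api/npm/team-npm/") is not mistaken for part of the name.

// Name encoded in a registry tarball URL: the path segment(s) before "/-/".
// Open registries (npm/yarn) put the name directly under the host; for a
// private registry the matching configured prefix is removed first.
function packageNameFromUrl(resolvedUrl, prefixes = []) {
  const matched = prefixes.find((p) => resolvedUrl.startsWith(p));
  const path = matched
    ? resolvedUrl.slice(matched.length)
    : new URL(resolvedUrl).pathname.replace(/^\//, '');
  const marker = path.indexOf('/-/');
  if (marker === -1) return null; // not a registry tarball layout
  return decodeURIComponent(path.slice(0, marker));
}

// Compare the lockfile entry's name with the name the resolved URL encodes.
function validatePackageName(name, resolvedUrl, prefixes = []) {
  const actual = packageNameFromUrl(resolvedUrl, prefixes);
  return { ok: actual === name, expected: name, actual };
}

// Lockfile entry from the comment above (version and hash as reported there).
const ENTRY = {
  name: '@cxui/cypress-util',
  resolved:
    'https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/@cxui/cypress-util/-/@cxui/cypress-util-1.0.10.tgz#3134312351eb248c1c4561d393afc6d8c23b2943',
};
// Hypothetical value for the proposed prefix option.
const PREFIXES = ['https://checkmarx.jfrog.io/artifactory/api/npm/team-npm/'];

// Without the prefix the registry path leaks into "actual" (the reported
// error); with it the names agree.
function demo() {
  return {
    withoutPrefix: validatePackageName(ENTRY.name, ENTRY.resolved),
    withPrefix: validatePackageName(ENTRY.name, ENTRY.resolved, PREFIXES),
  };
}
```

A URL whose encoded name differs from the lockfile key still fails with the prefix configured, which is the property the check exists to enforce.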