UNPKG

lockfile-lint

Version:

A CLI to lint a lockfile for security policies

github.com/lirantal/lockfile-lint/tree/master/packages/lockfile-lint

lirantal/lockfile-lint

125 lines (120 loc) 3.88 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
'use strict' const debug = require('debug')('lockfile-lint') const yargs = require('yargs') const {cosmiconfig} = require('cosmiconfig') module.exports = async (argv, exitProcess = false, searchFrom = process.cwd()) => { let cosmiconfigResult try { const explorer = cosmiconfig('lockfile-lint', { searchPlaces: [ 'package.json', '.lockfile-lintrc', '.lockfile-lintrc.json', '.lockfile-lintrc.yaml', '.lockfile-lintrc.yml', '.lockfile-lintrc.js', '.lockfile-lintrc.cjs', '.lockfile-lintrc.mjs', 'lockfile-lint.config.js', 'lockfile-lint.config.cjs', 'lockfile-lint.config.mjs' ] }) cosmiconfigResult = await explorer.search(searchFrom) } catch (err) { debug(`error encountered while loading configuration: ${err}`) } let fileConfig = {} if (cosmiconfigResult) { fileConfig = cosmiconfigResult.config debug( `loaded the following config from ${cosmiconfigResult.filepath}: ${JSON.stringify( fileConfig )}` ) } return yargs(argv) .version() .config(fileConfig) .usage('Usage: lockfile-lint --path <path-to-lockfile> --allowed-hosts yarn npm') .help('help') .alias('help', 'h') .options({ path: { alias: ['p'], type: 'string', describe: 'path to the lockfile', demandOption: true }, type: { alias: ['t'], type: 'string', describe: 'lockfile type, options are "npm" or "yarn"' }, 'validate-https': { alias: ['s'], type: 'boolean', describe: 'validates the use of HTTPS as protocol schema for all resources' }, 'validate-package-names': { alias: ['n'], type: 'boolean', describe: "validates that the resource URL specifies the same package name as that listed as the lockfile entry's key", implies: 'allowed-hosts' }, 'validate-integrity': { alias: ['i'], type: 'boolean', describe: 'validates that the integrity hash type is sha512' }, 'empty-hostname': { alias: 'e', type: 'boolean', default: true, describe: 'allows empty hostnames, or set to false if you wish for a stricter policy' }, 'allowed-hosts': { alias: ['a'], type: 'array', describe: 'validates a whitelist of allowed hosts to be used for resources in the lockfile' }, 'allowed-schemes': { alias: ['o'], type: 'array', describe: 'validates a whitelist of allowed schemes to be used for resources in the lockfile', conflicts: ['validate-https', 's'] }, 'allowed-urls': { alias: ['u'], type: 'array', describe: 'validates a whitelist of allowed URLs to be used for resources in the lockfile' }, 'allowed-package-name-aliases': { alias: ['l'], type: 'array', describe: 'validates an alias of package names to be used for resources in the lockfile' }, 'integrity-exclude': { type: 'array', describe: 'do not validate integrity for these package' }, format: { alias: ['f'], type: 'string', description: 'format of the report output', choices: ['plain', 'pretty'], default: 'pretty' } }) .example('lockfile-lint --path yarn.lock --validate-https') .example('lockfile-lint --path yarn.lock --validate-https --allowed-hosts npm yarn verdaccio') .example( 'lockfile-lint --path yarn.lock --allowed-schemes "https:" "git+ssh:" --allowed-hosts npm yarn verdaccio' ) .epilogue('curated by Liran Tal at https://github.com/lirantal/lockfile-lint') .detectLocale(false) .exitProcess(exitProcess) .parse() }