UNPKG

yarn-audit-fix

Version:

The missing `yarn audit fix`

github.com/antongolub/yarn-audit-fix

antongolub/yarn-audit-fix

135 lines (116 loc) 3.48 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
import sv from 'semver' import { TAuditReport, TContext, TLockfileObject, TLockfileType, } from '../ifaces' import { audit as auditV1, format as formatV1, parse as parseV1, patchEntry as patchEntryV1, } from './v1' import { audit as auditV2, format as formatV2, parse as parseV2, patchEntry as patchEntryV2, } from './v2' export const getLockfileType = (lockfile: string): TLockfileType => { if (lockfile.includes('yarn lockfile v1')) { return 'yarn1' } if (lockfile.includes('__metadata')) { return 'yarn2' } return undefined } export const _parse = ( lockfile: string, lockfileType: TLockfileType, ): TLockfileObject => { if (lockfileType === undefined) { throw new Error('Unsupported lockfile format') } return lockfileType === 'yarn2' ? parseV2(lockfile) : parseV1(lockfile) } export const _format = ( lockfile: TLockfileObject, lockfileType: TLockfileType, ): string => lockfileType === 'yarn2' ? formatV2(lockfile) : formatV1(lockfile) /** * Pulled up from https://github.com/hfour/yarn-audit-fix-ng/blob/main/src/index.ts */ export const _patch = ( lockfile: TLockfileObject, report: TAuditReport, { flags, bins }: TContext, lockfileType: TLockfileType, ): TLockfileObject => { // eslint-disable-line sonarjs/cognitive-complexity if (Object.keys(report).length === 0) { !flags.silent && console.log('Audit check found no issues') return lockfile } const upgraded: string[] = [] for (const depSpec of Object.keys(lockfile)) { // @babel/code-frame@^7.0.0 // @babel/code-frame@npm:^7.0.0 const [, pkgName, desiredRange] = /^(@?[^@]+)@(?:\w+:)?(.+)$/.exec(depSpec) || [] // const [pkgName, desiredRange] = depSpec.split('@') const pkgAudit = report[pkgName] if (!pkgAudit) continue const pkgSpec = lockfile[depSpec] if (sv.satisfies(pkgSpec.version, pkgAudit.vulnerable_versions)) { const fix = sv.minVersion(pkgAudit.patched_versions)?.format() if (fix === undefined) { console.error( "Can't find satisfactory version for", pkgAudit.module_name, pkgAudit.patched_versions, ) continue } if (!sv.satisfies(fix, desiredRange) && !flags.force) { console.error( "Can't find patched version that satisfies", depSpec, 'in', pkgAudit.patched_versions, ) continue } upgraded.push(`${pkgName}@${fix}`) lockfileType === 'yarn1' ? patchEntryV1(pkgSpec, pkgName, fix) : patchEntryV2(pkgSpec, pkgName, fix, bins.npm) } } !flags.silent && console.log( 'Upgraded deps:', upgraded.length > 0 ? upgraded.join(', ') : '<none>', ) return lockfile } export const _audit = ( { flags, temp, bins }: TContext, lockfileType: TLockfileType, ): TAuditReport => lockfileType === 'yarn2' ? auditV2(flags, temp, bins) : auditV1(flags, temp, bins) // FIXME Jest cannot mock esm yet // https://github.com/facebook/jest/commit/90d6908492d164392ce8429923e7f0fa17946d2d export const _internal = { _parse, _audit, _patch, _format, } export const parse: typeof _parse = (...args) => _internal._parse(...args) export const audit: typeof _audit = (...args) => _internal._audit(...args) export const patch: typeof _patch = (...args) => _internal._patch(...args) export const format: typeof _format = (...args) => _internal._format(...args)