Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

lockfile-lint does not lint the entire tree for package-lock.json

See original GitHub issue

When running "test:lockfile": "lockfile-lint -p package-lock.json -t npm -a npm -o https: -c -i", it does not check past the first resolved URL for a dependency.

Expected Behavior

lockfile-lint should check the entire tree.

Current Behavior

If we take the below snippet from a package-lock.json and change the semver resolved URL to http or a URL other than registry.npmjs.org, lockfile-lint will not catch this.

"@babel/core": {
  "version": "7.7.5",
  "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.7.5.tgz",
  "integrity": "sha512-M42+ScN4+1S9iB6f+TL7QBpoQETxbclx+KNoKJABghnKYE+fMzSGqst0BZJc8CpI625bwPwYgUyRvxZ+0mZzpw==",
  "dev": true,
  "requires": {
    "@babel/code-frame": "^7.5.5",
    "@babel/generator": "^7.7.4",
    "@babel/helpers": "^7.7.4",
    "@babel/parser": "^7.7.5",
    "@babel/template": "^7.7.4",
    "@babel/traverse": "^7.7.4",
    "@babel/types": "^7.7.4",
    "convert-source-map": "^1.7.0",
    "debug": "^4.1.0",
    "json5": "^2.1.0",
    "lodash": "^4.17.13",
    "resolve": "^1.3.2",
    "semver": "^5.4.1",
    "source-map": "^0.5.0"
  },
  "dependencies": {
    "semver": {
      "version": "5.7.1",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz",
      "integrity": "sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==",
      "dev": true
    },
    "source-map": {
      "version": "0.5.7",
      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
      "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
      "dev": true
    }
  }
},

Possible Solution

At the moment, my current possible solution is to find and loop over all the resolved URLs.

Steps to Reproduce (for bugs)

If you don’t have a project with lockfile-lint in it already, create one and install lockfile-lint
Add a script that uses lockfile-lint (e.x. "test:lockfile": "lockfile-lint -p package-lock.json -t npm -a npm -o https: -c -i")
Go into the package-lock.json and change the resolved URL to a dependency that is under "dependencies"
Run lockfile-lint

Context

I cannot fully lint my entire package-lock.json file due to this.

Your Environment

Library Version used: ^3.0.8
Node.js version (e.g. Node.js 5.4): v10.13.0
Operating System and version (desktop or mobile): macOS Mojave v10.14.5

Issue Analytics

State:
Created 4 years ago
Comments:11 (11 by maintainers)

Top GitHub Comments

2reactions

lirantalcommented, Jan 26, 2020

@JamesSingleton if you wanted to take a stab at fixing it and providing a PR I’m happy to guide you through on the change that I had in mind. It’s not a very complicated one but the refactor will touch a few places.

In specific I was thinking of:

parse functions in ParseLockfile.js will return a flat array list instead of an object
all validators and tests will accept the list and will iterate that, instead of an object
updating the constructor signature for the validators to use packagesList instead of packages which hints an array list, and opens the possibility in the future to provide a hierarchy structure or otherwise.

2reactions

lirantalcommented, Jan 26, 2020

Alrighty, I’m able to reproduce. Thanks for the heads up on this 👌