Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Isaacs/install finish #1245

Closed
wants to merge 10 commits into from
Closed

Isaacs/install finish #1245

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
5e940d9
update @npmcli/arborist, dedupe/organize metadeps
isaacs Apr 23, 2020
59cd29d
remove libcipm, correct bundleDependencies
isaacs May 1, 2020
4f9f144
dedupe npm-pick-manifest up to 6.1.0
isaacs May 1, 2020
e1943ac
[email protected]
isaacs May 1, 2020
873665e
update arborist, dedupe pacote/make-fetch-happen
isaacs May 4, 2020
59d9373
Consistent output for most reify() commands
isaacs May 4, 2020
df53085
shrinkwrap: port to using Arborist
isaacs May 4, 2020
87a1559
@npmcli/[email protected]
isaacs May 5, 2020
8749628
show stdout/stderr output for failed scripts
isaacs May 5, 2020
56a688a
add the --legacy-peer-deps config
isaacs May 6, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
19 changes: 19 additions & 0 deletions docs/content/using-npm/config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -644,6 +644,25 @@ such as the one included with node 0.8, can install the package. This
eliminates all automatic deduping. If used with `global-style` this option
will be preferred.

#### legacy-peer-deps

* Default: false
* Type: Boolean

Causes npm to completely ignore `peerDependencies` when building a package
tree, as in npm versions 3 through 6.

If a package cannot be installed because of overly strict
`peerDependencies` that collide, it provides a way to move forward
resolving the situation.

This differs from `--omit=peer`, in that `--omit=peer` will avoid unpacking
`peerDependencies` on disk, but will still design a tree such that
`peerDependencies` _could_ be unpacked in a correct place.

Use of `legacy-peer-deps` is not recommended, as it will not enforce the
`peerDependencies` contract that meta-dependencies may rely on.

#### link

* Default: false
Expand Down
312 changes: 28 additions & 284 deletions lib/audit.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,50 +1,41 @@
'use strict'

const Bluebird = require('bluebird')

const audit = require('./install/audit.js')
const figgyPudding = require('figgy-pudding')
const fs = require('graceful-fs')
const Installer = require('./install.js').Installer
const lockVerify = require('lock-verify')
const log = require('npmlog')
const npa = require('npm-package-arg')
const Arborist = require('@npmcli/arborist')
const auditReport = require('npm-audit-report')
const npm = require('./npm.js')
const npmConfig = require('./config/figgy-config.js')
const output = require('./utils/output.js')
const parseJson = require('json-parse-better-errors')
const reifyOutput = require('./utils/reify-output.js')

const readFile = Bluebird.promisify(fs.readFile)

const AuditConfig = figgyPudding({
also: {},
'audit-level': {},
deepArgs: 'deep-args',
'deep-args': {},
dev: {},
force: {},
'dry-run': {},
global: {},
json: {},
only: {},
parseable: {},
prod: {},
production: {},
registry: {},
runId: {}
})
const audit = async args => {
const arb = new Arborist({
...npm.flatOptions,
audit: true,
path: npm.prefix
})
const fix = args[0] === 'fix'
const result = await arb.audit({ fix })
if (fix) {
reifyOutput(arb)
} else {
const reporter = npm.flatOptions.json ? 'json' : 'detail'
const result = auditReport(arb.auditReport, {
...npm.flatOptions,
reporter
})
process.exitCode = process.exitCode || result.exitCode
output(result.report)
}
}

module.exports = auditCmd
const cmd = (args, cb) => audit(args).then(() => cb()).catch(cb)

const usage = require('./utils/usage')
auditCmd.usage = usage(
const usageUtil = require('./utils/usage')
const usage = usageUtil(
'audit',
'\nnpm audit [--json] [--production]' +
'\nnpm audit fix ' +
'[--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]'
)

auditCmd.completion = function (opts, cb) {
const completion = (opts, cb) => {
const argv = opts.conf.argv.remain

switch (argv[2]) {
Expand All @@ -55,251 +46,4 @@ auditCmd.completion = function (opts, cb) {
}
}

class Auditor extends (class {}) {
constructor (where, dryrun, args, opts) {
super(where, dryrun, args, opts)
this.deepArgs = (opts && opts.deepArgs) || []
this.runId = opts.runId || ''
this.audit = false
}

loadAllDepsIntoIdealTree (cb) {
Bluebird.fromNode(cb => super.loadAllDepsIntoIdealTree(cb)).then(() => {
if (this.deepArgs && this.deepArgs.length) {
this.deepArgs.forEach(arg => {
arg.reduce((acc, child, ii) => {
if (!acc) {
// We might not always be able to find `target` through the given
// path. If we can't we'll just ignore it.
return
}
const spec = npa(child)
const target = (
acc.requires.find(n => n.package.name === spec.name) ||
acc.requires.find(
n => audit.scrub(n.package.name, this.runId) === spec.name
)
)
if (target && ii === arg.length - 1) {
target.loaded = false
// This kills `hasModernMeta()` and forces a re-fetch
target.package = {
name: spec.name,
version: spec.fetchSpec,
_requested: target.package._requested
}
delete target.fakeChild
let parent = target.parent
while (parent) {
parent.loaded = false
parent = parent.parent
}
target.requiredBy.forEach(par => {
par.loaded = false
delete par.fakeChild
})
}
return target
}, this.idealTree)
})
return Bluebird.fromNode(cb => super.loadAllDepsIntoIdealTree(cb))
}
}).nodeify(cb)
}

// no top level lifecycles on audit
runPreinstallTopLevelLifecycles (cb) { cb() }
runPostinstallTopLevelLifecycles (cb) { cb() }
}

function maybeReadFile (name) {
const file = `${npm.prefix}/${name}`
return readFile(file)
.then((data) => {
try {
return parseJson(data)
} catch (ex) {
ex.code = 'EJSONPARSE'
throw ex
}
})
.catch({code: 'ENOENT'}, () => null)
.catch((ex) => {
ex.file = file
throw ex
})
}

function filterEnv (action, opts) {
const includeDev = opts.dev ||
(!/^prod(uction)?$/.test(opts.only) && !opts.production) ||
/^dev(elopment)?$/.test(opts.only) ||
/^dev(elopment)?$/.test(opts.also)
const includeProd = !/^dev(elopment)?$/.test(opts.only)
const resolves = action.resolves.filter(({dev}) => {
return (dev && includeDev) || (!dev && includeProd)
})
if (resolves.length) {
return Object.assign({}, action, {resolves})
}
}

function auditCmd (args, cb) {
const opts = AuditConfig(npmConfig())
if (opts.global) {
const err = new Error('`npm audit` does not support testing globals')
err.code = 'EAUDITGLOBAL'
throw err
}
if (args.length && args[0] !== 'fix') {
return cb(new Error('Invalid audit subcommand: `' + args[0] + '`\n\nUsage:\n' + auditCmd.usage))
}
return Bluebird.all([
maybeReadFile('npm-shrinkwrap.json'),
maybeReadFile('package-lock.json'),
maybeReadFile('package.json')
]).spread((shrinkwrap, lockfile, pkgJson) => {
const sw = shrinkwrap || lockfile
if (!pkgJson) {
const err = new Error('No package.json found: Cannot audit a project without a package.json')
err.code = 'EAUDITNOPJSON'
throw err
}
if (!sw) {
const err = new Error('Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile')
err.code = 'EAUDITNOLOCK'
throw err
} else if (shrinkwrap && lockfile) {
log.warn('audit', 'Both npm-shrinkwrap.json and package-lock.json exist, using npm-shrinkwrap.json.')
}
const requires = Object.assign(
{},
(pkgJson && pkgJson.dependencies) || {},
(!opts.production && pkgJson && pkgJson.devDependencies) || {}
)
return lockVerify(npm.prefix).then((result) => {
if (result.status) return audit.generate(sw, requires)

const lockFile = shrinkwrap ? 'npm-shrinkwrap.json' : 'package-lock.json'
const err = new Error(`Errors were found in your ${lockFile}, run npm install to fix them.\n ` +
result.errors.join('\n '))
err.code = 'ELOCKVERIFY'
throw err
})
}).then((auditReport) => {
return audit.submitForFullReport(auditReport)
}).catch((err) => {
if (err.statusCode >= 400) {
let msg
if (err.statusCode === 401) {
msg = `Either your login credentials are invalid or your registry (${opts.registry}) does not support audit.`
} else if (err.statusCode === 404) {
msg = `Your configured registry (${opts.registry}) does not support audit requests.`
} else {
msg = `Your configured registry (${opts.registry}) may not support audit requests, or the audit endpoint may be temporarily unavailable.`
}
if (err.body.length) {
msg += '\nThe server said: ' + err.body
}
const ne = new Error(msg)
ne.code = 'ENOAUDIT'
ne.wrapped = err
throw ne
}
throw err
}).then((auditResult) => {
if (args[0] === 'fix') {
const actions = (auditResult.actions || []).reduce((acc, action) => {
action = filterEnv(action, opts)
if (!action) { return acc }
if (action.isMajor) {
acc.major.add(`${action.module}@${action.target}`)
action.resolves.forEach(({id, path}) => acc.majorFixes.add(`${id}::${path}`))
} else if (action.action === 'install') {
acc.install.add(`${action.module}@${action.target}`)
action.resolves.forEach(({id, path}) => acc.installFixes.add(`${id}::${path}`))
} else if (action.action === 'update') {
const name = action.module
const version = action.target
action.resolves.forEach(vuln => {
acc.updateFixes.add(`${vuln.id}::${vuln.path}`)
const modPath = vuln.path.split('>')
const newPath = modPath.slice(
0, modPath.indexOf(name)
).concat(`${name}@${version}`)
if (newPath.length === 1) {
acc.install.add(newPath[0])
} else {
acc.update.add(newPath.join('>'))
}
})
} else if (action.action === 'review') {
action.resolves.forEach(({id, path}) => acc.review.add(`${id}::${path}`))
}
return acc
}, {
install: new Set(),
installFixes: new Set(),
update: new Set(),
updateFixes: new Set(),
major: new Set(),
majorFixes: new Set(),
review: new Set()
})
return Bluebird.try(() => {
const installMajor = opts.force
const installCount = actions.install.size + (installMajor ? actions.major.size : 0) + actions.update.size
const vulnFixCount = new Set([...actions.installFixes, ...actions.updateFixes, ...(installMajor ? actions.majorFixes : [])]).size
const metavuln = auditResult.metadata.vulnerabilities
const total = Object.keys(metavuln).reduce((acc, key) => acc + metavuln[key], 0)
if (installCount) {
log.verbose(
'audit',
'installing',
[...actions.install, ...(installMajor ? actions.major : []), ...actions.update]
)
}
return Bluebird.fromNode(cb => {
new Auditor(
npm.prefix,
!!opts['dry-run'],
[...actions.install, ...(installMajor ? actions.major : [])],
opts.concat({
runId: auditResult.runId,
deepArgs: [...actions.update].map(u => u.split('>'))
}).toJSON()
).run(cb)
}).then(() => {
const numScanned = auditResult.metadata.totalDependencies
if (!opts.json && !opts.parseable) {
output(`fixed ${vulnFixCount} of ${total} vulnerabilit${total === 1 ? 'y' : 'ies'} in ${numScanned} scanned package${numScanned === 1 ? '' : 's'}`)
if (actions.review.size) {
output(` ${actions.review.size} vulnerabilit${actions.review.size === 1 ? 'y' : 'ies'} required manual review and could not be updated`)
}
if (actions.major.size) {
output(` ${actions.major.size} package update${actions.major.size === 1 ? '' : 's'} for ${actions.majorFixes.size} vulnerabilit${actions.majorFixes.size === 1 ? 'y' : 'ies'} involved breaking changes`)
if (installMajor) {
output(' (installed due to `--force` option)')
} else {
output(' (use `npm audit fix --force` to install breaking changes;' +
' or refer to `npm audit` for steps to fix these manually)')
}
}
}
})
})
} else {
const levels = ['low', 'moderate', 'high', 'critical']
const minLevel = levels.indexOf(opts['audit-level'])
const vulns = levels.reduce((count, level, i) => {
return i < minLevel ? count : count + (auditResult.metadata.vulnerabilities[level] || 0)
}, 0)
if (vulns > 0) process.exitCode = 1
if (opts.parseable) {
return audit.printParseableReport(auditResult)
} else {
return audit.printFullReport(auditResult)
}
}
}).asCallback(cb)
}
module.exports = Object.assign(cmd, { usage, completion })
Loading