deps: ssri@10.0.3

wraithgar · wraithgar · commit 201aa5adcdfc · 2023-04-17T14:05:57.000-07:00
diff --git a/node_modules/ssri/lib/index.js b/node_modules/ssri/lib/index.js
@@ -29,19 +29,33 @@ class IntegrityStream extends MiniPass {
     this.#getOptions()
 
     // options used for calculating stream.  can't be changed.
-    const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
-    this.algorithms = Array.from(
-      new Set(algorithms.concat(this.algorithm ? [this.algorithm] : []))
-    )
+    if (opts?.algorithms) {
+      this.algorithms = [...opts.algorithms]
+    } else {
+      this.algorithms = [...DEFAULT_ALGORITHMS]
+    }
+    if (this.algorithm !== null && !this.algorithms.includes(this.algorithm)) {
+      this.algorithms.push(this.algorithm)
+    }
+
     this.hashes = this.algorithms.map(crypto.createHash)
   }
 
   #getOptions () {
     // For verification
     this.sri = this.opts?.integrity ? parse(this.opts?.integrity, this.opts) : null
     this.expectedSize = this.opts?.size
-    this.goodSri = this.sri ? !!Object.keys(this.sri).length : false
-    this.algorithm = this.goodSri ? this.sri.pickAlgorithm(this.opts) : null
+
+    if (!this.sri) {
+      this.algorithm = null
+    } else if (this.sri.isHash) {
+      this.goodSri = true
+      this.algorithm = this.sri.algorithm
+    } else {
+      this.goodSri = !this.sri.isEmpty()
+      this.algorithm = this.sri.pickAlgorithm(this.opts)
+    }
+
     this.digests = this.goodSri ? this.sri[this.algorithm] : null
     this.optString = getOptString(this.opts?.options)
   }
@@ -159,6 +173,29 @@ class Hash {
     return this.toString()
   }
 
+  match (integrity, opts) {
+    const other = parse(integrity, opts)
+    if (!other) {
+      return false
+    }
+    if (other.isIntegrity) {
+      const algo = other.pickAlgorithm(opts, [this.algorithm])
+
+      if (!algo) {
+        return false
+      }
+
+      const foundHash = other[algo].find(hash => hash.digest === this.digest)
+
+      if (foundHash) {
+        return foundHash
+      }
+
+      return false
+    }
+    return other.digest === this.digest ? other : false
+  }
+
   toString (opts) {
     if (opts?.strict) {
       // Strict mode enforces the standard as close to the foot of the
@@ -285,8 +322,9 @@ class Integrity {
     if (!other) {
       return false
     }
-    const algo = other.pickAlgorithm(opts)
+    const algo = other.pickAlgorithm(opts, Object.keys(this))
     return (
+      !!algo &&
       this[algo] &&
       other[algo] &&
       this[algo].find(hash =>
@@ -297,12 +335,22 @@ class Integrity {
     ) || false
   }
 
-  pickAlgorithm (opts) {
+  // Pick the highest priority algorithm present, optionally also limited to a
+  // set of hashes found in another integrity.  When limiting it may return
+  // nothing.
+  pickAlgorithm (opts, hashes) {
     const pickAlgorithm = opts?.pickAlgorithm || getPrioritizedHash
-    const keys = Object.keys(this)
-    return keys.reduce((acc, algo) => {
-      return pickAlgorithm(acc, algo) || acc
+    const keys = Object.keys(this).filter(k => {
+      if (hashes?.length) {
+        return hashes.includes(k)
+      }
+      return true
     })
+    if (keys.length) {
+      return keys.reduce((acc, algo) => pickAlgorithm(acc, algo) || acc)
+    }
+    // no intersection between this and hashes,
+    return null
   }
 }
 
@@ -365,7 +413,7 @@ function fromHex (hexDigest, algorithm, opts) {
 
 module.exports.fromData = fromData
 function fromData (data, opts) {
-  const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
+  const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS]
   const optString = getOptString(opts?.options)
   return algorithms.reduce((acc, algo) => {
     const digest = crypto.createHash(algo).update(data).digest('base64')
@@ -399,7 +447,7 @@ function fromStream (stream, opts) {
       sri = s
     })
     istream.on('end', () => resolve(sri))
-    istream.on('data', () => {})
+    istream.resume()
   })
 }
 
@@ -466,7 +514,7 @@ function checkStream (stream, sri, opts) {
       verified = s
     })
     checker.on('end', () => resolve(verified))
-    checker.on('data', () => {})
+    checker.resume()
   })
 }
 
@@ -477,7 +525,7 @@ function integrityStream (opts = Object.create(null)) {
 
 module.exports.create = createIntegrity
 function createIntegrity (opts) {
-  const algorithms = opts?.algorithms || DEFAULT_ALGORITHMS
+  const algorithms = opts?.algorithms || [...DEFAULT_ALGORITHMS]
   const optString = getOptString(opts?.options)
 
   const hashes = algorithms.map(crypto.createHash)
@@ -512,7 +560,7 @@ function createIntegrity (opts) {
   }
 }
 
-const NODE_HASHES = new Set(crypto.getHashes())
+const NODE_HASHES = crypto.getHashes()
 
 // This is a Best Effort™ at a reasonable priority for hash algos
 const DEFAULT_PRIORITY = [
@@ -522,7 +570,7 @@ const DEFAULT_PRIORITY = [
   'sha3',
   'sha3-256', 'sha3-384', 'sha3-512',
   'sha3_256', 'sha3_384', 'sha3_512',
-].filter(algo => NODE_HASHES.has(algo))
+].filter(algo => NODE_HASHES.includes(algo))
 
 function getPrioritizedHash (algo1, algo2) {
   /* eslint-disable-next-line max-len */
diff --git a/node_modules/ssri/package.json b/node_modules/ssri/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ssri",
-  "version": "10.0.2",
+  "version": "10.0.3",
   "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
   "main": "lib/index.js",
   "files": [
diff --git a/package-lock.json b/package-lock.json
@@ -141,7 +141,7 @@
         "read-package-json": "^6.0.1",
         "read-package-json-fast": "^3.0.2",
         "semver": "^7.3.8",
-        "ssri": "^10.0.2",
+        "ssri": "^10.0.3",
         "tar": "^6.1.13",
         "text-table": "~0.2.0",
         "tiny-relative-date": "^1.3.0",
@@ -11440,9 +11440,9 @@
       "dev": true
     },
     "node_modules/ssri": {
-      "version": "10.0.2",
-      "resolved": "https://registry.npmjs.org/ssri/-/ssri-10.0.2.tgz",
-      "integrity": "sha512-LWMXUSh7fEfCXNBq4UnRzC4Qc5Y1PPg5ogmb+6HX837i2cKzjB133aYmQ4lgO0shVTcTQHquKp3v5bn898q3Sw==",
+      "version": "10.0.3",
+      "resolved": "https://registry.npmjs.org/ssri/-/ssri-10.0.3.tgz",
+      "integrity": "sha512-lJtX/BFPI/VEtxZmLfeh7pzisIs6micwZ3eruD3+ds9aPsXKlYpwDS2Q7omD6WC42WO9+bnUSzlMmfv8uK8meg==",
       "inBundle": true,
       "dependencies": {
         "minipass": "^4.0.0"
diff --git a/package.json b/package.json
@@ -110,7 +110,7 @@
     "read-package-json": "^6.0.1",
     "read-package-json-fast": "^3.0.2",
     "semver": "^7.3.8",
-    "ssri": "^10.0.2",
+    "ssri": "^10.0.3",
     "tar": "^6.1.13",
     "text-table": "~0.2.0",
     "tiny-relative-date": "^1.3.0",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "ssri",`
`3`		`- "version": "10.0.2",`
	`3`	`+ "version": "10.0.3",`
`4`	`4`	`"description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",`
`5`	`5`	`"main": "lib/index.js",`
`6`	`6`	`"files": [`