fix: don't throw on invalid semver versions #43
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 tasks
|
Looks like the tests weren't even using the same semver options. This patch aligns the two and adds a "bad" semver value to one of the packument fixtures. diff --git a/test/advisory.js b/test/advisory.js
index 2da8412..f8a3b2b 100644
--- a/test/advisory.js
+++ b/test/advisory.js
@@ -5,7 +5,7 @@ const Advisory = require('../lib/advisory.js')
const advisories = require('./fixtures/advisories/index.js')
const packuments = require('./fixtures/packuments/index.js')
const semver = require('semver')
-const so = { includePrerelease: true }
+const so = { includePrerelease: true, loose: true }
t.test('create vulns from advisory', t => {
const v = new Advisory('semver', advisories.semver)
@@ -32,9 +32,9 @@ t.test('create vulns from advisory', t => {
name: 'semver',
title: 'Regular Expression Denial of Service',
severity: 'moderate',
- versions: semver.sort(Object.keys(packuments.semver.versions)),
+ versions: semver.sort(Object.keys(packuments.semver.versions), so),
vulnerableVersions: semver.sort(Object.keys(packuments.semver.versions).filter(vulnerable =>
- semver.satisfies(vulnerable, '<4.3.2', so))),
+ semver.satisfies(vulnerable, '<4.3.2', so)), so),
url: 'https://npmjs.com/advisories/31',
range: '<4.3.2',
id: 'jETG9IyfV60PqVhvt3BAecPdQKL2CvXOXr1GeFeSsTkGn8YHi+dU93h8zcjK/xptcxeaYeUBBKmD83eafSecwA==',
@@ -55,9 +55,9 @@ t.test('create vulns from advisory', t => {
name: 'semver',
title: 'Regular Expression Denial of Service',
severity: 'moderate',
- versions: semver.sort(Object.keys(packuments.semver.versions)),
+ versions: semver.sort(Object.keys(packuments.semver.versions), so),
vulnerableVersions: semver.sort(Object.keys(packuments.semver.versions).filter(vulnerable =>
- semver.satisfies(vulnerable, '<4.3.2', so))),
+ semver.satisfies(vulnerable, '<4.3.2', so)), so),
url: 'https://npmjs.com/advisories/31',
range: '<4.3.2',
id: 'jETG9IyfV60PqVhvt3BAecPdQKL2CvXOXr1GeFeSsTkGn8YHi+dU93h8zcjK/xptcxeaYeUBBKmD83eafSecwA==',
@@ -89,7 +89,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of semver',
url: null,
severity: 'moderate',
- versions: semver.sort(Object.keys(packuments.pacote.versions)),
+ versions: semver.sort(Object.keys(packuments.pacote.versions), so),
vulnerableVersions: [],
range: '<0.0.0-0',
id: 'gJzFN5q57zHrhqiRn+lNQXirLlMUtC+8bFqEBGqE3XW/5VC880QTk2o/iRXUfJPT+jhc90QD+d9QIADI68nYlg==',
@@ -107,7 +107,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of semver',
url: null,
severity: 'moderate',
- versions: semver.sort(Object.keys(packuments.pacote.versions)),
+ versions: semver.sort(Object.keys(packuments.pacote.versions), so),
vulnerableVersions: [],
range: '<0.0.0-0',
id: 'gJzFN5q57zHrhqiRn+lNQXirLlMUtC+8bFqEBGqE3XW/5VC880QTk2o/iRXUfJPT+jhc90QD+d9QIADI68nYlg==',
@@ -124,7 +124,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of semver',
url: null,
severity: 'moderate',
- versions: semver.sort(Object.keys(packuments.pacote.versions)),
+ versions: semver.sort(Object.keys(packuments.pacote.versions), so),
vulnerableVersions: [],
range: '<0.0.0-0',
id: 'gJzFN5q57zHrhqiRn+lNQXirLlMUtC+8bFqEBGqE3XW/5VC880QTk2o/iRXUfJPT+jhc90QD+d9QIADI68nYlg==',
@@ -143,7 +143,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of minimist',
url: null,
severity: 'low',
- versions: semver.sort(Object.keys(packuments.mkdirp.versions)),
+ versions: semver.sort(Object.keys(packuments.mkdirp.versions), so),
vulnerableVersions: ['0.4.1', '0.4.2', '0.5.0', '0.5.1'],
range: '0.4.1 - 0.5.1',
id: 'dOqvv9Jcyhu8PueSJZB+eZ0G/JI7mVomMmOBSku5SA7OScjvKmHq9jcLVFKmH1wsW2LcZATEOArlMxt/fa5LmA==',
@@ -169,7 +169,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of minimist',
url: null,
severity: 'low',
- versions: semver.sort(Object.keys(packuments.mkdirp.versions)),
+ versions: semver.sort(Object.keys(packuments.mkdirp.versions), so),
vulnerableVersions: ['0.4.1', '0.4.2', '0.5.0', '0.5.1', '99.99.99'],
range: '0.4.1 - 0.5.1 || >=99.99.99',
id: 'dOqvv9Jcyhu8PueSJZB+eZ0G/JI7mVomMmOBSku5SA7OScjvKmHq9jcLVFKmH1wsW2LcZATEOArlMxt/fa5LmA==',
@@ -192,7 +192,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of minimist',
url: null,
severity: 'low',
- versions: semver.sort(Object.keys(packuments.mkdirp.versions)),
+ versions: semver.sort(Object.keys(packuments.mkdirp.versions), so),
vulnerableVersions: ['0.4.1', '0.4.2', '0.5.0-bundler', '0.5.0', '0.5.1', '99.99.99'],
range: '0.4.1 - 0.5.1 || >=99.99.99',
id: 'dOqvv9Jcyhu8PueSJZB+eZ0G/JI7mVomMmOBSku5SA7OScjvKmHq9jcLVFKmH1wsW2LcZATEOArlMxt/fa5LmA==',
@@ -220,7 +220,7 @@ t.test('create vulns from advisory', t => {
title: 'Depends on vulnerable versions of minimist',
url: null,
severity: 'low',
- versions: semver.sort(Object.keys(packuments.mkdirp.versions)),
+ versions: semver.sort(Object.keys(packuments.mkdirp.versions), so),
vulnerableVersions: ['0.4.1', '0.4.2', '0.5.0', '0.5.1'],
range: '0.4.1 - 0.5.1',
id: 'dOqvv9Jcyhu8PueSJZB+eZ0G/JI7mVomMmOBSku5SA7OScjvKmHq9jcLVFKmH1wsW2LcZATEOArlMxt/fa5LmA==',
diff --git a/test/fixtures/packuments/pacote.json b/test/fixtures/packuments/pacote.json
index f06e7dd..29ed0aa 100644
--- a/test/fixtures/packuments/pacote.json
+++ b/test/fixtures/packuments/pacote.json
@@ -5,7 +5,7 @@
"v9-legacy": "9.5.12"
},
"versions": {
- "0.0.0": {
+ "0.0.0pre92": {
"name": "pacote",
"version": "0.0.0",
"dist": { |
wraithgar
changed the title
Co-authored-by: Gar <gar+gh@danger.computer>
|
@wraithgar I amended the commit with your patch, thanks for your help. |
wraithgar
approved these changes
Jun 29, 2022
|
I'm gonna see if it's not too late to land this in today's cli release, otherwise we have to wait till July 13 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a first step to fix npm/cli#5017
Since npm 8.x,
npm auditcrashes on packageyuiwith the following error:After some digging, it turns out that some calls to
semver.sort()miss thesemverOpt(espacially theloose: trueoption) parameter in@npmcli/metavuln-calculator/lib/advisory.js.I am not familiar neither with this package nor with its testing tools, so I was not able to write a test for this.