NodeSecure / scanner

⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
MIT License

Sort dependencies & scripts for integrity #247

Closed fraxken closed 1 week ago

fraxken commented 3 weeks ago

Integrity hash may differ because the order of the keys in scripts and dependencies are not the same between the manifest in the tarball and the manifest in the registry.

RomainLanz commented 2 weeks ago

We had a similar issue in @boringnode/bus, so we decided to use the package object-hash to create the same hash for an object regardless of the order of the keys.

fraxken commented 1 week ago

Here are the two pieces of code that require an update:

  1. Scanner https://github.com/NodeSecure/scanner/blob/4161e61d79d011c2f9a035d087718ab59114b835/workspaces/scanner/src/npmRegistry.ts#L151-L173

  2. Tarball https://github.com/NodeSecure/scanner/blob/4161e61d79d011c2f9a035d087718ab59114b835/workspaces/tarball/src/manifest.ts#L53-L64
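The order-independent hash this thread is asking for, as an added example rather than code from the scanner repository: it reproduces the mismatch fraxken describes (same `scripts` and `dependencies`, different key order, different hash) and then hashes a canonical form in which every object's keys are sorted recursively. RomainLanz mentions the `object-hash` package for the same purpose; this example uses only `node:crypto` plus a small recursive key sort so it needs no dependency. The two manifests and the `INTEGRITY_FIELDS` list are constructed for the example and are not the scanner's actual inputs or field selection.

```typescript
import { createHash } from "node:crypto";

type Manifest = Record<string, unknown>;

// Constructed sample manifests (not from any real package): identical content,
// but the key order differs the way it can between the manifest inside the
// tarball and the manifest document served by the registry.
export const tarballManifest: Manifest = {
  name: "example-pkg",
  version: "1.0.0",
  scripts: { test: "node test.js", build: "tsc" },
  dependencies: { zod: "^3.0.0", "@nodesecure/js-x-ray": "^7.0.0" },
};

export const registryManifest: Manifest = {
  version: "1.0.0",
  name: "example-pkg",
  dependencies: { "@nodesecure/js-x-ray": "^7.0.0", zod: "^3.0.0" },
  scripts: { build: "tsc", test: "node test.js" },
};

// Deep copy with every object's keys sorted so JSON.stringify becomes canonical.
// Arrays keep their order on purpose: for a field such as "files" the order is
// part of the content and must still influence the hash.
export function sortKeysDeep(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map(sortKeysDeep);
  }
  if (value !== null && typeof value === "object") {
    const source = value as Record<string, unknown>;
    const sorted: Record<string, unknown> = {};
    for (const key of Object.keys(source).sort()) {
      sorted[key] = sortKeysDeep(source[key]);
    }
    return sorted;
  }
  return value;
}

// Fields that take part in the integrity hash (an assumption for this example).
export const INTEGRITY_FIELDS: string[] = ["name", "version", "scripts", "dependencies"];

// Order-insensitive hash: pick the fields, canonicalise, then sha256 the JSON.
export function integrityHash(manifest: Manifest, fields: string[] = INTEGRITY_FIELDS): string {
  const picked: Manifest = {};
  for (const field of fields) {
    if (field in manifest) {
      picked[field] = manifest[field];
    }
  }
  const canonical = JSON.stringify(sortKeysDeep(picked));
  return createHash("sha256").update(canonical).digest("hex");
}

// Order-sensitive hash, kept only to show the problem described in the issue.
export function naiveHash(manifest: Manifest): string {
  return createHash("sha256").update(JSON.stringify(manifest)).digest("hex");
}

// Stand-alone demo.
console.log("naive hashes equal?    ", naiveHash(tarballManifest) === naiveHash(registryManifest)); // false
console.log("integrity hashes equal?", integrityHash(tarballManifest) === integrityHash(registryManifest)); // true
```

Restricting the hash to an explicit field list also matters for the comparison: the registry manifest carries fields the tarball one never has (for example `dist` or `_id`), so hashing the whole document would still disagree even after sorting keys.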