lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
785 stars 35 forks

feat(schema): support protocol schema and refactor host validators #12

Closed lirantal closed 5 years ago

lirantal commented 5 years ago

Description

Types of changes

Related Issue

Addresses issues brought up in #11

Motivation and Context

#11 brought up an interesting idea in terms of supporting protocols

Checklist:

lirantal commented 5 years ago

cc @nottoseethesun you might want to take a look

nottoseethesun commented 5 years ago

I can't try this out, because there's no way to run the program.

If I try to install locally, I get Error: Cannot find module 'lockfile-lint-api'. There's no link in node_modules/.bin, and so I have to go into the actual package.

If I try to install globally or use npx, which I prefer to not do, then I get -bash: lockfile-lint: command not found or lockfile-lint: command not found.

nottoseethesun commented 5 years ago

Otherwise, lgtm, with the caveat that hopefully a few of the rest of the URI components could be supported soon, so that if a user wants to allow an npm package from github.com, they can limit it much more than all of github. The most frequent use of git+ssh or git+https would occur though with intranet git installations, so in that case, a hostname of github.foo.bar would suffice, which appears to be supported here.
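What a protocol-plus-host allowlist on lockfile "resolved" URLs catches, and what the finer path-level restriction asked for above would add, as an added example that is not lockfile-lint's own code; the lockfile contents and the pathPrefixes rule are constructed for illustration.

```javascript
// Constructed package-lock.json fragment: one registry tarball, one
// intranet git dependency, and one git dependency from an arbitrary
// github.com organization.
const lockfile = {
  dependencies: {
    debug: { resolved: 'https://registry.npmjs.org/debug/-/debug-4.1.1.tgz' },
    'internal-lib': { resolved: 'git+ssh://git@github.foo.bar/team/internal-lib.git#abc123' },
    'some-fork': { resolved: 'git+https://github.com/other-org/some-fork.git#deadbeef' },
  },
};

// Hypothetical policy: protocols and hosts are plain allowlists (what the
// PR adds); pathPrefixes narrows a host to specific repository paths.
const policy = {
  allowedProtocols: ['https:', 'git+ssh:', 'git+https:'],
  allowedHosts: ['registry.npmjs.org', 'github.foo.bar', 'github.com'],
  pathPrefixes: { 'github.com': ['/trusted-org/'] },
};

// Returns one error string per violating dependency; an empty array means
// every resolved URL satisfies the policy. scp-style git URLs without a
// scheme do not parse as URLs and are reported rather than silently passed.
function validateLockfile(lock, pol) {
  const errors = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    if (!entry.resolved) continue; // bundled/local entries carry no URL
    let url;
    try {
      url = new URL(entry.resolved);
    } catch (e) {
      errors.push(`${name}: unparsable resolved URL ${entry.resolved}`);
      continue;
    }
    if (!pol.allowedProtocols.includes(url.protocol)) {
      errors.push(`${name}: protocol ${url.protocol} not allowed`);
    }
    if (!pol.allowedHosts.includes(url.hostname)) {
      errors.push(`${name}: host ${url.hostname} not allowed`);
    }
    const prefixes = pol.pathPrefixes && pol.pathPrefixes[url.hostname];
    if (prefixes && !prefixes.some((p) => url.pathname.startsWith(p))) {
      errors.push(`${name}: path ${url.pathname} not under an allowed prefix for ${url.hostname}`);
    }
  }
  return errors;
}
```

With pathPrefixes removed the third entry passes, because github.com as a whole is allowed; that is the gap the comment describes.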

lirantal commented 5 years ago

@nottoseethesun yes, a bit tricky to get this tested on a local install with monorepo setup. Hopefully will have time later on to explain this out in the docs.

Thanks, appreciate the input!