Closed yoavain closed 1 year ago
This is awesome Yoav. I'm traveling to Open Source Summit this week so a bit low on availability but will review shortly!
Base: 97.75% // Head: 95.90% // Decreases project coverage by -1.84%
:warning: Coverage data is based on head (9a14afa) compared to base (4667c3d). Patch coverage: 77.41% of modified lines in pull request are covered.
:exclamation: Current head 9a14afa differs from pull request most recent head 3357a87. Consider uploading reports for the commit 3357a87 to get more accurate results
:umbrella: View full report at Codecov.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.
Besides the comments, note the coverage miss.
@yoavain looks good. one last check before we land this, with regards to this comment:
To be more precise we're not validating the integrity itself here but rather its type, so wdyt about updating the flag and naming convention to be explicit about the type: validate-integrity-sha256?
Do you think it's better to leave this as validate-integrity rather than call out that we're strictly checking the type conforms to a good type?
I think that as you said, we're not actually testing the validity, only the type.
How about --validate-integrity-type? This sounds more generic and will allow changing the "recommended" types in the future.
I'm pretty open about this. As in, we could also keep it as is with --validate-integrity, and in the future add an actual integrity check on the data itself to validate that the signature hasn't been spoofed.
Yep, let's do that and land this. In the meanwhile, open for others to chime in on this thread or a new issue and suggest as need.
I would love to see the Motivation and Context paragraph with more information :-)
@julienw kind of based on Yoav's prior work with this package: https://github.com/yoavain/fix-lockfile-integrity
Description
Added a new validator to check that the integrity field uses a sha512 hash.
Requires a flag --validate-integrity (alias: -i) so should not be a breaking change.
Types of changes
Related Issue
Motivation and Context
How Has This Been Tested?
Wrote unit tests.
Also, tested on a real package-lock.json file that contains sha1
Screenshots (if appropriate):
Checklist:
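The check this PR describes (flag an `integrity` field whose hash algorithm is not sha512), as an added example and not lockfile-lint's own validator code. It goes a little beyond the PR text: it walks both the lockfile v1 layout (nested `dependencies`) and the v2/v3 layout (flat `packages`), and it accepts a field that lists several space-separated SRI hashes when at least one of them uses an allowed algorithm, following SRI's strongest-hash-wins semantics. The function names, the result shape, the `allowed` parameter and the sample lockfile are assumptions made for this example.

```javascript
// Added example, not lockfile-lint's own code: validate the hash algorithm of
// every "integrity" field in a package-lock.json. Names, return shape and the
// sample lockfile below are assumptions for this example.

const DEFAULT_ALLOWED = ['sha512']

// Collect [packageLabel, integrity] pairs from either lockfile layout.
function collectIntegrities (lockfile) {
  const out = []
  if (lockfile.packages) {
    // v2/v3: flat "packages" map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue
      out.push([path, entry.integrity])
    }
    return out
  }
  // v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const label = prefix ? `${prefix} > ${name}` : name
      out.push([label, entry.integrity])
      walk(entry.dependencies, label)
    }
  }
  walk(lockfile.dependencies, '')
  return out
}

// Extract the algorithm names from an SRI string such as
// "sha512-<base64>" or "sha1-<base64> sha512-<base64>".
function sriAlgorithms (integrity) {
  return integrity.trim().split(/\s+/).map(h => h.split('-', 1)[0].toLowerCase())
}

// Returns { type: 'success', errors: [] } or { type: 'error', errors: [...] }.
// A field passes when at least one of its hashes uses an allowed algorithm
// (SRI consumers pick the strongest hash they support).
function validateIntegrityType (lockfileText, allowed = DEFAULT_ALLOWED) {
  const lockfile = JSON.parse(lockfileText)
  const allowedSet = new Set(allowed.map(a => a.toLowerCase()))
  const errors = []
  for (const [pkg, integrity] of collectIntegrities(lockfile)) {
    if (typeof integrity !== 'string' || integrity.trim() === '') {
      // No integrity at all (e.g. git or file dependencies) is a separate
      // concern; this validator only judges the algorithm when one is present.
      continue
    }
    const algos = sriAlgorithms(integrity)
    if (!algos.some(a => allowedSet.has(a))) {
      errors.push({
        package: pkg,
        message: `integrity uses ${algos.join(', ')}; expected one of ${[...allowedSet].join(', ')}`
      })
    }
  }
  return errors.length === 0 ? { type: 'success', errors: [] } : { type: 'error', errors }
}

// Constructed sample lockfile (v2 layout) mixing acceptable and weak entries.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/good-pkg': { version: '1.0.0', integrity: 'sha512-' + 'A'.repeat(86) + '==' },
    'node_modules/weak-pkg': { version: '2.0.0', integrity: 'sha1-' + 'B'.repeat(27) + '=' },
    'node_modules/multi-pkg': {
      version: '3.0.0',
      integrity: 'sha1-' + 'C'.repeat(27) + '= sha512-' + 'D'.repeat(86) + '=='
    },
    // A dependency without an integrity field is skipped, not reported.
    'node_modules/git-pkg': { version: '0.1.0', resolved: 'git+ssh://git@example.invalid/org/repo.git#abc' }
  }
})

console.log(JSON.stringify(validateIntegrityType(SAMPLE_LOCKFILE), null, 2))
```

Run with `node` to see the one reported entry (`node_modules/weak-pkg`, sha1 only); passing `['sha512', 'sha1']` as the second argument models the looser "allowed types" list discussed in the thread for a `--validate-integrity-type` style flag.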