lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
781 stars, 35 forks

Does .lockfile-lint.js config work? #192

Closed jerone closed 7 months ago

jerone commented 7 months ago

The documentation states that it's possible to define a config with one of the following filenames: .lockfile-lint.js or lockfilelint.config.js. Per convention, it should return a JavaScript object.

However, it seems to not work. When running lockfile-lint with one of the examples below, it errors with the following message:

Missing required argument: path

I've tried the following config:

const config = {
  allowedHosts: ["npm"],
  path: "package-lock.json",
  type: "npm",
  validateHttps: true,
  validatePackageNames: true,
};
export default config;

or

const config = {
  allowedHosts: ["npm"],
  path: "package-lock.json",
  type: "npm",
  validateHttps: true,
  validatePackageNames: true,
};
module.exports = config;

When I try a JSON config (e.g. .lockfile-lintrc) it just works.

It also appears there is no @types for the config. Not in the package or as a separate npm package. There is an @types/lockfile-lint-api package, but it's only for the API, not the config. I would like to use the types in the JavaScript configs:

/** @type {import("lockfile-lint").Config} */
const config = {
  allowedHosts: ["npm"],
  path: "package-lock.json",
  type: "npm",
  validateHttps: true,
  validatePackageNames: true,
};
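
As an added example, not code from this issue or from lockfile-lint itself: a minimal re-implementation of what the three options in the config above (allowedHosts, validateHttps, validatePackageNames) enforce over a package-lock.json, run against a constructed lockfile. The host aliases, the lockfileVersion 3 "packages" shape and the registry tarball path layout are assumptions about npm, not taken from the page.

```javascript
// Added example (not lockfile-lint's own code): what allowedHosts,
// validateHttps and validatePackageNames check over a package-lock.json.
// Host aliases and the lockfile shape are assumptions about npm (lockfileVersion 3).
const HOST_ALIASES = { npm: "registry.npmjs.org", yarn: "registry.yarnpkg.com" };

// Constructed package-lock.json with one clean entry and three bad ones.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/lodash": { resolved: "http://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/debug": { resolved: "https://evil.example.com/debug/-/debug-4.3.4.tgz" },
    "node_modules/chalk": { resolved: "https://registry.npmjs.org/colour/-/colour-5.0.0.tgz" },
  },
};

// Same shape as the JS config from the issue.
const SAMPLE_CONFIG = {
  allowedHosts: ["npm"],
  path: "package-lock.json",
  type: "npm",
  validateHttps: true,
  validatePackageNames: true,
};

// Returns a list of findings; an empty list means the lockfile passes.
function lintLockfile(lockfile, config) {
  const allowed = new Set((config.allowedHosts || []).map((h) => HOST_ALIASES[h] || h));
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "" || !entry.resolved) continue; // root project or entry without a tarball
    // Package name is everything after the last "node_modules/" (keeps "@scope/name").
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    let url;
    try { url = new URL(entry.resolved); } catch { findings.push(`${name}: unparseable resolved URL`); continue; }
    if (config.validateHttps && url.protocol !== "https:") findings.push(`${name}: insecure protocol ${url.protocol}`);
    if (allowed.size > 0 && !allowed.has(url.hostname)) findings.push(`${name}: host ${url.hostname} not allowed`);
    if (config.validatePackageNames) {
      // Registry tarball paths look like /<name>/-/<file>.tgz; <name> must match the lockfile key.
      const m = url.pathname.match(/^\/(@[^/]+\/[^/]+|[^/]+)\/-\//);
      if (!m || m[1] !== name) findings.push(`${name}: resolved URL is for ${m ? m[1] : "an unknown package"}`);
    }
  }
  return findings;
}

console.log(lintLockfile(SAMPLE_LOCKFILE, SAMPLE_CONFIG).join("\n"));
```
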

lirantal commented 7 months ago

About the config file loader: we're using cosmiconfig in the project, and it appears that some naming conventions work and others don't for some reason, but I didn't check why.

Works:

If you wanted to update the README for the project with this information and examples, I'm happy to merge the PR so it is more helpful to other users in the future.

As for the types - if you want to contribute that in a PR as well, I'm happy to land it.

jerone commented 7 months ago

I fixed my issue; it was a small error in the documentation. See #193.

Would you mind updating to the latest release of cosmiconfig (https://github.com/cosmiconfig/cosmiconfig/releases/tag/v9.0.0)? It has support for the .config folder. Or provide a CLI option to use a custom config location.

lirantal commented 7 months ago

Ahh yes! Good catch.

I'll also shoot out a new release for the cosmiconfig dependency in a bit.

jerone commented 4 months ago

> I'll also shoot out a new release for the cosmiconfig dependency in a bit.

@lirantal I noticed that cosmiconfig is still pinned to version 8 and not yet updated to v9: https://github.com/lirantal/lockfile-lint/blob/5278050700971f18a59114c362bc234836d24f14/packages/lockfile-lint/package.json#L55

lirantal commented 3 months ago

Sorry for the delay, @jerone. New version now published with cosmiconfig@9: https://github.com/lirantal/lockfile-lint/releases/tag/lockfile-lint%404.14.0

Let me know if there are still any pending issues.