lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
785 stars 35 forks

Getting detected invalid host(s) for file: dependencies #24

Closed mbogh closed 4 years ago

mbogh commented 4 years ago

Expected Behavior

I have a package.json and therefore also a package-lock.json which contains a reference to a package on the file system using file:. But it complains about the invalid hosts.

Current Behavior

package.json

{
  "dependencies": {
    "some-package": "file:./some-package-2.0.0.tgz"
  }
}

package-lock.json

{
  "dependencies": {
    "some-package": {
      "version": "file:some-package-2.0.0.tgz",
      "integrity": "sha512-...."
    }
  }
}
npx lockfile-lint --path package-lock.json --allowed-hosts npm --allowed-schemes "https:" "file:"
npx: installed 31 in 3.219s
detected invalid host(s) for package: some-package@file:some-package-2.0.0.tgz
    expected: registry.npmjs.org
    actual: 

error: command failed with exit code 1 

Possible Solution

Maybe ignore host when using a file: scheme?

Steps to Reproduce (for bugs)

  1. Create package.json with file reference
  2. Install
  3. Run lockfile-lint

Your Environment

lirantal commented 4 years ago

@mbogh I released a new version a couple of hours ago that mitigates this issue, try again:

npx lockfile-lint --path package-lock.json --allowed-hosts npm --allowed-schemes "https:" "file:"

Why does the new version work? I am now ignoring empty hostnames in resources instead of treating them as something invalid, which is what you get when you use local files or GitHub-related imports.

I'll close the issue since this is now fixed but if it's still not working for you let me know please and we'll figure it out.

mbogh commented 4 years ago

Thank you so very much 🎉

lirantal commented 4 years ago

Sure thing. Thanks for chiming in with the issue and a descriptive problem detail :)