lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
785 stars 35 forks

Support multiple paths and/or glob patterns in the CLI #47

Closed JamesSingleton closed 3 years ago

JamesSingleton commented 4 years ago

Is your feature request related to a problem? Please describe.

Sort of: if you are trying to use the CLI in a lerna repo, it doesn't support glob patterns like `lockfile-lint -p packages/*/package-lock.json -t npm -a npm -o https: -c -i`.

Describe the solution you'd like

Either support multiple paths or glob patterns.

Describe alternatives you've considered

Writing a script to manually loop over all the packages.

Would you entertain a PR that would accomplish this?

tunnckoCore commented 4 years ago

Doesn't Lerna support a single lockfile at the root (when used only with npm)? Lerna with Yarn workspaces creates a single lockfile. Sorry, I'm just not using npm since the first days of Yarn.

Pnpm also supports a single root lockfile in monorepos. Not sure if lockfile-lint supports Pnpm?

Francois-Esquire commented 4 years ago

@tunnckoCore I believe lerna behaves differently between yarn and npm:

https://stackoverflow.com/questions/52181762/are-there-any-advantages-to-using-lerna-with-yarn-workspaces/52279466#52279466

https://github.com/yarnpkg/yarn/issues/5428

As some of these links suggest, having one package-lock.json or yarn.lock in a monorepo is not necessarily production-ready per package; if each was containerized without a lock file, differing versions resolved in your node_modules could break your package.
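The workaround the request mentions (a script that loops over the packages) combined with the per-package concern raised just above, as an added example that is neither lockfile-lint's own code nor anything the thread participants posted. It assumes a lerna-style layout with one directory per package under `packages/`, that the lockfile-lint executable is reachable as `$LINT_CMD` (default `lockfile-lint`), and it reuses the lint options from the command in the original request verbatim. A package directory without a `package-lock.json` or `yarn.lock` is treated as a failure, so a package that would be containerized without a lockfile is caught rather than silently skipped.

```shell
#!/bin/sh
# Added example, not lockfile-lint's own code. Lints every per-package lockfile
# in a monorepo by calling the lockfile-lint CLI once per package.
# Assumptions: package directories live under the directory passed as $1
# (default "packages"); LINT_CMD names the lockfile-lint executable.
# usage: . ./lint-all.sh && lint_all packages

LINT_CMD="${LINT_CMD:-lockfile-lint}"

# lint_all <packages-dir>
# Returns 0 only if every package has a lockfile and every lockfile passes.
# A package with neither package-lock.json nor yarn.lock counts as a failure:
# built on its own, it would resolve dependency versions at install time.
lint_all() {
  dir="${1:-packages}"
  failed=0
  seen=0
  for pkg in "$dir"/*/; do
    # With no matching directories the glob stays literal, so skip that case
    # instead of handing a nonexistent path to the linter.
    [ -d "$pkg" ] || continue
    pkg="${pkg%/}"
    seen=$((seen + 1))
    if [ -f "$pkg/package-lock.json" ]; then
      type=npm
      lockfile="$pkg/package-lock.json"
    elif [ -f "$pkg/yarn.lock" ]; then
      type=yarn
      lockfile="$pkg/yarn.lock"
    else
      echo "missing lockfile: $pkg" >&2
      failed=$((failed + 1))
      continue
    fi
    # Same options as the command in the original request (npm host only,
    # https scheme only, plus -c and -i as given there).
    if ! "$LINT_CMD" -p "$lockfile" -t "$type" -a npm -o https: -c -i; then
      echo "lint failed: $lockfile" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$seen" -eq 0 ]; then
    echo "no packages found under $dir" >&2
    return 1
  fi
  echo "$((seen - failed))/$seen packages passed" >&2
  [ "$failed" -eq 0 ]
}
```

Because the loop keeps going after a failure and only reports at the end, one run shows every offending package instead of stopping at the first; the non-zero exit status is what a CI job should key on.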

tunnckoCore commented 4 years ago

Got it. Thanks for the linked discussions :)

lirantal commented 4 years ago

@tunnckoCore no support for pnpm but it shouldn't be hard to add if you wanted to give it a stab

@JamesSingleton if you wanted to provide a glob pattern I'd happily merge it.

tunnckoCore commented 4 years ago

@lirantal I looked in the source and it seems easy to add.

We could probably use @pnpm/lockfile-file, but I don't see an exposed API for "parsing" there; there are only methods that accept the path to the lockfile. Here, we need the final "parsed" content of the file. /cc @zkochan

And yet, I'm not sure that lockfile-lint-api/src/ParseLockfile.js is the only place where changes are needed.

Sorry, I won't pollute this thread any more. Opened https://github.com/lirantal/lockfile-lint/issues/48