lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
781 stars, 35 forks

Extra check for incompatible options #63

Closed XhmikosR closed 4 years ago

XhmikosR commented 4 years ago

Is your feature request related to a problem? Please describe.

https://github.com/lirantal/lockfile-lint/issues/23#issuecomment-569302102

> nodejs.org@ test:lint:lockfile C:\Users\xmr\Desktop\nodejs.org
> lockfile-lint --allowed-hosts npm github.com --allowed-schemes "https:" "git+https:" --empty-hostname false --validate-https --type npm --path package-lock.json

detected invalid protocol for package: metalsmith-permalinks@git+https://github.com/segmentio/metalsmith-permalinks.git#432843d5823a292b2e47397ba46fd761d03eb9d3
    expected: https:
    actual: git+https:

error: command failed with exit code 1

Describe the solution you'd like

Since the above works without the validate-https flag, maybe there should be some checks in place for potentially incompatible options.

lirantal commented 4 years ago

@XhmikosR totally agree, and it has been on my mind as well. It should also be straightforward to do with yargs configuration options. You can detect if both are being used and then fail, or better yet, in my opinion, schemes should override https.

Would you like to submit a PR for this?
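The following is an added example, not lockfile-lint's own code, written to make the conflict concrete. It models the two validators as plain functions over a constructed list of `resolved` URLs (the registry URL is constructed; the `git+https:` one is the package from the report), reproduces the failure when both flags are enabled, and then shows the two remedies proposed above: refusing the combination up front (the behaviour yargs' `.conflicts()` provides) or letting `--allowed-schemes` override `--validate-https`. Function names such as `lintIndependently` and `lintWithSchemesOverride` are assumptions for illustration; no yargs is used so the snippet runs on a bare Node install.

```javascript
// Added example (not lockfile-lint's code). --validate-https accepts only "https:",
// while --allowed-schemes is a whitelist that may legitimately contain "git+https:".
// If both checks run independently, the stricter one rejects a URL the whitelist allows.

// Constructed sample of "resolved" URLs as they appear in a package-lock.json
const SAMPLE_RESOLVED = [
  'https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz',
  'git+https://github.com/segmentio/metalsmith-permalinks.git#432843d5823a292b2e47397ba46fd761d03eb9d3',
];

// --validate-https: the only acceptable scheme is "https:"
function validateHttps(resolved) {
  const { protocol } = new URL(resolved);
  if (protocol === 'https:') return null;
  return { resolved, expected: 'https:', actual: protocol };
}

// --allowed-schemes: any scheme on the whitelist is acceptable
function validateAllowedSchemes(resolved, allowedSchemes) {
  const { protocol } = new URL(resolved);
  if (allowedSchemes.includes(protocol)) return null;
  return { resolved, expected: allowedSchemes.join(' '), actual: protocol };
}

function hasSchemes(argv) {
  return Array.isArray(argv.allowedSchemes) && argv.allowedSchemes.length > 0;
}

// Behaviour that produced the report: each enabled validator runs on its own, so
// "git+https:" passes the whitelist but still fails the HTTPS-only check.
function lintIndependently(resolvedList, argv) {
  const errors = [];
  for (const resolved of resolvedList) {
    if (argv.validateHttps) {
      const err = validateHttps(resolved);
      if (err) errors.push(err);
    }
    if (hasSchemes(argv)) {
      const err = validateAllowedSchemes(resolved, argv.allowedSchemes);
      if (err) errors.push(err);
    }
  }
  return errors;
}

// Remedy 1: treat the flags as mutually exclusive and fail before linting, which is
// what yargs' .conflicts('validate-https', 'allowed-schemes') does at parse time.
function lintWithConflictCheck(resolvedList, argv) {
  if (argv.validateHttps && hasSchemes(argv)) {
    throw new Error('Arguments validate-https and allowed-schemes are mutually exclusive');
  }
  return lintIndependently(resolvedList, argv);
}

// Remedy 2: an explicit scheme whitelist overrides the blanket HTTPS policy.
function lintWithSchemesOverride(resolvedList, argv) {
  const effective = hasSchemes(argv) ? { allowedSchemes: argv.allowedSchemes } : argv;
  return lintIndependently(resolvedList, effective);
}

// Render errors in the same shape as the CLI output quoted in the report.
function formatErrors(errors) {
  return errors.map(
    (e) => `detected invalid protocol for package: ${e.resolved}\n    expected: ${e.expected}\n    actual: ${e.actual}`
  );
}

// Usage: the flag combination from the report
const reportArgv = { validateHttps: true, allowedSchemes: ['https:', 'git+https:'] };
console.log(formatErrors(lintIndependently(SAMPLE_RESOLVED, reportArgv)).join('\n'));
```

Which remedy is safer depends on intent: the conflict check surfaces a contradictory configuration loudly, whereas the override silently relaxes `--validate-https` whenever a whitelist is present, so a user who adds `"git+ssh:"` to the whitelist has widened the accepted transports without any warning.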

XhmikosR commented 4 years ago

Sorry, I don't have a lot of free time to tackle this. I just wanted to make an issue to track this. :)


lirantal commented 4 years ago

No worries at all, I'll shoot in a PR for that soon enough and ping you then ❤️

lirantal commented 4 years ago

@XhmikosR how does this look:

$ lockfile-lint --path package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes https: github: --empty-hostname false --validate-https
Arguments o and validate-https are mutually exclusive

Usage: lockfile-lint --path <path-to-lockfile> --allowed-hosts yarn npm

Options:
  --version              Show version number                           [boolean]
  --help, -h             Show help                                     [boolean]
  -p, --path             path to the lockfile                [string] [required]
  -t, --type             lockfile type, options are "npm" or "yarn"     [string]
  -s, --validate-https   validates the use of HTTPS as protocol schema for all
                         resources                                     [boolean]
  -e, --empty-hostname   allows empty hostnames, or set to false if you wish for
                         a stricter policy             [boolean] [default: true]
  -a, --allowed-hosts    validates a whitelist of allowed hosts to be used for
                         resources in the lockfile                       [array]
  -o, --allowed-schemes  validates a whitelist of allowed schemes to be used for
                         resources in the lockfile                       [array]

Examples:
  lockfile-lint --path yarn.lock --validate-https
  lockfile-lint --path yarn.lock --validate-https --allowed-hosts npm yarn
  verdaccio
  lockfile-lint --path yarn.lock --allowed-schemes "https:" "git+ssh:"
  --allowed-hosts npm yarn verdaccio

curated by Liran Tal at https://github.com/lirantal/lockfile-lint

Arguments o and validate-https are mutually exclusive

XhmikosR commented 4 years ago

@lirantal yup, that works!

lirantal commented 4 years ago

Great. Merging away 🎉