lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
781 stars 35 forks

Example 3 from Readme does not work #89

Closed jennifer-shehane closed 4 years ago

jennifer-shehane commented 4 years ago

Expected Behavior

Run examples given in Readme.

Current Behavior

Running example #3 from readme does not work, refers to CLI info. https://github.com/lirantal/lockfile-lint/tree/master/packages/lockfile-lint#example

 lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https --allowed-schemes "https:" "git+https:"
Usage: lockfile-lint --path <path-to-lockfile> --allowed-hosts yarn npm

Options:
  --version              Show version number                           [boolean]
  --help, -h             Show help                                     [boolean]
  -p, --path             path to the lockfile                [string] [required]
  -t, --type             lockfile type, options are "npm" or "yarn"     [string]
  -s, --validate-https   validates the use of HTTPS as protocol schema for all
                         resources                                     [boolean]
  -e, --empty-hostname   allows empty hostnames, or set to false if you wish for
                         a stricter policy             [boolean] [default: true]
  -a, --allowed-hosts    validates a whitelist of allowed hosts to be used for
                         resources in the lockfile                       [array]
  -o, --allowed-schemes  validates a whitelist of allowed schemes to be used for
                         resources in the lockfile                       [array]
  -u, --allowed-urls     validates a whitelist of allowed URLs to be used for
                         resources in the lockfile                       [array]

Examples:
  lockfile-lint --path yarn.lock --validate-https
  lockfile-lint --path yarn.lock --validate-https --allowed-hosts npm yarn
  verdaccio
  lockfile-lint --path yarn.lock --allowed-schemes "https:" "git+ssh:"
  --allowed-hosts npm yarn verdaccio

curated by Liran Tal at https://github.com/lirantal/lockfile-lint

Arguments o and validate-https are mutually exclusive

Steps to Reproduce (for bugs)

  1. lockfile-lint --path yarn.lock --allowed-hosts yarn github.com --validate-https --allowed-schemes "https:" "git+https:"

Context

Was just playing around with the CLI to see if we can integrate.

Your Environment

juanpicado commented 4 years ago

@lirantal is the issue only in the README? like remove --validate-https?

As far as I can read in the code, both arguments cannot be used together. In the case of + :) I'd love to PR.

lirantal commented 4 years ago

Thanks @jennifer-shehane, good catch!

@juanpicado yep, the issue is the README on the lockfile-lint/ package. Validating https and using allowed-schemes are indeed mutually exclusive, so we need to update that example. I'd be honored for a PR ❤️🤗
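The overlap behind the error in this thread, as an added JavaScript example that is not lockfile-lint's own code: a small checker for the `resolved` URLs in a yarn.lock that applies a host allowlist and a scheme allowlist, and treats `--validate-https` as the one-item scheme allowlist `["https:"]`, which is why combining it with `--allowed-schemes` is rejected. The yarn.lock fragment, the package names and hosts in it, and the alias table mapping `yarn`/`npm` to registry hostnames are all constructed for this example (the real CLI's alias mapping is not shown on this page).

```javascript
// Added example, not lockfile-lint's own code: a minimal yarn.lock checker that
// mirrors the --allowed-hosts / --allowed-schemes / --validate-https policies.

// Constructed yarn.lock fragment for the demo (names, versions and hosts are
// made up and not taken from any real project).
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"

"some-fork@git+https://github.com/example/some-fork.git":
  version "0.0.1"
  resolved "git+https://github.com/example/some-fork.git#abcdef0"

evil-pkg@^1.0.0:
  version "1.0.0"
  resolved "https://evil.example.net/evil-pkg-1.0.0.tgz"
`;

// Assumed alias table for the shorthand host names used in the CLI help
// ("yarn", "npm"); the real mapping is not shown in this issue.
const HOST_ALIASES = {
  npm: 'registry.npmjs.org',
  yarn: 'registry.yarnpkg.com',
};

// Walk the lockfile line by line: an unindented `spec:` line opens an entry and
// the indented `resolved "<url>"` line inside it is what gets validated.
function parseResolved(lockText) {
  const entries = [];
  let currentName = null;
  for (const rawLine of lockText.split('\n')) {
    if (rawLine.length > 0 && !/^\s/.test(rawLine) && !rawLine.startsWith('#') && rawLine.endsWith(':')) {
      // Drop the trailing ':', keep the first spec only, strip quotes, then cut
      // the version/range after the last '@' to get the package name.
      const spec = rawLine.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      const at = spec.lastIndexOf('@');
      currentName = at > 0 ? spec.slice(0, at) : spec;
      continue;
    }
    const m = /^\s+resolved\s+"([^"]+)"/.exec(rawLine);
    if (m && currentName !== null) {
      entries.push({ name: currentName, url: m[1] });
    }
  }
  return entries;
}

// Turn CLI-style options into one policy. Rejects the same combination the
// page reports ("Arguments o and validate-https are mutually exclusive").
function buildPolicy({ allowedHosts = [], allowedSchemes = null, validateHttps = false } = {}) {
  if (validateHttps && allowedSchemes !== null) {
    throw new Error('Arguments allowed-schemes and validate-https are mutually exclusive');
  }
  return {
    // --validate-https is the special case of an "https:"-only scheme allowlist.
    schemes: validateHttps ? ['https:'] : allowedSchemes,
    hosts: allowedHosts.map((h) => HOST_ALIASES[h] || h),
  };
}

// Returns one finding per violated rule (a package can produce two findings).
function lintYarnLock(lockText, options) {
  const policy = buildPolicy(options);
  const findings = [];
  for (const { name, url } of parseResolved(lockText)) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch (err) {
      findings.push({ name, url, reason: 'resolved URL is not parseable' });
      continue;
    }
    if (policy.schemes !== null && !policy.schemes.includes(parsed.protocol)) {
      findings.push({ name, url, reason: `scheme ${parsed.protocol} is not in the allowlist` });
    }
    if (policy.hosts.length > 0 && !policy.hosts.includes(parsed.hostname)) {
      findings.push({ name, url, reason: `host ${parsed.hostname} is not in the allowlist` });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // The corrected README example: yarn and github.com hosts, https and git+https schemes.
  const findings = lintYarnLock(SAMPLE_YARN_LOCK, {
    allowedHosts: ['yarn', 'github.com'],
    allowedSchemes: ['https:', 'git+https:'],
  });
  for (const f of findings) console.log(`${f.name}: ${f.reason} (${f.url})`);
}
```

Run against the sample with the corrected README policy, the checker flags `left-pad` twice (plain `http:` scheme and an npm registry host that is not in the allowlist) and `evil-pkg` once (unexpected host), while the git dependency on github.com passes. Passing `validateHttps: true` together with `allowedSchemes` throws before any lockfile is read.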