Diffstat (limited to 'deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js')
-rw-r--r--deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js94
1 files changed, 61 insertions, 33 deletions
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index d0900e3732..5b58ef6370 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -22,8 +22,9 @@ class Advisory {
this[_source] = source
this[_options] = options
this.name = name
- if (!source.name)
+ if (!source.name) {
source.name = name
+ }
this.dependency = source.name
@@ -70,11 +71,13 @@ class Advisory {
// load up the data from a cache entry and a fetched packument
load (cached, packument) {
// basic data integrity gutcheck
- if (!cached || typeof cached !== 'object')
+ if (!cached || typeof cached !== 'object') {
throw new TypeError('invalid cached data, expected object')
+ }
- if (!packument || typeof packument !== 'object')
+ if (!packument || typeof packument !== 'object') {
throw new TypeError('invalid packument data, expected object')
+ }
if (cached.id && cached.id !== this.id) {
throw Object.assign(new Error('loading from incorrect cache entry'), {
@@ -88,14 +91,16 @@ class Advisory {
actual: packument.name,
})
}
- if (this[_packument])
+ if (this[_packument]) {
throw new Error('advisory object already loaded')
+ }
// if we have a range from the initialization, and the cached
// data has a *different* range, then we know we have to recalc.
// just don't use the cached data, so we will definitely not match later
- if (!this.range || cached.range && cached.range === this.range)
+ if (!this.range || cached.range && cached.range === this.range) {
Object.assign(this, cached)
+ }
this[_packument] = packument
@@ -107,8 +112,9 @@ class Advisory {
if (!this.versions.includes(v)) {
versionsAdded.push(v)
this.versions.push(v)
- } else if (!pakuVersions.includes(v))
+ } else if (!pakuVersions.includes(v)) {
versionsRemoved.push(v)
+ }
}
// strip out any removed versions from our lists, and sort by semver
@@ -138,14 +144,16 @@ class Advisory {
this[_updated] = true
// test any versions newly added
- if (!unchanged || versionsAdded.length)
+ if (!unchanged || versionsAdded.length) {
this[_testVersions](unchanged ? versionsAdded : this.versions)
+ }
this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt)
// metavulns have to calculate their range, since cache is invalidated
// advisories just get their range from the advisory above
- if (this.type === 'metavuln')
+ if (this.type === 'metavuln') {
this[_calculateRange]()
+ }
return this
}
@@ -170,10 +178,11 @@ class Advisory {
}
break
}
- if (vr.length > 1)
+ if (vr.length > 1) {
vr[1] = this.versions[v]
- else
+ } else {
vr.push(this.versions[v])
+ }
v++
vulnVer++
}
@@ -198,26 +207,30 @@ class Advisory {
// we use the dependency version from the manifest.
testVersion (version, spec = null) {
const sv = String(version)
- if (this[_versionVulnMemo].has(sv))
+ if (this[_versionVulnMemo].has(sv)) {
return this[_versionVulnMemo].get(sv)
+ }
const result = this[_testVersion](version, spec)
- if (result)
+ if (result) {
this[_markVulnerable](version)
+ }
this[_versionVulnMemo].set(sv, !!result)
return result
}
[_markVulnerable] (version) {
const sv = String(version)
- if (!this.vulnerableVersions.includes(sv))
+ if (!this.vulnerableVersions.includes(sv)) {
this.vulnerableVersions.push(sv)
+ }
}
[_testVersion] (version, spec) {
const sv = String(version)
- if (this.vulnerableVersions.includes(sv))
+ if (this.vulnerableVersions.includes(sv)) {
return true
+ }
if (this.type === 'advisory') {
// advisory, just test range
@@ -233,12 +246,14 @@ class Advisory {
},
}
- if (!spec)
+ if (!spec) {
spec = getDepSpec(mani, this.dependency)
+ }
// no dep, no vuln
- if (spec === null)
+ if (spec === null) {
return false
+ }
if (!semver.validRange(spec, semverOpt)) {
// not a semver range, nothing we can hope to do about it
@@ -252,8 +267,9 @@ class Advisory {
// try to pick a version of the dep that isn't vulnerable
const avoid = this[_source].range
- if (bundled)
+ if (bundled) {
return semver.intersects(spec, avoid, semverOpt)
+ }
return this[_source].testSpec(spec)
}
@@ -263,8 +279,9 @@ class Advisory {
// consistent across multiple versions, so memoize this as well, in case
// we're testing lots of versions.
const memo = this[_specVulnMemo]
- if (memo.has(spec))
+ if (memo.has(spec)) {
return memo.get(spec)
+ }
const res = this[_testSpec](spec)
memo.set(spec, res)
@@ -274,10 +291,12 @@ class Advisory {
[_testSpec] (spec) {
for (const v of this.versions) {
const satisfies = semver.satisfies(v, spec)
- if (!satisfies)
+ if (!satisfies) {
continue
- if (!this.testVersion(v))
+ }
+ if (!this.testVersion(v)) {
return false
+ }
}
// either vulnerable, or not installable because nothing satisfied
// either way, best avoided.
@@ -285,8 +304,9 @@ class Advisory {
}
[_testVersions] (versions) {
- if (!versions.length)
+ if (!versions.length) {
return
+ }
// set of lists of versions
const versionSets = new Set()
@@ -328,30 +348,34 @@ class Advisory {
// version in the list, then start there instead.
let h = 0
const origHeadVuln = this.testVersion(list[h])
- while (h < list.length && /-/.test(String(list[h])))
+ while (h < list.length && /-/.test(String(list[h]))) {
h++
+ }
// don't filter out the whole list! they might all be pr's
- if (h === list.length)
+ if (h === list.length) {
h = 0
- else if (origHeadVuln) {
+ } else if (origHeadVuln) {
// if the original was vulnerable, assume so are all of these
- for (let hh = 0; hh < h; hh++)
+ for (let hh = 0; hh < h; hh++) {
this[_markVulnerable](list[hh])
+ }
}
let t = list.length - 1
const origTailVuln = this.testVersion(list[t])
- while (t > h && /-/.test(String(list[t])))
+ while (t > h && /-/.test(String(list[t]))) {
t--
+ }
// don't filter out the whole list! might all be pr's
- if (t === h)
+ if (t === h) {
t = list.length - 1
- else if (origTailVuln) {
+ } else if (origTailVuln) {
// if original tail was vulnerable, assume these are as well
- for (let tt = list.length - 1; tt > t; tt--)
+ for (let tt = list.length - 1; tt > t; tt--) {
this[_markVulnerable](list[tt])
+ }
}
const headVuln = h === 0 ? origHeadVuln
@@ -362,14 +386,16 @@ class Advisory {
// if head and tail both vulnerable, whole list is thrown out
if (headVuln && tailVuln) {
- for (let v = h; v < t; v++)
+ for (let v = h; v < t; v++) {
this[_markVulnerable](list[v])
+ }
continue
}
// if length is 2 or 1, then we marked them all already
- if (t < h + 2)
+ if (t < h + 2) {
continue
+ }
const mid = Math.floor(list.length / 2)
const pre = list.slice(0, mid)
@@ -382,8 +408,9 @@ class Advisory {
const midVuln = this.testVersion(pre[pre.length - 1])
while (/-/.test(String(pre[pre.length - 1]))) {
const v = pre.pop()
- if (midVuln)
+ if (midVuln) {
this[_markVulnerable](v)
+ }
}
}
@@ -391,8 +418,9 @@ class Advisory {
const midVuln = this.testVersion(post[0])
while (/-/.test(String(post[0]))) {
const v = post.shift()
- if (midVuln)
+ if (midVuln) {
this[_markVulnerable](v)
+ }
}
}