sdc-check's People

Contributors

mbalabash

Forkers

acumenix

sdc-check's Issues

`file:` protocol in `package-lock.json` seems to not be supported

Hey! Cool project :) I tried it out and got some weird errors. Inside mdx-js/mdx:

node -v # v17.4.0
npm -v # 8.5.5
npx sdc-check -d .

Yields:

Errors: 22
[
  {
    "metric": "lockfile-is-not-safe",
    "message": "detected invalid host(s) for package: @mdx-js/esbuild@file:packages/esbuild-ebc0e1c9cb0044a8d3631c422ddb2f0182111f49\n    expected: registry.npmjs.org\n    actual: \n",
    "package": "@mdx-js/esbuild@file:packages/esbuild-ebc0e1c9cb0044a8d3631c422ddb2f0182111f49"
  },
  {
    "metric": "lockfile-is-not-safe",
    "message": "detected invalid host(s) for package: @mdx-js/loader@file:packages/loader-bd54eca448ffeb221a8b218aea8e32061618c046\n    expected: registry.npmjs.org\n    actual: \n",
    "package": "@mdx-js/loader@file:packages/loader-bd54eca448ffeb221a8b218aea8e32061618c046"
  },
  ...,
  {
    "metric": "package-is-too-new",
    "package": "@mdx-js/[email protected]",
    "message": "package release date is 2022-03-31"
  },
  {
    "metric": "package-is-too-new",
    "package": "@mdx-js/[email protected]",
    "message": "package release date is 2022-03-31"
  },

So, it seems npm workspaces, or at least local references, don’t work well?

Support pnpm as package manager

After checking the source code, I realized that only npm and yarn are supported.

I have the feeling that this is a really valuable tool for people who want to be aware of potential security issues, so it would be amazing if there was official pnpm support too.

P.S.: It would be great to have a small notice of which package managers are supported in the readme, since the error `Running sdc-checkError: There are no metrics data to create report` wasn't telling me clearly what the issue was.

root package confused with npm package

I installed and ran the tool just like you suggested and it fails every time because it cannot find the version of my app which is the root project. I tried this on both the v1 and v2 versions of my package-lock.json.
I think the problem is that myapp (I changed the name) is a private package that is not on NPM, but there is a package called myapp on NPM. sdc-check doesn't realize that the root package should not be looked up on NPM.
This is true even if I add my app to the .sdccheckignore.

npm run sdc-check 

> [email protected] sdc-check
> sdc-check -d .

⠸ Running sdc-checkERROR: Could not gather metrics
myapp: No matching version found for [email protected].
    at module.exports (/tmp/myapp/node_modules/npm-pick-manifest/lib/index.js:209:23)
    at /tmp/myapp/node_modules/pacote/lib/registry.js:126:26
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async getMetrics (file:///tmp/myapp/node_modules/sdc-check/src/metrics.js:28:37)
    at async check (file:///tmp/myapp/node_modules/sdc-check/index.js:41:17)
    at async file:///tmp/myapp/node_modules/sdc-check/src/cli.js:46:14 {
  code: 'ETARGET',
  type: 'version',
  wanted: '0.0.7',
  versions: [
    '1.1.6',  '1.1.7',  '1.1.8',  '1.1.9',  '1.1.10',
    '1.1.11', '1.1.12', '1.1.13', '1.1.14', '1.1.15',
    '1.3.4',  '1.3.5',  '1.3.7',  '1.3.8',  '1.3.9',
    '1.3.10'
  ],
  distTags: { latest: '1.3.10' },
  defaultTag: 'latest'
}
ERROR: Could not perform sdc-check audit
Error: sdc-check internal error
    at file:///tmp/myapp/node_modules/sdc-check/src/cli.js:50:13
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

🚫 sdc-check exited with error
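
The two reports above (local `file:` references flagged as an invalid host, and the root project being looked up on the registry) both come down to classifying lockfile entries before applying registry checks. The sketch below is an added example, not sdc-check's own code; it assumes the `packages` map of a `package-lock.json` with lockfileVersion 2 or 3, and `classifyEntry`, `auditLockfile`, `TRUSTED_HOSTS` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Added example: sort lockfile entries into root / local / registry /
// unresolved / untrusted before any registry-host or registry-metadata check.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']); // assumption: one allowed registry

function classifyEntry(path, entry) {
  if (path === '') return 'root';                        // the project itself: never query the registry
  if (entry.link === true) return 'local';               // workspace or file: dependency (symlink)
  if (!path.includes('node_modules/')) return 'local';   // workspace source folder, e.g. packages/foo
  const resolved = entry.resolved;
  if (typeof resolved !== 'string') return 'unresolved'; // e.g. bundled deps carry no URL
  if (resolved.startsWith('file:')) return 'local';
  let url;
  try { url = new URL(resolved); } catch { return 'untrusted'; }
  if (url.protocol !== 'https:') return 'untrusted';     // http:, git+ssh:, ... need review
  return TRUSTED_HOSTS.has(url.hostname) ? 'registry' : 'untrusted';
}

function auditLockfile(lock) {
  const report = { root: [], local: [], registry: [], unresolved: [], untrusted: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    report[classifyEntry(path, entry)].push(path || entry.name || '(root)');
  }
  return report;
}

// Constructed sample: a private root package with one workspace, one registry
// dependency and one dependency resolved from an unexpected host.
const sampleLock = {
  name: 'myapp',
  lockfileVersion: 2,
  packages: {
    '': { name: 'myapp', version: '0.0.7', workspaces: ['packages/*'] },
    'node_modules/@example/esbuild': { resolved: 'packages/esbuild', link: true },
    'packages/esbuild': { name: '@example/esbuild', version: '1.0.0' },
    'node_modules/example-lib': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/mirror-dep': {
      version: '2.0.0',
      resolved: 'https://registry.example.test/mirror-dep/-/mirror-dep-2.0.0.tgz',
    },
  },
};

console.log(auditLockfile(sampleLock));
```

Only the `registry` bucket should go on to registry metadata checks such as release age; `untrusted` and `unresolved` entries are the ones a host check should surface.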

Is this OK to use globally?

From the README, CLI seems to be supported: `sdc-check -d .`.
However, it is unclear whether it works when globally installed.
Please, could you confirm?
