vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 06:40:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): make pnpm audit hook dependency-free

Browse Source
This commit is contained in:
Gustavo Madeira Santana
2026-04-14 21:10:58 -04:00
parent e49be93f2c
commit da43277cc9
2 changed files with 367 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

384
scripts/pre-commit/pnpm-audit-prod.mjs
View File

@@ -4,7 +4,6 @@ import { readFile } from "node:fs/promises";
import path from "node:path";
import process from "node:process";
import { pathToFileURL } from "node:url";
import YAML from "yaml";
const DEFAULT_REGISTRY = "https://registry.npmjs.org";
const BULK_ADVISORY_PATH = "/-/npm/v1/security/advisories/bulk";
@@ -16,6 +15,11 @@ const SEVERITY_RANK = {
high: 3,
critical: 4,
};
const TOP_LEVEL_INDENT = 0;
const SECTION_ENTRY_INDENT = 2;
const NESTED_SECTION_INDENT = 4;
const MAPPING_ENTRY_INDENT = 6;
const NESTED_MAPPING_ENTRY_INDENT = 8;
const SNAPSHOT_SECTIONS = ["dependencies", "optionalDependencies"];
const IMPORTER_SECTIONS = ["dependencies", "optionalDependencies"];
const LOCAL_REFERENCE_PREFIXES = ["file:", "link:", "portal:", "workspace:"];
@@ -67,20 +71,345 @@ export function parseSnapshotKey(snapshotKey) {
};
}
function readResolvedReference(entry) {
if (typeof entry === "string") {
return entry;
}
if (entry && typeof entry === "object" && typeof entry.version === "string") {
return entry.version;
}
return null;
}
function isLocalReference(reference) {
return LOCAL_REFERENCE_PREFIXES.some((prefix) => reference.startsWith(prefix));
}
function countIndentation(line) {
let indentation = 0;
while (indentation < line.length && line[indentation] === " ") {
indentation += 1;
}
return indentation;
}
function isIgnorableYamlLine(trimmed) {
return !trimmed || trimmed.startsWith("#");
}
function unquoteYamlString(value) {
if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
return value.slice(1, -1).replaceAll("''", "'");
}
if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
return value.slice(1, -1).replaceAll('\\"', '"');
}
return value;
}
function parseYamlScalar(value) {
return unquoteYamlString(value.trim());
}
function splitInlineYamlMapEntries(text) {
const entries = [];
let current = "";
let quote = null;
let depth = 0;
for (const character of text) {
if (quote) {
current += character;
if (character === quote) {
quote = null;
}
continue;
}
if (character === "'" || character === '"') {
quote = character;
current += character;
continue;
}
if (character === "{" || character === "[" || character === "(") {
depth += 1;
current += character;
continue;
}
if (character === "}" || character === "]" || character === ")") {
depth = Math.max(0, depth - 1);
current += character;
continue;
}
if (character === "," && depth === 0) {
const entry = current.trim();
if (entry) {
entries.push(entry);
}
current = "";
continue;
}
current += character;
}
const entry = current.trim();
if (entry) {
entries.push(entry);
}
return entries;
}
function parseInlineYamlMap(rawValue) {
const trimmed = rawValue.trim();
if (!trimmed.startsWith("{") || !trimmed.endsWith("}")) {
return null;
}
const body = trimmed.slice(1, -1).trim();
if (!body) {
return {};
}
const result = {};
for (const entry of splitInlineYamlMapEntries(body)) {
const mapping = parseYamlMappingLine(entry);
if (!mapping?.value) {
continue;
}
result[mapping.key] = parseYamlScalar(mapping.value);
}
return result;
}
function parseYamlMappingLine(line) {
const separatorIndex = line.indexOf(":");
if (separatorIndex === -1) {
return null;
}
return {
key: parseYamlScalar(line.slice(0, separatorIndex)),
value: line.slice(separatorIndex + 1).trim(),
};
}
function isNamedYamlSection(trimmed, sectionNames) {
return sectionNames.some((sectionName) => trimmed === `${sectionName}:`);
}
function readNestedVersionValue(lines, startIndex, parentIndent) {
let index = startIndex;
let version = null;
while (index < lines.length) {
const nestedLine = lines[index];
const nestedTrimmed = nestedLine.trim();
const nestedIndentation = countIndentation(nestedLine);
if (isIgnorableYamlLine(nestedTrimmed)) {
index += 1;
continue;
}
if (nestedIndentation <= parentIndent) {
break;
}
if (nestedIndentation === NESTED_MAPPING_ENTRY_INDENT) {
const nestedEntry = parseYamlMappingLine(nestedTrimmed);
if (nestedEntry?.key === "version") {
version = parseYamlScalar(nestedEntry.value);
}
}
index += 1;
}
return { nextIndex: index, version };
}
function collectIndentedStringMap(lines, startIndex, entryIndent) {
const entries = {};
let index = startIndex;
while (index < lines.length) {
const line = lines[index];
const trimmed = line.trim();
const indentation = countIndentation(line);
if (isIgnorableYamlLine(trimmed)) {
index += 1;
continue;
}
if (indentation < entryIndent) {
break;
}
if (indentation !== entryIndent) {
index += 1;
continue;
}
const entry = parseYamlMappingLine(trimmed);
if (entry?.value) {
entries[entry.key] = parseYamlScalar(entry.value);
}
index += 1;
}
return { entries, nextIndex: index };
}
function collectImporterDependencyReferences(lines, startIndex) {
const references = [];
let index = startIndex;
while (index < lines.length) {
const line = lines[index];
const trimmed = line.trim();
const indentation = countIndentation(line);
if (isIgnorableYamlLine(trimmed)) {
index += 1;
continue;
}
if (indentation < MAPPING_ENTRY_INDENT) {
break;
}
if (indentation > MAPPING_ENTRY_INDENT) {
index += 1;
continue;
}
const entry = parseYamlMappingLine(trimmed);
index += 1;
if (!entry) {
continue;
}
if (entry.value) {
const inlineMap = parseInlineYamlMap(entry.value);
if (inlineMap && typeof inlineMap.version === "string") {
references.push({ dependencyName: entry.key, reference: inlineMap.version });
continue;
}
references.push({ dependencyName: entry.key, reference: parseYamlScalar(entry.value) });
continue;
}
const nestedVersion = readNestedVersionValue(lines, index, MAPPING_ENTRY_INDENT);
index = nestedVersion.nextIndex;
if (nestedVersion.version) {
references.push({ dependencyName: entry.key, reference: nestedVersion.version });
}
}
return {
nextIndex: index,
references,
};
}
function collectSnapshotDependencies(lines, startIndex) {
const result = collectIndentedStringMap(lines, startIndex, MAPPING_ENTRY_INDENT);
return { dependencies: result.entries, nextIndex: result.nextIndex };
}
function parsePnpmLockfileSections(lockfileText) {
// Keep this parser dependency-free: security-fast runs this hook without pnpm install.
// It only needs the small pnpm-lock subset used to collect production snapshots.
const importers = [];
const snapshots = {};
const lines = lockfileText.split(/\r?\n/u);
let currentTopLevelSection = null;
let hasImportersSection = false;
let hasSnapshotsSection = false;
for (let index = 0; index < lines.length; ) {
const line = lines[index];
const trimmed = line.trim();
const indentation = countIndentation(line);
if (isIgnorableYamlLine(trimmed)) {
index += 1;
continue;
}
if (indentation === TOP_LEVEL_INDENT && trimmed.endsWith(":")) {
currentTopLevelSection = parseYamlScalar(trimmed.slice(0, -1));
if (currentTopLevelSection === "importers") {
hasImportersSection = true;
}
if (currentTopLevelSection === "snapshots") {
hasSnapshotsSection = true;
}
index += 1;
continue;
}
if (
currentTopLevelSection === "importers" &&
indentation === SECTION_ENTRY_INDENT &&
trimmed.endsWith(":")
) {
index += 1;
while (index < lines.length) {
const nestedLine = lines[index];
const nestedTrimmed = nestedLine.trim();
const nestedIndentation = countIndentation(nestedLine);
if (isIgnorableYamlLine(nestedTrimmed)) {
index += 1;
continue;
}
if (nestedIndentation <= SECTION_ENTRY_INDENT) {
break;
}
if (
nestedIndentation === NESTED_SECTION_INDENT &&
isNamedYamlSection(nestedTrimmed, IMPORTER_SECTIONS)
) {
const result = collectImporterDependencyReferences(lines, index + 1);
importers.push(...result.references);
index = result.nextIndex;
continue;
}
index += 1;
}
continue;
}
if (currentTopLevelSection === "snapshots" && indentation === SECTION_ENTRY_INDENT) {
const snapshotEntry = parseYamlMappingLine(trimmed);
if (!snapshotEntry) {
index += 1;
continue;
}
if (snapshotEntry.value) {
snapshots[snapshotEntry.key] = {};
index += 1;
continue;
}
const snapshotKey = snapshotEntry.key;
const snapshot = {};
index += 1;
while (index < lines.length) {
const nestedLine = lines[index];
const nestedTrimmed = nestedLine.trim();
const nestedIndentation = countIndentation(nestedLine);
if (isIgnorableYamlLine(nestedTrimmed)) {
index += 1;
continue;
}
if (nestedIndentation <= SECTION_ENTRY_INDENT) {
break;
}
if (
nestedIndentation === NESTED_SECTION_INDENT &&
isNamedYamlSection(nestedTrimmed, SNAPSHOT_SECTIONS)
) {
const result = collectSnapshotDependencies(lines, index + 1);
snapshot[nestedTrimmed.slice(0, -1)] = result.dependencies;
index = result.nextIndex;
continue;
}
index += 1;
}
snapshots[snapshotKey] = snapshot;
continue;
}
index += 1;
}
return { hasImportersSection, hasSnapshotsSection, importers, snapshots };
}
function resolveSnapshot({ dependencyName, reference, snapshots }) {
if (isLocalReference(reference)) {
return null;
@@ -117,38 +446,17 @@ function resolveSnapshot({ dependencyName, reference, snapshots }) {
}
export function collectProdResolvedPackagesFromLockfile(lockfileText) {
const lockfile = YAML.parse(lockfileText);
const importers = lockfile?.importers;
const snapshots = lockfile?.snapshots;
if (!importers || typeof importers !== "object") {
const lockfile = parsePnpmLockfileSections(lockfileText);
if (!lockfile.hasImportersSection) {
throw new Error("pnpm-lock.yaml is missing the importers section.");
}
if (!snapshots || typeof snapshots !== "object") {
if (!lockfile.hasSnapshotsSection) {
throw new Error("pnpm-lock.yaml is missing the snapshots section.");
}
const versionsByPackage = new Map();
const seenSnapshots = new Set();
const queue = [];
for (const importer of Object.values(importers)) {
if (!importer || typeof importer !== "object") {
continue;
}
for (const sectionName of IMPORTER_SECTIONS) {
const dependencies = importer[sectionName];
if (!dependencies || typeof dependencies !== "object") {
continue;
}
for (const [dependencyName, entry] of Object.entries(dependencies)) {
const reference = readResolvedReference(entry);
if (!reference) {
continue;
}
queue.push({ dependencyName, reference });
}
}
}
const queue = [...lockfile.importers];
while (queue.length > 0) {
const next = queue.pop();
@@ -158,7 +466,7 @@ export function collectProdResolvedPackagesFromLockfile(lockfileText) {
const resolved = resolveSnapshot({
dependencyName: next.dependencyName,
reference: next.reference,
snapshots,
snapshots: lockfile.snapshots,
});
if (!resolved) {
continue;
@@ -176,7 +484,7 @@ export function collectProdResolvedPackagesFromLockfile(lockfileText) {
}
seenSnapshots.add(resolved.snapshotKey);
const snapshot = snapshots[resolved.snapshotKey];
const snapshot = lockfile.snapshots[resolved.snapshotKey];
if (!snapshot || typeof snapshot !== "object") {
continue;
}

21
test/scripts/pnpm-audit-prod.test.ts
View File

@@ -84,6 +84,27 @@ snapshots:
});
});
it("reads inline importer dependency maps without repo dependencies", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
axios: {specifier: ^1.0.0, version: 1.0.0}
'@scope/pkg': {'version': '2.0.0(peer@4.0.0)'}
snapshots:
axios@1.0.0: {}
'@scope/pkg@2.0.0(peer@4.0.0)': {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@scope/pkg": ["2.0.0"],
axios: ["1.0.0"],
});
});
it("filters advisory findings by minimum severity", () => {
const findings = filterFindingsBySeverity(
{