vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 06:50:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
openclaw/test/scripts/pnpm-audit-prod.test.ts
Gustavo Madeira Santana 4c52731051 fix(ci): parse quoted pnpm snapshot keys
2026-04-14 21:15:43 -04:00

234 lines
6.0 KiB
TypeScript
Raw Permalink Blame History

import { mkdtemp, rm, writeFile } from "node:fs/promises";
import { tmpdir } from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import {
collectProdResolvedPackagesFromLockfile,
createBulkAdvisoryPayload,
filterFindingsBySeverity,
parseSnapshotKey,
runPnpmAuditProd,
stripVersionDecorators,
} from "../../scripts/pre-commit/pnpm-audit-prod.mjs";
describe("pnpm-audit-prod", () => {
it("parses scoped snapshot keys with peer suffixes", () => {
expect(parseSnapshotKey("@scope/pkg@1.2.3(peer@4.5.6)")).toEqual({
packageName: "@scope/pkg",
reference: "1.2.3(peer@4.5.6)",
version: "1.2.3",
});
});
it("strips peer and patch decorators from resolved versions", () => {
expect(stripVersionDecorators("7.0.0-rc.9(patch_hash=abc123)(sharp@0.34.5)")).toBe(
"7.0.0-rc.9",
);
expect(stripVersionDecorators("1.2.3")).toBe("1.2.3");
});
it("collects the production graph from pnpm lockfile snapshots", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
pkg-a:
version: 1.0.0
devDependencies:
dev-only:
version: 9.9.9
extensions/demo:
dependencies:
'@scope/pkg':
version: 2.0.0(peer@4.0.0)
workspace-lib:
version: link:../../packages/workspace-lib
snapshots:
pkg-a@1.0.0:
dependencies:
transitive: 3.0.0(patch_hash=abc123)
transitive@3.0.0(patch_hash=abc123): {}
'@scope/pkg@2.0.0(peer@4.0.0)':
optionalDependencies:
opt-dep: 4.0.0
opt-dep@4.0.0: {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@scope/pkg": ["2.0.0"],
"opt-dep": ["4.0.0"],
"pkg-a": ["1.0.0"],
transitive: ["3.0.0"],
});
});
it("resolves npm alias snapshots to the real package name", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
request:
version: npm:@cypress/request@3.0.10
snapshots:
'@cypress/request@3.0.10': {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@cypress/request": ["3.0.10"],
});
});
it("reads inline importer dependency maps without repo dependencies", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
axios: {specifier: ^1.0.0, version: 1.0.0}
'@scope/pkg': {'version': '2.0.0(peer@4.0.0)'}
snapshots:
axios@1.0.0: {}
'@scope/pkg@2.0.0(peer@4.0.0)': {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@scope/pkg": ["2.0.0"],
axios: ["1.0.0"],
});
});
it("resolves quoted snapshot keys that contain tarball URLs", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
wrapper:
version: 1.0.0
snapshots:
wrapper@1.0.0:
dependencies:
libsignal: '@whiskeysockets/libsignal-node@https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123'
'@whiskeysockets/libsignal-node@https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123':
dependencies:
curve25519-js: 0.0.4
curve25519-js@0.0.4: {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@whiskeysockets/libsignal-node": [
"https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123",
],
"curve25519-js": ["0.0.4"],
wrapper: ["1.0.0"],
});
});
it("filters advisory findings by minimum severity", () => {
const findings = filterFindingsBySeverity(
{
axios: [
{
id: "GHSA-low",
severity: "moderate",
title: "moderate issue",
},
{
id: "GHSA-high",
severity: "high",
title: "high issue",
url: "https://github.com/advisories/GHSA-high",
},
],
},
"high",
);
expect(findings).toEqual([
{
id: "GHSA-high",
packageName: "axios",
severity: "high",
title: "high issue",
url: "https://github.com/advisories/GHSA-high",
vulnerableVersions: null,
},
]);
});
it("returns a failing exit code when bulk advisories include high severity findings", async () => {
const tempDir = await mkdtemp(path.join(tmpdir(), "openclaw-audit-prod-"));
await writeFile(
path.join(tempDir, "pnpm-lock.yaml"),
`lockfileVersion: '9.0'
importers:
.:
dependencies:
axios:
version: 1.0.0
snapshots:
axios@1.0.0: {}
`,
"utf8",
);
try {
const stdoutChunks: string[] = [];
const stderrChunks: string[] = [];
const exitCode = await runPnpmAuditProd({
rootDir: tempDir,
fetchImpl: async () =>
new Response(
JSON.stringify({
axios: [
{
id: "GHSA-test",
severity: "high",
title: "test issue",
vulnerable_versions: "<=1.0.0",
url: "https://github.com/advisories/GHSA-test",
},
],
}),
{
status: 200,
headers: {
"content-type": "application/json",
},
},
),
stdout: {
write(chunk: string) {
stdoutChunks.push(chunk);
return true;
},
} as NodeJS.WriteStream,
stderr: {
write(chunk: string) {
stderrChunks.push(chunk);
return true;
},
} as NodeJS.WriteStream,
});
expect(exitCode).toBe(1);
expect(stdoutChunks).toEqual([]);
expect(stderrChunks.join("")).toContain("Found 1 high or higher advisories");
} finally {
await rm(tempDir, { recursive: true, force: true });
}
});
});
Reference in New Issue View Git Blame Copy Permalink