vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 05:20:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
55ee3279819074a5fc7fa58c4a89f54050088a6b
openclaw/test/scripts/pnpm-audit-prod.test.ts
Vincent Koc 55ee327981 fix(ci): replace retired pnpm audit hook
2026-04-15 01:10:07 +01:00

184 lines
4.6 KiB
TypeScript
Raw Blame History

import { mkdtemp, rm, writeFile } from "node:fs/promises";
import { tmpdir } from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import {
collectProdResolvedPackagesFromLockfile,
createBulkAdvisoryPayload,
filterFindingsBySeverity,
parseSnapshotKey,
runPnpmAuditProd,
stripVersionDecorators,
} from "../../scripts/pre-commit/pnpm-audit-prod.mjs";
describe("pnpm-audit-prod", () => {
it("parses scoped snapshot keys with peer suffixes", () => {
expect(parseSnapshotKey("@scope/pkg@1.2.3(peer@4.5.6)")).toEqual({
packageName: "@scope/pkg",
reference: "1.2.3(peer@4.5.6)",
version: "1.2.3",
});
});
it("strips peer and patch decorators from resolved versions", () => {
expect(stripVersionDecorators("7.0.0-rc.9(patch_hash=abc123)(sharp@0.34.5)")).toBe(
"7.0.0-rc.9",
);
expect(stripVersionDecorators("1.2.3")).toBe("1.2.3");
});
it("collects the production graph from pnpm lockfile snapshots", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
pkg-a:
version: 1.0.0
devDependencies:
dev-only:
version: 9.9.9
extensions/demo:
dependencies:
'@scope/pkg':
version: 2.0.0(peer@4.0.0)
workspace-lib:
version: link:../../packages/workspace-lib
snapshots:
pkg-a@1.0.0:
dependencies:
transitive: 3.0.0(patch_hash=abc123)
transitive@3.0.0(patch_hash=abc123): {}
'@scope/pkg@2.0.0(peer@4.0.0)':
optionalDependencies:
opt-dep: 4.0.0
opt-dep@4.0.0: {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@scope/pkg": ["2.0.0"],
"opt-dep": ["4.0.0"],
"pkg-a": ["1.0.0"],
transitive: ["3.0.0"],
});
});
it("resolves npm alias snapshots to the real package name", () => {
const lockfile = `lockfileVersion: '9.0'
importers:
.:
dependencies:
request:
version: npm:@cypress/request@3.0.10
snapshots:
'@cypress/request@3.0.10': {}
`;
const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
expect(payload).toEqual({
"@cypress/request": ["3.0.10"],
});
});
it("filters advisory findings by minimum severity", () => {
const findings = filterFindingsBySeverity(
{
axios: [
{
id: "GHSA-low",
severity: "moderate",
title: "moderate issue",
},
{
id: "GHSA-high",
severity: "high",
title: "high issue",
url: "https://github.com/advisories/GHSA-high",
},
],
},
"high",
);
expect(findings).toEqual([
{
id: "GHSA-high",
packageName: "axios",
severity: "high",
title: "high issue",
url: "https://github.com/advisories/GHSA-high",
vulnerableVersions: null,
},
]);
});
it("returns a failing exit code when bulk advisories include high severity findings", async () => {
const tempDir = await mkdtemp(path.join(tmpdir(), "openclaw-audit-prod-"));
await writeFile(
path.join(tempDir, "pnpm-lock.yaml"),
`lockfileVersion: '9.0'
importers:
.:
dependencies:
axios:
version: 1.0.0
snapshots:
axios@1.0.0: {}
`,
"utf8",
);
try {
const stdoutChunks: string[] = [];
const stderrChunks: string[] = [];
const exitCode = await runPnpmAuditProd({
rootDir: tempDir,
fetchImpl: async () =>
new Response(
JSON.stringify({
axios: [
{
id: "GHSA-test",
severity: "high",
title: "test issue",
vulnerable_versions: "<=1.0.0",
url: "https://github.com/advisories/GHSA-test",
},
],
}),
{
status: 200,
headers: {
"content-type": "application/json",
},
},
),
stdout: {
write(chunk: string) {
stdoutChunks.push(chunk);
return true;
},
} as NodeJS.WriteStream,
stderr: {
write(chunk: string) {
stderrChunks.push(chunk);
return true;
},
} as NodeJS.WriteStream,
});
expect(exitCode).toBe(1);
expect(stdoutChunks).toEqual([]);
expect(stderrChunks.join("")).toContain("Found 1 high or higher advisories");
} finally {
await rm(tempDir, { recursive: true, force: true });
}
});
});
Reference in New Issue View Git Blame Copy Permalink