fix: correct --integrity-exclude package name matching logic (#190)

Update the matching logic for --integrity-exclude to check the exluded package name against the package identifier used internally. Update the corresponding test suite with more realistic mocking data. Add an extra test case to ensure package names aren't matched partially.
lirantal · Feb 11, 2024 · b374b79 · b374b79
1 parent 9c03af3
commit b374b79
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 9 deletions.
diff --git a/packages/lockfile-lint-api/__tests__/validators.integrityHashType.test.js b/packages/lockfile-lint-api/__tests__/validators.integrityHashType.test.js
@@ -28,7 +28,7 @@ describe('Validator: Integrity', () => {
 
   it('validator should fail if not allowed hash type is used for a resource', () => {
     const mockedPackages = {
-      bolt11: {
+      'bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676': {
         integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
       }
     }
@@ -39,20 +39,20 @@ describe('Validator: Integrity', () => {
       errors: [
         {
           message:
-            'detected invalid integrity hash type for package: bolt11\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
-          package: 'bolt11'
+            'detected invalid integrity hash type for package: bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
+          package: 'bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676'
         }
       ]
     })
   })
 
   it('validator should succeed if all resources are from an allowed hash type', () => {
     const mockedPackages = {
-      '@types/node': {
+      '@types/node@20.11.17-14733ac8d7ad65e47f20fc8c2b20bd58ef37c9f5': {
         integrity:
           'sha512-CK2fnrQlIgKlCV3N2kM+Gznb5USlwA1KFX3rJVHmgVk6NJxFPuQ86pAcvKnu37IA4BGlSRz7sEE1lHL1aLZ/eQ=='
       },
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity:
           'sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig=='
       }
@@ -67,11 +67,11 @@ describe('Validator: Integrity', () => {
 
   it('validator should not fail even if one of the packages has no `integrity` field', () => {
     const mockedPackages = {
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity:
           'sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig=='
       },
-      meow: {}
+      'meow@13.0.0-0478ab49a1d0b9808d0ea088db43c980a15dfc4b': {}
     }
     const validator = new ValidateIntegrity({packages: mockedPackages})
 
@@ -83,7 +83,7 @@ describe('Validator: Integrity', () => {
 
   it('validator should not fail if an excluded package has an invalid integrity hash type', () => {
     const mockedPackages = {
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
       }
     }
@@ -98,6 +98,29 @@ describe('Validator: Integrity', () => {
     })
   })
 
+  it('validator should not match excluded package by partial name', () => {
+    const mockedPackages = {
+      'common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa': {
+        integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
+      }
+    }
+    const options = {
+      integrityExclude: ['common-prefix']
+    }
+
+    const validator = new ValidateIntegrity({packages: mockedPackages})
+    expect(validator.validate(options)).toEqual({
+      type: 'error',
+      errors: [
+        {
+          message:
+            'detected invalid integrity hash type for package: common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
+          package: 'common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa'
+        }
+      ]
+    })
+  })
+
   it('validator should return true for a single package with a valid URL', () => {
     const mockedPackages = {
       typescript: {

diff --git a/packages/lockfile-lint-api/src/validators/ValidateIntegrity.js b/packages/lockfile-lint-api/src/validators/ValidateIntegrity.js
@@ -29,7 +29,7 @@ module.exports = class ValidateIntegrity {
         continue
       }
 
-      if (excludedPackages.includes(packageName)) {
+      if (excludedPackages.find(name => packageName.startsWith(`${name}@`))) {
         continue
       }