Extra check for incompatible options
XhmikosR opened this issue · 6 comments
XhmikosR commented
Is your feature request related to a problem? Please describe.
> nodejs.org@ test:lint:lockfile C:\Users\xmr\Desktop\nodejs.org
> lockfile-lint --allowed-hosts npm github.com --allowed-schemes "https:" "git+https:" --empty-hostname false --validate-https --type npm --path package-lock.json
detected invalid protocol for package: metalsmith-permalinks@git+https://github.com/segmentio/metalsmith-permalinks.git#432843d5823a292b2e47397ba46fd761d03eb9d3
expected: https:
actual: git+https:
error: command failed with exit code 1
Describe the solution you'd like
Since the above works without the validate-https flag, maybe there should be some checks in place for potentially incompatible options.
lirantal commented
@XhmikosR totally agree and have been on my mind as well.
It should also be straightforward to do with yargs configuration options. You can detect if both are being used and then fail, or better yet, in my opinion schemes should override https.
Would you like to submit a PR for this?
XhmikosR commented
Sorry, I don't have a lot of free time to tackle this. I just wanted to make an issue to track this. :)
On Thu, Feb 6, 2020, 21:53 Liran Tal wrote:
> @XhmikosR totally agree and have been on my mind as well.
> It should also be straightforward to do with yargs configuration options. You can detect if both are being used and then fail, or better yet, in my opinion schemes should override https.
> Would you like to submit a PR for this?
lirantal commented
No worries at all, I'll shoot in a PR for that soon enough and ping you then
lirantal commented
@XhmikosR how does this look:
$ lockfile-lint --path package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes https: github: --empty-hostname false --validate-https
Arguments o and validate-https are mutually exclusive
Usage: lockfile-lint --path <path-to-lockfile> --allowed-hosts yarn npm
Options:
--version Show version number [boolean]
--help, -h Show help [boolean]
-p, --path path to the lockfile [string] [required]
-t, --type lockfile type, options are "npm" or "yarn" [string]
-s, --validate-https validates the use of HTTPS as protocol schema for all
resources [boolean]
-e, --empty-hostname allows empty hostnames, or set to false if you wish for
a stricter policy [boolean] [default: true]
-a, --allowed-hosts validates a whitelist of allowed hosts to be used for
resources in the lockfile [array]
-o, --allowed-schemes validates a whitelist of allowed schemes to be used for
resources in the lockfile [array]
Examples:
lockfile-lint --path yarn.lock --validate-https
lockfile-lint --path yarn.lock --validate-https --allowed-hosts npm yarn verdaccio
lockfile-lint --path yarn.lock --allowed-schemes "https:" "git+ssh:" --allowed-hosts npm yarn verdaccio
curated by Liran Tal at https://github.com/lirantal/lockfile-lint
Arguments o and validate-https are mutually exclusive
lirantal commented
Great. Merging away