fix: capture resolvedUrl in pnpm, Yarn Classic, and Bun parsers for private registry detection#617
Merged
… private registry detection
…te registry detection
…ry detection; add all fixtures to readme
Fixes the gap introduced in #588 where private registry detection only worked for npm lockfiles.
pnpm, Yarn Classic, and Bun parsers now capture the resolved URL from their respective lockfile formats, so `isPrivateRegistrySource()` correctly fires and packages from non-npm sources show as ⚠ Unverifiable (private source) instead of ⚠ Malicious.

Parsers fixed:
- `resolution.tarball` from the packages section
- `packages:` section before processing snapshots
- `resolved` field from lockfile entry metadata (`entry[1]`)

New fixtures (all use `node-ipc@9.2.3` resolved from a fake private registry, mirroring the existing `mal-private-registry` npm fixture):
- `examples/pnpm-mal-private-registry/` (pnpm v9)
- `examples/pnpm-legacy-mal-private-registry/` (pnpm v6)
- `examples/yarn-classic-mal-private-registry/`
- `examples/bun-mal-private-registry/`

Note: Yarn Berry is out of scope — GitHub/tarball packages are currently not parsed by the Berry parser at all (separate pre-existing issue).
Reported by a Discord engineer using pnpm v9 with GitHub-hosted first-party packages.
Closes #616
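As an added illustration (not the project's code), the following pulls the resolved URL out of the three lockfile shapes the PR names (pnpm `resolution.tarball`, Yarn Classic `resolved`, Bun `entry[1]`) and classifies the source. The public-registry host list, the line-based parsing, and the fixture contents are assumptions constructed here; the project's own `isPrivateRegistrySource()` logic is not shown on this page.

```javascript
// Added example, not the project's code: extract the resolved URL from pnpm and Yarn
// Classic lockfile text and from a Bun lockfile entry, then classify the source.
// The public-host list and the field parsing below are assumptions, not the project's logic.
const PUBLIC_REGISTRY_HOSTS = new Set(["registry.npmjs.org", "registry.yarnpkg.com"]);
// Assumption: a resolved URL whose host is not a known public registry is a private source.
function isPrivateRegistrySource(resolvedUrl) {
  try { return !PUBLIC_REGISTRY_HOSTS.has(new URL(resolvedUrl).hostname); }
  catch { return false; } // empty string or not a URL: no evidence of a private source
}
// pnpm: `resolution: {..., tarball: <url>}` under a `  <name>@<version>:` key in `packages:`.
function pnpmResolvedUrls(text) {
  const out = {}; let inPackages = false, current = null;
  for (const line of text.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false;          // any other top-level key ends the section
    if (!inPackages) continue;
    const key = line.match(/^ {2}'?([^\s']+?)'?:\s*$/);
    if (key) { current = key[1]; continue; }
    const tarball = line.match(/tarball: ([^\s,}]+)/);
    if (current && tarball) out[current] = tarball[1];
  }
  return out;
}
// Yarn Classic: a top-level `<name>@<range>:` header, then `  resolved "<url>#<hash>"`.
function yarnClassicResolvedUrls(text) {
  const out = {}; let current = null;
  for (const line of text.split("\n")) {
    const header = !line.startsWith(" ") && line.match(/^"?([^\s"]+)"?(?:, .*)?:\s*$/);
    if (header) { current = header[1]; continue; }
    const resolved = line.match(/^ {2}resolved "([^"#]+)/);   // drop the #hash fragment
    if (current && resolved) out[current] = resolved[1];
  }
  return out;
}
// Bun: each `packages` entry is an array whose second element (entry[1]) is the resolved URL.
function bunResolvedUrls(lock) {
  return Object.fromEntries(Object.entries(lock.packages ?? {})
    .filter(([, e]) => Array.isArray(e) && typeof e[1] === "string").map(([n, e]) => [n, e[1]]));
}
// Constructed fixtures: node-ipc@9.2.3 resolved from a fake private registry, like the PR's fixtures.
const TARBALL = "https://npm.private.example/node-ipc/-/node-ipc-9.2.3.tgz";
const PNPM_LOCK = `lockfileVersion: '9.0'\npackages:\n  node-ipc@9.2.3:\n    resolution: {integrity: sha512-FAKE, tarball: ${TARBALL}}\nsnapshots:\n  node-ipc@9.2.3: {}\n`;
const YARN_LOCK = `# yarn lockfile v1\n\nnode-ipc@9.2.3:\n  version "9.2.3"\n  resolved "${TARBALL}#deadbeef"\n`;
const BUN_LOCK = { packages: { "node-ipc": ["node-ipc@9.2.3", TARBALL, {}, "sha512-FAKE"] } };
// Label each package the way the PR describes: unverifiable private source vs. public registry.
function classify(resolvedUrls) {
  return Object.fromEntries(Object.entries(resolvedUrls).map(([n, u]) =>
    [n, isPrivateRegistrySource(u) ? "Unverifiable (private source)" : "Public registry"]));
}
```

Without the resolved URL, all three parsers fall through to the public-registry branch, which is the mislabelling the PR fixes.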