From db38553d05947167a280ae74d97beaabd52a8c41 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Thu, 5 Jul 2018 11:10:25 +0200
Subject: [PATCH] fix(npm): verify that received package name matches requested name
---
 lib/datasource/npm.js | 7 +++++++
 test/datasource/__snapshots__/npm.spec.js.snap | 18 +++++++++---------
 test/datasource/npm.spec.js | 2 ++
 .../repository/process/lookup/index.spec.js | 12 ++++++------
 4 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/lib/datasource/npm.js b/lib/datasource/npm.js
index 4d871d3977..bb20f7d472 100644
--- a/lib/datasource/npm.js
+++ b/lib/datasource/npm.js
@@ -147,6 +147,13 @@ async function getDependencyInner(name, retries = 5) {
 retries: 5,
 headers,
 })).body;
+ if (res.name !== name) {
+ logger.warn(
+ { lookupName: name, returnedName: res.name },
+ 'Returned name does not match with requested name'
+ );
+ return null;
+ }
 if (!res.versions || !Object.keys(res.versions).length) {
 // Registry returned a 200 OK but with no versions
 if (retries <= 0) {
diff --git a/test/datasource/__snapshots__/npm.spec.js.snap b/test/datasource/__snapshots__/npm.spec.js.snap
index aa91c3b0a2..68ed4c27fd 100644
--- a/test/datasource/__snapshots__/npm.spec.js.snap
+++ b/test/datasource/__snapshots__/npm.spec.js.snap
@@ -4,7 +4,7 @@ exports[`api/npm should fetch package info from custom registry 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -29,7 +29,7 @@ exports[`api/npm should fetch package info from npm 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -54,7 +54,7 @@ exports[`api/npm should handle no time 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
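Review bot: The new guard in getDependencyInner compares `res.name` with `name` but carries no comment saying why the check exists or what a mismatch means for the caller; a line above it such as `// Reject metadata whose name differs from the one requested: a registry or proxy answering for another package must not be trusted as this dependency` would make the intent clear to the next maintainer. As written the check also rejects a response that omits `name` entirely (`undefined !== name`), which the warning log will surface but may be worth stating in the same comment if registries that leave `name` out are expected. The log message `'Returned name does not match with requested name'` reads more naturally as `'Returned name does not match requested name'`. getDependencyInner starts and ends outside the hunk.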
@@ -77,7 +77,7 @@ exports[`api/npm should handle purl 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -102,7 +102,7 @@ exports[`api/npm should replace any environment variable in npmrc 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -135,7 +135,7 @@ Marking the latest version of an npm package as deprecated results in the entire
 "deprecationSource": "npm",
 "homepage": undefined,
 "latestVersion": "0.0.2",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -168,7 +168,7 @@ exports[`api/npm should send an authorization header if provided 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -193,7 +193,7 @@ exports[`api/npm should use NPM_TOKEN if provided 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
@@ -218,7 +218,7 @@ exports[`api/npm should use default registry if missing from npmrc 1`] = `
 Object {
 "homepage": undefined,
 "latestVersion": "0.0.1",
- "name": undefined,
+ "name": "foobar",
 "releases": Array [
 Object {
 "canBeUnpublished": false,
diff --git a/test/datasource/npm.spec.js b/test/datasource/npm.spec.js
index c53f76c469..cef89e65aa 100644
--- a/test/datasource/npm.spec.js
+++ b/test/datasource/npm.spec.js
@@ -18,6 +18,7 @@ describe('api/npm', () => {
 jest.resetAllMocks();
 npm.resetCache();
 npmResponse = {
+ name: 'foobar',
 versions: {
 '0.0.1': {
 foo: 1,
@@ -62,6 +63,7 @@ describe('api/npm', () => {
 });
 it('should return deprecated', async () => {
 const deprecatedPackage = {
+ name: 'foobar',
 versions: {
 '0.0.1': {
 foo: 1,
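Review bot: Neither npm.spec.js hunk exercises the mismatch branch this commit adds to getDependencyInner; both only add `name: 'foobar'` to the fixtures so the existing cases keep matching. A case that replies with a body whose `name` is something other than the requested `'foobar'`, and one that omits `name` altogether, each asserting a null result, would pin the new behaviour and document that a missing `name` is rejected as well. The enclosing `describe('api/npm', …)` block starts and ends outside the hunks.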
diff --git a/test/workers/repository/process/lookup/index.spec.js b/test/workers/repository/process/lookup/index.spec.js
index 395c9ecb5a..a0f1bad64f 100644
--- a/test/workers/repository/process/lookup/index.spec.js
+++ b/test/workers/repository/process/lookup/index.spec.js
@@ -652,20 +652,20 @@ describe('manager/npm/lookup', () => {
 it('should treat zero zero tilde ranges as 0.0.x', async () => {
 config.rangeStrategy = 'replace';
 config.currentValue = '~0.0.34';
- config.depName = 'helmet';
- config.purl = 'pkg:npm/helmet';
+ config.depName = '@types/helmet';
+ config.purl = 'pkg:npm/%40types/helmet';
 nock('https://registry.npmjs.org')
- .get('/helmet')
+ .get('/@types%2Fhelmet')
 .reply(200, helmetJson);
 expect((await lookup.lookupUpdates(config)).updates).toEqual([]);
 });
 it('should treat zero zero caret ranges as pinned', async () => {
 config.rangeStrategy = 'replace';
 config.currentValue = '^0.0.34';
- config.depName = 'helmet';
- config.purl = 'pkg:npm/helmet';
+ config.depName = '@types/helmet';
+ config.purl = 'pkg:npm/%40types/helmet';
 nock('https://registry.npmjs.org')
- .get('/helmet')
+ .get('/@types%2Fhelmet')
 .reply(200, helmetJson);
 expect((await lookup.lookupUpdates(config)).updates).toMatchSnapshot();
 });
-- 
GitLab