Merge pull request #251 from NodeSecure/update-docs-deps

Update documentation and dependencies

.github/workflows/codeql.yml

@@ -41,16 +41,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/nodejs.yml

@@ -18,13 +18,13 @@ jobs:
       fail-fast: false
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
@@ -34,4 +34,4 @@ jobs:
       - name: Run tests
         run: npm run coverage
       - name: Send coverage report to Codecov
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        uses: codecov/codecov-action@428cda1b1c731be3e8bfa389049c3f276d572ffb # v4.0.0-beta.3

.github/workflows/scorecards.yml

@@ -32,17 +32,17 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: "Checkout code"
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -64,14 +64,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: results.sarif

.github/workflows/vis-network.yml

@@ -22,13 +22,13 @@ jobs:
       fail-fast: false
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies

README.md

@@ -77,7 +77,8 @@ Then the **nsecure** binary will be available in your terminal. Give a try with
 $ nsecure auto express
 ```
 
-> ⚠️ Setup an [npm token](https://github.com/NodeSecure/cli#private-packages--registry) to avoid hiting the maximum request limit of the npm registry API.
+> [!TIP]
+> Setup an [npm token](https://github.com/NodeSecure/cli#private-packages--registry) to avoid hiting the maximum request limit of the npm registry API.
 
 ## 👀 Usage example
 
@@ -198,15 +199,17 @@ If you have already cloned and installed the project with npm locally, you still
 $ npm run build
 ```
 
-> **Warning** restart this command when modifying files in the public root folder
+> [!IMPORTANT]
+> Restart this command when modifying files in the public root folder
 
 Once you have finished your development, check that the tests (and linter) are still good by running the following script:
 
 ```bash
 $ npm test
 ```
 
-> **Note** If you add a feature, try adding tests for it along.
+> [!CAUTION]
+> If you add a feature, try adding tests for it along.
 
 ## Workspaces
 

package.json

@@ -80,9 +80,9 @@
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/i18n": "^3.2.2",
     "@nodesecure/npm-registry-sdk": "^1.6.1",
-    "@nodesecure/ossf-scorecard-sdk": "^2.0.0",
-    "@nodesecure/rc": "^1.4.0",
-    "@nodesecure/scanner": "^4.0.0",
+    "@nodesecure/ossf-scorecard-sdk": "^3.0.0",
+    "@nodesecure/rc": "^1.5.0",
+    "@nodesecure/scanner": "^5.0.1",
     "@nodesecure/utils": "^1.1.0",
     "@nodesecure/vuln": "^1.7.0",
     "@openally/result": "^1.2.0",

public/css/components/package/box.css

@@ -46,7 +46,7 @@ section#package-info .box-file-info>.box-header>span.Information {
   background: #0288d1ab;
 }
 
-section#package-info .box-file-info>.box-header>a {
+section#package-info .box-file-info>.box-header>.box-title {
   font-size: 18px;
   font-variant: small-caps;
   font-family: "mononoki";
@@ -61,22 +61,22 @@ section#package-info .box-file-info>.box-header>a:hover {
   cursor: pointer;
 }
 
-section#package-info .box-file-info>.box-header>p {
+section#package-info .box-file-info>.box-header>.box-file {
   margin-left: auto;
   color: #B3E5FC;
   display: flex;
 }
 
-section#package-info .box-file-info>.box-header>p a {
+section#package-info .box-file-info>.box-header>.box-file a {
   color: inherit;
   text-decoration: none;
 }
 
-section#package-info .box-file-info>.box-header>p a:hover {
+section#package-info .box-file-info>.box-header>.box-file a:hover {
   text-decoration: underline;
 }
 
-section#package-info .box-file-info>.box-header>p i {
+section#package-info .box-file-info>.box-header>.box-file i {
   margin-right: 6px;
 }
 

public/js/components/package/pannels/overview.js

@@ -16,9 +16,11 @@ export class Overview {
 
   get author() {
     const author = this.package.dependencyVersion.author;
-    const flatAuthorFullname = typeof author === "string" ? author : (author?.name ?? "Unknown");
+    if (author === null) {
+      return "Unknown";
+    }
 
-    return flatAuthorFullname.length > 26 ? `${flatAuthorFullname.slice(0, 26)}...` : flatAuthorFullname;
+    return author.name.length > 26 ? `${author.name.slice(0, 26)}...` : author.name;
   }
 
   /**

public/js/components/package/pannels/warnings.js

@@ -10,7 +10,7 @@ export class Warnings {
     this.package = pkg;
   }
 
-  get isLocalProject() {
+  get isPrincipalRootProject() {
     return this.package.currentNode === 0 ||
       this.package.dependencyVersion.flags.includes("isGit");
   }
@@ -55,9 +55,6 @@ export class Warnings {
       if (window.settings.warnings.has(warning.kind)) {
         continue;
       }
-      const multipleLocation = warning.kind === "encoded-literal" ?
-        warning.location.map((loc) => locationToString(loc)).join(" // ") :
-        locationToString(warning.location);
 
       const id = Math.random().toString(36).slice(2);
       const hasNoInspection =
@@ -72,7 +69,7 @@ export class Warnings {
         ]
       });
 
-      if (this.isLocalProject || hasNoInspection) {
+      if (this.isPrincipalRootProject || hasNoInspection) {
         viewMoreElement.style.display = "none";
       }
       else {
@@ -102,18 +99,21 @@ export class Warnings {
           viewMoreElement
         ]
       });
-      const boxPosition = utils.createDOMElement("div", {
+      const boxPosition = warning.location === null ? null : utils.createDOMElement("div", {
         className: "box-source-code-position",
         childs: [
-          utils.createDOMElement("p", { text: multipleLocation })
+          utils.createDOMElement("p", {
+            text: this.getWarningLocation(warning)
+          })
         ]
       });
 
       const box = utils.createFileBox({
         title: warning.kind,
         fileName: warning.file.length > 20 ? `${warning.file.slice(0, 20)}...` : warning.file,
         childs: [boxContainer, boxPosition],
-        titleHref: `https://github.com/NodeSecure/js-x-ray/blob/master/docs/${warning.kind}.md`,
+        titleHref: warning.kind === "invalid-semver" ?
+          null : `https://github.com/NodeSecure/js-x-ray/blob/master/docs/${warning.kind}.md`,
         fileHref: `${unpkgRoot}${warning.file}`,
         severity: warning.severity ?? "Information"
       })
@@ -122,4 +122,13 @@ export class Warnings {
 
     return fragment;
   }
+
+  getWarningLocation(warning) {
+    if (warning.kind === "encoded-literal") {
+      return warning.location
+        .map((loc) => locationToString(loc)).join(" // ");
+    }
+
+    return locationToString(warning.location);;
+  }
 }

public/js/utils.js

@@ -108,13 +108,17 @@ export function createFileBox(options = {}) {
       ...(severity === null ? [] : [
         createDOMElement("span", { classList: [severity], text: severity.charAt(0).toUpperCase() })
       ]),
-      createDOMElement("a", {
-        text: title,
-        attributes: {
-          href: titleHref, ...defaultHrefProperties
-        }
-      }),
+      titleHref === null ?
+        createDOMElement("p", { text: title, className: "box-title" }) :
+        createDOMElement("a", {
+          text: title,
+          className: "box-title",
+          attributes: {
+            href: titleHref, ...defaultHrefProperties
+          }
+        }),
       createDOMElement("p", {
+        className: "box-file",
         childs: [
           createDOMElement("i", { classList: ["icon-docs"] }),
           fileDomElement
@@ -127,7 +131,7 @@ export function createFileBox(options = {}) {
     classList: ["box-file-info"],
     childs: [
       boxHeader,
-      ...childs
+      ...childs.filter((element) => element !== null)
     ]
   });
 }

test/commands/scorecard.test.js

@@ -38,30 +38,32 @@ test("scorecard should display fastify scorecard", async() => {
   const scorecardCliOptions = {
     path: kProcessPath,
     args: [packageName],
-    undiciMockAgentOptions: [{
-      baseUrl: API_URL,
-      intercept: {
-        path: `/projects/github.com/${packageName}`,
-        method: "GET"
-      },
-      response: {
-        body: mockBody,
-        status: 200
-      }
-    },
-    {
-      baseUrl: "https://api.github.com",
-      intercept: {
-        path: "/repos/fastify/fastify",
-        method: "GET"
+    undiciMockAgentOptions: [
+      {
+        baseUrl: API_URL,
+        intercept: {
+          path: `/projects/github.com/${packageName}`,
+          method: "GET"
+        },
+        response: {
+          body: mockBody,
+          status: 200
+        }
       },
-      response: {
-        body: {
-          full_name: "fastify/fastify"
+      {
+        baseUrl: "https://api.github.com",
+        intercept: {
+          path: "/repos/fastify/fastify",
+          method: "GET"
         },
-        status: 200
+        response: {
+          body: {
+            full_name: "fastify/fastify"
+          },
+          status: 200
+        }
       }
-    }]
+    ]
   };
 
 

test/helpers/cliCommandRunner.js

@@ -3,7 +3,7 @@ import { fork } from "node:child_process";
 import { createInterface } from "node:readline";
 
 // Import Third-party Dependencies
-import { MockAgent, setGlobalDispatcher } from "undici";
+import { MockAgent, setGlobalDispatcher } from "@myunisoft/httpie";
 import stripAnsi from "strip-ansi";
 
 export async function* runProcess(options) {
@@ -36,7 +36,13 @@ export function prepareProcess(command, args = process.argv.slice(2)) {
         const { baseUrl, intercept, response } = mock;
         const pool = mockAgent.get(baseUrl);
 
-        pool.intercept(intercept).reply(response.status, () => response.body);
+        pool
+          .intercept(intercept)
+          .reply(
+            response.status,
+            () => response.body,
+            { headers: { "content-type": "application/json" } }
+          );
       }
 
       mockAgent.disableNetConnect();

views/index.html

@@ -188,6 +188,10 @@ <h1><i class="icon-cog"></i>General</h1>
             <input type="checkbox" checked name="warnings" value="weak-crypto">
             <p>weak crypto</p>
           </div>
+          <div>
+            <input type="checkbox" checked name="warnings" value="invalid-semver">
+            <p>invalid semver (0.x.x)</p>
+          </div>
         </div>
         <div class="line">
           <p>Flags to ignore:</p>