deps: @npmcli/query@3.1.0

npm · Feb 26, 2024 · edc7e23 · edc7e23
1 parent 00a3a08
commit edc7e23
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 27 deletions.
diff --git a/node_modules/@npmcli/query/lib/index.js b/node_modules/@npmcli/query/lib/index.js
@@ -85,31 +85,57 @@ const fixupNestedPseudo = astNode => {
   transformAst(newRootNode)
 }
 
-// :semver(<version|range>, [selector], [function])
+// :semver(<version|range|selector>, [version|range|selector], [function])
+// note: the first or second parameter must be a static version or range
 const fixupSemverSpecs = astNode => {
-  // the first child node contains the version or range, most likely as a tag and a series of
-  // classes. we combine them into a single string here. this is the only required input.
-  const children = astNode.nodes.shift().nodes
-  const value = children.reduce((res, i) => `${res}${String(i)}`, '')
-
-  // next, if we have 2 nodes left then the user called us with a total of 3. that means the
-  // last one tells us what specific semver function the user is requesting, so we pull that out
-  let semverFunc
-  if (astNode.nodes.length === 2) {
+  // if we have three nodes, the last is the semver function to use, pull that out first
+  if (astNode.nodes.length === 3) {
     const funcNode = astNode.nodes.pop().nodes[0]
     if (funcNode.type === 'tag') {
-      semverFunc = funcNode.value
+      astNode.semverFunc = funcNode.value
+    } else if (funcNode.type === 'string') {
+      // a string is always in some type of quotes, we don't want those so slice them off
+      astNode.semverFunc = funcNode.value.slice(1, -1)
+    } else {
+      // anything that isn't a tag or a string isn't a function name
+      throw Object.assign(
+        new Error('`:semver` pseudo-class expects a function name as last value'),
+        { code: 'ESEMVERFUNC' }
+      )
+    }
+  }
+
+  // now if we have 1 node, it's a static value
+  // istanbul ignore else
+  if (astNode.nodes.length === 1) {
+    const semverNode = astNode.nodes.pop()
+    astNode.semverValue = semverNode.nodes.reduce((res, next) => `${res}${String(next)}`, '')
+  } else if (astNode.nodes.length === 2) {
+    // and if we have two nodes, one of them is a static value and we need to determine which it is
+    for (let i = 0; i < astNode.nodes.length; ++i) {
+      const type = astNode.nodes[i].nodes[0].type
+      // the type of the first child may be combinator for ranges, such as >14
+      if (type === 'tag' || type === 'combinator') {
+        const semverNode = astNode.nodes.splice(i, 1)[0]
+        astNode.semverValue = semverNode.nodes.reduce((res, next) => `${res}${String(next)}`, '')
+        astNode.semverPosition = i
+        break
+      }
+    }
+
+    if (typeof astNode.semverValue === 'undefined') {
+      throw Object.assign(
+        new Error('`:semver` pseudo-class expects a static value in the first or second position'),
+        { code: 'ESEMVERVALUE' }
+      )
     }
   }
 
-  // now if there's a node left, that node is our selector. since that is the last remaining
-  // child node, we call fixupAttr on ourselves so that the attribute selectors get parsed
+  // if we got here, the last remaining child should be attribute selector
   if (astNode.nodes.length === 1) {
     fixupAttr(astNode)
   } else {
-    // we weren't provided a selector, so we default to `[version]`. note, there's no default
-    // operator here. that's because we don't know yet if the user has provided us a version
-    // or range to assert against
+    // if we don't have a selector, we default to `[version]`
     astNode.attributeMatcher = {
       insensitive: false,
       attribute: 'version',
@@ -118,8 +144,6 @@ const fixupSemverSpecs = astNode => {
     astNode.lookupProperties = []
   }
 
-  astNode.semverFunc = semverFunc
-  astNode.semverValue = value
   astNode.nodes.length = 0
 }
 
@@ -142,6 +166,46 @@ const fixupOutdated = astNode => {
   }
 }
 
+const fixupVuln = astNode => {
+  const vulns = []
+  if (astNode.nodes.length) {
+    for (const selector of astNode.nodes) {
+      const vuln = {}
+      for (const node of selector.nodes) {
+        if (node.type !== 'attribute') {
+          throw Object.assign(
+            new Error(':vuln pseudo-class only accepts attribute matchers or "cwe" tag'),
+            { code: 'EQUERYATTR' }
+          )
+        }
+        if (!['severity', 'cwe'].includes(node._attribute)) {
+          throw Object.assign(
+            new Error(':vuln pseudo-class only matches "severity" and "cwe" attributes'),
+            { code: 'EQUERYATTR' }
+          )
+        }
+        if (!node.operator) {
+          node.operator = '='
+          node.value = '*'
+        }
+        if (node.operator !== '=') {
+          throw Object.assign(
+            new Error(':vuln pseudo-class attribute selector only accepts "=" operator', node),
+            { code: 'EQUERYATTR' }
+          )
+        }
+        if (!vuln[node._attribute]) {
+          vuln[node._attribute] = []
+        }
+        vuln[node._attribute].push(node._value)
+      }
+      vulns.push(vuln)
+    }
+    astNode.vulns = vulns
+    astNode.nodes.length = 0
+  }
+}
+
 // a few of the supported ast nodes need to be tweaked in order to properly be
 // interpreted as proper arborist query selectors, namely semver ranges from
 // both ids and :semver pseudo-class selectors need to be translated from what
@@ -168,6 +232,8 @@ const transformAst = selector => {
         return fixupTypes(nextAstNode)
       case ':outdated':
         return fixupOutdated(nextAstNode)
+      case ':vuln':
+        return fixupVuln(nextAstNode)
     }
   })
 }

diff --git a/node_modules/@npmcli/query/package.json b/node_modules/@npmcli/query/package.json
@@ -1,11 +1,11 @@
 {
   "name": "@npmcli/query",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "npm query parser and tools",
   "main": "lib/index.js",
   "scripts": {
     "test": "tap",
-    "lint": "eslint \"**/*.js\"",
+    "lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
     "postlint": "template-oss-check",
     "template-oss-apply": "template-oss-apply --force",
     "lintfix": "npm run lint -- --fix",
@@ -39,11 +39,12 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.5.1"
+    "version": "4.21.3",
+    "publish": true
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "4.5.1",
+    "@npmcli/eslint-config": "^4.0.0",
+    "@npmcli/template-oss": "4.21.3",
     "tap": "^16.2.0"
   },
   "dependencies": {

diff --git a/package-lock.json b/package-lock.json
@@ -2654,8 +2654,9 @@
       }
     },
     "node_modules/@npmcli/query": {
-      "version": "3.0.0",
-      "license": "ISC",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/query/-/query-3.1.0.tgz",
+      "integrity": "sha512-C/iR0tk7KSKGldibYIB9x8GtO/0Bd0I2mhOaDb8ucQL/bQVTmGoeREaFj64Z5+iCBRf3dQfed0CjJL7I8iTkiQ==",
       "dependencies": {
         "postcss-selector-parser": "^6.0.10"
       },
@@ -16249,7 +16250,7 @@
         "@npmcli/name-from-folder": "^2.0.0",
         "@npmcli/node-gyp": "^3.0.0",
         "@npmcli/package-json": "^4.0.0",
-        "@npmcli/query": "^3.0.0",
+        "@npmcli/query": "^3.1.0",
         "@npmcli/run-script": "^6.0.0",
         "bin-links": "^4.0.1",
         "cacache": "^17.0.4",

diff --git a/workspaces/arborist/package.json b/workspaces/arborist/package.json
@@ -11,7 +11,7 @@
     "@npmcli/name-from-folder": "^2.0.0",
     "@npmcli/node-gyp": "^3.0.0",
     "@npmcli/package-json": "^4.0.0",
-    "@npmcli/query": "^3.0.0",
+    "@npmcli/query": "^3.1.0",
     "@npmcli/run-script": "^6.0.0",
     "bin-links": "^4.0.1",
     "cacache": "^17.0.4",