Merge pull request #16 from dominykas/tests

Add tests

Author: dominykas

.gitignore

@@ -1,3 +1,3 @@
 .idea
 node_modules
-
+test/tmp/

README.md

@@ -2,15 +2,22 @@
 
 Execute allowed `npm install` lifecycle scripts. 
 
-## Usage
+## tl;dr
+
+- Whitelist packages that you trust in your `package.json`: `"allowScripts": { "packageName": "1.x.x - 2.x.x" }`
+- Run `npm install --ignore-scripts` or `yarn install --ignore-scripts`
+- Run `npx allow-scripts`
+
+Only the explicitly allowed `[pre|post]install` scripts will be executed.
 
-Run your `npm install` with `--ignore-scripts` (or add `ignore-scripts=true` in your `.npmrc`), then:
+
+## Usage
 
 ```
 $ npx allow-scripts [--dry-run]
 ```
 
-Running the command will scan the list of installed dependencies (from the first source available: `npm-shrinkwrap.json`, `package-lock.json`, `npm ls --json`). It will then execute the scripts for allowed dependencies that have them in the following order:
+Running the command will scan the list of installed dependencies (using an existing `package-lock.json` or `npm-shrinkwrap.json` or by creating one on the fly). It will then execute the scripts for allowed dependencies that have them in the following order:
 
 - `preinstall` in the main package
 - `preinstall` in dependencies
@@ -21,20 +28,21 @@ Running the command will scan the list of installed dependencies (from the first
 - `prepublish` in the main package
 - `prepare` in the main package
 
-Allowed package list is configurable in `package.json` by adding an `allowScripts` property, with an object where the key is a package name and the value is one of:
-
-* a string with a semver specifier for allowed versions
-  - non-matching versions will be ignored
-* `true` - allow all versions (equivalent to `'*'` semver specifier)
-* `false` - ignore all versions
-
-If a package has a lifecycle script, but is neither allowed nor ignored, `allow-scripts` will exit with an error.
+### Configuration
 
-Example for `package.json`:
 ```
   "allowScripts": {
     "fsevents": "*",        # allow install scripts in all versions
     "node-sass": false,     # ignore install scripts for all versions
     "webpack-cli": "3.x.x"  # allow all minors for v3, ignore everything else
   }
 ```
+
+Allowed package list is configurable in `package.json` by adding an `allowScripts` property, with an object where the key is a package name and the value is one of:
+
+* a string with a semver specifier for allowed versions
+  - non-matching versions will be ignored
+* `true` - allow all versions (equivalent to `'*'` semver specifier)
+* `false` - ignore all versions
+
+If a package has a lifecycle script, but is neither allowed nor ignored, `allow-scripts` will exit with an error.

lib/index.js

@@ -51,10 +51,14 @@ internals.queue = (tree) => {
 
 internals.runScript = (stage, { pkg, path, cwd, unsafePerm }, options) => {
 
+    if (!pkg.scripts || !pkg.scripts[stage]) {
+        return;
+    }
+
     console.log();
 
     if (options.dryRun) {
-        console.log(`DRY RUN ==> ${stage} ${path || pkg.name}...`);
+        console.log(`DRY RUN ==> ${stage} ${path || pkg.name}`);
         return;
     }
 
@@ -84,21 +88,13 @@ internals.getLockFile = (cwd) => {
         return require(Path.join(cwd, 'package-lock.json'));
     }
 
-    let output;
-    try {
-        output = Cp.execSync('npm ls --json', { cwd });
-    }
-    catch (err) {
-        output = err.output[1]; // npm will exist with an error when e.g. there's peer deps missing - attempt to ignore that
-    }
+    Cp.execSync('npm shrinkwrap');
 
-    try {
-        return JSON.parse(output.toString());
-    }
-    catch (err) {
-        console.error(err);
-        throw new Error('Failed to read the contents of node_modules');
-    }
+    const lockFilePath = Path.join(cwd, 'npm-shrinkwrap.json');
+    const lockFileContents = require(lockFilePath);
+
+    Fs.unlinkSync(lockFilePath);
+    return lockFileContents;
 };
 
 exports.run = async (options) => {
@@ -108,7 +104,13 @@ exports.run = async (options) => {
 
     pkg._id = `${pkg.name}@${pkg.version}`; // @todo: find an official way to do this for top level package
 
-    const tree = Npm.logicalTree(pkg, internals.getLockFile(cwd));
+    try {
+        var tree = Npm.logicalTree(pkg, internals.getLockFile(cwd));
+    }
+    catch (err) {
+        throw new Error('Failed to read the installed tree - you might want to `rm -rf node_modules && npm i --ignore-scripts`.');
+    }
+
     const queue = internals.queue(tree);
 
     const allowScripts = pkg.allowScripts || {};
@@ -134,6 +136,7 @@ exports.run = async (options) => {
 
             if (allowScripts[name] === false) {
                 console.warn(`==========> skip ${path} (because it is not allowed in package.json)`);
+                return false;
             }
 
             if (allowScripts[name] === true) {

package.json

@@ -7,7 +7,7 @@
     "url": "https://github.com/dominykas/allow-scripts.git"
   },
   "scripts": {
-    "test": "lab -L -n"
+    "test": "lab -L -t 100 -m 5000"
   },
   "bin": {
     "allow-scripts": "./bin/allow-scripts.js"
@@ -20,8 +20,12 @@
     "topo": "3.x.x"
   },
   "devDependencies": {
+    "code": "5.x.x",
     "lab": "18.x.x",
-    "semantic-release": "15.x.x"
+    "mkdirp": "0.5.x",
+    "rimraf": "2.x.x",
+    "semantic-release": "15.x.x",
+    "sinon": "7.x.x"
   },
   "files": [
     "bin",

test/fixtures/allowed-false.json

@@ -0,0 +1,14 @@
+{
+  "private": true,
+  "name": "@example/allowed-false",
+  "version": "0.0.0",
+  "dependencies": {
+    "@example/with-install-script": "*",
+    "@example/with-postinstall-script": "*",
+    "@example/without-scripts": "*"
+  },
+  "allowScripts": {
+    "@example/with-install-script": false,
+    "@example/with-postinstall-script": "*"
+  }
+}

test/fixtures/allowed-semver.json

@@ -0,0 +1,14 @@
+{
+  "private": true,
+  "name": "@example/allowed-semver",
+  "version": "0.0.0",
+  "dependencies": {
+    "@example/with-install-script": "*",
+    "@example/with-postinstall-script": "*",
+    "@example/without-scripts": "*"
+  },
+  "allowScripts": {
+    "@example/with-install-script": "1.x.x",
+    "@example/with-postinstall-script": "*"
+  }
+}

test/fixtures/basic.dry-run.txt

@@ -0,0 +1,15 @@
+DRY RUN ==> preinstall @example/basic
+
+DRY RUN ==> preinstall node_modules/@example/with-preinstall-script
+
+DRY RUN ==> install node_modules/@example/with-install-script
+
+DRY RUN ==> postinstall node_modules/@example/with-postinstall-script
+
+DRY RUN ==> install @example/basic
+
+DRY RUN ==> postinstall @example/basic
+
+DRY RUN ==> prepublish @example/basic
+
+DRY RUN ==> prepare @example/basic

test/fixtures/basic.full.txt

@@ -0,0 +1,8 @@
+preinstall from basic
+preinstall from with-preinstall-script
+install from with-install-script
+postinstall from with-postinstall-script
+install from basic
+postinstall from basic
+prepublish from basic
+prepare from basic

test/fixtures/basic.json

@@ -0,0 +1,24 @@
+{
+  "private": true,
+  "name": "@example/basic",
+  "version": "0.0.0",
+  "dependencies": {
+    "@example/with-preinstall-script": "*",
+    "@example/with-install-script": "*",
+    "@example/with-postinstall-script": "*",
+    "@example/without-scripts": "*",
+    "@example/without-install-scripts": "*"
+  },
+  "allowScripts": {
+    "@example/with-preinstall-script": "*",
+    "@example/with-install-script": "*",
+    "@example/with-postinstall-script": true
+  },
+  "scripts": {
+    "preinstall": "echo preinstall from basic >> ${OUTPUT}",
+    "install": "echo install from basic >> ${OUTPUT}",
+    "postinstall": "echo postinstall from basic >> ${OUTPUT}",
+    "prepublish": "echo prepublish from basic >> ${OUTPUT}",
+    "prepare": "echo prepare from basic >> ${OUTPUT}"
+  }
+}

test/fixtures/cycle-a.json

@@ -0,0 +1,8 @@
+{
+  "private": true,
+  "name": "@example/cycle-a",
+  "version": "0.0.0",
+  "dependencies": {
+    "@example/cycle-b": "*"
+  }
+}