Support versioned packages in allowList/banList (#1205)

ije · web-flow · commit c62f191d3263 · 2025-09-09T17:51:14.000+08:00
diff --git a/config.example.jsonc b/config.example.jsonc
@@ -107,9 +107,7 @@
   // The list to only allow some packages or scopes, default allow all.
   "allowList": {
     "packages": ["@scope_name/package_name"],
-    "scopes": [{
-      "name": "@scope_name"
-    }]
+    "scopes": ["@scope_name"]
   },
 
   // The list to ban some packages or scopes, default no ban.
diff --git a/server/build_resolver.go b/server/build_resolver.go
@@ -314,6 +314,18 @@ func (ctx *BuildContext) resolveEntry(esm EsmPath) (entry BuildEntry) {
 					}
 					*/
 					exportEntry = ctx.resolveConditionExportEntry(obj, pkgJson.Type)
+				} else if arr, ok := v.([]any); ok {
+					/**
+					exports: {
+						".": ["./cjs/index.js", "./esm/index.js"]
+					}
+					*/
+					a0 := arr[0]
+					if s, ok := a0.(string); ok {
+						exportEntry.update(s, pkgJson.Type == "module")
+					} else if obj, ok := a0.(npm.JSONObject); ok {
+						exportEntry = ctx.resolveConditionExportEntry(obj, pkgJson.Type)
+					}
 				}
 			} else {
 				/**
diff --git a/server/config.go b/server/config.go
@@ -9,11 +9,13 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 
 	"github.com/esm-dev/esm.sh/internal/storage"
 	"github.com/ije/gox/term"
+	"github.com/ije/gox/utils"
 )
 
 var (
@@ -68,12 +70,8 @@ type BanScope struct {
 }
 
 type AllowList struct {
-	Packages []string     `json:"packages"`
-	Scopes   []AllowScope `json:"scopes"`
-}
-
-type AllowScope struct {
-	Name string `json:"name"`
+	Packages []string `json:"packages"`
+	Scopes   []string `json:"scopes"`
 }
 
 // LoadConfig loads config from the given file. Panic if failed to load.
@@ -248,77 +246,73 @@ func normalizeConfig(config *Config) {
 
 // extractPackageName Will take a packageName as input extract key parts and return them
 //
-// fullNameWithoutVersion  e.g. @github/faker
-// scope                   e.g. @github
-// nameWithoutVersionScope e.g. faker
-func extractPackageName(packageName string) (fullNameWithoutVersion string, scope string, nameWithoutVersionScope string) {
-	paths := strings.Split(packageName, "/")
-	if strings.HasPrefix(packageName, "@") {
+// moduleName        e.g. @github/faker[@1.0.0]/submodule
+// packageId         e.g. @github/faker[@1.0.0]
+// scope             e.g. @github
+// name              e.g. faker
+// version           e.g. [@1.0.0]
+func extractPackageName(moduleName string) (packageId string, scope string, name string, version string) {
+	paths := strings.Split(moduleName, "/")
+	if strings.HasPrefix(moduleName, "@") && len(paths) > 1 {
+		packageId = paths[0] + "/" + paths[1]
 		scope = paths[0]
-		nameWithoutVersionScope = strings.Split(paths[1], "@")[0]
-		fullNameWithoutVersion = fmt.Sprintf("%s/%s", scope, nameWithoutVersionScope)
+		name, version = utils.SplitByFirstByte(paths[1], '@')
 	} else {
 		// the package has no scope prefix
-		nameWithoutVersionScope = strings.Split(paths[0], "@")[0]
-		fullNameWithoutVersion = nameWithoutVersionScope
+		packageId = paths[0]
+		name, version = utils.SplitByFirstByte(packageId, '@')
 	}
-
-	return fullNameWithoutVersion, scope, nameWithoutVersionScope
+	return
 }
 
-// IsPackageBanned Checking if the package is banned.
-// The `packages` list is the highest priority ban rule to match,
-// so the `excludes` list in the `scopes` list won't take effect if the package is banned in `packages` list
-func (banList *BanList) IsPackageBanned(fullName string) bool {
-	fullNameWithoutVersion, scope, nameWithoutVersionScope := extractPackageName(fullName)
+func (allowList *AllowList) IsEmpty() bool {
+	return len(allowList.Packages) == 0 && len(allowList.Scopes) == 0
+}
 
-	for _, p := range banList.Packages {
-		if fullNameWithoutVersion == p {
-			return true
-		}
+// IsPackageAllowed Checking if the package is allowed.
+// The `packages` list is the highest priority allow rule to match,
+// so the `includes` list in the `scopes` list won't take effect if the package is allowed in `packages` list
+func (allowList *AllowList) IsPackageAllowed(moduleName string) bool {
+	if allowList.IsEmpty() {
+		return true
 	}
 
-	for _, s := range banList.Scopes {
-		if scope == s.Name {
-			return !isPackageExcluded(nameWithoutVersionScope, s.Excludes)
-		}
+	packageId, scope, name, _ := extractPackageName(moduleName)
+
+	if slices.Contains(allowList.Packages, packageId) || (scope != "" && slices.Contains(allowList.Packages, scope+"/"+name)) || (scope == "" && slices.Contains(allowList.Packages, name)) {
+		return true
 	}
 
-	return false
+	return slices.Contains(allowList.Scopes, scope)
 }
 
-// IsPackageAllowed Checking if the package is allowed.
-// The `packages` list is the highest priority allow rule to match,
-// so the `includes` list in the `scopes` list won't take effect if the package is allowed in `packages` list
-func (allowList *AllowList) IsPackageAllowed(fullName string) bool {
-	if len(allowList.Packages) == 0 && len(allowList.Scopes) == 0 {
-		return true
+// IsPackageBanned Checking if the package is banned.
+// The `packages` list is the highest priority ban rule to match,
+// so the `excludes` list in the `scopes` list won't take effect if the package is banned in `packages` list
+func (banList *BanList) IsPackageBanned(moduleName string) bool {
+	if banList.IsEmpty() {
+		return false
 	}
 
-	fullNameWithoutVersion, scope, _ := extractPackageName(fullName)
+	packageId, scope, name, version := extractPackageName(moduleName)
 
-	for _, p := range allowList.Packages {
-		if fullNameWithoutVersion == p {
-			return true
-		}
+	if slices.Contains(banList.Packages, packageId) || (scope != "" && slices.Contains(banList.Packages, scope+"/"+name)) || (scope == "" && slices.Contains(banList.Packages, name)) {
+		return true
 	}
 
-	for _, s := range allowList.Scopes {
-		if scope == s.Name {
-			return true
+	if scope != "" {
+		for _, s := range banList.Scopes {
+			if scope == s.Name {
+				return !slices.Contains(s.Excludes, name) && !(version != "" && slices.Contains(s.Excludes, name+"@"+version))
+			}
 		}
 	}
 
 	return false
 }
 
-func isPackageExcluded(name string, excludes []string) bool {
-	for _, exclude := range excludes {
-		if name == exclude {
-			return true
-		}
-	}
-	return false
+func (banList *BanList) IsEmpty() bool {
+	return len(banList.Packages) == 0 && len(banList.Scopes) == 0
 }
 
 func init() {
diff --git a/server/config_test.go b/server/config_test.go
@@ -6,9 +6,10 @@ import (
 
 func TestExtractPackageName(t *testing.T) {
 	type want struct {
-		fullNameWithoutVersion  string
-		scope                   string
-		nameWithoutVersionScope string
+		packageId string
+		scope     string
+		name      string
+		version   string
 	}
 	tests := []struct {
 		name        string
@@ -18,37 +19,40 @@ func TestExtractPackageName(t *testing.T) {
 		{
 			name:        "PackageWithVersionAndNoScope",
 			packageName: "faker@1.5.0",
-			want:        want{fullNameWithoutVersion: "faker", scope: "", nameWithoutVersionScope: "faker"},
+			want:        want{packageId: "faker@1.5.0", scope: "", name: "faker", version: "1.5.0"},
 		},
 		{
 			name:        "PackageWithVersionAndScope",
 			packageName: "@github/faker@1.5.0",
-			want:        want{fullNameWithoutVersion: "@github/faker", scope: "@github", nameWithoutVersionScope: "faker"},
+			want:        want{packageId: "@github/faker@1.5.0", scope: "@github", name: "faker", version: "1.5.0"},
 		},
 		{
 			name:        "ReactLoadedFromStable",
 			packageName: "react@18.2.0/es2022/react.mjs",
-			want:        want{fullNameWithoutVersion: "react", scope: "", nameWithoutVersionScope: "react"},
+			want:        want{packageId: "react@18.2.0", scope: "", name: "react", version: "18.2.0"},
 		},
 		{
 			name:        "ScopedLoadedFromStable",
 			packageName: "@github/faker@0.0.1/es2022/faker.mjs",
-			want:        want{fullNameWithoutVersion: "@github/faker", scope: "@github", nameWithoutVersionScope: "faker"},
+			want:        want{packageId: "@github/faker@0.0.1", scope: "@github", name: "faker", version: "0.0.1"},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fullNameWithoutVersion, scope, nameWithoutVersionScope := extractPackageName(tt.packageName)
+			fullNameWithoutVersion, scope, name, version := extractPackageName(tt.packageName)
 
-			if fullNameWithoutVersion != tt.want.fullNameWithoutVersion {
-				t.Errorf("%s not equal %s", fullNameWithoutVersion, tt.want.fullNameWithoutVersion)
+			if fullNameWithoutVersion != tt.want.packageId {
+				t.Errorf("%s not equal %s", fullNameWithoutVersion, tt.want.packageId)
 			}
 			if scope != tt.want.scope {
 				t.Errorf("%s not equal %s", scope, tt.want.scope)
 			}
-			if nameWithoutVersionScope != tt.want.nameWithoutVersionScope {
-				t.Errorf("%s not equal %s", nameWithoutVersionScope, tt.want.nameWithoutVersionScope)
+			if name != tt.want.name {
+				t.Errorf("%s not equal %s", name, tt.want.name)
+			}
+			if version != tt.want.version {
+				t.Errorf("%s not equal %s", version, tt.want.version)
 			}
 		})
 	}
@@ -75,9 +79,7 @@ func TestAllowListAndBanList_IsPackageNotAllowedOrBanned(t *testing.T) {
 		{
 			name: "AllowedScopeBannedScope",
 			allowList: AllowList{
-				Scopes: []AllowScope{{
-					Name: "@github",
-				}},
+				Scopes: []string{"@github"},
 			},
 			banList: BanList{
 				Scopes: []BanScope{{
@@ -90,9 +92,7 @@ func TestAllowListAndBanList_IsPackageNotAllowedOrBanned(t *testing.T) {
 		{
 			name: "AllowedScopeBannedPackage",
 			allowList: AllowList{
-				Scopes: []AllowScope{{
-					Name: "@github",
-				}},
+				Scopes: []string{"@github"},
 			},
 			banList: BanList{
 				Packages: []string{"@github/faker"},
@@ -178,29 +178,23 @@ func TestAllowList_IsPackageAllowed(t *testing.T) {
 		{
 			name: "AllowedByScope",
 			allowList: AllowList{
-				Scopes: []AllowScope{{
-					Name: "@github",
-				}},
+				Scopes: []string{"@github"},
 			},
 			args: args{fullName: "@github/perfect"},
 			want: true,
 		},
 		{
 			name: "NotAllowedByScope",
 			allowList: AllowList{
-				Scopes: []AllowScope{{
-					Name: "@github",
-				}},
+				Scopes: []string{"@github"},
 			},
 			args: args{fullName: "@faker/perfect"},
 			want: false,
 		},
 		{
 			name: "NotAllowedByScope",
 			allowList: AllowList{
-				Scopes: []AllowScope{{
-					Name: "@github",
-				}},
+				Scopes: []string{"@github"},
 			},
 			args: args{fullName: "@faker/perfect"},
 			want: false,
diff --git a/server/router.go b/server/router.go
@@ -854,9 +854,11 @@ func esmRouter(db Database, esmStorage storage.Storage, logger *log.Logger) rex.
 			return rex.Status(status, message)
 		}
 
-		pkgAllowed := config.AllowList.IsPackageAllowed(esm.PkgName)
-		pkgBanned := config.BanList.IsPackageBanned(esm.PkgName)
-		if !pkgAllowed || pkgBanned {
+		if !config.AllowList.IsEmpty() && !config.AllowList.IsPackageAllowed(esm.Name()) {
+			return rex.Status(403, "forbidden")
+		}
+
+		if !config.BanList.IsEmpty() && config.BanList.IsPackageBanned(esm.Name()) {
 			return rex.Status(403, "forbidden")
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -854,9 +854,11 @@ func esmRouter(db Database, esmStorage storage.Storage, logger *log.Logger) rex.`
`854`	`854`	`return rex.Status(status, message)`
`855`	`855`	`}`
`856`	`856`
`857`		`- pkgAllowed := config.AllowList.IsPackageAllowed(esm.PkgName)`
`858`		`- pkgBanned := config.BanList.IsPackageBanned(esm.PkgName)`
`859`		`- if !pkgAllowed \|\| pkgBanned {`
	`857`	`+ if !config.AllowList.IsEmpty() && !config.AllowList.IsPackageAllowed(esm.Name()) {`
	`858`	`+ return rex.Status(403, "forbidden")`
	`859`	`+ }`
	`860`	`+`
	`861`	`+ if !config.BanList.IsEmpty() && config.BanList.IsPackageBanned(esm.Name()) {`
`860`	`862`	`return rex.Status(403, "forbidden")`
`861`	`863`	`}`
`862`	`864`