Warn about vendored versionless packages

3v0k4 · 3v0k4 · commit 5195c6c3323b · 2025-07-17T11:57:12.000+02:00
diff --git a/lib/importmap/npm.rb b/lib/importmap/npm.rb
@@ -3,14 +3,17 @@
 require "json"
 
 class Importmap::Npm
+  PIN_REGEX = /^pin ["']([^["']]*)["'].*/
+
   Error     = Class.new(StandardError)
   HTTPError = Class.new(Error)
 
   singleton_class.attr_accessor :base_uri
   self.base_uri = URI("https://registry.npmjs.org")
 
-  def initialize(importmap_path = "config/importmap.rb")
+  def initialize(importmap_path = "config/importmap.rb", vendor_path: "vendor/javascript")
     @importmap_path = Pathname.new(importmap_path)
+    @vendor_path    = Pathname.new(vendor_path)
   end
 
   def outdated_packages
@@ -48,16 +51,20 @@ def packages_with_versions
     # We cannot use the name after "pin" because some dependencies are loaded from inside packages
     # Eg. pin "buffer", to: "https://ga.jspm.io/npm:@jspm/core@2.0.0-beta.19/nodelibs/browser/buffer.js"
 
-    importmap.scan(/^pin .*(?<=npm:|npm\/|skypack\.dev\/|unpkg\.com\/)(.*)(?=@\d+\.\d+\.\d+)@(\d+\.\d+\.\d+(?:[^\/\s["']]*)).*$/) |
-      importmap.scan(/^pin ["']([^["']]*)["'].* #.*@(\d+\.\d+\.\d+(?:[^\s]*)).*$/)
+    with_versions = importmap.scan(/^pin .*(?<=npm:|npm\/|skypack\.dev\/|unpkg\.com\/)(.*)(?=@\d+\.\d+\.\d+)@(\d+\.\d+\.\d+(?:[^\/\s["']]*)).*$/) |
+      importmap.scan(/#{PIN_REGEX} #.*@(\d+\.\d+\.\d+(?:[^\s]*)).*$/)
+
+    vendored_packages_without_version(with_versions).each do |package, path|
+      $stdout.puts "Ignoring #{package} (#{path}) since no version is specified in the importmap"
+    end
+
+    with_versions
   end
 
   private
     OutdatedPackage   = Struct.new(:name, :current_version, :latest_version, :error, keyword_init: true)
     VulnerablePackage = Struct.new(:name, :severity, :vulnerable_versions, :vulnerability, keyword_init: true)
 
-
-
     def importmap
       @importmap ||= File.read(@importmap_path)
     end
@@ -130,4 +137,19 @@ def post_json(uri, body)
     rescue => error
       raise HTTPError, "Unexpected transport error (#{error.class}: #{error.message})"
     end
+
+    def vendored_packages_without_version(packages_with_versions)
+      importmap
+        .lines
+        .filter_map do |line|
+          next line.match(/#{PIN_REGEX}to: ["']([^["']]*)["'].*/).captures if line.include?("to:")
+          match = line.match(PIN_REGEX)
+          [match.captures.first, "#{match.captures.first}.js"] if match
+        end
+        .filter_map do |package, filename|
+          next if packages_with_versions.map(&:first).include?(package)
+          path = File.join(@vendor_path, filename)
+          [package, path] if File.exist?(path)
+        end
+    end
 end
diff --git a/test/fixtures/files/import_map_without_cdn_and_versions.rb b/test/fixtures/files/import_map_without_cdn_and_versions.rb
@@ -0,0 +1,2 @@
+pin "foo", preload: true
+pin "@bar/baz", to: "baz.js", preload: true
diff --git a/test/npm_test.rb b/test/npm_test.rb
@@ -46,23 +46,22 @@ class Importmap::NpmTest < ActiveSupport::TestCase
     end
   end
 
-  test "missing outdated packages with mock" do
-    response = { "error" => "Not found" }.to_json
-
-    @npm.stub(:get_json, response) do
-      outdated_packages = @npm.outdated_packages
-
-      assert_equal(1, outdated_packages.size)
-      assert_equal('md5', outdated_packages[0].name)
-      assert_equal('2.2.0', outdated_packages[0].current_version)
-      assert_equal('Not found', outdated_packages[0].error)
-    end
-  end
-
-  test "failed outdated packages request with exception" do
-    Net::HTTP.stub(:start, proc { raise "Unexpected Error" }) do
-      assert_raises(Importmap::Npm::HTTPError) do
-        @npm.outdated_packages
+  test "warns (and ignores) vendored packages without version" do
+    Dir.mktmpdir do |vendor_path|
+      with_vendored_package(vendor_path, "foo.js") do |foo_path|
+        with_vendored_package(vendor_path, "baz.js") do |baz_path|
+          npm = Importmap::Npm.new(file_fixture("import_map_without_cdn_and_versions.rb"), vendor_path: vendor_path)
+
+          outdated_packages = []
+          stdout, _stderr = capture_io { outdated_packages = npm.outdated_packages }
+
+          expected = [
+            "Ignoring foo (#{foo_path}) since no version is specified in the importmap\n",
+            "Ignoring @bar/baz (#{baz_path}) since no version is specified in the importmap\n"
+          ]
+          assert_equal(expected, stdout.lines)
+          assert_equal(0, outdated_packages.size)
+        end
       end
     end
   end
@@ -142,4 +141,12 @@ def code() "200" end
       assert_equal('version not found', outdated_packages[0].latest_version)
     end
   end
+
+  def with_vendored_package(dir, name)
+    path = File.join(dir, name)
+    File.write(path, "console.log(123)")
+    yield path
+  ensure
+    File.delete(path)
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+pin "foo", preload: true`
	`2`	`+pin "@bar/baz", to: "baz.js", preload: true`