
Commit 378da7a

committed
lib/npm: validate semver specs
1 parent 7708f40 commit 378da7a

3 files changed

+35
-0
lines changed


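--- a/lib/npm.js
+++ b/lib/npm.js
@@ -1,6 +1,7 @@
 'use strict'
 const execa = require('execa')
 const npa = require('npm-package-arg')
+const semver = require('semver')
 const validateNpmPackageName = require('validate-npm-package-name')
 
 // Remove npm env vars from the commands, this
@@ -53,6 +54,17 @@ function normalizePackageName (name, opts = {}) {
 throw new Error(`Invalid package type specifier (${pkg.type} - ${pkg.raw})`)
 }
 
+if (
+typeof pkg.rawSpec !== 'string' || (
+pkg.rawSpec.length > 0 && (
+semver.coerce(pkg.rawSpec, { loose: true }) == null && (
+pkg.rawSpec === '*' || pkg.rawSpec.startsWith('<=') || pkg.rawSpec.startsWith('>=')
+) === false)
+)
+) {
+throw new Error(`Invalid package semver specifier (${pkg.rawSpec} - ${pkg.raw})`)
+}
+
 switch (pkg.type) {
 // Directory checkes for package.json and
 // hosted means it looks like a remote repo or tarball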
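Review bot: `semver.coerce` in the new guard is a much weaker check than "validate semver specs" implies: it only looks for a run of digits somewhere in the string, so malformed specs such as `v1foo` or `1.x-whatever` are coerced to `1.0.0` and accepted, while only digit-free input like `a.b.c` is rejected. `semver.validRange(pkg.rawSpec, { loose: true }) === null` is the check npm itself applies, it already accepts `*`, `<1`, `<=2` and `>=2`, and using it lets the hand-written `=== false` clause with its `*`/`<=`/`>=` allow-list go away. Because the guard runs before `switch (pkg.type)`, the non-registry specs the switch comments mention (directory, hosted/remote) presumably reach it too and would be rejected unless their spec happens to contain digits; if that is unintended, gate the check on `pkg.type === 'version' || pkg.type === 'range'`, which npm-package-arg has already classified. The enclosing normalizePackageName starts outside the hunk.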

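--- a/package.json
+++ b/package.json
@@ -38,6 +38,7 @@
 "inquirer": "^5.2.0",
 "npm-package-arg": "^7.0.0",
 "safe-parse-list": "^0.1.1",
+"semver": "^7.3.5",
 "validate-npm-package-name": "^3.0.0"
 },
 "devDependencies": {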

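--- a/test/npm.js
+++ b/test/npm.js
@@ -0,0 +1,22 @@
+const assert = require('assert')
+const { suite, test } = require('mocha')
+
+const npm = require('../lib/npm')
+
+suite('npm', () => {
+test('accept empty semver', () => {
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create'))
+})
+test('accept valid semver', () => {
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create@1.0.0'))
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create@<1'))
+})
+test('accept valid semver (exceptions)', () => {
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create@<=2'))
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create@>=2'))
+assert.doesNotThrow(() => npm.normalizePackageName('@pkgjs/create@*'))
+})
+test('reject invalid semver', () => {
+assert.throws(() => npm.normalizePackageName('@pkgjs/create@a.b.c'))
+})
+})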
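Review bot: The `assert.throws` in 'reject invalid semver' has no expected-error argument, so the test passes for any exception at all, including a TypeError from an unrelated regression, rather than proving the new semver guard fired. Pin it to the message the guard produces: `assert.throws(() => npm.normalizePackageName('@pkgjs/create@a.b.c'), /Invalid package semver specifier/)`. A second negative case with digits embedded in otherwise invalid text, e.g. `'@pkgjs/create@v1foo'`, would also document what the coerce-based check is meant to accept or reject, since 'a.b.c' only exercises the digit-free path.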
