feat: preserve sha1 integrity and auto detect lockfile (#10)

* bug: added `--preserve-integrity` flag to prevent removal of integrity hash when `sha1` is used due to private repositories such as Azure Artifacts not supporting anything other than `sha1`. feat: removed need for `--lockfile` flag if a `yarn.lock` or `package-lock.json` exists. Defaults to `yarn.lock` if not found. You can still specify a lockfile if you wish. chore: updated eslint-plugin-import to ^2.31.0 for eslint 9 support * Tweaked the lockFileName detector code as per feedback * Changed isYarn check to be more explicit with filename
ASOS · Dec 3, 2024 · fd95b77 · fd95b77
1 parent 5d53aa9
commit fd95b77
Show file tree

Hide file tree

Showing 5 changed files with 268 additions and 158 deletions.
diff --git a/README.md b/README.md
@@ -52,13 +52,16 @@ It is recommended that you use this tool alongside the official Snyk CLI, not re
 ### Options
 
 ```console
-snyker --retries 3 --lockfile package-lock.json
+snyker --retries 3 --lockfile package-lock.json --preserve-integrity
 ```
 
-| Flag                  | Description                                                            | Default     |
-| --------------------- | ---------------------------------------------------------------------- | ----------- |
-| `--lockfile <string>` | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`). | `yarn.lock` |
-| `--retries <int>`     | Will set the number of times to retry logical steps of Snyker.         | `2`         |
+| Flag                   | Description                                                              | Default     |
+| ---------------------- | -------------------------------------------------------------------------| ----------- |
+| `--lockfile <string>`  | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`).   | Attempts to find a `yarn.lock` or `package-lock.json` then defaults to `yarn.lock` |
+| `--retries <int>`      | Will set the number of times to retry logical steps of Snyker.           | `2`         |
+| `--preserve-integrity` | Will not attempt to update integrity hash when `sha1` is used. \*        | `false`     |
+
+> \* It is highly recommended to use `sha512` for the integrity hash algorithm which is default for `npm`. However, when using private repositories such as Azure Artifacts, they do not support anything other than `sha1`. In turn, if the integrity is removed, the subsequent `npm install` command does not re-instate these. This flag is a workaround for this issue.
 
 ## Alternatives
 

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -1,5 +1,11 @@
 # ChangeLog
 
+## [5.1.0] - 27-11-2024
+
+- feat: removed need for `--lockfile` flag if a `yarn.lock` or `package-lock.json` exists. Defaults to `yarn.lock` if not found. You can still specify a lockfile if you wish.
+- bug: added `--preserve-integrity` flag to prevent removal of integrity hash when `sha1` is used due to private repositories such as Azure Artifacts not supporting anything other than `sha1`.
+- chore: updated eslint-plugin-import to ^2.31.0 for eslint 9 support
+
 ## [5.0.0] - 31-08-2024
 
 - feat: upgrade dependencies to latest versions

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@asos/snyker",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "An opinionated, heavy-handed wrapper around Snyk.",
   "author": {
     "name": "Craig Morten",
@@ -59,7 +59,7 @@
     "cross-env": "^7.0.3",
     "eslint": "^9.10.0",
     "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-import": "^2.30.0",
+    "eslint-plugin-import": "^2.31.0",
     "eslint-plugin-prettier": "^5.2.1",
     "prettier": "^3.3.3",
     "rimraf": "^6.0.1",

diff --git a/src/index.js b/src/index.js
@@ -10,6 +10,7 @@ const LARGE_BUFFER = 1024 * 1024 * 1024 * 20;
 const DEFAULT_RETRIES = 2;
 
 let MAX_RETRIES;
+let PRESERVE_INTEGRITY = false;
 
 const catchAndRetry = async (fn) => {
   for (let retries = 0; retries < MAX_RETRIES; retries++) {
@@ -123,7 +124,9 @@ const updateYarnLock = async ({ lockFileName, depsToForceUpdate }) => {
  */
 const shaPatch = ({ integrity, ...rest }) => ({
   ...rest,
-  ...(!integrity || integrity.startsWith("sha1-") ? {} : { integrity }),
+  ...(!integrity || (integrity.startsWith("sha1-") && !PRESERVE_INTEGRITY)
+    ? {}
+    : { integrity }),
 });
 
 /**
@@ -295,9 +298,19 @@ const snyker = async () => {
   console.log("[SNYKER: STARTING]");
 
   MAX_RETRIES = argv.retries || DEFAULT_RETRIES;
-
-  const lockFileName = argv.lockfile || "yarn.lock";
-  const isYarn = lockFileName.includes("yarn");
+  PRESERVE_INTEGRITY = argv["preserve-integrity"] || false;
+
+  // We need to determine whether we're using Yarn or NPM
+  // Prioritise "lockfile" flag, then check for yarn.lock, then package-lock.json
+  // If none of these files exist, default to yarn.lock
+  const lockFileName =
+    argv.lockfile ||
+    ["yarn.lock", "package-lock.json"].find((file) =>
+      fs.existsSync(path.join(process.cwd(), file)),
+    ) ||
+    "yarn.lock";
+
+  const isYarn = lockFileName === "yarn.lock";
 
   console.log(
     `[SNYKER: STEP 1]: Ensuring lockfile '${lockFileName}' is up to date.\n`,