Fix workspace tests

feelepxyz · feelepxyz · commit e67e5db14995 · 2022-05-23T11:06:50.000+01:00
diff --git a/lib/commands/audit.js b/lib/commands/audit.js
@@ -80,7 +80,9 @@ class VerifySignatures {
     if (this.npm.config.get('json')) {
       this.appendOutput(this.makeJSON({ invalid, missing }))
     } else {
-      const timing = `audited ${this.audited} packages in ${Math.floor(Number(elapsed) / 1e9)}s`
+      const auditedPlural = this.audited > 1 ? 's' : ''
+      const timing = `audited ${this.audited} package${auditedPlural} in ` +
+                     `${Math.floor(Number(elapsed) / 1e9)}s`
       const verifiedPrefix = verified ? 'verified registry signatures, ' : ''
       this.appendOutput(`${verifiedPrefix}${timing}\n`)
 
@@ -119,9 +121,9 @@ class VerifySignatures {
           `${missing.length ? '\n' : ''}${invalid.length} ${msg}:\n`
         )
         this.appendOutput(this.humanOutput(invalid))
-        const plural = invalid.length === 1 ? '' : 's'
+        const invPlural = invalid.length === 1 ? '' : 's'
         this.appendOutput(
-          `\nSomeone might have tampered with the package${plural} ` +
+          `\nSomeone might have tampered with the package${invPlural} ` +
           `since it was published on the registry (monster-in-the-middle attack)!\n`
         )
       }
@@ -199,6 +201,11 @@ class VerifySignatures {
       : edge.dev ? 'devDependencies'
       : 'dependencies'
 
+    // Skip local workspaces
+    if (node.isWorkspace) {
+      return
+    }
+
     // Skip potentially optional packages that are not on disk, as these could
     // be omitted during install
     if (edge.error === 'MISSING' && type !== 'dependencies') {
diff --git a/tap-snapshots/test/lib/commands/audit.js.test.cjs b/tap-snapshots/test/lib/commands/audit.js.test.cjs
@@ -42,7 +42,7 @@ found 0 vulnerabilities
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures ignores optional dependencies > must match snapshot 1`] = `
-verified registry signatures, audited 1 packages in xxx
+verified registry signatures, audited 1 package in 0s
 
 `
 
@@ -85,12 +85,12 @@ exports[`test/lib/commands/audit.js TAP audit signatures json output with valid
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures omit dev dependencies with missing signature > must match snapshot 1`] = `
-verified registry signatures, audited 1 packages in xxx
+verified registry signatures, audited 1 package in 0s
 
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures output details about missing signatures > must match snapshot 1`] = `
-audited 1 packages in xxx
+audited 1 package in 0s
 
 1 package has a missing registry signature but the registry is providing signing keys:
 
@@ -112,7 +112,7 @@ Someone might have tampered with the package since it was published on the regis
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures with colour option and invalid signatures > must match snapshot 1`] = `
-audited 1 packages in xxx
+audited 1 package in 0s
 
 1 package has an [1m[31minvalid[39m[22m registry signature:
 
@@ -123,7 +123,7 @@ Someone might have tampered with the package since it was published on the regis
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures with invalid signatures > must match snapshot 1`] = `
-audited 1 packages in xxx
+audited 1 package in 0s
 
 1 package has an invalid registry signature:
 
@@ -134,7 +134,7 @@ Someone might have tampered with the package since it was published on the regis
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
-audited 1 packages in xxx
+audited 1 package in 0s
 
 1 package has a missing registry signature but the registry is providing signing keys
   run \`npm audit signatures --missing\` for details
@@ -150,7 +150,17 @@ audited 2 packages in xxx
 `
 
 exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures > must match snapshot 1`] = `
-verified registry signatures, audited 1 packages in xxx
+verified registry signatures, audited 1 package in 0s
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps and ignores local workspace deps > must match snapshot 1`] = `
+verified registry signatures, audited 3 packages in xxx
+
+`
+
+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps when filtering by workspace name > must match snapshot 1`] = `
+verified registry signatures, audited 2 packages in xxx
 
 `
 
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
@@ -379,16 +379,16 @@ t.test('audit signatures', async t => {
             version: '1.0.0',
           }),
         },
-        foo: {
+        async: {
           'package.json': JSON.stringify({
-            name: 'foo',
-            version: '1.0.0',
+            name: 'async',
+            version: '2.5.0',
           }),
         },
-        zeta: {
+        'light-cycle': {
           'package.json': JSON.stringify({
-            name: 'zeta',
-            version: '1.0.0',
+            name: 'light-cycle',
+            version: '1.4.2',
           }),
         },
       },
@@ -399,7 +399,7 @@ t.test('audit signatures', async t => {
             version: '1.0.0',
             dependencies: {
               b: '^1.0.0',
-              foo: '^1.0.0',
+              async: '^2.0.0',
             },
           }),
         },
@@ -408,17 +408,14 @@ t.test('audit signatures', async t => {
             name: 'b',
             version: '1.0.0',
             dependencies: {
-              zeta: '^1.0.0',
+              'light-cycle': '^1.0.0',
             },
           }),
         },
         c: {
           'package.json': JSON.stringify({
             name: 'c',
             version: '1.0.0',
-            dependencies: {
-              theta: '^1.0.0',
-            },
           }),
         },
       },
@@ -642,7 +639,7 @@ t.test('audit signatures', async t => {
 
     t.equal(process.exitCode, 0, 'should exit successfully')
     process.exitCode = 0
-    t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
+    t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
     t.matchSnapshot(joinedOutput())
   })
 
@@ -834,7 +831,7 @@ t.test('audit signatures', async t => {
 
     t.equal(process.exitCode, 0, 'should exit successfully')
     process.exitCode = 0
-    t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
+    t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
     t.matchSnapshot(joinedOutput())
   })
 
@@ -873,7 +870,7 @@ t.test('audit signatures', async t => {
 
     t.equal(process.exitCode, 0, 'should exit successfully')
     process.exitCode = 0
-    t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
+    t.match(joinedOutput(), /verified registry signatures, audited 1 package/)
     t.matchSnapshot(joinedOutput())
   })
 
@@ -961,33 +958,118 @@ t.test('audit signatures', async t => {
   })
 
   t.test('workspaces', async t => {
-    t.test('verifies registry deps and ignores local workspace deps', { todo: true }, async t => {
+    t.test('verifies registry deps and ignores local workspace deps', async t => {
       npm.prefix = workspaceInstall()
       await manifestWithValidSigs()
+      const asyncManifest = registry.manifest({
+        name: 'async',
+        packuments: [{
+          version: '2.5.0',
+          dist: {
+            tarball: 'https://registry.npmjs.org/async/-/async-2.5.0.tgz',
+            integrity: 'sha512-e+lJAJeNWuPCNyxZKOBdaJGyLGHugXVQtrAwtuAe2vhxTYxFT'
+                       + 'KE73p8JuTmdH0qdQZtDvI4dhJwjZc5zsfIsYw==',
+            signatures: [
+              {
+                keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
+                sig: 'MEUCIQCM8cX2U3IVZKKhzQx1w5AlNSDUI+fVf4857K1qT0NTNgIgdT4qwEl' +
+                     '/kg2vU1uIWUI0bGikRvVHCHlRs1rgjPMpRFA=',
+              },
+            ],
+          },
+        }],
+      })
+      const lightCycleManifest = registry.manifest({
+        name: 'light-cycle',
+        packuments: [{
+          version: '1.4.2',
+          dist: {
+            tarball: 'https://registry.npmjs.org/light-cycle/-/light-cycle-1.4.2.tgz',
+            integrity: 'sha512-badZ3KMUaGwQfVcHjXTXSecYSXxT6f99bT+kVzBqmO10U1UNlE' +
+                       'thJ1XAok97E4gfDRTA2JJ3r0IeMPtKf0EJMw==',
+            signatures: [
+              {
+                keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
+                sig: 'MEUCIQDXjoxQz4MzPqaIuy2RJmBlcFp0UD3h9EhKZxxEz9IYZAIgLO0znG5' +
+                     'aGciTAg4u8fE0/UXBU4gU7JcvTZGxW2BmKGw=',
+              },
+            ],
+          },
+        }],
+      })
+      await registry.package({ manifest: asyncManifest })
+      await registry.package({ manifest: lightCycleManifest })
       validKeys()
 
       await audit.exec(['signatures'])
 
       t.equal(process.exitCode, 0, 'should exit successfully')
       process.exitCode = 0
-      t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
+      t.match(joinedOutput(), /verified registry signatures, audited 3 packages/)
       t.matchSnapshot(joinedOutput())
     })
 
-    // TODO: This should verify kms-demo, but doesn't because arborist filters
-    // workspace deps even if they're also root deps
-    t.test('verifies registry dep if workspaces is disabled', { todo: true }, async t => {
+    t.test('verifies registry deps when filtering by workspace name', async t => {
       npm.prefix = workspaceInstall()
-      npm.flatOptions.workspacesEnabled = false
-      await manifestWithValidSigs()
+      npm.localPrefix = npm.prefix
+      const asyncManifest = registry.manifest({
+        name: 'async',
+        packuments: [{
+          version: '2.5.0',
+          dist: {
+            tarball: 'https://registry.npmjs.org/async/-/async-2.5.0.tgz',
+            integrity: 'sha512-e+lJAJeNWuPCNyxZKOBdaJGyLGHugXVQtrAwtuAe2vhxTYxFT'
+                       + 'KE73p8JuTmdH0qdQZtDvI4dhJwjZc5zsfIsYw==',
+            signatures: [
+              {
+                keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
+                sig: 'MEUCIQCM8cX2U3IVZKKhzQx1w5AlNSDUI+fVf4857K1qT0NTNgIgdT4qwEl' +
+                     '/kg2vU1uIWUI0bGikRvVHCHlRs1rgjPMpRFA=',
+              },
+            ],
+          },
+        }],
+      })
+      const lightCycleManifest = registry.manifest({
+        name: 'light-cycle',
+        packuments: [{
+          version: '1.4.2',
+          dist: {
+            tarball: 'https://registry.npmjs.org/light-cycle/-/light-cycle-1.4.2.tgz',
+            integrity: 'sha512-badZ3KMUaGwQfVcHjXTXSecYSXxT6f99bT+kVzBqmO10U1UNlE' +
+                       'thJ1XAok97E4gfDRTA2JJ3r0IeMPtKf0EJMw==',
+            signatures: [
+              {
+                keyid: 'SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA',
+                sig: 'MEUCIQDXjoxQz4MzPqaIuy2RJmBlcFp0UD3h9EhKZxxEz9IYZAIgLO0znG5' +
+                     'aGciTAg4u8fE0/UXBU4gU7JcvTZGxW2BmKGw=',
+              },
+            ],
+          },
+        }],
+      })
+      await registry.package({ manifest: asyncManifest })
+      await registry.package({ manifest: lightCycleManifest })
       validKeys()
 
-      await audit.exec(['signatures'])
+      await audit.execWorkspaces(['signatures'], ['./packages/a'])
 
       t.equal(process.exitCode, 0, 'should exit successfully')
       process.exitCode = 0
-      t.match(joinedOutput(), /verified registry signatures, audited 1 packages/)
+      t.match(joinedOutput(), /verified registry signatures, audited 2 packages/)
       t.matchSnapshot(joinedOutput())
     })
+
+    // TODO: This should verify kms-demo, but doesn't because arborist filters
+    // workspace deps even if they're also root deps
+    t.test('verifies registry dep if workspaces is disabled', async t => {
+      npm.prefix = workspaceInstall()
+      npm.flatOptions.workspacesEnabled = false
+
+      await t.rejects(
+        audit.exec(['signatures']),
+        /No dependencies found in current install/
+      )
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ found 0 vulnerabilities`
`42`	`42`	`
`43`	`43`
`44`	`44`	exports[`test/lib/commands/audit.js TAP audit signatures ignores optional dependencies > must match snapshot 1`] = `
`45`		`-verified registry signatures, audited 1 packages in xxx`
	`45`	`+verified registry signatures, audited 1 package in 0s`
`46`	`46`
`47`	`47`	`
`48`	`48`
@@ -85,12 +85,12 @@ exports[`test/lib/commands/audit.js TAP audit signatures json output with valid
`85`	`85`	`
`86`	`86`
`87`	`87`	exports[`test/lib/commands/audit.js TAP audit signatures omit dev dependencies with missing signature > must match snapshot 1`] = `
`88`		`-verified registry signatures, audited 1 packages in xxx`
	`88`	`+verified registry signatures, audited 1 package in 0s`
`89`	`89`
`90`	`90`	`
`91`	`91`
`92`	`92`	exports[`test/lib/commands/audit.js TAP audit signatures output details about missing signatures > must match snapshot 1`] = `
`93`		`-audited 1 packages in xxx`
	`93`	`+audited 1 package in 0s`
`94`	`94`
`95`	`95`	`1 package has a missing registry signature but the registry is providing signing keys:`
`96`	`96`
`@@ -112,7 +112,7 @@ Someone might have tampered with the package since it was published on the regis`
`112`	`112`	`
`113`	`113`
`114`	`114`	exports[`test/lib/commands/audit.js TAP audit signatures with colour option and invalid signatures > must match snapshot 1`] = `
`115`		`-audited 1 packages in xxx`
	`115`	`+audited 1 package in 0s`
`116`	`116`
`117`	`117`	`1 package has an [1m[31minvalid[39m[22m registry signature:`
`118`	`118`
`@@ -123,7 +123,7 @@ Someone might have tampered with the package since it was published on the regis`
`123`	`123`	`
`124`	`124`
`125`	`125`	exports[`test/lib/commands/audit.js TAP audit signatures with invalid signatures > must match snapshot 1`] = `
`126`		`-audited 1 packages in xxx`
	`126`	`+audited 1 package in 0s`
`127`	`127`
`128`	`128`	`1 package has an invalid registry signature:`
`129`	`129`
`@@ -134,7 +134,7 @@ Someone might have tampered with the package since it was published on the regis`
`134`	`134`	`
`135`	`135`
`136`	`136`	exports[`test/lib/commands/audit.js TAP audit signatures with keys but missing signature > must match snapshot 1`] = `
`137`		`-audited 1 packages in xxx`
	`137`	`+audited 1 package in 0s`
`138`	`138`
`139`	`139`	`1 package has a missing registry signature but the registry is providing signing keys`
`140`	`140`	run \`npm audit signatures --missing\` for details
`@@ -150,7 +150,17 @@ audited 2 packages in xxx`
`150`	`150`	`
`151`	`151`
`152`	`152`	exports[`test/lib/commands/audit.js TAP audit signatures with valid signatures > must match snapshot 1`] = `
`153`		`-verified registry signatures, audited 1 packages in xxx`
	`153`	`+verified registry signatures, audited 1 package in 0s`
	`154`	`+`
	`155`	+`
	`156`	`+`
	`157`	+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps and ignores local workspace deps > must match snapshot 1`] = `
	`158`	`+verified registry signatures, audited 3 packages in xxx`
	`159`	`+`
	`160`	+`
	`161`	`+`
	`162`	+exports[`test/lib/commands/audit.js TAP audit signatures workspaces verifies registry deps when filtering by workspace name > must match snapshot 1`] = `
	`163`	`+verified registry signatures, audited 2 packages in xxx`
`154`	`164`
`155`	`165`	`
`156`	`166`