| 23 | // for git, the resolved file path for local installs). Never falls back to |
| 24 | // `node.packageName` / `node.version`, which are tarball-controlled. |
// Derive the versioned policy key for an arborist `node` from a trusted
// source only:
//   - git deps: the hosted shortcut plus the committish npa reports
//   - registry deps: the name@version from getTrustedRegistryIdentity
//   - local installs: the resolved `file:` spec or absolute path
// Anything else yields `null`, so a key is never built from the
// tarball-controlled `node.packageName` / `node.version` fields.
//
// Assumes primaryResolvedSource(node) returns a string — TODO confirm; a
// non-string would throw on `.startsWith` below.
// NOTE(review): for git deps the committish is whatever npa parsed after
// `#` (possibly a branch or tag, not necessarily a commit SHA) — confirm
// callers do not treat such a key as content-pinning.
const versionedKeyFor = (node) => {
  if (!node) {
    return null
  }
  const source = primaryResolvedSource(node)

  // git dependency: key on the hosted shortcut (+ committish when present).
  if (source.startsWith('git')) {
    try {
      const spec = npa(source)
      if (!spec.hosted) {
        return null
      }
      const ref = spec.gitCommittish || spec.hosted.committish
      const shortcut = spec.hosted.shortcut({ noCommittish: true })
      return ref ? `${shortcut}#${ref}` : shortcut
    } catch {
      /* istanbul ignore next: npa already parsed this string in keyTargetsNode */
      return null
    }
  }

  // registry dependency: only a trusted identity with a version is usable.
  if (/^https?:\/\//.test(source)) {
    const identity = getTrustedRegistryIdentity(node)
    if (identity && identity.version) {
      return `${identity.name}@${identity.version}`
    }
    // The resolved URL could not be turned into a trusted version (e.g. a
    // private-registry mirror or alternate CDN URL shape). Log at silly
    // level so a silently pruned policy key is still traceable.
    const label = node.path || node.name || '<unknown>'
    log.silly(
      'allow-scripts',
      `unable to derive trusted versioned key for ${label} (resolved: ${source}); key will be pruned on next save`
    )
    return null
  }

  // local install: the resolved spec/path itself is the key.
  /* istanbul ignore next: 'file:' and '/' branches are each covered separately */
  if (source.startsWith('file:') || source.startsWith('/')) {
    return source
  }

  // No trusted source at all — refuse rather than compose a key from
  // attacker-controlled `node.packageName` / `node.version`.
  /* istanbul ignore next: callers filter out non-registry/non-file nodes before reaching this fallback */
  return null
}
| 68 | |
| 69 | // Convert an arborist Node into the spec string used for a name-only policy |
| 70 | // entry. Same trust rules as versionedKeyFor — returns `null` rather than |