// for git, the resolved file path for local installs). Never falls back to
// `node.packageName` / `node.version`, which are tarball-controlled.
const versionedKeyFor = (node) => {
  if (!node) {
    return null
  }
  const resolved = primaryResolvedSource(node)

  // Git sources: key on the hosted shortcut, pinned to the committish when
  // one is present. A git source that npa does not recognise as hosted has
  // no usable identity here and yields null.
  if (resolved.startsWith('git')) {
    let hostedKey = null
    try {
      const { hosted, gitCommittish } = npa(resolved)
      if (hosted) {
        const ref = gitCommittish || hosted.committish
        const shortcut = hosted.shortcut({ noCommittish: true })
        hostedKey = ref ? `${shortcut}#${ref}` : shortcut
      }
    } catch {
      /* istanbul ignore next: npa already parsed this string in keyTargetsNode */
      hostedKey = null
    }
    return hostedKey
  }

  // Registry sources: only the trusted registry identity may supply the
  // name/version pair that forms the key.
  if (/^https?:\/\//.test(resolved)) {
    const identity = getTrustedRegistryIdentity(node)
    if (identity?.version) {
      return `${identity.name}@${identity.version}`
    }
    // versionFromTgz could not parse the resolved URL (private-registry
    // mirror, alternate CDN URL shape). Log it so a silently pruned policy
    // key is noticeable rather than mysterious.
    const label = node.path || node.name || '<unknown>'
    log.silly(
      'allow-scripts',
      `unable to derive trusted versioned key for ${label} ` +
        `(resolved: ${resolved}); key will be pruned on next save`
    )
    return null
  }

  // Local sources: the resolved path is itself the key.
  /* istanbul ignore next: 'file:' and '/' branches are each covered separately */
  if (['file:', '/'].some((prefix) => resolved.startsWith(prefix))) {
    return resolved
  }

  // Anything else has no trusted source; never compose a key from the
  // tarball-controlled `node.packageName` / `node.version`.
  /* istanbul ignore next: callers filter out non-registry/non-file nodes before reaching this fallback */
  return null
}
68
// Convert an arborist Node into the spec string used for a name-only policy
// entry. Same trust rules as versionedKeyFor — returns `null` rather than
