feat(depWalker): highlight packages (#584)

Update workspaces/scanner/test/depWalker.spec.ts



Update workspaces/scanner/src/types.ts

Co-authored-by: Thomas.G <gentilhomme.thomas@gmail.com>

Author: clemgbld

.changeset/upset-jokes-listen.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(deepWalker): highlight packages

workspaces/scanner/src/depWalker.ts

@@ -16,6 +16,7 @@ import type { ManifestVersion, PackageJSON, WorkspacesPackageJSON } from "@nodes
 import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
 import type Config from "@npmcli/config";
 import { fromData } from "ssri";
+import semver from "semver";
 
 // Import Internal Dependencies
 import {
@@ -136,6 +137,7 @@ export async function depWalker(
   };
 
   const dependencies: Map<string, Dependency> = new Map();
+  const highlightedPackages: Set<string> = new Set();
   const npmTreeWalker = new npm.TreeWalker({
     registry
   });
@@ -300,6 +302,10 @@ export async function depWalker(
     }
     for (const version of Object.entries(dependency.versions)) {
       const [verStr, verDescriptor] = version as [string, DependencyVersion];
+      const range = options.highlight?.packages?.[packageName];
+      if (range && semver.satisfies(verStr, range)) {
+        highlightedPackages.add(`${packageName}@${verStr}`);
+      }
       verDescriptor.flags.push(
         ...addMissingVersionFlags(new Set(verDescriptor.flags), dependency)
       );
@@ -338,7 +344,8 @@ export async function depWalker(
     );
     payload.warnings = globalWarnings.concat(dependencyConfusionWarnings as GlobalWarning[]).concat(warnings);
     payload.highlighted = {
-      contacts: illuminated
+      contacts: illuminated,
+      packages: [...highlightedPackages]
     };
     payload.dependencies = Object.fromEntries(dependencies);
     payload.metadata.executionTime = Date.now() - startedAt;

workspaces/scanner/src/types.ts

@@ -198,6 +198,7 @@ export interface Payload {
   warnings: GlobalWarning[];
   highlighted: {
     contacts: IlluminatedContact[];
+    packages: string[];
   };
   /** All the dependencies of the package (flattened) */
   dependencies: Dependencies;
@@ -218,6 +219,10 @@ export interface Payload {
   };
 }
 
+export type SemverRange = string | "*";
+
+export type HighlightPackages = Record<string, SemverRange>;
+
 export interface Options {
   /**
    * Maximum tree depth
@@ -253,6 +258,7 @@ export interface Options {
 
   highlight?: {
     contacts: Contact[];
+    packages?: HighlightPackages;
   };
 
   /**

workspaces/scanner/test/depWalker.spec.ts

@@ -47,6 +47,11 @@ const pkgTypoSquatting = JSON.parse(readFileSync(
   "utf8"
 ));
 
+const pkgHighlightedPackages = JSON.parse(readFileSync(
+  path.join(kFixturePath, "highlighted-packages.json"),
+  "utf8"
+));
+
 function cleanupPayload(payload: Payload) {
   for (const pkg of Object.values(payload)) {
     const versions = Object.values(
@@ -221,6 +226,36 @@ test("execute depWalker on typo-squatting (with no location)", async(test) => {
   ]);
 });
 
+test("should highlight the given packages", async() => {
+  const { logger } = errorLogger();
+  test.after(() => logger.removeAllListeners());
+
+  const hightlightPackages = {
+    "zen-observable": "0.8.14 || 0.8.15",
+    nanoid: "*"
+  };
+
+  const result = await depWalker(
+    pkgHighlightedPackages,
+    structuredClone({
+      ...kDefaultWalkerOptions,
+      highlight: {
+        packages: hightlightPackages,
+        contacts: []
+      }
+    }),
+    logger
+  );
+
+  assert.deepStrictEqual(
+    result.highlighted.packages.sort(),
+    [
+      "nanoid@5.1.6",
+      "zen-observable@0.8.15"
+    ]
+  );
+});
+
 test("fetch payload of pacote on the npm registry", async() => {
   const result = await from(
     "pacote",

workspaces/scanner/test/fixtures/depWalker/highlighted-packages.json

@@ -0,0 +1,12 @@
+{
+  "name": "highlighted-packages",
+  "version": "0.1.0",
+  "description": "Mock package with dependency versions",
+  "main": "index.js",
+  "homepage": "https://github.com/username/highlighted-packages#readme",
+  "dependencies": {
+    "zen-observable": "0.8.15",
+    "nanoid": "5.1.6",
+    "nanoevents": "9.1.0"
+  }
+}