feat: add INVALID_REPOSITORY_VALUE rule #106

Namchee · 2024-08-06T14:55:40Z

Overview

Closes #97

This pull request adds new rule INVALID_REPOSITORY_VALUE that checks the validity of repository field in package.json.

How It Works

According to the specification, repository may be a string that represents a remote URL or an object with the following schema:

{
  "type": string;
  "url": string;
  "directory": string;
}

This rule will check whether the repository field is defined or not. If it's defined, the rule will perform regex matching if the value is a string or check both the url and directory property if it's an object.

Caveats

Currently, the URL regex doesn't support any remote URL other than GitHub.
type is not checked at the moment since the specification for that property is scarce.

pkg/src/index.js

pkg/src/message.js

pkg/src/index.js

bluwy · 2024-08-07T07:36:03Z

According to the specification, repository may be a string that represents a remote URL or an object with the following schema:

According to https://docs.npmjs.com/cli/v10/configuring-npm/package-json#repository, I'm not sure a remote URL string would work? At least when you run npm publish --dry-run, npm will try to convert it as an object instead

Namchee · 2024-08-07T13:19:12Z

According to the specification, repository may be a string that represents a remote URL or an object with the following schema:

According to https://docs.npmjs.com/cli/v10/configuring-npm/package-json#repository, I'm not sure a remote URL string would work? At least when you run npm publish --dry-run, npm will try to convert it as an object instead

Weird, it's used to work without a hitch (perhaps they enforced in it the newer version). Anyway, I'll put a suggestion to use object if the value is a string.

bluwy · 2024-08-12T13:19:06Z

Don't worry about the lint fail, I'm currently tweaking the changes locally and will push some fixes soon

bluwy · 2024-08-12T16:46:06Z

I've pushed some commits that:

Added docs
Simplified tests slightly
Updated how rules are reported and their messages

I think it should preserved the existing checks you did. Great addition for the git:// check and the shorthand regex check too. I still need to process the git url regex, but other than that I think it looks good to me now.

I'd appreciate if you can check the changes I made and if it works for you too.

Namchee · 2024-08-13T03:42:03Z

Thanks for taking your time on refactoring this PR! It looks much cleaner than I had expected, no issues from me.

As for the regex, I used these cases for testing, let me know if we missed something:

[email protected]:user/project.git
https://github.com/user/project.git
http://github.com/user/project.git
[email protected]:user/project.git
https://192.168.101.127/user/project.git
http://192.168.101.127/user/project.git
ssh://[email protected]:port/path/to/repo.git/
ssh://[email protected]/path/to/repo.git/
ssh://host.xz:1234/path/to/repo.git/
ssh://host.xz/path/to/repo.git/
ssh://[email protected]/path/to/repo.git/
ssh://host.xz/path/to/repo.git/
ssh://[email protected]/~user/path/to/repo.git/
ssh://host.xz/~user/path/to/repo.git/
ssh://[email protected]/~/path/to/repo.git
ssh://host.xz/~/path/to/repo.git
git://host.xz/path/to/repo.git/
git://host.xz/~user/path/to/repo.git/
http://host.xz/path/to/repo.git/
https://host.xz/path/to/repo.git/
git+https://github.com/user/repo.git
user@server:project.git
/path/to/repo.git/
path/to/repo.git/
~/path/to/repo.git
file:///path/to/repo.git/
file://~/path/to/repo.git/
host.xz:/path/to/repo.git/

Or you can play around on Debuggex (please enable multiline flag)

bluwy · 2024-08-13T04:52:01Z

Awesome. I pushed a commit that added some test for the utilities. Thanks for the debuggex link, IIUC the current regex doesn't seem to match all the valid git urls? I think that's fine as some valid git urls doesn't work for npm (example, edit, seems like ssh has a specific format (example)), but some valid ones aren't captured by the regex either it seems (example). Here's the github search I used to find these packages:

Maybe we should have this set of URLs to be matched by the regex only, a valid git URL that's also valid for npm. What do you think?

https://host.xz/path/to/repo.git/
http://host.xz/path/to/repo.git/
https://host.xz/path/to/repo.git
http://host.xz/path/to/repo.git
git+https://host.xz/path/to/repo.git
git+https://host.xz/path/to/repo
https://host.xz/path/to/repo.git
git+ssh://[email protected]/path/to/repo.git
git+ssh://[email protected]/path/to/repo
git://host.xz/path/to/repo.git
git://host.xz/path/to/repo

(Leaving out raw IP address and port as they're a bit fishy if used, but don't mind if the final regex can capture them either)

EDIT: I also found this fixture: https://github.com/npm/cli/blob/4e81a6a4106e4e125b0eefda042b75cfae0a5f23/test/lib/commands/repo.js#L115

bluwy · 2024-08-13T05:01:06Z

I also found https://github.com/npm/hosted-git-info, maybe we should simply use that 🤔

bluwy · 2024-08-13T09:36:56Z

I pushed a commit that updates the git URL regex so that while they may be valid git URLs per spec, they would also work for npm. The new regex also expands on the valid regexes that would previously be incorrectly marked some as invalid (e.g. ssh urls). I think this is good enough for now and I'm ready to not spend anymore time researching npm quirks 😅

Let me know if you have any more thoughts on this, otherwise I'll cut a release for this tonight.

Namchee · 2024-08-13T12:45:12Z

Personally, I would prefer if we can utilize hosted-git-info instead of trying to figure out the RegExp ourselves since the 'parser' is actually available.

Moreover, the RegExp seems to be unable to handle these cases correctly, hence strengthen the argument of using hosted-git-info instead.

I can work on this if you want

bluwy · 2024-08-13T15:08:37Z

Actually I forgot to comment about hosted-git-info. I tried to use it but the API feels awkward to use for our checks, for example (but I could be wrong), if repository is a string, we can't only validate that it's a valid shorthand. It'll treat http URLs as valid too. We also need to handle the github/gitlab suggestion ourselves because the package will autofix it.

It's probably easier to stick with the regex since these changes don't happen often, but if there's a neat way to reuse hosted-git-info without sacrificing the checks, that would be nice too.

Also, ssh://example.com:funny-port/repo is a valid name. For GitHub the funny-port is the username and it works on npm somehow.

Namchee · 2024-08-14T13:04:41Z

Well that sucks. Seems like the library is doing too much. At this point, I think it's better to resolve this and re-visit it later when someone created an issue here about the URL 😅. I swear npm has too many funny quirks.

bluwy · 2024-08-15T07:19:34Z

👍 Let's get this in first then. I just double checked how this change affects the popular packages listed on the site, and it seems to flag a lot of them with warnings. And strangely all those that we flagged still works on npm and displays the repository field properly. For now I'll mark ~~all~~ some of them as suggestions to prevent getting bashed and we can re-evaluate it again 😅

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [publint](https://publint.dev) ([source](https://togithub.com/bluwy/publint/tree/HEAD/pkg)) | [`0.2.8` -> `0.2.10`](https://renovatebot.com/diffs/npm/publint/0.2.8/0.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/publint/0.2.8/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/publint/0.2.8/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>bluwy/publint (publint)</summary> ### [`v0.2.10`](https://togithub.com/bluwy/publint/releases/tag/v0.2.10) [Compare Source](https://togithub.com/bluwy/publint/compare/v0.2.9...v0.2.10) ##### Features - Adds a new rule that validates the `"repository"` field ([https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106)) - If `"repository"` is a string, it must be one of the supported shorthand strings from the docs. - If `"repository"` is an object with `"type": "git"`, the `"url"` must be a valid [git URL](https://git-scm.com/docs/git-clone#\_git_urls) and can be [parsed by npm](https://togithub.com/npm/hosted-git-info). - The `git://` protocol for GitHub repos should not be used due [security concerns](https://github.blog/security/application-security/improving-git-protocol-security-github/). - GitHub or GitLab links should be prefixed with `git+` and postfixed with `.git`. (This is also warned by npm when publishing a package). #### New Contributors - [@Namchee](https://togithub.com/Namchee) made their first contribution in [https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106) **Full Changelog**: bluwy/publint@v0.2.9...v0.2.10 ### [`v0.2.9`](https://togithub.com/bluwy/publint/releases/tag/v0.2.9) [Compare Source](https://togithub.com/bluwy/publint/compare/v0.2.8...v0.2.9) ##### Bug fixes - Update message when no type field is present by [@benmccann](https://togithub.com/benmccann) ([https://github.com/bluwy/publint/pull/104](https://togithub.com/bluwy/publint/pull/104)) ##### New Contributors - [@benmccann](https://togithub.com/benmccann) made their first contribution in [https://github.com/bluwy/publint/pull/104](https://togithub.com/bluwy/publint/pull/104) **Full Changelog**: bluwy/publint@v0.2.8...v0.2.9 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/netlify/functions).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [publint](https://publint.dev) ([source](https://togithub.com/bluwy/publint/tree/HEAD/pkg)) | [`0.2.9` -> `0.2.10`](https://renovatebot.com/diffs/npm/publint/0.2.9/0.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/publint/0.2.9/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/publint/0.2.9/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>bluwy/publint (publint)</summary> ### [`v0.2.10`](https://togithub.com/bluwy/publint/releases/tag/v0.2.10) [Compare Source](https://togithub.com/bluwy/publint/compare/v0.2.9...v0.2.10) ##### Features - Adds a new rule that validates the `"repository"` field ([https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106)) - If `"repository"` is a string, it must be one of the supported shorthand strings from the docs. - If `"repository"` is an object with `"type": "git"`, the `"url"` must be a valid [git URL](https://git-scm.com/docs/git-clone#\_git_urls) and can be [parsed by npm](https://togithub.com/npm/hosted-git-info). - The `git://` protocol for GitHub repos should not be used due [security concerns](https://github.blog/security/application-security/improving-git-protocol-security-github/). - GitHub or GitLab links should be prefixed with `git+` and postfixed with `.git`. (This is also warned by npm when publishing a package). #### New Contributors - [@Namchee](https://togithub.com/Namchee) made their first contribution in [https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106) **Full Changelog**: bluwy/publint@v0.2.9...v0.2.10 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/redwoodjs/redwood).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [publint](https://publint.dev) ([source](https://togithub.com/bluwy/publint/tree/HEAD/pkg)) | [`^0.2.9` -> `^0.2.10`](https://renovatebot.com/diffs/npm/publint/0.2.9/0.2.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/publint/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/publint/0.2.9/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/publint/0.2.9/0.2.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>bluwy/publint (publint)</summary> ### [`v0.2.10`](https://togithub.com/bluwy/publint/releases/tag/v0.2.10) [Compare Source](https://togithub.com/bluwy/publint/compare/v0.2.9...v0.2.10) ##### Features - Adds a new rule that validates the `"repository"` field ([https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106)) - If `"repository"` is a string, it must be one of the supported shorthand strings from the docs. - If `"repository"` is an object with `"type": "git"`, the `"url"` must be a valid [git URL](https://git-scm.com/docs/git-clone#\_git_urls) and can be [parsed by npm](https://togithub.com/npm/hosted-git-info). - The `git://` protocol for GitHub repos should not be used due [security concerns](https://github.blog/security/application-security/improving-git-protocol-security-github/). - GitHub or GitLab links should be prefixed with `git+` and postfixed with `.git`. (This is also warned by npm when publishing a package). #### New Contributors - [@Namchee](https://togithub.com/Namchee) made their first contribution in [https://github.com/bluwy/publint/pull/106](https://togithub.com/bluwy/publint/pull/106) **Full Changelog**: bluwy/publint@v0.2.9...v0.2.10 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/dubzzz/fast-check).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

feat: add INVALID_REPOSITORY_VALUE rule

2b38596

bluwy reviewed Aug 7, 2024

View reviewed changes

pkg/src/index.js Outdated Show resolved Hide resolved

pkg/src/message.js Outdated Show resolved Hide resolved

pkg/src/index.js Outdated Show resolved Hide resolved

feat: implement INVALID_REPOSITORY_VALUE on site

6e3b040

Namchee added 6 commits August 7, 2024 21:39

feat: improve regex to be more generic

91bf8bb

fix: replace rootPkgPath with pkgDir as intended

d9773aa

fix: only check for URL if type is .git

039c505

fix: revise code based on review

2814291

feat: include message handler on site

6de6925

test: add more test for repository rule

d859f09

Namchee requested a review from bluwy August 10, 2024 04:06

feat: add git:// deprecation check for GitHub URLs

67df037

bluwy added 5 commits August 12, 2024 21:19

chore: remove unused fields

0c4d4e9

style: format

773cb51

refactor: update rule and message

f687cd6

docs: add rule docs

d7fa64d

chore: simplify test

cb4ee83

chore: add test

d170d67

bluwy added 3 commits August 13, 2024 17:22

fix: update git url regex

b413c1d

chore: note one case

9f9408a

docs: update

bafb639

chore: update level

6af7d02

bluwy approved these changes Aug 15, 2024

View reviewed changes

chore: my bad

a6d505b

bluwy merged commit a94f663 into bluwy:master Aug 15, 2024
2 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add INVALID_REPOSITORY_VALUE rule #106

feat: add INVALID_REPOSITORY_VALUE rule #106

Namchee commented Aug 6, 2024

bluwy commented Aug 7, 2024

Namchee commented Aug 7, 2024 •

edited

Loading

bluwy commented Aug 12, 2024

bluwy commented Aug 12, 2024

Namchee commented Aug 13, 2024

bluwy commented Aug 13, 2024 •

edited

Loading

bluwy commented Aug 13, 2024

bluwy commented Aug 13, 2024

Namchee commented Aug 13, 2024 •

edited

Loading

bluwy commented Aug 13, 2024

Namchee commented Aug 14, 2024

bluwy commented Aug 15, 2024 •

edited

Loading

feat: add INVALID_REPOSITORY_VALUE rule #106

feat: add INVALID_REPOSITORY_VALUE rule #106

Conversation

Namchee commented Aug 6, 2024

Overview

How It Works

Caveats

bluwy commented Aug 7, 2024

Namchee commented Aug 7, 2024 • edited Loading

bluwy commented Aug 12, 2024

bluwy commented Aug 12, 2024

Namchee commented Aug 13, 2024

bluwy commented Aug 13, 2024 • edited Loading

bluwy commented Aug 13, 2024

bluwy commented Aug 13, 2024

Namchee commented Aug 13, 2024 • edited Loading

bluwy commented Aug 13, 2024

Namchee commented Aug 14, 2024

bluwy commented Aug 15, 2024 • edited Loading

Namchee commented Aug 7, 2024 •

edited

Loading

bluwy commented Aug 13, 2024 •

edited

Loading

Namchee commented Aug 13, 2024 •

edited

Loading

bluwy commented Aug 15, 2024 •

edited

Loading