mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-05-13 19:16:21 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
dcc171a948aa0eb00a84d1007782d3e8d48ebf13
pnpm/resolving/npm-resolver/test/trustChecks.test.ts
Zoltan Kochan 187049055f chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2 (#11332) 
* chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2

- Add explicit `types: ["node"]` to the shared tsconfig because tsgo
  20260421 no longer auto-acquires `@types/*` from `node_modules`.
- Refactor test files to explicitly import jest globals (`describe`,
  `it`, `test`, `expect`, `beforeEach`, etc.) from `@jest/globals`
  instead of relying on `@types/jest` ambient declarations. Under the
  new tsgo build, `import { jest } from '@jest/globals'` shadows the
  ambient `jest` namespace, breaking `@types/jest`'s `declare var
  describe: jest.Describe;` globals.
- Add `@jest/globals` to each package's devDependencies where tests
  now import from it, and add `@types/node` to packages that need it
  but were relying on hoisted resolution.
- Replace `fail()` calls with `throw new Error(...)` since `fail` is
  no longer globally available.

* chore: fix remaining tsgo type-strictness errors

- Strip `as <PnpmType>` casts on objects passed to toMatchObject /
  toStrictEqual / toEqual; @jest/globals rejects the typed objects
  (which include AsymmetricMatchers) vs. the repo-specific type.
- Type `jest.fn<...>()` explicitly where the mock's signature matters
  for toHaveBeenCalledWith.
- Replace `beforeEach(() => X)` with `beforeEach(() => { X })` so the
  return value is void, as the stricter jest typing requires.
- Use `expect.objectContaining({...})` in one place where the full
  expected object triggered stricter type resolution.
- Cast `prompt.mock.calls` arg through `as unknown as Record<...>[]`
  for patch.test.ts's nested-array matchers.
- Fix off-by-one `<reference path>` in pnpm/test/getConfig.test.ts
  that only surfaced now.
- Move `@jest/globals` from devDependencies to dependencies in the
  two `__utils__` packages that import it from `src/`.
- Clean up unused imports from the @jest/globals migration.

* chore: address Copilot review on #11332

- Move misplaced `@jest/globals` imports to the top import block in
  checkEngine, run.ts, and workspace/root-finder tests where the
  script dropped them below executable code.
- Replace `try { await x(); throw new Error('should have thrown') } catch`
  in bins/linker, lockfile/fs, and resolving/local-resolver tests with
  `await expect(x()).rejects.toMatchObject({...})`. The old pattern
  swallowed an unrelated `throw` if the under-test call silently
  succeeded, which would fail on the catch-block assertion with a
  misleading message.
2026-04-21 22:50:40 +02:00

638 lines
17 KiB
TypeScript
Raw Blame History

import { describe, expect, test } from '@jest/globals'
import { createPackageVersionPolicy } from '@pnpm/config.version-policy'
import type { PackageInRegistry, PackageMetaWithTime } from '@pnpm/resolving.registry.types'
import { failIfTrustDowngraded, getTrustEvidence } from '../src/trustChecks.js'
describe('getTrustEvidence', () => {
test('returns "trustedPublisher" when _npmUser.trustedPublisher exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBe('trustedPublisher')
})
test('returns "trustedPublisher" even when attestations.provenance exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
}
expect(getTrustEvidence(manifest)).toBe('trustedPublisher')
})
test('returns true when provenance exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
}
expect(getTrustEvidence(manifest)).toBe('provenance')
})
test('returns undefined when provenance and attestations are undefined', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBeUndefined()
})
test('returns undefined when _npmUser exists but trustedPublisher is undefined', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-user',
email: 'user@example.com',
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBeUndefined()
})
})
describe('failIfTrustDowngraded', () => {
test('succeeds when no versions have attestation', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0')
}).not.toThrow()
})
test('succeeds for version published before first attested version', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '1.0.0')
}).not.toThrow()
})
test('throws an error when downgrading from provenance to none', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('does not throw an error when only prerelease versions had provenance', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0-0': {
name: 'foo',
version: '2.0.0-0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0-0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0-0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).not.toThrow()
})
test('throws an error when downgrading from trustedPublisher to provenance', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('throws an error when downgrading from trustedPublisher to none', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('succeeds when maintaining same trust level', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).not.toThrow()
})
test('throws an error when version time is missing', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0')
}).toThrow('Missing time')
})
})
describe('failIfTrustDowngraded with trustPolicyExclude', () => {
test('allows downgrade when package@version is in exclude list', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyExclude: createPackageVersionPolicy(['foo@3.0.0']) })
}).not.toThrow()
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('allows downgrade when package name is in exclude list (all versions)', () => {
const meta: PackageMetaWithTime = {
name: 'bar',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'bar',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/bar/-/bar-2.0.0.tgz',
},
},
'3.0.0': {
name: 'bar',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/bar/-/bar-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyExclude: createPackageVersionPolicy(['bar']) })
}).not.toThrow()
})
test('does not fail with ERR_PNPM_MISSING_TIME when package@version is excluded and time field is missing', () => {
const meta = {
name: 'baz',
'dist-tags': { latest: '1.0.0' },
versions: {
'1.0.0': {
name: 'baz',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/baz/-/baz-1.0.0.tgz',
},
},
},
// Note: no 'time' field
}
expect(() => {
failIfTrustDowngraded(meta, '1.0.0', { trustPolicyExclude: createPackageVersionPolicy(['baz@1.0.0']) })
}).not.toThrow()
})
test('does not fail with ERR_PNPM_MISSING_TIME when package name is excluded and time field is missing', () => {
const meta = {
name: 'qux',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'qux',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/qux/-/qux-1.0.0.tgz',
},
},
'2.0.0': {
name: 'qux',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/qux/-/qux-2.0.0.tgz',
},
},
},
// Note: no 'time' field
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0', { trustPolicyExclude: createPackageVersionPolicy(['qux']) })
}).not.toThrow()
})
})
describe('failIfTrustDowngraded with trustPolicyIgnoreAfter', () => {
test('allows downgrade when version is older than ignoreAfter threshold', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyIgnoreAfter: 60 * 24 * 30 }) // 30 days
}).not.toThrow()
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
})
Reference in New Issue View Git Blame Copy Permalink