mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-19 12:12:34 -04:00
The jsr: specifier parser accepted scoped names with an empty scope or name and with path separators inside the name; the malformed name was folded into the @jsr/... npm name and flowed into registry URLs and metadata cache file paths. It now throws INVALID_JSR_PACKAGE_NAME for any name rejected by npm's package-name rules. The named-registry specifier parser (e.g. gh:) had the same gap: the scoped branch only rejected a missing '/' or trailing slash, and the unscoped branch validated nothing, while the downstream pick-package validator only rejects '/' in unscoped names. The parser now validates the final package name in every branch (including alias-derived names) and throws INVALID_NAMED_REGISTRY_PACKAGE_NAME for the same shapes. Rather than hand-rolling the shape checks, both parsers delegate to the validator the repo already ships: validate-npm-package-name (validForOldPackages) in TypeScript and its existing pacquet port is_valid_old_npm_package_name. Both fixes land in the TypeScript CLI and pacquet, with matching tests. --------- Co-authored-by: JSap0914 <JSap0914@users.noreply.github.com> Co-authored-by: Zoltan Kochan <z@kochan.io>
139 lines
6.4 KiB
TOML
139 lines
6.4 KiB
TOML
# Configuration for cargo-deny (https://embarkstudios.github.io/cargo-deny/).
|
|
# The schema evolves fast; fields follow the 0.19+ format.
|
|
|
|
# --- Graph ---------------------------------------------------------------
|
|
[graph]
|
|
targets = []
|
|
all-features = false
|
|
no-default-features = false
|
|
|
|
# --- Output --------------------------------------------------------------
|
|
[output]
|
|
feature-depth = 1
|
|
|
|
# --- Advisories ----------------------------------------------------------
|
|
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
|
|
[advisories]
|
|
db-path = "~/.cargo/advisory-db"
|
|
db-urls = ["https://github.com/rustsec/advisory-db"]
|
|
# Scope for RUSTSEC unmaintained advisories.
|
|
# One of "all", "workspace", "transitive", "none".
|
|
unmaintained = "workspace"
|
|
# yanked-crates check: "deny" | "warn" | "allow"
|
|
yanked = "warn"
|
|
ignore = [
|
|
# `pgp` pulls in `rsa` to verify OpenPGP signatures made by RSA Node.js
|
|
# release keys. Pacquet only performs public-key signature verification here;
|
|
# it never handles RSA private keys, so the private-key timing side channel
|
|
# described by this advisory is not reachable through this use.
|
|
{ id = "RUSTSEC-2023-0071", reason = "Only public-key OpenPGP signature verification is performed for pinned Node.js release keys; no RSA private-key operation is exposed." },
|
|
# hickory-proto 0.25.2 is pulled in transitively through reqwest 0.13.x ->
|
|
# hickory-resolver 0.25.x. The reqwest 0.13 line has not migrated to
|
|
# hickory-proto 0.26, so `cargo update` cannot resolve either advisory; the
|
|
# only paths forward are an upstream reqwest release on hickory 0.26 or
|
|
# dropping the `hickory-dns` reqwest feature, which would regress the macOS
|
|
# `mDNSResponder` / `EAI_NONAME` workaround landed in #302. Revisit when
|
|
# reqwest moves to hickory 0.26.
|
|
#
|
|
# NSEC3 closest-encloser proof unbounded loop in `DnssecDnsHandle`. The
|
|
# vulnerable path is only linked when hickory-proto is built with the
|
|
# `dnssec-ring` or `dnssec-aws-lc-rs` Cargo feature; reqwest's `hickory-dns`
|
|
# feature does not enable either, so the affected code is unreachable in
|
|
# pacquet. The advisory itself notes "No safe upgrade is available" for the
|
|
# 0.25 line.
|
|
{ id = "RUSTSEC-2026-0118", reason = "DNSSEC validation path is not linked: reqwest's `hickory-dns` feature does not enable hickory-proto's `dnssec-ring`/`dnssec-aws-lc-rs` features, and no fix exists on the 0.25 line." },
|
|
# O(n²) name compression in `BinEncoder` during DNS message encoding.
|
|
# Reachability is bounded: the BinEncoder is only invoked when reqwest's
|
|
# `hickory-dns` resolver builds outbound DNS queries for the registry
|
|
# hostnames pacquet resolves, which originate from `.npmrc` and so can be
|
|
# attacker-influenced in an untrusted-checkout / untrusted-CI scenario. We
|
|
# accept this temporary DoS risk because no upgrade is reachable: reqwest
|
|
# 0.13.x (latest 0.13.3) is locked to `hickory-resolver` 0.25, and the fix
|
|
# ships only in `hickory-proto` 0.26.1+. Revisit when reqwest moves to
|
|
# hickory 0.26.
|
|
{ id = "RUSTSEC-2026-0119", reason = "Temporary risk acceptance: reqwest 0.13.x (latest 0.13.3) is locked to hickory-resolver 0.25 and no release consumes hickory-proto 0.26.1+ yet; revisit on reqwest upgrade." },
|
|
# quick-xml DoS advisories (quadratic duplicate-attribute check, unbounded
|
|
# namespace-declaration allocation). quick-xml is reached only through
|
|
# object_store's S3 XML response parsing in pnpr, so the XML comes from the
|
|
# operator-configured S3-compatible storage backend, not from untrusted
|
|
# clients. Both fixes ship only in quick-xml 0.41.0, which no object_store
|
|
# release can resolve yet: object_store 0.13 requires ^0.39 and 0.14
|
|
# requires ^0.40.1. Revisit when object_store consumes quick-xml 0.41+.
|
|
{ id = "RUSTSEC-2026-0194", reason = "Temporary risk acceptance: XML parsed by quick-xml comes only from the operator-configured S3 backend via object_store; no object_store release consumes the patched quick-xml 0.41 yet." },
|
|
{ id = "RUSTSEC-2026-0195", reason = "Temporary risk acceptance: XML parsed by quick-xml comes only from the operator-configured S3 backend via object_store; no object_store release consumes the patched quick-xml 0.41 yet." },
|
|
]
|
|
|
|
# --- Licenses ------------------------------------------------------------
|
|
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
|
|
[licenses]
|
|
allow = [
|
|
"MIT",
|
|
"MPL-2.0", # required by mockito, used by crates/tarball tests and tasks/micro-benchmark
|
|
"Apache-2.0",
|
|
"Unicode-3.0", # newer ICU crates switched from Unicode-DFS-2016 to this
|
|
"Unicode-DFS-2016",
|
|
"BSD-3-Clause",
|
|
"BSL-1.0",
|
|
"CDLA-Permissive-2.0", # `webpki-root-certs`, pulled in by reqwest's `rustls` feature
|
|
"ISC",
|
|
"Zlib", # required by foldhash, a transitive dep of rusqlite
|
|
]
|
|
confidence-threshold = 0.8
|
|
exceptions = [
|
|
# `pnpr` and `pnpr-fixtures` are first-party crates licensed under
|
|
# PolyForm Shield (see `pnpr/LICENSE.md`), not the MIT used by the rest
|
|
# of the workspace. cargo-deny only recognizes the PolyForm-Noncommercial
|
|
# identifier for this license text, so allow that id for just these two
|
|
# crates (the clarify entries below pin it by file hash).
|
|
{ name = "pnpr", allow = ["PolyForm-Noncommercial-1.0.0"] },
|
|
{ name = "pnpr-fixtures", allow = ["PolyForm-Noncommercial-1.0.0"] },
|
|
]
|
|
|
|
[[licenses.clarify]]
|
|
name = "pnpr"
|
|
expression = "PolyForm-Noncommercial-1.0.0"
|
|
license-files = [{ path = "../../LICENSE.md", hash = 0x652a978e }]
|
|
|
|
[[licenses.clarify]]
|
|
name = "pnpr-fixtures"
|
|
expression = "PolyForm-Noncommercial-1.0.0"
|
|
license-files = [{ path = "../../LICENSE.md", hash = 0x652a978e }]
|
|
|
|
[[licenses.clarify]]
|
|
name = "ring"
|
|
version = "*"
|
|
expression = "MIT AND ISC AND OpenSSL"
|
|
license-files = [
|
|
{ path = "LICENSE", hash = 0xbd0eed23 },
|
|
]
|
|
|
|
[licenses.private]
|
|
ignore = false
|
|
registries = []
|
|
|
|
# --- Bans ----------------------------------------------------------------
|
|
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
|
|
[bans]
|
|
multiple-versions = "warn"
|
|
wildcards = "allow"
|
|
highlight = "all"
|
|
workspace-default-features = "allow"
|
|
external-default-features = "allow"
|
|
allow = []
|
|
deny = []
|
|
skip = []
|
|
skip-tree = []
|
|
|
|
# --- Sources -------------------------------------------------------------
|
|
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
|
|
[sources]
|
|
unknown-registry = "warn"
|
|
unknown-git = "warn"
|
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
|
allow-git = []
|
|
|
|
[sources.allow-org]
|
|
github = []
|
|
gitlab = []
|
|
bitbucket = []
|