refactor(cli/extract.integrity): compare object if integrity is not matching (#544)

Author: fraxken

bin/index.js

@@ -131,7 +131,6 @@ prog
 prog
   .command("extract integrity [spec]")
   .describe(i18n.getTokenSync("cli.commands.extractIntegrity.desc"))
-  .option("-t, --token", i18n.getTokenSync("cli.commands.extractIntegrity.option_token"))
   .action(commands.extractIntegrity.main);
 
 prog.parse(process.argv);

docs/cli/extract-integrity.md

@@ -10,6 +10,4 @@ $ nsecure extract integrity [spec]
 
 ## ⚙️ Available Options
 
-| Name | Shortcut | Default Value | Description |
-|---|---|---|---|
-| `--token` | `-t` | undefined | NPM token. |
+NONE

i18n/english.js

@@ -78,8 +78,7 @@ const cli = {
       cleared: "Cache cleared successfully!"
     },
     extractIntegrity: {
-      desc: "Extract the integrity of a package from its manifest and tarball and compare the two integrities if different from one another.",
-      option_token: "NPM token"
+      desc: "Extract the integrity of a package from its manifest and tarball and compare the two integrities if different from one another."
     }
   },
   startHttp: {

i18n/french.js

@@ -78,8 +78,7 @@ const cli = {
       cleared: "Cache nettoyé avec succès !"
     },
     extractIntegrity: {
-      desc: "Extraire l'intégrité d'un paquet à partir de son manifeste et du tarball et comparer les deux intégrités si elles sont différentes.",
-      option_token: "Jeton NPM"
+      desc: "Extraire l'intégrité d'un paquet à partir de son manifeste et du tarball et comparer les deux intégrités si elles sont différentes."
     }
   },
   startHttp: {

package.json

@@ -91,14 +91,14 @@
     "@lit/task": "^1.0.3",
     "@nodesecure/documentation-ui": "^1.3.0",
     "@nodesecure/flags": "^3.0.3",
-    "@nodesecure/i18n": "^4.0.1",
+    "@nodesecure/i18n": "^4.0.2",
     "@nodesecure/js-x-ray": "^9.2.0",
     "@nodesecure/licenses-conformance": "^2.1.0",
     "@nodesecure/npm-registry-sdk": "^3.0.0",
     "@nodesecure/ossf-scorecard-sdk": "^3.2.1",
     "@nodesecure/rc": "^5.0.0",
     "@nodesecure/report": "^3.0.0",
-    "@nodesecure/scanner": "^6.9.0",
+    "@nodesecure/scanner": "^6.12.0",
     "@nodesecure/utils": "^2.2.0",
     "@nodesecure/vulnera": "^2.0.1",
     "@openally/result": "^1.3.0",
@@ -109,12 +109,12 @@
     "@topcli/spinner": "^3.0.0",
     "cacache": "^19.0.1",
     "chokidar": "^4.0.3",
-    "diff": "^8.0.2",
     "dotenv": "^17.0.0",
     "filenamify": "^6.0.0",
     "glob": "^11.0.1",
     "highlightjs-line-numbers.js": "^2.8.0",
     "ini": "^5.0.0",
+    "json-diff-ts": "^4.8.1",
     "kleur": "^4.1.5",
     "lit": "^3.3.1",
     "ms": "^2.1.3",

src/commands/extract-integrity.js

@@ -1,37 +1,58 @@
+// Import Node.js Dependencies
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+
 // Import Third-party Dependencies
-import kleur from "kleur";
-import { diffChars } from "diff";
-import { packumentVersion } from "@nodesecure/npm-registry-sdk";
+import * as npmRegistrySDK from "@nodesecure/npm-registry-sdk";
+import { diff } from "json-diff-ts";
 import { tarball } from "@nodesecure/scanner";
+import {
+  parseNpmSpec,
+  packageJSONIntegrityHash
+} from "@nodesecure/mama";
 
-export async function main(spec, options) {
-  const [pkgName, pkgVersion] = spec.split("@");
-  const { dist: { tarball: location, shasum: manifestIntegrity } } = await packumentVersion(pkgName, pkgVersion, {
-    token: options.token
-  });
-  const manifestManager = await tarball.extractAndResolve(location, {
-    spec
-  });
-  const tarballIntegrity = manifestManager.integrity;
-  if (manifestIntegrity === tarballIntegrity) {
-    console.log(`integrity: ${manifestIntegrity}`);
-
-    return;
+export async function main(
+  npmPackageSpec
+) {
+  const parsedPackageSpec = parseNpmSpec(npmPackageSpec);
+  if (!parsedPackageSpec) {
+    throw new Error(`Invalid npm spec: ${npmPackageSpec}`);
   }
 
-  console.log(`manifest integrity: ${manifestIntegrity}`);
-  console.log(`tarball integrity: ${tarballIntegrity}`);
-  process.stdout.write("integrity diff: ");
-  for (const { added, removed, value } of diffChars(manifestIntegrity, tarballIntegrity)) {
-    if (added) {
-      process.stdout.write(kleur.green().bold(`+${value}`));
-    }
-    else if (removed) {
-      process.stdout.write(kleur.red().bold(`-${value}`));
+  const packumentVersion = await npmRegistrySDK.packumentVersion(
+    parsedPackageSpec.name,
+    parsedPackageSpec.semver,
+    {
+      token: process.env.NODE_SECURE_TOKEN
     }
-    else {
-      process.stdout.write(value);
+  );
+  const remote = packageJSONIntegrityHash(
+    packumentVersion,
+    { isFromRemoteRegistry: true }
+  );
+
+  const extractionDirectory = await fs.mkdtemp(
+    path.join(os.tmpdir(), "nodesecure-tarball-integrity-")
+  );
+
+  try {
+    const mama = await tarball.extractAndResolve(extractionDirectory, {
+      spec: npmPackageSpec
+    });
+    const local = packageJSONIntegrityHash(mama.document);
+
+    if (local.integrity === remote.integrity) {
+      console.log("no integrity diff found");
+
+      return;
     }
+
+    const diffs = diff(local.object, remote.object);
+    console.log("integrity diff found:");
+    console.log(JSON.stringify(diffs, null, 2));
+  }
+  finally {
+    await fs.rm(extractionDirectory, { recursive: true, force: true });
   }
-  console.log("\n");
 }