From ca92a3077d05a896f31e2dea1a5a229c6f996eac Mon Sep 17 00:00:00 2001 From: Christian Duerr Date: Tue, 10 Dec 2024 21:35:35 +0100 Subject: [PATCH 1/2] Add artifact repository docs for pnpm and yarn --- docs/artifact_repositories/npm.md | 65 ++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 2 deletions(-) diff --git a/docs/artifact_repositories/npm.md b/docs/artifact_repositories/npm.md index 42a24353..0874844c 100644 --- a/docs/artifact_repositories/npm.md +++ b/docs/artifact_repositories/npm.md @@ -24,9 +24,9 @@ authentication details. [API Keys documentation]: ../knowledge_base/api-keys.md#generate-an-api-key [policy]: ../knowledge_base/policy.md -### `npm` +### `npm` and `pnpm` -Custom NPM registries can be configured with `npm`: +Both `npm` and `pnpm` allow setting custom NPM registries using `npm`: ```sh npm config set replace-registry-host never 
@@ -58,5 +58,66 @@ npm error notarget In most cases you or one of your dependencies are requesting npm error notarget a package version that doesn't exist. ``` +If you're using `pnpm`, the output will look like this: + +```text + ERR_PNPM_NO_VERSIONS  No versions available for malicious. The package may be unpublished. + +This error happened while installing a direct dependency of /tmp/testing +``` + If a version range is accepted by the manifest, the package manager will automatically attempt to use a version that passes Phylum's policy. + +### `yarn` + +Custom NPM registries can be configured with `yarn`: + +```sh +yarn config set -H npmRegistryServer "https://npm.phylum.io/" +yarn config set -H npmAuthIdent "/" +yarn config set -H npmAlwaysAuth true +``` + +> ⚠️ **WARNING** ⚠️ +> +> Do not accidentally save your token into your shell history. + +A blocked package will show up in `yarn` output as missing: + +```text +➤ YN0027: malicious@unknown can't be resolved to a satisfying range +➤ YN0001: TypeError: Cannot read properties of undefined (reading 'dist') + at Fv.getCandidates (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:688:7154) + at process.processTicksAndRejections (node:internal/process/task_queues:105:5) + at async Pg.getCandidates (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:141:1271) + at async uH (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:9441) + at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:8776 + at async C (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:7127) + at async T2 (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:8456) + at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:402:531 + at async Promise.all (index 0) + at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:402:488 + +➤ Errors happened when preparing the environment required to run this command. + +TODO: OR MAYBE THIS? 
+ +➤ YN0027: malicious@unknown can't be resolved to a satisfying range +➤ YN0035: Package not found +➤ YN0035: Response Code: 404 (Not Found) +➤ YN0035: Request Method: GET +➤ YN0035: Request URL: https://npm.phylum.io/malicious + +➤ Errors happened when preparing the environment required to run this command. +``` + +Alternatively, if only a specific version is affected: + +```text +➤ YN0000: · Yarn 4.5.3 +➤ YN0000: ┌ Resolution step +➤ YN0082: │ malicious@npm:1.0.0: No candidates found +➤ YN0000: └ Completed in 4s 398ms +➤ YN0000: · Failed with errors in 4s 405ms +``` From 0ede7e97becc675d64d0a782ba3cfb8d60d547a1 Mon Sep 17 00:00:00 2001 From: Christian Duerr Date: Tue, 10 Dec 2024 22:51:39 +0100 Subject: [PATCH 2/2] Keep existing yarn output --- docs/artifact_repositories/npm.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/artifact_repositories/npm.md b/docs/artifact_repositories/npm.md index 0874844c..f932a580 100644 --- a/docs/artifact_repositories/npm.md +++ b/docs/artifact_repositories/npm.md @@ -99,16 +99,6 @@ A blocked package will show up in `yarn` output as missing: at async Promise.all (index 0) at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:402:488 -➤ Errors happened when preparing the environment required to run this command. - -TODO: OR MAYBE THIS? - -➤ YN0027: malicious@unknown can't be resolved to a satisfying range -➤ YN0035: Package not found -➤ YN0035: Response Code: 404 (Not Found) -➤ YN0035: Request Method: GET -➤ YN0035: Request URL: https://npm.phylum.io/malicious - ➤ Errors happened when preparing the environment required to run this command. ```
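Review bot: in the first hunk of patch 1 (`@@ -24,9 +24,9 @@`), the sentence "Both `npm` and `pnpm` allow setting custom NPM registries using `npm`:" is ambiguous, since it reads as if `pnpm` is configured by running `npm`. State the reason the same commands apply, i.e. that `pnpm` reads the same `.npmrc` that `npm config set` writes, for example: "Both `npm` and `pnpm` read the registry settings from `.npmrc`, which can be written with `npm config set`:". That also tells a reader with a project-level `.npmrc` where to look if the `replace-registry-host never` and registry settings below do not take effect.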
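Review bot: the second hunk of patch 1 (`@@ -58,5 +58,66 @@`) ships a `TODO: OR MAYBE THIS?` marker and two alternative `yarn` outputs inside one `text` block, so the rendered docs would show an unresolved draft; pick one expected output before merging (patch 2 in this series drops the 404 variant). In the same hunk, `yarn config set -H npmAuthIdent "/"` presents `"/"` as a literal value; say explicitly that it is a placeholder and what goes on each side of the slash, pointing at the `[API Keys documentation]` link already at the top of the file, otherwise the warning about shell history has nothing concrete to attach to.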
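Review bot: the hunk in patch 2 (`@@ -99,16 +99,6 @@`) removes the draft marker and the 404 variant, but the surviving context lines still show a `TypeError: Cannot read properties of undefined (reading 'dist')` stack trace with `/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js` frames. That is an internal failure mode tied to one machine and one yarn build, not a stable user-facing message; keep the `➤ YN0027: malicious@unknown can't be resolved to a satisfying range` line and the closing `➤ Errors happened when preparing the environment required to run this command.` line, and drop or genericize the frame list so readers are not told to expect a specific home path and line offsets.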