fix(ci): lockfile-age-audit — request full packument so time is present #888
Open
motsc wants to merge 1 commit into
…sent The abbreviated `application/vnd.npm.install-v1+json` response strips the `time` map, so `data.time?.[version]` was always undefined and every newly-added entry hit the "missing publish time in registry response" error path. Net effect was that the gate failed closed on every PR that added lockfile entries, regardless of actual package age. Drop the abbreviated Accept header (request the default full packument) so `time` is present and the age check works as intended. Verified against `lodash@4.17.21` — was returning undefined, now returns the real publishedAt of 2021-02-20.
Pull request overview
Fixes the CI lockfile age audit script to request an npm registry packument that includes publish timestamps, so new lockfile entries can be age-checked correctly.
Changes:
- Stop requesting the abbreviated npm packument format that omits the `time` map.
- Fetch the full packument so `data.time?.[version]` can be resolved for publish-date checks.
Comment on lines +194 to +197
| // Default (full) packument — the abbreviated `application/vnd.npm.install-v1+json` | ||
| // response intentionally strips the `time` map, so we have to ask for the full doc | ||
| // to read publish timestamps. | ||
| res = await fetch(url, { headers: { Accept: "application/json" } }); |
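Review bot: the `fetch` call on the last added line passes only `headers` and no `signal`, and the full packument it now requests is larger than the abbreviated document because it keeps the fields the abbreviated format strips; unless a timeout is applied outside this hunk, a slow registry response can stall the gate. Consider adding `signal: AbortSignal.timeout(ms)` to the options object. Separately, the code comment says "Default (full) packument" while the request sets `Accept: "application/json"` explicitly; wording such as "Full packument (explicit `application/json`)" would match what the line does.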
forwarding the fix from control-plane:

`Accept: application/vnd.npm.install-v1+json` strips `time` from the response, so `data.time?.[version]` was always undefined and every new entry failed closed. drop the header, default packument has time.

Fabio (@fneves) caught this on the control-plane side.
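The failure mode described in this PR, as an added example that is not the PR's script: a hypothetical `checkAge` helper that still fails closed but reports a missing `time` map separately from a package that is genuinely too new. The packuments, the package name, the 7-day threshold and the fixed clock are all constructed assumptions.

```javascript
// Added example: age-check one lockfile entry against a registry packument.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical helper (not the PR's script). Fails closed in every error case,
// but names the cause so a tooling fault is not read as a package finding.
function checkAge(packument, version, minAgeDays, now) {
  const raw = packument.time?.[version];
  if (raw === undefined) {
    const reason = packument.time === undefined
      ? "no-time-map" // abbreviated document: wrong Accept header, not a package issue
      : "version-not-in-time-map";
    return { ok: false, reason, publishedAt: null };
  }
  const publishedMs = Date.parse(raw);
  if (Number.isNaN(publishedMs)) {
    return { ok: false, reason: "unparseable-time", publishedAt: null };
  }
  const ageDays = (now - publishedMs) / DAY_MS;
  return ageDays < minAgeDays
    ? { ok: false, reason: "too-new", publishedAt: raw }
    : { ok: true, reason: "old-enough", publishedAt: raw };
}

// Constructed sample documents for a hypothetical package (not registry output).
const abbreviatedDoc = {
  name: "example-pkg",
  modified: "2024-05-01T00:00:00.000Z",
  "dist-tags": { latest: "1.1.0" },
  versions: { "1.0.0": {}, "1.1.0": {} },
};
const fullDoc = {
  ...abbreviatedDoc,
  time: {
    created: "2021-01-01T00:00:00.000Z",
    modified: "2024-05-01T00:00:00.000Z",
    "1.0.0": "2021-01-01T00:00:00.000Z",
    "1.1.0": "2024-04-30T00:00:00.000Z",
  },
};
const NOW = Date.parse("2024-05-02T00:00:00.000Z"); // fixed clock, assumption

// Runs the same check against both document shapes with a 7-day minimum age.
function demo() {
  const reason = (doc, v) => checkAge(doc, v, 7, NOW).reason;
  return [reason(abbreviatedDoc, "1.0.0"), reason(fullDoc, "1.0.0"),
          reason(fullDoc, "1.1.0"), reason(fullDoc, "9.9.9")];
}
console.log(demo());
```

A `no-time-map` result on every entry in a run points at the request format rather than at the packages being added.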