Reject non-ranges in package dependencies

Author: jakebailey

.changeset/social-cows-yell.md

@@ -0,0 +1,5 @@
+---
+"@definitelytyped/header-parser": patch
+---
+
+Reject non-ranges in package dependencies

packages/header-parser/src/index.ts

@@ -98,6 +98,13 @@ export function validatePackageJson(
       `${typesDirectoryName}'s package.json has bad "devDependencies": must include \`"@types/${typesDirectoryName}": "workspace:."\``,
     );
   }
+  // dependency version ranges
+  for (const depsKey of ["dependencies", "peerDependencies", "devDependencies"] as const) {
+    const deps = packageJson[depsKey];
+    if (deps && typeof deps === "object" && !Array.isArray(deps)) {
+      errors.push(...checkDependencyVersions(typesDirectoryName, depsKey, deps as Record<string, unknown>));
+    }
+  }
   // typesVersions
   if (needsTypesVersions) {
     assert.strictEqual(
@@ -475,10 +482,6 @@ export function checkPackageJsonDependencies(
 Please make a pull request to microsoft/DefinitelyTyped-tools adding it to \`packages/definitions-parser/allowedPackageJsonDependencies.txt\`.`;
       errors.push(`In ${path}: ${msg}`);
     }
-    const version = (dependencies as { [key: string]: unknown })[dependencyName];
-    if (typeof version !== "string") {
-      errors.push(`In ${path}: Dependency version for ${dependencyName} should be a string.`);
-    }
   }
   if (devDependencySelfName) {
     const selfDependency = (dependencies as { [key: string]: string | undefined })[devDependencySelfName];
@@ -492,3 +495,26 @@ Please make a pull request to microsoft/DefinitelyTyped-tools adding it to \`pac
   }
   return errors;
 }
+
+function checkDependencyVersions(
+  typesDirectoryName: string,
+  depsKey: "dependencies" | "peerDependencies" | "devDependencies",
+  dependencies: Record<string, unknown>,
+): string[] {
+  const errors: string[] = [];
+  for (const dependencyName of Object.keys(dependencies)) {
+    const version = dependencies[dependencyName];
+    if (typeof version !== "string") {
+      errors.push(
+        `${typesDirectoryName}'s package.json has bad "${depsKey}": version for ${dependencyName} should be a string.`,
+      );
+    } else if (version !== "workspace:." && semver.validRange(version) === null) {
+      errors.push(
+        `${typesDirectoryName}'s package.json has bad "${depsKey}": version for ${dependencyName} (${JSON.stringify(
+          version,
+        )}) must be a valid semver range or "workspace:.".`,
+      );
+    }
+  }
+  return errors;
+}

packages/header-parser/test/index.test.ts

@@ -99,6 +99,37 @@ describe("validatePackageJson", () => {
   it("works with old-version packages", () => {
     expect(Array.isArray(validatePackageJson("hapi", { ...pkgJson, version: "16.6.9999" }, []))).toBeFalsy();
   });
+  it("requires dependency versions to be valid semver ranges or 'workspace:.'", () => {
+    expect(
+      validatePackageJson(
+        "hapi",
+        { ...pkgJson, dependencies: { ...(pkgJson.dependencies as object), joi: "not-a-range" } },
+        [],
+      ),
+    ).toEqual([
+      `hapi's package.json has bad "dependencies": version for joi ("not-a-range") must be a valid semver range or "workspace:.".`,
+    ]);
+  });
+  it("allows 'workspace:.' as a dependency version", () => {
+    expect(
+      Array.isArray(
+        validatePackageJson(
+          "hapi",
+          { ...pkgJson, dependencies: { ...(pkgJson.dependencies as object), joi: "workspace:." } },
+          [],
+        ),
+      ),
+    ).toBeFalsy();
+  });
+  it("requires dependency versions to be strings", () => {
+    expect(
+      validatePackageJson(
+        "hapi",
+        { ...pkgJson, peerDependencies: { foo: 5 } },
+        [],
+      ),
+    ).toEqual([`hapi's package.json has bad "peerDependencies": version for foo should be a string.`]);
+  });
 });
 
 describe("makeTypesVersionsForPackageJson", () => {