@@ -181,6 +181,71 @@ t.test('audit outdated nyc and mkdirp with before: option', async t => {
181181 t . equal ( report . get ( 'mkdirp' ) . simpleRange , '0.4.1 - 0.5.1' )
182182} )
183183
184+ t . test ( 'min-release-age blocks an available fix' , async t => {
185+ // mkdirp's fix (0.5.5, published 2020-04) is newer than a 2020-01-01 cutoff,
186+ // so the only versions old enough are still vulnerable and audit fix can't
187+ // apply the fix it reported as available.
188+ const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
189+ const registry = createRegistry ( t )
190+ registry . audit ( { results : require ( resolve ( path , 'advisory-bulk.json' ) ) } )
191+ registry . mocks ( { dir : join ( __dirname , 'fixtures' ) } )
192+ const cache = t . testdir ( )
193+ const arb = newArb ( path , { before : new Date ( '2020-01-01' ) , cache } )
194+
195+ const tree = await arb . loadVirtual ( )
196+ const report = await AuditReport . load ( tree , arb . options )
197+ t . match ( report . get ( 'mkdirp' ) . fixBlockedByReleaseAge , { version : '0.5.5' } ,
198+ 'mkdirp fix flagged as blocked by the release-age window' )
199+ } )
200+
201+ t . test ( 'min-release-age does not block a fix that is old enough' , async t => {
202+ const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
203+ const registry = createRegistry ( t )
204+ registry . audit ( { results : require ( resolve ( path , 'advisory-bulk.json' ) ) } )
205+ registry . mocks ( { dir : join ( __dirname , 'fixtures' ) } )
206+ const cache = t . testdir ( )
207+ // a cutoff after mkdirp@0.5.5 was published: the fix is reachable
208+ const arb = newArb ( path , { before : new Date ( '2021-01-01' ) , cache } )
209+
210+ const tree = await arb . loadVirtual ( )
211+ const report = await AuditReport . load ( tree , arb . options )
212+ t . notOk ( report . get ( 'mkdirp' ) . fixBlockedByReleaseAge ,
213+ 'fix reachable within the window, so not flagged' )
214+ } )
215+
216+ t . test ( 'min-release-age-exclude exempts a package from the block' , async t => {
217+ const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
218+ const registry = createRegistry ( t )
219+ registry . audit ( { results : require ( resolve ( path , 'advisory-bulk.json' ) ) } )
220+ registry . mocks ( { dir : join ( __dirname , 'fixtures' ) } )
221+ const cache = t . testdir ( )
222+ const arb = newArb ( path , {
223+ before : new Date ( '2020-01-01' ) ,
224+ minReleaseAgeExclude : [ 'mkdirp' ] ,
225+ cache,
226+ } )
227+
228+ const tree = await arb . loadVirtual ( )
229+ const report = await AuditReport . load ( tree , arb . options )
230+ t . notOk ( report . get ( 'mkdirp' ) . fixBlockedByReleaseAge ,
231+ 'excluded package is not flagged even when its fix is too new' )
232+ } )
233+
234+ t . test ( 'min-release-age blocks when no version is old enough at all' , async t => {
235+ const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
236+ const registry = createRegistry ( t )
237+ registry . audit ( { results : require ( resolve ( path , 'advisory-bulk.json' ) ) } )
238+ registry . mocks ( { dir : join ( __dirname , 'fixtures' ) } )
239+ const cache = t . testdir ( )
240+ // a cutoff before any mkdirp version was published: nothing is installable
241+ const arb = newArb ( path , { before : new Date ( '2000-01-01' ) , cache } )
242+
243+ const tree = await arb . loadVirtual ( )
244+ const report = await AuditReport . load ( tree , arb . options )
245+ t . match ( report . get ( 'mkdirp' ) . fixBlockedByReleaseAge , { version : '0.5.5' } ,
246+ 'flagged as blocked when nothing is installable within the window' )
247+ } )
248+
184249t . test ( 'audit returns an error' , async t => {
185250 const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
186251 const registry = createRegistry ( t )
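Review bot: The 2000-01-01 case (the fourth new test, 'blocks when no version is old enough at all') asserts exactly what the 2020-01-01 case asserts — `fixBlockedByReleaseAge` matching `{ version: '0.5.5' }` — so it cannot tell "no installable version at all" apart from "only vulnerable versions are old enough", and a regression that conflates the two would pass both. If the report records which situation applied, assert that field here; otherwise the two tests are duplicates and one should go. The exclude case (`minReleaseAgeExclude: ['mkdirp']`) only checks that the block flag is absent; since the exclusion is meant to lift the age block and not the advisory, add `t.equal(report.get('mkdirp').simpleRange, '0.4.1 - 0.5.1', 'exclusion lifts the age block but the advisory is still reported')`, the value the same fixture already yields in the test just above. The five setup lines (path, registry, audit mock, mocks, cache) are repeated verbatim in all four tests and again in 'audit returns an error' below, so a small async helper that takes `t` and the arb options and returns the loaded report would reduce each case to its cutoff and its assertion.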
@@ -421,6 +486,43 @@ t.test('audit supports alias deps', async t => {
421486 t . equal ( report . get ( 'mkdirp' ) . simpleRange , '0.4.1 - 0.5.1' )
422487} )
423488
489+ t . test ( 'release-age block detection unwraps alias specs' , async t => {
490+ // An npm: alias edge must be resolved against its target, not fed to
491+ // pickManifest as an alias spec (which it rejects). With a release-age
492+ // window the alias fix (mkdirp@0.5.5) is too new, so it should be flagged.
493+ const path = resolve ( fixtures , 'audit-nyc-mkdirp' )
494+ const registry = createRegistry ( t )
495+ registry . audit ( { results : require ( resolve ( path , 'advisory-bulk.json' ) ) } )
496+ registry . mocks ( { dir : join ( __dirname , 'fixtures' ) } )
497+ const cache = t . testdir ( )
498+ const arb = newArb ( path , { before : new Date ( '2020-01-01' ) , cache } )
499+ const tree = new Node ( {
500+ path,
501+ pkg : {
502+ name : 'mkdirp' ,
503+ version : '0.5.0' ,
504+ dependencies : {
505+ novulnshereiswear : 'npm:mkdirp@^0.5.0' ,
506+ } ,
507+ } ,
508+ children : [
509+ {
510+ name : 'novulnshereiswear' ,
511+ pkg : {
512+ name : 'mkdirp' ,
513+ version : '0.5.1' ,
514+ dependencies : { minimist : '0.0.8' } ,
515+ } ,
516+ } ,
517+ { pkg : { name : 'minimist' , version : '0.0.8' } } ,
518+ ] ,
519+ } )
520+
521+ const report = await AuditReport . load ( tree , arb . options )
522+ t . match ( report . get ( 'mkdirp' ) . fixBlockedByReleaseAge , { version : '0.5.5' } ,
523+ 'alias spec is unwrapped and the blocked fix is detected' )
524+ } )
525+
424526t . test ( 'linked local package should not be audited against the registry' , async t => {
425527 const path = resolve ( fixtures , 'audit-linked-package' )
426528 // No registry.audit() mock needed — no request should be made
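Review bot: The alias test's hand-built root is itself `mkdirp@0.5.0`, inside the vulnerable range this fixture reports ('0.4.1 - 0.5.1' at the top of this hunk), so if the root node is considered by the report at all, `fixBlockedByReleaseAge` on `report.get('mkdirp')` could be set through the root's own name rather than through the `npm:mkdirp@^0.5.0` edge the test exists to exercise; giving the root an unrelated name (e.g. `pkg: { name: 'root', version: '1.0.0', dependencies: { ... } }`) would tie the assertion to the alias path alone. The `arb` instance is created only to borrow `arb.options` and the hand-built tree is never attached to it, which is worth a one-line comment such as `// arb only supplies options; the tree is built by hand so it contains the alias edge`. The rejection path mentioned in the header comment is covered only implicitly (pickManifest throwing would fail the test), which is acceptable, but the test name promises "unwraps alias specs" while the assertion checks only the blocked-fix flag — if the report exposes the resolved target, assert it too.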