feat: config tree size limit for yarn and npm.

anthogez · anthogez · commit 220060d28483 · 2020-04-22T23:20:11.000+03:00
diff --git a/config.default.json b/config.default.json
@@ -0,0 +1,4 @@
+{
+  "NPM_TREE_SIZE_LIMIT": 6.0e6,
+  "YARN_TREE_SIZE_LIMIT": 6.0e6
+}
diff --git a/lib/config.ts b/lib/config.ts
@@ -0,0 +1,2 @@
+import { loadConfig } from 'snyk-config';
+export const config: any = loadConfig(__dirname + '../..');
diff --git a/lib/parsers/package-lock-parser.ts b/lib/parsers/package-lock-parser.ts
@@ -1,6 +1,7 @@
 import * as _ from 'lodash';
 import * as graphlib from 'graphlib';
 import * as uuid from 'uuid/v4';
+import { config } from '../config';
 import { setImmediatePromise } from '../set-immediate-promise';
 
 import {
@@ -143,10 +144,9 @@ export class PackageLockParser implements LockfileParser {
 
     // number of dependencies including root one
     let treeSize = 1;
-    const treeSizeLimit = 6.0e6;
     for (const dep of topLevelDeps) {
       // tree size limit should be 6 millions.
-      if (treeSize > treeSizeLimit) {
+      if (treeSize > config.NPM_TREE_SIZE_LIMIT) {
         throw new TreeSizeLimitError();
       }
       // if any of top level dependencies is a part of cycle
diff --git a/lib/parsers/yarn-lock-parse.ts b/lib/parsers/yarn-lock-parse.ts
@@ -18,7 +18,9 @@ import {
   InvalidUserInputError,
   UnsupportedRuntimeError,
   OutOfSyncError,
+  TreeSizeLimitError,
 } from '../errors';
+import { config } from '../config';
 
 const EVENT_PROCESSING_CONCURRENCY = 5;
 
@@ -158,6 +160,10 @@ export class YarnLockParser implements LockfileParser {
       });
 
       for (const [subName, subVersion] of subDependencies) {
+        // tree size limit should be 6 millions.
+        if (this.treeSize > config.YARN_TREE_SIZE_LIMIT) {
+          throw new TreeSizeLimitError();
+        }
         const subDependency: DepTreeDep = {
           labels: {
             scope: tree.labels!.scope, // propagate scope label only
diff --git a/package.json b/package.json
@@ -34,6 +34,7 @@
     "graphlib": "^2.1.5",
     "lodash": "^4.17.14",
     "p-map": "2.1.0",
+    "snyk-config": "^3.0.0",
     "source-map-support": "^0.5.7",
     "tslib": "^1.9.3",
     "uuid": "^3.3.2"
diff --git a/test/lib/package-lock-depTree.test.ts b/test/lib/package-lock-depTree.test.ts
@@ -2,10 +2,15 @@
 // Shebang is required, and file *has* to be executable: chmod +x file.test.js
 // See: https://github.com/tapjs/node-tap/issues/313#issuecomment-250067741
 import { test } from 'tap';
+import { config } from '../../lib/config';
 import { buildDepTreeFromFiles } from '../../lib';
 import * as fs from 'fs';
 import * as _ from 'lodash';
-import { InvalidUserInputError, OutOfSyncError } from '../../lib/errors';
+import {
+  InvalidUserInputError,
+  OutOfSyncError,
+  TreeSizeLimitError,
+} from '../../lib/errors';
 
 const load = (filename) =>
   JSON.parse(fs.readFileSync(`${__dirname}/fixtures/${filename}`, 'utf8'));
@@ -250,3 +255,16 @@ test('`package.json` with file as version', async (t) => {
 
   t.deepEqual(depTree, expectedDepTree, 'Tree generated as expected');
 });
+
+test('Npm Tree size exceeds the allowed limit of 500 dependencies.', async (t) => {
+  config.NPM_TREE_SIZE_LIMIT = 500;
+  t.rejects(
+    buildDepTreeFromFiles(
+      `${__dirname}/fixtures/goof/`,
+      'package.json',
+      'package-lock.json',
+    ),
+    new TreeSizeLimitError(),
+    'Expected error is thrown',
+  );
+});
diff --git a/test/lib/yarn.test.ts b/test/lib/yarn.test.ts
@@ -2,6 +2,7 @@
 // Shebang is required, and file *has* to be executable: chmod +x file.test.js
 // See: https://github.com/tapjs/node-tap/issues/313#issuecomment-250067741
 import { test } from 'tap';
+import { config } from '../../lib/config';
 import { buildDepTreeFromFiles, getYarnWorkspacesFromFiles } from '../../lib';
 import getRuntimeVersion from '../../lib/get-node-runtime-version';
 import * as fs from 'fs';
@@ -10,6 +11,7 @@ import {
   UnsupportedRuntimeError,
   InvalidUserInputError,
   OutOfSyncError,
+  TreeSizeLimitError,
 } from '../../lib/errors';
 
 if (getRuntimeVersion() < 6) {
@@ -250,3 +252,16 @@ test('identify package.json as Not a workspace project', async (t) => {
   );
   t.is(workspaces, false, 'Not a yarn workspace');
 });
+
+test('Yarn Tree size exceeds the allowed limit of 500 dependencies.', async (t) => {
+  config.YARN_TREE_SIZE_LIMIT = 500;
+  t.rejects(
+    buildDepTreeFromFiles(
+      `${__dirname}/fixtures/goof/`,
+      'package.json',
+      'yarn.lock',
+    ),
+    new TreeSizeLimitError(),
+    'Expected error is thrown',
+  );
+});

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "NPM_TREE_SIZE_LIMIT": 6.0e6,
 +  "YARN_TREE_SIZE_LIMIT": 6.0e6
 +}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import { loadConfig } from 'snyk-config';`
	`2`	`+export const config: any = loadConfig(__dirname + '../..');`