mirror of
https://github.com/oven-sh/bun
synced 2026-02-09 10:28:47 +00:00
3ee477fc5b
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Dylan Conway <dylan.conway567@gmail.com>
110 lines
3.0 KiB
TypeScript
110 lines
3.0 KiB
TypeScript
import { expect, test } from "bun:test";
|
|
import { bunEnv, bunExe, tempDirWithFiles } from "harness";
|
|
|
|
test("security scanner blocks bun update with fatal advisory", async () => {
|
|
const dir = tempDirWithFiles("bun-update-security", {
|
|
"package.json": JSON.stringify({
|
|
name: "test-app",
|
|
version: "1.0.0",
|
|
dependencies: {
|
|
"left-pad": "1.3.0", // There is a real update to 1.3.1
|
|
},
|
|
}),
|
|
"scanner.ts": `
|
|
export const scanner = {
|
|
version: "1",
|
|
scan: async ({ packages }) => {
|
|
console.log("Security scanner received " + packages.length + " packages");
|
|
if (packages.length === 0) return [];
|
|
return [
|
|
{
|
|
package: packages[0].name,
|
|
description: "Security warning for update test",
|
|
level: "fatal",
|
|
url: "https://example.com/advisory",
|
|
},
|
|
];
|
|
},
|
|
};
|
|
`,
|
|
});
|
|
|
|
// First install without scanner
|
|
await using installProc = Bun.spawn({
|
|
cmd: [bunExe(), "install"],
|
|
env: bunEnv,
|
|
cwd: dir,
|
|
stdout: "pipe",
|
|
stderr: "pipe",
|
|
});
|
|
|
|
await installProc.stdout.text();
|
|
await installProc.stderr.text();
|
|
const installCode = await installProc.exited;
|
|
expect(installCode).toBe(0);
|
|
|
|
// Now add scanner for update
|
|
await Bun.write(Bun.pathToFileURL(`${dir}/bunfig.toml`), `[install.security]\nscanner = "./scanner.ts"`);
|
|
|
|
await using updateProc = Bun.spawn({
|
|
cmd: [bunExe(), "update", "left-pad", "--latest"],
|
|
env: bunEnv,
|
|
cwd: dir,
|
|
stdout: "pipe",
|
|
stderr: "pipe",
|
|
stdin: "pipe",
|
|
});
|
|
|
|
const [out, exitCode] = await Promise.all([updateProc.stdout.text(), updateProc.exited]);
|
|
|
|
expect(out).toContain("Security scanner received");
|
|
expect(out).toContain("FATAL: left-pad");
|
|
expect(out).toContain("Security warning for update test");
|
|
expect(out).toContain("Installation aborted due to fatal security advisories");
|
|
expect(exitCode).toBe(1);
|
|
});
|
|
|
|
test("security scanner does not run on bun update when not configured", async () => {
|
|
const dir = tempDirWithFiles("bun-update-no-security", {
|
|
"package.json": JSON.stringify({
|
|
name: "test-app",
|
|
version: "1.0.0",
|
|
dependencies: {
|
|
"left-pad": "1.3.0",
|
|
},
|
|
}),
|
|
});
|
|
|
|
await using installProc = Bun.spawn({
|
|
cmd: [bunExe(), "install"],
|
|
env: bunEnv,
|
|
cwd: dir,
|
|
stdout: "pipe",
|
|
stderr: "pipe",
|
|
});
|
|
|
|
const installCode = await installProc.exited;
|
|
expect(installCode).toBe(0);
|
|
|
|
await using updateProc = Bun.spawn({
|
|
cmd: [bunExe(), "update", "left-pad", "--latest"],
|
|
env: bunEnv,
|
|
cwd: dir,
|
|
stdout: "pipe",
|
|
stderr: "pipe",
|
|
});
|
|
|
|
const [out, err, exitCode] = await Promise.all([
|
|
updateProc.stdout.text(),
|
|
updateProc.stderr.text(),
|
|
updateProc.exited,
|
|
]);
|
|
|
|
const combined = out + err;
|
|
expect(combined).not.toContain("Security scanner");
|
|
expect(combined).not.toContain("FATAL:");
|
|
expect(combined).not.toContain("WARN:");
|
|
|
|
expect(exitCode).toBe(0);
|
|
});
|