69 lines
2.7 KiB
JavaScript
69 lines
2.7 KiB
JavaScript
// package-shape.test.mjs
|
|
// Step 10 (A1): package.json-kontrakten for det bevisste zero-dep-bruddet.
|
|
// Verifiserer at dep-laget er EXACT-pinnet (ingen ^/~/*), at engines-gulvet er
|
|
// satt (unpdf krever node >= 22), at pakken er ESM (type: module), at versjonen
|
|
// er 1.7.0 (direkte maal-versjon, bumpes ikke separat), og at .npmrc slaar av
|
|
// install-scripts (Shai-Hulud / supply-chain). Zero npm deps i selve testen.
|
|
// Moenster: tests/frontmatter.test.mjs (les fil, assert struktur).
|
|
|
|
import { test } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { readFileSync, existsSync } from 'node:fs';
|
|
import { join, dirname } from 'node:path';
|
|
import { fileURLToPath } from 'node:url';
|
|
|
|
const ROOT = join(dirname(fileURLToPath(import.meta.url)), '..');
|
|
const PKG = join(ROOT, 'package.json');
|
|
const NPMRC = join(ROOT, '.npmrc');
|
|
const LOCK = join(ROOT, 'package-lock.json');
|
|
|
|
// De fire pure-JS-konverterings-deps fra A0 pre-flight (audit 0 vulnerabilities).
|
|
const EXPECTED_DEPS = ['mammoth', 'turndown', 'postal-mime', 'unpdf'];
|
|
|
|
function readPkg() {
|
|
return JSON.parse(readFileSync(PKG, 'utf8'));
|
|
}
|
|
|
|
test('package.json: type module + version 1.7.0 (direkte maal-versjon)', () => {
|
|
const pkg = readPkg();
|
|
assert.equal(pkg.type, 'module');
|
|
assert.equal(pkg.version, '1.7.0');
|
|
});
|
|
|
|
test('package.json: engines.node-gulv satt (unpdf krever >= 22)', () => {
|
|
const pkg = readPkg();
|
|
assert.ok(pkg.engines && pkg.engines.node, 'engines.node mangler');
|
|
assert.equal(pkg.engines.node, '>=22');
|
|
});
|
|
|
|
test('package.json: alle dependencies EXACT-pinnet (ingen ^/~/*)', () => {
|
|
const pkg = readPkg();
|
|
assert.ok(pkg.dependencies, 'dependencies mangler');
|
|
for (const dep of EXPECTED_DEPS) {
|
|
assert.ok(pkg.dependencies[dep], `dep mangler: ${dep}`);
|
|
}
|
|
for (const [name, version] of Object.entries(pkg.dependencies)) {
|
|
assert.match(
|
|
version,
|
|
/^\d+\.\d+\.\d+$/,
|
|
`dep ${name} er ikke exact-pinnet: ${version}`,
|
|
);
|
|
}
|
|
});
|
|
|
|
test('.npmrc: install-scripts avslaatt (supply-chain-vern)', () => {
|
|
const npmrc = readFileSync(NPMRC, 'utf8');
|
|
assert.match(npmrc, /^ignore-scripts\s*=\s*true$/m);
|
|
});
|
|
|
|
test('package-lock.json: finnes og pinner transitive deps med integrity', () => {
|
|
assert.ok(existsSync(LOCK), 'package-lock.json mangler');
|
|
const lock = JSON.parse(readFileSync(LOCK, 'utf8'));
|
|
const entries = Object.entries(lock.packages ?? {}).filter(([k]) => k !== '');
|
|
assert.ok(entries.length >= EXPECTED_DEPS.length, 'lockfile uten pakke-oppfoeringer');
|
|
for (const [name, meta] of entries) {
|
|
if (meta.link) continue;
|
|
assert.ok(meta.integrity, `lockfile-oppfoering uten integrity: ${name}`);
|
|
assert.match(meta.version ?? '', /^\d/, `lockfile-oppfoering uten versjon: ${name}`);
|
|
}
|
|
});
|