
Commit 0d894e5

committed
Merge branch 'main' into next
2 parents a2f75b2 + 4d2dadd commit 0d894e5


1 file changed

+13
-9
lines changed


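--- a/scripts/check-package-lock.sh
+++ b/scripts/check-package-lock.sh
@@ -1,23 +1,27 @@
 #!/usr/bin/env bash
 
-# This script checks package-lock.json for references to internal Artifactory.
-# Developers using ~/.npmrc with artifacts.mitre.org will have their package-lock.json
-# updated with internal registry URLs, which cannot be committed to the public repo.
+# This script checks package-lock.json for references to private npm registries.
+# Developers using ~/.npmrc with a private Artifactory registry will have their
+# package-lock.json updated with internal registry URLs in the "resolved" fields,
+# which cannot be committed to the public repo.
 
 LOCKFILE="package-lock.json"
-FORBIDDEN_PATTERN="artifacts.mitre.org"
+
+# Check for any mitre.org subdomain in resolved URLs (e.g., private Artifactory)
+FORBIDDEN_PATTERN='[a-zA-Z0-9.-]*\.mitre\.org'
 
 if [ ! -f "$LOCKFILE" ]; then
 echo "✓ No package-lock.json found, skipping check."
 exit 0
 fi
 
-if grep -q "$FORBIDDEN_PATTERN" "$LOCKFILE"; then
-echo "✗ ERROR: package-lock.json contains references to '$FORBIDDEN_PATTERN'"
+# Look specifically for "resolved" fields pointing to mitre.org subdomains
+if grep -E '"resolved":\s*"https?://'"$FORBIDDEN_PATTERN" "$LOCKFILE" > /dev/null; then
+echo "✗ ERROR: package-lock.json contains 'resolved' URLs pointing to a private registry"
 echo ""
-echo " This happens when your ~/.npmrc is configured to use the internal"
+echo " This happens when your ~/.npmrc is configured to use an internal"
 echo " Artifactory registry. Committing this file would break CI pipelines"
-echo " that run on public GitHub runners without access to Artifactory."
+echo " that run on public GitHub runners without access to the private registry."
 echo ""
 echo " To fix this:"
 echo " 1. Temporarily rename or remove your ~/.npmrc"
@@ -28,5 +32,5 @@ if grep -q "$FORBIDDEN_PATTERN" "$LOCKFILE"; then
 exit 1
 fi
 
-echo "✓ package-lock.json is clean (no internal registry references found)."
+echo "✓ package-lock.json is clean (no private registry references found)."
 exit 0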
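Review bot: The new grep in the first hunk misses a resolved URL that carries userinfo or a port before the host (for example `https://user:token@host.mitre.org/...`), because `[a-zA-Z0-9.-]*` is anchored directly after `https?://` and contains neither `@` nor `:` — and a lockfile with an embedded registry token is exactly the case this check most needs to catch. `\s` is also a GNU grep extension in ERE, and `> /dev/null` re-implements the `-q` the old line already used. I would widen the pattern and restore `-q`: `FORBIDDEN_PATTERN='[^"]*\.mitre\.org'` and `if grep -Eq '"resolved":[[:space:]]*"https?://'"$FORBIDDEN_PATTERN" "$LOCKFILE"; then`. The header comment now speaks of "private npm registries" in general while the check remains mitre.org-specific; the comment on the pattern line should say so explicitly. The `if` block opened here continues past the end of the hunk.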
