-
Notifications
You must be signed in to change notification settings - Fork 33
Npm plugin loading #242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+291
−3
Merged
Npm plugin loading #242
Changes from all commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
671de5c
Load first-party scanner plugins from NPM packages
kzhou314 9a9e932
Document loading scanner plugins from NPM packages
kzhou314 c451932
Merge branch 'main' into npm-plugin-loading
kzhou314 6aad92b
Validate scans input, skip lockfile writes, and warn on name mismatches
kzhou314 4488f96
Merge branch 'main' into npm-plugin-loading
kzhou314 59a5adc
Rename npmPluginLoader to pluginNpmLoader for consistency
kzhou314 fdafec3
Extract isValidPlugin and isDuplicatePlugin helpers for plugin loading
kzhou314 454be60
Link first-party allowlist in docs and drop redundant scans comment
kzhou314 4cadf62
Merge branch 'main' into npm-plugin-loading
kzhou314 2757b80
Guard object scans entries and read npm plugins from cached scans con…
kzhou314 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| import {execFileSync} from 'child_process' | ||
|
kzhou314 marked this conversation as resolved.
|
||
| import * as core from '@actions/core' | ||
| import type {NpmPluginRequest, Plugin} from './types.js' | ||
|
|
||
| // Install the package at runtime. | ||
| export function installNpmPackage(spec: string) { | ||
| execFileSync('npm', ['install', spec, '--no-save', '--no-package-lock', '--ignore-scripts'], {stdio: 'inherit'}) | ||
| } | ||
|
|
||
| // Install and import a single NPM-published plugin | ||
| export async function loadPluginViaNpm(request: NpmPluginRequest): Promise<Plugin | undefined> { | ||
| const spec = request.version ? `${request.package}@${request.version}` : request.package | ||
| try { | ||
| core.info(`Installing NPM plugin: ${spec}`) | ||
| installNpmPackage(spec) | ||
| // Import the bare package specifier as-is; pathToFileURL would mangle it. | ||
| const imported = await import(request.package) | ||
| return imported as Plugin | ||
| } catch (e) { | ||
| core.warning(`Failed to load NPM plugin '${spec}': ${e}`) | ||
| return undefined | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| import {describe, it, expect, vi, beforeEach} from 'vitest' | ||
|
|
||
| import * as childProcess from 'child_process' | ||
| import * as core from '@actions/core' | ||
| import * as pluginManager from '../src/pluginManager/index.js' | ||
| import * as npmPluginLoader from '../src/pluginManager/pluginNpmLoader.js' | ||
| import * as scansContextProvider from '../src/scansContextProvider.js' | ||
| import type {Plugin, NpmPluginRequest} from '../src/pluginManager/types.js' | ||
|
|
||
| vi.mock('child_process', {spy: true}) | ||
| vi.mock('@actions/core', {spy: true}) | ||
| vi.mock('../src/pluginManager/pluginNpmLoader.js', {spy: true}) | ||
| vi.mock('../src/scansContextProvider.js', {spy: true}) | ||
|
|
||
| const ALLOWED = '@github/accessibility-scanner-alt-text-plugin' | ||
|
|
||
| function mockNpmPlugins(npmPlugins: NpmPluginRequest[]) { | ||
| vi.spyOn(scansContextProvider, 'getScansContext').mockReturnValue({ | ||
| scansToPerform: npmPlugins.map(plugin => plugin.name), | ||
| npmPlugins, | ||
| shouldPerformAxeScan: false, | ||
| shouldRunPlugins: true, | ||
| }) | ||
| } | ||
|
|
||
| describe('npmPluginLoader', () => { | ||
| beforeEach(() => { | ||
| vi.restoreAllMocks() | ||
| vi.clearAllMocks() | ||
| }) | ||
|
|
||
| describe('installNpmPackage', () => { | ||
| it('installs with --no-save, --no-package-lock and --ignore-scripts', () => { | ||
| const execSpy = vi.spyOn(childProcess, 'execFileSync').mockImplementation(() => Buffer.from('')) | ||
| npmPluginLoader.installNpmPackage('some-pkg@1.0.0') | ||
| expect(execSpy).toHaveBeenCalledWith( | ||
| 'npm', | ||
| ['install', 'some-pkg@1.0.0', '--no-save', '--no-package-lock', '--ignore-scripts'], | ||
| { | ||
| stdio: 'inherit', | ||
| }, | ||
| ) | ||
| }) | ||
| }) | ||
|
|
||
| describe('loadPluginViaNpm', () => { | ||
| it('pins the version in the install spec', async () => { | ||
| const execSpy = vi.spyOn(childProcess, 'execFileSync').mockImplementation(() => Buffer.from('')) | ||
| await npmPluginLoader.loadPluginViaNpm({name: 'p', package: 'nonexistent-pkg-xyz', version: '2.3.4'}) | ||
| expect(execSpy).toHaveBeenCalledWith( | ||
| 'npm', | ||
| ['install', 'nonexistent-pkg-xyz@2.3.4', '--no-save', '--no-package-lock', '--ignore-scripts'], | ||
| {stdio: 'inherit'}, | ||
| ) | ||
| }) | ||
|
|
||
| it('returns undefined and warns when loading fails', async () => { | ||
| vi.spyOn(childProcess, 'execFileSync').mockImplementation(() => Buffer.from('')) | ||
| const warnSpy = vi.spyOn(core, 'warning').mockImplementation(() => {}) | ||
| const plugin = await npmPluginLoader.loadPluginViaNpm({name: 'p', package: 'nonexistent-pkg-xyz'}) | ||
| expect(plugin).toBeUndefined() | ||
| expect(warnSpy).toHaveBeenCalled() | ||
| }) | ||
| }) | ||
| }) | ||
|
|
||
| describe('loadNpmPlugins', () => { | ||
| beforeEach(() => { | ||
| vi.restoreAllMocks() | ||
| vi.clearAllMocks() | ||
| pluginManager.clearCache() | ||
| }) | ||
|
|
||
| it('loads a plugin from a first-party package', async () => { | ||
| vi.spyOn(npmPluginLoader, 'loadPluginViaNpm').mockResolvedValue({name: 'alt-text-scan', default: vi.fn()}) | ||
| mockNpmPlugins([{name: 'alt-text-scan', package: ALLOWED}]) | ||
| await pluginManager.loadNpmPlugins() | ||
| expect(pluginManager.getPlugins().map(plugin => plugin.name)).toContain('alt-text-scan') | ||
| }) | ||
|
|
||
| it('skips and warns when a package is not first-party', async () => { | ||
| const loadSpy = vi.spyOn(npmPluginLoader, 'loadPluginViaNpm').mockResolvedValue(undefined) | ||
| const warnSpy = vi.spyOn(core, 'warning').mockImplementation(() => {}) | ||
| mockNpmPlugins([{name: 'evil', package: 'evil-pkg'}]) | ||
| await pluginManager.loadNpmPlugins() | ||
| expect(loadSpy).not.toHaveBeenCalled() | ||
| expect(warnSpy).toHaveBeenCalled() | ||
| expect(pluginManager.getPlugins().length).toBe(0) | ||
| }) | ||
|
|
||
| it('skips a package that does not export a valid plugin', async () => { | ||
| vi.spyOn(npmPluginLoader, 'loadPluginViaNpm').mockResolvedValue({name: 'bad'} as unknown as Plugin) | ||
| const warnSpy = vi.spyOn(core, 'warning').mockImplementation(() => {}) | ||
| mockNpmPlugins([{name: 'bad', package: ALLOWED}]) | ||
| await pluginManager.loadNpmPlugins() | ||
| expect(warnSpy).toHaveBeenCalled() | ||
| expect(pluginManager.getPlugins().length).toBe(0) | ||
| }) | ||
|
|
||
| it('skips an NPM plugin whose exported name does not match the requested name', async () => { | ||
| vi.spyOn(npmPluginLoader, 'loadPluginViaNpm').mockResolvedValue({name: 'actual-name', default: vi.fn()}) | ||
| const warnSpy = vi.spyOn(core, 'warning').mockImplementation(() => {}) | ||
| mockNpmPlugins([{name: 'requested-name', package: ALLOWED}]) | ||
| await pluginManager.loadNpmPlugins() | ||
| expect(warnSpy).toHaveBeenCalled() | ||
| expect(pluginManager.getPlugins().length).toBe(0) | ||
| }) | ||
|
|
||
| it('skips an NPM plugin whose name collides with an already-loaded plugin', async () => { | ||
| pluginManager.getPlugins().push({name: 'dup', default: vi.fn()}) | ||
| vi.spyOn(npmPluginLoader, 'loadPluginViaNpm').mockResolvedValue({name: 'dup', default: vi.fn()}) | ||
| mockNpmPlugins([{name: 'dup', package: ALLOWED}]) | ||
| await pluginManager.loadNpmPlugins() | ||
| expect(pluginManager.getPlugins().filter(plugin => plugin.name === 'dup').length).toBe(1) | ||
| }) | ||
| }) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I see these "not for actual" use comments are increasing in number; are they still accurate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was an existing convention I noticed, for functions that needed to be exported since it was used in testing files, but the export wouldn't actually be used anywhere in production. Technically its accurate but it can be misleading. Do we need the label here or should I clean it up?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feel free to do this in a followup pull request, but yeah, I'm not sure these comments are particularly useful here since they're not programmatically enforced + nothing crazy should happen if, for some reason, you import and use one of these functions individually. But cc @abdulahmad307 in the event I'm missing something.
If we just want to separate out exports which solely exist for testing, maybe we could move these function definitions into a separate file imported both here and in tests? 🤷♀️
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea here is that this is a private function - it can be safely used inside this file, but should not be directly used by anything outside of this file, but still needs to be tested (which is the only reason its exported).
one could argue that we don't need to test it directly, and should only test the public functions that use it, but sometimes we need to mock things so we end up needing to export.
One thing I've done in the past to reduce the risk of accidentally using private functions outside of a file (even when they need to be exported for testing) is to create a common export pattern where the test functions are exported with a namespace wrapper. There are probably other pattern out there we can use too 🤷
Feel free to change, but just be mindful of what should be exposed externally and what should remain private.