feat: throw forbidden error when package is blocked by security policy

[claudiahdz]

✏️ Changes

This PR introduces a new error in the case that a forbidden package was requested and blocked by the security proxy. If no manifest was found under the versions object, then a check is done to verify if the package is forbidden under the restrictedVersions object. If it is, a new error code is thrown E403 and the admin custom message will be shown on the CLI like:

➜  security-messaging npm i [email protected]
npm ERR! code E403
npm ERR! 403 Could not download [email protected] due to policy violations.
npm ERR! 403 Use `npm audit fix` to upgrade this dependency.
npm ERR! 403
npm ERR! 403 In most cases you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy
npm ERR! 403 please contact your npme admin.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/claudiahdz/.npm/_logs/2019-08-09T20_46_04_225Z-debug.log

If no policy restrictions are found on the packument then the behavior will continue as is right now and throw a ETARGET error.

🔗 References

RFC: https://npmjs.slab.com/posts/proposed-package-filtering-messaging-on-the-cli-kejlhyow

🔍 Testing

Automated testing

• Checks if E403 when version is forbidden
• Checks if errors when metadata has no versions or restricted versions

✅ This change has unit test coverage

⚠️ Warning (Blockers)

This PR depends on: npm/cli#234

[djsauble]

Curious. What is this 'Enjoy By' date about?

[claudiahdz]

TIL! https://www.npmjs.com/package/pacote#optsenjoy-by

[djsauble]

Interesting. So what's the benefit of filtering out packages that are newer than a given date? Avoiding packages that haven't been thoroughly tested or widely deployed?

[isaacs]

@djsauble Reproducing installs as they would have happened at some point in the past.

[djsauble]

❤️