Fix npm token scanning false positives

src/secretLint.ts

@@ -20,8 +20,7 @@ const lintConfig = {
 				{
 					id: "@secretlint/secretlint-rule-basicauth",
 					allowMessageIds: ["BasicAuth"]
-				},
-				{
+				}, {
 					id: "@secretlint/secretlint-rule-privatekey",
 					options: {
 						allows: [
@@ -30,6 +29,15 @@ const lintConfig = {
 							"/^(?![\\s\\S]*-----BEGIN .*PRIVATE KEY-----[A-Za-z0-9+/=\\r\\n]{50,}-----END .*PRIVATE KEY-----)[\\s\\S]*$/"
 						]
 					}
+				}, {
+					id: "@secretlint/secretlint-rule-npm",
+					options: {
+						allows: [
+							// An npm token has the prefix npm_ followed by 36 Base62 characters (30 random + 6-character checksum), totaling 40 characters.
+							// https://github.com/microsoft/vscode-vsce/issues/1153
+							"/^(?!(?:npm_[0-9A-Za-z]{36})$).+$/"
+						]
+					}
 				}
 			]
 		}, {

src/test/fixtures/secrets/noSecret1Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !noSecret1.ts

src/test/fixtures/secrets/noSecret2Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !noSecret2.ts

src/test/fixtures/secrets/noSecret3.ts

@@ -0,0 +1,4 @@
+// https://github.com/microsoft/vscode-vsce/issues/1153
+function npm_i_save_dev_types_Slashjest_or_npm_i_(){}
+function npm_i_save_dev_types_Slash_1_if_it_exists(){}
+function Cannot_find_name_0_Do_you_need_to_install_type_definitions_for_jQuery_Try_npm_i_save_dev_types_Slashjquery_and_then_add_jquery_to_the_types_field_in_your_tsconfig(){}

src/test/fixtures/secrets/noSecret3Ignore

@@ -0,0 +1,3 @@
+**secret**
+**noSecret**
+!noSecret3.ts

src/test/fixtures/secrets/secret1Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !secret1.ts

src/test/fixtures/secrets/secret2.ts

@@ -0,0 +1 @@
+export const k = `npm_Ab3kZy0X9QpLmN4tUvW7aBcDeFgHiJkLmNoPqRsTu`

src/test/fixtures/secrets/secret2Ignore

@@ -0,0 +1,3 @@
+**secret**
+**noSecret**
+!secret2.ts

src/test/package.test.ts

@@ -165,6 +165,19 @@ async function processExitExpected(fn: () => Promise<any>, errorMessage: string)
 	}
 }
 
+async function processExitNotExpected(fn: () => Promise<any>, errorMessage: string): Promise<void> {
+	const originalExit = process.exit;
+	try {
+		process.exit = (() => {
+			throw new Error(errorMessage);
+		}) as any;
+
+		await fn();
+	} finally {
+		process.exit = originalExit;
+	}
+}
+
 describe('collect', function () {
 	this.timeout(60000);
 
@@ -386,42 +399,54 @@ describe('collect', function () {
 
 	it('should not package .env file', async function () {
 		const cwd = fixture('env');
-		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath() }), 'Expected package to throw: .env file should not be packaged');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath() }), 'Expected package to throw: .env file should not be packaged');
 	});
 
 	it('allow packaging .env file with --allow-package-env-file', async function () {
 		const cwd = fixture('env');
-		await pack({ cwd, allowPackageEnvFile: true, packagePath: getVisxOutputPath() });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageEnvFile: true, packagePath: getVisxOutputPath() }), 'Should not have exited');
 	});
 
 	it('should not package file which has a private key', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: file which has a private key should not be packaged');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: file which has a private key should not be packaged');
 	});
 
 	it('allow packaging file which has a private key with --allow-package-secrets', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('allow packaging file which has a private key with --allow-package-all-secrets', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('private key false positive 1', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'noSecret1Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('private key false positive 2', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'noSecret2Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
+	});
+
+	it('should not package npm token', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'secret2Ignore');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: should not package npm token');
+	});
+
+	it('npm token false positive 1', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'noSecret3Ignore');
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 });