fix: throw 403 for forbidden major/minor versions

shanisebarona · isaacs · commit 003286e1315b · 2019-08-28T13:21:31.000-07:00
Co-authored-by: @claudiahdz Co-authored-by: @emyl3 Co-authored-by: @rrconey PR-URL: #2 Credit: @claudiahdz Close: #2 Reviewed-by: @isaacs
diff --git a/index.js b/index.js
@@ -96,6 +96,10 @@ function pickManifest (packument, wanted, opts) {
     target = stillFresh[0]
   }
 
+  if (!target && restrictedVersions) {
+    target = semver.maxSatisfying(restrictedVersions, wanted, true)
+  }
+
   const manifest = (
     target &&
     packument.versions[target]
diff --git a/test/index.js b/test/index.js
@@ -147,6 +147,46 @@ test('E403 if version is forbidden', t => {
   t.done()
 })
 
+test('E403 if version is forbidden, provided a minor version', t => {
+  const metadata = {
+    policyRestrictions: {
+      versions: {
+        '2.1.0': { version: '2.1.0' },
+        '2.1.5': { version: '2.1.5' }
+      }
+    },
+    versions: {
+      '1.0.0': { version: '1.0.0' },
+      '2.0.0': { version: '2.0.0' },
+      '2.0.5': { version: '2.0.5' }
+    }
+  }
+  t.throws(() => {
+    pickManifest(metadata, '2.1')
+  }, {code: 'E403'}, 'got correct error on match failure')
+  t.done()
+})
+
+test('E403 if version is forbidden, provided a major version', t => {
+  const metadata = {
+    policyRestrictions: {
+      versions: {
+        '1.0.0': { version: '1.0.0' },
+        '2.1.0': { version: '2.1.0' },
+        '2.1.5': { version: '2.1.5' }
+      }
+    },
+    versions: {
+      '2.0.0': { version: '2.0.0' },
+      '2.0.5': { version: '2.0.5' }
+    }
+  }
+  t.throws(() => {
+    pickManifest(metadata, '1')
+  }, {code: 'E403'}, 'got correct error on match failure')
+  t.done()
+})
+
 test('if `defaultTag` matches a given range, use it', t => {
   const metadata = {
     'dist-tags': {
