feat: use isSecurityHeld included in algolia api response

Author: shuuji3

app/composables/npm/useAlgoliaSearch.ts

@@ -50,6 +50,7 @@ interface AlgoliaHit {
   deprecated: boolean | string
   isDeprecated: boolean
   license: string | null
+  isSecurityHeld: boolean
 }
 
 const ATTRIBUTES_TO_RETRIEVE = [
@@ -67,6 +68,7 @@ const ATTRIBUTES_TO_RETRIEVE = [
   'deprecated',
   'isDeprecated',
   'license',
+  'isSecurityHeld',
 ]
 
 const EXISTENCE_CHECK_ATTRS = ['name']
@@ -90,6 +92,7 @@ function hitToSearchResult(hit: AlgoliaHit): NpmSearchResult {
             email: owner.email,
           }))
         : [],
+      isSecurityHeld: hit.isSecurityHeld,
     },
     searchScore: 0,
     downloads: {

app/pages/search.vue

@@ -94,8 +94,8 @@ const visibleResults = computed(() => {
 
   let objects = raw.objects
 
-  // Filter out "Security holding package" package takendown by npm registory
-  objects = objects.filter(r => r.package.repository?.url !== 'npm/security-holder')
+  // Filter out "Security holding package" packages taken down by npm registry
+  objects = objects.filter(r => !r.package.isSecurityHeld)
 
   // Filter out platform-specific packages if setting is enabled
   if (settings.value.hidePlatformPackages) {

shared/types/npm-registry.ts

@@ -189,7 +189,8 @@ export interface NpmSearchPackage {
   publisher?: NpmSearchPublisher
   maintainers?: NpmPerson[]
   license?: string
-  repository?: NpmSearchRepository
+  /** Algolia-only: package is an npm-owned security-holder takedown */
+  isSecurityHeld?: boolean
 }
 
 /**
@@ -306,20 +307,6 @@ export interface NpmTrustedPublisher {
   ciConfigPath?: string
 }
 
-/**
- * Repository types
- * Note: Not covered by @npm/types
- */
-export interface NpmSearchRepository {
-  type: 'git'
-  url: string
-  project: string
-  user: string
-  host: string
-  path: string
-  branch: string
-}
-
 /**
  * jsDelivr API Types
  * Used for package file browsing

test/fixtures/algolia/search/security-holder.json

@@ -0,0 +1,69 @@
+[
+  {
+    "name": "vuln-npm",
+    "downloadsLast30Days": 0,
+    "downloadsRatio": 0,
+    "popular": false,
+    "version": "0.0.1-security",
+    "description": "security holding package",
+    "repository": {
+      "type": "git",
+      "url": "npm/security-holder",
+      "project": "security-holder",
+      "user": "npm",
+      "host": "github.com",
+      "path": "",
+      "branch": "master"
+    },
+    "deprecated": false,
+    "isDeprecated": false,
+    "isSecurityHeld": true,
+    "homepage": null,
+    "license": null,
+    "keywords": [],
+    "modified": 1692592458394,
+    "owners": [
+      {
+        "email": "npm@npmjs.com",
+        "name": "npm",
+        "avatar": "https://gravatar.com/avatar/46d8d00e190be647053f7d97fd0478e4",
+        "link": "https://www.npmjs.com/~npm"
+      }
+    ],
+    "objectID": "vuln-npm"
+  },
+  {
+    "name": "npmx-connector",
+    "downloadsLast30Days": 1047,
+    "downloadsRatio": 0,
+    "popular": false,
+    "version": "0.9.0",
+    "description": "Local connector for npmx.dev - enables authenticated npm operations from the web UI",
+    "repository": {
+      "type": "git",
+      "url": "https://github.com/npmx-dev/npmx.dev",
+      "project": "npmx.dev",
+      "user": "npmx-dev",
+      "host": "github.com",
+      "path": "",
+      "head": "1f574e52f494032683c1aec7f64f6de72d4413a0",
+      "branch": "1f574e52f494032683c1aec7f64f6de72d4413a0"
+    },
+    "deprecated": false,
+    "isDeprecated": false,
+    "isSecurityHeld": false,
+    "homepage": "https://npmx.dev",
+    "license": "MIT",
+    "keywords": [],
+    "modified": 1776194979856,
+    "owners": [
+      {
+        "name": "danielroe",
+        "email": "daniel@roe.dev",
+        "avatar": "https://gravatar.com/avatar/f366ee6556b7307a1a2a253c8fb842ca",
+        "link": "https://www.npmjs.com/~danielroe"
+      }
+    ],
+    "objectID": "npmx-connector"
+  }
+]

test/nuxt/composables/use-algolia-search.spec.ts

@@ -0,0 +1,27 @@
+import { describe, expect, it, vi } from 'vitest'
+import fixture from '~~/test/fixtures/algolia/search/security-holder.json'
+
+const mockSearch = vi.fn()
+vi.mock('algoliasearch/lite', () => ({
+  liteClient: () => ({ search: mockSearch }),
+}))
+
+describe('useAlgoliaSearch', () => {
+  it('maps isSecurityHeld through to NpmSearchResult.package', async () => {
+    mockSearch.mockResolvedValue({
+      results: [{ hits: fixture, nbHits: fixture.length }],
+    })
+
+    const { search } = useAlgoliaSearch()
+    const { objects } = await search('')
+
+    const bad = objects.find(o => o.package.name === 'vuln-npm')
+    const good = objects.find(o => o.package.name === 'npmx-connector')
+
+    expect(bad?.package.isSecurityHeld).toBe(true)
+    expect(good?.package.isSecurityHeld).toBe(false)
+
+    const filtered = objects.filter(o => !o.package.isSecurityHeld).map(o => o.package.name)
+    expect(filtered).toEqual(['npmx-connector'])
+  })
+})