Merge pull request #21 from apostrophecms/pro-2080

PRO-2080 if there is no package.json at all in the project folder, allow recursive lookup

Author: boutell

README.md

@@ -350,6 +350,8 @@ If the same module exists in two places, an exception is thrown.
 
 **The 2.x series is deprecated for new work, as its functionality was folded into Apostrophe 3.x. See below for 1.x release notes relevant to maintenance of Apostrophe 2.x.**
 
+1.3.2: starting in version 1.3.1, this module only loads other modules via `npm` if they are explicit npm dependencies, which is necessary for stability and security. However, it is too strict: if the project has no `package.json` at all at the level of `app.js`, `npm` search up the tree, and this module should too. Beginning in verison 1.3.2, it does search up the tree. However it stops at the first `package.json` found.
+
 1.3.1: `moog-require` loads modules from npm if they exist there and are configured by name in the application. This was always intended only as a way to load direct, intentional dependencies of your project. However, since npm "flattens" the dependency tree, dependencies of dependencies that happen to have the same name as a project-level module could be loaded by default, crashing the site or causing unexpected behavior. So beginning with this release, `moog-require` scans `package.json` to verify an npm module is actually a dependency of the project itself before attempting to load it.
 
 1.3.0: achieved an approximately 100x performance improvement when `nestedModuleSubdirs` is in use by fetching

index.js

@@ -162,10 +162,26 @@ module.exports = function(options) {
     // Even if the package exists in node_modules it might just be a
     // sub-dependency due to npm/yarn flattening, which means we could be
     // confused by an unrelated npm module with the same name as an Apostrophe
-    // module unless we verify it is a real project-level dependency
+    // module unless we verify it is a real project-level dependency. However
+    // if no package.json at all exists at project level we do search up the
+    // tree until we find one to accommodate patterns like `src/app.js`
     if (!self.validPackages) {
-      const info = JSON.parse(fs.readFileSync(`${path.dirname(self.root.filename)}/package.json`, 'utf8'));
-      self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]);
+      let info = null;
+      const initialFolder = path.dirname(self.root.filename);
+      let folder = initialFolder;
+      while (true) {
+        const file = `${folder}/package.json`;
+        if (fs.existsSync(file)) {
+          const info = JSON.parse(fs.readFileSync(file, 'utf8'));
+          self.validPackages = new Set([ ...Object.keys(info.dependencies || {}), ...Object.keys(info.devDependencies || {}) ]);
+          break;
+        } else {
+          folder = path.dirname(folder);
+          if (!folder.length) {
+            throw new Error(`package.json was not found in ${initialFolder} or any of its parent folders.`);
+          }
+        }
+      }
     }
     if (!self.validPackages.has(type)) {
       return null;

package.json

@@ -36,7 +36,7 @@
     "url": "git://github.com/apostrophecms/moog-require.git"
   },
   "scripts": {
-    "test": "mocha test/test.js"
+    "test": "mocha test/test.js test/nested/test.js"
   },
-  "version": "1.3.1"
+  "version": "1.3.2"
 }

test/nested/project_modules

@@ -0,0 +1 @@
+../project_modules/