Update script & dependencies (#49)

* chore: update dependencies

* refactor: update spdx refresh script

.github/workflows/codeql.yml

@@ -41,16 +41,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/main.yml

@@ -17,13 +17,13 @@ jobs:
       fail-fast: false
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies

.github/workflows/scorecard.yml

@@ -32,17 +32,17 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: "Checkout code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0 # v3.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -64,14 +64,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: results.sarif

.gitignore

@@ -102,3 +102,5 @@ dist
 
 # TernJS port file
 .tern-port
+
+/temp

package.json

@@ -34,17 +34,19 @@
   "homepage": "https://github.com/NodeSecure/licenses-conformance#readme",
   "dependencies": {
     "fastest-levenshtein": "^1.0.16",
-    "spdx-expression-parse": "^3.0.1"
+    "spdx-expression-parse": "^4.0.0"
   },
   "devDependencies": {
-    "@myunisoft/httpie": "^1.10.0",
-    "@nodesecure/eslint-config": "^1.6.0",
+    "@myunisoft/httpie": "^2.0.3",
+    "@nodesecure/eslint-config": "^1.8.0",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
-    "c8": "^8.0.0",
+    "astring": "^1.8.6",
+    "c8": "^8.0.1",
     "cross-env": "^7.0.3",
     "eslint": "^8.31.0",
-    "tape": "^5.6.1"
+    "node-estree": "^4.0.0",
+    "tape": "^5.7.2"
   },
   "engines": {
     "node": ">=18"

scripts/fetchSpdxLicenses.js

@@ -3,28 +3,49 @@ import fs from "node:fs";
 
 // Import Third-party Dependencies
 import httpie from "@myunisoft/httpie";
+import * as astring from "astring";
+import { ESTree, Helpers, VarDeclaration } from "node-estree";
 
 // CONSTANTS
 const kSrcDirectory = new URL("../src/", import.meta.url);
 
-// VARS
-const licenses = new Map();
-
 const { data } = await httpie.get(
   "https://raw.githubusercontent.com/spdx/license-list-data/main/json/licenses.json"
 );
 const response = JSON.parse(data);
 
+const spdxProperties = [];
+
 for (const license of response.licenses) {
   const {
+    name,
     isDeprecatedLicenseId: deprecated,
     licenseId: id,
     isOsiApproved: osi,
     isFsfLibre: fsf = false
   } = license;
 
-  licenses.set(license.name, { id, deprecated, osi, fsf });
+  spdxProperties.push(
+    ESTree.Property(
+      id.charAt(0) !== "0" && /^[a-zA-Z0-9]+$/.test(id) ? ESTree.Identifier(id) : ESTree.Literal(id),
+      Helpers.PlainObject({ name, id, deprecated, osi, fsf }),
+      {
+        kind: "init",
+        computed: false,
+        method: false,
+        shorthand: false
+      }
+    )
+  );
 }
 
-const spdxLicenses = Object.fromEntries(licenses);
-fs.writeFileSync(new URL("spdx.json", kSrcDirectory), JSON.stringify(spdxLicenses, null, 2));
+const prog = ESTree.Program("module", [
+  ESTree.ExportNamedDeclaration(
+    VarDeclaration.const("spdx", ESTree.ObjectExpression(spdxProperties))
+  )
+]);
+
+fs.writeFileSync(
+  new URL("spdx.js", kSrcDirectory),
+  `/* eslint-disable max-lines */\n\n` + astring.generate(prog)
+);

src/licenses.js

@@ -13,17 +13,17 @@ const osi = [];
 const fsf = [];
 const deprecated = [];
 
-for (const [licenseName, license] of Object.entries(spdx)) {
+for (const [licenseId, license] of Object.entries(spdx)) {
   if (license.deprecated) {
-    deprecated.push(license.id);
+    deprecated.push(licenseId);
   }
   if (license.osi) {
-    osi.push(license.id);
+    osi.push(licenseId);
   }
   if (license.fsf) {
-    fsf.push(license.id);
+    fsf.push(licenseId);
   }
-  licenseNameToId.set(licenseName, license);
+  licenseNameToId.set(license.name, license);
 }
 
 const spdxLicenseIds = new Set([