fix: correct --integrity-exclude package name matching logic (#190)

Update the matching logic for --integrity-exclude to check the exluded package name against the
package identifier used internally. Update the corresponding test suite with more realistic mocking
data. Add an extra test case to ensure package names aren't matched partially.

Author: ericcornelissen

packages/lockfile-lint-api/__tests__/validators.integrityHashType.test.js

@@ -28,7 +28,7 @@ describe('Validator: Integrity', () => {
 
   it('validator should fail if not allowed hash type is used for a resource', () => {
     const mockedPackages = {
-      bolt11: {
+      'bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676': {
         integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
       }
     }
@@ -39,20 +39,20 @@ describe('Validator: Integrity', () => {
       errors: [
         {
           message:
-            'detected invalid integrity hash type for package: bolt11\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
-          package: 'bolt11'
+            'detected invalid integrity hash type for package: bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
+          package: 'bolt11@1.4.1-3e38a8b13f29678e59705efec18f590e50272676'
         }
       ]
     })
   })
 
   it('validator should succeed if all resources are from an allowed hash type', () => {
     const mockedPackages = {
-      '@types/node': {
+      '@types/node@20.11.17-14733ac8d7ad65e47f20fc8c2b20bd58ef37c9f5': {
         integrity:
           'sha512-CK2fnrQlIgKlCV3N2kM+Gznb5USlwA1KFX3rJVHmgVk6NJxFPuQ86pAcvKnu37IA4BGlSRz7sEE1lHL1aLZ/eQ=='
       },
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity:
           'sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig=='
       }
@@ -67,11 +67,11 @@ describe('Validator: Integrity', () => {
 
   it('validator should not fail even if one of the packages has no `integrity` field', () => {
     const mockedPackages = {
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity:
           'sha512-goMHfm00nWPa8UvR/CPSvykqf6dVV8x/dp0c5mFTMTIu0u0FlGWRioyy7Nn0PGAdHxpJZnuO/ut+PpQ8UiHAig=='
       },
-      meow: {}
+      'meow@13.0.0-0478ab49a1d0b9808d0ea088db43c980a15dfc4b': {}
     }
     const validator = new ValidateIntegrity({packages: mockedPackages})
 
@@ -83,7 +83,7 @@ describe('Validator: Integrity', () => {
 
   it('validator should not fail if an excluded package has an invalid integrity hash type', () => {
     const mockedPackages = {
-      typescript: {
+      'typescript@5.0.0-d5998c40b92db6ac7b06359242cf43afc8b499f4': {
         integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
       }
     }
@@ -98,6 +98,29 @@ describe('Validator: Integrity', () => {
     })
   })
 
+  it('validator should not match excluded package by partial name', () => {
+    const mockedPackages = {
+      'common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa': {
+        integrity: 'sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg='
+      }
+    }
+    const options = {
+      integrityExclude: ['common-prefix']
+    }
+
+    const validator = new ValidateIntegrity({packages: mockedPackages})
+    expect(validator.validate(options)).toEqual({
+      type: 'error',
+      errors: [
+        {
+          message:
+            'detected invalid integrity hash type for package: common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa\n    expected: sha512\n    actual: sha1-1ZNEUixLxGSmWnMKxpUAf9tm3Yg=\n',
+          package: 'common-prefix-package@1.0.0-30f09ab54e1d572758bd0673b8b96b5df96ec1fa'
+        }
+      ]
+    })
+  })
+
   it('validator should return true for a single package with a valid URL', () => {
     const mockedPackages = {
       typescript: {

packages/lockfile-lint-api/src/validators/ValidateIntegrity.js

@@ -29,7 +29,7 @@ module.exports = class ValidateIntegrity {
         continue
       }
 
-      if (excludedPackages.includes(packageName)) {
+      if (excludedPackages.find(name => packageName.startsWith(`${name}@`))) {
         continue
       }