tests(snyk): assert upper bounds

lighthouse-core/test/audits/dobetterweb/no-vulnerable-libraries-test.js

@@ -8,6 +8,7 @@
 const NoVulnerableLibrariesAudit =
   require('../../../audits/dobetterweb/no-vulnerable-libraries.js');
 const assert = require('assert');
+const semver = require('semver');
 
 /* eslint-env jest */
 describe('Avoids front-end JavaScript libraries with known vulnerabilities', () => {
@@ -99,3 +100,41 @@ describe('Avoids front-end JavaScript libraries with known vulnerabilities', ()
     assert.equal(auditResult.score, 1);
   });
 });
+
+// https://github.com/npm/node-semver/issues/166#issuecomment-245990039
+function hasUpperBound(rangeString) {
+  const range = new semver.Range(rangeString);
+  if (!range) return false;
+
+  // For every subset ...
+  for (const subset of range.set) {
+    // Upperbound exists if...
+
+    // < or <= is in one of the subset's clauses (= gets normalized to >= and <).
+    if (subset.some(comparator => comparator.operator.match(/^</))) {
+      continue;
+    }
+
+    // Subset has a prerelease tag (operator will be empty).
+    if (subset.length === 1 && subset[0].operator === '') {
+      continue;
+    }
+
+    // No upperbound for this subset.
+    return false;
+  }
+
+  return true;
+}
+
+describe('every snyk vulnerability has an upper bound', () => {
+  for (const vulns of Object.values(NoVulnerableLibrariesAudit.snykDB.npm)) {
+    for (const vuln of vulns) {
+      for (const semver of vuln.semver.vulnerable) {
+        if (!hasUpperBound(semver)) {
+          assert.fail(`invalid semver: ${semver}. Must contain an upper bound`);
+        }
+      }
+    }
+  }
+});