From 8710ff88afffb573b4f65c4a19303924935fecd2 Mon Sep 17 00:00:00 2001
From: Gar
Date: Mon, 19 Jun 2023 07:41:50 -0700
Subject: [PATCH] deps: pacote@15.2.0
---
 node_modules/pacote/lib/fetcher.js | 3 ++-
 node_modules/pacote/lib/registry.js | 5 ++++-
 node_modules/pacote/lib/util/cache-dir.js | 5 ++++-
 node_modules/pacote/package.json | 2 +-
 package-lock.json | 8 ++++----
 package.json | 2 +-
 6 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js
index 6694a57f6af36..f961a45c7d346 100644
--- a/node_modules/pacote/lib/fetcher.js
+++ b/node_modules/pacote/lib/fetcher.js
@@ -61,7 +61,8 @@ class FetcherBase {
 // by adding/modifying the integrity value.
 this.opts = { ...opts }
- this.cache = opts.cache || cacheDir()
+ this.cache = opts.cache || cacheDir().cacache
+ this.tufCache = opts.tufCache || cacheDir().tufcache
 this.resolved = opts.resolved || null // default to caching/verifying with sha512, that's what we usually have
diff --git a/node_modules/pacote/lib/registry.js b/node_modules/pacote/lib/registry.js
index 625bedc9a7736..34d9b2b87f3f3 100644
--- a/node_modules/pacote/lib/registry.js
+++ b/node_modules/pacote/lib/registry.js
@@ -295,7 +295,10 @@ class RegistryFetcher extends Fetcher {
 //
 // Publish attestations are signed with a keyid so we need to
 // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
- const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined }
+ const options = {
+ tufCachePath: this.tufCache,
+ keySelector: publicKey ? () => publicKey.pemkey : undefined,
+ }
 await sigstore.verify(bundle, null, options)
 } catch (e) {
 throw Object.assign(new Error(
diff --git a/node_modules/pacote/lib/util/cache-dir.js b/node_modules/pacote/lib/util/cache-dir.js
index 4236213edd409..ac83b1793f199 100644
--- a/node_modules/pacote/lib/util/cache-dir.js
+++ b/node_modules/pacote/lib/util/cache-dir.js
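Review bot: The `this.tufCache` default does not follow a caller-supplied `opts.cache`, so a consumer that points `cache` at an isolated directory still falls back to the user-level `_tuf` path from `cacheDir()` unless it also sets `tufCache`. That path is handed to `sigstore.verify` as `tufCachePath` in the registry.js hunk, so it presumably holds the trust metadata used for attestation verification and deserves the same placement care as the content cache. I would document the option at the assignment, e.g. `// tufCache is independent of opts.cache; set both to relocate all on-disk state`, and call `cacheDir()` once instead of twice. The constructor starts and ends outside the hunk, and since this is the bundled copy of pacote the change would have to land upstream.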
@@ -8,5 +8,8 @@ module.exports = (fakePlatform = false) => {
 const platform = fakePlatform || process.platform
 const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
 const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
- return resolve(cacheRoot, cacheExtra, '_cacache')
+ return {
+ cacache: resolve(cacheRoot, cacheExtra, '_cacache'),
+ tufcache: resolve(cacheRoot, cacheExtra, '_tuf'),
+ }
 }
diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json
index 48f2bb0ac3fee..bc8d984704af5 100644
--- a/node_modules/pacote/package.json
+++ b/node_modules/pacote/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pacote",
- "version": "15.1.3",
+ "version": "15.2.0",
 "description": "JavaScript package downloader",
 "author": "GitHub Inc.",
 "bin": {
diff --git a/package-lock.json b/package-lock.json
index cd11ee1e959d5..7651a93dfd2ac 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -134,7 +134,7 @@
 "npm-user-validate": "^2.0.0",
 "npmlog": "^7.0.1",
 "p-map": "^4.0.0",
- "pacote": "^15.1.3",
+ "pacote": "^15.2.0",
 "parse-conflict-json": "^3.0.1",
 "proc-log": "^3.0.0",
 "qrcode-terminal": "^0.12.0",
@@ -10098,9 +10098,9 @@
 }
 },
 "node_modules/pacote": {
- "version": "15.1.3",
- "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.1.3.tgz",
- "integrity": "sha512-aRts8cZqxiJVDitmAh+3z+FxuO3tLNWEmwDRPEpDDiZJaRz06clP4XX112ynMT5uF0QNoMPajBBHnaStUEPJXA==",
+ "version": "15.2.0",
+ "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.2.0.tgz",
+ "integrity": "sha512-rJVZeIwHTUta23sIZgEIM62WYwbmGbThdbnkt81ravBplQv+HjyroqnLRNH2+sLJHcGZmLRmhPwACqhfTcOmnA==",
 "inBundle": true,
 "dependencies": {
 "@npmcli/git": "^4.0.0",
diff --git a/package.json b/package.json
index b8904d6c77494..e88777c450b98 100644
--- a/package.json
+++ b/package.json
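Review bot: The export now returns an object instead of a path string, which is a breaking change for any caller that still passes `cacheDir()` directly to a path or cache API; only the two call sites in fetcher.js are updated in the visible hunks, so other users of this helper should be checked. A comment above the `return` would make the new shape explicit, e.g. `// returns { cacache, tufcache }: default content-cache and TUF-metadata paths`. Because `_tuf` presumably stores the metadata that attestation verification trusts, the comment should also say that it resolves under `LOCALAPPDATA` or the home directory and is expected to be writable only by the current user. The function body begins above the hunk.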
@@ -101,7 +101,7 @@
 "npm-user-validate": "^2.0.0",
 "npmlog": "^7.0.1",
 "p-map": "^4.0.0",
- "pacote": "^15.1.3",
+ "pacote": "^15.2.0",
 "parse-conflict-json": "^3.0.1",
 "proc-log": "^3.0.0",
 "qrcode-terminal": "^0.12.0",