From a9a6dcd4427ec82e491a2cad5672d8183e12180f Mon Sep 17 00:00:00 2001 From: Luke Karrys Date: Mon, 6 May 2024 15:13:26 -0700 Subject: [PATCH] deps: pacote@18.0.5 --- mock-registry/package.json | 2 +- .../pacote/{lib/bin.js => bin/index.js} | 0 node_modules/pacote/lib/dir.js | 13 +-- node_modules/pacote/lib/fetcher.js | 69 +++++-------- node_modules/pacote/lib/file.js | 15 ++- node_modules/pacote/lib/git.js | 96 +++++++++---------- node_modules/pacote/lib/index.js | 10 +- node_modules/pacote/lib/registry.js | 28 +++--- node_modules/pacote/lib/remote.js | 12 +-- node_modules/pacote/lib/util/protected.js | 11 +++ node_modules/pacote/package.json | 10 +- package-lock.json | 23 ++--- package.json | 2 +- workspaces/arborist/package.json | 2 +- workspaces/libnpmdiff/package.json | 2 +- workspaces/libnpmexec/package.json | 2 +- workspaces/libnpmpack/package.json | 2 +- 17 files changed, 137 insertions(+), 162 deletions(-) rename node_modules/pacote/{lib/bin.js => bin/index.js} (100%) create mode 100644 node_modules/pacote/lib/util/protected.js diff --git a/mock-registry/package.json b/mock-registry/package.json index 2484e9dab161a..1295f931d3afa 100644 --- a/mock-registry/package.json +++ b/mock-registry/package.json @@ -51,7 +51,7 @@ "json-stringify-safe": "^5.0.1", "nock": "^13.3.3", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "tap": "^16.3.8" } } diff --git a/node_modules/pacote/lib/bin.js b/node_modules/pacote/bin/index.js similarity index 100% rename from node_modules/pacote/lib/bin.js rename to node_modules/pacote/bin/index.js diff --git a/node_modules/pacote/lib/dir.js b/node_modules/pacote/lib/dir.js index 135be8e6cba83..6674bb0bf23a1 100644 --- a/node_modules/pacote/lib/dir.js +++ b/node_modules/pacote/lib/dir.js @@ -4,13 +4,10 @@ const { Minipass } = require('minipass') const tarCreateOptions = require('./util/tar-create-options.js') const packlist = require('npm-packlist') const tar = require('tar') -const _prepareDir = Symbol('_prepareDir') const { resolve } = require('path') -const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson') - const runScript = require('@npmcli/run-script') +const _ = require('./util/protected.js') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') class DirFetcher extends Fetcher { constructor (spec, opts) { super(spec, opts) @@ -30,7 +27,7 @@ class DirFetcher extends Fetcher { return ['directory'] } - [_prepareDir] () { + [_.prepareDir] () { return this.manifest().then(mani => { if (!mani.scripts || !mani.scripts.prepare) { return @@ -55,7 +52,7 @@ class DirFetcher extends Fetcher { }) } - [_tarballFromResolved] () { + [_.tarballFromResolved] () { if (!this.tree && !this.Arborist) { throw new Error('DirFetcher requires either a tree or an Arborist constructor to pack') } @@ -68,7 +65,7 @@ class DirFetcher extends Fetcher { // run the prepare script, get the list of files, and tar it up // pipe to the stream, and proxy errors the chain. - this[_prepareDir]() + this[_.prepareDir]() .then(async () => { if (!this.tree) { const arb = new this.Arborist({ path: this.resolved }) @@ -87,7 +84,7 @@ class DirFetcher extends Fetcher { return Promise.resolve(this.package) } - return this[_readPackageJson](this.resolved) + return this[_.readPackageJson](this.resolved) .then(mani => this.package = { ...mani, _integrity: this.integrity && String(this.integrity), diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js index c4a707e7ef81e..ec5a807b79991 100644 --- a/node_modules/pacote/lib/fetcher.js +++ b/node_modules/pacote/lib/fetcher.js @@ -18,27 +18,12 @@ const getContents = require('@npmcli/installed-package-contents') const PackageJson = require('@npmcli/package-json') const { Minipass } = require('minipass') const cacheDir = require('./util/cache-dir.js') +const _ = require('./util/protected.js') // Pacote is only concerned with the package.json contents const packageJsonPrepare = (p) => PackageJson.prepare(p).then(pkg => pkg.content) const packageJsonNormalize = (p) => PackageJson.normalize(p).then(pkg => pkg.content) -// Private methods. -// Child classes should not have to override these. -// Users should never call them. -const _extract = Symbol('_extract') -const _mkdir = Symbol('_mkdir') -const _empty = Symbol('_empty') -const _toFile = Symbol('_toFile') -const _tarxOptions = Symbol('_tarxOptions') -const _entryMode = Symbol('_entryMode') -const _istream = Symbol('_istream') -const _assertType = Symbol('_assertType') -const _tarballFromCache = Symbol('_tarballFromCache') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') -const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches') -const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson') - class FetcherBase { constructor (spec, opts) { if (!opts || typeof opts !== 'object') { @@ -57,7 +42,7 @@ class FetcherBase { this.from = this.spec.registry ? `${this.spec.name}@${this.spec.rawSpec}` : this.spec.saveSpec - this[_assertType]() + this.#assertType() // clone the opts object so that others aren't upset when we mutate it // by adding/modifying the integrity value. this.opts = { ...opts } @@ -93,11 +78,9 @@ class FetcherBase { this.before = opts.before this.fullMetadata = this.before ? true : !!opts.fullMetadata this.fullReadJson = !!opts.fullReadJson - if (this.fullReadJson) { - this[_readPackageJson] = packageJsonPrepare - } else { - this[_readPackageJson] = packageJsonNormalize - } + this[_.readPackageJson] = this.fullReadJson + ? packageJsonPrepare + : packageJsonNormalize // rrh is a registry hostname or 'never' or 'always' // defaults to registry.npmjs.org @@ -188,7 +171,7 @@ class FetcherBase { // private, should be overridden. // Note that they should *not* calculate or check integrity or cache, // but *just* return the raw tarball data stream. - [_tarballFromResolved] () { + [_.tarballFromResolved] () { throw this.notImplementedError } @@ -204,17 +187,17 @@ class FetcherBase { // private // Note: cacache will raise a EINTEGRITY error if the integrity doesn't match - [_tarballFromCache] () { + #tarballFromCache () { return cacache.get.stream.byDigest(this.cache, this.integrity, this.opts) } - get [_cacheFetches] () { + get [_.cacheFetches] () { return true } - [_istream] (stream) { + #istream (stream) { // if not caching this, just return it - if (!this.opts.cache || !this[_cacheFetches]) { + if (!this.opts.cache || !this[_.cacheFetches]) { // instead of creating a new integrity stream, we only piggyback on the // provided stream's events if (stream.hasIntegrityEmitter) { @@ -267,7 +250,7 @@ class FetcherBase { return false } - [_assertType] () { + #assertType () { if (this.types && !this.types.includes(this.spec.type)) { throw new TypeError(`Wrong spec type (${ this.spec.type @@ -306,7 +289,7 @@ class FetcherBase { !this.preferOnline && this.integrity && this.resolved - ) ? streamHandler(this[_tarballFromCache]()).catch(er => { + ) ? streamHandler(this.#tarballFromCache()).catch(er => { if (this.isDataCorruptionError(er)) { log.warn('tarball', `cached data for ${ this.spec @@ -329,7 +312,7 @@ class FetcherBase { }. Extracting by manifest.`) } return this.resolve().then(() => retry(tryAgain => - streamHandler(this[_istream](this[_tarballFromResolved]())) + streamHandler(this.#istream(this[_.tarballFromResolved]())) .catch(streamErr => { // Most likely data integrity. A cache ENOENT error is unlikely // here, since we're definitely not reading from the cache, but it @@ -352,24 +335,24 @@ class FetcherBase { return cacache.rm.content(this.cache, this.integrity, this.opts) } - [_empty] (path) { + #empty (path) { return getContents({ path, depth: 1 }).then(contents => Promise.all( contents.map(entry => fs.rm(entry, { recursive: true, force: true })))) } - async [_mkdir] (dest) { - await this[_empty](dest) + async #mkdir (dest) { + await this.#empty(dest) return await fs.mkdir(dest, { recursive: true }) } // extraction is always the same. the only difference is where // the tarball comes from. async extract (dest) { - await this[_mkdir](dest) - return this.tarballStream((tarball) => this[_extract](dest, tarball)) + await this.#mkdir(dest) + return this.tarballStream((tarball) => this.#extract(dest, tarball)) } - [_toFile] (dest) { + #toFile (dest) { return this.tarballStream(str => new Promise((res, rej) => { const writer = new fsm.WriteStream(dest) str.on('error', er => writer.emit('error', er)) @@ -383,15 +366,15 @@ class FetcherBase { })) } - // don't use this[_mkdir] because we don't want to rimraf anything + // don't use this.#mkdir because we don't want to rimraf anything async tarballFile (dest) { const dir = dirname(dest) await fs.mkdir(dir, { recursive: true }) - return this[_toFile](dest) + return this.#toFile(dest) } - [_extract] (dest, tarball) { - const extractor = tar.x(this[_tarxOptions]({ cwd: dest })) + #extract (dest, tarball) { + const extractor = tar.x(this.#tarxOptions({ cwd: dest })) const p = new Promise((resolve, reject) => { extractor.on('end', () => { resolve({ @@ -416,7 +399,7 @@ class FetcherBase { // always ensure that entries are at least as permissive as our configured // dmode/fmode, but never more permissive than the umask allows. - [_entryMode] (path, mode, type) { + #entryMode (path, mode, type) { const m = /Directory|GNUDumpDir/.test(type) ? this.dmode : /File$/.test(type) ? this.fmode : /* istanbul ignore next - should never happen in a pkg */ 0 @@ -427,7 +410,7 @@ class FetcherBase { return ((mode | m) & ~this.umask) | exe | 0o600 } - [_tarxOptions] ({ cwd }) { + #tarxOptions ({ cwd }) { const sawIgnores = new Set() return { cwd, @@ -437,7 +420,7 @@ class FetcherBase { if (/Link$/.test(entry.type)) { return false } - entry.mode = this[_entryMode](entry.path, entry.mode, entry.type) + entry.mode = this.#entryMode(entry.path, entry.mode, entry.type) // this replicates the npm pack behavior where .gitignore files // are treated like .npmignore files, but only if a .npmignore // file is not present. diff --git a/node_modules/pacote/lib/file.js b/node_modules/pacote/lib/file.js index 95769de1374c9..307efedb31f7e 100644 --- a/node_modules/pacote/lib/file.js +++ b/node_modules/pacote/lib/file.js @@ -3,10 +3,7 @@ const cacache = require('cacache') const { resolve } = require('path') const { stat, chmod } = require('fs/promises') const Fetcher = require('./fetcher.js') - -const _exeBins = Symbol('_exeBins') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') -const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson') +const _ = require('./util/protected.js') class FileFetcher extends Fetcher { constructor (spec, opts) { @@ -27,7 +24,7 @@ class FileFetcher extends Fetcher { // have to unpack the tarball for this. return cacache.tmp.withTmp(this.cache, this.opts, dir => this.extract(dir) - .then(() => this[_readPackageJson](dir)) + .then(() => this[_.readPackageJson](dir)) .then(mani => this.package = { ...mani, _integrity: this.integrity && String(this.integrity), @@ -36,7 +33,7 @@ class FileFetcher extends Fetcher { })) } - [_exeBins] (pkg, dest) { + #exeBins (pkg, dest) { if (!pkg.bin) { return Promise.resolve() } @@ -65,11 +62,11 @@ class FileFetcher extends Fetcher { // but if not, read the unpacked manifest and chmod properly. return super.extract(dest) .then(result => this.package ? result - : this[_readPackageJson](dest).then(pkg => - this[_exeBins](pkg, dest)).then(() => result)) + : this[_.readPackageJson](dest).then(pkg => + this.#exeBins(pkg, dest)).then(() => result)) } - [_tarballFromResolved] () { + [_.tarballFromResolved] () { // create a read stream and return it return new fsm.ReadStream(this.resolved) } diff --git a/node_modules/pacote/lib/git.js b/node_modules/pacote/lib/git.js index 2cac44ae528e6..23f4b1d218bcc 100644 --- a/node_modules/pacote/lib/git.js +++ b/node_modules/pacote/lib/git.js @@ -2,7 +2,6 @@ const Fetcher = require('./fetcher.js') const FileFetcher = require('./file.js') const RemoteFetcher = require('./remote.js') const DirFetcher = require('./dir.js') -const hashre = /^[a-f0-9]{40}$/ const git = require('@npmcli/git') const pickManifest = require('npm-pick-manifest') const npa = require('npm-package-arg') @@ -10,19 +9,10 @@ const { Minipass } = require('minipass') const cacache = require('cacache') const { log } = require('proc-log') const npm = require('./util/npm.js') - -const _resolvedFromRepo = Symbol('_resolvedFromRepo') -const _resolvedFromHosted = Symbol('_resolvedFromHosted') -const _resolvedFromClone = Symbol('_resolvedFromClone') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') -const _addGitSha = Symbol('_addGitSha') const addGitSha = require('./util/add-git-sha.js') -const _clone = Symbol('_clone') -const _cloneHosted = Symbol('_cloneHosted') -const _cloneRepo = Symbol('_cloneRepo') -const _setResolvedWithSha = Symbol('_setResolvedWithSha') -const _prepareDir = Symbol('_prepareDir') -const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson') +const _ = require('./util/protected.js') + +const hashre = /^[a-f0-9]{40}$/ // get the repository url. // prefer https if there's auth, since ssh will drop that. @@ -84,8 +74,9 @@ class GitFetcher extends Fetcher { // fetch the git repo and then look at the current hash const h = this.spec.hosted // try to use ssh, fall back to git. - return h ? this[_resolvedFromHosted](h) - : this[_resolvedFromRepo](this.spec.fetchSpec) + return h + ? this.#resolvedFromHosted(h) + : this.#resolvedFromRepo(this.spec.fetchSpec) } // first try https, since that's faster and passphrase-less for @@ -93,23 +84,22 @@ class GitFetcher extends Fetcher { // Fall back to SSH to support private repos // NB: we always store the https url in resolved field if auth // is present, otherwise ssh if the hosted type provides it - [_resolvedFromHosted] (hosted) { - return this[_resolvedFromRepo](hosted.https && hosted.https()) - .catch(er => { - // Throw early since we know pathspec errors will fail again if retried - if (er instanceof git.errors.GitPathspecError) { - throw er - } - const ssh = hosted.sshurl && hosted.sshurl() - // no fallthrough if we can't fall through or have https auth - if (!ssh || hosted.auth) { - throw er - } - return this[_resolvedFromRepo](ssh) - }) + #resolvedFromHosted (hosted) { + return this.#resolvedFromRepo(hosted.https && hosted.https()).catch(er => { + // Throw early since we know pathspec errors will fail again if retried + if (er instanceof git.errors.GitPathspecError) { + throw er + } + const ssh = hosted.sshurl && hosted.sshurl() + // no fallthrough if we can't fall through or have https auth + if (!ssh || hosted.auth) { + throw er + } + return this.#resolvedFromRepo(ssh) + }) } - [_resolvedFromRepo] (gitRemote) { + #resolvedFromRepo (gitRemote) { // XXX make this a custom error class if (!gitRemote) { return Promise.reject(new Error(`No git url for ${this.spec}`)) @@ -130,17 +120,17 @@ class GitFetcher extends Fetcher { // the committish provided isn't in the rev list // things like HEAD~3 or @yesterday can land here. if (!revDoc || !revDoc.sha) { - return this[_resolvedFromClone]() + return this.#resolvedFromClone() } this.resolvedRef = revDoc this.resolvedSha = revDoc.sha - this[_addGitSha](revDoc.sha) + this.#addGitSha(revDoc.sha) return this.resolved }) } - [_setResolvedWithSha] (withSha) { + #setResolvedWithSha (withSha) { // we haven't cloned, so a tgz download is still faster // of course, if it's not a known host, we can't do that. this.resolved = !this.spec.hosted ? withSha @@ -149,18 +139,18 @@ class GitFetcher extends Fetcher { // when we get the git sha, we affix it to our spec to build up // either a git url with a hash, or a tarball download URL - [_addGitSha] (sha) { - this[_setResolvedWithSha](addGitSha(this.spec, sha)) + #addGitSha (sha) { + this.#setResolvedWithSha(addGitSha(this.spec, sha)) } - [_resolvedFromClone] () { + #resolvedFromClone () { // do a full or shallow clone, then look at the HEAD // kind of wasteful, but no other option, really - return this[_clone](() => this.resolved) + return this.#clone(() => this.resolved) } - [_prepareDir] (dir) { - return this[_readPackageJson](dir).then(mani => { + #prepareDir (dir) { + return this[_.readPackageJson](dir).then(mani => { // no need if we aren't going to do any preparation. const scripts = mani.scripts if (!mani.workspaces && (!scripts || !( @@ -200,13 +190,13 @@ class GitFetcher extends Fetcher { }) } - [_tarballFromResolved] () { + [_.tarballFromResolved] () { const stream = new Minipass() stream.resolved = this.resolved stream.from = this.from // check it out and then shell out to the DirFetcher tarball packer - this[_clone](dir => this[_prepareDir](dir) + this.#clone(dir => this.#prepareDir(dir) .then(() => new Promise((res, rej) => { if (!this.Arborist) { throw new Error('GitFetcher requires an Arborist constructor to pack a tarball') @@ -217,7 +207,7 @@ class GitFetcher extends Fetcher { resolved: null, integrity: null, }) - const dirStream = df[_tarballFromResolved]() + const dirStream = df[_.tarballFromResolved]() dirStream.on('error', rej) dirStream.on('end', res) dirStream.pipe(stream) @@ -235,7 +225,7 @@ class GitFetcher extends Fetcher { // TODO: after cloning, create a tarball of the folder, and add to the cache // with cacache.put.stream(), using a key that's deterministic based on the // spec and repo, so that we don't ever clone the same thing multiple times. - [_clone] (handler, tarballOk = true) { + #clone (handler, tarballOk = true) { const o = { tmpPrefix: 'git-clone' } const ref = this.resolvedSha || this.spec.gitCommittish const h = this.spec.hosted @@ -258,7 +248,7 @@ class GitFetcher extends Fetcher { }).extract(tmp).then(() => handler(tmp), er => { // fall back to ssh download if tarball fails if (er.constructor.name.match(/^Http/)) { - return this[_clone](handler, false) + return this.#clone(handler, false) } else { throw er } @@ -266,12 +256,12 @@ class GitFetcher extends Fetcher { } const sha = await ( - h ? this[_cloneHosted](ref, tmp) - : this[_cloneRepo](this.spec.fetchSpec, ref, tmp) + h ? this.#cloneHosted(ref, tmp) + : this.#cloneRepo(this.spec.fetchSpec, ref, tmp) ) this.resolvedSha = sha if (!this.resolved) { - await this[_addGitSha](sha) + await this.#addGitSha(sha) } return handler(tmp) }) @@ -282,9 +272,9 @@ class GitFetcher extends Fetcher { // Fall back to SSH to support private repos // NB: we always store the https url in resolved field if auth // is present, otherwise ssh if the hosted type provides it - [_cloneHosted] (ref, tmp) { + #cloneHosted (ref, tmp) { const hosted = this.spec.hosted - return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp) + return this.#cloneRepo(hosted.https({ noCommittish: true }), ref, tmp) .catch(er => { // Throw early since we know pathspec errors will fail again if retried if (er instanceof git.errors.GitPathspecError) { @@ -295,11 +285,11 @@ class GitFetcher extends Fetcher { if (!ssh || hosted.auth) { throw er } - return this[_cloneRepo](ssh, ref, tmp) + return this.#cloneRepo(ssh, ref, tmp) }) } - [_cloneRepo] (repo, ref, tmp) { + #cloneRepo (repo, ref, tmp) { const { opts, spec } = this return git.clone(repo, ref, tmp, { ...opts, spec }) } @@ -311,8 +301,8 @@ class GitFetcher extends Fetcher { return this.spec.hosted && this.resolved ? FileFetcher.prototype.manifest.apply(this) - : this[_clone](dir => - this[_readPackageJson](dir) + : this.#clone(dir => + this[_.readPackageJson](dir) .then(mani => this.package = { ...mani, _resolved: this.resolved, diff --git a/node_modules/pacote/lib/index.js b/node_modules/pacote/lib/index.js index cbcbd7c92d15f..f35314d275d5f 100644 --- a/node_modules/pacote/lib/index.js +++ b/node_modules/pacote/lib/index.js @@ -5,6 +5,10 @@ const FileFetcher = require('./file.js') const DirFetcher = require('./dir.js') const RemoteFetcher = require('./remote.js') +const tarball = (spec, opts) => get(spec, opts).tarball() +tarball.stream = (spec, handler, opts) => get(spec, opts).tarballStream(handler) +tarball.file = (spec, dest, opts) => get(spec, opts).tarballFile(dest) + module.exports = { GitFetcher, RegistryFetcher, @@ -14,10 +18,6 @@ module.exports = { resolve: (spec, opts) => get(spec, opts).resolve(), extract: (spec, dest, opts) => get(spec, opts).extract(dest), manifest: (spec, opts) => get(spec, opts).manifest(), - tarball: (spec, opts) => get(spec, opts).tarball(), packument: (spec, opts) => get(spec, opts).packument(), + tarball, } -module.exports.tarball.stream = (spec, handler, opts) => - get(spec, opts).tarballStream(handler) -module.exports.tarball.file = (spec, dest, opts) => - get(spec, opts).tarballFile(dest) diff --git a/node_modules/pacote/lib/registry.js b/node_modules/pacote/lib/registry.js index b6a8d49b84f32..f2b5a8a547cc9 100644 --- a/node_modules/pacote/lib/registry.js +++ b/node_modules/pacote/lib/registry.js @@ -1,6 +1,5 @@ const Fetcher = require('./fetcher.js') const RemoteFetcher = require('./remote.js') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') const pacoteVersion = require('../package.json').version const removeTrailingSlashes = require('./util/trailing-slashes.js') const PackageJson = require('@npmcli/package-json') @@ -9,6 +8,8 @@ const ssri = require('ssri') const crypto = require('crypto') const npa = require('npm-package-arg') const sigstore = require('sigstore') +const fetch = require('npm-registry-fetch') +const _ = require('./util/protected.js') // Corgis are cute. 🐕🐶 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*' @@ -18,9 +19,6 @@ const fullDoc = 'application/json' // cutoff date. const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z' -const fetch = require('npm-registry-fetch') - -const _headers = Symbol('_headers') class RegistryFetcher extends Fetcher { constructor (spec, opts) { super(spec, opts) @@ -63,7 +61,7 @@ class RegistryFetcher extends Fetcher { return this.resolved } - [_headers] () { + #headers () { return { // npm will override UA, but ensure that we always send *something* 'user-agent': this.opts.userAgent || @@ -80,7 +78,7 @@ class RegistryFetcher extends Fetcher { // note this might be either an in-flight promise for a request, // or the actual packument, but we never want to make more than // one request at a time for the same thing regardless. - if (this.packumentCache && this.packumentCache.has(this.packumentUrl)) { + if (this.packumentCache?.has(this.packumentUrl)) { return this.packumentCache.get(this.packumentUrl) } @@ -90,21 +88,21 @@ class RegistryFetcher extends Fetcher { try { const res = await fetch(this.packumentUrl, { ...this.opts, - headers: this[_headers](), + headers: this.#headers(), spec: this.spec, + // never check integrity for packuments themselves integrity: null, }) const packument = await res.json() - packument._contentLength = +res.headers.get('content-length') - if (this.packumentCache) { - this.packumentCache.set(this.packumentUrl, packument) + const contentLength = res.headers.get('content-length') + if (contentLength) { + packument._contentLength = Number(contentLength) } + this.packumentCache?.set(this.packumentUrl, packument) return packument } catch (err) { - if (this.packumentCache) { - this.packumentCache.delete(this.packumentUrl) - } + this.packumentCache?.delete(this.packumentUrl) if (err.code !== 'E404' || this.fullMetadata) { throw err } @@ -350,13 +348,13 @@ class RegistryFetcher extends Fetcher { return this.package } - [_tarballFromResolved] () { + [_.tarballFromResolved] () { // we use a RemoteFetcher to get the actual tarball stream return new RemoteFetcher(this.resolved, { ...this.opts, resolved: this.resolved, pkgid: `registry:${this.spec.name}@${this.resolved}`, - })[_tarballFromResolved]() + })[_.tarballFromResolved]() } get types () { diff --git a/node_modules/pacote/lib/remote.js b/node_modules/pacote/lib/remote.js index fd617459fb031..9a743322ace4e 100644 --- a/node_modules/pacote/lib/remote.js +++ b/node_modules/pacote/lib/remote.js @@ -1,12 +1,10 @@ const Fetcher = require('./fetcher.js') const FileFetcher = require('./file.js') -const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') const pacoteVersion = require('../package.json').version const fetch = require('npm-registry-fetch') const { Minipass } = require('minipass') +const _ = require('./util/protected.js') -const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches') -const _headers = Symbol('_headers') class RemoteFetcher extends Fetcher { constructor (spec, opts) { super(spec, opts) @@ -25,17 +23,17 @@ class RemoteFetcher extends Fetcher { // Don't need to cache tarball fetches in pacote, because make-fetch-happen // will write into cacache anyway. - get [_cacheFetches] () { + get [_.cacheFetches] () { return false } - [_tarballFromResolved] () { + [_.tarballFromResolved] () { const stream = new Minipass() stream.hasIntegrityEmitter = true const fetchOpts = { ...this.opts, - headers: this[_headers](), + headers: this.#headers(), spec: this.spec, integrity: this.integrity, algorithms: [this.pickIntegrityAlgorithm()], @@ -59,7 +57,7 @@ class RemoteFetcher extends Fetcher { return stream } - [_headers] () { + #headers () { return { // npm will override this, but ensure that we always send *something* 'user-agent': this.opts.userAgent || diff --git a/node_modules/pacote/lib/util/protected.js b/node_modules/pacote/lib/util/protected.js new file mode 100644 index 0000000000000..3334550150e99 --- /dev/null +++ b/node_modules/pacote/lib/util/protected.js @@ -0,0 +1,11 @@ +const readPackageJson = Symbol.for('package.Fetcher._readPackageJson') +const prepareDir = Symbol('_prepareDir') +const tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved') +const cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches') + +module.exports = { + readPackageJson, + prepareDir, + tarballFromResolved, + cacheFetches, +} diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json index 4c1751644cd57..a391df823b9c6 100644 --- a/node_modules/pacote/package.json +++ b/node_modules/pacote/package.json @@ -1,10 +1,10 @@ { "name": "pacote", - "version": "18.0.3", + "version": "18.0.5", "description": "JavaScript package downloader", "author": "GitHub Inc.", "bin": { - "pacote": "lib/bin.js" + "pacote": "bin/index.js" }, "license": "ISC", "main": "lib/index.js", @@ -27,7 +27,7 @@ "devDependencies": { "@npmcli/arborist": "^7.1.0", "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.21.4", + "@npmcli/template-oss": "4.22.0", "hosted-git-info": "^7.0.0", "mutate-fs": "^2.1.1", "nock": "^13.2.4", @@ -67,11 +67,11 @@ }, "repository": { "type": "git", - "url": "https://github.com/npm/pacote.git" + "url": "git+https://github.com/npm/pacote.git" }, "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.21.4", + "version": "4.22.0", "windowsCI": false, "publish": "true" } diff --git a/package-lock.json b/package-lock.json index b1810d2cd6662..26b2c5856fb69 100644 --- a/package-lock.json +++ b/package-lock.json @@ -138,7 +138,7 @@ "npm-registry-fetch": "^17.0.1", "npm-user-validate": "^2.0.0", "p-map": "^4.0.0", - "pacote": "^18.0.3", + "pacote": "^18.0.5", "parse-conflict-json": "^3.0.1", "proc-log": "^4.2.0", "qrcode-terminal": "^0.12.0", @@ -234,7 +234,7 @@ "json-stringify-safe": "^5.0.1", "nock": "^13.3.3", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "tap": "^16.3.8" }, "engines": { @@ -9456,10 +9456,11 @@ } }, "node_modules/pacote": { - "version": "18.0.3", - "resolved": "https://registry.npmjs.org/pacote/-/pacote-18.0.3.tgz", - "integrity": "sha512-GFCGn27RSf2xa5DHShI7DzI8dCf5F0+9N+fbSpItZvi9ykSouPRXMKzfl2jF35Zoi9QysNF/aqeqQyU2tOJBbA==", + "version": "18.0.5", + "resolved": "https://registry.npmjs.org/pacote/-/pacote-18.0.5.tgz", + "integrity": "sha512-AtbhPJE1gFPFdIb04spfX0UprUL0xK2eOBVVQnDNbLg7/VPrK/NkqgZRv7fkPPMM/zxZukjCkuGh+tZh7arrwQ==", "inBundle": true, + "license": "ISC", "dependencies": { "@npmcli/git": "^5.0.0", "@npmcli/installed-package-contents": "^2.0.1", @@ -9471,7 +9472,7 @@ "minipass": "^7.0.2", "npm-package-arg": "^11.0.0", "npm-packlist": "^8.0.0", - "npm-pick-manifest": "^9.0.1", + "npm-pick-manifest": "^9.0.0", "npm-registry-fetch": "^17.0.0", "proc-log": "^4.0.0", "promise-retry": "^2.0.1", @@ -9480,7 +9481,7 @@ "tar": "^6.1.11" }, "bin": { - "pacote": "lib/bin.js" + "pacote": "bin/index.js" }, "engines": { "node": "^16.14.0 || >=18.0.0" @@ -14811,7 +14812,7 @@ "npm-package-arg": "^11.0.2", "npm-pick-manifest": "^9.0.1", "npm-registry-fetch": "^17.0.1", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "parse-conflict-json": "^3.0.0", "proc-log": "^4.2.0", "proggy": "^2.0.0", @@ -14892,7 +14893,7 @@ "diff": "^5.1.0", "minimatch": "^9.0.4", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "tar": "^6.2.1" }, "devDependencies": { @@ -14912,7 +14913,7 @@ "@npmcli/run-script": "^8.1.0", "ci-info": "^4.0.0", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "proc-log": "^4.2.0", "read": "^3.0.1", "read-package-json-fast": "^3.0.2", @@ -14990,7 +14991,7 @@ "@npmcli/arborist": "^7.2.1", "@npmcli/run-script": "^8.1.0", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1" + "pacote": "^18.0.5" }, "devDependencies": { "@npmcli/eslint-config": "^4.0.0", diff --git a/package.json b/package.json index 239149ca27885..a014a266b79e9 100644 --- a/package.json +++ b/package.json @@ -103,7 +103,7 @@ "npm-registry-fetch": "^17.0.1", "npm-user-validate": "^2.0.0", "p-map": "^4.0.0", - "pacote": "^18.0.3", + "pacote": "^18.0.5", "parse-conflict-json": "^3.0.1", "proc-log": "^4.2.0", "qrcode-terminal": "^0.12.0", diff --git a/workspaces/arborist/package.json b/workspaces/arborist/package.json index 6bc356e34fa54..fb33009648859 100644 --- a/workspaces/arborist/package.json +++ b/workspaces/arborist/package.json @@ -26,7 +26,7 @@ "npm-package-arg": "^11.0.2", "npm-pick-manifest": "^9.0.1", "npm-registry-fetch": "^17.0.1", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "parse-conflict-json": "^3.0.0", "proc-log": "^4.2.0", "proggy": "^2.0.0", diff --git a/workspaces/libnpmdiff/package.json b/workspaces/libnpmdiff/package.json index 60d00018fc381..382f9f43e8d55 100644 --- a/workspaces/libnpmdiff/package.json +++ b/workspaces/libnpmdiff/package.json @@ -52,7 +52,7 @@ "diff": "^5.1.0", "minimatch": "^9.0.4", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "tar": "^6.2.1" }, "templateOSS": { diff --git a/workspaces/libnpmexec/package.json b/workspaces/libnpmexec/package.json index e454739594e5c..cd051b4616a31 100644 --- a/workspaces/libnpmexec/package.json +++ b/workspaces/libnpmexec/package.json @@ -63,7 +63,7 @@ "@npmcli/run-script": "^8.1.0", "ci-info": "^4.0.0", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1", + "pacote": "^18.0.5", "proc-log": "^4.2.0", "read": "^3.0.1", "read-package-json-fast": "^3.0.2", diff --git a/workspaces/libnpmpack/package.json b/workspaces/libnpmpack/package.json index b0bc033b952cf..2bc6553f1ec8d 100644 --- a/workspaces/libnpmpack/package.json +++ b/workspaces/libnpmpack/package.json @@ -39,7 +39,7 @@ "@npmcli/arborist": "^7.2.1", "@npmcli/run-script": "^8.1.0", "npm-package-arg": "^11.0.2", - "pacote": "^18.0.1" + "pacote": "^18.0.5" }, "engines": { "node": "^16.14.0 || >=18.0.0"