-
Notifications
You must be signed in to change notification settings - Fork 40
/
registry.js
161 lines (145 loc) · 5.46 KB
/
registry.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
const Fetcher = require('./fetcher.js')
const RemoteFetcher = require('./remote.js')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const pacoteVersion = require('../package.json').version
const npa = require('npm-package-arg')
const pickManifest = require('npm-pick-manifest')
const ssri = require('ssri')
const Minipass = require('minipass')
// Corgis are cute. 🐕🐶
const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
const fullDoc = 'application/json'
const fetch = require('npm-registry-fetch')
// TODO: memoize reg requests, so we don't even have to check cache
const _headers = Symbol('_headers')
class RegistryFetcher extends Fetcher {
constructor (spec, opts) {
super(spec, opts)
// try to use corgis if available
this.fullMetadata = !!opts.fullMetadata
// handle case when npm-package-arg guesses wrong.
if (this.spec.type === 'tag' &&
this.spec.rawSpec === '' &&
this.tag !== 'latest')
this.spec = npa(`${this.spec.name}@${this.tag}`)
this.registry = fetch.pickRegistry(spec, opts)
this.packumentUrl = this.registry.replace(/\/*$/, '/') +
this.spec.escapedName
// XXX pacote <=9 has some logic to ignore opts.resolved if
// the resolved URL doesn't go to the same registry.
// Consider reproducing that here, to throw away this.resolved
// in that case.
}
resolve () {
if (this.resolved)
return Promise.resolve(this.resolved)
// fetching the manifest sets resolved and (usually) integrity
return this.manifest().then(() => {
if (this.resolved)
return this.resolved
throw Object.assign(
new Error('Invalid package manifest: no `dist.tarball` field'),
{ package: this.spec.toString() }
)
})
}
[_headers] () {
return {
// npm will override UA, but ensure that we always send *something*
'user-agent': this.opts['user-agent'] ||
`pacote/${pacoteVersion} node/${process.version}`,
...(this.opts.headers || {}),
'pacote-version': pacoteVersion,
'pacote-req-type': 'packument',
'pacote-pkg-id': `registry:${this.spec.name}`,
accept: this.fullMetadata ? fullDoc : corgiDoc,
}
}
packument () {
// npm-registry-fetch the packument
// set the appropriate header for corgis if fullMetadata isn't set
// return the res.json() promise
return fetch(this.packumentUrl, {
...this.opts,
headers: this[_headers](),
spec: this.spec,
// never check integrity for packuments themselves
integrity: null,
}).then(res => res.json().then(packument => {
packument._cached = res.headers.has('x-local-cache')
packument._contentLength = +res.headers.get('content-length')
return packument
})).catch(er => {
if (er.code === 'E404' && !this.fullMetadata) {
// possible that corgis are not supported by this registry
this.fullMetadata = true
return this.packument()
}
throw er
})
}
manifest () {
if (this.package)
return Promise.resolve(this.package)
return this.packument()
.then(packument => pickManifest(packument, this.spec.fetchSpec, {
...this.opts,
defaultTag: this.tag,
enjoyBy: this.enjoyBy,
}) /* XXX add ETARGET and E403 revalidation of cached packuments here */)
.then(mani => {
// add _resolved and _integrity from dist object
const { dist } = mani
if (dist) {
this.resolved = mani._resolved = dist.tarball
mani._from = this.from
const distIntegrity = dist.integrity ? ssri.parse(dist.integrity)
: dist.shasum ? ssri.fromHex(dist.shasum, 'sha1', this.opts)
: null
if (distIntegrity) {
if (!this.integrity)
this.integrity = distIntegrity
else if (!this.integrity.match(distIntegrity)) {
// only bork if they have algos in common.
// otherwise we end up breaking if we have saved a sha512
// previously for the tarball, but the manifest only
// provides a sha1, which is possible for older publishes.
// Otherwise, this is almost certainly a case of holding it
// wrong, and will result in weird or insecure behavior
// later on when building package tree.
for (const algo of Object.keys(this.integrity)) {
if (distIntegrity[algo]) {
throw Object.assign(new Error(
`Integrity checksum failed when using ${algo}: `+
`wanted ${this.integrity} but got ${distIntegrity}.`
), { code: 'EINTEGRITY' })
}
}
// made it this far, the integrity is worthwhile. accept it.
this.integrity = this.integrity.concat(distIntegrity)
this.opts.integrity = this.integrity
}
}
}
if (this.integrity)
mani._integrity = String(this.integrity)
return this.package = mani
})
}
[_tarballFromResolved] () {
// we use a RemoteFetcher to get the actual tarball stream
return new RemoteFetcher(this.resolved, {
...this.opts,
resolved: this.resolved,
pkgid: `registry:${this.spec.name}@${this.resolved}`,
})[_tarballFromResolved]()
}
get types () {
return [
'tag',
'version',
'range',
]
}
}
module.exports = RegistryFetcher