This repository has been archived by the owner on Jul 3, 2019. It is now read-only.
feat(integrity): replace http client #72
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zkat
force-pushed
the
zkat/new-fetcher
branch
6 times, most recently
from
3ecef19
to
37a6042
Compare
Fixes: #75 Fixes: #56 Fixes: #47 Fixes: #41 Fixes: #3 This PR changes pacote over from using npm-registry-client for its http stuff with a whole layer slapped on top to using make-fetch-happen. There's some features that are now missing, but those can be filled in before release. New features: * Faster, more robust http client. * Subresource Integrity support for tarball shasums. `corgi.dist.integrity` will be respected * `npm-notice` warnings * `opts.refreshCache` will force a conditional request to make sure the cache is up to date. BREAKING CHANGE: This PR replaces a pretty fundamental chunk of pacote. * Caching now follows standard-ish cache rules for http-related requests. * manifest() no longer includes the `_shasum` field. It's been replaced by `_integrity`, which is a Subresource Integrity hash string containing equivalent data. These strings can be parsed and managed using https://npm.im/ssri. * Any functions that accepted `opts.digest` and/or `opts.hashAlgorithm` now expect `opts.integrity` instead. * Packuments and finalized manifests are now cached using sha512. Tarballs can start using that hash (or any other more secure hash) once registries start supporting them: `packument.dist.integrity` will be prioritized over `packument.shasum`. * If opts.offline is used, a `ENOCACHE` error will be returned.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #56
Fixes: #47
Fixes: #41
Fixes: #3
This PR changes pacote over from using npm-registry-client for
its http stuff with a whole layer slapped on top to using
make-fetch-happen. There's some features that are now missing,
but those can be filled in before release.
New features:
Faster, more robust http client.
Subresource Integrity support for tarball shasums.
corgi.dist.integritywill be respectednpm-noticewarningsopts.refreshCachewill force a conditional request to make sure the cache is up to date.BREAKING CHANGE: This PR replaces a pretty fundamental chunk of pacote.
Caching now follows standard-ish cache rules for http-related requests.
manifest() no longer includes the
_shasumfield. It's been replaced by_integrity, which is a Subresource Integrity hash string containing equivalent data. These strings can be parsed and managed using https://npm.im/ssri.Any functions that accepted
opts.digestand/oropts.hashAlgorithmnow expectopts.integrityinstead.Packuments and finalized manifests are now cached using sha512. Tarballs can start using that hash (or any other more secure hash) once registries start supporting them:
packument.dist.integritywill be prioritized overpackument.shasum.If opts.offline is used, a
ENOCACHEerror will be returned.