@metamask/snaps-controllers 0.38.0-flask.1 → 1.0.0

package/dist/{esm/snaps → snaps}/location/npm.js

@@ -1,66 +1,90 @@
-function _check_private_redeclaration(obj, privateCollection) {
-    if (privateCollection.has(obj)) {
-        throw new TypeError("Cannot initialize the same private elements twice on an object");
-    }
-}
-function _class_private_method_get(receiver, privateSet, fn) {
-    if (!privateSet.has(receiver)) {
-        throw new TypeError("attempted to get private field on non-instance");
-    }
-    return fn;
-}
-function _class_private_method_init(obj, privateSet) {
-    _check_private_redeclaration(obj, privateSet);
-    privateSet.add(obj);
-}
-function _define_property(obj, key, value) {
-    if (key in obj) {
-        Object.defineProperty(obj, key, {
-            value: value,
-            enumerable: true,
-            configurable: true,
-            writable: true
-        });
-    } else {
-        obj[key] = value;
+"use strict";
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var _NpmLocation_instances, _NpmLocation_lazyInit;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NpmLocation = void 0;
+const snaps_utils_1 = require("@metamask/snaps-utils");
+const utils_1 = require("@metamask/utils");
+const concat_stream_1 = __importDefault(require("concat-stream"));
+const gunzip_maybe_1 = __importDefault(require("gunzip-maybe"));
+const pump_1 = __importDefault(require("pump"));
+const readable_web_to_node_stream_1 = require("readable-web-to-node-stream");
+const tar_stream_1 = require("tar-stream");
+const DEFAULT_NPM_REGISTRY = 'https://registry.npmjs.org';
+class NpmLocation {
+    constructor(url, opts = {}) {
+        _NpmLocation_instances.add(this);
+        const allowCustomRegistries = opts.allowCustomRegistries ?? false;
+        const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
+        const requestedRange = opts.versionRange ?? snaps_utils_1.DEFAULT_REQUESTED_SNAP_VERSION;
+        (0, utils_1.assertStruct)(url.toString(), snaps_utils_1.NpmSnapIdStruct, 'Invalid Snap Id: ');
+        let registry;
+        if (url.host === '' &&
+            url.port === '' &&
+            url.username === '' &&
+            url.password === '') {
+            registry = new URL(DEFAULT_NPM_REGISTRY);
+        }
+        else {
+            registry = 'https://';
+            if (url.username) {
+                registry += url.username;
+                if (url.password) {
+                    registry += `:${url.password}`;
+                }
+                registry += '@';
+            }
+            registry += url.host;
+            registry = new URL(registry);
+            (0, utils_1.assert)(allowCustomRegistries, new TypeError(`Custom NPM registries are disabled, tried to use "${registry.toString()}".`));
+        }
+        (0, utils_1.assert)(registry.pathname === '/' &&
+            registry.search === '' &&
+            registry.hash === '');
+        (0, utils_1.assert)(url.pathname !== '' && url.pathname !== '/', new TypeError('The package name in NPM location is empty.'));
+        let packageName = url.pathname;
+        if (packageName.startsWith('/')) {
+            packageName = packageName.slice(1);
+        }
+        this.meta = {
+            requestedRange,
+            registry,
+            packageName,
+            fetch: fetchFunction,
+        };
     }
-    return obj;
-}
-import { createSnapManifest, DEFAULT_REQUESTED_SNAP_VERSION, getTargetVersion, isValidUrl, NpmSnapIdStruct, VirtualFile, normalizeRelative, parseJson } from '@metamask/snaps-utils';
-import { assert, assertIsSemVerVersion, assertStruct, isObject } from '@metamask/utils';
-import concat from 'concat-stream';
-import createGunzipStream from 'gunzip-maybe';
-import pump from 'pump';
-import { ReadableWebToNodeStream } from 'readable-web-to-node-stream';
-import { extract as tarExtract } from 'tar-stream';
-export const DEFAULT_NPM_REGISTRY = 'https://registry.npmjs.org';
-var _lazyInit = /*#__PURE__*/ new WeakSet();
-export class NpmLocation {
     async manifest() {
         if (this.validatedManifest) {
             return this.validatedManifest.clone();
         }
         const vfile = await this.fetch('snap.manifest.json');
-        const result = parseJson(vfile.toString());
-        vfile.result = createSnapManifest(result);
+        const result = (0, snaps_utils_1.parseJson)(vfile.toString());
+        vfile.result = (0, snaps_utils_1.createSnapManifest)(result);
         this.validatedManifest = vfile;
         return this.manifest();
     }
     async fetch(path) {
-        const relativePath = normalizeRelative(path);
+        const relativePath = (0, snaps_utils_1.normalizeRelative)(path);
         if (!this.files) {
-            await _class_private_method_get(this, _lazyInit, lazyInit).call(this);
-            assert(this.files !== undefined);
+            await __classPrivateFieldGet(this, _NpmLocation_instances, "m", _NpmLocation_lazyInit).call(this);
+            (0, utils_1.assert)(this.files !== undefined);
         }
         const vfile = this.files.get(relativePath);
-        assert(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
+        (0, utils_1.assert)(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
         return vfile.clone();
     }
     get packageName() {
         return this.meta.packageName;
     }
     get version() {
-        assert(this.meta.version !== undefined, 'Tried to access version without first fetching NPM package.');
+        (0, utils_1.assert)(this.meta.version !== undefined, 'Tried to access version without first fetching NPM package.');
         return this.meta.version;
     }
     get registry() {
@@ -69,47 +93,10 @@ export class NpmLocation {
     get versionRange() {
         return this.meta.requestedRange;
     }
-    constructor(url, opts = {}){
-        _class_private_method_init(this, _lazyInit);
-        _define_property(this, "meta", void 0);
-        _define_property(this, "validatedManifest", void 0);
-        _define_property(this, "files", void 0);
-        const allowCustomRegistries = opts.allowCustomRegistries ?? false;
-        const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
-        const requestedRange = opts.versionRange ?? DEFAULT_REQUESTED_SNAP_VERSION;
-        assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');
-        let registry;
-        if (url.host === '' && url.port === '' && url.username === '' && url.password === '') {
-            registry = new URL(DEFAULT_NPM_REGISTRY);
-        } else {
-            registry = 'https://';
-            if (url.username) {
-                registry += url.username;
-                if (url.password) {
-                    registry += `:${url.password}`;
-                }
-                registry += '@';
-            }
-            registry += url.host;
-            registry = new URL(registry);
-            assert(allowCustomRegistries, new TypeError(`Custom NPM registries are disabled, tried to use "${registry.toString()}".`));
-        }
-        assert(registry.pathname === '/' && registry.search === '' && registry.hash === '');
-        assert(url.pathname !== '' && url.pathname !== '/', new TypeError('The package name in NPM location is empty.'));
-        let packageName = url.pathname;
-        if (packageName.startsWith('/')) {
-            packageName = packageName.slice(1);
-        }
-        this.meta = {
-            requestedRange,
-            registry,
-            packageName,
-            fetch: fetchFunction
-        };
-    }
 }
-async function lazyInit() {
-    assert(this.files === undefined);
+exports.NpmLocation = NpmLocation;
+_NpmLocation_instances = new WeakSet(), _NpmLocation_lazyInit = async function _NpmLocation_lazyInit() {
+    (0, utils_1.assert)(this.files === undefined);
     const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, this.meta.requestedRange, this.meta.registry, this.meta.fetch);
     this.meta.version = actualVersion;
     let canonicalBase = 'npm://';
@@ -123,42 +110,22 @@ async function lazyInit() {
     canonicalBase += this.meta.registry.host;
     // TODO(ritave): Lazily extract files instead of up-front extracting all of them
     //               We would need to replace tar-stream package because it requires immediate consumption of streams.
-    await new Promise((resolve, reject)=>{
+    await new Promise((resolve, reject) => {
         this.files = new Map();
-        pump(getNodeStream(tarballResponse), // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
+        (0, pump_1.default)(getNodeStream(tarballResponse), 
+        // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
         // before we can actually grab any files from it.
         // To prevent recursion-based zip bombs, we set a maximum recursion depth of 1.
-        createGunzipStream(1), createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files), (error)=>{
+        (0, gunzip_maybe_1.default)(1), createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files), (error) => {
             error ? reject(error) : resolve();
         });
     });
-}
+};
 // Safety limit for tarballs, 250 MB in bytes
 const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
-/**
- * Fetches the NPM metadata of the specified package from
- * the public npm registry.
- *
- * @param packageName - The name of the package whose metadata to fetch.
- * @param registryUrl - The URL of the npm registry to fetch the metadata from.
- * @param fetchFunction - The fetch function to use. Defaults to the global
- * {@link fetch}. Useful for Node.js compatibility.
- * @returns The NPM metadata object.
- * @throws If fetching the metadata fails.
- */ export async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) {
-    const packageResponse = await fetchFunction(new URL(packageName, registryUrl).toString());
-    if (!packageResponse.ok) {
-        throw new Error(`Failed to fetch NPM registry entry. Status code: ${packageResponse.status}.`);
-    }
-    const packageMetadata = await packageResponse.json();
-    if (!isObject(packageMetadata)) {
-        throw new Error(`Failed to fetch package "${packageName}" metadata from npm.`);
-    }
-    return packageMetadata;
-}
 /**
  * Fetches the tarball (`.tgz` file) of the specified package and version from
- * the public npm registry.
+ * the public npm registry. Throws an error if fetching fails.
  *
  * @param packageName - The name of the package whose tarball to fetch.
  * @param versionRange - The SemVer range of the package to fetch. The highest
@@ -168,19 +135,28 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
  * {@link fetch}. Useful for Node.js compatibility.
  * @returns A tuple of the {@link Response} for the package tarball and the
  * actual version of the package.
- * @throws If fetching the tarball fails.
- */ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
-    const packageMetadata = await fetchNpmMetadata(packageName, registryUrl, fetchFunction);
-    const versions = Object.keys(packageMetadata?.versions ?? {}).map((version)=>{
-        assertIsSemVerVersion(version);
+ */
+async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
+    const packageResponse = await fetchFunction(new URL(packageName, registryUrl).toString());
+    if (!packageResponse.ok) {
+        throw new Error(`Failed to fetch NPM registry entry. Status code: ${packageResponse.status}.`);
+    }
+    const packageMetadata = await packageResponse.json();
+    if (!(0, utils_1.isObject)(packageMetadata)) {
+        throw new Error(`Failed to fetch package "${packageName}" metadata from npm.`);
+    }
+    const versions = Object.keys(packageMetadata?.versions ?? {}).map((version) => {
+        (0, utils_1.assertIsSemVerVersion)(version);
         return version;
     });
-    const targetVersion = getTargetVersion(versions, versionRange);
+    const targetVersion = (0, snaps_utils_1.getTargetVersion)(versions, versionRange);
     if (targetVersion === null) {
         throw new Error(`Failed to find a matching version in npm metadata for package "${packageName}" and requested semver range "${versionRange}".`);
     }
-    const tarballUrlString = packageMetadata?.versions?.[targetVersion]?.dist?.tarball;
-    if (!isValidUrl(tarballUrlString) || !tarballUrlString.toString().endsWith('.tgz')) {
+    const tarballUrlString = packageMetadata?.versions?.[targetVersion]
+        ?.dist?.tarball;
+    if (!(0, snaps_utils_1.isValidUrl)(tarballUrlString) ||
+        !tarballUrlString.toString().endsWith('.tgz')) {
         throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`);
     }
     // Override the tarball hostname/protocol with registryUrl hostname/protocol
@@ -195,18 +171,16 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
     }
     // We assume that NPM is a good actor and provides us with a valid `content-length` header.
     const tarballSizeString = tarballResponse.headers.get('content-length');
-    assert(tarballSizeString, 'Snap tarball has invalid content-length');
+    (0, utils_1.assert)(tarballSizeString, 'Snap tarball has invalid content-length');
     const tarballSize = parseInt(tarballSizeString, 10);
-    assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
-    return [
-        tarballResponse.body,
-        targetVersion
-    ];
+    (0, utils_1.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
+    return [tarballResponse.body, targetVersion];
 }
 /**
  * The paths of files within npm tarballs appear to always be prefixed with
  * "package/".
- */ const NPM_TARBALL_PATH_PREFIX = /^package\//u;
+ */
+const NPM_TARBALL_PATH_PREFIX = /^package\//u;
 /**
  * Converts a {@link ReadableStream} to a Node.js {@link Readable}
  * stream. Returns the stream directly if it is already a Node.js stream.
@@ -215,11 +189,12 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
  *
  * @param stream - The stream to convert.
  * @returns The given stream as a Node.js Readable stream.
- */ function getNodeStream(stream) {
+ */
+function getNodeStream(stream) {
     if (typeof stream.getReader !== 'function') {
         return stream;
     }
-    return new ReadableWebToNodeStream(stream);
+    return new readable_web_to_node_stream_1.ReadableWebToNodeStream(stream);
 }
 /**
  * Creates a `tar-stream` that will get the necessary files from an npm Snap
@@ -228,37 +203,39 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
  * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. Will be used for canonicalPath vfile argument.
  * @param files - An object to write target file contents to.
  * @returns The {@link Writable} tarball extraction stream.
- */ function createTarballStream(canonicalBase, files) {
-    assert(canonicalBase.endsWith('/'), "Base needs to end with '/' for relative paths to be added as children instead of siblings.");
-    assert(canonicalBase.startsWith('npm:'), 'Protocol mismatch, expected "npm:".');
+ */
+function createTarballStream(canonicalBase, files) {
+    (0, utils_1.assert)(canonicalBase.endsWith('/'), "Base needs to end with '/' for relative paths to be added as children instead of siblings.");
+    (0, utils_1.assert)(canonicalBase.startsWith('npm:'), 'Protocol mismatch, expected "npm:".');
     // `tar-stream` is pretty old-school, so we create it first and then
     // instrument it by adding event listeners.
-    const extractStream = tarExtract();
+    const extractStream = (0, tar_stream_1.extract)();
     let totalSize = 0;
     // "entry" is fired for every discreet entity in the tarball. This includes
     // files and folders.
-    extractStream.on('entry', (header, entryStream, next)=>{
+    extractStream.on('entry', (header, entryStream, next) => {
         const { name: headerName, type: headerType } = header;
         if (headerType === 'file') {
             // The name is a path if the header type is "file".
             const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');
-            return entryStream.pipe(concat((data)=>{
+            return entryStream.pipe((0, concat_stream_1.default)((data) => {
                 try {
                     totalSize += data.byteLength;
                     // To prevent zip bombs, we set a safety limit for the total size of tarballs.
-                    assert(totalSize < TARBALL_SIZE_SAFETY_LIMIT, `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`);
-                    const vfile = new VirtualFile({
+                    (0, utils_1.assert)(totalSize < TARBALL_SIZE_SAFETY_LIMIT, `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`);
+                    const vfile = new snaps_utils_1.VirtualFile({
                         value: data,
                         path,
                         data: {
-                            canonicalPath: new URL(path, canonicalBase).toString()
-                        }
+                            canonicalPath: new URL(path, canonicalBase).toString(),
+                        },
                     });
                     // We disallow files having identical paths as it may confuse our checksum calculations.
-                    assert(!files.has(path), 'Malformed tarball, multiple files with the same path.');
+                    (0, utils_1.assert)(!files.has(path), 'Malformed tarball, multiple files with the same path.');
                     files.set(path, vfile);
                     return next();
-                } catch (error) {
+                }
+                catch (error) {
                     return extractStream.destroy(error);
                 }
             }));
@@ -266,10 +243,9 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
         // If we get here, the entry is not a file, and we want to ignore. The entry
         // stream must be drained, or the extractStream will stop reading. This is
         // effectively a no-op for the current entry.
-        entryStream.on('end', ()=>next());
+        entryStream.on('end', () => next());
         return entryStream.resume();
     });
     return extractStream;
 }
-
 //# sourceMappingURL=npm.js.map

package/dist/snaps/location/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sourceRoot":"","sources":["../../../src/snaps/location/npm.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uDAU+B;AAC/B,2CAOyB;AACzB,kEAAmC;AACnC,gEAA8C;AAC9C,gDAAwB;AACxB,6EAAsE;AAEtE,2CAAmD;AAInD,MAAM,oBAAoB,GAAG,4BAA4B,CAAC;AAsB1D,MAAa,WAAW;IAOtB,YAAY,GAAQ,EAAE,OAAkC,EAAE;;QACxD,MAAM,qBAAqB,GAAG,IAAI,CAAC,qBAAqB,IAAI,KAAK,CAAC;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtE,MAAM,cAAc,GAAG,IAAI,CAAC,YAAY,IAAI,4CAA8B,CAAC;QAE3E,IAAA,oBAAY,EAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,6BAAe,EAAE,mBAAmB,CAAC,CAAC;QAEnE,IAAI,QAAsB,CAAC;QAC3B,IACE,GAAG,CAAC,IAAI,KAAK,EAAE;YACf,GAAG,CAAC,IAAI,KAAK,EAAE;YACf,GAAG,CAAC,QAAQ,KAAK,EAAE;YACnB,GAAG,CAAC,QAAQ,KAAK,EAAE,EACnB;YACA,QAAQ,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,CAAC;SAC1C;aAAM;YACL,QAAQ,GAAG,UAAU,CAAC;YACtB,IAAI,GAAG,CAAC,QAAQ,EAAE;gBAChB,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC;gBACzB,IAAI,GAAG,CAAC,QAAQ,EAAE;oBAChB,QAAQ,IAAI,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;iBAChC;gBACD,QAAQ,IAAI,GAAG,CAAC;aACjB;YACD,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC;YACrB,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7B,IAAA,cAAM,EACJ,qBAAqB,EACrB,IAAI,SAAS,CACX,qDAAqD,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAC7E,CACF,CAAC;SACH;QAED,IAAA,cAAM,EACJ,QAAQ,CAAC,QAAQ,KAAK,GAAG;YACvB,QAAQ,CAAC,MAAM,KAAK,EAAE;YACtB,QAAQ,CAAC,IAAI,KAAK,EAAE,CACvB,CAAC;QAEF,IAAA,cAAM,EACJ,GAAG,CAAC,QAAQ,KAAK,EAAE,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAC3C,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAC5D,CAAC;QACF,IAAI,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC/B,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YAC/B,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACpC;QAED,IAAI,CAAC,IAAI,GAAG;YACV,cAAc;YACd,QAAQ;YACR,WAAW;YACX,KAAK,EAAE,aAAa;SACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,IAAI,IAAI,CAAC,iBAAiB,EAAE;YAC1B,OAAO,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;SACvC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAA,uBAAS,EAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3C,KAAK,CAAC,MAAM,GAAG,IAAA,gCAAkB,EAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,iBAAiB,GAAG,KAAkC,CAAC;QAE5D,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,IAAY;QACtB,MAAM,YAAY,GAAG,IAAA,+BAAiB,EAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;YACf,MAAM,uBAAA,IAAI,qDAAU,MAAd,IAAI,CAAY,CAAC;YACvB,IAAA,cAAM,EAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC;SAClC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAA,cAAM,EACJ,KAAK,KAAK,SAAS,EACnB,IAAI,SAAS,CAAC,SAAS,IAAI,yBAAyB,CAAC,CACtD,CAAC;QACF,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO;QACT,IAAA,cAAM,EACJ,IAAI,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,EAC/B,6DAA6D,CAC9D,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;IAC3B,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;IAClC,CAAC;CA0CF;AAvJD,kCAuJC;gEAxCC,KAAK;IACH,IAAA,cAAM,EAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,EAAE,aAAa,CAAC,GAAG,MAAM,eAAe,CAC5D,IAAI,CAAC,IAAI,CAAC,WAAW,EACrB,IAAI,CAAC,IAAI,CAAC,cAAc,EACxB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAClB,IAAI,CAAC,IAAI,CAAC,KAAK,CAChB,CAAC;IACF,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC;IAElC,IAAI,aAAa,GAAG,QAAQ,CAAC;IAC7B,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,EAAE,EAAE;QACtC,aAAa,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC7C,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,EAAE,EAAE;YACtC,aAAa,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;SACpD;QACD,aAAa,IAAI,GAAG,CAAC;KACtB;IACD,aAAa,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAEzC,gFAAgF;IAChF,kHAAkH;IAClH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,IAAA,cAAI,EACF,aAAa,CAAC,eAAe,CAAC;QAC9B,4EAA4E;QAC5E,iDAAiD;QACjD,+EAA+E;QAC/E,IAAA,sBAAkB,EAAC,CAAC,CAAC,EACrB,mBAAmB,CACjB,GAAG,aAAa,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,GAAG,EAC5C,IAAI,CAAC,KAAK,CACX,EACD,CAAC,KAAK,EAAE,EAAE;YACR,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACpC,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAGH,6CAA6C;AAC7C,MAAM,yBAAyB,GAAG,SAAS,CAAC;AAE5C;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,eAAe,CAC5B,WAAmB,EACnB,YAAyB,EACzB,WAAyB,EACzB,aAA2B;IAE3B,MAAM,eAAe,GAAG,MAAM,aAAa,CACzC,IAAI,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAC7C,CAAC;IACF,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE;QACvB,MAAM,IAAI,KAAK,CACb,oDAAoD,eAAe,CAAC,MAAM,GAAG,CAC9E,CAAC;KACH;IACD,MAAM,eAAe,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC;IAErD,IAAI,CAAC,IAAA,gBAAQ,EAAC,eAAe,CAAC,EAAE;QAC9B,MAAM,IAAI,KAAK,CACb,4BAA4B,WAAW,sBAAsB,CAC9D,CAAC;KACH;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAE,eAAuB,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CACxE,CAAC,OAAO,EAAE,EAAE;QACV,IAAA,6BAAqB,EAAC,OAAO,CAAC,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC,CACF,CAAC;IAEF,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IAE/D,IAAI,aAAa,KAAK,IAAI,EAAE;QAC1B,MAAM,IAAI,KAAK,CACb,kEAAkE,WAAW,iCAAiC,YAAY,IAAI,CAC/H,CAAC;KACH;IAED,MAAM,gBAAgB,GAAI,eAAuB,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC;QAC1E,EAAE,IAAI,EAAE,OAAO,CAAC;IAElB,IACE,CAAC,IAAA,wBAAU,EAAC,gBAAgB,CAAC;QAC7B,CAAC,gBAAgB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAC7C;QACA,MAAM,IAAI,KAAK,CACb,iEAAiE,WAAW,IAAI,CACjF,CAAC;KACH;IAED,4EAA4E;IAC5E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAC5C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAChD,aAAa,CAAC,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC;IACjD,aAAa,CAAC,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC;IAEjD,kEAAkE;IAClE,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC,CAAC;IACtE,IAAI,CAAC,eAAe,CAAC,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE;QAChD,MAAM,IAAI,KAAK,CAAC,wCAAwC,WAAW,IAAI,CAAC,CAAC;KAC1E;IACD,2FAA2F;IAC3F,MAAM,iBAAiB,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACxE,IAAA,cAAM,EAAC,iBAAiB,EAAE,yCAAyC,CAAC,CAAC;IACrE,MAAM,WAAW,GAAG,QAAQ,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;IACpD,IAAA,cAAM,EACJ,WAAW,IAAI,yBAAyB,EACxC,iCAAiC,CAClC,CAAC;IACF,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,uBAAuB,GAAG,aAAa,CAAC;AAE9C;;;;;;;;GAQG;AACH,SAAS,aAAa,CAAC,MAAsB;IAC3C,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,UAAU,EAAE;QAC1C,OAAO,MAA6B,CAAC;KACtC;IAED,OAAO,IAAI,qDAAuB,CAAC,MAAM,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,mBAAmB,CAC1B,aAAqB,EACrB,KAA+B;IAE/B,IAAA,cAAM,EACJ,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAC3B,4FAA4F,CAC7F,CAAC;IAEF,IAAA,cAAM,EACJ,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,EAChC,qCAAqC,CACtC,CAAC;IACF,oEAAoE;IACpE,2CAA2C;IAC3C,MAAM,aAAa,GAAG,IAAA,oBAAU,GAAE,CAAC;IAEnC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,2EAA2E;IAC3E,qBAAqB;IACrB,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE;QACtD,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;QACtD,IAAI,UAAU,KAAK,MAAM,EAAE;YACzB,mDAAmD;YACnD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;YAC7D,OAAO,WAAW,CAAC,IAAI,CACrB,IAAA,uBAAM,EAAC,CAAC,IAAI,EAAE,EAAE;gBACd,IAAI;oBACF,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC;oBAC7B,8EAA8E;oBAC9E,IAAA,cAAM,EACJ,SAAS,GAAG,yBAAyB,EACrC,iCAAiC,yBAAyB,SAAS,CACpE,CAAC;oBACF,MAAM,KAAK,GAAG,IAAI,yBAAW,CAAC;wBAC5B,KAAK,EAAE,IAAI;wBACX,IAAI;wBACJ,IAAI,EAAE;4BACJ,aAAa,EAAE,IAAI,GAAG,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,QAAQ,EAAE;yBACvD;qBACF,CAAC,CAAC;oBACH,wFAAwF;oBACxF,IAAA,cAAM,EACJ,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAChB,uDAAuD,CACxD,CAAC;oBACF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBACvB,OAAO,IAAI,EAAE,CAAC;iBACf;gBAAC,OAAO,KAAK,EAAE;oBACd,OAAO,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;iBACrC;YACH,CAAC,CAAC,CACH,CAAC;SACH;QAED,4EAA4E;QAC5E,0EAA0E;QAC1E,6CAA6C;QAC7C,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;QACpC,OAAO,WAAW,CAAC,MAAM,EAAE,CAAC;IAC9B,CAAC,CAAC,CAAC;IACH,OAAO,aAAa,CAAC;AACvB,CAAC","sourcesContent":["import {\n  createSnapManifest,\n  DEFAULT_REQUESTED_SNAP_VERSION,\n  getTargetVersion,\n  isValidUrl,\n  NpmSnapIdStruct,\n  SnapManifest,\n  VirtualFile,\n  normalizeRelative,\n  parseJson,\n} from '@metamask/snaps-utils';\nimport {\n  assert,\n  assertIsSemVerVersion,\n  assertStruct,\n  isObject,\n  SemVerRange,\n  SemVerVersion,\n} from '@metamask/utils';\nimport concat from 'concat-stream';\nimport createGunzipStream from 'gunzip-maybe';\nimport pump from 'pump';\nimport { ReadableWebToNodeStream } from 'readable-web-to-node-stream';\nimport { Readable, Writable } from 'stream';\nimport { extract as tarExtract } from 'tar-stream';\n\nimport { DetectSnapLocationOptions, SnapLocation } from './location';\n\nconst DEFAULT_NPM_REGISTRY = 'https://registry.npmjs.org';\n\ninterface NpmMeta {\n  registry: URL;\n  packageName: string;\n  requestedRange: SemVerRange;\n  version?: string;\n  fetch: typeof fetch;\n}\nexport interface NpmOptions {\n  /**\n   * @default DEFAULT_REQUESTED_SNAP_VERSION\n   */\n  versionRange?: SemVerRange;\n  /**\n   * Whether to allow custom NPM registries outside of {@link DEFAULT_NPM_REGISTRY}.\n   *\n   * @default false\n   */\n  allowCustomRegistries?: boolean;\n}\n\nexport class NpmLocation implements SnapLocation {\n  private readonly meta: NpmMeta;\n\n  private validatedManifest?: VirtualFile<SnapManifest>;\n\n  private files?: Map<string, VirtualFile>;\n\n  constructor(url: URL, opts: DetectSnapLocationOptions = {}) {\n    const allowCustomRegistries = opts.allowCustomRegistries ?? false;\n    const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);\n    const requestedRange = opts.versionRange ?? DEFAULT_REQUESTED_SNAP_VERSION;\n\n    assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');\n\n    let registry: string | URL;\n    if (\n      url.host === '' &&\n      url.port === '' &&\n      url.username === '' &&\n      url.password === ''\n    ) {\n      registry = new URL(DEFAULT_NPM_REGISTRY);\n    } else {\n      registry = 'https://';\n      if (url.username) {\n        registry += url.username;\n        if (url.password) {\n          registry += `:${url.password}`;\n        }\n        registry += '@';\n      }\n      registry += url.host;\n      registry = new URL(registry);\n      assert(\n        allowCustomRegistries,\n        new TypeError(\n          `Custom NPM registries are disabled, tried to use \"${registry.toString()}\".`,\n        ),\n      );\n    }\n\n    assert(\n      registry.pathname === '/' &&\n        registry.search === '' &&\n        registry.hash === '',\n    );\n\n    assert(\n      url.pathname !== '' && url.pathname !== '/',\n      new TypeError('The package name in NPM location is empty.'),\n    );\n    let packageName = url.pathname;\n    if (packageName.startsWith('/')) {\n      packageName = packageName.slice(1);\n    }\n\n    this.meta = {\n      requestedRange,\n      registry,\n      packageName,\n      fetch: fetchFunction,\n    };\n  }\n\n  async manifest(): Promise<VirtualFile<SnapManifest>> {\n    if (this.validatedManifest) {\n      return this.validatedManifest.clone();\n    }\n\n    const vfile = await this.fetch('snap.manifest.json');\n    const result = parseJson(vfile.toString());\n    vfile.result = createSnapManifest(result);\n    this.validatedManifest = vfile as VirtualFile<SnapManifest>;\n\n    return this.manifest();\n  }\n\n  async fetch(path: string): Promise<VirtualFile> {\n    const relativePath = normalizeRelative(path);\n    if (!this.files) {\n      await this.#lazyInit();\n      assert(this.files !== undefined);\n    }\n    const vfile = this.files.get(relativePath);\n    assert(\n      vfile !== undefined,\n      new TypeError(`File \"${path}\" not found in package.`),\n    );\n    return vfile.clone();\n  }\n\n  get packageName(): string {\n    return this.meta.packageName;\n  }\n\n  get version(): string {\n    assert(\n      this.meta.version !== undefined,\n      'Tried to access version without first fetching NPM package.',\n    );\n    return this.meta.version;\n  }\n\n  get registry(): URL {\n    return this.meta.registry;\n  }\n\n  get versionRange(): SemVerRange {\n    return this.meta.requestedRange;\n  }\n\n  async #lazyInit() {\n    assert(this.files === undefined);\n    const [tarballResponse, actualVersion] = await fetchNpmTarball(\n      this.meta.packageName,\n      this.meta.requestedRange,\n      this.meta.registry,\n      this.meta.fetch,\n    );\n    this.meta.version = actualVersion;\n\n    let canonicalBase = 'npm://';\n    if (this.meta.registry.username !== '') {\n      canonicalBase += this.meta.registry.username;\n      if (this.meta.registry.password !== '') {\n        canonicalBase += `:${this.meta.registry.password}`;\n      }\n      canonicalBase += '@';\n    }\n    canonicalBase += this.meta.registry.host;\n\n    // TODO(ritave): Lazily extract files instead of up-front extracting all of them\n    //               We would need to replace tar-stream package because it requires immediate consumption of streams.\n    await new Promise<void>((resolve, reject) => {\n      this.files = new Map();\n      pump(\n        getNodeStream(tarballResponse),\n        // The \"gz\" in \"tgz\" stands for \"gzip\". The tarball needs to be decompressed\n        // before we can actually grab any files from it.\n        // To prevent recursion-based zip bombs, we set a maximum recursion depth of 1.\n        createGunzipStream(1),\n        createTarballStream(\n          `${canonicalBase}/${this.meta.packageName}/`,\n          this.files,\n        ),\n        (error) => {\n          error ? reject(error) : resolve();\n        },\n      );\n    });\n  }\n}\n\n// Safety limit for tarballs, 250 MB in bytes\nconst TARBALL_SIZE_SAFETY_LIMIT = 262144000;\n\n/**\n * Fetches the tarball (`.tgz` file) of the specified package and version from\n * the public npm registry. Throws an error if fetching fails.\n *\n * @param packageName - The name of the package whose tarball to fetch.\n * @param versionRange - The SemVer range of the package to fetch. The highest\n * version satisfying the range will be fetched.\n * @param registryUrl - The URL of the npm registry to fetch the tarball from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns A tuple of the {@link Response} for the package tarball and the\n * actual version of the package.\n */\nasync function fetchNpmTarball(\n  packageName: string,\n  versionRange: SemVerRange,\n  registryUrl: URL | string,\n  fetchFunction: typeof fetch,\n): Promise<[ReadableStream, SemVerVersion]> {\n  const packageResponse = await fetchFunction(\n    new URL(packageName, registryUrl).toString(),\n  );\n  if (!packageResponse.ok) {\n    throw new Error(\n      `Failed to fetch NPM registry entry. Status code: ${packageResponse.status}.`,\n    );\n  }\n  const packageMetadata = await packageResponse.json();\n\n  if (!isObject(packageMetadata)) {\n    throw new Error(\n      `Failed to fetch package \"${packageName}\" metadata from npm.`,\n    );\n  }\n\n  const versions = Object.keys((packageMetadata as any)?.versions ?? {}).map(\n    (version) => {\n      assertIsSemVerVersion(version);\n      return version;\n    },\n  );\n\n  const targetVersion = getTargetVersion(versions, versionRange);\n\n  if (targetVersion === null) {\n    throw new Error(\n      `Failed to find a matching version in npm metadata for package \"${packageName}\" and requested semver range \"${versionRange}\".`,\n    );\n  }\n\n  const tarballUrlString = (packageMetadata as any)?.versions?.[targetVersion]\n    ?.dist?.tarball;\n\n  if (\n    !isValidUrl(tarballUrlString) ||\n    !tarballUrlString.toString().endsWith('.tgz')\n  ) {\n    throw new Error(\n      `Failed to find valid tarball URL in NPM metadata for package \"${packageName}\".`,\n    );\n  }\n\n  // Override the tarball hostname/protocol with registryUrl hostname/protocol\n  const newRegistryUrl = new URL(registryUrl);\n  const newTarballUrl = new URL(tarballUrlString);\n  newTarballUrl.hostname = newRegistryUrl.hostname;\n  newTarballUrl.protocol = newRegistryUrl.protocol;\n\n  // Perform a raw fetch because we want the Response object itself.\n  const tarballResponse = await fetchFunction(newTarballUrl.toString());\n  if (!tarballResponse.ok || !tarballResponse.body) {\n    throw new Error(`Failed to fetch tarball for package \"${packageName}\".`);\n  }\n  // We assume that NPM is a good actor and provides us with a valid `content-length` header.\n  const tarballSizeString = tarballResponse.headers.get('content-length');\n  assert(tarballSizeString, 'Snap tarball has invalid content-length');\n  const tarballSize = parseInt(tarballSizeString, 10);\n  assert(\n    tarballSize <= TARBALL_SIZE_SAFETY_LIMIT,\n    'Snap tarball exceeds size limit',\n  );\n  return [tarballResponse.body, targetVersion];\n}\n\n/**\n * The paths of files within npm tarballs appear to always be prefixed with\n * \"package/\".\n */\nconst NPM_TARBALL_PATH_PREFIX = /^package\\//u;\n\n/**\n * Converts a {@link ReadableStream} to a Node.js {@link Readable}\n * stream. Returns the stream directly if it is already a Node.js stream.\n * We can't use the native Web {@link ReadableStream} directly because the\n * other stream libraries we use expect Node.js streams.\n *\n * @param stream - The stream to convert.\n * @returns The given stream as a Node.js Readable stream.\n */\nfunction getNodeStream(stream: ReadableStream): Readable {\n  if (typeof stream.getReader !== 'function') {\n    return stream as unknown as Readable;\n  }\n\n  return new ReadableWebToNodeStream(stream);\n}\n\n/**\n * Creates a `tar-stream` that will get the necessary files from an npm Snap\n * package tarball (`.tgz` file).\n *\n * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. Will be used for canonicalPath vfile argument.\n * @param files - An object to write target file contents to.\n * @returns The {@link Writable} tarball extraction stream.\n */\nfunction createTarballStream(\n  canonicalBase: string,\n  files: Map<string, VirtualFile>,\n): Writable {\n  assert(\n    canonicalBase.endsWith('/'),\n    \"Base needs to end with '/' for relative paths to be added as children instead of siblings.\",\n  );\n\n  assert(\n    canonicalBase.startsWith('npm:'),\n    'Protocol mismatch, expected \"npm:\".',\n  );\n  // `tar-stream` is pretty old-school, so we create it first and then\n  // instrument it by adding event listeners.\n  const extractStream = tarExtract();\n\n  let totalSize = 0;\n\n  // \"entry\" is fired for every discreet entity in the tarball. This includes\n  // files and folders.\n  extractStream.on('entry', (header, entryStream, next) => {\n    const { name: headerName, type: headerType } = header;\n    if (headerType === 'file') {\n      // The name is a path if the header type is \"file\".\n      const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');\n      return entryStream.pipe(\n        concat((data) => {\n          try {\n            totalSize += data.byteLength;\n            // To prevent zip bombs, we set a safety limit for the total size of tarballs.\n            assert(\n              totalSize < TARBALL_SIZE_SAFETY_LIMIT,\n              `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`,\n            );\n            const vfile = new VirtualFile({\n              value: data,\n              path,\n              data: {\n                canonicalPath: new URL(path, canonicalBase).toString(),\n              },\n            });\n            // We disallow files having identical paths as it may confuse our checksum calculations.\n            assert(\n              !files.has(path),\n              'Malformed tarball, multiple files with the same path.',\n            );\n            files.set(path, vfile);\n            return next();\n          } catch (error) {\n            return extractStream.destroy(error);\n          }\n        }),\n      );\n    }\n\n    // If we get here, the entry is not a file, and we want to ignore. The entry\n    // stream must be drained, or the extractStream will stop reading. This is\n    // effectively a no-op for the current entry.\n    entryStream.on('end', () => next());\n    return entryStream.resume();\n  });\n  return extractStream;\n}\n"]}

package/dist/snaps/registry/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./registry"), exports);
+__exportStar(require("./json"), exports);
+//# sourceMappingURL=index.js.map

package/dist/snaps/registry/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/snaps/registry/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA2B;AAC3B,yCAAuB","sourcesContent":["export * from './registry';\nexport * from './json';\n"]}

package/dist/{types/snaps → snaps}/registry/json.d.ts

@@ -1,8 +1,7 @@
-import type { RestrictedControllerMessenger } from '@metamask/base-controller';
-import { BaseControllerV2 as BaseController } from '@metamask/base-controller';
-import type { SnapsRegistryDatabase } from '@metamask/snaps-registry';
-import type { Hex } from '@metamask/utils';
-import type { SnapsRegistry } from './registry';
+import { BaseControllerV2 as BaseController, RestrictedControllerMessenger } from '@metamask/base-controller';
+import { SnapsRegistryDatabase } from '@metamask/snaps-registry';
+import { Hex } from '@metamask/utils';
+import { SnapsRegistry } from './registry';
 declare type JsonSnapsRegistryUrl = {
     registry: string;
     signature: string;

package/dist/snaps/registry/json.js

@@ -0,0 +1,171 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _JsonSnapsRegistry_instances, _JsonSnapsRegistry_url, _JsonSnapsRegistry_publicKey, _JsonSnapsRegistry_fetchFunction, _JsonSnapsRegistry_recentFetchThreshold, _JsonSnapsRegistry_refetchOnAllowlistMiss, _JsonSnapsRegistry_failOnUnavailableRegistry, _JsonSnapsRegistry_wasRecentlyFetched, _JsonSnapsRegistry_update, _JsonSnapsRegistry_getDatabase, _JsonSnapsRegistry_getSingle, _JsonSnapsRegistry_get, _JsonSnapsRegistry_getMetadata, _JsonSnapsRegistry_verifySignature, _JsonSnapsRegistry_safeFetch;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JsonSnapsRegistry = void 0;
+const base_controller_1 = require("@metamask/base-controller");
+const snaps_registry_1 = require("@metamask/snaps-registry");
+const utils_1 = require("@metamask/utils");
+const registry_1 = require("./registry");
+// TODO: Replace with a Codefi URL
+const SNAP_REGISTRY_URL = 'https://cdn.jsdelivr.net/gh/MetaMask/snaps-registry@gh-pages/latest/registry.json';
+const SNAP_REGISTRY_SIGNATURE_URL = 'https://cdn.jsdelivr.net/gh/MetaMask/snaps-registry@gh-pages/latest/signature.json';
+const controllerName = 'SnapsRegistry';
+const defaultState = {
+    database: null,
+    lastUpdated: null,
+};
+class JsonSnapsRegistry extends base_controller_1.BaseControllerV2 {
+    constructor({ messenger, state, url = {
+        registry: SNAP_REGISTRY_URL,
+        signature: SNAP_REGISTRY_SIGNATURE_URL,
+    }, publicKey, fetchFunction = globalThis.fetch.bind(globalThis), recentFetchThreshold = (0, utils_1.inMilliseconds)(5, utils_1.Duration.Minute), failOnUnavailableRegistry = true, refetchOnAllowlistMiss = true, }) {
+        super({
+            messenger,
+            metadata: {
+                database: { persist: true, anonymous: false },
+                lastUpdated: { persist: true, anonymous: false },
+            },
+            name: controllerName,
+            state: {
+                ...defaultState,
+                ...state,
+            },
+        });
+        _JsonSnapsRegistry_instances.add(this);
+        _JsonSnapsRegistry_url.set(this, void 0);
+        _JsonSnapsRegistry_publicKey.set(this, void 0);
+        _JsonSnapsRegistry_fetchFunction.set(this, void 0);
+        _JsonSnapsRegistry_recentFetchThreshold.set(this, void 0);
+        _JsonSnapsRegistry_refetchOnAllowlistMiss.set(this, void 0);
+        _JsonSnapsRegistry_failOnUnavailableRegistry.set(this, void 0);
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_url, url, "f");
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_publicKey, publicKey, "f");
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_fetchFunction, fetchFunction, "f");
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_recentFetchThreshold, recentFetchThreshold, "f");
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_refetchOnAllowlistMiss, refetchOnAllowlistMiss, "f");
+        __classPrivateFieldSet(this, _JsonSnapsRegistry_failOnUnavailableRegistry, failOnUnavailableRegistry, "f");
+        this.messagingSystem.registerActionHandler('SnapsRegistry:get', async (...args) => __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_get).call(this, ...args));
+        this.messagingSystem.registerActionHandler('SnapsRegistry:getMetadata', async (...args) => __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_getMetadata).call(this, ...args));
+        this.messagingSystem.registerActionHandler('SnapsRegistry:update', async () => __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_update).call(this));
+    }
+}
+exports.JsonSnapsRegistry = JsonSnapsRegistry;
+_JsonSnapsRegistry_url = new WeakMap(), _JsonSnapsRegistry_publicKey = new WeakMap(), _JsonSnapsRegistry_fetchFunction = new WeakMap(), _JsonSnapsRegistry_recentFetchThreshold = new WeakMap(), _JsonSnapsRegistry_refetchOnAllowlistMiss = new WeakMap(), _JsonSnapsRegistry_failOnUnavailableRegistry = new WeakMap(), _JsonSnapsRegistry_instances = new WeakSet(), _JsonSnapsRegistry_wasRecentlyFetched = function _JsonSnapsRegistry_wasRecentlyFetched() {
+    return (this.state.lastUpdated &&
+        Date.now() - this.state.lastUpdated < __classPrivateFieldGet(this, _JsonSnapsRegistry_recentFetchThreshold, "f"));
+}, _JsonSnapsRegistry_update = async function _JsonSnapsRegistry_update() {
+    // No-op if we recently fetched the registry.
+    if (__classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_wasRecentlyFetched).call(this)) {
+        return;
+    }
+    try {
+        const database = await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_safeFetch).call(this, __classPrivateFieldGet(this, _JsonSnapsRegistry_url, "f").registry);
+        if (__classPrivateFieldGet(this, _JsonSnapsRegistry_publicKey, "f")) {
+            const signature = await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_safeFetch).call(this, __classPrivateFieldGet(this, _JsonSnapsRegistry_url, "f").signature);
+            await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_verifySignature).call(this, database, signature);
+        }
+        this.update((state) => {
+            state.database = JSON.parse(database);
+            state.lastUpdated = Date.now();
+        });
+    }
+    catch {
+        // Ignore
+    }
+}, _JsonSnapsRegistry_getDatabase = async function _JsonSnapsRegistry_getDatabase() {
+    if (this.state.database === null) {
+        await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_update).call(this);
+    }
+    // If the database is still null and we require it, throw.
+    if (__classPrivateFieldGet(this, _JsonSnapsRegistry_failOnUnavailableRegistry, "f") && this.state.database === null) {
+        throw new Error('Snaps registry is unavailable, installation blocked.');
+    }
+    return this.state.database;
+}, _JsonSnapsRegistry_getSingle = async function _JsonSnapsRegistry_getSingle(snapId, snapInfo, refetch = false) {
+    const database = await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_getDatabase).call(this);
+    const blockedEntry = database?.blockedSnaps.find((blocked) => {
+        if ('id' in blocked) {
+            return (blocked.id === snapId &&
+                (0, utils_1.satisfiesVersionRange)(snapInfo.version, blocked.versionRange));
+        }
+        return blocked.checksum === snapInfo.checksum;
+    });
+    if (blockedEntry) {
+        return {
+            status: registry_1.SnapsRegistryStatus.Blocked,
+            reason: blockedEntry.reason,
+        };
+    }
+    const verified = database?.verifiedSnaps[snapId];
+    const version = verified?.versions?.[snapInfo.version];
+    if (version && version.checksum === snapInfo.checksum) {
+        return { status: registry_1.SnapsRegistryStatus.Verified };
+    }
+    // For now, if we have an allowlist miss, we can refetch once and try again.
+    if (__classPrivateFieldGet(this, _JsonSnapsRegistry_refetchOnAllowlistMiss, "f") && !refetch) {
+        await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_update).call(this);
+        return __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_getSingle).call(this, snapId, snapInfo, true);
+    }
+    return { status: registry_1.SnapsRegistryStatus.Unverified };
+}, _JsonSnapsRegistry_get = async function _JsonSnapsRegistry_get(snaps) {
+    return Object.entries(snaps).reduce(async (previousPromise, [snapId, snapInfo]) => {
+        const result = await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_getSingle).call(this, snapId, snapInfo);
+        const acc = await previousPromise;
+        acc[snapId] = result;
+        return acc;
+    }, Promise.resolve({}));
+}, _JsonSnapsRegistry_getMetadata = 
+/**
+ * Get metadata for the given snap ID.
+ *
+ * @param snapId - The ID of the snap to get metadata for.
+ * @returns The metadata for the given snap ID, or `null` if the snap is not
+ * verified.
+ */
+async function _JsonSnapsRegistry_getMetadata(snapId) {
+    const database = await __classPrivateFieldGet(this, _JsonSnapsRegistry_instances, "m", _JsonSnapsRegistry_getDatabase).call(this);
+    return database?.verifiedSnaps[snapId]?.metadata ?? null;
+}, _JsonSnapsRegistry_verifySignature = 
+/**
+ * Verify the signature of the registry.
+ *
+ * @param database - The registry database.
+ * @param signature - The signature of the registry.
+ * @throws If the signature is invalid.
+ * @private
+ */
+async function _JsonSnapsRegistry_verifySignature(database, signature) {
+    (0, utils_1.assert)(__classPrivateFieldGet(this, _JsonSnapsRegistry_publicKey, "f"), 'No public key provided.');
+    const valid = await (0, snaps_registry_1.verify)({
+        registry: database,
+        signature: JSON.parse(signature),
+        publicKey: __classPrivateFieldGet(this, _JsonSnapsRegistry_publicKey, "f"),
+    });
+    (0, utils_1.assert)(valid, 'Invalid registry signature.');
+}, _JsonSnapsRegistry_safeFetch = 
+/**
+ * Fetch the given URL, throwing if the response is not OK.
+ *
+ * @param url - The URL to fetch.
+ * @returns The response body.
+ * @private
+ */
+async function _JsonSnapsRegistry_safeFetch(url) {
+    const response = await __classPrivateFieldGet(this, _JsonSnapsRegistry_fetchFunction, "f").call(this, url);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch ${url}.`);
+    }
+    return await response.text();
+};
+//# sourceMappingURL=json.js.map