@metamask/snaps-controllers 3.5.1 → 3.6.0

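--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -6,6 +6,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
  ## [Unreleased]
 
+ ## [3.6.0]
+ ### Changed
+ - Revert usage of `DecompressionStream` ([#2052](https://github.com/MetaMask/snaps/pull/2052))
+ - Refactor `NpmLocation` class ([#2038](https://github.com/MetaMask/snaps/pull/2038))
+ - Most logic is now located in `BaseNpmLocation`, making it easier to extend without duplication.
+ - Bump several MetaMask dependencies ([#2053](https://github.com/MetaMask/snaps/pull/2053), [#2061](https://github.com/MetaMask/snaps/pull/2061), [#2064](https://github.com/MetaMask/snaps/pull/2064), [#2065](https://github.com/MetaMask/snaps/pull/2065), [#2067](https://github.com/MetaMask/snaps/pull/2067))
+
+ ### Removed
+ - Remove support for object-like syntax for cronjobs ([#2057](https://github.com/MetaMask/snaps/pull/2057))
+ - Since this never worked in the first place we aren't marking it as breaking.
+
  ## [3.5.1]
  ### Changed
  - Improve `SnapController` constructor types ([#2023](https://github.com/MetaMask/snaps/pull/2023))
@@ -141,7 +152,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - The version of the package no longer needs to match the version of all other
  MetaMask Snaps packages.
 
- [Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...HEAD
+ [Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.6.0...HEAD
+ [3.6.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...@metamask/snaps-controllers@3.6.0
  [3.5.1]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.0...@metamask/snaps-controllers@3.5.1
  [3.5.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.4.1...@metamask/snaps-controllers@3.5.0
  [3.4.1]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.4.0...@metamask/snaps-controllers@3.4.1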
@@ -12,11 +12,20 @@ _export(exports, {
12
12
  DEFAULT_NPM_REGISTRY: function() {
13
13
  return DEFAULT_NPM_REGISTRY;
14
14
  },
15
+ BaseNpmLocation: function() {
16
+ return BaseNpmLocation;
17
+ },
18
+ TARBALL_SIZE_SAFETY_LIMIT: function() {
19
+ return TARBALL_SIZE_SAFETY_LIMIT;
20
+ },
15
21
  NpmLocation: function() {
16
22
  return NpmLocation;
17
23
  },
18
24
  fetchNpmMetadata: function() {
19
25
  return fetchNpmMetadata;
26
+ },
27
+ getNpmCanonicalBasePath: function() {
28
+ return getNpmCanonicalBasePath;
20
29
  }
21
30
  });
22
31
  const _snapsutils = require("@metamask/snaps-utils");
@@ -32,6 +41,41 @@ function _check_private_redeclaration(obj, privateCollection) {
32
41
  throw new TypeError("Cannot initialize the same private elements twice on an object");
33
42
  }
34
43
  }
44
+ function _class_apply_descriptor_get(receiver, descriptor) {
45
+ if (descriptor.get) {
46
+ return descriptor.get.call(receiver);
47
+ }
48
+ return descriptor.value;
49
+ }
50
+ function _class_apply_descriptor_set(receiver, descriptor, value) {
51
+ if (descriptor.set) {
52
+ descriptor.set.call(receiver, value);
53
+ } else {
54
+ if (!descriptor.writable) {
55
+ throw new TypeError("attempted to set read only private field");
56
+ }
57
+ descriptor.value = value;
58
+ }
59
+ }
60
+ function _class_extract_field_descriptor(receiver, privateMap, action) {
61
+ if (!privateMap.has(receiver)) {
62
+ throw new TypeError("attempted to " + action + " private field on non-instance");
63
+ }
64
+ return privateMap.get(receiver);
65
+ }
66
+ function _class_private_field_get(receiver, privateMap) {
67
+ var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
68
+ return _class_apply_descriptor_get(receiver, descriptor);
69
+ }
70
+ function _class_private_field_init(obj, privateMap, value) {
71
+ _check_private_redeclaration(obj, privateMap);
72
+ privateMap.set(obj, value);
73
+ }
74
+ function _class_private_field_set(receiver, privateMap, value) {
75
+ var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
76
+ _class_apply_descriptor_set(receiver, descriptor, value);
77
+ return value;
78
+ }
35
79
  function _class_private_method_get(receiver, privateSet, fn) {
36
80
  if (!privateSet.has(receiver)) {
37
81
  throw new TypeError("attempted to get private field on non-instance");
@@ -61,25 +105,25 @@ function _interop_require_default(obj) {
61
105
  };
62
106
  }
63
107
  const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');
64
- var _lazyInit = /*#__PURE__*/ new WeakSet();
65
- class NpmLocation {
108
+ var _validatedManifest = /*#__PURE__*/ new WeakMap(), _files = /*#__PURE__*/ new WeakMap(), _lazyInit = /*#__PURE__*/ new WeakSet();
109
+ class BaseNpmLocation {
66
110
  async manifest() {
67
- if (this.validatedManifest) {
68
- return this.validatedManifest.clone();
111
+ if (_class_private_field_get(this, _validatedManifest)) {
112
+ return _class_private_field_get(this, _validatedManifest).clone();
69
113
  }
70
114
  const vfile = await this.fetch('snap.manifest.json');
71
115
  const result = (0, _snapsutils.parseJson)(vfile.toString());
72
116
  vfile.result = (0, _snapsutils.createSnapManifest)(result);
73
- this.validatedManifest = vfile;
117
+ _class_private_field_set(this, _validatedManifest, vfile);
74
118
  return this.manifest();
75
119
  }
76
120
  async fetch(path) {
77
121
  const relativePath = (0, _snapsutils.normalizeRelative)(path);
78
- if (!this.files) {
122
+ if (!_class_private_field_get(this, _files)) {
79
123
  await _class_private_method_get(this, _lazyInit, lazyInit).call(this);
80
- (0, _utils.assert)(this.files !== undefined);
124
+ (0, _utils.assert)(_class_private_field_get(this, _files) !== undefined);
81
125
  }
82
- const vfile = this.files.get(relativePath);
126
+ const vfile = _class_private_field_get(this, _files).get(relativePath);
83
127
  (0, _utils.assert)(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
84
128
  return vfile.clone();
85
129
  }
@@ -99,8 +143,14 @@ class NpmLocation {
99
143
  constructor(url, opts = {}){
100
144
  _class_private_method_init(this, _lazyInit);
101
145
  _define_property(this, "meta", void 0);
102
- _define_property(this, "validatedManifest", void 0);
103
- _define_property(this, "files", void 0);
146
+ _class_private_field_init(this, _validatedManifest, {
147
+ writable: true,
148
+ value: void 0
149
+ });
150
+ _class_private_field_init(this, _files, {
151
+ writable: true,
152
+ value: void 0
153
+ });
104
154
  const allowCustomRegistries = opts.allowCustomRegistries ?? false;
105
155
  const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
106
156
  const requestedRange = opts.versionRange ?? _snapsutils.DEFAULT_REQUESTED_SNAP_VERSION;
@@ -139,43 +189,51 @@ class NpmLocation {
139
189
  }
140
190
  }
141
191
  async function lazyInit() {
142
- (0, _utils.assert)(this.files === undefined);
192
+ (0, _utils.assert)(_class_private_field_get(this, _files) === undefined);
143
193
  const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange);
144
- const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
145
- this.meta.version = actualVersion;
146
- let canonicalBase = 'npm://';
147
- if (this.meta.registry.username !== '') {
148
- canonicalBase += this.meta.registry.username;
149
- if (this.meta.registry.password !== '') {
150
- canonicalBase += `:${this.meta.registry.password}`;
151
- }
152
- canonicalBase += '@';
194
+ const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
195
+ if (!(0, _snapsutils.isValidUrl)(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {
196
+ throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`);
153
197
  }
154
- canonicalBase += this.meta.registry.host;
155
- // TODO(ritave): Lazily extract files instead of up-front extracting all of them
156
- // We would need to replace tar-stream package because it requires immediate consumption of streams.
157
- await new Promise((resolve, reject)=>{
158
- this.files = new Map();
159
- const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files);
160
- // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
161
- // before we can actually grab any files from it.
162
- // To prevent recursion-based zip bombs, we should not allow recursion here.
163
- // If native decompression stream is available we use that, otherwise fallback to zlib
164
- if ('DecompressionStream' in globalThis) {
165
- const decompressionStream = new DecompressionStream('gzip');
166
- const decompressedStream = tarballResponse.pipeThrough(decompressionStream);
167
- (0, _readablestream.pipeline)(getNodeStream(decompressedStream), tarballStream, (error)=>{
168
- error ? reject(error) : resolve();
169
- });
170
- return;
198
+ // Override the tarball hostname/protocol with registryUrl hostname/protocol
199
+ const newTarballUrl = new URL(tarballURL);
200
+ newTarballUrl.hostname = this.meta.registry.hostname;
201
+ newTarballUrl.protocol = this.meta.registry.protocol;
202
+ const files = await this.fetchNpmTarball(newTarballUrl);
203
+ _class_private_field_set(this, _files, files);
204
+ this.meta.version = targetVersion;
205
+ }
206
+ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
207
+ class NpmLocation extends BaseNpmLocation {
208
+ /**
209
+ * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
210
+ *
211
+ * @param tarballUrl - The tarball URL to fetch and unpack.
212
+ * @returns A the files for the package tarball.
213
+ * @throws If fetching the tarball fails.
214
+ */ async fetchNpmTarball(tarballUrl) {
215
+ // Perform a raw fetch because we want the Response object itself.
216
+ const tarballResponse = await this.meta.fetch(tarballUrl.toString());
217
+ if (!tarballResponse.ok || !tarballResponse.body) {
218
+ throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`);
171
219
  }
172
- (0, _readablestream.pipeline)(getNodeStream(tarballResponse), (0, _browserifyzlib.createGunzip)(), tarballStream, (error)=>{
173
- error ? reject(error) : resolve();
220
+ // We assume that NPM is a good actor and provides us with a valid `content-length` header.
221
+ const tarballSizeString = tarballResponse.headers.get('content-length');
222
+ (0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length');
223
+ const tarballSize = parseInt(tarballSizeString, 10);
224
+ (0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
225
+ return new Promise((resolve, reject)=>{
226
+ const files = new Map();
227
+ // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
228
+ // before we can actually grab any files from it.
229
+ // To prevent recursion-based zip bombs, we should not allow recursion here.
230
+ (0, _readablestream.pipeline)(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
231
+ getNodeStream(tarballResponse.body), (0, _browserifyzlib.createGunzip)(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
232
+ error ? reject(error) : resolve(files);
233
+ });
174
234
  });
175
- });
235
+ }
176
236
  }
177
- // Safety limit for tarballs, 250 MB in bytes
178
- const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
179
237
  async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) {
180
238
  const packageResponse = await fetchFunction(new URL(packageName, registryUrl).toString(), {
181
239
  headers: {
@@ -192,6 +250,17 @@ async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) {
192
250
  }
193
251
  return packageMetadata;
194
252
  }
253
+ function getNpmCanonicalBasePath(registryUrl, packageName) {
254
+ let canonicalBase = 'npm://';
255
+ if (registryUrl.username !== '') {
256
+ canonicalBase += registryUrl.username;
257
+ if (registryUrl.password !== '') {
258
+ canonicalBase += `:${registryUrl.password}`;
259
+ }
260
+ canonicalBase += '@';
261
+ }
262
+ return `${canonicalBase}${registryUrl.host}/${packageName}/`;
263
+ }
195
264
  /**
196
265
  * Determine if a registry URL is NPM.
197
266
  *
@@ -235,44 +304,6 @@ async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) {
235
304
  targetVersion
236
305
  };
237
306
  }
238
- /**
239
- * Fetches the tarball (`.tgz` file) of the specified package and version from
240
- * the public npm registry.
241
- *
242
- * @param packageName - The name of the package whose tarball to fetch.
243
- * @param versionRange - The SemVer range of the package to fetch. The highest
244
- * version satisfying the range will be fetched.
245
- * @param registryUrl - The URL of the npm registry to fetch the tarball from.
246
- * @param fetchFunction - The fetch function to use. Defaults to the global
247
- * {@link fetch}. Useful for Node.js compatibility.
248
- * @returns A tuple of the {@link Response} for the package tarball and the
249
- * actual version of the package.
250
- * @throws If fetching the tarball fails.
251
- */ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
252
- const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction);
253
- if (!(0, _snapsutils.isValidUrl)(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {
254
- throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`);
255
- }
256
- // Override the tarball hostname/protocol with registryUrl hostname/protocol
257
- const newRegistryUrl = new URL(registryUrl);
258
- const newTarballUrl = new URL(tarballURL);
259
- newTarballUrl.hostname = newRegistryUrl.hostname;
260
- newTarballUrl.protocol = newRegistryUrl.protocol;
261
- // Perform a raw fetch because we want the Response object itself.
262
- const tarballResponse = await fetchFunction(newTarballUrl.toString());
263
- if (!tarballResponse.ok || !tarballResponse.body) {
264
- throw new Error(`Failed to fetch tarball for package "${packageName}".`);
265
- }
266
- // We assume that NPM is a good actor and provides us with a valid `content-length` header.
267
- const tarballSizeString = tarballResponse.headers.get('content-length');
268
- (0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length');
269
- const tarballSize = parseInt(tarballSizeString, 10);
270
- (0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
271
- return [
272
- tarballResponse.body,
273
- targetVersion
274
- ];
275
- }
276
307
  /**
277
308
  * The paths of files within npm tarballs appear to always be prefixed with
278
309
  * "package/".
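Review bot: In `fetchNpmTarball` (hunk `@@ -139,43 +189,51 @@`) the only size bound is the server-declared `content-length`, which describes the compressed response; nothing visible counts the bytes leaving `createGunzip()`, and whether `createTarballStream` caps them cannot be seen because it is defined outside these hunks. With `allowCustomRegistries` available and `BaseNpmLocation` now exported for extension, the "NPM is a good actor" assumption in the comment covers fewer callers, so a small but highly compressible tarball, or an understated header, would reach the extractor unbounded. I would count decompressed bytes inside the pipeline and fail once a cap is passed, as sketched below; reusing `TARBALL_SIZE_SAFETY_LIMIT` there is a stand-in, and a separate decompressed cap may fit better. The move also dropped the `// Safety limit for tarballs, 250 MB in bytes` comment from the constant, which is now exported, so it should be restored. This file is build output, so the change belongs in `src/snaps/location/npm.ts`, which the source map names.

```javascript
return new Promise((resolve, reject)=>{
    const files = new Map();
    let decompressedBytes = 0;
    // Bound what is actually unpacked, not only the declared content-length.
    const sizeGuard = new _readablestream.Transform({
        transform (chunk, _encoding, callback) {
            decompressedBytes += chunk.length;
            if (decompressedBytes > TARBALL_SIZE_SAFETY_LIMIT) {
                callback(new Error('Snap tarball exceeds size limit'));
                return;
            }
            callback(null, chunk);
        }
    });
    // … unchanged: getNodeStream(tarballResponse.body) and createGunzip() as the first two stages …
    (0, _readablestream.pipeline)(getNodeStream(tarballResponse.body), (0, _browserifyzlib.createGunzip)(), sizeGuard, createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
        error ? reject(error) : resolve(files);
    });
    // … unchanged: closing of the Promise callback …
```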
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../../src/snaps/location/npm.ts"],"sourcesContent":["import type { SnapManifest } from '@metamask/snaps-utils';\nimport {\n createSnapManifest,\n DEFAULT_REQUESTED_SNAP_VERSION,\n getTargetVersion,\n isValidUrl,\n NpmSnapIdStruct,\n VirtualFile,\n normalizeRelative,\n parseJson,\n} from '@metamask/snaps-utils';\nimport type { SemVerRange, SemVerVersion } from '@metamask/utils';\nimport {\n assert,\n assertIsSemVerVersion,\n assertStruct,\n isObject,\n isValidSemVerVersion,\n} from '@metamask/utils';\nimport { createGunzip } from 'browserify-zlib';\nimport concat from 'concat-stream';\nimport getNpmTarballUrl from 'get-npm-tarball-url';\nimport { pipeline } from 'readable-stream';\nimport type { Readable, Writable } from 'readable-stream';\nimport { ReadableWebToNodeStream } from 'readable-web-to-node-stream';\nimport { extract as tarExtract } from 'tar-stream';\n\nimport type { DetectSnapLocationOptions, SnapLocation } from './location';\n\nexport const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');\n\ninterface NpmMeta {\n registry: URL;\n packageName: string;\n requestedRange: SemVerRange;\n version?: string;\n fetch: typeof fetch;\n resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;\n}\nexport interface NpmOptions {\n /**\n * @default DEFAULT_REQUESTED_SNAP_VERSION\n */\n versionRange?: SemVerRange;\n /**\n * Whether to allow custom NPM registries outside of {@link DEFAULT_NPM_REGISTRY}.\n *\n * @default false\n */\n allowCustomRegistries?: boolean;\n}\n\nexport class NpmLocation implements SnapLocation {\n private readonly meta: NpmMeta;\n\n private validatedManifest?: VirtualFile<SnapManifest>;\n\n private files?: Map<string, VirtualFile>;\n\n constructor(url: URL, opts: DetectSnapLocationOptions = {}) {\n const allowCustomRegistries = opts.allowCustomRegistries ?? false;\n const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);\n const requestedRange = opts.versionRange ?? 
DEFAULT_REQUESTED_SNAP_VERSION;\n const defaultResolve = async (range: SemVerRange) => range;\n const resolveVersion = opts.resolveVersion ?? defaultResolve;\n\n assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');\n\n let registry: string | URL;\n if (\n url.host === '' &&\n url.port === '' &&\n url.username === '' &&\n url.password === ''\n ) {\n registry = DEFAULT_NPM_REGISTRY;\n } else {\n registry = 'https://';\n if (url.username) {\n registry += url.username;\n if (url.password) {\n registry += `:${url.password}`;\n }\n registry += '@';\n }\n registry += url.host;\n registry = new URL(registry);\n assert(\n allowCustomRegistries,\n new TypeError(\n `Custom NPM registries are disabled, tried to use \"${registry.toString()}\".`,\n ),\n );\n }\n\n assert(\n registry.pathname === '/' &&\n registry.search === '' &&\n registry.hash === '',\n );\n\n assert(\n url.pathname !== '' && url.pathname !== '/',\n new TypeError('The package name in NPM location is empty.'),\n );\n let packageName = url.pathname;\n if (packageName.startsWith('/')) {\n packageName = packageName.slice(1);\n }\n\n this.meta = {\n requestedRange,\n registry,\n packageName,\n fetch: fetchFunction,\n resolveVersion,\n };\n }\n\n async manifest(): Promise<VirtualFile<SnapManifest>> {\n if (this.validatedManifest) {\n return this.validatedManifest.clone();\n }\n\n const vfile = await this.fetch('snap.manifest.json');\n const result = parseJson(vfile.toString());\n vfile.result = createSnapManifest(result);\n this.validatedManifest = vfile as VirtualFile<SnapManifest>;\n\n return this.manifest();\n }\n\n async fetch(path: string): Promise<VirtualFile> {\n const relativePath = normalizeRelative(path);\n if (!this.files) {\n await this.#lazyInit();\n assert(this.files !== undefined);\n }\n const vfile = this.files.get(relativePath);\n assert(\n vfile !== undefined,\n new TypeError(`File \"${path}\" not found in package.`),\n );\n return vfile.clone();\n }\n\n get packageName(): string {\n 
return this.meta.packageName;\n }\n\n get version(): string {\n assert(\n this.meta.version !== undefined,\n 'Tried to access version without first fetching NPM package.',\n );\n return this.meta.version;\n }\n\n get registry(): URL {\n return this.meta.registry;\n }\n\n get versionRange(): SemVerRange {\n return this.meta.requestedRange;\n }\n\n async #lazyInit() {\n assert(this.files === undefined);\n const resolvedVersion = await this.meta.resolveVersion(\n this.meta.requestedRange,\n );\n const [tarballResponse, actualVersion] = await fetchNpmTarball(\n this.meta.packageName,\n resolvedVersion,\n this.meta.registry,\n this.meta.fetch,\n );\n this.meta.version = actualVersion;\n\n let canonicalBase = 'npm://';\n if (this.meta.registry.username !== '') {\n canonicalBase += this.meta.registry.username;\n if (this.meta.registry.password !== '') {\n canonicalBase += `:${this.meta.registry.password}`;\n }\n canonicalBase += '@';\n }\n canonicalBase += this.meta.registry.host;\n\n // TODO(ritave): Lazily extract files instead of up-front extracting all of them\n // We would need to replace tar-stream package because it requires immediate consumption of streams.\n await new Promise<void>((resolve, reject) => {\n this.files = new Map();\n\n const tarballStream = createTarballStream(\n `${canonicalBase}/${this.meta.packageName}/`,\n this.files,\n );\n\n // The \"gz\" in \"tgz\" stands for \"gzip\". The tarball needs to be decompressed\n // before we can actually grab any files from it.\n // To prevent recursion-based zip bombs, we should not allow recursion here.\n\n // If native decompression stream is available we use that, otherwise fallback to zlib\n if ('DecompressionStream' in globalThis) {\n const decompressionStream = new DecompressionStream('gzip');\n const decompressedStream =\n tarballResponse.pipeThrough(decompressionStream);\n\n pipeline(\n getNodeStream(decompressedStream),\n tarballStream,\n (error: unknown) => {\n error ? 
reject(error) : resolve();\n },\n );\n return;\n }\n\n pipeline(\n getNodeStream(tarballResponse),\n createGunzip(),\n tarballStream,\n (error: unknown) => {\n error ? reject(error) : resolve();\n },\n );\n });\n }\n}\n\n// Safety limit for tarballs, 250 MB in bytes\nconst TARBALL_SIZE_SAFETY_LIMIT = 262144000;\n\n// Incomplete type\nexport type PartialNpmMetadata = {\n versions: Record<string, { dist: { tarball: string } }>;\n};\n\n/**\n * Fetches the NPM metadata of the specified package from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns The NPM metadata object.\n * @throws If fetching the metadata fails.\n */\nexport async function fetchNpmMetadata(\n packageName: string,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<PartialNpmMetadata> {\n const packageResponse = await fetchFunction(\n new URL(packageName, registryUrl).toString(),\n {\n headers: {\n // Corgi format is slightly smaller: https://github.com/npm/pacote/blob/main/lib/registry.js#L71\n accept: isNPM(registryUrl)\n ? 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'\n : 'application/json',\n },\n },\n );\n if (!packageResponse.ok) {\n throw new Error(\n `Failed to fetch NPM registry entry. 
Status code: ${packageResponse.status}.`,\n );\n }\n const packageMetadata = await packageResponse.json();\n\n if (!isObject(packageMetadata)) {\n throw new Error(\n `Failed to fetch package \"${packageName}\" metadata from npm.`,\n );\n }\n\n return packageMetadata as PartialNpmMetadata;\n}\n\n/**\n * Determine if a registry URL is NPM.\n *\n * @param registryUrl - A registry url.\n * @returns True if the registry is the NPM registry, otherwise false.\n */\nfunction isNPM(registryUrl: URL) {\n return registryUrl.toString() === DEFAULT_NPM_REGISTRY.toString();\n}\n\n/**\n * Resolves a version range to a version using the NPM registry.\n *\n * Unless the version range is already a version, then the NPM registry is skipped.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param versionRange - The version range of the package.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns An object containing the resolved version and a URL for its tarball.\n * @throws If fetching the metadata fails.\n */\nasync function resolveNpmVersion(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<{ tarballURL: string; targetVersion: SemVerVersion }> {\n // If the version range is already a static version we don't need to look for the metadata.\n if (isNPM(registryUrl) && isValidSemVerVersion(versionRange)) {\n return {\n tarballURL: getNpmTarballUrl(packageName, versionRange),\n targetVersion: versionRange,\n };\n }\n\n const packageMetadata = await fetchNpmMetadata(\n packageName,\n registryUrl,\n fetchFunction,\n );\n\n const versions = Object.keys(packageMetadata?.versions ?? 
{}).map(\n (version) => {\n assertIsSemVerVersion(version);\n return version;\n },\n );\n\n const targetVersion = getTargetVersion(versions, versionRange);\n\n if (targetVersion === null) {\n throw new Error(\n `Failed to find a matching version in npm metadata for package \"${packageName}\" and requested semver range \"${versionRange}\".`,\n );\n }\n\n const tarballURL = packageMetadata?.versions?.[targetVersion]?.dist?.tarball;\n\n return { tarballURL, targetVersion };\n}\n\n/**\n * Fetches the tarball (`.tgz` file) of the specified package and version from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose tarball to fetch.\n * @param versionRange - The SemVer range of the package to fetch. The highest\n * version satisfying the range will be fetched.\n * @param registryUrl - The URL of the npm registry to fetch the tarball from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns A tuple of the {@link Response} for the package tarball and the\n * actual version of the package.\n * @throws If fetching the tarball fails.\n */\nasync function fetchNpmTarball(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<[ReadableStream, SemVerVersion]> {\n const { tarballURL, targetVersion } = await resolveNpmVersion(\n packageName,\n versionRange,\n registryUrl,\n fetchFunction,\n );\n\n if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {\n throw new Error(\n `Failed to find valid tarball URL in NPM metadata for package \"${packageName}\".`,\n );\n }\n\n // Override the tarball hostname/protocol with registryUrl hostname/protocol\n const newRegistryUrl = new URL(registryUrl);\n const newTarballUrl = new URL(tarballURL);\n newTarballUrl.hostname = newRegistryUrl.hostname;\n newTarballUrl.protocol = newRegistryUrl.protocol;\n\n // Perform a raw fetch because we want 
the Response object itself.\n const tarballResponse = await fetchFunction(newTarballUrl.toString());\n if (!tarballResponse.ok || !tarballResponse.body) {\n throw new Error(`Failed to fetch tarball for package \"${packageName}\".`);\n }\n // We assume that NPM is a good actor and provides us with a valid `content-length` header.\n const tarballSizeString = tarballResponse.headers.get('content-length');\n assert(tarballSizeString, 'Snap tarball has invalid content-length');\n const tarballSize = parseInt(tarballSizeString, 10);\n assert(\n tarballSize <= TARBALL_SIZE_SAFETY_LIMIT,\n 'Snap tarball exceeds size limit',\n );\n return [tarballResponse.body, targetVersion];\n}\n\n/**\n * The paths of files within npm tarballs appear to always be prefixed with\n * \"package/\".\n */\nconst NPM_TARBALL_PATH_PREFIX = /^package\\//u;\n\n/**\n * Converts a {@link ReadableStream} to a Node.js {@link Readable}\n * stream. Returns the stream directly if it is already a Node.js stream.\n * We can't use the native Web {@link ReadableStream} directly because the\n * other stream libraries we use expect Node.js streams.\n *\n * @param stream - The stream to convert.\n * @returns The given stream as a Node.js Readable stream.\n */\nfunction getNodeStream(stream: ReadableStream): Readable {\n if (typeof stream.getReader !== 'function') {\n return stream as unknown as Readable;\n }\n\n return new ReadableWebToNodeStream(stream);\n}\n\n/**\n * Creates a `tar-stream` that will get the necessary files from an npm Snap\n * package tarball (`.tgz` file).\n *\n * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. 
Will be used for canonicalPath vfile argument.\n * @param files - An object to write target file contents to.\n * @returns The {@link Writable} tarball extraction stream.\n */\nfunction createTarballStream(\n canonicalBase: string,\n files: Map<string, VirtualFile>,\n): Writable {\n assert(\n canonicalBase.endsWith('/'),\n \"Base needs to end with '/' for relative paths to be added as children instead of siblings.\",\n );\n\n assert(\n canonicalBase.startsWith('npm:'),\n 'Protocol mismatch, expected \"npm:\".',\n );\n // `tar-stream` is pretty old-school, so we create it first and then\n // instrument it by adding event listeners.\n const extractStream = tarExtract();\n\n let totalSize = 0;\n\n // \"entry\" is fired for every discreet entity in the tarball. This includes\n // files and folders.\n extractStream.on('entry', (header, entryStream, next) => {\n const { name: headerName, type: headerType } = header;\n if (headerType === 'file') {\n // The name is a path if the header type is \"file\".\n const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');\n return entryStream.pipe(\n concat({ encoding: 'uint8array' }, (data) => {\n try {\n totalSize += data.byteLength;\n // To prevent zip bombs, we set a safety limit for the total size of tarballs.\n assert(\n totalSize < TARBALL_SIZE_SAFETY_LIMIT,\n `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`,\n );\n const vfile = new VirtualFile({\n value: data,\n path,\n data: {\n canonicalPath: new URL(path, canonicalBase).toString(),\n },\n });\n // We disallow files having identical paths as it may confuse our checksum calculations.\n assert(\n !files.has(path),\n 'Malformed tarball, multiple files with the same path.',\n );\n files.set(path, vfile);\n return next();\n } catch (error) {\n return extractStream.destroy(error);\n }\n }),\n );\n }\n\n // If we get here, the entry is not a file, and we want to ignore. The entry\n // stream must be drained, or the extractStream will stop reading. 
This is\n // effectively a no-op for the current entry.\n entryStream.on('end', () => next());\n return entryStream.resume();\n });\n return extractStream;\n}\n"],"names":["DEFAULT_NPM_REGISTRY","NpmLocation","fetchNpmMetadata","URL","manifest","validatedManifest","clone","vfile","fetch","result","parseJson","toString","createSnapManifest","path","relativePath","normalizeRelative","files","lazyInit","assert","undefined","get","TypeError","packageName","meta","version","registry","versionRange","requestedRange","constructor","url","opts","allowCustomRegistries","fetchFunction","globalThis","bind","DEFAULT_REQUESTED_SNAP_VERSION","defaultResolve","range","resolveVersion","assertStruct","NpmSnapIdStruct","host","port","username","password","pathname","search","hash","startsWith","slice","resolvedVersion","tarballResponse","actualVersion","fetchNpmTarball","canonicalBase","Promise","resolve","reject","Map","tarballStream","createTarballStream","decompressionStream","DecompressionStream","decompressedStream","pipeThrough","pipeline","getNodeStream","error","createGunzip","TARBALL_SIZE_SAFETY_LIMIT","registryUrl","packageResponse","headers","accept","isNPM","ok","Error","status","packageMetadata","json","isObject","resolveNpmVersion","isValidSemVerVersion","tarballURL","getNpmTarballUrl","targetVersion","versions","Object","keys","map","assertIsSemVerVersion","getTargetVersion","dist","tarball","isValidUrl","endsWith","newRegistryUrl","newTarballUrl","hostname","protocol","body","tarballSizeString","tarballSize","parseInt","NPM_TARBALL_PATH_PREFIX","stream","getReader","ReadableWebToNodeStream","extractStream","tarExtract","totalSize","on","header","entryStream","next","name","headerName","type","headerType","replace","pipe","concat","encoding","data","byteLength","VirtualFile","value","canonicalPath","has","set","destroy","resume"],"mappings":";;;;;;;;;;;IA6BaA,oBAAoB;eAApBA;;IAuBAC,WAAW;eAAXA;;IAsMSC,gBAAgB;eAAhBA;;;4BAhPf;uBAQA;gCACsB;qEACV;yEACU;gCACJ;yCAEe;2BACF;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAI/B,MAAMF,uBAAuB,IAAIG,IAAI;IAyIpC;AAlHD,MAAMF;IAmEX,MAAMG,WAA+C;QACnD,IAAI,IAAI,CAACC,iBAAiB,EAAE;YAC1B,OAAO,IAAI,CAACA,iBAAiB,CAACC,KAAK;QACrC;QAEA,MAAMC,QAAQ,MAAM,IAAI,CAACC,KAAK,CAAC;QAC/B,MAAMC,SAASC,IAAAA,qBAAS,EAACH,MAAMI,QAAQ;QACvCJ,MAAME,MAAM,GAAGG,IAAAA,8BAAkB,EAACH;QAClC,IAAI,CAACJ,iBAAiB,GAAGE;QAEzB,OAAO,IAAI,CAACH,QAAQ;IACtB;IAEA,MAAMI,MAAMK,IAAY,EAAwB;QAC9C,MAAMC,eAAeC,IAAAA,6BAAiB,EAACF;QACvC,IAAI,CAAC,IAAI,CAACG,KAAK,EAAE;YACf,MAAM,0BAAA,IAAI,EAAEC,WAAAA,eAAN,IAAI;YACVC,IAAAA,aAAM,EAAC,IAAI,CAACF,KAAK,KAAKG;QACxB;QACA,MAAMZ,QAAQ,IAAI,CAACS,KAAK,CAACI,GAAG,CAACN;QAC7BI,IAAAA,aAAM,EACJX,UAAUY,WACV,IAAIE,UAAU,CAAC,MAAM,EAAER,KAAK,uBAAuB,CAAC;QAEtD,OAAON,MAAMD,KAAK;IACpB;IAEA,IAAIgB,cAAsB;QACxB,OAAO,IAAI,CAACC,IAAI,CAACD,WAAW;IAC9B;IAEA,IAAIE,UAAkB;QACpBN,IAAAA,aAAM,EACJ,IAAI,CAACK,IAAI,CAACC,OAAO,KAAKL,WACtB;QAEF,OAAO,IAAI,CAACI,IAAI,CAACC,OAAO;IAC1B;IAEA,IAAIC,WAAgB;QAClB,OAAO,IAAI,CAACF,IAAI,CAACE,QAAQ;IAC3B;IAEA,IAAIC,eAA4B;QAC9B,OAAO,IAAI,CAACH,IAAI,CAACI,cAAc;IACjC;IAzGAC,YAAYC,GAAQ,EAAEC,OAAkC,CAAC,CAAC,CAAE;QA2G5D,iCAAM;QAjHN,uBAAiBP,QAAjB,KAAA;QAEA,uBAAQlB,qBAAR,KAAA;QAEA,uBAAQW,SAAR,KAAA;QAGE,MAAMe,wBAAwBD,KAAKC,qBAAqB,IAAI;QAC5D,MAAMC,gBAAgBF,KAAKtB,KAAK,IAAIyB,WAAWzB,KAAK,CAAC0B,IAAI,CAACD;QAC1D,MAAMN,iBAAiBG,KAAKJ,YAAY,IAAIS,0CAA8B;QAC1E,MAAMC,iBAAiB,OAAOC,QAAuBA;QACrD,MAAMC,iBAAiBR,KAAKQ,cAAc,IAAIF;QAE9CG,IAAAA,mBAAY,EAACV,IAAIlB,QAAQ,IAAI6B,2BAAe,EAAE;QAE9C,IAAIf;QACJ,IACEI,IAAIY,IAAI,KAAK,MACbZ,IAAIa,IAAI,KAAK,MACbb,IAAIc,QAAQ,KAAK,MACjBd,IAAIe,QAAQ,KAAK,IACjB;YACAnB,WAAWzB;QACb,OAAO;YACLyB,WAAW;YACX,IAAII,IAAIc,QAAQ,EAAE;gBAChBlB,YAAYI,IAAIc,QAAQ;gBACxB,IAAId,IAAIe,QAAQ,EAAE;oBAChBnB,YAAY,CAAC,CAAC,EAAEI,IAAIe,QAAQ,CAAC,CAAC;gBAChC;gBACAnB,YAAY;YACd;YACAA,YAAYI,IAAIY,IAAI;YACpBhB,WAAW,IAAItB,IAAIsB;YACnBP,IAAAA,aAAM,EACJa,uBACA,IAAIV,UACF,CAAC,kDAAkD,EAAEI,SAASd,QAAQ,GAAG,EAAE,CAAC;QAGlF;QAEAO,IAAAA,aAAM,EACJO,SAASoB,QAAQ,KAAK,OACpBpB,SAASqB,MAAM,KAAK,MACpBrB,SAASsB,IAAI,KAAK;QAGtB7B,IAAAA,aAAM,EACJW,IAAIgB
,QAAQ,KAAK,MAAMhB,IAAIgB,QAAQ,KAAK,KACxC,IAAIxB,UAAU;QAEhB,IAAIC,cAAcO,IAAIgB,QAAQ;QAC9B,IAAIvB,YAAY0B,UAAU,CAAC,MAAM;YAC/B1B,cAAcA,YAAY2B,KAAK,CAAC;QAClC;QAEA,IAAI,CAAC1B,IAAI,GAAG;YACVI;YACAF;YACAH;YACAd,OAAOwB;YACPM;QACF;IACF;AAgHF;AA/DE,eAAA;IACEpB,IAAAA,aAAM,EAAC,IAAI,CAACF,KAAK,KAAKG;IACtB,MAAM+B,kBAAkB,MAAM,IAAI,CAAC3B,IAAI,CAACe,cAAc,CACpD,IAAI,CAACf,IAAI,CAACI,cAAc;IAE1B,MAAM,CAACwB,iBAAiBC,cAAc,GAAG,MAAMC,gBAC7C,IAAI,CAAC9B,IAAI,CAACD,WAAW,EACrB4B,iBACA,IAAI,CAAC3B,IAAI,CAACE,QAAQ,EAClB,IAAI,CAACF,IAAI,CAACf,KAAK;IAEjB,IAAI,CAACe,IAAI,CAACC,OAAO,GAAG4B;IAEpB,IAAIE,gBAAgB;IACpB,IAAI,IAAI,CAAC/B,IAAI,CAACE,QAAQ,CAACkB,QAAQ,KAAK,IAAI;QACtCW,iBAAiB,IAAI,CAAC/B,IAAI,CAACE,QAAQ,CAACkB,QAAQ;QAC5C,IAAI,IAAI,CAACpB,IAAI,CAACE,QAAQ,CAACmB,QAAQ,KAAK,IAAI;YACtCU,iBAAiB,CAAC,CAAC,EAAE,IAAI,CAAC/B,IAAI,CAACE,QAAQ,CAACmB,QAAQ,CAAC,CAAC;QACpD;QACAU,iBAAiB;IACnB;IACAA,iBAAiB,IAAI,CAAC/B,IAAI,CAACE,QAAQ,CAACgB,IAAI;IAExC,gFAAgF;IAChF,kHAAkH;IAClH,MAAM,IAAIc,QAAc,CAACC,SAASC;QAChC,IAAI,CAACzC,KAAK,GAAG,IAAI0C;QAEjB,MAAMC,gBAAgBC,oBACpB,CAAC,EAAEN,cAAc,CAAC,EAAE,IAAI,CAAC/B,IAAI,CAACD,WAAW,CAAC,CAAC,CAAC,EAC5C,IAAI,CAACN,KAAK;QAGZ,4EAA4E;QAC5E,iDAAiD;QACjD,4EAA4E;QAE5E,sFAAsF;QACtF,IAAI,yBAAyBiB,YAAY;YACvC,MAAM4B,sBAAsB,IAAIC,oBAAoB;YACpD,MAAMC,qBACJZ,gBAAgBa,WAAW,CAACH;YAE9BI,IAAAA,wBAAQ,EACNC,cAAcH,qBACdJ,eACA,CAACQ;gBACCA,QAAQV,OAAOU,SAASX;YAC1B;YAEF;QACF;QAEAS,IAAAA,wBAAQ,EACNC,cAAcf,kBACdiB,IAAAA,4BAAY,KACZT,eACA,CAACQ;YACCA,QAAQV,OAAOU,SAASX;QAC1B;IAEJ;AACF;AAGF,6CAA6C;AAC7C,MAAMa,4BAA4B;AAkB3B,eAAenE,iBACpBoB,WAAmB,EACnBgD,WAAgB,EAChBtC,aAA2B;IAE3B,MAAMuC,kBAAkB,MAAMvC,cAC5B,IAAI7B,IAAImB,aAAagD,aAAa3D,QAAQ,IAC1C;QACE6D,SAAS;YACP,gGAAgG;YAChGC,QAAQC,MAAMJ,eACV,6EACA;QACN;IACF;IAEF,IAAI,CAACC,gBAAgBI,EAAE,EAAE;QACvB,MAAM,IAAIC,MACR,CAAC,iDAAiD,EAAEL,gBAAgBM,MAAM,CAAC,CAAC,CAAC;IAEjF;IACA,MAAMC,kBAAkB,MAAMP,gBAAgBQ,IAAI;IAElD,IAAI,CAACC,IAAAA,eAAQ,EAACF,kBAAkB;QAC9B,MAAM,IAAIF,MACR,CAAC,yBAAyB,EAAEtD,YAAY,oBAAoB,CAAC;IAEjE;IAEA,OAAOwD;AACT;AAEA;;;;;CAKC,GACD,SAASJ,MAAMJ,
WAAgB;IAC7B,OAAOA,YAAY3D,QAAQ,OAAOX,qBAAqBW,QAAQ;AACjE;AAEA;;;;;;;;;;;;CAYC,GACD,eAAesE,kBACb3D,WAAmB,EACnBI,YAAyB,EACzB4C,WAAgB,EAChBtC,aAA2B;IAE3B,2FAA2F;IAC3F,IAAI0C,MAAMJ,gBAAgBY,IAAAA,2BAAoB,EAACxD,eAAe;QAC5D,OAAO;YACLyD,YAAYC,IAAAA,yBAAgB,EAAC9D,aAAaI;YAC1C2D,eAAe3D;QACjB;IACF;IAEA,MAAMoD,kBAAkB,MAAM5E,iBAC5BoB,aACAgD,aACAtC;IAGF,MAAMsD,WAAWC,OAAOC,IAAI,CAACV,iBAAiBQ,YAAY,CAAC,GAAGG,GAAG,CAC/D,CAACjE;QACCkE,IAAAA,4BAAqB,EAAClE;QACtB,OAAOA;IACT;IAGF,MAAM6D,gBAAgBM,IAAAA,4BAAgB,EAACL,UAAU5D;IAEjD,IAAI2D,kBAAkB,MAAM;QAC1B,MAAM,IAAIT,MACR,CAAC,+DAA+D,EAAEtD,YAAY,8BAA8B,EAAEI,aAAa,EAAE,CAAC;IAElI;IAEA,MAAMyD,aAAaL,iBAAiBQ,UAAU,CAACD,cAAc,EAAEO,MAAMC;IAErE,OAAO;QAAEV;QAAYE;IAAc;AACrC;AAEA;;;;;;;;;;;;;CAaC,GACD,eAAehC,gBACb/B,WAAmB,EACnBI,YAAyB,EACzB4C,WAAgB,EAChBtC,aAA2B;IAE3B,MAAM,EAAEmD,UAAU,EAAEE,aAAa,EAAE,GAAG,MAAMJ,kBAC1C3D,aACAI,cACA4C,aACAtC;IAGF,IAAI,CAAC8D,IAAAA,sBAAU,EAACX,eAAe,CAACA,WAAWxE,QAAQ,GAAGoF,QAAQ,CAAC,SAAS;QACtE,MAAM,IAAInB,MACR,CAAC,8DAA8D,EAAEtD,YAAY,EAAE,CAAC;IAEpF;IAEA,4EAA4E;IAC5E,MAAM0E,iBAAiB,IAAI7F,IAAImE;IAC/B,MAAM2B,gBAAgB,IAAI9F,IAAIgF;IAC9Bc,cAAcC,QAAQ,GAAGF,eAAeE,QAAQ;IAChDD,cAAcE,QAAQ,GAAGH,eAAeG,QAAQ;IAEhD,kEAAkE;IAClE,MAAMhD,kBAAkB,MAAMnB,cAAciE,cAActF,QAAQ;IAClE,IAAI,CAACwC,gBAAgBwB,EAAE,IAAI,CAACxB,gBAAgBiD,IAAI,EAAE;QAChD,MAAM,IAAIxB,MAAM,CAAC,qCAAqC,EAAEtD,YAAY,EAAE,CAAC;IACzE;IACA,2FAA2F;IAC3F,MAAM+E,oBAAoBlD,gBAAgBqB,OAAO,CAACpD,GAAG,CAAC;IACtDF,IAAAA,aAAM,EAACmF,mBAAmB;IAC1B,MAAMC,cAAcC,SAASF,mBAAmB;IAChDnF,IAAAA,aAAM,EACJoF,eAAejC,2BACf;IAEF,OAAO;QAAClB,gBAAgBiD,IAAI;QAAEf;KAAc;AAC9C;AAEA;;;CAGC,GACD,MAAMmB,0BAA0B;AAEhC;;;;;;;;CAQC,GACD,SAAStC,cAAcuC,MAAsB;IAC3C,IAAI,OAAOA,OAAOC,SAAS,KAAK,YAAY;QAC1C,OAAOD;IACT;IAEA,OAAO,IAAIE,gDAAuB,CAACF;AACrC;AAEA;;;;;;;CAOC,GACD,SAAS7C,oBACPN,aAAqB,EACrBtC,KAA+B;IAE/BE,IAAAA,aAAM,EACJoC,cAAcyC,QAAQ,CAAC,MACvB;IAGF7E,IAAAA,aAAM,EACJoC,cAAcN,UAAU,CAAC,SACzB;IAEF,oEAAoE;IACpE,2CAA2C;IAC3C,MAAM4D,gBAAgBC,IAAAA,kBAAU;IAEhC,IAAIC,YAAY;IAEhB,2EAA2E;IAC3E,qBAAqB;IACrBF,cAAcG,EAAE,CAAC,SAAS,CAA
CC,QAAQC,aAAaC;QAC9C,MAAM,EAAEC,MAAMC,UAAU,EAAEC,MAAMC,UAAU,EAAE,GAAGN;QAC/C,IAAIM,eAAe,QAAQ;YACzB,mDAAmD;YACnD,MAAMzG,OAAOuG,WAAWG,OAAO,CAACf,yBAAyB;YACzD,OAAOS,YAAYO,IAAI,CACrBC,IAAAA,qBAAM,EAAC;gBAAEC,UAAU;YAAa,GAAG,CAACC;gBAClC,IAAI;oBACFb,aAAaa,KAAKC,UAAU;oBAC5B,8EAA8E;oBAC9E1G,IAAAA,aAAM,EACJ4F,YAAYzC,2BACZ,CAAC,8BAA8B,EAAEA,0BAA0B,OAAO,CAAC;oBAErE,MAAM9D,QAAQ,IAAIsH,uBAAW,CAAC;wBAC5BC,OAAOH;wBACP9G;wBACA8G,MAAM;4BACJI,eAAe,IAAI5H,IAAIU,MAAMyC,eAAe3C,QAAQ;wBACtD;oBACF;oBACA,wFAAwF;oBACxFO,IAAAA,aAAM,EACJ,CAACF,MAAMgH,GAAG,CAACnH,OACX;oBAEFG,MAAMiH,GAAG,CAACpH,MAAMN;oBAChB,OAAO2G;gBACT,EAAE,OAAO/C,OAAO;oBACd,OAAOyC,cAAcsB,OAAO,CAAC/D;gBAC/B;YACF;QAEJ;QAEA,4EAA4E;QAC5E,0EAA0E;QAC1E,6CAA6C;QAC7C8C,YAAYF,EAAE,CAAC,OAAO,IAAMG;QAC5B,OAAOD,YAAYkB,MAAM;IAC3B;IACA,OAAOvB;AACT"}
1
+ {"version":3,"sources":["../../../../src/snaps/location/npm.ts"],"sourcesContent":["import type { SnapManifest } from '@metamask/snaps-utils';\nimport {\n createSnapManifest,\n DEFAULT_REQUESTED_SNAP_VERSION,\n getTargetVersion,\n isValidUrl,\n NpmSnapIdStruct,\n VirtualFile,\n normalizeRelative,\n parseJson,\n} from '@metamask/snaps-utils';\nimport type { SemVerRange, SemVerVersion } from '@metamask/utils';\nimport {\n assert,\n assertIsSemVerVersion,\n assertStruct,\n isObject,\n isValidSemVerVersion,\n} from '@metamask/utils';\nimport { createGunzip } from 'browserify-zlib';\nimport concat from 'concat-stream';\nimport getNpmTarballUrl from 'get-npm-tarball-url';\nimport { pipeline } from 'readable-stream';\nimport type { Readable, Writable } from 'readable-stream';\nimport { ReadableWebToNodeStream } from 'readable-web-to-node-stream';\nimport { extract as tarExtract } from 'tar-stream';\n\nimport type { DetectSnapLocationOptions, SnapLocation } from './location';\n\nexport const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');\n\ninterface NpmMeta {\n registry: URL;\n packageName: string;\n requestedRange: SemVerRange;\n version?: string;\n fetch: typeof fetch;\n resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;\n}\nexport interface NpmOptions {\n /**\n * @default DEFAULT_REQUESTED_SNAP_VERSION\n */\n versionRange?: SemVerRange;\n /**\n * Whether to allow custom NPM registries outside of {@link DEFAULT_NPM_REGISTRY}.\n *\n * @default false\n */\n allowCustomRegistries?: boolean;\n}\n\n// Base class for NPM implementation, useful for extending with custom NPM fetching logic\nexport abstract class BaseNpmLocation implements SnapLocation {\n protected readonly meta: NpmMeta;\n\n #validatedManifest?: VirtualFile<SnapManifest>;\n\n #files?: Map<string, VirtualFile>;\n\n constructor(url: URL, opts: DetectSnapLocationOptions = {}) {\n const allowCustomRegistries = opts.allowCustomRegistries ?? false;\n const fetchFunction = opts.fetch ?? 
globalThis.fetch.bind(globalThis);\n const requestedRange = opts.versionRange ?? DEFAULT_REQUESTED_SNAP_VERSION;\n const defaultResolve = async (range: SemVerRange) => range;\n const resolveVersion = opts.resolveVersion ?? defaultResolve;\n\n assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');\n\n let registry: string | URL;\n if (\n url.host === '' &&\n url.port === '' &&\n url.username === '' &&\n url.password === ''\n ) {\n registry = DEFAULT_NPM_REGISTRY;\n } else {\n registry = 'https://';\n if (url.username) {\n registry += url.username;\n if (url.password) {\n registry += `:${url.password}`;\n }\n registry += '@';\n }\n registry += url.host;\n registry = new URL(registry);\n assert(\n allowCustomRegistries,\n new TypeError(\n `Custom NPM registries are disabled, tried to use \"${registry.toString()}\".`,\n ),\n );\n }\n\n assert(\n registry.pathname === '/' &&\n registry.search === '' &&\n registry.hash === '',\n );\n\n assert(\n url.pathname !== '' && url.pathname !== '/',\n new TypeError('The package name in NPM location is empty.'),\n );\n let packageName = url.pathname;\n if (packageName.startsWith('/')) {\n packageName = packageName.slice(1);\n }\n\n this.meta = {\n requestedRange,\n registry,\n packageName,\n fetch: fetchFunction,\n resolveVersion,\n };\n }\n\n async manifest(): Promise<VirtualFile<SnapManifest>> {\n if (this.#validatedManifest) {\n return this.#validatedManifest.clone();\n }\n\n const vfile = await this.fetch('snap.manifest.json');\n const result = parseJson(vfile.toString());\n vfile.result = createSnapManifest(result);\n this.#validatedManifest = vfile as VirtualFile<SnapManifest>;\n\n return this.manifest();\n }\n\n async fetch(path: string): Promise<VirtualFile> {\n const relativePath = normalizeRelative(path);\n if (!this.#files) {\n await this.#lazyInit();\n assert(this.#files !== undefined);\n }\n const vfile = this.#files.get(relativePath);\n assert(\n vfile !== undefined,\n new TypeError(`File \"${path}\" not 
found in package.`),\n );\n return vfile.clone();\n }\n\n get packageName(): string {\n return this.meta.packageName;\n }\n\n get version(): string {\n assert(\n this.meta.version !== undefined,\n 'Tried to access version without first fetching NPM package.',\n );\n return this.meta.version;\n }\n\n get registry(): URL {\n return this.meta.registry;\n }\n\n get versionRange(): SemVerRange {\n return this.meta.requestedRange;\n }\n\n async #lazyInit() {\n assert(this.#files === undefined);\n const resolvedVersion = await this.meta.resolveVersion(\n this.meta.requestedRange,\n );\n\n const { tarballURL, targetVersion } = await resolveNpmVersion(\n this.meta.packageName,\n resolvedVersion,\n this.meta.registry,\n this.meta.fetch,\n );\n\n if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {\n throw new Error(\n `Failed to find valid tarball URL in NPM metadata for package \"${this.meta.packageName}\".`,\n );\n }\n\n // Override the tarball hostname/protocol with registryUrl hostname/protocol\n const newTarballUrl = new URL(tarballURL);\n newTarballUrl.hostname = this.meta.registry.hostname;\n newTarballUrl.protocol = this.meta.registry.protocol;\n\n const files = await this.fetchNpmTarball(newTarballUrl);\n\n this.#files = files;\n this.meta.version = targetVersion;\n }\n\n /**\n * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.\n *\n * @param tarballUrl - The tarball URL to fetch and unpack.\n * @returns A the files for the package tarball.\n * @throws If fetching the tarball fails.\n */\n abstract fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile>>;\n}\n\n// Safety limit for tarballs, 250 MB in bytes\nexport const TARBALL_SIZE_SAFETY_LIMIT = 262144000;\n\n// Main NPM implementation, contains a browser tarball fetching implementation.\nexport class NpmLocation extends BaseNpmLocation {\n /**\n * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.\n *\n * @param tarballUrl - The tarball URL 
to fetch and unpack.\n * @returns A the files for the package tarball.\n * @throws If fetching the tarball fails.\n */\n async fetchNpmTarball(\n tarballUrl: URL,\n ): Promise<Map<string, VirtualFile<unknown>>> {\n // Perform a raw fetch because we want the Response object itself.\n const tarballResponse = await this.meta.fetch(tarballUrl.toString());\n if (!tarballResponse.ok || !tarballResponse.body) {\n throw new Error(\n `Failed to fetch tarball for package \"${this.meta.packageName}\".`,\n );\n }\n\n // We assume that NPM is a good actor and provides us with a valid `content-length` header.\n const tarballSizeString = tarballResponse.headers.get('content-length');\n assert(tarballSizeString, 'Snap tarball has invalid content-length');\n const tarballSize = parseInt(tarballSizeString, 10);\n assert(\n tarballSize <= TARBALL_SIZE_SAFETY_LIMIT,\n 'Snap tarball exceeds size limit',\n );\n return new Promise((resolve, reject) => {\n const files = new Map();\n\n // The \"gz\" in \"tgz\" stands for \"gzip\". The tarball needs to be decompressed\n // before we can actually grab any files from it.\n // To prevent recursion-based zip bombs, we should not allow recursion here.\n pipeline(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n getNodeStream(tarballResponse.body!),\n createGunzip(),\n createTarballStream(\n getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName),\n files,\n ),\n (error: unknown) => {\n error ? reject(error) : resolve(files);\n },\n );\n });\n }\n}\n\n// Incomplete type\nexport type PartialNpmMetadata = {\n versions: Record<string, { dist: { tarball: string } }>;\n};\n\n/**\n * Fetches the NPM metadata of the specified package from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. 
Useful for Node.js compatibility.\n * @returns The NPM metadata object.\n * @throws If fetching the metadata fails.\n */\nexport async function fetchNpmMetadata(\n packageName: string,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<PartialNpmMetadata> {\n const packageResponse = await fetchFunction(\n new URL(packageName, registryUrl).toString(),\n {\n headers: {\n // Corgi format is slightly smaller: https://github.com/npm/pacote/blob/main/lib/registry.js#L71\n accept: isNPM(registryUrl)\n ? 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'\n : 'application/json',\n },\n },\n );\n if (!packageResponse.ok) {\n throw new Error(\n `Failed to fetch NPM registry entry. Status code: ${packageResponse.status}.`,\n );\n }\n const packageMetadata = await packageResponse.json();\n\n if (!isObject(packageMetadata)) {\n throw new Error(\n `Failed to fetch package \"${packageName}\" metadata from npm.`,\n );\n }\n\n return packageMetadata as PartialNpmMetadata;\n}\n\n/**\n * Gets the canonical base path for an NPM snap.\n *\n * @param registryUrl - A registry URL.\n * @param packageName - A package name.\n * @returns The canonical base path.\n */\nexport function getNpmCanonicalBasePath(registryUrl: URL, packageName: string) {\n let canonicalBase = 'npm://';\n if (registryUrl.username !== '') {\n canonicalBase += registryUrl.username;\n if (registryUrl.password !== '') {\n canonicalBase += `:${registryUrl.password}`;\n }\n canonicalBase += '@';\n }\n return `${canonicalBase}${registryUrl.host}/${packageName}/`;\n}\n\n/**\n * Determine if a registry URL is NPM.\n *\n * @param registryUrl - A registry url.\n * @returns True if the registry is the NPM registry, otherwise false.\n */\nfunction isNPM(registryUrl: URL) {\n return registryUrl.toString() === DEFAULT_NPM_REGISTRY.toString();\n}\n\n/**\n * Resolves a version range to a version using the NPM registry.\n *\n * Unless the version range is already a version, then the NPM registry is 
skipped.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param versionRange - The version range of the package.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns An object containing the resolved version and a URL for its tarball.\n * @throws If fetching the metadata fails.\n */\nasync function resolveNpmVersion(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<{ tarballURL: string; targetVersion: SemVerVersion }> {\n // If the version range is already a static version we don't need to look for the metadata.\n if (isNPM(registryUrl) && isValidSemVerVersion(versionRange)) {\n return {\n tarballURL: getNpmTarballUrl(packageName, versionRange),\n targetVersion: versionRange,\n };\n }\n\n const packageMetadata = await fetchNpmMetadata(\n packageName,\n registryUrl,\n fetchFunction,\n );\n\n const versions = Object.keys(packageMetadata?.versions ?? {}).map(\n (version) => {\n assertIsSemVerVersion(version);\n return version;\n },\n );\n\n const targetVersion = getTargetVersion(versions, versionRange);\n\n if (targetVersion === null) {\n throw new Error(\n `Failed to find a matching version in npm metadata for package \"${packageName}\" and requested semver range \"${versionRange}\".`,\n );\n }\n\n const tarballURL = packageMetadata?.versions?.[targetVersion]?.dist?.tarball;\n\n return { tarballURL, targetVersion };\n}\n\n/**\n * The paths of files within npm tarballs appear to always be prefixed with\n * \"package/\".\n */\nconst NPM_TARBALL_PATH_PREFIX = /^package\\//u;\n\n/**\n * Converts a {@link ReadableStream} to a Node.js {@link Readable}\n * stream. 
Returns the stream directly if it is already a Node.js stream.\n * We can't use the native Web {@link ReadableStream} directly because the\n * other stream libraries we use expect Node.js streams.\n *\n * @param stream - The stream to convert.\n * @returns The given stream as a Node.js Readable stream.\n */\nfunction getNodeStream(stream: ReadableStream): Readable {\n if (typeof stream.getReader !== 'function') {\n return stream as unknown as Readable;\n }\n\n return new ReadableWebToNodeStream(stream);\n}\n\n/**\n * Creates a `tar-stream` that will get the necessary files from an npm Snap\n * package tarball (`.tgz` file).\n *\n * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. Will be used for canonicalPath vfile argument.\n * @param files - An object to write target file contents to.\n * @returns The {@link Writable} tarball extraction stream.\n */\nfunction createTarballStream(\n canonicalBase: string,\n files: Map<string, VirtualFile>,\n): Writable {\n assert(\n canonicalBase.endsWith('/'),\n \"Base needs to end with '/' for relative paths to be added as children instead of siblings.\",\n );\n\n assert(\n canonicalBase.startsWith('npm:'),\n 'Protocol mismatch, expected \"npm:\".',\n );\n // `tar-stream` is pretty old-school, so we create it first and then\n // instrument it by adding event listeners.\n const extractStream = tarExtract();\n\n let totalSize = 0;\n\n // \"entry\" is fired for every discreet entity in the tarball. 
This includes\n // files and folders.\n extractStream.on('entry', (header, entryStream, next) => {\n const { name: headerName, type: headerType } = header;\n if (headerType === 'file') {\n // The name is a path if the header type is \"file\".\n const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');\n return entryStream.pipe(\n concat({ encoding: 'uint8array' }, (data) => {\n try {\n totalSize += data.byteLength;\n // To prevent zip bombs, we set a safety limit for the total size of tarballs.\n assert(\n totalSize < TARBALL_SIZE_SAFETY_LIMIT,\n `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`,\n );\n const vfile = new VirtualFile({\n value: data,\n path,\n data: {\n canonicalPath: new URL(path, canonicalBase).toString(),\n },\n });\n // We disallow files having identical paths as it may confuse our checksum calculations.\n assert(\n !files.has(path),\n 'Malformed tarball, multiple files with the same path.',\n );\n files.set(path, vfile);\n return next();\n } catch (error) {\n return extractStream.destroy(error);\n }\n }),\n );\n }\n\n // If we get here, the entry is not a file, and we want to ignore. The entry\n // stream must be drained, or the extractStream will stop reading. 
This is\n // effectively a no-op for the current entry.\n entryStream.on('end', () => next());\n return entryStream.resume();\n });\n return extractStream;\n}\n"],"names":["DEFAULT_NPM_REGISTRY","BaseNpmLocation","TARBALL_SIZE_SAFETY_LIMIT","NpmLocation","fetchNpmMetadata","getNpmCanonicalBasePath","URL","manifest","validatedManifest","clone","vfile","fetch","result","parseJson","toString","createSnapManifest","path","relativePath","normalizeRelative","files","lazyInit","assert","undefined","get","TypeError","packageName","meta","version","registry","versionRange","requestedRange","constructor","url","opts","allowCustomRegistries","fetchFunction","globalThis","bind","DEFAULT_REQUESTED_SNAP_VERSION","defaultResolve","range","resolveVersion","assertStruct","NpmSnapIdStruct","host","port","username","password","pathname","search","hash","startsWith","slice","resolvedVersion","tarballURL","targetVersion","resolveNpmVersion","isValidUrl","endsWith","Error","newTarballUrl","hostname","protocol","fetchNpmTarball","tarballUrl","tarballResponse","ok","body","tarballSizeString","headers","tarballSize","parseInt","Promise","resolve","reject","Map","pipeline","getNodeStream","createGunzip","createTarballStream","error","registryUrl","packageResponse","accept","isNPM","status","packageMetadata","json","isObject","canonicalBase","isValidSemVerVersion","getNpmTarballUrl","versions","Object","keys","map","assertIsSemVerVersion","getTargetVersion","dist","tarball","NPM_TARBALL_PATH_PREFIX","stream","getReader","ReadableWebToNodeStream","extractStream","tarExtract","totalSize","on","header","entryStream","next","name","headerName","type","headerType","replace","pipe","concat","encoding","data","byteLength","VirtualFile","value","canonicalPath","has","set","destroy","resume"],"mappings":";;;;;;;;;;;IA6BaA,oBAAoB;eAApBA;;IAwBSC,eAAe;eAAfA;;IA2JTC,yBAAyB;eAAzBA;;IAGAC,WAAW;eAAXA;;IAiESC,gBAAgB;eAAhBA;;IAuCNC,uBAAuB;eAAvBA;;;4BAjTT;uBAQA;gCACsB;qEACV;yEACU;gCACJ;yCAEe;2BACF;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAI/B,MAAML,uBAAuB,IAAIM,IAAI;IA2B1C,kDAEA,sCA6GM;AAlHD,MAAeL;IAmEpB,MAAMM,WAA+C;QACnD,6BAAI,IAAI,EAAEC,qBAAmB;YAC3B,OAAO,yBAAA,IAAI,EAAEA,oBAAkBC,KAAK;QACtC;QAEA,MAAMC,QAAQ,MAAM,IAAI,CAACC,KAAK,CAAC;QAC/B,MAAMC,SAASC,IAAAA,qBAAS,EAACH,MAAMI,QAAQ;QACvCJ,MAAME,MAAM,GAAGG,IAAAA,8BAAkB,EAACH;uCAC5BJ,oBAAoBE;QAE1B,OAAO,IAAI,CAACH,QAAQ;IACtB;IAEA,MAAMI,MAAMK,IAAY,EAAwB;QAC9C,MAAMC,eAAeC,IAAAA,6BAAiB,EAACF;QACvC,IAAI,0BAAC,IAAI,EAAEG,SAAO;YAChB,MAAM,0BAAA,IAAI,EAAEC,WAAAA,eAAN,IAAI;YACVC,IAAAA,aAAM,EAAC,yBAAA,IAAI,EAAEF,YAAUG;QACzB;QACA,MAAMZ,QAAQ,yBAAA,IAAI,EAAES,QAAMI,GAAG,CAACN;QAC9BI,IAAAA,aAAM,EACJX,UAAUY,WACV,IAAIE,UAAU,CAAC,MAAM,EAAER,KAAK,uBAAuB,CAAC;QAEtD,OAAON,MAAMD,KAAK;IACpB;IAEA,IAAIgB,cAAsB;QACxB,OAAO,IAAI,CAACC,IAAI,CAACD,WAAW;IAC9B;IAEA,IAAIE,UAAkB;QACpBN,IAAAA,aAAM,EACJ,IAAI,CAACK,IAAI,CAACC,OAAO,KAAKL,WACtB;QAEF,OAAO,IAAI,CAACI,IAAI,CAACC,OAAO;IAC1B;IAEA,IAAIC,WAAgB;QAClB,OAAO,IAAI,CAACF,IAAI,CAACE,QAAQ;IAC3B;IAEA,IAAIC,eAA4B;QAC9B,OAAO,IAAI,CAACH,IAAI,CAACI,cAAc;IACjC;IAzGAC,YAAYC,GAAQ,EAAEC,OAAkC,CAAC,CAAC,CAAE;QA2G5D,iCAAM;QAjHN,uBAAmBP,QAAnB,KAAA;QAEA,gCAAA;;mBAAA,KAAA;;QAEA,gCAAA;;mBAAA,KAAA;;QAGE,MAAMQ,wBAAwBD,KAAKC,qBAAqB,IAAI;QAC5D,MAAMC,gBAAgBF,KAAKtB,KAAK,IAAIyB,WAAWzB,KAAK,CAAC0B,IAAI,CAACD;QAC1D,MAAMN,iBAAiBG,KAAKJ,YAAY,IAAIS,0CAA8B;QAC1E,MAAMC,iBAAiB,OAAOC,QAAuBA;QACrD,MAAMC,iBAAiBR,KAAKQ,cAAc,IAAIF;QAE9CG,IAAAA,mBAAY,EAACV,IAAIlB,QAAQ,IAAI6B,2BAAe,EAAE;QAE9C,IAAIf;QACJ,IACEI,IAAIY,IAAI,KAAK,MACbZ,IAAIa,IAAI,KAAK,MACbb,IAAIc,QAAQ,KAAK,MACjBd,IAAIe,QAAQ,KAAK,IACjB;YACAnB,WAAW5B;QACb,OAAO;YACL4B,WAAW;YACX,IAAII,IAAIc,QAAQ,EAAE;gBAChBlB,YAAYI,IAAIc,QAAQ;gBACxB,IAAId,IAAIe,QAAQ,EAAE;oBAChBnB,YAAY,CAAC,CAAC,EAAEI,IAAIe,QAAQ,CAAC,CAAC;gBAChC;gBACAnB,YAAY;YACd;YACAA,YAAYI,IAAIY,IAAI;YACpBhB,WAAW,IAAItB,IAAIsB;YACnBP,IAAAA,aAAM,EACJa,uBACA,IAAIV,UACF,CAAC,kDAAkD,EAAEI,SAASd,QAAQ,GAAG,EAAE,CAAC;QAGlF;QAEAO,IAAAA,aAAM,EACJO,SAASoB,QAAQ,KAAK,OACpBpB,SAASqB,MAAM,KAAK,MACpBrB,SAASsB,IAAI,KAAK;QAGtB7B
,IAAAA,aAAM,EACJW,IAAIgB,QAAQ,KAAK,MAAMhB,IAAIgB,QAAQ,KAAK,KACxC,IAAIxB,UAAU;QAEhB,IAAIC,cAAcO,IAAIgB,QAAQ;QAC9B,IAAIvB,YAAY0B,UAAU,CAAC,MAAM;YAC/B1B,cAAcA,YAAY2B,KAAK,CAAC;QAClC;QAEA,IAAI,CAAC1B,IAAI,GAAG;YACVI;YACAF;YACAH;YACAd,OAAOwB;YACPM;QACF;IACF;AAuFF;AAtCE,eAAA;IACEpB,IAAAA,aAAM,EAAC,yBAAA,IAAI,EAAEF,YAAUG;IACvB,MAAM+B,kBAAkB,MAAM,IAAI,CAAC3B,IAAI,CAACe,cAAc,CACpD,IAAI,CAACf,IAAI,CAACI,cAAc;IAG1B,MAAM,EAAEwB,UAAU,EAAEC,aAAa,EAAE,GAAG,MAAMC,kBAC1C,IAAI,CAAC9B,IAAI,CAACD,WAAW,EACrB4B,iBACA,IAAI,CAAC3B,IAAI,CAACE,QAAQ,EAClB,IAAI,CAACF,IAAI,CAACf,KAAK;IAGjB,IAAI,CAAC8C,IAAAA,sBAAU,EAACH,eAAe,CAACA,WAAWxC,QAAQ,GAAG4C,QAAQ,CAAC,SAAS;QACtE,MAAM,IAAIC,MACR,CAAC,8DAA8D,EAAE,IAAI,CAACjC,IAAI,CAACD,WAAW,CAAC,EAAE,CAAC;IAE9F;IAEA,4EAA4E;IAC5E,MAAMmC,gBAAgB,IAAItD,IAAIgD;IAC9BM,cAAcC,QAAQ,GAAG,IAAI,CAACnC,IAAI,CAACE,QAAQ,CAACiC,QAAQ;IACpDD,cAAcE,QAAQ,GAAG,IAAI,CAACpC,IAAI,CAACE,QAAQ,CAACkC,QAAQ;IAEpD,MAAM3C,QAAQ,MAAM,IAAI,CAAC4C,eAAe,CAACH;mCAEnCzC,QAAQA;IACd,IAAI,CAACO,IAAI,CAACC,OAAO,GAAG4B;AACtB;AAaK,MAAMrD,4BAA4B;AAGlC,MAAMC,oBAAoBF;IAC/B;;;;;;GAMC,GACD,MAAM8D,gBACJC,UAAe,EAC6B;QAC5C,kEAAkE;QAClE,MAAMC,kBAAkB,MAAM,IAAI,CAACvC,IAAI,CAACf,KAAK,CAACqD,WAAWlD,QAAQ;QACjE,IAAI,CAACmD,gBAAgBC,EAAE,IAAI,CAACD,gBAAgBE,IAAI,EAAE;YAChD,MAAM,IAAIR,MACR,CAAC,qCAAqC,EAAE,IAAI,CAACjC,IAAI,CAACD,WAAW,CAAC,EAAE,CAAC;QAErE;QAEA,2FAA2F;QAC3F,MAAM2C,oBAAoBH,gBAAgBI,OAAO,CAAC9C,GAAG,CAAC;QACtDF,IAAAA,aAAM,EAAC+C,mBAAmB;QAC1B,MAAME,cAAcC,SAASH,mBAAmB;QAChD/C,IAAAA,aAAM,EACJiD,eAAepE,2BACf;QAEF,OAAO,IAAIsE,QAAQ,CAACC,SAASC;YAC3B,MAAMvD,QAAQ,IAAIwD;YAElB,4EAA4E;YAC5E,iDAAiD;YACjD,4EAA4E;YAC5EC,IAAAA,wBAAQ,EACN,oEAAoE;YACpEC,cAAcZ,gBAAgBE,IAAI,GAClCW,IAAAA,4BAAY,KACZC,oBACE1E,wBAAwB,IAAI,CAACqB,IAAI,CAACE,QAAQ,EAAE,IAAI,CAACF,IAAI,CAACD,WAAW,GACjEN,QAEF,CAAC6D;gBACCA,QAAQN,OAAOM,SAASP,QAAQtD;YAClC;QAEJ;IACF;AACF;AAkBO,eAAef,iBACpBqB,WAAmB,EACnBwD,WAAgB,EAChB9C,aAA2B;IAE3B,MAAM+C,kBAAkB,MAAM/C,cAC5B,IAAI7B,IAAImB,aAAawD,aAAanE,QAAQ,IAC1C;QACEuD,SAAS;YACP,gGAAgG;YAChGc,QAAQC,MAAMH,eACV,6EACA;Q
ACN;IACF;IAEF,IAAI,CAACC,gBAAgBhB,EAAE,EAAE;QACvB,MAAM,IAAIP,MACR,CAAC,iDAAiD,EAAEuB,gBAAgBG,MAAM,CAAC,CAAC,CAAC;IAEjF;IACA,MAAMC,kBAAkB,MAAMJ,gBAAgBK,IAAI;IAElD,IAAI,CAACC,IAAAA,eAAQ,EAACF,kBAAkB;QAC9B,MAAM,IAAI3B,MACR,CAAC,yBAAyB,EAAElC,YAAY,oBAAoB,CAAC;IAEjE;IAEA,OAAO6D;AACT;AASO,SAASjF,wBAAwB4E,WAAgB,EAAExD,WAAmB;IAC3E,IAAIgE,gBAAgB;IACpB,IAAIR,YAAYnC,QAAQ,KAAK,IAAI;QAC/B2C,iBAAiBR,YAAYnC,QAAQ;QACrC,IAAImC,YAAYlC,QAAQ,KAAK,IAAI;YAC/B0C,iBAAiB,CAAC,CAAC,EAAER,YAAYlC,QAAQ,CAAC,CAAC;QAC7C;QACA0C,iBAAiB;IACnB;IACA,OAAO,CAAC,EAAEA,cAAc,EAAER,YAAYrC,IAAI,CAAC,CAAC,EAAEnB,YAAY,CAAC,CAAC;AAC9D;AAEA;;;;;CAKC,GACD,SAAS2D,MAAMH,WAAgB;IAC7B,OAAOA,YAAYnE,QAAQ,OAAOd,qBAAqBc,QAAQ;AACjE;AAEA;;;;;;;;;;;;CAYC,GACD,eAAe0C,kBACb/B,WAAmB,EACnBI,YAAyB,EACzBoD,WAAgB,EAChB9C,aAA2B;IAE3B,2FAA2F;IAC3F,IAAIiD,MAAMH,gBAAgBS,IAAAA,2BAAoB,EAAC7D,eAAe;QAC5D,OAAO;YACLyB,YAAYqC,IAAAA,yBAAgB,EAAClE,aAAaI;YAC1C0B,eAAe1B;QACjB;IACF;IAEA,MAAMyD,kBAAkB,MAAMlF,iBAC5BqB,aACAwD,aACA9C;IAGF,MAAMyD,WAAWC,OAAOC,IAAI,CAACR,iBAAiBM,YAAY,CAAC,GAAGG,GAAG,CAC/D,CAACpE;QACCqE,IAAAA,4BAAqB,EAACrE;QACtB,OAAOA;IACT;IAGF,MAAM4B,gBAAgB0C,IAAAA,4BAAgB,EAACL,UAAU/D;IAEjD,IAAI0B,kBAAkB,MAAM;QAC1B,MAAM,IAAII,MACR,CAAC,+DAA+D,EAAElC,YAAY,8BAA8B,EAAEI,aAAa,EAAE,CAAC;IAElI;IAEA,MAAMyB,aAAagC,iBAAiBM,UAAU,CAACrC,cAAc,EAAE2C,MAAMC;IAErE,OAAO;QAAE7C;QAAYC;IAAc;AACrC;AAEA;;;CAGC,GACD,MAAM6C,0BAA0B;AAEhC;;;;;;;;CAQC,GACD,SAASvB,cAAcwB,MAAsB;IAC3C,IAAI,OAAOA,OAAOC,SAAS,KAAK,YAAY;QAC1C,OAAOD;IACT;IAEA,OAAO,IAAIE,gDAAuB,CAACF;AACrC;AAEA;;;;;;;CAOC,GACD,SAAStB,oBACPU,aAAqB,EACrBtE,KAA+B;IAE/BE,IAAAA,aAAM,EACJoE,cAAc/B,QAAQ,CAAC,MACvB;IAGFrC,IAAAA,aAAM,EACJoE,cAActC,UAAU,CAAC,SACzB;IAEF,oEAAoE;IACpE,2CAA2C;IAC3C,MAAMqD,gBAAgBC,IAAAA,kBAAU;IAEhC,IAAIC,YAAY;IAEhB,2EAA2E;IAC3E,qBAAqB;IACrBF,cAAcG,EAAE,CAAC,SAAS,CAACC,QAAQC,aAAaC;QAC9C,MAAM,EAAEC,MAAMC,UAAU,EAAEC,MAAMC,UAAU,EAAE,GAAGN;QAC/C,IAAIM,eAAe,QAAQ;YACzB,mDAAmD;YACnD,MAAMlG,OAAOgG,WAAWG,OAAO,CAACf,yBAAyB;YACzD,OAAOS,YAAYO,IAAI,CACrBC,IAAAA,qBAAM,EAAC;gBAAEC,UAAU;YAAa,GAAG,CAACC;
gBAClC,IAAI;oBACFb,aAAaa,KAAKC,UAAU;oBAC5B,8EAA8E;oBAC9EnG,IAAAA,aAAM,EACJqF,YAAYxG,2BACZ,CAAC,8BAA8B,EAAEA,0BAA0B,OAAO,CAAC;oBAErE,MAAMQ,QAAQ,IAAI+G,uBAAW,CAAC;wBAC5BC,OAAOH;wBACPvG;wBACAuG,MAAM;4BACJI,eAAe,IAAIrH,IAAIU,MAAMyE,eAAe3E,QAAQ;wBACtD;oBACF;oBACA,wFAAwF;oBACxFO,IAAAA,aAAM,EACJ,CAACF,MAAMyG,GAAG,CAAC5G,OACX;oBAEFG,MAAM0G,GAAG,CAAC7G,MAAMN;oBAChB,OAAOoG;gBACT,EAAE,OAAO9B,OAAO;oBACd,OAAOwB,cAAcsB,OAAO,CAAC9C;gBAC/B;YACF;QAEJ;QAEA,4EAA4E;QAC5E,0EAA0E;QAC1E,6CAA6C;QAC7C6B,YAAYF,EAAE,CAAC,OAAO,IAAMG;QAC5B,OAAOD,YAAYkB,MAAM;IAC3B;IACA,OAAOvB;AACT"}
@@ -3,6 +3,41 @@ function _check_private_redeclaration(obj, privateCollection) {
3
3
  throw new TypeError("Cannot initialize the same private elements twice on an object");
4
4
  }
5
5
  }
6
+ function _class_apply_descriptor_get(receiver, descriptor) {
7
+ if (descriptor.get) {
8
+ return descriptor.get.call(receiver);
9
+ }
10
+ return descriptor.value;
11
+ }
12
+ function _class_apply_descriptor_set(receiver, descriptor, value) {
13
+ if (descriptor.set) {
14
+ descriptor.set.call(receiver, value);
15
+ } else {
16
+ if (!descriptor.writable) {
17
+ throw new TypeError("attempted to set read only private field");
18
+ }
19
+ descriptor.value = value;
20
+ }
21
+ }
22
+ function _class_extract_field_descriptor(receiver, privateMap, action) {
23
+ if (!privateMap.has(receiver)) {
24
+ throw new TypeError("attempted to " + action + " private field on non-instance");
25
+ }
26
+ return privateMap.get(receiver);
27
+ }
28
+ function _class_private_field_get(receiver, privateMap) {
29
+ var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
30
+ return _class_apply_descriptor_get(receiver, descriptor);
31
+ }
32
+ function _class_private_field_init(obj, privateMap, value) {
33
+ _check_private_redeclaration(obj, privateMap);
34
+ privateMap.set(obj, value);
35
+ }
36
+ function _class_private_field_set(receiver, privateMap, value) {
37
+ var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
38
+ _class_apply_descriptor_set(receiver, descriptor, value);
39
+ return value;
40
+ }
6
41
  function _class_private_method_get(receiver, privateSet, fn) {
7
42
  if (!privateSet.has(receiver)) {
8
43
  throw new TypeError("attempted to get private field on non-instance");
@@ -35,25 +70,26 @@ import { pipeline } from 'readable-stream';
35
70
  import { ReadableWebToNodeStream } from 'readable-web-to-node-stream';
36
71
  import { extract as tarExtract } from 'tar-stream';
37
72
  export const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');
38
- var _lazyInit = /*#__PURE__*/ new WeakSet();
39
- export class NpmLocation {
73
+ var _validatedManifest = /*#__PURE__*/ new WeakMap(), _files = /*#__PURE__*/ new WeakMap(), _lazyInit = /*#__PURE__*/ new WeakSet();
74
+ // Base class for NPM implementation, useful for extending with custom NPM fetching logic
75
+ export class BaseNpmLocation {
40
76
  async manifest() {
41
- if (this.validatedManifest) {
42
- return this.validatedManifest.clone();
77
+ if (_class_private_field_get(this, _validatedManifest)) {
78
+ return _class_private_field_get(this, _validatedManifest).clone();
43
79
  }
44
80
  const vfile = await this.fetch('snap.manifest.json');
45
81
  const result = parseJson(vfile.toString());
46
82
  vfile.result = createSnapManifest(result);
47
- this.validatedManifest = vfile;
83
+ _class_private_field_set(this, _validatedManifest, vfile);
48
84
  return this.manifest();
49
85
  }
50
86
  async fetch(path) {
51
87
  const relativePath = normalizeRelative(path);
52
- if (!this.files) {
88
+ if (!_class_private_field_get(this, _files)) {
53
89
  await _class_private_method_get(this, _lazyInit, lazyInit).call(this);
54
- assert(this.files !== undefined);
90
+ assert(_class_private_field_get(this, _files) !== undefined);
55
91
  }
56
- const vfile = this.files.get(relativePath);
92
+ const vfile = _class_private_field_get(this, _files).get(relativePath);
57
93
  assert(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
58
94
  return vfile.clone();
59
95
  }
@@ -73,8 +109,14 @@ export class NpmLocation {
73
109
  constructor(url, opts = {}){
74
110
  _class_private_method_init(this, _lazyInit);
75
111
  _define_property(this, "meta", void 0);
76
- _define_property(this, "validatedManifest", void 0);
77
- _define_property(this, "files", void 0);
112
+ _class_private_field_init(this, _validatedManifest, {
113
+ writable: true,
114
+ value: void 0
115
+ });
116
+ _class_private_field_init(this, _files, {
117
+ writable: true,
118
+ value: void 0
119
+ });
78
120
  const allowCustomRegistries = opts.allowCustomRegistries ?? false;
79
121
  const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
80
122
  const requestedRange = opts.versionRange ?? DEFAULT_REQUESTED_SNAP_VERSION;
@@ -113,43 +155,53 @@ export class NpmLocation {
113
155
  }
114
156
  }
115
157
  async function lazyInit() {
116
- assert(this.files === undefined);
158
+ assert(_class_private_field_get(this, _files) === undefined);
117
159
  const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange);
118
- const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
119
- this.meta.version = actualVersion;
120
- let canonicalBase = 'npm://';
121
- if (this.meta.registry.username !== '') {
122
- canonicalBase += this.meta.registry.username;
123
- if (this.meta.registry.password !== '') {
124
- canonicalBase += `:${this.meta.registry.password}`;
125
- }
126
- canonicalBase += '@';
160
+ const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
161
+ if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {
162
+ throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`);
127
163
  }
128
- canonicalBase += this.meta.registry.host;
129
- // TODO(ritave): Lazily extract files instead of up-front extracting all of them
130
- // We would need to replace tar-stream package because it requires immediate consumption of streams.
131
- await new Promise((resolve, reject)=>{
132
- this.files = new Map();
133
- const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files);
134
- // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
135
- // before we can actually grab any files from it.
136
- // To prevent recursion-based zip bombs, we should not allow recursion here.
137
- // If native decompression stream is available we use that, otherwise fallback to zlib
138
- if ('DecompressionStream' in globalThis) {
139
- const decompressionStream = new DecompressionStream('gzip');
140
- const decompressedStream = tarballResponse.pipeThrough(decompressionStream);
141
- pipeline(getNodeStream(decompressedStream), tarballStream, (error)=>{
142
- error ? reject(error) : resolve();
143
- });
144
- return;
164
+ // Override the tarball hostname/protocol with registryUrl hostname/protocol
165
+ const newTarballUrl = new URL(tarballURL);
166
+ newTarballUrl.hostname = this.meta.registry.hostname;
167
+ newTarballUrl.protocol = this.meta.registry.protocol;
168
+ const files = await this.fetchNpmTarball(newTarballUrl);
169
+ _class_private_field_set(this, _files, files);
170
+ this.meta.version = targetVersion;
171
+ }
172
+ // Safety limit for tarballs, 250 MB in bytes
173
+ export const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
174
+ // Main NPM implementation, contains a browser tarball fetching implementation.
175
+ export class NpmLocation extends BaseNpmLocation {
176
+ /**
177
+ * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
178
+ *
179
+ * @param tarballUrl - The tarball URL to fetch and unpack.
180
+ * @returns A the files for the package tarball.
181
+ * @throws If fetching the tarball fails.
182
+ */ async fetchNpmTarball(tarballUrl) {
183
+ // Perform a raw fetch because we want the Response object itself.
184
+ const tarballResponse = await this.meta.fetch(tarballUrl.toString());
185
+ if (!tarballResponse.ok || !tarballResponse.body) {
186
+ throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`);
145
187
  }
146
- pipeline(getNodeStream(tarballResponse), createGunzip(), tarballStream, (error)=>{
147
- error ? reject(error) : resolve();
188
+ // We assume that NPM is a good actor and provides us with a valid `content-length` header.
189
+ const tarballSizeString = tarballResponse.headers.get('content-length');
190
+ assert(tarballSizeString, 'Snap tarball has invalid content-length');
191
+ const tarballSize = parseInt(tarballSizeString, 10);
192
+ assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
193
+ return new Promise((resolve, reject)=>{
194
+ const files = new Map();
195
+ // The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
196
+ // before we can actually grab any files from it.
197
+ // To prevent recursion-based zip bombs, we should not allow recursion here.
198
+ pipeline(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
199
+ getNodeStream(tarballResponse.body), createGunzip(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
200
+ error ? reject(error) : resolve(files);
201
+ });
148
202
  });
149
- });
203
+ }
150
204
  }
151
- // Safety limit for tarballs, 250 MB in bytes
152
- const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
153
205
  /**
154
206
  * Fetches the NPM metadata of the specified package from
155
207
  * the public npm registry.
@@ -176,6 +228,23 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
176
228
  }
177
229
  return packageMetadata;
178
230
  }
231
+ /**
232
+ * Gets the canonical base path for an NPM snap.
233
+ *
234
+ * @param registryUrl - A registry URL.
235
+ * @param packageName - A package name.
236
+ * @returns The canonical base path.
237
+ */ export function getNpmCanonicalBasePath(registryUrl, packageName) {
238
+ let canonicalBase = 'npm://';
239
+ if (registryUrl.username !== '') {
240
+ canonicalBase += registryUrl.username;
241
+ if (registryUrl.password !== '') {
242
+ canonicalBase += `:${registryUrl.password}`;
243
+ }
244
+ canonicalBase += '@';
245
+ }
246
+ return `${canonicalBase}${registryUrl.host}/${packageName}/`;
247
+ }
179
248
  /**
180
249
  * Determine if a registry URL is NPM.
181
250
  *
@@ -219,44 +288,6 @@ const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
219
288
  targetVersion
220
289
  };
221
290
  }
222
- /**
223
- * Fetches the tarball (`.tgz` file) of the specified package and version from
224
- * the public npm registry.
225
- *
226
- * @param packageName - The name of the package whose tarball to fetch.
227
- * @param versionRange - The SemVer range of the package to fetch. The highest
228
- * version satisfying the range will be fetched.
229
- * @param registryUrl - The URL of the npm registry to fetch the tarball from.
230
- * @param fetchFunction - The fetch function to use. Defaults to the global
231
- * {@link fetch}. Useful for Node.js compatibility.
232
- * @returns A tuple of the {@link Response} for the package tarball and the
233
- * actual version of the package.
234
- * @throws If fetching the tarball fails.
235
- */ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
236
- const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction);
237
- if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {
238
- throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`);
239
- }
240
- // Override the tarball hostname/protocol with registryUrl hostname/protocol
241
- const newRegistryUrl = new URL(registryUrl);
242
- const newTarballUrl = new URL(tarballURL);
243
- newTarballUrl.hostname = newRegistryUrl.hostname;
244
- newTarballUrl.protocol = newRegistryUrl.protocol;
245
- // Perform a raw fetch because we want the Response object itself.
246
- const tarballResponse = await fetchFunction(newTarballUrl.toString());
247
- if (!tarballResponse.ok || !tarballResponse.body) {
248
- throw new Error(`Failed to fetch tarball for package "${packageName}".`);
249
- }
250
- // We assume that NPM is a good actor and provides us with a valid `content-length` header.
251
- const tarballSizeString = tarballResponse.headers.get('content-length');
252
- assert(tarballSizeString, 'Snap tarball has invalid content-length');
253
- const tarballSize = parseInt(tarballSizeString, 10);
254
- assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
255
- return [
256
- tarballResponse.body,
257
- targetVersion
258
- ];
259
- }
260
291
  /**
261
292
  * The paths of files within npm tarballs appear to always be prefixed with
262
293
  * "package/".
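Review bot: In `lazyInit`, the tarball URL taken from registry metadata is pinned to the configured registry only through `hostname` and `protocol`, so its port and any userinfo still come from the metadata response. If the override is meant to guarantee that the download goes to the configured registry, also set `newTarballUrl.port = this.meta.registry.port;`. The `.tgz` test just above it runs on the full URL string, so a query or fragment ending in `.tgz` satisfies it; `!isValidUrl(tarballURL) || !new URL(tarballURL).pathname.endsWith('.tgz')` would bind the check to the path. Both lines were carried over from the removed `fetchNpmTarball`, but they now sit in `BaseNpmLocation`, which the added comment describes as the extension point for custom fetching logic, so the looser validation is inherited by every subclass.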
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../../src/snaps/location/npm.ts"],"sourcesContent":["import type { SnapManifest } from '@metamask/snaps-utils';\nimport {\n createSnapManifest,\n DEFAULT_REQUESTED_SNAP_VERSION,\n getTargetVersion,\n isValidUrl,\n NpmSnapIdStruct,\n VirtualFile,\n normalizeRelative,\n parseJson,\n} from '@metamask/snaps-utils';\nimport type { SemVerRange, SemVerVersion } from '@metamask/utils';\nimport {\n assert,\n assertIsSemVerVersion,\n assertStruct,\n isObject,\n isValidSemVerVersion,\n} from '@metamask/utils';\nimport { createGunzip } from 'browserify-zlib';\nimport concat from 'concat-stream';\nimport getNpmTarballUrl from 'get-npm-tarball-url';\nimport { pipeline } from 'readable-stream';\nimport type { Readable, Writable } from 'readable-stream';\nimport { ReadableWebToNodeStream } from 'readable-web-to-node-stream';\nimport { extract as tarExtract } from 'tar-stream';\n\nimport type { DetectSnapLocationOptions, SnapLocation } from './location';\n\nexport const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');\n\ninterface NpmMeta {\n registry: URL;\n packageName: string;\n requestedRange: SemVerRange;\n version?: string;\n fetch: typeof fetch;\n resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;\n}\nexport interface NpmOptions {\n /**\n * @default DEFAULT_REQUESTED_SNAP_VERSION\n */\n versionRange?: SemVerRange;\n /**\n * Whether to allow custom NPM registries outside of {@link DEFAULT_NPM_REGISTRY}.\n *\n * @default false\n */\n allowCustomRegistries?: boolean;\n}\n\nexport class NpmLocation implements SnapLocation {\n private readonly meta: NpmMeta;\n\n private validatedManifest?: VirtualFile<SnapManifest>;\n\n private files?: Map<string, VirtualFile>;\n\n constructor(url: URL, opts: DetectSnapLocationOptions = {}) {\n const allowCustomRegistries = opts.allowCustomRegistries ?? false;\n const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);\n const requestedRange = opts.versionRange ?? 
DEFAULT_REQUESTED_SNAP_VERSION;\n const defaultResolve = async (range: SemVerRange) => range;\n const resolveVersion = opts.resolveVersion ?? defaultResolve;\n\n assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');\n\n let registry: string | URL;\n if (\n url.host === '' &&\n url.port === '' &&\n url.username === '' &&\n url.password === ''\n ) {\n registry = DEFAULT_NPM_REGISTRY;\n } else {\n registry = 'https://';\n if (url.username) {\n registry += url.username;\n if (url.password) {\n registry += `:${url.password}`;\n }\n registry += '@';\n }\n registry += url.host;\n registry = new URL(registry);\n assert(\n allowCustomRegistries,\n new TypeError(\n `Custom NPM registries are disabled, tried to use \"${registry.toString()}\".`,\n ),\n );\n }\n\n assert(\n registry.pathname === '/' &&\n registry.search === '' &&\n registry.hash === '',\n );\n\n assert(\n url.pathname !== '' && url.pathname !== '/',\n new TypeError('The package name in NPM location is empty.'),\n );\n let packageName = url.pathname;\n if (packageName.startsWith('/')) {\n packageName = packageName.slice(1);\n }\n\n this.meta = {\n requestedRange,\n registry,\n packageName,\n fetch: fetchFunction,\n resolveVersion,\n };\n }\n\n async manifest(): Promise<VirtualFile<SnapManifest>> {\n if (this.validatedManifest) {\n return this.validatedManifest.clone();\n }\n\n const vfile = await this.fetch('snap.manifest.json');\n const result = parseJson(vfile.toString());\n vfile.result = createSnapManifest(result);\n this.validatedManifest = vfile as VirtualFile<SnapManifest>;\n\n return this.manifest();\n }\n\n async fetch(path: string): Promise<VirtualFile> {\n const relativePath = normalizeRelative(path);\n if (!this.files) {\n await this.#lazyInit();\n assert(this.files !== undefined);\n }\n const vfile = this.files.get(relativePath);\n assert(\n vfile !== undefined,\n new TypeError(`File \"${path}\" not found in package.`),\n );\n return vfile.clone();\n }\n\n get packageName(): string {\n 
return this.meta.packageName;\n }\n\n get version(): string {\n assert(\n this.meta.version !== undefined,\n 'Tried to access version without first fetching NPM package.',\n );\n return this.meta.version;\n }\n\n get registry(): URL {\n return this.meta.registry;\n }\n\n get versionRange(): SemVerRange {\n return this.meta.requestedRange;\n }\n\n async #lazyInit() {\n assert(this.files === undefined);\n const resolvedVersion = await this.meta.resolveVersion(\n this.meta.requestedRange,\n );\n const [tarballResponse, actualVersion] = await fetchNpmTarball(\n this.meta.packageName,\n resolvedVersion,\n this.meta.registry,\n this.meta.fetch,\n );\n this.meta.version = actualVersion;\n\n let canonicalBase = 'npm://';\n if (this.meta.registry.username !== '') {\n canonicalBase += this.meta.registry.username;\n if (this.meta.registry.password !== '') {\n canonicalBase += `:${this.meta.registry.password}`;\n }\n canonicalBase += '@';\n }\n canonicalBase += this.meta.registry.host;\n\n // TODO(ritave): Lazily extract files instead of up-front extracting all of them\n // We would need to replace tar-stream package because it requires immediate consumption of streams.\n await new Promise<void>((resolve, reject) => {\n this.files = new Map();\n\n const tarballStream = createTarballStream(\n `${canonicalBase}/${this.meta.packageName}/`,\n this.files,\n );\n\n // The \"gz\" in \"tgz\" stands for \"gzip\". The tarball needs to be decompressed\n // before we can actually grab any files from it.\n // To prevent recursion-based zip bombs, we should not allow recursion here.\n\n // If native decompression stream is available we use that, otherwise fallback to zlib\n if ('DecompressionStream' in globalThis) {\n const decompressionStream = new DecompressionStream('gzip');\n const decompressedStream =\n tarballResponse.pipeThrough(decompressionStream);\n\n pipeline(\n getNodeStream(decompressedStream),\n tarballStream,\n (error: unknown) => {\n error ? 
reject(error) : resolve();\n },\n );\n return;\n }\n\n pipeline(\n getNodeStream(tarballResponse),\n createGunzip(),\n tarballStream,\n (error: unknown) => {\n error ? reject(error) : resolve();\n },\n );\n });\n }\n}\n\n// Safety limit for tarballs, 250 MB in bytes\nconst TARBALL_SIZE_SAFETY_LIMIT = 262144000;\n\n// Incomplete type\nexport type PartialNpmMetadata = {\n versions: Record<string, { dist: { tarball: string } }>;\n};\n\n/**\n * Fetches the NPM metadata of the specified package from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns The NPM metadata object.\n * @throws If fetching the metadata fails.\n */\nexport async function fetchNpmMetadata(\n packageName: string,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<PartialNpmMetadata> {\n const packageResponse = await fetchFunction(\n new URL(packageName, registryUrl).toString(),\n {\n headers: {\n // Corgi format is slightly smaller: https://github.com/npm/pacote/blob/main/lib/registry.js#L71\n accept: isNPM(registryUrl)\n ? 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'\n : 'application/json',\n },\n },\n );\n if (!packageResponse.ok) {\n throw new Error(\n `Failed to fetch NPM registry entry. 
Status code: ${packageResponse.status}.`,\n );\n }\n const packageMetadata = await packageResponse.json();\n\n if (!isObject(packageMetadata)) {\n throw new Error(\n `Failed to fetch package \"${packageName}\" metadata from npm.`,\n );\n }\n\n return packageMetadata as PartialNpmMetadata;\n}\n\n/**\n * Determine if a registry URL is NPM.\n *\n * @param registryUrl - A registry url.\n * @returns True if the registry is the NPM registry, otherwise false.\n */\nfunction isNPM(registryUrl: URL) {\n return registryUrl.toString() === DEFAULT_NPM_REGISTRY.toString();\n}\n\n/**\n * Resolves a version range to a version using the NPM registry.\n *\n * Unless the version range is already a version, then the NPM registry is skipped.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param versionRange - The version range of the package.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns An object containing the resolved version and a URL for its tarball.\n * @throws If fetching the metadata fails.\n */\nasync function resolveNpmVersion(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<{ tarballURL: string; targetVersion: SemVerVersion }> {\n // If the version range is already a static version we don't need to look for the metadata.\n if (isNPM(registryUrl) && isValidSemVerVersion(versionRange)) {\n return {\n tarballURL: getNpmTarballUrl(packageName, versionRange),\n targetVersion: versionRange,\n };\n }\n\n const packageMetadata = await fetchNpmMetadata(\n packageName,\n registryUrl,\n fetchFunction,\n );\n\n const versions = Object.keys(packageMetadata?.versions ?? 
{}).map(\n (version) => {\n assertIsSemVerVersion(version);\n return version;\n },\n );\n\n const targetVersion = getTargetVersion(versions, versionRange);\n\n if (targetVersion === null) {\n throw new Error(\n `Failed to find a matching version in npm metadata for package \"${packageName}\" and requested semver range \"${versionRange}\".`,\n );\n }\n\n const tarballURL = packageMetadata?.versions?.[targetVersion]?.dist?.tarball;\n\n return { tarballURL, targetVersion };\n}\n\n/**\n * Fetches the tarball (`.tgz` file) of the specified package and version from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose tarball to fetch.\n * @param versionRange - The SemVer range of the package to fetch. The highest\n * version satisfying the range will be fetched.\n * @param registryUrl - The URL of the npm registry to fetch the tarball from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns A tuple of the {@link Response} for the package tarball and the\n * actual version of the package.\n * @throws If fetching the tarball fails.\n */\nasync function fetchNpmTarball(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<[ReadableStream, SemVerVersion]> {\n const { tarballURL, targetVersion } = await resolveNpmVersion(\n packageName,\n versionRange,\n registryUrl,\n fetchFunction,\n );\n\n if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {\n throw new Error(\n `Failed to find valid tarball URL in NPM metadata for package \"${packageName}\".`,\n );\n }\n\n // Override the tarball hostname/protocol with registryUrl hostname/protocol\n const newRegistryUrl = new URL(registryUrl);\n const newTarballUrl = new URL(tarballURL);\n newTarballUrl.hostname = newRegistryUrl.hostname;\n newTarballUrl.protocol = newRegistryUrl.protocol;\n\n // Perform a raw fetch because we want 
the Response object itself.\n const tarballResponse = await fetchFunction(newTarballUrl.toString());\n if (!tarballResponse.ok || !tarballResponse.body) {\n throw new Error(`Failed to fetch tarball for package \"${packageName}\".`);\n }\n // We assume that NPM is a good actor and provides us with a valid `content-length` header.\n const tarballSizeString = tarballResponse.headers.get('content-length');\n assert(tarballSizeString, 'Snap tarball has invalid content-length');\n const tarballSize = parseInt(tarballSizeString, 10);\n assert(\n tarballSize <= TARBALL_SIZE_SAFETY_LIMIT,\n 'Snap tarball exceeds size limit',\n );\n return [tarballResponse.body, targetVersion];\n}\n\n/**\n * The paths of files within npm tarballs appear to always be prefixed with\n * \"package/\".\n */\nconst NPM_TARBALL_PATH_PREFIX = /^package\\//u;\n\n/**\n * Converts a {@link ReadableStream} to a Node.js {@link Readable}\n * stream. Returns the stream directly if it is already a Node.js stream.\n * We can't use the native Web {@link ReadableStream} directly because the\n * other stream libraries we use expect Node.js streams.\n *\n * @param stream - The stream to convert.\n * @returns The given stream as a Node.js Readable stream.\n */\nfunction getNodeStream(stream: ReadableStream): Readable {\n if (typeof stream.getReader !== 'function') {\n return stream as unknown as Readable;\n }\n\n return new ReadableWebToNodeStream(stream);\n}\n\n/**\n * Creates a `tar-stream` that will get the necessary files from an npm Snap\n * package tarball (`.tgz` file).\n *\n * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. 
Will be used for canonicalPath vfile argument.\n * @param files - An object to write target file contents to.\n * @returns The {@link Writable} tarball extraction stream.\n */\nfunction createTarballStream(\n canonicalBase: string,\n files: Map<string, VirtualFile>,\n): Writable {\n assert(\n canonicalBase.endsWith('/'),\n \"Base needs to end with '/' for relative paths to be added as children instead of siblings.\",\n );\n\n assert(\n canonicalBase.startsWith('npm:'),\n 'Protocol mismatch, expected \"npm:\".',\n );\n // `tar-stream` is pretty old-school, so we create it first and then\n // instrument it by adding event listeners.\n const extractStream = tarExtract();\n\n let totalSize = 0;\n\n // \"entry\" is fired for every discreet entity in the tarball. This includes\n // files and folders.\n extractStream.on('entry', (header, entryStream, next) => {\n const { name: headerName, type: headerType } = header;\n if (headerType === 'file') {\n // The name is a path if the header type is \"file\".\n const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');\n return entryStream.pipe(\n concat({ encoding: 'uint8array' }, (data) => {\n try {\n totalSize += data.byteLength;\n // To prevent zip bombs, we set a safety limit for the total size of tarballs.\n assert(\n totalSize < TARBALL_SIZE_SAFETY_LIMIT,\n `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`,\n );\n const vfile = new VirtualFile({\n value: data,\n path,\n data: {\n canonicalPath: new URL(path, canonicalBase).toString(),\n },\n });\n // We disallow files having identical paths as it may confuse our checksum calculations.\n assert(\n !files.has(path),\n 'Malformed tarball, multiple files with the same path.',\n );\n files.set(path, vfile);\n return next();\n } catch (error) {\n return extractStream.destroy(error);\n }\n }),\n );\n }\n\n // If we get here, the entry is not a file, and we want to ignore. The entry\n // stream must be drained, or the extractStream will stop reading. 
This is\n // effectively a no-op for the current entry.\n entryStream.on('end', () => next());\n return entryStream.resume();\n });\n return extractStream;\n}\n"],"names":["createSnapManifest","DEFAULT_REQUESTED_SNAP_VERSION","getTargetVersion","isValidUrl","NpmSnapIdStruct","VirtualFile","normalizeRelative","parseJson","assert","assertIsSemVerVersion","assertStruct","isObject","isValidSemVerVersion","createGunzip","concat","getNpmTarballUrl","pipeline","ReadableWebToNodeStream","extract","tarExtract","DEFAULT_NPM_REGISTRY","URL","NpmLocation","manifest","validatedManifest","clone","vfile","fetch","result","toString","path","relativePath","files","lazyInit","undefined","get","TypeError","packageName","meta","version","registry","versionRange","requestedRange","constructor","url","opts","allowCustomRegistries","fetchFunction","globalThis","bind","defaultResolve","range","resolveVersion","host","port","username","password","pathname","search","hash","startsWith","slice","resolvedVersion","tarballResponse","actualVersion","fetchNpmTarball","canonicalBase","Promise","resolve","reject","Map","tarballStream","createTarballStream","decompressionStream","DecompressionStream","decompressedStream","pipeThrough","getNodeStream","error","TARBALL_SIZE_SAFETY_LIMIT","fetchNpmMetadata","registryUrl","packageResponse","headers","accept","isNPM","ok","Error","status","packageMetadata","json","resolveNpmVersion","tarballURL","targetVersion","versions","Object","keys","map","dist","tarball","endsWith","newRegistryUrl","newTarballUrl","hostname","protocol","body","tarballSizeString","tarballSize","parseInt","NPM_TARBALL_PATH_PREFIX","stream","getReader","extractStream","totalSize","on","header","entryStream","next","name","headerName","type","headerType","replace","pipe","encoding","data","byteLength","value","canonicalPath","has","set","destroy","resume"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,SACEA,kBAAkB,EAClBC,8BAA8B,EAC9BC,gBAAgB,EAChBC,UAAU,EACVC,eAAe,EACfC,WAAW,EACXC,iBAAi
B,EACjBC,SAAS,QACJ,wBAAwB;AAE/B,SACEC,MAAM,EACNC,qBAAqB,EACrBC,YAAY,EACZC,QAAQ,EACRC,oBAAoB,QACf,kBAAkB;AACzB,SAASC,YAAY,QAAQ,kBAAkB;AAC/C,OAAOC,YAAY,gBAAgB;AACnC,OAAOC,sBAAsB,sBAAsB;AACnD,SAASC,QAAQ,QAAQ,kBAAkB;AAE3C,SAASC,uBAAuB,QAAQ,8BAA8B;AACtE,SAASC,WAAWC,UAAU,QAAQ,aAAa;AAInD,OAAO,MAAMC,uBAAuB,IAAIC,IAAI,8BAA8B;IAyIlE;AAlHR,OAAO,MAAMC;IAmEX,MAAMC,WAA+C;QACnD,IAAI,IAAI,CAACC,iBAAiB,EAAE;YAC1B,OAAO,IAAI,CAACA,iBAAiB,CAACC,KAAK;QACrC;QAEA,MAAMC,QAAQ,MAAM,IAAI,CAACC,KAAK,CAAC;QAC/B,MAAMC,SAASrB,UAAUmB,MAAMG,QAAQ;QACvCH,MAAME,MAAM,GAAG5B,mBAAmB4B;QAClC,IAAI,CAACJ,iBAAiB,GAAGE;QAEzB,OAAO,IAAI,CAACH,QAAQ;IACtB;IAEA,MAAMI,MAAMG,IAAY,EAAwB;QAC9C,MAAMC,eAAezB,kBAAkBwB;QACvC,IAAI,CAAC,IAAI,CAACE,KAAK,EAAE;YACf,MAAM,0BAAA,IAAI,EAAEC,WAAAA,eAAN,IAAI;YACVzB,OAAO,IAAI,CAACwB,KAAK,KAAKE;QACxB;QACA,MAAMR,QAAQ,IAAI,CAACM,KAAK,CAACG,GAAG,CAACJ;QAC7BvB,OACEkB,UAAUQ,WACV,IAAIE,UAAU,CAAC,MAAM,EAAEN,KAAK,uBAAuB,CAAC;QAEtD,OAAOJ,MAAMD,KAAK;IACpB;IAEA,IAAIY,cAAsB;QACxB,OAAO,IAAI,CAACC,IAAI,CAACD,WAAW;IAC9B;IAEA,IAAIE,UAAkB;QACpB/B,OACE,IAAI,CAAC8B,IAAI,CAACC,OAAO,KAAKL,WACtB;QAEF,OAAO,IAAI,CAACI,IAAI,CAACC,OAAO;IAC1B;IAEA,IAAIC,WAAgB;QAClB,OAAO,IAAI,CAACF,IAAI,CAACE,QAAQ;IAC3B;IAEA,IAAIC,eAA4B;QAC9B,OAAO,IAAI,CAACH,IAAI,CAACI,cAAc;IACjC;IAzGAC,YAAYC,GAAQ,EAAEC,OAAkC,CAAC,CAAC,CAAE;QA2G5D,iCAAM;QAjHN,uBAAiBP,QAAjB,KAAA;QAEA,uBAAQd,qBAAR,KAAA;QAEA,uBAAQQ,SAAR,KAAA;QAGE,MAAMc,wBAAwBD,KAAKC,qBAAqB,IAAI;QAC5D,MAAMC,gBAAgBF,KAAKlB,KAAK,IAAIqB,WAAWrB,KAAK,CAACsB,IAAI,CAACD;QAC1D,MAAMN,iBAAiBG,KAAKJ,YAAY,IAAIxC;QAC5C,MAAMiD,iBAAiB,OAAOC,QAAuBA;QACrD,MAAMC,iBAAiBP,KAAKO,cAAc,IAAIF;QAE9CxC,aAAakC,IAAIf,QAAQ,IAAIzB,iBAAiB;QAE9C,IAAIoC;QACJ,IACEI,IAAIS,IAAI,KAAK,MACbT,IAAIU,IAAI,KAAK,MACbV,IAAIW,QAAQ,KAAK,MACjBX,IAAIY,QAAQ,KAAK,IACjB;YACAhB,WAAWpB;QACb,OAAO;YACLoB,WAAW;YACX,IAAII,IAAIW,QAAQ,EAAE;gBAChBf,YAAYI,IAAIW,QAAQ;gBACxB,IAAIX,IAAIY,QAAQ,EAAE;oBAChBhB,YAAY,CAAC,CAAC,EAAEI,IAAIY,QAAQ,CAAC,CAAC;gBAChC;gBACAhB,YAAY;YACd;YACAA,YAAYI,IAAIS,IAAI;YACpBb,WAAW,IAAInB,IAAImB;YACnBhC,OACEsC,uBACA,IAAIV
,UACF,CAAC,kDAAkD,EAAEI,SAASX,QAAQ,GAAG,EAAE,CAAC;QAGlF;QAEArB,OACEgC,SAASiB,QAAQ,KAAK,OACpBjB,SAASkB,MAAM,KAAK,MACpBlB,SAASmB,IAAI,KAAK;QAGtBnD,OACEoC,IAAIa,QAAQ,KAAK,MAAMb,IAAIa,QAAQ,KAAK,KACxC,IAAIrB,UAAU;QAEhB,IAAIC,cAAcO,IAAIa,QAAQ;QAC9B,IAAIpB,YAAYuB,UAAU,CAAC,MAAM;YAC/BvB,cAAcA,YAAYwB,KAAK,CAAC;QAClC;QAEA,IAAI,CAACvB,IAAI,GAAG;YACVI;YACAF;YACAH;YACAV,OAAOoB;YACPK;QACF;IACF;AAgHF;AA/DE,eAAA;IACE5C,OAAO,IAAI,CAACwB,KAAK,KAAKE;IACtB,MAAM4B,kBAAkB,MAAM,IAAI,CAACxB,IAAI,CAACc,cAAc,CACpD,IAAI,CAACd,IAAI,CAACI,cAAc;IAE1B,MAAM,CAACqB,iBAAiBC,cAAc,GAAG,MAAMC,gBAC7C,IAAI,CAAC3B,IAAI,CAACD,WAAW,EACrByB,iBACA,IAAI,CAACxB,IAAI,CAACE,QAAQ,EAClB,IAAI,CAACF,IAAI,CAACX,KAAK;IAEjB,IAAI,CAACW,IAAI,CAACC,OAAO,GAAGyB;IAEpB,IAAIE,gBAAgB;IACpB,IAAI,IAAI,CAAC5B,IAAI,CAACE,QAAQ,CAACe,QAAQ,KAAK,IAAI;QACtCW,iBAAiB,IAAI,CAAC5B,IAAI,CAACE,QAAQ,CAACe,QAAQ;QAC5C,IAAI,IAAI,CAACjB,IAAI,CAACE,QAAQ,CAACgB,QAAQ,KAAK,IAAI;YACtCU,iBAAiB,CAAC,CAAC,EAAE,IAAI,CAAC5B,IAAI,CAACE,QAAQ,CAACgB,QAAQ,CAAC,CAAC;QACpD;QACAU,iBAAiB;IACnB;IACAA,iBAAiB,IAAI,CAAC5B,IAAI,CAACE,QAAQ,CAACa,IAAI;IAExC,gFAAgF;IAChF,kHAAkH;IAClH,MAAM,IAAIc,QAAc,CAACC,SAASC;QAChC,IAAI,CAACrC,KAAK,GAAG,IAAIsC;QAEjB,MAAMC,gBAAgBC,oBACpB,CAAC,EAAEN,cAAc,CAAC,EAAE,IAAI,CAAC5B,IAAI,CAACD,WAAW,CAAC,CAAC,CAAC,EAC5C,IAAI,CAACL,KAAK;QAGZ,4EAA4E;QAC5E,iDAAiD;QACjD,4EAA4E;QAE5E,sFAAsF;QACtF,IAAI,yBAAyBgB,YAAY;YACvC,MAAMyB,sBAAsB,IAAIC,oBAAoB;YACpD,MAAMC,qBACJZ,gBAAgBa,WAAW,CAACH;YAE9BzD,SACE6D,cAAcF,qBACdJ,eACA,CAACO;gBACCA,QAAQT,OAAOS,SAASV;YAC1B;YAEF;QACF;QAEApD,SACE6D,cAAcd,kBACdlD,gBACA0D,eACA,CAACO;YACCA,QAAQT,OAAOS,SAASV;QAC1B;IAEJ;AACF;AAGF,6CAA6C;AAC7C,MAAMW,4BAA4B;AAOlC;;;;;;;;;;CAUC,GACD,OAAO,eAAeC,iBACpB3C,WAAmB,EACnB4C,WAAgB,EAChBlC,aAA2B;IAE3B,MAAMmC,kBAAkB,MAAMnC,cAC5B,IAAI1B,IAAIgB,aAAa4C,aAAapD,QAAQ,IAC1C;QACEsD,SAAS;YACP,gGAAgG;YAChGC,QAAQC,MAAMJ,eACV,6EACA;QACN;IACF;IAEF,IAAI,CAACC,gBAAgBI,EAAE,EAAE;QACvB,MAAM,IAAIC,MACR,CAAC,iDAAiD,EAAEL,gBAAgBM,MAAM,CAAC,CAAC,CAAC;IAEjF;IACA,MAAMC,kBAAkB,MAAMP,gBAAgBQ,IAAI;IAElD,IAAI,CAAC/E,SA
AS8E,kBAAkB;QAC9B,MAAM,IAAIF,MACR,CAAC,yBAAyB,EAAElD,YAAY,oBAAoB,CAAC;IAEjE;IAEA,OAAOoD;AACT;AAEA;;;;;CAKC,GACD,SAASJ,MAAMJ,WAAgB;IAC7B,OAAOA,YAAYpD,QAAQ,OAAOT,qBAAqBS,QAAQ;AACjE;AAEA;;;;;;;;;;;;CAYC,GACD,eAAe8D,kBACbtD,WAAmB,EACnBI,YAAyB,EACzBwC,WAAgB,EAChBlC,aAA2B;IAE3B,2FAA2F;IAC3F,IAAIsC,MAAMJ,gBAAgBrE,qBAAqB6B,eAAe;QAC5D,OAAO;YACLmD,YAAY7E,iBAAiBsB,aAAaI;YAC1CoD,eAAepD;QACjB;IACF;IAEA,MAAMgD,kBAAkB,MAAMT,iBAC5B3C,aACA4C,aACAlC;IAGF,MAAM+C,WAAWC,OAAOC,IAAI,CAACP,iBAAiBK,YAAY,CAAC,GAAGG,GAAG,CAC/D,CAAC1D;QACC9B,sBAAsB8B;QACtB,OAAOA;IACT;IAGF,MAAMsD,gBAAgB3F,iBAAiB4F,UAAUrD;IAEjD,IAAIoD,kBAAkB,MAAM;QAC1B,MAAM,IAAIN,MACR,CAAC,+DAA+D,EAAElD,YAAY,8BAA8B,EAAEI,aAAa,EAAE,CAAC;IAElI;IAEA,MAAMmD,aAAaH,iBAAiBK,UAAU,CAACD,cAAc,EAAEK,MAAMC;IAErE,OAAO;QAAEP;QAAYC;IAAc;AACrC;AAEA;;;;;;;;;;;;;CAaC,GACD,eAAe5B,gBACb5B,WAAmB,EACnBI,YAAyB,EACzBwC,WAAgB,EAChBlC,aAA2B;IAE3B,MAAM,EAAE6C,UAAU,EAAEC,aAAa,EAAE,GAAG,MAAMF,kBAC1CtD,aACAI,cACAwC,aACAlC;IAGF,IAAI,CAAC5C,WAAWyF,eAAe,CAACA,WAAW/D,QAAQ,GAAGuE,QAAQ,CAAC,SAAS;QACtE,MAAM,IAAIb,MACR,CAAC,8DAA8D,EAAElD,YAAY,EAAE,CAAC;IAEpF;IAEA,4EAA4E;IAC5E,MAAMgE,iBAAiB,IAAIhF,IAAI4D;IAC/B,MAAMqB,gBAAgB,IAAIjF,IAAIuE;IAC9BU,cAAcC,QAAQ,GAAGF,eAAeE,QAAQ;IAChDD,cAAcE,QAAQ,GAAGH,eAAeG,QAAQ;IAEhD,kEAAkE;IAClE,MAAMzC,kBAAkB,MAAMhB,cAAcuD,cAAczE,QAAQ;IAClE,IAAI,CAACkC,gBAAgBuB,EAAE,IAAI,CAACvB,gBAAgB0C,IAAI,EAAE;QAChD,MAAM,IAAIlB,MAAM,CAAC,qCAAqC,EAAElD,YAAY,EAAE,CAAC;IACzE;IACA,2FAA2F;IAC3F,MAAMqE,oBAAoB3C,gBAAgBoB,OAAO,CAAChD,GAAG,CAAC;IACtD3B,OAAOkG,mBAAmB;IAC1B,MAAMC,cAAcC,SAASF,mBAAmB;IAChDlG,OACEmG,eAAe5B,2BACf;IAEF,OAAO;QAAChB,gBAAgB0C,IAAI;QAAEZ;KAAc;AAC9C;AAEA;;;CAGC,GACD,MAAMgB,0BAA0B;AAEhC;;;;;;;;CAQC,GACD,SAAShC,cAAciC,MAAsB;IAC3C,IAAI,OAAOA,OAAOC,SAAS,KAAK,YAAY;QAC1C,OAAOD;IACT;IAEA,OAAO,IAAI7F,wBAAwB6F;AACrC;AAEA;;;;;;;CAOC,GACD,SAAStC,oBACPN,aAAqB,EACrBlC,KAA+B;IAE/BxB,OACE0D,cAAckC,QAAQ,CAAC,MACvB;IAGF5F,OACE0D,cAAcN,UAAU,CAAC,SACzB;IAEF,oEAAoE;IACpE,2CAA2C;IAC3C,MAAMoD,gBAAgB7F;IAEtB,IAAI8F,YAAY;IAEhB,2EAA2E;IAC3E,qBAAqB;IACrBD,cAAcE,EA
AE,CAAC,SAAS,CAACC,QAAQC,aAAaC;QAC9C,MAAM,EAAEC,MAAMC,UAAU,EAAEC,MAAMC,UAAU,EAAE,GAAGN;QAC/C,IAAIM,eAAe,QAAQ;YACzB,mDAAmD;YACnD,MAAM3F,OAAOyF,WAAWG,OAAO,CAACb,yBAAyB;YACzD,OAAOO,YAAYO,IAAI,CACrB7G,OAAO;gBAAE8G,UAAU;YAAa,GAAG,CAACC;gBAClC,IAAI;oBACFZ,aAAaY,KAAKC,UAAU;oBAC5B,8EAA8E;oBAC9EtH,OACEyG,YAAYlC,2BACZ,CAAC,8BAA8B,EAAEA,0BAA0B,OAAO,CAAC;oBAErE,MAAMrD,QAAQ,IAAIrB,YAAY;wBAC5B0H,OAAOF;wBACP/F;wBACA+F,MAAM;4BACJG,eAAe,IAAI3G,IAAIS,MAAMoC,eAAerC,QAAQ;wBACtD;oBACF;oBACA,wFAAwF;oBACxFrB,OACE,CAACwB,MAAMiG,GAAG,CAACnG,OACX;oBAEFE,MAAMkG,GAAG,CAACpG,MAAMJ;oBAChB,OAAO2F;gBACT,EAAE,OAAOvC,OAAO;oBACd,OAAOkC,cAAcmB,OAAO,CAACrD;gBAC/B;YACF;QAEJ;QAEA,4EAA4E;QAC5E,0EAA0E;QAC1E,6CAA6C;QAC7CsC,YAAYF,EAAE,CAAC,OAAO,IAAMG;QAC5B,OAAOD,YAAYgB,MAAM;IAC3B;IACA,OAAOpB;AACT"}
1
+ {"version":3,"sources":["../../../../src/snaps/location/npm.ts"],"sourcesContent":["import type { SnapManifest } from '@metamask/snaps-utils';\nimport {\n createSnapManifest,\n DEFAULT_REQUESTED_SNAP_VERSION,\n getTargetVersion,\n isValidUrl,\n NpmSnapIdStruct,\n VirtualFile,\n normalizeRelative,\n parseJson,\n} from '@metamask/snaps-utils';\nimport type { SemVerRange, SemVerVersion } from '@metamask/utils';\nimport {\n assert,\n assertIsSemVerVersion,\n assertStruct,\n isObject,\n isValidSemVerVersion,\n} from '@metamask/utils';\nimport { createGunzip } from 'browserify-zlib';\nimport concat from 'concat-stream';\nimport getNpmTarballUrl from 'get-npm-tarball-url';\nimport { pipeline } from 'readable-stream';\nimport type { Readable, Writable } from 'readable-stream';\nimport { ReadableWebToNodeStream } from 'readable-web-to-node-stream';\nimport { extract as tarExtract } from 'tar-stream';\n\nimport type { DetectSnapLocationOptions, SnapLocation } from './location';\n\nexport const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');\n\ninterface NpmMeta {\n registry: URL;\n packageName: string;\n requestedRange: SemVerRange;\n version?: string;\n fetch: typeof fetch;\n resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;\n}\nexport interface NpmOptions {\n /**\n * @default DEFAULT_REQUESTED_SNAP_VERSION\n */\n versionRange?: SemVerRange;\n /**\n * Whether to allow custom NPM registries outside of {@link DEFAULT_NPM_REGISTRY}.\n *\n * @default false\n */\n allowCustomRegistries?: boolean;\n}\n\n// Base class for NPM implementation, useful for extending with custom NPM fetching logic\nexport abstract class BaseNpmLocation implements SnapLocation {\n protected readonly meta: NpmMeta;\n\n #validatedManifest?: VirtualFile<SnapManifest>;\n\n #files?: Map<string, VirtualFile>;\n\n constructor(url: URL, opts: DetectSnapLocationOptions = {}) {\n const allowCustomRegistries = opts.allowCustomRegistries ?? false;\n const fetchFunction = opts.fetch ?? 
globalThis.fetch.bind(globalThis);\n const requestedRange = opts.versionRange ?? DEFAULT_REQUESTED_SNAP_VERSION;\n const defaultResolve = async (range: SemVerRange) => range;\n const resolveVersion = opts.resolveVersion ?? defaultResolve;\n\n assertStruct(url.toString(), NpmSnapIdStruct, 'Invalid Snap Id: ');\n\n let registry: string | URL;\n if (\n url.host === '' &&\n url.port === '' &&\n url.username === '' &&\n url.password === ''\n ) {\n registry = DEFAULT_NPM_REGISTRY;\n } else {\n registry = 'https://';\n if (url.username) {\n registry += url.username;\n if (url.password) {\n registry += `:${url.password}`;\n }\n registry += '@';\n }\n registry += url.host;\n registry = new URL(registry);\n assert(\n allowCustomRegistries,\n new TypeError(\n `Custom NPM registries are disabled, tried to use \"${registry.toString()}\".`,\n ),\n );\n }\n\n assert(\n registry.pathname === '/' &&\n registry.search === '' &&\n registry.hash === '',\n );\n\n assert(\n url.pathname !== '' && url.pathname !== '/',\n new TypeError('The package name in NPM location is empty.'),\n );\n let packageName = url.pathname;\n if (packageName.startsWith('/')) {\n packageName = packageName.slice(1);\n }\n\n this.meta = {\n requestedRange,\n registry,\n packageName,\n fetch: fetchFunction,\n resolveVersion,\n };\n }\n\n async manifest(): Promise<VirtualFile<SnapManifest>> {\n if (this.#validatedManifest) {\n return this.#validatedManifest.clone();\n }\n\n const vfile = await this.fetch('snap.manifest.json');\n const result = parseJson(vfile.toString());\n vfile.result = createSnapManifest(result);\n this.#validatedManifest = vfile as VirtualFile<SnapManifest>;\n\n return this.manifest();\n }\n\n async fetch(path: string): Promise<VirtualFile> {\n const relativePath = normalizeRelative(path);\n if (!this.#files) {\n await this.#lazyInit();\n assert(this.#files !== undefined);\n }\n const vfile = this.#files.get(relativePath);\n assert(\n vfile !== undefined,\n new TypeError(`File \"${path}\" not 
found in package.`),\n );\n return vfile.clone();\n }\n\n get packageName(): string {\n return this.meta.packageName;\n }\n\n get version(): string {\n assert(\n this.meta.version !== undefined,\n 'Tried to access version without first fetching NPM package.',\n );\n return this.meta.version;\n }\n\n get registry(): URL {\n return this.meta.registry;\n }\n\n get versionRange(): SemVerRange {\n return this.meta.requestedRange;\n }\n\n async #lazyInit() {\n assert(this.#files === undefined);\n const resolvedVersion = await this.meta.resolveVersion(\n this.meta.requestedRange,\n );\n\n const { tarballURL, targetVersion } = await resolveNpmVersion(\n this.meta.packageName,\n resolvedVersion,\n this.meta.registry,\n this.meta.fetch,\n );\n\n if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) {\n throw new Error(\n `Failed to find valid tarball URL in NPM metadata for package \"${this.meta.packageName}\".`,\n );\n }\n\n // Override the tarball hostname/protocol with registryUrl hostname/protocol\n const newTarballUrl = new URL(tarballURL);\n newTarballUrl.hostname = this.meta.registry.hostname;\n newTarballUrl.protocol = this.meta.registry.protocol;\n\n const files = await this.fetchNpmTarball(newTarballUrl);\n\n this.#files = files;\n this.meta.version = targetVersion;\n }\n\n /**\n * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.\n *\n * @param tarballUrl - The tarball URL to fetch and unpack.\n * @returns A the files for the package tarball.\n * @throws If fetching the tarball fails.\n */\n abstract fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile>>;\n}\n\n// Safety limit for tarballs, 250 MB in bytes\nexport const TARBALL_SIZE_SAFETY_LIMIT = 262144000;\n\n// Main NPM implementation, contains a browser tarball fetching implementation.\nexport class NpmLocation extends BaseNpmLocation {\n /**\n * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.\n *\n * @param tarballUrl - The tarball URL 
to fetch and unpack.\n * @returns A the files for the package tarball.\n * @throws If fetching the tarball fails.\n */\n async fetchNpmTarball(\n tarballUrl: URL,\n ): Promise<Map<string, VirtualFile<unknown>>> {\n // Perform a raw fetch because we want the Response object itself.\n const tarballResponse = await this.meta.fetch(tarballUrl.toString());\n if (!tarballResponse.ok || !tarballResponse.body) {\n throw new Error(\n `Failed to fetch tarball for package \"${this.meta.packageName}\".`,\n );\n }\n\n // We assume that NPM is a good actor and provides us with a valid `content-length` header.\n const tarballSizeString = tarballResponse.headers.get('content-length');\n assert(tarballSizeString, 'Snap tarball has invalid content-length');\n const tarballSize = parseInt(tarballSizeString, 10);\n assert(\n tarballSize <= TARBALL_SIZE_SAFETY_LIMIT,\n 'Snap tarball exceeds size limit',\n );\n return new Promise((resolve, reject) => {\n const files = new Map();\n\n // The \"gz\" in \"tgz\" stands for \"gzip\". The tarball needs to be decompressed\n // before we can actually grab any files from it.\n // To prevent recursion-based zip bombs, we should not allow recursion here.\n pipeline(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n getNodeStream(tarballResponse.body!),\n createGunzip(),\n createTarballStream(\n getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName),\n files,\n ),\n (error: unknown) => {\n error ? reject(error) : resolve(files);\n },\n );\n });\n }\n}\n\n// Incomplete type\nexport type PartialNpmMetadata = {\n versions: Record<string, { dist: { tarball: string } }>;\n};\n\n/**\n * Fetches the NPM metadata of the specified package from\n * the public npm registry.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. 
Useful for Node.js compatibility.\n * @returns The NPM metadata object.\n * @throws If fetching the metadata fails.\n */\nexport async function fetchNpmMetadata(\n packageName: string,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<PartialNpmMetadata> {\n const packageResponse = await fetchFunction(\n new URL(packageName, registryUrl).toString(),\n {\n headers: {\n // Corgi format is slightly smaller: https://github.com/npm/pacote/blob/main/lib/registry.js#L71\n accept: isNPM(registryUrl)\n ? 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'\n : 'application/json',\n },\n },\n );\n if (!packageResponse.ok) {\n throw new Error(\n `Failed to fetch NPM registry entry. Status code: ${packageResponse.status}.`,\n );\n }\n const packageMetadata = await packageResponse.json();\n\n if (!isObject(packageMetadata)) {\n throw new Error(\n `Failed to fetch package \"${packageName}\" metadata from npm.`,\n );\n }\n\n return packageMetadata as PartialNpmMetadata;\n}\n\n/**\n * Gets the canonical base path for an NPM snap.\n *\n * @param registryUrl - A registry URL.\n * @param packageName - A package name.\n * @returns The canonical base path.\n */\nexport function getNpmCanonicalBasePath(registryUrl: URL, packageName: string) {\n let canonicalBase = 'npm://';\n if (registryUrl.username !== '') {\n canonicalBase += registryUrl.username;\n if (registryUrl.password !== '') {\n canonicalBase += `:${registryUrl.password}`;\n }\n canonicalBase += '@';\n }\n return `${canonicalBase}${registryUrl.host}/${packageName}/`;\n}\n\n/**\n * Determine if a registry URL is NPM.\n *\n * @param registryUrl - A registry url.\n * @returns True if the registry is the NPM registry, otherwise false.\n */\nfunction isNPM(registryUrl: URL) {\n return registryUrl.toString() === DEFAULT_NPM_REGISTRY.toString();\n}\n\n/**\n * Resolves a version range to a version using the NPM registry.\n *\n * Unless the version range is already a version, then the NPM registry is 
skipped.\n *\n * @param packageName - The name of the package whose metadata to fetch.\n * @param versionRange - The version range of the package.\n * @param registryUrl - The URL of the npm registry to fetch the metadata from.\n * @param fetchFunction - The fetch function to use. Defaults to the global\n * {@link fetch}. Useful for Node.js compatibility.\n * @returns An object containing the resolved version and a URL for its tarball.\n * @throws If fetching the metadata fails.\n */\nasync function resolveNpmVersion(\n packageName: string,\n versionRange: SemVerRange,\n registryUrl: URL,\n fetchFunction: typeof fetch,\n): Promise<{ tarballURL: string; targetVersion: SemVerVersion }> {\n // If the version range is already a static version we don't need to look for the metadata.\n if (isNPM(registryUrl) && isValidSemVerVersion(versionRange)) {\n return {\n tarballURL: getNpmTarballUrl(packageName, versionRange),\n targetVersion: versionRange,\n };\n }\n\n const packageMetadata = await fetchNpmMetadata(\n packageName,\n registryUrl,\n fetchFunction,\n );\n\n const versions = Object.keys(packageMetadata?.versions ?? {}).map(\n (version) => {\n assertIsSemVerVersion(version);\n return version;\n },\n );\n\n const targetVersion = getTargetVersion(versions, versionRange);\n\n if (targetVersion === null) {\n throw new Error(\n `Failed to find a matching version in npm metadata for package \"${packageName}\" and requested semver range \"${versionRange}\".`,\n );\n }\n\n const tarballURL = packageMetadata?.versions?.[targetVersion]?.dist?.tarball;\n\n return { tarballURL, targetVersion };\n}\n\n/**\n * The paths of files within npm tarballs appear to always be prefixed with\n * \"package/\".\n */\nconst NPM_TARBALL_PATH_PREFIX = /^package\\//u;\n\n/**\n * Converts a {@link ReadableStream} to a Node.js {@link Readable}\n * stream. 
Returns the stream directly if it is already a Node.js stream.\n * We can't use the native Web {@link ReadableStream} directly because the\n * other stream libraries we use expect Node.js streams.\n *\n * @param stream - The stream to convert.\n * @returns The given stream as a Node.js Readable stream.\n */\nfunction getNodeStream(stream: ReadableStream): Readable {\n if (typeof stream.getReader !== 'function') {\n return stream as unknown as Readable;\n }\n\n return new ReadableWebToNodeStream(stream);\n}\n\n/**\n * Creates a `tar-stream` that will get the necessary files from an npm Snap\n * package tarball (`.tgz` file).\n *\n * @param canonicalBase - A base URI as specified in {@link https://github.com/MetaMask/SIPs/blob/main/SIPS/sip-8.md SIP-8}. Starting with 'npm:'. Will be used for canonicalPath vfile argument.\n * @param files - An object to write target file contents to.\n * @returns The {@link Writable} tarball extraction stream.\n */\nfunction createTarballStream(\n canonicalBase: string,\n files: Map<string, VirtualFile>,\n): Writable {\n assert(\n canonicalBase.endsWith('/'),\n \"Base needs to end with '/' for relative paths to be added as children instead of siblings.\",\n );\n\n assert(\n canonicalBase.startsWith('npm:'),\n 'Protocol mismatch, expected \"npm:\".',\n );\n // `tar-stream` is pretty old-school, so we create it first and then\n // instrument it by adding event listeners.\n const extractStream = tarExtract();\n\n let totalSize = 0;\n\n // \"entry\" is fired for every discreet entity in the tarball. 
This includes\n // files and folders.\n extractStream.on('entry', (header, entryStream, next) => {\n const { name: headerName, type: headerType } = header;\n if (headerType === 'file') {\n // The name is a path if the header type is \"file\".\n const path = headerName.replace(NPM_TARBALL_PATH_PREFIX, '');\n return entryStream.pipe(\n concat({ encoding: 'uint8array' }, (data) => {\n try {\n totalSize += data.byteLength;\n // To prevent zip bombs, we set a safety limit for the total size of tarballs.\n assert(\n totalSize < TARBALL_SIZE_SAFETY_LIMIT,\n `Snap tarball exceeds limit of ${TARBALL_SIZE_SAFETY_LIMIT} bytes.`,\n );\n const vfile = new VirtualFile({\n value: data,\n path,\n data: {\n canonicalPath: new URL(path, canonicalBase).toString(),\n },\n });\n // We disallow files having identical paths as it may confuse our checksum calculations.\n assert(\n !files.has(path),\n 'Malformed tarball, multiple files with the same path.',\n );\n files.set(path, vfile);\n return next();\n } catch (error) {\n return extractStream.destroy(error);\n }\n }),\n );\n }\n\n // If we get here, the entry is not a file, and we want to ignore. The entry\n // stream must be drained, or the extractStream will stop reading. 
This is\n // effectively a no-op for the current entry.\n entryStream.on('end', () => next());\n return entryStream.resume();\n });\n return extractStream;\n}\n"],"names":["createSnapManifest","DEFAULT_REQUESTED_SNAP_VERSION","getTargetVersion","isValidUrl","NpmSnapIdStruct","VirtualFile","normalizeRelative","parseJson","assert","assertIsSemVerVersion","assertStruct","isObject","isValidSemVerVersion","createGunzip","concat","getNpmTarballUrl","pipeline","ReadableWebToNodeStream","extract","tarExtract","DEFAULT_NPM_REGISTRY","URL","BaseNpmLocation","manifest","validatedManifest","clone","vfile","fetch","result","toString","path","relativePath","files","lazyInit","undefined","get","TypeError","packageName","meta","version","registry","versionRange","requestedRange","constructor","url","opts","allowCustomRegistries","fetchFunction","globalThis","bind","defaultResolve","range","resolveVersion","host","port","username","password","pathname","search","hash","startsWith","slice","resolvedVersion","tarballURL","targetVersion","resolveNpmVersion","endsWith","Error","newTarballUrl","hostname","protocol","fetchNpmTarball","TARBALL_SIZE_SAFETY_LIMIT","NpmLocation","tarballUrl","tarballResponse","ok","body","tarballSizeString","headers","tarballSize","parseInt","Promise","resolve","reject","Map","getNodeStream","createTarballStream","getNpmCanonicalBasePath","error","fetchNpmMetadata","registryUrl","packageResponse","accept","isNPM","status","packageMetadata","json","canonicalBase","versions","Object","keys","map","dist","tarball","NPM_TARBALL_PATH_PREFIX","stream","getReader","extractStream","totalSize","on","header","entryStream","next","name","headerName","type","headerType","replace","pipe","encoding","data","byteLength","value","canonicalPath","has","set","destroy","resume"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,SACEA,kBAAkB,EAClBC,8BAA8B,EAC9BC,gBAAgB,EAChBC,UAAU,EACVC,eAAe,EACfC,WAAW,EACXC,iBAAiB,EACjBC,SAAS,QACJ,wBAAwB;AAE/B,SACE
C,MAAM,EACNC,qBAAqB,EACrBC,YAAY,EACZC,QAAQ,EACRC,oBAAoB,QACf,kBAAkB;AACzB,SAASC,YAAY,QAAQ,kBAAkB;AAC/C,OAAOC,YAAY,gBAAgB;AACnC,OAAOC,sBAAsB,sBAAsB;AACnD,SAASC,QAAQ,QAAQ,kBAAkB;AAE3C,SAASC,uBAAuB,QAAQ,8BAA8B;AACtE,SAASC,WAAWC,UAAU,QAAQ,aAAa;AAInD,OAAO,MAAMC,uBAAuB,IAAIC,IAAI,8BAA8B;IA2BxE,kDAEA,sCA6GM;AAnHR,yFAAyF;AACzF,OAAO,MAAeC;IAmEpB,MAAMC,WAA+C;QACnD,6BAAI,IAAI,EAAEC,qBAAmB;YAC3B,OAAO,yBAAA,IAAI,EAAEA,oBAAkBC,KAAK;QACtC;QAEA,MAAMC,QAAQ,MAAM,IAAI,CAACC,KAAK,CAAC;QAC/B,MAAMC,SAASrB,UAAUmB,MAAMG,QAAQ;QACvCH,MAAME,MAAM,GAAG5B,mBAAmB4B;uCAC5BJ,oBAAoBE;QAE1B,OAAO,IAAI,CAACH,QAAQ;IACtB;IAEA,MAAMI,MAAMG,IAAY,EAAwB;QAC9C,MAAMC,eAAezB,kBAAkBwB;QACvC,IAAI,0BAAC,IAAI,EAAEE,SAAO;YAChB,MAAM,0BAAA,IAAI,EAAEC,WAAAA,eAAN,IAAI;YACVzB,OAAO,yBAAA,IAAI,EAAEwB,YAAUE;QACzB;QACA,MAAMR,QAAQ,yBAAA,IAAI,EAAEM,QAAMG,GAAG,CAACJ;QAC9BvB,OACEkB,UAAUQ,WACV,IAAIE,UAAU,CAAC,MAAM,EAAEN,KAAK,uBAAuB,CAAC;QAEtD,OAAOJ,MAAMD,KAAK;IACpB;IAEA,IAAIY,cAAsB;QACxB,OAAO,IAAI,CAACC,IAAI,CAACD,WAAW;IAC9B;IAEA,IAAIE,UAAkB;QACpB/B,OACE,IAAI,CAAC8B,IAAI,CAACC,OAAO,KAAKL,WACtB;QAEF,OAAO,IAAI,CAACI,IAAI,CAACC,OAAO;IAC1B;IAEA,IAAIC,WAAgB;QAClB,OAAO,IAAI,CAACF,IAAI,CAACE,QAAQ;IAC3B;IAEA,IAAIC,eAA4B;QAC9B,OAAO,IAAI,CAACH,IAAI,CAACI,cAAc;IACjC;IAzGAC,YAAYC,GAAQ,EAAEC,OAAkC,CAAC,CAAC,CAAE;QA2G5D,iCAAM;QAjHN,uBAAmBP,QAAnB,KAAA;QAEA,gCAAA;;mBAAA,KAAA;;QAEA,gCAAA;;mBAAA,KAAA;;QAGE,MAAMQ,wBAAwBD,KAAKC,qBAAqB,IAAI;QAC5D,MAAMC,gBAAgBF,KAAKlB,KAAK,IAAIqB,WAAWrB,KAAK,CAACsB,IAAI,CAACD;QAC1D,MAAMN,iBAAiBG,KAAKJ,YAAY,IAAIxC;QAC5C,MAAMiD,iBAAiB,OAAOC,QAAuBA;QACrD,MAAMC,iBAAiBP,KAAKO,cAAc,IAAIF;QAE9CxC,aAAakC,IAAIf,QAAQ,IAAIzB,iBAAiB;QAE9C,IAAIoC;QACJ,IACEI,IAAIS,IAAI,KAAK,MACbT,IAAIU,IAAI,KAAK,MACbV,IAAIW,QAAQ,KAAK,MACjBX,IAAIY,QAAQ,KAAK,IACjB;YACAhB,WAAWpB;QACb,OAAO;YACLoB,WAAW;YACX,IAAII,IAAIW,QAAQ,EAAE;gBAChBf,YAAYI,IAAIW,QAAQ;gBACxB,IAAIX,IAAIY,QAAQ,EAAE;oBAChBhB,YAAY,CAAC,CAAC,EAAEI,IAAIY,QAAQ,CAAC,CAAC;gBAChC;gBACAhB,YAAY;YACd;YACAA,YAAYI,IAAIS,IAAI;YACpBb,WAAW,IAAInB,IAAImB;YACnBhC,OACEsC,uBACA,IAAIV,UACF,CAAC,kDAAkD,EAAEI,
SAASX,QAAQ,GAAG,EAAE,CAAC;QAGlF;QAEArB,OACEgC,SAASiB,QAAQ,KAAK,OACpBjB,SAASkB,MAAM,KAAK,MACpBlB,SAASmB,IAAI,KAAK;QAGtBnD,OACEoC,IAAIa,QAAQ,KAAK,MAAMb,IAAIa,QAAQ,KAAK,KACxC,IAAIrB,UAAU;QAEhB,IAAIC,cAAcO,IAAIa,QAAQ;QAC9B,IAAIpB,YAAYuB,UAAU,CAAC,MAAM;YAC/BvB,cAAcA,YAAYwB,KAAK,CAAC;QAClC;QAEA,IAAI,CAACvB,IAAI,GAAG;YACVI;YACAF;YACAH;YACAV,OAAOoB;YACPK;QACF;IACF;AAuFF;AAtCE,eAAA;IACE5C,OAAO,yBAAA,IAAI,EAAEwB,YAAUE;IACvB,MAAM4B,kBAAkB,MAAM,IAAI,CAACxB,IAAI,CAACc,cAAc,CACpD,IAAI,CAACd,IAAI,CAACI,cAAc;IAG1B,MAAM,EAAEqB,UAAU,EAAEC,aAAa,EAAE,GAAG,MAAMC,kBAC1C,IAAI,CAAC3B,IAAI,CAACD,WAAW,EACrByB,iBACA,IAAI,CAACxB,IAAI,CAACE,QAAQ,EAClB,IAAI,CAACF,IAAI,CAACX,KAAK;IAGjB,IAAI,CAACxB,WAAW4D,eAAe,CAACA,WAAWlC,QAAQ,GAAGqC,QAAQ,CAAC,SAAS;QACtE,MAAM,IAAIC,MACR,CAAC,8DAA8D,EAAE,IAAI,CAAC7B,IAAI,CAACD,WAAW,CAAC,EAAE,CAAC;IAE9F;IAEA,4EAA4E;IAC5E,MAAM+B,gBAAgB,IAAI/C,IAAI0C;IAC9BK,cAAcC,QAAQ,GAAG,IAAI,CAAC/B,IAAI,CAACE,QAAQ,CAAC6B,QAAQ;IACpDD,cAAcE,QAAQ,GAAG,IAAI,CAAChC,IAAI,CAACE,QAAQ,CAAC8B,QAAQ;IAEpD,MAAMtC,QAAQ,MAAM,IAAI,CAACuC,eAAe,CAACH;mCAEnCpC,QAAQA;IACd,IAAI,CAACM,IAAI,CAACC,OAAO,GAAGyB;AACtB;AAYF,6CAA6C;AAC7C,OAAO,MAAMQ,4BAA4B,UAAU;AAEnD,+EAA+E;AAC/E,OAAO,MAAMC,oBAAoBnD;IAC/B;;;;;;GAMC,GACD,MAAMiD,gBACJG,UAAe,EAC6B;QAC5C,kEAAkE;QAClE,MAAMC,kBAAkB,MAAM,IAAI,CAACrC,IAAI,CAACX,KAAK,CAAC+C,WAAW7C,QAAQ;QACjE,IAAI,CAAC8C,gBAAgBC,EAAE,IAAI,CAACD,gBAAgBE,IAAI,EAAE;YAChD,MAAM,IAAIV,MACR,CAAC,qCAAqC,EAAE,IAAI,CAAC7B,IAAI,CAACD,WAAW,CAAC,EAAE,CAAC;QAErE;QAEA,2FAA2F;QAC3F,MAAMyC,oBAAoBH,gBAAgBI,OAAO,CAAC5C,GAAG,CAAC;QACtD3B,OAAOsE,mBAAmB;QAC1B,MAAME,cAAcC,SAASH,mBAAmB;QAChDtE,OACEwE,eAAeR,2BACf;QAEF,OAAO,IAAIU,QAAQ,CAACC,SAASC;YAC3B,MAAMpD,QAAQ,IAAIqD;YAElB,4EAA4E;YAC5E,iDAAiD;YACjD,4EAA4E;YAC5ErE,SACE,oEAAoE;YACpEsE,cAAcX,gBAAgBE,IAAI,GAClChE,gBACA0E,oBACEC,wBAAwB,IAAI,CAAClD,IAAI,CAACE,QAAQ,EAAE,IAAI,CAACF,IAAI,CAACD,WAAW,GACjEL,QAEF,CAACyD;gBACCA,QAAQL,OAAOK,SAASN,QAAQnD;YAClC;QAEJ;IACF;AACF;AAOA;;;;;;;;;;CAUC,GACD,OAAO,eAAe0D,iBACpBrD,WAAmB,EACnBsD,WAAgB,EAChB5C,aAA2B;IAE3B,MAAM6C,kBAAkB,
MAAM7C,cAC5B,IAAI1B,IAAIgB,aAAasD,aAAa9D,QAAQ,IAC1C;QACEkD,SAAS;YACP,gGAAgG;YAChGc,QAAQC,MAAMH,eACV,6EACA;QACN;IACF;IAEF,IAAI,CAACC,gBAAgBhB,EAAE,EAAE;QACvB,MAAM,IAAIT,MACR,CAAC,iDAAiD,EAAEyB,gBAAgBG,MAAM,CAAC,CAAC,CAAC;IAEjF;IACA,MAAMC,kBAAkB,MAAMJ,gBAAgBK,IAAI;IAElD,IAAI,CAACtF,SAASqF,kBAAkB;QAC9B,MAAM,IAAI7B,MACR,CAAC,yBAAyB,EAAE9B,YAAY,oBAAoB,CAAC;IAEjE;IAEA,OAAO2D;AACT;AAEA;;;;;;CAMC,GACD,OAAO,SAASR,wBAAwBG,WAAgB,EAAEtD,WAAmB;IAC3E,IAAI6D,gBAAgB;IACpB,IAAIP,YAAYpC,QAAQ,KAAK,IAAI;QAC/B2C,iBAAiBP,YAAYpC,QAAQ;QACrC,IAAIoC,YAAYnC,QAAQ,KAAK,IAAI;YAC/B0C,iBAAiB,CAAC,CAAC,EAAEP,YAAYnC,QAAQ,CAAC,CAAC;QAC7C;QACA0C,iBAAiB;IACnB;IACA,OAAO,CAAC,EAAEA,cAAc,EAAEP,YAAYtC,IAAI,CAAC,CAAC,EAAEhB,YAAY,CAAC,CAAC;AAC9D;AAEA;;;;;CAKC,GACD,SAASyD,MAAMH,WAAgB;IAC7B,OAAOA,YAAY9D,QAAQ,OAAOT,qBAAqBS,QAAQ;AACjE;AAEA;;;;;;;;;;;;CAYC,GACD,eAAeoC,kBACb5B,WAAmB,EACnBI,YAAyB,EACzBkD,WAAgB,EAChB5C,aAA2B;IAE3B,2FAA2F;IAC3F,IAAI+C,MAAMH,gBAAgB/E,qBAAqB6B,eAAe;QAC5D,OAAO;YACLsB,YAAYhD,iBAAiBsB,aAAaI;YAC1CuB,eAAevB;QACjB;IACF;IAEA,MAAMuD,kBAAkB,MAAMN,iBAC5BrD,aACAsD,aACA5C;IAGF,MAAMoD,WAAWC,OAAOC,IAAI,CAACL,iBAAiBG,YAAY,CAAC,GAAGG,GAAG,CAC/D,CAAC/D;QACC9B,sBAAsB8B;QACtB,OAAOA;IACT;IAGF,MAAMyB,gBAAgB9D,iBAAiBiG,UAAU1D;IAEjD,IAAIuB,kBAAkB,MAAM;QAC1B,MAAM,IAAIG,MACR,CAAC,+DAA+D,EAAE9B,YAAY,8BAA8B,EAAEI,aAAa,EAAE,CAAC;IAElI;IAEA,MAAMsB,aAAaiC,iBAAiBG,UAAU,CAACnC,cAAc,EAAEuC,MAAMC;IAErE,OAAO;QAAEzC;QAAYC;IAAc;AACrC;AAEA;;;CAGC,GACD,MAAMyC,0BAA0B;AAEhC;;;;;;;;CAQC,GACD,SAASnB,cAAcoB,MAAsB;IAC3C,IAAI,OAAOA,OAAOC,SAAS,KAAK,YAAY;QAC1C,OAAOD;IACT;IAEA,OAAO,IAAIzF,wBAAwByF;AACrC;AAEA;;;;;;;CAOC,GACD,SAASnB,oBACPW,aAAqB,EACrBlE,KAA+B;IAE/BxB,OACE0F,cAAchC,QAAQ,CAAC,MACvB;IAGF1D,OACE0F,cAActC,UAAU,CAAC,SACzB;IAEF,oEAAoE;IACpE,2CAA2C;IAC3C,MAAMgD,gBAAgBzF;IAEtB,IAAI0F,YAAY;IAEhB,2EAA2E;IAC3E,qBAAqB;IACrBD,cAAcE,EAAE,CAAC,SAAS,CAACC,QAAQC,aAAaC;QAC9C,MAAM,EAAEC,MAAMC,UAAU,EAAEC,MAAMC,UAAU,EAAE,GAAGN;QAC/C,IAAIM,eAAe,QAAQ;YACzB,mDAAmD;YACnD,MAAMvF,OAAOqF,WAAWG,OAAO,CAACb,yBAAyB;YACzD,OAAOO,YAAYO,IAAI,CACrBzG,OAAO;
gBAAE0G,UAAU;YAAa,GAAG,CAACC;gBAClC,IAAI;oBACFZ,aAAaY,KAAKC,UAAU;oBAC5B,8EAA8E;oBAC9ElH,OACEqG,YAAYrC,2BACZ,CAAC,8BAA8B,EAAEA,0BAA0B,OAAO,CAAC;oBAErE,MAAM9C,QAAQ,IAAIrB,YAAY;wBAC5BsH,OAAOF;wBACP3F;wBACA2F,MAAM;4BACJG,eAAe,IAAIvG,IAAIS,MAAMoE,eAAerE,QAAQ;wBACtD;oBACF;oBACA,wFAAwF;oBACxFrB,OACE,CAACwB,MAAM6F,GAAG,CAAC/F,OACX;oBAEFE,MAAM8F,GAAG,CAAChG,MAAMJ;oBAChB,OAAOuF;gBACT,EAAE,OAAOxB,OAAO;oBACd,OAAOmB,cAAcmB,OAAO,CAACtC;gBAC/B;YACF;QAEJ;QAEA,4EAA4E;QAC5E,0EAA0E;QAC1E,6CAA6C;QAC7CuB,YAAYF,EAAE,CAAC,OAAO,IAAMG;QAC5B,OAAOD,YAAYgB,MAAM;IAC3B;IACA,OAAOpB;AACT"}
@@ -3,6 +3,14 @@ import { VirtualFile } from '@metamask/snaps-utils';
3
3
  import type { SemVerRange } from '@metamask/utils';
4
4
  import type { DetectSnapLocationOptions, SnapLocation } from './location';
5
5
  export declare const DEFAULT_NPM_REGISTRY: URL;
6
+ interface NpmMeta {
7
+ registry: URL;
8
+ packageName: string;
9
+ requestedRange: SemVerRange;
10
+ version?: string;
11
+ fetch: typeof fetch;
12
+ resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;
13
+ }
6
14
  export interface NpmOptions {
7
15
  /**
8
16
  * @default DEFAULT_REQUESTED_SNAP_VERSION
@@ -15,11 +23,9 @@ export interface NpmOptions {
15
23
  */
16
24
  allowCustomRegistries?: boolean;
17
25
  }
18
- export declare class NpmLocation implements SnapLocation {
26
+ export declare abstract class BaseNpmLocation implements SnapLocation {
19
27
  #private;
20
- private readonly meta;
21
- private validatedManifest?;
22
- private files?;
28
+ protected readonly meta: NpmMeta;
23
29
  constructor(url: URL, opts?: DetectSnapLocationOptions);
24
30
  manifest(): Promise<VirtualFile<SnapManifest>>;
25
31
  fetch(path: string): Promise<VirtualFile>;
@@ -27,6 +33,25 @@ export declare class NpmLocation implements SnapLocation {
27
33
  get version(): string;
28
34
  get registry(): URL;
29
35
  get versionRange(): SemVerRange;
36
+ /**
37
+ * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
38
+ *
39
+ * @param tarballUrl - The tarball URL to fetch and unpack.
40
+ * @returns A the files for the package tarball.
41
+ * @throws If fetching the tarball fails.
42
+ */
43
+ abstract fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile>>;
44
+ }
45
+ export declare const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
46
+ export declare class NpmLocation extends BaseNpmLocation {
47
+ /**
48
+ * Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
49
+ *
50
+ * @param tarballUrl - The tarball URL to fetch and unpack.
51
+ * @returns A the files for the package tarball.
52
+ * @throws If fetching the tarball fails.
53
+ */
54
+ fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile<unknown>>>;
30
55
  }
31
56
  export declare type PartialNpmMetadata = {
32
57
  versions: Record<string, {
@@ -47,3 +72,12 @@ export declare type PartialNpmMetadata = {
47
72
  * @throws If fetching the metadata fails.
48
73
  */
49
74
  export declare function fetchNpmMetadata(packageName: string, registryUrl: URL, fetchFunction: typeof fetch): Promise<PartialNpmMetadata>;
75
+ /**
76
+ * Gets the canonical base path for an NPM snap.
77
+ *
78
+ * @param registryUrl - A registry URL.
79
+ * @param packageName - A package name.
80
+ * @returns The canonical base path.
81
+ */
82
+ export declare function getNpmCanonicalBasePath(registryUrl: URL, packageName: string): string;
83
+ export {};
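Review bot: The doc comment on the abstract `fetchNpmTarball` in `BaseNpmLocation` does not say what an implementation must enforce, and the existing checks are not reachable from a subclass. In the source embedded in the accompanying source map, the `TARBALL_SIZE_SAFETY_LIMIT` cap and the rejection of duplicate file paths sit in `createTarballStream`, which is not exported and does not appear in this declaration file. A custom location class would therefore presumably have to reimplement both, and nothing in the declared contract tells its author so. I would add to the abstract method's comment in the TypeScript source (this `.d.ts` is generated from it): `@remarks Implementations must reject tarballs exceeding TARBALL_SIZE_SAFETY_LIMIT and tarballs that contain duplicate file paths.` The `@returns` line of the same comment reads "A the files", both here and on `NpmLocation.fetchNpmTarball`.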
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@metamask/snaps-controllers",
3
- "version": "3.5.1",
3
+ "version": "3.6.0",
4
4
  "description": "Controllers for MetaMask Snaps.",
5
5
  "repository": {
6
6
  "type": "git",
@@ -42,18 +42,18 @@
42
42
  "lint:dependencies": "depcheck"
43
43
  },
44
44
  "dependencies": {
45
- "@metamask/approval-controller": "^5.0.0",
45
+ "@metamask/approval-controller": "^5.1.1",
46
46
  "@metamask/base-controller": "^4.0.0",
47
- "@metamask/json-rpc-engine": "^7.3.0",
47
+ "@metamask/json-rpc-engine": "^7.3.1",
48
48
  "@metamask/object-multiplex": "^2.0.0",
49
- "@metamask/permission-controller": "^6.0.0",
50
- "@metamask/phishing-controller": "^8.0.0",
49
+ "@metamask/permission-controller": "^7.0.0",
50
+ "@metamask/phishing-controller": "^8.0.1",
51
51
  "@metamask/post-message-stream": "^7.0.0",
52
52
  "@metamask/rpc-errors": "^6.1.0",
53
53
  "@metamask/snaps-registry": "^3.0.0",
54
- "@metamask/snaps-rpc-methods": "^4.0.2",
55
- "@metamask/snaps-sdk": "^1.3.0",
56
- "@metamask/snaps-utils": "^5.1.0",
54
+ "@metamask/snaps-rpc-methods": "^4.1.0",
55
+ "@metamask/snaps-sdk": "^1.3.1",
56
+ "@metamask/snaps-utils": "^5.1.1",
57
57
  "@metamask/utils": "^8.2.1",
58
58
  "@xstate/fsm": "^2.0.0",
59
59
  "browserify-zlib": "^0.2.0",
@@ -125,7 +125,7 @@
125
125
  "webdriverio": "^8.19.0"
126
126
  },
127
127
  "peerDependencies": {
128
- "@metamask/snaps-execution-environments": "^3.4.2"
128
+ "@metamask/snaps-execution-environments": "^3.4.3"
129
129
  },
130
130
  "peerDependenciesMeta": {
131
131
  "@metamask/snaps-execution-environments": {