@npmcli/arborist 6.1.4 → 6.1.6
|
@@ -12,6 +12,7 @@ const { readdirScoped } = require('@npmcli/fs')
|
|
|
12
12
|
const { lstat, readlink } = require('fs/promises')
|
|
13
13
|
const { depth } = require('treeverse')
|
|
14
14
|
const log = require('proc-log')
|
|
15
|
+
const { cleanUrl } = require('npm-registry-fetch')
|
|
15
16
|
|
|
16
17
|
const {
|
|
17
18
|
OK,
|
|
@@ -619,14 +620,16 @@ module.exports = cls => class IdealTreeBuilder extends cls {
|
|
|
619
620
|
continue
|
|
620
621
|
}
|
|
621
622
|
|
|
622
|
-
|
|
623
|
+
// name may be different if parent fixes the dep
|
|
624
|
+
// see Vuln fixAvailable setter
|
|
625
|
+
const { isSemVerMajor, version, name: fixName } = fixAvailable
|
|
623
626
|
const breakingMessage = isSemVerMajor
|
|
624
627
|
? 'a SemVer major change'
|
|
625
628
|
: 'outside your stated dependency range'
|
|
626
|
-
log.warn('audit', `Updating ${
|
|
629
|
+
log.warn('audit', `Updating ${fixName} to ${version}, ` +
|
|
627
630
|
`which is ${breakingMessage}.`)
|
|
628
631
|
|
|
629
|
-
await this[_add](node, { add: [`${
|
|
632
|
+
await this[_add](node, { add: [`${fixName}@${version}`] })
|
|
630
633
|
nodesTouched.add(node)
|
|
631
634
|
}
|
|
632
635
|
}
|
|
@@ -1208,7 +1211,8 @@ This is a one-time fix-up, please be patient...
|
|
|
1208
1211
|
if (this[_manifests].has(spec.raw)) {
|
|
1209
1212
|
return this[_manifests].get(spec.raw)
|
|
1210
1213
|
} else {
|
|
1211
|
-
|
|
1214
|
+
const cleanRawSpec = cleanUrl(spec.rawSpec)
|
|
1215
|
+
log.silly('fetch manifest', spec.raw.replace(spec.rawSpec, cleanRawSpec))
|
|
1212
1216
|
const p = pacote.manifest(spec, options)
|
|
1213
1217
|
.then(mani => {
|
|
1214
1218
|
this[_manifests].set(spec.raw, mani)
|
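Review bot: The redaction in the `log.silly('fetch manifest', …)` line depends on `spec.raw.replace(spec.rawSpec, cleanRawSpec)`, and `String.prototype.replace` with a string pattern rewrites only the first match and expands `$&`/`$'`-style sequences found in the replacement text. Passing a function, `spec.raw.replace(spec.rawSpec, () => cleanRawSpec)`, keeps the cleaned text literal. A short comment such as `// redact credentials embedded in the spec before it reaches the log` would record why the spec is not logged directly; the same comment fits the `want:` line changed in package/lib/place-dep.js. Only this one log call is visible in the hunk, so whether rejections from `pacote.manifest` can still carry the unredacted spec cannot be judged from here and is worth checking. The enclosing method starts and ends outside the hunk.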
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
// mixin providing the loadVirtual method
|
|
2
2
|
const localeCompare = require('@isaacs/string-locale-compare')('en')
|
|
3
|
+
const mapWorkspaces = require('@npmcli/map-workspaces')
|
|
3
4
|
|
|
4
5
|
const { resolve } = require('path')
|
|
5
6
|
|
|
@@ -21,7 +22,6 @@ const loadRoot = Symbol('loadRoot')
|
|
|
21
22
|
const loadNode = Symbol('loadVirtualNode')
|
|
22
23
|
const loadLink = Symbol('loadVirtualLink')
|
|
23
24
|
const loadWorkspaces = Symbol.for('loadWorkspaces')
|
|
24
|
-
const loadWorkspacesVirtual = Symbol.for('loadWorkspacesVirtual')
|
|
25
25
|
const flagsSuspect = Symbol.for('flagsSuspect')
|
|
26
26
|
const reCalcDepFlags = Symbol('reCalcDepFlags')
|
|
27
27
|
const checkRootEdges = Symbol('checkRootEdges')
|
|
@@ -157,7 +157,7 @@ module.exports = cls => class VirtualLoader extends cls {
|
|
|
157
157
|
}
|
|
158
158
|
|
|
159
159
|
const lockWS = []
|
|
160
|
-
const workspaces =
|
|
160
|
+
const workspaces = mapWorkspaces.virtual({
|
|
161
161
|
cwd: this.path,
|
|
162
162
|
lockfile: s.data,
|
|
163
163
|
})
|
|
@@ -1,33 +1,19 @@
|
|
|
1
1
|
const mapWorkspaces = require('@npmcli/map-workspaces')
|
|
2
2
|
|
|
3
|
-
const _appendWorkspaces = Symbol('appendWorkspaces')
|
|
4
3
|
// shared ref used by other mixins/Arborist
|
|
5
4
|
const _loadWorkspaces = Symbol.for('loadWorkspaces')
|
|
6
|
-
const _loadWorkspacesVirtual = Symbol.for('loadWorkspacesVirtual')
|
|
7
5
|
|
|
8
6
|
module.exports = cls => class MapWorkspaces extends cls {
|
|
9
|
-
[_appendWorkspaces] (node, workspaces) {
|
|
10
|
-
if (node && workspaces.size) {
|
|
11
|
-
node.workspaces = workspaces
|
|
12
|
-
}
|
|
13
|
-
|
|
14
|
-
return node
|
|
15
|
-
}
|
|
16
|
-
|
|
17
7
|
async [_loadWorkspaces] (node) {
|
|
18
|
-
if (node.workspaces) {
|
|
19
|
-
return node
|
|
20
|
-
}
|
|
21
|
-
|
|
22
8
|
const workspaces = await mapWorkspaces({
|
|
23
9
|
cwd: node.path,
|
|
24
10
|
pkg: node.package,
|
|
25
11
|
})
|
|
26
12
|
|
|
27
|
-
|
|
28
|
-
|
|
13
|
+
if (node && workspaces.size) {
|
|
14
|
+
node.workspaces = workspaces
|
|
15
|
+
}
|
|
29
16
|
|
|
30
|
-
|
|
31
|
-
return mapWorkspaces.virtual(opts)
|
|
17
|
+
return node
|
|
32
18
|
}
|
|
33
19
|
}
|
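Review bot: The `node &&` half of the added `if (node && workspaces.size) {` can never be false at that point, because `cwd: node.path` and `pkg: node.package` have already dereferenced `node` a few lines earlier in the same method. Either drop the dead half, `if (workspaces.size) {`, or move a real guard above the `mapWorkspaces` call if a missing node is an expected input. With the `if (node.workspaces)` early return gone, every call now re-runs `mapWorkspaces`; a one-line comment stating that this is intended would help the next reader.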
package/lib/override-resolves.js
CHANGED
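--- a/package/lib/override-set.js
+++ b/package/lib/override-set.js
@@ -50,9 +50,36 @@ class OverrideSet {
 continue
 }
 
-if
+// if keySpec is * we found our override
+if (rule.keySpec === '*') {
 return rule
 }
+
+let spec = npa(`${edge.name}@${edge.spec}`)
+if (spec.type === 'alias') {
+spec = spec.subSpec
+}
+
+if (spec.type === 'git') {
+if (spec.gitRange && semver.intersects(spec.gitRange, rule.keySpec)) {
+return rule
+}
+
+continue
+}
+
+if (spec.type === 'range' || spec.type === 'version') {
+if (semver.intersects(spec.fetchSpec, rule.keySpec)) {
+return rule
+}
+
+continue
+}
+
+// if we got this far, the spec type is one of tag, directory or file
+// which means we have no real way to make version comparisons, so we
+// just accept the override
+return rule
 }
 
 return this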
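Review bot: The closing comment before the final `return rule` names tag, directory and file, but every spec type other than alias, git, range or version lands there as well — npm-package-arg's `remote` (tarball URL) specs, for instance — so the rule is accepted for those too without any version comparison. By contrast, a git spec with no `gitRange` reaches `continue` and is never matched by a versioned rule. That asymmetry deserves a comment, since overrides are commonly used to force a patched version and a reader needs to know which dependency forms a versioned rule will and will not reach. Suggested wording: `// tag, directory, file and remote specs carry no comparable version, so the rule applies; git specs without a semver range are skipped above`. The loop and the enclosing method begin outside the hunk.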
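--- a/package/lib/place-dep.js
+++ b/package/lib/place-dep.js
@@ -9,6 +9,7 @@
 
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const log = require('proc-log')
+const { cleanUrl } = require('npm-registry-fetch')
 const deepestNestingTarget = require('./deepest-nesting-target.js')
 const CanPlaceDep = require('./can-place-dep.js')
 const {
@@ -187,7 +188,7 @@ class PlaceDep {
 `${this.dep.name}@${this.dep.version}`,
 this.canPlace.description,
 `for: ${this.edge.from.package._id || this.edge.from.location}`,
-`want: ${this.edge.spec || '*'}`
+`want: ${cleanUrl(this.edge.spec || '*')}`
 )
 
 const placementType = this.canPlace.canPlace === CONFLICT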
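--- a/package/lib/vuln.js
+++ b/package/lib/vuln.js
@@ -65,6 +65,9 @@ class Vuln {
 // - {name, version, isSemVerMajor} fix requires -f, is semver major
 // - {name, version} fix requires -f, not semver major
 // - true: fix does not require -f
+// TODO: duped entries may require different fixes but the current
+// structure does not support this, so the case were a top level fix
+// corrects a duped entry may mean you have to run fix more than once
 for (const v of this.via) {
 // don't blow up on loops
 if (v.fixAvailable === f) {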
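--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@npmcli/arborist",
-"version": "6.1.
+"version": "6.1.6",
 "description": "Manage node_modules trees",
 "dependencies": {
 "@isaacs/string-locale-compare": "^1.1.0",
@@ -14,37 +14,37 @@
 "@npmcli/query": "^3.0.0",
 "@npmcli/run-script": "^6.0.0",
 "bin-links": "^4.0.1",
-"cacache": "^17.0.
+"cacache": "^17.0.3",
 "common-ancestor-path": "^1.0.1",
 "hosted-git-info": "^6.1.1",
 "json-parse-even-better-errors": "^3.0.0",
 "json-stringify-nice": "^1.1.4",
-"minimatch": "^5.1.
+"minimatch": "^5.1.1",
 "nopt": "^7.0.0",
 "npm-install-checks": "^6.0.0",
-"npm-package-arg": "^10.
+"npm-package-arg": "^10.1.0",
 "npm-pick-manifest": "^8.0.1",
-"npm-registry-fetch": "^14.0.
+"npm-registry-fetch": "^14.0.3",
 "npmlog": "^7.0.1",
-"pacote": "^15.0.
+"pacote": "^15.0.7",
 "parse-conflict-json": "^3.0.0",
 "proc-log": "^3.0.0",
 "promise-all-reject-late": "^1.0.0",
 "promise-call-limit": "^1.0.1",
 "read-package-json-fast": "^3.0.1",
 "semver": "^7.3.7",
-"ssri": "^10.0.
+"ssri": "^10.0.1",
 "treeverse": "^3.0.0",
 "walk-up-path": "^1.0.0"
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^4.0.0",
-"@npmcli/template-oss": "4.
+"@npmcli/template-oss": "4.11.0",
 "benchmark": "^2.1.4",
 "chalk": "^4.1.0",
-"minify-registry-metadata": "^
+"minify-registry-metadata": "^3.0.0",
 "nock": "^13.2.0",
-"tap": "^16.
+"tap": "^16.3.2",
 "tcompare": "^5.0.6"
 },
 "scripts": {
@@ -81,7 +81,6 @@
 "tap": {
 "color": true,
 "after": "test/fixtures/cleanup.js",
-"coverage-map": "map.js",
 "test-env": [
 "NODE_OPTIONS=--no-warnings",
 "LC_ALL=sk"
@@ -101,7 +100,7 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-"version": "4.
+"version": "4.11.0",
 "content": "../../scripts/template-oss/index.js"
 }
 }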