@npmcli/arborist 8.0.0 → 9.0.0-pre.1

package/lib/arborist/rebuild.js

@@ -154,7 +154,9 @@ module.exports = cls => class Builder extends cls {
 
     // links should run prepare scripts and only link bins after that
     if (type === 'links') {
-      await this.#runScripts('prepare')
+      if (!this.options.ignoreScripts) {
+        await this.#runScripts('prepare')
+      }
     }
     if (this.options.binLinks) {
       await this.#linkAllBins()

package/lib/audit-report.js

@@ -15,7 +15,7 @@ const _init = Symbol('init')
 const _omit = Symbol('omit')
 const { log, time } = require('proc-log')
 
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 
 class AuditReport extends Map {
   static load (tree, opts) {
@@ -274,33 +274,6 @@ class AuditReport extends Map {
     throw new Error('do not call AuditReport.set() directly')
   }
 
-  // convert a quick-audit into a bulk advisory listing
-  static auditToBulk (report) {
-    if (!report.advisories) {
-      // tack on the report json where the response body would go
-      throw Object.assign(new Error('Invalid advisory report'), {
-        body: JSON.stringify(report),
-      })
-    }
-
-    const bulk = {}
-    const { advisories } = report
-    for (const advisory of Object.values(advisories)) {
-      const {
-        id,
-        url,
-        title,
-        severity = 'high',
-        vulnerable_versions = '*',
-        module_name: name,
-      } = advisory
-      bulk[name] = bulk[name] || []
-      bulk[name].push({ id, url, title, severity, vulnerable_versions })
-    }
-
-    return bulk
-  }
-
   async [_getReport] () {
     // if we're not auditing, just return false
     if (this.options.audit === false || this.options.offline === true || this.tree.inventory.size === 1) {
@@ -309,39 +282,24 @@ class AuditReport extends Map {
 
     const timeEnd = time.start('auditReport:getReport')
     try {
-      try {
-        // first try the super fast bulk advisory listing
-        const body = prepareBulkData(this.tree, this[_omit], this.filterSet)
-        log.silly('audit', 'bulk request', body)
-
-        // no sense asking if we don't have anything to audit,
-        // we know it'll be empty
-        if (!Object.keys(body).length) {
-          return null
-        }
+      const body = prepareBulkData(this.tree, this[_omit], this.filterSet)
+      log.silly('audit', 'bulk request', body)
 
-        const res = await fetch('/-/npm/v1/security/advisories/bulk', {
-          ...this.options,
-          registry: this.options.auditRegistry || this.options.registry,
-          method: 'POST',
-          gzip: true,
-          body,
-        })
-
-        return await res.json()
-      } catch (er) {
-        log.silly('audit', 'bulk request failed', String(er.body))
-        // that failed, try the quick audit endpoint
-        const body = prepareData(this.tree, this.options)
-        const res = await fetch('/-/npm/v1/security/audits/quick', {
-          ...this.options,
-          registry: this.options.auditRegistry || this.options.registry,
-          method: 'POST',
-          gzip: true,
-          body,
-        })
-        return AuditReport.auditToBulk(await res.json())
+      // no sense asking if we don't have anything to audit,
+      // we know it'll be empty
+      if (!Object.keys(body).length) {
+        return null
       }
+
+      const res = await npmFetch('/-/npm/v1/security/advisories/bulk', {
+        ...this.options,
+        registry: this.options.auditRegistry || this.options.registry,
+        method: 'POST',
+        gzip: true,
+        body,
+      })
+
+      return await res.json()
     } catch (er) {
       log.verbose('audit error', er)
       log.silly('audit error', String(er.body))
@@ -384,32 +342,4 @@ const prepareBulkData = (tree, omit, filterSet) => {
   return payload
 }
 
-const prepareData = (tree, opts) => {
-  const { npmVersion: npm_version } = opts
-  const node_version = process.version
-  const { platform, arch } = process
-  const { NODE_ENV: node_env } = process.env
-  const data = tree.meta.commit()
-  // the legacy audit endpoint doesn't support any kind of pre-filtering
-  // we just have to get the advisories and skip over them in the report
-  return {
-    name: data.name,
-    version: data.version,
-    requires: {
-      ...(tree.package.devDependencies || {}),
-      ...(tree.package.peerDependencies || {}),
-      ...(tree.package.optionalDependencies || {}),
-      ...(tree.package.dependencies || {}),
-    },
-    dependencies: data.dependencies,
-    metadata: {
-      node_version,
-      npm_version,
-      platform,
-      arch,
-      node_env,
-    },
-  }
-}
-
 module.exports = AuditReport

package/lib/query-selector-all.js

@@ -8,7 +8,7 @@ const { minimatch } = require('minimatch')
 const npa = require('npm-package-arg')
 const pacote = require('pacote')
 const semver = require('semver')
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 
 // handle results for parsed query asts, results are stored in a map that has a
 // key that points to each ast selector node and stores the resulting array of
@@ -461,7 +461,7 @@ class Results {
           packages[node.name].push(node.version)
         }
       })
-      const res = await fetch('/-/npm/v1/security/advisories/bulk', {
+      const res = await npmFetch('/-/npm/v1/security/advisories/bulk', {
         ...this.flatOptions,
         registry: this.flatOptions.auditRegistry || this.flatOptions.registry,
         method: 'POST',

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@npmcli/arborist",
-  "version": "8.0.0",
+  "version": "9.0.0-pre.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/fs": "^4.0.0",
     "@npmcli/installed-package-contents": "^3.0.0",
     "@npmcli/map-workspaces": "^4.0.1",
-    "@npmcli/metavuln-calculator": "^8.0.0",
+    "@npmcli/metavuln-calculator": "^9.0.0",
     "@npmcli/name-from-folder": "^3.0.0",
     "@npmcli/node-gyp": "^4.0.0",
     "@npmcli/package-json": "^6.0.1",
@@ -18,7 +18,6 @@
     "cacache": "^19.0.1",
     "common-ancestor-path": "^1.0.1",
     "hosted-git-info": "^8.0.0",
-    "json-parse-even-better-errors": "^4.0.0",
     "json-stringify-nice": "^1.1.4",
     "lru-cache": "^10.2.2",
     "minimatch": "^9.0.4",
@@ -27,7 +26,7 @@
     "npm-package-arg": "^12.0.0",
     "npm-pick-manifest": "^10.0.0",
     "npm-registry-fetch": "^18.0.1",
-    "pacote": "^19.0.0",
+    "pacote": "^21.0.0",
     "parse-conflict-json": "^4.0.0",
     "proc-log": "^5.0.0",
     "proggy": "^3.0.0",
@@ -37,11 +36,12 @@
     "semver": "^7.3.7",
     "ssri": "^12.0.0",
     "treeverse": "^3.0.0",
-    "walk-up-path": "^3.0.1"
+    "walk-up-path": "^4.0.0"
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.1",
-    "@npmcli/template-oss": "4.23.3",
+    "@npmcli/mock-registry": "^1.0.0",
+    "@npmcli/template-oss": "4.23.5",
     "benchmark": "^2.1.4",
     "minify-registry-metadata": "^4.0.0",
     "nock": "^13.3.3",
@@ -82,18 +82,18 @@
     "test-env": [
       "LC_ALL=sk"
     ],
-    "timeout": "360",
+    "timeout": "720",
     "nyc-arg": [
       "--exclude",
       "tap-snapshots/**"
     ]
   },
   "engines": {
-    "node": "^18.17.0 || >=20.5.0"
+    "node": "^20.17.0 || >=22.9.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.23.3",
+    "version": "4.23.5",
     "content": "../../scripts/template-oss/index.js"
   }
 }