@pnpm/exe 11.0.0-beta.2 → 11.0.0-beta.4

package/dist/node_modules/@npmcli/redact/lib/utils.js

@@ -0,0 +1,202 @@
+const {
+  URL_MATCHER,
+  TYPE_URL,
+  TYPE_REGEX,
+  TYPE_PATH,
+} = require('./matchers')
+
+/**
+ * creates a string of asterisks,
+ * this forces a minimum asterisk for security purposes
+ */
+const asterisk = (length = 0) => {
+  length = typeof length === 'string' ? length.length : length
+  if (length < 8) {
+    return '*'.repeat(8)
+  }
+  return '*'.repeat(length)
+}
+
+/**
+ * escapes all special regex chars
+ * @see https://stackoverflow.com/a/9310752
+ * @see https://github.com/tc39/proposal-regex-escaping
+ */
+const escapeRegExp = (text) => {
+  return text.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, `\\$&`)
+}
+
+/**
+ * provieds a regex "or" of the url versions of a string
+ */
+const urlEncodeRegexGroup = (value) => {
+  const decoded = decodeURIComponent(value)
+  const encoded = encodeURIComponent(value)
+  const union = [...new Set([encoded, decoded, value])].map(escapeRegExp).join('|')
+  return union
+}
+
+/**
+ * a tagged template literal that returns a regex ensures all variables are excaped
+ */
+const urlEncodeRegexTag = (strings, ...values) => {
+  let pattern = ''
+  for (let i = 0; i < values.length; i++) {
+    pattern += strings[i] + `(${urlEncodeRegexGroup(values[i])})`
+  }
+  pattern += strings[strings.length - 1]
+  return new RegExp(pattern)
+}
+
+/**
+ * creates a matcher for redacting url hostname
+ */
+const redactUrlHostnameMatcher = ({ hostname, replacement } = {}) => ({
+  type: TYPE_URL,
+  predicate: ({ url }) => url.hostname === hostname,
+  pattern: ({ url }) => {
+    return urlEncodeRegexTag`(^${url.protocol}//${url.username}:.+@)?${url.hostname}`
+  },
+  replacement: `$1${replacement || asterisk()}`,
+})
+
+/**
+ * creates a matcher for redacting url search / query parameter values
+ */
+const redactUrlSearchParamsMatcher = ({ param, replacement } = {}) => ({
+  type: TYPE_URL,
+  predicate: ({ url }) => url.searchParams.has(param),
+  pattern: ({ url }) => urlEncodeRegexTag`(${param}=)${url.searchParams.get(param)}`,
+  replacement: `$1${replacement || asterisk()}`,
+})
+
+/** creates a matcher for redacting the url password */
+const redactUrlPasswordMatcher = ({ replacement } = {}) => ({
+  type: TYPE_URL,
+  predicate: ({ url }) => url.password,
+  pattern: ({ url }) => urlEncodeRegexTag`(^${url.protocol}//${url.username}:)${url.password}`,
+  replacement: `$1${replacement || asterisk()}`,
+})
+
+const redactUrlReplacement = (...matchers) => (subValue) => {
+  try {
+    const url = new URL(subValue)
+    return redactMatchers(...matchers)(subValue, { url })
+  } catch (err) {
+    return subValue
+  }
+}
+
+/**
+ * creates a matcher / submatcher for urls, this function allows you to first
+ * collect all urls within a larger string and then pass those urls to a
+ * submatcher
+ *
+ * @example
+ * console.log("this will first match all urls, then pass those urls to the password patcher")
+ * redactMatchers(redactUrlMatcher(redactUrlPasswordMatcher()))
+ *
+ * @example
+ * console.log(
+ *   "this will assume you are passing in a string that is a url, and will redact the password"
+ * )
+ * redactMatchers(redactUrlPasswordMatcher())
+ *
+ */
+const redactUrlMatcher = (...matchers) => {
+  return {
+    ...URL_MATCHER,
+    replacement: redactUrlReplacement(...matchers),
+  }
+}
+
+const matcherFunctions = {
+  [TYPE_REGEX]: (matcher) => (value) => {
+    if (typeof value === 'string') {
+      value = value.replace(matcher.pattern, matcher.replacement)
+    }
+    return value
+  },
+  [TYPE_URL]: (matcher) => (value, ctx) => {
+    if (typeof value === 'string') {
+      try {
+        const url = ctx?.url || new URL(value)
+        const { predicate, pattern } = matcher
+        const predicateValue = predicate({ url })
+        if (predicateValue) {
+          value = value.replace(pattern({ url }), matcher.replacement)
+        }
+      } catch (_e) {
+        return value
+      }
+    }
+    return value
+  },
+  [TYPE_PATH]: (matcher) => (value, ctx) => {
+    const rawPath = ctx?.path
+    const path = rawPath.join('.').toLowerCase()
+    const { predicate, replacement } = matcher
+    const replace = typeof replacement === 'function' ? replacement : () => replacement
+    const shouldRun = predicate({ rawPath, path })
+    if (shouldRun) {
+      value = replace(value, { rawPath, path })
+    }
+    return value
+  },
+}
+
+/** converts a matcher to a function */
+const redactMatcher = (matcher) => {
+  return matcherFunctions[matcher.type](matcher)
+}
+
+/** converts a series of matchers to a function */
+const redactMatchers = (...matchers) => (value, ctx) => {
+  const flatMatchers = matchers.flat()
+  return flatMatchers.reduce((result, matcher) => {
+    const fn = (typeof matcher === 'function') ? matcher : redactMatcher(matcher)
+    return fn(result, ctx)
+  }, value)
+}
+
+/**
+ * replacement handler, keeping $1 (if it exists) and replacing the
+ * rest of the string with asterisks, maintaining string length
+ */
+const redactDynamicReplacement = () => (value, start) => {
+  if (typeof start === 'number') {
+    return asterisk(value)
+  }
+  return start + asterisk(value.substring(start.length).length)
+}
+
+/**
+ * replacement handler, keeping $1 (if it exists) and replacing the
+ * rest of the string with a fixed number of asterisks
+ */
+const redactFixedReplacement = (length) => (_value, start) => {
+  if (typeof start === 'number') {
+    return asterisk(length)
+  }
+  return start + asterisk(length)
+}
+
+const redactUrlPassword = (value, replacement) => {
+  return redactMatchers(redactUrlPasswordMatcher({ replacement }))(value)
+}
+
+module.exports = {
+  asterisk,
+  escapeRegExp,
+  urlEncodeRegexGroup,
+  urlEncodeRegexTag,
+  redactUrlHostnameMatcher,
+  redactUrlSearchParamsMatcher,
+  redactUrlPasswordMatcher,
+  redactUrlMatcher,
+  redactUrlReplacement,
+  redactDynamicReplacement,
+  redactFixedReplacement,
+  redactMatchers,
+  redactUrlPassword,
+}

package/dist/node_modules/{unique-slug → @npmcli/redact}/package.json

@@ -1,8 +1,13 @@
 {
-  "name": "unique-slug",
-  "version": "6.0.0",
-  "description": "Generate a unique character string suitible for use in files and URLs.",
+  "name": "@npmcli/redact",
+  "version": "4.0.0",
+  "description": "Redact sensitive npm information from output",
   "main": "lib/index.js",
+  "exports": {
+    ".": "./lib/index.js",
+    "./server": "./lib/server.js",
+    "./package.json": "./package.json"
+  },
   "scripts": {
     "test": "tap",
     "lint": "npm run eslint",
@@ -16,24 +21,13 @@
   "keywords": [],
   "author": "GitHub Inc.",
   "license": "ISC",
-  "devDependencies": {
-    "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.27.1",
-    "tap": "^16.3.0"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/npm/unique-slug.git"
-  },
-  "dependencies": {
-    "imurmurhash": "^0.1.4"
-  },
   "files": [
     "bin/",
     "lib/"
   ],
-  "engines": {
-    "node": "^20.17.0 || >=22.9.0"
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/npm/redact.git"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
@@ -44,6 +38,15 @@
     "nyc-arg": [
       "--exclude",
       "tap-snapshots/**"
-    ]
+    ],
+    "timeout": 120
+  },
+  "devDependencies": {
+    "@npmcli/eslint-config": "^5.0.0",
+    "@npmcli/template-oss": "4.27.1",
+    "tap": "^16.3.10"
+  },
+  "engines": {
+    "node": "^20.17.0 || >=22.9.0"
   }
 }

package/dist/node_modules/brace-expansion/dist/commonjs/index.js

@@ -144,7 +144,9 @@ function expand_(str, max, isTop) {
             const x = numeric(n[0]);
             const y = numeric(n[1]);
             const width = Math.max(n[0].length, n[1].length);
-            let incr = n.length === 3 && n[2] !== undefined ? Math.abs(numeric(n[2])) : 1;
+            let incr = n.length === 3 && n[2] !== undefined ?
+                Math.max(Math.abs(numeric(n[2])), 1)
+                : 1;
             let test = lte;
             const reverse = y < x;
             if (reverse) {

package/dist/node_modules/brace-expansion/dist/esm/index.js

@@ -140,7 +140,9 @@ function expand_(str, max, isTop) {
             const x = numeric(n[0]);
             const y = numeric(n[1]);
             const width = Math.max(n[0].length, n[1].length);
-            let incr = n.length === 3 && n[2] !== undefined ? Math.abs(numeric(n[2])) : 1;
+            let incr = n.length === 3 && n[2] !== undefined ?
+                Math.max(Math.abs(numeric(n[2])), 1)
+                : 1;
             let test = lte;
             const reverse = y < x;
             if (reverse) {

package/dist/node_modules/brace-expansion/package.json

@@ -1,7 +1,7 @@
 {
   "name": "brace-expansion",
   "description": "Brace expansion as known from sh/bash",
-  "version": "5.0.4",
+  "version": "5.0.5",
   "files": [
     "dist"
   ],

package/dist/node_modules/cacache/lib/content/write.js

@@ -10,7 +10,7 @@ const Pipeline = require('minipass-pipeline')
 const Flush = require('minipass-flush')
 const path = require('path')
 const ssri = require('ssri')
-const uniqueFilename = require('unique-filename')
+const { tmpName } = require('../util/tmp')
 const fsm = require('fs-minipass')
 
 module.exports = write
@@ -152,7 +152,7 @@ async function pipeToTmp (inputStream, cache, tmpTarget, opts) {
 }
 
 async function makeTmp (cache, opts) {
-  const tmpTarget = uniqueFilename(path.join(cache, 'tmp'), opts.tmpPrefix)
+  const tmpTarget = tmpName(cache, opts.tmpPrefix)
   await fs.mkdir(path.dirname(tmpTarget), { recursive: true })
   return {
     target: tmpTarget,

package/dist/node_modules/cacache/lib/entry-index.js

@@ -12,7 +12,7 @@ const {
 const { Minipass } = require('minipass')
 const path = require('path')
 const ssri = require('ssri')
-const uniqueFilename = require('unique-filename')
+const { tmpName } = require('./util/tmp')
 
 const contentPath = require('./content/path')
 const hashToSegments = require('./util/hash-to-segments')
@@ -69,7 +69,7 @@ async function compact (cache, key, matchFn, opts = {}) {
   }).join('\n')
 
   const setup = async () => {
-    const target = uniqueFilename(path.join(cache, 'tmp'), opts.tmpPrefix)
+    const target = tmpName(cache, opts.tmpPrefix)
     await mkdir(path.dirname(target), { recursive: true })
     return {
       target,

package/dist/node_modules/cacache/lib/util/tmp.js

@@ -1,11 +1,17 @@
 'use strict'
 
+const crypto = require('crypto')
 const { withTempDir } = require('@npmcli/fs')
 const fs = require('fs/promises')
 const path = require('path')
 
 module.exports.mkdir = mktmpdir
 
+module.exports.tmpName = function tmpName (cache, tmpPrefix) {
+  const id = crypto.randomUUID()
+  return path.join(cache, 'tmp', tmpPrefix ? `${tmpPrefix}-${id}` : id)
+}
+
 async function mktmpdir (cache, opts = {}) {
   const { tmpPrefix } = opts
   const tmpDir = path.join(cache, 'tmp')

package/dist/node_modules/cacache/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cacache",
-  "version": "20.0.3",
+  "version": "20.0.4",
   "cache-version": {
     "content": "2",
     "index": "5"
@@ -55,12 +55,11 @@
     "minipass-flush": "^1.0.5",
     "minipass-pipeline": "^1.2.4",
     "p-map": "^7.0.2",
-    "ssri": "^13.0.0",
-    "unique-filename": "^5.0.0"
+    "ssri": "^13.0.0"
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^6.0.1",
-    "@npmcli/template-oss": "4.28.0",
+    "@npmcli/template-oss": "4.29.0",
     "tap": "^16.0.0"
   },
   "engines": {
@@ -69,7 +68,7 @@
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
     "windowsCI": false,
-    "version": "4.28.0",
+    "version": "4.29.0",
     "publish": "true"
   },
   "author": "GitHub Inc.",

package/dist/node_modules/make-fetch-happen/lib/remote.js

@@ -3,6 +3,7 @@ const fetch = require('minipass-fetch')
 const { promiseRetry } = require('@gar/promise-retry')
 const ssri = require('ssri')
 const { log } = require('proc-log')
+const { redact: cleanUrl } = require('@npmcli/redact')
 
 const CachingMinipassPipeline = require('./pipeline.js')
 const { getAgent } = require('@npmcli/agent')
@@ -55,6 +56,7 @@ const remoteFetch = (request, options) => {
 
   return promiseRetry(async (retryHandler, attemptNum) => {
     const req = new fetch.Request(request, _opts)
+    const url = cleanUrl(req.url)
     try {
       let res = await fetch(req, _opts)
       if (_opts.integrity && res.status === 200) {
@@ -92,7 +94,7 @@ const remoteFetch = (request, options) => {
         }
 
         /* eslint-disable-next-line max-len */
-        log.http('fetch', `${req.method} ${req.url} attempt ${attemptNum} failed with ${res.status}`)
+        log.http('fetch', `${req.method} ${url} attempt ${attemptNum} failed with ${res.status}`)
         return retryHandler(res)
       }
 
@@ -116,7 +118,7 @@ const remoteFetch = (request, options) => {
         options.onRetry(err)
       }
 
-      log.http('fetch', `${req.method} ${req.url} attempt ${attemptNum} failed with ${err.code}`)
+      log.http('fetch', `${req.method} ${url} attempt ${attemptNum} failed with ${err.code}`)
       return retryHandler(err)
     }
   }, options.retry).catch((err) => {

package/dist/node_modules/make-fetch-happen/package.json

@@ -1,6 +1,6 @@
 {
   "name": "make-fetch-happen",
-  "version": "15.0.4",
+  "version": "15.0.5",
   "description": "Opinionated, caching, retrying fetch client",
   "main": "lib/index.js",
   "files": [
@@ -35,6 +35,7 @@
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
     "@npmcli/agent": "^4.0.0",
+    "@npmcli/redact": "^4.0.0",
     "cacache": "^20.0.1",
     "http-cache-semantics": "^4.1.1",
     "minipass": "^7.0.2",

package/dist/node_modules/minipass-flush/package.json

@@ -1,9 +1,12 @@
 {
   "name": "minipass-flush",
-  "version": "1.0.5",
+  "version": "1.0.7",
+  "publishConfig": {
+    "tag": "v1-legacy"
+  },
   "description": "A Minipass stream that calls a flush function before emitting 'end'",
   "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
-  "license": "ISC",
+  "license": "BlueOak-1.0.0",
   "scripts": {
     "test": "tap",
     "snap": "tap",
@@ -15,7 +18,7 @@
     "check-coverage": true
   },
   "devDependencies": {
-    "tap": "^14.6.9"
+    "tap": "^15.1.6"
   },
   "dependencies": {
     "minipass": "^3.0.0"

package/dist/node_modules/picomatch/lib/constants.js

@@ -3,6 +3,8 @@
 const WIN_SLASH = '\\\\/';
 const WIN_NO_SLASH = `[^${WIN_SLASH}]`;
 
+const DEFAULT_MAX_EXTGLOB_RECURSION = 0;
+
 /**
  * Posix glob regex
  */
@@ -69,6 +71,7 @@ const WINDOWS_CHARS = {
  */
 
 const POSIX_REGEX_SOURCE = {
+  __proto__: null,
   alnum: 'a-zA-Z0-9',
   alpha: 'a-zA-Z',
   ascii: '\\x00-\\x7F',
@@ -86,6 +89,7 @@ const POSIX_REGEX_SOURCE = {
 };
 
 module.exports = {
+  DEFAULT_MAX_EXTGLOB_RECURSION,
   MAX_LENGTH: 1024 * 64,
   POSIX_REGEX_SOURCE,