@pnpm/releasing.commands 1000.0.0

package/lib/publish/displayError.js

@@ -0,0 +1,23 @@
+export function displayError(error) {
+    if (typeof error !== 'object' || !error)
+        return JSON.stringify(error);
+    let code;
+    let body;
+    if ('code' in error && typeof error.code === 'string') {
+        code = error.code;
+    }
+    else if ('name' in error && typeof error.name === 'string') {
+        code = error.name;
+    }
+    if ('message' in error && typeof error.message === 'string') {
+        body = error.message;
+    }
+    if (code && body)
+        return `${code}: ${body}`;
+    if (code)
+        return code;
+    if (body)
+        return body;
+    return JSON.stringify(error);
+}
+//# sourceMappingURL=displayError.js.map

package/lib/publish/executeTokenHelper.d.ts

@@ -0,0 +1,4 @@
+export interface ExecuteTokenHelperOptions {
+    globalWarn: (message: string) => void;
+}
+export declare function executeTokenHelper([cmd, ...args]: [string, ...string[]], opts: ExecuteTokenHelperOptions): string;

package/lib/publish/executeTokenHelper.js

@@ -0,0 +1,14 @@
+import { sync as execa } from 'execa';
+export function executeTokenHelper([cmd, ...args], opts) {
+    const execResult = execa(cmd, args, {
+        stdio: 'pipe',
+    });
+    const stderr = execResult.stderr?.toString() ?? '';
+    if (stderr.trim()) {
+        for (const line of stderr.trimEnd().split('\n')) {
+            opts.globalWarn(`(tokenHelper stderr) ${line}`);
+        }
+    }
+    return (execResult.stdout?.toString() ?? '').trim();
+}
+//# sourceMappingURL=executeTokenHelper.js.map

package/lib/publish/extractManifestFromPacked.d.ts

@@ -0,0 +1,12 @@
+import { PnpmError } from '@pnpm/error';
+import type { ExportedManifest } from '@pnpm/releasing.exportable-manifest';
+declare const TARBALL_SUFFIXES: readonly [".tar.gz", ".tgz"];
+export type TarballSuffix = typeof TARBALL_SUFFIXES[number];
+export type TarballPath = `${string}${TarballSuffix}`;
+export declare const isTarballPath: (path: string) => path is `${string}.tar.gz` | `${string}.tgz`;
+export declare function extractManifestFromPacked<Output = ExportedManifest>(tarballPath: TarballPath): Promise<Output>;
+export declare class PublishArchiveMissingManifestError extends PnpmError {
+    readonly tarballPath: string;
+    constructor(tarballPath: string);
+}
+export {};

package/lib/publish/extractManifestFromPacked.js

@@ -0,0 +1,71 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { createGunzip } from 'node:zlib';
+import { PnpmError } from '@pnpm/error';
+import tar from 'tar-stream';
+const TARBALL_SUFFIXES = ['.tar.gz', '.tgz'];
+export const isTarballPath = (path) => TARBALL_SUFFIXES.some(suffix => path.endsWith(suffix));
+export async function extractManifestFromPacked(tarballPath) {
+    const extract = tar.extract();
+    const gunzip = createGunzip();
+    const tarballStream = fs.createReadStream(tarballPath);
+    let cleanedUp = false;
+    function cleanup() {
+        if (cleanedUp)
+            return;
+        cleanedUp = true;
+        extract.destroy();
+        gunzip.destroy();
+        tarballStream.destroy();
+    }
+    const promise = new Promise((resolve, reject) => {
+        function handleError(error) {
+            cleanup();
+            reject(error);
+        }
+        tarballStream.once('error', handleError);
+        gunzip.once('error', handleError);
+        let manifestFound = false;
+        extract.on('entry', (header, stream, next) => {
+            const normalizedPath = path.normalize(header.name).replaceAll('\\', '/');
+            if (normalizedPath !== 'package/package.json') {
+                stream.once('end', next);
+                stream.resume();
+                return;
+            }
+            manifestFound = true;
+            const chunks = [];
+            stream.on('data', (chunk) => {
+                chunks.push(chunk);
+            });
+            stream.once('end', () => {
+                try {
+                    const text = Buffer.concat(chunks).toString();
+                    cleanup();
+                    resolve(text);
+                }
+                catch (error) {
+                    handleError(error);
+                }
+            });
+            stream.once('error', handleError);
+        });
+        extract.once('finish', () => {
+            cleanup();
+            if (!manifestFound) {
+                reject(new PublishArchiveMissingManifestError(tarballPath));
+            }
+        });
+        extract.once('error', handleError);
+    });
+    tarballStream.pipe(gunzip).pipe(extract);
+    return JSON.parse(await promise);
+}
+export class PublishArchiveMissingManifestError extends PnpmError {
+    tarballPath;
+    constructor(tarballPath) {
+        super('PUBLISH_ARCHIVE_MISSING_MANIFEST', `The archive ${tarballPath} does not contain package/package.json`);
+        this.tarballPath = tarballPath;
+    }
+}
+//# sourceMappingURL=extractManifestFromPacked.js.map

package/lib/publish/index.d.ts

@@ -0,0 +1,3 @@
+import * as pack from './pack.js';
+import * as publish from './publish.js';
+export { pack, publish };

package/lib/publish/index.js

@@ -0,0 +1,4 @@
+import * as pack from './pack.js';
+import * as publish from './publish.js';
+export { pack, publish };
+//# sourceMappingURL=index.js.map

package/lib/publish/oidc/authToken.d.ts

@@ -0,0 +1,73 @@
+import { PnpmError } from '@pnpm/error';
+import type { PublishPackedPkgOptions } from '../publishPackedPkg.js';
+export interface AuthTokenFetchOptions {
+    body?: '';
+    headers: {
+        Accept: 'application/json';
+        Authorization: `Bearer ${string}`;
+        'Content-Length': '0';
+    };
+    method?: 'POST';
+    retry?: {
+        factor?: number;
+        maxTimeout?: number;
+        minTimeout?: number;
+        randomize?: boolean;
+        retries?: number;
+    };
+    timeout?: number;
+}
+export interface AuthTokenFetchResponse {
+    readonly json: (this: this) => Promise<unknown>;
+    readonly ok: boolean;
+    readonly status: number;
+}
+export interface AuthTokenContext {
+    fetch: (url: string, options: AuthTokenFetchOptions) => Promise<AuthTokenFetchResponse>;
+}
+export type AuthTokenOptions = Pick<PublishPackedPkgOptions, 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchTimeout'>;
+export interface AuthTokenParams {
+    context?: AuthTokenContext;
+    idToken: string;
+    options?: AuthTokenOptions;
+    packageName: string;
+    registry: string;
+}
+/**
+ * Retrieve an `authToken` from the registry.
+ *
+ * @throws instances of subclasses of {@link AuthTokenError} which can be converted into warnings and skipped.
+ *
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ * @see https://api-docs.npmjs.com/#tag/OIDC/operation/exchangeOidcToken for NPM Registry OIDC.
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L112-L142 for npm's implementation.
+ * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L626-L641 for yarn's implementation.
+ */
+export declare function fetchAuthToken({ context: { fetch }, options, idToken, packageName, registry }: AuthTokenParams): Promise<string>;
+export declare abstract class AuthTokenError extends PnpmError {
+}
+export declare class AuthTokenFetchError extends AuthTokenError {
+    readonly errorSource: unknown;
+    readonly packageName: string;
+    readonly registry: string;
+    constructor(error: unknown, packageName: string, registry: string);
+}
+export declare class AuthTokenExchangeError extends AuthTokenError {
+    readonly errorResponse?: {
+        body?: {
+            message?: string;
+        };
+    };
+    readonly httpStatus: number;
+    constructor(errorResponse: AuthTokenExchangeError['errorResponse'], httpStatus: number);
+}
+export declare class AuthTokenJsonInterruptedError extends AuthTokenError {
+    readonly errorSource: unknown;
+    constructor(error: unknown);
+}
+export declare class AuthTokenMalformedJsonError extends AuthTokenError {
+    readonly malformedJsonResponse: unknown;
+    readonly packageName: string;
+    readonly registry: string;
+    constructor(malformedJsonResponse: unknown, packageName: string, registry: string);
+}

package/lib/publish/oidc/authToken.js

@@ -0,0 +1,95 @@
+import { PnpmError } from '@pnpm/error';
+import { displayError } from '../displayError.js';
+import { SHARED_CONTEXT } from '../utils/shared-context.js';
+/**
+ * Retrieve an `authToken` from the registry.
+ *
+ * @throws instances of subclasses of {@link AuthTokenError} which can be converted into warnings and skipped.
+ *
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ * @see https://api-docs.npmjs.com/#tag/OIDC/operation/exchangeOidcToken for NPM Registry OIDC.
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L112-L142 for npm's implementation.
+ * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L626-L641 for yarn's implementation.
+ */
+export async function fetchAuthToken({ context: { fetch, } = SHARED_CONTEXT, options, idToken, packageName, registry, }) {
+    const escapedPackageName = encodeURIComponent(packageName);
+    let response;
+    try {
+        response = await fetch(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry).href, {
+            body: '',
+            headers: {
+                Accept: 'application/json',
+                Authorization: `Bearer ${idToken}`,
+                'Content-Length': '0',
+            },
+            method: 'POST',
+            retry: {
+                factor: options?.fetchRetryFactor,
+                maxTimeout: options?.fetchRetryMaxtimeout,
+                minTimeout: options?.fetchRetryMintimeout,
+                retries: options?.fetchRetries,
+            },
+            timeout: options?.fetchTimeout,
+        });
+    }
+    catch (error) {
+        throw new AuthTokenFetchError(error, packageName, registry);
+    }
+    if (!response.ok) {
+        const error = await response.json().catch(() => undefined);
+        throw new AuthTokenExchangeError(error, response.status);
+    }
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch (error) {
+        throw new AuthTokenJsonInterruptedError(error);
+    }
+    if (!json || typeof json !== 'object' || !('token' in json) || typeof json.token !== 'string') {
+        throw new AuthTokenMalformedJsonError(json, packageName, registry);
+    }
+    return json.token;
+}
+export class AuthTokenError extends PnpmError {
+}
+export class AuthTokenFetchError extends AuthTokenError {
+    errorSource;
+    packageName;
+    registry;
+    constructor(error, packageName, registry) {
+        super('AUTH_TOKEN_FETCH', `Failed to fetch authToken for package ${packageName} from registry ${registry}: ${displayError(error)}`);
+        this.errorSource = error;
+        this.packageName = packageName;
+        this.registry = registry;
+    }
+}
+export class AuthTokenExchangeError extends AuthTokenError {
+    errorResponse;
+    httpStatus;
+    constructor(errorResponse, httpStatus) {
+        const message = errorResponse?.body?.message ?? 'Unknown error';
+        super('AUTH_TOKEN_EXCHANGE', `Failed token exchange request with body message: ${message} (status code ${httpStatus})`);
+        this.errorResponse = errorResponse;
+        this.httpStatus = httpStatus;
+    }
+}
+export class AuthTokenJsonInterruptedError extends AuthTokenError {
+    errorSource;
+    constructor(error) {
+        super('AUTH_TOKEN_JSON_INTERRUPTED', `Fetching of authToken JSON interrupted: ${displayError(error)}`);
+        this.errorSource = error;
+    }
+}
+export class AuthTokenMalformedJsonError extends AuthTokenError {
+    malformedJsonResponse;
+    packageName;
+    registry;
+    constructor(malformedJsonResponse, packageName, registry) {
+        super('AUTH_TOKEN_MALFORMED_JSON', `Failed to fetch authToken for package ${packageName} from registry ${registry} due to malformed JSON response`);
+        this.malformedJsonResponse = malformedJsonResponse;
+        this.packageName = packageName;
+        this.registry = registry;
+    }
+}
+//# sourceMappingURL=authToken.js.map

package/lib/publish/oidc/idToken.d.ts

@@ -0,0 +1,76 @@
+import { PnpmError } from '@pnpm/error';
+import type { PublishPackedPkgOptions } from '../publishPackedPkg.js';
+export interface IdTokenDate {
+    now: (this: this) => number;
+}
+export interface IdTokenCIInfo {
+    GITHUB_ACTIONS?: boolean;
+    GITLAB?: boolean;
+}
+export interface IdTokenEnv extends NodeJS.ProcessEnv {
+    ACTIONS_ID_TOKEN_REQUEST_TOKEN?: string;
+    ACTIONS_ID_TOKEN_REQUEST_URL?: string;
+    NPM_ID_TOKEN?: string;
+}
+export interface IdTokenFetchOptions {
+    body?: null;
+    headers: {
+        Accept: 'application/json';
+        Authorization: `Bearer ${string}`;
+    };
+    method?: 'GET';
+    retry?: {
+        factor?: number;
+        maxTimeout?: number;
+        minTimeout?: number;
+        randomize?: boolean;
+        retries?: number;
+    };
+    timeout?: number;
+}
+export interface IdTokenFetchResponse {
+    readonly json: (this: this) => Promise<unknown>;
+    readonly ok: boolean;
+    readonly status: number;
+}
+export interface IdTokenContext {
+    Date: IdTokenDate;
+    ciInfo: IdTokenCIInfo;
+    fetch: (url: string, options: IdTokenFetchOptions) => Promise<IdTokenFetchResponse>;
+    globalInfo: (message: string) => void;
+    process: {
+        env?: IdTokenEnv;
+    };
+}
+export type IdTokenOptions = Pick<PublishPackedPkgOptions, 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchTimeout'>;
+export interface IdTokenParams {
+    context?: IdTokenContext;
+    options?: IdTokenOptions;
+    registry: string;
+}
+/**
+ * Retrieve an `idToken` from the CI environment.
+ *
+ * @throws instances of subclasses of {@link IdTokenError} which can be converted into warnings and skipped.
+ *
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L37-L110 for npm's implementation
+ * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L594-L624 for yarn's implementation
+ */
+export declare function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, globalInfo, process: { env } }, options, registry }: IdTokenParams): Promise<string | undefined>;
+export declare abstract class IdTokenError extends PnpmError {
+}
+export declare class IdTokenGitHubWorkflowIncorrectPermissionsError extends IdTokenError {
+    constructor();
+}
+export declare class IdTokenGitHubInvalidResponseError extends IdTokenError {
+    constructor();
+}
+export declare class IdTokenGitHubJsonInterruptedError extends IdTokenError {
+    readonly errorSource: unknown;
+    constructor(error: unknown);
+}
+export declare class IdTokenGitHubJsonInvalidValueError extends IdTokenError {
+    readonly jsonResponse: unknown;
+    constructor(jsonResponse: unknown);
+}

package/lib/publish/oidc/idToken.js

@@ -0,0 +1,85 @@
+import { PnpmError } from '@pnpm/error';
+import { displayError } from '../displayError.js';
+import { SHARED_CONTEXT } from '../utils/shared-context.js';
+/**
+ * Retrieve an `idToken` from the CI environment.
+ *
+ * @throws instances of subclasses of {@link IdTokenError} which can be converted into warnings and skipped.
+ *
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L37-L110 for npm's implementation
+ * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L594-L624 for yarn's implementation
+ */
+export async function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, globalInfo, process: { env }, } = SHARED_CONTEXT, options, registry, }) {
+    if (!GITHUB_ACTIONS && !GITLAB)
+        return undefined;
+    if (env?.NPM_ID_TOKEN)
+        return env.NPM_ID_TOKEN;
+    if (!GITHUB_ACTIONS)
+        return undefined;
+    if (!env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN || !env?.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        throw new IdTokenGitHubWorkflowIncorrectPermissionsError();
+    }
+    const parsedRegistry = new URL(registry);
+    const audience = `npm:${parsedRegistry.hostname}`;
+    const url = new URL(env.ACTIONS_ID_TOKEN_REQUEST_URL);
+    url.searchParams.append('audience', audience);
+    const startTime = Date.now();
+    const response = await fetch(url.href, {
+        headers: {
+            Accept: 'application/json',
+            Authorization: `Bearer ${env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
+        },
+        method: 'GET',
+        retry: {
+            factor: options?.fetchRetryFactor,
+            maxTimeout: options?.fetchRetryMaxtimeout,
+            minTimeout: options?.fetchRetryMintimeout,
+            retries: options?.fetchRetries,
+        },
+        timeout: options?.fetchTimeout,
+    });
+    const elapsedTime = Date.now() - startTime;
+    globalInfo(`GET ${url.href} ${response.status} ${elapsedTime}ms`);
+    if (!response.ok) {
+        throw new IdTokenGitHubInvalidResponseError();
+    }
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch (error) {
+        throw new IdTokenGitHubJsonInterruptedError(error);
+    }
+    if (!json || typeof json !== 'object' || !('value' in json) || typeof json.value !== 'string') {
+        throw new IdTokenGitHubJsonInvalidValueError(json);
+    }
+    return json.value;
+}
+export class IdTokenError extends PnpmError {
+}
+export class IdTokenGitHubWorkflowIncorrectPermissionsError extends IdTokenError {
+    constructor() {
+        super('ID_TOKEN_GITHUB_WORKFLOW_INCORRECT_PERMISSIONS', 'Incorrect permissions for idToken within GitHub Workflows');
+    }
+}
+export class IdTokenGitHubInvalidResponseError extends IdTokenError {
+    constructor() {
+        super('ID_TOKEN_GITHUB_INVALID_RESPONSE', 'Failed to fetch idToken from GitHub: received an invalid response');
+    }
+}
+export class IdTokenGitHubJsonInterruptedError extends IdTokenError {
+    errorSource;
+    constructor(error) {
+        super('ID_TOKEN_GITHUB_JSON_INTERRUPTED_ERROR', `Fetching of idToken JSON interrupted: ${displayError(error)}`);
+        this.errorSource = error;
+    }
+}
+export class IdTokenGitHubJsonInvalidValueError extends IdTokenError {
+    jsonResponse;
+    constructor(jsonResponse) {
+        super('ID_TOKEN_GITHUB_JSON_INVALID_VALUE', 'Failed to fetch idToken from GitHub: missing or invalid value');
+        this.jsonResponse = jsonResponse;
+    }
+}
+//# sourceMappingURL=idToken.js.map

package/lib/publish/oidc/provenance.d.ts

@@ -0,0 +1,73 @@
+import { PnpmError } from '@pnpm/error';
+import type { PublishPackedPkgOptions } from '../publishPackedPkg.js';
+export interface ProvenanceCIInfo {
+    GITHUB_ACTIONS?: boolean;
+    GITLAB?: boolean;
+}
+export interface ProvenanceEnv extends NodeJS.ProcessEnv {
+    SIGSTORE_ID_TOKEN?: string;
+}
+export interface ProvenanceFetchOptions {
+    headers: {
+        Accept: 'application/json';
+        Authorization: `Bearer ${string}`;
+    };
+    method: 'GET';
+    retry?: {
+        factor?: number;
+        maxTimeout?: number;
+        minTimeout?: number;
+        randomize?: boolean;
+        retries?: number;
+    };
+    timeout?: number;
+}
+export interface ProvenanceFetchResponse {
+    readonly json: (this: this) => Promise<unknown>;
+    readonly ok: boolean;
+    readonly status: number;
+}
+export interface ProvenanceContext {
+    ciInfo: ProvenanceCIInfo;
+    fetch: (url: URL, options: ProvenanceFetchOptions) => Promise<ProvenanceFetchResponse>;
+    process: {
+        env?: ProvenanceEnv;
+    };
+}
+export type ProvenanceOptions = Pick<PublishPackedPkgOptions, 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchTimeout'>;
+export interface ProvenanceParams {
+    authToken: string;
+    context?: ProvenanceContext;
+    idToken: string;
+    options?: ProvenanceOptions;
+    packageName: string;
+    registry: string;
+}
+/**
+ * Determine `provenance` for a package from the CI context and the visibility of the package.
+ *
+ * @throws instances of subclasses of {@link ProvenanceError} which can be converted into warnings and skipped.
+ *
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L145-L164 for npm's implementation.
+ */
+export declare function determineProvenance({ authToken, idToken, options, packageName, registry, context: { ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, process: { env } } }: ProvenanceParams): Promise<boolean | undefined>;
+export declare abstract class ProvenanceError extends PnpmError {
+}
+export declare class ProvenanceMalformedIdTokenError extends ProvenanceError {
+    readonly idToken: string;
+    constructor(idToken: string);
+}
+export declare class ProvenanceInsufficientInformationError extends ProvenanceError {
+    constructor();
+}
+export declare class ProvenanceFailedToFetchVisibilityError extends ProvenanceError {
+    readonly errorResponse?: {
+        code?: string;
+        message?: string;
+    };
+    readonly packageName: string;
+    readonly registry: string;
+    readonly status: number;
+    constructor(errorResponse: ProvenanceFailedToFetchVisibilityError['errorResponse'], status: number, packageName: string, registry: string);
+    static createErrorFromFetchResponse(response: ProvenanceFetchResponse, packageName: string, registry: string): Promise<ProvenanceFailedToFetchVisibilityError>;
+}

package/lib/publish/oidc/provenance.js

@@ -0,0 +1,90 @@
+import { PnpmError } from '@pnpm/error';
+import { SHARED_CONTEXT } from '../utils/shared-context.js';
+/**
+ * Determine `provenance` for a package from the CI context and the visibility of the package.
+ *
+ * @throws instances of subclasses of {@link ProvenanceError} which can be converted into warnings and skipped.
+ *
+ * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L145-L164 for npm's implementation.
+ */
+export async function determineProvenance({ authToken, idToken, options, packageName, registry, context: { ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, process: { env }, } = SHARED_CONTEXT, }) {
+    const [headerB64, payloadB64] = idToken.split('.');
+    if (!headerB64 || !payloadB64) {
+        throw new ProvenanceMalformedIdTokenError(idToken);
+    }
+    const payloadJson = Buffer.from(payloadB64, 'base64url').toString('utf8');
+    const payload = JSON.parse(payloadJson);
+    if ((!GITHUB_ACTIONS || payload.repository_visibility !== 'public') &&
+        (!GITLAB || payload.project_visibility !== 'public' || !env?.SIGSTORE_ID_TOKEN)) {
+        throw new ProvenanceInsufficientInformationError();
+    }
+    const escapedPackageName = encodeURIComponent(packageName);
+    const visibilityUrl = new URL(`/-/package/${escapedPackageName}/visibility`, registry);
+    const response = await fetch(visibilityUrl, {
+        headers: {
+            Accept: 'application/json',
+            Authorization: `Bearer ${authToken}`,
+        },
+        method: 'GET',
+        retry: {
+            factor: options?.fetchRetryFactor,
+            maxTimeout: options?.fetchRetryMaxtimeout,
+            minTimeout: options?.fetchRetryMintimeout,
+            retries: options?.fetchRetries,
+        },
+        timeout: options?.fetchTimeout,
+    });
+    if (!response.ok) {
+        throw await ProvenanceFailedToFetchVisibilityError.createErrorFromFetchResponse(response, packageName, registry);
+    }
+    const visibility = await response.json();
+    if (visibility?.public)
+        return true;
+    return undefined;
+}
+export class ProvenanceError extends PnpmError {
+}
+export class ProvenanceMalformedIdTokenError extends ProvenanceError {
+    idToken;
+    constructor(idToken) {
+        super('PROVENANCE_MALFORMED_ID_TOKEN', 'The received idToken is not a valid JWT');
+        this.idToken = idToken;
+    }
+}
+export class ProvenanceInsufficientInformationError extends ProvenanceError {
+    constructor() {
+        super('PROVENANCE_INSUFFICIENT_INFORMATION', 'The environment does not provide enough information to determine visibility');
+    }
+}
+export class ProvenanceFailedToFetchVisibilityError extends ProvenanceError {
+    errorResponse;
+    packageName;
+    registry;
+    status;
+    constructor(errorResponse, status, packageName, registry) {
+        let message = 'an unknown error';
+        if (errorResponse?.code && errorResponse?.message) {
+            message = `${errorResponse.code}: ${errorResponse.message}`;
+        }
+        else if (errorResponse?.code) {
+            message = errorResponse.code;
+        }
+        else if (errorResponse?.message) {
+            message = errorResponse.message;
+        }
+        super('PROVENANCE_FAILED_TO_FETCH_VISIBILITY', `Failed to fetch visibility for package ${packageName} from registry ${registry} due to ${message} (status code ${status})`);
+        this.errorResponse = errorResponse;
+        this.status = status;
+        this.packageName = packageName;
+        this.registry = registry;
+    }
+    static async createErrorFromFetchResponse(response, packageName, registry) {
+        let errorResponse;
+        try {
+            errorResponse = await response.json();
+        }
+        catch { }
+        return new ProvenanceFailedToFetchVisibilityError(errorResponse, response.status, packageName, registry);
+    }
+}
+//# sourceMappingURL=provenance.js.map