@pnpm/tools.plugin-commands-self-updater 1000.1.57 → 1000.1.59
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/index.d.ts +1 -0
- package/lib/index.js +4 -1
- package/lib/index.js.map +1 -1
- package/lib/installPnpmToTools.js +6 -0
- package/lib/installPnpmToTools.js.map +1 -1
- package/lib/npmSigningKeys.d.ts +13 -0
- package/lib/npmSigningKeys.js +27 -0
- package/lib/npmSigningKeys.js.map +1 -0
- package/lib/selfUpdate.d.ts +5 -1
- package/lib/selfUpdate.js.map +1 -1
- package/lib/verifyPnpmEngineIdentity.d.ts +52 -0
- package/lib/verifyPnpmEngineIdentity.js +235 -0
- package/lib/verifyPnpmEngineIdentity.js.map +1 -0
- package/package.json +16 -10
package/lib/index.d.ts
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
1
|
import * as selfUpdate from './selfUpdate.js';
|
|
2
2
|
export { installPnpmToTools } from './installPnpmToTools.js';
|
|
3
|
+
export { getNpmSigningKeys, verifyPnpmEngineIdentity, type RegistryKey, type VerifyPnpmEngineIdentityOptions } from './verifyPnpmEngineIdentity.js';
|
|
3
4
|
export { selfUpdate };
|
package/lib/index.js
CHANGED
|
@@ -23,9 +23,12 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
|
|
23
23
|
return result;
|
|
24
24
|
};
|
|
25
25
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
26
|
-
exports.selfUpdate = exports.installPnpmToTools = void 0;
|
|
26
|
+
exports.selfUpdate = exports.verifyPnpmEngineIdentity = exports.getNpmSigningKeys = exports.installPnpmToTools = void 0;
|
|
27
27
|
const selfUpdate = __importStar(require("./selfUpdate.js"));
|
|
28
28
|
exports.selfUpdate = selfUpdate;
|
|
29
29
|
var installPnpmToTools_js_1 = require("./installPnpmToTools.js");
|
|
30
30
|
Object.defineProperty(exports, "installPnpmToTools", { enumerable: true, get: function () { return installPnpmToTools_js_1.installPnpmToTools; } });
|
|
31
|
+
var verifyPnpmEngineIdentity_js_1 = require("./verifyPnpmEngineIdentity.js");
|
|
32
|
+
Object.defineProperty(exports, "getNpmSigningKeys", { enumerable: true, get: function () { return verifyPnpmEngineIdentity_js_1.getNpmSigningKeys; } });
|
|
33
|
+
Object.defineProperty(exports, "verifyPnpmEngineIdentity", { enumerable: true, get: function () { return verifyPnpmEngineIdentity_js_1.verifyPnpmEngineIdentity; } });
|
|
31
34
|
//# sourceMappingURL=index.js.map
|
package/lib/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,4DAA6C;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,4DAA6C;AAIpC,gCAAU;AAHnB,iEAA4D;AAAnD,2HAAA,kBAAkB,OAAA;AAC3B,6EAAmJ;AAA1I,gIAAA,iBAAiB,OAAA;AAAE,uIAAA,wBAAwB,OAAA"}
|
|
@@ -14,6 +14,7 @@ const rimraf_1 = require("@zkochan/rimraf");
|
|
|
14
14
|
const path_temp_1 = require("path-temp");
|
|
15
15
|
const semver_1 = __importDefault(require("semver"));
|
|
16
16
|
const symlink_dir_1 = __importDefault(require("symlink-dir"));
|
|
17
|
+
const verifyPnpmEngineIdentity_js_1 = require("./verifyPnpmEngineIdentity.js");
|
|
17
18
|
async function installPnpmToTools(pnpmVersion, opts) {
|
|
18
19
|
const currentPkgName = (0, cli_meta_1.getCurrentPackageName)();
|
|
19
20
|
// pnpm v11 dropped the darwin-x64 artifact from @pnpm/exe because Node.js
|
|
@@ -91,6 +92,11 @@ async function installPnpmToTools(pnpmVersion, opts) {
|
|
|
91
92
|
if (targetPkgName === '@pnpm/exe') {
|
|
92
93
|
linkExePlatformBinary(stage);
|
|
93
94
|
}
|
|
95
|
+
// Reached only when the wanted version is not yet in the tools directory
|
|
96
|
+
// (an actual download), so the signature check does not run on every
|
|
97
|
+
// invocation. Verify before the staged install is linked into place and
|
|
98
|
+
// spawned — on failure the stage is removed by the catch below.
|
|
99
|
+
await (0, verifyPnpmEngineIdentity_js_1.verifyPnpmEngineIdentity)(stage, targetPkgName, pnpmVersion, opts);
|
|
94
100
|
// We need the operation of installing pnpm to be atomic.
|
|
95
101
|
// However, we cannot use a rename as that breaks the command shim created for pnpm.
|
|
96
102
|
// Hence, we use a symlink.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"installPnpmToTools.js","sourceRoot":"","sources":["../src/installPnpmToTools.ts"],"names":[],"mappings":";;;;;
|
|
1
|
+
{"version":3,"file":"installPnpmToTools.js","sourceRoot":"","sources":["../src/installPnpmToTools.ts"],"names":[],"mappings":";;;;;AAmBA,gDAuGC;AA1HD,4CAAmB;AACnB,gDAAuB;AACvB,6CAAsD;AACtD,qEAAuD;AACvD,yCAAyC;AACzC,iDAAiD;AACjD,4CAAgD;AAChD,yCAAoD;AACpD,oDAA2B;AAC3B,8DAAoC;AAEpC,+EAAwE;AAQjE,KAAK,UAAU,kBAAkB,CAAE,WAAmB,EAAE,IAA8B;IAC3F,MAAM,cAAc,GAAG,IAAA,gCAAqB,GAAE,CAAA;IAC9C,0EAA0E;IAC1E,0EAA0E;IAC1E,qEAAqE;IACrE,sEAAsE;IACtE,0EAA0E;IAC1E,qEAAqE;IACrE,sEAAsE;IACtE,MAAM,aAAa,GAAG,CACpB,cAAc,KAAK,WAAW;QAC9B,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAC7B,OAAO,CAAC,IAAI,KAAK,KAAK;QACtB,gBAAM,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,CAChC;QACC,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,cAAc,CAAA;IAClB,IAAI,aAAa,KAAK,cAAc,EAAE,CAAC;QACrC,IAAA,mBAAU,EACR,yEAAyE,WAAW,yKAAyK,CAC9P,CAAA;IACH,CAAC;IACD,MAAM,GAAG,GAAG,IAAA,2BAAc,EAAC;QACzB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,IAAI,EAAE;YACJ,IAAI,EAAE,aAAa;YACnB,OAAO,EAAE,WAAW;SACrB;KACF,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACpC,MAAM,cAAc,GAAG,YAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;IAC5C,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,cAAc;YACd,OAAO,EAAE,GAAG;YACZ,MAAM;SACP,CAAA;IACH,CAAC;IACD,MAAM,KAAK,GAAG,IAAA,wBAAQ,EAAC,GAAG,CAAC,CAAA;IAC3B,YAAE,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACxC,YAAE,CAAC,aAAa,CAAC,cAAI,CAAC,IAAI,CAAC,KAAK,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,CAAA;IACxD,IAAI,CAAC;QACH,gHAAgH;QAChH,2DAA2D;QAC3D,mGAAmG;QACnG,iHAAiH;QACjH,0EAA0E;QAC1E,IAAA,iCAAU,EAAC;YACT,KAAK;YACL,GAAG,aAAa,IAAI,WAAW,EAAE;YACjC,kBAAkB;YAClB,kBAAkB;YAClB,kCAAkC;YAClC,wDAAwD;YACxD,yCAAyC;YACzC,8BAA8B;YAC9B,kBAAkB;YAClB,oEAAoE;YACpE,kEAAkE;YAClE,oEAAoE;YACpE,sEAAsE;YACtE,uEAAuE;YACvE,qEAAqE;YACrE,yEAAyE;YACzE,oBAAoB;SACrB,EAAE;YACD,GAAG,EAAE,KAAK;YACV,sEAAsE;YACtE,uEAAuE;YACvE,uEAAuE;YACvE,+DAA+D;YAC/D,qDAAqD;YACrD,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,0CAA0C,EAAE,OAAO;gBACnD,sBAAsB,EAAE,QAAQ;aACjC;SACF,CAAC,CAAA;QACF,IAAI,aAAa,KAAK,WAAW,EAAE,CAAC;YAClC,qBAAqB,CAAC,KAAK,CAAC,CAAA;QAC9B,CAAC;QACD,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,gEAAgE;QAChE,MAAM,IAAA,sDAAwB,EAAC,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,CAAC,CAAA;QACvE,yDAAyD;QACzD,oFAAoF;QACpF,2BAA2B;QAC3B,+FAA+F;QAC/F,qBAAU,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAC7B,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,IAAA,aAAM,EAAC,KAAK,CAAC,CAAA;QACf,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC,CAAC,+BAA+B;QAC1C,MAAM,GAAG,CAAA;IACX,CAAC;IACD,OAAO;QACL,cAAc;QACd,OAAO,EAAE,GAAG;QACZ,MAAM;KACP,CAAA;AACH,CAAC;AAED,qFAAqF;AACrF,2DAA2D;AAC3D,qDAAqD;AACrD,kFAAkF;AAClF,6EAA6E;AAC7E,wCAAwC;AACxC,SAAS,qBAAqB,CAAE,QAAgB;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO;QAC3C,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,QAAQ;YAC7B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAA;IACtB,MAAM,IAAI,GAAG,QAAQ,KAAK,KAAK,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAA;IACjF,MAAM,UAAU,GAAG,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAA;IAC3D,MAAM,cAAc,GAAG,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAA;IAC1F,MAAM,GAAG,GAAG,cAAI,CAAC,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,CAAA;IACjD,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAM;IAC/B,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAA;IACrE,MAAM,IAAI,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;IAC7C,IAAI,CAAC;QACH,YAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;IACrB,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IACD,YAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IACtB,YAAE,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAA;IACzB,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;QACvB,MAAM,cAAc,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAE,CAAC,YAAY,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAA;QAClE,YAAE,CAAC,aAAa,CAAC,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,oCAAoC,CAAC,CAAA;QACpF,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,UAAU,CAAA;QAC5B,YAAE,CAAC,aAAa,CAAC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IACnE,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
export declare const NPM_SIGNING_KEYS: readonly [{
|
|
2
|
+
readonly expires: "2025-01-29T00:00:00.000Z";
|
|
3
|
+
readonly keyid: "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA";
|
|
4
|
+
readonly keytype: "ecdsa-sha2-nistp256";
|
|
5
|
+
readonly scheme: "ecdsa-sha2-nistp256";
|
|
6
|
+
readonly key: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==";
|
|
7
|
+
}, {
|
|
8
|
+
readonly expires: null;
|
|
9
|
+
readonly keyid: "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U";
|
|
10
|
+
readonly keytype: "ecdsa-sha2-nistp256";
|
|
11
|
+
readonly scheme: "ecdsa-sha2-nistp256";
|
|
12
|
+
readonly key: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g==";
|
|
13
|
+
}];
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.NPM_SIGNING_KEYS = void 0;
|
|
4
|
+
/* eslint-disable */
|
|
5
|
+
// GENERATED — npm's public registry signing keys, mirrored from
|
|
6
|
+
// https://registry.npmjs.org/-/npm/v1/keys
|
|
7
|
+
//
|
|
8
|
+
// Refresh with: node tools/plugin-commands-self-updater/scripts/update-npm-signing-keys.mjs --update
|
|
9
|
+
// The release workflow runs `--check` and fails if these drift from npm, so a
|
|
10
|
+
// rotated key cannot silently break (or weaken) signature verification.
|
|
11
|
+
exports.NPM_SIGNING_KEYS = [
|
|
12
|
+
{
|
|
13
|
+
"expires": "2025-01-29T00:00:00.000Z",
|
|
14
|
+
"keyid": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
|
|
15
|
+
"keytype": "ecdsa-sha2-nistp256",
|
|
16
|
+
"scheme": "ecdsa-sha2-nistp256",
|
|
17
|
+
"key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"expires": null,
|
|
21
|
+
"keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U",
|
|
22
|
+
"keytype": "ecdsa-sha2-nistp256",
|
|
23
|
+
"scheme": "ecdsa-sha2-nistp256",
|
|
24
|
+
"key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY6Ya7W++7aUPzvMTrezH6Ycx3c+HOKYCcNGybJZSCJq/fd7Qa8uuAKtdIkUQtQiEKERhAmE5lMMJhP8OkDOa2g=="
|
|
25
|
+
}
|
|
26
|
+
];
|
|
27
|
+
//# sourceMappingURL=npmSigningKeys.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"npmSigningKeys.js","sourceRoot":"","sources":["../src/npmSigningKeys.ts"],"names":[],"mappings":";;;AAAA,oBAAoB;AACpB,gEAAgE;AAChE,2CAA2C;AAC3C,EAAE;AACF,qGAAqG;AACrG,8EAA8E;AAC9E,wEAAwE;AAC3D,QAAA,gBAAgB,GAAG;IAC9B;QACE,SAAS,EAAE,0BAA0B;QACrC,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,qBAAqB;QAChC,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,8HAA8H;KACtI;IACD;QACE,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,qBAAqB;QAChC,QAAQ,EAAE,qBAAqB;QAC/B,KAAK,EAAE,8HAA8H;KACtI;CAOD,CAAA"}
|
package/lib/selfUpdate.d.ts
CHANGED
|
@@ -1,7 +1,11 @@
|
|
|
1
1
|
import { type Config } from '@pnpm/config';
|
|
2
|
+
import { type VerifyPnpmEngineIdentityOptions } from './verifyPnpmEngineIdentity.js';
|
|
2
3
|
export declare function rcOptionsTypes(): Record<string, unknown>;
|
|
3
4
|
export declare function cliOptionsTypes(): Record<string, unknown>;
|
|
4
5
|
export declare const commandNames: string[];
|
|
5
6
|
export declare function help(): string;
|
|
6
|
-
export type SelfUpdateCommandOptions = Pick<Config, 'cacheDir' | 'dir' | 'lockfileDir' | 'managePackageManagerVersions' | 'modulesDir' | 'pnpmHomeDir' | 'rawConfig' | 'registries' | 'rootProjectManifestDir' | 'wantedPackageManager'
|
|
7
|
+
export type SelfUpdateCommandOptions = Pick<Config, 'cacheDir' | 'dir' | 'lockfileDir' | 'managePackageManagerVersions' | 'modulesDir' | 'pnpmHomeDir' | 'rawConfig' | 'registries' | 'rootProjectManifestDir' | 'wantedPackageManager'> & {
|
|
8
|
+
/** See {@link VerifyPnpmEngineIdentityOptions.trustedKeys} — a test seam. */
|
|
9
|
+
trustedKeys?: VerifyPnpmEngineIdentityOptions['trustedKeys'];
|
|
10
|
+
};
|
|
7
11
|
export declare function handler(opts: SelfUpdateCommandOptions, params: string[]): Promise<undefined | string>;
|
package/lib/selfUpdate.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"selfUpdate.js","sourceRoot":"","sources":["../src/selfUpdate.ts"],"names":[],"mappings":";;;;;;
|
|
1
|
+
{"version":3,"file":"selfUpdate.js","sourceRoot":"","sources":["../src/selfUpdate.ts"],"names":[],"mappings":";;;;;;AAeA,wCAEC;AAED,0CAIC;AAaD,oBAYC;AAkBD,0BA+EC;AAjJD,gDAAuB;AACvB,+CAAyC;AACzC,6CAAqE;AACrE,yCAA6C;AAC7C,yCAA6D;AAC7D,uCAAuC;AACvC,yCAAyC;AACzC,uEAAiE;AACjE,+CAA0C;AAC1C,0DAAiC;AACjC,8DAAoC;AACpC,oDAA2B;AAC3B,mEAA4D;AAG5D,SAAgB,cAAc;IAC5B,OAAO,IAAA,cAAI,EAAC,EAAE,EAAE,cAAQ,CAAC,CAAA;AAC3B,CAAC;AAED,SAAgB,eAAe;IAC7B,OAAO;QACL,GAAG,cAAc,EAAE;KACpB,CAAA;AACH,CAAC;AAEY,QAAA,YAAY,GAAG,CAAC,aAAa,CAAC,CAAA;AAE3C,0EAA0E;AAC1E,wEAAwE;AACxE,gCAAgC;AAChC,MAAM,mBAAmB,GAA2B;IAClD,EAAE,EACA,oDAAoD;QACpD,gEAAgE;CACnE,CAAA;AAED,SAAgB,IAAI;IAClB,OAAO,IAAA,qBAAU,EAAC;QAChB,WAAW,EAAE,2DAA2D;QACxE,gBAAgB,EAAE,EAAE;QACpB,GAAG,EAAE,IAAA,mBAAO,EAAC,aAAa,CAAC;QAC3B,MAAM,EAAE;YACN,kBAAkB;YAClB,oBAAoB;YACpB,0BAA0B;YAC1B,yBAAyB;SAC1B;KACF,CAAC,CAAA;AACJ,CAAC;AAkBM,KAAK,UAAU,OAAO,CAC3B,IAA8B,EAC9B,MAAgB;IAEhB,IAAI,IAAA,+BAAoB,GAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,iBAAS,CAAC,8BAA8B,EAAE,sCAAsC,CAAC,CAAA;IAC7F,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,GAAG,IAAA,uBAAc,EAAC,EAAE,GAAG,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;IAC3E,MAAM,OAAO,GAAG,MAAM,CAAA;IACtB,yEAAyE;IACzE,0EAA0E;IAC1E,uEAAuE;IACvE,uEAAuE;IACvE,8CAA8C;IAC9C,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAA;IAC5C,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAA;IAC3C,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,EAAE;QAClE,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG;QACzC,iBAAiB,EAAE,EAAE;QACrB,UAAU,EAAE,IAAI,CAAC,GAAG;KACrB,CAAC,CAAA;IACF,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,CAAC;QAC1B,MAAM,IAAI,iBAAS,CAAC,qBAAqB,EAAE,gBAAgB,aAAa,mBAAmB,CAAC,CAAA;IAC9F,CAAC;IAED,oEAAoE;IACpE,mEAAmE;IACnE,kEAAkE;IAClE,qEAAqE;IACrE,oEAAoE;IACpE,6CAA6C;IAC7C,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAA;IACjD,IAAI,eAAmC,CAAA;IACvC,IAAI,IAAI,CAAC,oBAAoB,EAAE,IAAI,KAAK,yBAAc,CAAC,IAAI,IAAI,IAAI,CAAC,4BAA4B,EAAE,CAAC;QACjG,IAAI,IAAI,CAAC,oBAAoB,CAAC,OAAO,KAAK,aAAa,EAAE,CAAC;YACxD,eAAe,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAA;QACrD,CAAC;IACH,CAAC;SAAM,IAAI,yBAAc,CAAC,OAAO,KAAK,aAAa,EAAE,CAAC;QACpD,eAAe,GAAG,yBAAc,CAAC,OAAO,CAAA;IAC1C,CAAC;IACD,MAAM,aAAa,GAAG,eAAe,IAAI,IAAI;QAC3C,CAAC,CAAC,gBAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,KAAK;QACvC,CAAC,CAAC,SAAS,CAAA;IACb,MAAM,WAAW,GAAG,gBAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;IAC/C,IAAI,aAAa,IAAI,IAAI,IAAI,WAAW,GAAG,aAAa,EAAE,CAAC;QACzD,MAAM,IAAI,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAA;QAC7C,IAAI,IAAI;YAAE,IAAA,mBAAU,EAAC,IAAI,CAAC,CAAA;IAC5B,CAAC;IAED,IAAI,IAAI,CAAC,oBAAoB,EAAE,IAAI,KAAK,yBAAc,CAAC,IAAI,IAAI,IAAI,CAAC,4BAA4B,EAAE,CAAC;QACjG,IAAI,IAAI,CAAC,oBAAoB,EAAE,OAAO,KAAK,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;YACvE,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAA;YACvD,IAAI,gBAAgB,IAAI,aAAa,IAAI,IAAI,IAAI,gBAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,CAAC;gBACvG,OAAO,2CAA2C,aAAa,gEAAgE,UAAU,CAAC,QAAQ,CAAC,OAAO,qEAAqE,CAAA;YACjO,CAAC;YACD,MAAM,EAAE,QAAQ,EAAE,oBAAoB,EAAE,GAAG,MAAM,IAAA,2CAAmB,EAAC,IAAI,CAAC,sBAAsB,CAAC,CAAA;YACjG,QAAQ,CAAC,cAAc,GAAG,QAAQ,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAA;YAC/D,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAA;YACpC,OAAO,qDAAqD,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAA;QAC3F,CAAC;aAAM,CAAC;YACN,OAAO,mDAAmD,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAA;QACzF,CAAC;IACH,CAAC;IACD,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,KAAK,yBAAc,CAAC,OAAO,EAAE,CAAC;QAC3D,OAAO,wBAAwB,yBAAc,CAAC,IAAI,KAAK,yBAAc,CAAC,OAAO,gBAAgB,aAAa,8BAA8B,CAAA;IAC1I,CAAC;IACD,IAAI,gBAAgB,IAAI,gBAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,yBAAc,CAAC,OAAO,CAAC,EAAE,CAAC;QACvF,OAAO,wBAAwB,yBAAc,CAAC,IAAI,KAAK,yBAAc,CAAC,OAAO,yDAAyD,UAAU,CAAC,QAAQ,CAAC,OAAO,qEAAqE,CAAA;IACxO,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,MAAM,IAAA,0CAAkB,EAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;IAC/F,MAAM,IAAA,oBAAQ,EAAC,cAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,WAAW,EACjE;QACE,IAAI,EAAE,mBAAU;KACjB,CACF,CAAA;IACD,OAAO,cAAc;QACnB,CAAC,CAAC,OAAO,aAAa,cAAc,UAAU,CAAC,QAAQ,CAAC,OAAO,2EAA2E,OAAO,GAAG;QACpJ,CAAC,CAAC,SAAS,CAAA;AACf,CAAC"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import { type CreateFetchFromRegistryOptions } from '@pnpm/fetch';
|
|
2
|
+
import { type Registries } from '@pnpm/types';
|
|
3
|
+
export interface RegistryKey {
|
|
4
|
+
expires: string | null;
|
|
5
|
+
key: string;
|
|
6
|
+
keyid: string;
|
|
7
|
+
keytype: string;
|
|
8
|
+
scheme: string;
|
|
9
|
+
}
|
|
10
|
+
/**
|
|
11
|
+
* The trusted npm signing keys used to verify package-manager binaries before
|
|
12
|
+
* pnpm spawns them — npm's public keys embedded in the CLI. There is
|
|
13
|
+
* deliberately no way to override or disable them at runtime: a verification
|
|
14
|
+
* off-switch would be a footgun, and npm mirrors work without one (they proxy
|
|
15
|
+
* the same signed packument, which is verified against these keys). The keys
|
|
16
|
+
* are refreshed at release time by the update-npm-signing-keys script.
|
|
17
|
+
*/
|
|
18
|
+
export declare function getNpmSigningKeys(): RegistryKey[];
|
|
19
|
+
export interface VerifyPnpmEngineIdentityOptions extends CreateFetchFromRegistryOptions {
|
|
20
|
+
registries: Registries;
|
|
21
|
+
rawConfig: Record<string, string>;
|
|
22
|
+
retry?: {
|
|
23
|
+
retries?: number;
|
|
24
|
+
};
|
|
25
|
+
timeout?: number;
|
|
26
|
+
/**
|
|
27
|
+
* The npm signing keys to trust. Defaults to {@link getNpmSigningKeys} (npm's
|
|
28
|
+
* embedded public keys). A test seam only — passing an empty array skips
|
|
29
|
+
* verification. Not reachable from project config, so it cannot be used to
|
|
30
|
+
* weaken verification for a real install.
|
|
31
|
+
*/
|
|
32
|
+
trustedKeys?: RegistryKey[];
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Verifies that the pnpm engine staged at `stageDir` (and about to be linked
|
|
36
|
+
* into the tools directory and executed) is genuinely the published `pnpm` /
|
|
37
|
+
* `@pnpm/exe` — i.e. the bytes recorded in the staged lockfile carry a valid
|
|
38
|
+
* npm registry signature for their exact `name@version`.
|
|
39
|
+
*
|
|
40
|
+
* The wanted pnpm version comes from a repository's `packageManager` field,
|
|
41
|
+
* so without this check a cloned repository could make pnpm download and run
|
|
42
|
+
* an arbitrary native binary. Signatures are verified against npm's embedded
|
|
43
|
+
* public keys (see {@link getNpmSigningKeys}), so a registry cannot answer
|
|
44
|
+
* with its own key pair; the signed packument is fetched from the configured
|
|
45
|
+
* registry, which an npm mirror proxies transparently.
|
|
46
|
+
*
|
|
47
|
+
* Fails closed: verification failure — including an unreachable registry —
|
|
48
|
+
* refuses the version switch rather than running an unverified binary. This
|
|
49
|
+
* runs only when the engine is actually being installed (a tools-directory
|
|
50
|
+
* cache miss), so it does not add a network round trip to every command.
|
|
51
|
+
*/
|
|
52
|
+
export declare function verifyPnpmEngineIdentity(stageDir: string, targetPkgName: string, pnpmVersion: string, opts: VerifyPnpmEngineIdentityOptions): Promise<void>;
|
|
@@ -0,0 +1,235 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.getNpmSigningKeys = getNpmSigningKeys;
|
|
7
|
+
exports.verifyPnpmEngineIdentity = verifyPnpmEngineIdentity;
|
|
8
|
+
const crypto_1 = __importDefault(require("crypto"));
|
|
9
|
+
const fs_1 = __importDefault(require("fs"));
|
|
10
|
+
const path_1 = __importDefault(require("path"));
|
|
11
|
+
const url_1 = __importDefault(require("url"));
|
|
12
|
+
const util_1 = __importDefault(require("util"));
|
|
13
|
+
const error_1 = require("@pnpm/error");
|
|
14
|
+
const fetch_1 = require("@pnpm/fetch");
|
|
15
|
+
const lockfile_fs_1 = require("@pnpm/lockfile.fs");
|
|
16
|
+
const network_auth_header_1 = require("@pnpm/network.auth-header");
|
|
17
|
+
const pick_registry_for_package_1 = require("@pnpm/pick-registry-for-package");
|
|
18
|
+
const npmSigningKeys_js_1 = require("./npmSigningKeys.js");
|
|
19
|
+
/**
|
|
20
|
+
* The trusted npm signing keys used to verify package-manager binaries before
|
|
21
|
+
* pnpm spawns them — npm's public keys embedded in the CLI. There is
|
|
22
|
+
* deliberately no way to override or disable them at runtime: a verification
|
|
23
|
+
* off-switch would be a footgun, and npm mirrors work without one (they proxy
|
|
24
|
+
* the same signed packument, which is verified against these keys). The keys
|
|
25
|
+
* are refreshed at release time by the update-npm-signing-keys script.
|
|
26
|
+
*/
|
|
27
|
+
function getNpmSigningKeys() {
|
|
28
|
+
return npmSigningKeys_js_1.NPM_SIGNING_KEYS.map((k) => ({ ...k }));
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Verifies that the pnpm engine staged at `stageDir` (and about to be linked
|
|
32
|
+
* into the tools directory and executed) is genuinely the published `pnpm` /
|
|
33
|
+
* `@pnpm/exe` — i.e. the bytes recorded in the staged lockfile carry a valid
|
|
34
|
+
* npm registry signature for their exact `name@version`.
|
|
35
|
+
*
|
|
36
|
+
* The wanted pnpm version comes from a repository's `packageManager` field,
|
|
37
|
+
* so without this check a cloned repository could make pnpm download and run
|
|
38
|
+
* an arbitrary native binary. Signatures are verified against npm's embedded
|
|
39
|
+
* public keys (see {@link getNpmSigningKeys}), so a registry cannot answer
|
|
40
|
+
* with its own key pair; the signed packument is fetched from the configured
|
|
41
|
+
* registry, which an npm mirror proxies transparently.
|
|
42
|
+
*
|
|
43
|
+
* Fails closed: verification failure — including an unreachable registry —
|
|
44
|
+
* refuses the version switch rather than running an unverified binary. This
|
|
45
|
+
* runs only when the engine is actually being installed (a tools-directory
|
|
46
|
+
* cache miss), so it does not add a network round trip to every command.
|
|
47
|
+
*/
|
|
48
|
+
async function verifyPnpmEngineIdentity(stageDir, targetPkgName, pnpmVersion, opts) {
|
|
49
|
+
const trustedKeys = opts.trustedKeys ?? getNpmSigningKeys();
|
|
50
|
+
if (trustedKeys.length === 0)
|
|
51
|
+
return; // test seam: no trusted keys means skip
|
|
52
|
+
const lockfile = await (0, lockfile_fs_1.readWantedLockfile)(stageDir, { ignoreIncompatible: true });
|
|
53
|
+
if (lockfile == null) {
|
|
54
|
+
throw new error_1.PnpmError('PNPM_ENGINE_IDENTITY_UNVERIFIABLE', `Cannot verify the identity of pnpm@${pnpmVersion}: the staged install has no lockfile.`);
|
|
55
|
+
}
|
|
56
|
+
const toVerify = collectEnginePackagesToVerify(lockfile, stageDir, targetPkgName, pnpmVersion, opts.registries);
|
|
57
|
+
const getAuthHeader = (0, network_auth_header_1.createGetAuthHeaderByURI)({ allSettings: opts.rawConfig });
|
|
58
|
+
const fetchFromRegistry = (0, fetch_1.createFetchFromRegistry)(opts);
|
|
59
|
+
const failures = [];
|
|
60
|
+
await Promise.all(toVerify.map(async (pkg) => {
|
|
61
|
+
const failure = await findSignatureFailure(pkg, trustedKeys, { fetchFromRegistry, getAuthHeader, retry: opts.retry, timeout: opts.timeout });
|
|
62
|
+
if (failure != null) {
|
|
63
|
+
failures.push({ name: pkg.name, version: pkg.version, ...failure });
|
|
64
|
+
}
|
|
65
|
+
}));
|
|
66
|
+
if (failures.length === 0)
|
|
67
|
+
return;
|
|
68
|
+
failures.sort((a, b) => `${a.name}@${a.version}`.localeCompare(`${b.name}@${b.version}`));
|
|
69
|
+
const onlyUnreachable = failures.every((f) => f.category === 'unreachable');
|
|
70
|
+
throw new error_1.PnpmError(onlyUnreachable ? 'PNPM_ENGINE_IDENTITY_UNVERIFIABLE' : 'PNPM_ENGINE_IDENTITY_MISMATCH', `Refusing to run pnpm@${pnpmVersion}: its npm registry signature could not be verified ` +
|
|
71
|
+
`(${failures.map(({ name, version, reason }) => `${name}@${version}: ${reason}`).join('; ')}). ` +
|
|
72
|
+
'The bytes selected by this install do not match a published, signed pnpm release.', { hint: 'This can indicate a tampered download or a malicious/unreachable registry. Set `manage-package-manager-versions` to `false` to skip the version switch if this is unexpected.' });
|
|
73
|
+
}
|
|
74
|
+
function collectEnginePackagesToVerify(lockfile, stageDir, targetPkgName, version, registries) {
|
|
75
|
+
const toVerify = [engineComponentToVerify(lockfile, registries, targetPkgName, version)];
|
|
76
|
+
if (targetPkgName === '@pnpm/exe') {
|
|
77
|
+
// The bytes actually executed are the host's platform binary, listed as an
|
|
78
|
+
// optional dependency of `@pnpm/exe`. Verify every platform package the
|
|
79
|
+
// staged install actually materialized on disk.
|
|
80
|
+
const optionalDeps = lockfile.packages?.[`@pnpm/exe@${version}`]?.optionalDependencies ?? {};
|
|
81
|
+
for (const [name, platformVersion] of Object.entries(optionalDeps)) {
|
|
82
|
+
if (!fs_1.default.existsSync(path_1.default.join(stageDir, 'node_modules', name)))
|
|
83
|
+
continue;
|
|
84
|
+
toVerify.push(engineComponentToVerify(lockfile, registries, name, platformVersion));
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
return toVerify;
|
|
88
|
+
}
|
|
89
|
+
function engineComponentToVerify(lockfile, registries, name, version) {
|
|
90
|
+
const resolution = lockfile.packages?.[`${name}@${version}`]?.resolution;
|
|
91
|
+
const integrity = resolution?.integrity;
|
|
92
|
+
if (typeof integrity !== 'string' || !integrity) {
|
|
93
|
+
// pnpm can install a tarball without integrity, so a missing integrity must
|
|
94
|
+
// fail closed rather than silently exempt that component from verification.
|
|
95
|
+
throw new error_1.PnpmError('PNPM_ENGINE_IDENTITY_UNVERIFIABLE', `Cannot verify the identity of ${name}@${version}: its integrity metadata is missing from the staged lockfile.`);
|
|
96
|
+
}
|
|
97
|
+
return { name, version, registry: (0, pick_registry_for_package_1.pickRegistryForPackage)(registries, name), integrity };
|
|
98
|
+
}
|
|
99
|
+
async function findSignatureFailure(pkg, trustedKeys, ctx) {
|
|
100
|
+
let packument;
|
|
101
|
+
try {
|
|
102
|
+
packument = await fetchPackument(pkg, ctx);
|
|
103
|
+
}
|
|
104
|
+
catch (err) {
|
|
105
|
+
// Fetch-layer errors embed the request URL, which may carry credentials.
|
|
106
|
+
return { reason: redactTextCredentials(util_1.default.types.isNativeError(err) ? err.message : String(err)), category: 'unreachable' };
|
|
107
|
+
}
|
|
108
|
+
if (!packument)
|
|
109
|
+
return { reason: `${pkg.name} is not published on ${redactUrlCredentials(pkg.registry)}`, category: 'absent' };
|
|
110
|
+
const version = packument.versions?.[pkg.version];
|
|
111
|
+
if (!version)
|
|
112
|
+
return { reason: `${pkg.name}@${pkg.version} was not found on ${redactUrlCredentials(pkg.registry)}`, category: 'absent' };
|
|
113
|
+
const rawSignatures = version.dist?.signatures;
|
|
114
|
+
if (rawSignatures != null && !Array.isArray(rawSignatures)) {
|
|
115
|
+
return { reason: `malformed registry signatures metadata for ${pkg.name}@${pkg.version}`, category: 'absent' };
|
|
116
|
+
}
|
|
117
|
+
const signatures = rawSignatures ?? [];
|
|
118
|
+
if (!signatures.every(isPackageSignature)) {
|
|
119
|
+
return { reason: `malformed registry signatures metadata for ${pkg.name}@${pkg.version}`, category: 'absent' };
|
|
120
|
+
}
|
|
121
|
+
if (signatures.length === 0) {
|
|
122
|
+
return { reason: `${pkg.name}@${pkg.version} has no registry signature`, category: 'absent' };
|
|
123
|
+
}
|
|
124
|
+
// The message is built from the installed integrity, so a signature only
|
|
125
|
+
// validates when the installed bytes match what the registry signed.
|
|
126
|
+
return verifyPackageSignatures(pkg, packument.time?.[pkg.version], signatures, trustedKeys);
|
|
127
|
+
}
|
|
128
|
+
async function fetchPackument(pkg, ctx) {
|
|
129
|
+
const registryUrl = pkg.registry.endsWith('/') ? pkg.registry : `${pkg.registry}/`;
|
|
130
|
+
const packumentUrl = toUri(pkg.name, registryUrl);
|
|
131
|
+
const response = await ctx.fetchFromRegistry(packumentUrl, {
|
|
132
|
+
authHeaderValue: ctx.getAuthHeader(registryUrl),
|
|
133
|
+
fullMetadata: true,
|
|
134
|
+
retry: ctx.retry,
|
|
135
|
+
timeout: ctx.timeout,
|
|
136
|
+
});
|
|
137
|
+
if (response.status === 404) {
|
|
138
|
+
return undefined;
|
|
139
|
+
}
|
|
140
|
+
if (response.status !== 200) {
|
|
141
|
+
throw new error_1.PnpmError('ENGINE_IDENTITY_PACKUMENT_FETCH_FAIL', `The packument endpoint (at ${redactUrlCredentials(packumentUrl)}) responded with ${response.status}: ${(await response.text()).slice(0, 500)}`);
|
|
142
|
+
}
|
|
143
|
+
const body = await response.json();
|
|
144
|
+
if (!isPackument(body)) {
|
|
145
|
+
throw new error_1.PnpmError('ENGINE_IDENTITY_PACKUMENT_FETCH_FAIL', `The packument endpoint (at ${redactUrlCredentials(packumentUrl)}) returned an unexpected body. Expected an object with versions; got: ${JSON.stringify(body)?.slice(0, 500) ?? String(body)}`);
|
|
146
|
+
}
|
|
147
|
+
return body;
|
|
148
|
+
}
|
|
149
|
+
// Registry URLs may legally embed basic-auth credentials
|
|
150
|
+
// (https://user:pass@host/); never print those in error messages, which land
|
|
151
|
+
// in terminal output and CI logs.
|
|
152
|
+
function redactUrlCredentials(rawUrl) {
|
|
153
|
+
try {
|
|
154
|
+
const parsed = new url_1.default.URL(rawUrl);
|
|
155
|
+
parsed.username = '';
|
|
156
|
+
parsed.password = '';
|
|
157
|
+
return parsed.toString();
|
|
158
|
+
}
|
|
159
|
+
catch {
|
|
160
|
+
return rawUrl;
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
function redactTextCredentials(text) {
|
|
164
|
+
return text.replace(/([a-z][a-z0-9+.-]*:\/\/)[^@/\s]+@/gi, '$1');
|
|
165
|
+
}
|
|
166
|
+
function verifyPackageSignatures(pkg, publishedAt, signatures, keys) {
|
|
167
|
+
// Registry signatures cover the package identity and content integrity.
|
|
168
|
+
const message = `${pkg.name}@${pkg.version}:${pkg.integrity}`;
|
|
169
|
+
const publishedTime = publishedAt ? Date.parse(publishedAt) : undefined;
|
|
170
|
+
// A package is accepted as soon as ONE signature made by a trusted key
|
|
171
|
+
// validates. Signatures from unknown/expired/invalid keys are recorded but do
|
|
172
|
+
// not on their own fail the package — otherwise a key rotation (a packument
|
|
173
|
+
// carrying multiple signatures) breaks, and a mirror could force a failure
|
|
174
|
+
// just by appending a junk signature. We fail only when no signature validates
|
|
175
|
+
// against a trusted key.
|
|
176
|
+
const failures = [];
|
|
177
|
+
for (const signature of signatures) {
|
|
178
|
+
const key = keys.find(({ keyid }) => keyid === signature.keyid);
|
|
179
|
+
if (!key) {
|
|
180
|
+
failures.push(`${pkg.name}@${pkg.version} has a registry signature with keyid ${signature.keyid} but no corresponding public key can be found`);
|
|
181
|
+
continue;
|
|
182
|
+
}
|
|
183
|
+
// Key expiry is a consistency check, not a security boundary: the publish
|
|
184
|
+
// time comes from the same unauthenticated packument as the signatures, so
|
|
185
|
+
// a forger holding an expired trusted key could backdate it anyway. The
|
|
186
|
+
// signature verification below is what gates acceptance.
|
|
187
|
+
if (key.expires && publishedTime != null && publishedTime >= Date.parse(key.expires)) {
|
|
188
|
+
failures.push(`${pkg.name}@${pkg.version} has a registry signature with keyid ${signature.keyid} but the corresponding public key has expired ${key.expires}`);
|
|
189
|
+
continue;
|
|
190
|
+
}
|
|
191
|
+
const pem = `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`;
|
|
192
|
+
// crypto.verify can throw on malformed PEM key material or signature bytes
|
|
193
|
+
// returned by the registry; treat any failure as an invalid signature so
|
|
194
|
+
// one bad key doesn't crash the whole verification.
|
|
195
|
+
let verified;
|
|
196
|
+
try {
|
|
197
|
+
const verifier = crypto_1.default.createVerify('SHA256');
|
|
198
|
+
verifier.write(message);
|
|
199
|
+
verifier.end();
|
|
200
|
+
verified = verifier.verify(pem, signature.sig, 'base64');
|
|
201
|
+
}
|
|
202
|
+
catch {
|
|
203
|
+
verified = false;
|
|
204
|
+
}
|
|
205
|
+
if (verified)
|
|
206
|
+
return undefined;
|
|
207
|
+
failures.push(`${pkg.name}@${pkg.version} has an invalid registry signature with keyid ${signature.keyid}`);
|
|
208
|
+
}
|
|
209
|
+
// Prefer an invalid signature from a known key (a tamper signal) over an
|
|
210
|
+
// unknown-key or expiry reason, since unknown keys may just be junk a mirror
|
|
211
|
+
// appended.
|
|
212
|
+
const reason = failures.find((failure) => failure.includes('invalid registry signature')) ??
|
|
213
|
+
failures[0] ??
|
|
214
|
+
`${pkg.name}@${pkg.version} has no registry signature from a trusted key`;
|
|
215
|
+
return { reason, category: 'invalid' };
|
|
216
|
+
}
|
|
217
|
+
function toUri(pkgName, registry) {
|
|
218
|
+
let encodedName;
|
|
219
|
+
if (pkgName[0] === '@') {
|
|
220
|
+
encodedName = `@${encodeURIComponent(pkgName.slice(1))}`;
|
|
221
|
+
}
|
|
222
|
+
else {
|
|
223
|
+
encodedName = encodeURIComponent(pkgName);
|
|
224
|
+
}
|
|
225
|
+
return new url_1.default.URL(encodedName, registry.endsWith('/') ? registry : `${registry}/`).toString();
|
|
226
|
+
}
|
|
227
|
+
function isPackument(body) {
|
|
228
|
+
return typeof body === 'object' && body != null && typeof body.versions === 'object' && body.versions != null;
|
|
229
|
+
}
|
|
230
|
+
function isPackageSignature(signature) {
|
|
231
|
+
return typeof signature === 'object' && signature != null &&
|
|
232
|
+
typeof signature.keyid === 'string' &&
|
|
233
|
+
typeof signature.sig === 'string';
|
|
234
|
+
}
|
|
235
|
+
//# sourceMappingURL=verifyPnpmEngineIdentity.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verifyPnpmEngineIdentity.js","sourceRoot":"","sources":["../src/verifyPnpmEngineIdentity.ts"],"names":[],"mappings":";;;;;AAgCA,8CAEC;AA2CD,4DAuCC;AApHD,oDAA2B;AAC3B,4CAAmB;AACnB,gDAAuB;AACvB,8CAAqB;AACrB,gDAAuB;AAEvB,uCAAuC;AACvC,uCAA0F;AAE1F,mDAAsD;AACtD,mEAAoE;AACpE,+EAAwE;AAGxE,2DAAsD;AAUtD;;;;;;;GAOG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,oCAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAA;AAChD,CAAC;AAyBD;;;;;;;;;;;;;;;;;GAiBG;AACI,KAAK,UAAU,wBAAwB,CAC5C,QAAgB,EAChB,aAAqB,EACrB,WAAmB,EACnB,IAAqC;IAErC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,iBAAiB,EAAE,CAAA;IAC3D,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM,CAAC,wCAAwC;IAE7E,MAAM,QAAQ,GAAG,MAAM,IAAA,gCAAkB,EAAC,QAAQ,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAA;IACjF,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,iBAAS,CACjB,mCAAmC,EACnC,sCAAsC,WAAW,uCAAuC,CACzF,CAAA;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,6BAA6B,CAAC,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAE/G,MAAM,aAAa,GAAG,IAAA,8CAAwB,EAAC,EAAE,WAAW,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;IAC/E,MAAM,iBAAiB,GAAG,IAAA,+BAAuB,EAAC,IAAI,CAAC,CAAA;IAEvD,MAAM,QAAQ,GAA6B,EAAE,CAAA;IAC7C,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAC3C,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,GAAG,EAAE,WAAW,EAAE,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAA;QAC5I,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,OAAO,EAAE,CAAC,CAAA;QACrE,CAAC;IACH,CAAC,CAAC,CAAC,CAAA;IACH,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAEjC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;IACzF,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,aAAa,CAAC,CAAA;IAC3E,MAAM,IAAI,iBAAS,CACjB,eAAe,CAAC,CAAC,CAAC,mCAAmC,CAAC,CAAC,CAAC,+BAA+B,EACvF,wBAAwB,WAAW,qDAAqD;QACxF,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;QAChG,mFAAmF,EACnF,EAAE,IAAI,EAAE,+KAA+K,EAAE,CAC1L,CAAA;AACH,CAAC;AAoBD,SAAS,6BAA6B,CACpC,QAAwB,EACxB,QAAgB,EAChB,aAAqB,EACrB,OAAe,EACf,UAAsB;IAEtB,MAAM,QAAQ,GAAG,CAAC,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC,CAAA;IACxF,IAAI,aAAa,KAAK,WAAW,EAAE,CAAC;QAClC,2EAA2E;QAC3E,wEAAwE;QACxE,gDAAgD;QAChD,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,aAAa,OAAO,EAAa,CAAC,EAAE,oBAAoB,IAAI,EAAE,CAAA;QACvG,KAAK,MAAM,CAAC,IAAI,EAAE,eAAe,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,YAAE,CAAC,UAAU,CAAC,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;gBAAE,SAAQ;YACvE,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC,CAAA;QACrF,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED,SAAS,uBAAuB,CAC9B,QAAwB,EACxB,UAAsB,EACtB,IAAY,EACZ,OAAe;IAEf,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,IAAI,IAAI,OAAO,EAAa,CAAC,EAAE,UAAU,CAAA;IACnF,MAAM,SAAS,GAAI,UAAkD,EAAE,SAAS,CAAA;IAChF,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,4EAA4E;QAC5E,4EAA4E;QAC5E,MAAM,IAAI,iBAAS,CACjB,mCAAmC,EACnC,iCAAiC,IAAI,IAAI,OAAO,+DAA+D,CAChH,CAAA;IACH,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAA,kDAAsB,EAAC,UAAU,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,CAAA;AACzF,CAAC;AA2BD,KAAK,UAAU,oBAAoB,CACjC,GAA6B,EAC7B,WAA0B,EAC1B,GAA0B;IAE1B,IAAI,SAAgC,CAAA;IACpC,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;IAC5C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,yEAAyE;QACzE,OAAO,EAAE,MAAM,EAAE,qBAAqB,CAAC,cAAI,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAA;IAC9H,CAAC;IACD,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,wBAAwB,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAE9H,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IACjD,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,qBAAqB,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAExI,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,EAAE,UAAU,CAAA;IAC9C,IAAI,aAAa,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3D,OAAO,EAAE,MAAM,EAAE,8CAA8C,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAChH,CAAC;IACD,MAAM,UAAU,GAAG,aAAa,IAAI,EAAE,CAAA;IACtC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC1C,OAAO,EAAE,MAAM,EAAE,8CAA8C,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAChH,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,4BAA4B,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;IAC/F,CAAC;IAED,yEAAyE;IACzE,qEAAqE;IACrE,OAAO,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,WAAW,CAAC,CAAA;AAC7F,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,GAA6B,EAC7B,GAA0B;IAE1B,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,GAAG,CAAA;IAClF,MAAM,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IAEjD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,iBAAiB,CAAC,YAAY,EAAE;QACzD,eAAe,EAAE,GAAG,CAAC,aAAa,CAAC,WAAW,CAAC;QAC/C,YAAY,EAAE,IAAI;QAClB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAA;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,MAAM,IAAI,iBAAS,CACjB,sCAAsC,EACtC,8BAA8B,oBAAoB,CAAC,YAAY,CAAC,oBAAoB,QAAQ,CAAC,MAAM,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChJ,CAAA;IACH,CAAC;IAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC3C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,iBAAS,CACjB,sCAAsC,EACtC,8BAA8B,oBAAoB,CAAC,YAAY,CAAC,yEAAyE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAC/L,CAAA;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,yDAAyD;AACzD,6EAA6E;AAC7E,kCAAkC;AAClC,SAAS,oBAAoB,CAAE,MAAc;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,aAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAClC,MAAM,CAAC,QAAQ,GAAG,EAAE,CAAA;QACpB,MAAM,CAAC,QAAQ,GAAG,EAAE,CAAA;QACpB,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAA;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAA;IACf,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAE,IAAY;IAC1C,OAAO,IAAI,CAAC,OAAO,CAAC,qCAAqC,EAAE,IAAI,CAAC,CAAA;AAClE,CAAC;AAED,SAAS,uBAAuB,CAC9B,GAA6B,EAC7B,WAA+B,EAC/B,UAA8B,EAC9B,IAAmB;IAEnB,wEAAwE;IACxE,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,SAAS,EAAE,CAAA;IAC7D,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAEvE,uEAAuE;IACvE,8EAA8E;IAC9E,4EAA4E;IAC5E,2EAA2E;IAC3E,+EAA+E;IAC/E,yBAAyB;IACzB,MAAM,QAAQ,GAAa,EAAE,CAAA;IAC7B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK,CAAC,CAAA;QAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,QAAQ,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,wCAAwC,SAAS,CAAC,KAAK,+CAA+C,CAAC,CAAA;YAC/I,SAAQ;QACV,CAAC;QACD,0EAA0E;QAC1E,2EAA2E;QAC3E,wEAAwE;QACxE,yDAAyD;QACzD,IAAI,GAAG,CAAC,OAAO,IAAI,aAAa,IAAI,IAAI,IAAI,aAAa,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACrF,QAAQ,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,wCAAwC,SAAS,CAAC,KAAK,iDAAiD,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;YAC9J,SAAQ;QACV,CAAC;QACD,MAAM,GAAG,GAAG,+BAA+B,GAAG,CAAC,GAAG,4BAA4B,CAAA;QAC9E,2EAA2E;QAC3E,yEAAyE;QACzE,oDAAoD;QACpD,IAAI,QAAiB,CAAA;QACrB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,gBAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAA;YAC9C,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;YACvB,QAAQ,CAAC,GAAG,EAAE,CAAA;YACd,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,KAAK,CAAA;QAClB,CAAC;QACD,IAAI,QAAQ;YAAE,OAAO,SAAS,CAAA;QAC9B,QAAQ,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,iDAAiD,SAAS,CAAC,KAAK,EAAE,CAAC,CAAA;IAC7G,CAAC;IACD,yEAAyE;IACzE,6EAA6E;IAC7E,YAAY;IACZ,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;QACvF,QAAQ,CAAC,CAAC,CAAC;QACX,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,+CAA+C,CAAA;IAC3E,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,KAAK,CAAE,OAAe,EAAE,QAAgB;IAC/C,IAAI,WAAmB,CAAA;IACvB,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;QACvB,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC1D,CAAC;SAAM,CAAC;QACN,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;IAC3C,CAAC;IACD,OAAO,IAAI,aAAG,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAA;AAChG,CAAC;AAED,SAAS,WAAW,CAAE,IAAa;IACjC,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,IAAI,IAAI,IAAI,OAAQ,IAAkB,CAAC,QAAQ,KAAK,QAAQ,IAAK,IAAkB,CAAC,QAAQ,IAAI,IAAI,CAAA;AAC7I,CAAC;AAED,SAAS,kBAAkB,CAAE,SAAkB;IAC7C,OAAO,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,IAAI,IAAI;QACvD,OAAQ,SAA8B,CAAC,KAAK,KAAK,QAAQ;QACzD,OAAQ,SAA8B,CAAC,GAAG,KAAK,QAAQ,CAAA;AAC3D,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pnpm/tools.plugin-commands-self-updater",
|
|
3
|
-
"version": "1000.1.
|
|
3
|
+
"version": "1000.1.59",
|
|
4
4
|
"description": "A command for updating pnpm itself",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"pnpm",
|
|
@@ -30,15 +30,21 @@
|
|
|
30
30
|
"render-help": "^1.0.3",
|
|
31
31
|
"semver": "^7.7.4",
|
|
32
32
|
"symlink-dir": "^6.0.5",
|
|
33
|
-
"@pnpm/cli-meta": "1000.0.
|
|
34
|
-
"@pnpm/
|
|
35
|
-
"@pnpm/config": "1004.11.
|
|
36
|
-
"@pnpm/error": "1000.1.0",
|
|
37
|
-
"@pnpm/client": "1001.1.25",
|
|
33
|
+
"@pnpm/cli-meta": "1000.0.17",
|
|
34
|
+
"@pnpm/client": "1001.1.27",
|
|
35
|
+
"@pnpm/config": "1004.11.3",
|
|
38
36
|
"@pnpm/exec.pnpm-cli-runner": "1000.1.0",
|
|
39
|
-
"@pnpm/
|
|
37
|
+
"@pnpm/link-bins": "1000.3.9",
|
|
38
|
+
"@pnpm/error": "1000.1.0",
|
|
39
|
+
"@pnpm/fetch": "1001.0.1",
|
|
40
|
+
"@pnpm/cli-utils": "1001.3.13",
|
|
41
|
+
"@pnpm/lockfile.fs": "1001.1.35",
|
|
42
|
+
"@pnpm/lockfile.types": "1002.1.2",
|
|
43
|
+
"@pnpm/network.auth-header": "1001.0.0",
|
|
44
|
+
"@pnpm/pick-registry-for-package": "1000.0.17",
|
|
45
|
+
"@pnpm/read-project-manifest": "1001.2.7",
|
|
40
46
|
"@pnpm/tools.path": "1000.0.0",
|
|
41
|
-
"@pnpm/
|
|
47
|
+
"@pnpm/types": "1001.3.1"
|
|
42
48
|
},
|
|
43
49
|
"peerDependencies": {
|
|
44
50
|
"@pnpm/logger": "^1001.0.1"
|
|
@@ -50,9 +56,9 @@
|
|
|
50
56
|
"@types/semver": "7.5.3",
|
|
51
57
|
"cross-spawn": "^7.0.6",
|
|
52
58
|
"nock": "13.3.4",
|
|
59
|
+
"@pnpm/prepare": "1000.0.18",
|
|
53
60
|
"@pnpm/env.path": "1000.0.0",
|
|
54
|
-
"@pnpm/
|
|
55
|
-
"@pnpm/tools.plugin-commands-self-updater": "1000.1.57"
|
|
61
|
+
"@pnpm/tools.plugin-commands-self-updater": "1000.1.59"
|
|
56
62
|
},
|
|
57
63
|
"engines": {
|
|
58
64
|
"node": ">=18.12"
|