@vltpkg/vsr 0.0.0-27 → 0.0.0-28

package/src/utils/docs.ts

@@ -0,0 +1,146 @@
+export const apiBody = ({ YEAR }: { YEAR: number }) => {
+  return `The **vlt serverless registry** is the modern JavaScript package registry.
+        
+### Compatible Clients
+
+<table>
+  <tbody>
+    <tr>
+      <td><a href="https://vlt.sh" alt="vlt"><strong><code>vlt</code></strong></a></td>
+      <td><a href="https://npmjs.com/package/npm" alt="npm"><strong><code>npm</code></strong></a></td>
+      <td><a href="https://yarnpkg.com/" alt="yarn"><strong><code>yarn</code></strong></a></td>
+      <td><a href="https://pnpm.io/" alt="pnpm"><strong><code>pnpm</code></strong></a></td>
+      <td><a href="https://deno.com/" alt="deno"><strong><code>deno</code></strong></a></td>
+      <td><a href="https://bun.sh/" alt="bun"><strong><code>bun</code></strong></a></td>
+    </tr>
+  </tbody>
+</table>
+
+### Resources
+
+<ul alt="resources">
+  <li><a href="https://vlt.sh">https://<strong>vlt.sh</strong></a></li>
+  <li><a href="https://github.com/vltpkg/vsr">https://github.com/<strong>vltpkg/vsr</strong></a></li>
+  <li><a href="https://discord.gg/vltpkg">https://discord.gg/<strong>vltpkg</strong></a></li>
+  <li><a href="https://x.com/vltpkg">https://x.com/<strong>vltpkg</strong></a></li>
+</ul>
+
+##### Trademark Disclaimer
+
+<p alt="trademark-disclaimer">All trademarks, logos and brand names are the property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.</p>
+
+### License
+
+<details alt="license">
+<summary><strong>Functional Source License</strong>, Version 1.1, MIT Future License</summary>
+<h1>Functional Source License,<br />Version 1.1,<br />MIT Future License</h1>
+<h2>Abbreviation</h2>
+
+FSL-1.1-MIT
+
+<h2>Notice</h2>
+
+Copyright ${YEAR} vlt technology inc.
+
+<h2>Terms and Conditions</h2>
+
+<h3>Licensor ("We")</h3>
+
+The party offering the Software under these Terms and Conditions.
+
+<h3>The Software</h3>
+
+The "Software" is each version of the software that we make available under
+these Terms and Conditions, as indicated by our inclusion of these Terms and
+Conditions with the Software.
+
+<h3>License Grant</h3>
+
+Subject to your compliance with this License Grant and the Patents,
+Redistribution and Trademark clauses below, we hereby grant you the right to
+use, copy, modify, create derivative works, publicly perform, publicly display
+and redistribute the Software for any Permitted Purpose identified below.
+
+<h3>Permitted Purpose</h3>
+
+A Permitted Purpose is any purpose other than a Competing Use. A Competing Use
+means making the Software available to others in a commercial product or
+service that:
+
+1. substitutes for the Software;
+
+2. substitutes for any other product or service we offer using the Software
+that exists as of the date we make the Software available; or
+
+3. offers the same or substantially similar functionality as the Software.
+
+Permitted Purposes specifically include using the Software:
+
+1. for your internal use and access;
+
+2. for non-commercial education;
+
+3. for non-commercial research; and
+
+4. in connection with professional services that you provide to a licensee
+using the Software in accordance with these Terms and Conditions.
+
+<h3>Patents</h3>
+
+To the extent your use for a Permitted Purpose would necessarily infringe our
+patents, the license grant above includes a license under our patents. If you
+make a claim against any party that the Software infringes or contributes to
+the infringement of any patent, then your patent license to the Software ends
+immediately.
+
+<h3>Redistribution</h3>
+
+The Terms and Conditions apply to all copies, modifications and derivatives of
+the Software.
+
+If you redistribute any copies, modifications or derivatives of the Software,
+you must include a copy of or a link to these Terms and Conditions and not
+remove any copyright notices provided in or with the Software.
+
+<h3>Disclaimer</h3>
+
+THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR
+PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT.
+
+IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE
+SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
+EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
+
+<h3>Trademarks</h3>
+
+Except for displaying the License Details and identifying us as the origin of
+the Software, you have no right under these Terms and Conditions to use our
+trademarks, trade names, service marks or product names.
+
+<h2>Grant of Future License</h2>
+
+We hereby irrevocably grant you an additional license to use the Software under
+the MIT license that is effective on the second anniversary of the date we make
+the Software available. On or after that date, you may use the Software under
+the MIT license, in which case the following will apply:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+</dialog>`
+}

package/src/utils/packages.ts

@@ -0,0 +1,453 @@
+import * as semver from 'semver'
+import validate from 'validate-npm-package-name'
+import { URL } from '../../config.ts'
+import type {
+  HonoContext,
+  PackageSpec,
+  PackageManifest,
+  ValidationResult,
+} from '../../types.ts'
+
+/**
+ * Extracts package.json from a tarball buffer
+ * @param {Uint8Array} _tarballBuffer - The tarball as a Uint8Array
+ * @returns {Promise<PackageManifest | null>} The parsed package.json content
+ */
+export async function extractPackageJSON(
+  _tarballBuffer: Uint8Array,
+): Promise<PackageManifest | null> {
+  try {
+    // This would need to be implemented with a tarball extraction library
+    // For now, return null as a placeholder
+    return null
+  } catch (_error) {
+    return null
+  }
+}
+
+/**
+ * Extracts package specification from context
+ * @param {HonoContext} c - The Hono context
+ * @returns {PackageSpec} Package specification object
+ */
+export function packageSpec(c: HonoContext): PackageSpec {
+  const { scope, pkg } = c.req.param()
+
+  if (scope && pkg) {
+    // Scoped package
+    const name =
+      scope.startsWith('@') ? `${scope}/${pkg}` : `@${scope}/${pkg}`
+    return { name, scope, pkg }
+  } else if (scope) {
+    // Unscoped package (scope is actually the package name)
+    return { name: scope, pkg: scope }
+  }
+
+  return {}
+}
+
+/**
+ * Creates a file path for a package tarball
+ * @param {object} options - Object with pkg and version
+ * @param {string} options.pkg - Package name
+ * @param {string} options.version - Package version
+ * @returns {string} Tarball file path
+ */
+export function createFile({
+  pkg,
+  version,
+}: {
+  pkg: string
+  version: string
+}): string {
+  try {
+    if (!pkg || !version) {
+      throw new Error('Missing required parameters')
+    }
+    // Generate the tarball path similar to npm registry format
+    const packageName = pkg.split('/').pop() || pkg
+    return `${pkg}/-/${packageName}-${version}.tgz`
+  } catch (_err) {
+    // Failed to create file path
+    throw new Error('Failed to generate tarball path')
+  }
+}
+
+/**
+ * Creates a version specification string
+ * @param {string} packageName - The package name
+ * @param {string} version - The version
+ * @returns {string} Version specification string
+ */
+export function createVersionSpec(
+  packageName: string,
+  version: string,
+): string {
+  return `${packageName}@${version}`
+}
+
+/**
+ * Creates a full version object with proper manifest structure
+ * @param {object} options - Object with pkg, version, and manifest
+ * @param {string} options.pkg - Package name
+ * @param {string} options.version - Package version
+ * @param {any} options.manifest - Package manifest data
+ * @returns {any} The manifest with proper name, version, and dist fields
+ */
+interface ManifestInput {
+  name?: string
+  version?: string
+  dist?: {
+    tarball?: string
+    [key: string]: unknown
+  }
+  [key: string]: unknown
+}
+
+export function createVersion({
+  pkg,
+  version,
+  manifest,
+}: {
+  pkg: string
+  version: string
+  manifest: unknown
+}): ManifestInput {
+  // If manifest is a string, parse it
+  let parsedManifest: ManifestInput
+  if (typeof manifest === 'string') {
+    try {
+      parsedManifest = JSON.parse(manifest) as ManifestInput
+    } catch (_e) {
+      // If parsing fails, use empty object
+      parsedManifest = {}
+    }
+  } else {
+    parsedManifest = manifest as ManifestInput
+  }
+
+  // Create the final manifest with proper structure
+  const result: ManifestInput = {
+    ...parsedManifest,
+    name: pkg,
+    version: version,
+    dist: {
+      ...(parsedManifest.dist ?? {}),
+      tarball:
+        parsedManifest.dist?.tarball ??
+        `https://registry.npmjs.org/${pkg}/-/${pkg.split('/').pop()}-${version}.tgz`,
+    },
+  }
+
+  return result
+}
+
+interface SlimManifestContext {
+  protocol?: string
+  host?: string
+  upstream?: string
+}
+
+interface ParsedManifest {
+  name?: string
+  version?: string
+  description?: string
+  keywords?: string[]
+  homepage?: string
+  bugs?: unknown
+  license?: string
+  author?: unknown
+  contributors?: unknown[]
+  funding?: unknown
+  files?: string[]
+  main?: string
+  browser?: unknown
+  bin?: Record<string, string>
+  man?: unknown
+  directories?: unknown
+  repository?: unknown
+  scripts?: Record<string, string>
+  dependencies?: Record<string, string>
+  devDependencies?: Record<string, string>
+  peerDependencies?: Record<string, string>
+  optionalDependencies?: Record<string, string>
+  bundledDependencies?: string[]
+  peerDependenciesMeta?: Record<string, unknown>
+  engines?: Record<string, string>
+  os?: string[]
+  cpu?: string[]
+  types?: string
+  typings?: string
+  module?: string
+  exports?: unknown
+  imports?: unknown
+  type?: string
+  dist?: {
+    tarball?: string
+    integrity?: string
+    shasum?: string
+    [key: string]: unknown
+  }
+  [key: string]: unknown
+}
+
+/**
+ * Creates a slimmed down version of a package manifest
+ * Removes sensitive or unnecessary fields for public consumption
+ * @param {unknown} manifest - The full package manifest
+ * @param {SlimManifestContext} [context] - Optional context for URL rewriting
+ * @returns {ParsedManifest} Slimmed manifest
+ */
+export function slimManifest(
+  manifest: unknown,
+  context?: SlimManifestContext,
+): ParsedManifest {
+  if (!manifest) return {} as ParsedManifest
+
+  try {
+    // Parse manifest if it's a string
+    let parsed: ParsedManifest
+    if (typeof manifest === 'string') {
+      try {
+        parsed = JSON.parse(manifest) as ParsedManifest
+      } catch (_e) {
+        // If parsing fails, return empty manifest
+        return {} as ParsedManifest
+      }
+    } else {
+      parsed = manifest as ParsedManifest
+    }
+
+    // Create a new object with only the fields we want to keep
+    const slimmed: ParsedManifest = {}
+
+    // Only add properties that exist
+    if (parsed.name !== undefined) slimmed.name = parsed.name
+    if (parsed.version !== undefined) slimmed.version = parsed.version
+    if (parsed.description !== undefined)
+      slimmed.description = parsed.description
+    if (parsed.keywords !== undefined)
+      slimmed.keywords = parsed.keywords
+    if (parsed.homepage !== undefined)
+      slimmed.homepage = parsed.homepage
+    if (parsed.bugs !== undefined) slimmed.bugs = parsed.bugs
+    if (parsed.license !== undefined) slimmed.license = parsed.license
+    if (parsed.author !== undefined) slimmed.author = parsed.author
+    if (parsed.contributors !== undefined)
+      slimmed.contributors = parsed.contributors
+    if (parsed.funding !== undefined) slimmed.funding = parsed.funding
+    if (parsed.files !== undefined) slimmed.files = parsed.files
+    if (parsed.main !== undefined) slimmed.main = parsed.main
+    if (parsed.browser !== undefined) slimmed.browser = parsed.browser
+    if (parsed.bin !== undefined) slimmed.bin = parsed.bin
+    if (parsed.man !== undefined) slimmed.man = parsed.man
+    if (parsed.directories !== undefined)
+      slimmed.directories = parsed.directories
+    if (parsed.repository !== undefined)
+      slimmed.repository = parsed.repository
+    if (parsed.scripts !== undefined) slimmed.scripts = parsed.scripts
+    // Always include dependencies as empty objects if not present
+    slimmed.dependencies = parsed.dependencies ?? {}
+    slimmed.devDependencies = parsed.devDependencies ?? {}
+    if (parsed.peerDependencies !== undefined)
+      slimmed.peerDependencies = parsed.peerDependencies
+    if (parsed.optionalDependencies !== undefined)
+      slimmed.optionalDependencies = parsed.optionalDependencies
+    if (parsed.bundledDependencies !== undefined)
+      slimmed.bundledDependencies = parsed.bundledDependencies
+    if (parsed.peerDependenciesMeta !== undefined)
+      slimmed.peerDependenciesMeta = parsed.peerDependenciesMeta
+    if (parsed.engines !== undefined) slimmed.engines = parsed.engines
+    if (parsed.os !== undefined) slimmed.os = parsed.os
+    if (parsed.cpu !== undefined) slimmed.cpu = parsed.cpu
+    if (parsed.types !== undefined) slimmed.types = parsed.types
+    if (parsed.typings !== undefined) slimmed.typings = parsed.typings
+    if (parsed.module !== undefined) slimmed.module = parsed.module
+    if (parsed.exports !== undefined) slimmed.exports = parsed.exports
+    if (parsed.imports !== undefined) slimmed.imports = parsed.imports
+    if (parsed.type !== undefined) slimmed.type = parsed.type
+
+    // Handle dist object specially - always include with defaults
+    slimmed.dist = {
+      ...(parsed.dist ?? {}),
+      tarball: rewriteTarballUrlIfNeeded(
+        parsed.dist?.tarball ?? '',
+        parsed.name ?? '',
+        parsed.version ?? '',
+        context,
+      ),
+      integrity: parsed.dist?.integrity ?? '',
+      shasum: parsed.dist?.shasum ?? '',
+    }
+
+    return slimmed
+  } catch (_err) {
+    // Failed to slim manifest
+    return {} as ParsedManifest // Return empty manifest if slimming fails
+  }
+}
+
+/**
+ * Validates a package name using npm validation rules
+ * @param {string} packageName - The package name to validate
+ * @returns {ValidationResult} Validation result
+ */
+export function validatePackageName(
+  packageName: string,
+): ValidationResult {
+  const result = validate(packageName)
+  return {
+    valid: result.validForNewPackages || result.validForOldPackages,
+
+    errors: result.errors ?? [],
+  }
+}
+
+/**
+ * Validates a semver version string
+ * @param {string} version - The version to validate
+ * @returns {boolean} True if valid semver
+ */
+export function validateVersion(version: string): boolean {
+  return semver.valid(version) !== null
+}
+
+/**
+ * Parses a version range and returns the best matching version from a list
+ * @param {string} range - The semver range
+ * @param {string[]} versions - Available versions
+ * @returns {string | null} Best matching version or null
+ */
+export function getBestMatchingVersion(
+  range: string,
+  versions: string[],
+): string | null {
+  try {
+    return semver.maxSatisfying(versions, range)
+  } catch (_error) {
+    // Invalid semver range
+    return null
+  }
+}
+
+/**
+ * Extracts the package name from a scoped or unscoped package identifier
+ * @param {string} identifier - Package identifier (e.g., "@scope/package" or "package")
+ * @returns {object} Package name components
+ */
+export function parsePackageIdentifier(identifier: string): {
+  scope?: string
+  name: string
+  fullName: string
+} {
+  if (identifier.startsWith('@')) {
+    const parts = identifier.split('/')
+    if (parts.length >= 2) {
+      const scope = parts[0]
+      return {
+        ...(scope && { scope }),
+        name: parts.slice(1).join('/'),
+        fullName: identifier,
+      }
+    }
+  }
+
+  return {
+    name: identifier,
+    fullName: identifier,
+  }
+}
+
+/**
+ * Generates a tarball filename for a package version
+ * @param {string} packageName - The package name
+ * @param {string} version - The package version
+ * @returns {string} Tarball filename
+ */
+export function generateTarballFilename(
+  packageName: string,
+  version: string,
+): string {
+  const name = packageName.split('/').pop() || packageName
+  return `${name}-${version}.tgz`
+}
+
+/**
+ * Rewrites tarball URLs if needed for local registry
+ * @param {string} _originalUrl - The original tarball URL
+ * @param {string} packageName - The package name
+ * @param {string} version - The package version
+ * @param {any} [context] - Optional context for URL rewriting
+ * @returns {string} Rewritten or original URL
+ */
+function rewriteTarballUrlIfNeeded(
+  _originalUrl: string,
+  packageName: string,
+  version: string,
+  context?: SlimManifestContext,
+): string {
+  try {
+    // Check if we should rewrite URLs for this upstream
+    const upstream = context?.upstream
+    const protocol = context?.protocol
+    const host = context?.host
+
+    if (upstream && protocol && host) {
+      // Rewrite to our local registry format for upstream packages
+      return `${protocol}://${host}/${upstream}/${packageName}/-/${generateTarballFilename(packageName, version)}`
+    }
+
+    // Default to local registry format using DOMAIN
+    return `${URL}/${createFile({ pkg: packageName, version })}`
+  } catch (_err) {
+    // Fallback to local registry format
+    return `${URL}/${createFile({ pkg: packageName, version })}`
+  }
+}
+
+/**
+ * Checks if a version satisfies a semver range
+ * @param {string} version - The version to check
+ * @param {string} range - The semver range
+ * @returns {boolean} True if version satisfies range
+ */
+export function satisfiesRange(
+  version: string,
+  range: string,
+): boolean {
+  try {
+    return semver.satisfies(version, range)
+  } catch (_error) {
+    return false
+  }
+}
+
+/**
+ * Sorts versions in descending order
+ * @param {string[]} versions - Array of version strings
+ * @returns {string[]} Sorted versions
+ */
+export function sortVersionsDescending(versions: string[]): string[] {
+  return versions.sort((a, b) => semver.rcompare(a, b))
+}
+
+/**
+ * Gets the latest version from an array of versions
+ * @param {string[]} versions - Array of version strings
+ * @returns {string | null} Latest version or null if none
+ */
+export function getLatestVersion(versions: string[]): string | null {
+  if (versions.length === 0) return null
+  const sorted = sortVersionsDescending(versions)
+  return sorted[0] || null
+}
+
+/**
+ * Validates a tarball buffer
+ * @param {Uint8Array} _tarballBuffer - The tarball buffer to validate
+ * @returns {boolean} True if valid tarball
+ */
+export function validateTarball(_tarballBuffer: Uint8Array): boolean {
+  // Basic validation - could be extended
+  return true
+}