jpm-pkg 1.0.3

package/src/commands/update.js

@@ -0,0 +1,63 @@
+'use strict';
+
+const PackageJSON = require('../core/package-json');
+const registry = require('../core/registry');
+const semver = require('../utils/semver');
+const { Spinner } = require('../utils/progress');
+const logger = require('../utils/logger');
+
+/** jpm update [pkg] | jpm outdated */
+module.exports = async function update(args, flags, command) {
+    const cwd = process.cwd();
+    const pkgJson = PackageJSON.fromDir(cwd);
+    const allDeps = pkgJson.allDeps();
+
+    const targets = args.length
+        ? args.reduce((acc, n) => { if (allDeps[n]) acc[n] = allDeps[n]; return acc; }, {})
+        : allDeps;
+
+    const spinner = new Spinner(`Checking ${Object.keys(targets).length} packages for updates...`).start();
+    const rows = [];
+
+    await Promise.all(
+        Object.entries(targets).map(async ([name, range]) => {
+            try {
+                const versions = await registry.getVersions(name);
+                const latest = await registry.getLatest(name);
+                const current = semver.maxSatisfying(versions, range);
+                const wanted = semver.maxSatisfying(versions, range);
+                const isOutdated = latest && current && semver.gt(latest, current);
+
+                rows.push({
+                    Package: name,
+                    Current: current || 'n/a',
+                    Wanted: wanted || 'n/a',
+                    Latest: latest || 'n/a',
+                    Status: isOutdated
+                        ? logger.c.yellow('outdated')
+                        : logger.c.green('up to date'),
+                });
+            } catch {
+                rows.push({ Package: name, Current: '?', Wanted: '?', Latest: '?', Status: logger.c.red('error') });
+            }
+        })
+    );
+
+    spinner.succeed('Done');
+
+    if (command === 'outdated') {
+        const outdated = rows.filter(r => r.Status.includes('outdated'));
+        if (!outdated.length) { logger.success('All packages are up to date!'); return; }
+        logger.table(outdated, ['Package', 'Current', 'Wanted', 'Latest', 'Status']);
+        return;
+    }
+
+    // Actually update
+    const outdatedPkgs = rows.filter(r => r.Status.includes('outdated'));
+    if (!outdatedPkgs.length) { logger.success('All packages are up to date!'); return; }
+
+    logger.info(`Updating ${outdatedPkgs.length} package(s)...`);
+    const installCmd = require('./install');
+    const pkgArgs = outdatedPkgs.map(p => `${p.Package}@${p.Latest}`);
+    await installCmd(pkgArgs, flags);
+};

package/src/commands/x.js

@@ -0,0 +1,136 @@
+'use strict';
+
+const path = require('node:path');
+const { spawnSync } = require('node:child_process');
+const Resolver = require('../core/resolver');
+const Installer = require('../core/installer');
+const { tempDir, rimraf } = require('../utils/fs');
+const { Spinner } = require('../utils/progress');
+const config = require('../utils/config');
+const logger = require('../utils/logger');
+
+/**
+ * jpm x <package>[@version] [args...]
+ * 
+ * Equivalent to npx. Resolves, installs to a temp dir, and executes.
+ */
+module.exports = async function xCommand(args, flags) {
+    if (!args.length) {
+        logger.error('No package specified to execute.');
+        logger.info('Usage: jpm x <package>[@version] [args...]');
+        process.exit(1);
+    }
+
+    const pkgArg = args[0];
+    const execArgs = args.slice(1);
+
+    const lastAt = pkgArg.lastIndexOf('@');
+    // Handle scoped packages correctly: @scope/pkg@version
+    const hasVersion = lastAt > 0 && !pkgArg.startsWith('@') || (pkgArg.startsWith('@') && pkgArg.split('@').length > 2);
+
+    let name, range;
+    if (pkgArg.startsWith('@')) {
+        const parts = pkgArg.split('@');
+        name = '@' + parts[1];
+        range = parts[2] || 'latest';
+    } else {
+        name = hasVersion ? pkgArg.slice(0, lastAt) : pkgArg;
+        range = hasVersion ? pkgArg.slice(lastAt + 1) : 'latest';
+    }
+
+    const resolveSpinner = new Spinner(`Resolving ${name}@${range}...`).start();
+
+    try {
+        // 1. Resolve
+        const resolver = new Resolver();
+        const resolvedMap = await resolver.resolve({ [name]: range }, {}, {}, (count) => {
+            resolveSpinner.text = `Resolving... (${count} resolved)`;
+        });
+        resolveSpinner.succeed(`Resolved ${resolvedMap.size} packages`);
+
+        // 2. Install to temp
+        const tmp = tempDir('jpm-x-');
+        const installer = new Installer(tmp);
+
+        logger.info(`Installing to temporary directory...`);
+        await installer.installAll(resolvedMap, { flags });
+
+        // 3. Find the binary
+        const resolvedPkg = [...resolvedMap.values()].find(m => m.name === name);
+        if (!resolvedPkg) throw new Error(`Failed to find resolved metadata for ${name}`);
+
+        const bins = resolvedPkg.bin;
+        let binName;
+
+        if (typeof bins === 'string') {
+            binName = name.split('/').pop();
+        } else if (typeof bins === 'object' && bins !== null) {
+            const entries = Object.keys(bins);
+            if (entries.length === 0) throw new Error(`Package ${name} has no binaries.`);
+            binName = entries.find(k => k === name || k === name.split('/').pop()) || entries[0];
+        } else {
+            throw new Error(`Package ${name} does not define any binaries in package.json`);
+        }
+
+        const binPath = path.join(tmp, 'node_modules', '.bin', binName + (process.platform === 'win32' ? '.cmd' : ''));
+
+        // If the .cmd doesn't exist, try the raw JS file with node
+        let finalBin = binPath;
+        let finalArgs = execArgs;
+        let useNode = false;
+
+        const fs = require('node:fs');
+        if (!fs.existsSync(binPath)) {
+            // Fallback to finding the JS file
+            const relPath = typeof bins === 'string' ? bins : bins[binName];
+            finalBin = path.join(tmp, 'node_modules', name, relPath);
+            useNode = true;
+        }
+
+        logger.info(`Executing ${binName}...\n`);
+
+        const spawnCmd = useNode ? process.execPath : finalBin;
+        const spawnArgs = useNode ? [finalBin, ...execArgs] : execArgs;
+
+        const env = {
+            ...process.env,
+            PATH: `${path.join(tmp, 'node_modules', '.bin')}${process.platform === 'win32' ? ';' : ':'}${process.env.PATH}`,
+        };
+
+        // On Windows, when shell: true is used, we need to be very careful with quoting
+        // if the path to node or the binary contains spaces (like C:\Program Files\...)
+        const isWin = process.platform === 'win32';
+
+        let result;
+        if (isWin && useNode) {
+            // Special handling for Windows + Node to avoid quoting hell with shell: true
+            result = spawnSync(`"${process.execPath}"`, [`"${finalBin}"`, ...execArgs.map(a => `"${a}"`)], {
+                cwd: process.cwd(),
+                stdio: 'inherit',
+                env,
+                shell: true,
+                windowsVerbatimArguments: true
+            });
+        } else {
+            result = spawnSync(useNode ? process.execPath : finalBin, useNode ? [finalBin, ...execArgs] : execArgs, {
+                cwd: process.cwd(),
+                stdio: 'inherit',
+                env,
+                shell: true
+            });
+        }
+
+        if (result.error) throw result.error;
+
+        // Cleanup on success if not in debug
+        if (result.status === 0 && config.loglevel !== 'debug') {
+            rimraf(tmp);
+        }
+
+        process.exit(result.status ?? 0);
+
+    } catch (err) {
+        resolveSpinner.fail(`Error: ${err.message}`);
+        process.exit(1);
+    }
+};

package/src/core/cache.js

@@ -0,0 +1,117 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const crypto = require('node:crypto');
+const config = require('../utils/config');
+const { mkdirp, rimraf } = require('../utils/fs');
+const logger = require('../utils/logger');
+
+/**
+ * Disk cache at ~/.jpm/cache/<name>/<version>.tgz
+ * Also stores metadata JSON alongside: <name>/<version>.json
+ */
+
+function cacheRoot() {
+    return config.cacheDir;
+}
+
+function tgzPath(name, version) {
+    const safeName = name.replace('/', '__SCOPE__');
+    return path.join(cacheRoot(), safeName, `${version}.tgz`);
+}
+
+function metaPath(name, version) {
+    const safeName = name.replace('/', '__SCOPE__');
+    return path.join(cacheRoot(), safeName, `${version}.json`);
+}
+
+async function get(name, version) {
+    const p = tgzPath(name, version);
+    if (fs.existsSync(p)) {
+        logger.verbose(`cache hit ${name}@${version}`);
+        return p;
+    }
+    return null;
+}
+
+async function set(name, version, srcTgz) {
+    const dest = tgzPath(name, version);
+    mkdirp(path.dirname(dest));
+    fs.copyFileSync(srcTgz, dest);
+    logger.verbose(`cache store ${name}@${version}`);
+}
+
+async function setMeta(name, version, meta) {
+    const p = metaPath(name, version);
+    mkdirp(path.dirname(p));
+    fs.writeFileSync(p, JSON.stringify(meta, null, 2), 'utf8');
+}
+
+async function getMeta(name, version) {
+    const p = metaPath(name, version);
+    try { return JSON.parse(fs.readFileSync(p, 'utf8')); }
+    catch { return null; }
+}
+
+function has(name, version) {
+    return fs.existsSync(tgzPath(name, version));
+}
+
+function clear(name, version) {
+    if (name && version) {
+        rimraf(tgzPath(name, version));
+        rimraf(metaPath(name, version));
+    } else if (name) {
+        const safeName = name.replace('/', '__SCOPE__');
+        rimraf(path.join(cacheRoot(), safeName));
+    } else {
+        // Clear entire cache
+        rimraf(cacheRoot());
+        logger.success('Cache cleared');
+    }
+}
+
+function stats() {
+    const root = cacheRoot();
+    if (!fs.existsSync(root)) return { packages: 0, size: 0 };
+
+    let packages = 0;
+    let size = 0;
+
+    function walk(dir) {
+        for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+            const full = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                walk(full);
+            } else {
+                const s = fs.statSync(full);
+                size += s.size;
+                if (entry.name.endsWith('.tgz')) packages++;
+            }
+        }
+    }
+
+    try { walk(root); } catch { }
+    return { packages, size, root };
+}
+
+function list() {
+    const root = cacheRoot();
+    if (!fs.existsSync(root)) return [];
+    const result = [];
+    for (const scopeOrName of fs.readdirSync(root)) {
+        const dir = path.join(root, scopeOrName);
+        if (!fs.statSync(dir).isDirectory()) continue;
+        for (const file of fs.readdirSync(dir)) {
+            if (file.endsWith('.tgz')) {
+                const version = file.replace('.tgz', '');
+                const name = scopeOrName.replace('__SCOPE__', '/');
+                result.push({ name, version });
+            }
+        }
+    }
+    return result;
+}
+
+module.exports = { get, set, getMeta, setMeta, has, clear, stats, list };

package/src/core/installer.js

@@ -0,0 +1,316 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const crypto = require('node:crypto');
+const tar = require('tar');
+const registry = require('./registry');
+const cache = require('./cache');
+const { mkdirp, rimraf, tempDir, symlink } = require('../utils/fs');
+const { MultiBar, Spinner } = require('../utils/progress');
+const logger = require('../utils/logger');
+
+const SUSPICIOUS_PATTERNS = [
+    /curl\s+.*?http/i,
+    /wget\s+.*?http/i,
+    /rm\s+-rf\s+\//,
+    /sh\s+-c\s+.*?http/i,
+    /python.*?import\s+socket/i,
+];
+
+const integrity = require('../security/integrity');
+
+const CONCURRENCY = 6;
+
+/**
+ * Handles the actual filesystem installation of resolved packages.
+ */
+class Installer {
+    /**
+     * Creates an instance of the Installer.
+     * 
+     * @param {string} projectRoot - The absolute path to the project root directory
+     */
+    constructor(projectRoot) {
+        this.projectRoot = projectRoot;
+        this.nodeModules = path.join(projectRoot, 'node_modules');
+        this._multibar = new MultiBar();
+        this._flags = {};
+    }
+
+    /**
+     * Installs all packages specified in a resolved dependency map.
+     * 
+     * @param {Map<string, object>} resolvedMap - The output of Resolver.resolve()
+     * @param {object} [options={}] - Installation options
+     * @param {boolean} [options.dev=false] - Whether to include devDependencies
+     * @param {boolean} [options.production=false] - Whether to skip devDependencies
+     * @param {boolean} [options.dryRun=false] - If true, only print what would be installed
+     * @param {object} [options.flags={}] - CLI flags
+     * @returns {Promise<void>}
+     */
+    async installAll(resolvedMap, options = {}) {
+        this._flags = options.flags || {};
+        if (options.dryRun) {
+            logger.info('[dry-run] Would install:');
+            for (const [key] of resolvedMap) logger.log(`  + ${key}`);
+            return;
+        }
+
+        mkdirp(this.nodeModules);
+
+        const packages = [...resolvedMap.values()];
+        this._installedInRun = []; // Track for rollback
+
+        try {
+            if (this._flags.fast) {
+                logger.warn('BLIND INSTALL: Skipping all extraction and integrity checks.');
+                await this._linkBins(packages);
+                return;
+            }
+
+            await this._installBatch(packages);
+            await this._linkBins(packages);
+        } catch (err) {
+            logger.error('Installation failed. Rolling back partial changes...');
+            for (const name of this._installedInRun) {
+                await this.uninstall(name);
+            }
+            throw err;
+        }
+
+        this._multibar.stop();
+    }
+
+    /**
+     * Installs packages in parallel batches to optimize network and disk I/O.
+     * 
+     * @param {Object[]} packages - Array of package metadata objects to install
+     * @protected
+     */
+    async _installBatch(packages) {
+        const queue = [...packages];
+        const workers = Array(Math.min(CONCURRENCY, queue.length)).fill(null).map(async () => {
+            while (queue.length > 0) {
+                const p = queue.shift();
+                if (p) await this._installOne(p);
+            }
+        });
+        await Promise.all(workers);
+    }
+
+    /**
+     * Installs a single package into the node_modules directory.
+     * Handles caching, downloading, integrity verification, and extraction.
+     * 
+     * @param {Object} meta - The resolved metadata for the package
+     * @protected
+     */
+    async _installOne(meta) {
+        const { name, version, resolved, integrity: integrityHash, shasum } = meta;
+        const installName = meta.alias || name;
+        const destDir = this._destDir(installName);
+
+        // Check if already installed (Incremental Install)
+        if (this._isInstalled(installName, version)) {
+            logger.verbose(`skip ${installName}@${version} (already installed)`);
+            return;
+        }
+
+        // Check local cache for the tarball
+        const cached = await cache.get(name, version);
+        if (cached) {
+            logger.verbose(`cache hit ${installName}@${version}`);
+            await this._extract(cached, destDir, installName, version);
+            return;
+        }
+
+        if (!resolved) {
+            logger.warn(`No tarball URL for ${installName}@${version}, skipping.`);
+            return;
+        }
+
+        // Download to a temporary location
+        const tmp = tempDir('jpm-dl-');
+        const tgz = path.join(tmp, `${installName.replace('/', '-')}-${version}.tgz`);
+        const dest = fs.createWriteStream(tgz);
+
+        const barKey = `${installName}@${version}`;
+        this._multibar.add(barKey, 100);
+
+        try {
+            await registry.downloadTarball(resolved, dest, (received, total) => {
+                if (total) this._multibar.update(barKey, Math.round((received / total) * 100));
+            });
+            this._multibar.update(barKey, 100);
+            this._multibar.remove(barKey);
+        } catch (err) {
+            this._multibar.remove(barKey);
+            rimraf(tmp);
+            throw new Error(`Failed to download ${installName}@${version}: ${err.message}`);
+        }
+
+        // Verify cryptographic integrity
+        const ok = await integrity.verify(tgz, integrityHash, shasum);
+        if (!ok) {
+            rimraf(tmp);
+            throw new Error(`Integrity check failed for ${installName}@${version}`);
+        }
+
+        // Update local cache
+        await cache.set(name, version, tgz);
+
+        // Extract contents to node_modules
+        this._checkScripts(installName, version, meta);
+        await this._extract(tgz, destDir, installName, version);
+        rimraf(tmp);
+
+        this._installedInRun.push(installName);
+        logger.verbose(`installed ${installName}@${version}`);
+    }
+
+    /**
+     * Extracts a tarball to the destination directory.
+     * 
+     * @param {string} tgzPath - Path to the tarball file
+     * @param {string} destDir - Target directory for extraction
+     * @param {string} name - Package name for logging
+     * @param {string} version - Package version for logging
+     * @protected
+     */
+    async _extract(tgzPath, destDir, name, version) {
+        rimraf(destDir);
+        mkdirp(destDir);
+
+        const absoluteDest = path.resolve(destDir);
+
+        await tar.extract({
+            file: tgzPath,
+            cwd: destDir,
+            strip: 1,
+            filter: (p, stat) => {
+                const fullPath = path.resolve(destDir, p);
+                if (!fullPath.startsWith(absoluteDest)) {
+                    logger.error(`Zip Slip security violation blocked: ${p} in ${name}@${version}`);
+                    return false;
+                }
+                return true;
+            }
+        });
+    }
+
+    /**
+     * Resolves the absolute path for a package in node_modules, handling scopes.
+     * 
+     * @param {string} name - The package name
+     * @returns {string} Absolute path to the package directory
+     * @protected
+     */
+    _destDir(name) {
+        if (name.startsWith('@')) {
+            const [scope, pkg] = name.split('/');
+            return path.join(this.nodeModules, scope, pkg);
+        }
+        return path.join(this.nodeModules, name);
+    }
+
+    /**
+     * Scans package scripts for known malicious or suspicious execution patterns.
+     * 
+     * @param {string} name - Package name
+     * @param {string} version - Package version
+     * @param {Object} meta - Package metadata containing scripts
+     * @returns {boolean} True if suspicious patterns were detected
+     * @protected
+     */
+    _checkScripts(name, version, meta) {
+        const scripts = meta.scripts || {};
+        for (const [id, cmd] of Object.entries(scripts)) {
+            if (['preinstall', 'postinstall', 'install'].includes(id)) {
+                for (const pattern of SUSPICIOUS_PATTERNS) {
+                    if (pattern.test(cmd)) {
+                        logger.warn(`SUSPICIOUS SCRIPT detected in ${name}@${version}: "${id}": "${cmd}"`);
+                        logger.warn('Exercise caution when installing this package.');
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Verifies if a specific version of a package is already present in node_modules.
+     * 
+     * @param {string} name - Package name
+     * @param {string} version - Package version to verify
+     * @returns {boolean} True if the exact version is installed
+     * @protected
+     */
+    _isInstalled(name, version) {
+        const pkgJson = path.join(this._destDir(name), 'package.json');
+        if (!fs.existsSync(pkgJson)) return false;
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgJson, 'utf8'));
+            return pkg.version === version;
+        } catch { return false; }
+    }
+
+    /**
+     * Creates symbolic links for binary executables defined in package metadata.
+     * 
+     * @param {Object[]} packages - Array of resolved package metadata
+     * @protected
+     */
+    async _linkBins(packages) {
+        const binDir = path.join(this.nodeModules, '.bin');
+        mkdirp(binDir);
+
+        for (const meta of packages) {
+            const { name, bin } = meta;
+            const installName = meta.alias || name;
+            if (!bin || typeof bin !== 'object') continue;
+            for (const [binName, binPath] of Object.entries(bin)) {
+                const src = path.join(this._destDir(installName), binPath);
+                const dest = path.join(binDir, binName);
+
+                // Security: Ensure binary source is within the package directory
+                const resolvedSrc = path.resolve(src);
+                const packageDir = path.resolve(this._destDir(installName));
+                if (!resolvedSrc.startsWith(packageDir)) {
+                    logger.warn(`Insecure binary path blocked for ${installName}: ${binPath}`);
+                    continue;
+                }
+
+                try {
+                    symlink(src, dest);
+                    fs.chmodSync(src, 0o755);
+                } catch { }
+            }
+        }
+    }
+
+    /**
+     * Remove a single package from node_modules
+     */
+    async uninstall(name) {
+        const destDir = this._destDir(name);
+        if (!fs.existsSync(destDir)) return false;
+        rimraf(destDir);
+
+        // Remove bin links
+        const binDir = path.join(this.nodeModules, '.bin');
+        if (fs.existsSync(binDir)) {
+            for (const entry of fs.readdirSync(binDir)) {
+                const linkPath = path.join(binDir, entry);
+                try {
+                    const target = fs.readlinkSync(linkPath);
+                    if (target.includes(path.sep + name + path.sep)) fs.unlinkSync(linkPath);
+                } catch { }
+            }
+        }
+        return true;
+    }
+}
+
+module.exports = Installer;