libnpmexec 10.1.6 → 10.1.8

package/README.md

@@ -40,7 +40,7 @@ await libexec({
   - `runPath`: Location to where to execute the script **String**, defaults to `.`
   - `scriptShell`: Default shell to be used **String**, defaults to `sh` on POSIX systems, `process.env.ComSpec` OR `cmd` on Windows
   - `yes`: Should skip download confirmation prompt when fetching missing packages from the registry? **Boolean**
-  - `registry`, `cache`, and more options that are forwarded to [@npmcli/arborist](https://github.com/npm/arborist/) and [pacote](https://github.com/npm/pacote/#options) **Object**
+  - `registry`, `cache`, and more options that are forwarded to [@npmcli/arborist](https://github.com/npm/cli/blob/latest/workspaces/arborist/README.md) and [pacote](https://github.com/npm/pacote/#options) **Object**
 
 ## LICENSE
 

package/lib/get-bin-from-manifest.js

@@ -1,7 +1,7 @@
 const getBinFromManifest = (mani) => {
   // if we have a bin matching (unscoped portion of) packagename, use that
   // otherwise if there's 1 bin or all bin value is the same (alias), use
-  // that, otherwise fail
+  // that; otherwise, fail
   const bin = mani.bin || {}
   if (new Set(Object.values(bin)).size === 1) {
     return Object.keys(bin)[0]

package/lib/index.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { dirname, resolve } = require('node:path')
+const { dirname, join, resolve } = require('node:path')
 const crypto = require('node:crypto')
 const { mkdir } = require('node:fs/promises')
 const Arborist = require('@npmcli/arborist')
@@ -16,6 +16,7 @@ const getBinFromManifest = require('./get-bin-from-manifest.js')
 const noTTY = require('./no-tty.js')
 const runScript = require('./run-script.js')
 const isWindows = require('./is-windows.js')
+const withLock = require('./with-lock.js')
 
 const binPaths = []
 
@@ -247,7 +248,8 @@ const exec = async (opts) => {
       ...flatOptions,
       path: installDir,
     })
-    const npxTree = await npxArb.loadActual()
+    const lockPath = join(installDir, 'concurrency.lock')
+    const npxTree = await withLock(lockPath, () => npxArb.loadActual())
     await Promise.all(needInstall.map(async ({ spec }) => {
       const { manifest } = await missingFromTree({
         spec,
@@ -290,11 +292,11 @@ const exec = async (opts) => {
           }
         }
       }
-      await npxArb.reify({
+      await withLock(lockPath, () => npxArb.reify({
         ...flatOptions,
         save: true,
         add,
-      })
+      }))
     }
     binPaths.push(resolve(installDir, 'node_modules/.bin'))
     const pkgJson = await PackageJson.load(installDir)

package/lib/run-script.js

@@ -1,6 +1,6 @@
 const ciInfo = require('ci-info')
 const runScript = require('@npmcli/run-script')
-const readPackageJson = require('read-package-json-fast')
+const pkgJson = require('@npmcli/package-json')
 const { log, output } = require('proc-log')
 const noTTY = require('./no-tty.js')
 const isWindowsShell = require('./is-windows.js')
@@ -28,7 +28,10 @@ const run = async ({
 
   // do the fakey runScript dance
   // still should work if no package.json in cwd
-  const realPkg = await readPackageJson(`${path}/package.json`).catch(() => ({}))
+  const { content: realPkg } = await pkgJson.normalize(path, { steps: [
+    'binDir',
+    ...pkgJson.normalizeSteps,
+  ] }).catch(() => ({ content: {} }))
   const pkg = {
     ...realPkg,
     scripts: {

package/lib/with-lock.js

@@ -0,0 +1,175 @@
+const fs = require('node:fs/promises')
+const { rmdirSync } = require('node:fs')
+const promiseRetry = require('promise-retry')
+const { onExit } = require('signal-exit')
+
+// a lockfile implementation inspired by the unmaintained proper-lockfile library
+//
+// similarities:
+// - based on mkdir's atomicity
+// - works across processes and even machines (via NFS)
+// - cleans up after itself
+// - detects compromised locks
+//
+// differences:
+// - higher-level API (just a withLock function)
+// - written in async/await style
+// - uses mtime + inode for more reliable compromised lock detection
+// - more ergonomic compromised lock handling (i.e. withLock will reject, and callbacks have access to an AbortSignal)
+// - uses a more recent version of signal-exit
+
+const touchInterval = 1_000
+// mtime precision is platform dependent, so use a reasonably large threshold
+const staleThreshold = 5_000
+
+// track current locks and their cleanup functions
+const currentLocks = new Map()
+
+function cleanupLocks () {
+  for (const [, cleanup] of currentLocks) {
+    try {
+      cleanup()
+    } catch (err) {
+      //
+    }
+  }
+}
+
+// clean up any locks that were not released normally
+onExit(cleanupLocks)
+
+/**
+ * Acquire an advisory lock for the given path and hold it for the duration of the callback.
+ *
+ * The lock will be released automatically when the callback resolves or rejects.
+ * Concurrent calls to withLock() for the same path will wait until the lock is released.
+ */
+async function withLock (lockPath, cb) {
+  try {
+    const signal = await acquireLock(lockPath)
+    return await new Promise((resolve, reject) => {
+      signal.addEventListener('abort', () => {
+        reject(Object.assign(new Error('Lock compromised'), { code: 'ECOMPROMISED' }))
+      });
+
+      (async () => {
+        try {
+          resolve(await cb(signal))
+        } catch (err) {
+          reject(err)
+        }
+      })()
+    })
+  } finally {
+    releaseLock(lockPath)
+  }
+}
+
+function acquireLock (lockPath) {
+  return promiseRetry({
+    minTimeout: 100,
+    maxTimeout: 5_000,
+    // if another process legitimately holds the lock, wait for it to release; if it dies abnormally and the lock becomes stale, we'll acquire it automatically
+    forever: true,
+  }, async (retry) => {
+    try {
+      await fs.mkdir(lockPath)
+    } catch (err) {
+      if (err.code !== 'EEXIST' && err.code !== 'EBUSY' && err.code !== 'EPERM') {
+        throw err
+      }
+
+      const status = await getLockStatus(lockPath)
+
+      if (status === 'locked') {
+        // let's see if we can acquire it on the next attempt 🤞
+        return retry(err)
+      }
+      if (status === 'stale') {
+        try {
+          // there is a very tiny window where another process could also release the stale lock and acquire it before we release it here; the lock compromise checker should detect this and throw an error
+          deleteLock(lockPath)
+        } catch (e) {
+          // on windows, EBUSY/EPERM can happen if another process is (re)creating the lock; maybe we can acquire it on a subsequent attempt 🤞
+          if (e.code === 'EBUSY' || e.code === 'EPERM') {
+            return retry(e)
+          }
+          throw e
+        }
+      }
+      // immediately attempt to acquire the lock (no backoff)
+      return await acquireLock(lockPath)
+    }
+    try {
+      const signal = await maintainLock(lockPath)
+      return signal
+    } catch (err) {
+      throw Object.assign(new Error('Lock compromised'), { code: 'ECOMPROMISED' })
+    }
+  })
+}
+
+function deleteLock (lockPath) {
+  try {
+    // synchronous, so we can call in an exit handler
+    rmdirSync(lockPath)
+  } catch (err) {
+    if (err.code !== 'ENOENT') {
+      throw err
+    }
+  }
+}
+
+function releaseLock (lockPath) {
+  currentLocks.get(lockPath)?.()
+  currentLocks.delete(lockPath)
+}
+
+async function getLockStatus (lockPath) {
+  try {
+    const stat = await fs.stat(lockPath)
+    return (Date.now() - stat.mtimeMs > staleThreshold) ? 'stale' : 'locked'
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      return 'unlocked'
+    }
+    throw err
+  }
+}
+
+async function maintainLock (lockPath) {
+  const controller = new AbortController()
+  const stats = await fs.stat(lockPath)
+  // fs.utimes operates on floating points seconds (directly, or via strings/Date objects), which may not match the underlying filesystem's mtime precision, meaning that we might read a slightly different mtime than we write. always round to the nearest second, since all filesystems support at least second precision
+  let mtime = Math.round(stats.mtimeMs / 1000)
+  const signal = controller.signal
+
+  async function touchLock () {
+    try {
+      const currentStats = (await fs.stat(lockPath))
+      const currentMtime = Math.round(currentStats.mtimeMs / 1000)
+      if (currentStats.ino !== stats.ino || currentMtime !== mtime) {
+        throw new Error('Lock compromised')
+      }
+      mtime = Math.round(Date.now() / 1000)
+      // touch the lock, unless we just released it during this iteration
+      if (currentLocks.has(lockPath)) {
+        await fs.utimes(lockPath, mtime, mtime)
+      }
+    } catch (err) {
+      // stats mismatch or other fs error means the lock was compromised
+      controller.abort()
+    }
+  }
+
+  const timeout = setInterval(touchLock, touchInterval)
+  timeout.unref()
+  function cleanup () {
+    clearInterval(timeout)
+    deleteLock(lockPath)
+  }
+  currentLocks.set(lockPath, cleanup)
+  return signal
+}
+
+module.exports = withLock

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmexec",
-  "version": "10.1.6",
+  "version": "10.1.8",
   "files": [
     "bin/",
     "lib/"
@@ -52,7 +52,7 @@
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.1",
     "@npmcli/mock-registry": "^1.0.0",
-    "@npmcli/template-oss": "4.24.4",
+    "@npmcli/template-oss": "4.25.1",
     "bin-links": "^5.0.0",
     "chalk": "^5.2.0",
     "just-extend": "^6.2.0",
@@ -60,21 +60,22 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.1.4",
-    "@npmcli/package-json": "^6.1.1",
-    "@npmcli/run-script": "^9.0.1",
+    "@npmcli/arborist": "^9.1.6",
+    "@npmcli/package-json": "^7.0.0",
+    "@npmcli/run-script": "^10.0.0",
     "ci-info": "^4.0.0",
-    "npm-package-arg": "^12.0.0",
-    "pacote": "^21.0.0",
+    "npm-package-arg": "^13.0.0",
+    "pacote": "^21.0.2",
     "proc-log": "^5.0.0",
+    "promise-retry": "^2.0.1",
     "read": "^4.0.0",
-    "read-package-json-fast": "^4.0.0",
     "semver": "^7.3.7",
+    "signal-exit": "^4.1.0",
     "walk-up-path": "^4.0.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.24.4",
+    "version": "4.25.1",
     "content": "../../scripts/template-oss/index.js"
   }
 }