pacote 11.1.12 → 11.2.1

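--- a/package/README.md
+++ b/package/README.md
@@ -162,6 +162,11 @@ resolved, and other properties, as they are determined.
  including information not strictly required for installation (author,
  description, etc.) Defaults to `true` when `before` is set, since the
  version publish time is part of the extended packument metadata.
+ * `packumentCache` For registry packuments only, you may provide a `Map`
+ object which will be used to cache packument requests between pacote
+ calls. This allows you to easily avoid hitting the registry multiple
+ times (even just to validate the cache) for a given packument, since it
+ is unlikely to change in the span of a single command.
 
  ## Extracted File Modes
 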
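--- a/package/lib/fetcher.js
+++ b/package/lib/fetcher.js
@@ -60,6 +60,7 @@ class FetcherBase {
  // clone the opts object so that others aren't upset when we mutate it
  // by adding/modifying the integrity value.
  this.opts = {...opts}
+
  this.cache = opts.cache || cacheDir()
  this.resolved = opts.resolved || null
 
@@ -75,7 +76,12 @@ class FetcherBase {
  this.type = this.constructor.name
  this.fmode = opts.fmode || 0o666
  this.dmode = opts.dmode || 0o777
- this.umask = opts.umask || 0o022
+ // we don't need a default umask, because we don't chmod files coming
+ // out of package tarballs. they're forced to have a mode that is
+ // valid, regardless of what's in the tarball entry, and then we let
+ // the process's umask setting do its job. but if configured, we do
+ // respect it.
+ this.umask = opts.umask || 0
  this.log = opts.log || procLog
 
  this.preferOnline = !!opts.preferOnline
@@ -91,18 +97,11 @@ class FetcherBase {
 
  // command to run 'prepare' scripts on directories and git dirs
  // To use pacote with yarn, for example, set npmBin to 'yarn'
- // and npmInstallCmd to ['add'], and npmCliConfig with yarn's equivalents.
+ // and npmCliConfig with yarn's equivalents.
  this.npmBin = opts.npmBin || 'npm'
 
  // command to install deps for preparing
- this.npmInstallCmd = opts.npmInstallCmd || [
- 'install',
- '--only=dev',
- '--prod',
- '--ignore-prepublish',
- '--no-progress',
- '--no-save',
- ]
+ this.npmInstallCmd = opts.npmInstallCmd || [ 'install' ]
 
  // XXX fill more of this in based on what we know from this.opts
  // we explicitly DO NOT fill in --tag, though, since we are often
@@ -113,7 +112,10 @@ class FetcherBase {
  `--prefer-offline=${!!this.preferOffline}`,
  `--prefer-online=${!!this.preferOnline}`,
  `--offline=${!!this.offline}`,
- `--before=${this.before ? this.before.toISOString() : ''}`,
+ ...(this.before ? [`--before=${this.before.toISOString()}`] : []),
+ '--no-progress',
+ '--no-save',
+ '--no-audit',
  ]
  }
 
@@ -294,7 +296,7 @@ class FetcherBase {
  return cacache.rm.content(this.cache, this.integrity, this.opts)
  }
 
- [_chown] (path, uid, gid) {
+ async [_chown] (path, uid, gid) {
  return selfOwner && (selfOwner.gid !== gid || selfOwner.uid !== uid)
  ? chownr(path, uid, gid)
  : /* istanbul ignore next - we don't test in root-owned folders */ null
@@ -392,13 +394,15 @@ class FetcherBase {
 
  // make sure package bins are executable
  const exe = isPackageBin(this.package, path) ? 0o111 : 0
- return ((mode | m) & ~this.umask) | exe
+ // always ensure that files are read/writable by the owner
+ return ((mode | m) & ~this.umask) | exe | 0o600
  }
 
  [_tarxOptions] ({ cwd, uid, gid }) {
  const sawIgnores = new Set()
  return {
  cwd,
+ noChmod: true,
  filter: (name, entry) => {
  if (/Link$/.test(entry.type))
  return false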
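Review bot: In `[_tarxOptions]` and the mode helper just above it, the permissions of extracted entries now depend on the process umask alone: the default `this.umask` becomes `0`, `noChmod: true` is passed to tar, and the computed mode still starts from `fmode` 0o666 / `dmode` 0o777. If the embedding process runs with a permissive umask, group- and world-writable package files would presumably be the result, and nothing in these hunks documents that dependency for embedders. I would add a comment next to the option, `// noChmod: the process umask is the only thing narrowing fmode/dmode here; do not run extraction with umask 0`, and state the same in the README's "Extracted File Modes" section. The `| exe | 0o600` terms are applied after the `~this.umask` mask, so a configured `umask` cannot clear those bits; the new comment should say that this is intended. Both functions begin or end outside the visible hunk.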
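--- a/package/lib/registry.js
+++ b/package/lib/registry.js
@@ -20,6 +20,14 @@ class RegistryFetcher extends Fetcher {
  constructor (spec, opts) {
  super(spec, opts)
 
+ // you usually don't want to fetch the same packument multiple times in
+ // the span of a given script or command, no matter how many pacote calls
+ // are made, so this lets us avoid doing that. It's only relevant for
+ // registry fetchers, because other types simulate their packument from
+ // the manifest, which they memoize on this.package, so it's very cheap
+ // already.
+ this.packumentCache = this.opts.packumentCache || null
+
  // handle case when npm-package-arg guesses wrong.
  if (this.spec.type === 'tag' &&
  this.spec.rawSpec === '' &&
@@ -64,11 +72,17 @@ class RegistryFetcher extends Fetcher {
  }
  }
 
- packument () {
+ async packument () {
+ // note this might be either an in-flight promise for a request,
+ // or the actual packument, but we never want to make more than
+ // one request at a time for the same thing regardless.
+ if (this.packumentCache && this.packumentCache.has(this.packumentUrl))
+ return this.packumentCache.get(this.packumentUrl)
+
  // npm-registry-fetch the packument
  // set the appropriate header for corgis if fullMetadata isn't set
  // return the res.json() promise
- return fetch(this.packumentUrl, {
+ const p = fetch(this.packumentUrl, {
  ...this.opts,
  headers: this[_headers](),
  spec: this.spec,
@@ -77,8 +91,12 @@ class RegistryFetcher extends Fetcher {
  }).then(res => res.json().then(packument => {
  packument._cached = res.headers.has('x-local-cache')
  packument._contentLength = +res.headers.get('content-length')
+ if (this.packumentCache)
+ this.packumentCache.set(this.packumentUrl, packument)
  return packument
  })).catch(er => {
+ if (this.packumentCache)
+ this.packumentCache.delete(this.packumentUrl)
  if (er.code === 'E404' && !this.fullMetadata) {
  // possible that corgis are not supported by this registry
  this.fullMetadata = true
@@ -86,6 +104,9 @@ class RegistryFetcher extends Fetcher {
  }
  throw er
  })
+ if (this.packumentCache)
+ this.packumentCache.set(this.packumentUrl, p)
+ return p
  }
 
  manifest () {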
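Review bot: The cache in `packument()` is keyed on `this.packumentUrl` alone, although the document fetched for that URL differs with `this.fullMetadata` (the comment above the fetch says the corgi header is set when it is off). With one `Map` shared across calls, a fetcher that needs full metadata (the README says `before` relies on the publish time in the extended packument) could be handed an abbreviated document cached by an earlier call, or the reverse. I would key on both values, computed on each call because the E404 fallback flips `this.fullMetadata`: `const key = (this.fullMetadata ? 'full:' : 'corgi:') + this.packumentUrl`, and pass `key` to the `has`/`get`/`set`/`delete` calls. The cached packument object is also handed out by reference to every caller, so a comment telling consumers not to mutate it would help. Part of the body of `packument()` lies outside the visible hunks.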
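--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "pacote",
- "version": "11.1.12",
+ "version": "11.2.1",
  "description": "JavaScript package downloader",
  "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
  "bin": {
@@ -13,7 +13,7 @@
  "snap": "tap",
  "preversion": "npm test",
  "postversion": "npm publish",
- "postpublish": "git push origin --follow-tags"
+ "prepublishOnly": "git push origin --follow-tags"
  },
  "tap": {
  "timeout": 300,
@@ -47,14 +47,14 @@
  "minipass": "^3.1.3",
  "mkdirp": "^1.0.3",
  "npm-package-arg": "^8.0.1",
- "npm-packlist": "^2.1.0",
+ "npm-packlist": "^2.1.4",
  "npm-pick-manifest": "^6.0.0",
  "npm-registry-fetch": "^9.0.0",
  "promise-retry": "^1.1.1",
  "read-package-json-fast": "^1.1.3",
  "rimraf": "^3.0.2",
  "ssri": "^8.0.0",
- "tar": "^6.0.1"
+ "tar": "^6.1.0"
  },
  "engines": {
  "node": ">=10"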