pacote 11.1.13 → 11.1.14

package/lib/fetcher.js

@@ -75,7 +75,12 @@ class FetcherBase {
     this.type = this.constructor.name
     this.fmode = opts.fmode || 0o666
     this.dmode = opts.dmode || 0o777
-    this.umask = opts.umask || 0o022
+    // we don't need a default umask, because we don't chmod files coming
+    // out of package tarballs.  they're forced to have a mode that is
+    // valid, regardless of what's in the tarball entry, and then we let
+    // the process's umask setting do its job.  but if configured, we do
+    // respect it.
+    this.umask = opts.umask || 0
     this.log = opts.log || procLog
 
     this.preferOnline = !!opts.preferOnline
@@ -290,7 +295,7 @@ class FetcherBase {
     return cacache.rm.content(this.cache, this.integrity, this.opts)
   }
 
-  [_chown] (path, uid, gid) {
+  async [_chown] (path, uid, gid) {
     return selfOwner && (selfOwner.gid !== gid || selfOwner.uid !== uid)
       ? chownr(path, uid, gid)
       : /* istanbul ignore next - we don't test in root-owned folders */ null
@@ -388,13 +393,15 @@ class FetcherBase {
 
     // make sure package bins are executable
     const exe = isPackageBin(this.package, path) ? 0o111 : 0
-    return ((mode | m) & ~this.umask) | exe
+    // always ensure that files are read/writable by the owner
+    return ((mode | m) & ~this.umask) | exe | 0o600
   }
 
   [_tarxOptions] ({ cwd, uid, gid }) {
     const sawIgnores = new Set()
     return {
       cwd,
+      noChmod: true,
       filter: (name, entry) => {
         if (/Link$/.test(entry.type))
           return false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "11.1.13",
+  "version": "11.1.14",
   "description": "JavaScript package downloader",
   "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
   "bin": {
@@ -54,7 +54,7 @@
     "read-package-json-fast": "^1.1.3",
     "rimraf": "^3.0.2",
     "ssri": "^8.0.0",
-    "tar": "^6.0.1"
+    "tar": "^6.1.0"
   },
   "engines": {
     "node": ">=10"