pacote 11.2.2 → 11.2.6
- package/lib/fetcher.js +2 -2
- package/lib/git.js +47 -13
- package/lib/util/cache-dir.js +2 -2
- package/lib/util/npm.js +8 -2
- package/package.json +7 -7
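--- a/package/lib/fetcher.js
+++ b/package/lib/fetcher.js
@@ -103,14 +103,14 @@ class FetcherBase {
 this.npmBin = opts.npmBin || 'npm'
 
 // command to install deps for preparing
-this.npmInstallCmd = opts.npmInstallCmd || [ 'install' ]
+this.npmInstallCmd = opts.npmInstallCmd || [ 'install', '--force' ]
 
 // XXX fill more of this in based on what we know from this.opts
 // we explicitly DO NOT fill in --tag, though, since we are often
 // going to be packing in the context of a publish, which may set
 // a dist-tag, but certainly wants to keep defaulting to latest.
 this.npmCliConfig = opts.npmCliConfig || [
-`--cache=${this.cache}`,
+`--cache=${dirname(this.cache)}`,
 `--prefer-offline=${!!this.preferOffline}`,
 `--prefer-online=${!!this.preferOnline}`,
 `--offline=${!!this.offline}`,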
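Review bot: The new default `[ 'install', '--force' ]` switches on npm's `force` option for every nested install that prepares a git dependency, while the comment above it still only says `// command to install deps for preparing`. npm documents `force` as removing a number of its protections, so the reason it is needed should sit next to the default, for example `// --force: <reason it is required for git dep preparation>`, so a later reader can judge whether it is still required. Separately, `--cache=${dirname(this.cache)}` matches the old value only when `this.cache` ends in a `_cacache` leaf, as the new cache-dir.js default does; if a caller-supplied cache path is accepted (the assignment is outside this hunk), the child npm would presumably work in a different directory than pacote does. The constructor body starts and ends outside the hunk.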
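--- a/package/lib/git.js
+++ b/package/lib/git.js
@@ -24,13 +24,16 @@ const _cloneRepo = Symbol('_cloneRepo')
 const _setResolvedWithSha = Symbol('_setResolvedWithSha')
 const _prepareDir = Symbol('_prepareDir')
 
-// get the repository url.
+// get the repository url.
+// prefer https if there's auth, since ssh will drop that.
+// otherwise, prefer ssh if available (more secure).
 // We have to add the git+ back because npa suppresses it.
-const repoUrl = (
-
-
+const repoUrl = (h, opts) =>
+h.sshurl && !(h.https && h.auth) && addGitPlus(h.sshurl(opts)) ||
+h.https && addGitPlus(h.https(opts))
 
-
+// add git+ to the url, but only one time.
+const addGitPlus = url => url && `git+${url}`.replace(/^(git\+)+/, 'git+')
 
 class GitFetcher extends Fetcher {
 constructor (spec, opts) {
@@ -51,6 +54,11 @@ class GitFetcher extends Fetcher {
 this.resolvedSha = ''
 }
 
+// just exposed to make it easier to test all the combinations
+static repoUrl (hosted, opts) {
+return repoUrl(hosted, opts)
+}
+
 get types () {
 return ['git']
 }
@@ -69,13 +77,16 @@ class GitFetcher extends Fetcher {
 }
 
 // first try https, since that's faster and passphrase-less for
-// public repos
-//
+// public repos, and supports private repos when auth is provided.
+// Fall back to SSH to support private repos
+// NB: we always store the https url in resolved field if auth
+// is present, otherwise ssh if the hosted type provides it
 [_resolvedFromHosted] (hosted) {
 return this[_resolvedFromRepo](hosted.https && hosted.https())
 .catch(er => {
 const ssh = hosted.sshurl && hosted.sshurl()
-if
+// no fallthrough if we can't fall through or have https auth
+if (!ssh || hosted.auth)
 throw er
 return this[_resolvedFromRepo](ssh)
 })
@@ -121,9 +132,11 @@ class GitFetcher extends Fetcher {
 // either a git url with a hash, or a tarball download URL
 [_addGitSha] (sha) {
 if (this.spec.hosted) {
-this
-
-)
+const h = this.spec.hosted
+const opt = { noCommittish: true }
+const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt)
+
+this[_setResolvedWithSha](`${base}#${sha}`)
 } else {
 const u = url.format(new url.URL(`#${sha}`, this.spec.rawSpec))
 this[_setResolvedWithSha](url.format(u))
@@ -148,12 +161,28 @@ class GitFetcher extends Fetcher {
 scripts.prepare))
 return
 
+// to avoid cases where we have an cycle of git deps that depend
+// on one another, we only ever do preparation for one instance
+// of a given git dep along the chain of installations.
+// Note that this does mean that a dependency MAY in theory end up
+// trying to run its prepare script using a dependency that has not
+// been properly prepared itself, but that edge case is smaller
+// and less hazardous than a fork bomb of npm and git commands.
+const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? []
+: process.env._PACOTE_NO_PREPARE_.split('\n')
+if (noPrepare.includes(this.resolved)) {
+this.log.info('prepare', 'skip prepare, already seen', this.resolved)
+return
+}
+noPrepare.push(this.resolved)
+
 // the DirFetcher will do its own preparation to run the prepare scripts
 // All we have to do is put the deps in place so that it can succeed.
 return npm(
 this.npmBin,
 [].concat(this.npmInstallCmd).concat(this.npmCliConfig),
 dir,
+{ ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') },
 { message: 'git dep preparation failed' }
 )
 })
@@ -232,14 +261,19 @@ class GitFetcher extends Fetcher {
 })
 }
 
+// first try https, since that's faster and passphrase-less for
+// public repos, and supports private repos when auth is provided.
+// Fall back to SSH to support private repos
+// NB: we always store the https url in resolved field if auth
+// is present, otherwise ssh if the hosted type provides it
 [_cloneHosted] (ref, tmp) {
 const hosted = this.spec.hosted
 const https = hosted.https()
 return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp)
 .catch(er => {
 const ssh = hosted.sshurl && hosted.sshurl({ noCommittish: true })
-
-if (!ssh)
+// no fallthrough if we can't fall through or have https auth
+if (!ssh || hosted.auth)
 throw er
 return this[_cloneRepo](ssh, ref, tmp)
 })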
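Review bot: `this.resolved` can now be a credential-bearing URL, and the prepare hunk (`@@ -148,12 +161,28 @@`) both logs it and exports it to the child process. The `_addGitSha` hunk builds the resolved value from `h.https(opt)` whenever `h.auth` is set; assuming that URL embeds the auth, as the new comments imply, `this.log.info('prepare', 'skip prepare, already seen', this.resolved)` writes the token to the log, and `_PACOTE_NO_PREPARE_` carries it into the environment of the spawned npm and presumably of any lifecycle scripts that install runs. The cycle check only needs a stable identity for the repo, so I would key it on a credential-free form, e.g. `const seen = this.spec.hosted ? this.spec.hosted.shortcut({ noCommittish: true }) + '#' + this.resolvedSha : this.resolved` (confirm `resolvedSha` is set by this point), and use `seen` for the `includes`/`push`/log calls. The non-hosted branch may need the same care if `rawSpec` can contain userinfo; the prepare function itself starts outside the hunk.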
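--- a/package/lib/util/cache-dir.js
+++ b/package/lib/util/cache-dir.js
@@ -7,6 +7,6 @@ module.exports = (fakePlatform = false) => {
 const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid)
 const platform = fakePlatform || process.platform
 const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
-const cacheRoot = (platform === 'win32' && process.env.
-return resolve(cacheRoot, cacheExtra)
+const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
+return resolve(cacheRoot, cacheExtra, '_cacache')
 }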
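Review bot: The return value changes meaning at `return resolve(cacheRoot, cacheExtra, '_cacache')`: it now names the cacache content directory rather than the npm cache root, and nothing in the function says so. A caller that forwards this path to npm's `--cache` has to strip the leaf again, which the fetcher.js section of this diff does with `dirname(this.cache)`. I would add a comment above the return, e.g. `// returns the cacache dir itself (<npm cache root>/_cacache), not the npm cache root`. The function body starts outside the hunk.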
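--- a/package/lib/util/npm.js
+++ b/package/lib/util/npm.js
@@ -1,9 +1,15 @@
 // run an npm command
 const spawn = require('@npmcli/promise-spawn')
+const {dirname} = require('path')
 
-module.exports = (npmBin, npmCommand, cwd, extra) => {
+module.exports = (npmBin, npmCommand, cwd, env, extra) => {
 const isJS = npmBin.endsWith('.js')
 const cmd = isJS ? process.execPath : npmBin
 const args = (isJS ? [npmBin] : []).concat(npmCommand)
-
+// when installing to run the `prepare` script for a git dep, we need
+// to ensure that we don't run into a cycle of checking out packages
+// in temp directories. this lets us link previously-seen repos that
+// are also being prepared.
+
+return spawn(cmd, args, { cwd, stdioString: true, env }, extra)
 }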
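Review bot: `env` was inserted before `extra` in the positional signature, so a caller still using the old four-argument form would silently pass its `extra` object as the child's environment. Because `env` is handed to `spawn` as-is, a caller also has to spread `process.env` itself (as the git.js call in this diff does), or the child npm presumably runs without PATH and the rest of the parent environment. The new comment does not say either of these; it describes cycle avoidance and linking repos, which this function does not do. I would replace it with something like `// env: complete environment for the child (callers must include process.env); extra: passed through to promise-spawn`. `const {dirname} = require('path')` is also added but never used in the visible file.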
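--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pacote",
-"version": "11.2.
+"version": "11.2.6",
 "description": "JavaScript package downloader",
 "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
 "bin": {
@@ -25,7 +25,7 @@
 "mutate-fs": "^2.1.1",
 "npm-registry-mock": "^1.3.1",
 "require-inject": "^1.4.4",
-"tap": "^14.
+"tap": "^14.11.0"
 },
 "files": [
 "lib/**/*.js"
@@ -37,9 +37,9 @@
 ],
 "dependencies": {
 "@npmcli/git": "^2.0.1",
-"@npmcli/installed-package-contents": "^1.0.
+"@npmcli/installed-package-contents": "^1.0.6",
 "@npmcli/promise-spawn": "^1.2.0",
-"@npmcli/run-script": "^1.
+"@npmcli/run-script": "^1.8.2",
 "cacache": "^15.0.5",
 "chownr": "^2.0.0",
 "fs-minipass": "^2.1.0",
@@ -50,10 +50,10 @@
 "npm-packlist": "^2.1.4",
 "npm-pick-manifest": "^6.0.0",
 "npm-registry-fetch": "^9.0.0",
-"promise-retry": "^
-"read-package-json-fast": "^
+"promise-retry": "^2.0.1",
+"read-package-json-fast": "^2.0.1",
 "rimraf": "^3.0.2",
-"ssri": "^8.0.
+"ssri": "^8.0.1",
 "tar": "^6.1.0"
 },
 "engines": {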