pacote 11.2.3 → 11.2.7

package/lib/dir.js

@@ -33,11 +33,20 @@ class DirFetcher extends Fetcher {
       // we *only* run prepare.
       // pre/post-pack is run by the npm CLI for publish and pack,
       // but this function is *also* run when installing git deps
+      const stdio = this.opts.foregroundScripts ? 'inherit' : 'pipe'
+
+      // hide the banner if loglevel is silent, or if prepare running
+      // in the background.
+      const banner = this.opts.log && this.opts.log.level === 'silent' ? false
+        : stdio === 'inherit'
+
       return runScript({
         pkg: mani,
         event: 'prepare',
         path: this.resolved,
         stdioString: true,
+        stdio,
+        banner,
         env: {
           npm_package_resolved: this.resolved,
           npm_package_integrity: this.integrity,

package/lib/fetcher.js

@@ -103,14 +103,14 @@ class FetcherBase {
     this.npmBin = opts.npmBin || 'npm'
 
     // command to install deps for preparing
-    this.npmInstallCmd = opts.npmInstallCmd || [ 'install' ]
+    this.npmInstallCmd = opts.npmInstallCmd || [ 'install', '--force' ]
 
     // XXX fill more of this in based on what we know from this.opts
     // we explicitly DO NOT fill in --tag, though, since we are often
     // going to be packing in the context of a publish, which may set
     // a dist-tag, but certainly wants to keep defaulting to latest.
     this.npmCliConfig = opts.npmCliConfig || [
-      `--cache=${this.cache}`,
+      `--cache=${dirname(this.cache)}`,
       `--prefer-offline=${!!this.preferOffline}`,
       `--prefer-online=${!!this.preferOnline}`,
       `--offline=${!!this.offline}`,

package/lib/git.js

@@ -18,6 +18,7 @@ const _resolvedFromHosted = Symbol('_resolvedFromHosted')
 const _resolvedFromClone = Symbol('_resolvedFromClone')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const _addGitSha = Symbol('_addGitSha')
+const addGitSha = require('./util/add-git-sha.js')
 const _clone = Symbol('_clone')
 const _cloneHosted = Symbol('_cloneHosted')
 const _cloneRepo = Symbol('_cloneRepo')
@@ -131,16 +132,7 @@ class GitFetcher extends Fetcher {
   // when we get the git sha, we affix it to our spec to build up
   // either a git url with a hash, or a tarball download URL
   [_addGitSha] (sha) {
-    if (this.spec.hosted) {
-      const h = this.spec.hosted
-      const opt = { noCommittish: true }
-      const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt)
-
-      this[_setResolvedWithSha](`${base}#${sha}`)
-    } else {
-      const u = url.format(new url.URL(`#${sha}`, this.spec.rawSpec))
-      this[_setResolvedWithSha](url.format(u))
-    }
+    this[_setResolvedWithSha](addGitSha(this.spec, sha))
   }
 
   [_resolvedFromClone] () {
@@ -161,12 +153,28 @@ class GitFetcher extends Fetcher {
           scripts.prepare))
         return
 
+      // to avoid cases where we have an cycle of git deps that depend
+      // on one another, we only ever do preparation for one instance
+      // of a given git dep along the chain of installations.
+      // Note that this does mean that a dependency MAY in theory end up
+      // trying to run its prepare script using a dependency that has not
+      // been properly prepared itself, but that edge case is smaller
+      // and less hazardous than a fork bomb of npm and git commands.
+      const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? []
+        : process.env._PACOTE_NO_PREPARE_.split('\n')
+      if (noPrepare.includes(this.resolved)) {
+        this.log.info('prepare', 'skip prepare, already seen', this.resolved)
+        return
+      }
+      noPrepare.push(this.resolved)
+
       // the DirFetcher will do its own preparation to run the prepare scripts
       // All we have to do is put the deps in place so that it can succeed.
       return npm(
         this.npmBin,
         [].concat(this.npmInstallCmd).concat(this.npmCliConfig),
         dir,
+        { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') },
         { message: 'git dep preparation failed' }
       )
     })

package/lib/util/add-git-sha.js

@@ -0,0 +1,15 @@
+// add a sha to a git remote url spec
+const addGitSha = (spec, sha) => {
+  if (spec.hosted) {
+    const h = spec.hosted
+    const opt = { noCommittish: true }
+    const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt)
+
+    return `${base}#${sha}`
+  } else {
+    // don't use new URL for this, because it doesn't handle scp urls
+    return spec.rawSpec.replace(/#.*$/, '') + `#${sha}`
+  }
+}
+
+module.exports = addGitSha

package/lib/util/cache-dir.js

@@ -7,6 +7,6 @@ module.exports = (fakePlatform = false) => {
   const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid)
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
-  const cacheRoot = (platform === 'win32' && process.env.APPDATA) || home
-  return resolve(cacheRoot, cacheExtra)
+  const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
+  return resolve(cacheRoot, cacheExtra, '_cacache')
 }

package/lib/util/npm.js

@@ -1,9 +1,15 @@
 // run an npm command
 const spawn = require('@npmcli/promise-spawn')
+const {dirname} = require('path')
 
-module.exports = (npmBin, npmCommand, cwd, extra) => {
+module.exports = (npmBin, npmCommand, cwd, env, extra) => {
   const isJS = npmBin.endsWith('.js')
   const cmd = isJS ? process.execPath : npmBin
   const args = (isJS ? [npmBin] : []).concat(npmCommand)
-  return spawn(cmd, args, { cwd, stdioString: true }, extra)
+  // when installing to run the `prepare` script for a git dep, we need
+  // to ensure that we don't run into a cycle of checking out packages
+  // in temp directories.  this lets us link previously-seen repos that
+  // are also being prepared.
+
+  return spawn(cmd, args, { cwd, stdioString: true, env }, extra)
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "11.2.3",
+  "version": "11.2.7",
   "description": "JavaScript package downloader",
   "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
   "bin": {
@@ -25,7 +25,7 @@
     "mutate-fs": "^2.1.1",
     "npm-registry-mock": "^1.3.1",
     "require-inject": "^1.4.4",
-    "tap": "^14.10.8"
+    "tap": "^14.11.0"
   },
   "files": [
     "lib/**/*.js"
@@ -37,9 +37,9 @@
   ],
   "dependencies": {
     "@npmcli/git": "^2.0.1",
-    "@npmcli/installed-package-contents": "^1.0.5",
+    "@npmcli/installed-package-contents": "^1.0.6",
     "@npmcli/promise-spawn": "^1.2.0",
-    "@npmcli/run-script": "^1.3.0",
+    "@npmcli/run-script": "^1.8.2",
     "cacache": "^15.0.5",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",
@@ -50,10 +50,10 @@
     "npm-packlist": "^2.1.4",
     "npm-pick-manifest": "^6.0.0",
     "npm-registry-fetch": "^9.0.0",
-    "promise-retry": "^1.1.1",
-    "read-package-json-fast": "^1.1.3",
+    "promise-retry": "^2.0.1",
+    "read-package-json-fast": "^2.0.1",
     "rimraf": "^3.0.2",
-    "ssri": "^8.0.0",
+    "ssri": "^8.0.1",
     "tar": "^6.1.0"
   },
   "engines": {