pacote 11.2.4 → 11.3.0

package/README.md

@@ -168,6 +168,18 @@ resolved, and other properties, as they are determined.
   times (even just to validate the cache) for a given packument, since it
   is unlikely to change in the span of a single command.
 
+
+### Advanced API
+
+Each different type of fetcher is exposed for more advanced usage such as
+using helper methods from this classes:
+
+* `DirFetcher`
+* `FileFetcher`
+* `GitFetcher`
+* `RegistryFetcher`
+* `RemoteFetcher`
+
 ## Extracted File Modes
 
 Files are extracted with a mode matching the following formula:

package/lib/dir.js

@@ -4,11 +4,10 @@ const cacache = require('cacache')
 const Minipass = require('minipass')
 const { promisify } = require('util')
 const readPackageJson = require('read-package-json-fast')
-const isPackageBin = require('./util/is-package-bin.js')
+const tarCreateOptions = require('./util/tar-create-options.js')
 const packlist = require('npm-packlist')
 const tar = require('tar')
 const _prepareDir = Symbol('_prepareDir')
-const _tarcOpts = Symbol('_tarcOpts')
 const { resolve } = require('path')
 
 const runScript = require('@npmcli/run-script')
@@ -21,6 +20,11 @@ class DirFetcher extends Fetcher {
     this.resolved = this.spec.fetchSpec
   }
 
+  // exposes tarCreateOptions as public API
+  static tarCreateOptions (manifest) {
+    return tarCreateOptions(manifest)
+  }
+
   get types () {
     return ['directory']
   }
@@ -33,11 +37,20 @@ class DirFetcher extends Fetcher {
       // we *only* run prepare.
       // pre/post-pack is run by the npm CLI for publish and pack,
       // but this function is *also* run when installing git deps
+      const stdio = this.opts.foregroundScripts ? 'inherit' : 'pipe'
+
+      // hide the banner if loglevel is silent, or if prepare running
+      // in the background.
+      const banner = this.opts.log && this.opts.log.level === 'silent' ? false
+        : stdio === 'inherit'
+
       return runScript({
         pkg: mani,
         event: 'prepare',
         path: this.resolved,
         stdioString: true,
+        stdio,
+        banner,
         env: {
           npm_package_resolved: this.resolved,
           npm_package_integrity: this.integrity,
@@ -56,35 +69,12 @@ class DirFetcher extends Fetcher {
     // pipe to the stream, and proxy errors the chain.
     this[_prepareDir]()
       .then(() => packlist({ path: this.resolved }))
-      .then(files => tar.c(this[_tarcOpts](), files)
+      .then(files => tar.c(tarCreateOptions(this.package), files)
         .on('error', er => stream.emit('error', er)).pipe(stream))
       .catch(er => stream.emit('error', er))
     return stream
   }
 
-  [_tarcOpts] () {
-    return {
-      cwd: this.resolved,
-      prefix: 'package/',
-      portable: true,
-      gzip: true,
-
-      // ensure that package bins are always executable
-      // Note that npm-packlist is already filtering out
-      // anything that is not a regular file, ignored by
-      // .npmignore or package.json "files", etc.
-      filter: (path, stat) => {
-        if (isPackageBin(this.package, path))
-          stat.mode |= 0o111
-        return true
-      },
-
-      // Provide a specific date in the 1980s for the benefit of zip,
-      // which is confounded by files dated at the Unix epoch 0.
-      mtime: new Date('1985-10-26T08:15:00.000Z'),
-    }
-  }
-
   manifest () {
     if (this.package)
       return Promise.resolve(this.package)

package/lib/fetcher.js

@@ -110,7 +110,7 @@ class FetcherBase {
     // going to be packing in the context of a publish, which may set
     // a dist-tag, but certainly wants to keep defaulting to latest.
     this.npmCliConfig = opts.npmCliConfig || [
-      `--cache=${this.cache}`,
+      `--cache=${dirname(this.cache)}`,
       `--prefer-offline=${!!this.preferOffline}`,
       `--prefer-online=${!!this.preferOnline}`,
       `--offline=${!!this.offline}`,

package/lib/git.js

@@ -18,6 +18,7 @@ const _resolvedFromHosted = Symbol('_resolvedFromHosted')
 const _resolvedFromClone = Symbol('_resolvedFromClone')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const _addGitSha = Symbol('_addGitSha')
+const addGitSha = require('./util/add-git-sha.js')
 const _clone = Symbol('_clone')
 const _cloneHosted = Symbol('_cloneHosted')
 const _cloneRepo = Symbol('_cloneRepo')
@@ -131,16 +132,7 @@ class GitFetcher extends Fetcher {
   // when we get the git sha, we affix it to our spec to build up
   // either a git url with a hash, or a tarball download URL
   [_addGitSha] (sha) {
-    if (this.spec.hosted) {
-      const h = this.spec.hosted
-      const opt = { noCommittish: true }
-      const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt)
-
-      this[_setResolvedWithSha](`${base}#${sha}`)
-    } else {
-      const u = url.format(new url.URL(`#${sha}`, this.spec.rawSpec))
-      this[_setResolvedWithSha](url.format(u))
-    }
+    this[_setResolvedWithSha](addGitSha(this.spec, sha))
   }
 
   [_resolvedFromClone] () {
@@ -161,12 +153,28 @@ class GitFetcher extends Fetcher {
           scripts.prepare))
         return
 
+      // to avoid cases where we have an cycle of git deps that depend
+      // on one another, we only ever do preparation for one instance
+      // of a given git dep along the chain of installations.
+      // Note that this does mean that a dependency MAY in theory end up
+      // trying to run its prepare script using a dependency that has not
+      // been properly prepared itself, but that edge case is smaller
+      // and less hazardous than a fork bomb of npm and git commands.
+      const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? []
+        : process.env._PACOTE_NO_PREPARE_.split('\n')
+      if (noPrepare.includes(this.resolved)) {
+        this.log.info('prepare', 'skip prepare, already seen', this.resolved)
+        return
+      }
+      noPrepare.push(this.resolved)
+
       // the DirFetcher will do its own preparation to run the prepare scripts
       // All we have to do is put the deps in place so that it can succeed.
       return npm(
         this.npmBin,
         [].concat(this.npmInstallCmd).concat(this.npmCliConfig),
         dir,
+        { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') },
         { message: 'git dep preparation failed' }
       )
     })

package/lib/index.js

@@ -1,5 +1,16 @@
 const { get } = require('./fetcher.js')
+const GitFetcher = require('./git.js')
+const RegistryFetcher = require('./registry.js')
+const FileFetcher = require('./file.js')
+const DirFetcher = require('./dir.js')
+const RemoteFetcher = require('./remote.js')
+
 module.exports = {
+  GitFetcher,
+  RegistryFetcher,
+  FileFetcher,
+  DirFetcher,
+  RemoteFetcher,
   resolve: (spec, opts) => get(spec, opts).resolve(),
   extract: (spec, dest, opts) => get(spec, opts).extract(dest),
   manifest: (spec, opts) => get(spec, opts).manifest(),

package/lib/util/add-git-sha.js

@@ -0,0 +1,15 @@
+// add a sha to a git remote url spec
+const addGitSha = (spec, sha) => {
+  if (spec.hosted) {
+    const h = spec.hosted
+    const opt = { noCommittish: true }
+    const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt)
+
+    return `${base}#${sha}`
+  } else {
+    // don't use new URL for this, because it doesn't handle scp urls
+    return spec.rawSpec.replace(/#.*$/, '') + `#${sha}`
+  }
+}
+
+module.exports = addGitSha

package/lib/util/cache-dir.js

@@ -7,6 +7,6 @@ module.exports = (fakePlatform = false) => {
   const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid)
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
-  const cacheRoot = (platform === 'win32' && process.env.APPDATA) || home
-  return resolve(cacheRoot, cacheExtra)
+  const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
+  return resolve(cacheRoot, cacheExtra, '_cacache')
 }

package/lib/util/npm.js

@@ -1,9 +1,15 @@
 // run an npm command
 const spawn = require('@npmcli/promise-spawn')
+const {dirname} = require('path')
 
-module.exports = (npmBin, npmCommand, cwd, extra) => {
+module.exports = (npmBin, npmCommand, cwd, env, extra) => {
   const isJS = npmBin.endsWith('.js')
   const cmd = isJS ? process.execPath : npmBin
   const args = (isJS ? [npmBin] : []).concat(npmCommand)
-  return spawn(cmd, args, { cwd, stdioString: true }, extra)
+  // when installing to run the `prepare` script for a git dep, we need
+  // to ensure that we don't run into a cycle of checking out packages
+  // in temp directories.  this lets us link previously-seen repos that
+  // are also being prepared.
+
+  return spawn(cmd, args, { cwd, stdioString: true, env }, extra)
 }

package/lib/util/tar-create-options.js

@@ -0,0 +1,24 @@
+const isPackageBin = require('./is-package-bin.js')
+
+const tarCreateOptions = manifest => ({
+  cwd: manifest._resolved,
+  prefix: 'package/',
+  portable: true,
+  gzip: true,
+
+  // ensure that package bins are always executable
+  // Note that npm-packlist is already filtering out
+  // anything that is not a regular file, ignored by
+  // .npmignore or package.json "files", etc.
+  filter: (path, stat) => {
+    if (isPackageBin(manifest, path))
+      stat.mode |= 0o111
+    return true
+  },
+
+  // Provide a specific date in the 1980s for the benefit of zip,
+  // which is confounded by files dated at the Unix epoch 0.
+  mtime: new Date('1985-10-26T08:15:00.000Z'),
+})
+
+module.exports = tarCreateOptions

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "11.2.4",
+  "version": "11.3.0",
   "description": "JavaScript package downloader",
   "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
   "bin": {
@@ -25,7 +25,7 @@
     "mutate-fs": "^2.1.1",
     "npm-registry-mock": "^1.3.1",
     "require-inject": "^1.4.4",
-    "tap": "^14.10.8"
+    "tap": "^14.11.0"
   },
   "files": [
     "lib/**/*.js"
@@ -37,9 +37,9 @@
   ],
   "dependencies": {
     "@npmcli/git": "^2.0.1",
-    "@npmcli/installed-package-contents": "^1.0.5",
+    "@npmcli/installed-package-contents": "^1.0.6",
     "@npmcli/promise-spawn": "^1.2.0",
-    "@npmcli/run-script": "^1.3.0",
+    "@npmcli/run-script": "^1.8.2",
     "cacache": "^15.0.5",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",
@@ -50,10 +50,10 @@
     "npm-packlist": "^2.1.4",
     "npm-pick-manifest": "^6.0.0",
     "npm-registry-fetch": "^9.0.0",
-    "promise-retry": "^1.1.1",
-    "read-package-json-fast": "^1.1.3",
+    "promise-retry": "^2.0.1",
+    "read-package-json-fast": "^2.0.1",
     "rimraf": "^3.0.2",
-    "ssri": "^8.0.0",
+    "ssri": "^8.0.1",
     "tar": "^6.1.0"
   },
   "engines": {