pacote 11.3.1 → 11.3.5

package/lib/fetcher.js

@@ -40,6 +40,7 @@ const _istream = Symbol('_istream')
 const _assertType = Symbol('_assertType')
 const _tarballFromCache = Symbol('_tarballFromCache')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
+const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
 
 class FetcherBase {
   constructor (spec, opts) {
@@ -118,6 +119,13 @@ class FetcherBase {
       '--no-progress',
       '--no-save',
       '--no-audit',
+      // override any omit settings from the environment
+      '--include=dev',
+      '--include=peer',
+      '--include=optional',
+      // we need the actual things, not just the lockfile
+      '--no-package-lock-only',
+      '--no-dry-run',
     ]
   }
 
@@ -166,25 +174,19 @@ class FetcherBase {
   }
 
   // private, should be overridden.
-  // Note that they should *not* calculate or check integrity, but *just*
-  // return the raw tarball data stream.
+  // Note that they should *not* calculate or check integrity or cache,
+  // but *just*  return the raw tarball data stream.
   [_tarballFromResolved] () {
     throw this.notImplementedError
   }
 
   // public, should not be overridden
   tarball () {
-    return this.tarballStream(stream => new Promise((res, rej) => {
-      const buf = []
-      stream.on('error', er => rej(er))
-      stream.on('end', () => {
-        const data = Buffer.concat(buf)
-        data.integrity = this.integrity && String(this.integrity)
-        data.resolved = this.resolved
-        data.from = this.from
-        return res(data)
-      })
-      stream.on('data', d => buf.push(d))
+    return this.tarballStream(stream => stream.concat().then(data => {
+      data.integrity = this.integrity && String(this.integrity)
+      data.resolved = this.resolved
+      data.from = this.from
+      return data
     }))
   }
 
@@ -194,6 +196,10 @@ class FetcherBase {
     return cacache.get.stream.byDigest(this.cache, this.integrity, this.opts)
   }
 
+  get [_cacheFetches] () {
+    return true
+  }
+
   [_istream] (stream) {
     // everyone will need one of these, either for verifying or calculating
     // We always set it, because we have might only have a weak legacy hex
@@ -203,7 +209,31 @@ class FetcherBase {
     // gets to the point of re-setting the integrity.
     const istream = ssri.integrityStream(this.opts)
     istream.on('integrity', i => this.integrity = i)
-    return stream.on('error', er => istream.emit('error', er)).pipe(istream)
+    stream.on('error', er => istream.emit('error', er))
+
+    // if not caching this, just pipe through to the istream and return it
+    if (!this.opts.cache || !this[_cacheFetches])
+      return stream.pipe(istream)
+
+    // we have to return a stream that gets ALL the data, and proxies errors,
+    // but then pipe from the original tarball stream into the cache as well.
+    // To do this without losing any data, and since the cacache put stream
+    // is not a passthrough, we have to pipe from the original stream into
+    // the cache AFTER we pipe into the istream.  Since the cache stream
+    // has an asynchronous flush to write its contents to disk, we need to
+    // defer the istream end until the cache stream ends.
+    stream.pipe(istream, { end: false })
+    const cstream = cacache.put.stream(
+      this.opts.cache,
+      `pacote:tarball:${this.from}`,
+      this.opts
+    )
+    stream.pipe(cstream)
+    // defer istream end until after cstream
+    // cache write errors should not crash the fetch, this is best-effort.
+    cstream.promise().catch(() => {}).then(() => istream.end())
+
+    return istream
   }
 
   pickIntegrityAlgorithm () {
@@ -232,7 +262,9 @@ class FetcherBase {
   // An ENOENT trying to read a tgz file, for example, is Right Out.
   isRetriableError (er) {
     // TODO: check error class, once those are rolled out to our deps
-    return this.isDataCorruptionError(er) || er.code === 'ENOENT'
+    return this.isDataCorruptionError(er) ||
+      er.code === 'ENOENT' ||
+      er.code === 'EISDIR'
   }
 
   // Mostly internal, but has some uses
@@ -405,6 +437,7 @@ class FetcherBase {
     return {
       cwd,
       noChmod: true,
+      noMtime: true,
       filter: (name, entry) => {
         if (/Link$/.test(entry.type))
           return false

package/lib/git.js

@@ -85,6 +85,9 @@ class GitFetcher extends Fetcher {
   [_resolvedFromHosted] (hosted) {
     return this[_resolvedFromRepo](hosted.https && hosted.https())
       .catch(er => {
+        // Throw early since we know pathspec errors will fail again if retried
+        if (er instanceof git.errors.GitPathspecError)
+          throw er
         const ssh = hosted.sshurl && hosted.sshurl()
         // no fallthrough if we can't fall through or have https auth
         if (!ssh || hosted.auth)
@@ -260,9 +263,11 @@ class GitFetcher extends Fetcher {
   // is present, otherwise ssh if the hosted type provides it
   [_cloneHosted] (ref, tmp) {
     const hosted = this.spec.hosted
-    const https = hosted.https()
     return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp)
       .catch(er => {
+        // Throw early since we know pathspec errors will fail again if retried
+        if (er instanceof git.errors.GitPathspecError)
+          throw er
         const ssh = hosted.sshurl && hosted.sshurl({ noCommittish: true })
         // no fallthrough if we can't fall through or have https auth
         if (!ssh || hosted.auth)

package/lib/registry.js

@@ -3,6 +3,7 @@ const RemoteFetcher = require('./remote.js')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
 const npa = require('npm-package-arg')
+const rpj = require('read-package-json-fast')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
 const Minipass = require('minipass')
@@ -156,7 +157,8 @@ class RegistryFetcher extends Fetcher {
         }
         if (this.integrity)
           mani._integrity = String(this.integrity)
-        return this.package = mani
+        this.package = rpj.normalize(mani)
+        return this.package
       })
   }
 

package/lib/remote.js

@@ -8,6 +8,7 @@ const Minipass = require('minipass')
 // The default registry URL is a string of great magic.
 const magic = /^https?:\/\/registry\.npmjs\.org\//
 
+const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
 const _headers = Symbol('_headers')
 class RemoteFetcher extends Fetcher {
   constructor (spec, opts) {
@@ -21,6 +22,12 @@ class RemoteFetcher extends Fetcher {
     this.pkgid = opts.pkgid ? opts.pkgid : `remote:${nameat}${this.resolved}`
   }
 
+  // Don't need to cache tarball fetches in pacote, because make-fetch-happen
+  // will write into cacache anyway.
+  get [_cacheFetches] () {
+    return false
+  }
+
   [_tarballFromResolved] () {
     const stream = new Minipass()
     const fetchOpts = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "11.3.1",
+  "version": "11.3.5",
   "description": "JavaScript package downloader",
   "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
   "bin": {
@@ -17,15 +17,12 @@
   },
   "tap": {
     "timeout": 300,
-    "check-coverage": true,
-    "coverage-map": "map.js",
-    "esm": false
+    "coverage-map": "map.js"
   },
   "devDependencies": {
     "mutate-fs": "^2.1.1",
     "npm-registry-mock": "^1.3.1",
-    "require-inject": "^1.4.4",
-    "tap": "^14.11.0"
+    "tap": "^15.0.4"
   },
   "files": [
     "lib/**/*.js"
@@ -36,7 +33,7 @@
     "git"
   ],
   "dependencies": {
-    "@npmcli/git": "^2.0.1",
+    "@npmcli/git": "^2.1.0",
     "@npmcli/installed-package-contents": "^1.0.6",
     "@npmcli/promise-spawn": "^1.2.0",
     "@npmcli/run-script": "^1.8.2",
@@ -49,7 +46,7 @@
     "npm-package-arg": "^8.0.1",
     "npm-packlist": "^2.1.4",
     "npm-pick-manifest": "^6.0.0",
-    "npm-registry-fetch": "^9.0.0",
+    "npm-registry-fetch": "^11.0.0",
     "promise-retry": "^2.0.1",
     "read-package-json-fast": "^2.0.1",
     "rimraf": "^3.0.2",