pacote 12.0.2 → 13.0.2

package/README.md

@@ -146,10 +146,6 @@ resolved, and other properties, as they are determined.
   `0o666`.  See "Extracted File Modes" below.
 * `dmode` Minimum permission mode for extracted directories.  Defaults to
   `0o777`.  See "Extracted File Modes" below.
-* `log` A logger object with methods for various log levels.  Typically,
-  this will be [`npmlog`](http://npm.im/npmlog) in the npm CLI use case,
-  but if not specified, the default is a logger that emits `'log'` events
-  on the `process` object.
 * `preferOnline` Prefer to revalidate cache entries, even when it would not
   be strictly necessary.  Default `false`.
 * `before` When picking a manifest from a packument, only consider
@@ -162,11 +158,16 @@ resolved, and other properties, as they are determined.
   including information not strictly required for installation (author,
   description, etc.)  Defaults to `true` when `before` is set, since the
   version publish time is part of the extended packument metadata.
+* `fullReadJson` Use the slower `read-package-json` package insted of
+  `read-package-json-fast` in order to include extra fields like "readme" in
+  the manifest. Defaults to `false`.
 * `packumentCache` For registry packuments only, you may provide a `Map`
   object which will be used to cache packument requests between pacote
   calls.  This allows you to easily avoid hitting the registry multiple
   times (even just to validate the cache) for a given packument, since it
   is unlikely to change in the span of a single command.
+* `silent` A boolean that determines whether the banner is displayed
+  when calling `@npmcli/run-script`.
 
 
 ### Advanced API

package/lib/bin.js

@@ -4,26 +4,28 @@ const run = conf => {
   const pacote = require('../')
   switch (conf._[0]) {
     case 'resolve':
-      if (conf.long)
+    case 'manifest':
+    case 'packument':
+      if (conf._[0] === 'resolve' && conf.long) {
         return pacote.manifest(conf._[1], conf).then(mani => ({
           resolved: mani._resolved,
           integrity: mani._integrity,
           from: mani._from,
         }))
-    case 'manifest':
-    case 'packument':
+      }
       return pacote[conf._[0]](conf._[1], conf)
 
     case 'tarball':
       if (!conf._[2] || conf._[2] === '-') {
         return pacote.tarball.stream(conf._[1], stream => {
           stream.pipe(conf.testStdout ||
-            /* istanbul ignore next */ process.stdout)
+          /* istanbul ignore next */ process.stdout)
           // make sure it resolves something falsey
           return stream.promise().then(() => {})
         }, conf)
-      } else
+      } else {
         return pacote.tarball.file(conf._[1], conf._[2], conf)
+      }
 
     case 'extract':
       return pacote.extract(conf._[1], conf._[2], conf)
@@ -81,8 +83,9 @@ const pretty = (conf, result) =>
 let addedLogListener = false
 const main = args => {
   const conf = parse(args)
-  if (conf.help || conf.h)
+  if (conf.help || conf.h) {
     return console.log(usage())
+  }
 
   if (!addedLogListener) {
     process.on('log', console.error)
@@ -121,14 +124,14 @@ const parse = args => {
   }
   let dashdash = false
   args.forEach(arg => {
-    if (dashdash)
+    if (dashdash) {
       conf._.push(arg)
-    else if (arg === '--')
+    } else if (arg === '--') {
       dashdash = true
-    else if (arg === '-h')
+    } else if (arg === '-h') {
       conf.help = true
-    else if (/^--/.test(arg)) {
-      const {key, value} = parseArg(arg)
+    } else if (/^--/.test(arg)) {
+      const { key, value } = parseArg(arg)
       conf[key] = value
     } else {
       conf._.push(arg)
@@ -137,9 +140,9 @@ const parse = args => {
   return conf
 }
 
-if (module === require.main)
+if (module === require.main) {
   main(process.argv.slice(2))
-else
+} else {
   module.exports = {
     main,
     run,
@@ -147,3 +150,4 @@ else
     parseArg,
     parse,
   }
+}

package/lib/dir.js

@@ -1,14 +1,12 @@
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
-const cacache = require('cacache')
 const Minipass = require('minipass')
-const { promisify } = require('util')
-const readPackageJson = require('read-package-json-fast')
 const tarCreateOptions = require('./util/tar-create-options.js')
 const packlist = require('npm-packlist')
 const tar = require('tar')
 const _prepareDir = Symbol('_prepareDir')
 const { resolve } = require('path')
+const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
 
 const runScript = require('@npmcli/run-script')
 
@@ -31,18 +29,18 @@ class DirFetcher extends Fetcher {
 
   [_prepareDir] () {
     return this.manifest().then(mani => {
-      if (!mani.scripts || !mani.scripts.prepare)
+      if (!mani.scripts || !mani.scripts.prepare) {
         return
+      }
 
       // we *only* run prepare.
       // pre/post-pack is run by the npm CLI for publish and pack,
       // but this function is *also* run when installing git deps
       const stdio = this.opts.foregroundScripts ? 'inherit' : 'pipe'
 
-      // hide the banner if loglevel is silent, or if prepare running
+      // hide the banner if silent opt is passed in, or if prepare running
       // in the background.
-      const banner = this.opts.log && this.opts.log.level === 'silent' ? false
-        : stdio === 'inherit'
+      const banner = this.opts.silent ? false : stdio === 'inherit'
 
       return runScript({
         pkg: mani,
@@ -76,10 +74,11 @@ class DirFetcher extends Fetcher {
   }
 
   manifest () {
-    if (this.package)
+    if (this.package) {
       return Promise.resolve(this.package)
+    }
 
-    return readPackageJson(this.resolved + '/package.json')
+    return this[_readPackageJson](this.resolved + '/package.json')
       .then(mani => this.package = {
         ...mani,
         _integrity: this.integrity && String(this.integrity),

package/lib/fetcher.js

@@ -9,12 +9,15 @@ const { promisify } = require('util')
 const { basename, dirname } = require('path')
 const rimraf = promisify(require('rimraf'))
 const tar = require('tar')
-const procLog = require('./util/proc-log.js')
+const log = require('proc-log')
 const retry = require('promise-retry')
 const fsm = require('fs-minipass')
 const cacache = require('cacache')
 const isPackageBin = require('./util/is-package-bin.js')
+const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const getContents = require('@npmcli/installed-package-contents')
+const readPackageJsonFast = require('read-package-json-fast')
+const readPackageJson = promisify(require('read-package-json'))
 
 // we only change ownership on unix platforms, and only if uid is 0
 const selfOwner = process.getuid && process.getuid() === 0 ? {
@@ -41,11 +44,13 @@ const _assertType = Symbol('_assertType')
 const _tarballFromCache = Symbol('_tarballFromCache')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
+const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
 
 class FetcherBase {
   constructor (spec, opts) {
-    if (!opts || typeof opts !== 'object')
+    if (!opts || typeof opts !== 'object') {
       throw new TypeError('options object is required')
+    }
     this.spec = npa(spec, opts.where)
 
     this.allowGitIgnore = !!opts.allowGitIgnore
@@ -62,7 +67,7 @@ class FetcherBase {
     this[_assertType]()
     // clone the opts object so that others aren't upset when we mutate it
     // by adding/modifying the integrity value.
-    this.opts = {...opts}
+    this.opts = { ...opts }
 
     this.cache = opts.cache || cacheDir()
     this.resolved = opts.resolved || null
@@ -72,8 +77,9 @@ class FetcherBase {
     // is no longer strong enough.
     this.defaultIntegrityAlgorithm = opts.defaultIntegrityAlgorithm || 'sha512'
 
-    if (typeof opts.integrity === 'string')
+    if (typeof opts.integrity === 'string') {
       this.opts.integrity = ssri.parse(opts.integrity)
+    }
 
     this.package = null
     this.type = this.constructor.name
@@ -85,7 +91,6 @@ class FetcherBase {
     // the process's umask setting do its job.  but if configured, we do
     // respect it.
     this.umask = opts.umask || 0
-    this.log = opts.log || procLog
 
     this.preferOnline = !!opts.preferOnline
     this.preferOffline = !!opts.preferOffline
@@ -93,10 +98,15 @@ class FetcherBase {
 
     this.before = opts.before
     this.fullMetadata = this.before ? true : !!opts.fullMetadata
+    this.fullReadJson = !!opts.fullReadJson
+    if (this.fullReadJson) {
+      this[_readPackageJson] = readPackageJson
+    } else {
+      this[_readPackageJson] = readPackageJsonFast
+    }
 
     this.defaultTag = opts.defaultTag || 'latest'
-    this.registry = (opts.registry || 'https://registry.npmjs.org')
-      .replace(/\/+$/, '')
+    this.registry = removeTrailingSlashes(opts.registry || 'https://registry.npmjs.org')
 
     // command to run 'prepare' scripts on directories and git dirs
     // To use pacote with yarn, for example, set npmBin to 'yarn'
@@ -104,7 +114,7 @@ class FetcherBase {
     this.npmBin = opts.npmBin || 'npm'
 
     // command to install deps for preparing
-    this.npmInstallCmd = opts.npmInstallCmd || [ 'install', '--force' ]
+    this.npmInstallCmd = opts.npmInstallCmd || ['install', '--force']
 
     // XXX fill more of this in based on what we know from this.opts
     // we explicitly DO NOT fill in --tag, though, since we are often
@@ -132,19 +142,22 @@ class FetcherBase {
   get integrity () {
     return this.opts.integrity || null
   }
+
   set integrity (i) {
-    if (!i)
+    if (!i) {
       return
+    }
 
     i = ssri.parse(i)
     const current = this.opts.integrity
 
     // do not ever update an existing hash value, but do
     // merge in NEW algos and hashes that we don't already have.
-    if (current)
+    if (current) {
       current.merge(i)
-    else
+    } else {
       this.opts.integrity = i
+    }
   }
 
   get notImplementedError () {
@@ -212,8 +225,9 @@ class FetcherBase {
     stream.on('error', er => istream.emit('error', er))
 
     // if not caching this, just pipe through to the istream and return it
-    if (!this.opts.cache || !this[_cacheFetches])
+    if (!this.opts.cache || !this[_cacheFetches]) {
       return stream.pipe(istream)
+    }
 
     // we have to return a stream that gets ALL the data, and proxies errors,
     // but then pipe from the original tarball stream into the cache as well.
@@ -288,39 +302,42 @@ class FetcherBase {
       this.integrity &&
       this.resolved
     ) ? streamHandler(this[_tarballFromCache]()).catch(er => {
-      if (this.isDataCorruptionError(er)) {
-        this.log.warn('tarball', `cached data for ${
+        if (this.isDataCorruptionError(er)) {
+          log.warn('tarball', `cached data for ${
           this.spec
         } (${this.integrity}) seems to be corrupted. Refreshing cache.`)
-        return this.cleanupCached().then(() => { throw er })
-      } else {
-        throw er
-      }
-    }) : null
+          return this.cleanupCached().then(() => {
+            throw er
+          })
+        } else {
+          throw er
+        }
+      }) : null
 
     const fromResolved = er => {
       if (er) {
-        if (!this.isRetriableError(er))
+        if (!this.isRetriableError(er)) {
           throw er
-        this.log.silly('tarball', `no local data for ${
+        }
+        log.silly('tarball', `no local data for ${
           this.spec
         }. Extracting by manifest.`)
       }
       return this.resolve().then(() => retry(tryAgain =>
         streamHandler(this[_istream](this[_tarballFromResolved]()))
-        .catch(er => {
+          .catch(er => {
           // Most likely data integrity.  A cache ENOENT error is unlikely
           // here, since we're definitely not reading from the cache, but it
           // IS possible that the fetch subsystem accessed the cache, and the
           // entry got blown away or something.  Try one more time to be sure.
-          if (this.isRetriableError(er)) {
-            this.log.warn('tarball', `tarball data for ${
+            if (this.isRetriableError(er)) {
+              log.warn('tarball', `tarball data for ${
               this.spec
             } (${this.integrity}) seems to be corrupted. Trying again.`)
-            return this.cleanupCached().then(() => tryAgain(er))
-          }
-          throw er
-        }), { retries: 1, minTimeout: 0, maxTimeout: 0 }))
+              return this.cleanupCached().then(() => tryAgain(er))
+            }
+            throw er
+          }), { retries: 1, minTimeout: 0, maxTimeout: 0 }))
     }
 
     return fromCache ? fromCache.catch(fromResolved) : fromResolved()
@@ -337,7 +354,7 @@ class FetcherBase {
   }
 
   [_empty] (path) {
-    return getContents({path, depth: 1}).then(contents => Promise.all(
+    return getContents({ path, depth: 1 }).then(contents => Promise.all(
       contents.map(entry => rimraf(entry))))
   }
 
@@ -350,7 +367,7 @@ class FetcherBase {
     // parent folder (rare, but probably happens sometimes).
     return !inferOwner
       ? this[_empty](dest).then(() => mkdirp(dest)).then(() => ({}))
-      : inferOwner(dest).then(({uid, gid}) =>
+      : inferOwner(dest).then(({ uid, gid }) =>
         this[_empty](dest)
           .then(() => mkdirp(dest))
           .then(made => {
@@ -360,13 +377,13 @@ class FetcherBase {
             const dir = made || /* istanbul ignore next */ dest
             return this[_chown](dir, uid, gid)
           })
-          .then(() => ({uid, gid})))
+          .then(() => ({ uid, gid })))
   }
 
   // extraction is always the same.  the only difference is where
   // the tarball comes from.
   extract (dest) {
-    return this[_mkdir](dest).then(({uid, gid}) =>
+    return this[_mkdir](dest).then(({ uid, gid }) =>
       this.tarballStream(tarball => this[_extract](dest, tarball, uid, gid)))
   }
 
@@ -389,7 +406,7 @@ class FetcherBase {
     const dir = dirname(dest)
     return !inferOwner
       ? mkdirp(dir).then(() => this[_toFile](dest))
-      : inferOwner(dest).then(({uid, gid}) =>
+      : inferOwner(dest).then(({ uid, gid }) =>
         mkdirp(dir).then(made => this[_toFile](dest)
           .then(res => this[_chown](made || dir, uid, gid)
             .then(() => res))))
@@ -407,8 +424,8 @@ class FetcherBase {
       })
 
       extractor.on('error', er => {
-        this.log.warn('tar', er.message)
-        this.log.silly('tar', er)
+        log.warn('tar', er.message)
+        log.silly('tar', er)
         reject(er)
       })
 
@@ -439,21 +456,23 @@ class FetcherBase {
       noChmod: true,
       noMtime: true,
       filter: (name, entry) => {
-        if (/Link$/.test(entry.type))
+        if (/Link$/.test(entry.type)) {
           return false
+        }
         entry.mode = this[_entryMode](entry.path, entry.mode, entry.type)
         // this replicates the npm pack behavior where .gitignore files
         // are treated like .npmignore files, but only if a .npmignore
         // file is not present.
         if (/File$/.test(entry.type)) {
           const base = basename(entry.path)
-          if (base === '.npmignore')
+          if (base === '.npmignore') {
             sawIgnores.add(entry.path)
-          else if (base === '.gitignore' && !this.allowGitIgnore) {
+          } else if (base === '.gitignore' && !this.allowGitIgnore) {
             // rename, but only if there's not already a .npmignore
             const ni = entry.path.replace(/\.gitignore$/, '.npmignore')
-            if (sawIgnores.has(ni))
+            if (sawIgnores.has(ni)) {
               return false
+            }
             entry.path = ni
           }
           return true
@@ -462,8 +481,8 @@ class FetcherBase {
       strip: 1,
       onwarn: /* istanbul ignore next - we can trust that tar logs */
       (code, msg, data) => {
-        this.log.warn('tar', code, msg)
-        this.log.silly('tar', code, msg, data)
+        log.warn('tar', code, msg)
+        log.silly('tar', code, msg, data)
       },
       uid,
       gid,

package/lib/file.js

@@ -1,12 +1,11 @@
 const Fetcher = require('./fetcher.js')
 const fsm = require('fs-minipass')
 const cacache = require('cacache')
-const { promisify } = require('util')
-const readPackageJson = require('read-package-json-fast')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const _exeBins = Symbol('_exeBins')
 const { resolve } = require('path')
 const fs = require('fs')
+const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
 
 class FileFetcher extends Fetcher {
   constructor (spec, opts) {
@@ -20,24 +19,26 @@ class FileFetcher extends Fetcher {
   }
 
   manifest () {
-    if (this.package)
+    if (this.package) {
       return Promise.resolve(this.package)
+    }
 
     // have to unpack the tarball for this.
     return cacache.tmp.withTmp(this.cache, this.opts, dir =>
       this.extract(dir)
-      .then(() => readPackageJson(dir + '/package.json'))
-      .then(mani => this.package = {
-        ...mani,
-        _integrity: this.integrity && String(this.integrity),
-        _resolved: this.resolved,
-        _from: this.from,
-      }))
+        .then(() => this[_readPackageJson](dir + '/package.json'))
+        .then(mani => this.package = {
+          ...mani,
+          _integrity: this.integrity && String(this.integrity),
+          _resolved: this.resolved,
+          _from: this.from,
+        }))
   }
 
   [_exeBins] (pkg, dest) {
-    if (!pkg.bin)
+    if (!pkg.bin) {
       return Promise.resolve()
+    }
 
     return Promise.all(Object.keys(pkg.bin).map(k => new Promise(res => {
       const script = resolve(dest, pkg.bin[k])
@@ -46,11 +47,13 @@ class FileFetcher extends Fetcher {
       // something, we just leave it for a later stage to trip over
       // when we can provide a more useful contextual error.
       fs.stat(script, (er, st) => {
-        if (er)
+        if (er) {
           return res()
+        }
         const mode = st.mode | 0o111
-        if (mode === st.mode)
+        if (mode === st.mode) {
           return res()
+        }
         fs.chmod(script, mode, res)
       })
     })))
@@ -61,8 +64,8 @@ class FileFetcher extends Fetcher {
     // but if not, read the unpacked manifest and chmod properly.
     return super.extract(dest)
       .then(result => this.package ? result
-        : readPackageJson(dest + '/package.json').then(pkg =>
-          this[_exeBins](pkg, dest)).then(() => result))
+      : this[_readPackageJson](dest + '/package.json').then(pkg =>
+        this[_exeBins](pkg, dest)).then(() => result))
   }
 
   [_tarballFromResolved] () {
@@ -75,7 +78,7 @@ class FileFetcher extends Fetcher {
     return this.manifest().then(mani => ({
       name: mani.name,
       'dist-tags': {
-        [this.defaultTag]: mani.version
+        [this.defaultTag]: mani.version,
       },
       versions: {
         [mani.version]: {
@@ -83,9 +86,9 @@ class FileFetcher extends Fetcher {
           dist: {
             tarball: `file:${this.resolved}`,
             integrity: this.integrity && String(this.integrity),
-          }
-        }
-      }
+          },
+        },
+      },
     }))
   }
 }

package/lib/git.js

@@ -6,11 +6,9 @@ const hashre = /^[a-f0-9]{40}$/
 const git = require('@npmcli/git')
 const pickManifest = require('npm-pick-manifest')
 const npa = require('npm-package-arg')
-const url = require('url')
 const Minipass = require('minipass')
 const cacache = require('cacache')
-const { promisify } = require('util')
-const readPackageJson = require('read-package-json-fast')
+const log = require('proc-log')
 const npm = require('./util/npm.js')
 
 const _resolvedFromRepo = Symbol('_resolvedFromRepo')
@@ -24,6 +22,7 @@ const _cloneHosted = Symbol('_cloneHosted')
 const _cloneRepo = Symbol('_cloneRepo')
 const _setResolvedWithSha = Symbol('_setResolvedWithSha')
 const _prepareDir = Symbol('_prepareDir')
+const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
 
 // get the repository url.
 // prefer https if there's auth, since ssh will drop that.
@@ -40,8 +39,9 @@ class GitFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
     this.resolvedRef = null
-    if (this.spec.hosted)
+    if (this.spec.hosted) {
       this.from = this.spec.hosted.shortcut({ noCommittish: false })
+    }
 
     // shortcut: avoid full clone when we can go straight to the tgz
     // if we have the full sha and it's a hosted git platform
@@ -51,8 +51,9 @@ class GitFetcher extends Fetcher {
       this.resolved = this.spec.hosted
         ? repoUrl(this.spec.hosted, { noCommittish: false })
         : this.spec.rawSpec
-    } else
+    } else {
       this.resolvedSha = ''
+    }
   }
 
   // just exposed to make it easier to test all the combinations
@@ -67,8 +68,9 @@ class GitFetcher extends Fetcher {
   resolve () {
     // likely a hosted git repo with a sha, so get the tarball url
     // but in general, no reason to resolve() more than necessary!
-    if (this.resolved)
+    if (this.resolved) {
       return super.resolve()
+    }
 
     // fetch the git repo and then look at the current hash
     const h = this.spec.hosted
@@ -86,37 +88,41 @@ class GitFetcher extends Fetcher {
     return this[_resolvedFromRepo](hosted.https && hosted.https())
       .catch(er => {
         // Throw early since we know pathspec errors will fail again if retried
-        if (er instanceof git.errors.GitPathspecError)
+        if (er instanceof git.errors.GitPathspecError) {
           throw er
+        }
         const ssh = hosted.sshurl && hosted.sshurl()
         // no fallthrough if we can't fall through or have https auth
-        if (!ssh || hosted.auth)
+        if (!ssh || hosted.auth) {
           throw er
+        }
         return this[_resolvedFromRepo](ssh)
       })
   }
 
   [_resolvedFromRepo] (gitRemote) {
     // XXX make this a custom error class
-    if (!gitRemote)
+    if (!gitRemote) {
       return Promise.reject(new Error(`No git url for ${this.spec}`))
+    }
     const gitRange = this.spec.gitRange
     const name = this.spec.name
     return git.revs(gitRemote, this.opts).then(remoteRefs => {
       return gitRange ? pickManifest({
-          versions: remoteRefs.versions,
-          'dist-tags': remoteRefs['dist-tags'],
-          name,
-        }, gitRange, this.opts)
+        versions: remoteRefs.versions,
+        'dist-tags': remoteRefs['dist-tags'],
+        name,
+      }, gitRange, this.opts)
         : this.spec.gitCommittish ?
           remoteRefs.refs[this.spec.gitCommittish] ||
           remoteRefs.refs[remoteRefs.shas[this.spec.gitCommittish]]
-        : remoteRefs.refs.HEAD // no git committish, get default head
+          : remoteRefs.refs.HEAD // no git committish, get default head
     }).then(revDoc => {
       // the committish provided isn't in the rev list
       // things like HEAD~3 or @yesterday can land here.
-      if (!revDoc || !revDoc.sha)
+      if (!revDoc || !revDoc.sha) {
         return this[_resolvedFromClone]()
+      }
 
       this.resolvedRef = revDoc
       this.resolvedSha = revDoc.sha
@@ -145,16 +151,18 @@ class GitFetcher extends Fetcher {
   }
 
   [_prepareDir] (dir) {
-    return readPackageJson(dir + '/package.json').then(mani => {
+    return this[_readPackageJson](dir + '/package.json').then(mani => {
       // no need if we aren't going to do any preparation.
       const scripts = mani.scripts
-      if (!scripts || !(
-          scripts.postinstall ||
+      if (!mani.workspaces && (!scripts || !(
+        scripts.postinstall ||
           scripts.build ||
           scripts.preinstall ||
           scripts.install ||
-          scripts.prepare))
+          scripts.prepack ||
+          scripts.prepare))) {
         return
+      }
 
       // to avoid cases where we have an cycle of git deps that depend
       // on one another, we only ever do preparation for one instance
@@ -166,7 +174,7 @@ class GitFetcher extends Fetcher {
       const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? []
         : process.env._PACOTE_NO_PREPARE_.split('\n')
       if (noPrepare.includes(this.resolved)) {
-        this.log.info('prepare', 'skip prepare, already seen', this.resolved)
+        log.info('prepare', 'skip prepare, already seen', this.resolved)
         return
       }
       noPrepare.push(this.resolved)
@@ -202,9 +210,9 @@ class GitFetcher extends Fetcher {
         dirStream.on('end', res)
         dirStream.pipe(stream)
       }))).catch(
-        /* istanbul ignore next: very unlikely and hard to test */
-        er => stream.emit('error', er)
-      )
+      /* istanbul ignore next: very unlikely and hard to test */
+      er => stream.emit('error', er)
+    )
     return stream
   }
 
@@ -237,10 +245,11 @@ class GitFetcher extends Fetcher {
           integrity: null, // it'll always be different, if we have one
         }).extract(tmp).then(() => handler(tmp), er => {
           // fall back to ssh download if tarball fails
-          if (er.constructor.name.match(/^Http/))
+          if (er.constructor.name.match(/^Http/)) {
             return this[_clone](handler, false)
-          else
+          } else {
             throw er
+          }
         })
       }
 
@@ -249,10 +258,11 @@ class GitFetcher extends Fetcher {
         : this[_cloneRepo](this.spec.fetchSpec, ref, tmp)
       ).then(sha => {
         this.resolvedSha = sha
-        if (!this.resolved)
+        if (!this.resolved) {
           this[_addGitSha](sha)
+        }
       })
-      .then(() => handler(tmp))
+        .then(() => handler(tmp))
     })
   }
 
@@ -266,12 +276,14 @@ class GitFetcher extends Fetcher {
     return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp)
       .catch(er => {
         // Throw early since we know pathspec errors will fail again if retried
-        if (er instanceof git.errors.GitPathspecError)
+        if (er instanceof git.errors.GitPathspecError) {
           throw er
+        }
         const ssh = hosted.sshurl && hosted.sshurl({ noCommittish: true })
         // no fallthrough if we can't fall through or have https auth
-        if (!ssh || hosted.auth)
+        if (!ssh || hosted.auth) {
           throw er
+        }
         return this[_cloneRepo](ssh, ref, tmp)
       })
   }
@@ -282,19 +294,20 @@ class GitFetcher extends Fetcher {
   }
 
   manifest () {
-    if (this.package)
+    if (this.package) {
       return Promise.resolve(this.package)
+    }
 
     return this.spec.hosted && this.resolved
       ? FileFetcher.prototype.manifest.apply(this)
       : this[_clone](dir =>
-          readPackageJson(dir + '/package.json')
-            .then(mani => this.package = {
-              ...mani,
-              _integrity: this.integrity && String(this.integrity),
-              _resolved: this.resolved,
-              _from: this.from,
-            }))
+        this[_readPackageJson](dir + '/package.json')
+          .then(mani => this.package = {
+            ...mani,
+            _integrity: this.integrity && String(this.integrity),
+            _resolved: this.resolved,
+            _from: this.from,
+          }))
   }
 
   packument () {

package/lib/registry.js

@@ -2,11 +2,11 @@ const Fetcher = require('./fetcher.js')
 const RemoteFetcher = require('./remote.js')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
+const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const npa = require('npm-package-arg')
 const rpj = require('read-package-json-fast')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
-const Minipass = require('minipass')
 
 // Corgis are cute. 🐕🐶
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
@@ -32,10 +32,11 @@ class RegistryFetcher extends Fetcher {
     // handle case when npm-package-arg guesses wrong.
     if (this.spec.type === 'tag' &&
         this.spec.rawSpec === '' &&
-        this.defaultTag !== 'latest')
+        this.defaultTag !== 'latest') {
       this.spec = npa(`${this.spec.name}@${this.defaultTag}`)
+    }
     this.registry = fetch.pickRegistry(spec, opts)
-    this.packumentUrl = this.registry.replace(/\/*$/, '/') +
+    this.packumentUrl = removeTrailingSlashes(this.registry) + '/' +
       this.spec.escapedName
 
     // XXX pacote <=9 has some logic to ignore opts.resolved if
@@ -45,13 +46,15 @@ class RegistryFetcher extends Fetcher {
   }
 
   resolve () {
-    if (this.resolved)
+    if (this.resolved) {
       return Promise.resolve(this.resolved)
+    }
 
     // fetching the manifest sets resolved and (usually) integrity
     return this.manifest().then(() => {
-      if (this.resolved)
+      if (this.resolved) {
         return this.resolved
+      }
 
       throw Object.assign(
         new Error('Invalid package manifest: no `dist.tarball` field'),
@@ -77,8 +80,9 @@ class RegistryFetcher extends Fetcher {
     // note this might be either an in-flight promise for a request,
     // or the actual packument, but we never want to make more than
     // one request at a time for the same thing regardless.
-    if (this.packumentCache && this.packumentCache.has(this.packumentUrl))
+    if (this.packumentCache && this.packumentCache.has(this.packumentUrl)) {
       return this.packumentCache.get(this.packumentUrl)
+    }
 
     // npm-registry-fetch the packument
     // set the appropriate header for corgis if fullMetadata isn't set
@@ -92,12 +96,14 @@ class RegistryFetcher extends Fetcher {
     }).then(res => res.json().then(packument => {
       packument._cached = res.headers.has('x-local-cache')
       packument._contentLength = +res.headers.get('content-length')
-      if (this.packumentCache)
+      if (this.packumentCache) {
         this.packumentCache.set(this.packumentUrl, packument)
+      }
       return packument
     })).catch(er => {
-      if (this.packumentCache)
+      if (this.packumentCache) {
         this.packumentCache.delete(this.packumentUrl)
+      }
       if (er.code === 'E404' && !this.fullMetadata) {
         // possible that corgis are not supported by this registry
         this.fullMetadata = true
@@ -105,14 +111,16 @@ class RegistryFetcher extends Fetcher {
       }
       throw er
     })
-    if (this.packumentCache)
+    if (this.packumentCache) {
       this.packumentCache.set(this.packumentUrl, p)
+    }
     return p
   }
 
   manifest () {
-    if (this.package)
+    if (this.package) {
       return Promise.resolve(this.package)
+    }
 
     return this.packument()
       .then(packument => pickManifest(packument, this.spec.fetchSpec, {
@@ -127,12 +135,12 @@ class RegistryFetcher extends Fetcher {
           this.resolved = mani._resolved = dist.tarball
           mani._from = this.from
           const distIntegrity = dist.integrity ? ssri.parse(dist.integrity)
-            : dist.shasum ? ssri.fromHex(dist.shasum, 'sha1', {...this.opts})
+            : dist.shasum ? ssri.fromHex(dist.shasum, 'sha1', { ...this.opts })
             : null
           if (distIntegrity) {
-            if (!this.integrity)
+            if (!this.integrity) {
               this.integrity = distIntegrity
-            else if (!this.integrity.match(distIntegrity)) {
+            } else if (!this.integrity.match(distIntegrity)) {
               // only bork if they have algos in common.
               // otherwise we end up breaking if we have saved a sha512
               // previously for the tarball, but the manifest only
@@ -143,7 +151,7 @@ class RegistryFetcher extends Fetcher {
               for (const algo of Object.keys(this.integrity)) {
                 if (distIntegrity[algo]) {
                   throw Object.assign(new Error(
-                    `Integrity checksum failed when using ${algo}: `+
+                    `Integrity checksum failed when using ${algo}: ` +
                     `wanted ${this.integrity} but got ${distIntegrity}.`
                   ), { code: 'EINTEGRITY' })
                 }
@@ -155,8 +163,9 @@ class RegistryFetcher extends Fetcher {
             }
           }
         }
-        if (this.integrity)
+        if (this.integrity) {
           mani._integrity = String(this.integrity)
+        }
         this.package = rpj.normalize(mani)
         return this.package
       })

package/lib/remote.js

@@ -3,7 +3,6 @@ const FileFetcher = require('./file.js')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
 const fetch = require('npm-registry-fetch')
-const ssri = require('ssri')
 const Minipass = require('minipass')
 // The default registry URL is a string of great magic.
 const magic = /^https?:\/\/registry\.npmjs\.org\//
@@ -14,8 +13,9 @@ class RemoteFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
     this.resolved = this.spec.fetchSpec
-    if (magic.test(this.resolved) && !magic.test(this.registry + '/'))
+    if (magic.test(this.resolved) && !magic.test(this.registry + '/')) {
       this.resolved = this.resolved.replace(magic, this.registry + '/')
+    }
 
     // nam is a fermented pork sausage that is good to eat
     const nameat = this.spec.name ? `${this.spec.name}@` : ''
@@ -35,7 +35,7 @@ class RemoteFetcher extends Fetcher {
       headers: this[_headers](),
       spec: this.spec,
       integrity: this.integrity,
-      algorithms: [ this.pickIntegrityAlgorithm() ],
+      algorithms: [this.pickIntegrityAlgorithm()],
     }
     fetch(this.resolved, fetchOpts).then(res => {
       const hash = res.headers.get('x-local-cache-hash')
@@ -62,7 +62,7 @@ class RemoteFetcher extends Fetcher {
       'pacote-req-type': 'tarball',
       'pacote-pkg-id': this.pkgid,
       ...(this.integrity ? { 'pacote-integrity': String(this.integrity) }
-        : {}),
+      : {}),
       ...(this.opts.headers || {}),
     }
   }

package/lib/util/cache-dir.js

@@ -1,5 +1,5 @@
 const os = require('os')
-const {resolve} = require('path')
+const { resolve } = require('path')
 
 module.exports = (fakePlatform = false) => {
   const temp = os.tmpdir()

package/lib/util/is-package-bin.js

@@ -12,10 +12,11 @@ const binObj = (name, bin) =>
 
 const hasBin = (pkg, path) => {
   const bin = binObj(pkg.name, pkg.bin)
-  const p = path.replace(/^[^\\\/]*\//, '')
-  for (const [k, v] of Object.entries(bin)) {
-    if (v === p)
+  const p = path.replace(/^[^\\/]*\//, '')
+  for (const kv of Object.entries(bin)) {
+    if (kv[1] === p) {
       return true
+    }
   }
   return false
 }

package/lib/util/npm.js

@@ -1,6 +1,5 @@
 // run an npm command
 const spawn = require('@npmcli/promise-spawn')
-const {dirname} = require('path')
 
 module.exports = (npmBin, npmCommand, cwd, env, extra) => {
   const isJS = npmBin.endsWith('.js')

package/lib/util/tar-create-options.js

@@ -9,7 +9,7 @@ const tarCreateOptions = manifest => ({
     // platform specific optimizations that cause
     // integrity mismatch errors due to differing
     // end results after compression
-    level: 9
+    level: 9,
   },
 
   // ensure that package bins are always executable
@@ -17,8 +17,9 @@ const tarCreateOptions = manifest => ({
   // anything that is not a regular file, ignored by
   // .npmignore or package.json "files", etc.
   filter: (path, stat) => {
-    if (isPackageBin(manifest, path))
+    if (isPackageBin(manifest, path)) {
       stat.mode |= 0o111
+    }
     return true
   },
 

package/lib/util/trailing-slashes.js

@@ -0,0 +1,10 @@
+const removeTrailingSlashes = (input) => {
+  // in order to avoid regexp redos detection
+  let output = input
+  while (output.endsWith('/')) {
+    output = output.substr(0, output.length - 1)
+  }
+  return output
+}
+
+module.exports = removeTrailingSlashes

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "pacote",
-  "version": "12.0.2",
+  "version": "13.0.2",
   "description": "JavaScript package downloader",
-  "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
+  "author": "GitHub Inc.",
   "bin": {
     "pacote": "lib/bin.js"
   },
@@ -13,19 +13,26 @@
     "snap": "tap",
     "preversion": "npm test",
     "postversion": "npm publish",
-    "prepublishOnly": "git push origin --follow-tags"
+    "prepublishOnly": "git push origin --follow-tags",
+    "lint": "eslint '**/*.js'",
+    "postlint": "npm-template-check",
+    "lintfix": "npm run lint -- --fix",
+    "posttest": "npm run lint",
+    "template-copy": "npm-template-copy --force"
   },
   "tap": {
     "timeout": 300,
     "coverage-map": "map.js"
   },
   "devDependencies": {
+    "@npmcli/template-oss": "^2.7.1",
     "mutate-fs": "^2.1.1",
     "npm-registry-mock": "^1.3.1",
-    "tap": "^15.0.4"
+    "tap": "^15.1.6"
   },
   "files": [
-    "lib/**/*.js"
+    "bin",
+    "lib"
   ],
   "keywords": [
     "packages",
@@ -33,28 +40,34 @@
     "git"
   ],
   "dependencies": {
-    "@npmcli/git": "^2.1.0",
-    "@npmcli/installed-package-contents": "^1.0.6",
+    "@npmcli/git": "^3.0.0",
+    "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/promise-spawn": "^1.2.0",
     "@npmcli/run-script": "^2.0.0",
-    "cacache": "^15.0.5",
+    "cacache": "^15.3.0",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",
     "infer-owner": "^1.0.4",
-    "minipass": "^3.1.3",
-    "mkdirp": "^1.0.3",
-    "npm-package-arg": "^8.0.1",
+    "minipass": "^3.1.6",
+    "mkdirp": "^1.0.4",
+    "npm-package-arg": "^9.0.0",
     "npm-packlist": "^3.0.0",
-    "npm-pick-manifest": "^6.0.0",
-    "npm-registry-fetch": "^11.0.0",
+    "npm-pick-manifest": "^7.0.0",
+    "npm-registry-fetch": "^13.0.0",
+    "proc-log": "^2.0.0",
     "promise-retry": "^2.0.1",
-    "read-package-json-fast": "^2.0.1",
+    "read-package-json": "^4.1.1",
+    "read-package-json-fast": "^2.0.3",
     "rimraf": "^3.0.2",
     "ssri": "^8.0.1",
-    "tar": "^6.1.0"
+    "tar": "^6.1.11"
   },
   "engines": {
     "node": "^12.13.0 || ^14.15.0 || >=16"
   },
-  "repository": "git@github.com:npm/pacote"
+  "repository": "git@github.com:npm/pacote",
+  "templateOSS": {
+    "version": "2.7.1",
+    "windowsCI": false
+  }
 }

package/lib/util/proc-log.js

@@ -1,21 +0,0 @@
-// default logger.
-// emits 'log' events on the process
-const LEVELS = [
-  'notice',
-  'error',
-  'warn',
-  'info',
-  'verbose',
-  'http',
-  'silly',
-  'pause',
-  'resume'
-]
-
-const log = level => (...args) => process.emit('log', level, ...args)
-
-const logger = {}
-for (const level of LEVELS) {
-  logger[level] = log(level)
-}
-module.exports = logger