pacote 13.5.0 → 13.6.2

package/README.md

@@ -237,6 +237,7 @@ In addition to the common `package.json` fields, manifests include:
   artifact can be found.
 * `manifest._from` A normalized form of the spec passed in as an argument.
 * `manifest._integrity` The integrity value for the package artifact.
+* `manifest._id` The canonical spec of this package version: name@version.
 * `manifest.dist` Registry manifests (those included in a packument) have a
   `dist` object.  Only `tarball` is required, though at least one of
   `shasum` or `integrity` is almost always present.
@@ -274,3 +275,8 @@ For Pacote's purposes, the following fields are relevant:
   `foo@latest` gets turned into `foo@1.2.3`.
 * `time` In the full packument, an object mapping version numbers to
   publication times, for the `opts.before` functionality.
+
+Pacote adds the following fields, regardless of the accept header:
+
+* `_cached` Whether the packument was fetched from the network or the local cache.
+* `_contentLength` The size of the packument.

package/lib/bin.js

@@ -18,10 +18,15 @@ const run = conf => {
     case 'tarball':
       if (!conf._[2] || conf._[2] === '-') {
         return pacote.tarball.stream(conf._[1], stream => {
-          stream.pipe(conf.testStdout ||
-          /* istanbul ignore next */ process.stdout)
+          stream.pipe(
+            conf.testStdout ||
+            /* istanbul ignore next */
+            process.stdout
+          )
           // make sure it resolves something falsey
-          return stream.promise().then(() => {})
+          return stream.promise().then(() => {
+            return false
+          })
         }, conf)
       } else {
         return pacote.tarball.file(conf._[1], conf._[2], conf)

package/lib/fetcher.js

@@ -18,6 +18,7 @@ const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const getContents = require('@npmcli/installed-package-contents')
 const readPackageJsonFast = require('read-package-json-fast')
 const readPackageJson = promisify(require('read-package-json'))
+const Minipass = require('minipass')
 
 // we only change ownership on unix platforms, and only if uid is 0
 const selfOwner = process.getuid && process.getuid() === 0 ? {
@@ -105,15 +106,10 @@ class FetcherBase {
       this[_readPackageJson] = readPackageJsonFast
     }
 
-    // config values: npmjs (default), never, always
-    // we don't want to mutate the original value
-    if (opts.replaceRegistryHost !== 'never'
-      && opts.replaceRegistryHost !== 'always'
-    ) {
-      this.replaceRegistryHost = 'npmjs'
-    } else {
-      this.replaceRegistryHost = opts.replaceRegistryHost
-    }
+    // rrh is a registry hostname or 'never' or 'always'
+    // defaults to registry.npmjs.org
+    this.replaceRegistryHost = (!opts.replaceRegistryHost || opts.replaceRegistryHost === 'npmjs') ?
+      'registry.npmjs.org' : opts.replaceRegistryHost
 
     this.defaultTag = opts.defaultTag || 'latest'
     this.registry = removeTrailingSlashes(opts.registry || 'https://registry.npmjs.org')
@@ -224,18 +220,18 @@ class FetcherBase {
   }
 
   [_istream] (stream) {
-    // everyone will need one of these, either for verifying or calculating
-    // We always set it, because we have might only have a weak legacy hex
-    // sha1 in the packument, and this MAY upgrade it to a stronger algo.
-    // If we had an integrity, and it doesn't match, then this does not
-    // override that error; the istream will raise the error before it
-    // gets to the point of re-setting the integrity.
-    const istream = ssri.integrityStream(this.opts)
-    istream.on('integrity', i => this.integrity = i)
-    stream.on('error', er => istream.emit('error', er))
-
-    // if not caching this, just pipe through to the istream and return it
+    // if not caching this, just return it
     if (!this.opts.cache || !this[_cacheFetches]) {
+      // instead of creating a new integrity stream, we only piggyback on the
+      // provided stream's events
+      if (stream.hasIntegrityEmitter) {
+        stream.on('integrity', i => this.integrity = i)
+        return stream
+      }
+
+      const istream = ssri.integrityStream(this.opts)
+      istream.on('integrity', i => this.integrity = i)
+      stream.on('error', err => istream.emit('error', err))
       return stream.pipe(istream)
     }
 
@@ -243,21 +239,24 @@ class FetcherBase {
     // but then pipe from the original tarball stream into the cache as well.
     // To do this without losing any data, and since the cacache put stream
     // is not a passthrough, we have to pipe from the original stream into
-    // the cache AFTER we pipe into the istream.  Since the cache stream
+    // the cache AFTER we pipe into the middleStream.  Since the cache stream
     // has an asynchronous flush to write its contents to disk, we need to
-    // defer the istream end until the cache stream ends.
-    stream.pipe(istream, { end: false })
+    // defer the middleStream end until the cache stream ends.
+    const middleStream = new Minipass()
+    stream.on('error', err => middleStream.emit('error', err))
+    stream.pipe(middleStream, { end: false })
     const cstream = cacache.put.stream(
       this.opts.cache,
       `pacote:tarball:${this.from}`,
       this.opts
     )
+    cstream.on('integrity', i => this.integrity = i)
+    cstream.on('error', err => stream.emit('error', err))
     stream.pipe(cstream)
-    // defer istream end until after cstream
-    // cache write errors should not crash the fetch, this is best-effort.
-    cstream.promise().catch(() => {}).then(() => istream.end())
 
-    return istream
+    // eslint-disable-next-line promise/catch-or-return
+    cstream.promise().catch(() => {}).then(() => middleStream.end())
+    return middleStream
   }
 
   pickIntegrityAlgorithm () {
@@ -271,7 +270,10 @@ class FetcherBase {
   }
 
   // override the types getter
-  get types () {}
+  get types () {
+    return false
+  }
+
   [_assertType] () {
     if (this.types && !this.types.includes(this.spec.type)) {
       throw new TypeError(`Wrong spec type (${

package/lib/git.js

@@ -239,7 +239,7 @@ class GitFetcher extends Fetcher {
     tarballOk = tarballOk &&
       h && resolved === repoUrl(h, { noCommittish: false }) && h.tarball
 
-    return cacache.tmp.withTmp(this.cache, o, tmp => {
+    return cacache.tmp.withTmp(this.cache, o, async tmp => {
       // if we're resolved, and have a tarball url, shell out to RemoteFetcher
       if (tarballOk) {
         const nameat = this.spec.name ? `${this.spec.name}@` : ''
@@ -259,16 +259,15 @@ class GitFetcher extends Fetcher {
         })
       }
 
-      return (
+      const sha = await (
         h ? this[_cloneHosted](ref, tmp)
         : this[_cloneRepo](this.spec.fetchSpec, ref, tmp)
-      ).then(sha => {
-        this.resolvedSha = sha
-        if (!this.resolved) {
-          this[_addGitSha](sha)
-        }
-      })
-        .then(() => handler(tmp))
+      )
+      this.resolvedSha = sha
+      if (!this.resolved) {
+        await this[_addGitSha](sha)
+      }
+      return handler(tmp)
     })
   }
 

package/lib/registry.js

@@ -122,11 +122,12 @@ class RegistryFetcher extends Fetcher {
     }
 
     const packument = await this.packument()
-    const mani = await pickManifest(packument, this.spec.fetchSpec, {
+    let mani = await pickManifest(packument, this.spec.fetchSpec, {
       ...this.opts,
       defaultTag: this.defaultTag,
       before: this.before,
     })
+    mani = rpj.normalize(mani)
     /* XXX add ETARGET and E403 revalidation of cached packuments here */
 
     // add _resolved and _integrity from dist object
@@ -165,49 +166,53 @@ class RegistryFetcher extends Fetcher {
       mani._integrity = String(this.integrity)
       if (dist.signatures) {
         if (this.opts.verifySignatures) {
-          if (this.registryKeys) {
-            // validate and throw on error, then set _signatures
-            const message = `${mani._id}:${mani._integrity}`
-            for (const signature of dist.signatures) {
-              const publicKey = this.registryKeys.filter(key => (key.keyid === signature.keyid))[0]
-              if (!publicKey) {
-                throw Object.assign(new Error(
-                  `${mani._id} has a signature with keyid: ${signature.keyid} ` +
-                  'but no corresponding public key can be found.'
-                ), { code: 'EMISSINGSIGNATUREKEY' })
-              }
-              const validPublicKey =
-                !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
-              if (!validPublicKey) {
-                throw Object.assign(new Error(
-                  `${mani._id} has a signature with keyid: ${signature.keyid} ` +
+          // validate and throw on error, then set _signatures
+          const message = `${mani._id}:${mani._integrity}`
+          for (const signature of dist.signatures) {
+            const publicKey = this.registryKeys &&
+              this.registryKeys.filter(key => (key.keyid === signature.keyid))[0]
+            if (!publicKey) {
+              throw Object.assign(new Error(
+                  `${mani._id} has a registry signature with keyid: ${signature.keyid} ` +
+                  'but no corresponding public key can be found'
+              ), { code: 'EMISSINGSIGNATUREKEY' })
+            }
+            const validPublicKey =
+              !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+            if (!validPublicKey) {
+              throw Object.assign(new Error(
+                  `${mani._id} has a registry signature with keyid: ${signature.keyid} ` +
                   `but the corresponding public key has expired ${publicKey.expires}`
-                ), { code: 'EEXPIREDSIGNATUREKEY' })
-              }
-              const verifier = crypto.createVerify('SHA256')
-              verifier.write(message)
-              verifier.end()
-              const valid = verifier.verify(
-                publicKey.pemkey,
-                signature.sig,
-                'base64'
-              )
-              if (!valid) {
-                throw Object.assign(new Error(
-                  'Integrity checksum signature failed: ' +
-                  `key ${publicKey.keyid} signature ${signature.sig}`
-                ), { code: 'EINTEGRITYSIGNATURE' })
-              }
+              ), { code: 'EEXPIREDSIGNATUREKEY' })
+            }
+            const verifier = crypto.createVerify('SHA256')
+            verifier.write(message)
+            verifier.end()
+            const valid = verifier.verify(
+              publicKey.pemkey,
+              signature.sig,
+              'base64'
+            )
+            if (!valid) {
+              throw Object.assign(new Error(
+                  `${mani._id} has an invalid registry signature with ` +
+                  `keyid: ${publicKey.keyid} and signature: ${signature.sig}`
+              ), {
+                code: 'EINTEGRITYSIGNATURE',
+                keyid: publicKey.keyid,
+                signature: signature.sig,
+                resolved: mani._resolved,
+                integrity: mani._integrity,
+              })
             }
-            mani._signatures = dist.signatures
           }
-          // if no keys, don't set _signatures
+          mani._signatures = dist.signatures
         } else {
           mani._signatures = dist.signatures
         }
       }
     }
-    this.package = rpj.normalize(mani)
+    this.package = mani
     return this.package
   }
 

package/lib/remote.js

@@ -4,8 +4,6 @@ const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
 const fetch = require('npm-registry-fetch')
 const Minipass = require('minipass')
-// The default registry URL is a string of great magic.
-const magicHost = 'https://registry.npmjs.org'
 
 const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
 const _headers = Symbol('_headers')
@@ -14,11 +12,9 @@ class RemoteFetcher extends Fetcher {
     super(spec, opts)
     this.resolved = this.spec.fetchSpec
     const resolvedURL = new URL(this.resolved)
-    if (
-      (this.replaceRegistryHost === 'npmjs'
-        && resolvedURL.origin === magicHost)
-      || this.replaceRegistryHost === 'always'
-    ) {
+    if (this.replaceRegistryHost !== 'never'
+      && (this.replaceRegistryHost === 'always'
+      || this.replaceRegistryHost === resolvedURL.host)) {
       this.resolved = new URL(resolvedURL.pathname, this.registry).href
     }
 
@@ -35,6 +31,8 @@ class RemoteFetcher extends Fetcher {
 
   [_tarballFromResolved] () {
     const stream = new Minipass()
+    stream.hasIntegrityEmitter = true
+
     const fetchOpts = {
       ...this.opts,
       headers: this[_headers](),
@@ -42,16 +40,20 @@ class RemoteFetcher extends Fetcher {
       integrity: this.integrity,
       algorithms: [this.pickIntegrityAlgorithm()],
     }
-    fetch(this.resolved, fetchOpts).then(res => {
-      const hash = res.headers.get('x-local-cache-hash')
-      if (hash) {
-        this.integrity = decodeURIComponent(hash)
-      }
 
+    // eslint-disable-next-line promise/always-return
+    fetch(this.resolved, fetchOpts).then(res => {
       res.body.on('error',
         /* istanbul ignore next - exceedingly rare and hard to simulate */
         er => stream.emit('error', er)
-      ).pipe(stream)
+      )
+
+      res.body.on('integrity', i => {
+        this.integrity = i
+        stream.emit('integrity', i)
+      })
+
+      res.body.pipe(stream)
     }).catch(er => stream.emit('error', er))
 
     return stream

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "13.5.0",
+  "version": "13.6.2",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -21,8 +21,7 @@
     "template-oss-apply": "template-oss-apply --force"
   },
   "tap": {
-    "timeout": 300,
-    "coverage-map": "map.js"
+    "timeout": 300
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
@@ -46,7 +45,7 @@
     "@npmcli/git": "^3.0.0",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/promise-spawn": "^3.0.0",
-    "@npmcli/run-script": "^3.0.1",
+    "@npmcli/run-script": "^4.1.0",
     "cacache": "^16.0.0",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",