pacote 15.1.2 → 15.2.0
- package/README.md +3 -0
- package/lib/dir.js +1 -1
- package/lib/fetcher.js +3 -2
- package/lib/git.js +1 -1
- package/lib/registry.js +4 -1
- package/lib/remote.js +1 -1
- package/lib/util/cache-dir.js +4 -1
- package/package.json +2 -2
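--- a/package/README.md
+++ b/package/README.md
@@ -175,6 +175,9 @@ resolved, and other properties, as they are determined.
 * `verifyAttestations` A boolean that will make pacote verify Sigstore
 attestations, if present. There must be a configured `_keys` entry in the
 config that is scoped to the registry the manifest is being fetched from.
+* `tufCache` Where to store metadata/target files when retrieving the package
+attestation key material via TUF. Defaults to the same cache directory that
+npm will use by default, based on platform and environment.
 
 ### Advanced API
 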
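--- a/package/lib/dir.js
+++ b/package/lib/dir.js
@@ -1,6 +1,6 @@
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
-const Minipass = require('minipass')
+const { Minipass } = require('minipass')
 const tarCreateOptions = require('./util/tar-create-options.js')
 const packlist = require('npm-packlist')
 const tar = require('tar')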
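--- a/package/lib/fetcher.js
+++ b/package/lib/fetcher.js
@@ -18,7 +18,7 @@ const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const getContents = require('@npmcli/installed-package-contents')
 const readPackageJsonFast = require('read-package-json-fast')
 const readPackageJson = promisify(require('read-package-json'))
-const Minipass = require('minipass')
+const { Minipass } = require('minipass')
 
 const cacheDir = require('./util/cache-dir.js')
 
@@ -61,7 +61,8 @@ class FetcherBase {
 // by adding/modifying the integrity value.
 this.opts = { ...opts }
 
-this.cache = opts.cache || cacheDir()
+this.cache = opts.cache || cacheDir().cacache
+this.tufCache = opts.tufCache || cacheDir().tufcache
 this.resolved = opts.resolved || null
 
 // default to caching/verifying with sha512, that's what we usually have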
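Review bot: The new `this.tufCache` assignment takes whatever path `opts.tufCache` carries and has no comment saying the directory is trust-sensitive; it is passed to `sigstore.verify` as `tufCachePath` in lib/registry.js, and the README describes it as the store for attestation key material retrieved via TUF. I would add `// tufCache holds TUF metadata used to verify attestations; keep it writable only by the current user` above the assignment. The two assignments also evaluate `cacheDir()` twice; `const defaults = cacheDir()` followed by `opts.cache || defaults.cacache` and `opts.tufCache || defaults.tufcache` resolves the paths once. The constructor starts and ends outside this hunk.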
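--- a/package/lib/git.js
+++ b/package/lib/git.js
@@ -6,7 +6,7 @@ const hashre = /^[a-f0-9]{40}$/
 const git = require('@npmcli/git')
 const pickManifest = require('npm-pick-manifest')
 const npa = require('npm-package-arg')
-const Minipass = require('minipass')
+const { Minipass } = require('minipass')
 const cacache = require('cacache')
 const log = require('proc-log')
 const npm = require('./util/npm.js')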
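--- a/package/lib/registry.js
+++ b/package/lib/registry.js
@@ -295,7 +295,10 @@ class RegistryFetcher extends Fetcher {
 //
 // Publish attestations are signed with a keyid so we need to
 // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
-const options = {
+const options = {
+tufCachePath: this.tufCache,
+keySelector: publicKey ? () => publicKey.pemkey : undefined,
+}
 await sigstore.verify(bundle, null, options)
 } catch (e) {
 throw Object.assign(new Error(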
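Review bot: The comment above `options` explains only the keyid case, while the new object also covers a falsy `publicKey`, where `keySelector` is `undefined` and nothing states what the bundle is verified against. Presumably sigstore then relies on key material distributed via TUF and cached under `tufCachePath`; that should be confirmed and recorded next to the option, e.g. `// without a registry key, verification relies on TUF-distributed key material cached in tufCachePath`. The lookup of `publicKey` and the opening of the surrounding `try` are outside this hunk, so whether a missing key is rejected earlier cannot be judged from here.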
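--- a/package/lib/remote.js
+++ b/package/lib/remote.js
@@ -3,7 +3,7 @@ const FileFetcher = require('./file.js')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
 const fetch = require('npm-registry-fetch')
-const Minipass = require('minipass')
+const { Minipass } = require('minipass')
 
 const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
 const _headers = Symbol('_headers')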
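--- a/package/lib/util/cache-dir.js
+++ b/package/lib/util/cache-dir.js
@@ -8,5 +8,8 @@ module.exports = (fakePlatform = false) => {
 const platform = fakePlatform || process.platform
 const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
 const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
-return
+return {
+cacache: resolve(cacheRoot, cacheExtra, '_cacache'),
+tufcache: resolve(cacheRoot, cacheExtra, '_tuf'),
+}
 }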
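Review bot: The exported function now returns an object with `cacache` and `tufcache` keys, and nothing in the file documents that shape. The removed `return` line is cut off on this page, but lib/fetcher.js previously used `cacheDir()` directly as the cache path, so any other caller that still treats the result as a string would get an object instead. Only lib/fetcher.js is updated in this diff. A JSDoc line such as `/** @returns {{cacache: string, tufcache: string}} default cache paths under the npm cache root */` above `module.exports` would make the contract explicit. Because `_tuf` sits beside `_cacache` under the same root, it inherits that directory's permissions, which is worth stating given it stores verification metadata. The start of the function, including how `home` is derived, is outside this hunk.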
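--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pacote",
-"version": "15.
+"version": "15.2.0",
 "description": "JavaScript package downloader",
 "author": "GitHub Inc.",
 "bin": {
@@ -50,7 +50,7 @@
 "@npmcli/run-script": "^6.0.0",
 "cacache": "^17.0.0",
 "fs-minipass": "^3.0.0",
-"minipass": "^
+"minipass": "^5.0.0",
 "npm-package-arg": "^10.0.0",
 "npm-packlist": "^7.0.0",
 "npm-pick-manifest": "^8.0.0",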