pacote 15.1.3 → 16.0.0

package/README.md

@@ -175,6 +175,9 @@ resolved, and other properties, as they are determined.
 * `verifyAttestations` A boolean that will make pacote verify Sigstore
     attestations, if present. There must be a configured `_keys` entry in the
     config that is scoped to the registry the manifest is being fetched from.
+* `tufCache` Where to store metadata/target files when retrieving the package
+  attestation key material via TUF. Defaults to the same cache directory that
+  npm will use by default, based on platform and environment.
 
 ### Advanced API
 

package/lib/fetcher.js

@@ -61,7 +61,8 @@ class FetcherBase {
     // by adding/modifying the integrity value.
     this.opts = { ...opts }
 
-    this.cache = opts.cache || cacheDir()
+    this.cache = opts.cache || cacheDir().cacache
+    this.tufCache = opts.tufCache || cacheDir().tufcache
     this.resolved = opts.resolved || null
 
     // default to caching/verifying with sha512, that's what we usually have

package/lib/registry.js

@@ -295,7 +295,10 @@ class RegistryFetcher extends Fetcher {
               //
               // Publish attestations are signed with a keyid so we need to
               // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
-              const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined }
+              const options = {
+                tufCachePath: this.tufCache,
+                keySelector: publicKey ? () => publicKey.pemkey : undefined,
+              }
               await sigstore.verify(bundle, null, options)
             } catch (e) {
               throw Object.assign(new Error(

package/lib/util/cache-dir.js

@@ -8,5 +8,8 @@ module.exports = (fakePlatform = false) => {
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
   const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
-  return resolve(cacheRoot, cacheExtra, '_cacache')
+  return {
+    cacache: resolve(cacheRoot, cacheExtra, '_cacache'),
+    tufcache: resolve(cacheRoot, cacheExtra, '_tuf'),
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "15.1.3",
+  "version": "16.0.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -27,7 +27,7 @@
   "devDependencies": {
     "@npmcli/arborist": "^6.0.0 || ^6.0.0-pre.0",
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.14.1",
+    "@npmcli/template-oss": "4.18.0",
     "hosted-git-info": "^6.0.0",
     "mutate-fs": "^2.1.1",
     "nock": "^13.2.4",
@@ -50,11 +50,11 @@
     "@npmcli/run-script": "^6.0.0",
     "cacache": "^17.0.0",
     "fs-minipass": "^3.0.0",
-    "minipass": "^5.0.0",
+    "minipass": "^7.0.2",
     "npm-package-arg": "^10.0.0",
     "npm-packlist": "^7.0.0",
     "npm-pick-manifest": "^8.0.0",
-    "npm-registry-fetch": "^14.0.0",
+    "npm-registry-fetch": "^15.0.0",
     "proc-log": "^3.0.0",
     "promise-retry": "^2.0.1",
     "read-package-json": "^6.0.0",
@@ -64,7 +64,7 @@
     "tar": "^6.1.11"
   },
   "engines": {
-    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+    "node": "^16.13.0 || >=18.0.0"
   },
   "repository": {
     "type": "git",
@@ -72,7 +72,13 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.14.1",
+    "ciVersions": [
+      "16.13.0",
+      "16.x",
+      "18.0.0",
+      "18.x"
+    ],
+    "version": "4.18.0",
     "windowsCI": false,
     "publish": "true"
   }