pacote 17.0.4 → 17.0.6
- package/lib/registry.js +29 -4
- package/package.json +6 -12
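--- a/package/lib/registry.js
+++ b/package/lib/registry.js
@@ -14,6 +14,10 @@ const sigstore = require('sigstore')
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
 const fullDoc = 'application/json'
 
+// Some really old packages have no time field in their packument so we need a
+// cutoff date.
+const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'
+
 const fetch = require('npm-registry-fetch')
 
 const _headers = Symbol('_headers')
@@ -115,6 +119,13 @@ class RegistryFetcher extends Fetcher {
 return this.package
 }
 
+// When verifying signatures, we need to fetch the full/uncompressed
+// packument to get publish time as this is not included in the
+// corgi/compressed packument.
+if (this.opts.verifySignatures) {
+this.fullMetadata = true
+}
+
 const packument = await this.packument()
 let mani = await pickManifest(packument, this.spec.fetchSpec, {
 ...this.opts,
@@ -124,6 +135,12 @@ class RegistryFetcher extends Fetcher {
 mani = rpj.normalize(mani)
 /* XXX add ETARGET and E403 revalidation of cached packuments here */
 
+// add _time from packument if fetched with fullMetadata
+const time = packument.time?.[mani.version]
+if (time) {
+mani._time = time
+}
+
 // add _resolved and _integrity from dist object
 const { dist } = mani
 if (dist) {
@@ -171,8 +188,10 @@ class RegistryFetcher extends Fetcher {
 'but no corresponding public key can be found'
 ), { code: 'EMISSINGSIGNATUREKEY' })
 }
-
-
+
+const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF)
+const validPublicKey = !publicKey.expires ||
+publishedTime < Date.parse(publicKey.expires)
 if (!validPublicKey) {
 throw Object.assign(new Error(
 `${mani._id} has a registry signature with keyid: ${signature.keyid} ` +
@@ -254,8 +273,13 @@ class RegistryFetcher extends Fetcher {
 ), { code: 'EMISSINGSIGNATUREKEY' })
 }
 
-const
-
+const integratedTime = new Date(
+Number(
+bundle.verificationMaterial.tlogEntries[0].integratedTime
+) * 1000
+)
+const validPublicKey = !publicKey.expires ||
+(integratedTime < Date.parse(publicKey.expires))
 if (!validPublicKey) {
 throw Object.assign(new Error(
 `${mani._id} has attestations with keyid: ${keyid} ` +
@@ -297,6 +321,7 @@ class RegistryFetcher extends Fetcher {
 // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
 const options = {
 tufCachePath: this.tufCache,
+tufForceCache: true,
 keySelector: publicKey ? () => publicKey.pemkey : undefined,
 }
 await sigstore.verify(bundle, options)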
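Review bot: The fallback `Date.parse(mani._time || MISSING_TIME_CUTOFF)` in the registry-signature hunk fails open: whenever `_time` is absent — a registry that serves no `time` map, or a `time` map with no entry for `mani.version` — the publish date becomes 2015-01-01, which precedes any plausible `publicKey.expires`, so an expired key is accepted in exactly the cases where the publish date is unknown. I would reserve the cutoff for packuments with no `time` map at all and throw with a distinct error code when `packument.time` exists but lacks `mani.version` (assuming `packument` is still in scope here, as it is in the earlier hunk of what looks like the same method). A comment above the check would also help, since nothing in these hunks binds the publish time to the signature: `// publish time is registry-asserted packument metadata; a compromised registry could backdate it to satisfy this expiry check`. In the attestation hunk, `bundle.verificationMaterial.tlogEntries[0].integratedTime` is read before `sigstore.verify` runs and will throw a bare TypeError on a bundle with no tlog entries rather than a coded error like the surrounding checks. The enclosing method starts and ends outside these hunks.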
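--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pacote",
-"version": "17.0.
+"version": "17.0.6",
 "description": "JavaScript package downloader",
 "author": "GitHub Inc.",
 "bin": {
@@ -11,7 +11,7 @@
 "scripts": {
 "test": "tap",
 "snap": "tap",
-"lint": "eslint \"**/*.js\"",
+"lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
 "postlint": "template-oss-check",
 "lintfix": "npm run lint -- --fix",
 "posttest": "npm run lint",
@@ -25,9 +25,9 @@
 ]
 },
 "devDependencies": {
-"@npmcli/arborist": "^
+"@npmcli/arborist": "^7.1.0",
 "@npmcli/eslint-config": "^4.0.0",
-"@npmcli/template-oss": "4.
+"@npmcli/template-oss": "4.21.3",
 "hosted-git-info": "^7.0.0",
 "mutate-fs": "^2.1.1",
 "nock": "^13.2.4",
@@ -59,7 +59,7 @@
 "promise-retry": "^2.0.1",
 "read-package-json": "^7.0.0",
 "read-package-json-fast": "^3.0.0",
-"sigstore": "^2.
+"sigstore": "^2.2.0",
 "ssri": "^10.0.0",
 "tar": "^6.1.11"
 },
@@ -72,13 +72,7 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-"
-"16.14.0",
-"16.x",
-"18.0.0",
-"18.x"
-],
-"version": "4.18.0",
+"version": "4.21.3",
 "windowsCI": false,
 "publish": "true"
 }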