pacote 18.0.4 → 18.0.6

package/{lib/bin.js → bin/index.js}

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-/* eslint-disable no-console */
 
 const run = conf => {
   const pacote = require('../')

package/lib/dir.js

@@ -1,16 +1,13 @@
+const { resolve } = require('node:path')
+const packlist = require('npm-packlist')
+const runScript = require('@npmcli/run-script')
+const tar = require('tar')
+const { Minipass } = require('minipass')
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
-const { Minipass } = require('minipass')
+const _ = require('./util/protected.js')
 const tarCreateOptions = require('./util/tar-create-options.js')
-const packlist = require('npm-packlist')
-const tar = require('tar')
-const _prepareDir = Symbol('_prepareDir')
-const { resolve } = require('path')
-const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
-
-const runScript = require('@npmcli/run-script')
 
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 class DirFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
@@ -30,7 +27,7 @@ class DirFetcher extends Fetcher {
     return ['directory']
   }
 
-  [_prepareDir] () {
+  #prepareDir () {
     return this.manifest().then(mani => {
       if (!mani.scripts || !mani.scripts.prepare) {
         return
@@ -55,7 +52,7 @@ class DirFetcher extends Fetcher {
     })
   }
 
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     if (!this.tree && !this.Arborist) {
       throw new Error('DirFetcher requires either a tree or an Arborist constructor to pack')
     }
@@ -68,7 +65,7 @@ class DirFetcher extends Fetcher {
 
     // run the prepare script, get the list of files, and tar it up
     // pipe to the stream, and proxy errors the chain.
-    this[_prepareDir]()
+    this.#prepareDir()
       .then(async () => {
         if (!this.tree) {
           const arb = new this.Arborist({ path: this.resolved })
@@ -87,7 +84,7 @@ class DirFetcher extends Fetcher {
       return Promise.resolve(this.package)
     }
 
-    return this[_readPackageJson](this.resolved)
+    return this[_.readPackageJson](this.resolved)
       .then(mani => this.package = {
         ...mani,
         _integrity: this.integrity && String(this.integrity),

package/lib/fetcher.js

@@ -3,42 +3,27 @@
 // It handles the unpacking and retry logic that is shared among
 // all of the other Fetcher types.
 
+const { basename, dirname } = require('node:path')
+const { rm, mkdir } = require('node:fs/promises')
+const PackageJson = require('@npmcli/package-json')
+const cacache = require('cacache')
+const fsm = require('fs-minipass')
+const getContents = require('@npmcli/installed-package-contents')
 const npa = require('npm-package-arg')
+const retry = require('promise-retry')
 const ssri = require('ssri')
-const { basename, dirname } = require('path')
 const tar = require('tar')
+const { Minipass } = require('minipass')
 const { log } = require('proc-log')
-const retry = require('promise-retry')
-const fs = require('fs/promises')
-const fsm = require('fs-minipass')
-const cacache = require('cacache')
+const _ = require('./util/protected.js')
+const cacheDir = require('./util/cache-dir.js')
 const isPackageBin = require('./util/is-package-bin.js')
 const removeTrailingSlashes = require('./util/trailing-slashes.js')
-const getContents = require('@npmcli/installed-package-contents')
-const PackageJson = require('@npmcli/package-json')
-const { Minipass } = require('minipass')
-const cacheDir = require('./util/cache-dir.js')
 
 // Pacote is only concerned with the package.json contents
 const packageJsonPrepare = (p) => PackageJson.prepare(p).then(pkg => pkg.content)
 const packageJsonNormalize = (p) => PackageJson.normalize(p).then(pkg => pkg.content)
 
-// Private methods.
-// Child classes should not have to override these.
-// Users should never call them.
-const _extract = Symbol('_extract')
-const _mkdir = Symbol('_mkdir')
-const _empty = Symbol('_empty')
-const _toFile = Symbol('_toFile')
-const _tarxOptions = Symbol('_tarxOptions')
-const _entryMode = Symbol('_entryMode')
-const _istream = Symbol('_istream')
-const _assertType = Symbol('_assertType')
-const _tarballFromCache = Symbol('_tarballFromCache')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
-const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
-
 class FetcherBase {
   constructor (spec, opts) {
     if (!opts || typeof opts !== 'object') {
@@ -57,7 +42,7 @@ class FetcherBase {
     this.from = this.spec.registry
       ? `${this.spec.name}@${this.spec.rawSpec}` : this.spec.saveSpec
 
-    this[_assertType]()
+    this.#assertType()
     // clone the opts object so that others aren't upset when we mutate it
     // by adding/modifying the integrity value.
     this.opts = { ...opts }
@@ -93,11 +78,9 @@ class FetcherBase {
     this.before = opts.before
     this.fullMetadata = this.before ? true : !!opts.fullMetadata
     this.fullReadJson = !!opts.fullReadJson
-    if (this.fullReadJson) {
-      this[_readPackageJson] = packageJsonPrepare
-    } else {
-      this[_readPackageJson] = packageJsonNormalize
-    }
+    this[_.readPackageJson] = this.fullReadJson
+      ? packageJsonPrepare
+      : packageJsonNormalize
 
     // rrh is a registry hostname or 'never' or 'always'
     // defaults to registry.npmjs.org
@@ -188,7 +171,7 @@ class FetcherBase {
   // private, should be overridden.
   // Note that they should *not* calculate or check integrity or cache,
   // but *just*  return the raw tarball data stream.
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     throw this.notImplementedError
   }
 
@@ -204,17 +187,17 @@ class FetcherBase {
 
   // private
   // Note: cacache will raise a EINTEGRITY error if the integrity doesn't match
-  [_tarballFromCache] () {
+  #tarballFromCache () {
     return cacache.get.stream.byDigest(this.cache, this.integrity, this.opts)
   }
 
-  get [_cacheFetches] () {
+  get [_.cacheFetches] () {
     return true
   }
 
-  [_istream] (stream) {
+  #istream (stream) {
     // if not caching this, just return it
-    if (!this.opts.cache || !this[_cacheFetches]) {
+    if (!this.opts.cache || !this[_.cacheFetches]) {
       // instead of creating a new integrity stream, we only piggyback on the
       // provided stream's events
       if (stream.hasIntegrityEmitter) {
@@ -267,7 +250,7 @@ class FetcherBase {
     return false
   }
 
-  [_assertType] () {
+  #assertType () {
     if (this.types && !this.types.includes(this.spec.type)) {
       throw new TypeError(`Wrong spec type (${
         this.spec.type
@@ -306,7 +289,7 @@ class FetcherBase {
       !this.preferOnline &&
       this.integrity &&
       this.resolved
-    ) ? streamHandler(this[_tarballFromCache]()).catch(er => {
+    ) ? streamHandler(this.#tarballFromCache()).catch(er => {
         if (this.isDataCorruptionError(er)) {
           log.warn('tarball', `cached data for ${
           this.spec
@@ -329,7 +312,7 @@ class FetcherBase {
         }. Extracting by manifest.`)
       }
       return this.resolve().then(() => retry(tryAgain =>
-        streamHandler(this[_istream](this[_tarballFromResolved]()))
+        streamHandler(this.#istream(this[_.tarballFromResolved]()))
           .catch(streamErr => {
           // Most likely data integrity.  A cache ENOENT error is unlikely
           // here, since we're definitely not reading from the cache, but it
@@ -352,24 +335,24 @@ class FetcherBase {
     return cacache.rm.content(this.cache, this.integrity, this.opts)
   }
 
-  [_empty] (path) {
+  #empty (path) {
     return getContents({ path, depth: 1 }).then(contents => Promise.all(
-      contents.map(entry => fs.rm(entry, { recursive: true, force: true }))))
+      contents.map(entry => rm(entry, { recursive: true, force: true }))))
   }
 
-  async [_mkdir] (dest) {
-    await this[_empty](dest)
-    return await fs.mkdir(dest, { recursive: true })
+  async #mkdir (dest) {
+    await this.#empty(dest)
+    return await mkdir(dest, { recursive: true })
   }
 
   // extraction is always the same.  the only difference is where
   // the tarball comes from.
   async extract (dest) {
-    await this[_mkdir](dest)
-    return this.tarballStream((tarball) => this[_extract](dest, tarball))
+    await this.#mkdir(dest)
+    return this.tarballStream((tarball) => this.#extract(dest, tarball))
   }
 
-  [_toFile] (dest) {
+  #toFile (dest) {
     return this.tarballStream(str => new Promise((res, rej) => {
       const writer = new fsm.WriteStream(dest)
       str.on('error', er => writer.emit('error', er))
@@ -383,15 +366,15 @@ class FetcherBase {
     }))
   }
 
-  // don't use this[_mkdir] because we don't want to rimraf anything
+  // don't use this.#mkdir because we don't want to rimraf anything
   async tarballFile (dest) {
     const dir = dirname(dest)
-    await fs.mkdir(dir, { recursive: true })
-    return this[_toFile](dest)
+    await mkdir(dir, { recursive: true })
+    return this.#toFile(dest)
   }
 
-  [_extract] (dest, tarball) {
-    const extractor = tar.x(this[_tarxOptions]({ cwd: dest }))
+  #extract (dest, tarball) {
+    const extractor = tar.x(this.#tarxOptions({ cwd: dest }))
     const p = new Promise((resolve, reject) => {
       extractor.on('end', () => {
         resolve({
@@ -416,7 +399,7 @@ class FetcherBase {
 
   // always ensure that entries are at least as permissive as our configured
   // dmode/fmode, but never more permissive than the umask allows.
-  [_entryMode] (path, mode, type) {
+  #entryMode (path, mode, type) {
     const m = /Directory|GNUDumpDir/.test(type) ? this.dmode
       : /File$/.test(type) ? this.fmode
       : /* istanbul ignore next - should never happen in a pkg */ 0
@@ -427,7 +410,7 @@ class FetcherBase {
     return ((mode | m) & ~this.umask) | exe | 0o600
   }
 
-  [_tarxOptions] ({ cwd }) {
+  #tarxOptions ({ cwd }) {
     const sawIgnores = new Set()
     return {
       cwd,
@@ -437,7 +420,7 @@ class FetcherBase {
         if (/Link$/.test(entry.type)) {
           return false
         }
-        entry.mode = this[_entryMode](entry.path, entry.mode, entry.type)
+        entry.mode = this.#entryMode(entry.path, entry.mode, entry.type)
         // this replicates the npm pack behavior where .gitignore files
         // are treated like .npmignore files, but only if a .npmignore
         // file is not present.

package/lib/file.js

@@ -1,12 +1,9 @@
-const fsm = require('fs-minipass')
+const { resolve } = require('node:path')
+const { stat, chmod } = require('node:fs/promises')
 const cacache = require('cacache')
-const { resolve } = require('path')
-const { stat, chmod } = require('fs/promises')
+const fsm = require('fs-minipass')
 const Fetcher = require('./fetcher.js')
-
-const _exeBins = Symbol('_exeBins')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
+const _ = require('./util/protected.js')
 
 class FileFetcher extends Fetcher {
   constructor (spec, opts) {
@@ -27,7 +24,7 @@ class FileFetcher extends Fetcher {
     // have to unpack the tarball for this.
     return cacache.tmp.withTmp(this.cache, this.opts, dir =>
       this.extract(dir)
-        .then(() => this[_readPackageJson](dir))
+        .then(() => this[_.readPackageJson](dir))
         .then(mani => this.package = {
           ...mani,
           _integrity: this.integrity && String(this.integrity),
@@ -36,7 +33,7 @@ class FileFetcher extends Fetcher {
         }))
   }
 
-  [_exeBins] (pkg, dest) {
+  #exeBins (pkg, dest) {
     if (!pkg.bin) {
       return Promise.resolve()
     }
@@ -65,11 +62,11 @@ class FileFetcher extends Fetcher {
     // but if not, read the unpacked manifest and chmod properly.
     return super.extract(dest)
       .then(result => this.package ? result
-      : this[_readPackageJson](dest).then(pkg =>
-        this[_exeBins](pkg, dest)).then(() => result))
+      : this[_.readPackageJson](dest).then(pkg =>
+        this.#exeBins(pkg, dest)).then(() => result))
   }
 
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     // create a read stream and return it
     return new fsm.ReadStream(this.resolved)
   }

package/lib/git.js

@@ -1,28 +1,18 @@
-const Fetcher = require('./fetcher.js')
-const FileFetcher = require('./file.js')
-const RemoteFetcher = require('./remote.js')
-const DirFetcher = require('./dir.js')
-const hashre = /^[a-f0-9]{40}$/
+const cacache = require('cacache')
 const git = require('@npmcli/git')
-const pickManifest = require('npm-pick-manifest')
 const npa = require('npm-package-arg')
+const pickManifest = require('npm-pick-manifest')
 const { Minipass } = require('minipass')
-const cacache = require('cacache')
 const { log } = require('proc-log')
+const DirFetcher = require('./dir.js')
+const Fetcher = require('./fetcher.js')
+const FileFetcher = require('./file.js')
+const RemoteFetcher = require('./remote.js')
+const _ = require('./util/protected.js')
+const addGitSha = require('./util/add-git-sha.js')
 const npm = require('./util/npm.js')
 
-const _resolvedFromRepo = Symbol('_resolvedFromRepo')
-const _resolvedFromHosted = Symbol('_resolvedFromHosted')
-const _resolvedFromClone = Symbol('_resolvedFromClone')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const _addGitSha = Symbol('_addGitSha')
-const addGitSha = require('./util/add-git-sha.js')
-const _clone = Symbol('_clone')
-const _cloneHosted = Symbol('_cloneHosted')
-const _cloneRepo = Symbol('_cloneRepo')
-const _setResolvedWithSha = Symbol('_setResolvedWithSha')
-const _prepareDir = Symbol('_prepareDir')
-const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
+const hashre = /^[a-f0-9]{40}$/
 
 // get the repository url.
 // prefer https if there's auth, since ssh will drop that.
@@ -84,8 +74,9 @@ class GitFetcher extends Fetcher {
     // fetch the git repo and then look at the current hash
     const h = this.spec.hosted
     // try to use ssh, fall back to git.
-    return h ? this[_resolvedFromHosted](h)
-      : this[_resolvedFromRepo](this.spec.fetchSpec)
+    return h
+      ? this.#resolvedFromHosted(h)
+      : this.#resolvedFromRepo(this.spec.fetchSpec)
   }
 
   // first try https, since that's faster and passphrase-less for
@@ -93,23 +84,22 @@ class GitFetcher extends Fetcher {
   // Fall back to SSH to support private repos
   // NB: we always store the https url in resolved field if auth
   // is present, otherwise ssh if the hosted type provides it
-  [_resolvedFromHosted] (hosted) {
-    return this[_resolvedFromRepo](hosted.https && hosted.https())
-      .catch(er => {
-        // Throw early since we know pathspec errors will fail again if retried
-        if (er instanceof git.errors.GitPathspecError) {
-          throw er
-        }
-        const ssh = hosted.sshurl && hosted.sshurl()
-        // no fallthrough if we can't fall through or have https auth
-        if (!ssh || hosted.auth) {
-          throw er
-        }
-        return this[_resolvedFromRepo](ssh)
-      })
+  #resolvedFromHosted (hosted) {
+    return this.#resolvedFromRepo(hosted.https && hosted.https()).catch(er => {
+      // Throw early since we know pathspec errors will fail again if retried
+      if (er instanceof git.errors.GitPathspecError) {
+        throw er
+      }
+      const ssh = hosted.sshurl && hosted.sshurl()
+      // no fallthrough if we can't fall through or have https auth
+      if (!ssh || hosted.auth) {
+        throw er
+      }
+      return this.#resolvedFromRepo(ssh)
+    })
   }
 
-  [_resolvedFromRepo] (gitRemote) {
+  #resolvedFromRepo (gitRemote) {
     // XXX make this a custom error class
     if (!gitRemote) {
       return Promise.reject(new Error(`No git url for ${this.spec}`))
@@ -130,17 +120,17 @@ class GitFetcher extends Fetcher {
       // the committish provided isn't in the rev list
       // things like HEAD~3 or @yesterday can land here.
       if (!revDoc || !revDoc.sha) {
-        return this[_resolvedFromClone]()
+        return this.#resolvedFromClone()
       }
 
       this.resolvedRef = revDoc
       this.resolvedSha = revDoc.sha
-      this[_addGitSha](revDoc.sha)
+      this.#addGitSha(revDoc.sha)
       return this.resolved
     })
   }
 
-  [_setResolvedWithSha] (withSha) {
+  #setResolvedWithSha (withSha) {
     // we haven't cloned, so a tgz download is still faster
     // of course, if it's not a known host, we can't do that.
     this.resolved = !this.spec.hosted ? withSha
@@ -149,18 +139,18 @@ class GitFetcher extends Fetcher {
 
   // when we get the git sha, we affix it to our spec to build up
   // either a git url with a hash, or a tarball download URL
-  [_addGitSha] (sha) {
-    this[_setResolvedWithSha](addGitSha(this.spec, sha))
+  #addGitSha (sha) {
+    this.#setResolvedWithSha(addGitSha(this.spec, sha))
   }
 
-  [_resolvedFromClone] () {
+  #resolvedFromClone () {
     // do a full or shallow clone, then look at the HEAD
     // kind of wasteful, but no other option, really
-    return this[_clone](() => this.resolved)
+    return this.#clone(() => this.resolved)
   }
 
-  [_prepareDir] (dir) {
-    return this[_readPackageJson](dir).then(mani => {
+  #prepareDir (dir) {
+    return this[_.readPackageJson](dir).then(mani => {
       // no need if we aren't going to do any preparation.
       const scripts = mani.scripts
       if (!mani.workspaces && (!scripts || !(
@@ -200,13 +190,13 @@ class GitFetcher extends Fetcher {
     })
   }
 
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     const stream = new Minipass()
     stream.resolved = this.resolved
     stream.from = this.from
 
     // check it out and then shell out to the DirFetcher tarball packer
-    this[_clone](dir => this[_prepareDir](dir)
+    this.#clone(dir => this.#prepareDir(dir)
       .then(() => new Promise((res, rej) => {
         if (!this.Arborist) {
           throw new Error('GitFetcher requires an Arborist constructor to pack a tarball')
@@ -217,7 +207,7 @@ class GitFetcher extends Fetcher {
           resolved: null,
           integrity: null,
         })
-        const dirStream = df[_tarballFromResolved]()
+        const dirStream = df[_.tarballFromResolved]()
         dirStream.on('error', rej)
         dirStream.on('end', res)
         dirStream.pipe(stream)
@@ -235,7 +225,7 @@ class GitFetcher extends Fetcher {
   // TODO: after cloning, create a tarball of the folder, and add to the cache
   // with cacache.put.stream(), using a key that's deterministic based on the
   // spec and repo, so that we don't ever clone the same thing multiple times.
-  [_clone] (handler, tarballOk = true) {
+  #clone (handler, tarballOk = true) {
     const o = { tmpPrefix: 'git-clone' }
     const ref = this.resolvedSha || this.spec.gitCommittish
     const h = this.spec.hosted
@@ -258,7 +248,7 @@ class GitFetcher extends Fetcher {
         }).extract(tmp).then(() => handler(tmp), er => {
           // fall back to ssh download if tarball fails
           if (er.constructor.name.match(/^Http/)) {
-            return this[_clone](handler, false)
+            return this.#clone(handler, false)
           } else {
             throw er
           }
@@ -266,12 +256,12 @@ class GitFetcher extends Fetcher {
       }
 
       const sha = await (
-        h ? this[_cloneHosted](ref, tmp)
-        : this[_cloneRepo](this.spec.fetchSpec, ref, tmp)
+        h ? this.#cloneHosted(ref, tmp)
+        : this.#cloneRepo(this.spec.fetchSpec, ref, tmp)
       )
       this.resolvedSha = sha
       if (!this.resolved) {
-        await this[_addGitSha](sha)
+        await this.#addGitSha(sha)
       }
       return handler(tmp)
     })
@@ -282,9 +272,9 @@ class GitFetcher extends Fetcher {
   // Fall back to SSH to support private repos
   // NB: we always store the https url in resolved field if auth
   // is present, otherwise ssh if the hosted type provides it
-  [_cloneHosted] (ref, tmp) {
+  #cloneHosted (ref, tmp) {
     const hosted = this.spec.hosted
-    return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp)
+    return this.#cloneRepo(hosted.https({ noCommittish: true }), ref, tmp)
       .catch(er => {
         // Throw early since we know pathspec errors will fail again if retried
         if (er instanceof git.errors.GitPathspecError) {
@@ -295,11 +285,11 @@ class GitFetcher extends Fetcher {
         if (!ssh || hosted.auth) {
           throw er
         }
-        return this[_cloneRepo](ssh, ref, tmp)
+        return this.#cloneRepo(ssh, ref, tmp)
       })
   }
 
-  [_cloneRepo] (repo, ref, tmp) {
+  #cloneRepo (repo, ref, tmp) {
     const { opts, spec } = this
     return git.clone(repo, ref, tmp, { ...opts, spec })
   }
@@ -311,8 +301,8 @@ class GitFetcher extends Fetcher {
 
     return this.spec.hosted && this.resolved
       ? FileFetcher.prototype.manifest.apply(this)
-      : this[_clone](dir =>
-        this[_readPackageJson](dir)
+      : this.#clone(dir =>
+        this[_.readPackageJson](dir)
           .then(mani => this.package = {
             ...mani,
             _resolved: this.resolved,

package/lib/index.js

@@ -5,6 +5,10 @@ const FileFetcher = require('./file.js')
 const DirFetcher = require('./dir.js')
 const RemoteFetcher = require('./remote.js')
 
+const tarball = (spec, opts) => get(spec, opts).tarball()
+tarball.stream = (spec, handler, opts) => get(spec, opts).tarballStream(handler)
+tarball.file = (spec, dest, opts) => get(spec, opts).tarballFile(dest)
+
 module.exports = {
   GitFetcher,
   RegistryFetcher,
@@ -14,10 +18,6 @@ module.exports = {
   resolve: (spec, opts) => get(spec, opts).resolve(),
   extract: (spec, dest, opts) => get(spec, opts).extract(dest),
   manifest: (spec, opts) => get(spec, opts).manifest(),
-  tarball: (spec, opts) => get(spec, opts).tarball(),
   packument: (spec, opts) => get(spec, opts).packument(),
+  tarball,
 }
-module.exports.tarball.stream = (spec, handler, opts) =>
-  get(spec, opts).tarballStream(handler)
-module.exports.tarball.file = (spec, dest, opts) =>
-  get(spec, opts).tarballFile(dest)

package/lib/registry.js

@@ -1,14 +1,15 @@
-const Fetcher = require('./fetcher.js')
-const RemoteFetcher = require('./remote.js')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const pacoteVersion = require('../package.json').version
-const removeTrailingSlashes = require('./util/trailing-slashes.js')
+const crypto = require('node:crypto')
 const PackageJson = require('@npmcli/package-json')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
-const crypto = require('crypto')
 const npa = require('npm-package-arg')
 const sigstore = require('sigstore')
+const fetch = require('npm-registry-fetch')
+const Fetcher = require('./fetcher.js')
+const RemoteFetcher = require('./remote.js')
+const pacoteVersion = require('../package.json').version
+const removeTrailingSlashes = require('./util/trailing-slashes.js')
+const _ = require('./util/protected.js')
 
 // Corgis are cute. 🐕🐶
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
@@ -18,10 +19,8 @@ const fullDoc = 'application/json'
 // cutoff date.
 const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'
 
-const fetch = require('npm-registry-fetch')
-
-const _headers = Symbol('_headers')
 class RegistryFetcher extends Fetcher {
+  #cacheKey
   constructor (spec, opts) {
     super(spec, opts)
 
@@ -34,8 +33,8 @@ class RegistryFetcher extends Fetcher {
     this.packumentCache = this.opts.packumentCache || null
 
     this.registry = fetch.pickRegistry(spec, opts)
-    this.packumentUrl = removeTrailingSlashes(this.registry) + '/' +
-      this.spec.escapedName
+    this.packumentUrl = `${removeTrailingSlashes(this.registry)}/${this.spec.escapedName}`
+    this.#cacheKey = `${this.fullMetadata ? 'full' : 'corgi'}:${this.packumentUrl}`
 
     const parsed = new URL(this.registry)
     const regKey = `//${parsed.host}${parsed.pathname}`
@@ -63,7 +62,7 @@ class RegistryFetcher extends Fetcher {
     return this.resolved
   }
 
-  [_headers] () {
+  #headers () {
     return {
       // npm will override UA, but ensure that we always send *something*
       'user-agent': this.opts.userAgent ||
@@ -80,8 +79,8 @@ class RegistryFetcher extends Fetcher {
     // note this might be either an in-flight promise for a request,
     // or the actual packument, but we never want to make more than
     // one request at a time for the same thing regardless.
-    if (this.packumentCache && this.packumentCache.has(this.packumentUrl)) {
-      return this.packumentCache.get(this.packumentUrl)
+    if (this.packumentCache?.has(this.#cacheKey)) {
+      return this.packumentCache.get(this.#cacheKey)
     }
 
     // npm-registry-fetch the packument
@@ -90,21 +89,21 @@ class RegistryFetcher extends Fetcher {
     try {
       const res = await fetch(this.packumentUrl, {
         ...this.opts,
-        headers: this[_headers](),
+        headers: this.#headers(),
         spec: this.spec,
+
         // never check integrity for packuments themselves
         integrity: null,
       })
       const packument = await res.json()
-      packument._contentLength = +res.headers.get('content-length')
-      if (this.packumentCache) {
-        this.packumentCache.set(this.packumentUrl, packument)
+      const contentLength = res.headers.get('content-length')
+      if (contentLength) {
+        packument._contentLength = Number(contentLength)
       }
+      this.packumentCache?.set(this.#cacheKey, packument)
       return packument
     } catch (err) {
-      if (this.packumentCache) {
-        this.packumentCache.delete(this.packumentUrl)
-      }
+      this.packumentCache?.delete(this.#cacheKey)
       if (err.code !== 'E404' || this.fullMetadata) {
         throw err
       }
@@ -350,13 +349,13 @@ class RegistryFetcher extends Fetcher {
     return this.package
   }
 
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     // we use a RemoteFetcher to get the actual tarball stream
     return new RemoteFetcher(this.resolved, {
       ...this.opts,
       resolved: this.resolved,
       pkgid: `registry:${this.spec.name}@${this.resolved}`,
-    })[_tarballFromResolved]()
+    })[_.tarballFromResolved]()
   }
 
   get types () {

package/lib/remote.js

@@ -1,12 +1,10 @@
+const fetch = require('npm-registry-fetch')
+const { Minipass } = require('minipass')
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
+const _ = require('./util/protected.js')
 const pacoteVersion = require('../package.json').version
-const fetch = require('npm-registry-fetch')
-const { Minipass } = require('minipass')
 
-const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
-const _headers = Symbol('_headers')
 class RemoteFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
@@ -25,17 +23,17 @@ class RemoteFetcher extends Fetcher {
 
   // Don't need to cache tarball fetches in pacote, because make-fetch-happen
   // will write into cacache anyway.
-  get [_cacheFetches] () {
+  get [_.cacheFetches] () {
     return false
   }
 
-  [_tarballFromResolved] () {
+  [_.tarballFromResolved] () {
     const stream = new Minipass()
     stream.hasIntegrityEmitter = true
 
     const fetchOpts = {
       ...this.opts,
-      headers: this[_headers](),
+      headers: this.#headers(),
       spec: this.spec,
       integrity: this.integrity,
       algorithms: [this.pickIntegrityAlgorithm()],
@@ -59,7 +57,7 @@ class RemoteFetcher extends Fetcher {
     return stream
   }
 
-  [_headers] () {
+  #headers () {
     return {
       // npm will override this, but ensure that we always send *something*
       'user-agent': this.opts.userAgent ||

package/lib/util/cache-dir.js

@@ -1,10 +1,10 @@
-const os = require('os')
-const { resolve } = require('path')
+const { resolve } = require('node:path')
+const { tmpdir, homedir } = require('node:os')
 
 module.exports = (fakePlatform = false) => {
-  const temp = os.tmpdir()
+  const temp = tmpdir()
   const uidOrPid = process.getuid ? process.getuid() : process.pid
-  const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid)
+  const home = homedir() || resolve(temp, 'npm-' + uidOrPid)
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
   const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home

package/lib/util/protected.js

@@ -0,0 +1,5 @@
+module.exports = {
+  cacheFetches: Symbol.for('pacote.Fetcher._cacheFetches'),
+  readPackageJson: Symbol.for('package.Fetcher._readPackageJson'),
+  tarballFromResolved: Symbol.for('pacote.Fetcher._tarballFromResolved'),
+}

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "pacote",
-  "version": "18.0.4",
+  "version": "18.0.6",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
-    "pacote": "lib/bin.js"
+    "pacote": "bin/index.js"
   },
   "license": "ISC",
   "main": "lib/index.js",