pacote 21.1.0 → 21.2.0
- package/README.md +11 -2
- package/lib/fetcher.js +12 -11
- package/lib/git.js +2 -2
- package/package.json +1 -1
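--- a/package/README.md
+++ b/package/README.md
@@ -147,15 +147,24 @@ Options object is cloned, and mutated along the way to add integrity, resolved,
 There must be a configured `_keys` entry in the config that is scoped to the registry the manifest is being fetched from.
 * `tufCache` Where to store metadata/target files when retrieving the package attestation key material via TUF.
 Defaults to the same cache directory that npm will use by default, based on platform and environment.
-* `allowGit` Whether or not to allow data to be fetched from git.
+* `allowGit` Whether or not to allow data to be fetched from a git spec.
 Possible values are `all`, `none`, or `root`.
 Defaults to `all`.
 `all` means git is allowed
 `none` means git is not allowed
 `root` means that git is only allowed if fetching from a root context.
 Context for whether or not the package being fetched is `root` is set via the `_isRoot` option.
+* `allowRemote` Whether or not to allow data to be fetched from remote specs.
+Possible values and defaults are the same as `allowGit`
+* `allowFile` Whether or not to allow data to be fetched from file specs.
+Possible values and defaults are the same as `allowGit`
+* `allowDirectory` Whether or not to allow data to be fetched from directory specs.
+Possible values and defaults are the same as `allowGit`
 * `_isRoot` Whether or not the package being fetched is in a root context.
-
+Defaults to `false`,
+For `npm` itself this means a package that is defined in the local project or workspace package.json, or a package that is being fetched for another command like `npm view`. This informs the `allowX` options to let them know the context of the current request.
+
+For more info on spec types (i.e. git, remote) see [npm-package-arg](npm.im/npm-package-arg)
 
 ### Advanced API
 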
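--- a/package/lib/fetcher.js
+++ b/package/lib/fetcher.js
@@ -470,14 +470,20 @@ const DirFetcher = require('./dir.js')
 const RemoteFetcher = require('./remote.js')
 
 // possible values for allow: 'all', 'root', 'none'
-const
+const canUse = ({ allow = 'all', isRoot = false, allowType, spec }) => {
 if (allow === 'all') {
 return true
 }
 if (allow !== 'none' && isRoot) {
 return true
 }
-
+throw Object.assign(
+new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${allowType}" have been disabled`),
+{
+code: `EALLOW${allowType.toUpperCase()}`,
+package: spec.toString(),
+}
+)
 }
 
 // Get an appropriate fetcher object from a spec and options
@@ -485,18 +491,11 @@ FetcherBase.get = (rawSpec, opts = {}) => {
 const spec = npa(rawSpec, opts.where)
 switch (spec.type) {
 case 'git':
-
-throw Object.assign(
-new Error(`Fetching${opts.allowGit === 'root' ? ' non-root' : ''} packages from git has been disabled`),
-{
-code: 'EALLOWGIT',
-package: spec.toString(),
-}
-)
-}
+canUse({ allow: opts.allowGit, isRoot: opts._isRoot, allowType: 'git', spec })
 return new GitFetcher(spec, opts)
 
 case 'remote':
+canUse({ allow: opts.allowRemote, isRoot: opts._isRoot, allowType: 'remote', spec })
 return new RemoteFetcher(spec, opts)
 
 case 'version':
@@ -506,9 +505,11 @@ FetcherBase.get = (rawSpec, opts = {}) => {
 return new RegistryFetcher(spec.subSpec || spec, opts)
 
 case 'file':
+canUse({ allow: opts.allowFile, isRoot: opts._isRoot, allowType: 'file', spec })
 return new FileFetcher(spec, opts)
 
 case 'directory':
+canUse({ allow: opts.allowDirectory, isRoot: opts._isRoot, allowType: 'directory', spec })
 return new DirFetcher(spec, opts)
 
 default: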
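Review bot: In the first hunk, `canUse` never checks `allow` against the three values named in the comment above it, so any other value (a typo such as `'non'`, or `null`, which skips the `= 'all'` default) falls through both `if`s and behaves like `'root'`: root-context fetches stay permitted and the error drops the " non-root" wording. For an option meant to let a caller block git, remote, file and directory specs, an unrecognised setting is safer rejected up front, e.g. `if (!['all', 'root', 'none'].includes(allow)) throw new TypeError('invalid allow value: ' + allow)` at the top of `canUse`. The function now throws instead of returning `false` while keeping a predicate-style name, so a short comment such as `// returns true, or throws EALLOW<TYPE> when the spec type is not permitted` would help the four call sites in `FetcherBase.get`, whose body extends beyond the visible hunks.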
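--- a/package/lib/git.js
+++ b/package/lib/git.js
@@ -245,7 +245,7 @@ class GitFetcher extends Fetcher {
 pkgid: `git:${nameat}${this.resolved}`,
 resolved: this.resolved,
 integrity: null, // it'll always be different, if we have one
-}).extract(tmp).then(() => handler(tmp), er => {
+}).extract(tmp).then(() => handler(`${tmp}${this.spec.gitSubdir || ''}`), er => {
 // fall back to ssh download if tarball fails
 if (er.constructor.name.match(/^Http/)) {
 return this.#clone(handler, false)
@@ -263,7 +263,7 @@ class GitFetcher extends Fetcher {
 if (!this.resolved) {
 await this.#addGitSha(sha)
 }
-return handler(tmp)
+return handler(`${tmp}${this.spec.gitSubdir || ''}`)
 })
 }
 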
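Review bot: Both changed lines build the directory handed to `handler` by plain concatenation, `${tmp}${this.spec.gitSubdir || ''}`, and nothing visible in these hunks confirms that the result still lies inside the fresh checkout at `tmp`. `gitSubdir` comes from the parsed spec, so unless npm-package-arg already rejects `..` segments (not shown here, worth confirming), the handler could be pointed at a directory outside the clone. I would resolve and check the path once in a small helper shared by both call sites, e.g. `const dir = path.resolve(tmp, '.' + (this.spec.gitSubdir || ''))` followed by `if (dir !== tmp && !dir.startsWith(tmp + path.sep)) throw new Error('git subdir escapes checkout')`. The enclosing methods start and end outside both hunks, so whether `path` is already required in this file cannot be seen from here.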