pacote 21.3.1 → 21.4.0

package/README.md

@@ -160,6 +160,7 @@ Options object is cloned, and mutated along the way to add integrity, resolved,
   Possible values and defaults are the same as `allowGit`
 * `allowDirectory` Whether or not to allow data to be fetched from directory specs.
   Possible values and defaults are the same as `allowGit`
+* `allowRegistry` Whether or not to allow data to be fetched from registry specs.  This includes `version`, `range`, `tag`, and `alias`.
 * `_isRoot` Whether or not the package being fetched is in a root context.
   Defaults to `false`,
   For `npm` itself this means a package that is defined in the local project or workspace package.json, or a package that is being fetched for another command like `npm view`.  This informs the `allowX` options to let them know the context of the current request.

package/lib/fetcher.js

@@ -10,7 +10,7 @@ const cacache = require('cacache')
 const fsm = require('fs-minipass')
 const getContents = require('@npmcli/installed-package-contents')
 const npa = require('npm-package-arg')
-const retry = require('promise-retry')
+const { promiseRetry } = require('@gar/promise-retry')
 const ssri = require('ssri')
 const tar = require('tar')
 const { Minipass } = require('minipass')
@@ -319,7 +319,7 @@ class FetcherBase {
           this.spec
         }. Extracting by manifest.`)
       }
-      return this.resolve().then(() => retry(tryAgain =>
+      return this.resolve().then(() => promiseRetry(tryAgain =>
         streamHandler(this.#istream(this[_.tarballFromResolved]()))
           .catch(streamErr => {
           // Most likely data integrity.  A cache ENOENT error is unlikely
@@ -502,6 +502,7 @@ FetcherBase.get = (rawSpec, opts = {}) => {
     case 'range':
     case 'tag':
     case 'alias':
+      canUse({ allow: opts.allowRegistry, isRoot: opts._isRoot, allowType: 'registry', spec })
       return new RegistryFetcher(spec.subSpec || spec, opts)
 
     case 'file':

package/lib/registry.js

@@ -229,7 +229,7 @@ class RegistryFetcher extends Fetcher {
         if (this.opts.verifyAttestations) {
           // Always fetch attestations from the current registry host
           const attestationsPath = new URL(dist.attestations.url).pathname
-          const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath
+          const attestationsUrl = new URL(attestationsPath, this.registry).href
           const res = await fetch(attestationsUrl, {
             ...this.opts,
             // disable integrity check for attestations json payload, we check the
@@ -256,7 +256,10 @@ class RegistryFetcher extends Fetcher {
           const attestationKeyIds = bundles.map((b) => b.keyid).filter((k) => !!k)
           const attestationRegistryKeys = (this.registryKeys || [])
             .filter(key => attestationKeyIds.includes(key.keyid))
-          if (!attestationRegistryKeys.length) {
+          // Only require registry keys when there are keyed attestations.
+          // Keyless (Sigstore/Fulcio) attestations embed their signing
+          // certificate in the bundle and don't need registry keys.
+          if (attestationKeyIds.length > 0 && !attestationRegistryKeys.length) {
             throw Object.assign(new Error(
               `${mani._id} has attestations but no corresponding public key(s) can be found`
             ), { code: 'EMISSINGSIGNATUREKEY' })

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "21.3.1",
+  "version": "21.4.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -46,6 +46,7 @@
     "git"
   ],
   "dependencies": {
+    "@gar/promise-retry": "^1.0.0",
     "@npmcli/git": "^7.0.0",
     "@npmcli/installed-package-contents": "^4.0.0",
     "@npmcli/package-json": "^7.0.0",
@@ -59,7 +60,6 @@
     "npm-pick-manifest": "^11.0.1",
     "npm-registry-fetch": "^19.0.0",
     "proc-log": "^6.0.0",
-    "promise-retry": "^2.0.1",
     "sigstore": "^4.0.0",
     "ssri": "^13.0.0",
     "tar": "^7.4.3"