npm - pacote - Versions diffs - 7.3.2 → 7.3.3 - Mend

pacote 7.3.2 → 7.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md +10 -0
package/lib/fetchers/registry/tarball.js +62 -74
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,16 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+<a name="7.3.3"></a>
+## [7.3.3](https://github.com/zkat/pacote/compare/v7.3.2...v7.3.3) (2018-02-15)
+### Bug Fixes
+* **tarball:** another attempt at fixing opts.resolved ([aff3b6a](https://github.com/zkat/pacote/commit/aff3b6a))
 <a name="7.3.2"></a>
 ## [7.3.2](https://github.com/zkat/pacote/compare/v7.3.1...v7.3.2) (2018-02-15)

package/lib/fetchers/registry/tarball.js CHANGED Viewed

@@ -13,19 +13,30 @@ const url = require('url')
 module.exports = tarball
 function tarball (spec, opts) {
   opts = optCheck(opts)
+  const registry = pickRegistry(spec, opts)
   const stream = new PassThrough()
-  const p = (opts.resolved && opts.integrity && spec.type === 'version')
-  ? BB.resolve({
-    name: spec.name,
-    version: spec.fetchSpec,
-    _integrity: opts.integrity,
-    _resolved: opts.resolved,
-    _fakeChild: true
-  })
-  : manifest(spec, opts)
-  p.then(manifest => {
-    !manifest._fakeChild && stream.emit('manifest', manifest)
-    const fetchStream = fromManifest(manifest, spec, opts).on(
+  let mani
+  if (
+    opts.resolved &&
+    // spec.type === 'version' &&
+    opts.resolved.indexOf(registry) === 0
+  ) {
+    // fakeChild is a shortcut to avoid looking up a manifest!
+    mani = BB.resolve({
+      name: spec.name,
+      version: spec.fetchSpec,
+      _integrity: opts.integrity,
+      _resolved: opts.resolved,
+      _fakeChild: true
+    })
+  } else {
+    // We can't trust opts.resolved if it's going to a separate host.
+    mani = manifest(spec, opts)
+  }
+  mani.then(mani => {
+    !mani._fakeChild && stream.emit('manifest', mani)
+    const fetchStream = fromManifest(mani, spec, opts).on(
       'integrity', i => stream.emit('integrity', i)
     )
     fetchStream.on('error', err => stream.emit('error', err))
@@ -40,33 +51,27 @@ function fromManifest (manifest, spec, opts) {
   opts.scope = spec.scope || opts.scope
   const stream = new PassThrough()
   const registry = pickRegistry(spec, opts)
-  getTarballUrl(spec, registry, manifest, opts)
-  .then(uri => {
-    return fetch(uri, registry, Object.assign({
-      headers: {
-        'pacote-req-type': 'tarball',
-        'pacote-pkg-id': `registry:${
-          spec.type === 'remote'
-          ? spec
-          : `${manifest.name}@${manifest.version}`
-        }`
-      },
-      integrity: manifest._integrity,
-      algorithms: [
-        manifest._integrity
-        ? ssri.parse(manifest._integrity).pickAlgorithm()
-        : 'sha1'
-      ],
-      spec
-    }, opts))
-    .then(res => {
-      const hash = res.headers.get('x-local-cache-hash')
-      if (hash) {
-        stream.emit('integrity', decodeURIComponent(hash))
-      }
-      res.body.on('error', err => stream.emit('error', err))
-      res.body.pipe(stream)
-    })
+  const uri = getTarballUrl(spec, registry, manifest, opts)
+  fetch(uri, registry, Object.assign({
+    headers: {
+      'pacote-req-type': 'tarball',
+      'pacote-pkg-id': `registry:${manifest.name}@${uri}`
+    },
+    integrity: manifest._integrity,
+    algorithms: [
+      manifest._integrity
+      ? ssri.parse(manifest._integrity).pickAlgorithm()
+      : 'sha1'
+    ],
+    spec
+  }, opts))
+  .then(res => {
+    const hash = res.headers.get('x-local-cache-hash')
+    if (hash) {
+      stream.emit('integrity', decodeURIComponent(hash))
+    }
+    res.body.on('error', err => stream.emit('error', err))
+    res.body.pipe(stream)
   })
   .catch(err => stream.emit('error', err))
   return stream
@@ -74,40 +79,23 @@ function fromManifest (manifest, spec, opts) {
 function getTarballUrl (spec, registry, mani, opts) {
   const reg = url.parse(registry)
-  const tarball = url.parse(opts.resolved || mani._resolved)
-  return (
-    // We cannot trust opts.resolved as-is: there can only be one registry per
-    // "scope" on any individual npm run, so we have to take any previously
-    // resolved fields and check them against the current registry -- if they
-    // don't match, we need to do a manifest fetch from the correct registry to
-    // get the tarball URL we're trying to reference.
-    (!opts.resolved || reg.hostname === tarball.hostname)
-    ? Promise.resolve(Object.assign(mani, {
-      _resolved: opts.resolved || mani._resolved
-    }))
-    // This second lookup should ONLY happen when we didn't already do a
-    // registry lookup earlier.
-    : manifest(spec, opts)
-  )
-  .then(mani => {
-    const tarball = url.parse(mani._resolved)
-    // https://github.com/npm/npm/pull/9471
-    //
-    // TL;DR: Some alternative registries host tarballs on http and packuments
-    // on https, and vice-versa. There's also a case where people who can't use
-    // SSL to access the npm registry, for example, might use
-    // `--registry=http://registry.npmjs.org/`. In this case, we need to
-    // rewrite `tarball` to match the protocol.
-    //
-    if (reg.hostname === tarball.hostname && reg.protocol !== tarball.protocol) {
-      tarball.protocol = reg.protocol
-      // Ports might be same host different protocol!
-      if (reg.port !== tarball.port) {
-        delete tarball.host
-        tarball.port = reg.port
-      }
-      delete tarball.href
+  const tarball = url.parse(mani._resolved)
+  // https://github.com/npm/npm/pull/9471
+  //
+  // TL;DR: Some alternative registries host tarballs on http and packuments
+  // on https, and vice-versa. There's also a case where people who can't use
+  // SSL to access the npm registry, for example, might use
+  // `--registry=http://registry.npmjs.org/`. In this case, we need to
+  // rewrite `tarball` to match the protocol.
+  //
+  if (reg.hostname === tarball.hostname && reg.protocol !== tarball.protocol) {
+    tarball.protocol = reg.protocol
+    // Ports might be same host different protocol!
+    if (reg.port !== tarball.port) {
+      delete tarball.host
+      tarball.port = reg.port
     }
-    return Promise.resolve(url.format(tarball))
-  })
+    delete tarball.href
+  }
+  return url.format(tarball)
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "7.3.2",
+  "version": "7.3.3",
   "description": "JavaScript package downloader",
   "main": "index.js",
   "files": [