pacote 9.5.4 → 9.5.5

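--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,18 @@
 
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+ <a name="9.5.5"></a>
+ ## [9.5.5](https://github.com/npm/pacote/compare/v9.5.4...v9.5.5) (2019-08-12)
+
+
+ ### Bug Fixes
+
+ * don't pass uid/gid to cacache ([0a0c73c](https://github.com/npm/pacote/commit/0a0c73c))
+ * Infer owner of all unpacked files ([f12e7ef](https://github.com/npm/pacote/commit/f12e7ef))
+ * invalid arg detection in extract() ([b4dc363](https://github.com/npm/pacote/commit/b4dc363)), closes [#5](https://github.com/npm/pacote/issues/5) [#6](https://github.com/npm/pacote/issues/6)
+
+
+
  <a name="9.5.4"></a>
  ## [9.5.4](https://github.com/npm/pacote/compare/v9.5.3...v9.5.4) (2019-07-16)
 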
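--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,5 +1,5 @@
  The MIT License (MIT)
- Copyright (c) 2017 Kat Marchán
+ Copyright (c) Kat Marchán, npm, Inc., and Contributors
 
  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to deal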
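--- a/package/extract.js
+++ b/package/extract.js
@@ -10,41 +10,60 @@ const optCheck = require('./lib/util/opt-check.js')
  const path = require('path')
  const rimraf = BB.promisify(require('rimraf'))
  const withTarballStream = require('./lib/with-tarball-stream.js')
+ const inferOwner = require('infer-owner')
+ const chown = BB.promisify(fs.chown)
 
  const truncateAsync = BB.promisify(fs.truncate)
  const readFileAsync = BB.promisify(fs.readFile)
  const appendFileAsync = BB.promisify(fs.appendFile)
 
+ // you used to call me on my...
+ const selfOwner = process.getuid ? {
+ uid: process.getuid(),
+ gid: process.getgid()
+ } : {
+ uid: undefined,
+ gid: undefined
+ }
+
  module.exports = extract
  function extract (spec, dest, opts) {
  opts = optCheck(opts)
  spec = npa(spec, opts.where)
+ if (spec.type === 'git' && !opts.cache) {
+ throw new TypeError('Extracting git packages requires a cache folder')
+ }
+ if (typeof dest !== 'string') {
+ throw new TypeError('Extract requires a destination')
+ }
  const startTime = Date.now()
-
- return withTarballStream(spec, opts, stream => {
- return tryExtract(spec, stream, dest, opts)
- })
- .then(() => {
- if (!opts.resolved) {
- const pjson = path.join(dest, 'package.json')
- return readFileAsync(pjson, 'utf8')
- .then(str => truncateAsync(pjson)
- .then(() => appendFileAsync(pjson, str.replace(
- /}\s*$/,
- `\n,"_resolved": ${
- JSON.stringify(opts.resolved || '')
- }\n,"_integrity": ${
- JSON.stringify(opts.integrity || '')
- }\n,"_from": ${
- JSON.stringify(spec.toString())
- }\n}`
- ))))
- }
+ return inferOwner(dest).then(({ uid, gid }) => {
+ opts = opts.concat({ uid, gid })
+ return withTarballStream(spec, opts, stream => {
+ return tryExtract(spec, stream, dest, opts)
  })
- .then(() => opts.log.silly(
- 'extract',
- `${spec} extracted to ${dest} (${Date.now() - startTime}ms)`
- ))
+ .then(() => {
+ if (!opts.resolved) {
+ const pjson = path.join(dest, 'package.json')
+ return readFileAsync(pjson, 'utf8')
+ .then(str => truncateAsync(pjson)
+ .then(() => appendFileAsync(pjson, str.replace(
+ /}\s*$/,
+ `\n,"_resolved": ${
+ JSON.stringify(opts.resolved || '')
+ }\n,"_integrity": ${
+ JSON.stringify(opts.integrity || '')
+ }\n,"_from": ${
+ JSON.stringify(spec.toString())
+ }\n}`
+ ))))
+ }
+ })
+ .then(() => opts.log.silly(
+ 'extract',
+ `${spec} extracted to ${dest} (${Date.now() - startTime}ms)`
+ ))
+ })
  }
 
  function tryExtract (spec, tarStream, dest, opts) {
@@ -53,6 +72,14 @@ function tryExtract (spec, tarStream, dest, opts) {
 
  rimraf(dest)
  .then(() => mkdirp(dest))
+ .then(() => {
+ // respect the current ownership of unpack targets
+ if (typeof selfOwner.uid === 'number' &&
+ typeof selfOwner.gid === 'number' &&
+ selfOwner.uid !== opts.uid && selfOwner.gid !== opts.gid) {
+ return chown(dest, opts.uid, opts.gid)
+ }
+ })
  .then(() => {
  const xtractor = extractStream(spec, dest, opts)
  xtractor.on('error', reject)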
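Review bot: The ownership guard added in tryExtract joins the uid and gid comparisons with `&&`, so `chown(dest, opts.uid, opts.gid)` runs only when both ids differ from the current process. When just one differs (a different uid with the same gid, say), the freshly created `dest` keeps the process's ownership, which is the case the "respect the current ownership" comment says it wants to avoid. The last clause should read `(selfOwner.uid !== opts.uid || selfOwner.gid !== opts.gid)`. The check also relies on `opts.uid`/`opts.gid` being the values extract() gets from `inferOwner(dest)`, which a short comment here could state. tryExtract's body starts and ends outside this hunk.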
@@ -60,8 +60,6 @@ Fetcher.impl(fetchFile, {
60
60
  : (pipe(
61
61
  fs.createReadStream(src),
62
62
  cacache.put.stream(opts.cache, `pacote:tarball:${src}`, {
63
- uid: opts.uid,
64
- gid: opts.gid,
65
63
  integrity: opts.integrity
66
64
  }).on('integrity', d => { integrity = d })
67
65
  ))
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pacote",
3
- "version": "9.5.4",
3
+ "version": "9.5.5",
4
4
  "description": "JavaScript package downloader",
5
5
  "main": "index.js",
6
6
  "files": [
@@ -42,10 +42,11 @@
42
42
  "license": "MIT",
43
43
  "dependencies": {
44
44
  "bluebird": "^3.5.3",
45
- "cacache": "^12.0.0",
45
+ "cacache": "^12.0.2",
46
46
  "figgy-pudding": "^3.5.1",
47
47
  "get-stream": "^4.1.0",
48
48
  "glob": "^7.1.3",
49
+ "infer-owner": "^1.0.4",
49
50
  "lru-cache": "^5.1.1",
50
51
  "make-fetch-happen": "^5.0.0",
51
52
  "minimatch": "^3.0.4",