pacote 9.5.4 → 9.5.8

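--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,43 @@
 
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+ <a name="9.5.8"></a>
+ ## [9.5.8](https://github.com/npm/pacote/compare/v9.5.7...v9.5.8) (2019-08-20)
+
+
+
+ <a name="9.5.7"></a>
+ ## [9.5.7](https://github.com/npm/pacote/compare/v9.5.6...v9.5.7) (2019-08-19)
+
+
+ ### Bug Fixes
+
+ * do not try to chown if not running as root ([bbc5da3](https://github.com/npm/pacote/commit/bbc5da3))
+
+
+
+ <a name="9.5.6"></a>
+ ## [9.5.6](https://github.com/npm/pacote/compare/v9.5.5...v9.5.6) (2019-08-15)
+
+
+ ### Bug Fixes
+
+ * **extract:** chown properly when more than one directory is made ([5161828](https://github.com/npm/pacote/commit/5161828))
+
+
+
+ <a name="9.5.5"></a>
+ ## [9.5.5](https://github.com/npm/pacote/compare/v9.5.4...v9.5.5) (2019-08-12)
+
+
+ ### Bug Fixes
+
+ * don't pass uid/gid to cacache ([0a0c73c](https://github.com/npm/pacote/commit/0a0c73c))
+ * Infer owner of all unpacked files ([f12e7ef](https://github.com/npm/pacote/commit/f12e7ef))
+ * invalid arg detection in extract() ([b4dc363](https://github.com/npm/pacote/commit/b4dc363)), closes [#5](https://github.com/npm/pacote/issues/5) [#6](https://github.com/npm/pacote/issues/6)
+
+
+
  <a name="9.5.4"></a>
  ## [9.5.4](https://github.com/npm/pacote/compare/v9.5.3...v9.5.4) (2019-07-16)
 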
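--- a/package/LICENSE
+++ b/package/LICENSE
@@ -1,5 +1,5 @@
  The MIT License (MIT)
- Copyright (c) 2017 Kat Marchán
+ Copyright (c) Kat Marchán, npm, Inc., and Contributors
 
  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to deal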
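--- a/package/extract.js
+++ b/package/extract.js
@@ -10,41 +10,60 @@ const optCheck = require('./lib/util/opt-check.js')
  const path = require('path')
  const rimraf = BB.promisify(require('rimraf'))
  const withTarballStream = require('./lib/with-tarball-stream.js')
+ const inferOwner = require('infer-owner')
+ const chown = BB.promisify(require('chownr'))
 
  const truncateAsync = BB.promisify(fs.truncate)
  const readFileAsync = BB.promisify(fs.readFile)
  const appendFileAsync = BB.promisify(fs.appendFile)
 
+ // you used to call me on my...
+ const selfOwner = process.getuid ? {
+ uid: process.getuid(),
+ gid: process.getgid()
+ } : {
+ uid: undefined,
+ gid: undefined
+ }
+
  module.exports = extract
  function extract (spec, dest, opts) {
  opts = optCheck(opts)
  spec = npa(spec, opts.where)
+ if (spec.type === 'git' && !opts.cache) {
+ throw new TypeError('Extracting git packages requires a cache folder')
+ }
+ if (typeof dest !== 'string') {
+ throw new TypeError('Extract requires a destination')
+ }
  const startTime = Date.now()
-
- return withTarballStream(spec, opts, stream => {
- return tryExtract(spec, stream, dest, opts)
- })
- .then(() => {
- if (!opts.resolved) {
- const pjson = path.join(dest, 'package.json')
- return readFileAsync(pjson, 'utf8')
- .then(str => truncateAsync(pjson)
- .then(() => appendFileAsync(pjson, str.replace(
- /}\s*$/,
- `\n,"_resolved": ${
- JSON.stringify(opts.resolved || '')
- }\n,"_integrity": ${
- JSON.stringify(opts.integrity || '')
- }\n,"_from": ${
- JSON.stringify(spec.toString())
- }\n}`
- ))))
- }
+ return inferOwner(dest).then(({ uid, gid }) => {
+ opts = opts.concat({ uid, gid })
+ return withTarballStream(spec, opts, stream => {
+ return tryExtract(spec, stream, dest, opts)
  })
- .then(() => opts.log.silly(
- 'extract',
- `${spec} extracted to ${dest} (${Date.now() - startTime}ms)`
- ))
+ .then(() => {
+ if (!opts.resolved) {
+ const pjson = path.join(dest, 'package.json')
+ return readFileAsync(pjson, 'utf8')
+ .then(str => truncateAsync(pjson)
+ .then(() => appendFileAsync(pjson, str.replace(
+ /}\s*$/,
+ `\n,"_resolved": ${
+ JSON.stringify(opts.resolved || '')
+ }\n,"_integrity": ${
+ JSON.stringify(opts.integrity || '')
+ }\n,"_from": ${
+ JSON.stringify(spec.toString())
+ }\n}`
+ ))))
+ }
+ })
+ .then(() => opts.log.silly(
+ 'extract',
+ `${spec} extracted to ${dest} (${Date.now() - startTime}ms)`
+ ))
+ })
  }
 
  function tryExtract (spec, tarStream, dest, opts) {
@@ -53,6 +72,15 @@ function tryExtract (spec, tarStream, dest, opts) {
 
  rimraf(dest)
  .then(() => mkdirp(dest))
+ .then((made) => {
+ // respect the current ownership of unpack targets
+ // but don't try to chown if we're not root.
+ if (selfOwner.uid === 0 &&
+ typeof selfOwner.gid === 'number' &&
+ selfOwner.uid !== opts.uid && selfOwner.gid !== opts.gid) {
+ return chown(made || dest, opts.uid, opts.gid)
+ }
+ })
  .then(() => {
  const xtractor = extractStream(spec, dest, opts)
  xtractor.on('error', reject)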
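Review bot: In the new `.then((made) => …)` step of tryExtract, the uid and gid comparisons are joined with `&&`, so a root process skips the chown whenever either id already matches the inferred owner. A destination owned by a non-root user whose group is gid 0 would therefore keep root-owned directories created by `mkdirp`, which is the situation the comment says the step should prevent. If the intent is to chown whenever the inferred owner differs from the running process, the last line of the condition would read `(selfOwner.uid !== opts.uid || selfOwner.gid !== opts.gid)) {`. tryExtract starts before and continues past this hunk, so whether a later step corrects ownership is not visible here.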
Binary file
Binary file
@@ -60,8 +60,6 @@ Fetcher.impl(fetchFile, {
60
60
  : (pipe(
61
61
  fs.createReadStream(src),
62
62
  cacache.put.stream(opts.cache, `pacote:tarball:${src}`, {
63
- uid: opts.uid,
64
- gid: opts.gid,
65
63
  integrity: opts.integrity
66
64
  }).on('integrity', d => { integrity = d })
67
65
  ))
@@ -27,7 +27,7 @@ function getManifest (spec, opts) {
27
27
  includeDeprecated: opts.includeDeprecated
28
28
  })
29
29
  } catch (err) {
30
- if (err.code === 'ETARGET' && packument._cached && !opts.offline) {
30
+ if ((err.code === 'ETARGET' || err.code === 'E403') && packument._cached && !opts.offline) {
31
31
  opts.log.silly(
32
32
  'registry:manifest',
33
33
  `no matching version for ${spec.name}@${spec.fetchSpec} in the cache. Forcing revalidation.`
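Review bot: The silly-level message in this branch still reads `no matching version for … in the cache. Forcing revalidation.` when the branch is entered for `E403`, so a forbidden response and a stale cache look identical in the logs. Including the code, for example `${err.code}: no matching version for ${spec.name}@${spec.fetchSpec} in the cache. Forcing revalidation.`, would keep the two cases apart for anyone auditing install behaviour. A one-line comment on why `E403` is safe to retry against the registry would also help; it presumably relates to the npm-pick-manifest major bump in this release, but the hunk does not say. getManifest starts and ends outside the hunk.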
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pacote",
3
- "version": "9.5.4",
3
+ "version": "9.5.8",
4
4
  "description": "JavaScript package downloader",
5
5
  "main": "index.js",
6
6
  "files": [
@@ -42,10 +42,12 @@
42
42
  "license": "MIT",
43
43
  "dependencies": {
44
44
  "bluebird": "^3.5.3",
45
- "cacache": "^12.0.0",
45
+ "cacache": "^12.0.2",
46
+ "chownr": "^1.1.2",
46
47
  "figgy-pudding": "^3.5.1",
47
48
  "get-stream": "^4.1.0",
48
49
  "glob": "^7.1.3",
50
+ "infer-owner": "^1.0.4",
49
51
  "lru-cache": "^5.1.1",
50
52
  "make-fetch-happen": "^5.0.0",
51
53
  "minimatch": "^3.0.4",
@@ -55,7 +57,7 @@
55
57
  "normalize-package-data": "^2.4.0",
56
58
  "npm-package-arg": "^6.1.0",
57
59
  "npm-packlist": "^1.1.12",
58
- "npm-pick-manifest": "^2.2.3",
60
+ "npm-pick-manifest": "^3.0.0",
59
61
  "npm-registry-fetch": "^4.0.0",
60
62
  "osenv": "^0.1.5",
61
63
  "promise-inflight": "^1.0.1",
@@ -65,7 +67,7 @@
65
67
  "safe-buffer": "^5.1.2",
66
68
  "semver": "^5.6.0",
67
69
  "ssri": "^6.0.1",
68
- "tar": "^4.4.8",
70
+ "tar": "^4.4.10",
69
71
  "unique-filename": "^1.1.1",
70
72
  "which": "^1.3.1"
71
73
  },