pepr 0.42.0 → 0.42.1

package/src/lib/controller/index.ts

@@ -78,7 +78,7 @@ export class Controller {
   }
 
   /** Start the webhook server */
-  startServer = (port: number) => {
+  startServer = (port: number): void => {
     if (this.#running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
@@ -133,7 +133,7 @@ export class Controller {
     });
   };
 
-  #bindEndpoints = () => {
+  #bindEndpoints = (): void => {
     // Health check endpoint
     this.#app.get("/healthz", Controller.#healthz);
 
@@ -162,7 +162,7 @@ export class Controller {
    * @param next The next middleware function
    * @returns
    */
-  #validateToken = (req: express.Request, res: express.Response, next: NextFunction) => {
+  #validateToken = (req: express.Request, res: express.Response, next: NextFunction): void => {
     // Validate the token
     const { token } = req.params;
     if (token !== this.#token) {
@@ -183,7 +183,7 @@ export class Controller {
    * @param req the incoming request
    * @param res the outgoing response
    */
-  #metrics = async (req: express.Request, res: express.Response) => {
+  #metrics = async (req: express.Request, res: express.Response): Promise<void> => {
     try {
       // https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#basic-info
       res.set("Content-Type", "text/plain; version=0.0.4");
@@ -200,7 +200,9 @@ export class Controller {
    * @param admissionKind the type of admission request
    * @returns the request handler
    */
-  #admissionReq = (admissionKind: "Mutate" | "Validate") => {
+  #admissionReq = (
+    admissionKind: "Mutate" | "Validate",
+  ): ((req: express.Request, res: express.Response) => Promise<void>) => {
     // Create the admission request handler
     return async (req: express.Request, res: express.Response) => {
       // Start the metrics timer
@@ -259,7 +261,7 @@ export class Controller {
    * @param res the outgoing response
    * @param next the next middleware function
    */
-  static #logger(req: express.Request, res: express.Response, next: express.NextFunction) {
+  static #logger(req: express.Request, res: express.Response, next: express.NextFunction): void {
     const startTime = Date.now();
 
     res.on("finish", () => {
@@ -288,7 +290,7 @@ export class Controller {
    * @param req the incoming request
    * @param res the outgoing response
    */
-  static #healthz(req: express.Request, res: express.Response) {
+  static #healthz(req: express.Request, res: express.Response): void {
     try {
       res.send("OK");
     } catch (err) {

package/src/lib/controller/store.ts

@@ -12,7 +12,8 @@ import { DataOp, DataSender, DataStore, Storage } from "../storage";
 import { fillStoreCache, sendUpdatesAndFlushCache } from "./storeCache";
 
 const namespace = "pepr-system";
-export const debounceBackoff = 1000;
+const debounceBackoffReceive = 1000;
+const debounceBackoffSend = 4000;
 
 export class StoreController {
   #name: string;
@@ -25,7 +26,7 @@ export class StoreController {
 
     this.#name = name;
 
-    const setStorageInstance = (registrationFunction: () => Storage, name: string) => {
+    const setStorageInstance = (registrationFunction: () => Storage, name: string): void => {
       const scheduleStore = registrationFunction();
 
       // Bind the store sender to the capability
@@ -61,13 +62,22 @@ export class StoreController {
     );
   }
 
-  #setupWatch = () => {
+  #setupWatch = (): void => {
     const watcher = K8s(Store, { name: this.#name, namespace }).Watch(this.#receive);
     watcher.start().catch(e => Log.error(e, "Error starting Pepr store watch"));
   };
 
-  #migrateAndSetupWatch = async (store: Store) => {
+  #migrateAndSetupWatch = async (store: Store): Promise<void> => {
     Log.debug(redactedStore(store), "Pepr Store migration");
+    // Add cacheID label to store
+    await K8s(Store, { namespace, name: this.#name }).Patch([
+      {
+        op: "add",
+        path: "/metadata/labels/pepr.dev-cacheID",
+        value: `${Date.now()}`,
+      },
+    ]);
+
     const data: DataStore = store.data || {};
     let storeCache: Record<string, Operation> = {};
 
@@ -96,11 +106,11 @@ export class StoreController {
     this.#setupWatch();
   };
 
-  #receive = (store: Store) => {
+  #receive = (store: Store): void => {
     Log.debug(redactedStore(store), "Pepr Store update");
 
     // Wrap the update in a debounced function
-    const debounced = () => {
+    const debounced = (): void => {
       // Base64 decode the data
       const data: DataStore = store.data || {};
 
@@ -134,10 +144,10 @@ export class StoreController {
 
     // Debounce the update to 1 second to avoid multiple rapid calls
     clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
+    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoffReceive);
   };
 
-  #send = (capabilityName: string) => {
+  #send = (capabilityName: string): DataSender => {
     let storeCache: Record<string, Operation> = {};
 
     // Create a sender function for the capability to add/remove data from the store
@@ -151,12 +161,12 @@ export class StoreController {
         Log.debug(redactedPatch(storeCache), "Sending updates to Pepr store");
         void sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
       }
-    }, debounceBackoff);
+    }, debounceBackoffSend);
 
     return sender;
   };
 
-  #createStoreResource = async (e: unknown) => {
+  #createStoreResource = async (e: unknown): Promise<void> => {
     Log.info(`Pepr store not found, creating...`);
     Log.debug(e);
 
@@ -165,6 +175,9 @@ export class StoreController {
         metadata: {
           name: this.#name,
           namespace,
+          labels: {
+            "pepr.dev-cacheID": `${Date.now()}`,
+          },
         },
         data: {
           // JSON Patch will die if the data is empty, so we need to add a placeholder

package/src/lib/controller/storeCache.ts

@@ -11,7 +11,7 @@ export const sendUpdatesAndFlushCache = async (cache: Record<string, Operation>,
 
   try {
     if (payload.length > 0) {
-      await K8s(Store, { namespace, name }).Patch(payload); // Send patch to cluster
+      await K8s(Store, { namespace, name }).Patch(updateCacheID(payload)); // Send patch to cluster
       Object.keys(cache).forEach(key => delete cache[key]);
     }
   } catch (err) {
@@ -61,3 +61,12 @@ export const fillStoreCache = (
   }
   return cache;
 };
+
+export function updateCacheID(payload: Operation[]): Operation[] {
+  payload.push({
+    op: "replace",
+    path: "/metadata/labels/pepr.dev-cacheID",
+    value: `${Date.now()}`,
+  });
+  return payload;
+}

package/src/lib/mutate-request.ts

@@ -11,19 +11,19 @@ export class PeprMutateRequest<T extends KubernetesObject> {
   Raw: T;
   #input: AdmissionRequest<T>;
 
-  get PermitSideEffects() {
+  get PermitSideEffects(): boolean {
     return !this.#input.dryRun;
   }
 
-  get IsDryRun() {
+  get IsDryRun(): boolean | undefined {
     return this.#input.dryRun;
   }
 
-  get OldResource() {
+  get OldResource(): KubernetesObject | undefined {
     return this.#input.oldObject;
   }
 
-  get Request() {
+  get Request(): AdmissionRequest<KubernetesObject> {
     return this.#input;
   }
 
@@ -42,11 +42,11 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     }
   }
 
-  Merge = (obj: DeepPartial<T>) => {
+  Merge = (obj: DeepPartial<T>): void => {
     this.Raw = mergeDeepRight(this.Raw, obj) as unknown as T;
   };
 
-  SetLabel = (key: string, value: string) => {
+  SetLabel = (key: string, value: string): this => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.labels = ref.metadata.labels ?? {};
@@ -54,7 +54,7 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     return this;
   };
 
-  SetAnnotation = (key: string, value: string) => {
+  SetAnnotation = (key: string, value: string): this => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.annotations = ref.metadata.annotations ?? {};
@@ -62,25 +62,25 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     return this;
   };
 
-  RemoveLabel = (key: string) => {
+  RemoveLabel = (key: string): this => {
     if (this.Raw.metadata?.labels?.[key]) {
       delete this.Raw.metadata.labels[key];
     }
     return this;
   };
 
-  RemoveAnnotation = (key: string) => {
+  RemoveAnnotation = (key: string): this => {
     if (this.Raw.metadata?.annotations?.[key]) {
       delete this.Raw.metadata.annotations[key];
     }
     return this;
   };
 
-  HasLabel = (key: string) => {
+  HasLabel = (key: string): boolean => {
     return this.Raw.metadata?.labels?.[key] !== undefined;
   };
 
-  HasAnnotation = (key: string) => {
+  HasAnnotation = (key: string): boolean => {
     return this.Raw.metadata?.annotations?.[key] !== undefined;
   };
 }

package/src/lib/queue.ts

@@ -29,11 +29,19 @@ export class Queue<K extends KubernetesObject> {
     this.#uid = `${Date.now()}-${randomBytes(2).toString("hex")}`;
   }
 
-  label() {
+  label(): { name: string; uid: string } {
     return { name: this.#name, uid: this.#uid };
   }
 
-  stats() {
+  stats(): {
+    queue: {
+      name: string;
+      uid: string;
+    };
+    stats: {
+      length: number;
+    };
+  } {
     return {
       queue: this.label(),
       stats: {
@@ -51,7 +59,7 @@ export class Queue<K extends KubernetesObject> {
    * @param reconcile The callback to enqueue for reconcile
    * @returns A promise that resolves when the object is reconciled
    */
-  enqueue(item: K, phase: WatchPhase, reconcile: WatchCallback) {
+  enqueue(item: K, phase: WatchPhase, reconcile: WatchCallback): Promise<void> {
     const note = {
       queue: this.label(),
       item: {
@@ -73,7 +81,7 @@ export class Queue<K extends KubernetesObject> {
    *
    * @returns A promise that resolves when the webapp is reconciled
    */
-  async #dequeue() {
+  async #dequeue(): Promise<false | undefined> {
     // If there is a pending promise, do nothing
     if (this.#pendingPromise) {
       Log.debug("Pending promise, not dequeuing");

package/src/lib/storage.ts

@@ -12,6 +12,11 @@ export type Unsubscribe = () => void;
 const MAX_WAIT_TIME = 15000;
 const STORE_VERSION_PREFIX = "v2";
 
+interface WaitRecord {
+  timeout?: ReturnType<typeof setTimeout>;
+  unsubscribe?: () => void;
+}
+
 export function v2StoreKey(key: string): string {
   return `${STORE_VERSION_PREFIX}-${pointer.escape(key)}`;
 }
@@ -58,13 +63,13 @@ export interface PeprStore {
    * Sets the value of the pair identified by key to value, creating a new key/value pair if none existed for key previously.
    * Resolves when the key/value show up in the store.
    */
-  setItemAndWait(key: string, value: string): Promise<void>;
+  setItemAndWait(key: string, value: string): Promise<string>;
 
   /**
    * Remove the value of the key.
    * Resolves when the key does not show up in the store.
    */
-  removeItemAndWait(key: string): Promise<void>;
+  removeItemAndWait(key: string): Promise<string>;
 }
 
 /**
@@ -128,22 +133,24 @@ export class Storage implements PeprStore {
    * @param value - The value of the key
    * @returns
    */
-  setItemAndWait = (key: string, value: string): Promise<void> => {
+  setItemAndWait = (key: string, value: string): Promise<string> => {
     this.#dispatchUpdate("add", [v2StoreKey(key)], value);
+    const record: WaitRecord = {};
 
-    return new Promise<void>((resolve, reject) => {
-      const unsubscribe = this.subscribe(data => {
+    return new Promise<string>((resolve, reject) => {
+      // If promise has not resolved before MAX_WAIT_TIME reject
+      record.timeout = setTimeout(() => {
+        record.unsubscribe!();
+        return reject(`MAX_WAIT_TIME elapsed: Key ${key} not seen in ${MAX_WAIT_TIME / 1000}s`);
+      }, MAX_WAIT_TIME);
+
+      record.unsubscribe = this.subscribe(data => {
         if (data[`${v2UnescapedStoreKey(key)}`] === value) {
-          unsubscribe();
-          resolve();
+          record.unsubscribe!();
+          clearTimeout(record.timeout);
+          resolve("ok");
         }
       });
-
-      // If promise has not resolved before MAX_WAIT_TIME reject
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
     });
   };
 
@@ -154,21 +161,23 @@ export class Storage implements PeprStore {
    * @param key - The key to add into the store
    * @returns
    */
-  removeItemAndWait = (key: string): Promise<void> => {
+  removeItemAndWait = (key: string): Promise<string> => {
     this.#dispatchUpdate("remove", [v2StoreKey(key)]);
-    return new Promise<void>((resolve, reject) => {
-      const unsubscribe = this.subscribe(data => {
+    const record: WaitRecord = {};
+    return new Promise<string>((resolve, reject) => {
+      // If promise has not resolved before MAX_WAIT_TIME reject
+      record.timeout = setTimeout(() => {
+        record.unsubscribe!();
+        return reject(`MAX_WAIT_TIME elapsed: Key ${key} still seen after ${MAX_WAIT_TIME / 1000}s`);
+      }, MAX_WAIT_TIME);
+
+      record.unsubscribe = this.subscribe(data => {
         if (!Object.hasOwn(data, `${v2UnescapedStoreKey(key)}`)) {
-          unsubscribe();
-          resolve();
+          record.unsubscribe!();
+          clearTimeout(record.timeout);
+          resolve("ok");
         }
       });
-
-      // If promise has not resolved before MAX_WAIT_TIME reject
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
     });
   };
 

package/src/lib/utils.ts

@@ -4,14 +4,14 @@
 import Log from "./telemetry/logger";
 
 /** Test if a string is ascii or not */
-export const isAscii = /^[\s\x20-\x7E]*$/;
+export const isAscii: RegExp = /^[\s\x20-\x7E]*$/;
 
 /**
  * Encode all ascii values in a map to base64
  * @param obj The object to encode
  * @param skip A list of keys to skip encoding
  */
-export function convertToBase64Map(obj: { data?: Record<string, string> }, skip: string[]) {
+export function convertToBase64Map(obj: { data?: Record<string, string> }, skip: string[]): void {
   obj.data = obj.data ?? {};
   for (const key in obj.data) {
     const value = obj.data[key];
@@ -25,7 +25,7 @@ export function convertToBase64Map(obj: { data?: Record<string, string> }, skip:
  * @param obj The object to decode
  * @returns A list of keys that were skipped
  */
-export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
+export function convertFromBase64Map(obj: { data?: Record<string, string> }): string[] {
   const skip: string[] = [];
 
   obj.data = obj.data ?? {};
@@ -47,11 +47,11 @@ export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
 }
 
 /** Decode a base64 string */
-export function base64Decode(data: string) {
+export function base64Decode(data: string): string {
   return Buffer.from(data, "base64").toString("utf-8");
 }
 
 /** Encode a string to base64 */
-export function base64Encode(data: string) {
+export function base64Encode(data: string): string {
   return Buffer.from(data).toString("base64");
 }

package/src/lib/validate-processor.ts

@@ -1,17 +1,56 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { kind } from "kubernetes-fluent-client";
-
+import { kind, KubernetesObject } from "kubernetes-fluent-client";
 import { Capability } from "./capability";
 import { shouldSkipRequest } from "./filter/filter";
 import { ValidateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
+import { AdmissionRequest, Binding } from "./types";
 import Log from "./telemetry/logger";
 import { convertFromBase64Map } from "./utils";
 import { PeprValidateRequest } from "./validate-request";
 import { ModuleConfig } from "./module";
 
+export async function processRequest(
+  binding: Binding,
+  actionMetadata: Record<string, string>,
+  peprValidateRequest: PeprValidateRequest<KubernetesObject>,
+): Promise<ValidateResponse> {
+  const label = binding.validateCallback!.name;
+  Log.info(actionMetadata, `Processing validation action (${label})`);
+
+  const valResp: ValidateResponse = {
+    uid: peprValidateRequest.Request.uid,
+    allowed: true, // Assume it's allowed until a validation check fails
+  };
+
+  try {
+    // Run the validation callback, if it fails set allowed to false
+    const callbackResp = await binding.validateCallback!(peprValidateRequest);
+    valResp.allowed = callbackResp.allowed;
+
+    // If the validation callback returned a status code or message, set it in the Response
+    if (callbackResp.statusCode || callbackResp.statusMessage) {
+      valResp.status = {
+        code: callbackResp.statusCode || 400,
+        message: callbackResp.statusMessage || `Validation failed for ${name}`,
+      };
+    }
+
+    Log.info(actionMetadata, `Validation action complete (${label}): ${callbackResp.allowed ? "allowed" : "denied"}`);
+    return valResp;
+  } catch (e) {
+    // If any validation throws an error, note the failure in the Response
+    Log.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
+    valResp.allowed = false;
+    valResp.status = {
+      code: 500,
+      message: `Action failed with error: ${JSON.stringify(e)}`,
+    };
+    return valResp;
+  }
+}
+
 export async function validateProcessor(
   config: ModuleConfig,
   capabilities: Capability[],
@@ -32,52 +71,21 @@ export async function validateProcessor(
   for (const { name, bindings, namespaces } of capabilities) {
     const actionMetadata = { ...reqMetadata, name };
 
-    for (const action of bindings) {
+    for (const binding of bindings) {
       // Skip this action if it's not a validation action
-      if (!action.validateCallback) {
+      if (!binding.validateCallback) {
         continue;
       }
 
-      const localResponse: ValidateResponse = {
-        uid: req.uid,
-        allowed: true, // Assume it's allowed until a validation check fails
-      };
-
       // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
+      const shouldSkip = shouldSkipRequest(binding, req, namespaces, config?.alwaysIgnore?.namespaces);
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);
         continue;
       }
 
-      const label = action.validateCallback.name;
-      Log.info(actionMetadata, `Processing validation action (${label})`);
-
-      try {
-        // Run the validation callback, if it fails set allowed to false
-        const resp = await action.validateCallback(wrapped);
-        localResponse.allowed = resp.allowed;
-
-        // If the validation callback returned a status code or message, set it in the Response
-        if (resp.statusCode || resp.statusMessage) {
-          localResponse.status = {
-            code: resp.statusCode || 400,
-            message: resp.statusMessage || `Validation failed for ${name}`,
-          };
-        }
-
-        Log.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
-      } catch (e) {
-        // If any validation throws an error, note the failure in the Response
-        Log.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
-        localResponse.allowed = false;
-        localResponse.status = {
-          code: 500,
-          message: `Action failed with error: ${JSON.stringify(e)}`,
-        };
-        return [localResponse];
-      }
-      response.push(localResponse);
+      const resp = await processRequest(binding, actionMetadata, wrapped);
+      response.push(resp);
     }
   }
 

package/src/lib/watch-processor.ts

@@ -20,7 +20,7 @@ const queues: Record<string, Queue<KubernetesObject>> = {};
  * @param obj The object to derive a key from
  * @returns The key to a Queue in the list of queues
  */
-export function queueKey(obj: KubernetesObject) {
+export function queueKey(obj: KubernetesObject): string {
   const options = ["kind", "kindNs", "kindNsName", "global"];
   const d3fault = "kind";
 
@@ -40,7 +40,7 @@ export function queueKey(obj: KubernetesObject) {
   return lookup[strat];
 }
 
-export function getOrCreateQueue(obj: KubernetesObject) {
+export function getOrCreateQueue(obj: KubernetesObject): Queue<KubernetesObject> {
   const key = queueKey(obj);
   if (!queues[key]) {
     queues[key] = new Queue<KubernetesObject>(key);
@@ -74,7 +74,7 @@ const eventToPhaseMap = {
  *
  * @param capabilities The capabilities to load watches for
  */
-export function setupWatch(capabilities: Capability[], ignoredNamespaces?: string[]) {
+export function setupWatch(capabilities: Capability[], ignoredNamespaces?: string[]): void {
   capabilities.map(capability =>
     capability.bindings
       .filter(binding => binding.isWatch)
@@ -88,14 +88,18 @@ export function setupWatch(capabilities: Capability[], ignoredNamespaces?: strin
  * @param binding the binding to watch
  * @param capabilityNamespaces list of namespaces to filter on
  */
-async function runBinding(binding: Binding, capabilityNamespaces: string[], ignoredNamespaces?: string[]) {
+async function runBinding(
+  binding: Binding,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): Promise<void> {
   // Get the phases to match, fallback to any
   const phaseMatch: WatchPhase[] = eventToPhaseMap[binding.event] || eventToPhaseMap[Event.ANY];
 
   // The watch callback is run when an object is received or dequeued
   Log.debug({ watchCfg }, "Effective WatchConfig");
 
-  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase) => {
+  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase): Promise<void> => {
     // First, filter the object based on the phase
     if (phaseMatch.includes(phase)) {
       try {
@@ -117,7 +121,7 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
     }
   };
 
-  const handleFinalizerRemoval = async (kubernetesObject: KubernetesObject) => {
+  const handleFinalizerRemoval = async (kubernetesObject: KubernetesObject): Promise<void> => {
     if (!kubernetesObject.metadata?.deletionTimestamp) {
       return;
     }
@@ -191,7 +195,7 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
   }
 }
 
-export function logEvent(event: WatchEvent, message: string = "", obj?: KubernetesObject) {
+export function logEvent(event: WatchEvent, message: string = "", obj?: KubernetesObject): void {
   const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
   if (obj) {
     Log.debug(obj, logMessage);

package/src/sdk/cosign.ts

@@ -212,15 +212,15 @@ export async function verifyImage(
     url: `https://${X.iref.host}/v2/${X.iref.name}/manifests/${X.iref.tag}`,
   };
 
-  const supportsMediaType = async (url: string, mediaType: string) => {
+  const supportsMediaType = async (url: string, mediaType: string): Promise<boolean> => {
     return (await head(url, mediaType, { ca: tlsCrts }))["content-type"] === mediaType;
   };
 
-  const canOciV1Manifest = async (manifestUrl: string) => {
+  const canOciV1Manifest = async (manifestUrl: string): Promise<boolean> => {
     return supportsMediaType(manifestUrl, MediaTypeOciV1.Manifest);
   };
 
-  const canDockerV2Manifest = async (manifestUrl: string) => {
+  const canDockerV2Manifest = async (manifestUrl: string): Promise<boolean> => {
     return supportsMediaType(manifestUrl, MediaTypeDockerV2.Manifest);
   };
 
@@ -228,7 +228,7 @@ export async function verifyImage(
   const manifestResp =
     await canOciV1Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeOciV1.Manifest, {ca: tlsCrts}) :
     await canDockerV2Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeDockerV2.Manifest, {ca: tlsCrts}) :
-    (() => { throw "Can't pull image manifest with supported MediaType." })();
+    (():never => { throw "Can't pull image manifest with supported MediaType." })();
   X.manifest.content = manifestResp.body;
 
   X.manifest.digest = `sha256:${crypto