npm - pnpm - Versions diffs - 11.5.3 → 11.7.0 - Mend

pnpm 11.5.3 → 11.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/node_modules/node-gyp/.release-please-manifest.json +1 -1
package/dist/node_modules/node-gyp/gyp/.release-please-manifest.json +1 -1
package/dist/node_modules/node-gyp/gyp/pyproject.toml +4 -4
package/dist/node_modules/node-gyp/lib/download.js +3 -3
package/dist/node_modules/node-gyp/package.json +1 -1
package/dist/node_modules/semver/classes/range.js +11 -2
package/dist/node_modules/semver/classes/semver.js +19 -2
package/dist/node_modules/semver/package.json +2 -2
package/dist/node_modules/tar/dist/commonjs/header.js +51 -16
package/dist/node_modules/tar/dist/commonjs/index.min.js +3 -3
package/dist/node_modules/tar/dist/commonjs/pack.js +4 -5
package/dist/node_modules/tar/dist/commonjs/types.js +21 -1
package/dist/node_modules/tar/dist/esm/header.js +51 -16
package/dist/node_modules/tar/dist/esm/index.min.js +3 -3
package/dist/node_modules/tar/dist/esm/pack.js +4 -5
package/dist/node_modules/tar/dist/esm/types.js +20 -0
package/dist/node_modules/tar/package.json +11 -10
package/dist/pnpm.mjs +20910 -19771
package/dist/worker.js +408 -925
package/package.json +2 -1

package/dist/node_modules/node-gyp/.release-please-manifest.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-    ".": "12.3.0"
+    ".": "12.4.0"
 }

package/dist/node_modules/node-gyp/gyp/.release-please-manifest.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-    ".": "0.22.1"
+    ".": "0.22.2"
 }

package/dist/node_modules/node-gyp/gyp/pyproject.toml CHANGED Viewed

@@ -4,20 +4,20 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "gyp-next"
-version = "0.22.1"
+version = "0.22.2"
 authors = [
   { name="Node.js contributors", email="ryzokuken@disroot.org" },
 ]
 description = "A fork of the GYP build system for use in the Node.js projects"
 readme = "README.md"
-license = { file="LICENSE" }
+license = "BSD-3-Clause"
+license-files = ["LICENSE"]
 requires-python = ">=3.9"
-dependencies = ["packaging>=24.0", "setuptools>=69.5.1"]
+dependencies = ["packaging>=24.0", "setuptools>=77.0.3"]
 classifiers = [
     "Development Status :: 3 - Alpha",
     "Environment :: Console",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: BSD License",
     "Natural Language :: English",
     "Programming Language :: Python",
     "Programming Language :: Python :: 3",

package/dist/node_modules/node-gyp/lib/download.js CHANGED Viewed

@@ -1,5 +1,5 @@
 const { Readable } = require('stream')
-const { EnvHttpProxyAgent } = require('undici')
+const { Agent, EnvHttpProxyAgent, RetryAgent, fetch } = require('undici')
 const { promises: fs } = require('graceful-fs')
 const log = require('./log')
@@ -48,7 +48,7 @@ async function createDispatcher (gyp) {
   const env = process.env
   const hasProxyEnv = env.http_proxy || env.HTTP_PROXY || env.https_proxy || env.HTTPS_PROXY
   if (!gyp.opts.proxy && !gyp.opts.cafile && !hasProxyEnv) {
-    return undefined
+    return new RetryAgent(new Agent(), { maxRetries: 3 })
   }
   const opts = {}
@@ -69,7 +69,7 @@ async function createDispatcher (gyp) {
   if (gyp.opts.noproxy) {
     opts.noProxy = gyp.opts.noproxy
   }
-  return new EnvHttpProxyAgent(opts)
+  return new RetryAgent(new EnvHttpProxyAgent(opts), { maxRetries: 3 })
 }
 async function readCAFile (filename) {

package/dist/node_modules/node-gyp/package.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "bindings",
     "gyp"
   ],
-  "version": "12.3.0",
+  "version": "12.4.0",
   "installVersion": 11,
   "author": "Nathan Rajlich <nathan@tootallnate.net> (http://tootallnate.net)",
   "repository": {

package/dist/node_modules/semver/classes/range.js CHANGED Viewed

@@ -277,6 +277,11 @@ const parseComparator = (comp, options) => {
 const isX = id => !id || id.toLowerCase() === 'x' || id === '*'
+const invalidXRangeOrder = (M, m, p) => (
+  (isX(M) && !isX(m)) ||
+  (isX(m) && p && !isX(p))
+)
 // ~, ~> --> * (any, kinda silly)
 // ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0-0
 // ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0-0
@@ -373,10 +378,10 @@ const replaceCaret = (comp, options) => {
       if (M === '0') {
         if (m === '0') {
           ret = `>=${M}.${m}.${p
-          }${z} <${M}.${m}.${+p + 1}-0`
+          } <${M}.${m}.${+p + 1}-0`
         } else {
           ret = `>=${M}.${m}.${p
-          }${z} <${M}.${+m + 1}.0-0`
+          } <${M}.${+m + 1}.0-0`
         }
       } else {
         ret = `>=${M}.${m}.${p
@@ -402,6 +407,10 @@ const replaceXRange = (comp, options) => {
   const r = options.loose ? re[t.XRANGELOOSE] : re[t.XRANGE]
   return comp.replace(r, (ret, gtlt, M, m, p, pr) => {
     debug('xRange', comp, ret, gtlt, M, m, p, pr)
+    if (invalidXRangeOrder(M, m, p)) {
+      return comp
+    }
     const xM = isX(M)
     const xm = xM || isX(m)
     const xp = xm || isX(p)

package/dist/node_modules/semver/classes/semver.js CHANGED Viewed

@@ -6,6 +6,22 @@ const { safeRe: re, t } = require('../internal/re')
 const parseOptions = require('../internal/parse-options')
 const { compareIdentifiers } = require('../internal/identifiers')
+const isPrereleaseIdentifier = (prerelease, identifier) => {
+  const identifiers = identifier.split('.')
+  if (identifiers.length > prerelease.length) {
+    return false
+  }
+  for (let i = 0; i < identifiers.length; i++) {
+    if (compareIdentifiers(prerelease[i], identifiers[i]) !== 0) {
+      return false
+    }
+  }
+  return true
+}
 class SemVer {
   constructor (version, options) {
     options = parseOptions(options)
@@ -309,8 +325,9 @@ class SemVer {
           if (identifierBase === false) {
             prerelease = [identifier]
           }
-          if (compareIdentifiers(this.prerelease[0], identifier) === 0) {
-            if (isNaN(this.prerelease[1])) {
+          if (isPrereleaseIdentifier(this.prerelease, identifier)) {
+            const prereleaseBase = this.prerelease[identifier.split('.').length]
+            if (isNaN(prereleaseBase)) {
               this.prerelease = prerelease
             }
           } else {

package/dist/node_modules/semver/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "semver",
-  "version": "7.8.1",
+  "version": "7.8.4",
   "description": "The semantic version parser used by npm.",
   "main": "index.js",
   "scripts": {
@@ -14,7 +14,7 @@
     "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\""
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/eslint-config": "^7.0.0",
     "@npmcli/template-oss": "5.0.0",
     "benchmark": "^2.1.4",
     "tap": "^16.0.0"

package/dist/node_modules/tar/dist/commonjs/header.js CHANGED Viewed

@@ -78,22 +78,45 @@ class Header {
         if (!buf || !(buf.length >= off + 512)) {
             throw new Error('need 512 bytes for header');
         }
-        this.path = ex?.path ?? decString(buf, off, 100);
-        this.mode = ex?.mode ?? gex?.mode ?? decNumber(buf, off + 100, 8);
-        this.uid = ex?.uid ?? gex?.uid ?? decNumber(buf, off + 108, 8);
-        this.gid = ex?.gid ?? gex?.gid ?? decNumber(buf, off + 116, 8);
-        this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);
-        this.mtime = ex?.mtime ?? gex?.mtime ?? decDate(buf, off + 136, 12);
+        // Decode the typeflag (independent of any pending PAX/GNU extended header)
+        // up front so we can tell whether THIS block is itself an intermediary
+        // extension header (PAX `x`/`g`, GNU long-name `L`, GNU long-link `K`).
+        // Per POSIX pax, a PAX extended header describes the *next file entry*, not
+        // the extension headers that may sit between it and that file. Applying the
+        // pending PAX overrides (notably `size`) to an intervening `L`/`K`/`x`/`g`
+        // header desynchronizes the stream relative to other tar implementations
+        // and enables tar interpretation-conflict / file-smuggling attacks.
+        const t = decString(buf, off + 156, 1);
+        const isNormalFS = types.normalFsTypes.has(t);
+        const exForFields = isNormalFS ? ex : undefined;
+        const gexForFields = isNormalFS ? gex : undefined;
+        this.path = exForFields?.path ?? decString(buf, off, 100);
+        this.mode =
+            exForFields?.mode ??
+                gexForFields?.mode ??
+                decNumber(buf, off + 100, 8);
+        this.uid =
+            exForFields?.uid ?? gexForFields?.uid ?? decNumber(buf, off + 108, 8);
+        this.gid =
+            exForFields?.gid ?? gexForFields?.gid ?? decNumber(buf, off + 116, 8);
+        this.size =
+            exForFields?.size ??
+                gexForFields?.size ??
+                decNumber(buf, off + 124, 12);
+        this.mtime =
+            exForFields?.mtime ??
+                gexForFields?.mtime ??
+                decDate(buf, off + 136, 12);
         this.cksum = decNumber(buf, off + 148, 12);
         // if we have extended or global extended headers, apply them now
         // See https://github.com/npm/node-tar/pull/187
-        // Apply global before local, so it overrides
-        if (gex)
-            this.#slurp(gex, true);
-        if (ex)
-            this.#slurp(ex);
+        // Apply global before local, so it overrides. Never slurp the pending
+        // extended-header fields onto an intermediary extension header.
+        if (gexForFields)
+            this.#slurp(gexForFields, true);
+        if (exForFields)
+            this.#slurp(exForFields);
         // old tar versions marked dirs as a file with a trailing /
-        const t = decString(buf, off + 156, 1);
         if (types.isCode(t)) {
             this.#type = t || '0';
         }
@@ -111,12 +134,24 @@ class Header {
         this.linkpath = decString(buf, off + 157, 100);
         if (buf.subarray(off + 257, off + 265).toString() === 'ustar\u000000') {
             /* c8 ignore start */
-            this.uname = ex?.uname ?? gex?.uname ?? decString(buf, off + 265, 32);
-            this.gname = ex?.gname ?? gex?.gname ?? decString(buf, off + 297, 32);
+            this.uname =
+                exForFields?.uname ??
+                    gexForFields?.uname ??
+                    decString(buf, off + 265, 32);
+            this.gname =
+                exForFields?.gname ??
+                    gexForFields?.gname ??
+                    decString(buf, off + 297, 32);
             this.devmaj =
-                ex?.devmaj ?? gex?.devmaj ?? decNumber(buf, off + 329, 8) ?? 0;
+                exForFields?.devmaj ??
+                    gexForFields?.devmaj ??
+                    decNumber(buf, off + 329, 8) ??
+                    0;
             this.devmin =
-                ex?.devmin ?? gex?.devmin ?? decNumber(buf, off + 337, 8) ?? 0;
+                exForFields?.devmin ??
+                    gexForFields?.devmin ??
+                    decNumber(buf, off + 337, 8) ??
+                    0;
             /* c8 ignore stop */
             if (buf[off + 475] !== 0) {
                 // definitely a prefix, definitely >130 chars.