@metamask/snaps-controllers - npm Package Compare versions

Comparing version 3.5.1 to 3.6.0

CHANGELOG.md

		@@ -9,2 +9,13 @@ # Changelog

		## [3.6.0]
		### Changed
		- Revert usage of `DecompressionStream` ([#2052](https://github.com/MetaMask/snaps/pull/2052))
		- Refactor `NpmLocation` class ([#2038](https://github.com/MetaMask/snaps/pull/2038))
		- Most logic is now located in `BaseNpmLocation`, making it easier to extend without duplication.
		- Bump several MetaMask dependencies ([#2053](https://github.com/MetaMask/snaps/pull/2053), [#2061](https://github.com/MetaMask/snaps/pull/2061), [#2064](https://github.com/MetaMask/snaps/pull/2064), [#2065](https://github.com/MetaMask/snaps/pull/2065), [#2067](https://github.com/MetaMask/snaps/pull/2067))

		### Removed
		- Remove support for object-like syntax for cronjobs ([#2057](https://github.com/MetaMask/snaps/pull/2057))
		- Since this never worked in the first place we aren't marking it as breaking.

		## [3.5.1]
		@@ -145,3 +156,4 @@ ### Changed

		[Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...HEAD
		[Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.6.0...HEAD
		[3.6.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...@metamask/snaps-controllers@3.6.0
		[3.5.1]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.0...@metamask/snaps-controllers@3.5.1
		@@ -148,0 +160,0 @@ [3.5.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.4.1...@metamask/snaps-controllers@3.5.0

191

dist/cjs/snaps/location/npm.js

		@@ -15,2 +15,8 @@ "use strict";
		},
		BaseNpmLocation: function() {
		return BaseNpmLocation;
		},
		TARBALL_SIZE_SAFETY_LIMIT: function() {
		return TARBALL_SIZE_SAFETY_LIMIT;
		},
		NpmLocation: function() {
		@@ -21,2 +27,5 @@ return NpmLocation;
		return fetchNpmMetadata;
		},
		getNpmCanonicalBasePath: function() {
		return getNpmCanonicalBasePath;
		}
		@@ -37,2 +46,37 @@ });
		}
		function _class_apply_descriptor_get(receiver, descriptor) {
		if (descriptor.get) {
		return descriptor.get.call(receiver);
		}
		return descriptor.value;
		}
		function _class_apply_descriptor_set(receiver, descriptor, value) {
		if (descriptor.set) {
		descriptor.set.call(receiver, value);
		} else {
		if (!descriptor.writable) {
		throw new TypeError("attempted to set read only private field");
		}
		descriptor.value = value;
		}
		}
		function _class_extract_field_descriptor(receiver, privateMap, action) {
		if (!privateMap.has(receiver)) {
		throw new TypeError("attempted to " + action + " private field on non-instance");
		}
		return privateMap.get(receiver);
		}
		function _class_private_field_get(receiver, privateMap) {
		var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
		return _class_apply_descriptor_get(receiver, descriptor);
		}
		function _class_private_field_init(obj, privateMap, value) {
		_check_private_redeclaration(obj, privateMap);
		privateMap.set(obj, value);
		}
		function _class_private_field_set(receiver, privateMap, value) {
		var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
		_class_apply_descriptor_set(receiver, descriptor, value);
		return value;
		}
		function _class_private_method_get(receiver, privateSet, fn) {
		@@ -67,7 +111,7 @@ if (!privateSet.has(receiver)) {
		const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');
		var _lazyInit = /#__PURE__/ new WeakSet();
		class NpmLocation {
		var _validatedManifest = /#__PURE__/ new WeakMap(), _files = /#__PURE__/ new WeakMap(), _lazyInit = /#__PURE__/ new WeakSet();
		class BaseNpmLocation {
		async manifest() {
		if (this.validatedManifest) {
		return this.validatedManifest.clone();
		if (_class_private_field_get(this, _validatedManifest)) {
		return _class_private_field_get(this, _validatedManifest).clone();
		}
		@@ -77,3 +121,3 @@ const vfile = await this.fetch('snap.manifest.json');
		vfile.result = (0, _snapsutils.createSnapManifest)(result);
		this.validatedManifest = vfile;
		_class_private_field_set(this, _validatedManifest, vfile);
		return this.manifest();
		@@ -83,7 +127,7 @@ }
		const relativePath = (0, _snapsutils.normalizeRelative)(path);
		if (!this.files) {
		if (!_class_private_field_get(this, _files)) {
		await _class_private_method_get(this, _lazyInit, lazyInit).call(this);
		(0, _utils.assert)(this.files !== undefined);
		(0, _utils.assert)(_class_private_field_get(this, _files) !== undefined);
		}
		const vfile = this.files.get(relativePath);
		const vfile = _class_private_field_get(this, _files).get(relativePath);
		(0, _utils.assert)(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
		@@ -108,4 +152,10 @@ return vfile.clone();
		_define_property(this, "meta", void 0);
		_define_property(this, "validatedManifest", void 0);
		_define_property(this, "files", void 0);
		_class_private_field_init(this, _validatedManifest, {
		writable: true,
		value: void 0
		});
		_class_private_field_init(this, _files, {
		writable: true,
		value: void 0
		});
		const allowCustomRegistries = opts.allowCustomRegistries ?? false;
		@@ -149,39 +199,47 @@ const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
		async function lazyInit() {
		(0, _utils.assert)(this.files === undefined);
		(0, _utils.assert)(_class_private_field_get(this, _files) === undefined);
		const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange);
		const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
		this.meta.version = actualVersion;
		let canonicalBase = 'npm://';
		if (this.meta.registry.username !== '') {
		canonicalBase += this.meta.registry.username;
		if (this.meta.registry.password !== '') {
		canonicalBase += `:${this.meta.registry.password}`;
		const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
		if (!(0, _snapsutils.isValidUrl)(tarballURL) \|\| !tarballURL.toString().endsWith('.tgz')) {
		throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`);
		}
		// Override the tarball hostname/protocol with registryUrl hostname/protocol
		const newTarballUrl = new URL(tarballURL);
		newTarballUrl.hostname = this.meta.registry.hostname;
		newTarballUrl.protocol = this.meta.registry.protocol;
		const files = await this.fetchNpmTarball(newTarballUrl);
		_class_private_field_set(this, _files, files);
		this.meta.version = targetVersion;
		}
		const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
		class NpmLocation extends BaseNpmLocation {
		/**
		* Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
		*
		* @param tarballUrl - The tarball URL to fetch and unpack.
		* @returns A the files for the package tarball.
		* @throws If fetching the tarball fails.
		*/ async fetchNpmTarball(tarballUrl) {
		// Perform a raw fetch because we want the Response object itself.
		const tarballResponse = await this.meta.fetch(tarballUrl.toString());
		if (!tarballResponse.ok \|\| !tarballResponse.body) {
		throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`);
		}
		canonicalBase += '@';
		}
		canonicalBase += this.meta.registry.host;
		// TODO(ritave): Lazily extract files instead of up-front extracting all of them
		// We would need to replace tar-stream package because it requires immediate consumption of streams.
		await new Promise((resolve, reject)=>{
		this.files = new Map();
		const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files);
		// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
		// before we can actually grab any files from it.
		// To prevent recursion-based zip bombs, we should not allow recursion here.
		// If native decompression stream is available we use that, otherwise fallback to zlib
		if ('DecompressionStream' in globalThis) {
		const decompressionStream = new DecompressionStream('gzip');
		const decompressedStream = tarballResponse.pipeThrough(decompressionStream);
		(0, _readablestream.pipeline)(getNodeStream(decompressedStream), tarballStream, (error)=>{
		error ? reject(error) : resolve();
		// We assume that NPM is a good actor and provides us with a valid `content-length` header.
		const tarballSizeString = tarballResponse.headers.get('content-length');
		(0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length');
		const tarballSize = parseInt(tarballSizeString, 10);
		(0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
		return new Promise((resolve, reject)=>{
		const files = new Map();
		// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
		// before we can actually grab any files from it.
		// To prevent recursion-based zip bombs, we should not allow recursion here.
		(0, _readablestream.pipeline)(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
		getNodeStream(tarballResponse.body), (0, _browserifyzlib.createGunzip)(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
		error ? reject(error) : resolve(files);
		});
		return;
		}
		(0, _readablestream.pipeline)(getNodeStream(tarballResponse), (0, _browserifyzlib.createGunzip)(), tarballStream, (error)=>{
		error ? reject(error) : resolve();
		});
		});
		}
		}
		// Safety limit for tarballs, 250 MB in bytes
		const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
		async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) {
		@@ -203,2 +261,13 @@ const packageResponse = await fetchFunction(new URL(packageName, registryUrl).toString(), {
		}
		function getNpmCanonicalBasePath(registryUrl, packageName) {
		let canonicalBase = 'npm://';
		if (registryUrl.username !== '') {
		canonicalBase += registryUrl.username;
		if (registryUrl.password !== '') {
		canonicalBase += `:${registryUrl.password}`;
		}
		canonicalBase += '@';
		}
		return `${canonicalBase}${registryUrl.host}/${packageName}/`;
		}
		/**
		@@ -248,40 +317,2 @@ * Determine if a registry URL is NPM.
		/**
		* Fetches the tarball (`.tgz` file) of the specified package and version from
		* the public npm registry.
		*
		* @param packageName - The name of the package whose tarball to fetch.
		* @param versionRange - The SemVer range of the package to fetch. The highest
		* version satisfying the range will be fetched.
		* @param registryUrl - The URL of the npm registry to fetch the tarball from.
		* @param fetchFunction - The fetch function to use. Defaults to the global
		* {@link fetch}. Useful for Node.js compatibility.
		* @returns A tuple of the {@link Response} for the package tarball and the
		* actual version of the package.
		* @throws If fetching the tarball fails.
		*/ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
		const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction);
		if (!(0, _snapsutils.isValidUrl)(tarballURL) \|\| !tarballURL.toString().endsWith('.tgz')) {
		throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`);
		}
		// Override the tarball hostname/protocol with registryUrl hostname/protocol
		const newRegistryUrl = new URL(registryUrl);
		const newTarballUrl = new URL(tarballURL);
		newTarballUrl.hostname = newRegistryUrl.hostname;
		newTarballUrl.protocol = newRegistryUrl.protocol;
		// Perform a raw fetch because we want the Response object itself.
		const tarballResponse = await fetchFunction(newTarballUrl.toString());
		if (!tarballResponse.ok \|\| !tarballResponse.body) {
		throw new Error(`Failed to fetch tarball for package "${packageName}".`);
		}
		// We assume that NPM is a good actor and provides us with a valid `content-length` header.
		const tarballSizeString = tarballResponse.headers.get('content-length');
		(0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length');
		const tarballSize = parseInt(tarballSizeString, 10);
		(0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
		return [
		tarballResponse.body,
		targetVersion
		];
		}
		/**
		* The paths of files within npm tarballs appear to always be prefixed with
		@@ -288,0 +319,0 @@ * "package/".

191

dist/esm/snaps/location/npm.js

		@@ -6,2 +6,37 @@ function _check_private_redeclaration(obj, privateCollection) {
		}
		function _class_apply_descriptor_get(receiver, descriptor) {
		if (descriptor.get) {
		return descriptor.get.call(receiver);
		}
		return descriptor.value;
		}
		function _class_apply_descriptor_set(receiver, descriptor, value) {
		if (descriptor.set) {
		descriptor.set.call(receiver, value);
		} else {
		if (!descriptor.writable) {
		throw new TypeError("attempted to set read only private field");
		}
		descriptor.value = value;
		}
		}
		function _class_extract_field_descriptor(receiver, privateMap, action) {
		if (!privateMap.has(receiver)) {
		throw new TypeError("attempted to " + action + " private field on non-instance");
		}
		return privateMap.get(receiver);
		}
		function _class_private_field_get(receiver, privateMap) {
		var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
		return _class_apply_descriptor_get(receiver, descriptor);
		}
		function _class_private_field_init(obj, privateMap, value) {
		_check_private_redeclaration(obj, privateMap);
		privateMap.set(obj, value);
		}
		function _class_private_field_set(receiver, privateMap, value) {
		var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
		_class_apply_descriptor_set(receiver, descriptor, value);
		return value;
		}
		function _class_private_method_get(receiver, privateSet, fn) {
		@@ -39,7 +74,8 @@ if (!privateSet.has(receiver)) {
		export const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org');
		var _lazyInit = /#__PURE__/ new WeakSet();
		export class NpmLocation {
		var _validatedManifest = /#__PURE__/ new WeakMap(), _files = /#__PURE__/ new WeakMap(), _lazyInit = /#__PURE__/ new WeakSet();
		// Base class for NPM implementation, useful for extending with custom NPM fetching logic
		export class BaseNpmLocation {
		async manifest() {
		if (this.validatedManifest) {
		return this.validatedManifest.clone();
		if (_class_private_field_get(this, _validatedManifest)) {
		return _class_private_field_get(this, _validatedManifest).clone();
		}
		@@ -49,3 +85,3 @@ const vfile = await this.fetch('snap.manifest.json');
		vfile.result = createSnapManifest(result);
		this.validatedManifest = vfile;
		_class_private_field_set(this, _validatedManifest, vfile);
		return this.manifest();
		@@ -55,7 +91,7 @@ }
		const relativePath = normalizeRelative(path);
		if (!this.files) {
		if (!_class_private_field_get(this, _files)) {
		await _class_private_method_get(this, _lazyInit, lazyInit).call(this);
		assert(this.files !== undefined);
		assert(_class_private_field_get(this, _files) !== undefined);
		}
		const vfile = this.files.get(relativePath);
		const vfile = _class_private_field_get(this, _files).get(relativePath);
		assert(vfile !== undefined, new TypeError(`File "${path}" not found in package.`));
		@@ -80,4 +116,10 @@ return vfile.clone();
		_define_property(this, "meta", void 0);
		_define_property(this, "validatedManifest", void 0);
		_define_property(this, "files", void 0);
		_class_private_field_init(this, _validatedManifest, {
		writable: true,
		value: void 0
		});
		_class_private_field_init(this, _files, {
		writable: true,
		value: void 0
		});
		const allowCustomRegistries = opts.allowCustomRegistries ?? false;
		@@ -121,39 +163,49 @@ const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis);
		async function lazyInit() {
		assert(this.files === undefined);
		assert(_class_private_field_get(this, _files) === undefined);
		const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange);
		const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
		this.meta.version = actualVersion;
		let canonicalBase = 'npm://';
		if (this.meta.registry.username !== '') {
		canonicalBase += this.meta.registry.username;
		if (this.meta.registry.password !== '') {
		canonicalBase += `:${this.meta.registry.password}`;
		const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch);
		if (!isValidUrl(tarballURL) \|\| !tarballURL.toString().endsWith('.tgz')) {
		throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`);
		}
		// Override the tarball hostname/protocol with registryUrl hostname/protocol
		const newTarballUrl = new URL(tarballURL);
		newTarballUrl.hostname = this.meta.registry.hostname;
		newTarballUrl.protocol = this.meta.registry.protocol;
		const files = await this.fetchNpmTarball(newTarballUrl);
		_class_private_field_set(this, _files, files);
		this.meta.version = targetVersion;
		}
		// Safety limit for tarballs, 250 MB in bytes
		export const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
		// Main NPM implementation, contains a browser tarball fetching implementation.
		export class NpmLocation extends BaseNpmLocation {
		/**
		* Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
		*
		* @param tarballUrl - The tarball URL to fetch and unpack.
		* @returns A the files for the package tarball.
		* @throws If fetching the tarball fails.
		*/ async fetchNpmTarball(tarballUrl) {
		// Perform a raw fetch because we want the Response object itself.
		const tarballResponse = await this.meta.fetch(tarballUrl.toString());
		if (!tarballResponse.ok \|\| !tarballResponse.body) {
		throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`);
		}
		canonicalBase += '@';
		}
		canonicalBase += this.meta.registry.host;
		// TODO(ritave): Lazily extract files instead of up-front extracting all of them
		// We would need to replace tar-stream package because it requires immediate consumption of streams.
		await new Promise((resolve, reject)=>{
		this.files = new Map();
		const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files);
		// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
		// before we can actually grab any files from it.
		// To prevent recursion-based zip bombs, we should not allow recursion here.
		// If native decompression stream is available we use that, otherwise fallback to zlib
		if ('DecompressionStream' in globalThis) {
		const decompressionStream = new DecompressionStream('gzip');
		const decompressedStream = tarballResponse.pipeThrough(decompressionStream);
		pipeline(getNodeStream(decompressedStream), tarballStream, (error)=>{
		error ? reject(error) : resolve();
		// We assume that NPM is a good actor and provides us with a valid `content-length` header.
		const tarballSizeString = tarballResponse.headers.get('content-length');
		assert(tarballSizeString, 'Snap tarball has invalid content-length');
		const tarballSize = parseInt(tarballSizeString, 10);
		assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
		return new Promise((resolve, reject)=>{
		const files = new Map();
		// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed
		// before we can actually grab any files from it.
		// To prevent recursion-based zip bombs, we should not allow recursion here.
		pipeline(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
		getNodeStream(tarballResponse.body), createGunzip(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
		error ? reject(error) : resolve(files);
		});
		return;
		}
		pipeline(getNodeStream(tarballResponse), createGunzip(), tarballStream, (error)=>{
		error ? reject(error) : resolve();
		});
		});
		}
		}
		// Safety limit for tarballs, 250 MB in bytes
		const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
		/**
		@@ -186,2 +238,19 @@ * Fetches the NPM metadata of the specified package from
		/**
		* Gets the canonical base path for an NPM snap.
		*
		* @param registryUrl - A registry URL.
		* @param packageName - A package name.
		* @returns The canonical base path.
		*/ export function getNpmCanonicalBasePath(registryUrl, packageName) {
		let canonicalBase = 'npm://';
		if (registryUrl.username !== '') {
		canonicalBase += registryUrl.username;
		if (registryUrl.password !== '') {
		canonicalBase += `:${registryUrl.password}`;
		}
		canonicalBase += '@';
		}
		return `${canonicalBase}${registryUrl.host}/${packageName}/`;
		}
		/**
		* Determine if a registry URL is NPM.
		@@ -230,40 +299,2 @@ *
		/**
		* Fetches the tarball (`.tgz` file) of the specified package and version from
		* the public npm registry.
		*
		* @param packageName - The name of the package whose tarball to fetch.
		* @param versionRange - The SemVer range of the package to fetch. The highest
		* version satisfying the range will be fetched.
		* @param registryUrl - The URL of the npm registry to fetch the tarball from.
		* @param fetchFunction - The fetch function to use. Defaults to the global
		* {@link fetch}. Useful for Node.js compatibility.
		* @returns A tuple of the {@link Response} for the package tarball and the
		* actual version of the package.
		* @throws If fetching the tarball fails.
		*/ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) {
		const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction);
		if (!isValidUrl(tarballURL) \|\| !tarballURL.toString().endsWith('.tgz')) {
		throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`);
		}
		// Override the tarball hostname/protocol with registryUrl hostname/protocol
		const newRegistryUrl = new URL(registryUrl);
		const newTarballUrl = new URL(tarballURL);
		newTarballUrl.hostname = newRegistryUrl.hostname;
		newTarballUrl.protocol = newRegistryUrl.protocol;
		// Perform a raw fetch because we want the Response object itself.
		const tarballResponse = await fetchFunction(newTarballUrl.toString());
		if (!tarballResponse.ok \|\| !tarballResponse.body) {
		throw new Error(`Failed to fetch tarball for package "${packageName}".`);
		}
		// We assume that NPM is a good actor and provides us with a valid `content-length` header.
		const tarballSizeString = tarballResponse.headers.get('content-length');
		assert(tarballSizeString, 'Snap tarball has invalid content-length');
		const tarballSize = parseInt(tarballSizeString, 10);
		assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit');
		return [
		tarballResponse.body,
		targetVersion
		];
		}
		/**
		* The paths of files within npm tarballs appear to always be prefixed with
		@@ -270,0 +301,0 @@ * "package/".

dist/types/snaps/location/npm.d.ts

		@@ -6,2 +6,10 @@ import type { SnapManifest } from '@metamask/snaps-utils';
		export declare const DEFAULT_NPM_REGISTRY: URL;
		interface NpmMeta {
		registry: URL;
		packageName: string;
		requestedRange: SemVerRange;
		version?: string;
		fetch: typeof fetch;
		resolveVersion: (range: SemVerRange) => Promise<SemVerRange>;
		}
		export interface NpmOptions {
		@@ -19,7 +27,5 @@ /**
		}
		export declare class NpmLocation implements SnapLocation {
		export declare abstract class BaseNpmLocation implements SnapLocation {
		#private;
		private readonly meta;
		private validatedManifest?;
		private files?;
		protected readonly meta: NpmMeta;
		constructor(url: URL, opts?: DetectSnapLocationOptions);
		@@ -32,3 +38,22 @@ manifest(): Promise<VirtualFile<SnapManifest>>;
		get versionRange(): SemVerRange;
		/**
		* Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
		*
		* @param tarballUrl - The tarball URL to fetch and unpack.
		* @returns A the files for the package tarball.
		* @throws If fetching the tarball fails.
		*/
		abstract fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile>>;
		}
		export declare const TARBALL_SIZE_SAFETY_LIMIT = 262144000;
		export declare class NpmLocation extends BaseNpmLocation {
		/**
		* Fetches and unpacks the tarball (`.tgz` file) from the specified URL.
		*
		* @param tarballUrl - The tarball URL to fetch and unpack.
		* @returns A the files for the package tarball.
		* @throws If fetching the tarball fails.
		*/
		fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile<unknown>>>;
		}
		export declare type PartialNpmMetadata = {
		@@ -53,1 +78,10 @@ versions: Record<string, {
		export declare function fetchNpmMetadata(packageName: string, registryUrl: URL, fetchFunction: typeof fetch): Promise<PartialNpmMetadata>;
		/**
		* Gets the canonical base path for an NPM snap.
		*
		* @param registryUrl - A registry URL.
		* @param packageName - A package name.
		* @returns The canonical base path.
		*/
		export declare function getNpmCanonicalBasePath(registryUrl: URL, packageName: string): string;
		export {};

package.json

		{
		"name": "@metamask/snaps-controllers",
		"version": "3.5.1",
		"version": "3.6.0",
		"description": "Controllers for MetaMask Snaps.",
		@@ -45,14 +45,14 @@ "repository": {
		"dependencies": {
		"@metamask/approval-controller": "^5.0.0",
		"@metamask/approval-controller": "^5.1.1",
		"@metamask/base-controller": "^4.0.0",
		"@metamask/json-rpc-engine": "^7.3.0",
		"@metamask/json-rpc-engine": "^7.3.1",
		"@metamask/object-multiplex": "^2.0.0",
		"@metamask/permission-controller": "^6.0.0",
		"@metamask/phishing-controller": "^8.0.0",
		"@metamask/permission-controller": "^7.0.0",
		"@metamask/phishing-controller": "^8.0.1",
		"@metamask/post-message-stream": "^7.0.0",
		"@metamask/rpc-errors": "^6.1.0",
		"@metamask/snaps-registry": "^3.0.0",
		"@metamask/snaps-rpc-methods": "^4.0.2",
		"@metamask/snaps-sdk": "^1.3.0",
		"@metamask/snaps-utils": "^5.1.0",
		"@metamask/snaps-rpc-methods": "^4.1.0",
		"@metamask/snaps-sdk": "^1.3.1",
		"@metamask/snaps-utils": "^5.1.1",
		"@metamask/utils": "^8.2.1",
		@@ -129,3 +129,3 @@ "@xstate/fsm": "^2.0.0",
		"peerDependencies": {
		"@metamask/snaps-execution-environments": "^3.4.2"
		"@metamask/snaps-execution-environments": "^3.4.3"
		},
		@@ -132,0 +132,0 @@ "peerDependenciesMeta": {

dist/cjs/snaps/location/npm.js.map

Sorry, the diff of this file is not supported yet

dist/esm/snaps/location/npm.js.map

Sorry, the diff of this file is not supported yet

@metamask/snaps-controllers - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Dependency changes