@metamask/snaps-controllers
Comparing version 3.5.1 to 3.6.0
@@ -9,2 +9,13 @@ # Changelog | ||
## [3.6.0] | ||
### Changed | ||
- Revert usage of `DecompressionStream` ([#2052](https://github.com/MetaMask/snaps/pull/2052)) | ||
- Refactor `NpmLocation` class ([#2038](https://github.com/MetaMask/snaps/pull/2038)) | ||
- Most logic is now located in `BaseNpmLocation`, making it easier to extend without duplication. | ||
- Bump several MetaMask dependencies ([#2053](https://github.com/MetaMask/snaps/pull/2053), [#2061](https://github.com/MetaMask/snaps/pull/2061), [#2064](https://github.com/MetaMask/snaps/pull/2064), [#2065](https://github.com/MetaMask/snaps/pull/2065), [#2067](https://github.com/MetaMask/snaps/pull/2067)) | ||
### Removed | ||
- Remove support for object-like syntax for cronjobs ([#2057](https://github.com/MetaMask/snaps/pull/2057)) | ||
- Since this never worked in the first place we aren't marking it as breaking. | ||
## [3.5.1] | ||
@@ -145,3 +156,4 @@ ### Changed | ||
[Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...HEAD | ||
[Unreleased]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.6.0...HEAD | ||
[3.6.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.1...@metamask/snaps-controllers@3.6.0 | ||
[3.5.1]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.5.0...@metamask/snaps-controllers@3.5.1 | ||
@@ -148,0 +160,0 @@ [3.5.0]: https://github.com/MetaMask/snaps/compare/@metamask/snaps-controllers@3.4.1...@metamask/snaps-controllers@3.5.0 |
@@ -15,2 +15,8 @@ "use strict"; | ||
}, | ||
BaseNpmLocation: function() { | ||
return BaseNpmLocation; | ||
}, | ||
TARBALL_SIZE_SAFETY_LIMIT: function() { | ||
return TARBALL_SIZE_SAFETY_LIMIT; | ||
}, | ||
NpmLocation: function() { | ||
@@ -21,2 +27,5 @@ return NpmLocation; | ||
return fetchNpmMetadata; | ||
}, | ||
getNpmCanonicalBasePath: function() { | ||
return getNpmCanonicalBasePath; | ||
} | ||
@@ -37,2 +46,37 @@ }); | ||
} | ||
function _class_apply_descriptor_get(receiver, descriptor) { | ||
if (descriptor.get) { | ||
return descriptor.get.call(receiver); | ||
} | ||
return descriptor.value; | ||
} | ||
function _class_apply_descriptor_set(receiver, descriptor, value) { | ||
if (descriptor.set) { | ||
descriptor.set.call(receiver, value); | ||
} else { | ||
if (!descriptor.writable) { | ||
throw new TypeError("attempted to set read only private field"); | ||
} | ||
descriptor.value = value; | ||
} | ||
} | ||
function _class_extract_field_descriptor(receiver, privateMap, action) { | ||
if (!privateMap.has(receiver)) { | ||
throw new TypeError("attempted to " + action + " private field on non-instance"); | ||
} | ||
return privateMap.get(receiver); | ||
} | ||
function _class_private_field_get(receiver, privateMap) { | ||
var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get"); | ||
return _class_apply_descriptor_get(receiver, descriptor); | ||
} | ||
function _class_private_field_init(obj, privateMap, value) { | ||
_check_private_redeclaration(obj, privateMap); | ||
privateMap.set(obj, value); | ||
} | ||
function _class_private_field_set(receiver, privateMap, value) { | ||
var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set"); | ||
_class_apply_descriptor_set(receiver, descriptor, value); | ||
return value; | ||
} | ||
function _class_private_method_get(receiver, privateSet, fn) { | ||
@@ -67,7 +111,7 @@ if (!privateSet.has(receiver)) { | ||
const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org'); | ||
var _lazyInit = /*#__PURE__*/ new WeakSet(); | ||
class NpmLocation { | ||
var _validatedManifest = /*#__PURE__*/ new WeakMap(), _files = /*#__PURE__*/ new WeakMap(), _lazyInit = /*#__PURE__*/ new WeakSet(); | ||
class BaseNpmLocation { | ||
async manifest() { | ||
if (this.validatedManifest) { | ||
return this.validatedManifest.clone(); | ||
if (_class_private_field_get(this, _validatedManifest)) { | ||
return _class_private_field_get(this, _validatedManifest).clone(); | ||
} | ||
@@ -77,3 +121,3 @@ const vfile = await this.fetch('snap.manifest.json'); | ||
vfile.result = (0, _snapsutils.createSnapManifest)(result); | ||
this.validatedManifest = vfile; | ||
_class_private_field_set(this, _validatedManifest, vfile); | ||
return this.manifest(); | ||
@@ -83,7 +127,7 @@ } | ||
const relativePath = (0, _snapsutils.normalizeRelative)(path); | ||
if (!this.files) { | ||
if (!_class_private_field_get(this, _files)) { | ||
await _class_private_method_get(this, _lazyInit, lazyInit).call(this); | ||
(0, _utils.assert)(this.files !== undefined); | ||
(0, _utils.assert)(_class_private_field_get(this, _files) !== undefined); | ||
} | ||
const vfile = this.files.get(relativePath); | ||
const vfile = _class_private_field_get(this, _files).get(relativePath); | ||
(0, _utils.assert)(vfile !== undefined, new TypeError(`File "${path}" not found in package.`)); | ||
@@ -108,4 +152,10 @@ return vfile.clone(); | ||
_define_property(this, "meta", void 0); | ||
_define_property(this, "validatedManifest", void 0); | ||
_define_property(this, "files", void 0); | ||
_class_private_field_init(this, _validatedManifest, { | ||
writable: true, | ||
value: void 0 | ||
}); | ||
_class_private_field_init(this, _files, { | ||
writable: true, | ||
value: void 0 | ||
}); | ||
const allowCustomRegistries = opts.allowCustomRegistries ?? false; | ||
@@ -149,39 +199,47 @@ const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis); | ||
async function lazyInit() { | ||
(0, _utils.assert)(this.files === undefined); | ||
(0, _utils.assert)(_class_private_field_get(this, _files) === undefined); | ||
const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange); | ||
const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch); | ||
this.meta.version = actualVersion; | ||
let canonicalBase = 'npm://'; | ||
if (this.meta.registry.username !== '') { | ||
canonicalBase += this.meta.registry.username; | ||
if (this.meta.registry.password !== '') { | ||
canonicalBase += `:${this.meta.registry.password}`; | ||
const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch); | ||
if (!(0, _snapsutils.isValidUrl)(tarballURL) || !tarballURL.toString().endsWith('.tgz')) { | ||
throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`); | ||
} | ||
// Override the tarball hostname/protocol with registryUrl hostname/protocol | ||
const newTarballUrl = new URL(tarballURL); | ||
newTarballUrl.hostname = this.meta.registry.hostname; | ||
newTarballUrl.protocol = this.meta.registry.protocol; | ||
const files = await this.fetchNpmTarball(newTarballUrl); | ||
_class_private_field_set(this, _files, files); | ||
this.meta.version = targetVersion; | ||
} | ||
const TARBALL_SIZE_SAFETY_LIMIT = 262144000; | ||
class NpmLocation extends BaseNpmLocation { | ||
/** | ||
* Fetches and unpacks the tarball (`.tgz` file) from the specified URL. | ||
* | ||
* @param tarballUrl - The tarball URL to fetch and unpack. | ||
* @returns A the files for the package tarball. | ||
* @throws If fetching the tarball fails. | ||
*/ async fetchNpmTarball(tarballUrl) { | ||
// Perform a raw fetch because we want the Response object itself. | ||
const tarballResponse = await this.meta.fetch(tarballUrl.toString()); | ||
if (!tarballResponse.ok || !tarballResponse.body) { | ||
throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`); | ||
} | ||
canonicalBase += '@'; | ||
} | ||
canonicalBase += this.meta.registry.host; | ||
// TODO(ritave): Lazily extract files instead of up-front extracting all of them | ||
// We would need to replace tar-stream package because it requires immediate consumption of streams. | ||
await new Promise((resolve, reject)=>{ | ||
this.files = new Map(); | ||
const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files); | ||
// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed | ||
// before we can actually grab any files from it. | ||
// To prevent recursion-based zip bombs, we should not allow recursion here. | ||
// If native decompression stream is available we use that, otherwise fallback to zlib | ||
if ('DecompressionStream' in globalThis) { | ||
const decompressionStream = new DecompressionStream('gzip'); | ||
const decompressedStream = tarballResponse.pipeThrough(decompressionStream); | ||
(0, _readablestream.pipeline)(getNodeStream(decompressedStream), tarballStream, (error)=>{ | ||
error ? reject(error) : resolve(); | ||
// We assume that NPM is a good actor and provides us with a valid `content-length` header. | ||
const tarballSizeString = tarballResponse.headers.get('content-length'); | ||
(0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length'); | ||
const tarballSize = parseInt(tarballSizeString, 10); | ||
(0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit'); | ||
return new Promise((resolve, reject)=>{ | ||
const files = new Map(); | ||
// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed | ||
// before we can actually grab any files from it. | ||
// To prevent recursion-based zip bombs, we should not allow recursion here. | ||
(0, _readablestream.pipeline)(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion | ||
getNodeStream(tarballResponse.body), (0, _browserifyzlib.createGunzip)(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{ | ||
error ? reject(error) : resolve(files); | ||
}); | ||
return; | ||
} | ||
(0, _readablestream.pipeline)(getNodeStream(tarballResponse), (0, _browserifyzlib.createGunzip)(), tarballStream, (error)=>{ | ||
error ? reject(error) : resolve(); | ||
}); | ||
}); | ||
} | ||
} | ||
// Safety limit for tarballs, 250 MB in bytes | ||
const TARBALL_SIZE_SAFETY_LIMIT = 262144000; | ||
async function fetchNpmMetadata(packageName, registryUrl, fetchFunction) { | ||
@@ -203,2 +261,13 @@ const packageResponse = await fetchFunction(new URL(packageName, registryUrl).toString(), { | ||
} | ||
function getNpmCanonicalBasePath(registryUrl, packageName) { | ||
let canonicalBase = 'npm://'; | ||
if (registryUrl.username !== '') { | ||
canonicalBase += registryUrl.username; | ||
if (registryUrl.password !== '') { | ||
canonicalBase += `:${registryUrl.password}`; | ||
} | ||
canonicalBase += '@'; | ||
} | ||
return `${canonicalBase}${registryUrl.host}/${packageName}/`; | ||
} | ||
/** | ||
@@ -248,40 +317,2 @@ * Determine if a registry URL is NPM. | ||
/** | ||
* Fetches the tarball (`.tgz` file) of the specified package and version from | ||
* the public npm registry. | ||
* | ||
* @param packageName - The name of the package whose tarball to fetch. | ||
* @param versionRange - The SemVer range of the package to fetch. The highest | ||
* version satisfying the range will be fetched. | ||
* @param registryUrl - The URL of the npm registry to fetch the tarball from. | ||
* @param fetchFunction - The fetch function to use. Defaults to the global | ||
* {@link fetch}. Useful for Node.js compatibility. | ||
* @returns A tuple of the {@link Response} for the package tarball and the | ||
* actual version of the package. | ||
* @throws If fetching the tarball fails. | ||
*/ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) { | ||
const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction); | ||
if (!(0, _snapsutils.isValidUrl)(tarballURL) || !tarballURL.toString().endsWith('.tgz')) { | ||
throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`); | ||
} | ||
// Override the tarball hostname/protocol with registryUrl hostname/protocol | ||
const newRegistryUrl = new URL(registryUrl); | ||
const newTarballUrl = new URL(tarballURL); | ||
newTarballUrl.hostname = newRegistryUrl.hostname; | ||
newTarballUrl.protocol = newRegistryUrl.protocol; | ||
// Perform a raw fetch because we want the Response object itself. | ||
const tarballResponse = await fetchFunction(newTarballUrl.toString()); | ||
if (!tarballResponse.ok || !tarballResponse.body) { | ||
throw new Error(`Failed to fetch tarball for package "${packageName}".`); | ||
} | ||
// We assume that NPM is a good actor and provides us with a valid `content-length` header. | ||
const tarballSizeString = tarballResponse.headers.get('content-length'); | ||
(0, _utils.assert)(tarballSizeString, 'Snap tarball has invalid content-length'); | ||
const tarballSize = parseInt(tarballSizeString, 10); | ||
(0, _utils.assert)(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit'); | ||
return [ | ||
tarballResponse.body, | ||
targetVersion | ||
]; | ||
} | ||
/** | ||
* The paths of files within npm tarballs appear to always be prefixed with | ||
@@ -288,0 +319,0 @@ * "package/". |
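Review bot: In the `lazyInit` hunk (`@@ -149,39 +199,47 @@`) the tarball URL taken from registry metadata is only partially pinned to the configured registry: `newTarballUrl.hostname` and `newTarballUrl.protocol` are overwritten, but the port is left as the metadata supplied it. When a custom registry is in use (the constructor hunk reads `opts.allowCustomRegistries`), a registry served on a non-default port can therefore steer the tarball fetch to a different port on the same host, which is presumably not what the "override the tarball hostname/protocol" comment intends. Adding `newTarballUrl.port = this.meta.registry.port;` after the protocol assignment completes the override, since an empty `port` resets the URL to the scheme default. The same hunk still carries the `TARBALL_SIZE_SAFETY_LIMIT` constant at its tail after `NpmLocation` (`const TARBALL_SIZE_SAFETY_LIMIT = 262144000;` appears both before and after the class); if the second one is a leftover it should be dropped rather than shadow the exported one.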
@@ -6,2 +6,37 @@ function _check_private_redeclaration(obj, privateCollection) { | ||
} | ||
function _class_apply_descriptor_get(receiver, descriptor) { | ||
if (descriptor.get) { | ||
return descriptor.get.call(receiver); | ||
} | ||
return descriptor.value; | ||
} | ||
function _class_apply_descriptor_set(receiver, descriptor, value) { | ||
if (descriptor.set) { | ||
descriptor.set.call(receiver, value); | ||
} else { | ||
if (!descriptor.writable) { | ||
throw new TypeError("attempted to set read only private field"); | ||
} | ||
descriptor.value = value; | ||
} | ||
} | ||
function _class_extract_field_descriptor(receiver, privateMap, action) { | ||
if (!privateMap.has(receiver)) { | ||
throw new TypeError("attempted to " + action + " private field on non-instance"); | ||
} | ||
return privateMap.get(receiver); | ||
} | ||
function _class_private_field_get(receiver, privateMap) { | ||
var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get"); | ||
return _class_apply_descriptor_get(receiver, descriptor); | ||
} | ||
function _class_private_field_init(obj, privateMap, value) { | ||
_check_private_redeclaration(obj, privateMap); | ||
privateMap.set(obj, value); | ||
} | ||
function _class_private_field_set(receiver, privateMap, value) { | ||
var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set"); | ||
_class_apply_descriptor_set(receiver, descriptor, value); | ||
return value; | ||
} | ||
function _class_private_method_get(receiver, privateSet, fn) { | ||
@@ -39,7 +74,8 @@ if (!privateSet.has(receiver)) { | ||
export const DEFAULT_NPM_REGISTRY = new URL('https://registry.npmjs.org'); | ||
var _lazyInit = /*#__PURE__*/ new WeakSet(); | ||
export class NpmLocation { | ||
var _validatedManifest = /*#__PURE__*/ new WeakMap(), _files = /*#__PURE__*/ new WeakMap(), _lazyInit = /*#__PURE__*/ new WeakSet(); | ||
// Base class for NPM implementation, useful for extending with custom NPM fetching logic | ||
export class BaseNpmLocation { | ||
async manifest() { | ||
if (this.validatedManifest) { | ||
return this.validatedManifest.clone(); | ||
if (_class_private_field_get(this, _validatedManifest)) { | ||
return _class_private_field_get(this, _validatedManifest).clone(); | ||
} | ||
@@ -49,3 +85,3 @@ const vfile = await this.fetch('snap.manifest.json'); | ||
vfile.result = createSnapManifest(result); | ||
this.validatedManifest = vfile; | ||
_class_private_field_set(this, _validatedManifest, vfile); | ||
return this.manifest(); | ||
@@ -55,7 +91,7 @@ } | ||
const relativePath = normalizeRelative(path); | ||
if (!this.files) { | ||
if (!_class_private_field_get(this, _files)) { | ||
await _class_private_method_get(this, _lazyInit, lazyInit).call(this); | ||
assert(this.files !== undefined); | ||
assert(_class_private_field_get(this, _files) !== undefined); | ||
} | ||
const vfile = this.files.get(relativePath); | ||
const vfile = _class_private_field_get(this, _files).get(relativePath); | ||
assert(vfile !== undefined, new TypeError(`File "${path}" not found in package.`)); | ||
@@ -80,4 +116,10 @@ return vfile.clone(); | ||
_define_property(this, "meta", void 0); | ||
_define_property(this, "validatedManifest", void 0); | ||
_define_property(this, "files", void 0); | ||
_class_private_field_init(this, _validatedManifest, { | ||
writable: true, | ||
value: void 0 | ||
}); | ||
_class_private_field_init(this, _files, { | ||
writable: true, | ||
value: void 0 | ||
}); | ||
const allowCustomRegistries = opts.allowCustomRegistries ?? false; | ||
@@ -121,39 +163,49 @@ const fetchFunction = opts.fetch ?? globalThis.fetch.bind(globalThis); | ||
async function lazyInit() { | ||
assert(this.files === undefined); | ||
assert(_class_private_field_get(this, _files) === undefined); | ||
const resolvedVersion = await this.meta.resolveVersion(this.meta.requestedRange); | ||
const [tarballResponse, actualVersion] = await fetchNpmTarball(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch); | ||
this.meta.version = actualVersion; | ||
let canonicalBase = 'npm://'; | ||
if (this.meta.registry.username !== '') { | ||
canonicalBase += this.meta.registry.username; | ||
if (this.meta.registry.password !== '') { | ||
canonicalBase += `:${this.meta.registry.password}`; | ||
const { tarballURL, targetVersion } = await resolveNpmVersion(this.meta.packageName, resolvedVersion, this.meta.registry, this.meta.fetch); | ||
if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) { | ||
throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${this.meta.packageName}".`); | ||
} | ||
// Override the tarball hostname/protocol with registryUrl hostname/protocol | ||
const newTarballUrl = new URL(tarballURL); | ||
newTarballUrl.hostname = this.meta.registry.hostname; | ||
newTarballUrl.protocol = this.meta.registry.protocol; | ||
const files = await this.fetchNpmTarball(newTarballUrl); | ||
_class_private_field_set(this, _files, files); | ||
this.meta.version = targetVersion; | ||
} | ||
// Safety limit for tarballs, 250 MB in bytes | ||
export const TARBALL_SIZE_SAFETY_LIMIT = 262144000; | ||
// Main NPM implementation, contains a browser tarball fetching implementation. | ||
export class NpmLocation extends BaseNpmLocation { | ||
/** | ||
* Fetches and unpacks the tarball (`.tgz` file) from the specified URL. | ||
* | ||
* @param tarballUrl - The tarball URL to fetch and unpack. | ||
* @returns A the files for the package tarball. | ||
* @throws If fetching the tarball fails. | ||
*/ async fetchNpmTarball(tarballUrl) { | ||
// Perform a raw fetch because we want the Response object itself. | ||
const tarballResponse = await this.meta.fetch(tarballUrl.toString()); | ||
if (!tarballResponse.ok || !tarballResponse.body) { | ||
throw new Error(`Failed to fetch tarball for package "${this.meta.packageName}".`); | ||
} | ||
canonicalBase += '@'; | ||
} | ||
canonicalBase += this.meta.registry.host; | ||
// TODO(ritave): Lazily extract files instead of up-front extracting all of them | ||
// We would need to replace tar-stream package because it requires immediate consumption of streams. | ||
await new Promise((resolve, reject)=>{ | ||
this.files = new Map(); | ||
const tarballStream = createTarballStream(`${canonicalBase}/${this.meta.packageName}/`, this.files); | ||
// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed | ||
// before we can actually grab any files from it. | ||
// To prevent recursion-based zip bombs, we should not allow recursion here. | ||
// If native decompression stream is available we use that, otherwise fallback to zlib | ||
if ('DecompressionStream' in globalThis) { | ||
const decompressionStream = new DecompressionStream('gzip'); | ||
const decompressedStream = tarballResponse.pipeThrough(decompressionStream); | ||
pipeline(getNodeStream(decompressedStream), tarballStream, (error)=>{ | ||
error ? reject(error) : resolve(); | ||
// We assume that NPM is a good actor and provides us with a valid `content-length` header. | ||
const tarballSizeString = tarballResponse.headers.get('content-length'); | ||
assert(tarballSizeString, 'Snap tarball has invalid content-length'); | ||
const tarballSize = parseInt(tarballSizeString, 10); | ||
assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit'); | ||
return new Promise((resolve, reject)=>{ | ||
const files = new Map(); | ||
// The "gz" in "tgz" stands for "gzip". The tarball needs to be decompressed | ||
// before we can actually grab any files from it. | ||
// To prevent recursion-based zip bombs, we should not allow recursion here. | ||
pipeline(// eslint-disable-next-line @typescript-eslint/no-non-null-assertion | ||
getNodeStream(tarballResponse.body), createGunzip(), createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{ | ||
error ? reject(error) : resolve(files); | ||
}); | ||
return; | ||
} | ||
pipeline(getNodeStream(tarballResponse), createGunzip(), tarballStream, (error)=>{ | ||
error ? reject(error) : resolve(); | ||
}); | ||
}); | ||
} | ||
} | ||
// Safety limit for tarballs, 250 MB in bytes | ||
const TARBALL_SIZE_SAFETY_LIMIT = 262144000; | ||
/** | ||
@@ -186,2 +238,19 @@ * Fetches the NPM metadata of the specified package from | ||
/** | ||
* Gets the canonical base path for an NPM snap. | ||
* | ||
* @param registryUrl - A registry URL. | ||
* @param packageName - A package name. | ||
* @returns The canonical base path. | ||
*/ export function getNpmCanonicalBasePath(registryUrl, packageName) { | ||
let canonicalBase = 'npm://'; | ||
if (registryUrl.username !== '') { | ||
canonicalBase += registryUrl.username; | ||
if (registryUrl.password !== '') { | ||
canonicalBase += `:${registryUrl.password}`; | ||
} | ||
canonicalBase += '@'; | ||
} | ||
return `${canonicalBase}${registryUrl.host}/${packageName}/`; | ||
} | ||
/** | ||
* Determine if a registry URL is NPM. | ||
@@ -230,40 +299,2 @@ * | ||
/** | ||
* Fetches the tarball (`.tgz` file) of the specified package and version from | ||
* the public npm registry. | ||
* | ||
* @param packageName - The name of the package whose tarball to fetch. | ||
* @param versionRange - The SemVer range of the package to fetch. The highest | ||
* version satisfying the range will be fetched. | ||
* @param registryUrl - The URL of the npm registry to fetch the tarball from. | ||
* @param fetchFunction - The fetch function to use. Defaults to the global | ||
* {@link fetch}. Useful for Node.js compatibility. | ||
* @returns A tuple of the {@link Response} for the package tarball and the | ||
* actual version of the package. | ||
* @throws If fetching the tarball fails. | ||
*/ async function fetchNpmTarball(packageName, versionRange, registryUrl, fetchFunction) { | ||
const { tarballURL, targetVersion } = await resolveNpmVersion(packageName, versionRange, registryUrl, fetchFunction); | ||
if (!isValidUrl(tarballURL) || !tarballURL.toString().endsWith('.tgz')) { | ||
throw new Error(`Failed to find valid tarball URL in NPM metadata for package "${packageName}".`); | ||
} | ||
// Override the tarball hostname/protocol with registryUrl hostname/protocol | ||
const newRegistryUrl = new URL(registryUrl); | ||
const newTarballUrl = new URL(tarballURL); | ||
newTarballUrl.hostname = newRegistryUrl.hostname; | ||
newTarballUrl.protocol = newRegistryUrl.protocol; | ||
// Perform a raw fetch because we want the Response object itself. | ||
const tarballResponse = await fetchFunction(newTarballUrl.toString()); | ||
if (!tarballResponse.ok || !tarballResponse.body) { | ||
throw new Error(`Failed to fetch tarball for package "${packageName}".`); | ||
} | ||
// We assume that NPM is a good actor and provides us with a valid `content-length` header. | ||
const tarballSizeString = tarballResponse.headers.get('content-length'); | ||
assert(tarballSizeString, 'Snap tarball has invalid content-length'); | ||
const tarballSize = parseInt(tarballSizeString, 10); | ||
assert(tarballSize <= TARBALL_SIZE_SAFETY_LIMIT, 'Snap tarball exceeds size limit'); | ||
return [ | ||
tarballResponse.body, | ||
targetVersion | ||
]; | ||
} | ||
/** | ||
* The paths of files within npm tarballs appear to always be prefixed with | ||
@@ -270,0 +301,0 @@ * "package/". |
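Review bot: The size guard in `NpmLocation.fetchNpmTarball` (hunk `@@ -121,39 +163,49 @@`) bounds only the compressed byte count, via `content-length`, while the gunzip output and every extracted entry are buffered in memory in the `files` Map that `createTarballStream` fills. The comment about recursion-based zip bombs covers nested archives, not a single gzip stream whose inflated size far exceeds the 250 MB limit, and with `allowCustomRegistries` the "NPM is a good actor" assumption in the same hunk no longer necessarily holds. A byte-counting transform between `createGunzip()` and `createTarballStream(...)` would enforce the limit on inflated data as well; `Transform` would come from the same stream module that supplies `pipeline`, whose import is outside this hunk. The content-length assertion can stay as a cheap early reject.
```javascript
    return new Promise((resolve, reject)=>{
        const files = new Map();
        let inflated = 0;
        // content-length only bounds the gzip'd bytes; cap the inflated size too,
        // since the whole archive is held in memory in `files`.
        const sizeGuard = new Transform({
            transform(chunk, _encoding, callback) {
                inflated += chunk.length;
                if (inflated > TARBALL_SIZE_SAFETY_LIMIT) {
                    callback(new Error('Snap tarball exceeds size limit'));
                    return;
                }
                callback(null, chunk);
            }
        });
        // … unchanged: zip-bomb comment …
        pipeline(getNodeStream(tarballResponse.body), createGunzip(), sizeGuard, createTarballStream(getNpmCanonicalBasePath(this.meta.registry, this.meta.packageName), files), (error)=>{
            error ? reject(error) : resolve(files);
        });
    });
```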
@@ -6,2 +6,10 @@ import type { SnapManifest } from '@metamask/snaps-utils'; | ||
export declare const DEFAULT_NPM_REGISTRY: URL; | ||
interface NpmMeta { | ||
registry: URL; | ||
packageName: string; | ||
requestedRange: SemVerRange; | ||
version?: string; | ||
fetch: typeof fetch; | ||
resolveVersion: (range: SemVerRange) => Promise<SemVerRange>; | ||
} | ||
export interface NpmOptions { | ||
@@ -19,7 +27,5 @@ /** | ||
} | ||
export declare class NpmLocation implements SnapLocation { | ||
export declare abstract class BaseNpmLocation implements SnapLocation { | ||
#private; | ||
private readonly meta; | ||
private validatedManifest?; | ||
private files?; | ||
protected readonly meta: NpmMeta; | ||
constructor(url: URL, opts?: DetectSnapLocationOptions); | ||
@@ -32,3 +38,22 @@ manifest(): Promise<VirtualFile<SnapManifest>>; | ||
get versionRange(): SemVerRange; | ||
/** | ||
* Fetches and unpacks the tarball (`.tgz` file) from the specified URL. | ||
* | ||
* @param tarballUrl - The tarball URL to fetch and unpack. | ||
* @returns A the files for the package tarball. | ||
* @throws If fetching the tarball fails. | ||
*/ | ||
abstract fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile>>; | ||
} | ||
export declare const TARBALL_SIZE_SAFETY_LIMIT = 262144000; | ||
export declare class NpmLocation extends BaseNpmLocation { | ||
/** | ||
* Fetches and unpacks the tarball (`.tgz` file) from the specified URL. | ||
* | ||
* @param tarballUrl - The tarball URL to fetch and unpack. | ||
* @returns A the files for the package tarball. | ||
* @throws If fetching the tarball fails. | ||
*/ | ||
fetchNpmTarball(tarballUrl: URL): Promise<Map<string, VirtualFile<unknown>>>; | ||
} | ||
export declare type PartialNpmMetadata = { | ||
@@ -53,1 +78,10 @@ versions: Record<string, { | ||
export declare function fetchNpmMetadata(packageName: string, registryUrl: URL, fetchFunction: typeof fetch): Promise<PartialNpmMetadata>; | ||
/** | ||
* Gets the canonical base path for an NPM snap. | ||
* | ||
* @param registryUrl - A registry URL. | ||
* @param packageName - A package name. | ||
* @returns The canonical base path. | ||
*/ | ||
export declare function getNpmCanonicalBasePath(registryUrl: URL, packageName: string): string; | ||
export {}; |
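Review bot: The doc comment on the new `abstract fetchNpmTarball(tarballUrl: URL)` in `BaseNpmLocation` does not say what an implementation must guarantee, even though the compiled sources on this page show the `TARBALL_SIZE_SAFETY_LIMIT` check living in the concrete `NpmLocation` override rather than in `lazyInit`, so a subclass that supplies its own fetch gets no size limit unless it re-implements one. I would add to the abstract method's comment: `* Implementations are responsible for bounding what they fetch and unpack (see {@link TARBALL_SIZE_SAFETY_LIMIT}); the base class performs no size check.` The `@returns A the files for the package tarball.` line, duplicated in both declarations, should read `@returns The files for the package tarball.`.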
{ | ||
"name": "@metamask/snaps-controllers", | ||
"version": "3.5.1", | ||
"version": "3.6.0", | ||
"description": "Controllers for MetaMask Snaps.", | ||
@@ -45,14 +45,14 @@ "repository": { | ||
"dependencies": { | ||
"@metamask/approval-controller": "^5.0.0", | ||
"@metamask/approval-controller": "^5.1.1", | ||
"@metamask/base-controller": "^4.0.0", | ||
"@metamask/json-rpc-engine": "^7.3.0", | ||
"@metamask/json-rpc-engine": "^7.3.1", | ||
"@metamask/object-multiplex": "^2.0.0", | ||
"@metamask/permission-controller": "^6.0.0", | ||
"@metamask/phishing-controller": "^8.0.0", | ||
"@metamask/permission-controller": "^7.0.0", | ||
"@metamask/phishing-controller": "^8.0.1", | ||
"@metamask/post-message-stream": "^7.0.0", | ||
"@metamask/rpc-errors": "^6.1.0", | ||
"@metamask/snaps-registry": "^3.0.0", | ||
"@metamask/snaps-rpc-methods": "^4.0.2", | ||
"@metamask/snaps-sdk": "^1.3.0", | ||
"@metamask/snaps-utils": "^5.1.0", | ||
"@metamask/snaps-rpc-methods": "^4.1.0", | ||
"@metamask/snaps-sdk": "^1.3.1", | ||
"@metamask/snaps-utils": "^5.1.1", | ||
"@metamask/utils": "^8.2.1", | ||
@@ -129,3 +129,3 @@ "@xstate/fsm": "^2.0.0", | ||
"peerDependencies": { | ||
"@metamask/snaps-execution-environments": "^3.4.2" | ||
"@metamask/snaps-execution-environments": "^3.4.3" | ||
}, | ||
@@ -132,0 +132,0 @@ "peerDependenciesMeta": { |
- Removed@metamask/controller-utils@6.1.0(transitive)
- Removed@metamask/ethjs-unit@0.2.1(transitive)
- Removed@metamask/permission-controller@6.0.0(transitive)
- Removed@types/bn.js@5.1.6(transitive)
- Removed@types/node@22.5.5(transitive)
- Removed@types/pbkdf2@3.1.2(transitive)
- Removed@types/secp256k1@4.0.6(transitive)
- Removedbase-x@3.0.10(transitive)
- Removedblakejs@1.2.1(transitive)
- Removedbn.js@4.11.64.12.0(transitive)
- Removedbrorand@1.1.0(transitive)
- Removedbrowserify-aes@1.2.0(transitive)
- Removedbs58@4.0.1(transitive)
- Removedbs58check@2.1.2(transitive)
- Removedbuffer-xor@1.0.3(transitive)
- Removedcipher-base@1.0.4(transitive)
- Removedcreate-hash@1.2.0(transitive)
- Removedcreate-hmac@1.1.7(transitive)
- Removedelliptic@6.5.7(transitive)
- Removedethereum-cryptography@0.1.3(transitive)
- Removedethereumjs-util@7.1.5(transitive)
- Removedevp_bytestokey@1.0.3(transitive)
- Removedhash-base@3.1.0(transitive)
- Removedhash.js@1.1.7(transitive)
- Removedhmac-drbg@1.0.1(transitive)
- Removedkeccak@3.0.4(transitive)
- Removedmd5.js@1.3.5(transitive)
- Removedminimalistic-assert@1.0.1(transitive)
- Removedminimalistic-crypto-utils@1.0.1(transitive)
- Removednode-addon-api@2.0.2(transitive)
- Removednode-gyp-build@4.8.2(transitive)
- Removednumber-to-bn@1.7.0(transitive)
- Removedpbkdf2@3.1.2(transitive)
- Removedrandombytes@2.1.0(transitive)
- Removedripemd160@2.0.2(transitive)
- Removedrlp@2.2.7(transitive)
- Removedscrypt-js@3.0.1(transitive)
- Removedsecp256k1@4.0.3(transitive)
- Removedsetimmediate@1.0.5(transitive)
- Removedsha.js@2.4.11(transitive)
- Removedundici-types@6.19.8(transitive)
Updated@metamask/snaps-sdk@^1.3.1
Updated@metamask/snaps-utils@^5.1.1