libnpmpublish - npm Package Compare versions

Comparing version 7.1.4 to 7.2.0

lib/publish.js

@@ -45,6 +45,12 @@ const { fixer } = require('normalize-package-data')
 
-  const metadata = await buildMetadata(reg, pubManifest, tarballData, spec, opts)
+  const { metadata, transparencyLogUrl } = await buildMetadata(
+    reg,
+    pubManifest,
+    tarballData,
+    spec,
+    opts
+  )
 
   try {
-    return await npmFetch(spec.escapedName, {
+    const res = await npmFetch(spec.escapedName, {
       ...opts,
@@ -55,2 +61,6 @@ method: 'PUT',
     })
+    if (transparencyLogUrl) {
+      res.transparencyLogUrl = transparencyLogUrl
+    }
+    return res
   } catch (err) {
@@ -69,3 +79,3 @@ if (err.code !== 'E409') {
     const newMetadata = patchMetadata(current, metadata)
-    return npmFetch(spec.escapedName, {
+    const res = await npmFetch(spec.escapedName, {
       ...opts,
@@ -76,2 +86,7 @@ method: 'PUT',
     })
+    /* istanbul ignore next */
+    if (transparencyLogUrl) {
+      res.transparencyLogUrl = transparencyLogUrl
+    }
+    return res
   }
@@ -145,2 +160,3 @@ }
   // Handle case where --provenance flag was set to true
+  let transparencyLogUrl
   if (provenance === true) {
@@ -169,4 +185,19 @@ const subject = {
 
-    const visibility =
-      await npmFetch.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
+    // Some registries (e.g. GH packages) require auth to check visibility,
+    // and always return 404 when no auth is supplied. In this case we assume
+    // the package is always private and require `--access public` to publish
+    // with provenance.
+    let visibility = { public: false }
+    if (opts.provenance === true && opts.access !== 'public') {
+      try {
+        const res = await npmFetch
+          .json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
+        visibility = res
+      } catch (err) {
+        if (err.code !== 'E404') {
+          throw err
+        }
+      }
+    }
+
     if (!visibility.public && opts.provenance === true && opts.access !== 'public') {
@@ -187,4 +218,7 @@ throw Object.assign(
     if (tlogEntry) {
-      const logUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
-      log.notice('publish', `Provenance statement published to transparency log: ${logUrl}`)
+      transparencyLogUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
+      log.notice(
+        'publish',
+        `Provenance statement published to transparency log: ${transparencyLogUrl}`
+      )
     }
@@ -200,3 +234,6 @@
 
-  return root
+  return {
+    metadata: root,
+    transparencyLogUrl,
+  }
 }
@@ -203,0 +240,0 @@

package.json

 {
   "name": "libnpmpublish",
-  "version": "7.1.4",
+  "version": "7.2.0",
   "description": "Programmatic API for the bits behind npm publish and unpublish",
@@ -5,0 +5,0 @@ "author": "GitHub Inc.",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

20323

increased by4.68%

Lines of code

417

increased by9.45%

No dependency changes