npm-registry-client
Comparing version 8.2.0 to 8.3.0
@@ -5,3 +5,2 @@ module.exports = publish | ||
var semver = require('semver') | ||
var crypto = require('crypto') | ||
var Stream = require('stream').Stream | ||
@@ -11,2 +10,3 @@ var assert = require('assert') | ||
var concat = require('concat-stream') | ||
var ssri = require('ssri') | ||
@@ -89,6 +89,12 @@ function escaped (name) { | ||
var tbURI = data.name + '/-/' + tbName | ||
var integrity = ssri.fromData(tarbuffer, { | ||
algorithms: ['sha1', 'sha512'] | ||
}) | ||
data._id = data.name + '@' + data.version | ||
data.dist = data.dist || {} | ||
data.dist.shasum = crypto.createHash('sha1').update(tarbuffer).digest('hex') | ||
// Don't bother having sha1 in the actual integrity field | ||
data.dist.integrity = integrity['sha512'][0].toString() | ||
// Legacy shasum support | ||
data.dist.shasum = integrity['sha1'][0].hexDigest() | ||
data.dist.tarball = url.resolve(registry, tbURI) | ||
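Review bot: The two comments on the new digest lines do not say why SHA-1 is kept out of `dist.integrity` or what `dist.shasum` is still good for, so a reader could take the legacy field as an adequate tamper check. SHA-1 is not collision-resistant, so I would replace `// Don't bother having sha1 in the actual integrity field` with `// Publish only sha512 in dist.integrity; sha1 is too weak to serve as an integrity check` and `// Legacy shasum support` with `// dist.shasum (sha1 hex) is kept only for clients that predate dist.integrity`. The hunk-header context just below shows an `https://` to `http://` rewrite near the `dist.tarball` assignment; if that applies to the stored tarball URL, the sha512 value is the main protection for the download, which is worth stating in the comment as well. The enclosing function starts and ends outside the hunk.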
@@ -95,0 +101,0 @@ .replace(/^https:\/\//, 'http://') |
@@ -5,3 +5,3 @@ { | ||
"description": "Client for the npm registry", | ||
"version": "8.2.0", | ||
"version": "8.3.0", | ||
"repository": { | ||
@@ -27,3 +27,4 @@ "url": "https://github.com/npm/npm-registry-client.git" | ||
"semver": "2 >=2.2.1 || 3.x || 4 || 5", | ||
"slide": "^1.1.3" | ||
"slide": "^1.1.3", | ||
"ssri": "^4.1.2" | ||
}, | ||
@@ -30,0 +31,0 @@ "devDependencies": { |
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
+ Added ssri@^4.1.2
+ Added ssri@4.1.6 (transitive)