package-json
Advanced tools
Comparing version 2.3.3 to 2.4.0
21
index.js
@@ -5,3 +5,3 @@ 'use strict'; | ||
| var registryUrl = require('registry-url'); | ||
| var rc = require('rc'); | ||
| var registryAuthToken = require('registry-auth-token'); | ||
| var semver = require('semver'); | ||
@@ -11,18 +11,9 @@ | ||
| var scope = name.split('/')[0]; | ||
| var pkgUrl = url.resolve(registryUrl(scope), encodeURIComponent(name).replace(/^%40/, '@')); | ||
| var npmrc = rc('npm'); | ||
| var token; | ||
| if (!npmrc.registry || url.parse(npmrc.registry).hostname === 'registry.npmjs.org') { | ||
| token = npmrc[scope + ':_authToken'] || npmrc['//registry.npmjs.org/:_authToken']; | ||
| } | ||
| var regUrl = registryUrl(scope); | ||
| var pkgUrl = url.resolve(regUrl, encodeURIComponent(name).replace(/^%40/, '@')); | ||
| var authInfo = registryAuthToken(regUrl); | ||
| var headers = {}; | ||
| if (token) { | ||
| if (process.env.NPM_TOKEN) { | ||
| token = token.replace('${NPM_TOKEN}', process.env.NPM_TOKEN); | ||
| } | ||
| headers.authorization = 'Bearer ' + token; | ||
| if (authInfo) { | ||
| headers.authorization = authInfo.type + ' ' + authInfo.token; | ||
| } | ||
@@ -29,0 +20,0 @@ |
| { | ||
| "name": "package-json", | ||
| "version": "2.3.3", | ||
| "version": "2.4.0", | ||
| "description": "Get the package.json of a package from the npm registry", | ||
@@ -34,3 +34,3 @@ "license": "MIT", | ||
| "got": "^5.0.0", | ||
| "rc": "^1.1.2", | ||
| "registry-auth-token": "^3.0.1", | ||
| "registry-url": "^3.0.3", | ||
@@ -41,4 +41,5 @@ "semver": "^5.1.0" | ||
| "ava": "*", | ||
| "mock-private-registry": "^1.1.0", | ||
| "xo": "*" | ||
| } | ||
| } |
@@ -45,2 +45,8 @@ # package-json [](https://travis-ci.org/sindresorhus/package-json) | ||
| ## Authentication | ||
| Both public and private registries are supported, for both scoped and unscoped packages, as long as the registry uses either bearer tokens or basic authentication. | ||
| ## Related | ||
@@ -47,0 +53,0 @@ |
Fixed alerts
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.92%
5179
- Number of lines in readme file
- increased by10.34%
64
- Number of low supply chain risk alerts
- decreased by-66.67%
1
Worsened metrics
- Dev dependency count
- increased by50%
3
- Lines of code
- decreased by-11.76%
45
Dependency changes
+ Addedregistry-auth-token@^3.0.1
+ Addedregistry-auth-token@3.4.0(transitive)
- Removedrc@^1.1.2