Comparing version 14.0.0 to 15.0.0
@@ -10,6 +10,6 @@ // This is the base class that the other fetcher types in lib | ||
const { basename, dirname } = require('path') | ||
const rimraf = promisify(require('rimraf')) | ||
const tar = require('tar') | ||
const log = require('proc-log') | ||
const retry = require('promise-retry') | ||
const fs = require('fs/promises') | ||
const fsm = require('fs-minipass') | ||
@@ -24,10 +24,2 @@ const cacache = require('cacache') | ||
// we only change ownership on unix platforms, and only if uid is 0 | ||
const selfOwner = process.getuid && process.getuid() === 0 ? { | ||
uid: 0, | ||
gid: process.getgid(), | ||
} : null | ||
const chownr = selfOwner ? promisify(require('chownr')) : null | ||
const inferOwner = selfOwner ? require('infer-owner') : null | ||
const mkdirp = require('mkdirp') | ||
const cacheDir = require('./util/cache-dir.js') | ||
@@ -38,3 +30,2 @@ | ||
// Users should never call them. | ||
const _chown = Symbol('_chown') | ||
const _extract = Symbol('_extract') | ||
@@ -365,33 +356,10 @@ const _mkdir = Symbol('_mkdir') | ||
async [_chown] (path, uid, gid) { | ||
return selfOwner && (selfOwner.gid !== gid || selfOwner.uid !== uid) | ||
? chownr(path, uid, gid) | ||
: /* istanbul ignore next - we don't test in root-owned folders */ null | ||
} | ||
[_empty] (path) { | ||
return getContents({ path, depth: 1 }).then(contents => Promise.all( | ||
contents.map(entry => rimraf(entry)))) | ||
contents.map(entry => fs.rm(entry, { recursive: true, force: true })))) | ||
} | ||
[_mkdir] (dest) { | ||
// if we're bothering to do owner inference, then do it. | ||
// otherwise just make the dir, and return an empty object. | ||
// always empty the dir dir to start with, but do so | ||
// _after_ inferring the owner, in case there's an existing folder | ||
// there that we would want to preserve which differs from the | ||
// parent folder (rare, but probably happens sometimes). | ||
return !inferOwner | ||
? this[_empty](dest).then(() => mkdirp(dest)).then(() => ({})) | ||
: inferOwner(dest).then(({ uid, gid }) => | ||
this[_empty](dest) | ||
.then(() => mkdirp(dest)) | ||
.then(made => { | ||
// ignore the || dest part in coverage. It's there to handle | ||
// race conditions where the dir may be made by someone else | ||
// after being removed by us. | ||
const dir = made || /* istanbul ignore next */ dest | ||
return this[_chown](dir, uid, gid) | ||
}) | ||
.then(() => ({ uid, gid }))) | ||
async [_mkdir] (dest) { | ||
await this[_empty](dest) | ||
return await fs.mkdir(dest, { recursive: true }) | ||
} | ||
@@ -401,5 +369,5 @@ | ||
// the tarball comes from. | ||
extract (dest) { | ||
return this[_mkdir](dest).then(({ uid, gid }) => | ||
this.tarballStream(tarball => this[_extract](dest, tarball, uid, gid))) | ||
async extract (dest) { | ||
await this[_mkdir](dest) | ||
return this.tarballStream((tarball) => this[_extract](dest, tarball)) | ||
} | ||
@@ -422,14 +390,10 @@ | ||
// don't use this[_mkdir] because we don't want to rimraf anything | ||
tarballFile (dest) { | ||
async tarballFile (dest) { | ||
const dir = dirname(dest) | ||
return !inferOwner | ||
? mkdirp(dir).then(() => this[_toFile](dest)) | ||
: inferOwner(dest).then(({ uid, gid }) => | ||
mkdirp(dir).then(made => this[_toFile](dest) | ||
.then(res => this[_chown](made || dir, uid, gid) | ||
.then(() => res)))) | ||
await fs.mkdir(dir, { recursive: true }) | ||
return this[_toFile](dest) | ||
} | ||
[_extract] (dest, tarball, uid, gid) { | ||
const extractor = tar.x(this[_tarxOptions]({ cwd: dest, uid, gid })) | ||
[_extract] (dest, tarball) { | ||
const extractor = tar.x(this[_tarxOptions]({ cwd: dest })) | ||
const p = new Promise((resolve, reject) => { | ||
@@ -436,0 +400,0 @@ extractor.on('end', () => { |
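Review bot: In `[_extract]`, the new call `tar.x(this[_tarxOptions]({ cwd: dest }))` no longer forces `uid`/`gid`, and node-tar defaults `preserveOwner` to true when the process runs as root, so ownership would then be taken from the tarball's entry headers unless `_tarxOptions` turns that off. `_tarxOptions` is not visible in this diff, so please confirm it sets `preserveOwner: false`, and add a test that extracts a tarball carrying non-zero uid/gid entries. Separately, with `_chown` and `infer-owner` removed, anything `fs.mkdir(dest, { recursive: true })` creates under a root invocation stays root-owned inside what may be a user-owned tree; that behaviour change deserves an explicit changelog line. The comment above `tarballFile` still says "we don't want to rimraf anything" although `_empty` now uses `fs.rm`; suggest `// don't use this[_mkdir] because we don't want to empty the directory`. The `[_extract]` body continues past the end of the last hunk.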
{ | ||
"name": "pacote", | ||
"version": "14.0.0", | ||
"version": "15.0.0", | ||
"description": "JavaScript package downloader", | ||
@@ -30,3 +30,3 @@ "author": "GitHub Inc.", | ||
"@npmcli/eslint-config": "^3.1.0", | ||
"@npmcli/template-oss": "4.4.4", | ||
"@npmcli/template-oss": "4.5.1", | ||
"hosted-git-info": "^5.0.0", | ||
@@ -52,8 +52,5 @@ "mutate-fs": "^2.1.1", | ||
"@npmcli/run-script": "^4.1.0", | ||
"cacache": "^16.0.0", | ||
"chownr": "^2.0.0", | ||
"cacache": "^17.0.0", | ||
"fs-minipass": "^2.1.0", | ||
"infer-owner": "^1.0.4", | ||
"minipass": "^3.1.6", | ||
"mkdirp": "^1.0.4", | ||
"npm-package-arg": "^9.0.0", | ||
@@ -66,4 +63,3 @@ "npm-packlist": "^7.0.0", | ||
"read-package-json": "^5.0.0", | ||
"read-package-json-fast": "^2.0.3", | ||
"rimraf": "^3.0.2", | ||
"read-package-json-fast": "^3.0.0", | ||
"ssri": "^9.0.0", | ||
@@ -81,5 +77,5 @@ "tar": "^6.1.11" | ||
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", | ||
"version": "4.4.4", | ||
"version": "4.5.1", | ||
"windowsCI": false | ||
} | ||
} |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
+ Added@isaacs/cliui@8.0.2(transitive)
+ Added@npmcli/fs@3.1.1(transitive)
+ Added@pkgjs/parseargs@0.11.0(transitive)
+ Addedansi-regex@6.1.0(transitive)
+ Addedansi-styles@4.3.06.2.1(transitive)
+ Addedcacache@17.1.4(transitive)
+ Addedcolor-convert@2.0.1(transitive)
+ Addedcolor-name@1.1.4(transitive)
+ Addedcross-spawn@7.0.3(transitive)
+ Addedeastasianwidth@0.2.0(transitive)
+ Addedemoji-regex@9.2.2(transitive)
+ Addedforeground-child@3.3.0(transitive)
+ Addedfs-minipass@3.0.3(transitive)
+ Addedglob@10.4.5(transitive)
+ Addedjackspeak@3.4.3(transitive)
+ Addedjson-parse-even-better-errors@3.0.2(transitive)
+ Addedlru-cache@10.4.3(transitive)
+ Addedminipass@7.1.2(transitive)
+ Addednpm-normalize-package-bin@3.0.1(transitive)
+ Addedpackage-json-from-dist@1.0.1(transitive)
+ Addedpath-key@3.1.1(transitive)
+ Addedpath-scurry@1.11.1(transitive)
+ Addedread-package-json-fast@3.0.2(transitive)
+ Addedshebang-command@2.0.0(transitive)
+ Addedshebang-regex@3.0.0(transitive)
+ Addedsignal-exit@4.1.0(transitive)
+ Addedssri@10.0.6(transitive)
+ Addedstring-width@5.1.2(transitive)
+ Addedstrip-ansi@7.1.0(transitive)
+ Addedunique-filename@3.0.0(transitive)
+ Addedunique-slug@4.0.0(transitive)
+ Addedwrap-ansi@7.0.08.1.0(transitive)
- Removedchownr@^2.0.0
- Removedinfer-owner@^1.0.4
- Removedmkdirp@^1.0.4
- Removedrimraf@^3.0.2
Updatedcacache@^17.0.0