pacote - npm Package Compare versions

Comparing version 14.0.0 to 15.0.0

lib/fetcher.js

@@ -10,6 +10,6 @@ // This is the base class that the other fetcher types in lib
 const { basename, dirname } = require('path')
-const rimraf = promisify(require('rimraf'))
 const tar = require('tar')
 const log = require('proc-log')
 const retry = require('promise-retry')
+const fs = require('fs/promises')
 const fsm = require('fs-minipass')
@@ -24,10 +24,2 @@ const cacache = require('cacache')
 
-// we only change ownership on unix platforms, and only if uid is 0
-const selfOwner = process.getuid && process.getuid() === 0 ? {
-  uid: 0,
-  gid: process.getgid(),
-} : null
-const chownr = selfOwner ? promisify(require('chownr')) : null
-const inferOwner = selfOwner ? require('infer-owner') : null
-const mkdirp = require('mkdirp')
 const cacheDir = require('./util/cache-dir.js')
@@ -38,3 +30,2 @@
 // Users should never call them.
-const _chown = Symbol('_chown')
 const _extract = Symbol('_extract')
@@ -365,33 +356,10 @@ const _mkdir = Symbol('_mkdir')
 
-  async [_chown] (path, uid, gid) {
-    return selfOwner && (selfOwner.gid !== gid || selfOwner.uid !== uid)
-      ? chownr(path, uid, gid)
-      : /* istanbul ignore next - we don't test in root-owned folders */ null
-  }
-
   [_empty] (path) {
     return getContents({ path, depth: 1 }).then(contents => Promise.all(
-      contents.map(entry => rimraf(entry))))
+      contents.map(entry => fs.rm(entry, { recursive: true, force: true }))))
   }
 
-  [_mkdir] (dest) {
-    // if we're bothering to do owner inference, then do it.
-    // otherwise just make the dir, and return an empty object.
-    // always empty the dir dir to start with, but do so
-    // _after_ inferring the owner, in case there's an existing folder
-    // there that we would want to preserve which differs from the
-    // parent folder (rare, but probably happens sometimes).
-    return !inferOwner
-      ? this[_empty](dest).then(() => mkdirp(dest)).then(() => ({}))
-      : inferOwner(dest).then(({ uid, gid }) =>
-        this[_empty](dest)
-          .then(() => mkdirp(dest))
-          .then(made => {
-            // ignore the || dest part in coverage.  It's there to handle
-            // race conditions where the dir may be made by someone else
-            // after being removed by us.
-            const dir = made || /* istanbul ignore next */ dest
-            return this[_chown](dir, uid, gid)
-          })
-          .then(() => ({ uid, gid })))
+  async [_mkdir] (dest) {
+    await this[_empty](dest)
+    return await fs.mkdir(dest, { recursive: true })
   }
@@ -401,5 +369,5 @@
   // the tarball comes from.
-  extract (dest) {
-    return this[_mkdir](dest).then(({ uid, gid }) =>
-      this.tarballStream(tarball => this[_extract](dest, tarball, uid, gid)))
+  async extract (dest) {
+    await this[_mkdir](dest)
+    return this.tarballStream((tarball) => this[_extract](dest, tarball))
   }
@@ -422,14 +390,10 @@
   // don't use this[_mkdir] because we don't want to rimraf anything
-  tarballFile (dest) {
+  async tarballFile (dest) {
     const dir = dirname(dest)
-    return !inferOwner
-      ? mkdirp(dir).then(() => this[_toFile](dest))
-      : inferOwner(dest).then(({ uid, gid }) =>
-        mkdirp(dir).then(made => this[_toFile](dest)
-          .then(res => this[_chown](made || dir, uid, gid)
-            .then(() => res))))
+    await fs.mkdir(dir, { recursive: true })
+    return this[_toFile](dest)
   }
 
-  [_extract] (dest, tarball, uid, gid) {
-    const extractor = tar.x(this[_tarxOptions]({ cwd: dest, uid, gid }))
+  [_extract] (dest, tarball) {
+    const extractor = tar.x(this[_tarxOptions]({ cwd: dest }))
     const p = new Promise((resolve, reject) => {
@@ -436,0 +400,0 @@ extractor.on('end', () => {

package.json

 {
   "name": "pacote",
-  "version": "14.0.0",
+  "version": "15.0.0",
   "description": "JavaScript package downloader",
@@ -30,3 +30,3 @@ "author": "GitHub Inc.",
     "@npmcli/eslint-config": "^3.1.0",
-    "@npmcli/template-oss": "4.4.4",
+    "@npmcli/template-oss": "4.5.1",
     "hosted-git-info": "^5.0.0",
@@ -52,8 +52,5 @@ "mutate-fs": "^2.1.1",
     "@npmcli/run-script": "^4.1.0",
-    "cacache": "^16.0.0",
-    "chownr": "^2.0.0",
+    "cacache": "^17.0.0",
     "fs-minipass": "^2.1.0",
-    "infer-owner": "^1.0.4",
     "minipass": "^3.1.6",
-    "mkdirp": "^1.0.4",
     "npm-package-arg": "^9.0.0",
@@ -66,4 +63,3 @@ "npm-packlist": "^7.0.0",
     "read-package-json": "^5.0.0",
-    "read-package-json-fast": "^2.0.3",
-    "rimraf": "^3.0.2",
+    "read-package-json-fast": "^3.0.0",
     "ssri": "^9.0.0",
@@ -81,5 +77,5 @@ "tar": "^6.1.11"
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.4.4",
+    "version": "4.5.1",
     "windowsCI": false
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Dependency count

17

decreased by-19.05%

Worsened metrics

Total package byte prevSize

68628

decreased by-2.51%

Lines of code

1463

decreased by-2.34%

Number of low supply chain risk alerts

10

increased by11.11%

Dependency changes

• + Added@isaacs/cliui@8.0.2(transitive)

• + Added@npmcli/fs@3.1.1(transitive)

• + Added@pkgjs/parseargs@0.11.0(transitive)

• + Addedansi-regex@6.1.0(transitive)

• + Addedansi-styles@4.3.06.2.1(transitive)

• + Addedcacache@17.1.4(transitive)

• + Addedcolor-convert@2.0.1(transitive)

• + Addedcolor-name@1.1.4(transitive)

• + Addedcross-spawn@7.0.3(transitive)

• + Addedeastasianwidth@0.2.0(transitive)

• + Addedemoji-regex@9.2.2(transitive)

• + Addedforeground-child@3.3.0(transitive)

• + Addedfs-minipass@3.0.3(transitive)

• + Addedglob@10.4.5(transitive)

• + Addedjackspeak@3.4.3(transitive)

• + Addedjson-parse-even-better-errors@3.0.2(transitive)

• + Addedlru-cache@10.4.3(transitive)

• + Addedminipass@7.1.2(transitive)

• + Addednpm-normalize-package-bin@3.0.1(transitive)

• + Addedpackage-json-from-dist@1.0.1(transitive)

• + Addedpath-key@3.1.1(transitive)

• + Addedpath-scurry@1.11.1(transitive)

• + Addedread-package-json-fast@3.0.2(transitive)

• + Addedshebang-command@2.0.0(transitive)

• + Addedshebang-regex@3.0.0(transitive)

• + Addedsignal-exit@4.1.0(transitive)

• + Addedssri@10.0.6(transitive)

• + Addedstring-width@5.1.2(transitive)

• + Addedstrip-ansi@7.1.0(transitive)

• + Addedunique-filename@3.0.0(transitive)

• + Addedunique-slug@4.0.0(transitive)

• + Addedwrap-ansi@7.0.08.1.0(transitive)

• - Removedchownr@^2.0.0

• - Removedinfer-owner@^1.0.4

• - Removedmkdirp@^1.0.4

• - Removedrimraf@^3.0.2

• Updatedcacache@^17.0.0

• Updatedread-package-json-fast@^3.0.0