pacote - npm Package Compare versions

Comparing version 17.0.4 to 17.0.5

lib/registry.js

@@ -17,2 +17,6 @@ const Fetcher = require('./fetcher.js')
 
+// Some really old packages have no time field in their packument so we need a
+// cutoff date.
+const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'
+
 const fetch = require('npm-registry-fetch')
@@ -119,2 +123,9 @@
 
+    // When verifying signatures, we need to fetch the full/uncompressed
+    // packument to get publish time as this is not included in the
+    // corgi/compressed packument.
+    if (this.opts.verifySignatures) {
+      this.fullMetadata = true
+    }
+
     const packument = await this.packument()
@@ -129,2 +140,8 @@ let mani = await pickManifest(packument, this.spec.fetchSpec, {
 
+    // add _time from packument if fetched with fullMetadata
+    const time = packument.time?.[mani.version]
+    if (time) {
+      mani._time = time
+    }
+
     // add _resolved and _integrity from dist object
@@ -177,4 +194,6 @@ const { dist } = mani
             }
-            const validPublicKey =
-              !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+
+            const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF)
+            const validPublicKey = !publicKey.expires ||
+              publishedTime < Date.parse(publicKey.expires)
             if (!validPublicKey) {
@@ -261,4 +280,9 @@ throw Object.assign(new Error(
 
-              const validPublicKey =
-                !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+              const integratedTime = new Date(
+                Number(
+                  bundle.verificationMaterial.tlogEntries[0].integratedTime
+                ) * 1000
+              )
+              const validPublicKey = !publicKey.expires ||
+                (integratedTime < Date.parse(publicKey.expires))
               if (!validPublicKey) {
@@ -265,0 +289,0 @@ throw Object.assign(new Error(

package.json

 {
   "name": "pacote",
-  "version": "17.0.4",
+  "version": "17.0.5",
   "description": "JavaScript package downloader",
@@ -28,5 +28,5 @@ "author": "GitHub Inc.",
   "devDependencies": {
-    "@npmcli/arborist": "^6.0.0 || ^6.0.0-pre.0",
+    "@npmcli/arborist": "^7.1.0",
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.18.0",
+    "@npmcli/template-oss": "4.19.0",
     "hosted-git-info": "^7.0.0",
@@ -76,9 +76,3 @@ "mutate-fs": "^2.1.1",
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "ciVersions": [
-      "16.14.0",
-      "16.x",
-      "18.0.0",
-      "18.x"
-    ],
-    "version": "4.18.0",
+    "version": "4.19.0",
     "windowsCI": false,
@@ -85,0 +79,0 @@ "publish": "true"

No alert changes

Improved metrics

Total package byte prevSize

74781

increased by0.99%

Lines of code

1585

increased by1.28%

No dependency changes