
pacote - npm Package Compare versions

Comparing version 18.0.4 to 18.0.5

bin/index.js

13

lib/dir.js

@@ -7,9 +7,6 @@ const Fetcher = require('./fetcher.js')

const tar = require('tar')
const _prepareDir = Symbol('_prepareDir')
const { resolve } = require('path')
const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
const runScript = require('@npmcli/run-script')
const _ = require('./util/protected.js')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
class DirFetcher extends Fetcher {

@@ -34,3 +31,3 @@ constructor (spec, opts) {

[_prepareDir] () {
[_.prepareDir] () {
return this.manifest().then(mani => {

@@ -60,3 +57,3 @@ if (!mani.scripts || !mani.scripts.prepare) {

[_tarballFromResolved] () {
[_.tarballFromResolved] () {
if (!this.tree && !this.Arborist) {

@@ -74,3 +71,3 @@ throw new Error('DirFetcher requires either a tree or an Arborist constructor to pack')

// pipe to the stream, and proxy errors the chain.
this[_prepareDir]()
this[_.prepareDir]()
.then(async () => {

@@ -94,3 +91,3 @@ if (!this.tree) {

return this[_readPackageJson](this.resolved)
return this[_.readPackageJson](this.resolved)
.then(mani => this.package = {

@@ -97,0 +94,0 @@ ...mani,
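Review bot: The prepare step on DirFetcher moves from a module-local `Symbol('_prepareDir')` to the shared key `_.prepareDir`, whereas the same-named step in lib/git.js becomes `#prepareDir`. The hunk context (`if (!mani.scripts || !mani.scripts.prepare)`) and the `@npmcli/run-script` import suggest this is the method that runs a package's `prepare` script, so it is the member that should have the narrowest reach. protected.js is not shown on this page; if its keys are `Symbol.for` registrations, any module in the process can obtain this key by name and call or replace the method. Unless a subclass has to override it, I would declare it `#prepareDir () {` and call `this.#prepareDir()`, matching git.js.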

@@ -21,2 +21,3 @@ // This is the base class that the other fetcher types in lib

const cacheDir = require('./util/cache-dir.js')
const _ = require('./util/protected.js')

@@ -27,18 +28,2 @@ // Pacote is only concerned with the package.json contents

// Private methods.
// Child classes should not have to override these.
// Users should never call them.
const _extract = Symbol('_extract')
const _mkdir = Symbol('_mkdir')
const _empty = Symbol('_empty')
const _toFile = Symbol('_toFile')
const _tarxOptions = Symbol('_tarxOptions')
const _entryMode = Symbol('_entryMode')
const _istream = Symbol('_istream')
const _assertType = Symbol('_assertType')
const _tarballFromCache = Symbol('_tarballFromCache')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
class FetcherBase {

@@ -62,3 +47,3 @@ constructor (spec, opts) {

this[_assertType]()
this.#assertType()
// clone the opts object so that others aren't upset when we mutate it

@@ -99,7 +84,5 @@ // by adding/modifying the integrity value.

this.fullReadJson = !!opts.fullReadJson
if (this.fullReadJson) {
this[_readPackageJson] = packageJsonPrepare
} else {
this[_readPackageJson] = packageJsonNormalize
}
this[_.readPackageJson] = this.fullReadJson
? packageJsonPrepare
: packageJsonNormalize

@@ -195,3 +178,3 @@ // rrh is a registry hostname or 'never' or 'always'

// but *just* return the raw tarball data stream.
[_tarballFromResolved] () {
[_.tarballFromResolved] () {
throw this.notImplementedError

@@ -212,13 +195,13 @@ }

// Note: cacache will raise a EINTEGRITY error if the integrity doesn't match
[_tarballFromCache] () {
#tarballFromCache () {
return cacache.get.stream.byDigest(this.cache, this.integrity, this.opts)
}
get [_cacheFetches] () {
get [_.cacheFetches] () {
return true
}
[_istream] (stream) {
#istream (stream) {
// if not caching this, just return it
if (!this.opts.cache || !this[_cacheFetches]) {
if (!this.opts.cache || !this[_.cacheFetches]) {
// instead of creating a new integrity stream, we only piggyback on the

@@ -276,3 +259,3 @@ // provided stream's events

[_assertType] () {
#assertType () {
if (this.types && !this.types.includes(this.spec.type)) {

@@ -316,3 +299,3 @@ throw new TypeError(`Wrong spec type (${

this.resolved
) ? streamHandler(this[_tarballFromCache]()).catch(er => {
) ? streamHandler(this.#tarballFromCache()).catch(er => {
if (this.isDataCorruptionError(er)) {

@@ -340,3 +323,3 @@ log.warn('tarball', `cached data for ${

return this.resolve().then(() => retry(tryAgain =>
streamHandler(this[_istream](this[_tarballFromResolved]()))
streamHandler(this.#istream(this[_.tarballFromResolved]()))
.catch(streamErr => {

@@ -364,3 +347,3 @@ // Most likely data integrity. A cache ENOENT error is unlikely

[_empty] (path) {
#empty (path) {
return getContents({ path, depth: 1 }).then(contents => Promise.all(

@@ -370,4 +353,4 @@ contents.map(entry => fs.rm(entry, { recursive: true, force: true }))))

async [_mkdir] (dest) {
await this[_empty](dest)
async #mkdir (dest) {
await this.#empty(dest)
return await fs.mkdir(dest, { recursive: true })

@@ -379,7 +362,7 @@ }

async extract (dest) {
await this[_mkdir](dest)
return this.tarballStream((tarball) => this[_extract](dest, tarball))
await this.#mkdir(dest)
return this.tarballStream((tarball) => this.#extract(dest, tarball))
}
[_toFile] (dest) {
#toFile (dest) {
return this.tarballStream(str => new Promise((res, rej) => {

@@ -398,11 +381,11 @@ const writer = new fsm.WriteStream(dest)

// don't use this[_mkdir] because we don't want to rimraf anything
// don't use this.#mkdir because we don't want to rimraf anything
async tarballFile (dest) {
const dir = dirname(dest)
await fs.mkdir(dir, { recursive: true })
return this[_toFile](dest)
return this.#toFile(dest)
}
[_extract] (dest, tarball) {
const extractor = tar.x(this[_tarxOptions]({ cwd: dest }))
#extract (dest, tarball) {
const extractor = tar.x(this.#tarxOptions({ cwd: dest }))
const p = new Promise((resolve, reject) => {

@@ -432,3 +415,3 @@ extractor.on('end', () => {

// dmode/fmode, but never more permissive than the umask allows.
[_entryMode] (path, mode, type) {
#entryMode (path, mode, type) {
const m = /Directory|GNUDumpDir/.test(type) ? this.dmode

@@ -444,3 +427,3 @@ : /File$/.test(type) ? this.fmode

[_tarxOptions] ({ cwd }) {
#tarxOptions ({ cwd }) {
const sawIgnores = new Set()

@@ -455,3 +438,3 @@ return {

}
entry.mode = this[_entryMode](entry.path, entry.mode, entry.type)
entry.mode = this.#entryMode(entry.path, entry.mode, entry.type)
// this replicates the npm pack behavior where .gitignore files

@@ -458,0 +441,0 @@ // are treated like .npmignore files, but only if a .npmignore
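Review bot: Nothing on the new side records which members are still an override surface, because the removed block comment ("Private methods. Child classes should not have to override these. Users should never call them.") went away with the symbols it described. The tar extraction and mode-clamping helpers (`#extract`, `#tarxOptions`, `#entryMode`) are now language-enforced private, while `_.tarballFromResolved`, `_.cacheFetches` and `_.readPackageJson` stay reachable by key. I would add a comment at `const _ = require('./util/protected.js')`, for example `// keys in _ are the only members subclasses may override; all other internals are #private`. protected.js is not shown here; if it changed the registered key strings (the old one for readPackageJson was spelled `package.Fetcher.…`, not `pacote.Fetcher.…`), fetchers defined outside this package that used the old `Symbol.for` keys would presumably stop overriding without any error.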

@@ -6,7 +6,4 @@ const fsm = require('fs-minipass')

const Fetcher = require('./fetcher.js')
const _ = require('./util/protected.js')
const _exeBins = Symbol('_exeBins')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
class FileFetcher extends Fetcher {

@@ -31,3 +28,3 @@ constructor (spec, opts) {

this.extract(dir)
.then(() => this[_readPackageJson](dir))
.then(() => this[_.readPackageJson](dir))
.then(mani => this.package = {

@@ -41,3 +38,3 @@ ...mani,

[_exeBins] (pkg, dest) {
#exeBins (pkg, dest) {
if (!pkg.bin) {

@@ -71,7 +68,7 @@ return Promise.resolve()

.then(result => this.package ? result
: this[_readPackageJson](dest).then(pkg =>
this[_exeBins](pkg, dest)).then(() => result))
: this[_.readPackageJson](dest).then(pkg =>
this.#exeBins(pkg, dest)).then(() => result))
}
[_tarballFromResolved] () {
[_.tarballFromResolved] () {
// create a read stream and return it

@@ -78,0 +75,0 @@ return new fsm.ReadStream(this.resolved)

@@ -5,3 +5,2 @@ const Fetcher = require('./fetcher.js')

const DirFetcher = require('./dir.js')
const hashre = /^[a-f0-9]{40}$/
const git = require('@npmcli/git')

@@ -14,16 +13,7 @@ const pickManifest = require('npm-pick-manifest')

const npm = require('./util/npm.js')
const _resolvedFromRepo = Symbol('_resolvedFromRepo')
const _resolvedFromHosted = Symbol('_resolvedFromHosted')
const _resolvedFromClone = Symbol('_resolvedFromClone')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const _addGitSha = Symbol('_addGitSha')
const addGitSha = require('./util/add-git-sha.js')
const _clone = Symbol('_clone')
const _cloneHosted = Symbol('_cloneHosted')
const _cloneRepo = Symbol('_cloneRepo')
const _setResolvedWithSha = Symbol('_setResolvedWithSha')
const _prepareDir = Symbol('_prepareDir')
const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
const _ = require('./util/protected.js')
const hashre = /^[a-f0-9]{40}$/
// get the repository url.

@@ -89,4 +79,5 @@ // prefer https if there's auth, since ssh will drop that.

// try to use ssh, fall back to git.
return h ? this[_resolvedFromHosted](h)
: this[_resolvedFromRepo](this.spec.fetchSpec)
return h
? this.#resolvedFromHosted(h)
: this.#resolvedFromRepo(this.spec.fetchSpec)
}

@@ -99,19 +90,18 @@

// is present, otherwise ssh if the hosted type provides it
[_resolvedFromHosted] (hosted) {
return this[_resolvedFromRepo](hosted.https && hosted.https())
.catch(er => {
// Throw early since we know pathspec errors will fail again if retried
if (er instanceof git.errors.GitPathspecError) {
throw er
}
const ssh = hosted.sshurl && hosted.sshurl()
// no fallthrough if we can't fall through or have https auth
if (!ssh || hosted.auth) {
throw er
}
return this[_resolvedFromRepo](ssh)
})
#resolvedFromHosted (hosted) {
return this.#resolvedFromRepo(hosted.https && hosted.https()).catch(er => {
// Throw early since we know pathspec errors will fail again if retried
if (er instanceof git.errors.GitPathspecError) {
throw er
}
const ssh = hosted.sshurl && hosted.sshurl()
// no fallthrough if we can't fall through or have https auth
if (!ssh || hosted.auth) {
throw er
}
return this.#resolvedFromRepo(ssh)
})
}
[_resolvedFromRepo] (gitRemote) {
#resolvedFromRepo (gitRemote) {
// XXX make this a custom error class

@@ -137,3 +127,3 @@ if (!gitRemote) {

if (!revDoc || !revDoc.sha) {
return this[_resolvedFromClone]()
return this.#resolvedFromClone()
}

@@ -143,3 +133,3 @@

this.resolvedSha = revDoc.sha
this[_addGitSha](revDoc.sha)
this.#addGitSha(revDoc.sha)
return this.resolved

@@ -149,3 +139,3 @@ })

[_setResolvedWithSha] (withSha) {
#setResolvedWithSha (withSha) {
// we haven't cloned, so a tgz download is still faster

@@ -159,14 +149,14 @@ // of course, if it's not a known host, we can't do that.

// either a git url with a hash, or a tarball download URL
[_addGitSha] (sha) {
this[_setResolvedWithSha](addGitSha(this.spec, sha))
#addGitSha (sha) {
this.#setResolvedWithSha(addGitSha(this.spec, sha))
}
[_resolvedFromClone] () {
#resolvedFromClone () {
// do a full or shallow clone, then look at the HEAD
// kind of wasteful, but no other option, really
return this[_clone](() => this.resolved)
return this.#clone(() => this.resolved)
}
[_prepareDir] (dir) {
return this[_readPackageJson](dir).then(mani => {
#prepareDir (dir) {
return this[_.readPackageJson](dir).then(mani => {
// no need if we aren't going to do any preparation.

@@ -211,3 +201,3 @@ const scripts = mani.scripts

[_tarballFromResolved] () {
[_.tarballFromResolved] () {
const stream = new Minipass()

@@ -218,3 +208,3 @@ stream.resolved = this.resolved

// check it out and then shell out to the DirFetcher tarball packer
this[_clone](dir => this[_prepareDir](dir)
this.#clone(dir => this.#prepareDir(dir)
.then(() => new Promise((res, rej) => {

@@ -230,3 +220,3 @@ if (!this.Arborist) {

})
const dirStream = df[_tarballFromResolved]()
const dirStream = df[_.tarballFromResolved]()
dirStream.on('error', rej)

@@ -249,3 +239,3 @@ dirStream.on('end', res)

// spec and repo, so that we don't ever clone the same thing multiple times.
[_clone] (handler, tarballOk = true) {
#clone (handler, tarballOk = true) {
const o = { tmpPrefix: 'git-clone' }

@@ -273,3 +263,3 @@ const ref = this.resolvedSha || this.spec.gitCommittish

if (er.constructor.name.match(/^Http/)) {
return this[_clone](handler, false)
return this.#clone(handler, false)
} else {

@@ -282,8 +272,8 @@ throw er

const sha = await (
h ? this[_cloneHosted](ref, tmp)
: this[_cloneRepo](this.spec.fetchSpec, ref, tmp)
h ? this.#cloneHosted(ref, tmp)
: this.#cloneRepo(this.spec.fetchSpec, ref, tmp)
)
this.resolvedSha = sha
if (!this.resolved) {
await this[_addGitSha](sha)
await this.#addGitSha(sha)
}

@@ -299,5 +289,5 @@ return handler(tmp)

// is present, otherwise ssh if the hosted type provides it
[_cloneHosted] (ref, tmp) {
#cloneHosted (ref, tmp) {
const hosted = this.spec.hosted
return this[_cloneRepo](hosted.https({ noCommittish: true }), ref, tmp)
return this.#cloneRepo(hosted.https({ noCommittish: true }), ref, tmp)
.catch(er => {

@@ -313,7 +303,7 @@ // Throw early since we know pathspec errors will fail again if retried

}
return this[_cloneRepo](ssh, ref, tmp)
return this.#cloneRepo(ssh, ref, tmp)
})
}
[_cloneRepo] (repo, ref, tmp) {
#cloneRepo (repo, ref, tmp) {
const { opts, spec } = this

@@ -330,4 +320,4 @@ return git.clone(repo, ref, tmp, { ...opts, spec })

? FileFetcher.prototype.manifest.apply(this)
: this[_clone](dir =>
this[_readPackageJson](dir)
: this.#clone(dir =>
this[_.readPackageJson](dir)
.then(mani => this.package = {

@@ -334,0 +324,0 @@ ...mani,
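Review bot: `FileFetcher.prototype.manifest.apply(this)` in the last hunk borrows a method from another class, and that pattern becomes fragile now that these classes use `#private` members: a `#` access throws a TypeError when `this` was not constructed by the class that declares the member. The manifest lines visible in lib/file.js only use `this[_.readPackageJson]` and `this.extract`, so the call appears to work today, but a later change that makes FileFetcher's manifest reach `this.#exeBins` would presumably fail for git specs only, and only at runtime. I would add a comment above the call such as `// borrowed method: FileFetcher.manifest must not touch FileFetcher #private members`. The enclosing method starts outside the hunk.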

@@ -8,2 +8,6 @@ const { get } = require('./fetcher.js')

const tarball = (spec, opts) => get(spec, opts).tarball()
tarball.stream = (spec, handler, opts) => get(spec, opts).tarballStream(handler)
tarball.file = (spec, dest, opts) => get(spec, opts).tarballFile(dest)
module.exports = {

@@ -18,8 +22,4 @@ GitFetcher,

manifest: (spec, opts) => get(spec, opts).manifest(),
tarball: (spec, opts) => get(spec, opts).tarball(),
packument: (spec, opts) => get(spec, opts).packument(),
tarball,
}
module.exports.tarball.stream = (spec, handler, opts) =>
get(spec, opts).tarballStream(handler)
module.exports.tarball.file = (spec, dest, opts) =>
get(spec, opts).tarballFile(dest)
const Fetcher = require('./fetcher.js')
const RemoteFetcher = require('./remote.js')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const pacoteVersion = require('../package.json').version

@@ -12,2 +11,4 @@ const removeTrailingSlashes = require('./util/trailing-slashes.js')

const sigstore = require('sigstore')
const fetch = require('npm-registry-fetch')
const _ = require('./util/protected.js')

@@ -22,5 +23,2 @@ // Corgis are cute. 🐕🐶

const fetch = require('npm-registry-fetch')
const _headers = Symbol('_headers')
class RegistryFetcher extends Fetcher {

@@ -68,3 +66,3 @@ constructor (spec, opts) {

[_headers] () {
#headers () {
return {

@@ -86,3 +84,3 @@ // npm will override UA, but ensure that we always send *something*

// one request at a time for the same thing regardless.
if (this.packumentCache && this.packumentCache.has(this.packumentUrl)) {
if (this.packumentCache?.has(this.packumentUrl)) {
return this.packumentCache.get(this.packumentUrl)

@@ -97,4 +95,5 @@ }

...this.opts,
headers: this[_headers](),
headers: this.#headers(),
spec: this.spec,
// never check integrity for packuments themselves

@@ -104,11 +103,10 @@ integrity: null,

const packument = await res.json()
packument._contentLength = +res.headers.get('content-length')
if (this.packumentCache) {
this.packumentCache.set(this.packumentUrl, packument)
const contentLength = res.headers.get('content-length')
if (contentLength) {
packument._contentLength = Number(contentLength)
}
this.packumentCache?.set(this.packumentUrl, packument)
return packument
} catch (err) {
if (this.packumentCache) {
this.packumentCache.delete(this.packumentUrl)
}
this.packumentCache?.delete(this.packumentUrl)
if (err.code !== 'E404' || this.fullMetadata) {

@@ -359,3 +357,3 @@ throw err

[_tarballFromResolved] () {
[_.tarballFromResolved] () {
// we use a RemoteFetcher to get the actual tarball stream

@@ -366,3 +364,3 @@ return new RemoteFetcher(this.resolved, {

pkgid: `registry:${this.spec.name}@${this.resolved}`,
})[_tarballFromResolved]()
})[_.tarballFromResolved]()
}

@@ -369,0 +367,0 @@
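Review bot: `Number(contentLength)` in the packument hunk stores whatever the response's `content-length` header converts to, so a non-numeric value leaves `packument._contentLength` as NaN, and a missing header now leaves it undefined where the old `+res.headers.get('content-length')` produced 0. The header is set by the registry or by any proxy in front of it, so I would accept only a non-negative integer: `const n = Number(contentLength)` followed by `if (Number.isSafeInteger(n) && n >= 0) { packument._contentLength = n }`. Consumers of `_contentLength` are outside this diff and should be checked for arithmetic that assumed a number was always present.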

const Fetcher = require('./fetcher.js')
const FileFetcher = require('./file.js')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
const pacoteVersion = require('../package.json').version
const fetch = require('npm-registry-fetch')
const { Minipass } = require('minipass')
const _ = require('./util/protected.js')
const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
const _headers = Symbol('_headers')
class RemoteFetcher extends Fetcher {

@@ -28,7 +26,7 @@ constructor (spec, opts) {

// will write into cacache anyway.
get [_cacheFetches] () {
get [_.cacheFetches] () {
return false
}
[_tarballFromResolved] () {
[_.tarballFromResolved] () {
const stream = new Minipass()

@@ -39,3 +37,3 @@ stream.hasIntegrityEmitter = true

...this.opts,
headers: this[_headers](),
headers: this.#headers(),
spec: this.spec,

@@ -64,3 +62,3 @@ integrity: this.integrity,

[_headers] () {
#headers () {
return {

@@ -67,0 +65,0 @@ // npm will override this, but ensure that we always send *something*

{
"name": "pacote",
"version": "18.0.4",
"version": "18.0.5",
"description": "JavaScript package downloader",
"author": "GitHub Inc.",
"bin": {
"pacote": "lib/bin.js"
"pacote": "bin/index.js"
},

@@ -9,0 +9,0 @@ "license": "ISC",
