pacote - npm Package Compare versions

Comparing version 18.0.5 to 18.0.6

lib/dir.js

@@ -0,10 +1,10 @@
+const { resolve } = require('node:path')
+const packlist = require('npm-packlist')
+const runScript = require('@npmcli/run-script')
+const tar = require('tar')
+const { Minipass } = require('minipass')
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
-const { Minipass } = require('minipass')
+const _ = require('./util/protected.js')
 const tarCreateOptions = require('./util/tar-create-options.js')
-const packlist = require('npm-packlist')
-const tar = require('tar')
-const { resolve } = require('path')
-const runScript = require('@npmcli/run-script')
-const _ = require('./util/protected.js')
 
@@ -30,3 +30,3 @@ class DirFetcher extends Fetcher {
 
-  [_.prepareDir] () {
+  #prepareDir () {
     return this.manifest().then(mani => {
@@ -69,3 +69,3 @@ if (!mani.scripts || !mani.scripts.prepare) {
     // pipe to the stream, and proxy errors the chain.
-    this[_.prepareDir]()
+    this.#prepareDir()
       .then(async () => {
@@ -72,0 +72,0 @@ if (!this.tree) {

lib/fetcher.js

@@ -6,18 +6,18 @@ // This is the base class that the other fetcher types in lib
 
+const { basename, dirname } = require('node:path')
+const { rm, mkdir } = require('node:fs/promises')
+const PackageJson = require('@npmcli/package-json')
+const cacache = require('cacache')
+const fsm = require('fs-minipass')
+const getContents = require('@npmcli/installed-package-contents')
 const npa = require('npm-package-arg')
+const retry = require('promise-retry')
 const ssri = require('ssri')
-const { basename, dirname } = require('path')
 const tar = require('tar')
+const { Minipass } = require('minipass')
 const { log } = require('proc-log')
-const retry = require('promise-retry')
-const fs = require('fs/promises')
-const fsm = require('fs-minipass')
-const cacache = require('cacache')
+const _ = require('./util/protected.js')
+const cacheDir = require('./util/cache-dir.js')
 const isPackageBin = require('./util/is-package-bin.js')
 const removeTrailingSlashes = require('./util/trailing-slashes.js')
-const getContents = require('@npmcli/installed-package-contents')
-const PackageJson = require('@npmcli/package-json')
-const { Minipass } = require('minipass')
-const cacheDir = require('./util/cache-dir.js')
-const _ = require('./util/protected.js')
 
@@ -341,3 +341,3 @@ // Pacote is only concerned with the package.json contents
     return getContents({ path, depth: 1 }).then(contents => Promise.all(
-      contents.map(entry => fs.rm(entry, { recursive: true, force: true }))))
+      contents.map(entry => rm(entry, { recursive: true, force: true }))))
   }
@@ -347,3 +347,3 @@
     await this.#empty(dest)
-    return await fs.mkdir(dest, { recursive: true })
+    return await mkdir(dest, { recursive: true })
   }
@@ -375,3 +375,3 @@
     const dir = dirname(dest)
-    await fs.mkdir(dir, { recursive: true })
+    await mkdir(dir, { recursive: true })
     return this.#toFile(dest)
@@ -378,0 +378,0 @@ }

lib/file.js

@@ -0,5 +1,5 @@
+const { resolve } = require('node:path')
+const { stat, chmod } = require('node:fs/promises')
+const cacache = require('cacache')
 const fsm = require('fs-minipass')
-const cacache = require('cacache')
-const { resolve } = require('path')
-const { stat, chmod } = require('fs/promises')
 const Fetcher = require('./fetcher.js')
@@ -6,0 +6,0 @@ const _ = require('./util/protected.js')

lib/git.js

@@ -1,14 +0,14 @@
-const Fetcher = require('./fetcher.js')
-const FileFetcher = require('./file.js')
-const RemoteFetcher = require('./remote.js')
-const DirFetcher = require('./dir.js')
+const cacache = require('cacache')
 const git = require('@npmcli/git')
+const npa = require('npm-package-arg')
 const pickManifest = require('npm-pick-manifest')
-const npa = require('npm-package-arg')
 const { Minipass } = require('minipass')
-const cacache = require('cacache')
 const { log } = require('proc-log')
+const DirFetcher = require('./dir.js')
+const Fetcher = require('./fetcher.js')
+const FileFetcher = require('./file.js')
+const RemoteFetcher = require('./remote.js')
+const _ = require('./util/protected.js')
+const addGitSha = require('./util/add-git-sha.js')
 const npm = require('./util/npm.js')
-const addGitSha = require('./util/add-git-sha.js')
-const _ = require('./util/protected.js')
 
@@ -15,0 +15,0 @@ const hashre = /^[a-f0-9]{40}$/

lib/registry.js

@@ -1,12 +0,12 @@
-const Fetcher = require('./fetcher.js')
-const RemoteFetcher = require('./remote.js')
-const pacoteVersion = require('../package.json').version
-const removeTrailingSlashes = require('./util/trailing-slashes.js')
+const crypto = require('node:crypto')
 const PackageJson = require('@npmcli/package-json')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
-const crypto = require('crypto')
 const npa = require('npm-package-arg')
 const sigstore = require('sigstore')
 const fetch = require('npm-registry-fetch')
+const Fetcher = require('./fetcher.js')
+const RemoteFetcher = require('./remote.js')
+const pacoteVersion = require('../package.json').version
+const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const _ = require('./util/protected.js')
@@ -23,2 +23,3 @@
 class RegistryFetcher extends Fetcher {
+  #cacheKey
   constructor (spec, opts) {
@@ -36,4 +37,4 @@ super(spec, opts)
     this.registry = fetch.pickRegistry(spec, opts)
-    this.packumentUrl = removeTrailingSlashes(this.registry) + '/' +
-      this.spec.escapedName
+    this.packumentUrl = `${removeTrailingSlashes(this.registry)}/${this.spec.escapedName}`
+    this.#cacheKey = `${this.fullMetadata ? 'full' : 'corgi'}:${this.packumentUrl}`
 
@@ -83,4 +84,4 @@ const parsed = new URL(this.registry)
     // one request at a time for the same thing regardless.
-    if (this.packumentCache?.has(this.packumentUrl)) {
-      return this.packumentCache.get(this.packumentUrl)
+    if (this.packumentCache?.has(this.#cacheKey)) {
+      return this.packumentCache.get(this.#cacheKey)
     }
@@ -105,6 +106,6 @@
       }
-      this.packumentCache?.set(this.packumentUrl, packument)
+      this.packumentCache?.set(this.#cacheKey, packument)
       return packument
     } catch (err) {
-      this.packumentCache?.delete(this.packumentUrl)
+      this.packumentCache?.delete(this.#cacheKey)
       if (err.code !== 'E404' || this.fullMetadata) {
@@ -111,0 +112,0 @@ throw err

lib/remote.js

@@ -0,7 +1,7 @@
+const fetch = require('npm-registry-fetch')
+const { Minipass } = require('minipass')
 const Fetcher = require('./fetcher.js')
 const FileFetcher = require('./file.js')
+const _ = require('./util/protected.js')
 const pacoteVersion = require('../package.json').version
-const fetch = require('npm-registry-fetch')
-const { Minipass } = require('minipass')
-const _ = require('./util/protected.js')
 
@@ -8,0 +8,0 @@ class RemoteFetcher extends Fetcher {

lib/util/cache-dir.js

@@ -1,8 +0,8 @@
-const os = require('os')
-const { resolve } = require('path')
+const { resolve } = require('node:path')
+const { tmpdir, homedir } = require('node:os')
 
 module.exports = (fakePlatform = false) => {
-  const temp = os.tmpdir()
+  const temp = tmpdir()
   const uidOrPid = process.getuid ? process.getuid() : process.pid
-  const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid)
+  const home = homedir() || resolve(temp, 'npm-' + uidOrPid)
   const platform = fakePlatform || process.platform
@@ -9,0 +9,0 @@ const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'

lib/util/protected.js

@@ -1,11 +0,5 @@
-const readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
-const prepareDir = Symbol('_prepareDir')
-const tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
-
 module.exports = {
-  readPackageJson,
-  prepareDir,
-  tarballFromResolved,
-  cacheFetches,
+  cacheFetches: Symbol.for('pacote.Fetcher._cacheFetches'),
+  readPackageJson: Symbol.for('package.Fetcher._readPackageJson'),
+  tarballFromResolved: Symbol.for('pacote.Fetcher._tarballFromResolved'),
 }

package.json

 {
   "name": "pacote",
-  "version": "18.0.5",
+  "version": "18.0.6",
   "description": "JavaScript package downloader",
@@ -5,0 +5,0 @@ "author": "GitHub Inc.",

Fixed alerts

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Improved metrics

Number of low supply chain risk alerts

8

decreased by-20%

Worsened metrics

Lines of code

1554

decreased by-0.26%

No dependency changes