
pacote


pacote - npm Package Compare versions

Comparing version
21.1.0
to
21.2.0
+12
-11
lib/fetcher.js

@@ -473,3 +473,3 @@ // This is the base class that the other fetcher types in lib

// possible values for allow: 'all', 'root', 'none'
const canUseGit = (allow = 'all', isRoot = false) => {
const canUse = ({ allow = 'all', isRoot = false, allowType, spec }) => {
if (allow === 'all') {

@@ -481,3 +481,9 @@ return true

}
return false
throw Object.assign(
new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${allowType}" have been disabled`),
{
code: `EALLOW${allowType.toUpperCase()}`,
package: spec.toString(),
}
)
}

@@ -490,14 +496,7 @@

case 'git':
if (!canUseGit(opts.allowGit, opts._isRoot)) {
throw Object.assign(
new Error(`Fetching${opts.allowGit === 'root' ? ' non-root' : ''} packages from git has been disabled`),
{
code: 'EALLOWGIT',
package: spec.toString(),
}
)
}
canUse({ allow: opts.allowGit, isRoot: opts._isRoot, allowType: 'git', spec })
return new GitFetcher(spec, opts)
case 'remote':
canUse({ allow: opts.allowRemote, isRoot: opts._isRoot, allowType: 'remote', spec })
return new RemoteFetcher(spec, opts)

@@ -512,5 +511,7 @@

case 'file':
canUse({ allow: opts.allowFile, isRoot: opts._isRoot, allowType: 'file', spec })
return new FileFetcher(spec, opts)
case 'directory':
canUse({ allow: opts.allowDirectory, isRoot: opts._isRoot, allowType: 'directory', spec })
return new DirFetcher(spec, opts)

@@ -517,0 +518,0 @@
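Review bot: `canUse` in lib/fetcher.js is named like a predicate but now enforces the policy by throwing, and all four call sites (`git`, `remote`, `file`, `directory`) discard its return value, so nothing at the call site signals that this line is the access gate. I would rename it to something like `assertAllowed`, or at least add a comment above it such as `// throws EALLOW<TYPE> unless this spec type is permitted in the current context; never returns false`. The comment should also say that `allow` defaults to `'all'`, so omitting any of the new options leaves that spec type permitted. The new message has a subject-verb slip: `packages of type "${allowType}" have been disabled` should read `has been disabled`, since the subject is "Fetching". The `'root'` branch sits between the first two hunks and is not shown, so this assumes it still returns true only when `isRoot` is set.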

@@ -248,3 +248,3 @@ const cacache = require('cacache')

integrity: null, // it'll always be different, if we have one
}).extract(tmp).then(() => handler(tmp), er => {
}).extract(tmp).then(() => handler(`${tmp}${this.spec.gitSubdir || ''}`), er => {
// fall back to ssh download if tarball fails

@@ -267,3 +267,3 @@ if (er.constructor.name.match(/^Http/)) {

}
return handler(tmp)
return handler(`${tmp}${this.spec.gitSubdir || ''}`)
})

@@ -270,0 +270,0 @@ }
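Review bot: Both changed `handler(...)` calls build the working directory by concatenating `this.spec.gitSubdir` straight onto `tmp`, with no normalization or containment check, so the path is only as trustworthy as whatever parsed the spec. That parser is not visible on this page. If it can yield a value containing `..` segments or lacking a leading separator, the handler would run in a sibling or parent of the extraction directory rather than inside it. I would resolve the subdirectory against `tmp` once with `path.resolve`, reject the spec unless the result equals `tmp` or starts with `tmp + path.sep`, and put that in a small helper so the tarball path and the clone fallback cannot drift apart. The enclosing method starts and ends outside these hunks, and whether `path` is already required in this file is not shown.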

{
"name": "pacote",
"version": "21.1.0",
"version": "21.2.0",
"description": "JavaScript package downloader",

@@ -5,0 +5,0 @@ "author": "GitHub Inc.",

@@ -150,3 +150,3 @@ # pacote

Defaults to the same cache directory that npm will use by default, based on platform and environment.
* `allowGit` Whether or not to allow data to be fetched from git.
* `allowGit` Whether or not to allow data to be fetched from a git spec.
Possible values are `all`, `none`, or `root`.

@@ -158,5 +158,14 @@ Defaults to `all`.

Context for whether or not the package being fetched is `root` is set via the `_isRoot` option.
* `allowRemote` Whether or not to allow data to be fetched from remote specs.
Possible values and defaults are the same as `allowGit`
* `allowFile` Whether or not to allow data to be fetched from file specs.
Possible values and defaults are the same as `allowGit`
* `allowDirectory` Whether or not to allow data to be fetched from directory specs.
Possible values and defaults are the same as `allowGit`
* `_isRoot` Whether or not the package being fetched is in a root context.
For `npm` itself this means a package that is defined in the local project or workspace package.json, or a package that is being fetched for another command like `npm view`.
Defaults to `false`,
For `npm` itself this means a package that is defined in the local project or workspace package.json, or a package that is being fetched for another command like `npm view`. This informs the `allowX` options to let them know the context of the current request.
For more info on spec types (i.e. git, remote) see [npm-package-arg](npm.im/npm-package-arg)
### Advanced API

@@ -163,0 +172,0 @@