+3
-2
@@ -13,3 +13,3 @@ // This is the base class that the other fetcher types in lib | ||
| const npa = require('npm-package-arg') | ||
| const retry = require('promise-retry') | ||
| const { promiseRetry } = require('@gar/promise-retry') | ||
| const ssri = require('ssri') | ||
@@ -323,3 +323,3 @@ const tar = require('tar') | ||
| } | ||
| return this.resolve().then(() => retry(tryAgain => | ||
| return this.resolve().then(() => promiseRetry(tryAgain => | ||
| streamHandler(this.#istream(this[_.tarballFromResolved]())) | ||
@@ -507,2 +507,3 @@ .catch(streamErr => { | ||
| case 'alias': | ||
| canUse({ allow: opts.allowRegistry, isRoot: opts._isRoot, allowType: 'registry', spec }) | ||
| return new RegistryFetcher(spec.subSpec || spec, opts) | ||
@@ -509,0 +510,0 @@ |
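Review bot: The new `canUse` call in the `alias` case evaluates the policy on the alias spec while the fetcher is built from `spec.subSpec || spec`, so the spec checked and the spec fetched differ; this matches the README's statement that `allowRegistry` covers `alias`, but it silently relies on the unwrapped `subSpec` always being a registry-type spec, which npm-package-arg enforces for `npm:` aliases as far as I know and which deserves a comment such as `// alias targets are always registry specs; enforce the registry policy on the alias before unwrapping subSpec`. The sibling `version`/`range`/`tag` cases that `allowRegistry` also covers are outside this hunk, so I cannot confirm they receive the same guard; if any of them does not, the alias check adds little, since the target spec can be requested directly. The enclosing switch and function both start and end outside the hunk.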
+5
-2
@@ -232,3 +232,3 @@ const crypto = require('node:crypto') | ||
| const attestationsPath = new URL(dist.attestations.url).pathname | ||
| const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath | ||
| const attestationsUrl = new URL(attestationsPath, this.registry).href | ||
| const res = await fetch(attestationsUrl, { | ||
@@ -260,3 +260,6 @@ ...this.opts, | ||
| .filter(key => attestationKeyIds.includes(key.keyid)) | ||
| if (!attestationRegistryKeys.length) { | ||
| // Only require registry keys when there are keyed attestations. | ||
| // Keyless (Sigstore/Fulcio) attestations embed their signing | ||
| // certificate in the bundle and don't need registry keys. | ||
| if (attestationKeyIds.length > 0 && !attestationRegistryKeys.length) { | ||
| throw Object.assign(new Error( | ||
@@ -263,0 +266,0 @@ `${mani._id} has attestations but no corresponding public key(s) can be found` |
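Review bot: The relaxed guard still throws only when none of the keyed attestations' keyids are present in the registry keys, so a bundle whose `attestationKeyIds` holds one known id and one unknown id passes this check; that was also true before the commit, but the new comment now states the intent and leaves the partial-match gap undocumented. If the per-attestation verification below the hunk looks up each key by keyid and fails closed on a miss this is harmless; otherwise tightening to `if (attestationKeyIds.some(id => !attestationRegistryKeys.some(k => k.keyid === id))) {` rejects any attestation with an unknown keyid instead of only the all-unknown case. The construction of `attestationKeyIds` is above the hunk, so I am assuming it contains only ids from keyed attestations and no `undefined` entries for keyless ones; if it can contain `undefined`, the `length > 0` test would still demand registry keys for a purely keyless bundle. The enclosing function starts and ends outside the hunk.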
+2
-2
| { | ||
| "name": "pacote", | ||
| "version": "21.3.1", | ||
| "version": "21.4.0", | ||
| "description": "JavaScript package downloader", | ||
@@ -49,2 +49,3 @@ "author": "GitHub Inc.", | ||
| "dependencies": { | ||
| "@gar/promise-retry": "^1.0.0", | ||
| "@npmcli/git": "^7.0.0", | ||
@@ -63,3 +64,2 @@ "@npmcli/installed-package-contents": "^4.0.0", | ||
| "proc-log": "^6.0.0", | ||
| "promise-retry": "^2.0.1", | ||
| "sigstore": "^4.0.0", | ||
@@ -66,0 +66,0 @@ "ssri": "^13.0.0", |
+1
-0
@@ -163,2 +163,3 @@ # pacote | ||
| Possible values and defaults are the same as `allowGit` | ||
| * `allowRegistry` Whether or not to allow data to be fetched from registry specs. This includes `version`, `range`, `tag`, and `alias`. | ||
| * `_isRoot` Whether or not the package being fetched is in a root context. | ||
@@ -165,0 +166,0 @@ Defaults to `false`, |