pacote
NOTE: this package is still under heavy development. Please don't use it yet
pacote is a Node.js library for downloading npm-compatible packages. It supports all package specifier syntax that npm install and its ilk support. It transparently caches anything needed to reduce excess operations, using cacache.
$ npm install --save pacote
const pacote = require('pacote')

// Registry package: resolve the `^1` range and fetch the manifest for it.
pacote.manifest('pacote@^1').then(pkg => {
  console.log('package manifest for registry pkg:', pkg)
  // { "name": "pacote", "version": "1.0.0", ... }
})

// Remote tarball: download it and extract its contents into ./here.
pacote.extract('http://hi.com/pkg.tgz', './here').then(() => {
  console.log('remote tarball contents extracted to ./here')
})
The pacote team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The Contributor Guide has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
> pacote.manifest(spec, [opts])
Fetches the manifest for a package. Manifest objects are similar to and based on the package.json for that package, but with pre-processed and limited fields. The object has the following shape:
{
"name": PkgName,
"version": SemverString,
"dependencies": { PkgName: SemverString },
"optionalDependencies": { PkgName: SemverString },
"devDependencies": { PkgName: SemverString },
"peerDependencies": { PkgName: SemverString },
"bundleDependencies": false || [PkgName],
"bin": { BinName: Path },
"_resolved": TarballSource, // different for each package type
"_integrity": SubresourceIntegrityHash,
"_shrinkwrap": null || ShrinkwrapJsonObj
}
Note that depending on the spec type, some additional fields might be present. For example, packages from registry.npmjs.org have additional metadata appended by the registry.
pacote.manifest('pacote@1.0.0').then(pkgJson => {
// fetched `package.json` data from the registry
})
> pacote.extract(spec, destination, [opts])
Extracts package data identified by <spec> into a directory named <destination>, which will be created if it does not already exist.

If opts.digest is provided (the same integrity hash documented as opts.integrity under options) and the data it identifies is present in the cache, extract will bypass most of its operations and go straight to extracting the tarball. If the data is not cached, it is fetched and checked against that hash, and the call fails with EINTEGRITY if the hash does not match.

pacote.extract('pacote@1.0.0', './woot', {
  digest: 'deadbeef'
}).then(() => {
  // Succeeds as long as `pacote@1.0.0` still exists somewhere. Network and
  // other operations are bypassed entirely if `digest` is present in the cache.
})
> pacote.prefetch(spec, [opts])
Fetches package data identified by <spec>, usually for the purpose of warming up the local package cache (with opts.cache). The returned promise resolves with no value.

pacote.prefetch('pacote@1.0.0', { cache: './my-cache' }).then(() => {
  // ./my-cache now has both the manifest and tarball for `pacote@1.0.0`.
})
> options
opts.integrity
If provided, pacote will confirm that the integrity hash of each operation's results matches the given digest. The call will fail with EINTEGRITY if the check does not pass.
Additionally, pacote.extract will use this integrity string to check the cache directly for matching contents before performing any other operations.
opts.cache
opts.cacheUid
/opts.cacheGid
opts.uid
/opts.gid
opts.scope
opts.registry
opts.@somescope:registry
opts.auth
opts.log
Default: silentNpmLog
An npmlog-compatible logger. Will be used to log various events at the levels specified by npmlog.