Pacote is a Node.js library that provides a set of utilities for fetching and extracting npm packages. It is designed to handle various types of package sources, including the npm registry, tarballs, git repositories, and local directories. Pacote is often used internally by npm and other tools to manage package dependencies.
Fetch Package Metadata
This feature fetches the metadata of a package from the npm registry. The code sample fetches and logs the manifest for the 'lodash' package.
```javascript
const pacote = require('pacote');

// Resolve a package spec (name, name@range, tarball URL, git URL, ...) to its manifest.
async function fetchMetadata(packageName) {
  const manifest = await pacote.manifest(packageName);
  console.log(manifest);
  return manifest;
}

fetchMetadata('lodash').catch(err => console.error('manifest fetch failed:', err.message));
```
Extract Package Tarball
This feature fetches the tarball of a package and saves it to disk. The code sample fetches the tarball for the 'lodash' package and writes it to a file named 'lodash.tgz'.
```javascript
const pacote = require('pacote');

// Download the package tarball and write it to `destination` (a .tgz path, not an
// extracted tree); the promise resolves once the file has been fully written.
async function extractTarball(packageName, destination) {
  await pacote.tarball.file(packageName, destination);
  return destination;
}

extractTarball('lodash', './lodash.tgz').catch(err => console.error('tarball fetch failed:', err.message));
```
Fetch Package from Git Repository
This feature fetches a package directly from a git repository. The code sample fetches and logs the metadata for the 'lodash' package from its GitHub repository.
```javascript
const pacote = require('pacote');

// A git URL is a valid package spec: pacote fetches the repository and reads its package.json.
async function fetchFromGit(repoUrl) {
  const manifest = await pacote.manifest(repoUrl);
  console.log(manifest);
  return manifest;
}

fetchFromGit('https://github.com/lodash/lodash.git').catch(err => console.error('git fetch failed:', err.message));
```
The npm package itself provides functionalities for managing npm packages, including installing, updating, and removing packages. While npm is a full-fledged package manager, pacote focuses specifically on fetching and extracting packages.
Yarn is another package manager for JavaScript that offers similar functionalities to npm, including package fetching and dependency management. Yarn also provides a more deterministic dependency resolution compared to npm.
pnpm is a fast, disk space-efficient package manager. It uses a content-addressable file system to store all files from all module directories on a disk. While pnpm focuses on efficient package management, pacote is more specialized in fetching and extracting packages.
NOTE: this package is still under heavy development. Please don't use it yet
pacote is a Node.js library for downloading npm-compatible packages. It supports all package specifier syntax that npm install and its ilk support. It transparently caches anything needed to reduce excess operations, using cacache.
```sh
$ npm install --save pacote
```
```js
const pacote = require('pacote')

pacote.manifest('pacote@^1').then(pkg => {
  console.log('package manifest for registry pkg:', pkg)
  // { "name": "pacote", "version": "1.0.0", ... }
})

pacote.extract('http://hi.com/pkg.tgz', './here').then(() => {
  console.log('remote tarball contents extracted to ./here')
})
```
The pacote team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The Contributor Guide has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
> pacote.manifest(spec, [opts])
Fetches the manifest for a package. Manifest objects are similar to and based on the package.json for that package, but with pre-processed and limited fields. The object has the following shape:
```js
{
  "name": PkgName,
  "version": SemverString,
  "dependencies": { PkgName: SemverString },
  "optionalDependencies": { PkgName: SemverString },
  "devDependencies": { PkgName: SemverString },
  "peerDependencies": { PkgName: SemverString },
  "bundleDependencies": false || [PkgName],
  "bin": { BinName: Path },
  "_resolved": TarballSource, // different for each package type
  "_integrity": SubresourceIntegrityHash,
  "_shrinkwrap": null || ShrinkwrapJsonObj
}
```
Note that depending on the spec type, some additional fields might be present. For example, packages from registry.npmjs.org have additional metadata appended by the registry.
```js
pacote.manifest('pacote@1.0.0').then(pkgJson => {
  // fetched `package.json` data from the registry
})
```
> pacote.extract(spec, destination, [opts])
Extracts package data identified by <spec> into a directory named <destination>, which will be created if it does not already exist.
If opts.digest is provided and the data it identifies is present in the cache, extract will bypass most of its operations and go straight to extracting the tarball.
```js
pacote.extract('pacote@1.0.0', './woot', {
  digest: 'deadbeef'
}).then(() => {
  // Succeeds as long as `pacote@1.0.0` still exists somewhere. Network and
  // other operations are bypassed entirely if `digest` is present in the cache.
})
```
> pacote.prefetch(spec, [opts])
Fetches package data identified by <spec>, usually for the purpose of warming up the local package cache (with opts.cache). It does not return anything.
```js
pacote.prefetch('pacote@1.0.0', { cache: './my-cache' }).then(() => {
  // ./my-cache now has both the manifest and tarball for `pacote@1.0.0`.
})
```
> pacote.clearMemoized()
This utility function can be used to force pacote to release its references to any memoized data in its various internal caches. It might help free some memory.
```js
// Note the call: passing the function without invoking it would release nothing.
pacote.manifest('pacote@1.0.0').then(() => pacote.clearMemoized())
```
> options
opts.integrity
If provided, pacote will confirm that the relevant integrity hash for each operation's results matches the given digest. The call will fail with EINTEGRITY if the check does not pass.
Additionally, pacote.extract will use this integrity string to check the cache directly for matching contents before performing any other operations.
opts.cache
opts.cacheUid / opts.cacheGid
opts.uid / opts.gid
opts.scope
opts.registry
opts.@somescope:registry
opts.auth
opts.log
Default: silentNpmLog
An npmlog-compatible logger. Will be used to log various events at the levels specified by npmlog.
opts.maxSockets
FAQs
JavaScript package downloader
The npm package pacote receives a total of 5,841,822 weekly downloads. As such, pacote popularity was classified as popular.
We found that pacote demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.