Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Pacote is a Node.js library that provides a set of utilities for fetching and extracting npm packages. It is designed to handle various types of package sources, including the npm registry, tarballs, git repositories, and local directories. Pacote is often used internally by npm and other tools to manage package dependencies.
Fetch Package Metadata
This feature allows you to fetch the metadata of a package from the npm registry. The code sample demonstrates how to fetch and log the metadata for the 'lodash' package.
const pacote = require('pacote');
async function fetchMetadata(packageName) {
const manifest = await pacote.manifest(packageName);
console.log(manifest);
}
fetchMetadata('lodash');
Extract Package Tarball
This feature allows you to fetch and extract the tarball of a package. The code sample demonstrates how to fetch the tarball for the 'lodash' package and save it to a file named 'lodash.tgz'.
const pacote = require('pacote');
const fs = require('fs');
async function extractTarball(packageName, destination) {
const tarballStream = await pacote.tarball.stream(packageName);
tarballStream.pipe(fs.createWriteStream(destination));
}
extractTarball('lodash', './lodash.tgz');
Fetch Package from Git Repository
This feature allows you to fetch a package directly from a git repository. The code sample demonstrates how to fetch and log the metadata for the 'lodash' package from its GitHub repository.
const pacote = require('pacote');
async function fetchFromGit(repoUrl) {
const manifest = await pacote.manifest(repoUrl);
console.log(manifest);
}
fetchFromGit('https://github.com/lodash/lodash.git');
The npm package itself provides functionalities for managing npm packages, including installing, updating, and removing packages. While npm is a full-fledged package manager, pacote focuses specifically on fetching and extracting packages.
Yarn is another package manager for JavaScript that offers similar functionalities to npm, including package fetching and dependency management. Yarn also provides a more deterministic dependency resolution compared to npm.
pnpm is a fast, disk space-efficient package manager. It uses a content-addressable file system to store all files from all module directories on a disk. While pnpm focuses on efficient package management, pacote is more specialized in fetching and extracting packages.
pacote
is a Node.js library for downloading
npm-compatible packages. It supports all package specifier
syntax that npm install
and its ilk support. It transparently caches anything
needed to reduce excess operations, using cacache
.
$ npm install --save pacote
const pacote = require('pacote')
pacote.manifest('pacote@^1').then(pkg => {
console.log('package manifest for registry pkg:', pkg)
// { "name": "pacote", "version": "1.0.0", ... }
})
pacote.extract('http://hi.com/pkg.tgz', './here').then(() => {
console.log('remote tarball contents extracted to ./here')
})
The pacote team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The Contributor Guide has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
> pacote.manifest(spec, [opts])
Fetches the manifest for a package. Manifest objects are similar and based
on the package.json
for that package, but with pre-processed and limited
fields. The object has the following shape:
{
"name": PkgName,
"version": SemverString,
"dependencies": { PkgName: SemverString },
"optionalDependencies": { PkgName: SemverString },
"devDependencies": { PkgName: SemverString },
"peerDependencies": { PkgName: SemverString },
"bundleDependencies": false || [PkgName],
"bin": { BinName: Path },
"_resolved": TarballSource, // different for each package type
"_integrity": SubresourceIntegrityHash,
"_shrinkwrap": null || ShrinkwrapJsonObj
}
Note that depending on the spec type, some additional fields might be present.
For example, packages from registry.npmjs.org
have additional metadata
appended by the registry.
pacote.manifest('pacote@1.0.0').then(pkgJson => {
// fetched `package.json` data from the registry
})
> pacote.packument(spec, [opts])
Fetches the packument for a package. Packument objects are general metadata
about a project corresponding to registry metadata, and include version and
dist-tag
information about a package's available versions, rather than a
specific version. It may include additional metadata not usually available
through the individual package metadata objects.
It generally looks something like this:
{
"name": PkgName,
"dist-tags": {
'latest': VersionString,
[TagName]: VersionString,
...
},
"versions": {
[VersionString]: Manifest,
...
}
}
Note that depending on the spec type, some additional fields might be present.
For example, packages from registry.npmjs.org
have additional metadata
appended by the registry.
pacote.packument('pacote').then(pkgJson => {
// fetched package versions metadata from the registry
})
> pacote.extract(spec, destination, [opts])
Extracts package data identified by <spec>
into a directory named
<destination>
, which will be created if it does not already exist.
If opts.digest
is provided and the data it identifies is present in the cache,
extract
will bypass most of its operations and go straight to extracting the
tarball.
pacote.extract('pacote@1.0.0', './woot', {
digest: 'deadbeef'
}).then(() => {
// Succeeds as long as `pacote@1.0.0` still exists somewhere. Network and
// other operations are bypassed entirely if `digest` is present in the cache.
})
> pacote.tarball(spec, [opts])
Fetches package data identified by <spec>
and returns the data as a buffer.
This API has two variants:
pacote.tarball.stream(spec, [opts])
- Same as pacote.tarball
, except it returns a stream instead of a Promise.pacote.tarball.toFile(spec, dest, [opts])
- Instead of returning data directly, data will be written directly to dest
, and create any required directories along the way.pacote.tarball('pacote@1.0.0', { cache: './my-cache' }).then(data => {
// data is the tarball data for pacote@1.0.0
})
> pacote.tarball.stream(spec, [opts])
Same as pacote.tarball
, except it returns a stream instead of a Promise.
pacote.tarball.stream('pacote@1.0.0')
.pipe(fs.createWriteStream('./pacote-1.0.0.tgz'))
> pacote.tarball.toFile(spec, dest, [opts])
Like pacote.tarball
, but instead of returning data directly, data will be
written directly to dest
, and create any required directories along the way.
pacote.tarball.toFile('pacote@1.0.0', './pacote-1.0.0.tgz')
.then(() => /* pacote tarball written directly to ./pacote-1.0.0.tgz */)
> pacote.prefetch(spec, [opts])
pacote.tarball()
INSTEADFetches package data identified by <spec>
, usually for the purpose of warming
up the local package cache (with opts.cache
). It does not return anything.
pacote.prefetch('pacote@1.0.0', { cache: './my-cache' }).then(() => {
// ./my-cache now has both the manifest and tarball for `pacote@1.0.0`.
})
> pacote.clearMemoized()
This utility function can be used to force pacote to release its references to any memoized data in its various internal caches. It might help free some memory.
pacote.manifest(...).then(() => pacote.clearMemoized)
> options
pacote
accepts the options for
npm-registry-fetch
as-is,
with a couple of additional pacote-specific
ones:
opts.dirPacker
npm-packlist
and tar
to make a tarball.Expects a function that takes a single argument, dir
, and returns a
ReadableStream
that outputs packaged tarball data. Used when creating tarballs
for package specs that are not already packaged, such as git and directory
dependencies. The default opts.dirPacker
does not execute prepare
scripts,
even though npm itself does.
opts.enjoy-by
opts.enjoyBy
, opts.before
If passed in, will be used while resolving to filter the versions for registry
dependencies such that versions published after opts.enjoy-by
are not
considered -- as if they'd never been published.
opts.include-deprecated
opts.includeDeprecated
If false, deprecated versions will be skipped when selecting from registry range specifiers. If true, deprecations do not affect version selection.
opts.full-metadata
If true
, the full packument will be fetched when doing metadata requests. By
defaul, pacote
only fetches the summarized packuments, also called "corgis".
opts.tag
opts.defaultTag
'latest'
Package version resolution tag. When processing registry spec ranges, this
option is used to determine what dist-tag to treat as "latest". For more details
about how pacote
selects versions and how tag
is involved, see the
documentation for npm-pick-manifest
.
opts.resolved
When fetching tarballs, this option can be passed in to skip registry metadata
lookups when downloading tarballs. If the string is a file:
URL, pacote will
try to read the referenced local file before attempting to do any further
lookups. This option does not bypass integrity checks when opts.integrity
is
passed in.
opts.where
Passed as an argument to npm-package-arg
when resolving spec
arguments. Used to determine what path to resolve local
path specs relatively from.
FAQs
JavaScript package downloader
We found that pacote demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.