Update pacote and use new allowGit flag #8943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

wraithgar wants to merge 2 commits into latest from gar/allow-git

+207 −61

lib/commands/cache.js

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -181,11 +181,12 @@ class Cache extends BaseCommand {
  
          await pacote.tarball.stream(spec, stream => {

            stream.resume()

            return stream.promise()

          }, { ...this.npm.flatOptions })

          }, { ...this.npm.flatOptions, _isRoot: true })

          await pacote.manifest(spec, {

            ...this.npm.flatOptions,

            fullMetadata: true,

            _isRoot: true,

          })

        }))

      }

lib/commands/ci.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -21,6 +21,7 @@ class CI extends ArboristWorkspaceCmd { @@
         'strict-peer-deps',
         'foreground-scripts',
         'ignore-scripts',
+        'allow-git',
         'audit',
         'bin-links',
         'fund',
@@ Expand Down @@

lib/commands/dedupe.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ class Dedupe extends ArboristWorkspaceCmd { @@
         'omit',
         'include',
         'ignore-scripts',
+        'allow-git',
         'audit',
         'bin-links',
         'fund',
@@ Expand Down @@

lib/commands/diff.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -198,6 +198,7 @@ class Diff extends BaseCommand { @@
             const packument = await pacote.packument(spec, {
               ...this.npm.flatOptions,
               preferOnline: true,
+              _isRoot: true,
             })
             bSpec = pickManifest(
               packument,
@@ Expand Down @@

lib/commands/install.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,7 @@ class Install extends ArboristWorkspaceCmd { @@
         'package-lock-only',
         'foreground-scripts',
         'ignore-scripts',
+        'allow-git',
         'audit',
         'before',
         'bin-links',
@@ Expand Down @@

lib/commands/link.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -25,6 +25,7 @@ class Link extends ArboristWorkspaceCmd { @@
         'omit',
         'include',
         'ignore-scripts',
+        'allow-git',
         'audit',
         'bin-links',
         'fund',
@@ Expand Down @@

lib/commands/owner.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -63,6 +63,7 @@ class Owner extends BaseCommand { @@
           const data = await pacote.packument(spec, {
             ...npm.flatOptions,
             fullMetadata: true,
+            _isRoot: true,
           })
           if (data && data.maintainers && data.maintainers.length) {
             return data.maintainers.map(m => m.name)
@@ Expand Down Expand Up / @@ -112,7 +113,13 @@ class Owner extends BaseCommand { @@
         const spec = npa(pkg)
         try {
-          const packumentOpts = { ...this.npm.flatOptions, fullMetadata: true, preferOnline: true }
+          const packumentOpts = {
+            ...this.npm.flatOptions,
+            fullMetadata:
+            true,
+            preferOnline: true,
+            _isRoot: true,
+          }
           const { maintainers } = await pacote.packument(spec, packumentOpts)
           if (!maintainers || !maintainers.length) {
             output.standard('no admin found')
@@ Expand Down Expand Up / @@ -166,6 +173,7 @@ class Owner extends BaseCommand { @@
           ...this.npm.flatOptions,
           fullMetadata: true,
           preferOnline: true,
+          _isRoot: true,
         })
         const owners = data.maintainers || []
@@ Expand Down @@

lib/commands/pack.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -36,7 +36,11 @@ class Pack extends BaseCommand { @@
         const manifests = []
         for (const arg of args) {
           const spec = npa(arg)
-          const manifest = await pacote.manifest(spec, { ...this.npm.flatOptions, Arborist })
+          const manifest = await pacote.manifest(spec, {
+            ...this.npm.flatOptions,
+            Arborist,
+            _isRoot: true,
+          })
           if (!manifest._id) {
             throw new Error('Invalid package, must have name and version')
           }
@@ Expand Down @@

lib/commands/publish.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -221,6 +221,7 @@ class Publish extends BaseCommand { @@
             ...this.npm.flatOptions,
             preferOnline: true,
             registry,
+            _isRoot: true,
           })
           if (typeof packument?.versions === 'undefined') {
             return { versions: [], highestVersion: null }
@@ Expand Down @@

lib/commands/unpublish.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,7 @@ class Unpublish extends BaseCommand { @@
           ...opts,
           spec: name,
           query: { write: true },
+          _isRoot: true,
         })
         return Object.keys(packument.versions)
       }
@@ Expand Down @@

lib/commands/view.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -41,6 +41,7 @@ class View extends BaseCommand { @@
           ...npm.flatOptions,
           fullMetadata: true,
           preferOnline: true,
+          _isRoot: true,
         }
         const spec = npa(opts.conf.argv.remain[2])
         const pckmnt = await packument(spec, config)
@@ Expand Down Expand Up / @@ -136,6 +137,7 @@ class View extends BaseCommand { @@
           ...this.npm.flatOptions,
           preferOnline: true,
           fullMetadata: true,
+          _isRoot: true,
         })
         // get the data about this package
@@ Expand Down @@

lib/package-url-cmd.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -23,12 +23,12 @@ class PackageUrlCommand extends BaseCommand { @@
         }
         for (const arg of args) {
-          // XXX It is very odd that `where` is how pacote knows to look anywhere
-          // other than the cwd.
+          // XXX It is very odd that `where` is how pacote knows to look anywhere other than the cwd.
           const opts = {
             ...this.npm.flatOptions,
             where: this.npm.localPrefix,
             fullMetadata: true,
+            _isRoot: true,
           }
           const mani = await pacote.manifest(arg, opts)
           const url = this.getUrl(arg, mani)
@@ Expand Down @@

lib/utils/error-message.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -84,6 +84,11 @@ const errorMessage = (er, npm) => { @@
           break
         }
+        case 'EALLOWGIT':
+          summary.push(['', er.message])
+          detail.push(['', `Refusing to fetch "${er.package}"`])
+          break
         case 'ENOGIT':
           summary.push(['', er.message])
           detail.push(['', [
@@ Expand Down @@

node_modules/pacote/lib/fetcher.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -469,11 +469,31 @@ const FileFetcher = require('./file.js') @@
     const DirFetcher = require('./dir.js')
     const RemoteFetcher = require('./remote.js')
+    // possible values for allow: 'all', 'root', 'none'
+    const canUseGit = (allow = 'all', isRoot = false) => {
+      if (allow === 'all') {
+        return true
+      }
+      if (allow !== 'none' && isRoot) {
+        return true
+      }
+      return false
+    }
     // Get an appropriate fetcher object from a spec and options
     FetcherBase.get = (rawSpec, opts = {}) => {
       const spec = npa(rawSpec, opts.where)
       switch (spec.type) {
         case 'git':
+          if (!canUseGit(opts.allowGit, opts._isRoot)) {
+            throw Object.assign(
+              new Error(`Fetching${opts.allowGit === 'root' ? ' non-root' : ''} packages from git has been disabled`),
+              {
+                code: 'EALLOWGIT',
+                package: spec.toString(),
+              }
+            )
+          }
           return new GitFetcher(spec, opts)
         case 'remote':
@@ Expand Down @@

node_modules/pacote/package.json

-Original file line number
+Diff line change
@@ -1,6 +1,6 @@
     {
       "name": "pacote",
-      "version": "21.0.4",
+      "version": "21.1.0",
       "description": "JavaScript package downloader",
       "author": "GitHub Inc.",
       "bin": {
@@ Expand Down @@

package-lock.json

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -135,7 +135,7 @@
  
            "npm-registry-fetch": "^19.1.1",

            "npm-user-validate": "^4.0.0",

            "p-map": "^7.0.4",

            "pacote": "^21.0.4",

            "pacote": "^21.1.0",

            "parse-conflict-json": "^5.0.1",

            "proc-log": "^6.1.0",

            "qrcode-terminal": "^0.12.0",

    @@ -9232,9 +9232,9 @@
  
          "license": "BlueOak-1.0.0"

        },

        "node_modules/pacote": {

          "version": "21.0.4",

          "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.0.4.tgz",

          "integrity": "sha512-RplP/pDW0NNNDh3pnaoIWYPvNenS7UqMbXyvMqJczosiFWTeGGwJC2NQBLqKf4rGLFfwCOnntw1aEp9Jiqm1MA==",

          "version": "21.1.0",

          "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.1.0.tgz",

          "integrity": "sha512-WF/PwrImIIVaLmtuCeO5L7n6DA0ZGCqmDPO/XbNjZgNUX+2O5z4f4Wdmu6erBWNICkl3ftKJvit2eIVcpegRRw==",

          "inBundle": true,

          "license": "ISC",

          "dependencies": {

package.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -102,7 +102,7 @@ @@
         "npm-registry-fetch": "^19.1.1",
         "npm-user-validate": "^4.0.0",
         "p-map": "^7.0.4",
-        "pacote": "^21.0.4",
+        "pacote": "^21.1.0",
         "parse-conflict-json": "^5.0.1",
         "proc-log": "^6.1.0",
         "qrcode-terminal": "^0.12.0",
@@ Expand Down @@

smoke-tests/tap-snapshots/test/index.js.test.cjs

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,8 +57,9 @@ npm error Options: @@
     npm error [--install-strategy <hoisted|nested|shallow|linked>] [--legacy-bundling]
     npm error [--global-style] [--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
     npm error [--include <prod|dev|optional|peer> [--include <prod|dev|optional|peer> ...]]
-    npm error [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts] [--no-audit]
-    npm error [--no-bin-links] [--no-fund] [--dry-run]
+    npm error [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts]
+    npm error [--allow-git <all|none|root>] [--no-audit] [--no-bin-links] [--no-fund]
+    npm error [--dry-run]
     npm error [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
     npm error [--workspaces] [--include-workspace-root] [--install-links]
     npm error
@@ Expand Down @@

tap-snapshots/test/lib/commands/config.js.test.cjs

-Original file line number
+Diff line change
@@ Expand Up @@
       "access": null,
       "all": false,
       "allow-same-version": false,
+      "allow-git": "all",
       "also": null,
       "audit": true,
       "audit-level": null,
@@ Expand Down Expand Up @@
     _auth = (protected)
     access = null
     all = false
+    allow-git = "all"
     allow-same-version = false
     also = null
     audit = true
@@ Expand Down @@

tap-snapshots/test/lib/commands/view.js.test.cjs

-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,22 @@ @@
      * Make sure to inspect the output below.  Do not ignore changes!
      */
     'use strict'
+    exports[`test/lib/commands/view.js TAP allow-git=root, package with multiple dist‑tags and no time > must match snapshot 1`] = `
+    [4m[36mgray@1.1.0[39m[24m | [31mProprietary[39m | deps: [36mnone[39m | versions: [36m1[39m
+    dist
+    .tarball: [34mhttp://gray/1.1.0.tgz[39m
+    .shasum: [32mb[39m
+    dist-tags:
+    [34mlatest[39m: 1.1.0
+    [34mstable[39m: 1.1.0
+    [34mold[39m: 1.0.0
+    [34mbeta[39m: 1.2.0-beta
+    [34malpha[39m: 1.2.0-alpha
+    `
     exports[`test/lib/commands/view.js TAP deprecated package with license, bugs, repository and other fields > must match snapshot 1`] = `
     [4m[36mgreen@1.0.0[39m[24m | [32mACME[39m | deps: [36m2[39m | versions: [36m2[39m
@@ Expand Down Expand Up / @@ -279,22 +295,6 @@ dist-tags: @@
     [34mlatest[39m: 1.0.0
     `
-    exports[`test/lib/commands/view.js TAP package with multiple dist‑tags and no time > must match snapshot 1`] = `
-    [4m[36mgray@1.1.0[39m[24m | [31mProprietary[39m | deps: [36mnone[39m | versions: [36m1[39m
-    dist
-    .tarball: [34mhttp://gray/1.1.0.tgz[39m
-    .shasum: [32mb[39m
-    dist-tags:
-    [34mlatest[39m: 1.1.0
-    [34mstable[39m: 1.1.0
-    [34mold[39m: 1.0.0
-    [34mbeta[39m: 1.2.0-beta
-    [34malpha[39m: 1.2.0-alpha
-    `
     exports[`test/lib/commands/view.js TAP package with no modified time > must match snapshot 1`] = `
     [4m[36mcyan@1.0.0[39m[24m | [31mProprietary[39m | deps: [36mnone[39m | versions: [36m2[39m
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update pacote and use new allowGit flag #8943

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Update pacote and use new allowGit flag #8943

Are you sure you want to change the base?

Update pacote and use new allowGit flag #8943

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!