diff --git a/node_modules/.gitignore b/node_modules/.gitignore index 8c7c300513c58..bf27a6aafeb4c 100644 --- a/node_modules/.gitignore +++ b/node_modules/.gitignore @@ -22,10 +22,6 @@ !/@npmcli/installed-package-contents !/@npmcli/map-workspaces !/@npmcli/metavuln-calculator -!/@npmcli/metavuln-calculator/node_modules/ -/@npmcli/metavuln-calculator/node_modules/* -!/@npmcli/metavuln-calculator/node_modules/npm-packlist -!/@npmcli/metavuln-calculator/node_modules/pacote !/@npmcli/name-from-folder !/@npmcli/node-gyp !/@npmcli/package-json diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/LICENSE b/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/LICENSE deleted file mode 100644 index 19129e315fe59..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/LICENSE +++ /dev/null @@ -1,15 +0,0 @@ -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/lib/index.js b/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/lib/index.js deleted file mode 100644 index 985f11ee3f738..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/lib/index.js +++ /dev/null @@ -1,456 +0,0 @@ -'use strict' - -const { Walker: IgnoreWalker } = require('ignore-walk') -const { lstatSync: lstat, readFileSync: readFile } = require('fs') -const { basename, dirname, extname, join, relative, resolve, sep } = require('path') - -// symbols used to represent synthetic rule sets -const defaultRules = Symbol('npm-packlist.rules.default') -const strictRules = Symbol('npm-packlist.rules.strict') - -// There may be others, but :?|<> are handled by node-tar -const nameIsBadForWindows = file => /\*/.test(file) - -// these are the default rules that are applied to everything except for non-link bundled deps -const defaults = [ - '.npmignore', - '.gitignore', - '**/.git', - '**/.svn', - '**/.hg', - '**/CVS', - '**/.git/**', - '**/.svn/**', - '**/.hg/**', - '**/CVS/**', - '/.lock-wscript', - '/.wafpickle-*', - '/build/config.gypi', - 'npm-debug.log', - '**/.npmrc', - '.*.swp', - '.DS_Store', - '**/.DS_Store/**', - '._*', - '**/._*/**', - '*.orig', - '/archived-packages/**', -] - -const strictDefaults = [ - // these are forcibly excluded - '/.git', -] - -const normalizePath = (path) => path.split('\\').join('/') - -const readOutOfTreeIgnoreFiles = (root, rel, result = []) => { - for (const file of ['.npmignore', '.gitignore']) { - try { - const ignoreContent = readFile(join(root, file), { encoding: 'utf8' }) - result.push(ignoreContent) - // break the loop immediately after reading, this allows us to prioritize - // the .npmignore and discard the .gitignore if one is present - break - } catch (err) { - // we ignore ENOENT errors completely because we don't care if the file doesn't exist - // but we throw everything else because failing to read a file that does exist is - // something that the user likely wants to know about - // istanbul ignore next -- we do not need to test a thrown error - if (err.code !== 'ENOENT') { - throw err - } - } - } - - if (!rel) { - return result - } - - const firstRel = rel.split(sep, 1)[0] - const newRoot = join(root, firstRel) - const newRel = relative(newRoot, join(root, rel)) - - return readOutOfTreeIgnoreFiles(newRoot, newRel, result) -} - -class PackWalker extends IgnoreWalker { - constructor (tree, opts) { - const options = { - ...opts, - includeEmpty: false, - follow: false, - // we path.resolve() here because ignore-walk doesn't do it and we want full paths - path: resolve(opts?.path || tree.path).replace(/\\/g, '/'), - ignoreFiles: opts?.ignoreFiles || [ - defaultRules, - 'package.json', - '.npmignore', - '.gitignore', - strictRules, - ], - } - - super(options) - this.isPackage = options.isPackage - this.seen = options.seen || new Set() - this.tree = tree - this.requiredFiles = options.requiredFiles || [] - - const additionalDefaults = [] - if (options.prefix && options.workspaces) { - const path = normalizePath(options.path) - const prefix = normalizePath(options.prefix) - const workspaces = options.workspaces.map((ws) => normalizePath(ws)) - - // istanbul ignore else - this does nothing unless we need it to - if (path !== prefix && workspaces.includes(path)) { - // if path and prefix are not the same directory, and workspaces has path in it - // then we know path is a workspace directory. in order to not drop ignore rules - // from directories between the workspaces root (prefix) and the workspace itself - // (path) we need to find and read those now - const relpath = relative(options.prefix, dirname(options.path)) - additionalDefaults.push(...readOutOfTreeIgnoreFiles(options.prefix, relpath)) - } else if (path === prefix) { - // on the other hand, if the path and prefix are the same, then we ignore workspaces - // so that we don't pack a workspace as part of the root project. append them as - // normalized relative paths from the root - additionalDefaults.push(...workspaces.map((w) => normalizePath(relative(options.path, w)))) - } - } - - // go ahead and inject the default rules now - this.injectRules(defaultRules, [...defaults, ...additionalDefaults]) - - if (!this.isPackage) { - // if this instance is not a package, then place some strict default rules, and append - // known required files for this directory - this.injectRules(strictRules, [ - ...strictDefaults, - ...this.requiredFiles.map((file) => `!${file}`), - ]) - } - } - - // overridden method: we intercept the reading of the package.json file here so that we can - // process it into both the package.json file rules as well as the strictRules synthetic rule set - addIgnoreFile (file, callback) { - // if we're adding anything other than package.json, then let ignore-walk handle it - if (file !== 'package.json' || !this.isPackage) { - return super.addIgnoreFile(file, callback) - } - - return this.processPackage(callback) - } - - // overridden method: if we're done, but we're a package, then we also need to evaluate bundles - // before we actually emit our done event - emit (ev, data) { - if (ev !== 'done' || !this.isPackage) { - return super.emit(ev, data) - } - - // we intentionally delay the done event while keeping the function sync here - // eslint-disable-next-line promise/catch-or-return, promise/always-return - this.gatherBundles().then(() => { - super.emit('done', this.result) - }) - return true - } - - // overridden method: before actually filtering, we make sure that we've removed the rules for - // files that should no longer take effect due to our order of precedence - filterEntries () { - if (this.ignoreRules['package.json']) { - // package.json means no .npmignore or .gitignore - this.ignoreRules['.npmignore'] = null - this.ignoreRules['.gitignore'] = null - } else if (this.ignoreRules['.npmignore']) { - // .npmignore means no .gitignore - this.ignoreRules['.gitignore'] = null - } - - return super.filterEntries() - } - - // overridden method: we never want to include anything that isn't a file or directory - onstat (opts, callback) { - if (!opts.st.isFile() && !opts.st.isDirectory()) { - return callback() - } - - return super.onstat(opts, callback) - } - - // overridden method: we want to refuse to pack files that are invalid, node-tar protects us from - // a lot of them but not all - stat (opts, callback) { - if (nameIsBadForWindows(opts.entry)) { - return callback() - } - - return super.stat(opts, callback) - } - - // overridden method: this is called to create options for a child walker when we step - // in to a normal child directory (this will never be a bundle). the default method here - // copies the root's `ignoreFiles` value, but we don't want to respect package.json for - // subdirectories, so we override it with a list that intentionally omits package.json - walkerOpt (entry, opts) { - let ignoreFiles = null - - // however, if we have a tree, and we have workspaces, and the directory we're about - // to step into is a workspace, then we _do_ want to respect its package.json - if (this.tree.workspaces) { - const workspaceDirs = [...this.tree.workspaces.values()] - .map((dir) => dir.replace(/\\/g, '/')) - - const entryPath = join(this.path, entry).replace(/\\/g, '/') - if (workspaceDirs.includes(entryPath)) { - ignoreFiles = [ - defaultRules, - 'package.json', - '.npmignore', - '.gitignore', - strictRules, - ] - } - } else { - ignoreFiles = [ - defaultRules, - '.npmignore', - '.gitignore', - strictRules, - ] - } - - return { - ...super.walkerOpt(entry, opts), - ignoreFiles, - // we map over our own requiredFiles and pass ones that are within this entry - requiredFiles: this.requiredFiles - .map((file) => { - if (relative(file, entry) === '..') { - return relative(entry, file).replace(/\\/g, '/') - } - return false - }) - .filter(Boolean), - } - } - - // overridden method: we want child walkers to be instances of this class, not ignore-walk - walker (entry, opts, callback) { - new PackWalker(this.tree, this.walkerOpt(entry, opts)).on('done', callback).start() - } - - // overridden method: we use a custom sort method to help compressibility - sort (a, b) { - // optimize for compressibility - // extname, then basename, then locale alphabetically - // https://twitter.com/isntitvacant/status/1131094910923231232 - const exta = extname(a).toLowerCase() - const extb = extname(b).toLowerCase() - const basea = basename(a).toLowerCase() - const baseb = basename(b).toLowerCase() - - return exta.localeCompare(extb, 'en') || - basea.localeCompare(baseb, 'en') || - a.localeCompare(b, 'en') - } - - // convenience method: this joins the given rules with newlines, appends a trailing newline, - // and calls the internal onReadIgnoreFile method - injectRules (filename, rules, callback = () => {}) { - this.onReadIgnoreFile(filename, `${rules.join('\n')}\n`, callback) - } - - // custom method: this is called by addIgnoreFile when we find a package.json, it uses the - // arborist tree to pull both default rules and strict rules for the package - processPackage (callback) { - const { - bin, - browser, - files, - main, - } = this.tree.package - - // rules in these arrays are inverted since they are patterns we want to _not_ ignore - const ignores = [] - const strict = [ - ...strictDefaults, - '!/package.json', - '!/readme{,.*[^~$]}', - '!/copying{,.*[^~$]}', - '!/license{,.*[^~$]}', - '!/licence{,.*[^~$]}', - '/.git', - '/node_modules', - '.npmrc', - '/package-lock.json', - '/yarn.lock', - '/pnpm-lock.yaml', - ] - - // if we have a files array in our package, we need to pull rules from it - if (files) { - for (let file of files) { - // invert the rule because these are things we want to include - if (file.startsWith('./')) { - file = file.slice(1) - } - if (file.endsWith('/*')) { - file += '*' - } - const inverse = `!${file}` - try { - // if an entry in the files array is a specific file, then we need to include it as a - // strict requirement for this package. if it's a directory or a pattern, it's a default - // pattern instead. this is ugly, but we have to stat to find out if it's a file - const stat = lstat(join(this.path, file.replace(/^!+/, '')).replace(/\\/g, '/')) - // if we have a file and we know that, it's strictly required - if (stat.isFile()) { - strict.unshift(inverse) - this.requiredFiles.push(file.startsWith('/') ? file.slice(1) : file) - } else if (stat.isDirectory()) { - // otherwise, it's a default ignore, and since we got here we know it's not a pattern - // so we include the directory contents - ignores.push(inverse) - ignores.push(`${inverse}/**`) - } - // if the thing exists, but is neither a file or a directory, we don't want it at all - } catch (err) { - // if lstat throws, then we assume we're looking at a pattern and treat it as a default - ignores.push(inverse) - } - } - - // we prepend a '*' to exclude everything, followed by our inverted file rules - // which now mean to include those - this.injectRules('package.json', ['*', ...ignores]) - } - - // browser is required - if (browser) { - strict.push(`!/${browser}`) - } - - // main is required - if (main) { - strict.push(`!/${main}`) - } - - // each bin is required - if (bin) { - for (const key in bin) { - strict.push(`!/${bin[key]}`) - } - } - - // and now we add all of the strict rules to our synthetic file - this.injectRules(strictRules, strict, callback) - } - - // custom method: after we've finished gathering the files for the root package, we call this - // before emitting the 'done' event in order to gather all of the files for bundled deps - async gatherBundles () { - if (this.seen.has(this.tree)) { - return - } - - // add this node to our seen tracker - this.seen.add(this.tree) - - // if we're the project root, then we look at our bundleDependencies, otherwise we got here - // because we're a bundled dependency of the root, which means we need to include all prod - // and optional dependencies in the bundle - let toBundle - if (this.tree.isProjectRoot) { - const { bundleDependencies } = this.tree.package - toBundle = bundleDependencies || [] - } else { - const { dependencies, optionalDependencies } = this.tree.package - toBundle = Object.keys(dependencies || {}).concat(Object.keys(optionalDependencies || {})) - } - - for (const dep of toBundle) { - const edge = this.tree.edgesOut.get(dep) - // no edgeOut = missing node, so skip it. we can't pack it if it's not here - // we also refuse to pack peer dependencies and dev dependencies - if (!edge || edge.peer || edge.dev) { - continue - } - - // get a reference to the node we're bundling - const node = this.tree.edgesOut.get(dep).to - // if there's no node, this is most likely an optional dependency that hasn't been - // installed. just skip it. - if (!node) { - continue - } - // we use node.path for the path because we want the location the node was linked to, - // not where it actually lives on disk - const path = node.path - // but link nodes don't have edgesOut, so we need to pass in the target of the node - // in order to make sure we correctly traverse its dependencies - const tree = node.target - - // and start building options to be passed to the walker for this package - const walkerOpts = { - path, - isPackage: true, - ignoreFiles: [], - seen: this.seen, // pass through seen so we can prevent infinite circular loops - } - - // if our node is a link, we apply defaultRules. we don't do this for regular bundled - // deps because their .npmignore and .gitignore files are excluded by default and may - // override defaults - if (node.isLink) { - walkerOpts.ignoreFiles.push(defaultRules) - } - - // _all_ nodes will follow package.json rules from their package root - walkerOpts.ignoreFiles.push('package.json') - - // only link nodes will obey .npmignore or .gitignore - if (node.isLink) { - walkerOpts.ignoreFiles.push('.npmignore') - walkerOpts.ignoreFiles.push('.gitignore') - } - - // _all_ nodes follow strict rules - walkerOpts.ignoreFiles.push(strictRules) - - // create a walker for this dependency and gather its results - const walker = new PackWalker(tree, walkerOpts) - const bundled = await new Promise((pResolve, pReject) => { - walker.on('error', pReject) - walker.on('done', pResolve) - walker.start() - }) - - // now we make sure we have our paths correct from the root, and accumulate everything into - // our own result set to deduplicate - const relativeFrom = relative(this.root, walker.path) - for (const file of bundled) { - this.result.add(join(relativeFrom, file).replace(/\\/g, '/')) - } - } - } -} - -const walk = (tree, options, callback) => { - if (typeof options === 'function') { - callback = options - options = {} - } - const p = new Promise((pResolve, pReject) => { - new PackWalker(tree, { ...options, isPackage: true }) - .on('done', pResolve).on('error', pReject).start() - }) - return callback ? p.then(res => callback(null, res), callback) : p -} - -module.exports = walk -walk.Walker = PackWalker diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/package.json b/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/package.json deleted file mode 100644 index d7e0a4fd5a845..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/package.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "name": "npm-packlist", - "version": "9.0.0", - "description": "Get a list of the files to add from a folder into an npm package", - "directories": { - "test": "test" - }, - "main": "lib/index.js", - "dependencies": { - "ignore-walk": "^7.0.0" - }, - "author": "GitHub Inc.", - "license": "ISC", - "files": [ - "bin/", - "lib/" - ], - "devDependencies": { - "@npmcli/arborist": "^7.5.4", - "@npmcli/eslint-config": "^4.0.0", - "@npmcli/template-oss": "4.23.3", - "mutate-fs": "^2.1.1", - "tap": "^16.0.1" - }, - "scripts": { - "test": "tap", - "posttest": "npm run lint", - "snap": "tap", - "postsnap": "npm run lintfix --", - "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"", - "lint": "npm run eslint", - "lintfix": "npm run eslint -- --fix", - "npmclilint": "npmcli-lint", - "postlint": "template-oss-check", - "template-oss-apply": "template-oss-apply --force" - }, - "repository": { - "type": "git", - "url": "git+https://github.com/npm/npm-packlist.git" - }, - "tap": { - "test-env": [ - "LC_ALL=sk" - ], - "nyc-arg": [ - "--exclude", - "tap-snapshots/**" - ], - "files": [ - "test/*.js" - ] - }, - "engines": { - "node": "^18.17.0 || >=20.5.0" - }, - "templateOSS": { - "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.23.3", - "publish": true - } -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/LICENSE b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/LICENSE deleted file mode 100644 index a03cd0ed0b338..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/LICENSE +++ /dev/null @@ -1,15 +0,0 @@ -The ISC License - -Copyright (c) Isaac Z. Schlueter, Kat Marchán, npm, Inc., and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/bin/index.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/bin/index.js deleted file mode 100755 index f35b62ca71a53..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/bin/index.js +++ /dev/null @@ -1,158 +0,0 @@ -#!/usr/bin/env node - -const run = conf => { - const pacote = require('../') - switch (conf._[0]) { - case 'resolve': - case 'manifest': - case 'packument': - if (conf._[0] === 'resolve' && conf.long) { - return pacote.manifest(conf._[1], conf).then(mani => ({ - resolved: mani._resolved, - integrity: mani._integrity, - from: mani._from, - })) - } - return pacote[conf._[0]](conf._[1], conf) - - case 'tarball': - if (!conf._[2] || conf._[2] === '-') { - return pacote.tarball.stream(conf._[1], stream => { - stream.pipe( - conf.testStdout || - /* istanbul ignore next */ - process.stdout - ) - // make sure it resolves something falsey - return stream.promise().then(() => { - return false - }) - }, conf) - } else { - return pacote.tarball.file(conf._[1], conf._[2], conf) - } - - case 'extract': - return pacote.extract(conf._[1], conf._[2], conf) - - default: /* istanbul ignore next */ { - throw new Error(`bad command: ${conf._[0]}`) - } - } -} - -const version = require('../package.json').version -const usage = () => -`Pacote - The JavaScript Package Handler, v${version} - -Usage: - - pacote resolve - Resolve a specifier and output the fully resolved target - Returns integrity and from if '--long' flag is set. - - pacote manifest - Fetch a manifest and print to stdout - - pacote packument - Fetch a full packument and print to stdout - - pacote tarball [] - Fetch a package tarball and save to - If is missing or '-', the tarball will be streamed to stdout. - - pacote extract - Extract a package to the destination folder. - -Configuration values all match the names of configs passed to npm, or -options passed to Pacote. Additional flags for this executable: - - --long Print an object from 'resolve', including integrity and spec. - --json Print result objects as JSON rather than node's default. - (This is the default if stdout is not a TTY.) - --help -h Print this helpful text. - -For example '--cache=/path/to/folder' will use that folder as the cache. -` - -const shouldJSON = (conf, result) => - conf.json || - !process.stdout.isTTY && - conf.json === undefined && - result && - typeof result === 'object' - -const pretty = (conf, result) => - shouldJSON(conf, result) ? JSON.stringify(result, 0, 2) : result - -let addedLogListener = false -const main = args => { - const conf = parse(args) - if (conf.help || conf.h) { - return console.log(usage()) - } - - if (!addedLogListener) { - process.on('log', console.error) - addedLogListener = true - } - - try { - return run(conf) - .then(result => result && console.log(pretty(conf, result))) - .catch(er => { - console.error(er) - process.exit(1) - }) - } catch (er) { - console.error(er.message) - console.error(usage()) - } -} - -const parseArg = arg => { - const split = arg.slice(2).split('=') - const k = split.shift() - const v = split.join('=') - const no = /^no-/.test(k) && !v - const key = (no ? k.slice(3) : k) - .replace(/^tag$/, 'defaultTag') - .replace(/-([a-z])/g, (_, c) => c.toUpperCase()) - const value = v ? v.replace(/^~/, process.env.HOME) : !no - return { key, value } -} - -const parse = args => { - const conf = { - _: [], - cache: process.env.HOME + '/.npm/_cacache', - } - let dashdash = false - args.forEach(arg => { - if (dashdash) { - conf._.push(arg) - } else if (arg === '--') { - dashdash = true - } else if (arg === '-h') { - conf.help = true - } else if (/^--/.test(arg)) { - const { key, value } = parseArg(arg) - conf[key] = value - } else { - conf._.push(arg) - } - }) - return conf -} - -if (module === require.main) { - main(process.argv.slice(2)) -} else { - module.exports = { - main, - run, - usage, - parseArg, - parse, - } -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/dir.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/dir.js deleted file mode 100644 index 04846eb8a6e22..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/dir.js +++ /dev/null @@ -1,105 +0,0 @@ -const { resolve } = require('node:path') -const packlist = require('npm-packlist') -const runScript = require('@npmcli/run-script') -const tar = require('tar') -const { Minipass } = require('minipass') -const Fetcher = require('./fetcher.js') -const FileFetcher = require('./file.js') -const _ = require('./util/protected.js') -const tarCreateOptions = require('./util/tar-create-options.js') - -class DirFetcher extends Fetcher { - constructor (spec, opts) { - super(spec, opts) - // just the fully resolved filename - this.resolved = this.spec.fetchSpec - - this.tree = opts.tree || null - this.Arborist = opts.Arborist || null - } - - // exposes tarCreateOptions as public API - static tarCreateOptions (manifest) { - return tarCreateOptions(manifest) - } - - get types () { - return ['directory'] - } - - #prepareDir () { - return this.manifest().then(mani => { - if (!mani.scripts || !mani.scripts.prepare) { - return - } - if (this.opts.ignoreScripts) { - return - } - - // we *only* run prepare. - // pre/post-pack is run by the npm CLI for publish and pack, - // but this function is *also* run when installing git deps - const stdio = this.opts.foregroundScripts ? 'inherit' : 'pipe' - - return runScript({ - // this || undefined is because runScript will be unhappy with the default null value - scriptShell: this.opts.scriptShell || undefined, - pkg: mani, - event: 'prepare', - path: this.resolved, - stdio, - env: { - npm_package_resolved: this.resolved, - npm_package_integrity: this.integrity, - npm_package_json: resolve(this.resolved, 'package.json'), - }, - }) - }) - } - - [_.tarballFromResolved] () { - if (!this.tree && !this.Arborist) { - throw new Error('DirFetcher requires either a tree or an Arborist constructor to pack') - } - - const stream = new Minipass() - stream.resolved = this.resolved - stream.integrity = this.integrity - - const { prefix, workspaces } = this.opts - - // run the prepare script, get the list of files, and tar it up - // pipe to the stream, and proxy errors the chain. - this.#prepareDir() - .then(async () => { - if (!this.tree) { - const arb = new this.Arborist({ path: this.resolved }) - this.tree = await arb.loadActual() - } - return packlist(this.tree, { path: this.resolved, prefix, workspaces }) - }) - .then(files => tar.c(tarCreateOptions(this.package), files) - .on('error', er => stream.emit('error', er)).pipe(stream)) - .catch(er => stream.emit('error', er)) - return stream - } - - manifest () { - if (this.package) { - return Promise.resolve(this.package) - } - - return this[_.readPackageJson](this.resolved) - .then(mani => this.package = { - ...mani, - _integrity: this.integrity && String(this.integrity), - _resolved: this.resolved, - _from: this.from, - }) - } - - packument () { - return FileFetcher.prototype.packument.apply(this) - } -} -module.exports = DirFetcher diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/fetcher.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/fetcher.js deleted file mode 100644 index f2ac97619d3af..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/fetcher.js +++ /dev/null @@ -1,497 +0,0 @@ -// This is the base class that the other fetcher types in lib -// all descend from. -// It handles the unpacking and retry logic that is shared among -// all of the other Fetcher types. - -const { basename, dirname } = require('node:path') -const { rm, mkdir } = require('node:fs/promises') -const PackageJson = require('@npmcli/package-json') -const cacache = require('cacache') -const fsm = require('fs-minipass') -const getContents = require('@npmcli/installed-package-contents') -const npa = require('npm-package-arg') -const retry = require('promise-retry') -const ssri = require('ssri') -const tar = require('tar') -const { Minipass } = require('minipass') -const { log } = require('proc-log') -const _ = require('./util/protected.js') -const cacheDir = require('./util/cache-dir.js') -const isPackageBin = require('./util/is-package-bin.js') -const removeTrailingSlashes = require('./util/trailing-slashes.js') - -// Pacote is only concerned with the package.json contents -const packageJsonPrepare = (p) => PackageJson.prepare(p).then(pkg => pkg.content) -const packageJsonNormalize = (p) => PackageJson.normalize(p).then(pkg => pkg.content) - -class FetcherBase { - constructor (spec, opts) { - if (!opts || typeof opts !== 'object') { - throw new TypeError('options object is required') - } - this.spec = npa(spec, opts.where) - - this.allowGitIgnore = !!opts.allowGitIgnore - - // a bit redundant because presumably the caller already knows this, - // but it makes it easier to not have to keep track of the requested - // spec when we're dispatching thousands of these at once, and normalizing - // is nice. saveSpec is preferred if set, because it turns stuff like - // x/y#committish into github:x/y#committish. use name@rawSpec for - // registry deps so that we turn xyz and xyz@ -> xyz@ - this.from = this.spec.registry - ? `${this.spec.name}@${this.spec.rawSpec}` : this.spec.saveSpec - - this.#assertType() - // clone the opts object so that others aren't upset when we mutate it - // by adding/modifying the integrity value. - this.opts = { ...opts } - - this.cache = opts.cache || cacheDir().cacache - this.tufCache = opts.tufCache || cacheDir().tufcache - this.resolved = opts.resolved || null - - // default to caching/verifying with sha512, that's what we usually have - // need to change this default, or start overriding it, when sha512 - // is no longer strong enough. - this.defaultIntegrityAlgorithm = opts.defaultIntegrityAlgorithm || 'sha512' - - if (typeof opts.integrity === 'string') { - this.opts.integrity = ssri.parse(opts.integrity) - } - - this.package = null - this.type = this.constructor.name - this.fmode = opts.fmode || 0o666 - this.dmode = opts.dmode || 0o777 - // we don't need a default umask, because we don't chmod files coming - // out of package tarballs. they're forced to have a mode that is - // valid, regardless of what's in the tarball entry, and then we let - // the process's umask setting do its job. but if configured, we do - // respect it. - this.umask = opts.umask || 0 - - this.preferOnline = !!opts.preferOnline - this.preferOffline = !!opts.preferOffline - this.offline = !!opts.offline - - this.before = opts.before - this.fullMetadata = this.before ? true : !!opts.fullMetadata - this.fullReadJson = !!opts.fullReadJson - this[_.readPackageJson] = this.fullReadJson - ? packageJsonPrepare - : packageJsonNormalize - - // rrh is a registry hostname or 'never' or 'always' - // defaults to registry.npmjs.org - this.replaceRegistryHost = (!opts.replaceRegistryHost || opts.replaceRegistryHost === 'npmjs') ? - 'registry.npmjs.org' : opts.replaceRegistryHost - - this.defaultTag = opts.defaultTag || 'latest' - this.registry = removeTrailingSlashes(opts.registry || 'https://registry.npmjs.org') - - // command to run 'prepare' scripts on directories and git dirs - // To use pacote with yarn, for example, set npmBin to 'yarn' - // and npmCliConfig with yarn's equivalents. - this.npmBin = opts.npmBin || 'npm' - - // command to install deps for preparing - this.npmInstallCmd = opts.npmInstallCmd || ['install', '--force'] - - // XXX fill more of this in based on what we know from this.opts - // we explicitly DO NOT fill in --tag, though, since we are often - // going to be packing in the context of a publish, which may set - // a dist-tag, but certainly wants to keep defaulting to latest. - this.npmCliConfig = opts.npmCliConfig || [ - `--cache=${dirname(this.cache)}`, - `--prefer-offline=${!!this.preferOffline}`, - `--prefer-online=${!!this.preferOnline}`, - `--offline=${!!this.offline}`, - ...(this.before ? [`--before=${this.before.toISOString()}`] : []), - '--no-progress', - '--no-save', - '--no-audit', - // override any omit settings from the environment - '--include=dev', - '--include=peer', - '--include=optional', - // we need the actual things, not just the lockfile - '--no-package-lock-only', - '--no-dry-run', - ] - } - - get integrity () { - return this.opts.integrity || null - } - - set integrity (i) { - if (!i) { - return - } - - i = ssri.parse(i) - const current = this.opts.integrity - - // do not ever update an existing hash value, but do - // merge in NEW algos and hashes that we don't already have. - if (current) { - current.merge(i) - } else { - this.opts.integrity = i - } - } - - get notImplementedError () { - return new Error('not implemented in this fetcher type: ' + this.type) - } - - // override in child classes - // Returns a Promise that resolves to this.resolved string value - resolve () { - return this.resolved ? Promise.resolve(this.resolved) - : Promise.reject(this.notImplementedError) - } - - packument () { - return Promise.reject(this.notImplementedError) - } - - // override in child class - // returns a manifest containing: - // - name - // - version - // - _resolved - // - _integrity - // - plus whatever else was in there (corgi, full metadata, or pj file) - manifest () { - return Promise.reject(this.notImplementedError) - } - - // private, should be overridden. - // Note that they should *not* calculate or check integrity or cache, - // but *just* return the raw tarball data stream. - [_.tarballFromResolved] () { - throw this.notImplementedError - } - - // public, should not be overridden - tarball () { - return this.tarballStream(stream => stream.concat().then(data => { - data.integrity = this.integrity && String(this.integrity) - data.resolved = this.resolved - data.from = this.from - return data - })) - } - - // private - // Note: cacache will raise a EINTEGRITY error if the integrity doesn't match - #tarballFromCache () { - const startTime = Date.now() - const stream = cacache.get.stream.byDigest(this.cache, this.integrity, this.opts) - const elapsedTime = Date.now() - startTime - // cache is good, so log it as a hit in particular since there was no fetch logged - log.http( - 'cache', - `${this.spec} ${elapsedTime}ms (cache hit)` - ) - return stream - } - - get [_.cacheFetches] () { - return true - } - - #istream (stream) { - // if not caching this, just return it - if (!this.opts.cache || !this[_.cacheFetches]) { - // instead of creating a new integrity stream, we only piggyback on the - // provided stream's events - if (stream.hasIntegrityEmitter) { - stream.on('integrity', i => this.integrity = i) - return stream - } - - const istream = ssri.integrityStream(this.opts) - istream.on('integrity', i => this.integrity = i) - stream.on('error', err => istream.emit('error', err)) - return stream.pipe(istream) - } - - // we have to return a stream that gets ALL the data, and proxies errors, - // but then pipe from the original tarball stream into the cache as well. - // To do this without losing any data, and since the cacache put stream - // is not a passthrough, we have to pipe from the original stream into - // the cache AFTER we pipe into the middleStream. Since the cache stream - // has an asynchronous flush to write its contents to disk, we need to - // defer the middleStream end until the cache stream ends. - const middleStream = new Minipass() - stream.on('error', err => middleStream.emit('error', err)) - stream.pipe(middleStream, { end: false }) - const cstream = cacache.put.stream( - this.opts.cache, - `pacote:tarball:${this.from}`, - this.opts - ) - cstream.on('integrity', i => this.integrity = i) - cstream.on('error', err => stream.emit('error', err)) - stream.pipe(cstream) - - // eslint-disable-next-line promise/catch-or-return - cstream.promise().catch(() => {}).then(() => middleStream.end()) - return middleStream - } - - pickIntegrityAlgorithm () { - return this.integrity ? this.integrity.pickAlgorithm(this.opts) - : this.defaultIntegrityAlgorithm - } - - // TODO: check error class, once those are rolled out to our deps - isDataCorruptionError (er) { - return er.code === 'EINTEGRITY' || er.code === 'Z_DATA_ERROR' - } - - // override the types getter - get types () { - return false - } - - #assertType () { - if (this.types && !this.types.includes(this.spec.type)) { - throw new TypeError(`Wrong spec type (${ - this.spec.type - }) for ${ - this.constructor.name - }. Supported types: ${this.types.join(', ')}`) - } - } - - // We allow ENOENTs from cacache, but not anywhere else. - // An ENOENT trying to read a tgz file, for example, is Right Out. - isRetriableError (er) { - // TODO: check error class, once those are rolled out to our deps - return this.isDataCorruptionError(er) || - er.code === 'ENOENT' || - er.code === 'EISDIR' - } - - // Mostly internal, but has some uses - // Pass in a function which returns a promise - // Function will be called 1 or more times with streams that may fail. - // Retries: - // Function MUST handle errors on the stream by rejecting the promise, - // so that retry logic can pick it up and either retry or fail whatever - // promise it was making (ie, failing extraction, etc.) - // - // The return value of this method is a Promise that resolves the same - // as whatever the streamHandler resolves to. - // - // This should never be overridden by child classes, but it is public. - tarballStream (streamHandler) { - // Only short-circuit via cache if we have everything else we'll need, - // and the user has not expressed a preference for checking online. - - const fromCache = ( - !this.preferOnline && - this.integrity && - this.resolved - ) ? streamHandler(this.#tarballFromCache()).catch(er => { - if (this.isDataCorruptionError(er)) { - log.warn('tarball', `cached data for ${ - this.spec - } (${this.integrity}) seems to be corrupted. Refreshing cache.`) - return this.cleanupCached().then(() => { - throw er - }) - } else { - throw er - } - }) : null - - const fromResolved = er => { - if (er) { - if (!this.isRetriableError(er)) { - throw er - } - log.silly('tarball', `no local data for ${ - this.spec - }. Extracting by manifest.`) - } - return this.resolve().then(() => retry(tryAgain => - streamHandler(this.#istream(this[_.tarballFromResolved]())) - .catch(streamErr => { - // Most likely data integrity. A cache ENOENT error is unlikely - // here, since we're definitely not reading from the cache, but it - // IS possible that the fetch subsystem accessed the cache, and the - // entry got blown away or something. Try one more time to be sure. - if (this.isRetriableError(streamErr)) { - log.warn('tarball', `tarball data for ${ - this.spec - } (${this.integrity}) seems to be corrupted. Trying again.`) - return this.cleanupCached().then(() => tryAgain(streamErr)) - } - throw streamErr - }), { retries: 1, minTimeout: 0, maxTimeout: 0 })) - } - - return fromCache ? fromCache.catch(fromResolved) : fromResolved() - } - - cleanupCached () { - return cacache.rm.content(this.cache, this.integrity, this.opts) - } - - #empty (path) { - return getContents({ path, depth: 1 }).then(contents => Promise.all( - contents.map(entry => rm(entry, { recursive: true, force: true })))) - } - - async #mkdir (dest) { - await this.#empty(dest) - return await mkdir(dest, { recursive: true }) - } - - // extraction is always the same. the only difference is where - // the tarball comes from. - async extract (dest) { - await this.#mkdir(dest) - return this.tarballStream((tarball) => this.#extract(dest, tarball)) - } - - #toFile (dest) { - return this.tarballStream(str => new Promise((res, rej) => { - const writer = new fsm.WriteStream(dest) - str.on('error', er => writer.emit('error', er)) - writer.on('error', er => rej(er)) - writer.on('close', () => res({ - integrity: this.integrity && String(this.integrity), - resolved: this.resolved, - from: this.from, - })) - str.pipe(writer) - })) - } - - // don't use this.#mkdir because we don't want to rimraf anything - async tarballFile (dest) { - const dir = dirname(dest) - await mkdir(dir, { recursive: true }) - return this.#toFile(dest) - } - - #extract (dest, tarball) { - const extractor = tar.x(this.#tarxOptions({ cwd: dest })) - const p = new Promise((resolve, reject) => { - extractor.on('end', () => { - resolve({ - resolved: this.resolved, - integrity: this.integrity && String(this.integrity), - from: this.from, - }) - }) - - extractor.on('error', er => { - log.warn('tar', er.message) - log.silly('tar', er) - reject(er) - }) - - tarball.on('error', er => reject(er)) - }) - - tarball.pipe(extractor) - return p - } - - // always ensure that entries are at least as permissive as our configured - // dmode/fmode, but never more permissive than the umask allows. - #entryMode (path, mode, type) { - const m = /Directory|GNUDumpDir/.test(type) ? this.dmode - : /File$/.test(type) ? this.fmode - : /* istanbul ignore next - should never happen in a pkg */ 0 - - // make sure package bins are executable - const exe = isPackageBin(this.package, path) ? 0o111 : 0 - // always ensure that files are read/writable by the owner - return ((mode | m) & ~this.umask) | exe | 0o600 - } - - #tarxOptions ({ cwd }) { - const sawIgnores = new Set() - return { - cwd, - noChmod: true, - noMtime: true, - filter: (name, entry) => { - if (/Link$/.test(entry.type)) { - return false - } - entry.mode = this.#entryMode(entry.path, entry.mode, entry.type) - // this replicates the npm pack behavior where .gitignore files - // are treated like .npmignore files, but only if a .npmignore - // file is not present. - if (/File$/.test(entry.type)) { - const base = basename(entry.path) - if (base === '.npmignore') { - sawIgnores.add(entry.path) - } else if (base === '.gitignore' && !this.allowGitIgnore) { - // rename, but only if there's not already a .npmignore - const ni = entry.path.replace(/\.gitignore$/, '.npmignore') - if (sawIgnores.has(ni)) { - return false - } - entry.path = ni - } - return true - } - }, - strip: 1, - onwarn: /* istanbul ignore next - we can trust that tar logs */ - (code, msg, data) => { - log.warn('tar', code, msg) - log.silly('tar', code, msg, data) - }, - umask: this.umask, - // always ignore ownership info from tarball metadata - preserveOwner: false, - } - } -} - -module.exports = FetcherBase - -// Child classes -const GitFetcher = require('./git.js') -const RegistryFetcher = require('./registry.js') -const FileFetcher = require('./file.js') -const DirFetcher = require('./dir.js') -const RemoteFetcher = require('./remote.js') - -// Get an appropriate fetcher object from a spec and options -FetcherBase.get = (rawSpec, opts = {}) => { - const spec = npa(rawSpec, opts.where) - switch (spec.type) { - case 'git': - return new GitFetcher(spec, opts) - - case 'remote': - return new RemoteFetcher(spec, opts) - - case 'version': - case 'range': - case 'tag': - case 'alias': - return new RegistryFetcher(spec.subSpec || spec, opts) - - case 'file': - return new FileFetcher(spec, opts) - - case 'directory': - return new DirFetcher(spec, opts) - - default: - throw new TypeError('Unknown spec type: ' + spec.type) - } -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/file.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/file.js deleted file mode 100644 index 2021325085e4f..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/file.js +++ /dev/null @@ -1,94 +0,0 @@ -const { resolve } = require('node:path') -const { stat, chmod } = require('node:fs/promises') -const cacache = require('cacache') -const fsm = require('fs-minipass') -const Fetcher = require('./fetcher.js') -const _ = require('./util/protected.js') - -class FileFetcher extends Fetcher { - constructor (spec, opts) { - super(spec, opts) - // just the fully resolved filename - this.resolved = this.spec.fetchSpec - } - - get types () { - return ['file'] - } - - manifest () { - if (this.package) { - return Promise.resolve(this.package) - } - - // have to unpack the tarball for this. - return cacache.tmp.withTmp(this.cache, this.opts, dir => - this.extract(dir) - .then(() => this[_.readPackageJson](dir)) - .then(mani => this.package = { - ...mani, - _integrity: this.integrity && String(this.integrity), - _resolved: this.resolved, - _from: this.from, - })) - } - - #exeBins (pkg, dest) { - if (!pkg.bin) { - return Promise.resolve() - } - - return Promise.all(Object.keys(pkg.bin).map(async k => { - const script = resolve(dest, pkg.bin[k]) - // Best effort. Ignore errors here, the only result is that - // a bin script is not executable. But if it's missing or - // something, we just leave it for a later stage to trip over - // when we can provide a more useful contextual error. - try { - const st = await stat(script) - const mode = st.mode | 0o111 - if (mode === st.mode) { - return - } - await chmod(script, mode) - } catch { - // Ignore errors here - } - })) - } - - extract (dest) { - // if we've already loaded the manifest, then the super got it. - // but if not, read the unpacked manifest and chmod properly. - return super.extract(dest) - .then(result => this.package ? result - : this[_.readPackageJson](dest).then(pkg => - this.#exeBins(pkg, dest)).then(() => result)) - } - - [_.tarballFromResolved] () { - // create a read stream and return it - return new fsm.ReadStream(this.resolved) - } - - packument () { - // simulate based on manifest - return this.manifest().then(mani => ({ - name: mani.name, - 'dist-tags': { - [this.defaultTag]: mani.version, - }, - versions: { - [mani.version]: { - ...mani, - dist: { - tarball: `file:${this.resolved}`, - integrity: this.integrity && String(this.integrity), - }, - }, - }, - })) - } -} - -module.exports = FileFetcher diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/git.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/git.js deleted file mode 100644 index 077193a86f026..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/git.js +++ /dev/null @@ -1,317 +0,0 @@ -const cacache = require('cacache') -const git = require('@npmcli/git') -const npa = require('npm-package-arg') -const pickManifest = require('npm-pick-manifest') -const { Minipass } = require('minipass') -const { log } = require('proc-log') -const DirFetcher = require('./dir.js') -const Fetcher = require('./fetcher.js') -const FileFetcher = require('./file.js') -const RemoteFetcher = require('./remote.js') -const _ = require('./util/protected.js') -const addGitSha = require('./util/add-git-sha.js') -const npm = require('./util/npm.js') - -const hashre = /^[a-f0-9]{40}$/ - -// get the repository url. -// prefer https if there's auth, since ssh will drop that. -// otherwise, prefer ssh if available (more secure). -// We have to add the git+ back because npa suppresses it. -const repoUrl = (h, opts) => - h.sshurl && !(h.https && h.auth) && addGitPlus(h.sshurl(opts)) || - h.https && addGitPlus(h.https(opts)) - -// add git+ to the url, but only one time. -const addGitPlus = url => url && `git+${url}`.replace(/^(git\+)+/, 'git+') - -class GitFetcher extends Fetcher { - constructor (spec, opts) { - super(spec, opts) - - // we never want to compare integrity for git dependencies: npm/rfcs#525 - if (this.opts.integrity) { - delete this.opts.integrity - log.warn(`skipping integrity check for git dependency ${this.spec.fetchSpec}`) - } - - this.resolvedRef = null - if (this.spec.hosted) { - this.from = this.spec.hosted.shortcut({ noCommittish: false }) - } - - // shortcut: avoid full clone when we can go straight to the tgz - // if we have the full sha and it's a hosted git platform - if (this.spec.gitCommittish && hashre.test(this.spec.gitCommittish)) { - this.resolvedSha = this.spec.gitCommittish - // use hosted.tarball() when we shell to RemoteFetcher later - this.resolved = this.spec.hosted - ? repoUrl(this.spec.hosted, { noCommittish: false }) - : this.spec.rawSpec - } else { - this.resolvedSha = '' - } - - this.Arborist = opts.Arborist || null - } - - // just exposed to make it easier to test all the combinations - static repoUrl (hosted, opts) { - return repoUrl(hosted, opts) - } - - get types () { - return ['git'] - } - - resolve () { - // likely a hosted git repo with a sha, so get the tarball url - // but in general, no reason to resolve() more than necessary! - if (this.resolved) { - return super.resolve() - } - - // fetch the git repo and then look at the current hash - const h = this.spec.hosted - // try to use ssh, fall back to git. - return h - ? this.#resolvedFromHosted(h) - : this.#resolvedFromRepo(this.spec.fetchSpec) - } - - // first try https, since that's faster and passphrase-less for - // public repos, and supports private repos when auth is provided. - // Fall back to SSH to support private repos - // NB: we always store the https url in resolved field if auth - // is present, otherwise ssh if the hosted type provides it - #resolvedFromHosted (hosted) { - return this.#resolvedFromRepo(hosted.https && hosted.https()).catch(er => { - // Throw early since we know pathspec errors will fail again if retried - if (er instanceof git.errors.GitPathspecError) { - throw er - } - const ssh = hosted.sshurl && hosted.sshurl() - // no fallthrough if we can't fall through or have https auth - if (!ssh || hosted.auth) { - throw er - } - return this.#resolvedFromRepo(ssh) - }) - } - - #resolvedFromRepo (gitRemote) { - // XXX make this a custom error class - if (!gitRemote) { - return Promise.reject(new Error(`No git url for ${this.spec}`)) - } - const gitRange = this.spec.gitRange - const name = this.spec.name - return git.revs(gitRemote, this.opts).then(remoteRefs => { - return gitRange ? pickManifest({ - versions: remoteRefs.versions, - 'dist-tags': remoteRefs['dist-tags'], - name, - }, gitRange, this.opts) - : this.spec.gitCommittish ? - remoteRefs.refs[this.spec.gitCommittish] || - remoteRefs.refs[remoteRefs.shas[this.spec.gitCommittish]] - : remoteRefs.refs.HEAD // no git committish, get default head - }).then(revDoc => { - // the committish provided isn't in the rev list - // things like HEAD~3 or @yesterday can land here. - if (!revDoc || !revDoc.sha) { - return this.#resolvedFromClone() - } - - this.resolvedRef = revDoc - this.resolvedSha = revDoc.sha - this.#addGitSha(revDoc.sha) - return this.resolved - }) - } - - #setResolvedWithSha (withSha) { - // we haven't cloned, so a tgz download is still faster - // of course, if it's not a known host, we can't do that. - this.resolved = !this.spec.hosted ? withSha - : repoUrl(npa(withSha).hosted, { noCommittish: false }) - } - - // when we get the git sha, we affix it to our spec to build up - // either a git url with a hash, or a tarball download URL - #addGitSha (sha) { - this.#setResolvedWithSha(addGitSha(this.spec, sha)) - } - - #resolvedFromClone () { - // do a full or shallow clone, then look at the HEAD - // kind of wasteful, but no other option, really - return this.#clone(() => this.resolved) - } - - #prepareDir (dir) { - return this[_.readPackageJson](dir).then(mani => { - // no need if we aren't going to do any preparation. - const scripts = mani.scripts - if (!mani.workspaces && (!scripts || !( - scripts.postinstall || - scripts.build || - scripts.preinstall || - scripts.install || - scripts.prepack || - scripts.prepare))) { - return - } - - // to avoid cases where we have an cycle of git deps that depend - // on one another, we only ever do preparation for one instance - // of a given git dep along the chain of installations. - // Note that this does mean that a dependency MAY in theory end up - // trying to run its prepare script using a dependency that has not - // been properly prepared itself, but that edge case is smaller - // and less hazardous than a fork bomb of npm and git commands. - const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? [] - : process.env._PACOTE_NO_PREPARE_.split('\n') - if (noPrepare.includes(this.resolved)) { - log.info('prepare', 'skip prepare, already seen', this.resolved) - return - } - noPrepare.push(this.resolved) - - // the DirFetcher will do its own preparation to run the prepare scripts - // All we have to do is put the deps in place so that it can succeed. - return npm( - this.npmBin, - [].concat(this.npmInstallCmd).concat(this.npmCliConfig), - dir, - { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') }, - { message: 'git dep preparation failed' } - ) - }) - } - - [_.tarballFromResolved] () { - const stream = new Minipass() - stream.resolved = this.resolved - stream.from = this.from - - // check it out and then shell out to the DirFetcher tarball packer - this.#clone(dir => this.#prepareDir(dir) - .then(() => new Promise((res, rej) => { - if (!this.Arborist) { - throw new Error('GitFetcher requires an Arborist constructor to pack a tarball') - } - const df = new DirFetcher(`file:${dir}`, { - ...this.opts, - Arborist: this.Arborist, - resolved: null, - integrity: null, - }) - const dirStream = df[_.tarballFromResolved]() - dirStream.on('error', rej) - dirStream.on('end', res) - dirStream.pipe(stream) - }))).catch( - /* istanbul ignore next: very unlikely and hard to test */ - er => stream.emit('error', er) - ) - return stream - } - - // clone a git repo into a temp folder (or fetch and unpack if possible) - // handler accepts a directory, and returns a promise that resolves - // when we're done with it, at which point, cacache deletes it - // - // TODO: after cloning, create a tarball of the folder, and add to the cache - // with cacache.put.stream(), using a key that's deterministic based on the - // spec and repo, so that we don't ever clone the same thing multiple times. - #clone (handler, tarballOk = true) { - const o = { tmpPrefix: 'git-clone' } - const ref = this.resolvedSha || this.spec.gitCommittish - const h = this.spec.hosted - const resolved = this.resolved - - // can be set manually to false to fall back to actual git clone - tarballOk = tarballOk && - h && resolved === repoUrl(h, { noCommittish: false }) && h.tarball - - return cacache.tmp.withTmp(this.cache, o, async tmp => { - // if we're resolved, and have a tarball url, shell out to RemoteFetcher - if (tarballOk) { - const nameat = this.spec.name ? `${this.spec.name}@` : '' - return new RemoteFetcher(h.tarball({ noCommittish: false }), { - ...this.opts, - allowGitIgnore: true, - pkgid: `git:${nameat}${this.resolved}`, - resolved: this.resolved, - integrity: null, // it'll always be different, if we have one - }).extract(tmp).then(() => handler(tmp), er => { - // fall back to ssh download if tarball fails - if (er.constructor.name.match(/^Http/)) { - return this.#clone(handler, false) - } else { - throw er - } - }) - } - - const sha = await ( - h ? this.#cloneHosted(ref, tmp) - : this.#cloneRepo(this.spec.fetchSpec, ref, tmp) - ) - this.resolvedSha = sha - if (!this.resolved) { - await this.#addGitSha(sha) - } - return handler(tmp) - }) - } - - // first try https, since that's faster and passphrase-less for - // public repos, and supports private repos when auth is provided. - // Fall back to SSH to support private repos - // NB: we always store the https url in resolved field if auth - // is present, otherwise ssh if the hosted type provides it - #cloneHosted (ref, tmp) { - const hosted = this.spec.hosted - return this.#cloneRepo(hosted.https({ noCommittish: true }), ref, tmp) - .catch(er => { - // Throw early since we know pathspec errors will fail again if retried - if (er instanceof git.errors.GitPathspecError) { - throw er - } - const ssh = hosted.sshurl && hosted.sshurl({ noCommittish: true }) - // no fallthrough if we can't fall through or have https auth - if (!ssh || hosted.auth) { - throw er - } - return this.#cloneRepo(ssh, ref, tmp) - }) - } - - #cloneRepo (repo, ref, tmp) { - const { opts, spec } = this - return git.clone(repo, ref, tmp, { ...opts, spec }) - } - - manifest () { - if (this.package) { - return Promise.resolve(this.package) - } - - return this.spec.hosted && this.resolved - ? FileFetcher.prototype.manifest.apply(this) - : this.#clone(dir => - this[_.readPackageJson](dir) - .then(mani => this.package = { - ...mani, - _resolved: this.resolved, - _from: this.from, - })) - } - - packument () { - return FileFetcher.prototype.packument.apply(this) - } -} -module.exports = GitFetcher diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/index.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/index.js deleted file mode 100644 index f35314d275d5f..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/index.js +++ /dev/null @@ -1,23 +0,0 @@ -const { get } = require('./fetcher.js') -const GitFetcher = require('./git.js') -const RegistryFetcher = require('./registry.js') -const FileFetcher = require('./file.js') -const DirFetcher = require('./dir.js') -const RemoteFetcher = require('./remote.js') - -const tarball = (spec, opts) => get(spec, opts).tarball() -tarball.stream = (spec, handler, opts) => get(spec, opts).tarballStream(handler) -tarball.file = (spec, dest, opts) => get(spec, opts).tarballFile(dest) - -module.exports = { - GitFetcher, - RegistryFetcher, - FileFetcher, - DirFetcher, - RemoteFetcher, - resolve: (spec, opts) => get(spec, opts).resolve(), - extract: (spec, dest, opts) => get(spec, opts).extract(dest), - manifest: (spec, opts) => get(spec, opts).manifest(), - packument: (spec, opts) => get(spec, opts).packument(), - tarball, -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/registry.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/registry.js deleted file mode 100644 index 1ecf4ee177349..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/registry.js +++ /dev/null @@ -1,369 +0,0 @@ -const crypto = require('node:crypto') -const PackageJson = require('@npmcli/package-json') -const pickManifest = require('npm-pick-manifest') -const ssri = require('ssri') -const npa = require('npm-package-arg') -const sigstore = require('sigstore') -const fetch = require('npm-registry-fetch') -const Fetcher = require('./fetcher.js') -const RemoteFetcher = require('./remote.js') -const pacoteVersion = require('../package.json').version -const removeTrailingSlashes = require('./util/trailing-slashes.js') -const _ = require('./util/protected.js') - -// Corgis are cute. 🐕🐶 -const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*' -const fullDoc = 'application/json' - -// Some really old packages have no time field in their packument so we need a -// cutoff date. -const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z' - -class RegistryFetcher extends Fetcher { - #cacheKey - constructor (spec, opts) { - super(spec, opts) - - // you usually don't want to fetch the same packument multiple times in - // the span of a given script or command, no matter how many pacote calls - // are made, so this lets us avoid doing that. It's only relevant for - // registry fetchers, because other types simulate their packument from - // the manifest, which they memoize on this.package, so it's very cheap - // already. - this.packumentCache = this.opts.packumentCache || null - - this.registry = fetch.pickRegistry(spec, opts) - this.packumentUrl = `${removeTrailingSlashes(this.registry)}/${this.spec.escapedName}` - this.#cacheKey = `${this.fullMetadata ? 'full' : 'corgi'}:${this.packumentUrl}` - - const parsed = new URL(this.registry) - const regKey = `//${parsed.host}${parsed.pathname}` - // unlike the nerf-darted auth keys, this one does *not* allow a mismatch - // of trailing slashes. It must match exactly. - if (this.opts[`${regKey}:_keys`]) { - this.registryKeys = this.opts[`${regKey}:_keys`] - } - - // XXX pacote <=9 has some logic to ignore opts.resolved if - // the resolved URL doesn't go to the same registry. - // Consider reproducing that here, to throw away this.resolved - // in that case. - } - - async resolve () { - // fetching the manifest sets resolved and (if present) integrity - await this.manifest() - if (!this.resolved) { - throw Object.assign( - new Error('Invalid package manifest: no `dist.tarball` field'), - { package: this.spec.toString() } - ) - } - return this.resolved - } - - #headers () { - return { - // npm will override UA, but ensure that we always send *something* - 'user-agent': this.opts.userAgent || - `pacote/${pacoteVersion} node/${process.version}`, - ...(this.opts.headers || {}), - 'pacote-version': pacoteVersion, - 'pacote-req-type': 'packument', - 'pacote-pkg-id': `registry:${this.spec.name}`, - accept: this.fullMetadata ? fullDoc : corgiDoc, - } - } - - async packument () { - // note this might be either an in-flight promise for a request, - // or the actual packument, but we never want to make more than - // one request at a time for the same thing regardless. - if (this.packumentCache?.has(this.#cacheKey)) { - return this.packumentCache.get(this.#cacheKey) - } - - // npm-registry-fetch the packument - // set the appropriate header for corgis if fullMetadata isn't set - // return the res.json() promise - try { - const res = await fetch(this.packumentUrl, { - ...this.opts, - headers: this.#headers(), - spec: this.spec, - - // never check integrity for packuments themselves - integrity: null, - }) - const packument = await res.json() - const contentLength = res.headers.get('content-length') - if (contentLength) { - packument._contentLength = Number(contentLength) - } - this.packumentCache?.set(this.#cacheKey, packument) - return packument - } catch (err) { - this.packumentCache?.delete(this.#cacheKey) - if (err.code !== 'E404' || this.fullMetadata) { - throw err - } - // possible that corgis are not supported by this registry - this.fullMetadata = true - return this.packument() - } - } - - async manifest () { - if (this.package) { - return this.package - } - - // When verifying signatures, we need to fetch the full/uncompressed - // packument to get publish time as this is not included in the - // corgi/compressed packument. - if (this.opts.verifySignatures) { - this.fullMetadata = true - } - - const packument = await this.packument() - const steps = PackageJson.normalizeSteps.filter(s => s !== '_attributes') - const mani = await new PackageJson().fromContent(pickManifest(packument, this.spec.fetchSpec, { - ...this.opts, - defaultTag: this.defaultTag, - before: this.before, - })).normalize({ steps }).then(p => p.content) - - /* XXX add ETARGET and E403 revalidation of cached packuments here */ - - // add _time from packument if fetched with fullMetadata - const time = packument.time?.[mani.version] - if (time) { - mani._time = time - } - - // add _resolved and _integrity from dist object - const { dist } = mani - if (dist) { - this.resolved = mani._resolved = dist.tarball - mani._from = this.from - const distIntegrity = dist.integrity ? ssri.parse(dist.integrity) - : dist.shasum ? ssri.fromHex(dist.shasum, 'sha1', { ...this.opts }) - : null - if (distIntegrity) { - if (this.integrity && !this.integrity.match(distIntegrity)) { - // only bork if they have algos in common. - // otherwise we end up breaking if we have saved a sha512 - // previously for the tarball, but the manifest only - // provides a sha1, which is possible for older publishes. - // Otherwise, this is almost certainly a case of holding it - // wrong, and will result in weird or insecure behavior - // later on when building package tree. - for (const algo of Object.keys(this.integrity)) { - if (distIntegrity[algo]) { - throw Object.assign(new Error( - `Integrity checksum failed when using ${algo}: ` + - `wanted ${this.integrity} but got ${distIntegrity}.` - ), { code: 'EINTEGRITY' }) - } - } - } - // made it this far, the integrity is worthwhile. accept it. - // the setter here will take care of merging it into what we already - // had. - this.integrity = distIntegrity - } - } - if (this.integrity) { - mani._integrity = String(this.integrity) - if (dist.signatures) { - if (this.opts.verifySignatures) { - // validate and throw on error, then set _signatures - const message = `${mani._id}:${mani._integrity}` - for (const signature of dist.signatures) { - const publicKey = this.registryKeys && - this.registryKeys.filter(key => (key.keyid === signature.keyid))[0] - if (!publicKey) { - throw Object.assign(new Error( - `${mani._id} has a registry signature with keyid: ${signature.keyid} ` + - 'but no corresponding public key can be found' - ), { code: 'EMISSINGSIGNATUREKEY' }) - } - - const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF) - const validPublicKey = !publicKey.expires || - publishedTime < Date.parse(publicKey.expires) - if (!validPublicKey) { - throw Object.assign(new Error( - `${mani._id} has a registry signature with keyid: ${signature.keyid} ` + - `but the corresponding public key has expired ${publicKey.expires}` - ), { code: 'EEXPIREDSIGNATUREKEY' }) - } - const verifier = crypto.createVerify('SHA256') - verifier.write(message) - verifier.end() - const valid = verifier.verify( - publicKey.pemkey, - signature.sig, - 'base64' - ) - if (!valid) { - throw Object.assign(new Error( - `${mani._id} has an invalid registry signature with ` + - `keyid: ${publicKey.keyid} and signature: ${signature.sig}` - ), { - code: 'EINTEGRITYSIGNATURE', - keyid: publicKey.keyid, - signature: signature.sig, - resolved: mani._resolved, - integrity: mani._integrity, - }) - } - } - mani._signatures = dist.signatures - } else { - mani._signatures = dist.signatures - } - } - - if (dist.attestations) { - if (this.opts.verifyAttestations) { - // Always fetch attestations from the current registry host - const attestationsPath = new URL(dist.attestations.url).pathname - const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath - const res = await fetch(attestationsUrl, { - ...this.opts, - // disable integrity check for attestations json payload, we check the - // integrity in the verification steps below - integrity: null, - }) - const { attestations } = await res.json() - const bundles = attestations.map(({ predicateType, bundle }) => { - const statement = JSON.parse( - Buffer.from(bundle.dsseEnvelope.payload, 'base64').toString('utf8') - ) - const keyid = bundle.dsseEnvelope.signatures[0].keyid - const signature = bundle.dsseEnvelope.signatures[0].sig - - return { - predicateType, - bundle, - statement, - keyid, - signature, - } - }) - - const attestationKeyIds = bundles.map((b) => b.keyid).filter((k) => !!k) - const attestationRegistryKeys = (this.registryKeys || []) - .filter(key => attestationKeyIds.includes(key.keyid)) - if (!attestationRegistryKeys.length) { - throw Object.assign(new Error( - `${mani._id} has attestations but no corresponding public key(s) can be found` - ), { code: 'EMISSINGSIGNATUREKEY' }) - } - - for (const { predicateType, bundle, keyid, signature, statement } of bundles) { - const publicKey = attestationRegistryKeys.find(key => key.keyid === keyid) - // Publish attestations have a keyid set and a valid public key must be found - if (keyid) { - if (!publicKey) { - throw Object.assign(new Error( - `${mani._id} has attestations with keyid: ${keyid} ` + - 'but no corresponding public key can be found' - ), { code: 'EMISSINGSIGNATUREKEY' }) - } - - const integratedTime = new Date( - Number( - bundle.verificationMaterial.tlogEntries[0].integratedTime - ) * 1000 - ) - const validPublicKey = !publicKey.expires || - (integratedTime < Date.parse(publicKey.expires)) - if (!validPublicKey) { - throw Object.assign(new Error( - `${mani._id} has attestations with keyid: ${keyid} ` + - `but the corresponding public key has expired ${publicKey.expires}` - ), { code: 'EEXPIREDSIGNATUREKEY' }) - } - } - - const subject = { - name: statement.subject[0].name, - sha512: statement.subject[0].digest.sha512, - } - - // Only type 'version' can be turned into a PURL - const purl = this.spec.type === 'version' ? npa.toPurl(this.spec) : this.spec - // Verify the statement subject matches the package, version - if (subject.name !== purl) { - throw Object.assign(new Error( - `${mani._id} package name and version (PURL): ${purl} ` + - `doesn't match what was signed: ${subject.name}` - ), { code: 'EATTESTATIONSUBJECT' }) - } - - // Verify the statement subject matches the tarball integrity - const integrityHexDigest = ssri.parse(this.integrity).hexDigest() - if (subject.sha512 !== integrityHexDigest) { - throw Object.assign(new Error( - `${mani._id} package integrity (hex digest): ` + - `${integrityHexDigest} ` + - `doesn't match what was signed: ${subject.sha512}` - ), { code: 'EATTESTATIONSUBJECT' }) - } - - try { - // Provenance attestations are signed with a signing certificate - // (including the key) so we don't need to return a public key. - // - // Publish attestations are signed with a keyid so we need to - // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys` - const options = { - tufCachePath: this.tufCache, - tufForceCache: true, - keySelector: publicKey ? () => publicKey.pemkey : undefined, - } - await sigstore.verify(bundle, options) - } catch (e) { - throw Object.assign(new Error( - `${mani._id} failed to verify attestation: ${e.message}` - ), { - code: 'EATTESTATIONVERIFY', - predicateType, - keyid, - signature, - resolved: mani._resolved, - integrity: mani._integrity, - }) - } - } - mani._attestations = dist.attestations - } else { - mani._attestations = dist.attestations - } - } - } - - this.package = mani - return this.package - } - - [_.tarballFromResolved] () { - // we use a RemoteFetcher to get the actual tarball stream - return new RemoteFetcher(this.resolved, { - ...this.opts, - resolved: this.resolved, - pkgid: `registry:${this.spec.name}@${this.resolved}`, - })[_.tarballFromResolved]() - } - - get types () { - return [ - 'tag', - 'version', - 'range', - ] - } -} -module.exports = RegistryFetcher diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/remote.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/remote.js deleted file mode 100644 index bd321e65a1f18..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/remote.js +++ /dev/null @@ -1,89 +0,0 @@ -const fetch = require('npm-registry-fetch') -const { Minipass } = require('minipass') -const Fetcher = require('./fetcher.js') -const FileFetcher = require('./file.js') -const _ = require('./util/protected.js') -const pacoteVersion = require('../package.json').version - -class RemoteFetcher extends Fetcher { - constructor (spec, opts) { - super(spec, opts) - this.resolved = this.spec.fetchSpec - const resolvedURL = new URL(this.resolved) - if (this.replaceRegistryHost !== 'never' - && (this.replaceRegistryHost === 'always' - || this.replaceRegistryHost === resolvedURL.host)) { - this.resolved = new URL(resolvedURL.pathname, this.registry).href - } - - // nam is a fermented pork sausage that is good to eat - const nameat = this.spec.name ? `${this.spec.name}@` : '' - this.pkgid = opts.pkgid ? opts.pkgid : `remote:${nameat}${this.resolved}` - } - - // Don't need to cache tarball fetches in pacote, because make-fetch-happen - // will write into cacache anyway. - get [_.cacheFetches] () { - return false - } - - [_.tarballFromResolved] () { - const stream = new Minipass() - stream.hasIntegrityEmitter = true - - const fetchOpts = { - ...this.opts, - headers: this.#headers(), - spec: this.spec, - integrity: this.integrity, - algorithms: [this.pickIntegrityAlgorithm()], - } - - // eslint-disable-next-line promise/always-return - fetch(this.resolved, fetchOpts).then(res => { - res.body.on('error', - /* istanbul ignore next - exceedingly rare and hard to simulate */ - er => stream.emit('error', er) - ) - - res.body.on('integrity', i => { - this.integrity = i - stream.emit('integrity', i) - }) - - res.body.pipe(stream) - }).catch(er => stream.emit('error', er)) - - return stream - } - - #headers () { - return { - // npm will override this, but ensure that we always send *something* - 'user-agent': this.opts.userAgent || - `pacote/${pacoteVersion} node/${process.version}`, - ...(this.opts.headers || {}), - 'pacote-version': pacoteVersion, - 'pacote-req-type': 'tarball', - 'pacote-pkg-id': this.pkgid, - ...(this.integrity ? { 'pacote-integrity': String(this.integrity) } - : {}), - ...(this.opts.headers || {}), - } - } - - get types () { - return ['remote'] - } - - // getting a packument and/or manifest is the same as with a file: spec. - // unpack the tarball stream, and then read from the package.json file. - packument () { - return FileFetcher.prototype.packument.apply(this) - } - - manifest () { - return FileFetcher.prototype.manifest.apply(this) - } -} -module.exports = RemoteFetcher diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/add-git-sha.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/add-git-sha.js deleted file mode 100644 index 843fe5b600caf..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/add-git-sha.js +++ /dev/null @@ -1,15 +0,0 @@ -// add a sha to a git remote url spec -const addGitSha = (spec, sha) => { - if (spec.hosted) { - const h = spec.hosted - const opt = { noCommittish: true } - const base = h.https && h.auth ? h.https(opt) : h.shortcut(opt) - - return `${base}#${sha}` - } else { - // don't use new URL for this, because it doesn't handle scp urls - return spec.rawSpec.replace(/#.*$/, '') + `#${sha}` - } -} - -module.exports = addGitSha diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/cache-dir.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/cache-dir.js deleted file mode 100644 index ba5683a7bb5bf..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/cache-dir.js +++ /dev/null @@ -1,15 +0,0 @@ -const { resolve } = require('node:path') -const { tmpdir, homedir } = require('node:os') - -module.exports = (fakePlatform = false) => { - const temp = tmpdir() - const uidOrPid = process.getuid ? process.getuid() : process.pid - const home = homedir() || resolve(temp, 'npm-' + uidOrPid) - const platform = fakePlatform || process.platform - const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm' - const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home - return { - cacache: resolve(cacheRoot, cacheExtra, '_cacache'), - tufcache: resolve(cacheRoot, cacheExtra, '_tuf'), - } -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/is-package-bin.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/is-package-bin.js deleted file mode 100644 index 49a3f73f537ce..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/is-package-bin.js +++ /dev/null @@ -1,25 +0,0 @@ -// Function to determine whether a path is in the package.bin set. -// Used to prevent issues when people publish a package from a -// windows machine, and then install with --no-bin-links. -// -// Note: this is not possible in remote or file fetchers, since -// we don't have the manifest until AFTER we've unpacked. But the -// main use case is registry fetching with git a distant second, -// so that's an acceptable edge case to not handle. - -const binObj = (name, bin) => - typeof bin === 'string' ? { [name]: bin } : bin - -const hasBin = (pkg, path) => { - const bin = binObj(pkg.name, pkg.bin) - const p = path.replace(/^[^\\/]*\//, '') - for (const kv of Object.entries(bin)) { - if (kv[1] === p) { - return true - } - } - return false -} - -module.exports = (pkg, path) => - pkg && pkg.bin ? hasBin(pkg, path) : false diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/npm.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/npm.js deleted file mode 100644 index a3005c255565f..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/npm.js +++ /dev/null @@ -1,14 +0,0 @@ -// run an npm command -const spawn = require('@npmcli/promise-spawn') - -module.exports = (npmBin, npmCommand, cwd, env, extra) => { - const isJS = npmBin.endsWith('.js') - const cmd = isJS ? process.execPath : npmBin - const args = (isJS ? [npmBin] : []).concat(npmCommand) - // when installing to run the `prepare` script for a git dep, we need - // to ensure that we don't run into a cycle of checking out packages - // in temp directories. this lets us link previously-seen repos that - // are also being prepared. - - return spawn(cmd, args, { cwd, env }, extra) -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/protected.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/protected.js deleted file mode 100644 index e05203b481e6a..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/protected.js +++ /dev/null @@ -1,5 +0,0 @@ -module.exports = { - cacheFetches: Symbol.for('pacote.Fetcher._cacheFetches'), - readPackageJson: Symbol.for('package.Fetcher._readPackageJson'), - tarballFromResolved: Symbol.for('pacote.Fetcher._tarballFromResolved'), -} diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/tar-create-options.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/tar-create-options.js deleted file mode 100644 index d070f0f7ba2d4..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/tar-create-options.js +++ /dev/null @@ -1,31 +0,0 @@ -const isPackageBin = require('./is-package-bin.js') - -const tarCreateOptions = manifest => ({ - cwd: manifest._resolved, - prefix: 'package/', - portable: true, - gzip: { - // forcing the level to 9 seems to avoid some - // platform specific optimizations that cause - // integrity mismatch errors due to differing - // end results after compression - level: 9, - }, - - // ensure that package bins are always executable - // Note that npm-packlist is already filtering out - // anything that is not a regular file, ignored by - // .npmignore or package.json "files", etc. - filter: (path, stat) => { - if (isPackageBin(manifest, path)) { - stat.mode |= 0o111 - } - return true - }, - - // Provide a specific date in the 1980s for the benefit of zip, - // which is confounded by files dated at the Unix epoch 0. - mtime: new Date('1985-10-26T08:15:00.000Z'), -}) - -module.exports = tarCreateOptions diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/trailing-slashes.js b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/trailing-slashes.js deleted file mode 100644 index c50cb6173b92e..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/lib/util/trailing-slashes.js +++ /dev/null @@ -1,10 +0,0 @@ -const removeTrailingSlashes = (input) => { - // in order to avoid regexp redos detection - let output = input - while (output.endsWith('/')) { - output = output.slice(0, -1) - } - return output -} - -module.exports = removeTrailingSlashes diff --git a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/package.json b/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/package.json deleted file mode 100644 index 335c7a6c87bd3..0000000000000 --- a/node_modules/@npmcli/metavuln-calculator/node_modules/pacote/package.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "name": "pacote", - "version": "20.0.0", - "description": "JavaScript package downloader", - "author": "GitHub Inc.", - "bin": { - "pacote": "bin/index.js" - }, - "license": "ISC", - "main": "lib/index.js", - "scripts": { - "test": "tap", - "snap": "tap", - "lint": "npm run eslint", - "postlint": "template-oss-check", - "lintfix": "npm run eslint -- --fix", - "posttest": "npm run lint", - "template-oss-apply": "template-oss-apply --force", - "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"" - }, - "tap": { - "timeout": 300, - "nyc-arg": [ - "--exclude", - "tap-snapshots/**" - ] - }, - "devDependencies": { - "@npmcli/arborist": "^7.1.0", - "@npmcli/eslint-config": "^5.0.0", - "@npmcli/template-oss": "4.23.3", - "hosted-git-info": "^8.0.0", - "mutate-fs": "^2.1.1", - "nock": "^13.2.4", - "npm-registry-mock": "^1.3.2", - "tap": "^16.0.1" - }, - "files": [ - "bin/", - "lib/" - ], - "keywords": [ - "packages", - "npm", - "git" - ], - "dependencies": { - "@npmcli/git": "^6.0.0", - "@npmcli/installed-package-contents": "^3.0.0", - "@npmcli/package-json": "^6.0.0", - "@npmcli/promise-spawn": "^8.0.0", - "@npmcli/run-script": "^9.0.0", - "cacache": "^19.0.0", - "fs-minipass": "^3.0.0", - "minipass": "^7.0.2", - "npm-package-arg": "^12.0.0", - "npm-packlist": "^9.0.0", - "npm-pick-manifest": "^10.0.0", - "npm-registry-fetch": "^18.0.0", - "proc-log": "^5.0.0", - "promise-retry": "^2.0.1", - "sigstore": "^3.0.0", - "ssri": "^12.0.0", - "tar": "^6.1.11" - }, - "engines": { - "node": "^18.17.0 || >=20.5.0" - }, - "repository": { - "type": "git", - "url": "git+https://github.com/npm/pacote.git" - }, - "templateOSS": { - "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.23.3", - "windowsCI": false, - "publish": "true" - } -} diff --git a/node_modules/@npmcli/metavuln-calculator/package.json b/node_modules/@npmcli/metavuln-calculator/package.json index df0b8f2f4faf1..1343b37427304 100644 --- a/node_modules/@npmcli/metavuln-calculator/package.json +++ b/node_modules/@npmcli/metavuln-calculator/package.json @@ -1,6 +1,6 @@ { "name": "@npmcli/metavuln-calculator", - "version": "8.0.1", + "version": "9.0.0", "main": "lib/index.js", "files": [ "bin/", @@ -34,23 +34,23 @@ }, "devDependencies": { "@npmcli/eslint-config": "^5.0.0", - "@npmcli/template-oss": "4.23.3", + "@npmcli/template-oss": "4.23.4", "require-inject": "^1.4.4", "tap": "^16.0.1" }, "dependencies": { "cacache": "^19.0.0", "json-parse-even-better-errors": "^4.0.0", - "pacote": "^20.0.0", + "pacote": "^21.0.0", "proc-log": "^5.0.0", "semver": "^7.3.5" }, "engines": { - "node": "^18.17.0 || >=20.5.0" + "node": "^20.17.0 || >=22.9.0" }, "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", - "version": "4.23.3", + "version": "4.23.4", "publish": "true", "ciVersions": [ "16.14.0", diff --git a/package-lock.json b/package-lock.json index 2f016a9f1e311..840c984a1b040 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2102,6 +2102,55 @@ "node": "^18.17.0 || >=20.5.0" } }, + "mock-registry/node_modules/@npmcli/metavuln-calculator": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-8.0.1.tgz", + "integrity": "sha512-WXlJx9cz3CfHSt9W9Opi1PTFc4WZLFomm5O8wekxQZmkyljrBRwATwDxfC9iOXJwYVmfiW1C1dUe0W2aN0UrSg==", + "dev": true, + "license": "ISC", + "dependencies": { + "cacache": "^19.0.0", + "json-parse-even-better-errors": "^4.0.0", + "pacote": "^20.0.0", + "proc-log": "^5.0.0", + "semver": "^7.3.5" + }, + "engines": { + "node": "^18.17.0 || >=20.5.0" + } + }, + "mock-registry/node_modules/@npmcli/metavuln-calculator/node_modules/pacote": { + "version": "20.0.0", + "resolved": "https://registry.npmjs.org/pacote/-/pacote-20.0.0.tgz", + "integrity": "sha512-pRjC5UFwZCgx9kUFDVM9YEahv4guZ1nSLqwmWiLUnDbGsjs+U5w7z6Uc8HNR1a6x8qnu5y9xtGE6D1uAuYz+0A==", + "dev": true, + "license": "ISC", + "dependencies": { + "@npmcli/git": "^6.0.0", + "@npmcli/installed-package-contents": "^3.0.0", + "@npmcli/package-json": "^6.0.0", + "@npmcli/promise-spawn": "^8.0.0", + "@npmcli/run-script": "^9.0.0", + "cacache": "^19.0.0", + "fs-minipass": "^3.0.0", + "minipass": "^7.0.2", + "npm-package-arg": "^12.0.0", + "npm-packlist": "^9.0.0", + "npm-pick-manifest": "^10.0.0", + "npm-registry-fetch": "^18.0.0", + "proc-log": "^5.0.0", + "promise-retry": "^2.0.1", + "sigstore": "^3.0.0", + "ssri": "^12.0.0", + "tar": "^6.1.11" + }, + "bin": { + "pacote": "bin/index.js" + }, + "engines": { + "node": "^18.17.0 || >=20.5.0" + } + }, "mock-registry/node_modules/npm-packlist": { "version": "9.0.0", "resolved": "https://registry.npmjs.org/npm-packlist/-/npm-packlist-9.0.0.tgz", @@ -3444,62 +3493,19 @@ } }, "node_modules/@npmcli/metavuln-calculator": { - "version": "8.0.1", - "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-8.0.1.tgz", - "integrity": "sha512-WXlJx9cz3CfHSt9W9Opi1PTFc4WZLFomm5O8wekxQZmkyljrBRwATwDxfC9iOXJwYVmfiW1C1dUe0W2aN0UrSg==", + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-9.0.0.tgz", + "integrity": "sha512-znLKqdy1ZEGNK3VB9j/RzGyb/P0BJb3fGpvEbHIAyBAXsps2l1ce8SVHfsGAFLl9s8072PxafqTn7RC8wSnQPg==", "license": "ISC", "dependencies": { "cacache": "^19.0.0", "json-parse-even-better-errors": "^4.0.0", - "pacote": "^20.0.0", + "pacote": "^21.0.0", "proc-log": "^5.0.0", "semver": "^7.3.5" }, "engines": { - "node": "^18.17.0 || >=20.5.0" - } - }, - "node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/npm-packlist/-/npm-packlist-9.0.0.tgz", - "integrity": "sha512-8qSayfmHJQTx3nJWYbbUmflpyarbLMBc6LCAjYsiGtXxDB68HaZpb8re6zeaLGxZzDuMdhsg70jryJe+RrItVQ==", - "license": "ISC", - "dependencies": { - "ignore-walk": "^7.0.0" - }, - "engines": { - "node": "^18.17.0 || >=20.5.0" - } - }, - "node_modules/@npmcli/metavuln-calculator/node_modules/pacote": { - "version": "20.0.0", - "resolved": "https://registry.npmjs.org/pacote/-/pacote-20.0.0.tgz", - "integrity": "sha512-pRjC5UFwZCgx9kUFDVM9YEahv4guZ1nSLqwmWiLUnDbGsjs+U5w7z6Uc8HNR1a6x8qnu5y9xtGE6D1uAuYz+0A==", - "license": "ISC", - "dependencies": { - "@npmcli/git": "^6.0.0", - "@npmcli/installed-package-contents": "^3.0.0", - "@npmcli/package-json": "^6.0.0", - "@npmcli/promise-spawn": "^8.0.0", - "@npmcli/run-script": "^9.0.0", - "cacache": "^19.0.0", - "fs-minipass": "^3.0.0", - "minipass": "^7.0.2", - "npm-package-arg": "^12.0.0", - "npm-packlist": "^9.0.0", - "npm-pick-manifest": "^10.0.0", - "npm-registry-fetch": "^18.0.0", - "proc-log": "^5.0.0", - "promise-retry": "^2.0.1", - "sigstore": "^3.0.0", - "ssri": "^12.0.0", - "tar": "^6.1.11" - }, - "bin": { - "pacote": "bin/index.js" - }, - "engines": { - "node": "^18.17.0 || >=20.5.0" + "node": "^20.17.0 || >=22.9.0" } }, "node_modules/@npmcli/mock-globals": { @@ -18441,7 +18447,7 @@ "@npmcli/fs": "^4.0.0", "@npmcli/installed-package-contents": "^3.0.0", "@npmcli/map-workspaces": "^4.0.1", - "@npmcli/metavuln-calculator": "^8.0.0", + "@npmcli/metavuln-calculator": "^9.0.0", "@npmcli/name-from-folder": "^3.0.0", "@npmcli/node-gyp": "^4.0.0", "@npmcli/package-json": "^6.0.1", diff --git a/workspaces/arborist/package.json b/workspaces/arborist/package.json index 814d5fdfa3740..377bcd632f349 100644 --- a/workspaces/arborist/package.json +++ b/workspaces/arborist/package.json @@ -7,7 +7,7 @@ "@npmcli/fs": "^4.0.0", "@npmcli/installed-package-contents": "^3.0.0", "@npmcli/map-workspaces": "^4.0.1", - "@npmcli/metavuln-calculator": "^8.0.0", + "@npmcli/metavuln-calculator": "^9.0.0", "@npmcli/name-from-folder": "^3.0.0", "@npmcli/node-gyp": "^4.0.0", "@npmcli/package-json": "^6.0.1",