deps!: [email protected]

BREAKING CHANGE: `bun.lockb` files are now included in the strict ignore list during packing

Author: wraithgar

mock-registry/package.json

@@ -52,7 +52,7 @@
     "json-stringify-safe": "^5.0.1",
     "nock": "^13.3.3",
     "npm-package-arg": "^12.0.0",
-    "pacote": "^20.0.0",
+    "pacote": "^21.0.0",
     "tap": "^16.3.8"
   }
 }

node_modules/.gitignore

@@ -22,6 +22,10 @@
 !/@npmcli/installed-package-contents
 !/@npmcli/map-workspaces
 !/@npmcli/metavuln-calculator
+!/@npmcli/metavuln-calculator/node_modules/
+/@npmcli/metavuln-calculator/node_modules/*
+!/@npmcli/metavuln-calculator/node_modules/npm-packlist
+!/@npmcli/metavuln-calculator/node_modules/pacote
 !/@npmcli/name-from-folder
 !/@npmcli/node-gyp
 !/@npmcli/package-json
@@ -175,6 +179,7 @@
 !/npm-install-checks
 !/npm-normalize-package-bin
 !/npm-package-arg
+!/npm-packlist
 !/npm-pick-manifest
 !/npm-profile
 !/npm-registry-fetch
@@ -185,9 +190,6 @@
 !/p-map
 !/package-json-from-dist
 !/pacote
-!/pacote/node_modules/
-/pacote/node_modules/*
-!/pacote/node_modules/npm-packlist
 !/parse-conflict-json
 !/path-key
 !/path-scurry

node_modules/pacote/node_modules/npm-packlist/LICENSE node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/LICENSE

@@ -0,0 +1,15 @@
+The ISC License
+
+Copyright (c) Isaac Z. Schlueter, Kat Marchán, npm, Inc., and Contributors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

node_modules/pacote/node_modules/npm-packlist/lib/index.js node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/lib/index.js

@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+
+const run = conf => {
+  const pacote = require('../')
+  switch (conf._[0]) {
+    case 'resolve':
+    case 'manifest':
+    case 'packument':
+      if (conf._[0] === 'resolve' && conf.long) {
+        return pacote.manifest(conf._[1], conf).then(mani => ({
+          resolved: mani._resolved,
+          integrity: mani._integrity,
+          from: mani._from,
+        }))
+      }
+      return pacote[conf._[0]](conf._[1], conf)
+
+    case 'tarball':
+      if (!conf._[2] || conf._[2] === '-') {
+        return pacote.tarball.stream(conf._[1], stream => {
+          stream.pipe(
+            conf.testStdout ||
+            /* istanbul ignore next */
+            process.stdout
+          )
+          // make sure it resolves something falsey
+          return stream.promise().then(() => {
+            return false
+          })
+        }, conf)
+      } else {
+        return pacote.tarball.file(conf._[1], conf._[2], conf)
+      }
+
+    case 'extract':
+      return pacote.extract(conf._[1], conf._[2], conf)
+
+    default: /* istanbul ignore next */ {
+      throw new Error(`bad command: ${conf._[0]}`)
+    }
+  }
+}
+
+const version = require('../package.json').version
+const usage = () =>
+`Pacote - The JavaScript Package Handler, v${version}
+
+Usage:
+
+  pacote resolve <spec>
+    Resolve a specifier and output the fully resolved target
+    Returns integrity and from if '--long' flag is set.
+
+  pacote manifest <spec>
+    Fetch a manifest and print to stdout
+
+  pacote packument <spec>
+    Fetch a full packument and print to stdout
+
+  pacote tarball <spec> [<filename>]
+    Fetch a package tarball and save to <filename>
+    If <filename> is missing or '-', the tarball will be streamed to stdout.
+
+  pacote extract <spec> <folder>
+    Extract a package to the destination folder.
+
+Configuration values all match the names of configs passed to npm, or
+options passed to Pacote.  Additional flags for this executable:
+
+  --long     Print an object from 'resolve', including integrity and spec.
+  --json     Print result objects as JSON rather than node's default.
+             (This is the default if stdout is not a TTY.)
+  --help -h  Print this helpful text.
+
+For example '--cache=/path/to/folder' will use that folder as the cache.
+`
+
+const shouldJSON = (conf, result) =>
+  conf.json ||
+  !process.stdout.isTTY &&
+  conf.json === undefined &&
+  result &&
+  typeof result === 'object'
+
+const pretty = (conf, result) =>
+  shouldJSON(conf, result) ? JSON.stringify(result, 0, 2) : result
+
+let addedLogListener = false
+const main = args => {
+  const conf = parse(args)
+  if (conf.help || conf.h) {
+    return console.log(usage())
+  }
+
+  if (!addedLogListener) {
+    process.on('log', console.error)
+    addedLogListener = true
+  }
+
+  try {
+    return run(conf)
+      .then(result => result && console.log(pretty(conf, result)))
+      .catch(er => {
+        console.error(er)
+        process.exit(1)
+      })
+  } catch (er) {
+    console.error(er.message)
+    console.error(usage())
+  }
+}
+
+const parseArg = arg => {
+  const split = arg.slice(2).split('=')
+  const k = split.shift()
+  const v = split.join('=')
+  const no = /^no-/.test(k) && !v
+  const key = (no ? k.slice(3) : k)
+    .replace(/^tag$/, 'defaultTag')
+    .replace(/-([a-z])/g, (_, c) => c.toUpperCase())
+  const value = v ? v.replace(/^~/, process.env.HOME) : !no
+  return { key, value }
+}
+
+const parse = args => {
+  const conf = {
+    _: [],
+    cache: process.env.HOME + '/.npm/_cacache',
+  }
+  let dashdash = false
+  args.forEach(arg => {
+    if (dashdash) {
+      conf._.push(arg)
+    } else if (arg === '--') {
+      dashdash = true
+    } else if (arg === '-h') {
+      conf.help = true
+    } else if (/^--/.test(arg)) {
+      const { key, value } = parseArg(arg)
+      conf[key] = value
+    } else {
+      conf._.push(arg)
+    }
+  })
+  return conf
+}
+
+if (module === require.main) {
+  main(process.argv.slice(2))
+} else {
+  module.exports = {
+    main,
+    run,
+    usage,
+    parseArg,
+    parse,
+  }
+}

node_modules/pacote/node_modules/npm-packlist/package.json node_modules/@npmcli/metavuln-calculator/node_modules/npm-packlist/package.json

@@ -0,0 +1,105 @@
+const { resolve } = require('node:path')
+const packlist = require('npm-packlist')
+const runScript = require('@npmcli/run-script')
+const tar = require('tar')
+const { Minipass } = require('minipass')
+const Fetcher = require('./fetcher.js')
+const FileFetcher = require('./file.js')
+const _ = require('./util/protected.js')
+const tarCreateOptions = require('./util/tar-create-options.js')
+
+class DirFetcher extends Fetcher {
+  constructor (spec, opts) {
+    super(spec, opts)
+    // just the fully resolved filename
+    this.resolved = this.spec.fetchSpec
+
+    this.tree = opts.tree || null
+    this.Arborist = opts.Arborist || null
+  }
+
+  // exposes tarCreateOptions as public API
+  static tarCreateOptions (manifest) {
+    return tarCreateOptions(manifest)
+  }
+
+  get types () {
+    return ['directory']
+  }
+
+  #prepareDir () {
+    return this.manifest().then(mani => {
+      if (!mani.scripts || !mani.scripts.prepare) {
+        return
+      }
+      if (this.opts.ignoreScripts) {
+        return
+      }
+
+      // we *only* run prepare.
+      // pre/post-pack is run by the npm CLI for publish and pack,
+      // but this function is *also* run when installing git deps
+      const stdio = this.opts.foregroundScripts ? 'inherit' : 'pipe'
+
+      return runScript({
+        // this || undefined is because runScript will be unhappy with the default null value
+        scriptShell: this.opts.scriptShell || undefined,
+        pkg: mani,
+        event: 'prepare',
+        path: this.resolved,
+        stdio,
+        env: {
+          npm_package_resolved: this.resolved,
+          npm_package_integrity: this.integrity,
+          npm_package_json: resolve(this.resolved, 'package.json'),
+        },
+      })
+    })
+  }
+
+  [_.tarballFromResolved] () {
+    if (!this.tree && !this.Arborist) {
+      throw new Error('DirFetcher requires either a tree or an Arborist constructor to pack')
+    }
+
+    const stream = new Minipass()
+    stream.resolved = this.resolved
+    stream.integrity = this.integrity
+
+    const { prefix, workspaces } = this.opts
+
+    // run the prepare script, get the list of files, and tar it up
+    // pipe to the stream, and proxy errors the chain.
+    this.#prepareDir()
+      .then(async () => {
+        if (!this.tree) {
+          const arb = new this.Arborist({ path: this.resolved })
+          this.tree = await arb.loadActual()
+        }
+        return packlist(this.tree, { path: this.resolved, prefix, workspaces })
+      })
+      .then(files => tar.c(tarCreateOptions(this.package), files)
+        .on('error', er => stream.emit('error', er)).pipe(stream))
+      .catch(er => stream.emit('error', er))
+    return stream
+  }
+
+  manifest () {
+    if (this.package) {
+      return Promise.resolve(this.package)
+    }
+
+    return this[_.readPackageJson](this.resolved)
+      .then(mani => this.package = {
+        ...mani,
+        _integrity: this.integrity && String(this.integrity),
+        _resolved: this.resolved,
+        _from: this.from,
+      })
+  }
+
+  packument () {
+    return FileFetcher.prototype.packument.apply(this)
+  }
+}
+module.exports = DirFetcher