deps: pacote@13.6.1

Author: nlf

node_modules/pacote/node_modules/@npmcli/run-script/LICENSE

@@ -0,0 +1,15 @@
+The ISC License
+
+Copyright (c) npm, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

node_modules/pacote/node_modules/@npmcli/run-script/lib/escape.js

@@ -0,0 +1,67 @@
+'use strict'
+
+// eslint-disable-next-line max-len
+// this code adapted from: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
+const cmd = (input) => {
+  if (!input.length) {
+    return '""'
+  }
+
+  let result
+  if (!/[ \t\n\v"]/.test(input)) {
+    result = input
+  } else {
+    result = '"'
+    for (let i = 0; i <= input.length; ++i) {
+      let slashCount = 0
+      while (input[i] === '\\') {
+        ++i
+        ++slashCount
+      }
+
+      if (i === input.length) {
+        result += '\\'.repeat(slashCount * 2)
+        break
+      }
+
+      if (input[i] === '"') {
+        result += '\\'.repeat(slashCount * 2 + 1)
+        result += input[i]
+      } else {
+        result += '\\'.repeat(slashCount)
+        result += input[i]
+      }
+    }
+    result += '"'
+  }
+
+  // and finally, prefix shell meta chars with a ^
+  result = result.replace(/[!^&()<>|"]/g, '^$&')
+  // except for % which is escaped with another %
+  result = result.replace(/%/g, '%%')
+
+  return result
+}
+
+const sh = (input) => {
+  if (!input.length) {
+    return `''`
+  }
+
+  if (!/[\t\n\r "#$&'()*;<>?\\`|~]/.test(input)) {
+    return input
+  }
+
+  // replace single quotes with '\'' and wrap the whole result in a fresh set of quotes
+  const result = `'${input.replace(/'/g, `'\\''`)}'`
+    // if the input string already had single quotes around it, clean those up
+    .replace(/^(?:'')+(?!$)/, '')
+    .replace(/\\'''/g, `\\'`)
+
+  return result
+}
+
+module.exports = {
+  cmd,
+  sh,
+}

node_modules/pacote/node_modules/@npmcli/run-script/lib/is-server-package.js

@@ -0,0 +1,12 @@
+const util = require('util')
+const fs = require('fs')
+const { stat } = fs.promises || { stat: util.promisify(fs.stat) }
+const { resolve } = require('path')
+module.exports = async path => {
+  try {
+    const st = await stat(resolve(path, 'server.js'))
+    return st.isFile()
+  } catch (er) {
+    return false
+  }
+}

node_modules/pacote/node_modules/@npmcli/run-script/lib/is-windows.js

@@ -0,0 +1,2 @@
+const platform = process.env.__FAKE_TESTING_PLATFORM__ || process.platform
+module.exports = platform === 'win32'

node_modules/pacote/node_modules/@npmcli/run-script/lib/make-spawn-args.js

@@ -0,0 +1,68 @@
+/* eslint camelcase: "off" */
+const isWindows = require('./is-windows.js')
+const setPATH = require('./set-path.js')
+const { chmodSync: chmod, unlinkSync: unlink, writeFileSync: writeFile } = require('fs')
+const { tmpdir } = require('os')
+const { resolve } = require('path')
+const which = require('which')
+const npm_config_node_gyp = require.resolve('node-gyp/bin/node-gyp.js')
+const escape = require('./escape.js')
+
+const makeSpawnArgs = options => {
+  const {
+    event,
+    path,
+    scriptShell = isWindows ? process.env.ComSpec || 'cmd' : 'sh',
+    env = {},
+    stdio,
+    cmd,
+    args = [],
+    stdioString = false,
+  } = options
+
+  let scriptFile
+  let script = ''
+  const isCmd = /(?:^|\\)cmd(?:\.exe)?$/i.test(scriptShell)
+  if (isCmd) {
+    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+    script += '@echo off\n'
+    script += `${cmd} ${args.map((arg) => escape.cmd(arg)).join(' ')}`
+  } else {
+    const shellPath = which.sync(scriptShell)
+    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+    script += `#!${shellPath}\n`
+    script += `${cmd} ${args.map((arg) => escape.sh(arg)).join(' ')}`
+  }
+  writeFile(scriptFile, script)
+  if (!isCmd) {
+    chmod(scriptFile, '0775')
+  }
+  const spawnArgs = isCmd ? ['/d', '/s', '/c', scriptFile] : ['-c', scriptFile]
+
+  const spawnOpts = {
+    env: setPATH(path, {
+      // we need to at least save the PATH environment var
+      ...process.env,
+      ...env,
+      npm_package_json: resolve(path, 'package.json'),
+      npm_lifecycle_event: event,
+      npm_lifecycle_script: cmd,
+      npm_config_node_gyp,
+    }),
+    stdioString,
+    stdio,
+    cwd: path,
+    ...(isCmd ? { windowsVerbatimArguments: true } : {}),
+  }
+
+  const cleanup = () => {
+    // delete the script, this is just a best effort
+    try {
+      unlink(scriptFile)
+    } catch (err) {}
+  }
+
+  return [scriptShell, spawnArgs, spawnOpts, cleanup]
+}
+
+module.exports = makeSpawnArgs

node_modules/pacote/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp

@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+node "$npm_config_node_gyp" "$@"

node_modules/pacote/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp.cmd

@@ -0,0 +1 @@
+@node "%npm_config_node_gyp%" %*

node_modules/pacote/node_modules/@npmcli/run-script/lib/package-envs.js

@@ -0,0 +1,26 @@
+// https://github.com/npm/rfcs/pull/183
+
+const envVal = val => Array.isArray(val) ? val.map(v => envVal(v)).join('\n\n')
+  : val === null || val === false ? ''
+  : String(val)
+
+const packageEnvs = (env, vals, prefix) => {
+  for (const [key, val] of Object.entries(vals)) {
+    if (val === undefined) {
+      continue
+    } else if (val && !Array.isArray(val) && typeof val === 'object') {
+      packageEnvs(env, val, `${prefix}${key}_`)
+    } else {
+      env[`${prefix}${key}`] = envVal(val)
+    }
+  }
+  return env
+}
+
+module.exports = (env, pkg) => packageEnvs({ ...env }, {
+  name: pkg.name,
+  version: pkg.version,
+  config: pkg.config,
+  engines: pkg.engines,
+  bin: pkg.bin,
+}, 'npm_package_')

node_modules/pacote/node_modules/@npmcli/run-script/lib/run-script-pkg.js

@@ -0,0 +1,97 @@
+const makeSpawnArgs = require('./make-spawn-args.js')
+const promiseSpawn = require('@npmcli/promise-spawn')
+const packageEnvs = require('./package-envs.js')
+const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp')
+const signalManager = require('./signal-manager.js')
+const isServerPackage = require('./is-server-package.js')
+
+// you wouldn't like me when I'm angry...
+const bruce = (id, event, cmd) =>
+  `\n> ${id ? id + ' ' : ''}${event}\n> ${cmd.trim().replace(/\n/g, '\n> ')}\n`
+
+const runScriptPkg = async options => {
+  const {
+    event,
+    path,
+    scriptShell,
+    env = {},
+    stdio = 'pipe',
+    pkg,
+    args = [],
+    stdioString = false,
+    // note: only used when stdio:inherit
+    banner = true,
+    // how long to wait for a process.kill signal
+    // only exposed here so that we can make the test go a bit faster.
+    signalTimeout = 500,
+  } = options
+
+  const { scripts = {}, gypfile } = pkg
+  let cmd = null
+  if (options.cmd) {
+    cmd = options.cmd
+  } else if (pkg.scripts && pkg.scripts[event]) {
+    cmd = pkg.scripts[event]
+  } else if (
+    // If there is no preinstall or install script, default to rebuilding node-gyp packages.
+    event === 'install' &&
+    !scripts.install &&
+    !scripts.preinstall &&
+    gypfile !== false &&
+    await isNodeGypPackage(path)
+  ) {
+    cmd = defaultGypInstallScript
+  } else if (event === 'start' && await isServerPackage(path)) {
+    cmd = 'node server.js'
+  }
+
+  if (!cmd) {
+    return { code: 0, signal: null }
+  }
+
+  if (stdio === 'inherit' && banner !== false) {
+    // we're dumping to the parent's stdout, so print the banner
+    console.log(bruce(pkg._id, event, cmd))
+  }
+
+  const [spawnShell, spawnArgs, spawnOpts, cleanup] = makeSpawnArgs({
+    event,
+    path,
+    scriptShell,
+    env: packageEnvs(env, pkg),
+    stdio,
+    cmd,
+    args,
+    stdioString,
+  })
+
+  const p = promiseSpawn(spawnShell, spawnArgs, spawnOpts, {
+    event,
+    script: cmd,
+    pkgid: pkg._id,
+    path,
+  })
+
+  if (stdio === 'inherit') {
+    signalManager.add(p.process)
+  }
+
+  if (p.stdin) {
+    p.stdin.end()
+  }
+
+  return p.catch(er => {
+    const { signal } = er
+    if (stdio === 'inherit' && signal) {
+      process.kill(process.pid, signal)
+      // just in case we don't die, reject after 500ms
+      // this also keeps the node process open long enough to actually
+      // get the signal, rather than terminating gracefully.
+      return new Promise((res, rej) => setTimeout(() => rej(er), signalTimeout))
+    } else {
+      throw er
+    }
+  }).finally(cleanup)
+}
+
+module.exports = runScriptPkg

node_modules/pacote/node_modules/@npmcli/run-script/lib/run-script.js

@@ -0,0 +1,14 @@
+const rpj = require('read-package-json-fast')
+const runScriptPkg = require('./run-script-pkg.js')
+const validateOptions = require('./validate-options.js')
+const isServerPackage = require('./is-server-package.js')
+
+const runScript = options => {
+  validateOptions(options)
+  const { pkg, path } = options
+  return pkg ? runScriptPkg(options)
+    : rpj(path + '/package.json')
+      .then(readPackage => runScriptPkg({ ...options, pkg: readPackage }))
+}
+
+module.exports = Object.assign(runScript, { isServerPackage })

node_modules/pacote/node_modules/@npmcli/run-script/lib/set-path.js

@@ -0,0 +1,45 @@
+const { resolve, dirname } = require('path')
+const isWindows = require('./is-windows.js')
+// the path here is relative, even though it does not need to be
+// in order to make the posix tests pass in windows
+const nodeGypPath = resolve(__dirname, '../lib/node-gyp-bin')
+
+// Windows typically calls its PATH environ 'Path', but this is not
+// guaranteed, nor is it guaranteed to be the only one.  Merge them
+// all together in the order they appear in the object.
+const setPATH = (projectPath, env) => {
+  // not require('path').delimiter, because we fake this for testing
+  const delimiter = isWindows ? ';' : ':'
+  const PATH = Object.keys(env).filter(p => /^path$/i.test(p) && env[p])
+    .map(p => env[p].split(delimiter))
+    .reduce((set, p) => set.concat(p.filter(concatted => !set.includes(concatted))), [])
+    .join(delimiter)
+
+  const pathArr = []
+  // unshift the ./node_modules/.bin from every folder
+  // walk up until dirname() does nothing, at the root
+  // XXX should we specify a cwd that we don't go above?
+  let p = projectPath
+  let pp
+  do {
+    pathArr.push(resolve(p, 'node_modules', '.bin'))
+    pp = p
+    p = dirname(p)
+  } while (p !== pp)
+  pathArr.push(nodeGypPath, PATH)
+
+  const pathVal = pathArr.join(delimiter)
+
+  // XXX include the node-gyp-bin path somehow?  Probably better for
+  // npm or arborist or whoever to just provide that by putting it in
+  // the PATH environ, since that's preserved anyway.
+  for (const key of Object.keys(env)) {
+    if (/^path$/i.test(key)) {
+      env[key] = pathVal
+    }
+  }
+
+  return env
+}
+
+module.exports = setPATH

package.json

@@ -107,7 +107,7 @@
     "npm-user-validate": "^1.0.1",
     "npmlog": "^6.0.2",
     "opener": "^1.5.2",
-    "pacote": "^13.6.0",
+    "pacote": "^13.6.1",
     "parse-conflict-json": "^2.0.2",
     "proc-log": "^2.0.1",
     "qrcode-terminal": "^0.12.0",

workspaces/arborist/package.json

@@ -25,7 +25,7 @@
     "npm-pick-manifest": "^7.0.0",
     "npm-registry-fetch": "^13.0.0",
     "npmlog": "^6.0.2",
-    "pacote": "^13.0.5",
+    "pacote": "^13.6.1",
     "parse-conflict-json": "^2.0.1",
     "proc-log": "^2.0.0",
     "promise-all-reject-late": "^1.0.0",

workspaces/libnpmdiff/package.json

@@ -56,7 +56,7 @@
     "diff": "^5.0.0",
     "minimatch": "^5.0.1",
     "npm-package-arg": "^9.0.1",
-    "pacote": "^13.0.5",
+    "pacote": "^13.6.1",
     "tar": "^6.1.0"
   },
   "templateOSS": {

workspaces/libnpmexec/package.json

@@ -62,7 +62,7 @@
     "mkdirp-infer-owner": "^2.0.0",
     "npm-package-arg": "^9.0.1",
     "npmlog": "^6.0.2",
-    "pacote": "^13.0.5",
+    "pacote": "^13.6.1",
     "proc-log": "^2.0.0",
     "read": "^1.0.7",
     "read-package-json-fast": "^2.0.2",

workspaces/libnpmpack/package.json

@@ -40,7 +40,7 @@
   "dependencies": {
     "@npmcli/run-script": "^3.0.0",
     "npm-package-arg": "^9.0.1",
-    "pacote": "^13.5.0"
+    "pacote": "^13.6.1"
   },
   "engines": {
     "node": "^12.13.0 || ^14.15.0 || >=16.0.0"