Do not mutate the opts arg passed into Fetcher

This removes a footgun that occurs when the Fetcher objects update their
opts object to include the integrity when it's calculated.  That's an
appropriate thing to do with options objects passed through to subdeps
of pacote, but mutating the object as it was in the *caller* means that
passing the same options object to multiple pacote calls always results
in numerous failures.

CC: @mikemimik

Author: isaacs

lib/fetcher.js

@@ -58,7 +58,9 @@ class FetcherBase {
       ? `${this.spec.name}@${this.spec.rawSpec}` : this.spec.saveSpec
 
     this[_assertType]()
-    this.opts = opts
+    // clone the opts object so that others aren't upset when we mutate it
+    // by adding/modifying the integrity value.
+    this.opts = {...opts}
     this.cache = opts.cache || cacheDir()
     this.resolved = opts.resolved || null
 
@@ -68,7 +70,7 @@ class FetcherBase {
     this.defaultIntegrityAlgorithm = opts.defaultIntegrityAlgorithm || 'sha512'
 
     if (typeof opts.integrity === 'string')
-      opts.integrity = ssri.parse(opts.integrity)
+      this.opts.integrity = ssri.parse(opts.integrity)
 
     this.package = null
     this.type = this.constructor.name

test/fetcher.js

@@ -42,6 +42,24 @@ const Minipass = require('minipass')
 const FileFetcher = require('../lib/file.js')
 const cache = resolve(me, 'cache')
 
+t.test('do not mutate opts object passed in', t => {
+  const opts = {}
+  const f = new FileFetcher(abbrevspec, opts)
+  f.integrity = 'sha512-somekindofintegral'
+  t.strictSame(opts, {})
+  t.match(f.integrity, {
+    sha512: [
+      {
+        source: 'sha512-somekindofintegral',
+        digest: 'somekindofintegral',
+        algorithm: 'sha512',
+        options: [],
+      },
+    ],
+  })
+  t.end()
+})
+
 t.test('tarball data', t =>
   new FileFetcher(abbrevspec, { cache }).tarball()
   .then(data => {
@@ -434,7 +452,7 @@ t.test('set integrity, pick default algo', t => {
   }
   const f = new FileFetcher('pkg.tgz', opts)
   t.equal(f.pickIntegrityAlgorithm(), 'sha512')
-  t.isa(opts.integrity, Object)
+  t.isa(f.opts.integrity, Object)
   const i = f.integrity
   f.integrity = null
   t.equal(f.integrity, i, 'cannot remove integrity')