.github/dependabot.yml

@@ -7,6 +7,7 @@ updates:
     directory: /
     schedule:
       interval: daily
+    target-branch: "main"
     allow:
       - dependency-type: direct
     versioning-strategy: increase-if-necessary

.github/settings.yml

@@ -1,2 +1,27 @@
----
-_extends: '.github:npm-cli/settings.yml'
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+repository:
+  allow_merge_commit: false
+  allow_rebase_merge: true
+  allow_squash_merge: true
+  squash_merge_commit_title: PR_TITLE
+  squash_merge_commit_message: PR_BODY
+  delete_branch_on_merge: true
+  enable_automated_security_fixes: true
+  enable_vulnerability_alerts: true
+
+branches:
+  - name: main
+    protection:
+      required_status_checks: null
+      enforce_admins: true
+      block_creations: true
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        require_code_owner_reviews: true
+        require_last_push_approval: true
+        dismiss_stale_reviews: true
+      restrictions:
+        apps: []
+        users: []
+        teams: [ "cli-team" ]

.github/workflows/ci-release.yml

@@ -61,7 +61,7 @@ jobs:
 
             return { summary }
       - name: Create Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         id: check
         if: inputs.check-sha
         with:
@@ -93,7 +93,7 @@ jobs:
       - name: Post Lint
         run: npm run postlint --ignore-scripts
       - name: Conclude Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         if: steps.check.outputs.check_id && always()
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -114,9 +114,7 @@ jobs:
             os: macos-latest
             shell: bash
         node-version:
-          - 14.17.0
-          - 14.x
-          - 16.13.0
+          - 16.14.0
           - 16.x
           - 18.0.0
           - 18.x
@@ -159,7 +157,7 @@ jobs:
 
             return { summary }
       - name: Create Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         id: check
         if: inputs.check-sha
         with:
@@ -205,7 +203,7 @@ jobs:
       - name: Test
         run: npm test --ignore-scripts
       - name: Conclude Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         if: steps.check.outputs.check_id && always()
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -8,7 +8,6 @@ on:
   push:
     branches:
       - main
-      - latest
   schedule:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
@@ -57,9 +56,7 @@ jobs:
             os: macos-latest
             shell: bash
         node-version:
-          - 14.17.0
-          - 14.x
-          - 16.13.0
+          - 16.14.0
           - 16.x
           - 18.0.0
           - 18.x

.github/workflows/codeql-analysis.yml

@@ -6,11 +6,9 @@ on:
   push:
     branches:
       - main
-      - latest
   pull_request:
     branches:
       - main
-      - latest
   schedule:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"

.github/workflows/pull-request.yml

@@ -44,5 +44,7 @@ jobs:
           npx --offline commitlint -V --from 'origin/${{ github.base_ref }}' --to ${{ github.event.pull_request.head.sha }}
       - name: Run Commitlint on PR Title
         if: steps.commit.outcome == 'failure'
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo '${{ github.event.pull_request.title }}' | npx --offline commitlint -V
+          echo "$PR_TITLE" | npx --offline commitlint -V

.github/workflows/release.yml

@@ -11,8 +11,6 @@ on:
   push:
     branches:
       - main
-      - latest
-      - release/v*
 
 permissions:
   contents: write
@@ -78,7 +76,7 @@ jobs:
             let commentId = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.startsWith(body))?.id
 
             body += `Release workflow run: ${workflow.html_url}\n\n#### Force CI to Update This Release\n\n`
-            body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`main\`. `
+            body += `This PR will be updated and CI will run for every non-\`chore:\` commit that is pushed to \`${REF_NAME}\`. `
             body += `To force CI to update this PR, run this command:\n\n`
             body += `\`\`\`\ngh workflow run release.yml -r ${REF_NAME} -R ${owner}/${repo} -f release-pr=${issue_number}\n\`\`\``
 
@@ -124,7 +122,7 @@ jobs:
 
             return { summary }
       - name: Create Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         id: check
         if: steps.release.outputs.pr-sha
         with:
@@ -215,7 +213,7 @@ jobs:
 
             return { summary }
       - name: Create Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         id: check
         if: steps.commit.outputs.sha
         with:
@@ -225,7 +223,7 @@ jobs:
           sha: ${{ steps.commit.outputs.sha }}
           output: ${{ steps.check-output.outputs.result }}
       - name: Conclude Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         if: needs.release.outputs.check-id && always()
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -263,7 +261,7 @@ jobs:
           fi
           echo "result=$result" >> $GITHUB_OUTPUT
       - name: Conclude Check
-        uses: LouisBrunner/checks-action@v1.3.1
+        uses: LouisBrunner/checks-action@v1.6.0
         if: needs.update.outputs.check-id && always()
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -15,6 +15,7 @@
 !/bin/
 !/CHANGELOG*
 !/CODE_OF_CONDUCT.md
+!/CONTRIBUTING.md
 !/docs/
 !/lib/
 !/LICENSE*

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "15.1.3"
+  ".": "17.0.4"
 }

CHANGELOG.md

@@ -1,5 +1,70 @@
 # Changelog
 
+## [17.0.4](https://github.com/npm/pacote/compare/v17.0.3...v17.0.4) (2023-08-30)
+
+### Dependencies
+
+* [`ba8f790`](https://github.com/npm/pacote/commit/ba8f790ca27c753921d5cef08512705b50de12e8) [#309](https://github.com/npm/pacote/pull/309) bump @npmcli/promise-spawn from 6.0.2 to 7.0.0
+* [`2c0d3ae`](https://github.com/npm/pacote/commit/2c0d3ae6beaffcc849bebb1a45d6ba46cf3ce433) [#308](https://github.com/npm/pacote/pull/308) bump @npmcli/run-script from 6.0.2 to 7.0.0
+
+## [17.0.3](https://github.com/npm/pacote/compare/v17.0.2...v17.0.3) (2023-08-24)
+
+### Dependencies
+
+* [`ace7c28`](https://github.com/npm/pacote/commit/ace7c283c424b12ec18c9b412515fe750538f0d9) [#305](https://github.com/npm/pacote/pull/305) bump npm-packlist from 7.0.4 to 8.0.0
+
+## [17.0.2](https://github.com/npm/pacote/compare/v17.0.1...v17.0.2) (2023-08-18)
+
+### Dependencies
+
+* [`c3b892d`](https://github.com/npm/pacote/commit/c3b892db8b889e43d8f385ee1171e2e36a5b32eb) [#303](https://github.com/npm/pacote/pull/303) bump sigstore from 1.3.0 to 2.0.0
+
+## [17.0.1](https://github.com/npm/pacote/compare/v17.0.0...v17.0.1) (2023-08-15)
+
+### Dependencies
+
+* [`6ddae13`](https://github.com/npm/pacote/commit/6ddae13dd4cd346255221077d13fa534ed924f63) [#302](https://github.com/npm/pacote/pull/302) bump npm-registry-fetch from 15.0.0 to 16.0.0
+* [`42bf787`](https://github.com/npm/pacote/commit/42bf787be1af58050edd38ab599bb74021b88dbf) [#300](https://github.com/npm/pacote/pull/300) bump npm-pick-manifest from 8.0.2 to 9.0.0
+
+## [17.0.0](https://github.com/npm/pacote/compare/v16.0.0...v17.0.0) (2023-08-15)
+
+### ⚠️ BREAKING CHANGES
+
+* support for node <=16.13 has been removed
+
+### Bug Fixes
+
+* [`2db2fb5`](https://github.com/npm/pacote/commit/2db2fb520b54a3a486c92f141a86c31910a5fa73) [#296](https://github.com/npm/pacote/pull/296) drop node 16.13.x support (@lukekarrys)
+
+### Dependencies
+
+* [`e9e964b`](https://github.com/npm/pacote/commit/e9e964b5facbf4eb1229ec17e9da3ebeaffc7fe0) [#299](https://github.com/npm/pacote/pull/299) bump read-package-json from 6.0.4 to 7.0.0
+* [`5d26500`](https://github.com/npm/pacote/commit/5d26500d32bc379a26c42b7e107c9bb28dac5389) [#298](https://github.com/npm/pacote/pull/298) bump npm-package-arg from 10.1.0 to 11.0.0
+* [`d13bb9c`](https://github.com/npm/pacote/commit/d13bb9c5f174f38c419bb9701efe1bd9eef27a91) [#294](https://github.com/npm/pacote/pull/294) bump @npmcli/git from 4.1.0 to 5.0.0
+* [`7a25e39`](https://github.com/npm/pacote/commit/7a25e396b6ca6a54da9724726e1da4fdd5a95ea5) [#293](https://github.com/npm/pacote/pull/293) bump cacache from 17.1.4 to 18.0.0
+
+## [16.0.0](https://github.com/npm/pacote/compare/v15.2.0...v16.0.0) (2023-07-28)
+
+### ⚠️ BREAKING CHANGES
+
+* the underlying fetch module now uses `@npmcli/agent`. Backwards compatibility should be fully implemented but due to the scope of this change it was made a breaking change out of an abundance of caution.
+* support for node 14 has been removed
+
+### Bug Fixes
+
+* [`73b6297`](https://github.com/npm/pacote/commit/73b62976054951b683a5c4c5f511d39f818641e4) [#290](https://github.com/npm/pacote/pull/290) drop node14 support (#290) (@wraithgar)
+
+### Dependencies
+
+* [`8dc6a32`](https://github.com/npm/pacote/commit/8dc6a32a22d76028f9802fbe8920ec0911d3981a) bump minipass from 5.0.0 to 7.0.2
+* [`7cebf19`](https://github.com/npm/pacote/commit/7cebf194afb45e6aa8d44150b94984c75a3a5e08) bump npm-registry-fetch from 14.0.5 to 15.0.0
+
+## [15.2.0](https://github.com/npm/pacote/compare/v15.1.3...v15.2.0) (2023-05-03)
+
+### Features
+
+* [`3307ad9`](https://github.com/npm/pacote/commit/3307ad9c1600b6a60b2250c2239240ac41fc7b07) [#278](https://github.com/npm/pacote/pull/278) configurable TUF cache dir (#278) (@bdehamer)
+
 ## [15.1.3](https://github.com/npm/pacote/compare/v15.1.2...v15.1.3) (2023-04-27)
 
 ### Dependencies

CONTRIBUTING.md

@@ -0,0 +1,50 @@
+<!-- This file is automatically added by @npmcli/template-oss. Do not edit. -->
+
+# Contributing
+
+## Code of Conduct
+
+All interactions in the **npm** organization on GitHub are considered to be covered by our standard [Code of Conduct](https://docs.npmjs.com/policies/conduct).
+
+## Reporting Bugs
+
+Before submitting a new bug report please search for an existing or similar report.
+
+Use one of our existing issue templates if you believe you've come across a unique problem.
+
+Duplicate issues, or issues that don't use one of our templates may get closed without a response.
+
+## Pull Request Conventions
+
+### Commits
+
+We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).
+
+When opening a pull request please be sure that either the pull request title, or each commit in the pull request, has one of the following prefixes:
+
+ - `feat`: For when introducing a new feature.  The result will be a new semver minor version of the package when it is next published.
+ - `fix`: For bug fixes. The result will be a new semver patch version of the package when it is next published.
+ - `docs`: For documentation updates.  The result will be a new semver patch version of the package when it is next published.
+ - `chore`: For changes that do not affect the published module.  Often these are changes to tests.  The result will be *no* change to the version of the package when it is next published (as the commit does not affect the published version).
+
+### Test Coverage
+
+Pull requests made against this repo will run `npm test` automatically.  Please make sure tests pass locally before submitting a PR.
+
+Every new feature or bug fix should come with a corresponding test or tests that validate the solutions. Testing also reports on code coverage and will fail if code coverage drops.
+
+### Linting
+
+Linting is also done automatically once tests pass.  `npm run lintfix` will fix most linting errors automatically.
+
+Please make sure linting passes before submitting a PR.
+
+## What _not_ to contribute?
+
+### Dependencies
+
+It should be noted that our team does not accept third-party dependency updates/PRs.  If you submit a PR trying to update our dependencies we will close it with or without a reference to these contribution guidelines.
+
+### Tools/Automation
+
+Our core team is responsible for the maintenance of the tooling/automation in this project and we ask contributors to not make changes to these when contributing (e.g. `.github/*`, `.eslintrc.json`, `.licensee.json`).  Most of those files also have a header at the top to remind folks they are automatically generated.  Pull requests that alter these will not be accepted.

README.md

@@ -175,6 +175,9 @@ resolved, and other properties, as they are determined.
 * `verifyAttestations` A boolean that will make pacote verify Sigstore
     attestations, if present. There must be a configured `_keys` entry in the
     config that is scoped to the registry the manifest is being fetched from.
+* `tufCache` Where to store metadata/target files when retrieving the package
+  attestation key material via TUF. Defaults to the same cache directory that
+  npm will use by default, based on platform and environment.
 
 ### Advanced API
 

lib/fetcher.js

@@ -61,7 +61,8 @@ class FetcherBase {
     // by adding/modifying the integrity value.
     this.opts = { ...opts }
 
-    this.cache = opts.cache || cacheDir()
+    this.cache = opts.cache || cacheDir().cacache
+    this.tufCache = opts.tufCache || cacheDir().tufcache
     this.resolved = opts.resolved || null
 
     // default to caching/verifying with sha512, that's what we usually have

lib/registry.js

@@ -8,7 +8,7 @@ const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
 const crypto = require('crypto')
 const npa = require('npm-package-arg')
-const { sigstore } = require('sigstore')
+const sigstore = require('sigstore')
 
 // Corgis are cute. 🐕🐶
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
@@ -295,8 +295,11 @@ class RegistryFetcher extends Fetcher {
               //
               // Publish attestations are signed with a keyid so we need to
               // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
-              const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined }
-              await sigstore.verify(bundle, null, options)
+              const options = {
+                tufCachePath: this.tufCache,
+                keySelector: publicKey ? () => publicKey.pemkey : undefined,
+              }
+              await sigstore.verify(bundle, options)
             } catch (e) {
               throw Object.assign(new Error(
                 `${mani._id} failed to verify attestation: ${e.message}`

lib/util/cache-dir.js

@@ -8,5 +8,8 @@ module.exports = (fakePlatform = false) => {
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
   const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
-  return resolve(cacheRoot, cacheExtra, '_cacache')
+  return {
+    cacache: resolve(cacheRoot, cacheExtra, '_cacache'),
+    tufcache: resolve(cacheRoot, cacheExtra, '_tuf'),
+  }
 }