Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: npm/pacote
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: e660b7a5d4cf91d8eb381f0fd4011ce531404b29
Choose a base ref
...
head repository: npm/pacote
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 18e760f5c438155c1b8af8aa1ffbead874732058
Choose a head ref
9 contributors
Loading
1 change: 1 addition & 0 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
@@ -7,6 +7,7 @@ updates:
directory: /
schedule:
interval: daily
target-branch: "main"
allow:
- dependency-type: direct
versioning-strategy: increase-if-necessary
29 changes: 27 additions & 2 deletions .github/settings.yml
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,27 @@
---
_extends: '.github:npm-cli/settings.yml'
# This file is automatically added by @npmcli/template-oss. Do not edit.

repository:
allow_merge_commit: false
allow_rebase_merge: true
allow_squash_merge: true
squash_merge_commit_title: PR_TITLE
squash_merge_commit_message: PR_BODY
delete_branch_on_merge: true
enable_automated_security_fixes: true
enable_vulnerability_alerts: true

branches:
- name: main
protection:
required_status_checks: null
enforce_admins: true
block_creations: true
required_pull_request_reviews:
required_approving_review_count: 1
require_code_owner_reviews: true
require_last_push_approval: true
dismiss_stale_reviews: true
restrictions:
apps: []
users: []
teams: [ "cli-team" ]
6 changes: 4 additions & 2 deletions .github/workflows/audit.yml
View file
Original file line number Diff line number Diff line change
@@ -33,5 +33,7 @@ jobs:
run: npm -v
- name: Install Dependencies
run: npm i --ignore-scripts --no-audit --no-fund --package-lock
- name: Run Audit
run: npm audit
- name: Run Production Audit
run: npm audit --omit=dev
- name: Run Full Audit
run: npm audit --audit-level=none
108 changes: 84 additions & 24 deletions .github/workflows/ci-release.yml
View file
Original file line number Diff line number Diff line change
@@ -3,6 +3,12 @@
name: CI - Release

on:
workflow_dispatch:
inputs:
ref:
required: true
type: string
default: main
workflow_call:
inputs:
ref:
@@ -21,21 +27,49 @@ jobs:
run:
shell: bash
steps:
- name: Get Workflow Job
uses: actions/github-script@v6
if: inputs.check-sha
id: check-output
env:
JOB_NAME: "Lint All"
MATRIX_NAME: ""
with:
script: |
const { owner, repo } = context.repo
const { data } = await github.rest.actions.listJobsForWorkflowRun({
owner,
repo,
run_id: context.runId,
per_page: 100
})
const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME
const job = data.jobs.find(j => j.name.endsWith(jobName))
const jobUrl = job?.html_url
const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}`
let summary = `This check is assosciated with ${shaUrl}\n\n`
if (jobUrl) {
summary += `For run logs, click here: ${jobUrl}`
} else {
summary += `Run logs could not be found for a job with name: "${jobName}"`
}
return { summary }
- name: Create Check
uses: LouisBrunner/checks-action@v1.3.1
uses: LouisBrunner/checks-action@v1.6.0
id: check

if: inputs.check-sha
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: in_progress
name: Lint All
sha: ${{ inputs.check-sha }}
# XXX: this does not work when using the default GITHUB_TOKEN.
# Instead we post the main job url to the PR as a comment which
# will link to all the other checks. To work around this we would
# need to create a GitHub that would create on-demand tokens.
# https://github.com/LouisBrunner/checks-action/issues/18
# details_url:
output: ${{ steps.check-output.outputs.result }}
- name: Checkout
uses: actions/checkout@v3
with:
@@ -59,8 +93,8 @@ jobs:
- name: Post Lint
run: npm run postlint --ignore-scripts
- name: Conclude Check
uses: LouisBrunner/checks-action@v1.3.1
if: always()
uses: LouisBrunner/checks-action@v1.6.0
if: steps.check.outputs.check_id && always()
with:
token: ${{ secrets.GITHUB_TOKEN }}
conclusion: ${{ job.status }}
@@ -80,9 +114,7 @@ jobs:
os: macos-latest
shell: bash
node-version:
- 14.17.0
- 14.x
- 16.13.0
- 16.14.0
- 16.x
- 18.0.0
- 18.x
@@ -91,21 +123,49 @@ jobs:
run:
shell: ${{ matrix.platform.shell }}
steps:
- name: Get Workflow Job
uses: actions/github-script@v6
if: inputs.check-sha
id: check-output
env:
JOB_NAME: "Test All"
MATRIX_NAME: " - ${{ matrix.platform.name }} - ${{ matrix.node-version }}"
with:
script: |
const { owner, repo } = context.repo
const { data } = await github.rest.actions.listJobsForWorkflowRun({
owner,
repo,
run_id: context.runId,
per_page: 100
})
const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME
const job = data.jobs.find(j => j.name.endsWith(jobName))
const jobUrl = job?.html_url
const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}`
let summary = `This check is assosciated with ${shaUrl}\n\n`
if (jobUrl) {
summary += `For run logs, click here: ${jobUrl}`
} else {
summary += `Run logs could not be found for a job with name: "${jobName}"`
}
return { summary }
- name: Create Check
uses: LouisBrunner/checks-action@v1.3.1
uses: LouisBrunner/checks-action@v1.6.0
id: check

if: inputs.check-sha
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: in_progress
name: Test All - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
sha: ${{ inputs.check-sha }}
# XXX: this does not work when using the default GITHUB_TOKEN.
# Instead we post the main job url to the PR as a comment which
# will link to all the other checks. To work around this we would
# need to create a GitHub that would create on-demand tokens.
# https://github.com/LouisBrunner/checks-action/issues/18
# details_url:
output: ${{ steps.check-output.outputs.result }}
- name: Checkout
uses: actions/checkout@v3
with:
@@ -141,10 +201,10 @@ jobs:
- name: Add Problem Matcher
run: echo "::add-matcher::.github/matchers/tap.json"
- name: Test
run: npm test --ignore-scripts -ws -iwr --if-present
run: npm test --ignore-scripts
- name: Conclude Check
uses: LouisBrunner/checks-action@v1.3.1
if: always()
uses: LouisBrunner/checks-action@v1.6.0
if: steps.check.outputs.check_id && always()
with:
token: ${{ secrets.GITHUB_TOKEN }}
conclusion: ${{ job.status }}
57 changes: 2 additions & 55 deletions .github/workflows/ci.yml
View file
Original file line number Diff line number Diff line change
@@ -8,62 +8,11 @@ on:
push:
branches:
- main
- latest
schedule:
# "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
- cron: "0 9 * * 1"

jobs:
engines:
name: Engines - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
if: github.repository_owner == 'npm'
strategy:
fail-fast: false
matrix:
platform:
- name: Linux
os: ubuntu-latest
shell: bash
node-version:
- 14.17.0
- 16.13.0
- 18.0.0
runs-on: ${{ matrix.platform.os }}
defaults:
run:
shell: ${{ matrix.platform.shell }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup Git User
run: |
git config --global user.email "npm-cli+bot@github.com"
git config --global user.name "npm CLI robot"
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- name: Update Windows npm
# node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows
if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.'))
run: |
curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
tar xf npm-7.5.4.tgz
cd package
node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
cd ..
rmdir /s /q package
- name: Install npm@7
if: startsWith(matrix.node-version, '10.')
run: npm i --prefer-online --no-fund --no-audit -g npm@7
- name: Install npm@latest
if: ${{ !startsWith(matrix.node-version, '10.') }}
run: npm i --prefer-online --no-fund --no-audit -g npm@latest
- name: npm Version
run: npm -v
- name: Install Dependencies
run: npm i --ignore-scripts --no-audit --no-fund --engines-strict

lint:
name: Lint
if: github.repository_owner == 'npm'
@@ -107,9 +56,7 @@ jobs:
os: macos-latest
shell: bash
node-version:
- 14.17.0
- 14.x
- 16.13.0
- 16.14.0
- 16.x
- 18.0.0
- 18.x
@@ -151,4 +98,4 @@ jobs:
- name: Add Problem Matcher
run: echo "::add-matcher::.github/matchers/tap.json"
- name: Test
run: npm test --ignore-scripts -iwr
run: npm test --ignore-scripts
2 changes: 0 additions & 2 deletions .github/workflows/codeql-analysis.yml
View file
Original file line number Diff line number Diff line change
@@ -6,11 +6,9 @@ on:
push:
branches:
- main
- latest
pull_request:
branches:
- main
- latest
schedule:
# "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
- cron: "0 10 * * 1"
16 changes: 8 additions & 8 deletions .github/workflows/post-dependabot.yml
View file
Original file line number Diff line number Diff line change
@@ -19,7 +19,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v3
with:
ref: ${{ github.ref_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: Setup Git User
run: |
git config --global user.email "npm-cli+bot@github.com"
@@ -48,11 +48,11 @@ jobs:
run: |
dependabot_dir="${{ steps.metadata.outputs.directory }}"
if [[ "$dependabot_dir" == "/" ]]; then
echo "::set-output name=workspace::-iwr"
echo "workspace=-iwr" >> $GITHUB_OUTPUT
else
# strip leading slash from directory so it works as a
# a path to the workspace flag
echo "::set-output name=workspace::-w ${dependabot_dir#/}"
echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
fi
- name: Apply Changes
@@ -61,17 +61,17 @@ jobs:
run: |
npm run template-oss-apply ${{ steps.flags.outputs.workspace }}
if [[ `git status --porcelain` ]]; then
echo "::set-output name=changes::true"
echo "changes=true" >> $GITHUB_OUTPUT
fi
# This only sets the conventional commit prefix. This workflow can't reliably determine
# what the breaking change is though. If a BREAKING CHANGE message is required then
# this PR check will fail and the commit will be amended with stafftools
if [[ "${{ steps.dependabot-metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then
if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then
prefix='feat!'
else
prefix='chore!'
prefix='chore'
fi
echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR"
echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT
# This step will fail if template-oss has made any workflow updates. It is impossible
# for a workflow to update other workflows. In the case it does fail, we continue
@@ -90,7 +90,7 @@ jobs:
# and attempt to commit and push again. This is helpful because we will have a commit
# with the correct prefix that we can then --amend with @npmcli/stafftools later.
- name: Push All Changes Except Workflows
if: steps.apply.outputs.changes && steps.push-all.outcome == 'failure'
if: steps.apply.outputs.changes && steps.push.outcome == 'failure'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
6 changes: 4 additions & 2 deletions .github/workflows/pull-request.yml
View file
Original file line number Diff line number Diff line change
@@ -41,8 +41,10 @@ jobs:
id: commit
continue-on-error: true
run: |
npx --offline commitlint -V --from origin/${{ github.base_ref }} --to ${{ github.event.pull_request.head.sha }}
npx --offline commitlint -V --from 'origin/${{ github.base_ref }}' --to ${{ github.event.pull_request.head.sha }}
- name: Run Commitlint on PR Title
if: steps.commit.outcome == 'failure'
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
echo ${{ github.event.pull_request.title }} | npx --offline commitlint -V
echo "$PR_TITLE" | npx --offline commitlint -V
Loading