Skip to content

Commit

Permalink
deps: pacote@17.0.5
Browse files Browse the repository at this point in the history
  • Loading branch information
wraithgar committed Dec 6, 2023
1 parent 2e5331c commit 53aa8f2
Show file tree
Hide file tree
Showing 4 changed files with 37 additions and 19 deletions.
32 changes: 28 additions & 4 deletions node_modules/pacote/lib/registry.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ const sigstore = require('sigstore')
const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
const fullDoc = 'application/json'

// Some really old packages have no time field in their packument so we need a
// cutoff date.
const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'

const fetch = require('npm-registry-fetch')

const _headers = Symbol('_headers')
Expand Down Expand Up @@ -115,6 +119,13 @@ class RegistryFetcher extends Fetcher {
return this.package
}

// When verifying signatures, we need to fetch the full/uncompressed
// packument to get publish time as this is not included in the
// corgi/compressed packument.
if (this.opts.verifySignatures) {
this.fullMetadata = true
}

const packument = await this.packument()
let mani = await pickManifest(packument, this.spec.fetchSpec, {
...this.opts,
Expand All @@ -124,6 +135,12 @@ class RegistryFetcher extends Fetcher {
mani = rpj.normalize(mani)
/* XXX add ETARGET and E403 revalidation of cached packuments here */

// add _time from packument if fetched with fullMetadata
const time = packument.time?.[mani.version]
if (time) {
mani._time = time
}

// add _resolved and _integrity from dist object
const { dist } = mani
if (dist) {
Expand Down Expand Up @@ -171,8 +188,10 @@ class RegistryFetcher extends Fetcher {
'but no corresponding public key can be found'
), { code: 'EMISSINGSIGNATUREKEY' })
}
const validPublicKey =
!publicKey.expires || (Date.parse(publicKey.expires) > Date.now())

const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF)
const validPublicKey = !publicKey.expires ||
publishedTime < Date.parse(publicKey.expires)
if (!validPublicKey) {
throw Object.assign(new Error(
`${mani._id} has a registry signature with keyid: ${signature.keyid} ` +
Expand Down Expand Up @@ -254,8 +273,13 @@ class RegistryFetcher extends Fetcher {
), { code: 'EMISSINGSIGNATUREKEY' })
}

const validPublicKey =
!publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
const integratedTime = new Date(
Number(
bundle.verificationMaterial.tlogEntries[0].integratedTime
) * 1000
)
const validPublicKey = !publicKey.expires ||
(integratedTime < Date.parse(publicKey.expires))
if (!validPublicKey) {
throw Object.assign(new Error(
`${mani._id} has attestations with keyid: ${keyid} ` +
Expand Down
14 changes: 4 additions & 10 deletions node_modules/pacote/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "pacote",
"version": "17.0.4",
"version": "17.0.5",
"description": "JavaScript package downloader",
"author": "GitHub Inc.",
"bin": {
Expand All @@ -25,9 +25,9 @@
]
},
"devDependencies": {
"@npmcli/arborist": "^6.0.0 || ^6.0.0-pre.0",
"@npmcli/arborist": "^7.1.0",
"@npmcli/eslint-config": "^4.0.0",
"@npmcli/template-oss": "4.18.0",
"@npmcli/template-oss": "4.19.0",
"hosted-git-info": "^7.0.0",
"mutate-fs": "^2.1.1",
"nock": "^13.2.4",
Expand Down Expand Up @@ -72,13 +72,7 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"ciVersions": [
"16.14.0",
"16.x",
"18.0.0",
"18.x"
],
"version": "4.18.0",
"version": "4.19.0",
"windowsCI": false,
"publish": "true"
}
Expand Down
8 changes: 4 additions & 4 deletions package-lock.json
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@
"npm-user-validate": "^2.0.0",
"npmlog": "^7.0.1",
"p-map": "^4.0.0",
"pacote": "^17.0.4",
"pacote": "^17.0.5",
"parse-conflict-json": "^3.0.1",
"proc-log": "^3.0.0",
"qrcode-terminal": "^0.12.0",
Expand Down Expand Up @@ -12471,9 +12471,9 @@
}
},
"node_modules/pacote": {
"version": "17.0.4",
"resolved": "https://registry.npmjs.org/pacote/-/pacote-17.0.4.tgz",
"integrity": "sha512-eGdLHrV/g5b5MtD5cTPyss+JxOlaOloSMG3UwPMAvL8ywaLJ6beONPF40K4KKl/UI6q5hTKCJq5rCu8tkF+7Dg==",
"version": "17.0.5",
"resolved": "https://registry.npmjs.org/pacote/-/pacote-17.0.5.tgz",
"integrity": "sha512-TAE0m20zSDMnchPja9vtQjri19X3pZIyRpm2TJVeI+yU42leJBBDTRYhOcWFsPhaMxf+3iwQkFiKz16G9AEeeA==",
"inBundle": true,
"dependencies": {
"@npmcli/git": "^5.0.0",
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@
"npm-user-validate": "^2.0.0",
"npmlog": "^7.0.1",
"p-map": "^4.0.0",
"pacote": "^17.0.4",
"pacote": "^17.0.5",
"parse-conflict-json": "^3.0.1",
"proc-log": "^3.0.0",
"qrcode-terminal": "^0.12.0",
Expand Down

0 comments on commit 53aa8f2

Please sign in to comment.