deps: pacote@18.0.0

mock-registry/package.json

@@ -51,7 +51,7 @@
     "json-stringify-safe": "^5.0.1",
     "nock": "^13.3.3",
     "npm-package-arg": "^11.0.2",
-    "pacote": "^17.0.4",
+    "pacote": "^18.0.0",
     "tap": "^16.3.8"
   }
 }

node_modules/.gitignore

@@ -31,6 +31,12 @@
 !/@npmcli/installed-package-contents
 !/@npmcli/map-workspaces
 !/@npmcli/metavuln-calculator
+!/@npmcli/metavuln-calculator/node_modules/
+/@npmcli/metavuln-calculator/node_modules/*
+!/@npmcli/metavuln-calculator/node_modules/@npmcli/
+/@npmcli/metavuln-calculator/node_modules/@npmcli/*
+!/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script
+!/@npmcli/metavuln-calculator/node_modules/pacote
 !/@npmcli/name-from-folder
 !/@npmcli/node-gyp
 !/@npmcli/package-json
@@ -187,6 +193,12 @@
 !/npm-user-validate
 !/p-map
 !/pacote
+!/pacote/node_modules/
+/pacote/node_modules/*
+!/pacote/node_modules/@npmcli/
+/pacote/node_modules/@npmcli/*
+!/pacote/node_modules/@npmcli/run-script
+!/pacote/node_modules/proc-log
 !/parse-conflict-json
 !/path-key
 !/path-scurry

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/LICENSE

@@ -0,0 +1,15 @@
+The ISC License
+
+Copyright (c) npm, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/is-server-package.js

@@ -0,0 +1,11 @@
+const { stat } = require('node:fs/promises')
+const { resolve } = require('node:path')
+
+module.exports = async path => {
+  try {
+    const st = await stat(resolve(path, 'server.js'))
+    return st.isFile()
+  } catch (er) {
+    return false
+  }
+}

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/make-spawn-args.js

@@ -0,0 +1,40 @@
+/* eslint camelcase: "off" */
+const setPATH = require('./set-path.js')
+const { resolve } = require('path')
+const npm_config_node_gyp = require.resolve('node-gyp/bin/node-gyp.js')
+
+const makeSpawnArgs = options => {
+  const {
+    event,
+    path,
+    scriptShell = true,
+    binPaths,
+    env,
+    stdio,
+    cmd,
+    args,
+    stdioString,
+  } = options
+
+  const spawnEnv = setPATH(path, binPaths, {
+    // we need to at least save the PATH environment var
+    ...process.env,
+    ...env,
+    npm_package_json: resolve(path, 'package.json'),
+    npm_lifecycle_event: event,
+    npm_lifecycle_script: cmd,
+    npm_config_node_gyp,
+  })
+
+  const spawnOpts = {
+    env: spawnEnv,
+    stdioString,
+    stdio,
+    cwd: path,
+    shell: scriptShell,
+  }
+
+  return [cmd, args, spawnOpts]
+}
+
+module.exports = makeSpawnArgs

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp

@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+node "$npm_config_node_gyp" "$@"

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp.cmd

@@ -0,0 +1 @@
+@node "%npm_config_node_gyp%" %*

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/package-envs.js

@@ -0,0 +1,29 @@
+const packageEnvs = (vals, prefix, env = {}) => {
+  for (const [key, val] of Object.entries(vals)) {
+    if (val === undefined) {
+      continue
+    } else if (val === null || val === false) {
+      env[`${prefix}${key}`] = ''
+    } else if (Array.isArray(val)) {
+      val.forEach((item, index) => {
+        packageEnvs({ [`${key}_${index}`]: item }, `${prefix}`, env)
+      })
+    } else if (typeof val === 'object') {
+      packageEnvs(val, `${prefix}${key}_`, env)
+    } else {
+      env[`${prefix}${key}`] = String(val)
+    }
+  }
+  return env
+}
+
+// https://github.com/npm/rfcs/pull/183 defines which fields we put into the environment
+module.exports = pkg => {
+  return packageEnvs({
+    name: pkg.name,
+    version: pkg.version,
+    config: pkg.config,
+    engines: pkg.engines,
+    bin: pkg.bin,
+  }, 'npm_package_')
+}

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/run-script-pkg.js

@@ -0,0 +1,114 @@
+const makeSpawnArgs = require('./make-spawn-args.js')
+const promiseSpawn = require('@npmcli/promise-spawn')
+const packageEnvs = require('./package-envs.js')
+const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp')
+const signalManager = require('./signal-manager.js')
+const isServerPackage = require('./is-server-package.js')
+
+// you wouldn't like me when I'm angry...
+const bruce = (id, event, cmd, args) => {
+  let banner = id
+    ? `\n> ${id} ${event}\n`
+    : `\n> ${event}\n`
+  banner += `> ${cmd.trim().replace(/\n/g, '\n> ')}`
+  if (args.length) {
+    banner += ` ${args.join(' ')}`
+  }
+  banner += '\n'
+  return banner
+}
+
+const runScriptPkg = async options => {
+  const {
+    event,
+    path,
+    scriptShell,
+    binPaths = false,
+    env = {},
+    stdio = 'pipe',
+    pkg,
+    args = [],
+    stdioString,
+    // note: only used when stdio:inherit
+    banner = true,
+    // how long to wait for a process.kill signal
+    // only exposed here so that we can make the test go a bit faster.
+    signalTimeout = 500,
+  } = options
+
+  const { scripts = {}, gypfile } = pkg
+  let cmd = null
+  if (options.cmd) {
+    cmd = options.cmd
+  } else if (pkg.scripts && pkg.scripts[event]) {
+    cmd = pkg.scripts[event]
+  } else if (
+    // If there is no preinstall or install script, default to rebuilding node-gyp packages.
+    event === 'install' &&
+    !scripts.install &&
+    !scripts.preinstall &&
+    gypfile !== false &&
+    await isNodeGypPackage(path)
+  ) {
+    cmd = defaultGypInstallScript
+  } else if (event === 'start' && await isServerPackage(path)) {
+    cmd = 'node server.js'
+  }
+
+  if (!cmd) {
+    return { code: 0, signal: null }
+  }
+
+  if (stdio === 'inherit' && banner !== false) {
+    // we're dumping to the parent's stdout, so print the banner
+    console.log(bruce(pkg._id, event, cmd, args))
+  }
+
+  const [spawnShell, spawnArgs, spawnOpts] = makeSpawnArgs({
+    event,
+    path,
+    scriptShell,
+    binPaths,
+    env: { ...env, ...packageEnvs(pkg) },
+    stdio,
+    cmd,
+    args,
+    stdioString,
+  })
+
+  const p = promiseSpawn(spawnShell, spawnArgs, spawnOpts, {
+    event,
+    script: cmd,
+    pkgid: pkg._id,
+    path,
+  })
+
+  if (stdio === 'inherit') {
+    signalManager.add(p.process)
+  }
+
+  if (p.stdin) {
+    p.stdin.end()
+  }
+
+  return p.catch(er => {
+    const { signal } = er
+    // coverage disabled because win32 never emits signals
+    /* istanbul ignore next */
+    if (stdio === 'inherit' && signal) {
+      // by the time we reach here, the child has already exited. we send the
+      // signal back to ourselves again so that npm will exit with the same
+      // status as the child
+      process.kill(process.pid, signal)
+
+      // just in case we don't die, reject after 500ms
+      // this also keeps the node process open long enough to actually
+      // get the signal, rather than terminating gracefully.
+      return new Promise((res, rej) => setTimeout(() => rej(er), signalTimeout))
+    } else {
+      throw er
+    }
+  })
+}
+
+module.exports = runScriptPkg

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/run-script.js

@@ -0,0 +1,15 @@
+const PackageJson = require('@npmcli/package-json')
+const runScriptPkg = require('./run-script-pkg.js')
+const validateOptions = require('./validate-options.js')
+const isServerPackage = require('./is-server-package.js')
+
+const runScript = async options => {
+  validateOptions(options)
+  if (options.pkg) {
+    return runScriptPkg(options)
+  }
+  const { content: pkg } = await PackageJson.normalize(options.path)
+  return runScriptPkg({ ...options, pkg })
+}
+
+module.exports = Object.assign(runScript, { isServerPackage })

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/set-path.js

@@ -0,0 +1,45 @@
+const { resolve, dirname, delimiter } = require('path')
+// the path here is relative, even though it does not need to be
+// in order to make the posix tests pass in windows
+const nodeGypPath = resolve(__dirname, '../lib/node-gyp-bin')
+
+// Windows typically calls its PATH environ 'Path', but this is not
+// guaranteed, nor is it guaranteed to be the only one.  Merge them
+// all together in the order they appear in the object.
+const setPATH = (projectPath, binPaths, env) => {
+  const PATH = Object.keys(env).filter(p => /^path$/i.test(p) && env[p])
+    .map(p => env[p].split(delimiter))
+    .reduce((set, p) => set.concat(p.filter(concatted => !set.includes(concatted))), [])
+    .join(delimiter)
+
+  const pathArr = []
+  if (binPaths) {
+    pathArr.push(...binPaths)
+  }
+  // unshift the ./node_modules/.bin from every folder
+  // walk up until dirname() does nothing, at the root
+  // XXX we should specify a cwd that we don't go above
+  let p = projectPath
+  let pp
+  do {
+    pathArr.push(resolve(p, 'node_modules', '.bin'))
+    pp = p
+    p = dirname(p)
+  } while (p !== pp)
+  pathArr.push(nodeGypPath, PATH)
+
+  const pathVal = pathArr.join(delimiter)
+
+  // XXX include the node-gyp-bin path somehow?  Probably better for
+  // npm or arborist or whoever to just provide that by putting it in
+  // the PATH environ, since that's preserved anyway.
+  for (const key of Object.keys(env)) {
+    if (/^path$/i.test(key)) {
+      env[key] = pathVal
+    }
+  }
+
+  return env
+}
+
+module.exports = setPATH

node_modules/@npmcli/metavuln-calculator/node_modules/@npmcli/run-script/lib/signal-manager.js

@@ -0,0 +1,50 @@
+const runningProcs = new Set()
+let handlersInstalled = false
+
+const forwardedSignals = [
+  'SIGINT',
+  'SIGTERM',
+]
+
+// no-op, this is so receiving the signal doesn't cause us to exit immediately
+// instead, we exit after all children have exited when we re-send the signal
+// to ourselves. see the catch handler at the bottom of run-script-pkg.js
+const handleSignal = signal => {
+  for (const proc of runningProcs) {
+    proc.kill(signal)
+  }
+}
+
+const setupListeners = () => {
+  for (const signal of forwardedSignals) {
+    process.on(signal, handleSignal)
+  }
+  handlersInstalled = true
+}
+
+const cleanupListeners = () => {
+  if (runningProcs.size === 0) {
+    for (const signal of forwardedSignals) {
+      process.removeListener(signal, handleSignal)
+    }
+    handlersInstalled = false
+  }
+}
+
+const add = proc => {
+  runningProcs.add(proc)
+  if (!handlersInstalled) {
+    setupListeners()
+  }
+
+  proc.once('exit', () => {
+    runningProcs.delete(proc)
+    cleanupListeners()
+  })
+}
+
+module.exports = {
+  add,
+  handleSignal,
+  forwardedSignals,
+}