fix: ignore integrity values for git dependencies (#4468)

This updates pacote@13.0.3 and @npmcli/run-script@3.0.0

node_modules/@npmcli/run-script/lib/make-spawn-args.js

@@ -1,7 +1,7 @@
 /* eslint camelcase: "off" */
 const isWindows = require('./is-windows.js')
 const setPATH = require('./set-path.js')
-const {resolve} = require('path')
+const { resolve } = require('path')
 const npm_config_node_gyp = require.resolve('node-gyp/bin/node-gyp.js')
 
 const makeSpawnArgs = options => {

node_modules/@npmcli/run-script/lib/package-envs.js

@@ -6,12 +6,13 @@ const envVal = val => Array.isArray(val) ? val.map(v => envVal(v)).join('\n\n')
 
 const packageEnvs = (env, vals, prefix) => {
   for (const [key, val] of Object.entries(vals)) {
-    if (val === undefined)
+    if (val === undefined) {
       continue
-    else if (val && !Array.isArray(val) && typeof val === 'object')
+    } else if (val && !Array.isArray(val) && typeof val === 'object') {
       packageEnvs(env, val, `${prefix}${key}_`)
-    else
+    } else {
       env[`${prefix}${key}`] = envVal(val)
+    }
   }
   return env
 }

node_modules/@npmcli/run-script/lib/run-script-pkg.js

@@ -26,25 +26,28 @@ const runScriptPkg = async options => {
     signalTimeout = 500,
   } = options
 
-  const {scripts = {}, gypfile} = pkg
+  const { scripts = {}, gypfile } = pkg
   let cmd = null
-  if (options.cmd)
+  if (options.cmd) {
     cmd = options.cmd
-  else if (pkg.scripts && pkg.scripts[event])
+  } else if (pkg.scripts && pkg.scripts[event]) {
     cmd = pkg.scripts[event] + args.map(a => ` ${JSON.stringify(a)}`).join('')
-  else if ( // If there is no preinstall or install script, default to rebuilding node-gyp packages.
+  } else if (
+    // If there is no preinstall or install script, default to rebuilding node-gyp packages.
     event === 'install' &&
     !scripts.install &&
     !scripts.preinstall &&
     gypfile !== false &&
     await isNodeGypPackage(path)
-  )
+  ) {
     cmd = defaultGypInstallScript
-  else if (event === 'start' && await isServerPackage(path))
+  } else if (event === 'start' && await isServerPackage(path)) {
     cmd = 'node server.js' + args.map(a => ` ${JSON.stringify(a)}`).join('')
+  }
 
-  if (!cmd)
+  if (!cmd) {
     return { code: 0, signal: null }
+  }
 
   if (stdio === 'inherit' && banner !== false) {
     // we're dumping to the parent's stdout, so print the banner
@@ -66,11 +69,13 @@ const runScriptPkg = async options => {
     path,
   })
 
-  if (stdio === 'inherit')
+  if (stdio === 'inherit') {
     signalManager.add(p.process)
+  }
 
-  if (p.stdin)
+  if (p.stdin) {
     p.stdin.end()
+  }
 
   return p.catch(er => {
     const { signal } = er
@@ -80,8 +85,9 @@ const runScriptPkg = async options => {
       // this also keeps the node process open long enough to actually
       // get the signal, rather than terminating gracefully.
       return new Promise((res, rej) => setTimeout(() => rej(er), signalTimeout))
-    } else
+    } else {
       throw er
+    }
   })
 }
 

node_modules/@npmcli/run-script/lib/run-script.js

@@ -5,9 +5,9 @@ const isServerPackage = require('./is-server-package.js')
 
 const runScript = options => {
   validateOptions(options)
-  const {pkg, path} = options
+  const { pkg, path } = options
   return pkg ? runScriptPkg(options)
-    : rpj(path + '/package.json').then(pkg => runScriptPkg({...options, pkg}))
+    : rpj(path + '/package.json').then(pkg => runScriptPkg({ ...options, pkg }))
 }
 
 module.exports = Object.assign(runScript, { isServerPackage })

node_modules/@npmcli/run-script/lib/set-path.js

@@ -1,4 +1,4 @@
-const {resolve, dirname} = require('path')
+const { resolve, dirname } = require('path')
 const isWindows = require('./is-windows.js')
 // the path here is relative, even though it does not need to be
 // in order to make the posix tests pass in windows
@@ -34,8 +34,9 @@ const setPATH = (projectPath, env) => {
   // npm or arborist or whoever to just provide that by putting it in
   // the PATH environ, since that's preserved anyway.
   for (const key of Object.keys(env)) {
-    if (/^path$/i.test(key))
+    if (/^path$/i.test(key)) {
       env[key] = pathVal
+    }
   }
 
   return env

node_modules/@npmcli/run-script/lib/signal-manager.js

@@ -3,7 +3,7 @@ let handlersInstalled = false
 
 const forwardedSignals = [
   'SIGINT',
-  'SIGTERM'
+  'SIGTERM',
 ]
 
 const handleSignal = signal => {
@@ -30,8 +30,9 @@ const cleanupListeners = () => {
 
 const add = proc => {
   runningProcs.add(proc)
-  if (!handlersInstalled)
+  if (!handlersInstalled) {
     setupListeners()
+  }
 
   proc.once('exit', () => {
     runningProcs.delete(proc)
@@ -42,5 +43,5 @@ const add = proc => {
 module.exports = {
   add,
   handleSignal,
-  forwardedSignals
+  forwardedSignals,
 }

node_modules/@npmcli/run-script/lib/validate-options.js

@@ -1,6 +1,7 @@
 const validateOptions = options => {
-  if (typeof options !== 'object' || !options)
+  if (typeof options !== 'object' || !options) {
     throw new TypeError('invalid options object provided to runScript')
+  }
 
   const {
     event,
@@ -12,20 +13,27 @@ const validateOptions = options => {
     cmd,
   } = options
 
-  if (!event || typeof event !== 'string')
+  if (!event || typeof event !== 'string') {
     throw new TypeError('valid event not provided to runScript')
-  if (!path || typeof path !== 'string')
+  }
+  if (!path || typeof path !== 'string') {
     throw new TypeError('valid path not provided to runScript')
-  if (scriptShell !== undefined && typeof scriptShell !== 'string')
+  }
+  if (scriptShell !== undefined && typeof scriptShell !== 'string') {
     throw new TypeError('invalid scriptShell option provided to runScript')
-  if (typeof env !== 'object' || !env)
+  }
+  if (typeof env !== 'object' || !env) {
     throw new TypeError('invalid env option provided to runScript')
-  if (typeof stdio !== 'string' && !Array.isArray(stdio))
+  }
+  if (typeof stdio !== 'string' && !Array.isArray(stdio)) {
     throw new TypeError('invalid stdio option provided to runScript')
-  if (!Array.isArray(args) || args.some(a => typeof a !== 'string'))
+  }
+  if (!Array.isArray(args) || args.some(a => typeof a !== 'string')) {
     throw new TypeError('invalid args option provided to runScript')
-  if (cmd !== undefined && typeof cmd !== 'string')
+  }
+  if (cmd !== undefined && typeof cmd !== 'string') {
     throw new TypeError('invalid cmd option provided to runScript')
+  }
 }
 
 module.exports = validateOptions

node_modules/@npmcli/run-script/package.json

@@ -1,45 +1,51 @@
 {
   "name": "@npmcli/run-script",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
-  "author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
+  "author": "GitHub Inc.",
   "license": "ISC",
   "scripts": {
     "test": "tap",
     "preversion": "npm test",
     "postversion": "npm publish",
     "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
-    "lint": "npm run eslint -- \"lib/**/*.js\"",
-    "lintfix": "npm run lint -- --fix"
+    "lint": "eslint '**/*.js'",
+    "lintfix": "npm run lint -- --fix",
+    "postlint": "npm-template-check",
+    "template-copy": "npm-template-copy --force",
+    "snap": "tap",
+    "posttest": "npm run lint"
   },
   "tap": {
     "check-coverage": true,
     "coverage-map": "map.js"
   },
   "devDependencies": {
-    "eslint": "^7.19.0",
-    "eslint-plugin-import": "^2.22.1",
-    "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-promise": "^4.2.1",
-    "eslint-plugin-standard": "^5.0.0",
-    "minipass": "^3.1.1",
+    "@npmcli/template-oss": "^2.7.1",
+    "minipass": "^3.1.6",
     "require-inject": "^1.4.4",
     "tap": "^15.0.4"
   },
   "dependencies": {
-    "@npmcli/node-gyp": "^1.0.2",
+    "@npmcli/node-gyp": "^1.0.3",
     "@npmcli/promise-spawn": "^1.3.2",
-    "node-gyp": "^8.2.0",
-    "read-package-json-fast": "^2.0.1"
+    "node-gyp": "^8.4.1",
+    "read-package-json-fast": "^2.0.3"
   },
   "files": [
-    "lib/**/*.js",
-    "lib/node-gyp-bin"
+    "bin",
+    "lib"
   ],
   "main": "lib/run-script.js",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/npm/run-script.git"
+  },
+  "engines": {
+    "node": "^12.13.0 || ^14.15.0 || >=16"
+  },
+  "templateOSS": {
+    "version": "2.7.1"
   }
 }

node_modules/pacote/lib/git.js

@@ -38,6 +38,13 @@ const addGitPlus = url => url && `git+${url}`.replace(/^(git\+)+/, 'git+')
 class GitFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
+
+    // we never want to compare integrity for git dependencies: npm/rfcs#525
+    if (this.opts.integrity) {
+      delete this.opts.integrity
+      log.warn(`skipping integrity check for git dependency ${this.spec.fetchSpec}`)
+    }
+
     this.resolvedRef = null
     if (this.spec.hosted) {
       this.from = this.spec.hosted.shortcut({ noCommittish: false })
@@ -194,7 +201,6 @@ class GitFetcher extends Fetcher {
   [_tarballFromResolved] () {
     const stream = new Minipass()
     stream.resolved = this.resolved
-    stream.integrity = this.integrity
     stream.from = this.from
 
     // check it out and then shell out to the DirFetcher tarball packer
@@ -304,7 +310,6 @@ class GitFetcher extends Fetcher {
         this[_readPackageJson](dir + '/package.json')
           .then(mani => this.package = {
             ...mani,
-            _integrity: this.integrity && String(this.integrity),
             _resolved: this.resolved,
             _from: this.from,
           }))

node_modules/pacote/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "13.0.2",
+  "version": "13.0.3",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -43,7 +43,7 @@
     "@npmcli/git": "^3.0.0",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/promise-spawn": "^1.2.0",
-    "@npmcli/run-script": "^2.0.0",
+    "@npmcli/run-script": "^3.0.0",
     "cacache": "^15.3.0",
     "chownr": "^2.0.0",
     "fs-minipass": "^2.1.0",