Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
lukekarrys committed Aug 30, 2023
1 parent fd8beaf commit cac0725
Show file tree
Hide file tree
Showing 88 changed files with 4,867 additions and 1,604 deletions.
2 changes: 1 addition & 1 deletion mock-registry/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@
"json-stringify-safe": "^5.0.1",
"nock": "^13.3.0",
"npm-package-arg": "^11.0.0",
"pacote": "^16.0.0",
"pacote": "^17.0.0",
"tap": "^16.3.4"
}
}
19 changes: 13 additions & 6 deletions node_modules/.gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,15 @@
!/@npmcli/metavuln-calculator
!/@npmcli/metavuln-calculator/node_modules/
/@npmcli/metavuln-calculator/node_modules/*
!/@npmcli/metavuln-calculator/node_modules/@npmcli/
/@npmcli/metavuln-calculator/node_modules/@npmcli/*
!/@npmcli/metavuln-calculator/node_modules/@npmcli/git
!/@npmcli/metavuln-calculator/node_modules/cacache
!/@npmcli/metavuln-calculator/node_modules/hosted-git-info
!/@npmcli/metavuln-calculator/node_modules/lru-cache
!/@npmcli/metavuln-calculator/node_modules/npm-package-arg
!/@npmcli/metavuln-calculator/node_modules/npm-pick-manifest
!/@npmcli/metavuln-calculator/node_modules/pacote
!/@npmcli/name-from-folder
!/@npmcli/node-gyp
!/@npmcli/package-json
Expand Down Expand Up @@ -245,14 +252,14 @@
!/pacote
!/pacote/node_modules/
/pacote/node_modules/*
!/pacote/node_modules/@npmcli/
/pacote/node_modules/@npmcli/*
!/pacote/node_modules/@npmcli/git
!/pacote/node_modules/cacache
!/pacote/node_modules/hosted-git-info
!/pacote/node_modules/lru-cache
!/pacote/node_modules/npm-package-arg
!/pacote/node_modules/normalize-package-data
!/pacote/node_modules/npm-pick-manifest
!/pacote/node_modules/npm-pick-manifest/node_modules/
/pacote/node_modules/npm-pick-manifest/node_modules/*
!/pacote/node_modules/npm-pick-manifest/node_modules/hosted-git-info
!/pacote/node_modules/npm-pick-manifest/node_modules/npm-package-arg
!/pacote/node_modules/read-package-json
!/parse-conflict-json
!/path-is-absolute
!/path-key
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,218 @@
'use strict'

const npa = require('npm-package-arg')
const semver = require('semver')
const { checkEngine } = require('npm-install-checks')
const normalizeBin = require('npm-normalize-package-bin')

const engineOk = (manifest, npmVersion, nodeVersion) => {
try {
checkEngine(manifest, npmVersion, nodeVersion)
return true
} catch (_) {
return false
}
}

const isBefore = (verTimes, ver, time) =>
!verTimes || !verTimes[ver] || Date.parse(verTimes[ver]) <= time

const avoidSemverOpt = { includePrerelease: true, loose: true }
const shouldAvoid = (ver, avoid) =>
avoid && semver.satisfies(ver, avoid, avoidSemverOpt)

const decorateAvoid = (result, avoid) =>
result && shouldAvoid(result.version, avoid)
? { ...result, _shouldAvoid: true }
: result

const pickManifest = (packument, wanted, opts) => {
const {
defaultTag = 'latest',
before = null,
nodeVersion = process.version,
npmVersion = null,
includeStaged = false,
avoid = null,
avoidStrict = false,
} = opts

const { name, time: verTimes } = packument
const versions = packument.versions || {}

if (avoidStrict) {
const looseOpts = {
...opts,
avoidStrict: false,
}

const result = pickManifest(packument, wanted, looseOpts)
if (!result || !result._shouldAvoid) {
return result
}

const caret = pickManifest(packument, `^${result.version}`, looseOpts)
if (!caret || !caret._shouldAvoid) {
return {
...caret,
_outsideDependencyRange: true,
_isSemVerMajor: false,
}
}

const star = pickManifest(packument, '*', looseOpts)
if (!star || !star._shouldAvoid) {
return {
...star,
_outsideDependencyRange: true,
_isSemVerMajor: true,
}
}

throw Object.assign(new Error(`No avoidable versions for ${name}`), {
code: 'ETARGET',
name,
wanted,
avoid,
before,
versions: Object.keys(versions),
})
}

const staged = (includeStaged && packument.stagedVersions &&
packument.stagedVersions.versions) || {}
const restricted = (packument.policyRestrictions &&
packument.policyRestrictions.versions) || {}

const time = before && verTimes ? +(new Date(before)) : Infinity
const spec = npa.resolve(name, wanted || defaultTag)
const type = spec.type
const distTags = packument['dist-tags'] || {}

if (type !== 'tag' && type !== 'version' && type !== 'range') {
throw new Error('Only tag, version, and range are supported')
}

// if the type is 'tag', and not just the implicit default, then it must
// be that exactly, or nothing else will do.
if (wanted && type === 'tag') {
const ver = distTags[wanted]
// if the version in the dist-tags is before the before date, then
// we use that. Otherwise, we get the highest precedence version
// prior to the dist-tag.
if (isBefore(verTimes, ver, time)) {
return decorateAvoid(versions[ver] || staged[ver] || restricted[ver], avoid)
} else {
return pickManifest(packument, `<=${ver}`, opts)
}
}

// similarly, if a specific version, then only that version will do
if (wanted && type === 'version') {
const ver = semver.clean(wanted, { loose: true })
const mani = versions[ver] || staged[ver] || restricted[ver]
return isBefore(verTimes, ver, time) ? decorateAvoid(mani, avoid) : null
}

// ok, sort based on our heuristics, and pick the best fit
const range = type === 'range' ? wanted : '*'

// if the range is *, then we prefer the 'latest' if available
// but skip this if it should be avoided, in that case we have
// to try a little harder.
const defaultVer = distTags[defaultTag]
if (defaultVer &&
(range === '*' || semver.satisfies(defaultVer, range, { loose: true })) &&
!shouldAvoid(defaultVer, avoid)) {
const mani = versions[defaultVer]
if (mani && isBefore(verTimes, defaultVer, time)) {
return mani
}
}

// ok, actually have to sort the list and take the winner
const allEntries = Object.entries(versions)
.concat(Object.entries(staged))
.concat(Object.entries(restricted))
.filter(([ver, mani]) => isBefore(verTimes, ver, time))

if (!allEntries.length) {
throw Object.assign(new Error(`No versions available for ${name}`), {
code: 'ENOVERSIONS',
name,
type,
wanted,
before,
versions: Object.keys(versions),
})
}

const sortSemverOpt = { loose: true }
const entries = allEntries.filter(([ver, mani]) =>
semver.satisfies(ver, range, { loose: true }))
.sort((a, b) => {
const [vera, mania] = a
const [verb, manib] = b
const notavoida = !shouldAvoid(vera, avoid)
const notavoidb = !shouldAvoid(verb, avoid)
const notrestra = !restricted[a]
const notrestrb = !restricted[b]
const notstagea = !staged[a]
const notstageb = !staged[b]
const notdepra = !mania.deprecated
const notdeprb = !manib.deprecated
const enginea = engineOk(mania, npmVersion, nodeVersion)
const engineb = engineOk(manib, npmVersion, nodeVersion)
// sort by:
// - not an avoided version
// - not restricted
// - not staged
// - not deprecated and engine ok
// - engine ok
// - not deprecated
// - semver
return (notavoidb - notavoida) ||
(notrestrb - notrestra) ||
(notstageb - notstagea) ||
((notdeprb && engineb) - (notdepra && enginea)) ||
(engineb - enginea) ||
(notdeprb - notdepra) ||
semver.rcompare(vera, verb, sortSemverOpt)
})

return decorateAvoid(entries[0] && entries[0][1], avoid)
}

module.exports = (packument, wanted, opts = {}) => {
const mani = pickManifest(packument, wanted, opts)
const picked = mani && normalizeBin(mani)
const policyRestrictions = packument.policyRestrictions
const restricted = (policyRestrictions && policyRestrictions.versions) || {}

if (picked && !restricted[picked.version]) {
return picked
}

const { before = null, defaultTag = 'latest' } = opts
const bstr = before ? new Date(before).toLocaleString() : ''
const { name } = packument
const pckg = `${name}@${wanted}` +
(before ? ` with a date before ${bstr}` : '')

const isForbidden = picked && !!restricted[picked.version]
const polMsg = isForbidden ? policyRestrictions.message : ''

const msg = !isForbidden ? `No matching version found for ${pckg}.`
: `Could not download ${pckg} due to policy violations:\n${polMsg}`

const code = isForbidden ? 'E403' : 'ETARGET'
throw Object.assign(new Error(msg), {
code,
type: npa.resolve(packument.name, wanted).type,
wanted,
versions: Object.keys(packument.versions ?? {}),
name,
distTags: packument['dist-tags'],
defaultTag,
})
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
{
"name": "npm-pick-manifest",
"version": "8.0.2",
"description": "Resolves a matching manifest from a package metadata document according to standard npm semver resolution rules.",
"main": "./lib",
"files": [
"bin/",
"lib/"
],
"scripts": {
"coverage": "tap",
"lint": "eslint \"**/*.js\"",
"test": "tap",
"posttest": "npm run lint",
"postlint": "template-oss-check",
"lintfix": "npm run lint -- --fix",
"snap": "tap",
"template-oss-apply": "template-oss-apply --force"
},
"repository": {
"type": "git",
"url": "https://github.com/npm/npm-pick-manifest.git"
},
"keywords": [
"npm",
"semver",
"package manager"
],
"author": "GitHub Inc.",
"license": "ISC",
"dependencies": {
"npm-install-checks": "^6.0.0",
"npm-normalize-package-bin": "^3.0.0",
"npm-package-arg": "^10.0.0",
"semver": "^7.3.5"
},
"devDependencies": {
"@npmcli/eslint-config": "^4.0.0",
"@npmcli/template-oss": "4.18.0",
"tap": "^16.0.1"
},
"tap": {
"check-coverage": true,
"nyc-arg": [
"--exclude",
"tap-snapshots/**"
]
},
"engines": {
"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "4.18.0",
"publish": true
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
The ISC License

Copyright (c) Isaac Z. Schlueter, Kat Marchán, npm, Inc., and Contributors

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Loading

0 comments on commit cac0725

Please sign in to comment.