wip

Author: bmeck

lib/shadow/npm-injection.cjs

@@ -249,6 +249,10 @@ function findRoot (filepath) {
 const npmDir = findRoot(path.dirname(npmEntrypoint))
 const arboristLibClassPath = path.join(npmDir, 'node_modules', '@npmcli', 'arborist', 'lib', 'arborist', 'index.js')
 const npmlog = require(path.join(npmDir, 'node_modules', 'npmlog', 'lib', 'log.js'))
+/**
+ * @type {import('pacote')}
+ */
+const pacote = require(path.join(npmDir, 'node_modules', 'pacote'))
 
 /**
  * @type {typeof import('@npmcli/arborist')}
@@ -336,7 +340,7 @@ class SafeArborist extends Arborist {
             spinner: oraNS.spinners.dots,
           })
         }
-        const risky = await packagesHaveRiskyIssues(this.registry, diff, ora, input, output)
+        const risky = await packagesHaveRiskyIssues(this, this.registry, diff, ora, input, output)
         if (!risky) {
           return true
         }
@@ -368,8 +372,8 @@ class SafeArborist extends Arborist {
           rli.close()
         }
       } else {
-        if (await packagesHaveRiskyIssues(this.registry, diff, null, null, output)) {
-          throw new Error('Socket npm unable to prompt to accept risk, need TTY to do so')
+        if (await packagesHaveRiskyIssues(this, this.registry, diff, null, null, output)) {
+          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
         }
         return true
       }
@@ -479,14 +483,15 @@ function walk (diff, needInfoOn = []) {
 }
 
 /**
+ * @param {SafeArborist} safeArb
  * @param {string} registry
  * @param {InstallEffect[]} pkgs
  * @param {import('ora')['default'] | null} ora
  * @param {Readable | null} [input]
  * @param {Writable | null} [output]
  * @returns {Promise<boolean>}
  */
-async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, output) {
+async function packagesHaveRiskyIssues (safeArb, registry, pkgs, ora = null, input, output) {
   let failed = false
   if (pkgs.length) {
     let remaining = pkgs.length
@@ -511,6 +516,7 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
         let displayWarning = false
         const name = pkgData.pkg
         const version = pkgData.ver
+        let blocked = false
         if (pkgData.type === 'missing') {
           failed = true
           failures.push({
@@ -524,7 +530,7 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
               failures.push({ raw: failure, block: ux.block })
               // before we ask about problematic issues, check to see if they already existed in the old version
               // if they did, be quiet
-              const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}` && pkg.existing?.startsWith(pkgData.pkg))
+              const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}` && pkg.existing?.startsWith(pkgData.pkg + '@'))
               if (pkg?.existing) {
                 for await (const oldPkgData of batchScan([pkg.existing])) {
                   if (oldPkgData.type === 'success') {
@@ -537,14 +543,23 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
             }
             if (ux.block) {
               failed = true
-            } else {
-              // TODO: have pacote/cacache download non-problematic files while waiting
+              blocked = true
             }
             if (ux.display) {
               displayWarning = true
             }
           }
         }
+        if (!blocked) {
+          const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}`)
+          if (pkg) {
+            pacote.tarball.stream(pkg.pkgid, (stream) => {
+              stream.resume()
+              // @ts-ignore pacote does a naughty
+              return stream.promise()
+            }, { ...safeArb[kCtorArgs][0] })
+          }
+        }
         if (displayWarning) {
           translations ??= JSON.parse(fs.readFileSync(path.join(__dirname, '/translations.json'), 'utf-8'))
           formatter ??= new ((await chalkMarkdownPromise).ChalkOrMarkdown)(false)