deps: pacote@21.3.1

wraithgar · wraithgar · commit aae84bf5a90b · 2026-02-10T13:19:44.000-08:00
diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js
@@ -470,33 +470,32 @@ const DirFetcher = require('./dir.js')
 const RemoteFetcher = require('./remote.js')
 
 // possible values for allow: 'all', 'root', 'none'
-const canUseGit = (allow = 'all', isRoot = false) => {
+const canUse = ({ allow = 'all', isRoot = false, allowType, spec }) => {
   if (allow === 'all') {
     return true
   }
   if (allow !== 'none' && isRoot) {
     return true
   }
-  return false
+  throw Object.assign(
+    new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${allowType}" have been disabled`),
+    {
+      code: `EALLOW${allowType.toUpperCase()}`,
+      package: spec.toString(),
+    }
+  )
 }
 
 // Get an appropriate fetcher object from a spec and options
 FetcherBase.get = (rawSpec, opts = {}) => {
   const spec = npa(rawSpec, opts.where)
   switch (spec.type) {
     case 'git':
-      if (!canUseGit(opts.allowGit, opts._isRoot)) {
-        throw Object.assign(
-          new Error(`Fetching${opts.allowGit === 'root' ? ' non-root' : ''} packages from git has been disabled`),
-          {
-            code: 'EALLOWGIT',
-            package: spec.toString(),
-          }
-        )
-      }
+      canUse({ allow: opts.allowGit, isRoot: opts._isRoot, allowType: 'git', spec })
       return new GitFetcher(spec, opts)
 
     case 'remote':
+      canUse({ allow: opts.allowRemote, isRoot: opts._isRoot, allowType: 'remote', spec })
       return new RemoteFetcher(spec, opts)
 
     case 'version':
@@ -506,9 +505,11 @@ FetcherBase.get = (rawSpec, opts = {}) => {
       return new RegistryFetcher(spec.subSpec || spec, opts)
 
     case 'file':
+      canUse({ allow: opts.allowFile, isRoot: opts._isRoot, allowType: 'file', spec })
       return new FileFetcher(spec, opts)
 
     case 'directory':
+      canUse({ allow: opts.allowDirectory, isRoot: opts._isRoot, allowType: 'directory', spec })
       return new DirFetcher(spec, opts)
 
     default:
diff --git a/node_modules/pacote/lib/git.js b/node_modules/pacote/lib/git.js
@@ -12,7 +12,7 @@ const _ = require('./util/protected.js')
 const addGitSha = require('./util/add-git-sha.js')
 const npm = require('./util/npm.js')
 
-const hashre = /^[a-f0-9]{40}$/
+const hashre = /^[a-f0-9]{40,64}$/
 
 // get the repository url.
 // prefer https if there's auth, since ssh will drop that.
@@ -25,6 +25,14 @@ const repoUrl = (h, opts) =>
 // add git+ to the url, but only one time.
 const addGitPlus = url => url && `git+${url}`.replace(/^(git\+)+/, 'git+')
 
+const checkoutError = (expected, found) => {
+  const err = new Error(`Commit mismatch: expected SHA ${expected} and cloned HEAD ${found}`)
+  err.code = 'EGITCHECKOUT'
+  err.sha = expected
+  err.head = found
+  return err
+}
+
 class GitFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
@@ -245,7 +253,7 @@ class GitFetcher extends Fetcher {
           pkgid: `git:${nameat}${this.resolved}`,
           resolved: this.resolved,
           integrity: null, // it'll always be different, if we have one
-        }).extract(tmp).then(() => handler(tmp), er => {
+        }).extract(tmp).then(() => handler(`${tmp}${this.spec.gitSubdir || ''}`), er => {
           // fall back to ssh download if tarball fails
           if (er.constructor.name.match(/^Http/)) {
             return this.#clone(handler, false)
@@ -259,11 +267,15 @@ class GitFetcher extends Fetcher {
         h ? this.#cloneHosted(ref, tmp)
         : this.#cloneRepo(this.spec.fetchSpec, ref, tmp)
       )
+      // if we already have a resolved sha ensure it doesn't change
+      if (this.resolvedSha && this.resolvedSha !== sha) {
+        throw checkoutError(this.resolvedSha, sha)
+      }
       this.resolvedSha = sha
       if (!this.resolved) {
         await this.#addGitSha(sha)
       }
-      return handler(tmp)
+      return handler(`${tmp}${this.spec.gitSubdir || ''}`)
     })
   }
 
diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "21.1.0",
+  "version": "21.3.1",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
diff --git a/package-lock.json b/package-lock.json
@@ -135,7 +135,7 @@
         "npm-registry-fetch": "^19.1.1",
         "npm-user-validate": "^4.0.0",
         "p-map": "^7.0.4",
-        "pacote": "^21.1.0",
+        "pacote": "^21.3.1",
         "parse-conflict-json": "^5.0.1",
         "proc-log": "^6.1.0",
         "qrcode-terminal": "^0.12.0",
@@ -9139,9 +9139,9 @@
       "license": "BlueOak-1.0.0"
     },
     "node_modules/pacote": {
-      "version": "21.1.0",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.1.0.tgz",
-      "integrity": "sha512-WF/PwrImIIVaLmtuCeO5L7n6DA0ZGCqmDPO/XbNjZgNUX+2O5z4f4Wdmu6erBWNICkl3ftKJvit2eIVcpegRRw==",
+      "version": "21.3.1",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.3.1.tgz",
+      "integrity": "sha512-O0EDXi85LF4AzdjG74GUwEArhdvawi/YOHcsW6IijKNj7wm8IvEWNF5GnfuxNpQ/ZpO3L37+v8hqdVh8GgWYhg==",
       "inBundle": true,
       "license": "ISC",
       "dependencies": {
diff --git a/package.json b/package.json
@@ -102,7 +102,7 @@
     "npm-registry-fetch": "^19.1.1",
     "npm-user-validate": "^4.0.0",
     "p-map": "^7.0.4",
-    "pacote": "^21.1.0",
+    "pacote": "^21.3.1",
     "parse-conflict-json": "^5.0.1",
     "proc-log": "^6.1.0",
     "qrcode-terminal": "^0.12.0",
diff --git a/test/lib/commands/install.js b/test/lib/commands/install.js
@@ -247,7 +247,7 @@ t.test('exec commands', async t => {
       npm.exec('install', ['npm/npm']),
       {
         code: 'EALLOWGIT',
-        message: 'Fetching packages from git has been disabled',
+        message: 'Fetching packages of type "git" have been disabled',
         package: 'github:npm/npm',
       }
     )
@@ -267,7 +267,7 @@ t.test('exec commands', async t => {
     })
     await t.rejects(
       npm.exec('install', ['./abbrev']),
-      /Fetching packages from git has been disabled/
+      /Fetching packages of type "git" have been disabled/
     )
   })
 })
diff --git a/test/lib/commands/view.js b/test/lib/commands/view.js
@@ -837,6 +837,6 @@ t.test('allow-git=none', async t => {
   await t.rejects(view.exec(['npm/npm']), {
     code: 'EALLOWGIT',
     package: 'github:npm/npm',
-    message: 'Fetching packages from git has been disabled',
+    message: 'Fetching packages of type "git" have been disabled',
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "pacote",`
`3`		`- "version": "21.1.0",`
	`3`	`+ "version": "21.3.1",`
`4`	`4`	`"description": "JavaScript package downloader",`
`5`	`5`	`"author": "GitHub Inc.",`
`6`	`6`	`"bin": {`
Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ t.test('exec commands', async t => {`
`247`	`247`	`npm.exec('install', ['npm/npm']),`
`248`	`248`	`{`
`249`	`249`	`code: 'EALLOWGIT',`
`250`		`- message: 'Fetching packages from git has been disabled',`
	`250`	`+ message: 'Fetching packages of type "git" have been disabled',`
`251`	`251`	`package: 'github:npm/npm',`
`252`	`252`	`}`
`253`	`253`	`)`
`@@ -267,7 +267,7 @@ t.test('exec commands', async t => {`
`267`	`267`	`})`
`268`	`268`	`await t.rejects(`
`269`	`269`	`npm.exec('install', ['./abbrev']),`
`270`		`- /Fetching packages from git has been disabled/`
	`270`	`+ /Fetching packages of type "git" have been disabled/`
`271`	`271`	`)`
`272`	`272`	`})`
`273`	`273`	`})`