deps: pacote@21.1.0

wraithgar · wraithgar · commit ebe5abdaa55a · 2026-01-28T13:42:47.000-08:00
diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js
@@ -469,11 +469,31 @@ const FileFetcher = require('./file.js')
 const DirFetcher = require('./dir.js')
 const RemoteFetcher = require('./remote.js')
 
+// possible values for allow: 'all', 'root', 'none'
+const canUseGit = (allow = 'all', isRoot = false) => {
+  if (allow === 'all') {
+    return true
+  }
+  if (allow !== 'none' && isRoot) {
+    return true
+  }
+  return false
+}
+
 // Get an appropriate fetcher object from a spec and options
 FetcherBase.get = (rawSpec, opts = {}) => {
   const spec = npa(rawSpec, opts.where)
   switch (spec.type) {
     case 'git':
+      if (!canUseGit(opts.allowGit, opts._isRoot)) {
+        throw Object.assign(
+          new Error(`Fetching${opts.allowGit === 'root' ? ' non-root' : ''} packages from git has been disabled`),
+          {
+            code: 'EALLOWGIT',
+            package: spec.toString(),
+          }
+        )
+      }
       return new GitFetcher(spec, opts)
 
     case 'remote':
diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "21.0.4",
+  "version": "21.1.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
diff --git a/package-lock.json b/package-lock.json
@@ -135,7 +135,7 @@
         "npm-registry-fetch": "^19.1.1",
         "npm-user-validate": "^4.0.0",
         "p-map": "^7.0.4",
-        "pacote": "^21.0.4",
+        "pacote": "^21.1.0",
         "parse-conflict-json": "^5.0.1",
         "proc-log": "^6.1.0",
         "qrcode-terminal": "^0.12.0",
@@ -9232,9 +9232,9 @@
       "license": "BlueOak-1.0.0"
     },
     "node_modules/pacote": {
-      "version": "21.0.4",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.0.4.tgz",
-      "integrity": "sha512-RplP/pDW0NNNDh3pnaoIWYPvNenS7UqMbXyvMqJczosiFWTeGGwJC2NQBLqKf4rGLFfwCOnntw1aEp9Jiqm1MA==",
+      "version": "21.1.0",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.1.0.tgz",
+      "integrity": "sha512-WF/PwrImIIVaLmtuCeO5L7n6DA0ZGCqmDPO/XbNjZgNUX+2O5z4f4Wdmu6erBWNICkl3ftKJvit2eIVcpegRRw==",
       "inBundle": true,
       "license": "ISC",
       "dependencies": {
diff --git a/package.json b/package.json
@@ -102,7 +102,7 @@
     "npm-registry-fetch": "^19.1.1",
     "npm-user-validate": "^4.0.0",
     "p-map": "^7.0.4",
-    "pacote": "^21.0.4",
+    "pacote": "^21.1.0",
     "parse-conflict-json": "^5.0.1",
     "proc-log": "^6.1.0",
     "qrcode-terminal": "^0.12.0",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "pacote",`
`3`		`- "version": "21.0.4",`
	`3`	`+ "version": "21.1.0",`
`4`	`4`	`"description": "JavaScript package downloader",`
`5`	`5`	`"author": "GitHub Inc.",`
`6`	`6`	`"bin": {`