All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
12.0.3 (2019-08-19)
- do not chown if not running as root (2d80af9)
12.0.2 (2019-07-19)
12.0.1 (2019-07-19)
- deps Abstracted out
lib/util/infer-owner.jsto @npmcli/infer-owner so that it could be more easily used in other parts of the npm CLI.
12.0.0 (2019-07-15)
- the uid gid options are no longer respected or necessary. As of this change, cacache will always match the cache contents to the ownership of the cache directory (or its parent directory), regardless of what the caller passes in.
Reasoning:
The number one reason to use a uid or gid option was to keep root-owned files from causing problems in the cache. In npm's case, this meant that CLI's ./lib/command.js had to work out the appropriate uid and gid, then pass it to the libnpmcommand module, which had to in turn pass the uid and gid to npm-registry-fetch, which then passed it to make-fetch-happen, which passed it to cacache. (For package fetching, pacote would be in that mix as well.)
Added to that, cacache.rm() will actually write a file into the
cache index, but has no way to accept an option so that its call to
entry-index.js will write the index with the appropriate uid/gid.
Little ownership bugs were all over the place, and tricky to trace
through. (Why should make-fetch-happen even care about accepting or
passing uids and gids? It's an http library.)
This change allows us to keep the cache from having mixed ownership in any situation.
Of course, this does mean that if you have a root-owned but
user-writable folder (for example, /tmp), then the cache will try to
chown everything to root.
The solution is for the user to create a folder, make it user-owned, and use that, rather than relying on cacache to create the root cache folder.
If we decide to restore the uid/gid opts, and use ownership inferrence only when uid/gid are unset, then take care to also make rm take an option object, and pass it through to entry-index.js.
11.3.3 (2019-06-17)
- audit: npm audit fix (200a6d5)
- config: Add ssri config 'error' option (#146) (47de8f5)
- deps: npm audit fix (481a7dc)
- standard: standard --fix (7799149)
- write: avoid another cb never called situation (5156561)
11.3.2 (2018-12-21)
- get: make sure to handle errors in the .then (b10bcd0)
11.3.1 (2018-11-05)
- get: export hasContent.sync properly (d76c920)
11.3.0 (2018-11-05)
- get: add sync API for reading (db1e094)
11.2.0 (2018-08-08)
- read: add sync support to other internal read.js fns (fe638b6)
11.1.0 (2018-08-01)
- read: add sync support for low-level content read (b43af83)
11.0.3 (2018-08-01)
- config: add ssri config options (#136) (10d5d9a)
- perf: refactor content.read to avoid lstats (c5ac10e)
- test: oops when removing safe-buffer (1950490)
11.0.2 (2018-05-07)
11.0.1 (2018-04-10)
11.0.0 (2018-04-09)
- drop support for node@4 (529f347)
- node@4 is no longer supported
10.0.4 (2018-02-16)
10.0.3 (2018-02-16)
- content: rethrow aggregate errors as ENOENT (fa918f5)
10.0.2 (2018-01-07)
- ls: deleted entries could cause a premature stream EOF (347dc36)
10.0.1 (2017-11-15)
- move-file: actually use the fallback to
move-concurrently(#110) (073fbe1)
10.0.0 (2017-10-23)
- license: relicense to ISC (#111) (fdbb4e5)
- more copyFile benchmarks (63787bb)
- license: the license has been changed from CC0-1.0 to ISC.
9.3.0 (2017-10-07)
- copy: added cacache.get.copy api for fast copies (#107) (067b5f6)
9.2.9 (2017-06-17)
9.2.8 (2017-06-05)
- ssri: bump ssri for bugfix (c3232ea)
9.2.7 (2017-06-05)
- content: make verified content completely read-only (#96) (4131196)
9.2.6 (2017-05-31)
- node: update ssri to prevent old node 4 crash (5209ffe)
9.2.5 (2017-05-25)
- deps: fix lockfile issues and bump ssri (84e1d7e)
9.2.4 (2017-05-24)
- deps: bumping deps (bbccb12)
9.2.3 (2017-05-24)
- rm: stop crashing if content is missing on rm (ac90bc0)
9.2.2 (2017-05-14)
- i18n: lets pretend this didn't happen (519b4ee)
9.2.1 (2017-05-14)
- docs: fixing translation messup (bb9e4f9)
9.2.0 (2017-05-14)
- i18n: add Spanish translation for API (531f9a4)
9.1.0 (2017-05-14)
- i18n: Add Spanish translation and i18n setup (#91) (323b90c)
9.0.0 (2017-04-28)
- memoization: actually use the LRU (0e55dc9)
- memoization: memoizers can be injected through opts.memoize (#90) (e5614c7)
- memoization: If you were passing an object to opts.memoize, it will now be used as an injected memoization object. If you were only passing booleans and other non-objects through that option, no changes are needed.
8.0.0 (2017-04-22)
- read: hasContent now returns an object with
{sri, size}instead ofsri. Useresult.srianywhere that needed the old return value.
7.1.0 (2017-04-20)
- size: handle content size info (#49) (91230af)
7.0.5 (2017-04-18)
- integrity: new ssri with fixed integrity stream (6d13e8e)
- write: wrap stuff in promises to improve errors (3624fc5)
7.0.4 (2017-04-15)
- fix-owner: throw away ENOENTs on chownr (d49bbcd)
7.0.3 (2017-04-05)
- read: fixing error message for integrity verification failures (9d4f0a5)
7.0.2 (2017-04-03)
- integrity: use EINTEGRITY error code and update ssri (8dc2e62)
7.0.1 (2017-04-03)
- docs: fix header name conflict in readme (afcd456)
7.0.0 (2017-04-03)
- test: fix content.write tests when running in docker (d2e9b6a)
- integrity: subresource integrity support (#78) (b1e731f)
-
integrity: The entire API has been overhauled to use SRI hashes instead of digest/hashAlgorithm pairs. SRI hashes follow the Subresource Integrity standard and support strings and objects compatible with
ssri. -
This change bumps the index version, which will invalidate all previous index entries. Content entries will remain intact, and existing caches will automatically reuse any content from before this breaking change.
-
cacache.get.info(),cacache.ls(), andcacache.ls.stream()will now return objects that looks like this:
{
key: String,
integrity: '<algorithm>-<base64hash>',
path: ContentPath,
time: Date<ms>,
metadata: Any
}
-
opts.digestandopts.hashAlgorithmare obsolete for any API calls that used them. -
Anywhere
opts.digestwas accepted,opts.integrityis now an option. Any valid SRI hash is accepted here -- multiple hash entries will be resolved according to the standard: first, the "strongest" hash algorithm will be picked, and then each of the entries for that algorithm will be matched against the content. Content will be validated if any of the entries match (so, a single integrity string can be used for multiple "versions" of the same document/data). -
put.byDigest(),put.stream.byDigest,get.byDigest()andget.stream.byDigest()now expect an SRI instead of adigest+opts.hashAlgorithmpairing. -
get.hasContent()now expects an integrity hash instead of a digest. If content exists, it will return the specific single integrity hash that was found in the cache. -
verify()has learned to handle integrity-based caches, and forgotten how to handle old-style cache indices due to the format change. -
cacache.rm.content()now expects an integrity hash instead of a hex digest.
6.3.0 (2017-04-01)
- fixOwner: ignore EEXIST race condition from mkdirp (4670e9b)
- index: ignore index removal races when inserting (b9d2fa2)
- memo: use lru-cache for better mem management (#75) (d8ac5aa)
- dependencies: Switch to move-concurrently (#77) (dc6482d)
6.2.0 (2017-03-15)
- index: additional bucket entry verification with checksum (#72) (f8e0f25)
- verify: return fixOwner.chownr promise (6818521)
- tmp: safe tmp dir creation/management util (#73) (c42da71)
6.1.2 (2017-03-13)
- index: set default hashAlgorithm (d6eb2f0)
6.1.1 (2017-03-13)
- coverage: bumping coverage for verify (#71) (0b7faf6)
- deps: glob should have been a regular dep :< (0640bc4)
6.1.0 (2017-03-12)
- coverage: more coverage for content reads (#70) (ef4f70a)
- tests: use safe-buffer because omfg (#69) (6ab8132)
- rm: limited rm.all and fixed bugs (#66) (d5d25ba), closes #66
- verify: tested, working cache verifier/gc (#68) (45ad77a)
6.0.2 (2017-03-11)
- index: segment cache items with another subbucket (#64) (c3644e5)
6.0.1 (2017-03-05)
- docs: Missed spots in README (8ffb7fa)
6.0.0 (2017-03-05)
- api: keep memo cache mostly-internal (2f72d0a)
- content: use the rest of the string, not the whole string (fa8f3c3)
- deps: removed
format-number@2.0.2(1187791) - deps: removed inflight@1.0.6 (0d1819c)
- deps: rimraf@2.6.1 (9efab6b)
- deps: standard@9.0.0 (4202cba)
- deps: tap@10.3.0 (aa03088)
- deps: weallcontribute@1.0.8 (ad4f4dc)
- docs: add security note to hashKey (03f81ba)
- hashes: change default hashAlgorithm to sha512 (ea00ba6)
- hashes: missed a spot for hashAlgorithm defaults (45997d8)
- index: add length header before JSON for verification (fb8cb4d)
- index: change index filenames to sha1s of keys (bbc5fca)
- index: who cares about race conditions anyway (b1d3888)
- perf: bulk-read get+read for massive speed (d26cdf9)
- perf: use bulk file reads for index reads (79a8891)
- put-stream: remove tmp file on stream insert error (65f6632)
- put-stream: robustified and predictibilized (daf9e08)
- put-stream: use new promise API for moves (1d36013)
- readme: updated to reflect new default hashAlgo (c60a2fa)
- verify: tiny typo fix (db22d05)
- api: converted external api (7bf032f)
- cacache: exported clearMemoized() utility (8d2c5b6)
- cache: add versioning to content and index (31bc549)
- content: collate content files into subdirs (c094d9f)
- deps:
@npmcorp/move@1.0.0(bdd00bf) - deps:
bluebird@3.4.7(3a17aff) - deps:
promise-inflight@1.0.1(a004fe6) - get: added memoization support for get (c77d794)
- get: export hasContent (2956ec3)
- index: add hashAlgorithm and format insert ret val (b639746)
- index: collate index files into subdirs (e8402a5)
- index: promisify entry index (cda3335)
- memo: added memoization lib (da07b92)
- memo: export memoization api (954b1b3)
- move-file: add move fallback for weird errors (5cf4616)
- perf: bulk content write api (51b536e)
- put: added memoization support to put (b613a70)
- read: switched to promises (a869362)
- rm: added memoization support to rm (4205cf0)
- rm: switched to promises (a000d24)
- util: promise-inflight ownership fix requests (9517cd7)
- util: use promises for api (ae204bb)
- verify: converted to Promises (f0b3974)
- cache: index/content directories are now versioned. Previous caches are no longer compatible and cannot be migrated.
- util: fix-owner now uses Promises instead of callbacks
- index: Previously-generated index entries are no longer compatible and the index must be regenerated.
- index: The index format has changed and previous caches are no longer compatible. Existing caches will need to be regenerated.
- hashes: Default hashAlgorithm changed from sha1 to sha512. If you
rely on the prior setting, pass
opts.hashAlgorithmin explicitly. - content: Previously-generated content directories are no longer compatible and must be regenerated.
- verify: API is now promise-based
- read: Switches to a Promise-based API and removes callback stuff
- rm: Switches to a Promise-based API and removes callback stuff
- index: this changes the API to work off promises instead of callbacks
- api: this means we are going all in on promises now