diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js index ad3cacec89bf..c9a3201f0ae4 100644 --- a/node_modules/pacote/lib/fetcher.js +++ b/node_modules/pacote/lib/fetcher.js @@ -110,7 +110,7 @@ class FetcherBase { // going to be packing in the context of a publish, which may set // a dist-tag, but certainly wants to keep defaulting to latest. this.npmCliConfig = opts.npmCliConfig || [ - `--cache=${this.cache}`, + `--cache=${dirname(this.cache)}`, `--prefer-offline=${!!this.preferOffline}`, `--prefer-online=${!!this.preferOnline}`, `--offline=${!!this.offline}`, diff --git a/node_modules/pacote/lib/git.js b/node_modules/pacote/lib/git.js index 406ab5c60022..14d8a833659c 100644 --- a/node_modules/pacote/lib/git.js +++ b/node_modules/pacote/lib/git.js @@ -161,12 +161,28 @@ class GitFetcher extends Fetcher { scripts.prepare)) return + // to avoid cases where we have an cycle of git deps that depend + // on one another, we only ever do preparation for one instance + // of a given git dep along the chain of installations. + // Note that this does mean that a dependency MAY in theory end up + // trying to run its prepare script using a dependency that has not + // been properly prepared itself, but that edge case is smaller + // and less hazardous than a fork bomb of npm and git commands. + const noPrepare = !process.env._PACOTE_NO_PREPARE_ ? [] + : process.env._PACOTE_NO_PREPARE_.split('\n') + if (noPrepare.includes(this.resolved)) { + this.log.info('prepare', 'skip prepare, already seen', this.resolved) + return + } + noPrepare.push(this.resolved) + // the DirFetcher will do its own preparation to run the prepare scripts // All we have to do is put the deps in place so that it can succeed. return npm( this.npmBin, [].concat(this.npmInstallCmd).concat(this.npmCliConfig), dir, + { ...process.env, _PACOTE_NO_PREPARE_: noPrepare.join('\n') }, { message: 'git dep preparation failed' } ) }) diff --git a/node_modules/pacote/lib/util/cache-dir.js b/node_modules/pacote/lib/util/cache-dir.js index d5c0bf28fb81..abd245323202 100644 --- a/node_modules/pacote/lib/util/cache-dir.js +++ b/node_modules/pacote/lib/util/cache-dir.js @@ -7,6 +7,6 @@ module.exports = (fakePlatform = false) => { const home = os.homedir() || resolve(temp, 'npm-' + uidOrPid) const platform = fakePlatform || process.platform const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm' - const cacheRoot = (platform === 'win32' && process.env.APPDATA) || home - return resolve(cacheRoot, cacheExtra) + const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home + return resolve(cacheRoot, cacheExtra, '_cacache') } diff --git a/node_modules/pacote/lib/util/npm.js b/node_modules/pacote/lib/util/npm.js index 293695525c72..f2f29bd0acbd 100644 --- a/node_modules/pacote/lib/util/npm.js +++ b/node_modules/pacote/lib/util/npm.js @@ -1,9 +1,15 @@ // run an npm command const spawn = require('@npmcli/promise-spawn') +const {dirname} = require('path') -module.exports = (npmBin, npmCommand, cwd, extra) => { +module.exports = (npmBin, npmCommand, cwd, env, extra) => { const isJS = npmBin.endsWith('.js') const cmd = isJS ? process.execPath : npmBin const args = (isJS ? [npmBin] : []).concat(npmCommand) - return spawn(cmd, args, { cwd, stdioString: true }, extra) + // when installing to run the `prepare` script for a git dep, we need + // to ensure that we don't run into a cycle of checking out packages + // in temp directories. this lets us link previously-seen repos that + // are also being prepared. + + return spawn(cmd, args, { cwd, stdioString: true, env }, extra) } diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json index 959cb1ec4883..270d87212c14 100644 --- a/node_modules/pacote/package.json +++ b/node_modules/pacote/package.json @@ -1,6 +1,6 @@ { "name": "pacote", - "version": "11.2.4", + "version": "11.2.5", "description": "JavaScript package downloader", "author": "Isaac Z. Schlueter (https://izs.me)", "bin": { diff --git a/package-lock.json b/package-lock.json index eecef9bdf2af..b2f6868dda65 100644 --- a/package-lock.json +++ b/package-lock.json @@ -407,7 +407,7 @@ "npm-user-validate": "^1.0.1", "npmlog": "~4.1.2", "opener": "^1.5.2", - "pacote": "^11.2.3", + "pacote": "^11.2.5", "parse-conflict-json": "^1.1.1", "qrcode-terminal": "^0.12.0", "read": "~1.0.7", @@ -5380,9 +5380,9 @@ } }, "node_modules/pacote": { - "version": "11.2.4", - "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.2.4.tgz", - "integrity": "sha512-GfTeVQGJ6WyBQbQD4t3ocHbyOmTQLmWjkCKSZPmKiGFKYKNUaM5U2gbLzUW8WG1XmS9yQFnsTFA0k3o1+q4klQ==", + "version": "11.2.5", + "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.2.5.tgz", + "integrity": "sha512-KgVY3Rh3xJnhnRCirmsXW8kIdbslrFTnYeTtdzyvObPgj/Tc5VqdmazxsvdXGdIgRB/Km92mBKfuWcGGqgu7UQ==", "inBundle": true, "dependencies": { "@npmcli/git": "^2.0.1", @@ -13371,9 +13371,9 @@ } }, "pacote": { - "version": "11.2.4", - "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.2.4.tgz", - "integrity": "sha512-GfTeVQGJ6WyBQbQD4t3ocHbyOmTQLmWjkCKSZPmKiGFKYKNUaM5U2gbLzUW8WG1XmS9yQFnsTFA0k3o1+q4klQ==", + "version": "11.2.5", + "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.2.5.tgz", + "integrity": "sha512-KgVY3Rh3xJnhnRCirmsXW8kIdbslrFTnYeTtdzyvObPgj/Tc5VqdmazxsvdXGdIgRB/Km92mBKfuWcGGqgu7UQ==", "requires": { "@npmcli/git": "^2.0.1", "@npmcli/installed-package-contents": "^1.0.5", diff --git a/package.json b/package.json index 2eecfdbfc045..67aab55fe4c8 100644 --- a/package.json +++ b/package.json @@ -91,7 +91,7 @@ "npm-user-validate": "^1.0.1", "npmlog": "~4.1.2", "opener": "^1.5.2", - "pacote": "^11.2.3", + "pacote": "^11.2.5", "parse-conflict-json": "^1.1.1", "qrcode-terminal": "^0.12.0", "read": "~1.0.7",