deps: pacote@15.2.0

Author: wraithgar

node_modules/pacote/lib/fetcher.js

@@ -61,7 +61,8 @@ class FetcherBase {
     // by adding/modifying the integrity value.
     this.opts = { ...opts }
 
-    this.cache = opts.cache || cacheDir()
+    this.cache = opts.cache || cacheDir().cacache
+    this.tufCache = opts.tufCache || cacheDir().tufcache
     this.resolved = opts.resolved || null
 
     // default to caching/verifying with sha512, that's what we usually have

node_modules/pacote/lib/registry.js

@@ -295,7 +295,10 @@ class RegistryFetcher extends Fetcher {
               //
               // Publish attestations are signed with a keyid so we need to
               // specify a public key from the keys endpoint: `registry-host.tld/-/npm/v1/keys`
-              const options = { keySelector: publicKey ? () => publicKey.pemkey : undefined }
+              const options = {
+                tufCachePath: this.tufCache,
+                keySelector: publicKey ? () => publicKey.pemkey : undefined,
+              }
               await sigstore.verify(bundle, null, options)
             } catch (e) {
               throw Object.assign(new Error(

node_modules/pacote/lib/util/cache-dir.js

@@ -8,5 +8,8 @@ module.exports = (fakePlatform = false) => {
   const platform = fakePlatform || process.platform
   const cacheExtra = platform === 'win32' ? 'npm-cache' : '.npm'
   const cacheRoot = (platform === 'win32' && process.env.LOCALAPPDATA) || home
-  return resolve(cacheRoot, cacheExtra, '_cacache')
+  return {
+    cacache: resolve(cacheRoot, cacheExtra, '_cacache'),
+    tufcache: resolve(cacheRoot, cacheExtra, '_tuf'),
+  }
 }

node_modules/pacote/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "15.1.3",
+  "version": "15.2.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {

package-lock.json

@@ -134,7 +134,7 @@
         "npm-user-validate": "^2.0.0",
         "npmlog": "^7.0.1",
         "p-map": "^4.0.0",
-        "pacote": "^15.1.3",
+        "pacote": "^15.2.0",
         "parse-conflict-json": "^3.0.1",
         "proc-log": "^3.0.0",
         "qrcode-terminal": "^0.12.0",
@@ -10098,9 +10098,9 @@
       }
     },
     "node_modules/pacote": {
-      "version": "15.1.3",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.1.3.tgz",
-      "integrity": "sha512-aRts8cZqxiJVDitmAh+3z+FxuO3tLNWEmwDRPEpDDiZJaRz06clP4XX112ynMT5uF0QNoMPajBBHnaStUEPJXA==",
+      "version": "15.2.0",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-15.2.0.tgz",
+      "integrity": "sha512-rJVZeIwHTUta23sIZgEIM62WYwbmGbThdbnkt81ravBplQv+HjyroqnLRNH2+sLJHcGZmLRmhPwACqhfTcOmnA==",
       "inBundle": true,
       "dependencies": {
         "@npmcli/git": "^4.0.0",

package.json

@@ -101,7 +101,7 @@
     "npm-user-validate": "^2.0.0",
     "npmlog": "^7.0.1",
     "p-map": "^4.0.0",
-    "pacote": "^15.1.3",
+    "pacote": "^15.2.0",
     "parse-conflict-json": "^3.0.1",
     "proc-log": "^3.0.0",
     "qrcode-terminal": "^0.12.0",