Skip to content

Commit

Permalink
Merge branch 'latest' into jumoel/support-web-publish
Browse files Browse the repository at this point in the history
  • Loading branch information
fritzy committed Jul 20, 2022
2 parents 1231bf7 + 68ade72 commit e137c4d
Show file tree
Hide file tree
Showing 29 changed files with 271 additions and 77 deletions.
3 changes: 3 additions & 0 deletions AUTHORS
Original file line number Diff line number Diff line change
Expand Up @@ -837,3 +837,6 @@ Yonathan Randolph <yonathan@gmail.com>
Julian Møller Ellehauge <jumoel@github.com>
Lucas Werkmeister <mail@lucaswerkmeister.de>
Seth Westphal <westy92@users.noreply.github.com>
Mihai Crisan <61682879+crisanmm@users.noreply.github.com>
Kenichi Kamiya <kachick1@gmail.com>
Chen XI <xichen1427@gmail.com>
33 changes: 33 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,38 @@
# Changelog

## v8.14.0 (2022-07-13)

### Features

* [`f032e1c`](https://github.com/npm/cli/commit/f032e1c0ada062e2139c8f057b24abb1ce2e4a33) [#4827](https://github.com/npm/cli/pull/4827) feat: add npm audit signatures ([@feelepxyz](https://github.com/feelepxyz))
* [`e8102c1`](https://github.com/npm/cli/commit/e8102c1aae65a18e41253fbcdffe2eff0bedae53) [#5076](https://github.com/npm/cli/pull/5076) feat: Add `web` auth type ([@jumoel](https://github.com/jumoel))
* [`e9b4214`](https://github.com/npm/cli/commit/e9b4214e1ddb1ad79fe6826cf2ce7ba385f0c274) [#5094](https://github.com/npm/cli/pull/5094) feat(arborist): add support for dependencies script ([@nlf](https://github.com/nlf))
* [`c6c4ba3`](https://github.com/npm/cli/commit/c6c4ba3b62e2a0896a48329f4c7e13d9e44a2f80) [#5149](https://github.com/npm/cli/pull/5149) feat: notify on adduser of upcoming cmds, login and register ([@fritzy](https://github.com/fritzy))
* [`e58f02f`](https://github.com/npm/cli/commit/e58f02f5e8263bf86ae1f07a863098d445e6d0cd) [#5149](https://github.com/npm/cli/pull/5149) feat: warn on config --auth-type=sso/saml/oauth, undeprecate --auth-type ([@fritzy](https://github.com/fritzy))

### Bug Fixes

* [`52ec5ec`](https://github.com/npm/cli/commit/52ec5ec61fd3b266efd7a9c5712dd6a769a2d365) [#5154](https://github.com/npm/cli/pull/5154) fix: properly open package arg repo inside workspace ([@wraithgar](https://github.com/wraithgar))

### Documentation

* [`9697f16`](https://github.com/npm/cli/commit/9697f16952b1bf02bb5455c36a1995277cbc0c97) [#5118](https://github.com/npm/cli/pull/5118) docs: typo in npm command ([@crisanmm](https://github.com/crisanmm))
* [`da5a4ba`](https://github.com/npm/cli/commit/da5a4ba2c83af9a7e5e0fe38c32136adf396f557) [#5079](https://github.com/npm/cli/pull/5079) docs: update reference to deprecated spdx package ([@kachick](https://github.com/kachick))
* [`25b3058`](https://github.com/npm/cli/commit/25b305830be0892bbbf0245aee2eebdb76ee2ce3) [#5043](https://github.com/npm/cli/pull/5043) docs: naming of files in example code should be consistent ([@xc1427](https://github.com/xc1427))
* [`ac56fc4`](https://github.com/npm/cli/commit/ac56fc41bc2f91f51c8438f98893121e7a92ee46) [#5095](https://github.com/npm/cli/pull/5095) docs: document `dependencies` script ([@nlf](https://github.com/nlf))

### Dependencies

* [`cb0db7c`](https://github.com/npm/cli/commit/cb0db7c3fd1d0a4c30db9f44e9ea9e69ec327fe8) [#5147](https://github.com/npm/cli/pull/5147) deps: `@npmcli/arborist@5.3.0`
* [`b8c0580`](https://github.com/npm/cli/commit/b8c0580e5df93aa519b3ec240bb85d59eee5ee37) [#5156](https://github.com/npm/cli/pull/5156) deps: `minipass@3.3.4`
* [`ad72611`](https://github.com/npm/cli/commit/ad726118755ef577cc0755499d35a5d3c74d54a6) [#5156](https://github.com/npm/cli/pull/5156) deps: `lru-cache@7.12.0`
* [`c94919d`](https://github.com/npm/cli/commit/c94919dd4874196d3a84eff4fab450a17dcd4867) [#5156](https://github.com/npm/cli/pull/5156) deps: `just-diff@5.0.3`
* [`18ddc57`](https://github.com/npm/cli/commit/18ddc57c7a54165d55c81b413ef9de981c790148) [#5156](https://github.com/npm/cli/pull/5156) deps: `just-diff-apply@5.3.1`
* [`a2d700b`](https://github.com/npm/cli/commit/a2d700b3cc7cebca2d1b0c16224af41da3689aaf) [#5156](https://github.com/npm/cli/pull/5156) deps: `npm-package-arg@9.1.0`
* [`99dc697`](https://github.com/npm/cli/commit/99dc697409e1eb42caaf0c0e38fa41635d89a871) [#5156](https://github.com/npm/cli/pull/5156) deps: `@npmcli/run-script@4.1.7`
* [`4a9f2dc`](https://github.com/npm/cli/commit/4a9f2dc9169fd330c4dcf2bad7890aaf4765bafa) [#5157](https://github.com/npm/cli/pull/5157) deps: `npm-registry-fetch@13.2.0`
* [`45a9bde`](https://github.com/npm/cli/commit/45a9bdee604073a3c5b4d3c6d90e22bf6672d6bf) [#5158](https://github.com/npm/cli/pull/5158) deps: `npm-profile@6.2.0`

## v8.13.2 (2022-06-29)

### Documentation
Expand Down
15 changes: 9 additions & 6 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,15 +35,18 @@ $ node . run test

**5. Open a [Pull Request](https://github.com/npm/cli/pulls) for your work & become the newest contributor to `npm`! 🎉**

## Test Coverage
## Pull Request Conventions

We use [`tap`](https://node-tap.org/) for testing & expect that every new feature or bug fix comes with corresponding tests that validate the solutions. We strive to have as close to, if not exactly, 100% code coverage.
We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). When opening a pull request, please be sure that either the pull request title, or each commit in the pull request, has one of the following prefixes:

**You can find out what the current test coverage percentage is by running...**
- `feat`: For when introducing a new feature. The result will be a new semver minor version of the package when it is next published.
- `fix`: For bug fixes. The result will be a new semver patch version of the package when it is next published.
- `docs`: For documentation updates. The result will be a new semver patch version of the package when it is next published.
- `chore`: For changes that do not affect the published module. Often these are changes to tests. The result will be *no* change to the version of the package when it is next published (as the commit does not affect the published version).

```bash
$ node . run check-coverage
```
## Test Coverage

We use [`tap`](https://node-tap.org/) for testing & expect that every new feature or bug fix comes with corresponding tests that validate the solutions. Tap also reports on code coverage and it will fail if that drops below 100%.

## Performance & Benchmarks

Expand Down
7 changes: 6 additions & 1 deletion DEPENDENCIES.md
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,7 @@ graph LR;
npm-bundled-->npm-normalize-package-bin;
npm-install-checks-->semver;
npm-package-arg-->hosted-git-info;
npm-package-arg-->proc-log;
npm-package-arg-->semver;
npm-package-arg-->validate-npm-package-name;
npm-packlist-->ignore-walk;
Expand Down Expand Up @@ -257,7 +258,7 @@ graph LR;
cidr-regex-->ip-regex;
cli-columns-->string-width;
cli-columns-->strip-ansi;
cli-table3-->colors;
cli-table3-->colors-colors["@colors/colors"];
cli-table3-->string-width;
cmd-shim-->mkdirp-infer-owner;
color-convert-->color-name;
Expand Down Expand Up @@ -405,6 +406,7 @@ graph LR;
libnpmversion-->require-inject;
libnpmversion-->semver;
libnpmversion-->tap;
lru-cache-->yallist;
make-fetch-happen-->agentkeepalive;
make-fetch-happen-->cacache;
make-fetch-happen-->http-cache-semantics;
Expand Down Expand Up @@ -510,6 +512,7 @@ graph LR;
npm-->npmcli-template-oss["@npmcli/template-oss"];
npm-->npmlog;
npm-->opener;
npm-->p-map;
npm-->pacote;
npm-->parse-conflict-json;
npm-->proc-log;
Expand All @@ -535,6 +538,7 @@ graph LR;
npm-bundled-->npm-normalize-package-bin;
npm-install-checks-->semver;
npm-package-arg-->hosted-git-info;
npm-package-arg-->proc-log;
npm-package-arg-->semver;
npm-package-arg-->validate-npm-package-name;
npm-packlist-->glob;
Expand Down Expand Up @@ -634,6 +638,7 @@ graph LR;
npmcli-run-script-->npmcli-node-gyp["@npmcli/node-gyp"];
npmcli-run-script-->npmcli-promise-spawn["@npmcli/promise-spawn"];
npmcli-run-script-->read-package-json-fast;
npmcli-run-script-->which;
npmlog-->are-we-there-yet;
npmlog-->console-control-strings;
npmlog-->gauge;
Expand Down
57 changes: 49 additions & 8 deletions docs/content/commands/npm-audit.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,14 +43,55 @@ output, it simply changes the command's failure threshold.

### Audit Signatures

This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from. npm will attempt to download the keys from `/-/npm/v1/keys` on
each the registry used to download any given package. It will then
check the `dist.signatures` object in the package itself, and verify the
`sig` present there using the `keyid` there, matching it with a key
returned from the registry. The command for this is `npm audit
signatures`
To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.

Registry signatures can be verified using the following `audit` command:

```bash
$ npm audit signatures
```

The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:

1. Signatures are provided in the package's `packument` in each published version within the `dist` object:

```json
"dist":{
"..omitted..": "..omitted..",
"signatures": [{
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
}]
}
```

See this [example](https://registry.npmjs.org/light-cycle/1.4.3) of a signed package from the public npm registry.

The `sig` is generated using the following template: `${package.name}@${package.version}:${package.dist.integrity}` and the `keyid` has to match one of the public signing keys below.

2. Public signing keys are provided at `registry-host.tld/-/npm/v1/keys` in the following format:

```
{
"keys": [{
"expires": null,
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"keytype": "ecdsa-sha2-nistp256",
"scheme": "ecdsa-sha2-nistp256",
"key": "{{B64_PUBLIC_KEY}}"
}]
}
```

Keys response:

- `expires`: null or a simplified extended <a href="https://en.wikipedia.org/wiki/ISO_8601" target="_blank">ISO 8601 format</a>: `YYYY-MM-DDTHH:mm:ss.sssZ`
- `keydid`: sha256 fingerprint of the public key
- `keytype`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
- `scheme`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
- `key`: base64 encoded public key

See this <a href="https://registry.npmjs.org/-/npm/v1/keys" target="_blank">example key's response from the public npm registry</a>.

### Audit Endpoints

Expand Down
2 changes: 1 addition & 1 deletion docs/content/configuring-npm/folders.md
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ For a graphical breakdown of what is installed where, use `npm ls`.
#### Publishing
Upon publishing, npm will look in the `node_modules` folder. If any of
the items there are not in the `bundledDependencies` array, then they will
the items there are not in the `bundleDependencies` array, then they will
not be included in the package tarball.
This allows a package maintainer to install all of their dependencies
Expand Down
10 changes: 5 additions & 5 deletions docs/content/configuring-npm/package-json.md
Original file line number Diff line number Diff line change
Expand Up @@ -829,14 +829,14 @@ if the `soy-milk` package is not installed on the host. This allows you to
integrate and interact with a variety of host packages without requiring
all of them to be installed.

### bundledDependencies
### bundleDependencies

This defines an array of package names that will be bundled when publishing
the package.

In cases where you need to preserve npm packages locally or have them
available through a single file download, you can bundle the packages in a
tarball file by specifying the package names in the `bundledDependencies`
tarball file by specifying the package names in the `bundleDependencies`
array and executing `npm pack`.

For example:
Expand All @@ -847,7 +847,7 @@ If we define a package.json like this:
{
"name": "awesome-web-framework",
"version": "1.0.0",
"bundledDependencies": [
"bundleDependencies": [
"renderized",
"super-streams"
]
Expand All @@ -860,9 +860,9 @@ can be installed in a new project by executing `npm install
awesome-web-framework-1.0.0.tgz`. Note that the package names do not
include any versions, as that information is specified in `dependencies`.

If this is spelled `"bundleDependencies"`, then that is also honored.
If this is spelled `"bundledDependencies"`, then that is also honored.

Alternatively, `"bundledDependencies"` can be defined as a boolean value. A
Alternatively, `"bundleDependencies"` can be defined as a boolean value. A
value of `true` will bundle all dependencies, a value of `false` will bundle
none.

Expand Down
8 changes: 5 additions & 3 deletions docs/content/using-npm/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -357,8 +357,9 @@ newlines replaced by the string "\n". For example:
cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
```

It is _not_ the path to a certificate file (and there is no "certfile"
option).
It is _not_ the path to a certificate file, though you can set a
registry-scoped "certfile" path like
"//other-registry.tld/:certfile=/path/to/cert.pem".

<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
Expand Down Expand Up @@ -946,7 +947,8 @@ format with newlines replaced by the string "\n". For example:
key="-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----"
```

It is _not_ the path to a key file (and there is no "keyfile" option).
It is _not_ the path to a key file, though you can set a registry-scoped
"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".

<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
Expand Down
2 changes: 1 addition & 1 deletion lib/commands/adduser.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ class AddUser extends BaseCommand {
log.disableProgress()

log.warn('adduser',
'`adduser` will be split into `login` and `register in a future version.'
'`adduser` will be split into `login` and `register` in a future version.'
+ ' `adduser` will become an alias of `register`.'
+ ' `login` (currently an alias) will become its own command.')
log.notice('', `Log in on ${replaceInfo(registry)}`)
Expand Down
5 changes: 2 additions & 3 deletions lib/commands/publish.js
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,7 @@ class Publish extends BaseCommand {
throw new Error('Tag name must not be a valid SemVer range: ' + defaultTag.trim())
}

const opts = { ...this.npm.flatOptions }
log.disableProgress()
const opts = { ...this.npm.flatOptions, progress: false }

// you can publish name@version, ./foo.tgz, etc.
// even though the default is the 'file:.' cwd.
Expand Down Expand Up @@ -102,7 +101,7 @@ class Publish extends BaseCommand {
const resolved = npa.resolve(manifest.name, manifest.version)
const registry = npmFetch.pickRegistry(resolved, opts)
const creds = this.npm.config.getCredentialsByURI(registry)
const noCreds = !creds.token && !creds.username
const noCreds = !(creds.token || creds.username || creds.certfile && creds.keyfile)
const outputRegistry = replaceInfo(registry)

if (noCreds) {
Expand Down
7 changes: 4 additions & 3 deletions lib/utils/config/definitions.js
Original file line number Diff line number Diff line change
Expand Up @@ -436,8 +436,8 @@ define('cert', {
cert="-----BEGIN CERTIFICATE-----\\nXXXX\\nXXXX\\n-----END CERTIFICATE-----"
\`\`\`
It is _not_ the path to a certificate file (and there is no "certfile"
option).
It is _not_ the path to a certificate file, though you can set a registry-scoped
"certfile" path like "//other-registry.tld/:certfile=/path/to/cert.pem".
`,
flatten,
})
Expand Down Expand Up @@ -1118,7 +1118,8 @@ define('key', {
key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----"
\`\`\`
It is _not_ the path to a key file (and there is no "keyfile" option).
It is _not_ the path to a key file, though you can set a registry-scoped
"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".
`,
flatten,
})
Expand Down
4 changes: 2 additions & 2 deletions lib/utils/get-identity.js
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@ module.exports = async (npm, opts) => {
return creds.username
}

// No username, but we have a token; fetch the username from registry
if (creds.token) {
// No username, but we have other credentials; fetch the username from registry
if (creds.token || creds.certfile && creds.keyfile) {
const registryData = await npmFetch.json('/-/whoami', { ...opts })
return registryData.username
}
Expand Down
19 changes: 17 additions & 2 deletions node_modules/@npmcli/config/lib/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -698,9 +698,11 @@ class Config {
this.delete(`${nerfed}:_password`, 'user')
this.delete(`${nerfed}:username`, 'user')
this.delete(`${nerfed}:email`, 'user')
this.delete(`${nerfed}:certfile`, 'user')
this.delete(`${nerfed}:keyfile`, 'user')
}

setCredentialsByURI (uri, { token, username, password, email }) {
setCredentialsByURI (uri, { token, username, password, email, certfile, keyfile }) {
const nerfed = nerfDart(uri)
const def = nerfDart(this.get('registry'))

Expand Down Expand Up @@ -733,6 +735,11 @@ class Config {
this.delete(`${nerfed}:-authtoken`, 'user')
this.delete(`${nerfed}:_authtoken`, 'user')
this.delete(`${nerfed}:email`, 'user')
if (certfile && keyfile) {
this.set(`${nerfed}:certfile`, certfile, 'user')
this.set(`${nerfed}:keyfile`, keyfile, 'user')
// cert/key may be used in conjunction with other credentials, thus no `else`
}
if (token) {
this.set(`${nerfed}:_authToken`, token, 'user')
this.delete(`${nerfed}:_password`, 'user')
Expand All @@ -750,7 +757,7 @@ class Config {
// protects against shoulder-hacks if password is memorable, I guess?
const encoded = Buffer.from(password, 'utf8').toString('base64')
this.set(`${nerfed}:_password`, encoded, 'user')
} else {
} else if (!certfile || !keyfile) {
throw new Error('No credentials to set.')
}
}
Expand All @@ -765,6 +772,14 @@ class Config {
creds.email = email
}

const certfileReg = this.get(`${nerfed}:certfile`)
const keyfileReg = this.get(`${nerfed}:keyfile`)
if (certfileReg && keyfileReg) {
creds.certfile = certfileReg
creds.keyfile = keyfileReg
// cert/key may be used in conjunction with other credentials, thus no `return`
}

const tokenReg = this.get(`${nerfed}:_authToken`) ||
this.get(`${nerfed}:_authtoken`) ||
this.get(`${nerfed}:-authtoken`) ||
Expand Down
6 changes: 3 additions & 3 deletions node_modules/@npmcli/config/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@npmcli/config",
"version": "4.1.0",
"version": "4.2.0",
"files": [
"bin/",
"lib/"
Expand Down Expand Up @@ -31,7 +31,7 @@
},
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
"@npmcli/template-oss": "3.3.2",
"@npmcli/template-oss": "3.5.0",
"tap": "^16.0.1"
},
"dependencies": {
Expand All @@ -49,6 +49,6 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
"version": "3.3.2"
"version": "3.5.0"
}
}
1 change: 1 addition & 0 deletions node_modules/make-fetch-happen/lib/cache/entry.js
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ const KEEP_RESPONSE_HEADERS = [
'etag',
'expires',
'last-modified',
'link',
'location',
'pragma',
'vary',
Expand Down
Loading

0 comments on commit e137c4d

Please sign in to comment.