diff --git a/docs/lib/index.js b/docs/lib/index.js index deb715b38107a..e999d6f6159fd 100644 --- a/docs/lib/index.js +++ b/docs/lib/index.js @@ -42,6 +42,17 @@ const getCommandByDoc = (docFile, docExt) => { const srcName = name === 'npx' ? 'exec' : name const { params, usage = [''], workspaces } = require(`../../lib/commands/${srcName}`) const usagePrefix = name === 'npx' ? 'npx' : `npm ${name}` + if (params) { + for (const param of params) { + if (definitions[param].exclusive) { + for (const e of definitions[param].exclusive) { + if (!params.includes(e)) { + params.splice(params.indexOf(param) + 1, 0, e) + } + } + } + } + } return { name, diff --git a/lib/base-command.js b/lib/base-command.js index 883a4b0ced5dd..598964ce524e3 100644 --- a/lib/base-command.js +++ b/lib/base-command.js @@ -18,6 +18,7 @@ class BaseCommand { // this is a static so that we can read from it without instantiating a command // which would require loading the config static get describeUsage () { + const seenExclusive = new Set() const wrapWidth = 80 const { description, usage = [''], name, params } = this @@ -32,7 +33,22 @@ class BaseCommand { let results = '' let line = '' for (const param of params) { - const paramUsage = `[${definitions[param].usage}]` + /* istanbul ignore next */ + if (seenExclusive.has(param)) { + continue + } + const { exclusive } = definitions[param] + let paramUsage = `${definitions[param].usage}` + if (exclusive) { + const exclusiveParams = [paramUsage] + seenExclusive.add(param) + for (const e of exclusive) { + seenExclusive.add(e) + exclusiveParams.push(definitions[e].usage) + } + paramUsage = `${exclusiveParams.join('|')}` + } + paramUsage = `[${paramUsage}]` if (line.length + paramUsage.length > wrapWidth) { results = [results, line].filter(Boolean).join('\n') line = '' diff --git a/lib/utils/config/definition.js b/lib/utils/config/definition.js index f88d8334cf01f..54e522c355b93 100644 --- a/lib/utils/config/definition.js +++ b/lib/utils/config/definition.js @@ -13,6 +13,7 @@ const allowed = [ 'defaultDescription', 'deprecated', 'description', + 'exclusive', 'flatten', 'hint', 'key', @@ -83,12 +84,15 @@ class Definition { This value is not exported to the environment for child processes. ` const deprecated = !this.deprecated ? '' : `* DEPRECATED: ${unindent(this.deprecated)}\n` + /* eslint-disable-next-line max-len */ + const exclusive = !this.exclusive ? '' : `\nThis config can not be used with: \`${this.exclusive.join('`, `')}\`` return wrapAll(`#### \`${this.key}\` * Default: ${unindent(this.defaultDescription)} * Type: ${unindent(this.typeDescription)} ${deprecated} ${description} +${exclusive} ${noEnvExport}`) } } diff --git a/lib/utils/config/definitions.js b/lib/utils/config/definitions.js index 131053040ca2c..f86c3ddff81b5 100644 --- a/lib/utils/config/definitions.js +++ b/lib/utils/config/definitions.js @@ -1635,6 +1635,7 @@ define('progress', { define('provenance', { default: false, type: Boolean, + exclusive: ['provenance-file'], description: ` When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and published from. @@ -1642,6 +1643,17 @@ define('provenance', { flatten, }) +define('provenance-file', { + default: null, + type: path, + hint: '', + exclusive: ['provenance'], + description: ` + When publishing, the provenance bundle at the given path will be used. + `, + flatten, +}) + define('proxy', { default: null, type: [null, false, url], // allow proxy to be disabled explicitly diff --git a/tap-snapshots/test/lib/commands/config.js.test.cjs b/tap-snapshots/test/lib/commands/config.js.test.cjs index be98ad429c70e..d4fc5de7a1c4e 100644 --- a/tap-snapshots/test/lib/commands/config.js.test.cjs +++ b/tap-snapshots/test/lib/commands/config.js.test.cjs @@ -118,6 +118,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna "production": null, "progress": true, "provenance": false, + "provenance-file": null, "proxy": null, "read-only": false, "rebuild-bundle": true, @@ -274,6 +275,7 @@ preid = "" production = null progress = true provenance = false +provenance-file = null proxy = null read-only = false rebuild-bundle = true diff --git a/tap-snapshots/test/lib/docs.js.test.cjs b/tap-snapshots/test/lib/docs.js.test.cjs index e46fd065b9eb6..7999a5a9795f0 100644 --- a/tap-snapshots/test/lib/docs.js.test.cjs +++ b/tap-snapshots/test/lib/docs.js.test.cjs @@ -183,6 +183,8 @@ Warning: This should generally not be set via a command-line option. It is safer to use a registry-provided authentication bearer token stored in the ~/.npmrc file by running \`npm login\`. + + #### \`access\` * Default: 'public' for new packages, existing packages it will not change the @@ -199,6 +201,8 @@ packages. Specifying a value of \`restricted\` or \`public\` during publish will change the access for an existing package the same way that \`npm access set status\` would. + + #### \`all\` * Default: false @@ -208,6 +212,8 @@ When running \`npm outdated\` and \`npm ls\`, setting \`--all\` will show all outdated or installed packages, rather than only those directly depended upon by the current project. + + #### \`allow-same-version\` * Default: false @@ -216,6 +222,8 @@ upon by the current project. Prevents throwing an error when \`npm version\` is used to set the new version to the same value as the current version. + + #### \`audit\` * Default: true @@ -226,6 +234,8 @@ default registry and all registries configured for scopes. See the documentation for [\`npm audit\`](/commands/npm-audit) for details on what is submitted. + + #### \`audit-level\` * Default: null @@ -234,6 +244,8 @@ submitted. The minimum level of vulnerability for \`npm audit\` to exit with a non-zero exit code. + + #### \`auth-type\` * Default: "web" @@ -242,6 +254,8 @@ exit code. What authentication strategy to use with \`login\`. Note that if an \`otp\` config is given, this value will always be set to \`legacy\`. + + #### \`before\` * Default: null @@ -257,6 +271,8 @@ If the requested version is a \`dist-tag\` and the given tag does not pass the will be used. For example, \`foo@latest\` might install \`foo@1.2\` even though \`latest\` is \`2.0\`. + + #### \`bin-links\` * Default: true @@ -269,6 +285,8 @@ Set to false to have it not do this. This can be used to work around the fact that some file systems don't support symlinks, even on ostensibly Unix systems. + + #### \`browser\` * Default: OS X: \`"open"\`, Windows: \`"start"\`, Others: \`"xdg-open"\` @@ -281,6 +299,8 @@ terminal. Set to \`true\` to use default system URL opener. + + #### \`ca\` * Default: null @@ -307,6 +327,8 @@ ca[]="..." See also the \`strict-ssl\` config. + + #### \`cache\` * Default: Windows: \`%LocalAppData%\\npm-cache\`, Posix: \`~/.npm\` @@ -314,6 +336,8 @@ See also the \`strict-ssl\` config. The location of npm's cache directory. + + #### \`cafile\` * Default: null @@ -323,6 +347,8 @@ A path to a file containing one or multiple Certificate Authority signing certificates. Similar to the \`ca\` setting, but allows for multiple CA's, as well as for the CA information to be stored in a file on disk. + + #### \`call\` * Default: "" @@ -336,6 +362,7 @@ npm exec --package yo --package generator-node --call "yo node" \`\`\` + #### \`cidr\` * Default: null @@ -344,6 +371,8 @@ npm exec --package yo --package generator-node --call "yo node" This is a list of CIDR address to be used when configuring limited access tokens with the \`npm token create\` command. + + #### \`color\` * Default: true unless the NO_COLOR environ is set to something other than '0' @@ -352,6 +381,8 @@ tokens with the \`npm token create\` command. If false, never shows colors. If \`"always"\` then always shows colors. If true, then only prints color codes for tty file descriptors. + + #### \`commit-hooks\` * Default: true @@ -359,6 +390,8 @@ true, then only prints color codes for tty file descriptors. Run git commit hooks when using the \`npm version\` command. + + #### \`depth\` * Default: \`Infinity\` if \`--all\` is set, otherwise \`1\` @@ -369,6 +402,8 @@ The depth to go when recursing packages for \`npm ls\`. If not set, \`npm ls\` will show only the immediate dependencies of the root project. If \`--all\` is set, then npm will show all dependencies by default. + + #### \`description\` * Default: true @@ -376,6 +411,8 @@ project. If \`--all\` is set, then npm will show all dependencies by default. Show the description in \`npm search\` + + #### \`diff\` * Default: @@ -383,6 +420,8 @@ Show the description in \`npm search\` Define arguments to compare in \`npm diff\`. + + #### \`diff-dst-prefix\` * Default: "b/" @@ -390,6 +429,8 @@ Define arguments to compare in \`npm diff\`. Destination prefix to be used in \`npm diff\` output. + + #### \`diff-ignore-all-space\` * Default: false @@ -397,6 +438,8 @@ Destination prefix to be used in \`npm diff\` output. Ignore whitespace when comparing lines in \`npm diff\`. + + #### \`diff-name-only\` * Default: false @@ -404,6 +447,8 @@ Ignore whitespace when comparing lines in \`npm diff\`. Prints only filenames when using \`npm diff\`. + + #### \`diff-no-prefix\` * Default: false @@ -414,6 +459,8 @@ Do not show any source or destination prefix in \`npm diff\` output. Note: this causes \`npm diff\` to ignore the \`--diff-src-prefix\` and \`--diff-dst-prefix\` configs. + + #### \`diff-src-prefix\` * Default: "a/" @@ -421,6 +468,8 @@ Note: this causes \`npm diff\` to ignore the \`--diff-src-prefix\` and Source prefix to be used in \`npm diff\` output. + + #### \`diff-text\` * Default: false @@ -428,6 +477,8 @@ Source prefix to be used in \`npm diff\` output. Treat all files as text in \`npm diff\`. + + #### \`diff-unified\` * Default: 3 @@ -435,6 +486,8 @@ Treat all files as text in \`npm diff\`. The number of lines of context to print in \`npm diff\`. + + #### \`dry-run\` * Default: false @@ -448,6 +501,8 @@ commands that modify your local installation, eg, \`install\`, \`update\`, Note: This is NOT honored by other network related commands, eg \`dist-tags\`, \`owner\`, etc. + + #### \`editor\` * Default: The EDITOR or VISUAL environment variables, or @@ -456,6 +511,8 @@ Note: This is NOT honored by other network related commands, eg \`dist-tags\`, The command to run for \`npm edit\` and \`npm config edit\`. + + #### \`engine-strict\` * Default: false @@ -467,6 +524,8 @@ Node.js version. This can be overridden by setting the \`--force\` flag. + + #### \`fetch-retries\` * Default: 2 @@ -478,6 +537,8 @@ from the registry. npm will retry idempotent read requests to the registry in the case of network failures or 5xx HTTP errors. + + #### \`fetch-retry-factor\` * Default: 10 @@ -485,6 +546,8 @@ network failures or 5xx HTTP errors. The "factor" config for the \`retry\` module to use when fetching packages. + + #### \`fetch-retry-maxtimeout\` * Default: 60000 (1 minute) @@ -493,6 +556,8 @@ The "factor" config for the \`retry\` module to use when fetching packages. The "maxTimeout" config for the \`retry\` module to use when fetching packages. + + #### \`fetch-retry-mintimeout\` * Default: 10000 (10 seconds) @@ -501,6 +566,8 @@ packages. The "minTimeout" config for the \`retry\` module to use when fetching packages. + + #### \`fetch-timeout\` * Default: 300000 (5 minutes) @@ -508,6 +575,8 @@ packages. The maximum amount of time to wait for HTTP requests to complete. + + #### \`force\` * Default: false @@ -534,6 +603,8 @@ mistakes, unnecessary performance degradation, and malicious input. If you don't have a clear idea of what you want to do, it is strongly recommended that you do not use this option! + + #### \`foreground-scripts\` * Default: false @@ -546,6 +617,8 @@ input, output, and error with the main npm process. Note that this will generally make installs run slower, and be much noisier, but can be useful for debugging. + + #### \`format-package-lock\` * Default: true @@ -554,6 +627,8 @@ but can be useful for debugging. Format \`package-lock.json\` or \`npm-shrinkwrap.json\` as a human readable file. + + #### \`fund\` * Default: true @@ -563,6 +638,8 @@ When "true" displays the message at the end of each \`npm install\` acknowledging the number of dependencies looking for funding. See [\`npm fund\`](/commands/npm-fund) for details. + + #### \`git\` * Default: "git" @@ -571,6 +648,8 @@ fund\`](/commands/npm-fund) for details. The command to use for git commands. If git is installed on the computer, but is not in the \`PATH\`, then set this to the full path to the git binary. + + #### \`git-tag-version\` * Default: true @@ -579,6 +658,8 @@ but is not in the \`PATH\`, then set this to the full path to the git binary. Tag the commit when using the \`npm version\` command. Setting this to false results in no commit being made at all. + + #### \`global\` * Default: false @@ -593,6 +674,8 @@ folder instead of the current working directory. See * bin files are linked to \`{prefix}/bin\` * man pages are linked to \`{prefix}/share/man\` + + #### \`globalconfig\` * Default: The global --prefix setting plus 'etc/npmrc'. For example, @@ -601,6 +684,8 @@ folder instead of the current working directory. See The config file to read for global config options. + + #### \`heading\` * Default: "npm" @@ -608,6 +693,8 @@ The config file to read for global config options. The string that starts all the debugging log output. + + #### \`https-proxy\` * Default: null @@ -618,6 +705,8 @@ A proxy to use for outgoing https requests. If the \`HTTPS_PROXY\` or proxy settings will be honored by the underlying \`make-fetch-happen\` library. + + #### \`if-present\` * Default: false @@ -644,6 +733,8 @@ Note that commands explicitly intended to run a particular script, such as will still run their intended script if \`ignore-scripts\` is set, but they will *not* run any pre- or post-scripts. + + #### \`include\` * Default: @@ -656,6 +747,8 @@ This is the inverse of \`--omit=\`. Dependency types specified in \`--include\` will not be omitted, regardless of the order in which omit/include are specified on the command-line. + + #### \`include-staged\` * Default: false @@ -666,6 +759,8 @@ Allow installing "staged" published packages, as defined by [npm RFC PR This is experimental, and not implemented by the npm public registry. + + #### \`include-workspace-root\` * Default: false @@ -686,6 +781,8 @@ This value is not exported to the environment for child processes. The value \`npm init\` should use by default for the package author's email. + + #### \`init-author-name\` * Default: "" @@ -693,6 +790,8 @@ The value \`npm init\` should use by default for the package author's email. The value \`npm init\` should use by default for the package author's name. + + #### \`init-author-url\` * Default: "" @@ -701,6 +800,8 @@ The value \`npm init\` should use by default for the package author's name. The value \`npm init\` should use by default for the package author's homepage. + + #### \`init-license\` * Default: "ISC" @@ -708,6 +809,8 @@ homepage. The value \`npm init\` should use by default for the package license. + + #### \`init-module\` * Default: "~/.npm-init.js" @@ -718,6 +821,8 @@ documentation for the [init-package-json](https://github.com/npm/init-package-json) module for more information, or [npm init](/commands/npm-init). + + #### \`init-version\` * Default: "1.0.0" @@ -726,6 +831,8 @@ more information, or [npm init](/commands/npm-init). The value that \`npm init\` should use by default for the package version number, if not already set in package.json. + + #### \`install-links\` * Default: false @@ -735,6 +842,8 @@ When set file: protocol dependencies will be packed and installed as regular dependencies instead of creating a symlink. This option has no effect on workspaces. + + #### \`install-strategy\` * Default: "hoisted" @@ -747,6 +856,8 @@ place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted. + + #### \`json\` * Default: false @@ -759,6 +870,8 @@ Whether or not to output JSON data, rather than the normal output. Not supported by all npm commands. + + #### \`legacy-peer-deps\` * Default: false @@ -777,6 +890,8 @@ This differs from \`--omit=peer\`, in that \`--omit=peer\` will avoid unpacking Use of \`legacy-peer-deps\` is not recommended, as it will not enforce the \`peerDependencies\` contract that meta-dependencies may rely on. + + #### \`link\` * Default: false @@ -784,6 +899,8 @@ Use of \`legacy-peer-deps\` is not recommended, as it will not enforce the Used with \`npm ls\`, limiting output to only those packages that are linked. + + #### \`local-address\` * Default: null @@ -792,6 +909,8 @@ Used with \`npm ls\`, limiting output to only those packages that are linked. The IP address of the local interface to use when making connections to the npm registry. Must be IPv4 in versions of Node prior to 0.12. + + #### \`location\` * Default: "user" unless \`--global\` is passed, which will also set this value @@ -809,6 +928,8 @@ instead of the current working directory. See * bin files are linked to \`{prefix}/bin\` * man pages are linked to \`{prefix}/share/man\` + + #### \`lockfile-version\` * Default: Version 3 if no lockfile, auto-converting v1 lockfiles to v3, @@ -831,6 +952,8 @@ determinism and interoperability, at the expense of more bytes on disk. disk than lockfile version 2, but not interoperable with older npm versions. Ideal if all users are on npm version 7 and higher. + + #### \`loglevel\` * Default: "notice" @@ -845,6 +968,8 @@ Any logs of a higher level than the setting are shown. The default is See also the \`foreground-scripts\` config. + + #### \`logs-dir\` * Default: A directory named \`_logs\` inside the cache @@ -853,6 +978,8 @@ See also the \`foreground-scripts\` config. The location of npm's log directory. See [\`npm logging\`](/using-npm/logging) for more information. + + #### \`logs-max\` * Default: 10 @@ -862,6 +989,8 @@ The maximum number of log files to store. If set to 0, no log files will be written for the current run. + + #### \`long\` * Default: false @@ -869,6 +998,8 @@ If set to 0, no log files will be written for the current run. Show extended information in \`ls\`, \`search\`, and \`help-search\`. + + #### \`maxsockets\` * Default: 15 @@ -877,6 +1008,8 @@ Show extended information in \`ls\`, \`search\`, and \`help-search\`. The maximum number of connections to use per origin (protocol/host/port combination). + + #### \`message\` * Default: "%s" @@ -886,6 +1019,8 @@ Commit message which is used by \`npm version\` when creating version commit. Any "%s" in the message will be replaced with the version number. + + #### \`node-options\` * Default: null @@ -895,6 +1030,8 @@ Options to pass through to Node.js via the \`NODE_OPTIONS\` environment variable. This does not impact how npm itself is executed but it does impact how lifecycle scripts are called. + + #### \`noproxy\` * Default: The value of the NO_PROXY environment variable @@ -904,6 +1041,8 @@ Domain extensions that should bypass any proxies. Also accepts a comma-delimited string. + + #### \`offline\` * Default: false @@ -912,6 +1051,8 @@ Also accepts a comma-delimited string. Force offline mode: no network requests will be done during install. To allow the CLI to fill in missing cache data, see \`--prefer-offline\`. + + #### \`omit\` * Default: 'dev' if the \`NODE_ENV\` environment variable is set to @@ -930,6 +1071,8 @@ it will be included. If the resulting omit list includes \`'dev'\`, then the \`NODE_ENV\` environment variable will be set to \`'production'\` for all lifecycle scripts. + + #### \`omit-lockfile-registry-resolved\` * Default: false @@ -940,6 +1083,8 @@ registry dependencies. Subsequent installs will need to resolve tarball endpoints with the configured registry, likely resulting in a longer install time. + + #### \`otp\` * Default: null @@ -951,6 +1096,8 @@ when publishing or changing package permissions with \`npm access\`. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. + + #### \`pack-destination\` * Default: "." @@ -958,6 +1105,8 @@ password, npm will prompt on the command line for one. Directory in which \`npm pack\` will save tarballs. + + #### \`package\` * Default: @@ -965,6 +1114,8 @@ Directory in which \`npm pack\` will save tarballs. The package or packages to install for [\`npm exec\`](/commands/npm-exec) + + #### \`package-lock\` * Default: true @@ -973,6 +1124,8 @@ The package or packages to install for [\`npm exec\`](/commands/npm-exec) If set to false, then ignore \`package-lock.json\` files when installing. This will also prevent _writing_ \`package-lock.json\` if \`save\` is true. + + #### \`package-lock-only\` * Default: false @@ -987,6 +1140,8 @@ instead of checking \`node_modules\` and downloading dependencies. For \`list\` this means the output will be based on the tree described by the \`package-lock.json\`, rather than the contents of \`node_modules\`. + + #### \`parseable\` * Default: false @@ -995,6 +1150,8 @@ For \`list\` this means the output will be based on the tree described by the Output parseable results from commands that write to standard output. For \`npm search\`, this will be tab-separated table format. + + #### \`prefer-dedupe\` * Default: false @@ -1003,6 +1160,8 @@ Output parseable results from commands that write to standard output. For Prefer to deduplicate packages if possible, rather than choosing a newer version of a dependency. + + #### \`prefer-offline\` * Default: false @@ -1012,6 +1171,8 @@ If true, staleness checks for cached data will be bypassed, but missing data will be requested from the server. To force full offline mode, use \`--offline\`. + + #### \`prefer-online\` * Default: false @@ -1020,6 +1181,8 @@ will be requested from the server. To force full offline mode, use If true, staleness checks for cached data will be forced, making the CLI look for updates immediately even for fresh package data. + + #### \`prefix\` * Default: In global mode, the folder where the node executable is installed. @@ -1030,6 +1193,8 @@ look for updates immediately even for fresh package data. The location to install global items. If set on the command line, then it forces non-global commands to run in the specified folder. + + #### \`preid\` * Default: "" @@ -1038,6 +1203,8 @@ forces non-global commands to run in the specified folder. The "prerelease identifier" to use as a prefix for the "prerelease" part of a semver. Like the \`rc\` in \`1.2.0-rc.8\`. + + #### \`progress\` * Default: \`true\` unless running in a known CI system @@ -1048,6 +1215,8 @@ operations, if \`process.stderr\` is a TTY. Set to \`false\` to suppress the progress bar. + + #### \`provenance\` * Default: false @@ -1056,6 +1225,17 @@ Set to \`false\` to suppress the progress bar. When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and published from. +This config can not be used with: \`provenance-file\` + +#### \`provenance-file\` + +* Default: null +* Type: Path + +When publishing, the provenance bundle at the given path will be used. + +This config can not be used with: \`provenance\` + #### \`proxy\` * Default: null @@ -1065,6 +1245,8 @@ A proxy to use for outgoing http requests. If the \`HTTP_PROXY\` or \`http_proxy\` environment variables are set, proxy settings will be honored by the underlying \`request\` library. + + #### \`read-only\` * Default: false @@ -1073,6 +1255,8 @@ by the underlying \`request\` library. This is used to mark a token as unable to publish when configuring limited access tokens with the \`npm token create\` command. + + #### \`rebuild-bundle\` * Default: true @@ -1080,6 +1264,8 @@ access tokens with the \`npm token create\` command. Rebuild bundled dependencies after installation. + + #### \`registry\` * Default: "https://registry.npmjs.org/" @@ -1087,6 +1273,8 @@ Rebuild bundled dependencies after installation. The base URL of the npm registry. + + #### \`replace-registry-host\` * Default: "npmjs" @@ -1102,6 +1290,8 @@ registry host with the configured host every time. You may also specify a bare hostname (e.g., "registry.npmjs.org"). + + #### \`save\` * Default: \`true\` unless when using \`npm update\` where it defaults to \`false\` @@ -1114,6 +1304,8 @@ When used with the \`npm rm\` command, removes the dependency from Will also prevent writing to \`package-lock.json\` if set to \`false\`. + + #### \`save-bundle\` * Default: false @@ -1125,6 +1317,8 @@ If a package would be saved at install time by the use of \`--save\`, Ignored if \`--save-peer\` is set, since peerDependencies cannot be bundled. + + #### \`save-dev\` * Default: false @@ -1132,6 +1326,8 @@ Ignored if \`--save-peer\` is set, since peerDependencies cannot be bundled. Save installed packages to a package.json file as \`devDependencies\`. + + #### \`save-exact\` * Default: false @@ -1140,6 +1336,8 @@ Save installed packages to a package.json file as \`devDependencies\`. Dependencies saved to package.json will be configured with an exact version rather than using npm's default semver range operator. + + #### \`save-optional\` * Default: false @@ -1147,6 +1345,8 @@ rather than using npm's default semver range operator. Save installed packages to a package.json file as \`optionalDependencies\`. + + #### \`save-peer\` * Default: false @@ -1154,6 +1354,8 @@ Save installed packages to a package.json file as \`optionalDependencies\`. Save installed packages to a package.json file as \`peerDependencies\` + + #### \`save-prefix\` * Default: "^" @@ -1167,6 +1369,8 @@ to \`^1.2.3\` which allows minor upgrades for that package, but after \`npm config set save-prefix='~'\` it would be set to \`~1.2.3\` which only allows patch upgrades. + + #### \`save-prod\` * Default: false @@ -1179,6 +1383,8 @@ you want to move it to be a non-optional production dependency. This is the default behavior if \`--save\` is true, and neither \`--save-dev\` or \`--save-optional\` are true. + + #### \`scope\` * Default: the scope of the current project, if any, or "" @@ -1209,6 +1415,7 @@ npm init --scope=@foo --yes \`\`\` + #### \`script-shell\` * Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows @@ -1217,6 +1424,8 @@ npm init --scope=@foo --yes The shell to use for scripts run with the \`npm exec\`, \`npm run\` and \`npm init \` commands. + + #### \`searchexclude\` * Default: "" @@ -1224,6 +1433,8 @@ init \` commands. Space-separated options that limit the results from search. + + #### \`searchlimit\` * Default: 20 @@ -1232,6 +1443,8 @@ Space-separated options that limit the results from search. Number of items to limit search results to. Will not apply at all to legacy searches. + + #### \`searchopts\` * Default: "" @@ -1239,6 +1452,8 @@ searches. Space-separated options that are always passed to search. + + #### \`searchstaleness\` * Default: 900 @@ -1247,6 +1462,8 @@ Space-separated options that are always passed to search. The age of the cache, in seconds, before another registry request is made if using legacy search endpoint. + + #### \`shell\` * Default: SHELL environment variable, or "bash" on Posix, or "cmd.exe" on @@ -1255,6 +1472,8 @@ using legacy search endpoint. The shell to run for the \`npm explore\` command. + + #### \`sign-git-commit\` * Default: false @@ -1266,6 +1485,8 @@ version using \`-S\` to add a signature. Note that git requires you to have set up GPG keys in your git configs for this to work properly. + + #### \`sign-git-tag\` * Default: false @@ -1277,6 +1498,8 @@ If set to true, then the \`npm version\` command will tag the version using Note that git requires you to have set up GPG keys in your git configs for this to work properly. + + #### \`strict-peer-deps\` * Default: false @@ -1296,6 +1519,8 @@ When such an override is performed, a warning is printed, explaining the conflict and the packages involved. If \`--strict-peer-deps\` is set, then this warning is treated as a failure. + + #### \`strict-ssl\` * Default: true @@ -1306,6 +1531,8 @@ via https. See also the \`ca\` config. + + #### \`tag\` * Default: "latest" @@ -1320,6 +1547,8 @@ command, if no explicit tag is given. When used by the \`npm diff\` command, this is the tag used to fetch the tarball that will be compared with the local files by default. + + #### \`tag-version-prefix\` * Default: "v" @@ -1333,6 +1562,8 @@ Because other tools may rely on the convention that npm version tags look like \`v1.0.0\`, _only use this property if it is absolutely necessary_. In particular, use care when overriding this setting for public packages. + + #### \`timing\` * Default: false @@ -1347,6 +1578,8 @@ You can quickly view it with this [json](https://npm.im/json) command line: Timing information will also be reported in the terminal. To suppress this while still writing the timing file, use \`--silent\`. + + #### \`umask\` * Default: 0 @@ -1367,6 +1600,8 @@ Thus, the effective default umask value on most POSIX systems is 0o22, meaning that folders and executables are created with a mode of 0o755 and other files are created with a mode of 0o644. + + #### \`unicode\` * Default: false on windows, true on mac/unix systems with a unicode locale, @@ -1376,6 +1611,8 @@ other files are created with a mode of 0o644. When set to true, npm uses unicode characters in the tree output. When false, it uses ascii characters instead of unicode glyphs. + + #### \`update-notifier\` * Default: true @@ -1384,6 +1621,8 @@ false, it uses ascii characters instead of unicode glyphs. Set to false to suppress the update notification when using an older version of npm than the latest. + + #### \`usage\` * Default: false @@ -1391,6 +1630,8 @@ of npm than the latest. Show short usage output about the command specified. + + #### \`user-agent\` * Default: "npm/{npm-version} node/{node-version} {platform} {arch} @@ -1409,6 +1650,8 @@ their actual counterparts: * \`{ci}\` - The value of the \`ci-name\` config, if set, prefixed with \`ci/\`, or an empty string if \`ci-name\` is empty. + + #### \`userconfig\` * Default: "~/.npmrc" @@ -1420,6 +1663,8 @@ This may be overridden by the \`npm_config_userconfig\` environment variable or the \`--userconfig\` command line option, but may _not_ be overridden by settings in the \`globalconfig\` file. + + #### \`version\` * Default: false @@ -1429,6 +1674,8 @@ If true, output the npm version and exit successfully. Only relevant when specified explicitly on the command line. + + #### \`versions\` * Default: false @@ -1440,6 +1687,8 @@ exists, and exit successfully. Only relevant when specified explicitly on the command line. + + #### \`viewer\` * Default: "man" on Posix, "browser" on Windows @@ -1449,6 +1698,8 @@ The program to use to view help content. Set to \`"browser"\` to view html help content in the default web browser. + + #### \`which\` * Default: null @@ -1456,6 +1707,8 @@ Set to \`"browser"\` to view html help content in the default web browser. If there are multiple funding sources, which 1-indexed source URL to open. + + #### \`workspace\` * Default: @@ -1504,6 +1757,8 @@ This value is not exported to the environment for child processes. If set to true, the npm cli will run an update after operations that may possibly change the workspaces installed to the \`node_modules\` folder. + + #### \`yes\` * Default: null @@ -1512,6 +1767,8 @@ possibly change the workspaces installed to the \`node_modules\` folder. Automatically answer "yes" to any prompts that npm might print on the command line. + + #### \`also\` * Default: null @@ -1520,6 +1777,8 @@ command line. When set to \`dev\` or \`development\`, this is an alias for \`--include=dev\`. + + #### \`cache-max\` * Default: Infinity @@ -1528,6 +1787,8 @@ When set to \`dev\` or \`development\`, this is an alias for \`--include=dev\`. \`--cache-max=0\` is an alias for \`--prefer-online\` + + #### \`cache-min\` * Default: 0 @@ -1536,6 +1797,8 @@ When set to \`dev\` or \`development\`, this is an alias for \`--include=dev\`. \`--cache-min=9999 (or bigger)\` is an alias for \`--prefer-offline\`. + + #### \`cert\` * Default: null @@ -1557,6 +1820,8 @@ It is _not_ the path to a certificate file, though you can set a registry-scoped "certfile" path like "//other-registry.tld/:certfile=/path/to/cert.pem". + + #### \`ci-name\` * Default: The name of the current CI system, or \`null\` when not on a known CI @@ -1569,6 +1834,8 @@ The name of a continuous integration system. If not set explicitly, npm will detect the current CI environment using the [\`ci-info\`](http://npm.im/ci-info) module. + + #### \`dev\` * Default: false @@ -1577,6 +1844,8 @@ detect the current CI environment using the Alias for \`--include=dev\`. + + #### \`global-style\` * Default: false @@ -1587,6 +1856,8 @@ Alias for \`--include=dev\`. Only install direct dependencies in the top level \`node_modules\`, but hoist on deeper dependencies. Sets \`--install-strategy=shallow\`. + + #### \`init.author.email\` * Default: "" @@ -1595,6 +1866,8 @@ on deeper dependencies. Sets \`--install-strategy=shallow\`. Alias for \`--init-author-email\` + + #### \`init.author.name\` * Default: "" @@ -1603,6 +1876,8 @@ Alias for \`--init-author-email\` Alias for \`--init-author-name\` + + #### \`init.author.url\` * Default: "" @@ -1611,6 +1886,8 @@ Alias for \`--init-author-name\` Alias for \`--init-author-url\` + + #### \`init.license\` * Default: "ISC" @@ -1619,6 +1896,8 @@ Alias for \`--init-author-url\` Alias for \`--init-license\` + + #### \`init.module\` * Default: "~/.npm-init.js" @@ -1627,6 +1906,8 @@ Alias for \`--init-license\` Alias for \`--init-module\` + + #### \`init.version\` * Default: "1.0.0" @@ -1635,6 +1916,8 @@ Alias for \`--init-module\` Alias for \`--init-version\` + + #### \`key\` * Default: null @@ -1654,6 +1937,8 @@ key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----" It is _not_ the path to a key file, though you can set a registry-scoped "keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem". + + #### \`legacy-bundling\` * Default: false @@ -1666,6 +1951,8 @@ the same manner that they are depended on. This may cause very deep directory structures and duplicate package installs as there is no de-duplicating. Sets \`--install-strategy=nested\`. + + #### \`only\` * Default: null @@ -1674,6 +1961,8 @@ de-duplicating. Sets \`--install-strategy=nested\`. When set to \`prod\` or \`production\`, this is an alias for \`--omit=dev\`. + + #### \`optional\` * Default: null @@ -1685,6 +1974,8 @@ Default value does install optional deps unless otherwise omitted. Alias for --include=optional or --omit=optional + + #### \`production\` * Default: null @@ -1693,6 +1984,8 @@ Alias for --include=optional or --omit=optional Alias for \`--omit=dev\` + + #### \`shrinkwrap\` * Default: true @@ -1701,6 +1994,8 @@ Alias for \`--omit=dev\` Alias for --package-lock + + #### \`tmp\` * Default: The value returned by the Node.js \`os.tmpdir()\` method @@ -1712,6 +2007,8 @@ Alias for --package-lock Historically, the location where temporary files were stored. No longer relevant. + + ` exports[`test/lib/docs.js TAP config > all keys 1`] = ` @@ -1822,6 +2119,7 @@ Array [ "production", "progress", "provenance", + "provenance-file", "proxy", "read-only", "rebuild-bundle", @@ -1958,6 +2256,7 @@ Array [ "production", "progress", "provenance", + "provenance-file", "proxy", "read-only", "rebuild-bundle", @@ -3343,7 +3642,8 @@ npm publish Options: [--tag ] [--access ] [--dry-run] [--otp ] [-w|--workspace [-w|--workspace ...]] -[-ws|--workspaces] [--include-workspace-root] [--provenance] +[-ws|--workspaces] [--include-workspace-root] +[--provenance|--provenance-file ] Run "npm help publish" for more info @@ -3359,6 +3659,7 @@ npm publish #### \`workspaces\` #### \`include-workspace-root\` #### \`provenance\` +#### \`provenance-file\` ` exports[`test/lib/docs.js TAP usage query > must match snapshot 1`] = ` diff --git a/tap-snapshots/test/lib/utils/config/definition.js.test.cjs b/tap-snapshots/test/lib/utils/config/definition.js.test.cjs index ad506ae8e3585..bf4dc30a041f7 100644 --- a/tap-snapshots/test/lib/utils/config/definition.js.test.cjs +++ b/tap-snapshots/test/lib/utils/config/definition.js.test.cjs @@ -15,6 +15,8 @@ exports[`test/lib/utils/config/definition.js TAP basic definition > description it should not be used ever not even once. + + ` exports[`test/lib/utils/config/definition.js TAP basic definition > human-readable description 1`] = ` @@ -24,6 +26,8 @@ exports[`test/lib/utils/config/definition.js TAP basic definition > human-readab * Type: Number or String just a test thingie + + ` exports[`test/lib/utils/config/definition.js TAP long description > cols=-1 1`] = ` @@ -93,6 +97,7 @@ with (multiple) { } \`\`\` + ` exports[`test/lib/utils/config/definition.js TAP long description > cols=0 1`] = ` @@ -162,6 +167,7 @@ with (multiple) { } \`\`\` + ` exports[`test/lib/utils/config/definition.js TAP long description > cols=40 1`] = ` @@ -201,6 +207,7 @@ with (multiple) { } \`\`\` + ` exports[`test/lib/utils/config/definition.js TAP long description > cols=9000 1`] = ` @@ -231,6 +238,7 @@ with (multiple) { } \`\`\` + ` exports[`test/lib/utils/config/definition.js TAP long description > cols=NaN 1`] = ` @@ -261,4 +269,5 @@ with (multiple) { } \`\`\` + ` diff --git a/workspaces/config/lib/index.js b/workspaces/config/lib/index.js index b7b848dea151c..84a009851d8a2 100644 --- a/workspaces/config/lib/index.js +++ b/workspaces/config/lib/index.js @@ -575,6 +575,13 @@ class Config { const v = this.parseField(value, k) if (where !== 'default') { this.#checkDeprecated(k, where, obj, [key, value]) + if (this.definitions[key]?.exclusive) { + for (const exclusive of this.definitions[key].exclusive) { + if (!this.isDefault(exclusive)) { + throw new TypeError(`--${key} can not be provided when using --${exclusive}`) + } + } + } } conf.data[k] = v } diff --git a/workspaces/config/test/fixtures/definitions.js b/workspaces/config/test/fixtures/definitions.js index ce0aff6f3c457..f17cb1031dde3 100644 --- a/workspaces/config/test/fixtures/definitions.js +++ b/workspaces/config/test/fixtures/definitions.js @@ -2606,4 +2606,18 @@ const definitions = module.exports = { defaultDescription: 'false', typeDescription: 'Boolean', }, + truth: { + key: 'truth', + default: false, + type: Boolean, + description: 'The Truth', + exclusive: ['lie'], + }, + lie: { + key: 'lie', + default: false, + type: Boolean, + description: 'A Lie', + exclusive: ['truth'], + }, } diff --git a/workspaces/config/test/index.js b/workspaces/config/test/index.js index bd19ee48bef4f..0d72cbee526bb 100644 --- a/workspaces/config/test/index.js +++ b/workspaces/config/test/index.js @@ -239,7 +239,6 @@ loglevel = yolo env, argv, cwd: join(`${path}/project`), - shorthands, definitions, }) @@ -1318,6 +1317,27 @@ t.test('workspaces', async (t) => { }) }) +t.test('exclusive options conflict', async t => { + const path = t.testdir() + const config = new Config({ + env: {}, + npmPath: __dirname, + argv: [ + process.execPath, + __filename, + '--truth=true', + '--lie=true', + ], + cwd: join(`${path}/project`), + shorthands, + definitions, + flatten, + }) + await t.rejects(config.load(), { + name: 'TypeError', + message: '--lie can not be provided when using --truth', + }) +}) t.test('env-replaced config from files is not clobbered when saving', async (t) => { const path = t.testdir() const opts = { diff --git a/workspaces/libnpmpublish/README.md b/workspaces/libnpmpublish/README.md index 9c9c61d4b5965..90b1f7c68ab4f 100644 --- a/workspaces/libnpmpublish/README.md +++ b/workspaces/libnpmpublish/README.md @@ -51,6 +51,17 @@ A couple of options of note: token for the registry. For other ways to pass in auth details, see the n-r-f docs. +* `opts.provenance` - when running in a supported CI environment, will trigger + the generation of a signed provenance statement to be published alongside + the package. Mutually exclusive with the `provenanceFile` option. + +* `opts.provenanceFile` - specifies the path to an externally-generated + provenance statement to be published alongside the package. Mutually + exclusive with the `provenance` option. The specified file should be a + [Sigstore Bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) + containing a [DSSE](https://github.com/secure-systems-lab/dsse)-packaged + provenance statement. + #### `> libpub.publish(manifest, tarData, [opts]) -> Promise` Sends the package represented by the `manifest` and `tarData` to the diff --git a/workspaces/libnpmpublish/lib/provenance.js b/workspaces/libnpmpublish/lib/provenance.js index 1eb870da5f24f..ebe4a24475331 100644 --- a/workspaces/libnpmpublish/lib/provenance.js +++ b/workspaces/libnpmpublish/lib/provenance.js @@ -1,4 +1,5 @@ const { sigstore } = require('sigstore') +const { readFile } = require('fs/promises') const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json' const INTOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v0.1' @@ -66,6 +67,50 @@ const generateProvenance = async (subject, opts) => { return sigstore.attest(Buffer.from(JSON.stringify(payload)), INTOTO_PAYLOAD_TYPE, opts) } +const verifyProvenance = async (subject, provenancePath) => { + let provenanceBundle + try { + provenanceBundle = JSON.parse(await readFile(provenancePath)) + } catch (err) { + err.message = `Invalid provenance provided: ${err.message}` + throw err + } + + const payload = extractProvenance(provenanceBundle) + if (!payload.subject || !payload.subject.length) { + throw new Error('No subject found in sigstore bundle payload') + } + if (payload.subject.length > 1) { + throw new Error('Found more than one subject in the sigstore bundle payload') + } + + const bundleSubject = payload.subject[0] + if (subject.name !== bundleSubject.name) { + throw new Error( + `Provenance subject ${bundleSubject.name} does not match the package: ${subject.name}` + ) + } + if (subject.digest.sha512 !== bundleSubject.digest.sha512) { + throw new Error('Provenance subject digest does not match the package') + } + + await sigstore.verify(provenanceBundle) + return provenanceBundle +} + +const extractProvenance = (bundle) => { + if (!bundle?.dsseEnvelope?.payload) { + throw new Error('No dsseEnvelope with payload found in sigstore bundle') + } + try { + return JSON.parse(Buffer.from(bundle.dsseEnvelope.payload, 'base64').toString('utf8')) + } catch (err) { + err.message = `Failed to parse payload from dsseEnvelope: ${err.message}` + throw err + } +} + module.exports = { generateProvenance, + verifyProvenance, } diff --git a/workspaces/libnpmpublish/lib/publish.js b/workspaces/libnpmpublish/lib/publish.js index 79c00eb68ad0c..3749c3cebfdc8 100644 --- a/workspaces/libnpmpublish/lib/publish.js +++ b/workspaces/libnpmpublish/lib/publish.js @@ -7,7 +7,7 @@ const { URL } = require('url') const ssri = require('ssri') const ciInfo = require('ci-info') -const { generateProvenance } = require('./provenance') +const { generateProvenance, verifyProvenance } = require('./provenance') const TLOG_BASE_URL = 'https://search.sigstore.dev/' @@ -111,7 +111,7 @@ const patchManifest = (_manifest, opts) => { } const buildMetadata = async (registry, manifest, tarballData, spec, opts) => { - const { access, defaultTag, algorithms, provenance } = opts + const { access, defaultTag, algorithms, provenance, provenanceFile } = opts const root = { _id: manifest.name, name: manifest.name, @@ -154,66 +154,31 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => { // Handle case where --provenance flag was set to true let transparencyLogUrl - if (provenance === true) { + if (provenance === true || provenanceFile) { + let provenanceBundle const subject = { name: npa.toPurl(spec), digest: { sha512: integrity.sha512[0].hexDigest() }, } - // Ensure that we're running in GHA, currently the only supported build environment - if (ciInfo.name !== 'GitHub Actions') { - throw Object.assign( - new Error('Automatic provenance generation not supported outside of GitHub Actions'), - { code: 'EUSAGE' } - ) - } - - // Ensure that the GHA OIDC token is available - if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) { - throw Object.assign( - /* eslint-disable-next-line max-len */ - new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'), - { code: 'EUSAGE' } - ) - } - - // Some registries (e.g. GH packages) require auth to check visibility, - // and always return 404 when no auth is supplied. In this case we assume - // the package is always private and require `--access public` to publish - // with provenance. - let visibility = { public: false } - if (opts.provenance === true && opts.access !== 'public') { - try { - const res = await npmFetch - .json(`${registry}/-/package/${spec.escapedName}/visibility`, opts) - visibility = res - } catch (err) { - if (err.code !== 'E404') { - throw err - } + if (provenance === true) { + await ensureProvenanceGeneration(registry, spec, opts) + provenanceBundle = await generateProvenance([subject], opts) + + /* eslint-disable-next-line max-len */ + log.notice('publish', 'Signed provenance statement with source and build information from GitHub Actions') + + const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0] + /* istanbul ignore else */ + if (tlogEntry) { + transparencyLogUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}` + log.notice( + 'publish', + `Provenance statement published to transparency log: ${transparencyLogUrl}` + ) } - } - - if (!visibility.public && opts.provenance === true && opts.access !== 'public') { - throw Object.assign( - /* eslint-disable-next-line max-len */ - new Error("Can't generate provenance for new or private package, you must set `access` to public."), - { code: 'EUSAGE' } - ) - } - const provenanceBundle = await generateProvenance([subject], opts) - - /* eslint-disable-next-line max-len */ - log.notice('publish', 'Signed provenance statement with source and build information from GitHub Actions') - - const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0] - /* istanbul ignore else */ - if (tlogEntry) { - transparencyLogUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}` - log.notice( - 'publish', - `Provenance statement published to transparency log: ${transparencyLogUrl}` - ) + } else { + provenanceBundle = await verifyProvenance(subject, provenanceFile) } const serializedBundle = JSON.stringify(provenanceBundle) @@ -275,4 +240,49 @@ const patchMetadata = (current, newData) => { return current } +// Check that all the prereqs are met for provenance generation +const ensureProvenanceGeneration = async (registry, spec, opts) => { + // Ensure that we're running in GHA, currently the only supported build environment + if (ciInfo.name !== 'GitHub Actions') { + throw Object.assign( + new Error('Automatic provenance generation not supported outside of GitHub Actions'), + { code: 'EUSAGE' } + ) + } + + // Ensure that the GHA OIDC token is available + if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) { + throw Object.assign( + /* eslint-disable-next-line max-len */ + new Error('Provenance generation in GitHub Actions requires "write" access to the "id-token" permission'), + { code: 'EUSAGE' } + ) + } + + // Some registries (e.g. GH packages) require auth to check visibility, + // and always return 404 when no auth is supplied. In this case we assume + // the package is always private and require `--access public` to publish + // with provenance. + let visibility = { public: false } + if (true && opts.access !== 'public') { + try { + const res = await npmFetch + .json(`${registry}/-/package/${spec.escapedName}/visibility`, opts) + visibility = res + } catch (err) { + if (err.code !== 'E404') { + throw err + } + } + } + + if (!visibility.public && opts.provenance === true && opts.access !== 'public') { + throw Object.assign( + /* eslint-disable-next-line max-len */ + new Error("Can't generate provenance for new or private package, you must set `access` to public."), + { code: 'EUSAGE' } + ) + } +} + module.exports = publish diff --git a/workspaces/libnpmpublish/test/publish.js b/workspaces/libnpmpublish/test/publish.js index 4cc1199a0d6a8..5c4aa0b1742bd 100644 --- a/workspaces/libnpmpublish/test/publish.js +++ b/workspaces/libnpmpublish/test/publish.js @@ -980,3 +980,177 @@ t.test('automatic provenance with incorrect permissions', async t => { } ) }) + +t.test('user-supplied provenance - success', async t => { + const { publish } = t.mock('..', { + '../lib/provenance': t.mock('../lib/provenance', { + sigstore: { sigstore: { verify: () => {} } }, + }), + }) + + const registry = new MockRegistry({ + tap: t, + registry: opts.registry, + authorization: token, + }) + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + const spec = npa(manifest.name) + const packument = { + _id: manifest.name, + name: manifest.name, + description: manifest.description, + 'dist-tags': { + latest: '1.0.0', + }, + versions: { + '1.0.0': { + _id: `${manifest.name}@${manifest.version}`, + _nodeVersion: process.versions.node, + ...manifest, + dist: { + shasum, + integrity: integrity.sha512[0].toString(), + /* eslint-disable-next-line max-len */ + tarball: 'http://mock.reg/@npmcli/libnpmpublish-test/-/@npmcli/libnpmpublish-test-1.0.0.tgz', + }, + }, + }, + access: 'public', + _attachments: { + '@npmcli/libnpmpublish-test-1.0.0.tgz': { + content_type: 'application/octet-stream', + data: tarData.toString('base64'), + length: tarData.length, + }, + '@npmcli/libnpmpublish-test-1.0.0.sigstore': { + content_type: 'application/vnd.dev.sigstore.bundle+json;version=0.1', + data: /.*/, // Can't match against static value as signature is always different + length: 7927, + }, + }, + } + registry.nock.put(`/${spec.escapedName}`, body => { + return t.match(body, packument, 'posted packument matches expectations') + }).reply(201, {}) + const ret = await publish(manifest, tarData, { + ...opts, + provenanceFile: './test/fixtures/valid-bundle.json', + }) + t.ok(ret, 'publish succeeded') +}) + +t.test('user-supplied provenance - failure', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/bad-bundle.json', + }), + { message: /Invalid provenance provided/ } + ) +}) + +t.test('user-supplied provenance - bundle missing DSSE envelope', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/no-provenance-envelope-bundle.json', + }), + { message: /No dsseEnvelope with payload found/ } + ) +}) + +t.test('user-supplied provenance - bundle with invalid DSSE payload', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/bad-dsse-payload-bundle.json', + }), + { message: /Failed to parse payload/ } + ) +}) + +t.test('user-supplied provenance - provenance with missing subject', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/no-provenance-subject-bundle.json', + }), + { message: /No subject found/ } + ) +}) + +t.test('user-supplied provenance - provenance w/ multiple subjects', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/multi-subject-provenance-bundle.json', + }), + { message: /Found more than one subject/ } + ) +}) + +t.test('user-supplied provenance - provenance w/ mismatched subject name', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-fail-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/valid-bundle.json', + }), + { message: /Provenance subject/ } + ) +}) + +t.test('user-supplied provenance - provenance w/ mismatched package digest', async t => { + const { publish } = t.mock('..') + const manifest = { + name: '@npmcli/libnpmpublish-test', + version: '1.0.0', + description: 'test libnpmpublish package', + } + await t.rejects( + publish(manifest, Buffer.from(''), { + ...opts, + provenanceFile: './test/fixtures/digest-mismatch-provenance-bundle.json', + }), + { message: /Provenance subject digest does not match/ } + ) +})