1 files changed, 25 insertions, 1 deletions

diff --git a/deps/npm/lib/utils/tar.js b/deps/npm/lib/utils/tar.js
index 3121bb0289..192de7a26a 100644
--- a/deps/npm/lib/utils/tar.js
+++ b/deps/npm/lib/utils/tar.js
@@ -240,6 +240,7 @@ function gunzTarPerm (tarball, target, dMode, fMode, uid, gid, cb_) {
     extractOpts.gid = gid
   }
 
+  var sawIgnores = {}
   extractOpts.filter = function () {
     // symbolic links are not allowed in packages.
     if (this.type.match(/^.*Link$/)) {
@@ -248,6 +249,28 @@ function gunzTarPerm (tarball, target, dMode, fMode, uid, gid, cb_) {
               + " -> " + this.linkpath )
       return false
     }
+
+    // Note: This mirrors logic in the fs read operations that are
+    // employed during tarball creation, in the fstream-npm module.
+    // It is duplicated here to handle tarballs that are created
+    // using other means, such as system tar or git archive.
+    if (this.type === "File") {
+      var base = path.basename(this.path)
+      if (base === ".npmignore") {
+        sawIgnores[ this.path ] = true
+      } else if (base === ".gitignore") {
+        var npmignore = this.path.replace(/\.gitignore$/, ".npmignore")
+        if (sawIgnores[npmignore]) {
+          // Skip this one, already seen.
+          return false
+        } else {
+          // Rename, may be clobbered later.
+          this.path = npmignore
+          this._path = npmignore
+        }
+      }
+    }
+
     return true
   }
 
@@ -277,7 +300,8 @@ function gunzTarPerm (tarball, target, dMode, fMode, uid, gid, cb_) {
           cb(er)
         })
         .on("close", cb)
-    } else if (c.toString().match(/^package\//)) {
+    } else if (c.toString().match(/^package\//) ||
+               c.toString().match(/^pax_global_header/)) {
       // naked tar
       fst
         .pipe(tar.Extract(extractOpts))