diff options
Diffstat (limited to 'deps/npm/node_modules/npm-registry-client/node_modules/ssri')
5 files changed, 0 insertions, 1228 deletions
diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md deleted file mode 100644 index 5c06894881..0000000000 --- a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md +++ /dev/null @@ -1,256 +0,0 @@ -# Change Log - -All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. - -<a name="5.3.0"></a> -# [5.3.0](https://github.com/zkat/ssri/compare/v5.2.4...v5.3.0) (2018-03-13) - - -### Features - -* **checkData:** optionally throw when checkData fails ([bf26b84](https://github.com/zkat/ssri/commit/bf26b84)) - - - -<a name="5.2.4"></a> -## [5.2.4](https://github.com/zkat/ssri/compare/v5.2.3...v5.2.4) (2018-02-16) - - - -<a name="5.2.3"></a> -## [5.2.3](https://github.com/zkat/ssri/compare/v5.2.2...v5.2.3) (2018-02-16) - - -### Bug Fixes - -* **hashes:** filter hash priority list by available hashes ([2fa30b8](https://github.com/zkat/ssri/commit/2fa30b8)) -* **integrityStream:** dedupe algorithms to generate ([d56c654](https://github.com/zkat/ssri/commit/d56c654)) - - - -<a name="5.2.2"></a> -## [5.2.2](https://github.com/zkat/ssri/compare/v5.2.1...v5.2.2) (2018-02-14) - - -### Bug Fixes - -* **security:** tweak strict SRI regex ([#10](https://github.com/zkat/ssri/issues/10)) ([d0ebcdc](https://github.com/zkat/ssri/commit/d0ebcdc)) - - - -<a name="5.2.1"></a> -## [5.2.1](https://github.com/zkat/ssri/compare/v5.2.0...v5.2.1) (2018-02-06) - - - -<a name="5.2.0"></a> -# [5.2.0](https://github.com/zkat/ssri/compare/v5.1.0...v5.2.0) (2018-02-06) - - -### Features - -* **match:** add integrity.match() ([3c49cc4](https://github.com/zkat/ssri/commit/3c49cc4)) - - - -<a name="5.1.0"></a> -# [5.1.0](https://github.com/zkat/ssri/compare/v5.0.0...v5.1.0) (2018-01-18) - - -### Bug Fixes - -* **checkStream:** integrityStream now takes opts.integrity algos into account ([d262910](https://github.com/zkat/ssri/commit/d262910)) - - -### Features - -* **sha3:** do some guesswork about upcoming sha3 ([7fdd9df](https://github.com/zkat/ssri/commit/7fdd9df)) - - - -<a name="5.0.0"></a> -# [5.0.0](https://github.com/zkat/ssri/compare/v4.1.6...v5.0.0) (2017-10-23) - - -### Features - -* **license:** relicense to ISC (#9) ([c82983a](https://github.com/zkat/ssri/commit/c82983a)) - - -### BREAKING CHANGES - -* **license:** the license has been changed from CC0-1.0 to ISC. - - - -<a name="4.1.6"></a> -## [4.1.6](https://github.com/zkat/ssri/compare/v4.1.5...v4.1.6) (2017-06-07) - - -### Bug Fixes - -* **checkStream:** make sure to pass all opts through ([0b1bcbe](https://github.com/zkat/ssri/commit/0b1bcbe)) - - - -<a name="4.1.5"></a> -## [4.1.5](https://github.com/zkat/ssri/compare/v4.1.4...v4.1.5) (2017-06-05) - - -### Bug Fixes - -* **integrityStream:** stop crashing if opts.algorithms and opts.integrity have an algo mismatch ([fb1293e](https://github.com/zkat/ssri/commit/fb1293e)) - - - -<a name="4.1.4"></a> -## [4.1.4](https://github.com/zkat/ssri/compare/v4.1.3...v4.1.4) (2017-05-31) - - -### Bug Fixes - -* **node:** older versions of node[@4](https://github.com/4) do not support base64buffer string parsing ([513df4e](https://github.com/zkat/ssri/commit/513df4e)) - - - -<a name="4.1.3"></a> -## [4.1.3](https://github.com/zkat/ssri/compare/v4.1.2...v4.1.3) (2017-05-24) - - -### Bug Fixes - -* **check:** handle various bad hash corner cases better ([c2c262b](https://github.com/zkat/ssri/commit/c2c262b)) - - - -<a name="4.1.2"></a> -## [4.1.2](https://github.com/zkat/ssri/compare/v4.1.1...v4.1.2) (2017-04-18) - - -### Bug Fixes - -* **stream:** _flush can be called multiple times. use on("end") ([b1c4805](https://github.com/zkat/ssri/commit/b1c4805)) - - - -<a name="4.1.1"></a> -## [4.1.1](https://github.com/zkat/ssri/compare/v4.1.0...v4.1.1) (2017-04-12) - - -### Bug Fixes - -* **pickAlgorithm:** error if pickAlgorithm() is used in an empty Integrity ([fab470e](https://github.com/zkat/ssri/commit/fab470e)) - - - -<a name="4.1.0"></a> -# [4.1.0](https://github.com/zkat/ssri/compare/v4.0.0...v4.1.0) (2017-04-07) - - -### Features - -* adding ssri.create for a crypto style interface (#2) ([96f52ad](https://github.com/zkat/ssri/commit/96f52ad)) - - - -<a name="4.0.0"></a> -# [4.0.0](https://github.com/zkat/ssri/compare/v3.0.2...v4.0.0) (2017-04-03) - - -### Bug Fixes - -* **integrity:** should have changed the error code before. oops ([8381afa](https://github.com/zkat/ssri/commit/8381afa)) - - -### BREAKING CHANGES - -* **integrity:** EBADCHECKSUM -> EINTEGRITY for verification errors - - - -<a name="3.0.2"></a> -## [3.0.2](https://github.com/zkat/ssri/compare/v3.0.1...v3.0.2) (2017-04-03) - - - -<a name="3.0.1"></a> -## [3.0.1](https://github.com/zkat/ssri/compare/v3.0.0...v3.0.1) (2017-04-03) - - -### Bug Fixes - -* **package.json:** really should have these in the keywords because search ([a6ac6d0](https://github.com/zkat/ssri/commit/a6ac6d0)) - - - -<a name="3.0.0"></a> -# [3.0.0](https://github.com/zkat/ssri/compare/v2.0.0...v3.0.0) (2017-04-03) - - -### Bug Fixes - -* **hashes:** IntegrityMetadata -> Hash ([d04aa1f](https://github.com/zkat/ssri/commit/d04aa1f)) - - -### Features - -* **check:** return IntegrityMetadata on check success ([2301e74](https://github.com/zkat/ssri/commit/2301e74)) -* **fromHex:** ssri.fromHex to make it easier to generate them from hex valus ([049b89e](https://github.com/zkat/ssri/commit/049b89e)) -* **hex:** utility function for getting hex version of digest ([a9f021c](https://github.com/zkat/ssri/commit/a9f021c)) -* **hexDigest:** added hexDigest method to Integrity objects too ([85208ba](https://github.com/zkat/ssri/commit/85208ba)) -* **integrity:** add .isIntegrity and .isIntegrityMetadata ([1b29e6f](https://github.com/zkat/ssri/commit/1b29e6f)) -* **integrityStream:** new stream that can both generate and check streamed data ([fd23e1b](https://github.com/zkat/ssri/commit/fd23e1b)) -* **parse:** allow parsing straight into a single IntegrityMetadata object ([c8ddf48](https://github.com/zkat/ssri/commit/c8ddf48)) -* **pickAlgorithm:** Intergrity#pickAlgorithm() added ([b97a796](https://github.com/zkat/ssri/commit/b97a796)) -* **size:** calculate and update stream sizes ([02ed1ad](https://github.com/zkat/ssri/commit/02ed1ad)) - - -### BREAKING CHANGES - -* **hashes:** `.isIntegrityMetadata` is now `.isHash`. Also, any references to `IntegrityMetadata` now refer to `Hash`. -* **integrityStream:** createCheckerStream has been removed and replaced with a general-purpose integrityStream. - -To convert existing createCheckerStream code, move the `sri` argument into `opts.integrity` in integrityStream. All other options should be the same. -* **check:** `checkData`, `checkStream`, and `createCheckerStream` now yield a whole IntegrityMetadata instance representing the first successful hash match. - - - -<a name="2.0.0"></a> -# [2.0.0](https://github.com/zkat/ssri/compare/v1.0.0...v2.0.0) (2017-03-24) - - -### Bug Fixes - -* **strict-mode:** make regexes more rigid ([122a32c](https://github.com/zkat/ssri/commit/122a32c)) - - -### Features - -* **api:** added serialize alias for unparse ([999b421](https://github.com/zkat/ssri/commit/999b421)) -* **concat:** add Integrity#concat() ([cae12c7](https://github.com/zkat/ssri/commit/cae12c7)) -* **pickAlgo:** pick the strongest algorithm provided, by default ([58c18f7](https://github.com/zkat/ssri/commit/58c18f7)) -* **strict-mode:** strict SRI support ([3f0b64c](https://github.com/zkat/ssri/commit/3f0b64c)) -* **stringify:** replaced unparse/serialize with stringify ([4acad30](https://github.com/zkat/ssri/commit/4acad30)) -* **verification:** add opts.pickAlgorithm ([f72e658](https://github.com/zkat/ssri/commit/f72e658)) - - -### BREAKING CHANGES - -* **pickAlgo:** ssri will prioritize specific hashes now -* **stringify:** serialize and unparse have been removed. Use ssri.stringify instead. -* **strict-mode:** functions that accepted an optional `sep` argument now expect `opts.sep`. - - - -<a name="1.0.0"></a> -# 1.0.0 (2017-03-23) - - -### Features - -* **api:** implemented initial api ([4fbb16b](https://github.com/zkat/ssri/commit/4fbb16b)) - - -### BREAKING CHANGES - -* **api:** Initial API established. diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md deleted file mode 100644 index 8d28acf866..0000000000 --- a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md +++ /dev/null @@ -1,16 +0,0 @@ -ISC License - -Copyright (c) npm, Inc. - -Permission to use, copy, modify, and/or distribute this software for -any purpose with or without fee is hereby granted, provided that the -above copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS -ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE -COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR -CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS -OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE -USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md deleted file mode 100644 index a6c07e7409..0000000000 --- a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md +++ /dev/null @@ -1,488 +0,0 @@ -# ssri [](https://npm.im/ssri) [](https://npm.im/ssri) [](https://travis-ci.org/zkat/ssri) [](https://ci.appveyor.com/project/zkat/ssri) [](https://coveralls.io/github/zkat/ssri?branch=latest) - -[`ssri`](https://github.com/zkat/ssri), short for Standard Subresource -Integrity, is a Node.js utility for parsing, manipulating, serializing, -generating, and verifying [Subresource -Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes. - -## Install - -`$ npm install --save ssri` - -## Table of Contents - -* [Example](#example) -* [Features](#features) -* [Contributing](#contributing) -* [API](#api) - * Parsing & Serializing - * [`parse`](#parse) - * [`stringify`](#stringify) - * [`Integrity#concat`](#integrity-concat) - * [`Integrity#toString`](#integrity-to-string) - * [`Integrity#toJSON`](#integrity-to-json) - * [`Integrity#match`](#integrity-match) - * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm) - * [`Integrity#hexDigest`](#integrity-hex-digest) - * Integrity Generation - * [`fromHex`](#from-hex) - * [`fromData`](#from-data) - * [`fromStream`](#from-stream) - * [`create`](#create) - * Integrity Verification - * [`checkData`](#check-data) - * [`checkStream`](#check-stream) - * [`integrityStream`](#integrity-stream) - -### Example - -```javascript -const ssri = require('ssri') - -const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' - -// Parsing and serializing -const parsed = ssri.parse(integrity) -ssri.stringify(parsed) // === integrity (works on non-Integrity objects) -parsed.toString() // === integrity - -// Async stream functions -ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...) -ssri.fromStream(fs.createReadStream('./my-file')).then(sri => { - sri.toString() === integrity -}) -fs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri)) - -// Sync data functions -ssri.fromData(fs.readFileSync('./my-file')) // === parsed -ssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512' -``` - -### Features - -* Parses and stringifies SRI strings. -* Generates SRI strings from raw data or Streams. -* Strict standard compliance. -* `?foo` metadata option support. -* Multiple entries for the same algorithm. -* Object-based integrity hash manipulation. -* Small footprint: no dependencies, concise implementation. -* Full test coverage. -* Customizable algorithm picker. - -### Contributing - -The ssri team enthusiastically welcomes contributions and project participation! -There's a bunch of things you can do if you want to contribute! The [Contributor -Guide](CONTRIBUTING.md) has all the information you need for everything from -reporting bugs to contributing entire new features. Please don't hesitate to -jump in if you'd like to, or even ask us questions if something isn't clear. - -### API - -#### <a name="parse"></a> `> ssri.parse(sri, [opts]) -> Integrity` - -Parses `sri` into an `Integrity` data structure. `sri` can be an integrity -string, an `Hash`-like with `digest` and `algorithm` fields and an optional -`options` field, or an `Integrity`-like object. The resulting object will be an -`Integrity` instance that has this shape: - -```javascript -{ - 'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}], - 'sha512': [ - {algorithm: 'sha512', digest: 'c0ffee', options: []}, - {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']} - ], -} -``` - -If `opts.single` is truthy, a single `Hash` object will be returned. That is, a -single object that looks like `{algorithm, digest, options}`, as opposed to a -larger object with multiple of these. - -If `opts.strict` is truthy, the resulting object will be filtered such that -it strictly follows the Subresource Integrity spec, throwing away any entries -with any invalid components. This also means a restricted set of algorithms -will be used -- the spec limits them to `sha256`, `sha384`, and `sha512`. - -Strict mode is recommended if the integrity strings are intended for use in -browsers, or in other situations where strict adherence to the spec is needed. - -##### Example - -```javascript -ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object -``` - -#### <a name="stringify"></a> `> ssri.stringify(sri, [opts]) -> String` - -This function is identical to [`Integrity#toString()`](#integrity-to-string), -except it can be used on _any_ object that [`parse`](#parse) can handle -- that -is, a string, an `Hash`-like, or an `Integrity`-like. - -The `opts.sep` option defines the string to use when joining multiple entries -together. To be spec-compliant, this _must_ be whitespace. The default is a -single space (`' '`). - -If `opts.strict` is true, the integrity string will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -// Useful for cleaning up input SRI strings: -ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar') -// -> 'sha512-foo sha384-bar' - -// Hash-like: only a single entry. -ssri.stringify({ - algorithm: 'sha512', - digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', - options: ['foo'] -}) -// -> -// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' - -// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse` -ssri.stringify({ - 'sha512': [ - { - algorithm: 'sha512', - digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', - options: ['foo'] - } - ] -}) -// -> -// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' -``` - -#### <a name="integrity-concat"></a> `> Integrity#concat(otherIntegrity, [opts]) -> Integrity` - -Concatenates an `Integrity` object with another IntegrityLike, or an integrity -string. - -This is functionally equivalent to concatenating the string format of both -integrity arguments, and calling [`ssri.parse`](#ssri-parse) on the new string. - -If `opts.strict` is true, the new `Integrity` will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -// This will combine the integrity checks for two different versions of -// your index.js file so you can use a single integrity string and serve -// either of these to clients, from a single `<script>` tag. -const desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js')) -const mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js')) - -// Note that browsers (and ssri) will succeed as long as ONE of the entries -// for the *prioritized* algorithm succeeds. That is, in order for this fallback -// to work, both desktop and mobile *must* use the same `algorithm` values. -desktopIntegrity.concat(mobileIntegrity) -``` - -#### <a name="integrity-to-string"></a> `> Integrity#toString([opts]) -> String` - -Returns the string representation of an `Integrity` object. All hash entries -will be concatenated in the string by `opts.sep`, which defaults to `' '`. - -If you want to serialize an object that didn't from from an `ssri` function, -use [`ssri.stringify()`](#stringify). - -If `opts.strict` is true, the integrity string will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' - -ssri.parse(integrity).toString() === integrity -``` - -#### <a name="integrity-to-json"></a> `> Integrity#toJSON() -> String` - -Returns the string representation of an `Integrity` object. All hash entries -will be concatenated in the string by `' '`. - -This is a convenience method so you can pass an `Integrity` object directly to `JSON.stringify`. -For more info check out [toJSON() behavior on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#toJSON%28%29_behavior). - -##### Example - -```javascript -const integrity = '"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo"' - -JSON.stringify(ssri.parse(integrity)) === integrity -``` - -#### <a name="integrity-match"></a> `> Integrity#match(sri, [opts]) -> Hash | false` - -Returns the matching (truthy) hash if `Integrity` matches the argument passed as -`sri`, which can be anything that [`parse`](#parse) will accept. `opts` will be -passed through to `parse` and [`pickAlgorithm()`](#integrity-pick-algorithm). - -##### Example - -```javascript -const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==' - -ssri.parse(integrity).match(integrity) -// Hash { -// digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==' -// algorithm: 'sha512' -// } - -ssri.parse(integrity).match('sha1-deadbeef') -// false -``` - -#### <a name="integrity-pick-algorithm"></a> `> Integrity#pickAlgorithm([opts]) -> String` - -Returns the "best" algorithm from those available in the integrity object. - -If `opts.pickAlgorithm` is provided, it will be passed two algorithms as -arguments. ssri will prioritize whichever of the two algorithms is returned by -this function. Note that the function may be called multiple times, and it -**must** return one of the two algorithms provided. By default, ssri will make -a best-effort to pick the strongest/most reliable of the given algorithms. It -may intentionally deprioritize algorithms with known vulnerabilities. - -##### Example - -```javascript -ssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512 -``` - -#### <a name="integrity-hex-digest"></a> `> Integrity#hexDigest() -> String` - -`Integrity` is assumed to be either a single-hash `Integrity` instance, or a -`Hash` instance. Returns its `digest`, converted to a hex representation of the -base64 data. - -##### Example - -```javascript -ssri.parse('sha1-deadbeef').hexDigest() // '75e69d6de79f' -``` - -#### <a name="from-hex"></a> `> ssri.fromHex(hexDigest, algorithm, [opts]) -> Integrity` - -Creates an `Integrity` object with a single entry, based on a hex-formatted -hash. This is a utility function to help convert existing shasums to the -Integrity format, and is roughly equivalent to something like: - -```javascript -algorithm + '-' + Buffer.from(hexDigest, 'hex').toString('base64') -``` - -`opts.options` may optionally be passed in: it must be an array of option -strings that will be added to all generated integrity hashes generated by -`fromData`. This is a loosely-specified feature of SRIs, and currently has no -specified semantics besides being `?`-separated. Use at your own risk, and -probably avoid if your integrity strings are meant to be used with browsers. - -If `opts.strict` is true, the integrity object will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -If `opts.single` is true, a single `Hash` object will be returned. - -##### Example - -```javascript -ssri.fromHex('75e69d6de79f', 'sha1').toString() // 'sha1-deadbeef' -``` - -#### <a name="from-data"></a> `> ssri.fromData(data, [opts]) -> Integrity` - -Creates an `Integrity` object from either string or `Buffer` data, calculating -all the requested hashes and adding any specified options to the object. - -`opts.algorithms` determines which algorithms to generate hashes for. All -results will be included in a single `Integrity` object. The default value for -`opts.algorithms` is `['sha512']`. All algorithm strings must be hashes listed -in `crypto.getHashes()` for the host Node.js platform. - -`opts.options` may optionally be passed in: it must be an array of option -strings that will be added to all generated integrity hashes generated by -`fromData`. This is a loosely-specified feature of SRIs, and currently has no -specified semantics besides being `?`-separated. Use at your own risk, and -probably avoid if your integrity strings are meant to be used with browsers. - -If `opts.strict` is true, the integrity object will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -const integrityObj = ssri.fromData('foobarbaz', { - algorithms: ['sha256', 'sha384', 'sha512'] -}) -integrity.toString('\n') -// -> -// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0= -// sha384-irnCxQ0CfQhYGlVAUdwTPC9bF3+YWLxlaDGM4xbYminxpbXEq+D+2GCEBTxcjES9 -// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== -``` - -#### <a name="from-stream"></a> `> ssri.fromStream(stream, [opts]) -> Promise<Integrity>` - -Returns a Promise of an Integrity object calculated by reading data from -a given `stream`. - -It accepts both `opts.algorithms` and `opts.options`, which are documented as -part of [`ssri.fromData`](#from-data). - -Additionally, `opts.Promise` may be passed in to inject a Promise library of -choice. By default, ssri will use Node's built-in Promises. - -If `opts.strict` is true, the integrity object will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -ssri.fromStream(fs.createReadStream('index.js'), { - algorithms: ['sha1', 'sha512'] -}).then(integrity => { - return ssri.checkStream(fs.createReadStream('index.js'), integrity) -}) // succeeds -``` - -#### <a name="create"></a> `> ssri.create([opts]) -> <Hash>` - -Returns a Hash object with `update(<Buffer or string>[,enc])` and `digest()` methods. - - -The Hash object provides the same methods as [crypto class Hash](https://nodejs.org/dist/latest-v6.x/docs/api/crypto.html#crypto_class_hash). -`digest()` accepts no arguments and returns an Integrity object calculated by reading data from -calls to update. - -It accepts both `opts.algorithms` and `opts.options`, which are documented as -part of [`ssri.fromData`](#from-data). - -If `opts.strict` is true, the integrity object will be created using strict -parsing rules. See [`ssri.parse`](#parse). - -##### Example - -```javascript -const integrity = ssri.create().update('foobarbaz').digest() -integrity.toString() -// -> -// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== -``` - -#### <a name="check-data"></a> `> ssri.checkData(data, sri, [opts]) -> Hash|false` - -Verifies `data` integrity against an `sri` argument. `data` may be either a -`String` or a `Buffer`, and `sri` can be any subresource integrity -representation that [`ssri.parse`](#parse) can handle. - -If verification succeeds, `checkData` will return the name of the algorithm that -was used for verification (a truthy value). Otherwise, it will return `false`. - -If `opts.pickAlgorithm` is provided, it will be used by -[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of -the available digests to match against. - -If `opts.error` is true, and verification fails, `checkData` will throw either -an `EBADSIZE` or an `EINTEGRITY` error, instead of just returning false. - -##### Example - -```javascript -const data = fs.readFileSync('index.js') -ssri.checkData(data, ssri.fromData(data)) // -> 'sha512' -ssri.checkData(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0') -ssri.checkData(data, 'sha1-BaDDigEST') // -> false -ssri.checkData(data, 'sha1-BaDDigEST', {error: true}) // -> Error! EINTEGRITY -``` - -#### <a name="check-stream"></a> `> ssri.checkStream(stream, sri, [opts]) -> Promise<Hash>` - -Verifies the contents of `stream` against an `sri` argument. `stream` will be -consumed in its entirety by this process. `sri` can be any subresource integrity -representation that [`ssri.parse`](#parse) can handle. - -`checkStream` will return a Promise that either resolves to the -`Hash` that succeeded verification, or, if the verification fails -or an error happens with `stream`, the Promise will be rejected. - -If the Promise is rejected because verification failed, the returned error will -have `err.code` as `EINTEGRITY`. - -If `opts.size` is given, it will be matched against the stream size. An error -with `err.code` `EBADSIZE` will be returned by a rejection if the expected size -and actual size fail to match. - -If `opts.pickAlgorithm` is provided, it will be used by -[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of -the available digests to match against. - -##### Example - -```javascript -const integrity = ssri.fromData(fs.readFileSync('index.js')) - -ssri.checkStream( - fs.createReadStream('index.js'), - integrity -) -// -> -// Promise<{ -// algorithm: 'sha512', -// digest: 'sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1' -// }> - -ssri.checkStream( - fs.createReadStream('index.js'), - 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0' -) // -> Promise<Hash> - -ssri.checkStream( - fs.createReadStream('index.js'), - 'sha1-BaDDigEST' -) // -> Promise<Error<{code: 'EINTEGRITY'}>> -``` - -#### <a name="integrity-stream"></a> `> integrityStream([opts]) -> IntegrityStream` - -Returns a `Transform` stream that data can be piped through in order to generate -and optionally check data integrity for piped data. When the stream completes -successfully, it emits `size` and `integrity` events, containing the total -number of bytes processed and a calculated `Integrity` instance based on stream -data, respectively. - -If `opts.algorithms` is passed in, the listed algorithms will be calculated when -generating the final `Integrity` instance. The default is `['sha512']`. - -If `opts.single` is passed in, a single `Hash` instance will be returned. - -If `opts.integrity` is passed in, it should be an `integrity` value understood -by [`parse`](#parse) that the stream will check the data against. If -verification succeeds, the integrity stream will emit a `verified` event whose -value is a single `Hash` object that is the one that succeeded verification. If -verification fails, the stream will error with an `EINTEGRITY` error code. - -If `opts.size` is given, it will be matched against the stream size. An error -with `err.code` `EBADSIZE` will be emitted by the stream if the expected size -and actual size fail to match. - -If `opts.pickAlgorithm` is provided, it will be passed two algorithms as -arguments. ssri will prioritize whichever of the two algorithms is returned by -this function. Note that the function may be called multiple times, and it -**must** return one of the two algorithms provided. By default, ssri will make -a best-effort to pick the strongest/most reliable of the given algorithms. It -may intentionally deprioritize algorithms with known vulnerabilities. - -##### Example - -```javascript -const integrity = ssri.fromData(fs.readFileSync('index.js')) -fs.createReadStream('index.js') -.pipe(ssri.integrityStream({integrity})) -``` diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js deleted file mode 100644 index ff7881f7cb..0000000000 --- a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js +++ /dev/null @@ -1,379 +0,0 @@ -'use strict' - -const Buffer = require('safe-buffer').Buffer - -const crypto = require('crypto') -const Transform = require('stream').Transform - -const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512'] - -const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i -const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/ -const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/ -const VCHAR_REGEX = /^[\x21-\x7E]+$/ - -class Hash { - get isHash () { return true } - constructor (hash, opts) { - const strict = !!(opts && opts.strict) - this.source = hash.trim() - // 3.1. Integrity metadata (called "Hash" by ssri) - // https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description - const match = this.source.match( - strict - ? STRICT_SRI_REGEX - : SRI_REGEX - ) - if (!match) { return } - if (strict && !SPEC_ALGORITHMS.some(a => a === match[1])) { return } - this.algorithm = match[1] - this.digest = match[2] - - const rawOpts = match[3] - this.options = rawOpts ? rawOpts.slice(1).split('?') : [] - } - hexDigest () { - return this.digest && Buffer.from(this.digest, 'base64').toString('hex') - } - toJSON () { - return this.toString() - } - toString (opts) { - if (opts && opts.strict) { - // Strict mode enforces the standard as close to the foot of the - // letter as it can. - if (!( - // The spec has very restricted productions for algorithms. - // https://www.w3.org/TR/CSP2/#source-list-syntax - SPEC_ALGORITHMS.some(x => x === this.algorithm) && - // Usually, if someone insists on using a "different" base64, we - // leave it as-is, since there's multiple standards, and the - // specified is not a URL-safe variant. - // https://www.w3.org/TR/CSP2/#base64_value - this.digest.match(BASE64_REGEX) && - // Option syntax is strictly visual chars. - // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression - // https://tools.ietf.org/html/rfc5234#appendix-B.1 - (this.options || []).every(opt => opt.match(VCHAR_REGEX)) - )) { - return '' - } - } - const options = this.options && this.options.length - ? `?${this.options.join('?')}` - : '' - return `${this.algorithm}-${this.digest}${options}` - } -} - -class Integrity { - get isIntegrity () { return true } - toJSON () { - return this.toString() - } - toString (opts) { - opts = opts || {} - let sep = opts.sep || ' ' - if (opts.strict) { - // Entries must be separated by whitespace, according to spec. - sep = sep.replace(/\S+/g, ' ') - } - return Object.keys(this).map(k => { - return this[k].map(hash => { - return Hash.prototype.toString.call(hash, opts) - }).filter(x => x.length).join(sep) - }).filter(x => x.length).join(sep) - } - concat (integrity, opts) { - const other = typeof integrity === 'string' - ? integrity - : stringify(integrity, opts) - return parse(`${this.toString(opts)} ${other}`, opts) - } - hexDigest () { - return parse(this, {single: true}).hexDigest() - } - match (integrity, opts) { - const other = parse(integrity, opts) - const algo = other.pickAlgorithm(opts) - return ( - this[algo] && - other[algo] && - this[algo].find(hash => - other[algo].find(otherhash => - hash.digest === otherhash.digest - ) - ) - ) || false - } - pickAlgorithm (opts) { - const pickAlgorithm = (opts && opts.pickAlgorithm) || getPrioritizedHash - const keys = Object.keys(this) - if (!keys.length) { - throw new Error(`No algorithms available for ${ - JSON.stringify(this.toString()) - }`) - } - return keys.reduce((acc, algo) => { - return pickAlgorithm(acc, algo) || acc - }) - } -} - -module.exports.parse = parse -function parse (sri, opts) { - opts = opts || {} - if (typeof sri === 'string') { - return _parse(sri, opts) - } else if (sri.algorithm && sri.digest) { - const fullSri = new Integrity() - fullSri[sri.algorithm] = [sri] - return _parse(stringify(fullSri, opts), opts) - } else { - return _parse(stringify(sri, opts), opts) - } -} - -function _parse (integrity, opts) { - // 3.4.3. Parse metadata - // https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata - if (opts.single) { - return new Hash(integrity, opts) - } - return integrity.trim().split(/\s+/).reduce((acc, string) => { - const hash = new Hash(string, opts) - if (hash.algorithm && hash.digest) { - const algo = hash.algorithm - if (!acc[algo]) { acc[algo] = [] } - acc[algo].push(hash) - } - return acc - }, new Integrity()) -} - -module.exports.stringify = stringify -function stringify (obj, opts) { - if (obj.algorithm && obj.digest) { - return Hash.prototype.toString.call(obj, opts) - } else if (typeof obj === 'string') { - return stringify(parse(obj, opts), opts) - } else { - return Integrity.prototype.toString.call(obj, opts) - } -} - -module.exports.fromHex = fromHex -function fromHex (hexDigest, algorithm, opts) { - const optString = (opts && opts.options && opts.options.length) - ? `?${opts.options.join('?')}` - : '' - return parse( - `${algorithm}-${ - Buffer.from(hexDigest, 'hex').toString('base64') - }${optString}`, opts - ) -} - -module.exports.fromData = fromData -function fromData (data, opts) { - opts = opts || {} - const algorithms = opts.algorithms || ['sha512'] - const optString = opts.options && opts.options.length - ? `?${opts.options.join('?')}` - : '' - return algorithms.reduce((acc, algo) => { - const digest = crypto.createHash(algo).update(data).digest('base64') - const hash = new Hash( - `${algo}-${digest}${optString}`, - opts - ) - if (hash.algorithm && hash.digest) { - const algo = hash.algorithm - if (!acc[algo]) { acc[algo] = [] } - acc[algo].push(hash) - } - return acc - }, new Integrity()) -} - -module.exports.fromStream = fromStream -function fromStream (stream, opts) { - opts = opts || {} - const P = opts.Promise || Promise - const istream = integrityStream(opts) - return new P((resolve, reject) => { - stream.pipe(istream) - stream.on('error', reject) - istream.on('error', reject) - let sri - istream.on('integrity', s => { sri = s }) - istream.on('end', () => resolve(sri)) - istream.on('data', () => {}) - }) -} - -module.exports.checkData = checkData -function checkData (data, sri, opts) { - opts = opts || {} - sri = parse(sri, opts) - if (!Object.keys(sri).length) { - if (opts.error) { - throw Object.assign( - new Error('No valid integrity hashes to check against'), { - code: 'EINTEGRITY' - } - ) - } else { - return false - } - } - const algorithm = sri.pickAlgorithm(opts) - const digest = crypto.createHash(algorithm).update(data).digest('base64') - const newSri = parse({algorithm, digest}) - const match = newSri.match(sri, opts) - if (match || !opts.error) { - return match - } else if (typeof opts.size === 'number' && (data.length !== opts.size)) { - const err = new Error(`data size mismatch when checking ${sri}.\n Wanted: ${opts.size}\n Found: ${data.length}`) - err.code = 'EBADSIZE' - err.found = data.length - err.expected = opts.size - err.sri = sri - throw err - } else { - const err = new Error(`Integrity checksum failed when using ${algorithm}: Wanted ${sri}, but got ${newSri}. (${data.length} bytes)`) - err.code = 'EINTEGRITY' - err.found = newSri - err.expected = sri - err.algorithm = algorithm - err.sri = sri - throw err - } -} - -module.exports.checkStream = checkStream -function checkStream (stream, sri, opts) { - opts = opts || {} - const P = opts.Promise || Promise - const checker = integrityStream(Object.assign({}, opts, { - integrity: sri - })) - return new P((resolve, reject) => { - stream.pipe(checker) - stream.on('error', reject) - checker.on('error', reject) - let sri - checker.on('verified', s => { sri = s }) - checker.on('end', () => resolve(sri)) - checker.on('data', () => {}) - }) -} - -module.exports.integrityStream = integrityStream -function integrityStream (opts) { - opts = opts || {} - // For verification - const sri = opts.integrity && parse(opts.integrity, opts) - const goodSri = sri && Object.keys(sri).length - const algorithm = goodSri && sri.pickAlgorithm(opts) - const digests = goodSri && sri[algorithm] - // Calculating stream - const algorithms = Array.from( - new Set( - (opts.algorithms || ['sha512']) - .concat(algorithm ? [algorithm] : []) - ) - ) - const hashes = algorithms.map(crypto.createHash) - let streamSize = 0 - const stream = new Transform({ - transform (chunk, enc, cb) { - streamSize += chunk.length - hashes.forEach(h => h.update(chunk, enc)) - cb(null, chunk, enc) - } - }).on('end', () => { - const optString = (opts.options && opts.options.length) - ? `?${opts.options.join('?')}` - : '' - const newSri = parse(hashes.map((h, i) => { - return `${algorithms[i]}-${h.digest('base64')}${optString}` - }).join(' '), opts) - // Integrity verification mode - const match = goodSri && newSri.match(sri, opts) - if (typeof opts.size === 'number' && streamSize !== opts.size) { - const err = new Error(`stream size mismatch when checking ${sri}.\n Wanted: ${opts.size}\n Found: ${streamSize}`) - err.code = 'EBADSIZE' - err.found = streamSize - err.expected = opts.size - err.sri = sri - stream.emit('error', err) - } else if (opts.integrity && !match) { - const err = new Error(`${sri} integrity checksum failed when using ${algorithm}: wanted ${digests} but got ${newSri}. (${streamSize} bytes)`) - err.code = 'EINTEGRITY' - err.found = newSri - err.expected = digests - err.algorithm = algorithm - err.sri = sri - stream.emit('error', err) - } else { - stream.emit('size', streamSize) - stream.emit('integrity', newSri) - match && stream.emit('verified', match) - } - }) - return stream -} - -module.exports.create = createIntegrity -function createIntegrity (opts) { - opts = opts || {} - const algorithms = opts.algorithms || ['sha512'] - const optString = opts.options && opts.options.length - ? `?${opts.options.join('?')}` - : '' - - const hashes = algorithms.map(crypto.createHash) - - return { - update: function (chunk, enc) { - hashes.forEach(h => h.update(chunk, enc)) - return this - }, - digest: function (enc) { - const integrity = algorithms.reduce((acc, algo) => { - const digest = hashes.shift().digest('base64') - const hash = new Hash( - `${algo}-${digest}${optString}`, - opts - ) - if (hash.algorithm && hash.digest) { - const algo = hash.algorithm - if (!acc[algo]) { acc[algo] = [] } - acc[algo].push(hash) - } - return acc - }, new Integrity()) - - return integrity - } - } -} - -const NODE_HASHES = new Set(crypto.getHashes()) - -// This is a Best Effort™ at a reasonable priority for hash algos -const DEFAULT_PRIORITY = [ - 'md5', 'whirlpool', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', - // TODO - it's unclear _which_ of these Node will actually use as its name - // for the algorithm, so we guesswork it based on the OpenSSL names. - 'sha3', - 'sha3-256', 'sha3-384', 'sha3-512', - 'sha3_256', 'sha3_384', 'sha3_512' -].filter(algo => NODE_HASHES.has(algo)) - -function getPrioritizedHash (algo1, algo2) { - return DEFAULT_PRIORITY.indexOf(algo1.toLowerCase()) >= DEFAULT_PRIORITY.indexOf(algo2.toLowerCase()) - ? algo1 - : algo2 -} diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json deleted file mode 100644 index 182bdf10fa..0000000000 --- a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "_from": "ssri@^5.2.4", - "_id": "ssri@5.3.0", - "_inBundle": false, - "_integrity": "sha512-XRSIPqLij52MtgoQavH/x/dU1qVKtWUAAZeOHsR9c2Ddi4XerFy3mc1alf+dLJKl9EUIm/Ht+EowFkTUOA6GAQ==", - "_location": "/npm-registry-client/ssri", - "_phantomChildren": {}, - "_requested": { - "type": "range", - "registry": true, - "raw": "ssri@^5.2.4", - "name": "ssri", - "escapedName": "ssri", - "rawSpec": "^5.2.4", - "saveSpec": null, - "fetchSpec": "^5.2.4" - }, - "_requiredBy": [ - "/npm-registry-client" - ], - "_resolved": "https://registry.npmjs.org/ssri/-/ssri-5.3.0.tgz", - "_shasum": "ba3872c9c6d33a0704a7d71ff045e5ec48999d06", - "_spec": "ssri@^5.2.4", - "_where": "/Users/rebecca/code/npm/node_modules/npm-registry-client", - "author": { - "name": "Kat Marchán", - "email": "kzm@sykosomatic.org" - }, - "bugs": { - "url": "https://github.com/zkat/ssri/issues" - }, - "bundleDependencies": false, - "config": { - "nyc": { - "exclude": [ - "node_modules/**", - "test/**" - ] - } - }, - "dependencies": { - "safe-buffer": "^5.1.1" - }, - "deprecated": false, - "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.", - "devDependencies": { - "nyc": "^11.4.1", - "standard": "^10.0.3", - "standard-version": "^4.3.0", - "tap": "^11.1.0", - "weallbehave": "^1.2.0", - "weallcontribute": "^1.0.8" - }, - "files": [ - "*.js" - ], - "homepage": "https://github.com/zkat/ssri#readme", - "keywords": [ - "w3c", - "web", - "security", - "integrity", - "checksum", - "hashing", - "subresource integrity", - "sri", - "sri hash", - "sri string", - "sri generator", - "html" - ], - "license": "ISC", - "main": "index.js", - "name": "ssri", - "repository": { - "type": "git", - "url": "git+https://github.com/zkat/ssri.git" - }, - "scripts": { - "postrelease": "npm publish && git push --follow-tags", - "prerelease": "npm t", - "pretest": "standard", - "release": "standard-version -s", - "test": "tap -J --coverage test/*.js", - "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'", - "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'" - }, - "version": "5.3.0" -} |