diff options
Diffstat (limited to 'deps/npm/node_modules/npm-registry-client')
19 files changed, 1531 insertions, 53 deletions
diff --git a/deps/npm/node_modules/npm-registry-client/CHANGELOG.md b/deps/npm/node_modules/npm-registry-client/CHANGELOG.md deleted file mode 100644 index bc74d3f0e8..0000000000 --- a/deps/npm/node_modules/npm-registry-client/CHANGELOG.md +++ /dev/null @@ -1,11 +0,0 @@ -# Change Log - -All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. - -<a name="8.5.1"></a> -## [8.5.1](https://github.com/npm/npm-registry-client/compare/v8.5.0...v8.5.1) (2018-03-08) - - -### Bug Fixes - -* **error:** improve `User not found` publish message ([#167](https://github.com/npm/npm-registry-client/issues/167)) ([5ebcffc](https://github.com/npm/npm-registry-client/commit/5ebcffc)) diff --git a/deps/npm/node_modules/npm-registry-client/lib/access.js b/deps/npm/node_modules/npm-registry-client/lib/access.js index d8d65a9442..b33d8973f3 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/access.js +++ b/deps/npm/node_modules/npm-registry-client/lib/access.js @@ -93,7 +93,7 @@ function apiUri (registryUri) { function accessAssertions (subcommand, uri, params, cb) { assert(subcommands.hasOwnProperty(subcommand), - 'access subcommand must be one of ' + + 'access subcommand must be one of ' + Object.keys(subcommands).join(', ')) typeChecks({ 'uri': [uri, 'string'], @@ -106,7 +106,7 @@ function accessAssertions (subcommand, uri, params, cb) { ], subcommand)) { typeChecks({ 'package': [params.package, 'string'] }) assert(!!npa(params.package).scope, - 'access commands are only accessible for scoped packages') + 'access commands are only accessible for scoped packages') } if (contains(['grant', 'revoke', 'ls-packages'], subcommand)) { typeChecks({ 'scope': [params.scope, 'string'] }) @@ -118,7 +118,7 @@ function accessAssertions (subcommand, uri, params, cb) { typeChecks({ 'permissions': [params.permissions, 'string'] }) assert(params.permissions === 'read-only' || params.permissions === 'read-write', - 'permissions must be either read-only or read-write') + 'permissions must be either read-only or read-write') } } @@ -127,7 +127,7 @@ function typeChecks (specs) { var checks = specs[key] /* eslint valid-typeof:0 */ assert(typeof checks[0] === checks[1], - key + ' is required and must be of type ' + checks[1]) + key + ' is required and must be of type ' + checks[1]) }) } diff --git a/deps/npm/node_modules/npm-registry-client/lib/adduser.js b/deps/npm/node_modules/npm-registry-client/lib/adduser.js index a31d5b0333..0dd517d946 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/adduser.js +++ b/deps/npm/node_modules/npm-registry-client/lib/adduser.js @@ -2,6 +2,7 @@ module.exports = adduser var url = require('url') var assert = require('assert') +var extend = Object.assign || require('util')._extend function adduser (uri, params, cb) { assert(typeof uri === 'string', 'must pass registry URI to adduser') @@ -67,7 +68,7 @@ function adduser (uri, params, cb) { } this.request( uri, - Object.assign({}, options), + extend({}, options), function (error, data, json, response) { if (!error || !response || response.statusCode !== 409) { return cb(error, data, json, response) diff --git a/deps/npm/node_modules/npm-registry-client/lib/dist-tags/fetch.js b/deps/npm/node_modules/npm-registry-client/lib/dist-tags/fetch.js index 69a126d1f4..558e2cf829 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/dist-tags/fetch.js +++ b/deps/npm/node_modules/npm-registry-client/lib/dist-tags/fetch.js @@ -11,7 +11,7 @@ function fetch (uri, params, cb) { params && typeof params === 'object', 'must pass params to distTags.fetch' ) - assert(typeof cb === 'function', 'must pass callback to distTags.fetch') + assert(typeof cb === 'function', 'muss pass callback to distTags.fetch') assert( typeof params.package === 'string', diff --git a/deps/npm/node_modules/npm-registry-client/lib/org.js b/deps/npm/node_modules/npm-registry-client/lib/org.js index 3072b3817a..7c73caf7da 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/org.js +++ b/deps/npm/node_modules/npm-registry-client/lib/org.js @@ -50,7 +50,7 @@ function apiUri (registryUri) { function orgAssertions (subcommand, uri, params, cb) { assert(subcommand, 'subcommand is required') assert(subcommands.hasOwnProperty(subcommand), - 'org subcommand must be one of ' + Object.keys(subcommands)) + 'org subcommand must be one of ' + Object.keys(subcommands)) assert(typeof uri === 'string', 'registry URI is required') assert(typeof params === 'object', 'params are required') assert(typeof params.auth === 'object', 'auth is required') diff --git a/deps/npm/node_modules/npm-registry-client/lib/publish.js b/deps/npm/node_modules/npm-registry-client/lib/publish.js index fd3adce126..ecf593a4ac 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/publish.js +++ b/deps/npm/node_modules/npm-registry-client/lib/publish.js @@ -95,7 +95,7 @@ function putFirst (registry, data, tarbuffer, access, auth, cb) { // Legacy shasum support data.dist.shasum = integrity['sha1'][0].hexDigest() data.dist.tarball = url.resolve(registry, tbURI) - .replace(/^https:\/\//, 'http://') + .replace(/^https:\/\//, 'http://') root._attachments = {} root._attachments[ tbName ] = { diff --git a/deps/npm/node_modules/npm-registry-client/lib/request.js b/deps/npm/node_modules/npm-registry-client/lib/request.js index 471546c1d2..1b769c3e4f 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/request.js +++ b/deps/npm/node_modules/npm-registry-client/lib/request.js @@ -298,8 +298,6 @@ function requestDone (method, where, cb) { ) } else if (name && parsed.error === 'not_found') { er = makeError('404 Not Found: ' + name, name, response.statusCode) - } else if (name && parsed.error === 'User not found') { - er = makeError('User not found. Check `npm whoami` and make sure you have a NPM account.', name, response.statusCode) } else { er = makeError( parsed.error + ' ' + (parsed.reason || '') + ': ' + (name || w), diff --git a/deps/npm/node_modules/npm-registry-client/lib/team.js b/deps/npm/node_modules/npm-registry-client/lib/team.js index 327fa9cd5a..3e3794e047 100644 --- a/deps/npm/node_modules/npm-registry-client/lib/team.js +++ b/deps/npm/node_modules/npm-registry-client/lib/team.js @@ -85,7 +85,7 @@ function apiUri (registryUri) { function teamAssertions (subcommand, uri, params, cb) { assert(subcommand, 'subcommand is required') assert(subcommands.hasOwnProperty(subcommand), - 'team subcommand must be one of ' + Object.keys(subcommands)) + 'team subcommand must be one of ' + Object.keys(subcommands)) assert(typeof uri === 'string', 'registry URI is required') assert(typeof params === 'object', 'params are required') assert(typeof params.auth === 'object', 'auth is required') @@ -100,6 +100,6 @@ function teamAssertions (subcommand, uri, params, cb) { if (subcommand === 'edit') { assert(typeof params.users === 'object' && params.users.length != null, - 'users is required') + 'users is required') } } diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/concat-stream/package.json b/deps/npm/node_modules/npm-registry-client/node_modules/concat-stream/package.json index c26b388289..a215056dab 100644 --- a/deps/npm/node_modules/npm-registry-client/node_modules/concat-stream/package.json +++ b/deps/npm/node_modules/npm-registry-client/node_modules/concat-stream/package.json @@ -1,8 +1,7 @@ { "_from": "concat-stream@^1.5.2", - "_id": "concat-stream@1.6.1", - "_inBundle": false, - "_integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", + "_id": "concat-stream@1.6.0", + "_integrity": "sha1-CqxmL9Ur54lk1VMvaUeE5wEQrPc=", "_location": "/npm-registry-client/concat-stream", "_phantomChildren": {}, "_requested": { @@ -18,14 +17,16 @@ "_requiredBy": [ "/npm-registry-client" ], - "_resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", - "_shasum": "261b8f518301f1d834e36342b9fea095d2620a26", + "_resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.0.tgz", + "_shasum": "0aac662fd52be78964d5532f694784e70110acf7", + "_shrinkwrap": null, "_spec": "concat-stream@^1.5.2", "_where": "/Users/zkat/Documents/code/npm/node_modules/npm-registry-client", "author": { "name": "Max Ogden", "email": "max@maxogden.com" }, + "bin": null, "bugs": { "url": "http://github.com/maxogden/concat-stream/issues" }, @@ -50,6 +51,8 @@ "license": "MIT", "main": "index.js", "name": "concat-stream", + "optionalDependencies": {}, + "peerDependencies": {}, "repository": { "type": "git", "url": "git+ssh://git@github.com/maxogden/concat-stream.git" @@ -79,5 +82,5 @@ "android-browser/4.2..latest" ] }, - "version": "1.6.1" + "version": "1.6.0" } diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/LICENSE b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/LICENSE new file mode 100644 index 0000000000..05eeeb88c2 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/LICENSE @@ -0,0 +1,15 @@ +The ISC License + +Copyright (c) Isaac Z. Schlueter + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR +IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/README.md b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/README.md new file mode 100644 index 0000000000..d45032dc74 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/README.md @@ -0,0 +1,81 @@ +# npm-package-arg + +Parses package name and specifier passed to commands like `npm install` or +`npm cache add`, or as found in `package.json` dependency sections. + +## EXAMPLES + +```javascript +var assert = require("assert") +var npa = require("npm-package-arg") + +// Pass in the descriptor, and it'll return an object +try { + var parsed = npa("@bar/foo@1.2") +} catch (ex) { + … +} +``` + +## USING + +`var npa = require('npm-package-arg')` + +### var result = npa(*arg*[, *where*]) + +* *arg* - a string that you might pass to `npm install`, like: +`foo@1.2`, `@bar/foo@1.2`, `foo@user/foo`, `http://x.com/foo.tgz`, +`git+https://github.com/user/foo`, `bitbucket:user/foo`, `foo.tar.gz`, +`../foo/bar/` or `bar`. If the *arg* you provide doesn't have a specifier +part, eg `foo` then the specifier will default to `latest`. +* *where* - Optionally the path to resolve file paths relative to. Defaults to `process.cwd()` + +**Throws** if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported. + +### var result = npa.resolve(*name*, *spec*[, *where*]) + +* *name* - The name of the module you want to install. For example: `foo` or `@bar/foo`. +* *spec* - The specifier indicating where and how you can get this module. Something like: +`1.2`, `^1.7.17`, `http://x.com/foo.tgz`, `git+https://github.com/user/foo`, +`bitbucket:user/foo`, `file:foo.tar.gz` or `file:../foo/bar/`. If not +included then the default is `latest`. +* *where* - Optionally the path to resolve file paths relative to. Defaults to `process.cwd()` + +**Throws** if the package name is invalid, a dist-tag is invalid or a URL's protocol is not supported. + +## RESULT OBJECT + +The objects that are returned by npm-package-arg contain the following +keys: + +* `type` - One of the following strings: + * `git` - A git repo + * `tag` - A tagged version, like `"foo@latest"` + * `version` - A specific version number, like `"foo@1.2.3"` + * `range` - A version range, like `"foo@2.x"` + * `file` - A local `.tar.gz`, `.tar` or `.tgz` file. + * `directory` - A local directory. + * `remote` - An http url (presumably to a tgz) +* `registry` - If true this specifier refers to a resource hosted on a + registry. This is true for `tag`, `version` and `range` types. +* `name` - If known, the `name` field expected in the resulting pkg. +* `scope` - If a name is something like `@org/module` then the `scope` + field will be set to `@org`. If it doesn't have a scoped name, then + scope is `null`. +* `escapedName` - A version of `name` escaped to match the npm scoped packages + specification. Mostly used when making requests against a registry. When + `name` is `null`, `escapedName` will also be `null`. +* `rawSpec` - The specifier part that was parsed out in calls to `npa(arg)`, + or the value of `spec` in calls to `npa.resolve(name, spec). +* `saveSpec` - The normalized specifier, for saving to package.json files. + `null` for registry dependencies. +* `fetchSpec` - The version of the specifier to be used to fetch this + resource. `null` for shortcuts to hosted git dependencies as there isn't + just one URL to try with them. +* `gitRange` - If set, this is a semver specifier to match against git tags with +* `gitCommittish` - If set, this is the specific committish to use with a git dependency. +* `hosted` - If `from === 'hosted'` then this will be a `hosted-git-info` + object. This property is not included when serializing the object as + JSON. +* `raw` - The original un-modified string that was provided. If called as + `npa.resolve(name, spec)` then this will be `name + '@' + spec`. diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/npa.js b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/npa.js new file mode 100644 index 0000000000..a61c057429 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/npa.js @@ -0,0 +1,270 @@ +'use strict' +module.exports = npa +module.exports.resolve = resolve +module.exports.Result = Result + +let url +let HostedGit +let semver +let path +let validatePackageName +let osenv + +const isWindows = process.platform === 'win32' || global.FAKE_WINDOWS +const hasSlashes = isWindows ? /\\|[/]/ : /[/]/ +const isURL = /^(?:git[+])?[a-z]+:/i +const isFilename = /[.](?:tgz|tar.gz|tar)$/i + +function npa (arg, where) { + let name + let spec + const nameEndsAt = arg[0] === '@' ? arg.slice(1).indexOf('@') + 1 : arg.indexOf('@') + const namePart = nameEndsAt > 0 ? arg.slice(0, nameEndsAt) : arg + if (isURL.test(arg)) { + spec = arg + } else if (namePart[0] !== '@' && (hasSlashes.test(namePart) || isFilename.test(namePart))) { + spec = arg + } else if (nameEndsAt > 0) { + name = namePart + spec = arg.slice(nameEndsAt + 1) + } else { + if (!validatePackageName) validatePackageName = require('validate-npm-package-name') + const valid = validatePackageName(arg) + if (valid.validForOldPackages) { + name = arg + } else { + spec = arg + } + } + return resolve(name, spec, where, arg) +} + +const isFilespec = isWindows ? /^(?:[.]|~[/]|[/\\]|[a-zA-Z]:)/ : /^(?:[.]|~[/]|[/]|[a-zA-Z]:)/ + +function resolve (name, spec, where, arg) { + const res = new Result({ + raw: arg, + name: name, + rawSpec: spec, + fromArgument: arg != null + }) + + if (name) res.setName(name) + + if (spec && (isFilespec.test(spec) || /^file:/i.test(spec))) { + return fromFile(res, where) + } + if (!HostedGit) HostedGit = require('hosted-git-info') + const hosted = HostedGit.fromUrl(spec, {noGitPlus: true, noCommittish: true}) + if (hosted) { + return fromHostedGit(res, hosted) + } else if (spec && isURL.test(spec)) { + return fromURL(res) + } else if (spec && (hasSlashes.test(spec) || isFilename.test(spec))) { + return fromFile(res, where) + } else { + return fromRegistry(res) + } +} + +function invalidPackageName (name, valid) { + const err = new Error(`Invalid package name "${name}": ${valid.errors.join('; ')}`) + err.code = 'EINVALIDPACKAGENAME' + return err +} +function invalidTagName (name) { + const err = new Error(`Invalid tag name "${name}": Tags may not have any characters that encodeURIComponent encodes.`) + err.code = 'EINVALIDTAGNAME' + return err +} + +function Result (opts) { + this.type = opts.type + this.registry = opts.registry + this.where = opts.where + if (opts.raw == null) { + this.raw = opts.name ? opts.name + '@' + opts.rawSpec : opts.rawSpec + } else { + this.raw = opts.raw + } + this.name = undefined + this.escapedName = undefined + this.scope = undefined + this.rawSpec = opts.rawSpec == null ? '' : opts.rawSpec + this.saveSpec = opts.saveSpec + this.fetchSpec = opts.fetchSpec + if (opts.name) this.setName(opts.name) + this.gitRange = opts.gitRange + this.gitCommittish = opts.gitCommittish + this.hosted = opts.hosted +} +Result.prototype = {} + +Result.prototype.setName = function (name) { + if (!validatePackageName) validatePackageName = require('validate-npm-package-name') + const valid = validatePackageName(name) + if (!valid.validForOldPackages) { + throw invalidPackageName(name, valid) + } + this.name = name + this.scope = name[0] === '@' ? name.slice(0, name.indexOf('/')) : undefined + // scoped packages in couch must have slash url-encoded, e.g. @foo%2Fbar + this.escapedName = name.replace('/', '%2f') + return this +} + +Result.prototype.toString = function () { + const full = [] + if (this.name != null && this.name !== '') full.push(this.name) + const spec = this.saveSpec || this.fetchSpec || this.rawSpec + if (spec != null && spec !== '') full.push(spec) + return full.length ? full.join('@') : this.raw +} + +Result.prototype.toJSON = function () { + const result = Object.assign({}, this) + delete result.hosted + return result +} + +function setGitCommittish (res, committish) { + if (committish != null && committish.length >= 7 && committish.slice(0, 7) === 'semver:') { + res.gitRange = decodeURIComponent(committish.slice(7)) + res.gitCommittish = null + } else if (committish == null || committish === '') { + res.gitCommittish = 'master' + } else { + res.gitCommittish = committish + } + return res +} + +const isAbsolutePath = /^[/]|^[A-Za-z]:/ + +function resolvePath (where, spec) { + if (isAbsolutePath.test(spec)) return spec + if (!path) path = require('path') + return path.resolve(where, spec) +} + +function isAbsolute (dir) { + if (dir[0] === '/') return true + if (/^[A-Za-z]:/.test(dir)) return true + return false +} + +function fromFile (res, where) { + if (!where) where = process.cwd() + res.type = isFilename.test(res.rawSpec) ? 'file' : 'directory' + res.where = where + + const spec = res.rawSpec.replace(/\\/g, '/') + .replace(/^file:[/]*([A-Za-z]:)/, '$1') // drive name paths on windows + .replace(/^file:(?:[/]*([~./]))?/, '$1') + if (/^~[/]/.test(spec)) { + // this is needed for windows and for file:~/foo/bar + if (!osenv) osenv = require('osenv') + res.fetchSpec = resolvePath(osenv.home(), spec.slice(2)) + res.saveSpec = 'file:' + spec + } else { + res.fetchSpec = resolvePath(where, spec) + if (isAbsolute(spec)) { + res.saveSpec = 'file:' + spec + } else { + if (!path) path = require('path') + res.saveSpec = 'file:' + path.relative(where, res.fetchSpec) + } + } + return res +} + +function fromHostedGit (res, hosted) { + res.type = 'git' + res.hosted = hosted + res.saveSpec = hosted.toString({noGitPlus: false, noCommittish: false}) + res.fetchSpec = hosted.getDefaultRepresentation() === 'shortcut' ? null : hosted.toString() + return setGitCommittish(res, hosted.committish) +} + +function unsupportedURLType (protocol, spec) { + const err = new Error(`Unsupported URL Type "${protocol}": ${spec}`) + err.code = 'EUNSUPPORTEDPROTOCOL' + return err +} + +function matchGitScp (spec) { + // git ssh specifiers are overloaded to also use scp-style git + // specifiers, so we have to parse those out and treat them special. + // They are NOT true URIs, so we can't hand them to `url.parse`. + // + // This regex looks for things that look like: + // git+ssh://git@my.custom.git.com:username/project.git#deadbeef + // + // ...and various combinations. The username in the beginning is *required*. + const matched = spec.match(/^git\+ssh:\/\/([^:#]+:[^#]+(?:\.git)?)(?:#(.*))?$/i) + return matched && !matched[1].match(/:[0-9]+\/?.*$/i) && { + fetchSpec: matched[1], + gitCommittish: matched[2] || 'master' + } +} + +function fromURL (res) { + if (!url) url = require('url') + const urlparse = url.parse(res.rawSpec) + res.saveSpec = res.rawSpec + // check the protocol, and then see if it's git or not + switch (urlparse.protocol) { + case 'git:': + case 'git+http:': + case 'git+https:': + case 'git+rsync:': + case 'git+ftp:': + case 'git+file:': + case 'git+ssh:': + res.type = 'git' + const match = urlparse.protocol === 'git+ssh:' && matchGitScp(res.rawSpec) + if (match) { + res.fetchSpec = match.fetchSpec + res.gitCommittish = match.gitCommittish + } else { + setGitCommittish(res, urlparse.hash != null ? urlparse.hash.slice(1) : '') + urlparse.protocol = urlparse.protocol.replace(/^git[+]/, '') + delete urlparse.hash + res.fetchSpec = url.format(urlparse) + } + break + case 'http:': + case 'https:': + res.type = 'remote' + res.fetchSpec = res.saveSpec + break + + default: + throw unsupportedURLType(urlparse.protocol, res.rawSpec) + } + + return res +} + +function fromRegistry (res) { + res.registry = true + const spec = res.rawSpec === '' ? 'latest' : res.rawSpec + // no save spec for registry components as we save based on the fetched + // version, not on the argument so this can't compute that. + res.saveSpec = null + res.fetchSpec = spec + if (!semver) semver = require('semver') + const version = semver.valid(spec, true) + const range = semver.validRange(spec, true) + if (version) { + res.type = 'version' + } else if (range) { + res.type = 'range' + } else { + if (encodeURIComponent(spec) !== spec) { + throw invalidTagName(spec) + } + res.type = 'tag' + } + return res +} diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/package.json b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/package.json new file mode 100644 index 0000000000..75f30d1258 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/npm-package-arg/package.json @@ -0,0 +1,64 @@ +{ + "_from": "npm-package-arg@^3.0.0 || ^4.0.0 || ^5.0.0", + "_id": "npm-package-arg@5.1.2", + "_inBundle": false, + "_integrity": "sha512-wJBsrf0qpypPT7A0LART18hCdyhpCMxeTtcb0X4IZO2jsP6Om7EHN1d9KSKiqD+KVH030RVNpWS9thk+pb7wzA==", + "_location": "/npm-registry-client/npm-package-arg", + "_phantomChildren": {}, + "_requested": { + "type": "range", + "registry": true, + "raw": "npm-package-arg@^3.0.0 || ^4.0.0 || ^5.0.0", + "name": "npm-package-arg", + "escapedName": "npm-package-arg", + "rawSpec": "^3.0.0 || ^4.0.0 || ^5.0.0", + "saveSpec": null, + "fetchSpec": "^3.0.0 || ^4.0.0 || ^5.0.0" + }, + "_requiredBy": [ + "/npm-registry-client" + ], + "_resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-5.1.2.tgz", + "_shasum": "fb18d17bb61e60900d6312619919bd753755ab37", + "_spec": "npm-package-arg@^3.0.0 || ^4.0.0 || ^5.0.0", + "_where": "/Users/zkat/Documents/code/npm/node_modules/npm-registry-client", + "author": { + "name": "Isaac Z. Schlueter", + "email": "i@izs.me", + "url": "http://blog.izs.me/" + }, + "bugs": { + "url": "https://github.com/npm/npm-package-arg/issues" + }, + "bundleDependencies": false, + "dependencies": { + "hosted-git-info": "^2.4.2", + "osenv": "^0.1.4", + "semver": "^5.1.0", + "validate-npm-package-name": "^3.0.0" + }, + "deprecated": false, + "description": "Parse the things that can be arguments to `npm install`", + "devDependencies": { + "standard": "9.0.2", + "tap": "^10.3.0" + }, + "directories": { + "test": "test" + }, + "files": [ + "npa.js" + ], + "homepage": "https://github.com/npm/npm-package-arg", + "license": "ISC", + "main": "npa.js", + "name": "npm-package-arg", + "repository": { + "type": "git", + "url": "git+https://github.com/npm/npm-package-arg.git" + }, + "scripts": { + "test": "standard && tap -J --coverage test/*.js" + }, + "version": "5.1.2" +} diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md new file mode 100644 index 0000000000..c1136092e3 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md @@ -0,0 +1,175 @@ +# Change Log + +All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. + +<a name="4.1.6"></a> +## [4.1.6](https://github.com/zkat/ssri/compare/v4.1.5...v4.1.6) (2017-06-07) + + +### Bug Fixes + +* **checkStream:** make sure to pass all opts through ([0b1bcbe](https://github.com/zkat/ssri/commit/0b1bcbe)) + + + +<a name="4.1.5"></a> +## [4.1.5](https://github.com/zkat/ssri/compare/v4.1.4...v4.1.5) (2017-06-05) + + +### Bug Fixes + +* **integrityStream:** stop crashing if opts.algorithms and opts.integrity have an algo mismatch ([fb1293e](https://github.com/zkat/ssri/commit/fb1293e)) + + + +<a name="4.1.4"></a> +## [4.1.4](https://github.com/zkat/ssri/compare/v4.1.3...v4.1.4) (2017-05-31) + + +### Bug Fixes + +* **node:** older versions of node[@4](https://github.com/4) do not support base64buffer string parsing ([513df4e](https://github.com/zkat/ssri/commit/513df4e)) + + + +<a name="4.1.3"></a> +## [4.1.3](https://github.com/zkat/ssri/compare/v4.1.2...v4.1.3) (2017-05-24) + + +### Bug Fixes + +* **check:** handle various bad hash corner cases better ([c2c262b](https://github.com/zkat/ssri/commit/c2c262b)) + + + +<a name="4.1.2"></a> +## [4.1.2](https://github.com/zkat/ssri/compare/v4.1.1...v4.1.2) (2017-04-18) + + +### Bug Fixes + +* **stream:** _flush can be called multiple times. use on("end") ([b1c4805](https://github.com/zkat/ssri/commit/b1c4805)) + + + +<a name="4.1.1"></a> +## [4.1.1](https://github.com/zkat/ssri/compare/v4.1.0...v4.1.1) (2017-04-12) + + +### Bug Fixes + +* **pickAlgorithm:** error if pickAlgorithm() is used in an empty Integrity ([fab470e](https://github.com/zkat/ssri/commit/fab470e)) + + + +<a name="4.1.0"></a> +# [4.1.0](https://github.com/zkat/ssri/compare/v4.0.0...v4.1.0) (2017-04-07) + + +### Features + +* adding ssri.create for a crypto style interface (#2) ([96f52ad](https://github.com/zkat/ssri/commit/96f52ad)) + + + +<a name="4.0.0"></a> +# [4.0.0](https://github.com/zkat/ssri/compare/v3.0.2...v4.0.0) (2017-04-03) + + +### Bug Fixes + +* **integrity:** should have changed the error code before. oops ([8381afa](https://github.com/zkat/ssri/commit/8381afa)) + + +### BREAKING CHANGES + +* **integrity:** EBADCHECKSUM -> EINTEGRITY for verification errors + + + +<a name="3.0.2"></a> +## [3.0.2](https://github.com/zkat/ssri/compare/v3.0.1...v3.0.2) (2017-04-03) + + + +<a name="3.0.1"></a> +## [3.0.1](https://github.com/zkat/ssri/compare/v3.0.0...v3.0.1) (2017-04-03) + + +### Bug Fixes + +* **package.json:** really should have these in the keywords because search ([a6ac6d0](https://github.com/zkat/ssri/commit/a6ac6d0)) + + + +<a name="3.0.0"></a> +# [3.0.0](https://github.com/zkat/ssri/compare/v2.0.0...v3.0.0) (2017-04-03) + + +### Bug Fixes + +* **hashes:** IntegrityMetadata -> Hash ([d04aa1f](https://github.com/zkat/ssri/commit/d04aa1f)) + + +### Features + +* **check:** return IntegrityMetadata on check success ([2301e74](https://github.com/zkat/ssri/commit/2301e74)) +* **fromHex:** ssri.fromHex to make it easier to generate them from hex valus ([049b89e](https://github.com/zkat/ssri/commit/049b89e)) +* **hex:** utility function for getting hex version of digest ([a9f021c](https://github.com/zkat/ssri/commit/a9f021c)) +* **hexDigest:** added hexDigest method to Integrity objects too ([85208ba](https://github.com/zkat/ssri/commit/85208ba)) +* **integrity:** add .isIntegrity and .isIntegrityMetadata ([1b29e6f](https://github.com/zkat/ssri/commit/1b29e6f)) +* **integrityStream:** new stream that can both generate and check streamed data ([fd23e1b](https://github.com/zkat/ssri/commit/fd23e1b)) +* **parse:** allow parsing straight into a single IntegrityMetadata object ([c8ddf48](https://github.com/zkat/ssri/commit/c8ddf48)) +* **pickAlgorithm:** Intergrity#pickAlgorithm() added ([b97a796](https://github.com/zkat/ssri/commit/b97a796)) +* **size:** calculate and update stream sizes ([02ed1ad](https://github.com/zkat/ssri/commit/02ed1ad)) + + +### BREAKING CHANGES + +* **hashes:** `.isIntegrityMetadata` is now `.isHash`. Also, any references to `IntegrityMetadata` now refer to `Hash`. +* **integrityStream:** createCheckerStream has been removed and replaced with a general-purpose integrityStream. + +To convert existing createCheckerStream code, move the `sri` argument into `opts.integrity` in integrityStream. All other options should be the same. +* **check:** `checkData`, `checkStream`, and `createCheckerStream` now yield a whole IntegrityMetadata instance representing the first successful hash match. + + + +<a name="2.0.0"></a> +# [2.0.0](https://github.com/zkat/ssri/compare/v1.0.0...v2.0.0) (2017-03-24) + + +### Bug Fixes + +* **strict-mode:** make regexes more rigid ([122a32c](https://github.com/zkat/ssri/commit/122a32c)) + + +### Features + +* **api:** added serialize alias for unparse ([999b421](https://github.com/zkat/ssri/commit/999b421)) +* **concat:** add Integrity#concat() ([cae12c7](https://github.com/zkat/ssri/commit/cae12c7)) +* **pickAlgo:** pick the strongest algorithm provided, by default ([58c18f7](https://github.com/zkat/ssri/commit/58c18f7)) +* **strict-mode:** strict SRI support ([3f0b64c](https://github.com/zkat/ssri/commit/3f0b64c)) +* **stringify:** replaced unparse/serialize with stringify ([4acad30](https://github.com/zkat/ssri/commit/4acad30)) +* **verification:** add opts.pickAlgorithm ([f72e658](https://github.com/zkat/ssri/commit/f72e658)) + + +### BREAKING CHANGES + +* **pickAlgo:** ssri will prioritize specific hashes now +* **stringify:** serialize and unparse have been removed. Use ssri.stringify instead. +* **strict-mode:** functions that accepted an optional `sep` argument now expect `opts.sep`. + + + +<a name="1.0.0"></a> +# 1.0.0 (2017-03-23) + + +### Features + +* **api:** implemented initial api ([4fbb16b](https://github.com/zkat/ssri/commit/4fbb16b)) + + +### BREAKING CHANGES + +* **api:** Initial API established. diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md new file mode 100644 index 0000000000..c05cb09586 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md @@ -0,0 +1,3 @@ +To the extent possible under law, maintainers for this project have waived all copyright and related or neighboring rights to this project. + +For more information on this waiver, see: https://creativecommons.org/publicdomain/zero/1.0/ diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md new file mode 100644 index 0000000000..f2fc035da5 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/README.md @@ -0,0 +1,462 @@ +# ssri [![npm version](https://img.shields.io/npm/v/ssri.svg)](https://npm.im/ssri) [![license](https://img.shields.io/npm/l/ssri.svg)](https://npm.im/ssri) [![Travis](https://img.shields.io/travis/zkat/ssri.svg)](https://travis-ci.org/zkat/ssri) [![AppVeyor](https://ci.appveyor.com/api/projects/status/github/zkat/ssri?svg=true)](https://ci.appveyor.com/project/zkat/ssri) [![Coverage Status](https://coveralls.io/repos/github/zkat/ssri/badge.svg?branch=latest)](https://coveralls.io/github/zkat/ssri?branch=latest) + +[`ssri`](https://github.com/zkat/ssri), short for Standard Subresource +Integrity, is a Node.js utility for parsing, manipulating, serializing, +generating, and verifying [Subresource +Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes. + +## Install + +`$ npm install --save ssri` + +## Table of Contents + +* [Example](#example) +* [Features](#features) +* [Contributing](#contributing) +* [API](#api) + * Parsing & Serializing + * [`parse`](#parse) + * [`stringify`](#stringify) + * [`Integrity#concat`](#integrity-concat) + * [`Integrity#toString`](#integrity-to-string) + * [`Integrity#toJSON`](#integrity-to-json) + * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm) + * [`Integrity#hexDigest`](#integrity-hex-digest) + * Integrity Generation + * [`fromHex`](#from-hex) + * [`fromData`](#from-data) + * [`fromStream`](#from-stream) + * [`create`](#create) + * Integrity Verification + * [`checkData`](#check-data) + * [`checkStream`](#check-stream) + * [`integrityStream`](#integrity-stream) + +### Example + +```javascript +const ssri = require('ssri') + +const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +// Parsing and serializing +const parsed = ssri.parse(integrity) +ssri.stringify(parsed) // === integrity (works on non-Integrity objects) +parsed.toString() // === integrity + +// Async stream functions +ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...) +ssri.fromStream(fs.createReadStream('./my-file')).then(sri => { + sri.toString() === integrity +}) +fs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri)) + +// Sync data functions +ssri.fromData(fs.readFileSync('./my-file')) // === parsed +ssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512' +``` + +### Features + +* Parses and stringifies SRI strings. +* Generates SRI strings from raw data or Streams. +* Strict standard compliance. +* `?foo` metadata option support. +* Multiple entries for the same algorithm. +* Object-based integrity hash manipulation. +* Small footprint: no dependencies, concise implementation. +* Full test coverage. +* Customizable algorithm picker. + +### Contributing + +The ssri team enthusiastically welcomes contributions and project participation! +There's a bunch of things you can do if you want to contribute! The [Contributor +Guide](CONTRIBUTING.md) has all the information you need for everything from +reporting bugs to contributing entire new features. Please don't hesitate to +jump in if you'd like to, or even ask us questions if something isn't clear. + +### API + +#### <a name="parse"></a> `> ssri.parse(sri, [opts]) -> Integrity` + +Parses `sri` into an `Integrity` data structure. `sri` can be an integrity +string, an `Hash`-like with `digest` and `algorithm` fields and an optional +`options` field, or an `Integrity`-like object. The resulting object will be an +`Integrity` instance that has this shape: + +```javascript +{ + 'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}], + 'sha512': [ + {algorithm: 'sha512', digest: 'c0ffee', options: []}, + {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']} + ], +} +``` + +If `opts.single` is truthy, a single `Hash` object will be returned. That is, a +single object that looks like `{algorithm, digest, options}`, as opposed to a +larger object with multiple of these. + +If `opts.strict` is truthy, the resulting object will be filtered such that +it strictly follows the Subresource Integrity spec, throwing away any entries +with any invalid components. This also means a restricted set of algorithms +will be used -- the spec limits them to `sha256`, `sha384`, and `sha512`. + +Strict mode is recommended if the integrity strings are intended for use in +browsers, or in other situations where strict adherence to the spec is needed. + +##### Example + +```javascript +ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object +``` + +#### <a name="stringify"></a> `> ssri.stringify(sri, [opts]) -> String` + +This function is identical to [`Integrity#toString()`](#integrity-to-string), +except it can be used on _any_ object that [`parse`](#parse) can handle -- that +is, a string, an `Hash`-like, or an `Integrity`-like. + +The `opts.sep` option defines the string to use when joining multiple entries +together. To be spec-compliant, this _must_ be whitespace. The default is a +single space (`' '`). + +If `opts.strict` is true, the integrity string will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +// Useful for cleaning up input SRI strings: +ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar') +// -> 'sha512-foo sha384-bar' + +// Hash-like: only a single entry. +ssri.stringify({ + algorithm: 'sha512', + digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', + options: ['foo'] +}) +// -> +// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse` +ssri.stringify({ + 'sha512': [ + { + algorithm: 'sha512', + digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==', + options: ['foo'] + } + ] +}) +// -> +// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' +``` + +#### <a name="integrity-concat"></a> `> Integrity#concat(otherIntegrity, [opts]) -> Integrity` + +Concatenates an `Integrity` object with another IntegrityLike, or an integrity +string. + +This is functionally equivalent to concatenating the string format of both +integrity arguments, and calling [`ssri.parse`](#ssri-parse) on the new string. + +If `opts.strict` is true, the new `Integrity` will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +// This will combine the integrity checks for two different versions of +// your index.js file so you can use a single integrity string and serve +// either of these to clients, from a single `<script>` tag. +const desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js')) +const mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js')) + +// Note that browsers (and ssri) will succeed as long as ONE of the entries +// for the *prioritized* algorithm succeeds. That is, in order for this fallback +// to work, both desktop and mobile *must* use the same `algorithm` values. +desktopIntegrity.concat(mobileIntegrity) +``` + +#### <a name="integrity-to-string"></a> `> Integrity#toString([opts]) -> String` + +Returns the string representation of an `Integrity` object. All hash entries +will be concatenated in the string by `opts.sep`, which defaults to `' '`. + +If you want to serialize an object that didn't from from an `ssri` function, +use [`ssri.stringify()`](#stringify). + +If `opts.strict` is true, the integrity string will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo' + +ssri.parse(integrity).toString() === integrity +``` + +#### <a name="integrity-to-json"></a> `> Integrity#toJSON() -> String` + +Returns the string representation of an `Integrity` object. All hash entries +will be concatenated in the string by `' '`. + +This is a convenience method so you can pass an `Integrity` object directly to `JSON.stringify`. +For more info check out [toJSON() behavior on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#toJSON%28%29_behavior). + +##### Example + +```javascript +const integrity = '"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo"' + +JSON.stringify(ssri.parse(integrity)) === integrity +``` + +#### <a name="integrity-pick-algorithm"></a> `> Integrity#pickAlgorithm([opts]) -> String` + +Returns the "best" algorithm from those available in the integrity object. + +If `opts.pickAlgorithm` is provided, it will be passed two algorithms as +arguments. ssri will prioritize whichever of the two algorithms is returned by +this function. Note that the function may be called multiple times, and it +**must** return one of the two algorithms provided. By default, ssri will make +a best-effort to pick the strongest/most reliable of the given algorithms. It +may intentionally deprioritize algorithms with known vulnerabilities. + +##### Example + +```javascript +ssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512 +``` + +#### <a name="integrity-hex-digest"></a> `> Integrity#hexDigest() -> String` + +`Integrity` is assumed to be either a single-hash `Integrity` instance, or a +`Hash` instance. Returns its `digest`, converted to a hex representation of the +base64 data. + +##### Example + +```javascript +ssri.parse('sha1-deadbeef').hexDigest() // '75e69d6de79f' +``` + +#### <a name="from-hex"></a> `> ssri.fromHex(hexDigest, algorithm, [opts]) -> Integrity` + +Creates an `Integrity` object with a single entry, based on a hex-formatted +hash. This is a utility function to help convert existing shasums to the +Integrity format, and is roughly equivalent to something like: + +```javascript +algorithm + '-' + Buffer.from(hexDigest, 'hex').toString('base64') +``` + +`opts.options` may optionally be passed in: it must be an array of option +strings that will be added to all generated integrity hashes generated by +`fromData`. This is a loosely-specified feature of SRIs, and currently has no +specified semantics besides being `?`-separated. Use at your own risk, and +probably avoid if your integrity strings are meant to be used with browsers. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +If `opts.single` is true, a single `Hash` object will be returned. + +##### Example + +```javascript +ssri.fromHex('75e69d6de79f', 'sha1').toString() // 'sha1-deadbeef' +``` + +#### <a name="from-data"></a> `> ssri.fromData(data, [opts]) -> Integrity` + +Creates an `Integrity` object from either string or `Buffer` data, calculating +all the requested hashes and adding any specified options to the object. + +`opts.algorithms` determines which algorithms to generate hashes for. All +results will be included in a single `Integrity` object. The default value for +`opts.algorithms` is `['sha512']`. All algorithm strings must be hashes listed +in `crypto.getHashes()` for the host Node.js platform. + +`opts.options` may optionally be passed in: it must be an array of option +strings that will be added to all generated integrity hashes generated by +`fromData`. This is a loosely-specified feature of SRIs, and currently has no +specified semantics besides being `?`-separated. Use at your own risk, and +probably avoid if your integrity strings are meant to be used with browsers. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrityObj = ssri.fromData('foobarbaz', { + algorithms: ['sha256', 'sha384', 'sha512'] +}) +integrity.toString('\n') +// -> +// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0= +// sha384-irnCxQ0CfQhYGlVAUdwTPC9bF3+YWLxlaDGM4xbYminxpbXEq+D+2GCEBTxcjES9 +// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== +``` + +#### <a name="from-stream"></a> `> ssri.fromStream(stream, [opts]) -> Promise<Integrity>` + +Returns a Promise of an Integrity object calculated by reading data from +a given `stream`. + +It accepts both `opts.algorithms` and `opts.options`, which are documented as +part of [`ssri.fromData`](#from-data). + +Additionally, `opts.Promise` may be passed in to inject a Promise library of +choice. By default, ssri will use Node's built-in Promises. + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +ssri.fromStream(fs.createReadStream('index.js'), { + algorithms: ['sha1', 'sha512'] +}).then(integrity => { + return ssri.checkStream(fs.createReadStream('index.js'), integrity) +}) // succeeds +``` + +#### <a name="create"></a> `> ssri.create([opts]) -> <Hash>` + +Returns a Hash object with `update(<Buffer or string>[,enc])` and `digest()` methods. + + +The Hash object provides the same methods as [crypto class Hash](https://nodejs.org/dist/latest-v6.x/docs/api/crypto.html#crypto_class_hash). +`digest()` accepts no arguments and returns an Integrity object calculated by reading data from +calls to update. + +It accepts both `opts.algorithms` and `opts.options`, which are documented as +part of [`ssri.fromData`](#from-data). + +If `opts.strict` is true, the integrity object will be created using strict +parsing rules. See [`ssri.parse`](#parse). + +##### Example + +```javascript +const integrity = ssri.create().update('foobarbaz').digest() +integrity.toString() +// -> +// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg== +``` + +#### <a name="check-data"></a> `> ssri.checkData(data, sri, [opts]) -> Hash|false` + +Verifies `data` integrity against an `sri` argument. `data` may be either a +`String` or a `Buffer`, and `sri` can be any subresource integrity +representation that [`ssri.parse`](#parse) can handle. + +If verification succeeds, `checkData` will return the name of the algorithm that +was used for verification (a truthy value). Otherwise, it will return `false`. + +If `opts.pickAlgorithm` is provided, it will be used by +[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of +the available digests to match against. + +##### Example + +```javascript +const data = fs.readFileSync('index.js') +ssri.checkData(data, ssri.fromData(data)) // -> 'sha512' +ssri.checkData(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0') +ssri.checkData(data, 'sha1-BaDDigEST') // -> false +``` + +#### <a name="check-stream"></a> `> ssri.checkStream(stream, sri, [opts]) -> Promise<Hash>` + +Verifies the contents of `stream` against an `sri` argument. `stream` will be +consumed in its entirety by this process. `sri` can be any subresource integrity +representation that [`ssri.parse`](#parse) can handle. + +`checkStream` will return a Promise that either resolves to the +`Hash` that succeeded verification, or, if the verification fails +or an error happens with `stream`, the Promise will be rejected. + +If the Promise is rejected because verification failed, the returned error will +have `err.code` as `EINTEGRITY`. + +If `opts.size` is given, it will be matched against the stream size. An error +with `err.code` `EBADSIZE` will be returned by a rejection if the expected size +and actual size fail to match. + +If `opts.pickAlgorithm` is provided, it will be used by +[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of +the available digests to match against. + +##### Example + +```javascript +const integrity = ssri.fromData(fs.readFileSync('index.js')) + +ssri.checkStream( + fs.createReadStream('index.js'), + integrity +) +// -> +// Promise<{ +// algorithm: 'sha512', +// digest: 'sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1' +// }> + +ssri.checkStream( + fs.createReadStream('index.js'), + 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0' +) // -> Promise<Hash> + +ssri.checkStream( + fs.createReadStream('index.js'), + 'sha1-BaDDigEST' +) // -> Promise<Error<{code: 'EINTEGRITY'}>> +``` + +#### <a name="integrity-stream"></a> `> integrityStream(sri, [opts]) -> IntegrityStream` + +Returns a `Transform` stream that data can be piped through in order to generate +and optionally check data integrity for piped data. When the stream completes +successfully, it emits `size` and `integrity` events, containing the total +number of bytes processed and a calculated `Integrity` instance based on stream +data, respectively. + +If `opts.algorithms` is passed in, the listed algorithms will be calculated when +generating the final `Integrity` instance. The default is `['sha512']`. + +If `opts.single` is passed in, a single `Hash` instance will be returned. + +If `opts.integrity` is passed in, it should be an `integrity` value understood +by [`parse`](#parse) that the stream will check the data against. If +verification succeeds, the integrity stream will emit a `verified` event whose +value is a single `Hash` object that is the one that succeeded verification. If +verification fails, the stream will error with an `EINTEGRITY` error code. + +If `opts.size` is given, it will be matched against the stream size. An error +with `err.code` `EBADSIZE` will be emitted by the stream if the expected size +and actual size fail to match. + +If `opts.pickAlgorithm` is provided, it will be passed two algorithms as +arguments. ssri will prioritize whichever of the two algorithms is returned by +this function. Note that the function may be called multiple times, and it +**must** return one of the two algorithms provided. By default, ssri will make +a best-effort to pick the strongest/most reliable of the given algorithms. It +may intentionally deprioritize algorithms with known vulnerabilities. + +##### Example + +```javascript +const integrity = ssri.fromData(fs.readFileSync('index.js')) +fs.createReadStream('index.js') +.pipe(ssri.checkStream(integrity)) +``` diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js new file mode 100644 index 0000000000..8ece662ba6 --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/index.js @@ -0,0 +1,334 @@ +'use strict' + +const Buffer = require('safe-buffer').Buffer + +const crypto = require('crypto') +const Transform = require('stream').Transform + +const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512'] + +const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i +const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/ +const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/ +const VCHAR_REGEX = /^[\x21-\x7E]+$/ + +class Hash { + get isHash () { return true } + constructor (hash, opts) { + const strict = !!(opts && opts.strict) + this.source = hash.trim() + // 3.1. Integrity metadata (called "Hash" by ssri) + // https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description + const match = this.source.match( + strict + ? STRICT_SRI_REGEX + : SRI_REGEX + ) + if (!match) { return } + if (strict && !SPEC_ALGORITHMS.some(a => a === match[1])) { return } + this.algorithm = match[1] + this.digest = match[2] + + const rawOpts = match[3] + this.options = rawOpts ? rawOpts.slice(1).split('?') : [] + } + hexDigest () { + return this.digest && Buffer.from(this.digest, 'base64').toString('hex') + } + toJSON () { + return this.toString() + } + toString (opts) { + if (opts && opts.strict) { + // Strict mode enforces the standard as close to the foot of the + // letter as it can. + if (!( + // The spec has very restricted productions for algorithms. + // https://www.w3.org/TR/CSP2/#source-list-syntax + SPEC_ALGORITHMS.some(x => x === this.algorithm) && + // Usually, if someone insists on using a "different" base64, we + // leave it as-is, since there's multiple standards, and the + // specified is not a URL-safe variant. + // https://www.w3.org/TR/CSP2/#base64_value + this.digest.match(BASE64_REGEX) && + // Option syntax is strictly visual chars. + // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression + // https://tools.ietf.org/html/rfc5234#appendix-B.1 + (this.options || []).every(opt => opt.match(VCHAR_REGEX)) + )) { + return '' + } + } + const options = this.options && this.options.length + ? `?${this.options.join('?')}` + : '' + return `${this.algorithm}-${this.digest}${options}` + } +} + +class Integrity { + get isIntegrity () { return true } + toJSON () { + return this.toString() + } + toString (opts) { + opts = opts || {} + let sep = opts.sep || ' ' + if (opts.strict) { + // Entries must be separated by whitespace, according to spec. + sep = sep.replace(/\S+/g, ' ') + } + return Object.keys(this).map(k => { + return this[k].map(hash => { + return Hash.prototype.toString.call(hash, opts) + }).filter(x => x.length).join(sep) + }).filter(x => x.length).join(sep) + } + concat (integrity, opts) { + const other = typeof integrity === 'string' + ? integrity + : stringify(integrity, opts) + return parse(`${this.toString(opts)} ${other}`, opts) + } + hexDigest () { + return parse(this, {single: true}).hexDigest() + } + pickAlgorithm (opts) { + const pickAlgorithm = (opts && opts.pickAlgorithm) || getPrioritizedHash + const keys = Object.keys(this) + if (!keys.length) { + throw new Error(`No algorithms available for ${ + JSON.stringify(this.toString()) + }`) + } + return keys.reduce((acc, algo) => { + return pickAlgorithm(acc, algo) || acc + }) + } +} + +module.exports.parse = parse +function parse (sri, opts) { + opts = opts || {} + if (typeof sri === 'string') { + return _parse(sri, opts) + } else if (sri.algorithm && sri.digest) { + const fullSri = new Integrity() + fullSri[sri.algorithm] = [sri] + return _parse(stringify(fullSri, opts), opts) + } else { + return _parse(stringify(sri, opts), opts) + } +} + +function _parse (integrity, opts) { + // 3.4.3. Parse metadata + // https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata + if (opts.single) { + return new Hash(integrity, opts) + } + return integrity.trim().split(/\s+/).reduce((acc, string) => { + const hash = new Hash(string, opts) + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) +} + +module.exports.stringify = stringify +function stringify (obj, opts) { + if (obj.algorithm && obj.digest) { + return Hash.prototype.toString.call(obj, opts) + } else if (typeof obj === 'string') { + return stringify(parse(obj, opts), opts) + } else { + return Integrity.prototype.toString.call(obj, opts) + } +} + +module.exports.fromHex = fromHex +function fromHex (hexDigest, algorithm, opts) { + const optString = (opts && opts.options && opts.options.length) + ? `?${opts.options.join('?')}` + : '' + return parse( + `${algorithm}-${ + Buffer.from(hexDigest, 'hex').toString('base64') + }${optString}`, opts + ) +} + +module.exports.fromData = fromData +function fromData (data, opts) { + opts = opts || {} + const algorithms = opts.algorithms || ['sha512'] + const optString = opts.options && opts.options.length + ? `?${opts.options.join('?')}` + : '' + return algorithms.reduce((acc, algo) => { + const digest = crypto.createHash(algo).update(data).digest('base64') + const hash = new Hash( + `${algo}-${digest}${optString}`, + opts + ) + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) +} + +module.exports.fromStream = fromStream +function fromStream (stream, opts) { + opts = opts || {} + const P = opts.Promise || Promise + const istream = integrityStream(opts) + return new P((resolve, reject) => { + stream.pipe(istream) + stream.on('error', reject) + istream.on('error', reject) + let sri + istream.on('integrity', s => { sri = s }) + istream.on('end', () => resolve(sri)) + istream.on('data', () => {}) + }) +} + +module.exports.checkData = checkData +function checkData (data, sri, opts) { + opts = opts || {} + sri = parse(sri, opts) + if (!Object.keys(sri).length) { return false } + const algorithm = sri.pickAlgorithm(opts) + const digests = sri[algorithm] || [] + const digest = crypto.createHash(algorithm).update(data).digest('base64') + return digests.find(hash => hash.digest === digest) || false +} + +module.exports.checkStream = checkStream +function checkStream (stream, sri, opts) { + opts = opts || {} + const P = opts.Promise || Promise + const checker = integrityStream(Object.assign({}, opts, { + integrity: sri + })) + return new P((resolve, reject) => { + stream.pipe(checker) + stream.on('error', reject) + checker.on('error', reject) + let sri + checker.on('verified', s => { sri = s }) + checker.on('end', () => resolve(sri)) + checker.on('data', () => {}) + }) +} + +module.exports.integrityStream = integrityStream +function integrityStream (opts) { + opts = opts || {} + // For verification + const sri = opts.integrity && parse(opts.integrity, opts) + const goodSri = sri && Object.keys(sri).length + const algorithm = goodSri && sri.pickAlgorithm(opts) + const digests = goodSri && sri[algorithm] + // Calculating stream + const algorithms = opts.algorithms || [algorithm || 'sha512'] + const hashes = algorithms.map(crypto.createHash) + let streamSize = 0 + const stream = new Transform({ + transform (chunk, enc, cb) { + streamSize += chunk.length + hashes.forEach(h => h.update(chunk, enc)) + cb(null, chunk, enc) + } + }).on('end', () => { + const optString = (opts.options && opts.options.length) + ? `?${opts.options.join('?')}` + : '' + const newSri = parse(hashes.map((h, i) => { + return `${algorithms[i]}-${h.digest('base64')}${optString}` + }).join(' '), opts) + const match = ( + // Integrity verification mode + opts.integrity && + newSri[algorithm] && + digests && + digests.find(hash => { + return newSri[algorithm].find(newhash => { + return hash.digest === newhash.digest + }) + }) + ) + if (typeof opts.size === 'number' && streamSize !== opts.size) { + const err = new Error(`stream size mismatch when checking ${sri}.\n Wanted: ${opts.size}\n Found: ${streamSize}`) + err.code = 'EBADSIZE' + err.found = streamSize + err.expected = opts.size + err.sri = sri + stream.emit('error', err) + } else if (opts.integrity && !match) { + const err = new Error(`${sri} integrity checksum failed when using ${algorithm}: wanted ${digests} but got ${newSri}. (${streamSize} bytes)`) + err.code = 'EINTEGRITY' + err.found = newSri + err.expected = digests + err.algorithm = algorithm + err.sri = sri + stream.emit('error', err) + } else { + stream.emit('size', streamSize) + stream.emit('integrity', newSri) + match && stream.emit('verified', match) + } + }) + return stream +} + +module.exports.create = createIntegrity +function createIntegrity (opts) { + opts = opts || {} + const algorithms = opts.algorithms || ['sha512'] + const optString = opts.options && opts.options.length + ? `?${opts.options.join('?')}` + : '' + + const hashes = algorithms.map(crypto.createHash) + + return { + update: function (chunk, enc) { + hashes.forEach(h => h.update(chunk, enc)) + return this + }, + digest: function (enc) { + const integrity = algorithms.reduce((acc, algo) => { + const digest = hashes.shift().digest('base64') + const hash = new Hash( + `${algo}-${digest}${optString}`, + opts + ) + if (hash.algorithm && hash.digest) { + const algo = hash.algorithm + if (!acc[algo]) { acc[algo] = [] } + acc[algo].push(hash) + } + return acc + }, new Integrity()) + + return integrity + } + } +} + +// This is a Best Effort™ at a reasonable priority for hash algos +const DEFAULT_PRIORITY = [ + 'md5', 'whirlpool', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512' +] +function getPrioritizedHash (algo1, algo2) { + return DEFAULT_PRIORITY.indexOf(algo1.toLowerCase()) >= DEFAULT_PRIORITY.indexOf(algo2.toLowerCase()) + ? algo1 + : algo2 +} diff --git a/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json new file mode 100644 index 0000000000..ad7949d03e --- /dev/null +++ b/deps/npm/node_modules/npm-registry-client/node_modules/ssri/package.json @@ -0,0 +1,89 @@ +{ + "_from": "ssri@^4.1.2", + "_id": "ssri@4.1.6", + "_inBundle": false, + "_integrity": "sha512-WUbCdgSAMQjTFZRWvSPpauryvREEA+Krn19rx67UlJEJx/M192ZHxMmJXjZ4tkdFm+Sb0SXGlENeQVlA5wY7kA==", + "_location": "/npm-registry-client/ssri", + "_phantomChildren": {}, + "_requested": { + "type": "range", + "registry": true, + "raw": "ssri@^4.1.2", + "name": "ssri", + "escapedName": "ssri", + "rawSpec": "^4.1.2", + "saveSpec": null, + "fetchSpec": "^4.1.2" + }, + "_requiredBy": [ + "/npm-registry-client" + ], + "_resolved": "https://registry.npmjs.org/ssri/-/ssri-4.1.6.tgz", + "_shasum": "0cb49b6ac84457e7bdd466cb730c3cb623e9a25b", + "_spec": "ssri@^4.1.2", + "_where": "/Users/zkat/Documents/code/npm/node_modules/npm-registry-client", + "author": { + "name": "Kat Marchán", + "email": "kzm@sykosomatic.org" + }, + "bugs": { + "url": "https://github.com/zkat/ssri/issues" + }, + "bundleDependencies": false, + "config": { + "nyc": { + "exclude": [ + "node_modules/**", + "test/**" + ] + } + }, + "dependencies": { + "safe-buffer": "^5.1.0" + }, + "deprecated": false, + "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.", + "devDependencies": { + "nyc": "^10.3.2", + "standard": "^9.0.2", + "standard-version": "^4.1.0", + "tap": "^10.3.3", + "weallbehave": "^1.2.0", + "weallcontribute": "^1.0.8" + }, + "files": [ + "*.js" + ], + "homepage": "https://github.com/zkat/ssri#readme", + "keywords": [ + "w3c", + "web", + "security", + "integrity", + "checksum", + "hashing", + "subresource integrity", + "sri", + "sri hash", + "sri string", + "sri generator", + "html" + ], + "license": "CC0-1.0", + "main": "index.js", + "name": "ssri", + "repository": { + "type": "git", + "url": "git+https://github.com/zkat/ssri.git" + }, + "scripts": { + "postrelease": "npm publish && git push --follow-tags", + "prerelease": "npm t", + "pretest": "standard", + "release": "standard-version -s", + "test": "tap -J --coverage test/*.js", + "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'", + "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'" + }, + "version": "4.1.6" +} diff --git a/deps/npm/node_modules/npm-registry-client/package.json b/deps/npm/node_modules/npm-registry-client/package.json index 2a605c105a..619940a5e6 100644 --- a/deps/npm/node_modules/npm-registry-client/package.json +++ b/deps/npm/node_modules/npm-registry-client/package.json @@ -1,31 +1,31 @@ { - "_from": "npm-registry-client@8.5.1", - "_id": "npm-registry-client@8.5.1", + "_from": "npm-registry-client@latest", + "_id": "npm-registry-client@8.5.0", "_inBundle": false, - "_integrity": "sha512-7rjGF2eA7hKDidGyEWmHTiKfXkbrcQAsGL/Rh4Rt3x3YNRNHhwaTzVJfW3aNvvlhg4G62VCluif0sLCb/i51Hg==", + "_integrity": "sha512-Nkcw24bfECKFNt0FLDQ+PjVqSlKxMggcboXiUBIvjbCnA15xjRO4kCwRDluGNXZjHFLx/vPjN4+ESXyVjpXLbQ==", "_location": "/npm-registry-client", "_phantomChildren": { "inherits": "2.0.3", - "readable-stream": "2.3.4" + "readable-stream": "2.3.3" }, "_requested": { - "type": "version", + "type": "tag", "registry": true, - "raw": "npm-registry-client@8.5.1", + "raw": "npm-registry-client@latest", "name": "npm-registry-client", "escapedName": "npm-registry-client", - "rawSpec": "8.5.1", + "rawSpec": "latest", "saveSpec": null, - "fetchSpec": "8.5.1" + "fetchSpec": "latest" }, "_requiredBy": [ "#USER", "/" ], - "_resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.5.1.tgz", - "_shasum": "8115809c0a4b40938b8a109b8ea74d26c6f5d7f1", - "_spec": "npm-registry-client@8.5.1", - "_where": "/Users/zkat/Documents/code/npm", + "_resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.5.0.tgz", + "_shasum": "4878fb6fa1f18a5dc08ae83acf94d0d0112d7ed0", + "_spec": "npm-registry-client@latest", + "_where": "/Users/rebecca/code/npm", "author": { "name": "Isaac Z. Schlueter", "email": "i@izs.me", @@ -39,15 +39,14 @@ "concat-stream": "^1.5.2", "graceful-fs": "^4.1.6", "normalize-package-data": "~1.0.1 || ^2.0.0", - "npm-package-arg": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0", + "npm-package-arg": "^3.0.0 || ^4.0.0 || ^5.0.0", "npmlog": "2 || ^3.1.0 || ^4.0.0", "once": "^1.3.3", "request": "^2.74.0", "retry": "^0.10.0", - "safe-buffer": "^5.1.1", "semver": "2 >=2.2.1 || 3.x || 4 || 5", "slide": "^1.1.3", - "ssri": "^5.2.4" + "ssri": "^4.1.2" }, "deprecated": false, "description": "Client for the npm registry", @@ -57,9 +56,8 @@ "readable-stream": "^2.1.5", "require-inject": "^1.4.0", "rimraf": "^2.5.4", - "standard": "^11.0.0", - "standard-version": "^4.3.0", - "tap": "^11.1.2" + "standard": "^9.0.0", + "tap": "^10.3.0" }, "files": [ "lib", @@ -76,11 +74,7 @@ "url": "git+https://github.com/npm/npm-registry-client.git" }, "scripts": { - "postrelease": "npm publish && git push --follow-tags", - "prerelease": "npm t", - "pretest": "standard", - "release": "standard-version -s", - "test": "tap --nyc-arg=--all --coverage test/*.js" + "test": "standard && tap test/*.js" }, - "version": "8.5.1" + "version": "8.5.0" } |