1 files changed, 13 insertions, 6 deletions

diff --git a/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js b/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
index 914053c79f..46a926a1a1 100644
--- a/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
+++ b/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
@@ -1,5 +1,6 @@
 'use strict'
 
+const BB = require('bluebird')
 const Buffer = require('safe-buffer').Buffer
 
 const checkWarnings = require('./check-warning-header')
@@ -19,10 +20,13 @@ function regFetch (uri, registry, opts) {
     integrity: opts.integrity,
     memoize: opts.memoize,
     noProxy: opts.noProxy,
+    Promise: BB,
     proxy: opts.proxy,
     referer: opts.refer,
     retry: opts.retry,
-    timeout: opts.timeout
+    timeout: opts.timeout,
+    uid: opts.uid,
+    gid: opts.gid
   }).then(res => {
     if (res.headers.has('npm-notice') && !res.headers.has('x-local-cache')) {
       opts.log.warn('notice', res.headers.get('npm-notice'))
@@ -75,14 +79,17 @@ function getHeaders (uri, registry, opts) {
   }, opts.headers)
   const auth = (
     opts.auth &&
-    // If these two are on different hosts, don't send credentials.
-    // This is mainly used by the tarball fetcher.
-    url.parse(uri).host === url.parse(registry).host &&
     opts.auth[registryKey(registry)]
   )
-  if (auth && auth.token) {
+  // If a tarball is hosted on a different place than the manifest, only send
+  // credentials on `alwaysAuth`
+  const shouldAuth = auth && (
+    auth.alwaysAuth ||
+    url.parse(uri).host === url.parse(registry).host
+  )
+  if (shouldAuth && auth.token) {
     headers.authorization = `Bearer ${auth.token}`
-  } else if (auth && opts.alwaysAuth && auth.username && auth.password) {
+  } else if (shouldAuth && auth.username && auth.password) {
     const encoded = Buffer.from(
       `${auth.username}:${auth.password}`, 'utf8'
     ).toString('base64')