deps: pacote@18.0.2

DEPENDENCIES.md

@@ -242,18 +242,14 @@ graph LR;
   pacote-->npm-registry-fetch;
   pacote-->npmcli-git["@npmcli/git"];
   pacote-->npmcli-installed-package-contents["@npmcli/installed-package-contents"];
+  pacote-->npmcli-package-json["@npmcli/package-json"];
   pacote-->npmcli-promise-spawn["@npmcli/promise-spawn"];
   pacote-->npmcli-run-script["@npmcli/run-script"];
   pacote-->proc-log;
-  pacote-->read-package-json-fast;
-  pacote-->read-package-json;
   pacote-->ssri;
   parse-conflict-json-->json-parse-even-better-errors;
   promzard-->read;
   read-->mute-stream;
-  read-package-json-->json-parse-even-better-errors;
-  read-package-json-->normalize-package-data;
-  read-package-json-->npm-normalize-package-bin;
   read-package-json-fast-->json-parse-even-better-errors;
   read-package-json-fast-->npm-normalize-package-bin;
   unique-filename-->unique-slug;
@@ -713,12 +709,11 @@ graph LR;
   pacote-->npm-registry-fetch;
   pacote-->npmcli-git["@npmcli/git"];
   pacote-->npmcli-installed-package-contents["@npmcli/installed-package-contents"];
+  pacote-->npmcli-package-json["@npmcli/package-json"];
   pacote-->npmcli-promise-spawn["@npmcli/promise-spawn"];
   pacote-->npmcli-run-script["@npmcli/run-script"];
   pacote-->proc-log;
   pacote-->promise-retry;
-  pacote-->read-package-json-fast;
-  pacote-->read-package-json;
   pacote-->sigstore;
   pacote-->ssri;
   pacote-->tar;
@@ -733,10 +728,6 @@ graph LR;
   promise-retry-->retry;
   promzard-->read;
   read-->mute-stream;
-  read-package-json-->glob;
-  read-package-json-->json-parse-even-better-errors;
-  read-package-json-->normalize-package-data;
-  read-package-json-->npm-normalize-package-bin;
   read-package-json-fast-->json-parse-even-better-errors;
   read-package-json-fast-->npm-normalize-package-bin;
   semver-->lru-cache;
@@ -811,6 +802,6 @@ packages higher up the chain.
  - @npmcli/run-script, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, init-package-json, npm-profile
  - @npmcli/package-json, npm-registry-fetch
  - @npmcli/git, make-fetch-happen, @npmcli/config
- - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, npm-pick-manifest, read-package-json, promzard
+ - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, npm-pick-manifest, promzard
  - @npmcli/docs, @npmcli/fs, npm-bundled, read-package-json-fast, unique-filename, npm-install-checks, npm-package-arg, normalize-package-data, npm-packlist, bin-links, nopt, parse-conflict-json, @npmcli/mock-globals, read
  - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, npm-normalize-package-bin, @npmcli/name-from-folder, json-parse-even-better-errors, fs-minipass, ssri, unique-slug, @npmcli/promise-spawn, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/node-gyp, @npmcli/redact, @npmcli/agent, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, proggy, minify-registry-metadata, ini, mute-stream, npm-audit-report, npm-user-validate

mock-registry/package.json

@@ -51,7 +51,7 @@
     "json-stringify-safe": "^5.0.1",
     "nock": "^13.3.3",
     "npm-package-arg": "^11.0.2",
-    "pacote": "^18.0.0",
+    "pacote": "^18.0.1",
     "tap": "^16.3.8"
   }
 }

node_modules/.gitignore

@@ -178,7 +178,6 @@
 !/qrcode-terminal
 !/read-cmd-shim
 !/read-package-json-fast
-!/read-package-json
 !/read
 !/retry
 !/safer-buffer

node_modules/@npmcli/package-json/lib/index.js

@@ -167,6 +167,12 @@ class PackageJson {
     return this
   }
 
+  fromContent (data) {
+    this.#manifest = data
+    this.#canSave = false
+    return this
+  }
+
   // Load data from a comment
   // /**package { "name": "foo", "version": "1.2.3", ... } **/
   fromComment (data) {

node_modules/@npmcli/package-json/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/package-json",
-  "version": "5.0.3",
+  "version": "5.1.0",
   "description": "Programmatic API to update package.json",
   "main": "lib/index.js",
   "files": [
@@ -25,7 +25,7 @@
   "license": "ISC",
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.21.3",
+    "@npmcli/template-oss": "4.21.4",
     "read-package-json": "^7.0.0",
     "read-package-json-fast": "^3.0.2",
     "tap": "^16.0.1"
@@ -48,7 +48,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.21.3",
+    "version": "4.21.4",
     "publish": "true"
   },
   "tap": {

node_modules/pacote/lib/dir.js

@@ -87,7 +87,7 @@ class DirFetcher extends Fetcher {
       return Promise.resolve(this.package)
     }
 
-    return this[_readPackageJson](this.resolved + '/package.json')
+    return this[_readPackageJson](this.resolved)
       .then(mani => this.package = {
         ...mani,
         _integrity: this.integrity && String(this.integrity),

node_modules/pacote/lib/fetcher.js

@@ -5,7 +5,6 @@
 
 const npa = require('npm-package-arg')
 const ssri = require('ssri')
-const { promisify } = require('util')
 const { basename, dirname } = require('path')
 const tar = require('tar')
 const { log } = require('proc-log')
@@ -16,12 +15,14 @@ const cacache = require('cacache')
 const isPackageBin = require('./util/is-package-bin.js')
 const removeTrailingSlashes = require('./util/trailing-slashes.js')
 const getContents = require('@npmcli/installed-package-contents')
-const readPackageJsonFast = require('read-package-json-fast')
-const readPackageJson = promisify(require('read-package-json'))
+const PackageJson = require('@npmcli/package-json')
 const { Minipass } = require('minipass')
-
 const cacheDir = require('./util/cache-dir.js')
 
+// Pacote is only concerned with the package.json contents
+const packageJsonPrepare = (p) => PackageJson.prepare(p).then(pkg => pkg.content)
+const packageJsonNormalize = (p) => PackageJson.normalize(p).then(pkg => pkg.content)
+
 // Private methods.
 // Child classes should not have to override these.
 // Users should never call them.
@@ -93,9 +94,9 @@ class FetcherBase {
     this.fullMetadata = this.before ? true : !!opts.fullMetadata
     this.fullReadJson = !!opts.fullReadJson
     if (this.fullReadJson) {
-      this[_readPackageJson] = readPackageJson
+      this[_readPackageJson] = packageJsonPrepare
     } else {
-      this[_readPackageJson] = readPackageJsonFast
+      this[_readPackageJson] = packageJsonNormalize
     }
 
     // rrh is a registry hostname or 'never' or 'always'

node_modules/pacote/lib/file.js

@@ -1,10 +1,11 @@
-const Fetcher = require('./fetcher.js')
 const fsm = require('fs-minipass')
 const cacache = require('cacache')
-const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
-const _exeBins = Symbol('_exeBins')
 const { resolve } = require('path')
-const fs = require('fs')
+const { stat, chmod } = require('fs/promises')
+const Fetcher = require('./fetcher.js')
+
+const _exeBins = Symbol('_exeBins')
+const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const _readPackageJson = Symbol.for('package.Fetcher._readPackageJson')
 
 class FileFetcher extends Fetcher {
@@ -26,7 +27,7 @@ class FileFetcher extends Fetcher {
     // have to unpack the tarball for this.
     return cacache.tmp.withTmp(this.cache, this.opts, dir =>
       this.extract(dir)
-        .then(() => this[_readPackageJson](dir + '/package.json'))
+        .then(() => this[_readPackageJson](dir))
         .then(mani => this.package = {
           ...mani,
           _integrity: this.integrity && String(this.integrity),
@@ -40,31 +41,31 @@ class FileFetcher extends Fetcher {
       return Promise.resolve()
     }
 
-    return Promise.all(Object.keys(pkg.bin).map(k => new Promise(res => {
+    return Promise.all(Object.keys(pkg.bin).map(async k => {
       const script = resolve(dest, pkg.bin[k])
       // Best effort.  Ignore errors here, the only result is that
       // a bin script is not executable.  But if it's missing or
       // something, we just leave it for a later stage to trip over
       // when we can provide a more useful contextual error.
-      fs.stat(script, (er, st) => {
-        if (er) {
-          return res()
-        }
+      try {
+        const st = await stat(script)
         const mode = st.mode | 0o111
         if (mode === st.mode) {
-          return res()
+          return
         }
-        fs.chmod(script, mode, res)
-      })
-    })))
+        await chmod(script, mode)
+      } catch {
+        // Ignore errors here
+      }
+    }))
   }
 
   extract (dest) {
     // if we've already loaded the manifest, then the super got it.
     // but if not, read the unpacked manifest and chmod properly.
     return super.extract(dest)
       .then(result => this.package ? result
-      : this[_readPackageJson](dest + '/package.json').then(pkg =>
+      : this[_readPackageJson](dest).then(pkg =>
         this[_exeBins](pkg, dest)).then(() => result))
   }
 

node_modules/pacote/lib/git.js

@@ -156,11 +156,11 @@ class GitFetcher extends Fetcher {
   [_resolvedFromClone] () {
     // do a full or shallow clone, then look at the HEAD
     // kind of wasteful, but no other option, really
-    return this[_clone](dir => this.resolved)
+    return this[_clone](() => this.resolved)
   }
 
   [_prepareDir] (dir) {
-    return this[_readPackageJson](dir + '/package.json').then(mani => {
+    return this[_readPackageJson](dir).then(mani => {
       // no need if we aren't going to do any preparation.
       const scripts = mani.scripts
       if (!mani.workspaces && (!scripts || !(
@@ -312,7 +312,7 @@ class GitFetcher extends Fetcher {
     return this.spec.hosted && this.resolved
       ? FileFetcher.prototype.manifest.apply(this)
       : this[_clone](dir =>
-        this[_readPackageJson](dir + '/package.json')
+        this[_readPackageJson](dir)
           .then(mani => this.package = {
             ...mani,
             _resolved: this.resolved,

node_modules/pacote/lib/registry.js

@@ -3,7 +3,7 @@ const RemoteFetcher = require('./remote.js')
 const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
 const pacoteVersion = require('../package.json').version
 const removeTrailingSlashes = require('./util/trailing-slashes.js')
-const rpj = require('read-package-json-fast')
+const PackageJson = require('@npmcli/package-json')
 const pickManifest = require('npm-pick-manifest')
 const ssri = require('ssri')
 const crypto = require('crypto')
@@ -127,12 +127,13 @@ class RegistryFetcher extends Fetcher {
     }
 
     const packument = await this.packument()
-    let mani = await pickManifest(packument, this.spec.fetchSpec, {
+    const steps = PackageJson.normalizeSteps.filter(s => s !== '_attributes')
+    const mani = await new PackageJson().fromContent(pickManifest(packument, this.spec.fetchSpec, {
       ...this.opts,
       defaultTag: this.defaultTag,
       before: this.before,
-    })
-    mani = rpj.normalize(mani)
+    })).normalize({ steps }).then(p => p.content)
+
     /* XXX add ETARGET and E403 revalidation of cached packuments here */
 
     // add _time from packument if fetched with fullMetadata

node_modules/pacote/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "18.0.0",
+  "version": "18.0.2",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -46,6 +46,7 @@
   "dependencies": {
     "@npmcli/git": "^5.0.0",
     "@npmcli/installed-package-contents": "^2.0.1",
+    "@npmcli/package-json": "^5.1.0",
     "@npmcli/promise-spawn": "^7.0.0",
     "@npmcli/run-script": "^8.0.0",
     "cacache": "^18.0.0",
@@ -57,8 +58,6 @@
     "npm-registry-fetch": "^16.0.0",
     "proc-log": "^4.0.0",
     "promise-retry": "^2.0.1",
-    "read-package-json": "^7.0.0",
-    "read-package-json-fast": "^3.0.0",
     "sigstore": "^2.2.0",
     "ssri": "^10.0.0",
     "tar": "^6.1.11"