[pull] latest from npm:latest#14
Open
pull[bot] wants to merge 875 commits into
Open
Conversation
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
The pull request #14 has too many files changed.
We can only review pull requests with up to 300 changed files, and this pull request has 587.
owlstronaut
force-pushed
the
latest
branch
2 times, most recently
from
85ec0c9 to
26b6454
Compare
## Add webauth URLs to EOTP error messages When npm returns an EOTP error with `authUrl` and `doneUrl` in the response body (web-based OTP flow), these URLs are now included in the error output. **What:** - Display `authUrl` (for browser authentication) and `doneUrl` (for token retrieval) in non-TTY EOTP error messages - Include both URLs in `--json` output as `error.authUrl` and `error.doneUrl` - Adjusted messaging to differentiate webauth flow from traditional TOTP authenticator flow **Why:** - In non-interactive/CI environments, the webauth URLs were not surfaced, making it impossible to complete authentication - Tools wrapping `npm publish` (like [changesets](changesets/changesets#1773)) need access to these URLs to implement web OTP support - The `doneUrl` is required for polling to retrieve the token after browser authentication completes
They are 64 characters long, not 40
feat: npm trust also implements per-command config
- Fixed spelling of "backronymic" (from "bacronymic"). - Improved sentence structure in the branding FAQ to be more concise. - Corrected "if the project was" to "if the project were" (subjunctive mood). - Removed redundant "in fact" and "to ever have been." --------- Co-authored-by: Chris <chris@csmit195.com>
## What changed Fix the indentation of the final `contact_links` entry in `.github/ISSUE_TEMPLATE/config.yml`. ## Why That entry was indented one space too far, which made the issue template config invalid YAML instead of a valid list item. ## Impact GitHub can parse the issue template config as intended again. ## Validation - Parsed `.github/ISSUE_TEMPLATE/config.yml` successfully with Ruby `YAML.load_file`
run() in libnpmexec wraps the executable name in double quotes before it becomes the npx script string, but double quotes still expand $(), backticks, $var and a closing quote, so a package whose bin key holds shell metacharacters breaks out once the name reaches sh -c. The bin name comes straight from a published package.json. Switch the non-Windows branch to single-quote escaping so the name is taken literally.
`npm pack` writes the tarball to a name built from `manifest.name` with a non-global `.replace(/\//, '-')`, which only strips the single scope slash. When packing a remote tarball, git, or directory spec the name comes from a package.json that the registry never validated, so a name like `x/../../../escaped` keeps its `../` segments and `path.resolve(packDestination, filename)` lands the tarball outside the destination. Make the separator replacement global so the filename is always one path component.
BREAKING CHANGE: allow-git and allow-remote now default to "none"; set them to "all" (or "root") to install git or user-supplied tarball-URL dependencies.
with new --allow-publish/--allow-staged-publish the minimum version of npm needed for the trust command has changed
Pulls the non-behavioral pieces out of #9424 so they can land on v11: the `collectUnreviewedScripts`/`strictAllowScriptsError` helpers, the `inBundle` fixes, and an opt-in libnpmexec preflight. Nothing changes by default here, install scripts still run. The default-deny flip stays in #9424 for v12. ## References #9424
Phase 2 of the RFC #868 install-script policy: flip the default so unreviewed lifecycle scripts are blocked unless covered by allowScripts. Stacked on the behavior-neutral tooling PR; this commit carries ONLY the v12-only default flip: - arborist: gate preinstall/install/postinstall/prepare in rebuild on the allowScripts policy (default-deny) - user-facing "blocked because not covered by allowScripts" wording in rebuild/reify-output/allow-scripts-cmd - config definition docs + approve/deny command docs + snapshots - flip tests
## Summary - Recognize local directory link targets by their incoming link source when matching `allowScripts` policy entries. - Reuse that source identity when `approve-scripts`/`deny-scripts` derive file dependency policy keys. - Add coverage for reviewed local `file:` dependency link targets. Fixes #9488 ## Testing - `node node_modules/tap/bin/run.js --no-coverage workspaces/arborist/test/script-allowed.js workspaces/arborist/test/unreviewed-scripts.js test/lib/utils/allow-scripts-writer.js test/lib/utils/check-allow-scripts.js test/lib/utils/resolve-allow-scripts.js` - `node node_modules/eslint/bin/eslint.js lib/utils/allow-scripts-writer.js test/lib/utils/allow-scripts-writer.js workspaces/arborist/lib/script-allowed.js workspaces/arborist/test/script-allowed.js workspaces/arborist/test/unreviewed-scripts.js` - `git diff --check` - Manual repro: local `file:` dependency with `allowScripts: { "file:../testdep": false }` no longer emits an `allow-scripts` warning; `npm approve-scripts --all` writes `file:../testdep`. --------- Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
npm run passes script-shell to @npmcli/run-script, but the three runScript() calls in publish.js for prepublishOnly, publish, and postpublish never did. On Windows, where users set script-shell to bash in .npmrc, those lifecycle hooks still ran under cmd.exe while explicit npm run calls used the configured shell. Reads script-shell from config in #publish() and passes it to all three calls, matching the existing pattern in run.js. Adds script-shell to static params so it appears in npm help publish. Fixes #9477
…d strategy (#9495) In continuation of our exploration of using `install-strategy=linked` in the [Gutenberg monorepo](WordPress/gutenberg#75814), which powers the WordPress Block Editor. Under `install-strategy=linked`, a fresh install fails with `EALLOWREMOTE` on ordinary registry dependencies whose lockfile `resolved` is a full registry tarball URL, even though `allow-remote=none` is meant to permit registry-mediated tarballs. The standard (hoisted) reifier installs the same dependency fine; only the linked strategy rejects it. ``` npm error code EALLOWREMOTE npm error Fetching packages of type "remote" have been disabled npm error Refusing to fetch "minimatch@https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz" ``` ## Why Both strategies extract through the same `pacote.extract` in `reify.js`, which exempts registry tarballs from the allow-remote gate via `#isRegistryResolvedTarball`. That check first requires `node.isRegistryDependency`. In the linked strategy, store nodes are `IsolatedNode` instances — a standalone class that emulates `lib/node.js` but has no `isRegistryDependency` getter and no edges to recompute it from. So `node.isRegistryDependency` was `undefined`, the exemption short-circuited to `false`, the `allowRemote: 'all'` override was never applied, and pacote rejected the same-origin registry tarball. This is the second half of the allow-remote registry-tarball handling: the URL-matching half was hardened previously (origin + registry-path-prefix); this fixes the `isRegistryDependency` half for the linked path. The origin/path security check still runs unchanged on the linked path — a tampered lockfile pointing at a foreign host is still blocked. ## How Carry the registry-dependency flag from the source tree node onto the store node, rather than weakening the guard: 1. `IsolatedNode` gains an `isRegistryDependency` field (default `false`), settable from constructor options. 2. `#externalProxy` copies `node.isRegistryDependency` from the real tree node onto the proxy. 3. `#generateChild` passes it through to the store `IsolatedNode`. This preserves exact parity with the hoisted reifier: registry deps are exempt, user-pinned off-registry URLs are not. It also makes the linked strategy's `isScriptAllowed` matching more accurate — store nodes now carry the trustworthy edge-based flag instead of falling back to guessing registry-ness from the resolved URL. ## References Fixes #9494
#9401) For now, `npm outdated`'s document shows `wanted` field for global `npm outdated` is always the same as `current` field, but the runtime behavior shows `npm outdated` prints `wanted` as latest version. Considering `npm update`'s behavior, it should be a document issue. This PR fixes it by saying `the latest version` instead of `currently-installed version`. ## References Close #3612
## Summary - state explicitly that override values accept standard npm dependency specifiers - add a semver range example for override values - keep the change scoped to the existing `package.json#overrides` docs Closes #9475. ## Validation - `git diff --check`
#9510) In continuation of our exploration of using `install-strategy=linked` in the [Gutenberg monorepo](WordPress/gutenberg#75814), which powers the WordPress Block Editor. Under `install-strategy=linked` with `allow-remote=root`, a fresh install fails with `EALLOWREMOTE` on a genuine remote (non-registry) tarball that is a direct dependency of the project root or a workspace. The standard (hoisted) reifier installs the same dependency fine under `allow-remote=root`; only the linked strategy rejects it. ``` npm error code EALLOWREMOTE npm error Fetching non-root packages of type "remote" have been disabled npm error Refusing to fetch "@react-native-community/slider@https://raw.githubusercontent.com/wordpress-mobile/react-native-slider/v3.0.2-wp-5/react-native-community-slider-3.0.2-wp-5.tgz" ``` ## Why The `allow-remote=root` gate is enforced at reify time by computing `_isRoot` and passing it to `pacote.extract` in `reify.js`. A node counts as "root" if it satisfies at least one valid dependency edge from the project root or a workspace, which is derived from `node.edgesIn`. In the linked strategy, store nodes are `IsolatedNode` instances with no `edgesIn` to recompute root-ness from, so `_isRoot` was always `false`, every remote tarball was treated as non-root, and pacote refused even a legitimate root/workspace direct dependency. This is the sibling of the registry-tarball fix (#9495). That change carried `isRegistryDependency` onto store nodes so the registry-tarball exemption still applied; this change carries the analogous root-ness signal so the `allow-remote=root` gate resolves correctly for genuine remote tarballs, which are not registry-mediated and so do not qualify for the registry exemption. This only widens `allow-remote=root`. `allow-remote=none` still rejects all remote specs (pacote refuses regardless of `_isRoot`), and a genuinely transitive remote dependency still fails the resolution-layer `#checkAllow` gate during ideal-tree construction. Hoisted is unaffected because its nodes retain real `edgesIn`. ## How Carry a root-ness flag from the source tree node onto the store node, rather than weakening the guard: 1. `IsolatedNode` gains an `isRootDependency` field (default `false`), settable from constructor options. 2. `#externalProxy` computes `isRootDependency` from the real tree node's `edgesIn` using the same predicate the reifier applies (a valid edge from the project root or a workspace). 3. `#generateChild` passes it through to the store `IsolatedNode`. 4. The `_isRoot` computation in `reify.js` falls back to `node.isRootDependency`. Hoisted nodes do not have the property, so they fall through to the existing edge-based check unchanged. ## References Fixes #9509 Follows-up #9495
The lockfile pruning added in 11.15.0 dropped every extraneous node outside node_modules to remove stale workspace entries. This also removed legitimate nested entries for a file: dependency that itself has a file: dependency (e.g. lib/b/lib/a), leaving the lockfile incomplete so `npm ci` failed with "Missing: a@1.0.0 from lock file". Only prune extraneous nodes that are direct fsChildren of the root or detached link targets (removed workspaces, removed root-level file: deps, orphaned link targets). Extraneous fsChildren nested under another package are kept so `npm ci` can resolve the parent's dependency. Fixes: #9433 Fixes: #9486 Supersedes: #9524
Updates the `user-agent` to specify github-actions runner. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Casey Holzer <casey.h@leantaas.com>
The `npm ci` smoke snapshot still had the old strict-allow-scripts
description ("silent skip"), but commit 9b5c7b0 changed it to
"warning into a hard" without regenerating the snapshot. This drift is
present on latest and unrelated to min-release-age-exclude; regenerating
unblocks CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )