
github.com/npm/cli.git - Unnamed repository; edit this file 'description' to name the repository.
authorGar <gar+gh@danger.computer>2021-04-22 22:15:36 +0300
committerGar <gar+gh@danger.computer>2021-04-22 22:15:36 +0300
commit7f82ef5a84d70e28983ed43ba1d8aced0fb4ba45 (patch)
treec9b0be9e9c2160b609d26e6f1949f208ce9025f9
parent42e0587a9ea6940a5d5be5903370ad1113feef21 (diff)
pacote@11.3.2
-rw-r--r--node_modules/pacote/lib/fetcher.js55
-rw-r--r--node_modules/pacote/lib/remote.js7
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/CHANGELOG.md384
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/LICENSE.md16
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/README.md635
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/auth.js94
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/check-response.js139
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/default-opts.js20
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/errors.js79
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/index.js221
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/package.json62
-rw-r--r--node_modules/pacote/node_modules/npm-registry-fetch/silentlog.js14
-rw-r--r--node_modules/pacote/package.json11
-rw-r--r--package-lock.json52
-rw-r--r--package.json2
15 files changed, 1759 insertions, 32 deletions
diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js
index c9a3201f0..d488e88ff 100644
--- a/node_modules/pacote/lib/fetcher.js
+++ b/node_modules/pacote/lib/fetcher.js
@@ -40,6 +40,7 @@ const _istream = Symbol('_istream')
const _assertType = Symbol('_assertType')
const _tarballFromCache = Symbol('_tarballFromCache')
const _tarballFromResolved = Symbol.for('pacote.Fetcher._tarballFromResolved')
+const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
class FetcherBase {
constructor (spec, opts) {
@@ -166,25 +167,19 @@ class FetcherBase {
}
// private, should be overridden.
- // Note that they should *not* calculate or check integrity, but *just*
- // return the raw tarball data stream.
+ // Note that they should *not* calculate or check integrity or cache,
+ // but *just* return the raw tarball data stream.
[_tarballFromResolved] () {
throw this.notImplementedError
}
// public, should not be overridden
tarball () {
- return this.tarballStream(stream => new Promise((res, rej) => {
- const buf = []
- stream.on('error', er => rej(er))
- stream.on('end', () => {
- const data = Buffer.concat(buf)
- data.integrity = this.integrity && String(this.integrity)
- data.resolved = this.resolved
- data.from = this.from
- return res(data)
- })
- stream.on('data', d => buf.push(d))
+ return this.tarballStream(stream => stream.concat().then(data => {
+ data.integrity = this.integrity && String(this.integrity)
+ data.resolved = this.resolved
+ data.from = this.from
+ return data
}))
}
@@ -194,6 +189,10 @@ class FetcherBase {
return cacache.get.stream.byDigest(this.cache, this.integrity, this.opts)
}
+ get [_cacheFetches] () {
+ return true
+ }
+
[_istream] (stream) {
// everyone will need one of these, either for verifying or calculating
// We always set it, because we have might only have a weak legacy hex
@@ -203,7 +202,31 @@ class FetcherBase {
// gets to the point of re-setting the integrity.
const istream = ssri.integrityStream(this.opts)
istream.on('integrity', i => this.integrity = i)
- return stream.on('error', er => istream.emit('error', er)).pipe(istream)
+ stream.on('error', er => istream.emit('error', er))
+
+ // if not caching this, just pipe through to the istream and return it
+ if (!this.opts.cache || !this[_cacheFetches])
+ return stream.pipe(istream)
+
+ // we have to return a stream that gets ALL the data, and proxies errors,
+ // but then pipe from the original tarball stream into the cache as well.
+ // To do this without losing any data, and since the cacache put stream
+ // is not a passthrough, we have to pipe from the original stream into
+ // the cache AFTER we pipe into the istream. Since the cache stream
+ // has an asynchronous flush to write its contents to disk, we need to
+ // defer the istream end until the cache stream ends.
+ stream.pipe(istream, { end: false })
+ const cstream = cacache.put.stream(
+ this.opts.cache,
+ `pacote:tarball:${this.from}`,
+ this.opts
+ )
+ stream.pipe(cstream)
+ // defer istream end until after cstream
+ // cache write errors should not crash the fetch, this is best-effort.
+ cstream.promise().catch(() => {}).then(() => istream.end())
+
+ return istream
}
pickIntegrityAlgorithm () {
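Review bot: In the caching branch of `[_istream]`, the tarball is piped into `cacache.put.stream` alongside the integrity stream, so the write to the cache is not gated on the result istream reports. Whether a tarball that fails verification is kept out of the cache depends on `cacache.put.stream` checking the integrity carried in `this.opts`, which this hunk does not show. I would state that assumption next to the call, e.g. `// relies on cacache.put.stream rejecting on an opts.integrity mismatch (confirm); istream reports the same failure to the caller`. The `.catch(() => {})` on `cstream.promise()` also discards every cache write error, so a full disk, a permissions problem or an integrity rejection all look like success; recording the error through the fetcher's existing logger before calling `istream.end()` would keep the fetch best-effort while leaving a trace. `[_istream]` starts above this hunk.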
@@ -232,7 +255,9 @@ class FetcherBase {
// An ENOENT trying to read a tgz file, for example, is Right Out.
isRetriableError (er) {
// TODO: check error class, once those are rolled out to our deps
- return this.isDataCorruptionError(er) || er.code === 'ENOENT'
+ return this.isDataCorruptionError(er) ||
+ er.code === 'ENOENT' ||
+ er.code === 'EISDIR'
}
// Mostly internal, but has some uses
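Review bot: The new `er.code === 'EISDIR'` case in `isRetriableError` carries no comment on which situation produces it, and the comment visible above the method only mentions ENOENT. A one-line comment such as `// EISDIR: a path expected to be a file is a directory (presumably a damaged cache entry; confirm)` would tell the next reader why a retry is appropriate here. The comment block above the method starts outside the hunk.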
diff --git a/node_modules/pacote/lib/remote.js b/node_modules/pacote/lib/remote.js
index 91f6eb59d..727a8bfc8 100644
--- a/node_modules/pacote/lib/remote.js
+++ b/node_modules/pacote/lib/remote.js
@@ -8,6 +8,7 @@ const Minipass = require('minipass')
// The default registry URL is a string of great magic.
const magic = /^https?:\/\/registry\.npmjs\.org\//
+const _cacheFetches = Symbol.for('pacote.Fetcher._cacheFetches')
const _headers = Symbol('_headers')
class RemoteFetcher extends Fetcher {
constructor (spec, opts) {
@@ -21,6 +22,12 @@ class RemoteFetcher extends Fetcher {
this.pkgid = opts.pkgid ? opts.pkgid : `remote:${nameat}${this.resolved}`
}
+ // Don't need to cache tarball fetches in pacote, because make-fetch-happen
+ // will write into cacache anyway.
+ get [_cacheFetches] () {
+ return false
+ }
+
[_tarballFromResolved] () {
const stream = new Minipass()
const fetchOpts = {
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/CHANGELOG.md b/node_modules/pacote/node_modules/npm-registry-fetch/CHANGELOG.md
new file mode 100644
index 000000000..fc26ee1bd
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/CHANGELOG.md
@@ -0,0 +1,384 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+### [8.1.5](https://github.com/npm/registry-fetch/compare/v8.1.4...v8.1.5) (2020-10-12)
+
+
+### Bug Fixes
+
+* respect publishConfig.registry when specified ([32e36ef](https://github.com/npm/registry-fetch/commit/32e36efe86302ed319973cd5b1e6ccc3f62e557e)), closes [#35](https://github.com/npm/registry-fetch/issues/35)
+
+### [8.1.4](https://github.com/npm/registry-fetch/compare/v8.1.3...v8.1.4) (2020-08-17)
+
+
+### Bug Fixes
+
+* redact passwords from http logs ([3c294eb](https://github.com/npm/registry-fetch/commit/3c294ebbd7821725db4ff1bc5fe368c49613efcc))
+
+### [8.1.3](https://github.com/npm/registry-fetch/compare/v8.1.2...v8.1.3) (2020-07-21)
+
+### [8.1.2](https://github.com/npm/registry-fetch/compare/v8.1.1...v8.1.2) (2020-07-11)
+
+### [8.1.1](https://github.com/npm/registry-fetch/compare/v8.1.0...v8.1.1) (2020-06-30)
+
+## [8.1.0](https://github.com/npm/registry-fetch/compare/v8.0.3...v8.1.0) (2020-05-20)
+
+
+### Features
+
+* add npm-command HTTP header ([1bb4eb2](https://github.com/npm/registry-fetch/commit/1bb4eb2c66ee8a0dc62558bdcff1b548e2bb9820))
+
+### [8.0.3](https://github.com/npm/registry-fetch/compare/v8.0.2...v8.0.3) (2020-05-13)
+
+
+### Bug Fixes
+
+* update minipass and make-fetch-happen to latest ([3b6c5d0](https://github.com/npm/registry-fetch/commit/3b6c5d0d8ccd4c4a97862a65acef956f19aec127)), closes [#23](https://github.com/npm/registry-fetch/issues/23)
+
+### [8.0.2](https://github.com/npm/registry-fetch/compare/v8.0.1...v8.0.2) (2020-05-04)
+
+
+### Bug Fixes
+
+* update make-fetch-happen to 8.0.6 ([226df2c](https://github.com/npm/registry-fetch/commit/226df2c32e3f9ed8ceefcfdbd11efb178181b442))
+
+## [8.0.0](https://github.com/npm/registry-fetch/compare/v7.0.1...v8.0.0) (2020-02-24)
+
+
+### ⚠ BREAKING CHANGES
+
+* Removes the 'opts.refer' option and the HTTP Referer
+header (unless explicitly added to the 'headers' option, of course).
+
+PR-URL: https://github.com/npm/npm-registry-fetch/pull/25
+Credit: @isaacs
+
+### Bug Fixes
+
+* remove referer header and opts.refer ([eb8f7af](https://github.com/npm/registry-fetch/commit/eb8f7af3c102834856604c1be664b00ca0fe8ef2)), closes [#25](https://github.com/npm/registry-fetch/issues/25)
+
+### [7.0.1](https://github.com/npm/registry-fetch/compare/v7.0.0...v7.0.1) (2020-02-24)
+
+## [7.0.0](https://github.com/npm/registry-fetch/compare/v6.0.2...v7.0.0) (2020-02-18)
+
+
+### ⚠ BREAKING CHANGES
+
+* figgy pudding is now nowhere to be found.
+* this removes figgy-pudding, and drops several option
+aliases.
+
+Defaults and behavior are all the same, and this module is now using the
+canonical camelCase option names that npm v7 will provide to all its
+deps.
+
+Related to: https://github.com/npm/rfcs/pull/102
+
+PR-URL: https://github.com/npm/npm-registry-fetch/pull/22
+Credit: @isaacs
+
+### Bug Fixes
+
+* Remove figgy-pudding, use canonical option names ([ede3c08](https://github.com/npm/registry-fetch/commit/ede3c087007fd1808e02b1af70562220d03b18a9)), closes [#22](https://github.com/npm/registry-fetch/issues/22)
+
+
+* update cacache, ssri, make-fetch-happen ([57fcc88](https://github.com/npm/registry-fetch/commit/57fcc889bee03edcc0a2025d96a171039108c231))
+
+### [6.0.2](https://github.com/npm/registry-fetch/compare/v6.0.1...v6.0.2) (2020-02-14)
+
+
+### Bug Fixes
+
+* always bypass cache when ?write=true ([83f89f3](https://github.com/npm/registry-fetch/commit/83f89f35abd2ed0507c869e37f90ed746375772c))
+
+### [6.0.1](https://github.com/npm/registry-fetch/compare/v6.0.0...v6.0.1) (2020-02-14)
+
+
+### Bug Fixes
+
+* use 30s default for timeout as per README ([50e8afc](https://github.com/npm/registry-fetch/commit/50e8afc6ff850542feb588f9f9c64ebae59e72a0)), closes [#20](https://github.com/npm/registry-fetch/issues/20)
+
+## [6.0.0](https://github.com/npm/registry-fetch/compare/v5.0.1...v6.0.0) (2019-12-17)
+
+
+### ⚠ BREAKING CHANGES
+
+* This drops support for node < 10.
+
+There are some lint failures due to standard pushing for using WhatWG URL
+objects instead of url.parse/url.resolve. However, the code in this lib
+does some fancy things with the query/search portions of the parsed url
+object, so it'll take a bit of care to make it work properly.
+
+### Bug Fixes
+
+* detect CI so our tests don't fail in CI ([5813da6](https://github.com/npm/registry-fetch/commit/5813da634cef73b12e40373972d7937e6934fce0))
+* Use WhatWG URLs instead of url.parse ([8ccfa8a](https://github.com/npm/registry-fetch/commit/8ccfa8a72c38cfedb0f525b7f453644fd4444f99))
+
+
+* normalize settings, drop old nodes, update deps ([510b125](https://github.com/npm/registry-fetch/commit/510b1255cc7ed4bb397a34e0007757dae33e2275))
+
+<a name="5.0.1"></a>
+## [5.0.1](https://github.com/npm/registry-fetch/compare/v5.0.0...v5.0.1) (2019-11-11)
+
+
+
+<a name="5.0.0"></a>
+# [5.0.0](https://github.com/npm/registry-fetch/compare/v4.0.2...v5.0.0) (2019-10-04)
+
+
+### Bug Fixes
+
+* prefer const in getAuth function ([90ac7b1](https://github.com/npm/registry-fetch/commit/90ac7b1))
+* use minizlib instead of core zlib ([e64702e](https://github.com/npm/registry-fetch/commit/e64702e))
+
+
+### Features
+
+* refactor to use Minipass streams ([bb37f20](https://github.com/npm/registry-fetch/commit/bb37f20))
+
+
+### BREAKING CHANGES
+
+* this replaces all core streams (except for some
+PassThrough streams in a few tests) with Minipass streams, and updates
+all deps to the latest and greatest Minipass versions of things.
+
+
+
+<a name="4.0.2"></a>
+## [4.0.2](https://github.com/npm/registry-fetch/compare/v4.0.0...v4.0.2) (2019-10-04)
+
+
+### Bug Fixes
+
+* Add null check on body on 401 errors ([e3a0186](https://github.com/npm/registry-fetch/commit/e3a0186)), closes [#9](https://github.com/npm/registry-fetch/issues/9)
+* **deps:** Add explicit dependency on safe-buffer ([8eae5f0](https://github.com/npm/registry-fetch/commit/8eae5f0)), closes [npm/libnpmaccess#2](https://github.com/npm/libnpmaccess/issues/2) [#3](https://github.com/npm/registry-fetch/issues/3)
+
+
+
+<a name="4.0.0"></a>
+# [4.0.0](https://github.com/npm/registry-fetch/compare/v3.9.1...v4.0.0) (2019-07-15)
+
+
+* cacache@12.0.0, infer uid from cache folder ([0c4f060](https://github.com/npm/registry-fetch/commit/0c4f060))
+
+
+### BREAKING CHANGES
+
+* uid and gid are inferred from cache folder, rather than
+being passed in as options.
+
+
+
+<a name="3.9.1"></a>
+## [3.9.1](https://github.com/npm/registry-fetch/compare/v3.9.0...v3.9.1) (2019-07-02)
+
+
+
+<a name="3.9.0"></a>
+# [3.9.0](https://github.com/npm/registry-fetch/compare/v3.8.0...v3.9.0) (2019-01-24)
+
+
+### Features
+
+* **auth:** support username:password encoded legacy _auth ([a91f90c](https://github.com/npm/registry-fetch/commit/a91f90c))
+
+
+
+<a name="3.8.0"></a>
+# [3.8.0](https://github.com/npm/registry-fetch/compare/v3.7.0...v3.8.0) (2018-08-23)
+
+
+### Features
+
+* **mapJson:** add support for passing in json stream mapper ([0600986](https://github.com/npm/registry-fetch/commit/0600986))
+
+
+
+<a name="3.7.0"></a>
+# [3.7.0](https://github.com/npm/registry-fetch/compare/v3.6.0...v3.7.0) (2018-08-23)
+
+
+### Features
+
+* **json.stream:** add utility function for streamed JSON parsing ([051d969](https://github.com/npm/registry-fetch/commit/051d969))
+
+
+
+<a name="3.6.0"></a>
+# [3.6.0](https://github.com/npm/registry-fetch/compare/v3.5.0...v3.6.0) (2018-08-22)
+
+
+### Bug Fixes
+
+* **docs:** document opts.forceAuth ([40bcd65](https://github.com/npm/registry-fetch/commit/40bcd65))
+
+
+### Features
+
+* **opts.ignoreBody:** add a boolean to throw away response bodies ([6923702](https://github.com/npm/registry-fetch/commit/6923702))
+
+
+
+<a name="3.5.0"></a>
+# [3.5.0](https://github.com/npm/registry-fetch/compare/v3.4.0...v3.5.0) (2018-08-22)
+
+
+### Features
+
+* **pkgid:** heuristic pkgid calculation for errors ([2e789a5](https://github.com/npm/registry-fetch/commit/2e789a5))
+
+
+
+<a name="3.4.0"></a>
+# [3.4.0](https://github.com/npm/registry-fetch/compare/v3.3.0...v3.4.0) (2018-08-22)
+
+
+### Bug Fixes
+
+* **deps:** use new figgy-pudding with aliases fix ([0308f54](https://github.com/npm/registry-fetch/commit/0308f54))
+
+
+### Features
+
+* **auth:** add forceAuth option to force a specific auth mechanism ([4524d17](https://github.com/npm/registry-fetch/commit/4524d17))
+
+
+
+<a name="3.3.0"></a>
+# [3.3.0](https://github.com/npm/registry-fetch/compare/v3.2.1...v3.3.0) (2018-08-21)
+
+
+### Bug Fixes
+
+* **query:** stop including undefined keys ([4718b1b](https://github.com/npm/registry-fetch/commit/4718b1b))
+
+
+### Features
+
+* **otp:** use heuristic detection for malformed EOTP responses ([f035194](https://github.com/npm/registry-fetch/commit/f035194))
+
+
+
+<a name="3.2.1"></a>
+## [3.2.1](https://github.com/npm/registry-fetch/compare/v3.2.0...v3.2.1) (2018-08-16)
+
+
+### Bug Fixes
+
+* **opts:** pass through non-null opts.retry ([beba040](https://github.com/npm/registry-fetch/commit/beba040))
+
+
+
+<a name="3.2.0"></a>
+# [3.2.0](https://github.com/npm/registry-fetch/compare/v3.1.1...v3.2.0) (2018-07-27)
+
+
+### Features
+
+* **gzip:** add opts.gzip convenience opt ([340abe0](https://github.com/npm/registry-fetch/commit/340abe0))
+
+
+
+<a name="3.1.1"></a>
+## [3.1.1](https://github.com/npm/registry-fetch/compare/v3.1.0...v3.1.1) (2018-04-09)
+
+
+
+<a name="3.1.0"></a>
+# [3.1.0](https://github.com/npm/registry-fetch/compare/v3.0.0...v3.1.0) (2018-04-09)
+
+
+### Features
+
+* **config:** support no-proxy and https-proxy options ([9aa906b](https://github.com/npm/registry-fetch/commit/9aa906b))
+
+
+
+<a name="3.0.0"></a>
+# [3.0.0](https://github.com/npm/registry-fetch/compare/v2.1.0...v3.0.0) (2018-04-09)
+
+
+### Bug Fixes
+
+* **api:** pacote integration-related fixes ([a29de4f](https://github.com/npm/registry-fetch/commit/a29de4f))
+* **config:** stop caring about opts.config ([5856a6f](https://github.com/npm/registry-fetch/commit/5856a6f))
+
+
+### BREAKING CHANGES
+
+* **config:** opts.config is no longer supported. Pass the options down in opts itself.
+
+
+
+<a name="2.1.0"></a>
+# [2.1.0](https://github.com/npm/registry-fetch/compare/v2.0.0...v2.1.0) (2018-04-08)
+
+
+### Features
+
+* **token:** accept opts.token for opts._authToken ([108c9f0](https://github.com/npm/registry-fetch/commit/108c9f0))
+
+
+
+<a name="2.0.0"></a>
+# [2.0.0](https://github.com/npm/registry-fetch/compare/v1.1.1...v2.0.0) (2018-04-08)
+
+
+### meta
+
+* drop support for node@4 ([758536e](https://github.com/npm/registry-fetch/commit/758536e))
+
+
+### BREAKING CHANGES
+
+* node@4 is no longer supported
+
+
+
+<a name="1.1.1"></a>
+## [1.1.1](https://github.com/npm/registry-fetch/compare/v1.1.0...v1.1.1) (2018-04-06)
+
+
+
+<a name="1.1.0"></a>
+# [1.1.0](https://github.com/npm/registry-fetch/compare/v1.0.1...v1.1.0) (2018-03-16)
+
+
+### Features
+
+* **specs:** can use opts.spec to trigger pickManifest ([85c4ac9](https://github.com/npm/registry-fetch/commit/85c4ac9))
+
+
+
+<a name="1.0.1"></a>
+## [1.0.1](https://github.com/npm/registry-fetch/compare/v1.0.0...v1.0.1) (2018-03-16)
+
+
+### Bug Fixes
+
+* **query:** oops console.log ([870e4f5](https://github.com/npm/registry-fetch/commit/870e4f5))
+
+
+
+<a name="1.0.0"></a>
+# 1.0.0 (2018-03-16)
+
+
+### Bug Fixes
+
+* **auth:** get auth working with all the little details ([84b94ba](https://github.com/npm/registry-fetch/commit/84b94ba))
+* **deps:** add bluebird as an actual dep ([1286e31](https://github.com/npm/registry-fetch/commit/1286e31))
+* **errors:** Unknown auth errors use default code ([#1](https://github.com/npm/registry-fetch/issues/1)) ([3d91b93](https://github.com/npm/registry-fetch/commit/3d91b93))
+* **standard:** remove args from invocation ([9620a0a](https://github.com/npm/registry-fetch/commit/9620a0a))
+
+
+### Features
+
+* **api:** baseline kinda-working API impl ([bf91f9f](https://github.com/npm/registry-fetch/commit/bf91f9f))
+* **body:** automatic handling of different opts.body values ([f3b97db](https://github.com/npm/registry-fetch/commit/f3b97db))
+* **config:** nicer input config input handling ([b9ce21d](https://github.com/npm/registry-fetch/commit/b9ce21d))
+* **opts:** use figgy-pudding for opts handling ([0abd527](https://github.com/npm/registry-fetch/commit/0abd527))
+* **query:** add query utility support ([65ea8b1](https://github.com/npm/registry-fetch/commit/65ea8b1))
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/LICENSE.md b/node_modules/pacote/node_modules/npm-registry-fetch/LICENSE.md
new file mode 100644
index 000000000..8d28acf86
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/LICENSE.md
@@ -0,0 +1,16 @@
+ISC License
+
+Copyright (c) npm, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/README.md b/node_modules/pacote/node_modules/npm-registry-fetch/README.md
new file mode 100644
index 000000000..5ce9770c6
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/README.md
@@ -0,0 +1,635 @@
+# npm-registry-fetch
+
+[`npm-registry-fetch`](https://github.com/npm/npm-registry-fetch) is a Node.js
+library that implements a `fetch`-like API for accessing npm registry APIs
+consistently. It's able to consume npm-style configuration values and has all
+the necessary logic for picking registries, handling scopes, and dealing with
+authentication details built-in.
+
+This package is meant to replace the older
+[`npm-registry-client`](https://npm.im/npm-registry-client).
+
+## Example
+
+```javascript
+const npmFetch = require('npm-registry-fetch')
+
+console.log(
+ await npmFetch.json('/-/ping')
+)
+```
+
+## Table of Contents
+
+* [Installing](#install)
+* [Example](#example)
+* [Contributing](#contributing)
+* [API](#api)
+ * [`fetch`](#fetch)
+ * [`fetch.json`](#fetch-json)
+ * [`fetch` options](#fetch-opts)
+
+### Install
+
+`$ npm install npm-registry-fetch`
+
+### Contributing
+
+The npm team enthusiastically welcomes contributions and project participation!
+There's a bunch of things you can do if you want to contribute! The [Contributor
+Guide](CONTRIBUTING.md) has all the information you need for everything from
+reporting bugs to contributing entire new features. Please don't hesitate to
+jump in if you'd like to, or even ask us questions if something isn't clear.
+
+All participants and maintainers in this project are expected to follow [Code of
+Conduct](CODE_OF_CONDUCT.md), and just generally be excellent to each other.
+
+Please refer to the [Changelog](CHANGELOG.md) for project history details, too.
+
+Happy hacking!
+
+### API
+
+#### Caching and `write=true` query strings
+
+Before performing any PUT or DELETE operation, npm clients first make a
+GET request to the registry resource being updated, which includes
+the query string `?write=true`.
+
+The semantics of this are, effectively, "I intend to write to this thing,
+and need to know the latest current value, so that my write can land
+cleanly".
+
+The public npm registry handles these `?write=true` requests by ensuring
+that the cache is re-validated before sending a response. In order to
+maintain the same behavior on the client, and not get tripped up by an
+overeager local cache when we intend to write data to the registry, any
+request that comes through `npm-registry-fetch` that contains `write=true`
+in the query string will forcibly set the `prefer-online` option to `true`,
+and set both `prefer-offline` and `offline` to false, so that any local
+cached value will be revalidated.
+
+#### <a name="fetch"></a> `> fetch(url, [opts]) -> Promise<Response>`
+
+Performs a request to a given URL.
+
+The URL can be either a full URL, or a path to one. The appropriate registry
+will be automatically picked if only a URL path is given.
+
+For available options, please see the section on [`fetch` options](#fetch-opts).
+
+##### Example
+
+```javascript
+const res = await fetch('/-/ping')
+console.log(res.headers)
+res.on('data', d => console.log(d.toString('utf8')))
+```
+
+#### <a name="fetch-json"></a> `> fetch.json(url, [opts]) -> Promise<ResponseJSON>`
+
+Performs a request to a given registry URL, parses the body of the response as
+JSON, and returns it as its final value. This is a utility shorthand for
+`fetch(url).then(res => res.json())`.
+
+For available options, please see the section on [`fetch` options](#fetch-opts).
+
+##### Example
+
+```javascript
+const res = await fetch.json('/-/ping')
+console.log(res) // Body parsed as JSON
+```
+
+#### <a name="fetch-json-stream"></a> `> fetch.json.stream(url, jsonPath, [opts]) -> Stream`
+
+Performs a request to a given registry URL and parses the body of the response
+as JSON, with each entry being emitted through the stream.
+
+The `jsonPath` argument is a [`JSONStream.parse()`
+path](https://github.com/dominictarr/JSONStream#jsonstreamparsepath), and the
+returned stream (unlike default `JSONStream`s), has a valid
+`Symbol.asyncIterator` implementation.
+
+For available options, please see the section on [`fetch` options](#fetch-opts).
+
+##### Example
+
+```javascript
+console.log('https://npm.im/~zkat has access to the following packages:')
+for await (let {key, value} of fetch.json.stream('/-/user/zkat/package', '$*')) {
+ console.log(`https://npm.im/${key} (perms: ${value})`)
+}
+```
+
+#### <a name="fetch-opts"></a> `fetch` Options
+
+Fetch options are optional, and can be passed in as either a Map-like object
+(one with a `.get()` method), a plain javascript object, or a
+[`figgy-pudding`](https://npm.im/figgy-pudding) instance.
+
+##### <a name="opts-agent"></a> `opts.agent`
+
+* Type: http.Agent
+* Default: an appropriate agent based on URL protocol and proxy settings
+
+An [`Agent`](https://nodejs.org/api/http.html#http_class_http_agent) instance to
+be shared across requests. This allows multiple concurrent `fetch` requests to
+happen on the same socket.
+
+You do _not_ need to provide this option unless you want something particularly
+specialized, since proxy configurations and http/https agents are already
+automatically managed internally when this option is not passed through.
+
+##### <a name="opts-body"></a> `opts.body`
+
+* Type: Buffer | Stream | Object
+* Default: null
+
+Request body to send through the outgoing request. Buffers and Streams will be
+passed through as-is, with a default `content-type` of
+`application/octet-stream`. Plain JavaScript objects will be `JSON.stringify`ed
+and the `content-type` will default to `application/json`.
+
+Use [`opts.headers`](#opts-headers) to set the content-type to something else.
+
+##### <a name="opts-ca"></a> `opts.ca`
+
+* Type: String, Array, or null
+* Default: null
+
+The Certificate Authority signing certificate that is trusted for SSL
+connections to the registry. Values should be in PEM format (Windows calls it
+"Base-64 encoded X.509 (.CER)") with newlines replaced by the string `'\n'`. For
+example:
+
+```
+{
+ ca: '-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----'
+}
+```
+
+Set to `null` to only allow "known" registrars, or to a specific CA cert
+to trust only that specific signing authority.
+
+Multiple CAs can be trusted by specifying an array of certificates instead of a
+single string.
+
+See also [`opts.strictSSL`](#opts-strictSSL), [`opts.ca`](#opts-ca) and
+[`opts.key`](#opts-key)
+
+##### <a name="opts-cache"></a> `opts.cache`
+
+* Type: path
+* Default: null
+
+The location of the http cache directory. If provided, certain cachable requests
+will be cached according to [IETF RFC 7234](https://tools.ietf.org/html/rfc7234)
+rules. This will speed up future requests, as well as make the cached data
+available offline if necessary/requested.
+
+See also [`offline`](#opts-offline), [`preferOffline`](#opts-preferOffline),
+and [`preferOnline`](#opts-preferOnline).
+
+##### <a name="opts-cert"></a> `opts.cert`
+
+* Type: String
+* Default: null
+
+A client certificate to pass when accessing the registry. Values should be in
+PEM format (Windows calls it "Base-64 encoded X.509 (.CER)") with newlines
+replaced by the string `'\n'`. For example:
+
+```
+{
+ cert: '-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----'
+}
+```
+
+It is _not_ the path to a certificate file (and there is no "certfile" option).
+
+See also: [`opts.ca`](#opts-ca) and [`opts.key`](#opts-key)
+
+##### <a name="opts-fetchRetries"></a> `opts.fetchRetries`
+
+* Type: Number
+* Default: 2
+
+The "retries" config for [`retry`](https://npm.im/retry) to use when fetching
+packages from the registry.
+
+See also [`opts.retry`](#opts-retry) to provide all retry options as a single
+object.
+
+##### <a name="opts-fetchRetryFactor"></a> `opts.fetchRetryFactor`
+
+* Type: Number
+* Default: 10
+
+The "factor" config for [`retry`](https://npm.im/retry) to use when fetching
+packages.
+
+See also [`opts.retry`](#opts-retry) to provide all retry options as a single
+object.
+
+##### <a name="opts-fetchRetryMintimeout"></a> `opts.fetchRetryMintimeout`
+
+* Type: Number
+* Default: 10000 (10 seconds)
+
+The "minTimeout" config for [`retry`](https://npm.im/retry) to use when fetching
+packages.
+
+See also [`opts.retry`](#opts-retry) to provide all retry options as a single
+object.
+
+##### <a name="opts-fetchRetryMaxtimeout"></a> `opts.fetchRetryMaxtimeout`
+
+* Type: Number
+* Default: 60000 (1 minute)
+
+The "maxTimeout" config for [`retry`](https://npm.im/retry) to use when fetching
+packages.
+
+See also [`opts.retry`](#opts-retry) to provide all retry options as a single
+object.
+
+##### <a name="opts-forceAuth"></a> `opts.forceAuth`
+
+* Type: Object
+* Default: null
+
+If present, other auth-related values in `opts` will be completely ignored,
+including `alwaysAuth`, `email`, and `otp`, when calculating auth for a request,
+and the auth details in `opts.forceAuth` will be used instead.
+
+##### <a name="opts-gzip"></a> `opts.gzip`
+
+* Type: Boolean
+* Default: false
+
+If true, `npm-registry-fetch` will set the `Content-Encoding` header to `gzip`
+and use `zlib.gzip()` or `zlib.createGzip()` to gzip-encode
+[`opts.body`](#opts-body).
+
+##### <a name="opts-headers"></a> `opts.headers`
+
+* Type: Object
+* Default: null
+
+Additional headers for the outgoing request. This option can also be used to
+override headers automatically generated by `npm-registry-fetch`, such as
+`Content-Type`.
+
+##### <a name="opts-ignoreBody"></a> `opts.ignoreBody`
+
+* Type: Boolean
+* Default: false
+
+If true, the **response body** will be thrown away and `res.body` set to `null`.
+This will prevent dangling response sockets for requests where you don't usually
+care what the response body is.
+
+##### <a name="opts-integrity"></a> `opts.integrity`
+
+* Type: String | [SRI object](https://npm.im/ssri)
+* Default: null
+
+If provided, the response body's will be verified against this integrity string,
+using [`ssri`](https://npm.im/ssri). If verification succeeds, the response will
+complete as normal. If verification fails, the response body will error with an
+`EINTEGRITY` error.
+
+Body integrity is only verified if the body is actually consumed to completion --
+that is, if you use `res.json()`/`res.buffer()`, or if you consume the default
+`res` stream data to its end.
+
+Cached data will have its integrity automatically verified using the
+previously-generated integrity hash for the saved request information, so
+`EINTEGRITY` errors can happen if [`opts.cache`](#opts-cache) is used, even if
+`opts.integrity` is not passed in.
+
+##### <a name="opts-key"></a> `opts.key`
+
+* Type: String
+* Default: null
+
+A client key to pass when accessing the registry. Values should be in PEM
+format with newlines replaced by the string `'\n'`. For example:
+
+```
+{
+ key: '-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----'
+}
+```
+
+It is _not_ the path to a key file (and there is no "keyfile" option).
+
+See also: [`opts.ca`](#opts-ca) and [`opts.cert`](#opts-cert)
+
+##### <a name="opts-localAddress"></a> `opts.localAddress`
+
+* Type: IP Address String
+* Default: null
+
+The IP address of the local interface to use when making connections
+to the registry.
+
+See also [`opts.proxy`](#opts-proxy)
+
+##### <a name="opts-log"></a> `opts.log`
+
+* Type: [`npmlog`](https://npm.im/npmlog)-like
+* Default: null
+
+Logger object to use for logging operation details. Must have the same methods
+as `npmlog`.
+
+##### <a name="opts-mapJSON"></a> `opts.mapJSON`
+
+* Type: Function
+* Default: undefined
+
+When using `fetch.json.stream()` (NOT `fetch.json()`), this will be passed down
+to [`JSONStream`](https://npm.im/JSONStream) as the second argument to
+`JSONStream.parse`, and can be used to transform stream data before output.
+
+##### <a name="opts-maxSockets"></a> `opts.maxSockets`
+
+* Type: Integer
+* Default: 12
+
+Maximum number of sockets to keep open during requests. Has no effect if
+[`opts.agent`](#opts-agent) is used.
+
+##### <a name="opts-method"></a> `opts.method`
+
+* Type: String
+* Default: 'GET'
+
+HTTP method to use for the outgoing request. Case-insensitive.
+
+##### <a name="opts-noproxy"></a> `opts.noproxy`
+
+* Type: Boolean
+* Default: process.env.NOPROXY
+
+If true, proxying will be disabled even if [`opts.proxy`](#opts-proxy) is used.
+
+##### <a name="opts-npmSession"></a> `opts.npmSession`
+
+* Type: String
+* Default: null
+
+If provided, will be sent in the `npm-session` header. This header is used by
+the npm registry to identify individual user sessions (usually individual
+invocations of the CLI).
+
+##### <a name="opts-npmCommand"></a> `opts.npmCommand`
+
+* Type: String
+* Default: null
+
+If provided, it will be sent in the `npm-command` header. This yeader is
+used by the npm registry to identify the npm command that caused this
+request to be made.
+
+##### <a name="opts-offline"></a> `opts.offline`
+
+* Type: Boolean
+* Default: false
+
+Force offline mode: no network requests will be done during install. To allow
+`npm-registry-fetch` to fill in missing cache data, see
+[`opts.preferOffline`](#opts-preferOffline).
+
+This option is only really useful if you're also using
+[`opts.cache`](#opts-cache).
+
+This option is set to `true` when the request includes `write=true` in the
+query string.
+
+##### <a name="opts-otp"></a> `opts.otp`
+
+* Type: Number | String
+* Default: null
+
+This is a one-time password from a two-factor authenticator. It is required for
+certain registry interactions when two-factor auth is enabled for a user
+account.
+
+##### <a name="opts-otpPrompt"></a> `opts.otpPrompt`
+
+* Type: Function
+* Default: null
+
+This is a method which will be called to provide an OTP if the server
+responds with a 401 response indicating that a one-time-password is
+required.
+
+It may return a promise, which must resolve to the OTP value to be used.
+If the method fails to provide an OTP value, then the fetch will fail with
+the auth error that indicated an OTP was needed.
+
+##### <a name="opts-password"></a> `opts.password`
+
+* Alias: `_password`
+* Type: String
+* Default: null
+
+Password used for basic authentication. For the more modern authentication
+method, please use the (more secure) [`opts.token`](#opts-token)
+
+Can optionally be scoped to a registry by using a "nerf dart" for that registry.
+That is:
+
+```
+{
+ '//registry.npmjs.org/:password': 't0k3nH34r'
+}
+```
+
+See also [`opts.username`](#opts-username)
+
+##### <a name="opts-preferOffline"></a> `opts.preferOffline`
+
+* Type: Boolean
+* Default: false
+
+If true, staleness checks for cached data will be bypassed, but missing data
+will be requested from the server. To force full offline mode, use
+[`opts.offline`](#opts-offline).
+
+This option is generally only useful if you're also using
+[`opts.cache`](#opts-cache).
+
+This option is set to `false` when the request includes `write=true` in the
+query string.
+
+##### <a name="opts-preferOnline"></a> `opts.preferOnline`
+
+* Type: Boolean
+* Default: false
+
+If true, staleness checks for cached data will be forced, making the CLI look
+for updates immediately even for fresh package data.
+
+This option is generally only useful if you're also using
+[`opts.cache`](#opts-cache).
+
+This option is set to `true` when the request includes `write=true` in the
+query string.
+
+##### <a name="opts-projectScope"></a> `opts.projectScope`
+
+* Type: String
+* Default: null
+
+If provided, will be sent in the `npm-scope` header. This header is used by the
+npm registry to identify the toplevel package scope that a particular project
+installation is using.
+
+##### <a name="opts-proxy"></a> `opts.proxy`
+
+* Type: url
+* Default: null
+
+A proxy to use for outgoing http requests. If not passed in, the `HTTP(S)_PROXY`
+environment variable will be used.
+
+##### <a name="opts-query"></a> `opts.query`
+
+* Type: String | Object
+* Default: null
+
+If provided, the request URI will have a query string appended to it using this
+query. If `opts.query` is an object, it will be converted to a query string
+using
+[`querystring.stringify()`](https://nodejs.org/api/querystring.html#querystring_querystring_stringify_obj_sep_eq_options).
+
+If the request URI already has a query string, it will be merged with
+`opts.query`, preferring `opts.query` values.
+
+##### <a name="opts-registry"></a> `opts.registry`
+
+* Type: URL
+* Default: `'https://registry.npmjs.org'`
+
+Registry configuration for a request. If a request URL only includes the URL
+path, this registry setting will be prepended. This configuration is also used
+to determine authentication details, so even if the request URL references a
+completely different host, `opts.registry` will be used to find the auth details
+for that request.
+
+See also [`opts.scope`](#opts-scope), [`opts.spec`](#opts-spec), and
+[`opts.<scope>:registry`](#opts-scope-registry) which can all affect the actual
+registry URL used by the outgoing request.
+
+##### <a name="opts-retry"></a> `opts.retry`
+
+* Type: Object
+* Default: null
+
+Single-object configuration for request retry settings. If passed in, will
+override individually-passed `fetch-retry-*` settings.
+
+##### <a name="opts-scope"></a> `opts.scope`
+
+* Type: String
+* Default: null
+
+Associate an operation with a scope for a scoped registry. This option can force
+lookup of scope-specific registries and authentication.
+
+See also [`opts.<scope>:registry`](#opts-scope-registry) and
+[`opts.spec`](#opts-spec) for interactions with this option.
+
+##### <a name="opts-scope-registry"></a> `opts.<scope>:registry`
+
+* Type: String
+* Default: null
+
+This option type can be used to configure the registry used for requests
+involving a particular scope. For example, `opts['@myscope:registry'] =
+'https://scope-specific.registry/'` will make it so requests go out to this
+registry instead of [`opts.registry`](#opts-registry) when
+[`opts.scope`](#opts-scope) is used, or when [`opts.spec`](#opts-spec) is a
+scoped package spec.
+
+The `@` before the scope name is optional, but recommended.
+
+##### <a name="opts-spec"></a> `opts.spec`
+
+* Type: String | [`npm-registry-arg`](https://npm.im/npm-registry-arg) object.
+* Default: null
+
+If provided, can be used to automatically configure [`opts.scope`](#opts-scope)
+based on a specific package name. Non-registry package specs will throw an
+error.
+
+##### <a name="opts-strictSSL"></a> `opts.strictSSL`
+
+* Type: Boolean
+* Default: true
+
+Whether or not to do SSL key validation when making requests to the
+registry via https.
+
+See also [`opts.ca`](#opts-ca).
+
+##### <a name="opts-timeout"></a> `opts.timeout`
+
+* Type: Milliseconds
+* Default: 300000 (5 minutes)
+
+Time before a hanging request times out.
+
+##### <a name="opts-token"></a> `opts.token`
+
+* Alias: `opts._authToken`
+* Type: String
+* Default: null
+
+Authentication token string.
+
+Can be scoped to a registry by using a "nerf dart" for that registry. That is:
+
+```
+{
+ '//registry.npmjs.org/:token': 't0k3nH34r'
+}
+```
+
+##### <a name="opts-userAgent"></a> `opts.userAgent`
+
+* Type: String
+* Default: `'npm-registry-fetch@<version>/node@<node-version>+<arch> (<platform>)'`
+
+User agent string to send in the `User-Agent` header.
+
+##### <a name="opts-username"></a> `opts.username`
+
+* Type: String
+* Default: null
+
+Username used for basic authentication. For the more modern authentication
+method, please use the (more secure) [`opts.token`](#opts-token)
+
+Can optionally be scoped to a registry by using a "nerf dart" for that registry.
+That is:
+
+```
+{
+ '//registry.npmjs.org/:username': 't0k3nH34r'
+}
+```
+
+See also [`opts.password`](#opts-password)
+
+##### <a name="opts-auth"></a> `opts._auth`
+
+* Type: String
+* Default: null
+
+** DEPRECATED ** This is a legacy authentication token supported only for
+compatibility. Please use [`opts.token`](#opts-token) instead.
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/auth.js b/node_modules/pacote/node_modules/npm-registry-fetch/auth.js
new file mode 100644
index 000000000..cf76fdb6b
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/auth.js
@@ -0,0 +1,94 @@
+'use strict'
+const npa = require('npm-package-arg')
+
+// Find the longest registry key that is used for some kind of auth
+// in the options.
+const regKeyFromURI = (uri, opts) => {
+ const parsed = new URL(uri)
+ // try to find a config key indicating we have auth for this registry
+ // can be one of :_authToken, :_auth, or :_password and :username
+ // We walk up the "path" until we're left with just //<host>[:<port>],
+ // stopping when we reach '//'.
+ let regKey = `//${parsed.host}${parsed.pathname}`
+ while (regKey.length > '//'.length) {
+ // got some auth for this URI
+ if (hasAuth(regKey, opts))
+ return regKey
+
+ // can be either //host/some/path/:_auth or //host/some/path:_auth
+ // walk up by removing EITHER what's after the slash OR the slash itself
+ regKey = regKey.replace(/([^/]+|\/)$/, '')
+ }
+}
+
+const hasAuth = (regKey, opts) => (
+ opts[`${regKey}:_authToken`] ||
+ opts[`${regKey}:_auth`] ||
+ opts[`${regKey}:username`] && opts[`${regKey}:_password`]
+)
+
+const getAuth = (uri, opts = {}) => {
+ const { forceAuth } = opts
+ if (!uri)
+ throw new Error('URI is required')
+ const regKey = regKeyFromURI(uri, forceAuth || opts)
+
+ // we are only allowed to use what's in forceAuth if specified
+ if (forceAuth && !regKey) {
+ return new Auth({
+ scopeAuthKey: null,
+ token: forceAuth._authToken,
+ username: forceAuth.username,
+ password: forceAuth._password || forceAuth.password,
+ auth: forceAuth._auth || forceAuth.auth,
+ })
+ }
+
+ // no auth for this URI
+ if (!regKey && opts.spec) {
+ // If making a tarball request to a different base URI than the
+ // registry where we logged in, but the same auth SHOULD be sent
+ // to that artifact host, then we track where it was coming in from,
+ // and warn the user if we get a 4xx error on it.
+ const { spec } = opts
+ const { scope: specScope, subSpec } = npa(spec)
+ const subSpecScope = subSpec && subSpec.scope
+ const scope = subSpec ? subSpecScope : specScope
+ const scopeReg = scope && opts[`${scope}:registry`]
+ const scopeAuthKey = scopeReg && regKeyFromURI(scopeReg, opts)
+ return new Auth({ scopeAuthKey })
+ }
+
+ const {
+ [`${regKey}:_authToken`]: token,
+ [`${regKey}:username`]: username,
+ [`${regKey}:_password`]: password,
+ [`${regKey}:_auth`]: auth,
+ } = opts
+
+ return new Auth({
+ scopeAuthKey: null,
+ token,
+ auth,
+ username,
+ password,
+ })
+}
+
+class Auth {
+ constructor ({ token, auth, username, password, scopeAuthKey }) {
+ this.scopeAuthKey = scopeAuthKey
+ this.token = null
+ this.auth = null
+ if (token)
+ this.token = token
+ else if (auth)
+ this.auth = auth
+ else if (username && password) {
+ const p = Buffer.from(password, 'base64').toString('utf8')
+ this.auth = Buffer.from(`${username}:${p}`, 'utf8').toString('base64')
+ }
+ }
+}
+
+module.exports = getAuth
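Review bot: In `regKeyFromURI` the lookup key is built as `//${parsed.host}${parsed.pathname}`, so the scheme is discarded and credentials configured for a host match an `http://` URI exactly as they match `https://`; nothing in this file stops the resulting token from going out over an unencrypted connection. If that is intentional it deserves a comment at that line, e.g. `// key ignores parsed.protocol: auth matches http:// and https:// alike`, and otherwise `getAuth` is the place to check the protocol before returning credentials. Separately, when neither `forceAuth` nor `opts.spec` is set and no key matched, `getAuth` falls through to the destructuring with `regKey` undefined and reads `opts['undefined:_authToken']`; an early `return new Auth({ scopeAuthKey: null })` would make that path explicit. This is a bundled copy under node_modules, so any change belongs in the upstream package.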
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/check-response.js b/node_modules/pacote/node_modules/npm-registry-fetch/check-response.js
new file mode 100644
index 000000000..7610e0d7a
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/check-response.js
@@ -0,0 +1,139 @@
+'use strict'
+
+const errors = require('./errors.js')
+const LRU = require('lru-cache')
+const { Response } = require('minipass-fetch')
+const defaultOpts = require('./default-opts.js')
+
+const checkResponse = async ({ method, uri, res, registry, startTime, auth, opts }) => {
+ opts = { ...defaultOpts, ...opts }
+ if (res.headers.has('npm-notice') && !res.headers.has('x-local-cache'))
+ opts.log.notice('', res.headers.get('npm-notice'))
+
+ checkWarnings(res, registry, opts)
+ if (res.status >= 400) {
+ logRequest(method, res, startTime, opts)
+ if (auth && auth.scopeAuthKey && !auth.token && !auth.auth) {
+ // we didn't have auth for THIS request, but we do have auth for
+ // requests to the registry indicated by the spec's scope value.
+ // Warn the user.
+ opts.log.warn('registry', `No auth for URI, but auth present for scoped registry.
+
+URI: ${uri}
+Scoped Registry Key: ${auth.scopeAuthKey}
+
+More info here: https://github.com/npm/cli/wiki/No-auth-for-URI,-but-auth-present-for-scoped-registry`)
+ }
+ return checkErrors(method, res, startTime, opts)
+ } else {
+ res.body.on('end', () => logRequest(method, res, startTime, opts))
+ if (opts.ignoreBody) {
+ res.body.resume()
+ return new Response(null, res)
+ }
+ return res
+ }
+}
+module.exports = checkResponse
+
+function logRequest (method, res, startTime, opts) {
+ const elapsedTime = Date.now() - startTime
+ const attempt = res.headers.get('x-fetch-attempts')
+ const attemptStr = attempt && attempt > 1 ? ` attempt #${attempt}` : ''
+ const cacheStr = res.headers.get('x-local-cache') ? ' (from cache)' : ''
+
+ let urlStr
+ try {
+ const { URL } = require('url')
+ const url = new URL(res.url)
+ if (url.password)
+ url.password = '***'
+
+ urlStr = url.toString()
+ } catch (er) {
+ urlStr = res.url
+ }
+
+ opts.log.http(
+ 'fetch',
+ `${method.toUpperCase()} ${res.status} ${urlStr} ${elapsedTime}ms${attemptStr}${cacheStr}`
+ )
+}
+
+const WARNING_REGEXP = /^\s*(\d{3})\s+(\S+)\s+"(.*)"\s+"([^"]+)"/
+const BAD_HOSTS = new LRU({ max: 50 })
+
+function checkWarnings (res, registry, opts) {
+ if (res.headers.has('warning') && !BAD_HOSTS.has(registry)) {
+ const warnings = {}
+ // note: headers.raw() will preserve case, so we might have a
+ // key on the object like 'WaRnInG' if that was used first
+ for (const [key, value] of Object.entries(res.headers.raw())) {
+ if (key.toLowerCase() !== 'warning')
+ continue
+ value.forEach(w => {
+ const match = w.match(WARNING_REGEXP)
+ if (match) {
+ warnings[match[1]] = {
+ code: match[1],
+ host: match[2],
+ message: match[3],
+ date: new Date(match[4]),
+ }
+ }
+ })
+ }
+ BAD_HOSTS.set(registry, true)
+ if (warnings['199']) {
+ if (warnings['199'].message.match(/ENOTFOUND/))
+ opts.log.warn('registry', `Using stale data from ${registry} because the host is inaccessible -- are you offline?`)
+ else
+ opts.log.warn('registry', `Unexpected warning for ${registry}: ${warnings['199'].message}`)
+ }
+ if (warnings['111']) {
+ // 111 Revalidation failed -- we're using stale data
+ opts.log.warn(
+ 'registry',
+ `Using stale data from ${registry} due to a request error during revalidation.`
+ )
+ }
+ }
+}
+
+function checkErrors (method, res, startTime, opts) {
+ return res.buffer()
+ .catch(() => null)
+ .then(body => {
+ let parsed = body
+ try {
+ parsed = JSON.parse(body.toString('utf8'))
+ } catch (e) {}
+ if (res.status === 401 && res.headers.get('www-authenticate')) {
+ const auth = res.headers.get('www-authenticate')
+ .split(/,\s*/)
+ .map(s => s.toLowerCase())
+ if (auth.indexOf('ipaddress') !== -1) {
+ throw new errors.HttpErrorAuthIPAddress(
+ method, res, parsed, opts.spec
+ )
+ } else if (auth.indexOf('otp') !== -1) {
+ throw new errors.HttpErrorAuthOTP(
+ method, res, parsed, opts.spec
+ )
+ } else {
+ throw new errors.HttpErrorAuthUnknown(
+ method, res, parsed, opts.spec
+ )
+ }
+ } else if (res.status === 401 && body != null && /one-time pass/.test(body.toString('utf8'))) {
+ // Heuristic for malformed OTP responses that don't include the www-authenticate header.
+ throw new errors.HttpErrorAuthOTP(
+ method, res, parsed, opts.spec
+ )
+ } else {
+ throw new errors.HttpErrorGeneral(
+ method, res, parsed, opts.spec
+ )
+ }
+ })
+}
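Review bot: `logRequest` masks only `url.password`, so a credential carried as the URL username or in the query string is still written to the http log, and the `catch` branch falls back to the raw `res.url` with no redaction at all. Adding `if (url.username) url.username = '***'` next to the password check and logging a fixed placeholder in the fallback would close both. The `URI: ${uri}` line in the scoped-registry warning inside `checkResponse` prints the request URI unredacted as well. Whether URLs with embedded secrets reach this code depends on callers that are not shown here.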
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/default-opts.js b/node_modules/pacote/node_modules/npm-registry-fetch/default-opts.js
new file mode 100644
index 000000000..9ca3f97d0
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/default-opts.js
@@ -0,0 +1,20 @@
+const pkg = require('./package.json')
+module.exports = {
+ log: require('./silentlog.js'),
+ maxSockets: 12,
+ method: 'GET',
+ registry: 'https://registry.npmjs.org/',
+ timeout: 5 * 60 * 1000, // 5 minutes
+ strictSSL: true,
+ noProxy: process.env.NOPROXY,
+ userAgent: `${pkg.name
+ }@${
+ pkg.version
+ }/node@${
+ process.version
+ }+${
+ process.arch
+ } (${
+ process.platform
+ })`,
+}
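Review bot: The proxy-bypass default is stored under `noProxy` and holds the raw `process.env.NOPROXY` string, while the README added in this same commit documents the option as `opts.noproxy` of type Boolean. index.js reads `opts.noProxy`, so a caller who follows the README spelling would presumably have the setting ignored without any error. A comment on that line such as `// NOPROXY env value (a string, not a boolean); README spells this opts.noproxy` or aligning the README would remove the ambiguity.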
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/errors.js b/node_modules/pacote/node_modules/npm-registry-fetch/errors.js
new file mode 100644
index 000000000..e65e5fbd8
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/errors.js
@@ -0,0 +1,79 @@
+'use strict'
+
+const url = require('url')
+
+function packageName (href) {
+ try {
+ let basePath = new url.URL(href).pathname.substr(1)
+ if (!basePath.match(/^-/)) {
+ basePath = basePath.split('/')
+ var index = basePath.indexOf('_rewrite')
+ if (index === -1)
+ index = basePath.length - 1
+ else
+ index++
+ return decodeURIComponent(basePath[index])
+ }
+ } catch (_) {
+ // this is ok
+ }
+}
+
+class HttpErrorBase extends Error {
+ constructor (method, res, body, spec) {
+ super()
+ this.name = this.constructor.name
+ this.headers = res.headers.raw()
+ this.statusCode = res.status
+ this.code = `E${res.status}`
+ this.method = method
+ this.uri = res.url
+ this.body = body
+ this.pkgid = spec ? spec.toString() : packageName(res.url)
+ }
+}
+module.exports.HttpErrorBase = HttpErrorBase
+
+class HttpErrorGeneral extends HttpErrorBase {
+ constructor (method, res, body, spec) {
+ super(method, res, body, spec)
+ this.message = `${res.status} ${res.statusText} - ${
+ this.method.toUpperCase()
+ } ${
+ this.spec || this.uri
+ }${
+ (body && body.error) ? ' - ' + body.error : ''
+ }`
+ Error.captureStackTrace(this, HttpErrorGeneral)
+ }
+}
+module.exports.HttpErrorGeneral = HttpErrorGeneral
+
+class HttpErrorAuthOTP extends HttpErrorBase {
+ constructor (method, res, body, spec) {
+ super(method, res, body, spec)
+ this.message = 'OTP required for authentication'
+ this.code = 'EOTP'
+ Error.captureStackTrace(this, HttpErrorAuthOTP)
+ }
+}
+module.exports.HttpErrorAuthOTP = HttpErrorAuthOTP
+
+class HttpErrorAuthIPAddress extends HttpErrorBase {
+ constructor (method, res, body, spec) {
+ super(method, res, body, spec)
+ this.message = 'Login is not allowed from your IP address'
+ this.code = 'EAUTHIP'
+ Error.captureStackTrace(this, HttpErrorAuthIPAddress)
+ }
+}
+module.exports.HttpErrorAuthIPAddress = HttpErrorAuthIPAddress
+
+class HttpErrorAuthUnknown extends HttpErrorBase {
+ constructor (method, res, body, spec) {
+ super(method, res, body, spec)
+ this.message = 'Unable to authenticate, need: ' + res.headers.get('www-authenticate')
+ Error.captureStackTrace(this, HttpErrorAuthUnknown)
+ }
+}
+module.exports.HttpErrorAuthUnknown = HttpErrorAuthUnknown
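Review bot: `HttpErrorGeneral` builds its message from `this.spec || this.uri`, but `HttpErrorBase` never assigns `this.spec` (it stores the spec string as `this.pkgid`), so the left operand is dead and the message always contains the full `res.url`. Any userinfo or query-string secret in that URL therefore ends up in the error text, which tends to be logged or shown to users. Using `this.pkgid || this.uri`, or assigning `this.spec = spec` in the base constructor, would match the apparent intent; confirm which against upstream. `this.headers = res.headers.raw()` likewise copies every response header onto the error object, which is worth a comment for anyone serialising these errors.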
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/index.js b/node_modules/pacote/node_modules/npm-registry-fetch/index.js
new file mode 100644
index 000000000..5411b51e5
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/index.js
@@ -0,0 +1,221 @@
+'use strict'
+
+const { HttpErrorAuthOTP } = require('./errors.js')
+const checkResponse = require('./check-response.js')
+const getAuth = require('./auth.js')
+const fetch = require('make-fetch-happen')
+const JSONStream = require('minipass-json-stream')
+const npa = require('npm-package-arg')
+const qs = require('querystring')
+const url = require('url')
+const zlib = require('minizlib')
+const Minipass = require('minipass')
+
+const defaultOpts = require('./default-opts.js')
+
+// WhatWG URL throws if it's not fully resolved
+const urlIsValid = u => {
+ try {
+ return !!new url.URL(u)
+ } catch (_) {
+ return false
+ }
+}
+
+module.exports = regFetch
+function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
+ const opts = {
+ ...defaultOpts,
+ ...opts_,
+ }
+
+ // if we did not get a fully qualified URI, then we look at the registry
+ // config or relevant scope to resolve it.
+ const uriValid = urlIsValid(uri)
+ let registry = opts.registry || defaultOpts.registry
+ if (!uriValid) {
+ registry = opts.registry = (
+ (opts.spec && pickRegistry(opts.spec, opts)) ||
+ opts.registry ||
+ registry
+ )
+ uri = `${
+ registry.trim().replace(/\/?$/g, '')
+ }/${
+ uri.trim().replace(/^\//, '')
+ }`
+ // asserts that this is now valid
+ new url.URL(uri)
+ }
+
+ const method = opts.method || 'GET'
+
+ // through that takes into account the scope, the prefix of `uri`, etc
+ const startTime = Date.now()
+ const auth = getAuth(uri, opts)
+ const headers = getHeaders(uri, auth, opts)
+ let body = opts.body
+ const bodyIsStream = Minipass.isStream(body)
+ const bodyIsPromise = body &&
+ typeof body === 'object' &&
+ typeof body.then === 'function'
+
+ if (body && !bodyIsStream && !bodyIsPromise && typeof body !== 'string' && !Buffer.isBuffer(body)) {
+ headers['content-type'] = headers['content-type'] || 'application/json'
+ body = JSON.stringify(body)
+ } else if (body && !headers['content-type'])
+ headers['content-type'] = 'application/octet-stream'
+
+ if (opts.gzip) {
+ headers['content-encoding'] = 'gzip'
+ if (bodyIsStream) {
+ const gz = new zlib.Gzip()
+ body.on('error', /* istanbul ignore next: unlikely and hard to test */
+ err => gz.emit('error', err))
+ body = body.pipe(gz)
+ } else if (!bodyIsPromise)
+ body = new zlib.Gzip().end(body).concat()
+ }
+
+ const parsed = new url.URL(uri)
+
+ if (opts.query) {
+ const q = typeof opts.query === 'string' ? qs.parse(opts.query)
+ : opts.query
+
+ Object.keys(q).forEach(key => {
+ if (q[key] !== undefined)
+ parsed.searchParams.set(key, q[key])
+ })
+ uri = url.format(parsed)
+ }
+
+ if (parsed.searchParams.get('write') === 'true' && method === 'GET') {
+ // do not cache, because this GET is fetching a rev that will be
+ // used for a subsequent PUT or DELETE, so we need to conditionally
+ // update cache.
+ opts.offline = false
+ opts.preferOffline = false
+ opts.preferOnline = true
+ }
+
+ const doFetch = async body => {
+ const p = fetch(uri, {
+ agent: opts.agent,
+ algorithms: opts.algorithms,
+ body,
+ cache: getCacheMode(opts),
+ cacheManager: opts.cache,
+ ca: opts.ca,
+ cert: opts.cert,
+ headers,
+ integrity: opts.integrity,
+ key: opts.key,
+ localAddress: opts.localAddress,
+ maxSockets: opts.maxSockets,
+ memoize: opts.memoize,
+ method: method,
+ noProxy: opts.noProxy,
+ proxy: opts.httpsProxy || opts.proxy,
+ retry: opts.retry ? opts.retry : {
+ retries: opts.fetchRetries,
+ factor: opts.fetchRetryFactor,
+ minTimeout: opts.fetchRetryMintimeout,
+ maxTimeout: opts.fetchRetryMaxtimeout,
+ },
+ strictSSL: opts.strictSSL,
+ timeout: opts.timeout || 30 * 1000,
+ }).then(res => checkResponse({
+ method,
+ uri,
+ res,
+ registry,
+ startTime,
+ auth,
+ opts,
+ }))
+
+ if (typeof opts.otpPrompt === 'function') {
+ return p.catch(async er => {
+ if (er instanceof HttpErrorAuthOTP) {
+ // if otp fails to complete, we fail with that failure
+ const otp = await opts.otpPrompt()
+ // if no otp provided, throw the original HTTP error
+ if (!otp)
+ throw er
+ return regFetch(uri, { ...opts, otp })
+ }
+ throw er
+ })
+ } else
+ return p
+ }
+
+ return Promise.resolve(body).then(doFetch)
+}
+
+module.exports.json = fetchJSON
+function fetchJSON (uri, opts) {
+ return regFetch(uri, opts).then(res => res.json())
+}
+
+module.exports.json.stream = fetchJSONStream
+function fetchJSONStream (uri, jsonPath, /* istanbul ignore next */ opts_ = {}) {
+ const opts = { ...defaultOpts, ...opts_ }
+ const parser = JSONStream.parse(jsonPath, opts.mapJSON)
+ regFetch(uri, opts).then(res =>
+ res.body.on('error',
+ /* istanbul ignore next: unlikely and difficult to test */
+ er => parser.emit('error', er)).pipe(parser)
+ ).catch(er => parser.emit('error', er))
+ return parser
+}
+
+module.exports.pickRegistry = pickRegistry
+function pickRegistry (spec, opts = {}) {
+ spec = npa(spec)
+ let registry = spec.scope &&
+ opts[spec.scope.replace(/^@?/, '@') + ':registry']
+
+ if (!registry && opts.scope)
+ registry = opts[opts.scope.replace(/^@?/, '@') + ':registry']
+
+ if (!registry)
+ registry = opts.registry || defaultOpts.registry
+
+ return registry
+}
+
+function getCacheMode (opts) {
+ return opts.offline ? 'only-if-cached'
+ : opts.preferOffline ? 'force-cache'
+ : opts.preferOnline ? 'no-cache'
+ : 'default'
+}
+
+function getHeaders (uri, auth, opts) {
+ const headers = Object.assign({
+ 'user-agent': opts.userAgent,
+ }, opts.headers || {})
+
+ if (opts.projectScope)
+ headers['npm-scope'] = opts.projectScope
+
+ if (opts.npmSession)
+ headers['npm-session'] = opts.npmSession
+
+ if (opts.npmCommand)
+ headers['npm-command'] = opts.npmCommand
+
+ // If a tarball is hosted on a different place than the manifest, only send
+ // credentials on `alwaysAuth`
+ if (auth.token)
+ headers.authorization = `Bearer ${auth.token}`
+ else if (auth.auth)
+ headers.authorization = `Basic ${auth.auth}`
+
+ if (opts.otp)
+ headers['npm-otp'] = opts.otp
+
+ return headers
+}
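Review bot: The comment above the authorization block in `getHeaders` says credentials are only sent on `alwaysAuth`, but no `alwaysAuth` option is read in this file or in auth.js; the header is set whenever `getAuth` returned a token or basic-auth value for the URI. Since that comment describes when secrets leave the process, it should say what the code does, e.g. `// auth was already matched to this URI's host/path by getAuth(); send it if present`. In `regFetch`, `timeout: opts.timeout || 30 * 1000` also disagrees with the 5-minute default merged from default-opts.js and turns an explicit `timeout: 0` into 30 seconds; passing `opts.timeout` alone, or a comment explaining the fallback, would be clearer. The OTP retry calls `regFetch(uri, { ...opts, otp })` with the original `opts.body`, which presumably cannot be replayed when that body was a stream.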
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/package.json b/node_modules/pacote/node_modules/npm-registry-fetch/package.json
new file mode 100644
index 000000000..614d664c4
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/package.json
@@ -0,0 +1,62 @@
+{
+ "name": "npm-registry-fetch",
+ "version": "10.0.0",
+ "description": "Fetch-based http client for use with npm registry APIs",
+ "main": "index.js",
+ "files": [
+ "*.js"
+ ],
+ "scripts": {
+ "eslint": "eslint",
+ "lint": "npm run eslint -- *.js test/*.js",
+ "lintfix": "npm run lint -- --fix",
+ "prepublishOnly": "git push origin --follow-tags",
+ "preversion": "npm test",
+ "postversion": "npm publish",
+ "test": "tap",
+ "posttest": "npm run lint"
+ },
+ "repository": "https://github.com/npm/npm-registry-fetch",
+ "keywords": [
+ "npm",
+ "registry",
+ "fetch"
+ ],
+ "author": {
+ "name": "Kat Marchán",
+ "email": "kzm@sykosomatic.org",
+ "twitter": "maybekatz"
+ },
+ "license": "ISC",
+ "dependencies": {
+ "lru-cache": "^6.0.0",
+ "make-fetch-happen": "^8.0.9",
+ "minipass": "^3.1.3",
+ "minipass-fetch": "^1.3.0",
+ "minipass-json-stream": "^1.0.1",
+ "minizlib": "^2.0.0",
+ "npm-package-arg": "^8.0.0"
+ },
+ "devDependencies": {
+ "cacache": "^15.0.0",
+ "eslint": "^6.8.0",
+ "eslint-plugin-import": "^2.18.2",
+ "eslint-plugin-node": "^10.0.0",
+ "eslint-plugin-promise": "^4.2.1",
+ "eslint-plugin-standard": "^4.0.1",
+ "mkdirp": "^0.5.1",
+ "nock": "^11.7.0",
+ "npmlog": "^4.1.2",
+ "require-inject": "^1.4.4",
+ "rimraf": "^2.6.2",
+ "ssri": "^8.0.0",
+ "tap": "^14.10.7"
+ },
+ "tap": {
+ "check-coverage": true,
+ "test-ignore": "test[\\\\/](util|cache)[\\\\/]"
+ },
+ "engines": {
+ "node": ">=10"
+ }
+}
diff --git a/node_modules/pacote/node_modules/npm-registry-fetch/silentlog.js b/node_modules/pacote/node_modules/npm-registry-fetch/silentlog.js
new file mode 100644
index 000000000..483bd44c7
--- /dev/null
+++ b/node_modules/pacote/node_modules/npm-registry-fetch/silentlog.js
@@ -0,0 +1,14 @@
+'use strict'
+
+const noop = Function.prototype
+module.exports = {
+ error: noop,
+ warn: noop,
+ notice: noop,
+ info: noop,
+ verbose: noop,
+ silly: noop,
+ http: noop,
+ pause: noop,
+ resume: noop,
+}
diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json
index dd6bf9400..aee117b01 100644
--- a/node_modules/pacote/package.json
+++ b/node_modules/pacote/package.json
@@ -1,6 +1,6 @@
{
"name": "pacote",
- "version": "11.3.1",
+ "version": "11.3.2",
"description": "JavaScript package downloader",
"author": "Isaac Z. Schlueter <i@izs.me> (https://izs.me)",
"bin": {
@@ -17,15 +17,12 @@
},
"tap": {
"timeout": 300,
- "check-coverage": true,
- "coverage-map": "map.js",
- "esm": false
+ "coverage-map": "map.js"
},
"devDependencies": {
"mutate-fs": "^2.1.1",
"npm-registry-mock": "^1.3.1",
- "require-inject": "^1.4.4",
- "tap": "^14.11.0"
+ "tap": "^15.0.4"
},
"files": [
"lib/**/*.js"
@@ -49,7 +46,7 @@
"npm-package-arg": "^8.0.1",
"npm-packlist": "^2.1.4",
"npm-pick-manifest": "^6.0.0",
- "npm-registry-fetch": "^9.0.0",
+ "npm-registry-fetch": "^10.0.0",
"promise-retry": "^2.0.1",
"read-package-json-fast": "^2.0.1",
"rimraf": "^3.0.2",
diff --git a/package-lock.json b/package-lock.json
index 704fd1571..af537c677 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -303,7 +303,7 @@
"npm-user-validate": "^1.0.1",
"npmlog": "~4.1.2",
"opener": "^1.5.2",
- "pacote": "^11.3.1",
+ "pacote": "^11.3.2",
"parse-conflict-json": "^1.1.1",
"qrcode-terminal": "^0.12.0",
"read": "~1.0.7",
@@ -6037,9 +6037,9 @@
}
},
"node_modules/pacote": {
- "version": "11.3.1",
- "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.3.1.tgz",
- "integrity": "sha512-TymtwoAG12cczsJIrwI/euOQKtjrQHlD0k0oyt9QSmZGpqa+KdlxKdWR/YUjYizkixaVyztxt/Wsfo8bL3A6Fg==",
+ "version": "11.3.2",
+ "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.3.2.tgz",
+ "integrity": "sha512-lMO7V9aMhyE5gfaSFxKfW3OTdXuFBNQJfuNuet3NPzWWhOYIW90t85vHcHLDjdhgmfAdAHyh9q1HAap96ea0XA==",
"inBundle": true,
"dependencies": {
"@npmcli/git": "^2.0.1",
@@ -6055,7 +6055,7 @@
"npm-package-arg": "^8.0.1",
"npm-packlist": "^2.1.4",
"npm-pick-manifest": "^6.0.0",
- "npm-registry-fetch": "^9.0.0",
+ "npm-registry-fetch": "^10.0.0",
"promise-retry": "^2.0.1",
"read-package-json-fast": "^2.0.1",
"rimraf": "^3.0.2",
@@ -6069,6 +6069,24 @@
"node": ">=10"
}
},
+ "node_modules/pacote/node_modules/npm-registry-fetch": {
+ "version": "10.0.0",
+ "resolved": "https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-10.0.0.tgz",
+ "integrity": "sha512-/uLlH8Toc2ZwxwcKpxciEr8WaJM9eW5OeznBphtob8T0fWRT8IDCRYvXfKvmGVYdRdA9ZPDEwE8AF8C0RMTyew==",
+ "inBundle": true,
+ "dependencies": {
+ "lru-cache": "^6.0.0",
+ "make-fetch-happen": "^8.0.9",
+ "minipass": "^3.1.3",
+ "minipass-fetch": "^1.3.0",
+ "minipass-json-stream": "^1.0.1",
+ "minizlib": "^2.0.0",
+ "npm-package-arg": "^8.0.0"
+ },
+ "engines": {
+ "node": ">=10"
+ }
+ },
"node_modules/parent-module": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@@ -14921,9 +14939,9 @@
}
},
"pacote": {
- "version": "11.3.1",
- "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.3.1.tgz",
- "integrity": "sha512-TymtwoAG12cczsJIrwI/euOQKtjrQHlD0k0oyt9QSmZGpqa+KdlxKdWR/YUjYizkixaVyztxt/Wsfo8bL3A6Fg==",
+ "version": "11.3.2",
+ "resolved": "https://registry.npmjs.org/pacote/-/pacote-11.3.2.tgz",
+ "integrity": "sha512-lMO7V9aMhyE5gfaSFxKfW3OTdXuFBNQJfuNuet3NPzWWhOYIW90t85vHcHLDjdhgmfAdAHyh9q1HAap96ea0XA==",
"requires": {
"@npmcli/git": "^2.0.1",
"@npmcli/installed-package-contents": "^1.0.6",
@@ -14938,12 +14956,28 @@
"npm-package-arg": "^8.0.1",
"npm-packlist": "^2.1.4",
"npm-pick-manifest": "^6.0.0",
- "npm-registry-fetch": "^9.0.0",
+ "npm-registry-fetch": "^10.0.0",
"promise-retry": "^2.0.1",
"read-package-json-fast": "^2.0.1",
"rimraf": "^3.0.2",
"ssri": "^8.0.1",
"tar": "^6.1.0"
+ },
+ "dependencies": {
+ "npm-registry-fetch": {
+ "version": "10.0.0",
+ "resolved": "https://registry.npmjs.org/npm-registry-fetch/-/npm-registry-fetch-10.0.0.tgz",
+ "integrity": "sha512-/uLlH8Toc2ZwxwcKpxciEr8WaJM9eW5OeznBphtob8T0fWRT8IDCRYvXfKvmGVYdRdA9ZPDEwE8AF8C0RMTyew==",
+ "requires": {
+ "lru-cache": "^6.0.0",
+ "make-fetch-happen": "^8.0.9",
+ "minipass": "^3.1.3",
+ "minipass-fetch": "^1.3.0",
+ "minipass-json-stream": "^1.0.1",
+ "minizlib": "^2.0.0",
+ "npm-package-arg": "^8.0.0"
+ }
+ }
}
},
"parent-module": {
diff --git a/package.json b/package.json
index a10d5377a..0db985b8a 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,7 @@
"npm-user-validate": "^1.0.1",
"npmlog": "~4.1.2",
"opener": "^1.5.2",
- "pacote": "^11.3.1",
+ "pacote": "^11.3.2",
"parse-conflict-json": "^1.1.1",
"qrcode-terminal": "^0.12.0",
"read": "~1.0.7",