Age | Commit message (Collapse) | Author |
|
* unique filename for temporary script files
* correctly translate paths when using bash in windows
|
No more having to manually remember to run this!
|
* feat: add npm audit signatures
Implements [RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550/)
Adds a new sub-command to `audit`: `npm audit signatures` (following [`npm audit licenses`](https://github.com/npm/cli/pull/3452))
This command will verify registry signatures stored in the packument against a public key on the registry.
Supporting:
- Any registry that implements `host/-/npm/v1/keys` endpoint and provides `signatures` in the packument `dist` object
- Validates public keys are not expired
- Errors when encountering packages with missing signatures when the registry returns keys at `host/-/npm/v1/keys`
- Errors when encountering invalid signatures
- Output: json/human formats
|
* deps: @npmcli/run-script@4.1.3
|
* Allow web-login donecheck to cancel opener promise
* set 'npm-use-webauthn' header depending on option
|
* read: change lstat to stat to correctly evaluate file size
|
* allow reuse of external integrity stream
* replaceRegistryHost can now be a hostname
* error when passing signature without keys
|
* store emitted events and re-emit them for late listeners
|
* pass prefix and workspaces to npm-packlist
* add verifySignatures to registry.manifest
|
* cache integrity and size events so late listeners still get them
* pass expected integrity to cacache
* pass integrityEmitter to cacache to avoid a redundant integrity stream
* remove in-memory buffering in favor of full time streaming
|
* allow external integrity/size source
|
Turns out there were three files that still had no test coverage because
of the combination of the mocks in tests and the coverage map. Removing
the map altogether exposed them.
This PR removes the coverage map and fixes tests to cover all lines that
were being missed.
While adding coverage to the `npm search` codebase multiple unneeded
guards and at least one bug were found (it was impossible to exclude
searches based on username). These were fixed.
The `npm view` tests were also refactored to use the real npm object.
Finally, a small inlining of lib/utils/file-exists.js was done.
|
* add _signatures to manifest
|