zkat / pacote

programmatic npm package and metadata downloader (moved!)
https://github.com/npm/pacote
MIT License

`_from` key of publishing package json should not have local file path of `tgz` file #153

Open dr-js opened 6 years ago

dr-js commented 6 years ago

First, sorry for a third issue on the same problem...

The problem

I found that the JSON from API:Objects:Version (GET /{package}/{version}) of my recently published packages all has a `_from` key like: "file:C:/Users/Dr/Documents/GitHub/dr-js/dr-js-0.15.1-dev.6.tgz" (sample).

The `_from` value is the full path of the tgz file on my local system, and I think that should not be published as public metadata.

Further digging

This should be caused by publishing with syntax: npm publish <tarball>.

Basically I added console.log to lib/publish.js#L110-L124:

function publishFromPackage (arg) {
  // debug: print the argument exactly as passed to `npm publish <tarball>`
  console.log('### publishFromPackage ###', arg)
  return cacache.tmp.withTmp(npm.tmp, {tmpPrefix: 'fromPackage'}, (tmp) => {
    const extracted = path.join(tmp, 'package')
    const target = path.join(tmp, 'package.json')
    const opts = pacoteOpts()
    return pacote.tarball.toFile(arg, target, opts)
      .then(() => pacote.extract(arg, extracted, opts))
      .then(() => readJson(path.join(extracted, 'package.json')))
      .then((pkg) => {
        // debug: print the `_from` that ends up in the extracted package.json, then stop before uploading
        console.log('$$$ publishFromPackage $$$', pkg._from)
        process.exit()
      })
  })
}

And got the following result:

PS C:\Users\Dr\Documents\GitHub> npm publish C:/Users/Dr/Documents/GitHub/dr-js/dr-js-0.15.1-dev.7.tgz
### publishFromPackage ### C:/Users/Dr/Documents/GitHub/dr-js/dr-js-0.15.1-dev.7.tgz
$$$ publishFromPackage $$$ file:C:/Users/Dr/Documents/GitHub/dr-js/dr-js-0.15.1-dev.7.tgz

PS C:\Users\Dr\Documents\GitHub> npm publish foo/../dr-js/dr-js-0.15.1-dev.7.tgz
### publishFromPackage ### foo/../dr-js/dr-js-0.15.1-dev.7.tgz
$$$ publishFromPackage $$$ file:dr-js\dr-js-0.15.1-dev.7.tgz

PS C:\Users\Dr\Documents\GitHub\dr-js> npm publish ../foo/../dr-js/dr-js-0.15.1-dev.7.tgz
### publishFromPackage ### ../foo/../dr-js/dr-js-0.15.1-dev.7.tgz
$$$ publishFromPackage $$$ file:dr-js-0.15.1-dev.7.tgz

The first two have a full or extra local path in the `_from` value.

The printed `_from` value should then be uploaded to the registry and be publicly accessible.

By checking the registry, this key started at _npmVersion: "5.8.0"; the latest, _npmVersion: "6.1.0", still publishes with the `_from` key.

This issue was initially posted in: https://github.com/npm/registry/issues/331, without the code-log testing, and then in: https://github.com/npm/npm/issues/20797.
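A pre-publish check for the leak described above, as an added example that is not npm's, pacote's or the issue author's code: it flags any `_from` value that carries a `file:` spec, classifies how much local path it exposes (absolute path, relative path with directories, or bare filename), and returns a copy of the manifest with the field removed. The sample manifests are constructed from the three runs shown in the issue; the function names are assumptions.

```javascript
// Lint a package.json / registry version document for a `_from` value that
// embeds a local filesystem path, which happens when publishing with
// `npm publish <tarball>` (see the runs above). Added example, not project code.

// npm/pacote write the tarball argument into `_from` as a `file:` spec;
// whatever follows the prefix is the path as typed or resolved.
const FILE_SPEC = /^file:(.*)$/;

// Classify how much of the local layout the path reveals.
// "absolute": POSIX "/..." or Windows "C:/..." / "C:\..." (worst case)
// "relative-with-dirs": contains directory separators, so it still leaks layout
// "bare-filename": only the tarball name
function classifyLocalPath(p) {
  if (/^(?:[A-Za-z]:[\\\/]|\/)/.test(p)) return 'absolute';
  if (/[\\\/]/.test(p)) return 'relative-with-dirs';
  return 'bare-filename';
}

// Returns one finding per manifest field whose value is a `file:` spec.
// A registry spec such as "dr-js@0.15.1" is not a finding.
function findLocalPathLeaks(manifest) {
  const findings = [];
  const value = manifest._from;
  if (typeof value !== 'string') return findings;
  const m = FILE_SPEC.exec(value);
  if (!m) return findings;
  findings.push({ field: '_from', kind: classifyLocalPath(m[1]), value });
  return findings;
}

// Returns a copy of the manifest with every leaking field deleted, so the
// check can run as a prepublish step instead of only reporting.
function stripLocalPathLeaks(manifest) {
  const clean = { ...manifest };
  for (const f of findLocalPathLeaks(manifest)) delete clean[f.field];
  return clean;
}

// Constructed samples mirroring the three `npm publish` runs in the issue.
const samples = [
  { name: 'dr-js', version: '0.15.1-dev.7', _from: 'file:C:/Users/Dr/Documents/GitHub/dr-js/dr-js-0.15.1-dev.7.tgz' },
  { name: 'dr-js', version: '0.15.1-dev.7', _from: 'file:dr-js\\dr-js-0.15.1-dev.7.tgz' },
  { name: 'dr-js', version: '0.15.1-dev.7', _from: 'file:dr-js-0.15.1-dev.7.tgz' },
];
for (const s of samples) {
  console.log(s._from, '->', findLocalPathLeaks(s).map((f) => f.kind).join(','));
}
```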