npm · wraithgar · Dec 6, 2024 · Nov 25, 2024 · Nov 25, 2024 · Nov 26, 2024
@@ -1,4 +1,4 @@
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 const { otplease } = require('../utils/auth.js')
 const npa = require('npm-package-arg')
 const { log } = require('proc-log')
@@ -47,7 +47,7 @@ class Deprecate extends BaseCommand {
     }
 
     const uri = '/' + p.escapedName
-    const packument = await fetch.json(uri, {
+    const packument = await npmFetch.json(uri, {
       ...this.npm.flatOptions,
       spec: p,
       query: { write: true },
@@ -60,7 +60,7 @@ class Deprecate extends BaseCommand {
       for (const v of versions) {
         packument.versions[v].deprecated = msg
       }
-      return otplease(this.npm, this.npm.flatOptions, opts => fetch(uri, {
+      return otplease(this.npm, this.npm.flatOptions, opts => npmFetch(uri, {
         ...opts,
         spec: p,
         method: 'PUT',

@@ -1,5 +1,5 @@
 const npa = require('npm-package-arg')
-const regFetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 const semver = require('semver')
 const { log, output } = require('proc-log')
 const { otplease } = require('../utils/auth.js')
@@ -119,7 +119,7 @@ class DistTag extends BaseCommand {
       },
       spec,
     }
-    await otplease(this.npm, reqOpts, o => regFetch(url, o))
+    await otplease(this.npm, reqOpts, o => npmFetch(url, o))
     output.standard(`+${t}: ${spec.name}@${version}`)
   }
 
@@ -145,7 +145,7 @@ class DistTag extends BaseCommand {
       method: 'DELETE',
       spec,
     }
-    await otplease(this.npm, reqOpts, o => regFetch(url, o))
+    await otplease(this.npm, reqOpts, o => npmFetch(url, o))
     output.standard(`-${tag}: ${spec.name}@${version}`)
   }
 
@@ -191,7 +191,7 @@ class DistTag extends BaseCommand {
   }
 
   async fetchTags (spec, opts) {
-    const data = await regFetch.json(
+    const data = await npmFetch.json(
       `/-/package/${spec.escapedName}/dist-tags`,
       { ...opts, 'prefer-online': true, spec }
     )

@@ -1,6 +1,6 @@
 const cacache = require('cacache')
 const { access, lstat, readdir, constants: { R_OK, W_OK, X_OK } } = require('node:fs/promises')
-const fetch = require('make-fetch-happen')
+const npmFetch = require('make-fetch-happen')
 const which = require('which')
 const pacote = require('pacote')
 const { resolve } = require('node:path')
@@ -166,7 +166,7 @@ class Doctor extends BaseCommand {
     const currentRange = `^${current}`
     const url = 'https://nodejs.org/dist/index.json'
     log.info('doctor', 'Getting Node.js release information')
-    const res = await fetch(url, { method: 'GET', ...this.npm.flatOptions })
+    const res = await npmFetch(url, { method: 'GET', ...this.npm.flatOptions })
     const data = await res.json()
     let maxCurrent = '0.0.0'
     let maxLTS = '0.0.0'

@@ -120,7 +120,7 @@ class Publish extends BaseCommand {
     const isDefaultTag = this.npm.config.isDefault('tag')
 
     if (isPreRelease && isDefaultTag) {
-      throw new Error('You must specify a tag using --tag when publishing a prerelease version')
+      throw new Error('You must specify a tag using --tag when publishing a prerelease version.')
     }
 
     // If we are not in JSON mode then we show the user the contents of the tarball
@@ -157,6 +157,14 @@ class Publish extends BaseCommand {
       }
     }
 
+    const latestVersion = await this.#latestPublishedVersion(resolved, registry)
+    const latestSemverIsGreater = !!latestVersion && semver.gte(latestVersion, manifest.version)
+
+    if (latestSemverIsGreater && isDefaultTag) {
+      /* eslint-disable-next-line max-len */
+      throw new Error(`Cannot implicitly apply the "latest" tag because published version ${latestVersion} is higher than the new version ${manifest.version}. You must specify a tag using --tag.`)
+    }
+
     const access = opts.access === null ? 'default' : opts.access
     let msg = `Publishing to ${outputRegistry} with tag ${defaultTag} and ${access} access`
     if (dryRun) {
@@ -196,6 +204,28 @@ class Publish extends BaseCommand {
     }
   }
 
+  async #latestPublishedVersion (spec, registry) {
+    try {
+      const packument = await pacote.packument(spec, {
+        ...this.npm.flatOptions,
+        preferOnline: true,
+        registry,
+      })
+      if (typeof packument?.versions === 'undefined') {
+        return null
+      }
+      const ordered = Object.keys(packument?.versions)
+        .flatMap(v => {
+          const s = new semver.SemVer(v)
+          return s.prerelease.length > 0 ? [] : s
+        })
+        .sort((a, b) => b.compare(a))
+      return ordered.length >= 1 ? ordered[0].version : null
+    } catch (e) {
+      return null
+    }
+  }
+
   // if it's a directory, read it from the file system
   // otherwise, get the full metadata from whatever it is
   // XXX can't pacote read the manifest from a directory?

@@ -1,4 +1,4 @@
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 const npa = require('npm-package-arg')
 const { log, output } = require('proc-log')
 const getIdentity = require('../utils/get-identity')
@@ -32,7 +32,7 @@ class Star extends BaseCommand {
     const username = await getIdentity(this.npm, this.npm.flatOptions)
 
     for (const pkg of pkgs) {
-      const fullData = await fetch.json(pkg.escapedName, {
+      const fullData = await npmFetch.json(pkg.escapedName, {
         ...this.npm.flatOptions,
         spec: pkg,
         query: { write: true },
@@ -55,7 +55,7 @@ class Star extends BaseCommand {
         log.verbose('unstar', 'unstarring', body)
       }
 
-      const data = await fetch.json(pkg.escapedName, {
+      const data = await npmFetch.json(pkg.escapedName, {
         ...this.npm.flatOptions,
         spec: pkg,
         method: 'PUT',

@@ -1,4 +1,4 @@
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 const { log, output } = require('proc-log')
 const getIdentity = require('../utils/get-identity.js')
 const BaseCommand = require('../base-cmd.js')
@@ -16,7 +16,7 @@ class Stars extends BaseCommand {
         user = await getIdentity(this.npm, this.npm.flatOptions)
       }
 
-      const { rows } = await fetch.json('/-/_view/starredByUser', {
+      const { rows } = await npmFetch.json('/-/_view/starredByUser', {
         ...this.npm.flatOptions,
         query: { key: `"${user}"` },
       })

@@ -1,7 +1,7 @@
 // ping the npm registry
 // used by the ping and doctor commands
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 module.exports = async (flatOptions) => {
-  const res = await fetch('/-/ping', { ...flatOptions, cache: false })
+  const res = await npmFetch('/-/ping', { ...flatOptions, cache: false })
   return res.json().catch(() => ({}))
 }
@@ -1,4 +1,4 @@
-const fetch = require('npm-registry-fetch')
+const npmFetch = require('npm-registry-fetch')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
 const pacote = require('pacote')
@@ -202,7 +202,7 @@ class VerifySignatures {
 
     // If keys not found in Sigstore TUF repo, fallback to registry keys API
     if (!keys) {
-      keys = await fetch.json('/-/npm/v1/keys', {
+      keys = await npmFetch.json('/-/npm/v1/keys', {
         ...this.npm.flatOptions,
         registry,
       }).then(({ keys: ks }) => ks.map((key) => ({
@@ -253,7 +253,7 @@ class VerifySignatures {
   }
 
   getSpecRegistry (spec) {
-    return fetch.pickRegistry(spec, this.npm.flatOptions)
+    return npmFetch.pickRegistry(spec, this.npm.flatOptions)
   }
 
   getValidPackageInfo (edge) {

@@ -351,13 +351,30 @@ class MockRegistry {
   }
 
   // full unpublish of an entire package
-  async unpublish ({ manifest }) {
+  unpublish ({ manifest }) {
     let nock = this.nock
     const spec = npa(manifest.name)
     nock = nock.delete(this.fullPath(`/${spec.escapedName}/-rev/${manifest._rev}`)).reply(201)
     return nock
   }
 
+  publish (name, {
+    packageJson, access, noPut, putCode, manifest, packuments,
+  } = {}) {
+    // this getPackage call is used to get the latest semver version before publish
+    if (manifest) {
+      this.getPackage(name, { code: 200, resp: manifest })
+    } else if (packuments) {
+      this.getPackage(name, { code: 200, resp: this.manifest({ name, packuments }) })
+    } else {
+      // assumes the package does not exist yet and will 404 x2 from pacote.manifest
+      this.getPackage(name, { times: 2, code: 404 })
+    }
+    if (!noPut) {
+      this.putPackage(name, { code: putCode, packageJson, access })
+    }
+  }
+
   getPackage (name, { times = 1, code = 200, query, resp = {} }) {
     let nock = this.nock
     nock = nock.get(`/${npa(name).escapedName}`).times(times)
@@ -372,6 +389,48 @@ class MockRegistry {
     this.nock = nock
   }
 
+  putPackage (name, { code = 200, resp = {}, ...putPackagePayload }) {
+    this.nock.put(`/${npa(name).escapedName}`, body => {
+      return this.#tap.match(body, this.putPackagePayload({ name, ...putPackagePayload }))
+    }).reply(code, resp)
+  }
+
+  putPackagePayload (opts) {
+    const pkg = opts.packageJson
+    const name = opts.name || pkg?.name
+    const registry = opts.registry || pkg?.publishConfig?.registry || 'https://registry.npmjs.org'
+    const access = opts.access || null
+
+    const nameProperties = !name ? {} : {
+      _id: name,
+      name: name,
+    }
+
+    const packageProperties = !pkg ? {} : {
+      'dist-tags': { latest: pkg.version },
+      versions: {
+        [pkg.version]: {
+          _id: `${pkg.name}@${pkg.version}`,
+          dist: {
+            shasum: /\.*/,
+            tarball:
+    `http://${new URL(registry).host}/${pkg.name}/-/${pkg.name}-${pkg.version}.tgz`,
+          },
+          ...pkg,
+        },
+      },
+      _attachments: {
+        [`${pkg.name}-${pkg.version}.tgz`]: {},
+      },
+    }
+
+    return {
+      access,
+      ...nameProperties,
+      ...packageProperties,
+    }
+  }
+
   getTokens (tokens) {
     return this.nock.get('/-/npm/v1/tokens')
       .reply(200, {

@@ -73,7 +73,9 @@ const getCleanPaths = async () => {
   })
 }
 
-module.exports = async (t, { testdir = {}, debug, mockRegistry = true, useProxy = false } = {}) => {
+module.exports = async (t, {
+  testdir = {}, debug, mockRegistry = true, strictRegistryNock = true, useProxy = false,
+} = {}) => {
   const debugLog = debug || CI ? (...a) => t.comment(...a) : () => {}
   debugLog({ SMOKE_PUBLISH_TARBALL, CI })
 
@@ -103,7 +105,7 @@ module.exports = async (t, { testdir = {}, debug, mockRegistry = true, useProxy
     tap: t,
     registry: MOCK_REGISTRY,
     debug,
-    strict: true,
+    strict: strictRegistryNock,
   })
 
   const proxyEnv = {}

@@ -103,6 +103,7 @@ t.test('publish and replace global self', async t => {
     getPaths,
     paths: { globalBin, globalNodeModules, cache },
   } = await setupNpmGlobal(t, {
+    strictRegistryNock: false,
     testdir: {
       home: {
         '.npmrc': `//${setup.MOCK_REGISTRY.host}/:_authToken = test-token`,

@@ -292,12 +292,26 @@ const setupMockNpm = async (t, {
 
 const loadNpmWithRegistry = async (t, opts) => {
   const mock = await setupMockNpm(t, opts)
+  return {
+    ...mock,
+    ...loadRegistry(t, mock, opts),
+    ...loadFsAssertions(t, mock),
+  }
+}
+
+const loadRegistry = (t, mock, opts) => {
   const registry = new MockRegistry({
     tap: t,
-    registry: mock.npm.config.get('registry'),
-    strict: true,
+    registry: opts.registry ?? mock.npm.config.get('registry'),
+    authorization: opts.authorization,
+    basic: opts.basic,
+    debug: opts.debugRegistry ?? false,
+    strict: opts.strictRegistryNock ?? true,
   })
+  return { registry }
+}
 
+const loadFsAssertions = (t, mock) => {
   const fileShouldExist = (filePath) => {
     t.equal(
       fsSync.existsSync(path.join(mock.npm.prefix, filePath)), true, `${filePath} should exist`
@@ -352,7 +366,7 @@ const loadNpmWithRegistry = async (t, opts) => {
     packageDirty,
   }
 
-  return { registry, assert, ...mock }
+  return { assert }
 }
 
 /** breaks down a spec "[email protected]" into different parts for mocking */