deps: pacote@21.4.0

wraithgar · wraithgar · commit 20ef5a5b6596 · 2026-02-24T15:08:12.000-08:00
diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
@@ -654,6 +654,7 @@ graph LR;
   npmcli-smoke-tests-->which;
   pacote-->cacache;
   pacote-->fs-minipass;
+  pacote-->gar-promise-retry["@gar/promise-retry"];
   pacote-->minipass;
   pacote-->npm-package-arg;
   pacote-->npm-packlist;
@@ -665,7 +666,6 @@ graph LR;
   pacote-->npmcli-promise-spawn["@npmcli/promise-spawn"];
   pacote-->npmcli-run-script["@npmcli/run-script"];
   pacote-->proc-log;
-  pacote-->promise-retry;
   pacote-->sigstore;
   pacote-->ssri;
   pacote-->tar;
diff --git a/node_modules/pacote/lib/fetcher.js b/node_modules/pacote/lib/fetcher.js
@@ -10,7 +10,7 @@ const cacache = require('cacache')
 const fsm = require('fs-minipass')
 const getContents = require('@npmcli/installed-package-contents')
 const npa = require('npm-package-arg')
-const retry = require('promise-retry')
+const { promiseRetry } = require('@gar/promise-retry')
 const ssri = require('ssri')
 const tar = require('tar')
 const { Minipass } = require('minipass')
@@ -319,7 +319,7 @@ class FetcherBase {
           this.spec
         }. Extracting by manifest.`)
       }
-      return this.resolve().then(() => retry(tryAgain =>
+      return this.resolve().then(() => promiseRetry(tryAgain =>
         streamHandler(this.#istream(this[_.tarballFromResolved]()))
           .catch(streamErr => {
           // Most likely data integrity.  A cache ENOENT error is unlikely
@@ -502,6 +502,7 @@ FetcherBase.get = (rawSpec, opts = {}) => {
     case 'range':
     case 'tag':
     case 'alias':
+      canUse({ allow: opts.allowRegistry, isRoot: opts._isRoot, allowType: 'registry', spec })
       return new RegistryFetcher(spec.subSpec || spec, opts)
 
     case 'file':
diff --git a/node_modules/pacote/lib/registry.js b/node_modules/pacote/lib/registry.js
@@ -229,7 +229,7 @@ class RegistryFetcher extends Fetcher {
         if (this.opts.verifyAttestations) {
           // Always fetch attestations from the current registry host
           const attestationsPath = new URL(dist.attestations.url).pathname
-          const attestationsUrl = removeTrailingSlashes(this.registry) + attestationsPath
+          const attestationsUrl = new URL(attestationsPath, this.registry).href
           const res = await fetch(attestationsUrl, {
             ...this.opts,
             // disable integrity check for attestations json payload, we check the
@@ -256,7 +256,10 @@ class RegistryFetcher extends Fetcher {
           const attestationKeyIds = bundles.map((b) => b.keyid).filter((k) => !!k)
           const attestationRegistryKeys = (this.registryKeys || [])
             .filter(key => attestationKeyIds.includes(key.keyid))
-          if (!attestationRegistryKeys.length) {
+          // Only require registry keys when there are keyed attestations.
+          // Keyless (Sigstore/Fulcio) attestations embed their signing
+          // certificate in the bundle and don't need registry keys.
+          if (attestationKeyIds.length > 0 && !attestationRegistryKeys.length) {
             throw Object.assign(new Error(
               `${mani._id} has attestations but no corresponding public key(s) can be found`
             ), { code: 'EMISSINGSIGNATUREKEY' })
diff --git a/node_modules/pacote/package.json b/node_modules/pacote/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "21.3.1",
+  "version": "21.4.0",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -46,6 +46,7 @@
     "git"
   ],
   "dependencies": {
+    "@gar/promise-retry": "^1.0.0",
     "@npmcli/git": "^7.0.0",
     "@npmcli/installed-package-contents": "^4.0.0",
     "@npmcli/package-json": "^7.0.0",
@@ -59,7 +60,6 @@
     "npm-pick-manifest": "^11.0.1",
     "npm-registry-fetch": "^19.0.0",
     "proc-log": "^6.0.0",
-    "promise-retry": "^2.0.1",
     "sigstore": "^4.0.0",
     "ssri": "^13.0.0",
     "tar": "^7.4.3"
diff --git a/package-lock.json b/package-lock.json
@@ -133,7 +133,7 @@
         "npm-registry-fetch": "^19.1.1",
         "npm-user-validate": "^4.0.0",
         "p-map": "^7.0.4",
-        "pacote": "^21.3.1",
+        "pacote": "^21.4.0",
         "parse-conflict-json": "^5.0.1",
         "proc-log": "^6.1.0",
         "qrcode-terminal": "^0.12.0",
@@ -1181,6 +1181,7 @@
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/@gar/promise-retry/-/promise-retry-1.0.0.tgz",
       "integrity": "sha512-KcKKfklNXm3lop072VT58NnhnZYmMJmgKps9aqRT58tRDt939lnBT0frYR052xDpX6kdQB4AU05l/P3LU7dZxg==",
+      "inBundle": true,
       "license": "MIT",
       "dependencies": {
         "retry": "^0.13.1"
@@ -1193,6 +1194,7 @@
       "version": "0.13.1",
       "resolved": "https://registry.npmjs.org/retry/-/retry-0.13.1.tgz",
       "integrity": "sha512-XQBQ3I8W1Cge0Seh+6gjj03LbmRFWuoszgK9ooCpwYIrhhoO80pfq4cUkU5DkknwfOfFteRwlZ56PYOGYyFWdg==",
+      "inBundle": true,
       "license": "MIT",
       "engines": {
         "node": ">= 4"
@@ -9103,12 +9105,13 @@
       "license": "BlueOak-1.0.0"
     },
     "node_modules/pacote": {
-      "version": "21.3.1",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.3.1.tgz",
-      "integrity": "sha512-O0EDXi85LF4AzdjG74GUwEArhdvawi/YOHcsW6IijKNj7wm8IvEWNF5GnfuxNpQ/ZpO3L37+v8hqdVh8GgWYhg==",
+      "version": "21.4.0",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-21.4.0.tgz",
+      "integrity": "sha512-DR7mn7HUOomAX1BORnpYy678qVIidbvOojkBscqy27dRKN+s/hLeQT1MeYYrx1Cxh62jyKjiWiDV7RTTqB+ZEQ==",
       "inBundle": true,
       "license": "ISC",
       "dependencies": {
+        "@gar/promise-retry": "^1.0.0",
         "@npmcli/git": "^7.0.0",
         "@npmcli/installed-package-contents": "^4.0.0",
         "@npmcli/package-json": "^7.0.0",
@@ -9122,7 +9125,6 @@
         "npm-pick-manifest": "^11.0.1",
         "npm-registry-fetch": "^19.0.0",
         "proc-log": "^6.0.0",
-        "promise-retry": "^2.0.1",
         "sigstore": "^4.0.0",
         "ssri": "^13.0.0",
         "tar": "^7.4.3"
diff --git a/package.json b/package.json
@@ -101,7 +101,7 @@
     "npm-registry-fetch": "^19.1.1",
     "npm-user-validate": "^4.0.0",
     "p-map": "^7.0.4",
-    "pacote": "^21.3.1",
+    "pacote": "^21.4.0",
     "parse-conflict-json": "^5.0.1",
     "proc-log": "^6.1.0",
     "qrcode-terminal": "^0.12.0",
