deps: pacote@17.0.5

Author: wraithgar

node_modules/pacote/lib/registry.js

@@ -14,6 +14,10 @@ const sigstore = require('sigstore')
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
 const fullDoc = 'application/json'
 
+// Some really old packages have no time field in their packument so we need a
+// cutoff date.
+const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'
+
 const fetch = require('npm-registry-fetch')
 
 const _headers = Symbol('_headers')
@@ -115,6 +119,13 @@ class RegistryFetcher extends Fetcher {
       return this.package
     }
 
+    // When verifying signatures, we need to fetch the full/uncompressed
+    // packument to get publish time as this is not included in the
+    // corgi/compressed packument.
+    if (this.opts.verifySignatures) {
+      this.fullMetadata = true
+    }
+
     const packument = await this.packument()
     let mani = await pickManifest(packument, this.spec.fetchSpec, {
       ...this.opts,
@@ -124,6 +135,12 @@ class RegistryFetcher extends Fetcher {
     mani = rpj.normalize(mani)
     /* XXX add ETARGET and E403 revalidation of cached packuments here */
 
+    // add _time from packument if fetched with fullMetadata
+    const time = packument.time?.[mani.version]
+    if (time) {
+      mani._time = time
+    }
+
     // add _resolved and _integrity from dist object
     const { dist } = mani
     if (dist) {
@@ -171,8 +188,10 @@ class RegistryFetcher extends Fetcher {
                   'but no corresponding public key can be found'
               ), { code: 'EMISSINGSIGNATUREKEY' })
             }
-            const validPublicKey =
-              !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+
+            const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF)
+            const validPublicKey = !publicKey.expires ||
+              publishedTime < Date.parse(publicKey.expires)
             if (!validPublicKey) {
               throw Object.assign(new Error(
                   `${mani._id} has a registry signature with keyid: ${signature.keyid} ` +
@@ -254,8 +273,13 @@ class RegistryFetcher extends Fetcher {
                 ), { code: 'EMISSINGSIGNATUREKEY' })
               }
 
-              const validPublicKey =
-                !publicKey.expires || (Date.parse(publicKey.expires) > Date.now())
+              const integratedTime = new Date(
+                Number(
+                  bundle.verificationMaterial.tlogEntries[0].integratedTime
+                ) * 1000
+              )
+              const validPublicKey = !publicKey.expires ||
+                (integratedTime < Date.parse(publicKey.expires))
               if (!validPublicKey) {
                 throw Object.assign(new Error(
                   `${mani._id} has attestations with keyid: ${keyid} ` +

node_modules/pacote/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pacote",
-  "version": "17.0.4",
+  "version": "17.0.5",
   "description": "JavaScript package downloader",
   "author": "GitHub Inc.",
   "bin": {
@@ -25,9 +25,9 @@
     ]
   },
   "devDependencies": {
-    "@npmcli/arborist": "^6.0.0 || ^6.0.0-pre.0",
+    "@npmcli/arborist": "^7.1.0",
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.18.0",
+    "@npmcli/template-oss": "4.19.0",
     "hosted-git-info": "^7.0.0",
     "mutate-fs": "^2.1.1",
     "nock": "^13.2.4",
@@ -72,13 +72,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "ciVersions": [
-      "16.14.0",
-      "16.x",
-      "18.0.0",
-      "18.x"
-    ],
-    "version": "4.18.0",
+    "version": "4.19.0",
     "windowsCI": false,
     "publish": "true"
   }

package-lock.json

@@ -143,7 +143,7 @@
         "npm-user-validate": "^2.0.0",
         "npmlog": "^7.0.1",
         "p-map": "^4.0.0",
-        "pacote": "^17.0.4",
+        "pacote": "^17.0.5",
         "parse-conflict-json": "^3.0.1",
         "proc-log": "^3.0.0",
         "qrcode-terminal": "^0.12.0",
@@ -12471,9 +12471,9 @@
       }
     },
     "node_modules/pacote": {
-      "version": "17.0.4",
-      "resolved": "https://registry.npmjs.org/pacote/-/pacote-17.0.4.tgz",
-      "integrity": "sha512-eGdLHrV/g5b5MtD5cTPyss+JxOlaOloSMG3UwPMAvL8ywaLJ6beONPF40K4KKl/UI6q5hTKCJq5rCu8tkF+7Dg==",
+      "version": "17.0.5",
+      "resolved": "https://registry.npmjs.org/pacote/-/pacote-17.0.5.tgz",
+      "integrity": "sha512-TAE0m20zSDMnchPja9vtQjri19X3pZIyRpm2TJVeI+yU42leJBBDTRYhOcWFsPhaMxf+3iwQkFiKz16G9AEeeA==",
       "inBundle": true,
       "dependencies": {
         "@npmcli/git": "^5.0.0",

package.json

@@ -105,7 +105,7 @@
     "npm-user-validate": "^2.0.0",
     "npmlog": "^7.0.1",
     "p-map": "^4.0.0",
-    "pacote": "^17.0.4",
+    "pacote": "^17.0.5",
     "parse-conflict-json": "^3.0.1",
     "proc-log": "^3.0.0",
     "qrcode-terminal": "^0.12.0",