diff --git a/deps/npm/docs/content/commands/npm-approve-scripts.md b/deps/npm/docs/content/commands/npm-approve-scripts.md
index a89a250a769dc1..c4d3c15a8149f2 100644
--- a/deps/npm/docs/content/commands/npm-approve-scripts.md
+++ b/deps/npm/docs/content/commands/npm-approve-scripts.md
@@ -59,6 +59,14 @@ the command cannot infer. Existing `false` entries always win;
`approve-scripts` will not silently re-allow a package you previously
denied.
+If a registry dependency has no `resolved` URL in your `package-lock.json`
+(for example, an older lockfile or one written with
+`omit-lockfile-registry-resolved`), npm cannot verify a trusted version for
+it and cannot pin it: a `pkg@1.2.3` entry never matches, so the package
+keeps appearing under `--allow-scripts-pending`. `approve-scripts` approves
+these by name (`pkg: true`) and warns when it does. To restore pinning,
+refresh the lockfile with `npm install`.
+
### Examples
```bash
diff --git a/deps/npm/docs/content/commands/npm-ci.md b/deps/npm/docs/content/commands/npm-ci.md
index bc460070459604..741caf5eae7026 100644
--- a/deps/npm/docs/content/commands/npm-ci.md
+++ b/deps/npm/docs/content/commands/npm-ci.md
@@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -298,6 +306,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
diff --git a/deps/npm/docs/content/commands/npm-dedupe.md b/deps/npm/docs/content/commands/npm-dedupe.md
index 8186ee2c1f31c7..a48bf1bd622e5c 100644
--- a/deps/npm/docs/content/commands/npm-dedupe.md
+++ b/deps/npm/docs/content/commands/npm-dedupe.md
@@ -74,8 +74,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
diff --git a/deps/npm/docs/content/commands/npm-exec.md b/deps/npm/docs/content/commands/npm-exec.md
index 13a0939209a5ea..ff08d07786a8d3 100644
--- a/deps/npm/docs/content/commands/npm-exec.md
+++ b/deps/npm/docs/content/commands/npm-exec.md
@@ -194,6 +194,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
diff --git a/deps/npm/docs/content/commands/npm-find-dupes.md b/deps/npm/docs/content/commands/npm-find-dupes.md
index 52bb59b9f81b57..2d72186fe5a22e 100644
--- a/deps/npm/docs/content/commands/npm-find-dupes.md
+++ b/deps/npm/docs/content/commands/npm-find-dupes.md
@@ -25,8 +25,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
diff --git a/deps/npm/docs/content/commands/npm-install-ci-test.md b/deps/npm/docs/content/commands/npm-install-ci-test.md
index 4528f63dfe28e8..2194a4df84a80c 100644
--- a/deps/npm/docs/content/commands/npm-install-ci-test.md
+++ b/deps/npm/docs/content/commands/npm-install-ci-test.md
@@ -27,8 +27,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -251,6 +259,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
diff --git a/deps/npm/docs/content/commands/npm-install-scripts.md b/deps/npm/docs/content/commands/npm-install-scripts.md
new file mode 100644
index 00000000000000..4182392c9a3d1e
--- /dev/null
+++ b/deps/npm/docs/content/commands/npm-install-scripts.md
@@ -0,0 +1,166 @@
+---
+title: npm-install-scripts
+section: 1
+description: Manage install-script approvals for dependencies
+---
+
+### Synopsis
+
+```bash
+npm install-scripts approve [ ...]
+npm install-scripts approve --all
+npm install-scripts deny [ ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+```
+
+Note: This command is unaware of workspaces.
+
+### Description
+
+Manages the `allowScripts` field in your project's `package.json`, which
+records which of your dependencies are permitted to run install scripts
+(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
+sources). This is the recommended way to maintain that field.
+
+Dependency install scripts are blocked by default. Install commands
+silently skip lifecycle scripts for any dependency that does not have a
+matching entry in `allowScripts`, and end with a list of the packages
+whose scripts were skipped so you can review them here.
+
+This command only works inside a project that has a `package.json`. Running
+it with `--global` (`-g`) fails with an `EGLOBAL` error, since global
+installs (`npm install -g`) and one-off executions (`npm exec` / `npx`) have
+no project `package.json` to write to. To allow install scripts in those
+contexts, use the `--allow-scripts` flag at install time (for example
+`npm install -g --allow-scripts=canvas,sharp`) or persist the setting with
+`npm config set allow-scripts=canvas,sharp --location=user`.
+
+There are four subcommands:
+
+```bash
+npm install-scripts approve [ ...]
+npm install-scripts approve --all
+npm install-scripts deny [ ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+```
+
+`approve` allows install scripts for the named packages. `` matches
+every installed version of that package. By default it writes pinned entries
+(`pkg@1.2.3`), which keep their approval narrowed to the specific version you
+reviewed. Pass `--no-allow-scripts-pin` to write name-only entries that allow
+any future version. `--all` approves every package with unreviewed install
+scripts in one go.
+
+`deny` records an explicit denial for the named packages (a name-only `false`
+entry), which survives `npm install-scripts approve --all` and excludes the
+package from any future blanket approval. `--all` denies every package with
+unreviewed install scripts.
+
+`ls` is read-only: it lists every package whose install scripts are not yet
+covered by `allowScripts`, without modifying `package.json`.
+
+`prune` removes `allowScripts` entries that no longer match an installed
+package with an install script, either because the package is no longer
+installed (a transitive dependency changed, or a pinned `pkg@1.2.3` was
+upgraded) or because it no longer has an install script. Both approvals
+(`true`) and denials (`false`) are removed. It edits only the `allowScripts`
+field in `package.json`, never `.npmrc` or `--allow-scripts`. Pass `--dry-run`
+to preview without writing. Unparseable keys are left alone.
+
+`approve` honours the asymmetric pin rule: if you re-approve a package whose
+installed version has changed, the existing pin is rewritten to track the new
+installed version. Multi-version statements (`pkg@1 || 2`) are left alone,
+since they likely capture intent that the command cannot infer. Existing
+`false` entries always win; `approve` will not silently re-allow a package you
+previously denied.
+
+The standalone commands [`npm approve-scripts`](/commands/npm-approve-scripts)
+and [`npm deny-scripts`](/commands/npm-deny-scripts) are aliases for
+`npm install-scripts approve` and `npm install-scripts deny`.
+
+### Examples
+
+```bash
+# Approve all currently-installed install scripts after reviewing them
+npm install-scripts approve --all
+
+# Approve specific packages, pinned to their installed version
+npm install-scripts approve canvas sharp
+
+# Deny a package so it stays blocked
+npm install-scripts deny telemetry-pkg
+
+# Preview which packages still need review
+npm install-scripts ls
+
+# Preview stale allowScripts entries, then remove them
+npm install-scripts prune --dry-run
+npm install-scripts prune
+```
+
+### Configuration
+
+#### `all`
+
+* Default: false
+* Type: Boolean
+
+Show or act on all packages, not just the ones your project directly depends
+on. For `npm outdated` and `npm ls` this lists every outdated or installed
+package. For `npm approve-scripts` and `npm deny-scripts` it selects every
+package with pending install scripts.
+
+
+
+#### `allow-scripts-pin`
+
+* Default: true
+* Type: Boolean
+
+Write pinned (`pkg@version`) entries when approving install scripts. Set to
+`false` to write name-only entries that allow any version. Has no effect on
+`npm deny-scripts`, which always writes name-only entries regardless of this
+setting.
+
+
+
+#### `dry-run`
+
+* Default: false
+* Type: Boolean
+
+Indicates that you don't want npm to make any changes and that it should
+only report what it would have done. This can be passed into any of the
+commands that modify your local installation, eg, `install`, `update`,
+`dedupe`, `uninstall`, as well as `pack` and `publish`.
+
+Note: This is NOT honored by other network related commands, eg `dist-tags`,
+`owner`, etc.
+
+
+
+#### `json`
+
+* Default: false
+* Type: Boolean
+
+Whether or not to output JSON data, rather than the normal output.
+
+* In `npm pkg set` it enables parsing set values with JSON.parse() before
+ saving them to your `package.json`.
+
+Not supported by all npm commands.
+
+
+
+### See Also
+
+* [npm approve-scripts](/commands/npm-approve-scripts)
+* [npm deny-scripts](/commands/npm-deny-scripts)
+* [npm install](/commands/npm-install)
+* [npm rebuild](/commands/npm-rebuild)
+* [package.json](/configuring-npm/package-json)
diff --git a/deps/npm/docs/content/commands/npm-install-test.md b/deps/npm/docs/content/commands/npm-install-test.md
index 44de058c56aa05..e13f79a51e6f18 100644
--- a/deps/npm/docs/content/commands/npm-install-test.md
+++ b/deps/npm/docs/content/commands/npm-install-test.md
@@ -68,8 +68,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -328,6 +336,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
@@ -375,6 +387,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -397,6 +413,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
diff --git a/deps/npm/docs/content/commands/npm-install.md b/deps/npm/docs/content/commands/npm-install.md
index 5bd36c1fa45320..98d69d5e842451 100644
--- a/deps/npm/docs/content/commands/npm-install.md
+++ b/deps/npm/docs/content/commands/npm-install.md
@@ -410,8 +410,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -670,6 +678,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
@@ -717,6 +729,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -739,6 +755,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
diff --git a/deps/npm/docs/content/commands/npm-link.md b/deps/npm/docs/content/commands/npm-link.md
index 37efda66408fbd..fa9626c4edd804 100644
--- a/deps/npm/docs/content/commands/npm-link.md
+++ b/deps/npm/docs/content/commands/npm-link.md
@@ -138,8 +138,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
diff --git a/deps/npm/docs/content/commands/npm-ls.md b/deps/npm/docs/content/commands/npm-ls.md
index ae8e64ada95551..fba77fd01cffaf 100644
--- a/deps/npm/docs/content/commands/npm-ls.md
+++ b/deps/npm/docs/content/commands/npm-ls.md
@@ -23,7 +23,7 @@ Note that nested packages will *also* show the paths to the specified packages.
For example, running `npm ls promzard` in npm's source tree will show:
```bash
-npm@11.17.0 /path/to/npm
+npm@11.18.0 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
```
diff --git a/deps/npm/docs/content/commands/npm-outdated.md b/deps/npm/docs/content/commands/npm-outdated.md
index 1f368132c465a5..40f7e835a68a51 100644
--- a/deps/npm/docs/content/commands/npm-outdated.md
+++ b/deps/npm/docs/content/commands/npm-outdated.md
@@ -172,6 +172,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -194,6 +198,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
diff --git a/deps/npm/docs/content/commands/npm-query.md b/deps/npm/docs/content/commands/npm-query.md
index 83ea73188f7f10..4349e47ad23e06 100644
--- a/deps/npm/docs/content/commands/npm-query.md
+++ b/deps/npm/docs/content/commands/npm-query.md
@@ -284,6 +284,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -306,6 +310,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
diff --git a/deps/npm/docs/content/commands/npm-rebuild.md b/deps/npm/docs/content/commands/npm-rebuild.md
index 18b1d37c779956..c70307a2a7fe2d 100644
--- a/deps/npm/docs/content/commands/npm-rebuild.md
+++ b/deps/npm/docs/content/commands/npm-rebuild.md
@@ -136,6 +136,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
diff --git a/deps/npm/docs/content/commands/npm-update.md b/deps/npm/docs/content/commands/npm-update.md
index ee61e27dcda0e6..317f85f7d0dbd6 100644
--- a/deps/npm/docs/content/commands/npm-update.md
+++ b/deps/npm/docs/content/commands/npm-update.md
@@ -177,8 +177,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -338,6 +346,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `dangerously-allow-all-scripts`
@@ -385,6 +397,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -407,6 +423,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
diff --git a/deps/npm/docs/content/commands/npm.md b/deps/npm/docs/content/commands/npm.md
index d924d23c0ece0e..088553c6ffc486 100644
--- a/deps/npm/docs/content/commands/npm.md
+++ b/deps/npm/docs/content/commands/npm.md
@@ -14,7 +14,7 @@ Note: This command is unaware of workspaces.
### Version
-11.17.0
+11.18.0
### Description
diff --git a/deps/npm/docs/content/using-npm/config.md b/deps/npm/docs/content/using-npm/config.md
index 6bbb68fdf56528..5d951493e8a1c1 100644
--- a/deps/npm/docs/content/using-npm/config.md
+++ b/deps/npm/docs/content/using-npm/config.md
@@ -349,6 +349,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with `min-release-age`, when this cutoff blocks a fix that `npm audit
+fix` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -1029,8 +1033,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use `--install-strategy=linked` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+`import` of a package that was never added to `package.json` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -1224,6 +1236,12 @@ your `.npmrc` is preserved when npm internally spawns a sub-process with
apply, `before` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops `npm audit fix` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+`min-release-age-exclude`, or relax `min-release-age` or `before`.
+
Packages whose names match `min-release-age-exclude` are exempt from this
filter.
@@ -1620,7 +1638,14 @@ registry (https://registry.npmjs.org) to the configured registry. If set to
"never", then use the registry value. If set to "always", then replace the
registry host with the configured host every time.
-You may also specify a bare hostname (e.g., "registry.npmjs.org").
+You may also specify a bare hostname (e.g., "registry.npmjs.org") to only
+replace URLs coming from that host.
+
+You may also specify a full URL including a path (e.g.,
+"https://old-registry.example.com/npm/path"). In that case, resolved URLs
+whose host and path begin with that prefix will have the entire prefix
+replaced with the configured registry URL (host and path), without
+duplicating path segments.
@@ -1877,6 +1902,10 @@ silently skipped; this setting only affects unreviewed entries.
`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching `os`, `cpu`, or `libc`) are not flagged, because
+their install scripts never run.
+
#### `strict-peer-deps`
diff --git a/deps/npm/docs/content/using-npm/developers.md b/deps/npm/docs/content/using-npm/developers.md
index de0cb848c59ff4..b1fff0e3894f30 100644
--- a/deps/npm/docs/content/using-npm/developers.md
+++ b/deps/npm/docs/content/using-npm/developers.md
@@ -171,6 +171,24 @@ to install it locally into the node_modules folder in that other place.
Then go into the node-repl, and try using require("my-thing") to bring in your module's main module.
+#### Catching undeclared ("phantom") dependencies
+
+Under the default hoisted `node_modules` layout, your package can `import` a dependency it never declared and still resolve it.
+A transitive dependency hoisted alongside it, or your workspace root's `node_modules`, happens to satisfy the `import`.
+That undeclared ("phantom") dependency passes your own build silently, then fails for anyone who installs your package on its own.
+
+We recommend developing your package under [`install-strategy=linked`](/using-npm/config#install-strategy).
+The isolated layout only exposes a package's *declared* dependencies, so an `import` of an undeclared package fails for you during development instead of resolving by accident, shipping broken, and failing for your users:
+
+```bash
+npm install --install-strategy=linked
+npm test
+```
+
+> **Note:** This doesn't catch every case.
+> A dependency that's still satisfied at your build by a `devDependency` or by your workspace root's `node_modules` can resolve fine for you and still be missing for whoever installs your package.
+> So treat it as one check, not a guarantee, alongside auditing the dependencies your published package actually uses.
+
### Create a User Account
Create a user with the adduser command.
diff --git a/deps/npm/docs/output/commands/npm-access.html b/deps/npm/docs/output/commands/npm-access.html
index fd3ccdbdf886aa..13475a5d16f425 100644
--- a/deps/npm/docs/output/commands/npm-access.html
+++ b/deps/npm/docs/output/commands/npm-access.html
@@ -186,9 +186,9 @@
-
+
npm-access
- @11.17.0
+ @11.18.0
Set access level on published packages
diff --git a/deps/npm/docs/output/commands/npm-adduser.html b/deps/npm/docs/output/commands/npm-adduser.html
index 56679269f19860..e43659736fec33 100644
--- a/deps/npm/docs/output/commands/npm-adduser.html
+++ b/deps/npm/docs/output/commands/npm-adduser.html
@@ -186,9 +186,9 @@
-
+
npm-adduser
- @11.17.0
+ @11.18.0
Add a registry user account
diff --git a/deps/npm/docs/output/commands/npm-approve-scripts.html b/deps/npm/docs/output/commands/npm-approve-scripts.html
index 8d13f05fb30d4b..c3bc0172b5a4db 100644
--- a/deps/npm/docs/output/commands/npm-approve-scripts.html
+++ b/deps/npm/docs/output/commands/npm-approve-scripts.html
@@ -186,9 +186,9 @@
-
+
npm-approve-scripts
- @11.17.0
+ @11.18.0
Approve install scripts for specific dependencies
@@ -238,6 +238,13 @@ Description
the command cannot infer. Existing false entries always win;
approve-scripts will not silently re-allow a package you previously
denied.
+If a registry dependency has no resolved URL in your package-lock.json
+(for example, an older lockfile or one written with
+omit-lockfile-registry-resolved), npm cannot verify a trusted version for
+it and cannot pin it: a pkg@1.2.3 entry never matches, so the package
+keeps appearing under --allow-scripts-pending. approve-scripts approves
+these by name (pkg: true) and warns when it does. To restore pinning,
+refresh the lockfile with npm install.
Examples
# Approve all currently-installed install scripts after reviewing them
npm approve-scripts --all
diff --git a/deps/npm/docs/output/commands/npm-audit.html b/deps/npm/docs/output/commands/npm-audit.html
index e250ae85e00907..61042b6fbb07c0 100644
--- a/deps/npm/docs/output/commands/npm-audit.html
+++ b/deps/npm/docs/output/commands/npm-audit.html
@@ -186,9 +186,9 @@
-
+
npm-audit
- @11.17.0
+ @11.18.0
Run a security audit
diff --git a/deps/npm/docs/output/commands/npm-bugs.html b/deps/npm/docs/output/commands/npm-bugs.html
index 9d7cabb2eb07a9..660f011d1a0d9f 100644
--- a/deps/npm/docs/output/commands/npm-bugs.html
+++ b/deps/npm/docs/output/commands/npm-bugs.html
@@ -186,9 +186,9 @@
-
+
npm-bugs
- @11.17.0
+ @11.18.0
Report bugs for a package in a web browser
diff --git a/deps/npm/docs/output/commands/npm-cache.html b/deps/npm/docs/output/commands/npm-cache.html
index 49b091085717d2..553a38d06f42ab 100644
--- a/deps/npm/docs/output/commands/npm-cache.html
+++ b/deps/npm/docs/output/commands/npm-cache.html
@@ -186,9 +186,9 @@
-
+
npm-cache
- @11.17.0
+ @11.18.0
Manipulates packages cache
diff --git a/deps/npm/docs/output/commands/npm-ci.html b/deps/npm/docs/output/commands/npm-ci.html
index f01388a8be4ff3..3e61cba31beaa8 100644
--- a/deps/npm/docs/output/commands/npm-ci.html
+++ b/deps/npm/docs/output/commands/npm-ci.html
@@ -186,9 +186,9 @@
-
+
npm-ci
- @11.17.0
+ @11.18.0
Clean install a project
@@ -251,8 +251,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
@@ -419,6 +426,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
diff --git a/deps/npm/docs/output/commands/npm-completion.html b/deps/npm/docs/output/commands/npm-completion.html
index e0769eb5665c5a..d24da48ebb03ff 100644
--- a/deps/npm/docs/output/commands/npm-completion.html
+++ b/deps/npm/docs/output/commands/npm-completion.html
@@ -186,9 +186,9 @@
-
+
npm-completion
- @11.17.0
+ @11.18.0
Tab Completion for npm
diff --git a/deps/npm/docs/output/commands/npm-config.html b/deps/npm/docs/output/commands/npm-config.html
index 83b7a3b0eeab8c..a3c0dab2dee799 100644
--- a/deps/npm/docs/output/commands/npm-config.html
+++ b/deps/npm/docs/output/commands/npm-config.html
@@ -186,9 +186,9 @@
-
+
npm-config
- @11.17.0
+ @11.18.0
Manage the npm configuration files
diff --git a/deps/npm/docs/output/commands/npm-dedupe.html b/deps/npm/docs/output/commands/npm-dedupe.html
index 26065b3862e16c..fa8d4b7084379d 100644
--- a/deps/npm/docs/output/commands/npm-dedupe.html
+++ b/deps/npm/docs/output/commands/npm-dedupe.html
@@ -186,9 +186,9 @@
-
+
npm-dedupe
- @11.17.0
+ @11.18.0
Reduce duplication in the package tree
@@ -245,8 +245,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
diff --git a/deps/npm/docs/output/commands/npm-deny-scripts.html b/deps/npm/docs/output/commands/npm-deny-scripts.html
index 957193be87c446..4f7653c40173a6 100644
--- a/deps/npm/docs/output/commands/npm-deny-scripts.html
+++ b/deps/npm/docs/output/commands/npm-deny-scripts.html
@@ -186,9 +186,9 @@
-
+
npm-deny-scripts
- @11.17.0
+ @11.18.0
Deny install scripts for specific dependencies
diff --git a/deps/npm/docs/output/commands/npm-deprecate.html b/deps/npm/docs/output/commands/npm-deprecate.html
index b58d5388a985b9..30c4c912238480 100644
--- a/deps/npm/docs/output/commands/npm-deprecate.html
+++ b/deps/npm/docs/output/commands/npm-deprecate.html
@@ -186,9 +186,9 @@
-
+
npm-deprecate
- @11.17.0
+ @11.18.0
Deprecate a version of a package
diff --git a/deps/npm/docs/output/commands/npm-diff.html b/deps/npm/docs/output/commands/npm-diff.html
index a092efb1faf40c..6cf770360c1076 100644
--- a/deps/npm/docs/output/commands/npm-diff.html
+++ b/deps/npm/docs/output/commands/npm-diff.html
@@ -186,9 +186,9 @@
-
+
npm-diff
- @11.17.0
+ @11.18.0
The registry diff command
diff --git a/deps/npm/docs/output/commands/npm-dist-tag.html b/deps/npm/docs/output/commands/npm-dist-tag.html
index 2fc358fef37ca3..59985e4a43f316 100644
--- a/deps/npm/docs/output/commands/npm-dist-tag.html
+++ b/deps/npm/docs/output/commands/npm-dist-tag.html
@@ -186,9 +186,9 @@
-
+
npm-dist-tag
- @11.17.0
+ @11.18.0
Modify package distribution tags
diff --git a/deps/npm/docs/output/commands/npm-docs.html b/deps/npm/docs/output/commands/npm-docs.html
index 2eaade58d4d9ae..884f20d70d2f93 100644
--- a/deps/npm/docs/output/commands/npm-docs.html
+++ b/deps/npm/docs/output/commands/npm-docs.html
@@ -186,9 +186,9 @@
-
+
npm-docs
- @11.17.0
+ @11.18.0
Open documentation for a package in a web browser
diff --git a/deps/npm/docs/output/commands/npm-doctor.html b/deps/npm/docs/output/commands/npm-doctor.html
index e7a3771d5d654e..13bb25228dd28b 100644
--- a/deps/npm/docs/output/commands/npm-doctor.html
+++ b/deps/npm/docs/output/commands/npm-doctor.html
@@ -186,9 +186,9 @@
-
+
npm-doctor
- @11.17.0
+ @11.18.0
Check the health of your npm environment
diff --git a/deps/npm/docs/output/commands/npm-edit.html b/deps/npm/docs/output/commands/npm-edit.html
index 6f1ee44d54b0fe..6d1215ebfe1038 100644
--- a/deps/npm/docs/output/commands/npm-edit.html
+++ b/deps/npm/docs/output/commands/npm-edit.html
@@ -186,9 +186,9 @@
-
+
npm-edit
- @11.17.0
+ @11.18.0
Edit an installed package
diff --git a/deps/npm/docs/output/commands/npm-exec.html b/deps/npm/docs/output/commands/npm-exec.html
index d64cf7d587da27..3f57293a17fc56 100644
--- a/deps/npm/docs/output/commands/npm-exec.html
+++ b/deps/npm/docs/output/commands/npm-exec.html
@@ -186,9 +186,9 @@
-
+
npm-exec
- @11.17.0
+ @11.18.0
Run a command from a local or remote npm package
@@ -336,6 +336,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
diff --git a/deps/npm/docs/output/commands/npm-explain.html b/deps/npm/docs/output/commands/npm-explain.html
index 4c61e4dc5fbf14..5d5f6cea5ce113 100644
--- a/deps/npm/docs/output/commands/npm-explain.html
+++ b/deps/npm/docs/output/commands/npm-explain.html
@@ -186,9 +186,9 @@
-
+
npm-explain
- @11.17.0
+ @11.18.0
Explain installed packages
diff --git a/deps/npm/docs/output/commands/npm-explore.html b/deps/npm/docs/output/commands/npm-explore.html
index 68f61b31ed7d1b..d1ecb4e81886a8 100644
--- a/deps/npm/docs/output/commands/npm-explore.html
+++ b/deps/npm/docs/output/commands/npm-explore.html
@@ -186,9 +186,9 @@
-
+
npm-explore
- @11.17.0
+ @11.18.0
Browse an installed package
diff --git a/deps/npm/docs/output/commands/npm-find-dupes.html b/deps/npm/docs/output/commands/npm-find-dupes.html
index c6dea14d12f997..28a9066398760c 100644
--- a/deps/npm/docs/output/commands/npm-find-dupes.html
+++ b/deps/npm/docs/output/commands/npm-find-dupes.html
@@ -186,9 +186,9 @@
-
+
npm-find-dupes
- @11.17.0
+ @11.18.0
Find duplication in the package tree
@@ -213,8 +213,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
diff --git a/deps/npm/docs/output/commands/npm-fund.html b/deps/npm/docs/output/commands/npm-fund.html
index 0b7602251f020f..26761cc90196c8 100644
--- a/deps/npm/docs/output/commands/npm-fund.html
+++ b/deps/npm/docs/output/commands/npm-fund.html
@@ -186,9 +186,9 @@
-
+
npm-fund
- @11.17.0
+ @11.18.0
Retrieve funding information
diff --git a/deps/npm/docs/output/commands/npm-get.html b/deps/npm/docs/output/commands/npm-get.html
index e81310c39b33c0..e8fe5dfc0373ea 100644
--- a/deps/npm/docs/output/commands/npm-get.html
+++ b/deps/npm/docs/output/commands/npm-get.html
@@ -186,9 +186,9 @@
-
+
npm-get
- @11.17.0
+ @11.18.0
Get a value from the npm configuration
diff --git a/deps/npm/docs/output/commands/npm-help-search.html b/deps/npm/docs/output/commands/npm-help-search.html
index b44eddadf701b0..24f4ddafaea589 100644
--- a/deps/npm/docs/output/commands/npm-help-search.html
+++ b/deps/npm/docs/output/commands/npm-help-search.html
@@ -186,9 +186,9 @@
-
+
npm-help-search
- @11.17.0
+ @11.18.0
Search npm help documentation
diff --git a/deps/npm/docs/output/commands/npm-help.html b/deps/npm/docs/output/commands/npm-help.html
index d22edb7c826b09..4fb2ef4be76c30 100644
--- a/deps/npm/docs/output/commands/npm-help.html
+++ b/deps/npm/docs/output/commands/npm-help.html
@@ -186,9 +186,9 @@
-
+
npm-help
- @11.17.0
+ @11.18.0
Get help on npm
diff --git a/deps/npm/docs/output/commands/npm-init.html b/deps/npm/docs/output/commands/npm-init.html
index 836969ed135304..deeaf25a2348a0 100644
--- a/deps/npm/docs/output/commands/npm-init.html
+++ b/deps/npm/docs/output/commands/npm-init.html
@@ -186,9 +186,9 @@
-
+
npm-init
- @11.17.0
+ @11.18.0
Create a package.json file
diff --git a/deps/npm/docs/output/commands/npm-install-ci-test.html b/deps/npm/docs/output/commands/npm-install-ci-test.html
index 6f633c2c18a02d..2227da94885950 100644
--- a/deps/npm/docs/output/commands/npm-install-ci-test.html
+++ b/deps/npm/docs/output/commands/npm-install-ci-test.html
@@ -186,9 +186,9 @@
-
+
npm-install-ci-test
- @11.17.0
+ @11.18.0
Install a project with a clean slate and run tests
@@ -215,8 +215,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
@@ -383,6 +390,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
diff --git a/deps/npm/docs/output/commands/npm-install-scripts.html b/deps/npm/docs/output/commands/npm-install-scripts.html
new file mode 100644
index 00000000000000..1b036581f6a36e
--- /dev/null
+++ b/deps/npm/docs/output/commands/npm-install-scripts.html
@@ -0,0 +1,341 @@
+
+
+npm-install-scripts
+
+
+
+
+
+
+
+
+
+
+
+npm command-line interface
+
+
+
+
+
+
+
+ npm-install-scripts
+ @11.18.0
+
+Manage install-script approvals for dependencies
+
+
+
+
+Synopsis
+
npm install-scripts approve <pkg> [<pkg> ...]
+npm install-scripts approve --all
+npm install-scripts deny <pkg> [<pkg> ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+
+
Note: This command is unaware of workspaces.
+
Description
+
Manages the allowScripts field in your project's package.json, which
+records which of your dependencies are permitted to run install scripts
+(preinstall, install, postinstall, and prepare for non-registry
+sources). This is the recommended way to maintain that field.
+
Dependency install scripts are blocked by default. Install commands
+silently skip lifecycle scripts for any dependency that does not have a
+matching entry in allowScripts, and end with a list of the packages
+whose scripts were skipped so you can review them here.
+
This command only works inside a project that has a package.json. Running
+it with --global (-g) fails with an EGLOBAL error, since global
+installs (npm install -g) and one-off executions (npm exec / npx) have
+no project package.json to write to. To allow install scripts in those
+contexts, use the --allow-scripts flag at install time (for example
+npm install -g --allow-scripts=canvas,sharp) or persist the setting with
+npm config set allow-scripts=canvas,sharp --location=user.
+
There are four subcommands:
+
npm install-scripts approve <pkg> [<pkg> ...]
+npm install-scripts approve --all
+npm install-scripts deny <pkg> [<pkg> ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+
+
approve allows install scripts for the named packages. <pkg> matches
+every installed version of that package. By default it writes pinned entries
+(pkg@1.2.3), which keep their approval narrowed to the specific version you
+reviewed. Pass --no-allow-scripts-pin to write name-only entries that allow
+any future version. --all approves every package with unreviewed install
+scripts in one go.
+
deny records an explicit denial for the named packages (a name-only false
+entry), which survives npm install-scripts approve --all and excludes the
+package from any future blanket approval. --all denies every package with
+unreviewed install scripts.
+
ls is read-only: it lists every package whose install scripts are not yet
+covered by allowScripts, without modifying package.json.
+
prune removes allowScripts entries that no longer match an installed
+package with an install script, either because the package is no longer
+installed (a transitive dependency changed, or a pinned pkg@1.2.3 was
+upgraded) or because it no longer has an install script. Both approvals
+(true) and denials (false) are removed. It edits only the allowScripts
+field in package.json, never .npmrc or --allow-scripts. Pass --dry-run
+to preview without writing. Unparseable keys are left alone.
+
approve honours the asymmetric pin rule: if you re-approve a package whose
+installed version has changed, the existing pin is rewritten to track the new
+installed version. Multi-version statements (pkg@1 || 2) are left alone,
+since they likely capture intent that the command cannot infer. Existing
+false entries always win; approve will not silently re-allow a package you
+previously denied.
+
The standalone commands npm approve-scripts
+and npm deny-scripts are aliases for
+npm install-scripts approve and npm install-scripts deny.
+
Examples
+
# Approve all currently-installed install scripts after reviewing them
+npm install-scripts approve --all
+
+# Approve specific packages, pinned to their installed version
+npm install-scripts approve canvas sharp
+
+# Deny a package so it stays blocked
+npm install-scripts deny telemetry-pkg
+
+# Preview which packages still need review
+npm install-scripts ls
+
+# Preview stale allowScripts entries, then remove them
+npm install-scripts prune --dry-run
+npm install-scripts prune
+
+
Configuration
+
all
+
+Default: false
+Type: Boolean
+
+
Show or act on all packages, not just the ones your project directly depends
+on. For npm outdated and npm ls this lists every outdated or installed
+package. For npm approve-scripts and npm deny-scripts it selects every
+package with pending install scripts.
+
allow-scripts-pin
+
+Default: true
+Type: Boolean
+
+
Write pinned (pkg@version) entries when approving install scripts. Set to
+false to write name-only entries that allow any version. Has no effect on
+npm deny-scripts, which always writes name-only entries regardless of this
+setting.
+
dry-run
+
+Default: false
+Type: Boolean
+
+
Indicates that you don't want npm to make any changes and that it should
+only report what it would have done. This can be passed into any of the
+commands that modify your local installation, eg, install, update,
+dedupe, uninstall, as well as pack and publish.
+
Note: This is NOT honored by other network related commands, eg dist-tags,
+owner, etc.
+
json
+
+Default: false
+Type: Boolean
+
+
Whether or not to output JSON data, rather than the normal output.
+
+In npm pkg set it enables parsing set values with JSON.parse() before
+saving them to your package.json.
+
+
Not supported by all npm commands.
+
See Also
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/deps/npm/docs/output/commands/npm-install-test.html b/deps/npm/docs/output/commands/npm-install-test.html
index bd12094e8ca1c6..94231076345ad4 100644
--- a/deps/npm/docs/output/commands/npm-install-test.html
+++ b/deps/npm/docs/output/commands/npm-install-test.html
@@ -186,9 +186,9 @@
-
+
npm-install-test
- @11.17.0
+ @11.18.0
Install package(s) and run tests
@@ -246,8 +246,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
@@ -439,6 +446,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
@@ -475,6 +485,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
min-release-age
@@ -492,6 +504,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
diff --git a/deps/npm/docs/output/commands/npm-install.html b/deps/npm/docs/output/commands/npm-install.html
index 767a65f28bbd2c..fd6fe12eb8cd6d 100644
--- a/deps/npm/docs/output/commands/npm-install.html
+++ b/deps/npm/docs/output/commands/npm-install.html
@@ -186,9 +186,9 @@
-
+
npm-install
- @11.17.0
+ @11.18.0
Install a package
@@ -521,8 +521,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
@@ -714,6 +721,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
@@ -750,6 +760,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
min-release-age
@@ -767,6 +779,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
diff --git a/deps/npm/docs/output/commands/npm-link.html b/deps/npm/docs/output/commands/npm-link.html
index 42fd82304ecf17..e4c9f092f37c09 100644
--- a/deps/npm/docs/output/commands/npm-link.html
+++ b/deps/npm/docs/output/commands/npm-link.html
@@ -186,9 +186,9 @@
-
+
npm-link
- @11.17.0
+ @11.18.0
Symlink a package folder
@@ -288,8 +288,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
diff --git a/deps/npm/docs/output/commands/npm-ll.html b/deps/npm/docs/output/commands/npm-ll.html
index e288cc8a65d634..a7e3061ddf98bf 100644
--- a/deps/npm/docs/output/commands/npm-ll.html
+++ b/deps/npm/docs/output/commands/npm-ll.html
@@ -186,9 +186,9 @@
-
+
npm-ll
- @11.17.0
+ @11.18.0
List installed packages
diff --git a/deps/npm/docs/output/commands/npm-login.html b/deps/npm/docs/output/commands/npm-login.html
index 7ead867b8d396c..b08ac7b3357030 100644
--- a/deps/npm/docs/output/commands/npm-login.html
+++ b/deps/npm/docs/output/commands/npm-login.html
@@ -186,9 +186,9 @@
-
+
npm-login
- @11.17.0
+ @11.18.0
Login to a registry user account
diff --git a/deps/npm/docs/output/commands/npm-logout.html b/deps/npm/docs/output/commands/npm-logout.html
index 19ecf24f01efad..dfc1b256538f45 100644
--- a/deps/npm/docs/output/commands/npm-logout.html
+++ b/deps/npm/docs/output/commands/npm-logout.html
@@ -186,9 +186,9 @@
-
+
npm-logout
- @11.17.0
+ @11.18.0
Log out of the registry
diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html
index 181541d978ea07..a3de66d0323c8e 100644
--- a/deps/npm/docs/output/commands/npm-ls.html
+++ b/deps/npm/docs/output/commands/npm-ls.html
@@ -186,9 +186,9 @@
-
+
npm-ls
- @11.17.0
+ @11.18.0
List installed packages
@@ -209,7 +209,7 @@ Description
Positional arguments are name@version-range identifiers, which will limit the results to only the paths to the packages named.
Note that nested packages will also show the paths to the specified packages.
For example, running npm ls promzard in npm's source tree will show:
-npm@11.17.0 /path/to/npm
+npm@11.18.0 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
diff --git a/deps/npm/docs/output/commands/npm-org.html b/deps/npm/docs/output/commands/npm-org.html
index 361f44be6f3040..7c0526d750c62f 100644
--- a/deps/npm/docs/output/commands/npm-org.html
+++ b/deps/npm/docs/output/commands/npm-org.html
@@ -186,9 +186,9 @@
-
+
npm-org
- @11.17.0
+ @11.18.0
Manage orgs
diff --git a/deps/npm/docs/output/commands/npm-outdated.html b/deps/npm/docs/output/commands/npm-outdated.html
index 9703cf4bacf71f..5bf8ee630c262c 100644
--- a/deps/npm/docs/output/commands/npm-outdated.html
+++ b/deps/npm/docs/output/commands/npm-outdated.html
@@ -186,9 +186,9 @@
-
+
npm-outdated
- @11.17.0
+ @11.18.0
Check for outdated packages
@@ -334,6 +334,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
min-release-age
@@ -351,6 +353,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
diff --git a/deps/npm/docs/output/commands/npm-owner.html b/deps/npm/docs/output/commands/npm-owner.html
index 649e7408130966..c4947a01ae92a3 100644
--- a/deps/npm/docs/output/commands/npm-owner.html
+++ b/deps/npm/docs/output/commands/npm-owner.html
@@ -186,9 +186,9 @@
-
+
npm-owner
- @11.17.0
+ @11.18.0
Manage package owners
diff --git a/deps/npm/docs/output/commands/npm-pack.html b/deps/npm/docs/output/commands/npm-pack.html
index ab45154d21a3e2..a875a527f81f37 100644
--- a/deps/npm/docs/output/commands/npm-pack.html
+++ b/deps/npm/docs/output/commands/npm-pack.html
@@ -186,9 +186,9 @@
-
+
npm-pack
- @11.17.0
+ @11.18.0
Create a tarball from a package
diff --git a/deps/npm/docs/output/commands/npm-ping.html b/deps/npm/docs/output/commands/npm-ping.html
index 2f2ad0f779fa0a..74a7e2adc927e4 100644
--- a/deps/npm/docs/output/commands/npm-ping.html
+++ b/deps/npm/docs/output/commands/npm-ping.html
@@ -186,9 +186,9 @@
-
+
npm-ping
- @11.17.0
+ @11.18.0
Ping npm registry
diff --git a/deps/npm/docs/output/commands/npm-pkg.html b/deps/npm/docs/output/commands/npm-pkg.html
index 7462527a590499..9aec2f5f560235 100644
--- a/deps/npm/docs/output/commands/npm-pkg.html
+++ b/deps/npm/docs/output/commands/npm-pkg.html
@@ -186,9 +186,9 @@
-
+
npm-pkg
- @11.17.0
+ @11.18.0
Manages your package.json
diff --git a/deps/npm/docs/output/commands/npm-prefix.html b/deps/npm/docs/output/commands/npm-prefix.html
index 3fe3a77f2baf7c..887a4f26432c3c 100644
--- a/deps/npm/docs/output/commands/npm-prefix.html
+++ b/deps/npm/docs/output/commands/npm-prefix.html
@@ -186,9 +186,9 @@
-
+
npm-prefix
- @11.17.0
+ @11.18.0
Display prefix
diff --git a/deps/npm/docs/output/commands/npm-profile.html b/deps/npm/docs/output/commands/npm-profile.html
index 9a03fa2579618f..c45be8a6052c7f 100644
--- a/deps/npm/docs/output/commands/npm-profile.html
+++ b/deps/npm/docs/output/commands/npm-profile.html
@@ -186,9 +186,9 @@
-
+
npm-profile
- @11.17.0
+ @11.18.0
Change settings on your registry profile
diff --git a/deps/npm/docs/output/commands/npm-prune.html b/deps/npm/docs/output/commands/npm-prune.html
index 539533b3e9a824..bfb3914265bd60 100644
--- a/deps/npm/docs/output/commands/npm-prune.html
+++ b/deps/npm/docs/output/commands/npm-prune.html
@@ -186,9 +186,9 @@
-
+
npm-prune
- @11.17.0
+ @11.18.0
Remove extraneous packages
diff --git a/deps/npm/docs/output/commands/npm-publish.html b/deps/npm/docs/output/commands/npm-publish.html
index 4200a9105d2376..f2a7ba05905630 100644
--- a/deps/npm/docs/output/commands/npm-publish.html
+++ b/deps/npm/docs/output/commands/npm-publish.html
@@ -186,9 +186,9 @@
-
+
npm-publish
- @11.17.0
+ @11.18.0
Publish a package
diff --git a/deps/npm/docs/output/commands/npm-query.html b/deps/npm/docs/output/commands/npm-query.html
index 862a6a6ad62f9d..7d9bf80b88d216 100644
--- a/deps/npm/docs/output/commands/npm-query.html
+++ b/deps/npm/docs/output/commands/npm-query.html
@@ -186,9 +186,9 @@
-
+
npm-query
- @11.17.0
+ @11.18.0
Dependency selector query
@@ -432,6 +432,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
min-release-age
@@ -449,6 +451,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
diff --git a/deps/npm/docs/output/commands/npm-rebuild.html b/deps/npm/docs/output/commands/npm-rebuild.html
index 822091ab35b0ed..5245b156b685ce 100644
--- a/deps/npm/docs/output/commands/npm-rebuild.html
+++ b/deps/npm/docs/output/commands/npm-rebuild.html
@@ -186,9 +186,9 @@
-
+
npm-rebuild
- @11.17.0
+ @11.18.0
Rebuild a package
@@ -298,6 +298,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
diff --git a/deps/npm/docs/output/commands/npm-repo.html b/deps/npm/docs/output/commands/npm-repo.html
index c18499bd35e937..c210a4efd30802 100644
--- a/deps/npm/docs/output/commands/npm-repo.html
+++ b/deps/npm/docs/output/commands/npm-repo.html
@@ -186,9 +186,9 @@
-
+
npm-repo
- @11.17.0
+ @11.18.0
Open package repository page in the browser
diff --git a/deps/npm/docs/output/commands/npm-restart.html b/deps/npm/docs/output/commands/npm-restart.html
index e9be582f21a6b0..cc0ee51c458eee 100644
--- a/deps/npm/docs/output/commands/npm-restart.html
+++ b/deps/npm/docs/output/commands/npm-restart.html
@@ -186,9 +186,9 @@
-
+
npm-restart
- @11.17.0
+ @11.18.0
Restart a package
diff --git a/deps/npm/docs/output/commands/npm-root.html b/deps/npm/docs/output/commands/npm-root.html
index 2aaae514e72d49..6f0af8585373f7 100644
--- a/deps/npm/docs/output/commands/npm-root.html
+++ b/deps/npm/docs/output/commands/npm-root.html
@@ -186,9 +186,9 @@
-
+
npm-root
- @11.17.0
+ @11.18.0
Display npm root
diff --git a/deps/npm/docs/output/commands/npm-run.html b/deps/npm/docs/output/commands/npm-run.html
index 4036f6e0153b30..c7119fea964e7f 100644
--- a/deps/npm/docs/output/commands/npm-run.html
+++ b/deps/npm/docs/output/commands/npm-run.html
@@ -186,9 +186,9 @@
-
+
npm-run
- @11.17.0
+ @11.18.0
Run arbitrary package scripts
diff --git a/deps/npm/docs/output/commands/npm-sbom.html b/deps/npm/docs/output/commands/npm-sbom.html
index be951feb19036c..70eb4780c5c9e5 100644
--- a/deps/npm/docs/output/commands/npm-sbom.html
+++ b/deps/npm/docs/output/commands/npm-sbom.html
@@ -186,9 +186,9 @@
-
+
npm-sbom
- @11.17.0
+ @11.18.0
Generate a Software Bill of Materials (SBOM)
diff --git a/deps/npm/docs/output/commands/npm-search.html b/deps/npm/docs/output/commands/npm-search.html
index 8b397932b4bd7c..b417f9ba815c2b 100644
--- a/deps/npm/docs/output/commands/npm-search.html
+++ b/deps/npm/docs/output/commands/npm-search.html
@@ -186,9 +186,9 @@
-
+
npm-search
- @11.17.0
+ @11.18.0
Search for packages
diff --git a/deps/npm/docs/output/commands/npm-set.html b/deps/npm/docs/output/commands/npm-set.html
index 4be22387a40786..dfd53bcf72f287 100644
--- a/deps/npm/docs/output/commands/npm-set.html
+++ b/deps/npm/docs/output/commands/npm-set.html
@@ -186,9 +186,9 @@
-
+
npm-set
- @11.17.0
+ @11.18.0
Set a value in the npm configuration
diff --git a/deps/npm/docs/output/commands/npm-shrinkwrap.html b/deps/npm/docs/output/commands/npm-shrinkwrap.html
index 83e1f76e657287..8989040dd9f6c5 100644
--- a/deps/npm/docs/output/commands/npm-shrinkwrap.html
+++ b/deps/npm/docs/output/commands/npm-shrinkwrap.html
@@ -186,9 +186,9 @@
-
+
npm-shrinkwrap
- @11.17.0
+ @11.18.0
Lock down dependency versions for publication
diff --git a/deps/npm/docs/output/commands/npm-stage.html b/deps/npm/docs/output/commands/npm-stage.html
index 7a72369ac86e7a..de76caf167e94b 100644
--- a/deps/npm/docs/output/commands/npm-stage.html
+++ b/deps/npm/docs/output/commands/npm-stage.html
@@ -186,9 +186,9 @@
-
+
npm-stage
- @11.17.0
+ @11.18.0
Stage packages for publishing
diff --git a/deps/npm/docs/output/commands/npm-star.html b/deps/npm/docs/output/commands/npm-star.html
index a58d3d91913c47..0642cfefb4bc83 100644
--- a/deps/npm/docs/output/commands/npm-star.html
+++ b/deps/npm/docs/output/commands/npm-star.html
@@ -186,9 +186,9 @@
-
+
npm-star
- @11.17.0
+ @11.18.0
Mark your favorite packages
diff --git a/deps/npm/docs/output/commands/npm-stars.html b/deps/npm/docs/output/commands/npm-stars.html
index b13d859bffac06..3f586b4fb0a84a 100644
--- a/deps/npm/docs/output/commands/npm-stars.html
+++ b/deps/npm/docs/output/commands/npm-stars.html
@@ -186,9 +186,9 @@
-
+
npm-stars
- @11.17.0
+ @11.18.0
View packages marked as favorites
diff --git a/deps/npm/docs/output/commands/npm-start.html b/deps/npm/docs/output/commands/npm-start.html
index 0c88d59c649266..35a7c7798f85d4 100644
--- a/deps/npm/docs/output/commands/npm-start.html
+++ b/deps/npm/docs/output/commands/npm-start.html
@@ -186,9 +186,9 @@
-
+
npm-start
- @11.17.0
+ @11.18.0
Start a package
diff --git a/deps/npm/docs/output/commands/npm-stop.html b/deps/npm/docs/output/commands/npm-stop.html
index 12b8779cc221e9..37c8d91d4ba01b 100644
--- a/deps/npm/docs/output/commands/npm-stop.html
+++ b/deps/npm/docs/output/commands/npm-stop.html
@@ -186,9 +186,9 @@
-
+
npm-stop
- @11.17.0
+ @11.18.0
Stop a package
diff --git a/deps/npm/docs/output/commands/npm-team.html b/deps/npm/docs/output/commands/npm-team.html
index 9e311e6d52ad51..66263e4f1f5327 100644
--- a/deps/npm/docs/output/commands/npm-team.html
+++ b/deps/npm/docs/output/commands/npm-team.html
@@ -186,9 +186,9 @@
-
+
npm-team
- @11.17.0
+ @11.18.0
Manage organization teams and team memberships
diff --git a/deps/npm/docs/output/commands/npm-test.html b/deps/npm/docs/output/commands/npm-test.html
index dddced02bd1fd4..b9e84c47671532 100644
--- a/deps/npm/docs/output/commands/npm-test.html
+++ b/deps/npm/docs/output/commands/npm-test.html
@@ -186,9 +186,9 @@
-
+
npm-test
- @11.17.0
+ @11.18.0
Test a package
diff --git a/deps/npm/docs/output/commands/npm-token.html b/deps/npm/docs/output/commands/npm-token.html
index 45962d19ed7b8f..c3c59a86cabe85 100644
--- a/deps/npm/docs/output/commands/npm-token.html
+++ b/deps/npm/docs/output/commands/npm-token.html
@@ -186,9 +186,9 @@
-
+
npm-token
- @11.17.0
+ @11.18.0
Manage your authentication tokens
diff --git a/deps/npm/docs/output/commands/npm-trust.html b/deps/npm/docs/output/commands/npm-trust.html
index 761283abca7cc1..00d389d044c840 100644
--- a/deps/npm/docs/output/commands/npm-trust.html
+++ b/deps/npm/docs/output/commands/npm-trust.html
@@ -186,9 +186,9 @@
-
+
npm-trust
- @11.17.0
+ @11.18.0
Manage trusted publishing relationships between packages and CI/CD providers
diff --git a/deps/npm/docs/output/commands/npm-undeprecate.html b/deps/npm/docs/output/commands/npm-undeprecate.html
index ccabc141b24e8f..06ca5b07fbb355 100644
--- a/deps/npm/docs/output/commands/npm-undeprecate.html
+++ b/deps/npm/docs/output/commands/npm-undeprecate.html
@@ -186,9 +186,9 @@
-
+
npm-undeprecate
- @11.17.0
+ @11.18.0
Undeprecate a version of a package
diff --git a/deps/npm/docs/output/commands/npm-uninstall.html b/deps/npm/docs/output/commands/npm-uninstall.html
index e15dd8bfa7dcd8..f82cbbc1dcec2b 100644
--- a/deps/npm/docs/output/commands/npm-uninstall.html
+++ b/deps/npm/docs/output/commands/npm-uninstall.html
@@ -186,9 +186,9 @@
-
+
npm-uninstall
- @11.17.0
+ @11.18.0
Remove a package
diff --git a/deps/npm/docs/output/commands/npm-unpublish.html b/deps/npm/docs/output/commands/npm-unpublish.html
index df9f218803c022..f6557a7a40abef 100644
--- a/deps/npm/docs/output/commands/npm-unpublish.html
+++ b/deps/npm/docs/output/commands/npm-unpublish.html
@@ -186,9 +186,9 @@
-
+
npm-unpublish
- @11.17.0
+ @11.18.0
Remove a package from the registry
diff --git a/deps/npm/docs/output/commands/npm-unstar.html b/deps/npm/docs/output/commands/npm-unstar.html
index fbe3311b6f7155..d91decf5f96356 100644
--- a/deps/npm/docs/output/commands/npm-unstar.html
+++ b/deps/npm/docs/output/commands/npm-unstar.html
@@ -186,9 +186,9 @@
-
+
npm-unstar
- @11.17.0
+ @11.18.0
Remove an item from your favorite packages
diff --git a/deps/npm/docs/output/commands/npm-update.html b/deps/npm/docs/output/commands/npm-update.html
index dc8794bcb36ed1..9b395086246d71 100644
--- a/deps/npm/docs/output/commands/npm-update.html
+++ b/deps/npm/docs/output/commands/npm-update.html
@@ -186,9 +186,9 @@
-
+
npm-update
- @11.17.0
+ @11.18.0
Update packages
@@ -317,8 +317,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
legacy-bundling
Default: false
@@ -435,6 +442,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
dangerously-allow-all-scripts
Default: false
@@ -471,6 +481,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
min-release-age
@@ -488,6 +500,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
diff --git a/deps/npm/docs/output/commands/npm-version.html b/deps/npm/docs/output/commands/npm-version.html
index ca53ca723f3dd7..17e504dd49ef3b 100644
--- a/deps/npm/docs/output/commands/npm-version.html
+++ b/deps/npm/docs/output/commands/npm-version.html
@@ -186,9 +186,9 @@
-
+
npm-version
- @11.17.0
+ @11.18.0
Bump a package version
diff --git a/deps/npm/docs/output/commands/npm-view.html b/deps/npm/docs/output/commands/npm-view.html
index 24b933c2bcd11c..6424eed09df9d2 100644
--- a/deps/npm/docs/output/commands/npm-view.html
+++ b/deps/npm/docs/output/commands/npm-view.html
@@ -186,9 +186,9 @@
-
+
npm-view
- @11.17.0
+ @11.18.0
View registry info
diff --git a/deps/npm/docs/output/commands/npm-whoami.html b/deps/npm/docs/output/commands/npm-whoami.html
index 6cbef18cbef7ba..9830a8c3c8d2f3 100644
--- a/deps/npm/docs/output/commands/npm-whoami.html
+++ b/deps/npm/docs/output/commands/npm-whoami.html
@@ -186,9 +186,9 @@
-
+
npm-whoami
- @11.17.0
+ @11.18.0
Display npm username
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index 1e26458f7cf02a..cef7c6a5f2c88e 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -186,9 +186,9 @@
-
+
npm
- @11.17.0
+ @11.18.0
javascript package manager
@@ -203,7 +203,7 @@ Table of contents
Note: This command is unaware of workspaces.
Version
-11.17.0
+11.18.0
Description
npm is the package manager for the Node JavaScript platform.
It puts modules in place so that node can find them, and manages dependency conflicts intelligently.
diff --git a/deps/npm/docs/output/commands/npx.html b/deps/npm/docs/output/commands/npx.html
index 8cd5c4dcaf6302..f06143a5c2cd56 100644
--- a/deps/npm/docs/output/commands/npx.html
+++ b/deps/npm/docs/output/commands/npx.html
@@ -186,9 +186,9 @@
-
+
npx
- @11.17.0
+ @11.18.0
Run a command from a local or remote npm package
diff --git a/deps/npm/docs/output/configuring-npm/folders.html b/deps/npm/docs/output/configuring-npm/folders.html
index 6523b966186e45..78f9f0f1ebd7e9 100644
--- a/deps/npm/docs/output/configuring-npm/folders.html
+++ b/deps/npm/docs/output/configuring-npm/folders.html
@@ -186,9 +186,9 @@
-
+
Folders
- @11.17.0
+ @11.18.0
Folder structures used by npm
diff --git a/deps/npm/docs/output/configuring-npm/install.html b/deps/npm/docs/output/configuring-npm/install.html
index 21589fead823df..9ae64ab1d402dd 100644
--- a/deps/npm/docs/output/configuring-npm/install.html
+++ b/deps/npm/docs/output/configuring-npm/install.html
@@ -186,9 +186,9 @@
-
+
Install
- @11.17.0
+ @11.18.0
Download and install node and npm
diff --git a/deps/npm/docs/output/configuring-npm/npm-global.html b/deps/npm/docs/output/configuring-npm/npm-global.html
index 6523b966186e45..78f9f0f1ebd7e9 100644
--- a/deps/npm/docs/output/configuring-npm/npm-global.html
+++ b/deps/npm/docs/output/configuring-npm/npm-global.html
@@ -186,9 +186,9 @@
-
+
Folders
- @11.17.0
+ @11.18.0
Folder structures used by npm
diff --git a/deps/npm/docs/output/configuring-npm/npm-json.html b/deps/npm/docs/output/configuring-npm/npm-json.html
index bccbdcc5d32753..cb9a3626a0ce04 100644
--- a/deps/npm/docs/output/configuring-npm/npm-json.html
+++ b/deps/npm/docs/output/configuring-npm/npm-json.html
@@ -186,9 +186,9 @@
-
+
package.json
- @11.17.0
+ @11.18.0
Specifics of npm's package.json handling
diff --git a/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html b/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
index 0b58b9608ecda9..ecbc9d9e1502ec 100644
--- a/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
+++ b/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
@@ -186,9 +186,9 @@
-
+
npm-shrinkwrap.json
- @11.17.0
+ @11.18.0
A publishable lockfile
diff --git a/deps/npm/docs/output/configuring-npm/npmrc.html b/deps/npm/docs/output/configuring-npm/npmrc.html
index 1bea346797ae61..bad73af8064b6d 100644
--- a/deps/npm/docs/output/configuring-npm/npmrc.html
+++ b/deps/npm/docs/output/configuring-npm/npmrc.html
@@ -186,9 +186,9 @@
-
+
.npmrc
- @11.17.0
+ @11.18.0
The npm config files
diff --git a/deps/npm/docs/output/configuring-npm/package-json.html b/deps/npm/docs/output/configuring-npm/package-json.html
index bccbdcc5d32753..cb9a3626a0ce04 100644
--- a/deps/npm/docs/output/configuring-npm/package-json.html
+++ b/deps/npm/docs/output/configuring-npm/package-json.html
@@ -186,9 +186,9 @@
-
+
package.json
- @11.17.0
+ @11.18.0
Specifics of npm's package.json handling
diff --git a/deps/npm/docs/output/configuring-npm/package-lock-json.html b/deps/npm/docs/output/configuring-npm/package-lock-json.html
index 25d262fadf53da..834e14f626389a 100644
--- a/deps/npm/docs/output/configuring-npm/package-lock-json.html
+++ b/deps/npm/docs/output/configuring-npm/package-lock-json.html
@@ -186,9 +186,9 @@
-
+
package-lock.json
- @11.17.0
+ @11.18.0
A manifestation of the manifest
diff --git a/deps/npm/docs/output/using-npm/config.html b/deps/npm/docs/output/using-npm/config.html
index 17e7bd13896348..f52caeefd1847d 100644
--- a/deps/npm/docs/output/using-npm/config.html
+++ b/deps/npm/docs/output/using-npm/config.html
@@ -186,9 +186,9 @@
-
+
Config
- @11.17.0
+ @11.18.0
About npm configuration
@@ -464,6 +464,8 @@ before
sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with min-release-age, when this cutoff blocks a fix that npm audit fix would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
Packages whose names match min-release-age-exclude are exempt from this
filter.
bin-links
@@ -948,8 +950,15 @@ install-strategy
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+We recommend that package authors use --install-strategy=linked during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+import of a package that was never added to package.json can fail
+instead of resolving by accident and shipping broken. See Catching
+undeclared ("phantom")
+dependencies .
json
Default: false
@@ -1089,6 +1098,11 @@ min-release-age
--before while preparing a git: or github: dependency); when both
apply, before wins within a single source and across sources the standard
precedence rules apply.
+When this window stops npm audit fix from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+min-release-age-exclude, or relax min-release-age or before.
Packages whose names match min-release-age-exclude are exempt from this
filter.
This value is not exported to the environment for child processes.
@@ -1371,7 +1385,13 @@ replace-registry-host
registry (https://registry.npmjs.org ) to the configured registry. If set to
"never", then use the registry value. If set to "always", then replace the
registry host with the configured host every time.
-You may also specify a bare hostname (e.g., "registry.npmjs.org").
+You may also specify a bare hostname (e.g., "registry.npmjs.org") to only
+replace URLs coming from that host.
+You may also specify a full URL including a path (e.g.,
+"https://old-registry.example.com/npm/path "). In that case, resolved URLs
+whose host and path begin with that prefix will have the entire prefix
+replaced with the configured registry URL (host and path), without
+duplicating path segments.
save
Default: true unless when using npm update where it defaults to false
@@ -1551,6 +1571,9 @@ strict-allow-scripts
silently skipped; this setting only affects unreviewed entries.
--ignore-scripts and --dangerously-allow-all-scripts both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching os, cpu, or libc) are not flagged, because
+their install scripts never run.
strict-peer-deps
Default: false
diff --git a/deps/npm/docs/output/using-npm/dependency-selectors.html b/deps/npm/docs/output/using-npm/dependency-selectors.html
index abe0ea1e6d887f..f3001125637eb2 100644
--- a/deps/npm/docs/output/using-npm/dependency-selectors.html
+++ b/deps/npm/docs/output/using-npm/dependency-selectors.html
@@ -186,9 +186,9 @@
-
+
Dependency Selectors
- @11.17.0
+ @11.18.0
Dependency Selector Syntax & Querying
diff --git a/deps/npm/docs/output/using-npm/developers.html b/deps/npm/docs/output/using-npm/developers.html
index 713b2303b0e0c7..66a27a8a3dd640 100644
--- a/deps/npm/docs/output/using-npm/developers.html
+++ b/deps/npm/docs/output/using-npm/developers.html
@@ -186,16 +186,16 @@
-
+
Developers
- @11.17.0
+ @11.18.0
Developer guide
Description
@@ -331,6 +331,20 @@
Before Publ
to install it locally into the node_modules folder in that other place.
Then go into the node-repl, and try using require("my-thing") to bring in your module's main module.
+
Catching undeclared ("phantom") dependencies
+
Under the default hoisted node_modules layout, your package can import a dependency it never declared and still resolve it.
+A transitive dependency hoisted alongside it, or your workspace root's node_modules, happens to satisfy the import.
+That undeclared ("phantom") dependency passes your own build silently, then fails for anyone who installs your package on its own.
+
We recommend developing your package under install-strategy=linked .
+The isolated layout only exposes a package's declared dependencies, so an import of an undeclared package fails for you during development instead of resolving by accident, shipping broken, and failing for your users:
+
npm install --install-strategy=linked
+npm test
+
+
+Note: This doesn't catch every case.
+A dependency that's still satisfied at your build by a devDependency or by your workspace root's node_modules can resolve fine for you and still be missing for whoever installs your package.
+So treat it as one check, not a guarantee, alongside auditing the dependencies your published package actually uses.
+
Create a User Account
Create a user with the adduser command.
It works like this:
diff --git a/deps/npm/docs/output/using-npm/logging.html b/deps/npm/docs/output/using-npm/logging.html
index bbba11e5508a6b..19c47d4adc3906 100644
--- a/deps/npm/docs/output/using-npm/logging.html
+++ b/deps/npm/docs/output/using-npm/logging.html
@@ -186,9 +186,9 @@
-
+
Logging
- @11.17.0
+ @11.18.0
Why, What & How we Log
diff --git a/deps/npm/docs/output/using-npm/orgs.html b/deps/npm/docs/output/using-npm/orgs.html
index ae4920f10c3ca4..3444f3bf1c4c97 100644
--- a/deps/npm/docs/output/using-npm/orgs.html
+++ b/deps/npm/docs/output/using-npm/orgs.html
@@ -186,9 +186,9 @@
-
+
Organizations
- @11.17.0
+ @11.18.0
Working with teams & organizations
diff --git a/deps/npm/docs/output/using-npm/package-spec.html b/deps/npm/docs/output/using-npm/package-spec.html
index 47d02ec2b6b94f..92cd9d2af617d8 100644
--- a/deps/npm/docs/output/using-npm/package-spec.html
+++ b/deps/npm/docs/output/using-npm/package-spec.html
@@ -186,9 +186,9 @@
-
+
Package spec
- @11.17.0
+ @11.18.0
Package name specifier
diff --git a/deps/npm/docs/output/using-npm/registry.html b/deps/npm/docs/output/using-npm/registry.html
index 2c221dee07a0ed..ed47e3a6ed7171 100644
--- a/deps/npm/docs/output/using-npm/registry.html
+++ b/deps/npm/docs/output/using-npm/registry.html
@@ -186,9 +186,9 @@
-
+
Registry
- @11.17.0
+ @11.18.0
The JavaScript Package Registry
diff --git a/deps/npm/docs/output/using-npm/removal.html b/deps/npm/docs/output/using-npm/removal.html
index 932d43121c9dea..57f02ed1ee2b7f 100644
--- a/deps/npm/docs/output/using-npm/removal.html
+++ b/deps/npm/docs/output/using-npm/removal.html
@@ -186,9 +186,9 @@
-
+
Removal
- @11.17.0
+ @11.18.0
Cleaning the slate
diff --git a/deps/npm/docs/output/using-npm/scope.html b/deps/npm/docs/output/using-npm/scope.html
index 657021503ff52c..11861347920567 100644
--- a/deps/npm/docs/output/using-npm/scope.html
+++ b/deps/npm/docs/output/using-npm/scope.html
@@ -186,9 +186,9 @@
-
+
Scope
- @11.17.0
+ @11.18.0
Scoped packages
diff --git a/deps/npm/docs/output/using-npm/scripts.html b/deps/npm/docs/output/using-npm/scripts.html
index 3a87423e11f529..65ff19a4673afd 100644
--- a/deps/npm/docs/output/using-npm/scripts.html
+++ b/deps/npm/docs/output/using-npm/scripts.html
@@ -186,9 +186,9 @@
-
+
Scripts
- @11.17.0
+ @11.18.0
How npm handles the "scripts" field
diff --git a/deps/npm/docs/output/using-npm/workspaces.html b/deps/npm/docs/output/using-npm/workspaces.html
index 2e5ac47adfc8a4..fd75a0ad62a641 100644
--- a/deps/npm/docs/output/using-npm/workspaces.html
+++ b/deps/npm/docs/output/using-npm/workspaces.html
@@ -186,9 +186,9 @@
-
+
Workspaces
- @11.17.0
+ @11.18.0
Working with workspaces
diff --git a/deps/npm/lib/commands/audit.js b/deps/npm/lib/commands/audit.js
index a8d742cc73a6e4..6a55af43135840 100644
--- a/deps/npm/lib/commands/audit.js
+++ b/deps/npm/lib/commands/audit.js
@@ -73,6 +73,19 @@ class Audit extends ArboristWorkspaceCmd {
await arb.audit({ fix })
if (fix) {
await reifyFinish(this.npm, arb)
+ // Report any fix that a `min-release-age`/`before` window blocked from
+ // installing, and exit non-zero so a blocked fix is not missed.
+ const report = arb.auditReport
+ const blocked = report instanceof Map
+ ? [...report.values()].filter(v => v.fixBlockedByReleaseAge).map(v => v.name)
+ : []
+ if (blocked.length) {
+ log.warn('audit', `${blocked.length} package(s) left at a vulnerable version because ` +
+ `a fix is newer than the release-age cutoff: ${blocked.join(', ')}.\n` +
+ 'Add the package to min-release-age-exclude, or relax min-release-age or before, ' +
+ 'to install the fix.')
+ process.exitCode = 1
+ }
} else {
// will throw if there's an error, because this is an audit command
auditError(this.npm, arb.auditReport)
diff --git a/deps/npm/lib/commands/exec.js b/deps/npm/lib/commands/exec.js
index 23c47a0cc1ad77..7b7d8ad30fcd55 100644
--- a/deps/npm/lib/commands/exec.js
+++ b/deps/npm/lib/commands/exec.js
@@ -42,7 +42,7 @@ class Exec extends BaseCommand {
}
}
- async callExec (args, { name, locationMsg, runPath } = {}) {
+ async callExec (args, { locationMsg, runPath } = {}) {
let localBin = this.npm.localBin
let pkgPath = this.npm.localPrefix
@@ -50,8 +50,8 @@ class Exec extends BaseCommand {
if (!runPath) {
runPath = process.cwd()
} else {
- // We have to consider if the workspace has its own separate versions libnpmexec will walk up to localDir after looking here
- localBin = resolve(this.npm.localDir, name, 'node_modules', '.bin')
+ // Use the workspace's own node_modules/.bin, not localDir/, since the linked strategy does not symlink workspaces into the root node_modules.
+ localBin = resolve(runPath, 'node_modules', '.bin')
// We also need to look for `bin` entries in the workspace package.json
// libnpmexec will NOT look in the project root for the bin entry
pkgPath = runPath
diff --git a/deps/npm/lib/commands/install-scripts.js b/deps/npm/lib/commands/install-scripts.js
new file mode 100644
index 00000000000000..c6f91f87b08765
--- /dev/null
+++ b/deps/npm/lib/commands/install-scripts.js
@@ -0,0 +1,53 @@
+const AllowScriptsCmd = require('../utils/allow-scripts-cmd.js')
+
+// Namespaced front-end for install-script approvals.
+// `approve`/`deny` write the `allowScripts` policy, `ls` lists unreviewed packages,
+// `prune` drops entries that no longer match an installed package with an install script.
+// `npm approve-scripts` / `npm deny-scripts` are aliases for `approve` / `deny`.
+class InstallScripts extends AllowScriptsCmd {
+ static description = 'Manage install-script approvals for dependencies'
+ static name = 'install-scripts'
+ static usage = [
+ 'approve [ ...]',
+ 'approve --all',
+ 'deny [ ...]',
+ 'deny --all',
+ 'ls',
+ 'prune',
+ ]
+
+ static params = ['all', 'allow-scripts-pin', 'dry-run', 'json']
+
+ static async completion (opts) {
+ const argv = opts.conf.argv.remain
+ const subcommands = ['approve', 'deny', 'ls', 'prune']
+ if (argv.length === 2) {
+ return subcommands
+ }
+ if (subcommands.includes(argv[2])) {
+ return []
+ }
+ throw new Error(`${argv[2]} not recognized`)
+ }
+
+ async exec (args) {
+ const [sub, ...rest] = args
+ switch (sub) {
+ case 'approve':
+ return this.runMode('approve', rest)
+ case 'deny':
+ return this.runMode('deny', rest)
+ case 'ls':
+ case 'list':
+ return this.runMode('list', rest)
+ case 'prune':
+ return this.runMode('prune', rest)
+ default:
+ throw this.usageError(
+ sub ? `\`${sub}\` is not a recognized subcommand.` : undefined
+ )
+ }
+ }
+}
+
+module.exports = InstallScripts
diff --git a/deps/npm/lib/commands/link.js b/deps/npm/lib/commands/link.js
index 160ba2b707efd8..cad499b2df8efb 100644
--- a/deps/npm/lib/commands/link.js
+++ b/deps/npm/lib/commands/link.js
@@ -5,6 +5,7 @@ const pkgJson = require('@npmcli/package-json')
const semver = require('semver')
const reifyFinish = require('../utils/reify-finish.js')
const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
+const strictAllowScriptsPreflight = require('../utils/strict-allow-scripts-preflight.js')
const ArboristWorkspaceCmd = require('../arborist-cmd.js')
class Link extends ArboristWorkspaceCmd {
@@ -68,12 +69,16 @@ class Link extends ArboristWorkspaceCmd {
// load current packages from the global space, and then add symlinks installs locally
const globalTop = resolve(this.npm.globalDir, '..')
const Arborist = require('@npmcli/arborist')
+ // Resolve the policy up front so it also gates the global install of
+ // missing packages, not just the local link.
+ const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
const globalOpts = {
...this.npm.flatOptions,
Arborist,
path: globalTop,
global: true,
prune: false,
+ allowScripts: allowScriptsPolicy,
}
const globalArb = new Arborist(globalOpts)
@@ -86,10 +91,17 @@ class Link extends ArboristWorkspaceCmd {
// any extra arg that is missing from the current global space should be reified there first
const missing = this.missingArgsFromTree(globals, args)
if (missing.length) {
- await globalArb.reify({
+ const globalReifyOpts = {
...globalOpts,
add: missing,
+ }
+ // Gate the global install with the same preflight as `npm install`.
+ await strictAllowScriptsPreflight({
+ arb: globalArb,
+ npm: this.npm,
+ idealTreeOpts: globalReifyOpts,
})
+ await globalArb.reify(globalReifyOpts)
}
// get a list of module names that should be linked in the local prefix
@@ -116,12 +128,13 @@ class Link extends ArboristWorkspaceCmd {
)
// create a new arborist instance for the local prefix and
// reify all the pending names as symlinks there
- const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
const localArb = new Arborist({
...this.npm.flatOptions,
prune: false,
path: this.npm.prefix,
save,
+ // Arborist reads this.options.workspaces (set at construction) to decide which node receives the add, so it must be set here, not only at reify time.
+ workspaces: this.workspaceNames,
allowScripts: allowScriptsPolicy,
})
await localArb.reify({
diff --git a/deps/npm/lib/commands/ls.js b/deps/npm/lib/commands/ls.js
index 5dacd3919882e8..8b9b4f3f5d2e2d 100644
--- a/deps/npm/lib/commands/ls.js
+++ b/deps/npm/lib/commands/ls.js
@@ -135,7 +135,7 @@ class LS extends ArboristWorkspaceCmd {
omit,
}) : () => true)
.filter(installStrategy === 'linked'
- ? filterLinkedStrategyEdges({ node, currentDepth })
+ ? filterLinkedStrategyEdges({ currentDepth })
: () => true)
.map(mapEdgesToNodes({ seenPaths }))
.concat(appendExtraneousChildren({ node, seenPaths }))
@@ -400,32 +400,16 @@ const getJsonOutputItem = (node, { global, long }) => {
return augmentItemWithIncludeMetadata(node, item)
}
-// In linked strategy, two types of edges produce false UNMET DEPENDENCYs:
-// 1. Workspace edges for undeclared workspaces: the lockfile records edges from root to ALL workspaces, but only declared workspaces are hoisted to root/node_modules in linked mode. Undeclared ones are intentionally absent.
-// 2. Dev edges on non-root packages: store package link targets have no parent in the node tree, so they are treated as "top" nodes and their devDependencies are loaded as edges. Those devDeps are never installed.
-const filterLinkedStrategyEdges = ({ node, currentDepth }) => {
- const declaredDeps = new Set(Object.keys(Object.assign({},
- node.target.package.dependencies,
- node.target.package.devDependencies,
- node.target.package.optionalDependencies,
- node.target.package.peerDependencies
- )))
-
- return (edge) => {
- // Skip workspace edges for undeclared workspaces at root level
- if (currentDepth === 0 && edge.type === 'workspace' && edge.missing) {
- if (!declaredDeps.has(edge.name)) {
- return false
- }
- }
-
- // Skip dev edges for non-root packages (store packages)
- if (currentDepth > 0 && edge.dev) {
- return false
- }
-
- return true
+// In linked strategy, dev edges on non-root packages produce false UNMET DEPENDENCYs: store package link targets have no parent in the node tree, so they are treated as "top" nodes and their devDependencies are loaded as edges. Those devDeps are never installed.
+// Undeclared workspaces no longer need filtering here: loadActual synthesizes their root links so their edges resolve instead of reporting missing.
+const filterLinkedStrategyEdges = ({ currentDepth }) => (edge) => {
+ // Skip dev edges for non-root packages (store packages)
+ /* istanbul ignore next: store packages no longer carry dev edges, so this guard is not exercised by tests */
+ if (currentDepth > 0 && edge.dev) {
+ return false
}
+
+ return true
}
const filterByEdgesTypes = ({ link, omit }) => (edge) => {
diff --git a/deps/npm/lib/commands/query.js b/deps/npm/lib/commands/query.js
index 63bd00c3206b33..f826cdc52659e5 100644
--- a/deps/npm/lib/commands/query.js
+++ b/deps/npm/lib/commands/query.js
@@ -2,6 +2,15 @@ const { resolve } = require('node:path')
const BaseCommand = require('../base-cmd.js')
const { log, output } = require('proc-log')
+// Ranks competing representations of the same physical package so the most logical one is reported.
+// A top-level placement (e.g. node_modules/) beats the canonical store node, which beats an internal store symlink.
+const locationRank = (node) => {
+ if (!node.location.includes('node_modules/.store/')) {
+ return 2
+ }
+ return node.isLink ? 0 : 1
+}
+
class QuerySelectorItem {
constructor (node) {
// all enumerable properties from the target
@@ -9,8 +18,11 @@ class QuerySelectorItem {
// append extra info
this.pkgid = node.target.pkgid
- this.location = node.target.location
- this.path = node.target.path
+ // For a dep symlinked into the isolated store, report the logical link location (node_modules/) rather than the .store backing path.
+ // Workspaces and regular nodes keep the target location (e.g. packages/).
+ const logical = node.target.isInStore ? node : node.target
+ this.location = logical.location
+ this.path = logical.path
this.realpath = node.target.realpath
this.resolved = node.target.resolved
this.from = []
@@ -33,7 +45,7 @@ class QuerySelectorItem {
class Query extends BaseCommand {
#response = [] // response is the query response
- #seen = new Set() // paths we've seen so we can keep response deduped
+ #seen = new Map() // physical location -> index in #response, to keep response deduped
static description = 'Retrieve a filtered list of packages'
static name = 'query'
@@ -127,12 +139,22 @@ class Query extends BaseCommand {
async #queryTree (tree, arg) {
const items = await tree.querySelectorAll(arg, this.npm.flatOptions)
for (const node of items) {
+ // Dedup by the target's physical location so multiple logical links to the same store node collapse to one result.
const { location } = node.target
- if (!location || !this.#seen.has(location)) {
- const item = new QuerySelectorItem(node)
- this.#response.push(item)
- if (location) {
- this.#seen.add(item.location)
+ if (!location) {
+ this.#response.push(new QuerySelectorItem(node))
+ continue
+ }
+ const seen = this.#seen.get(location)
+ if (seen === undefined) {
+ this.#seen.set(location, { index: this.#response.length, rank: locationRank(node) })
+ this.#response.push(new QuerySelectorItem(node))
+ } else {
+ // Replace the stored representation only with a more logical one for the same physical package.
+ const rank = locationRank(node)
+ if (rank > seen.rank) {
+ this.#response[seen.index] = new QuerySelectorItem(node)
+ seen.rank = rank
}
}
}
diff --git a/deps/npm/lib/commands/rebuild.js b/deps/npm/lib/commands/rebuild.js
index 3f8cb98154d552..17595aa4eb72e2 100644
--- a/deps/npm/lib/commands/rebuild.js
+++ b/deps/npm/lib/commands/rebuild.js
@@ -75,13 +75,13 @@ class Rebuild extends ArboristWorkspaceCmd {
if (unreviewed.length > 0) {
const count = unreviewed.length
const noun = count === 1 ? 'package has' : 'packages have'
- // `npm approve-scripts` writes to a project package.json, which doesn't
+ // `npm install-scripts` writes to a project package.json, which doesn't
// exist for global rebuilds. Point global users at `npm config set`,
// which writes the `allow-scripts` setting to their user .npmrc.
const names = unreviewed.map(({ node }) => trustedDisplay(node).name)
const remediation = this.npm.global
? `Run \`${configSetAllowScripts(names)}\` to allow their scripts.`
- : 'Run `npm approve-scripts --allow-scripts-pending` to review.'
+ : 'Run `npm install-scripts ls` to review.'
log.warn(
'rebuild',
`${count} ${noun} install scripts not yet covered by allowScripts. ` +
diff --git a/deps/npm/lib/commands/token.js b/deps/npm/lib/commands/token.js
index b248d6a789a1f8..8f54e9d8725dfb 100644
--- a/deps/npm/lib/commands/token.js
+++ b/deps/npm/lib/commands/token.js
@@ -73,17 +73,22 @@ class Token extends BaseCommand {
const parseable = this.npm.config.get('parseable')
log.info('token', 'getting list')
const tokens = await paginate('/-/npm/v1/tokens', this.npm.flatOptions)
+
+ this.generateTokenIds(tokens, 6)
+
if (json) {
output.buffer(tokens)
return
}
if (parseable) {
- output.standard(['key', 'token', 'created', 'readonly', 'CIDR whitelist'].join('\t'))
+ output.standard(['key', 'token', 'id', 'name', 'created', 'readonly', 'CIDR whitelist'].join('\t'))
tokens.forEach(token => {
output.standard(
[
token.key,
token.token,
+ token.id,
+ token.name,
token.created,
token.readonly ? 'true' : 'false',
token.cidr_whitelist ? token.cidr_whitelist.join(',') : '',
@@ -92,11 +97,10 @@ class Token extends BaseCommand {
})
return
}
- this.generateTokenIds(tokens, 6)
const chalk = this.npm.chalk
for (const token of tokens) {
const created = String(token.created).slice(0, 10)
- output.standard(`${chalk.blue('Token')} ${token.token}… with id ${chalk.cyan(token.id)} created ${created}`)
+ output.standard(`${chalk.blue('Token')} ${token.token}… with id ${chalk.cyan(token.id)} name ${chalk.magenta(token.name)} created ${created}`)
if (token.cidr_whitelist) {
output.standard(`with IP whitelist: ${chalk.green(token.cidr_whitelist.join(','))}`)
}
diff --git a/deps/npm/lib/utils/allow-scripts-cmd.js b/deps/npm/lib/utils/allow-scripts-cmd.js
index b6ec663124fe84..315b7b0b4fb9ce 100644
--- a/deps/npm/lib/utils/allow-scripts-cmd.js
+++ b/deps/npm/lib/utils/allow-scripts-cmd.js
@@ -3,6 +3,7 @@ const npa = require('npm-package-arg')
const semver = require('semver')
const pkgJson = require('@npmcli/package-json')
const { trustedDisplay } = require('@npmcli/arborist/lib/script-allowed.js')
+const getInstallScripts = require('@npmcli/arborist/lib/install-scripts.js')
const checkAllowScripts = require('./check-allow-scripts.js')
const resolveAllowScripts = require('./resolve-allow-scripts.js')
const {
@@ -10,6 +11,7 @@ const {
applyDenyForPackage,
nameKeyFor,
} = require('./allow-scripts-writer.js')
+const { classifyUnusedEntries } = require('./allow-scripts-prune.js')
const BaseCommand = require('../base-cmd.js')
// Parse a positional arg into a name and an optional version range. A bare
@@ -34,8 +36,9 @@ const parsePositional = (arg) => {
return { name, range: null }
}
-// Shared implementation for `npm approve-scripts` and `npm deny-scripts`.
-// Subclasses set `verb` to `'approve'` or `'deny'`.
+// Shared implementation for `npm approve-scripts`, `npm deny-scripts`, and the `npm install-scripts` namespace.
+// `npm install-scripts` dispatches to `runMode('approve' | 'deny' | 'list', ...)`.
+// The standalone commands set `static verb` and run through the default `exec`.
//
// Extends `BaseCommand` rather than `ArboristCmd` on purpose. Per RFC,
// `allowScripts` is read from the workspace root's `package.json` only;
@@ -48,13 +51,23 @@ class AllowScriptsCmd extends BaseCommand {
static params = ['all', 'allow-scripts-pending', 'allow-scripts-pin', 'json']
static ignoreImplicitWorkspace = false
- // Subclasses set `static verb = 'approve' | 'deny'`.
+ // Mode of the current run, set by runMode.
+ // One of 'approve', 'deny', 'list', or 'prune'.
+ #mode = null
+
+ // verb drives the writers and summaries, which only run in the two write modes, so it is never read while listing.
get verb () {
- /* istanbul ignore next: every concrete subclass declares static verb */
- return this.constructor.verb
+ return this.#mode
}
+ // Standalone `npm approve-scripts` / `npm deny-scripts` pick their mode from `static verb`.
async exec (args) {
+ return this.runMode(this.constructor.verb, args)
+ }
+
+ async runMode (mode, args) {
+ this.#mode = mode
+
if (this.npm.global) {
throw Object.assign(
new Error(`\`npm ${this.constructor.name}\` does not work for global installs`),
@@ -62,19 +75,33 @@ class AllowScriptsCmd extends BaseCommand {
)
}
- const pending = !!this.npm.config.get('allow-scripts-pending')
+ // `prune` has its own flow: it reads the literal package.json#allowScripts
+ // map, not the resolved policy.
+ if (mode === 'prune') {
+ return this.runPrune(args)
+ }
+
+ // `--allow-scripts-pending` is only honored by commands that declare it; the namespace lists via `ls` instead.
+ const pending = this.constructor.params.includes('allow-scripts-pending') &&
+ !!this.npm.config.get('allow-scripts-pending')
const all = !!this.npm.config.get('all')
+ // The `ls` subcommand lists, and so does `--allow-scripts-pending` on the write commands.
+ const list = mode === 'list' || pending
- if (pending && (args.length > 0 || all)) {
+ if (list && (args.length > 0 || all)) {
+ const what = mode === 'list' ? '`npm install-scripts ls`' : '`--allow-scripts-pending`'
throw this.usageError(
- '`--allow-scripts-pending` cannot be combined with positional arguments or `--all`.'
+ `${what} cannot be combined with positional arguments or \`--all\`.`
)
}
- if (!pending && !all && args.length === 0) {
+ if (!list && !all && args.length === 0) {
throw this.usageError()
}
- if (this.verb === 'deny' && pending) {
- throw this.usageError('`npm deny-scripts --allow-scripts-pending` is not supported.')
+ if (mode === 'deny' && pending) {
+ throw this.usageError(
+ '`npm deny-scripts --allow-scripts-pending` is not supported; ' +
+ 'run `npm install-scripts ls` to list unreviewed packages.'
+ )
}
const Arborist = require('@npmcli/arborist')
@@ -91,7 +118,7 @@ class AllowScriptsCmd extends BaseCommand {
// only lists; nothing runs.
const unreviewed = await checkAllowScripts({ arb, npm: this.npm, includeWhenIgnored: true })
- if (pending) {
+ if (list) {
return this.runPending(unreviewed)
}
@@ -129,7 +156,8 @@ class AllowScriptsCmd extends BaseCommand {
}
output.standard('')
output.standard(
- 'Run `npm approve-scripts ` to allow, or `npm deny-scripts ` to deny.'
+ 'Run `npm install-scripts approve ` to allow, ' +
+ 'or `npm install-scripts deny ` to deny.'
)
}
@@ -298,6 +326,78 @@ class AllowScriptsCmd extends BaseCommand {
output.standard(`Nothing to ${this.verb}; allowScripts unchanged.`)
}
}
+
+ // `npm install-scripts prune`: drop package.json#allowScripts entries that no
+ // longer match an installed package with an install script. Edits only
+ // package.json (never `.npmrc`/CLI policy); `--dry-run` reports without writing.
+ async runPrune (args) {
+ const all = !!this.npm.config.get('all')
+ if (args.length > 0 || all) {
+ throw this.usageError(
+ '`npm install-scripts prune` cannot be combined with positional arguments or `--all`.'
+ )
+ }
+
+ const dryRun = !!this.npm.config.get('dry-run')
+ const pkg = await pkgJson.load(this.npm.prefix)
+ const existing = pkg.content.allowScripts && typeof pkg.content.allowScripts === 'object'
+ ? pkg.content.allowScripts
+ : {}
+
+ let removed = []
+ if (Object.keys(existing).length > 0) {
+ const Arborist = require('@npmcli/arborist')
+ const arb = new Arborist({
+ ...this.npm.flatOptions,
+ path: this.npm.prefix,
+ })
+ await arb.loadActual()
+
+ // Candidate install nodes (mirrors collectUnreviewedScripts), tagged with
+ // whether each has install scripts so the classifier can tell "gone" from
+ // "no longer has scripts".
+ const nodes = []
+ for (const node of arb.actualTree.inventory.values()) {
+ if (node.isProjectRoot || node.isWorkspace || node.isLink || node.inBundle || node.inert) {
+ continue
+ }
+ const scripts = await getInstallScripts(node)
+ nodes.push({ node, hasScripts: Object.keys(scripts).length > 0 })
+ }
+
+ const { remaining, removed: unused } = classifyUnusedEntries(existing, nodes)
+ removed = unused
+
+ if (removed.length > 0 && !dryRun) {
+ // Drop the field entirely when nothing is left rather than leaving `{}`.
+ pkg.update({
+ allowScripts: Object.keys(remaining).length > 0 ? remaining : undefined,
+ })
+ await pkg.save()
+ }
+ }
+
+ this.printPruneSummary({ removed, dryRun })
+ }
+
+ printPruneSummary ({ removed, dryRun }) {
+ if (this.npm.flatOptions.json) {
+ output.buffer({ allowScripts: { removed, dryRun } })
+ return
+ }
+ if (removed.length === 0) {
+ output.standard('No unused allowScripts entries.')
+ return
+ }
+ const entry = removed.length === 1 ? 'entry' : 'entries'
+ output.standard(
+ `${dryRun ? 'Would remove' : 'Removed'} ${removed.length} unused allowScripts ${entry}:`
+ )
+ for (const { key, reason } of removed) {
+ const text = reason === 'not-installed' ? 'package not installed' : 'no install scripts'
+ output.standard(` ${key} (${text})`)
+ }
+ }
}
module.exports = AllowScriptsCmd
diff --git a/deps/npm/lib/utils/allow-scripts-prune.js b/deps/npm/lib/utils/allow-scripts-prune.js
new file mode 100644
index 00000000000000..1111b45d9ca3fd
--- /dev/null
+++ b/deps/npm/lib/utils/allow-scripts-prune.js
@@ -0,0 +1,47 @@
+const npa = require('npm-package-arg')
+const { matches } = require('@npmcli/arborist/lib/script-allowed.js')
+
+// Pure classifier behind `npm install-scripts prune`.
+//
+// Splits the `package.json#allowScripts` map into entries to keep (`remaining`)
+// and unused ones to drop (`removed`). `nodes` is the install candidates as
+// `{ node, hasScripts }`; the caller gathers them so this stays sync.
+//
+// An entry is unused (version-aware, by trusted identity) when:
+// - no installed node matches the key -> reason 'not-installed'
+// - it matches but none have scripts -> reason 'no-scripts'
+//
+// Unparseable keys are kept (prune never drops what it can't parse). Both
+// `true` (approve) and `false` (deny) entries are pruned.
+const classifyUnusedEntries = (allowScripts, nodes) => {
+ const remaining = {}
+ const removed = []
+
+ for (const [key, value] of Object.entries(allowScripts || {})) {
+ let parseable = true
+ try {
+ npa(key)
+ } catch {
+ parseable = false
+ }
+ if (!parseable) {
+ remaining[key] = value
+ continue
+ }
+
+ const matching = nodes.filter(({ node }) => matches(node, key))
+ if (matching.length === 0) {
+ removed.push({ key, value, reason: 'not-installed' })
+ continue
+ }
+ if (!matching.some(({ hasScripts }) => hasScripts)) {
+ removed.push({ key, value, reason: 'no-scripts' })
+ continue
+ }
+ remaining[key] = value
+ }
+
+ return { remaining, removed }
+}
+
+module.exports = { classifyUnusedEntries }
diff --git a/deps/npm/lib/utils/allow-scripts-writer.js b/deps/npm/lib/utils/allow-scripts-writer.js
index 310e22412a4a44..b9476905d427b0 100644
--- a/deps/npm/lib/utils/allow-scripts-writer.js
+++ b/deps/npm/lib/utils/allow-scripts-writer.js
@@ -108,15 +108,15 @@ const isSingleVersionPin = (key) => {
// an approval. Per RFC, a name-only deny ("pkg": false) is widest and
// the only remediation is to remove the entry. A versioned deny
// ("pkg@1.2.3": false or a disjunction) blocks only specific versions;
-// the user can either widen it via `npm deny-scripts ` or remove
-// it to approve the currently-installed version only.
+// the user can either widen it via `npm install-scripts deny ` or
+// remove it to approve the currently-installed version only.
const denyWarning = (key, subject, name) => {
if (isNameOnlyKey(key)) {
return `${key} is denied; remove the entry from allowScripts to approve ${subject}.`
}
/* istanbul ignore next: name fallback is defensive; callers pass nameKeyFor(sample) */
const widenTarget = name || 'this package'
- return `${key} is a versioned deny; run \`npm deny-scripts ${widenTarget}\` ` +
+ return `${key} is a versioned deny; run \`npm install-scripts deny ${widenTarget}\` ` +
`to widen the deny to all versions of ${widenTarget}, or remove the entry ` +
`to approve ${subject}.`
}
@@ -250,7 +250,41 @@ const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
// package are removed. Per the RFC's pin-mismatch table, an existing
// name-only entry (`pkg: true`) is replaced by `pkg@x.y.z: true` once
// every installed version has a pin.
- const installedKeys = new Set(nodes.map(versionedKeyFor).filter(Boolean))
+ const versionedKeys = nodes.map(versionedKeyFor)
+ const installedKeys = new Set(versionedKeys.filter(Boolean))
+
+ // A registry dep with no `resolved` URL in the lockfile has no trustable
+ // version (getTrustedRegistryIdentity won't trust the tarball's
+ // node.version), so versionedKeyFor returns null and a `pkg@x.y.z` pin can
+ // never match it (npm/cli#9558). When any installed version can't be
+ // pinned, approve the whole package by name and drop now-redundant pins.
+ if (name && versionedKeys.some(key => !key)) {
+ for (const key of Object.keys(allowScripts)) {
+ if (
+ keyTargetsNode(key, sample) &&
+ key !== name &&
+ isSingleVersionPin(key) &&
+ allowScripts[key] === true
+ ) {
+ delete allowScripts[key]
+ changes.push({ key, change: 'removed-pinned-allow' })
+ }
+ }
+ if (allowScripts[name] !== true) {
+ allowScripts[name] = true
+ changes.push({ key: name, change: 'added' })
+ }
+ return {
+ allowScripts,
+ changes,
+ warning: changes.length
+ ? `${name}: approved by name (all versions) because its ` +
+ `package-lock.json entry has no "resolved" URL, so npm can't pin a ` +
+ `specific version. Run \`npm install\` to refresh the lockfile and ` +
+ `enable pinning.`
+ : undefined,
+ }
+ }
for (const key of Object.keys(allowScripts)) {
if (
diff --git a/deps/npm/lib/utils/cmd-list.js b/deps/npm/lib/utils/cmd-list.js
index 1909df0d045469..8816d8294716ef 100644
--- a/deps/npm/lib/utils/cmd-list.js
+++ b/deps/npm/lib/utils/cmd-list.js
@@ -31,6 +31,7 @@ const commands = [
'init',
'install',
'install-ci-test',
+ 'install-scripts',
'install-test',
'link',
'll',
diff --git a/deps/npm/lib/utils/reify-output.js b/deps/npm/lib/utils/reify-output.js
index 1ccbd4d0cad71a..6e25f94340632a 100644
--- a/deps/npm/lib/utils/reify-output.js
+++ b/deps/npm/lib/utils/reify-output.js
@@ -66,7 +66,8 @@ const reifyOutput = (npm, arb, extras = {}) => {
if (showDiff) {
output.standard(`${chalk.green('add')} ${d.ideal.name} ${d.ideal.package.version}`)
}
- if (actualTree.inventory.has(d.ideal)) {
+ // Linked store packages live under .store, absent from the logical actualTree, so identity lookup misses them; count each store package node (non-link).
+ if (actualTree.inventory.has(d.ideal) || (d.ideal.isInStore && !d.ideal.isLink)) {
summary.added++
summary.add.push({
name: d.ideal.name,
@@ -268,7 +269,7 @@ const unreviewedScriptsMessage = (npm, unreviewedScripts) => {
)
}
-// `npm approve-scripts` writes to a project package.json, which doesn't
+// `npm install-scripts` writes to a project package.json, which doesn't
// exist for global installs (it throws EGLOBAL). For those, point users at
// the mechanism that does work globally: the `--allow-scripts` flag for a
// one-off, or `npm config set allow-scripts` to persist it.
@@ -282,8 +283,8 @@ const remediationLines = (npm, names) => {
]
}
return [
- 'Run `npm approve-scripts --allow-scripts-pending` to review, ' +
- 'or `npm approve-scripts ` to allow.',
+ 'Run `npm install-scripts ls` to review, ' +
+ 'or `npm install-scripts approve ` to allow.',
]
}
diff --git a/deps/npm/lib/utils/sbom-cyclonedx.js b/deps/npm/lib/utils/sbom-cyclonedx.js
index fe368e968baaa7..bd741718bef0d6 100644
--- a/deps/npm/lib/utils/sbom-cyclonedx.js
+++ b/deps/npm/lib/utils/sbom-cyclonedx.js
@@ -76,7 +76,7 @@ const toCyclonedxItem = (node, { packageType }) => {
// Calculate purl from package spec
let spec = npa(node.pkgid)
spec = (spec.type === 'alias') ? spec.subSpec : spec
- const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
+ const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${encodeURIComponent(node.resolved)}` : '')
if (node.package) {
const toNormalize = new PackageJson()
diff --git a/deps/npm/lib/utils/sbom-spdx.js b/deps/npm/lib/utils/sbom-spdx.js
index 8ea75c688bc862..88797fd03effba 100644
--- a/deps/npm/lib/utils/sbom-spdx.js
+++ b/deps/npm/lib/utils/sbom-spdx.js
@@ -109,7 +109,7 @@ const toSpdxItem = (node, { packageType }) => {
// Calculate purl from package spec
let spec = npa(node.pkgid)
spec = (spec.type === 'alias') ? spec.subSpec : spec
- const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
+ const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${encodeURIComponent(node.resolved)}` : '')
/* For workspace nodes, use the location from their linkNode */
let location = node.location
diff --git a/deps/npm/lib/utils/strict-allow-scripts-preflight.js b/deps/npm/lib/utils/strict-allow-scripts-preflight.js
index d3575289fa8ed6..0c500018184c2e 100644
--- a/deps/npm/lib/utils/strict-allow-scripts-preflight.js
+++ b/deps/npm/lib/utils/strict-allow-scripts-preflight.js
@@ -48,19 +48,19 @@ const strictAllowScriptsPreflight = async ({ arb, npm, idealTreeOpts }) => {
return ` ${label} (${events})`
}).join('\n')
- // `npm approve-scripts` / `npm deny-scripts` write to a project
- // package.json, which doesn't exist for global installs. Point global
- // users at the `--allow-scripts` flag and `npm config set allow-scripts`,
- // which both work for global installs. Use the trusted display identity
- // so the suggested `npm config set` value matches what the policy matches
- // on, not the tarball's self-reported name.
+ // `npm install-scripts` writes to a project package.json, which doesn't
+ // exist for global installs. Point global users at the `--allow-scripts`
+ // flag and `npm config set allow-scripts`, which both work for global
+ // installs. Use the trusted display identity so the suggested `npm config
+ // set` value matches what the policy matches on, not the tarball's
+ // self-reported name.
const names = unreviewed.map(({ node }) => trustedDisplay(node).name)
const remediation = npm.global
? 'Allow them with `--allow-scripts`, persist them with ' +
`\`${configSetAllowScripts(names)}\`, or bypass this ` +
'check with `--dangerously-allow-all-scripts`.'
- : 'Approve them with `npm approve-scripts`, deny them with ' +
- '`npm deny-scripts`, or bypass this check with ' +
+ : 'Approve them with `npm install-scripts approve`, deny them with ' +
+ '`npm install-scripts deny`, or bypass this check with ' +
'`--dangerously-allow-all-scripts`.'
throw Object.assign(
diff --git a/deps/npm/man/man1/npm-access.1 b/deps/npm/man/man1/npm-access.1
index 5ffc6914ad0633..707bc69f167c40 100644
--- a/deps/npm/man/man1/npm-access.1
+++ b/deps/npm/man/man1/npm-access.1
@@ -1,4 +1,4 @@
-.TH "NPM-ACCESS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-ACCESS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-access\fR - Set access level on published packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-adduser.1 b/deps/npm/man/man1/npm-adduser.1
index 83f72e33008086..091bcf2e3fe833 100644
--- a/deps/npm/man/man1/npm-adduser.1
+++ b/deps/npm/man/man1/npm-adduser.1
@@ -1,4 +1,4 @@
-.TH "NPM-ADDUSER" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-ADDUSER" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-adduser\fR - Add a registry user account
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-approve-scripts.1 b/deps/npm/man/man1/npm-approve-scripts.1
index 1fa1807f197223..cd2aee3190b791 100644
--- a/deps/npm/man/man1/npm-approve-scripts.1
+++ b/deps/npm/man/man1/npm-approve-scripts.1
@@ -1,4 +1,4 @@
-.TH "NPM-APPROVE-SCRIPTS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-APPROVE-SCRIPTS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-approve-scripts\fR - Approve install scripts for specific dependencies
.SS "Synopsis"
@@ -37,6 +37,8 @@ npm approve-scripts --allow-scripts-pending
\fB--allow-scripts-pending\fR is read-only: it lists every package whose install scripts are not yet covered by \fBallowScripts\fR, without modifying \fBpackage.json\fR.
.P
\fBapprove-scripts\fR honours the asymmetric pin rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the new installed version. Multi-version statements (\fBpkg@1 || 2\fR) are left alone, since they likely capture intent that the command cannot infer. Existing \fBfalse\fR entries always win; \fBapprove-scripts\fR will not silently re-allow a package you previously denied.
+.P
+If a registry dependency has no \fBresolved\fR URL in your \fBpackage-lock.json\fR (for example, an older lockfile or one written with \fBomit-lockfile-registry-resolved\fR), npm cannot verify a trusted version for it and cannot pin it: a \fBpkg@1.2.3\fR entry never matches, so the package keeps appearing under \fB--allow-scripts-pending\fR. \fBapprove-scripts\fR approves these by name (\fBpkg: true\fR) and warns when it does. To restore pinning, refresh the lockfile with \fBnpm install\fR.
.SS "Examples"
.P
.RS 2
diff --git a/deps/npm/man/man1/npm-audit.1 b/deps/npm/man/man1/npm-audit.1
index 9dca2a16806cd8..4c9bf13ecc27ba 100644
--- a/deps/npm/man/man1/npm-audit.1
+++ b/deps/npm/man/man1/npm-audit.1
@@ -1,4 +1,4 @@
-.TH "NPM-AUDIT" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-AUDIT" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-audit\fR - Run a security audit
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-bugs.1 b/deps/npm/man/man1/npm-bugs.1
index 4e9fb5d6d1ddf7..529f369d12dac4 100644
--- a/deps/npm/man/man1/npm-bugs.1
+++ b/deps/npm/man/man1/npm-bugs.1
@@ -1,4 +1,4 @@
-.TH "NPM-BUGS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-BUGS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-bugs\fR - Report bugs for a package in a web browser
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-cache.1 b/deps/npm/man/man1/npm-cache.1
index 056647fd1f366c..1f609ffd785afe 100644
--- a/deps/npm/man/man1/npm-cache.1
+++ b/deps/npm/man/man1/npm-cache.1
@@ -1,4 +1,4 @@
-.TH "NPM-CACHE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-CACHE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-cache\fR - Manipulates packages cache
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ci.1 b/deps/npm/man/man1/npm-ci.1
index 88d49e4cfd29a5..2e62f4a1e73fcb 100644
--- a/deps/npm/man/man1/npm-ci.1
+++ b/deps/npm/man/man1/npm-ci.1
@@ -1,4 +1,4 @@
-.TH "NPM-CI" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-CI" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-ci\fR - Clean install a project
.SS "Synopsis"
@@ -75,7 +75,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
@@ -242,6 +244,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-completion.1 b/deps/npm/man/man1/npm-completion.1
index 15444b319c7642..5327001ec3f12e 100644
--- a/deps/npm/man/man1/npm-completion.1
+++ b/deps/npm/man/man1/npm-completion.1
@@ -1,4 +1,4 @@
-.TH "NPM-COMPLETION" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-COMPLETION" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-completion\fR - Tab Completion for npm
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-config.1 b/deps/npm/man/man1/npm-config.1
index 446486b119387b..82fd108f72c0c7 100644
--- a/deps/npm/man/man1/npm-config.1
+++ b/deps/npm/man/man1/npm-config.1
@@ -1,4 +1,4 @@
-.TH "NPM-CONFIG" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-CONFIG" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-config\fR - Manage the npm configuration files
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-dedupe.1 b/deps/npm/man/man1/npm-dedupe.1
index c370607b6fc112..68e369035eae76 100644
--- a/deps/npm/man/man1/npm-dedupe.1
+++ b/deps/npm/man/man1/npm-dedupe.1
@@ -1,4 +1,4 @@
-.TH "NPM-DEDUPE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DEDUPE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-dedupe\fR - Reduce duplication in the package tree
.SS "Synopsis"
@@ -74,7 +74,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-deny-scripts.1 b/deps/npm/man/man1/npm-deny-scripts.1
index f60c26b5a3c410..67daaa87b720ee 100644
--- a/deps/npm/man/man1/npm-deny-scripts.1
+++ b/deps/npm/man/man1/npm-deny-scripts.1
@@ -1,4 +1,4 @@
-.TH "NPM-DENY-SCRIPTS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DENY-SCRIPTS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-deny-scripts\fR - Deny install scripts for specific dependencies
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-deprecate.1 b/deps/npm/man/man1/npm-deprecate.1
index e04d1228f86db9..1d89f067e7305e 100644
--- a/deps/npm/man/man1/npm-deprecate.1
+++ b/deps/npm/man/man1/npm-deprecate.1
@@ -1,4 +1,4 @@
-.TH "NPM-DEPRECATE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DEPRECATE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-deprecate\fR - Deprecate a version of a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-diff.1 b/deps/npm/man/man1/npm-diff.1
index ed49280aa5a1e9..cc06fc95438658 100644
--- a/deps/npm/man/man1/npm-diff.1
+++ b/deps/npm/man/man1/npm-diff.1
@@ -1,4 +1,4 @@
-.TH "NPM-DIFF" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DIFF" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-diff\fR - The registry diff command
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-dist-tag.1 b/deps/npm/man/man1/npm-dist-tag.1
index 3aeacd51dccecc..6c3e74e3c6513d 100644
--- a/deps/npm/man/man1/npm-dist-tag.1
+++ b/deps/npm/man/man1/npm-dist-tag.1
@@ -1,4 +1,4 @@
-.TH "NPM-DIST-TAG" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DIST-TAG" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-dist-tag\fR - Modify package distribution tags
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-docs.1 b/deps/npm/man/man1/npm-docs.1
index e3e9a43aac9cf8..952c18cf115f69 100644
--- a/deps/npm/man/man1/npm-docs.1
+++ b/deps/npm/man/man1/npm-docs.1
@@ -1,4 +1,4 @@
-.TH "NPM-DOCS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DOCS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-docs\fR - Open documentation for a package in a web browser
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-doctor.1 b/deps/npm/man/man1/npm-doctor.1
index 1e89fec2f3f986..1e8813a13a1488 100644
--- a/deps/npm/man/man1/npm-doctor.1
+++ b/deps/npm/man/man1/npm-doctor.1
@@ -1,4 +1,4 @@
-.TH "NPM-DOCTOR" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-DOCTOR" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-doctor\fR - Check the health of your npm environment
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-edit.1 b/deps/npm/man/man1/npm-edit.1
index 530543a029b114..d46ea046ddb046 100644
--- a/deps/npm/man/man1/npm-edit.1
+++ b/deps/npm/man/man1/npm-edit.1
@@ -1,4 +1,4 @@
-.TH "NPM-EDIT" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-EDIT" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-edit\fR - Edit an installed package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-exec.1 b/deps/npm/man/man1/npm-exec.1
index 3122968e406543..93245000380fb7 100644
--- a/deps/npm/man/man1/npm-exec.1
+++ b/deps/npm/man/man1/npm-exec.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXEC" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-EXEC" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-exec\fR - Run a command from a local or remote npm package
.SS "Synopsis"
@@ -193,6 +193,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-explain.1 b/deps/npm/man/man1/npm-explain.1
index ad4b6a15bf64ce..0c4b22410bf64a 100644
--- a/deps/npm/man/man1/npm-explain.1
+++ b/deps/npm/man/man1/npm-explain.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXPLAIN" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-EXPLAIN" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-explain\fR - Explain installed packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-explore.1 b/deps/npm/man/man1/npm-explore.1
index ee12137b4d6270..bd6788e463ea42 100644
--- a/deps/npm/man/man1/npm-explore.1
+++ b/deps/npm/man/man1/npm-explore.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXPLORE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-EXPLORE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-explore\fR - Browse an installed package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-find-dupes.1 b/deps/npm/man/man1/npm-find-dupes.1
index 287971553cc917..8cab256a973b0f 100644
--- a/deps/npm/man/man1/npm-find-dupes.1
+++ b/deps/npm/man/man1/npm-find-dupes.1
@@ -1,4 +1,4 @@
-.TH "NPM-FIND-DUPES" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-FIND-DUPES" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-find-dupes\fR - Find duplication in the package tree
.SS "Synopsis"
@@ -21,7 +21,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-fund.1 b/deps/npm/man/man1/npm-fund.1
index fbe8cdc9bee951..a334c59e990078 100644
--- a/deps/npm/man/man1/npm-fund.1
+++ b/deps/npm/man/man1/npm-fund.1
@@ -1,4 +1,4 @@
-.TH "NPM-FUND" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-FUND" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-fund\fR - Retrieve funding information
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-get.1 b/deps/npm/man/man1/npm-get.1
index 03c66b0379ffdd..1eb86d69f161e0 100644
--- a/deps/npm/man/man1/npm-get.1
+++ b/deps/npm/man/man1/npm-get.1
@@ -1,4 +1,4 @@
-.TH "NPM-GET" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-GET" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-get\fR - Get a value from the npm configuration
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-help-search.1 b/deps/npm/man/man1/npm-help-search.1
index 00a4a24dce4a23..b1752ad2b563be 100644
--- a/deps/npm/man/man1/npm-help-search.1
+++ b/deps/npm/man/man1/npm-help-search.1
@@ -1,4 +1,4 @@
-.TH "NPM-HELP-SEARCH" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-HELP-SEARCH" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-help-search\fR - Search npm help documentation
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-help.1 b/deps/npm/man/man1/npm-help.1
index 7462b626b6f017..aef5394daaa26a 100644
--- a/deps/npm/man/man1/npm-help.1
+++ b/deps/npm/man/man1/npm-help.1
@@ -1,4 +1,4 @@
-.TH "NPM-HELP" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-HELP" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-help\fR - Get help on npm
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-init.1 b/deps/npm/man/man1/npm-init.1
index 80e94e4140e090..990e0a58ed2820 100644
--- a/deps/npm/man/man1/npm-init.1
+++ b/deps/npm/man/man1/npm-init.1
@@ -1,4 +1,4 @@
-.TH "NPM-INIT" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-INIT" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-init\fR - Create a package.json file
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-install-ci-test.1 b/deps/npm/man/man1/npm-install-ci-test.1
index 77d75105800b89..88db36a8799a22 100644
--- a/deps/npm/man/man1/npm-install-ci-test.1
+++ b/deps/npm/man/man1/npm-install-ci-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL-CI-TEST" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-INSTALL-CI-TEST" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-install-ci-test\fR - Install a project with a clean slate and run tests
.SS "Synopsis"
@@ -23,7 +23,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
@@ -190,6 +192,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-install-scripts.1 b/deps/npm/man/man1/npm-install-scripts.1
new file mode 100644
index 00000000000000..457b55c9fb7a8b
--- /dev/null
+++ b/deps/npm/man/man1/npm-install-scripts.1
@@ -0,0 +1,133 @@
+.TH "NPM-INSTALL-SCRIPTS" "1" "June 2026" "NPM@11.18.0" ""
+.SH "NAME"
+\fBnpm-install-scripts\fR - Manage install-script approvals for dependencies
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm install-scripts approve \[lB] ...\[rB]
+npm install-scripts approve --all
+npm install-scripts deny \[lB] ...\[rB]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+.fi
+.RE
+.P
+Note: This command is unaware of workspaces.
+.SS "Description"
+.P
+Manages the \fBallowScripts\fR field in your project's \fBpackage.json\fR, which records which of your dependencies are permitted to run install scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry sources). This is the recommended way to maintain that field.
+.P
+Dependency install scripts are blocked by default. Install commands silently skip lifecycle scripts for any dependency that does not have a matching entry in \fBallowScripts\fR, and end with a list of the packages whose scripts were skipped so you can review them here.
+.P
+This command only works inside a project that has a \fBpackage.json\fR. Running it with \fB--global\fR (\fB-g\fR) fails with an \fBEGLOBAL\fR error, since global installs (\fBnpm install -g\fR) and one-off executions (\fBnpm exec\fR / \fBnpx\fR) have no project \fBpackage.json\fR to write to. To allow install scripts in those contexts, use the \fB--allow-scripts\fR flag at install time (for example \fBnpm install -g --allow-scripts=canvas,sharp\fR) or persist the setting with \fBnpm config set allow-scripts=canvas,sharp --location=user\fR.
+.P
+There are four subcommands:
+.P
+.RS 2
+.nf
+npm install-scripts approve \[lB] ...\[rB]
+npm install-scripts approve --all
+npm install-scripts deny \[lB] ...\[rB]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+.fi
+.RE
+.P
+\fBapprove\fR allows install scripts for the named packages. \fB\fR matches every installed version of that package. By default it writes pinned entries (\fBpkg@1.2.3\fR), which keep their approval narrowed to the specific version you reviewed. Pass \fB--no-allow-scripts-pin\fR to write name-only entries that allow any future version. \fB--all\fR approves every package with unreviewed install scripts in one go.
+.P
+\fBdeny\fR records an explicit denial for the named packages (a name-only \fBfalse\fR entry), which survives \fBnpm install-scripts approve --all\fR and excludes the package from any future blanket approval. \fB--all\fR denies every package with unreviewed install scripts.
+.P
+\fBls\fR is read-only: it lists every package whose install scripts are not yet covered by \fBallowScripts\fR, without modifying \fBpackage.json\fR.
+.P
+\fBprune\fR removes \fBallowScripts\fR entries that no longer match an installed package with an install script, either because the package is no longer installed (a transitive dependency changed, or a pinned \fBpkg@1.2.3\fR was upgraded) or because it no longer has an install script. Both approvals (\fBtrue\fR) and denials (\fBfalse\fR) are removed. It edits only the \fBallowScripts\fR field in \fBpackage.json\fR, never \fB.npmrc\fR or \fB--allow-scripts\fR. Pass \fB--dry-run\fR to preview without writing. Unparseable keys are left alone.
+.P
+\fBapprove\fR honours the asymmetric pin rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the new installed version. Multi-version statements (\fBpkg@1 || 2\fR) are left alone, since they likely capture intent that the command cannot infer. Existing \fBfalse\fR entries always win; \fBapprove\fR will not silently re-allow a package you previously denied.
+.P
+The standalone commands npm help approve-scripts and npm help deny-scripts are aliases for \fBnpm install-scripts approve\fR and \fBnpm install-scripts deny\fR.
+.SS "Examples"
+.P
+.RS 2
+.nf
+# Approve all currently-installed install scripts after reviewing them
+npm install-scripts approve --all
+
+# Approve specific packages, pinned to their installed version
+npm install-scripts approve canvas sharp
+
+# Deny a package so it stays blocked
+npm install-scripts deny telemetry-pkg
+
+# Preview which packages still need review
+npm install-scripts ls
+
+# Preview stale allowScripts entries, then remove them
+npm install-scripts prune --dry-run
+npm install-scripts prune
+.fi
+.RE
+.SS "Configuration"
+.SS "\fBall\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Show or act on all packages, not just the ones your project directly depends on. For \fBnpm outdated\fR and \fBnpm ls\fR this lists every outdated or installed package. For \fBnpm approve-scripts\fR and \fBnpm deny-scripts\fR it selects every package with pending install scripts.
+.SS "\fBallow-scripts-pin\fR"
+.RS 0
+.IP \(bu 4
+Default: true
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Write pinned (\fBpkg@version\fR) entries when approving install scripts. Set to \fBfalse\fR to write name-only entries that allow any version. Has no effect on \fBnpm deny-scripts\fR, which always writes name-only entries regardless of this setting.
+.SS "\fBdry-run\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR.
+.P
+Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc.
+.SS "\fBjson\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Whether or not to output JSON data, rather than the normal output.
+.RS 0
+.IP \(bu 4
+In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR.
+.RE 0
+
+.P
+Not supported by all npm commands.
+.SS "See Also"
+.RS 0
+.IP \(bu 4
+npm help approve-scripts
+.IP \(bu 4
+npm help deny-scripts
+.IP \(bu 4
+npm help install
+.IP \(bu 4
+npm help rebuild
+.IP \(bu 4
+\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR
+.RE 0
diff --git a/deps/npm/man/man1/npm-install-test.1 b/deps/npm/man/man1/npm-install-test.1
index bea21d8f9996f4..56a0a454c8e601 100644
--- a/deps/npm/man/man1/npm-install-test.1
+++ b/deps/npm/man/man1/npm-install-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL-TEST" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-INSTALL-TEST" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-install-test\fR - Install package(s) and run tests
.SS "Synopsis"
@@ -66,7 +66,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
@@ -267,6 +269,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
@@ -302,6 +306,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBmin-release-age\fR"
.RS 0
@@ -316,6 +323,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
diff --git a/deps/npm/man/man1/npm-install.1 b/deps/npm/man/man1/npm-install.1
index c4a9d33e00e736..1c853a06d9e7a1 100644
--- a/deps/npm/man/man1/npm-install.1
+++ b/deps/npm/man/man1/npm-install.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-INSTALL" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-install\fR - Install a package
.SS "Synopsis"
@@ -456,7 +456,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
@@ -657,6 +659,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
@@ -692,6 +696,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBmin-release-age\fR"
.RS 0
@@ -706,6 +713,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
diff --git a/deps/npm/man/man1/npm-link.1 b/deps/npm/man/man1/npm-link.1
index 52b718e15e9cab..9b45424b521c13 100644
--- a/deps/npm/man/man1/npm-link.1
+++ b/deps/npm/man/man1/npm-link.1
@@ -1,4 +1,4 @@
-.TH "NPM-LINK" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-LINK" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-link\fR - Symlink a package folder
.SS "Synopsis"
@@ -133,7 +133,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-ll.1 b/deps/npm/man/man1/npm-ll.1
index cd62068571d750..76cca43a86c547 100644
--- a/deps/npm/man/man1/npm-ll.1
+++ b/deps/npm/man/man1/npm-ll.1
@@ -1,4 +1,4 @@
-.TH "NPM-LL" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-LL" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-ll\fR - List installed packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-login.1 b/deps/npm/man/man1/npm-login.1
index 3848cf175db3cf..c08365bf41b291 100644
--- a/deps/npm/man/man1/npm-login.1
+++ b/deps/npm/man/man1/npm-login.1
@@ -1,4 +1,4 @@
-.TH "NPM-LOGIN" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-LOGIN" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-login\fR - Login to a registry user account
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-logout.1 b/deps/npm/man/man1/npm-logout.1
index ebb1c62f319920..e27692a1f361d6 100644
--- a/deps/npm/man/man1/npm-logout.1
+++ b/deps/npm/man/man1/npm-logout.1
@@ -1,4 +1,4 @@
-.TH "NPM-LOGOUT" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-LOGOUT" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-logout\fR - Log out of the registry
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index f1d982134141bd..8d6a48be7adb13 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -1,4 +1,4 @@
-.TH "NPM-LS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-LS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-ls\fR - List installed packages
.SS "Synopsis"
@@ -20,7 +20,7 @@ Positional arguments are \fBname@version-range\fR identifiers, which will limit
.P
.RS 2
.nf
-npm@11.17.0 /path/to/npm
+npm@11.18.0 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
.fi
diff --git a/deps/npm/man/man1/npm-org.1 b/deps/npm/man/man1/npm-org.1
index 879be21b203a8f..87b14daf94bb7e 100644
--- a/deps/npm/man/man1/npm-org.1
+++ b/deps/npm/man/man1/npm-org.1
@@ -1,4 +1,4 @@
-.TH "NPM-ORG" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-ORG" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-org\fR - Manage orgs
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-outdated.1 b/deps/npm/man/man1/npm-outdated.1
index 446ddba893f360..0b2677ecbe64e4 100644
--- a/deps/npm/man/man1/npm-outdated.1
+++ b/deps/npm/man/man1/npm-outdated.1
@@ -1,4 +1,4 @@
-.TH "NPM-OUTDATED" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-OUTDATED" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-outdated\fR - Check for outdated packages
.SS "Synopsis"
@@ -182,6 +182,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBmin-release-age\fR"
.RS 0
@@ -196,6 +199,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
diff --git a/deps/npm/man/man1/npm-owner.1 b/deps/npm/man/man1/npm-owner.1
index f257550482ccad..b4239474547451 100644
--- a/deps/npm/man/man1/npm-owner.1
+++ b/deps/npm/man/man1/npm-owner.1
@@ -1,4 +1,4 @@
-.TH "NPM-OWNER" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-OWNER" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-owner\fR - Manage package owners
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-pack.1 b/deps/npm/man/man1/npm-pack.1
index 64de415452732e..4220d6eab1ba48 100644
--- a/deps/npm/man/man1/npm-pack.1
+++ b/deps/npm/man/man1/npm-pack.1
@@ -1,4 +1,4 @@
-.TH "NPM-PACK" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PACK" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-pack\fR - Create a tarball from a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ping.1 b/deps/npm/man/man1/npm-ping.1
index 8f4292b8b5e9a2..b214ef9bbe299f 100644
--- a/deps/npm/man/man1/npm-ping.1
+++ b/deps/npm/man/man1/npm-ping.1
@@ -1,4 +1,4 @@
-.TH "NPM-PING" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PING" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-ping\fR - Ping npm registry
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-pkg.1 b/deps/npm/man/man1/npm-pkg.1
index fba0a9b61aee9e..e61280ea9b3b51 100644
--- a/deps/npm/man/man1/npm-pkg.1
+++ b/deps/npm/man/man1/npm-pkg.1
@@ -1,4 +1,4 @@
-.TH "NPM-PKG" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PKG" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-pkg\fR - Manages your package.json
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-prefix.1 b/deps/npm/man/man1/npm-prefix.1
index 17248aa54d5396..8e5f186bc4940d 100644
--- a/deps/npm/man/man1/npm-prefix.1
+++ b/deps/npm/man/man1/npm-prefix.1
@@ -1,4 +1,4 @@
-.TH "NPM-PREFIX" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PREFIX" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-prefix\fR - Display prefix
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-profile.1 b/deps/npm/man/man1/npm-profile.1
index c050f580f4c853..7a3a7c3e73aed3 100644
--- a/deps/npm/man/man1/npm-profile.1
+++ b/deps/npm/man/man1/npm-profile.1
@@ -1,4 +1,4 @@
-.TH "NPM-PROFILE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PROFILE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-profile\fR - Change settings on your registry profile
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-prune.1 b/deps/npm/man/man1/npm-prune.1
index d70133afd0dcfc..d36938d3e27db9 100644
--- a/deps/npm/man/man1/npm-prune.1
+++ b/deps/npm/man/man1/npm-prune.1
@@ -1,4 +1,4 @@
-.TH "NPM-PRUNE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PRUNE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-prune\fR - Remove extraneous packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-publish.1 b/deps/npm/man/man1/npm-publish.1
index d25d25c7590460..36ad2d781aca22 100644
--- a/deps/npm/man/man1/npm-publish.1
+++ b/deps/npm/man/man1/npm-publish.1
@@ -1,4 +1,4 @@
-.TH "NPM-PUBLISH" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-PUBLISH" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-publish\fR - Publish a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-query.1 b/deps/npm/man/man1/npm-query.1
index 654f2c33242b56..f5e07ec1954db5 100644
--- a/deps/npm/man/man1/npm-query.1
+++ b/deps/npm/man/man1/npm-query.1
@@ -1,4 +1,4 @@
-.TH "NPM-QUERY" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-QUERY" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-query\fR - Dependency selector query
.SS "Synopsis"
@@ -289,6 +289,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBmin-release-age\fR"
.RS 0
@@ -303,6 +306,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
diff --git a/deps/npm/man/man1/npm-rebuild.1 b/deps/npm/man/man1/npm-rebuild.1
index 9c4aac4a249191..972bb0fadefa4c 100644
--- a/deps/npm/man/man1/npm-rebuild.1
+++ b/deps/npm/man/man1/npm-rebuild.1
@@ -1,4 +1,4 @@
-.TH "NPM-REBUILD" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-REBUILD" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-rebuild\fR - Rebuild a package
.SS "Synopsis"
@@ -127,6 +127,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man1/npm-repo.1 b/deps/npm/man/man1/npm-repo.1
index 2ddf9937d8e715..f354706b7a96bc 100644
--- a/deps/npm/man/man1/npm-repo.1
+++ b/deps/npm/man/man1/npm-repo.1
@@ -1,4 +1,4 @@
-.TH "NPM-REPO" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-REPO" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-repo\fR - Open package repository page in the browser
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-restart.1 b/deps/npm/man/man1/npm-restart.1
index 2b9b1161058b44..754c1450517e85 100644
--- a/deps/npm/man/man1/npm-restart.1
+++ b/deps/npm/man/man1/npm-restart.1
@@ -1,4 +1,4 @@
-.TH "NPM-RESTART" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-RESTART" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-restart\fR - Restart a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-root.1 b/deps/npm/man/man1/npm-root.1
index 7b85912e45cfb0..21a04731a3c84f 100644
--- a/deps/npm/man/man1/npm-root.1
+++ b/deps/npm/man/man1/npm-root.1
@@ -1,4 +1,4 @@
-.TH "NPM-ROOT" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-ROOT" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-root\fR - Display npm root
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-run.1 b/deps/npm/man/man1/npm-run.1
index 0beb0b5fd04437..c481d3ea7f3a57 100644
--- a/deps/npm/man/man1/npm-run.1
+++ b/deps/npm/man/man1/npm-run.1
@@ -1,4 +1,4 @@
-.TH "NPM-RUN" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-RUN" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-run\fR - Run arbitrary package scripts
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-sbom.1 b/deps/npm/man/man1/npm-sbom.1
index c04aca73069b15..4528c2287d3689 100644
--- a/deps/npm/man/man1/npm-sbom.1
+++ b/deps/npm/man/man1/npm-sbom.1
@@ -1,4 +1,4 @@
-.TH "NPM-SBOM" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-SBOM" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-sbom\fR - Generate a Software Bill of Materials (SBOM)
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-search.1 b/deps/npm/man/man1/npm-search.1
index 72e8175649c820..88088ac8303093 100644
--- a/deps/npm/man/man1/npm-search.1
+++ b/deps/npm/man/man1/npm-search.1
@@ -1,4 +1,4 @@
-.TH "NPM-SEARCH" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-SEARCH" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-search\fR - Search for packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-set.1 b/deps/npm/man/man1/npm-set.1
index 84190092eaa846..feee9c27be677c 100644
--- a/deps/npm/man/man1/npm-set.1
+++ b/deps/npm/man/man1/npm-set.1
@@ -1,4 +1,4 @@
-.TH "NPM-SET" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-SET" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-set\fR - Set a value in the npm configuration
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-shrinkwrap.1 b/deps/npm/man/man1/npm-shrinkwrap.1
index faf1d8081df6a9..12d1b01f5553f4 100644
--- a/deps/npm/man/man1/npm-shrinkwrap.1
+++ b/deps/npm/man/man1/npm-shrinkwrap.1
@@ -1,4 +1,4 @@
-.TH "NPM-SHRINKWRAP" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-SHRINKWRAP" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-shrinkwrap\fR - Lock down dependency versions for publication
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stage.1 b/deps/npm/man/man1/npm-stage.1
index 20549ea1b36821..9e14f2c5b25179 100644
--- a/deps/npm/man/man1/npm-stage.1
+++ b/deps/npm/man/man1/npm-stage.1
@@ -1,4 +1,4 @@
-.TH "NPM-STAGE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-STAGE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-stage\fR - Stage packages for publishing
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-star.1 b/deps/npm/man/man1/npm-star.1
index 545945e0bdbc12..37d94b17a7c376 100644
--- a/deps/npm/man/man1/npm-star.1
+++ b/deps/npm/man/man1/npm-star.1
@@ -1,4 +1,4 @@
-.TH "NPM-STAR" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-STAR" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-star\fR - Mark your favorite packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stars.1 b/deps/npm/man/man1/npm-stars.1
index 1eb8ca9b8f31ab..4db22ed60395ec 100644
--- a/deps/npm/man/man1/npm-stars.1
+++ b/deps/npm/man/man1/npm-stars.1
@@ -1,4 +1,4 @@
-.TH "NPM-STARS" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-STARS" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-stars\fR - View packages marked as favorites
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-start.1 b/deps/npm/man/man1/npm-start.1
index 7722f5aa5bfab9..0729d9cd175465 100644
--- a/deps/npm/man/man1/npm-start.1
+++ b/deps/npm/man/man1/npm-start.1
@@ -1,4 +1,4 @@
-.TH "NPM-START" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-START" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-start\fR - Start a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stop.1 b/deps/npm/man/man1/npm-stop.1
index df8ec8448baad3..e9261943c03c6e 100644
--- a/deps/npm/man/man1/npm-stop.1
+++ b/deps/npm/man/man1/npm-stop.1
@@ -1,4 +1,4 @@
-.TH "NPM-STOP" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-STOP" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-stop\fR - Stop a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-team.1 b/deps/npm/man/man1/npm-team.1
index 4ef28794fc6c2d..d1e9e481cd882f 100644
--- a/deps/npm/man/man1/npm-team.1
+++ b/deps/npm/man/man1/npm-team.1
@@ -1,4 +1,4 @@
-.TH "NPM-TEAM" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-TEAM" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-team\fR - Manage organization teams and team memberships
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-test.1 b/deps/npm/man/man1/npm-test.1
index b000e1bc6417fb..a9c28e79e980e5 100644
--- a/deps/npm/man/man1/npm-test.1
+++ b/deps/npm/man/man1/npm-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-TEST" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-TEST" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-test\fR - Test a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-token.1 b/deps/npm/man/man1/npm-token.1
index a6823c2e2fa530..383a825d14fbde 100644
--- a/deps/npm/man/man1/npm-token.1
+++ b/deps/npm/man/man1/npm-token.1
@@ -1,4 +1,4 @@
-.TH "NPM-TOKEN" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-TOKEN" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-token\fR - Manage your authentication tokens
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-trust.1 b/deps/npm/man/man1/npm-trust.1
index 9d20c2d45e8e59..5dc2dfc702a25f 100644
--- a/deps/npm/man/man1/npm-trust.1
+++ b/deps/npm/man/man1/npm-trust.1
@@ -1,4 +1,4 @@
-.TH "NPM-TRUST" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-TRUST" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-trust\fR - Manage trusted publishing relationships between packages and CI/CD providers
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-undeprecate.1 b/deps/npm/man/man1/npm-undeprecate.1
index 896fdb1f228fd7..2fc8e0050091b9 100644
--- a/deps/npm/man/man1/npm-undeprecate.1
+++ b/deps/npm/man/man1/npm-undeprecate.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNDEPRECATE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-UNDEPRECATE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-undeprecate\fR - Undeprecate a version of a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-uninstall.1 b/deps/npm/man/man1/npm-uninstall.1
index 7384f0c4b2ac20..d2843a8a330506 100644
--- a/deps/npm/man/man1/npm-uninstall.1
+++ b/deps/npm/man/man1/npm-uninstall.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNINSTALL" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-UNINSTALL" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-uninstall\fR - Remove a package
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-unpublish.1 b/deps/npm/man/man1/npm-unpublish.1
index 15ece4ea1512d5..7c62b0c1324a31 100644
--- a/deps/npm/man/man1/npm-unpublish.1
+++ b/deps/npm/man/man1/npm-unpublish.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNPUBLISH" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-UNPUBLISH" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-unpublish\fR - Remove a package from the registry
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-unstar.1 b/deps/npm/man/man1/npm-unstar.1
index 756d74ff719167..fe080180b661e7 100644
--- a/deps/npm/man/man1/npm-unstar.1
+++ b/deps/npm/man/man1/npm-unstar.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNSTAR" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-UNSTAR" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-unstar\fR - Remove an item from your favorite packages
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-update.1 b/deps/npm/man/man1/npm-update.1
index 1d2904e2000df9..5ad8146b0da980 100644
--- a/deps/npm/man/man1/npm-update.1
+++ b/deps/npm/man/man1/npm-update.1
@@ -1,4 +1,4 @@
-.TH "NPM-UPDATE" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-UPDATE" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-update\fR - Update packages
.SS "Synopsis"
@@ -174,7 +174,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBlegacy-bundling\fR"
.RS 0
.IP \(bu 4
@@ -303,6 +305,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBdangerously-allow-all-scripts\fR"
.RS 0
.IP \(bu 4
@@ -338,6 +342,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBmin-release-age\fR"
.RS 0
@@ -352,6 +359,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
diff --git a/deps/npm/man/man1/npm-version.1 b/deps/npm/man/man1/npm-version.1
index 165689083e7fd8..d80b0e8288c096 100644
--- a/deps/npm/man/man1/npm-version.1
+++ b/deps/npm/man/man1/npm-version.1
@@ -1,4 +1,4 @@
-.TH "NPM-VERSION" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-VERSION" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-version\fR - Bump a package version
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-view.1 b/deps/npm/man/man1/npm-view.1
index f487a05cc30e92..1c965ded858613 100644
--- a/deps/npm/man/man1/npm-view.1
+++ b/deps/npm/man/man1/npm-view.1
@@ -1,4 +1,4 @@
-.TH "NPM-VIEW" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-VIEW" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-view\fR - View registry info
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-whoami.1 b/deps/npm/man/man1/npm-whoami.1
index 93c147ae162664..7ddb5ca6a84e76 100644
--- a/deps/npm/man/man1/npm-whoami.1
+++ b/deps/npm/man/man1/npm-whoami.1
@@ -1,4 +1,4 @@
-.TH "NPM-WHOAMI" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-WHOAMI" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-whoami\fR - Display npm username
.SS "Synopsis"
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index 29634dd59b29b6..58f6815ebadf92 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -1,4 +1,4 @@
-.TH "NPM" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPM" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm\fR - javascript package manager
.SS "Synopsis"
@@ -12,7 +12,7 @@ npm
Note: This command is unaware of workspaces.
.SS "Version"
.P
-11.17.0
+11.18.0
.SS "Description"
.P
npm is the package manager for the Node JavaScript platform. It puts modules in place so that node can find them, and manages dependency conflicts intelligently.
diff --git a/deps/npm/man/man1/npx.1 b/deps/npm/man/man1/npx.1
index d8d510d6d9bf09..c3a4f521f66762 100644
--- a/deps/npm/man/man1/npx.1
+++ b/deps/npm/man/man1/npx.1
@@ -1,4 +1,4 @@
-.TH "NPX" "1" "June 2026" "NPM@11.17.0" ""
+.TH "NPX" "1" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpx\fR - Run a command from a local or remote npm package
.SS "Synopsis"
diff --git a/deps/npm/man/man5/folders.5 b/deps/npm/man/man5/folders.5
index 5dd5cc2f5c537f..0202a97198c8f9 100644
--- a/deps/npm/man/man5/folders.5
+++ b/deps/npm/man/man5/folders.5
@@ -1,4 +1,4 @@
-.TH "FOLDERS" "5" "June 2026" "NPM@11.17.0" ""
+.TH "FOLDERS" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBFolders\fR - Folder structures used by npm
.SS "Description"
diff --git a/deps/npm/man/man5/install.5 b/deps/npm/man/man5/install.5
index ecd657bf2a4ba8..8e23936cba2da1 100644
--- a/deps/npm/man/man5/install.5
+++ b/deps/npm/man/man5/install.5
@@ -1,4 +1,4 @@
-.TH "INSTALL" "5" "June 2026" "NPM@11.17.0" ""
+.TH "INSTALL" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBInstall\fR - Download and install node and npm
.SS "Description"
diff --git a/deps/npm/man/man5/npm-global.5 b/deps/npm/man/man5/npm-global.5
index 5dd5cc2f5c537f..0202a97198c8f9 100644
--- a/deps/npm/man/man5/npm-global.5
+++ b/deps/npm/man/man5/npm-global.5
@@ -1,4 +1,4 @@
-.TH "FOLDERS" "5" "June 2026" "NPM@11.17.0" ""
+.TH "FOLDERS" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBFolders\fR - Folder structures used by npm
.SS "Description"
diff --git a/deps/npm/man/man5/npm-json.5 b/deps/npm/man/man5/npm-json.5
index b1a7646edc8f3b..bd9d1bd5b7ee94 100644
--- a/deps/npm/man/man5/npm-json.5
+++ b/deps/npm/man/man5/npm-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE.JSON" "5" "June 2026" "NPM@11.17.0" ""
+.TH "PACKAGE.JSON" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBpackage.json\fR - Specifics of npm's package.json handling
.SS "Description"
diff --git a/deps/npm/man/man5/npm-shrinkwrap-json.5 b/deps/npm/man/man5/npm-shrinkwrap-json.5
index 25c446d6238919..5f1f80576e9a09 100644
--- a/deps/npm/man/man5/npm-shrinkwrap-json.5
+++ b/deps/npm/man/man5/npm-shrinkwrap-json.5
@@ -1,4 +1,4 @@
-.TH "NPM-SHRINKWRAP.JSON" "5" "June 2026" "NPM@11.17.0" ""
+.TH "NPM-SHRINKWRAP.JSON" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBnpm-shrinkwrap.json\fR - A publishable lockfile
.SS "Description"
diff --git a/deps/npm/man/man5/npmrc.5 b/deps/npm/man/man5/npmrc.5
index f57ca1f46819c5..14d449b3111b7e 100644
--- a/deps/npm/man/man5/npmrc.5
+++ b/deps/npm/man/man5/npmrc.5
@@ -1,4 +1,4 @@
-.TH ".NPMRC" "5" "June 2026" "NPM@11.17.0" ""
+.TH ".NPMRC" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fB.npmrc\fR - The npm config files
.SS "Description"
diff --git a/deps/npm/man/man5/package-json.5 b/deps/npm/man/man5/package-json.5
index b1a7646edc8f3b..bd9d1bd5b7ee94 100644
--- a/deps/npm/man/man5/package-json.5
+++ b/deps/npm/man/man5/package-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE.JSON" "5" "June 2026" "NPM@11.17.0" ""
+.TH "PACKAGE.JSON" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBpackage.json\fR - Specifics of npm's package.json handling
.SS "Description"
diff --git a/deps/npm/man/man5/package-lock-json.5 b/deps/npm/man/man5/package-lock-json.5
index 527fc62ab1bb65..0223c95c68a4d5 100644
--- a/deps/npm/man/man5/package-lock-json.5
+++ b/deps/npm/man/man5/package-lock-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE-LOCK.JSON" "5" "June 2026" "NPM@11.17.0" ""
+.TH "PACKAGE-LOCK.JSON" "5" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBpackage-lock.json\fR - A manifestation of the manifest
.SS "Description"
diff --git a/deps/npm/man/man7/config.7 b/deps/npm/man/man7/config.7
index 75c854342d85ae..eb4145df952600 100644
--- a/deps/npm/man/man7/config.7
+++ b/deps/npm/man/man7/config.7
@@ -1,4 +1,4 @@
-.TH "CONFIG" "7" "June 2026" "NPM@11.17.0" ""
+.TH "CONFIG" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBConfig\fR - About npm configuration
.SS "Description"
@@ -333,6 +333,9 @@ If the requested version is a \fBdist-tag\fR and the given tag does not pass the
.P
If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
.P
+As with \fBmin-release-age\fR, when this cutoff blocks a fix that \fBnpm audit
+fix\fR would install, npm keeps the vulnerable version, warns, and exits with a non-zero code.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.SS "\fBbin-links\fR"
.RS 0
@@ -1020,7 +1023,9 @@ Type: "hoisted", "nested", "shallow", or "linked"
.RE 0
.P
-Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: (experimental) install in node_modules/.store, link in place, unhoisted.
+Sets the strategy for installing packages in node_modules. hoisted (default): Install non-duplicated in top-level, and duplicated as necessary within directory structure. nested: (formerly --legacy-bundling) install in place, no hoisting. shallow (formerly --global-style) only install direct deps at top-level. linked: install in node_modules/.store, link in place, unhoisted.
+.P
+We recommend that package authors use \fB--install-strategy=linked\fR during development to catch undeclared ("phantom") dependencies before publishing: the isolated layout only exposes a package's declared dependencies, so an \fBimport\fR of a package that was never added to \fBpackage.json\fR can fail instead of resolving by accident and shipping broken. See \fBCatching undeclared ("phantom") dependencies\fR \fI\(la/using-npm/developers#catching-undeclared-phantom-dependencies\(ra\fR.
.SS "\fBjson\fR"
.RS 0
.IP \(bu 4
@@ -1202,6 +1207,8 @@ If set, npm will build the npm tree such that only versions that were available
.P
This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
.P
+When this window stops \fBnpm audit fix\fR from installing a patched version (because the fix was published too recently), npm keeps the package at its vulnerable version, warns that the fix was blocked, and exits with a non-zero code. To install the fix, add the package to \fBmin-release-age-exclude\fR, or relax \fBmin-release-age\fR or \fBbefore\fR.
+.P
Packages whose names match \fBmin-release-age-exclude\fR are exempt from this filter.
.P
This value is not exported to the environment for child processes.
@@ -1586,7 +1593,9 @@ Defines behavior for replacing the registry host in a lockfile with the configur
.P
The default behavior is to replace package dist URLs from the default registry (https://registry.npmjs.org) to the configured registry. If set to "never", then use the registry value. If set to "always", then replace the registry host with the configured host every time.
.P
-You may also specify a bare hostname (e.g., "registry.npmjs.org").
+You may also specify a bare hostname (e.g., "registry.npmjs.org") to only replace URLs coming from that host.
+.P
+You may also specify a full URL including a path (e.g., "https://old-registry.example.com/npm/path"). In that case, resolved URLs whose host and path begin with that prefix will have the entire prefix replaced with the configured registry URL (host and path), without duplicating path segments.
.SS "\fBsave\fR"
.RS 0
.IP \(bu 4
@@ -1847,6 +1856,8 @@ Type: Boolean
If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
.P
Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.P
+Optional dependencies that cannot be installed on the current platform or engine (a non-matching \fBos\fR, \fBcpu\fR, or \fBlibc\fR) are not flagged, because their install scripts never run.
.SS "\fBstrict-peer-deps\fR"
.RS 0
.IP \(bu 4
diff --git a/deps/npm/man/man7/dependency-selectors.7 b/deps/npm/man/man7/dependency-selectors.7
index be698295b15fae..0a9ea65ac2a4f9 100644
--- a/deps/npm/man/man7/dependency-selectors.7
+++ b/deps/npm/man/man7/dependency-selectors.7
@@ -1,4 +1,4 @@
-.TH "SELECTORS" "7" "June 2026" "NPM@11.17.0" ""
+.TH "SELECTORS" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBSelectors\fR - Dependency Selector Syntax & Querying
.SS "Description"
diff --git a/deps/npm/man/man7/developers.7 b/deps/npm/man/man7/developers.7
index 0956c032d8f6c2..85cc7a5f794032 100644
--- a/deps/npm/man/man7/developers.7
+++ b/deps/npm/man/man7/developers.7
@@ -1,4 +1,4 @@
-.TH "DEVELOPERS" "7" "June 2026" "NPM@11.17.0" ""
+.TH "DEVELOPERS" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBDevelopers\fR - Developer guide
.SS "Description"
@@ -184,6 +184,23 @@ npm install ../my-package
to install it locally into the node_modules folder in that other place.
.P
Then go into the node-repl, and try using require("my-thing") to bring in your module's main module.
+.SS "Catching undeclared (\"phantom\") dependencies"
+.P
+Under the default hoisted \fBnode_modules\fR layout, your package can \fBimport\fR a dependency it never declared and still resolve it. A transitive dependency hoisted alongside it, or your workspace root's \fBnode_modules\fR, happens to satisfy the \fBimport\fR. That undeclared ("phantom") dependency passes your own build silently, then fails for anyone who installs your package on its own.
+.P
+We recommend developing your package under \fB\[rs]fBinstall-strategy=linked\[rs]fR\fR \fI\(la/using-npm/config#install-strategy\(ra\fR. The isolated layout only exposes a package's \fIdeclared\fR dependencies, so an \fBimport\fR of an undeclared package fails for you during development instead of resolving by accident, shipping broken, and failing for your users:
+.P
+.RS 2
+.nf
+npm install --install-strategy=linked
+npm test
+.fi
+.RE
+.RS 0
+.P
+\fBNote:\fR This doesn't catch every case. A dependency that's still satisfied at your build by a \fBdevDependency\fR or by your workspace root's \fBnode_modules\fR can resolve fine for you and still be missing for whoever installs your package. So treat it as one check, not a guarantee, alongside auditing the dependencies your published package actually uses.
+.RE 0
+
.SS "Create a User Account"
.P
Create a user with the adduser command. It works like this:
diff --git a/deps/npm/man/man7/logging.7 b/deps/npm/man/man7/logging.7
index 3d037957e5566d..350348aa714eb8 100644
--- a/deps/npm/man/man7/logging.7
+++ b/deps/npm/man/man7/logging.7
@@ -1,4 +1,4 @@
-.TH "LOGGING" "7" "June 2026" "NPM@11.17.0" ""
+.TH "LOGGING" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBLogging\fR - Why, What & How we Log
.SS "Description"
diff --git a/deps/npm/man/man7/orgs.7 b/deps/npm/man/man7/orgs.7
index 3224946c994e53..bb6cad63c5113e 100644
--- a/deps/npm/man/man7/orgs.7
+++ b/deps/npm/man/man7/orgs.7
@@ -1,4 +1,4 @@
-.TH "ORGANIZATIONS" "7" "June 2026" "NPM@11.17.0" ""
+.TH "ORGANIZATIONS" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBOrganizations\fR - Working with teams & organizations
.SS "Description"
diff --git a/deps/npm/man/man7/package-spec.7 b/deps/npm/man/man7/package-spec.7
index 8c57645a9ca7fa..2ec37301d540ef 100644
--- a/deps/npm/man/man7/package-spec.7
+++ b/deps/npm/man/man7/package-spec.7
@@ -1,4 +1,4 @@
-.TH "SPEC" "7" "June 2026" "NPM@11.17.0" ""
+.TH "SPEC" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBspec\fR - Package name specifier
.SS "Description"
diff --git a/deps/npm/man/man7/registry.7 b/deps/npm/man/man7/registry.7
index 6fc1fa42503ec1..49f471fd2cc1e8 100644
--- a/deps/npm/man/man7/registry.7
+++ b/deps/npm/man/man7/registry.7
@@ -1,4 +1,4 @@
-.TH "REGISTRY" "7" "June 2026" "NPM@11.17.0" ""
+.TH "REGISTRY" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBRegistry\fR - The JavaScript Package Registry
.SS "Description"
diff --git a/deps/npm/man/man7/removal.7 b/deps/npm/man/man7/removal.7
index 63295bda59554e..de875cb8e0c922 100644
--- a/deps/npm/man/man7/removal.7
+++ b/deps/npm/man/man7/removal.7
@@ -1,4 +1,4 @@
-.TH "REMOVAL" "7" "June 2026" "NPM@11.17.0" ""
+.TH "REMOVAL" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBRemoval\fR - Cleaning the slate
.SS "Synopsis"
diff --git a/deps/npm/man/man7/scope.7 b/deps/npm/man/man7/scope.7
index 5d81873536a680..793031ca011065 100644
--- a/deps/npm/man/man7/scope.7
+++ b/deps/npm/man/man7/scope.7
@@ -1,4 +1,4 @@
-.TH "SCOPE" "7" "June 2026" "NPM@11.17.0" ""
+.TH "SCOPE" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBScope\fR - Scoped packages
.SS "Description"
diff --git a/deps/npm/man/man7/scripts.7 b/deps/npm/man/man7/scripts.7
index 6f104de691ad61..368e0fd18930fa 100644
--- a/deps/npm/man/man7/scripts.7
+++ b/deps/npm/man/man7/scripts.7
@@ -1,4 +1,4 @@
-.TH "SCRIPTS" "7" "June 2026" "NPM@11.17.0" ""
+.TH "SCRIPTS" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBScripts\fR - How npm handles the "scripts" field
.SS "Description"
diff --git a/deps/npm/man/man7/workspaces.7 b/deps/npm/man/man7/workspaces.7
index d68c1394c1c877..5dfa00e6492796 100644
--- a/deps/npm/man/man7/workspaces.7
+++ b/deps/npm/man/man7/workspaces.7
@@ -1,4 +1,4 @@
-.TH "WORKSPACES" "7" "June 2026" "NPM@11.17.0" ""
+.TH "WORKSPACES" "7" "June 2026" "NPM@11.18.0" ""
.SH "NAME"
\fBWorkspaces\fR - Working with workspaces
.SS "Description"
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
index 68527972b1fc39..63157b9a550de6 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
@@ -97,6 +97,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
#loadFailures = new Set()
#manifests = new Map()
#mutateTree = false
+ #requestedTreeMutation = false
// a map of each module in a peer set to the thing that depended on
// that set of peers in the first place. Use a WeakMap so that we
// don't hold onto references for nodes that are garbage collected.
@@ -261,12 +262,13 @@ module.exports = cls => class IdealTreeBuilder extends cls {
// set if we add anything, but also set here if we know we'll make
// changes and thus have to maybe prune later.
- this.#mutateTree = !!(
+ this.#requestedTreeMutation = !!(
options.add ||
options.rm ||
update.all ||
update.names.length
)
+ this.#mutateTree = this.#requestedTreeMutation
}
// load the initial tree, either the virtualTree from a shrinkwrap,
@@ -344,7 +346,9 @@ module.exports = cls => class IdealTreeBuilder extends cls {
filter: node => node,
visit: node => {
for (const edge of node.edgesOut.values()) {
- const skipPeerOptional = edge.type === 'peerOptional' && this.options.save === false
+ const skipPeerOptional = edge.type === 'peerOptional' &&
+ this.options.save === false &&
+ !this.#requestedTreeMutation
if (!skipPeerOptional && (!edge.to || !edge.valid)) {
this.#depsQueue.push(node)
break // no need to continue the loop after the first hit
@@ -579,6 +583,17 @@ module.exports = cls => class IdealTreeBuilder extends cls {
// and leaving the user subject to getting it overwritten later anyway.
async #queueVulnDependents (options) {
for (const vuln of this.auditReport.values()) {
+ // A fix is available in-range but a release-age window blocks the patched
+ // version, so audit fix leaves this package at a vulnerable version.
+ if (vuln.fixBlockedByReleaseAge) {
+ const { version, before } = vuln.fixBlockedByReleaseAge
+ const cutoff = new Date(before).toISOString().slice(0, 10)
+ log.warn('audit', `A fix for ${vuln.name} is available (${vuln.name}@${version}) ` +
+ `but was published after the configured release-age cutoff (${cutoff}), so ` +
+ `${vuln.name} was left at a vulnerable version.\n` +
+ `To install it, add "${vuln.name}" to min-release-age-exclude, or relax ` +
+ 'min-release-age or before.')
+ }
for (const node of vuln.nodes) {
const bundler = node.getBundler()
@@ -1036,9 +1051,16 @@ This is a one-time fix-up, please be patient...
}
const { from, valid, peerConflicted } = edgeIn
if (!peerConflicted && !valid) {
- if (this.#depsSeen.has(from) && this.options.save) {
- // Re-queue already-processed nodes when a newly placed dep creates an invalid edge during npm install (save=true).
- // This handles the case where a peerOptional dep was valid (missing) when the node was first processed, but becomes invalid when the dep is later placed by another path with a version that doesn't satisfy the peer spec.
+ if (this.#depsSeen.has(from) &&
+ (this.options.save ||
+ (this.options.save === false && this.#requestedTreeMutation))) {
+ // Re-queue already-processed nodes when a newly placed dep
+ // creates an invalid edge during npm install or another
+ // lockfile-mutating operation. This handles the case where a
+ // peerOptional dep was valid (missing) when the node was
+ // first processed, but becomes invalid when the dep is later
+ // placed by another path with a version that doesn't satisfy
+ // the peer spec.
// See npm/cli#8726.
this.#depsSeen.delete(from)
this.#depsQueue.push(from)
@@ -1249,11 +1271,16 @@ This is a one-time fix-up, please be patient...
continue
}
- // If the edge has an error, there's a problem, unless it's peerOptional and we're not saving (e.g. npm ci), in which case we trust the lockfile and skip re-resolution.
- // When saving (npm install), peerOptional invalid edges ARE treated as problems so the lockfile gets fixed.
+ // If the edge has an error, there's a problem, unless it's peerOptional
+ // and we're not saving or otherwise mutating (e.g. npm ci), in which
+ // case we trust the lockfile and skip re-resolution. When saving (npm
+ // install) or updating, peerOptional invalid edges ARE treated as
+ // problems so the lockfile gets fixed.
// See npm/cli#8726.
if (!edge.valid) {
- if (edge.type !== 'peerOptional' || this.options.save !== false) {
+ if (edge.type !== 'peerOptional' ||
+ this.options.save !== false ||
+ this.#requestedTreeMutation) {
problems.push(edge)
}
continue
@@ -1568,6 +1595,10 @@ This is a one-time fix-up, please be patient...
!link.target.parent &&
!link.target.fsParent ||
unseenLink) {
+ // Forward the link's overrides before its subtree resolves, so a root override reaches a transitive dep across the link boundary (npm/cli#9659).
+ if (link.overrides) {
+ link.target.updateOverridesEdgeInAdded(link.overrides)
+ }
this.addTracker('idealTree', link.target.name, link.target.location)
this.#depsQueue.push(link.target)
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
index a63f607ef6877a..a07c55e3f283c6 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
@@ -266,7 +266,9 @@ module.exports = cls => class IsolatedReifier extends cls {
}
// local `file:` deps (non-workspace fsChildren) should be treated as local dependencies, not external, so they get symlinked directly instead of being extracted into the store.
- const isLocal = (n) => n.isWorkspace || node.fsChildren?.has(n)
+ // A file: dep surfaces as a Link edge whose resolved spec starts with file:; detect it from the edge so the target is treated as local even when it is absent from idealTree.fsChildren (a workspace consumer, or a target outside the repo root via npm link).
+ const fileLinkTargets = new Set(edges.filter(e => e.to?.isLink && e.to.resolved?.startsWith('file:')).map(e => e.to.target))
+ const isLocal = (n) => n.isWorkspace || node.fsChildren?.has(n) || fileLinkTargets.has(n)
const optionalDeps = edges.filter(edge => edge.optional).map(edge => edge.to.target)
// Optional peers declared only in peerDependenciesMeta (e.g. `@types/react`) have no edge, so the materialization above misses them.
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
index 2356227a5baa31..2158f6d32ae1aa 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/load-actual.js
@@ -1,6 +1,6 @@
// mix-in implementing the loadActual method
-const { dirname, join, normalize, relative, resolve } = require('node:path')
+const { dirname, join, normalize, relative, resolve, sep } = require('node:path')
const PackageJson = require('@npmcli/package-json')
const { readdirScoped } = require('@npmcli/fs')
@@ -70,6 +70,7 @@ module.exports = cls => class ActualLoader extends cls {
// only reset root flags if we're not re-rooting,
// otherwise leave as-is
calcDepFlags(tree, !options.root)
+ this.#repropagateOverrides()
this.actualTree = treeCheck(tree)
return this.actualTree
})
@@ -141,6 +142,7 @@ module.exports = cls => class ActualLoader extends cls {
root: this.#actualTree,
})
await this[_setWorkspaces](this.#actualTree)
+ this.#linkActualWorkspaces()
this.#transplant(root)
return this.#actualTree
@@ -173,6 +175,8 @@ module.exports = cls => class ActualLoader extends cls {
await Promise.all(promises)
}
+ this.#linkActualWorkspaces()
+
if (!ignoreMissing) {
await this.#findMissingEdges()
}
@@ -211,6 +215,48 @@ module.exports = cls => class ActualLoader extends cls {
return this.#actualTree
}
+ // Under the linked (isolated) strategy, workspaces the root does not depend on are not symlinked into the root node_modules, so neither the on-disk scan nor the hidden lockfile gives the root's workspace edges a node_modules/ link to resolve to.
+ // Synthesize those links from the authoritative workspaces map so npm ls and npm query surface the workspaces, matching hoisted and the logical package-lock.
+ #linkActualWorkspaces () {
+ const root = this.#actualTree
+ if (this.options.installStrategy !== 'linked' || !root.workspaces) {
+ return
+ }
+ // Declared workspaces ARE symlinked at root node_modules under linked, so a missing link there is a real problem that must surface as UNMET.
+ // Only undeclared workspaces are intentionally absent from root node_modules and need a synthesized link so their root edges resolve.
+ const pkg = root.package
+ const declared = new Set(Object.keys(Object.assign({},
+ pkg.dependencies,
+ pkg.devDependencies,
+ pkg.optionalDependencies,
+ pkg.peerDependencies
+ )))
+ // index loaded workspace targets by both path and realpath, so a workspace reached through a symlinked dir still matches
+ const byLoc = new Map()
+ for (const node of root.fsChildren) {
+ byLoc.set(node.path, node)
+ byLoc.set(node.realpath, node)
+ }
+ for (const [name, path] of root.workspaces.entries()) {
+ // declared workspaces, and any name already a root child, resolve their edge without a synthesized link
+ if (declared.has(name) || root.children.has(name)) {
+ continue
+ }
+ const target = byLoc.get(path)
+ if (target) {
+ // eslint-disable-next-line no-new
+ new Link({
+ name,
+ path: resolve(root.path, 'node_modules', name),
+ realpath: target.realpath,
+ target,
+ parent: root,
+ root,
+ })
+ }
+ }
+ }
+
#transplant (root) {
if (!root || root === this.#actualTree) {
return
@@ -263,6 +309,9 @@ module.exports = cls => class ActualLoader extends cls {
parent,
root,
loadOverrides,
+ // A package physically located in the linked strategy's store is a transitive dependency, not a real tree top, so it must not load its devDependencies.
+ // Never flag the loaded root itself, even if its own path happens to sit under a .store directory.
+ isInStore: path !== this.path && real.includes(`${sep}node_modules${sep}.store${sep}`),
}
try {
@@ -352,6 +401,18 @@ module.exports = cls => class ActualLoader extends cls {
}
}
+ // Re-forward overrides through links once all edges are resolved, since a Link may forward before its subtree resolves and miss a transitive match (npm/cli#9619, #9659).
+ #repropagateOverrides () {
+ if (!this.#actualTree.overrides) {
+ return
+ }
+ for (const node of this.#actualTree.inventory.values()) {
+ if (node.isLink && node.overrides) {
+ node.recalculateOutEdgesOverrides()
+ }
+ }
+ }
+
async #findMissingEdges () {
// try to resolve any missing edges by walking up the directory tree,
// checking for the package in each node_modules folder. stop at the
@@ -368,9 +429,10 @@ module.exports = cls => class ActualLoader extends cls {
const depPromises = []
for (const [name, edge] of node.edgesOut.entries()) {
- const notMissing = !edge.missing &&
- !(edge.to && (edge.to.dummy || edge.to.parent !== node))
- if (notMissing) {
+ // An unresolved optional edge reports missing === false, so check the target directly.
+ // Otherwise an installed optional dep that lives only as a store sibling is never loaded.
+ const resolved = edge.to && !edge.to.dummy && edge.to.parent === node
+ if (resolved) {
continue
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
index e70a2186c29713..a99d328f5d2947 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
@@ -11,7 +11,7 @@ const { depth: dfwalk } = require('treeverse')
const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp')
const { promiseRetry } = require('@gar/promise-retry')
const { log, time } = require('proc-log')
-const { resolve } = require('node:path')
+const { resolve, delimiter } = require('node:path')
const { isScriptAllowed } = require('../script-allowed.js')
const boolEnv = b => b ? '1' : ''
@@ -199,10 +199,21 @@ module.exports = cls => class Builder extends cls {
const { package: { bin, scripts = {} } } = node.target
const { preinstall, install, postinstall, prepare } = scripts
const tests = { bin, preinstall, install, postinstall, prepare }
+ // A denied package (allowScripts resolves to `false`) still gets its
+ // bins linked; only its lifecycle scripts are skipped, matching
+ // --ignore-scripts (npm/cli#9681). --dangerously-allow-all-scripts
+ // bypasses the gate.
+ const scriptsDenied =
+ !this.options.dangerouslyAllowAllScripts &&
+ isScriptAllowed(node, this.options.allowScripts) === false
for (const [key, has] of Object.entries(tests)) {
- if (has) {
- this.#queues[key].push(node)
+ if (!has) {
+ continue
}
+ if (key !== 'bin' && scriptsDenied) {
+ continue
+ }
+ this.#queues[key].push(node)
}
}
timeEnd()
@@ -226,18 +237,6 @@ module.exports = cls => class Builder extends cls {
return
}
- // Phase 1 allowScripts gate: a `false` verdict from the policy matcher
- // means the user explicitly denied install scripts for this node, so skip
- // it. `true` and `null` (unreviewed) both fall through to the existing
- // detection logic — unreviewed nodes still run their scripts in Phase 1
- // and are surfaced via the post-reify advisory warning. The global
- // --ignore-scripts kill switch in #build() still takes precedence, and
- // --dangerously-allow-all-scripts bypasses this gate entirely.
- if (!this.options.dangerouslyAllowAllScripts &&
- isScriptAllowed(node, this.options.allowScripts) === false) {
- return
- }
-
if (this.#oldMeta === null) {
const { root: { meta } } = node
this.#oldMeta = meta && meta.loadedFromDisk &&
@@ -301,6 +300,7 @@ module.exports = cls => class Builder extends cls {
await promiseCallLimit(queue.map(node => async () => {
const {
path,
+ name,
integrity,
resolved,
optional,
@@ -309,6 +309,7 @@ module.exports = cls => class Builder extends cls {
devOptional,
package: pkg,
location,
+ isInStore,
} = node.target
// skip any that we know we'll be deleting
@@ -330,6 +331,12 @@ module.exports = cls => class Builder extends cls {
npm_package_dev_optional:
boolEnv(devOptional && !dev && !optional),
}
+ // In the linked strategy a store package's dependencies are symlinked siblings in its store node_modules.
+ // A separate bin invoked by the script (e.g. napi-postinstall) resolves modules from its own realpath in the store and cannot see those deps, so expose them via NODE_PATH.
+ if (isInStore) {
+ const storeNodeModules = resolve(path, ...name.split('/').map(() => '..'))
+ env.NODE_PATH = [storeNodeModules, process.env.NODE_PATH].filter(Boolean).join(delimiter)
+ }
const runOpts = {
event,
path,
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
index c49f352cef1404..db5171ff7367b3 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
@@ -11,7 +11,7 @@ const { callLimit: promiseCallLimit } = require('promise-call-limit')
const { depth: dfwalk } = require('treeverse')
const { dirname, resolve, relative, join, sep } = require('node:path')
const { log, time } = require('proc-log')
-const { existsSync } = require('node:fs')
+const { existsSync, realpathSync } = require('node:fs')
const { lstat, mkdir, readdir, readlink, rm, symlink } = require('node:fs/promises')
const { moveFile } = require('@npmcli/fs')
const { subset, intersects } = require('semver')
@@ -26,7 +26,8 @@ const optionalSet = require('../optional-set.js')
const relpath = require('../relpath.js')
const retirePath = require('../retire-path.js')
const treeCheck = require('../tree-check.js')
-const { defaultLockfileVersion } = require('../shrinkwrap.js')
+const Shrinkwrap = require('../shrinkwrap.js')
+const { defaultLockfileVersion } = Shrinkwrap
const { saveTypeMap, hasSubKey } = require('../add-rm-pkg-deps.js')
const { IsolatedNode, IsolatedLink } = require('../isolated-classes.js')
@@ -77,6 +78,9 @@ module.exports = cls => class Reifier extends cls {
#sparseTreeDirs = new Set()
#sparseTreeRoots = new Set()
#linkedActualForDiff = null
+ // Under the linked strategy the audit runs against this non-isolated ideal tree.
+ // The isolated tree's inventory has no queryable indexes and its edges route through symlinks, so auditing it reports no vulnerabilities.
+ #linkedIdealForAudit = null
constructor (options) {
super(options)
@@ -86,7 +90,9 @@ module.exports = cls => class Reifier extends cls {
// public method
async reify (options = {}) {
- const linked = (options.installStrategy || this.options.installStrategy) === 'linked'
+ // Global installs are normalized to the shallow strategy in the constructor; honor that here so a per-call installStrategy:'linked' can't re-engage the unsupported linked path.
+ const linked = !this.options.global &&
+ (options.installStrategy || this.options.installStrategy) === 'linked'
if (this.options.packageLockOnly && this.options.global) {
const er = new Error('cannot generate lockfile for global packages')
@@ -112,32 +118,50 @@ module.exports = cls => class Reifier extends cls {
await this[_loadTrees](options)
const oldTree = this.idealTree
+ // Kept to serialize the hidden lockfile from the on-disk .store/symlink layout.
+ let isolatedTree = null
if (linked) {
// swap out the tree with the isolated tree
// this is currently technical debt which will be resolved in a refactor
// of Node/Link trees
- log.warn('reify', 'The "linked" install strategy is EXPERIMENTAL and may contain bugs.')
this.idealTree = await this.createIsolatedTree()
+ isolatedTree = this.idealTree
if (this.actualTree) {
this.#linkedActualForDiff = this.#buildLinkedActualForDiff(
this.idealTree, this.actualTree
)
}
+ // Keep the non-isolated tree so the quick audit can run against it.
+ this.#linkedIdealForAudit = oldTree
}
- await this[_diffTrees]()
- await this.#reifyPackages()
- if (linked) {
- // The sweep mutates node_modules on disk, so skip it for dry runs and lockfile-only installs (those modes also short-circuit #reifyPackages).
- // The sweep itself scopes to in-filter workspaces when a filter is active, so it's safe to run for filtered installs too.
- if (!this.options.dryRun && !this.options.packageLockOnly) {
- await this.#cleanOrphanedStoreEntries()
+ try {
+ await this[_diffTrees]()
+ await this.#reifyPackages()
+ if (linked) {
+ // The sweep mutates node_modules on disk, so skip it for dry runs and lockfile-only installs (those modes also short-circuit #reifyPackages).
+ // The sweep itself scopes to in-filter workspaces when a filter is active, so it's safe to run for filtered installs too.
+ if (!this.options.dryRun && !this.options.packageLockOnly) {
+ await this.#cleanOrphanedStoreEntries()
+ }
+ } else if (!this.options.dryRun && !this.options.packageLockOnly) {
+ // The .store directory is exclusively a linked-strategy artifact, and load-actual ignores dot-directories, so the diff never sees it.
+ // Remove it here when switching away from linked so it does not linger under hoisted/nested.
+ // Only do this for a full-project install: a workspace-filtered or --workspaces=false install may leave out-of-scope workspaces with links still pointing into the store.
+ const filtered = this.options.workspaces.length > 0 || !this.options.workspacesEnabled
+ if (!filtered) {
+ await this.#removeStaleStoreDir()
+ }
+ }
+ } finally {
+ // Restore the non-isolated tree so the lockfile is preserved and a reused Arborist never sees the isolated tree, even if reify throws.
+ if (linked) {
+ this.idealTree = oldTree
}
- // swap back in the idealTree
- // so that the lockfile is preserved
- this.idealTree = oldTree
+ // The quick audit has captured its tree synchronously by now, so drop the stashed references even on throw.
+ this.#linkedIdealForAudit = null
+ this.#linkedActualForDiff = null
}
await this[_saveIdealTree](options)
- this.#linkedActualForDiff = null
// clean inert
for (const node of this.idealTree.inventory.values()) {
if (node.inert) {
@@ -230,17 +254,24 @@ module.exports = cls => class Reifier extends cls {
calcDepFlags(this.idealTree)
}
- // save the ideal's meta as a hidden lockfile after we actualize it
- this.idealTree.meta.filename =
- this.idealTree.realpath + '/node_modules/.package-lock.json'
- this.idealTree.meta.hiddenLockfile = true
- this.idealTree.meta.lockfileVersion = defaultLockfileVersion
+ // save the ideal's meta as a hidden lockfile after we actualize it.
+ // Under linked the logical tree is the hoisted layout, so the hidden lockfile is serialized from the isolated tree instead.
+ if (!linked) {
+ this.idealTree.meta.filename =
+ this.idealTree.realpath + '/node_modules/.package-lock.json'
+ this.idealTree.meta.hiddenLockfile = true
+ this.idealTree.meta.lockfileVersion = defaultLockfileVersion
+ }
this.actualTree = this.idealTree
this.idealTree = null
if (!this.options.global && !this.options.dryRun) {
- await this.actualTree.meta.save()
+ if (linked) {
+ await this.#saveLinkedHiddenLockfile(isolatedTree)
+ } else {
+ await this.actualTree.meta.save()
+ }
const ignoreScripts = !!this.options.ignoreScripts
// if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep
// tree, then run the dependencies scripts
@@ -452,7 +483,10 @@ module.exports = cls => class Reifier extends cls {
}
if (includeRootDeps) {
// add all non-workspace nodes to filterNodes
- for (const tree of [this.idealTree, this.actualTree]) {
+ // Skip the actual tree under the linked diff wrapper: its edge targets have root===actualTree, not the wrapper, which trips Diff.calculate's filterNode guard.
+ // The ideal-side targets alone scope the diff.
+ const trees = this.#linkedActualForDiff ? [this.idealTree] : [this.idealTree, this.actualTree]
+ for (const tree of trees) {
for (const { type, to } of tree.edgesOut.values()) {
if (type !== 'workspace' && to) {
filterNodes.push(to)
@@ -823,6 +857,47 @@ module.exports = cls => class Reifier extends cls {
return join(filePath)
}
+ // Serialize the hidden lockfile from the isolated tree, which mirrors the on-disk .store/symlink layout.
+ // Its children are every materialized node_modules entry: store package dirs and all symlinks.
+ async #saveLinkedHiddenLockfile (isolatedTree) {
+ const path = isolatedTree.realpath
+ const meta = new Shrinkwrap({
+ path,
+ hiddenLockfile: true,
+ lockfileVersion: defaultLockfileVersion,
+ resolveOptions: this.options,
+ })
+ meta.reset()
+ meta.filename = resolve(path, 'node_modules/.package-lock.json')
+ const storeRe = /^(.*\/\.store\/.+?)\/node_modules\//
+ const containers = new Set()
+ const nodes = new Set()
+ for (const node of isolatedTree.children.values()) {
+ // Tree-only undeclared workspace self-links aren't on disk.
+ if (node.isUndeclaredWorkspaceLink) {
+ continue
+ }
+ nodes.add(node)
+ // Record the enclosing .store/ dir so loadVirtual can resolve a store package's sibling deps.
+ // node.location uses the platform separator; lockfile keys are posix.
+ const m = node.location.replace(/\\/g, '/').match(storeRe)
+ if (m) {
+ containers.add(m[1])
+ }
+ }
+ // Workspace dirs hold their own dep symlinks; record them so the cache can validate those subtrees.
+ for (const ws of isolatedTree.fsChildren) {
+ nodes.add(ws)
+ }
+ for (const node of nodes) {
+ meta.add(node)
+ }
+ for (const loc of containers) {
+ meta.data.packages[loc] = {}
+ }
+ await meta.save()
+ }
+
// Build a flat actual tree wrapper for linked installs so the diff can correctly match store entries that already exist on disk.
// The proxy tree from createIsolatedTree() is flat (all children on root), but loadActual() produces a nested tree where store entries are deep link targets.
// This wrapper surfaces them at the root level for comparison.
@@ -841,6 +916,10 @@ module.exports = cls => class Reifier extends cls {
if (child.isLink && child.resolved?.startsWith('file:.store/') && !existsSync(child.realpath)) {
continue
}
+ // Skip a link whose on-disk target is a valid-but-wrong store key (e.g. an interrupted update), so the diff repoints it via ADD.
+ if (child.isLink && this.#linkTargetMismatch(child)) {
+ continue
+ }
let entry
if (child.isLink) {
entry = new IsolatedLink(child)
@@ -880,6 +959,12 @@ module.exports = cls => class Reifier extends cls {
return wrapper
}
+ // True when the link's on-disk target resolves to a different path than its ideal target.
+ // The caller only invokes this once both paths exist, so realpathSync won't throw.
+ #linkTargetMismatch (child) {
+ return realpathSync(child.path) !== realpathSync(child.realpath)
+ }
+
// When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
// pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
// Returns true only when we are confident this is a registry-mediated install.
@@ -888,12 +973,14 @@ module.exports = cls => class Reifier extends cls {
return false
}
try {
- const resolved = new URL(node.resolved)
+ // Match the effective fetch URL, not the raw lockfile value.
+ // #registryResolved applies replace-registry-host, rewriting a public-registry pin to the configured proxy/mirror so it matches.
+ const resolvedURL = new URL(this.#registryResolved(node.resolved))
// pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
const registry = new URL(pickRegistry(npa(node.name), this.options))
const registryPath = registry.pathname.replace(/\/?$/, '/')
- return resolved.origin === registry.origin &&
- (registryPath === '/' || resolved.pathname.startsWith(registryPath))
+ return resolvedURL.origin === registry.origin &&
+ (registryPath === '/' || resolvedURL.pathname.startsWith(registryPath))
} catch {
return false
}
@@ -910,36 +997,42 @@ module.exports = cls => class Reifier extends cls {
// the default reg as the magical animal that it has been.
try {
const resolvedURL = hgi.parseUrl(resolved)
+ const registryURL = new URL(this.registry)
+ const registryPath = registryURL.pathname.replace(/\/$/, '')
- if ((this.options.replaceRegistryHost === resolvedURL.hostname) ||
- this.options.replaceRegistryHost === 'always') {
- const registryURL = new URL(this.registry)
+ let matchURL = null
+ try {
+ matchURL = new URL(this.options.replaceRegistryHost)
+ } catch {
+ // keep matchURL null
+ }
- // Replace the host with the registry host while keeping the path intact
- resolvedURL.hostname = registryURL.hostname
- resolvedURL.port = registryURL.port
- resolvedURL.protocol = registryURL.protocol
+ const matchHost = matchURL?.hostname ?? this.options.replaceRegistryHost
+ const matchPath = matchURL?.pathname.replace(/\/$/, '') ?? null
+ const hasPathPrefix = (pathname, prefix) =>
+ pathname === prefix || pathname.startsWith(`${prefix}/`)
- // Make sure we don't double-include the path if it's already there
- const registryPath = registryURL.pathname.replace(/\/$/, '')
+ const hostMatches = this.options.replaceRegistryHost === 'always' || matchHost === resolvedURL.hostname
+ const pathMatches = !matchPath || hasPathPrefix(resolvedURL.pathname, matchPath)
- if (registryPath && registryPath !== '/') {
- // Check if the resolved pathname already starts with the registry path
- // We need to ensure it's a proper path prefix, not just a string prefix
- // e.g., registry path '/npm' should not match '/npm-run-path'
- const hasRegistryPath = resolvedURL.pathname === registryPath ||
- resolvedURL.pathname.startsWith(registryPath + '/')
+ if (!hostMatches || !pathMatches) {
+ return resolved
+ }
- if (!hasRegistryPath) {
- // Since hostname is changed, we need to ensure the registry path is included
- resolvedURL.pathname = registryPath + resolvedURL.pathname
- }
- }
+ resolvedURL.protocol = registryURL.protocol
+ resolvedURL.hostname = registryURL.hostname
+ resolvedURL.port = registryURL.port
- return resolvedURL.toString()
+ if (matchPath) {
+ // full-URL prefix: swap old path prefix for the registry path
+ resolvedURL.pathname = registryPath + resolvedURL.pathname.slice(matchPath.length)
+ } else if (registryPath && !hasPathPrefix(resolvedURL.pathname, registryPath)) {
+ // host-only: prepend registry path if not already present
+ resolvedURL.pathname = registryPath + resolvedURL.pathname
}
- return resolved
- } catch (e) {
+
+ return resolvedURL.toString()
+ } catch {
// if we could not parse the url at all then returning nothing
// here means it will get removed from the tree in the next step
return undefined
@@ -1150,7 +1243,8 @@ module.exports = cls => class Reifier extends cls {
// with the reification, and be resolved at a later time.
const timeEnd = time.start('reify:audit')
const options = { ...this.options }
- const tree = this.idealTree
+ // Under the linked strategy idealTree is the isolated tree, which the audit cannot traverse; audit the non-isolated tree instead.
+ const tree = this.#linkedIdealForAudit || this.idealTree
// if we're operating on a workspace, only audit the workspace deps
if (this.options.workspaces.length) {
@@ -1357,6 +1451,18 @@ module.exports = cls => class Reifier extends cls {
timeEnd()
}
+ // Remove the root .store left behind by a previous linked install when reifying under a non-linked strategy.
+ async #removeStaleStoreDir () {
+ const storeDir = resolve(this.path, 'node_modules', '.store')
+ if (!existsSync(storeDir)) {
+ return
+ }
+ log.silly('reify', 'removing stale .store from a previous linked install')
+ await rm(storeDir, { recursive: true, force: true })
+ .catch(/* istanbul ignore next -- rm with force rarely fails */
+ er => log.warn('cleanup', 'Failed to remove stale .store directory', er))
+ }
+
// After a linked install, scan node_modules/.store/ and remove any directories that are not referenced by the current ideal tree.
// Store entries become orphaned when dependencies are updated or removed, because the diff never sees the old store keys.
// Then sweep the top-level node_modules/ for orphaned symlinks (e.g. an uninstalled dep whose store entry was just removed) so we don't leave dangling links.
@@ -1395,6 +1501,8 @@ module.exports = cls => class Reifier extends cls {
// Locations are normalized to forward slashes here because IsolatedNode/IsolatedLink locations are built with path.join, which uses backslashes on Windows.
const validKeys = new Set()
const nmDirs = new Map()
+ // Valid bin shim names per node_modules dir, collected from each top-level entry's package.bin so the .bin sweep keeps only shims a still-installed package provides.
+ const binsByDir = new Map()
const NM_PREFIX = 'node_modules/'
const STORE_MARKER = '/.store/'
for (const child of this.idealTree.children.values()) {
@@ -1407,13 +1515,11 @@ module.exports = cls => class Reifier extends cls {
validKeys.add(key)
continue
}
- if (!child.isLink) {
- continue
- }
// Tree-only Links never exist on disk; skipping them lets the sweep remove any stale self-link left by an older npm version.
- if (child.isUndeclaredWorkspaceLink) {
+ if (child.isLink && child.isUndeclaredWorkspaceLink) {
continue
}
+ // Real top-level Nodes (e.g. the root's bundled deps) fall through here too, so they are recorded as valid and never swept as stale.
const nmIdx = loc.lastIndexOf(NM_PREFIX)
if (nmIdx === -1 || loc.includes(STORE_MARKER)) {
continue
@@ -1434,6 +1540,19 @@ module.exports = cls => class Reifier extends cls {
nmDirs.set(dir, set)
}
set.add(entry)
+
+ // package.bin is normalized to an object keyed by bin name; shim names are unscoped even for scoped packages.
+ const bin = child.package?.bin
+ if (bin && typeof bin === 'object') {
+ let binSet = binsByDir.get(dir)
+ if (!binSet) {
+ binSet = new Set()
+ binsByDir.set(dir, binSet)
+ }
+ for (const bn of Object.keys(bin)) {
+ binSet.add(bn)
+ }
+ }
}
// Determine which node_modules directories to sweep.
@@ -1507,14 +1626,47 @@ module.exports = cls => class Reifier extends cls {
for (const [dir, valid] of nmDirs) {
await this.#cleanOrphanedTopLevelLinks(dir, valid)
+ await this.#cleanStaleBinLinks(dir, binsByDir.get(dir))
}
}
+ // Remove stale bin shims left in node_modules/.bin after an uninstall under linked, where the diff never emits an action to drop them.
+ // A shim is stale when no still-linked package provides its name, or when it is a dangling symlink; matching by name handles both POSIX symlinks and Windows .cmd/.ps1 shims.
+ async #cleanStaleBinLinks (nmDir, validBins = new Set()) {
+ const binDir = resolve(nmDir, '.bin')
+ let names
+ try {
+ names = await readdir(binDir)
+ } catch {
+ return
+ }
+
+ const stale = names.filter(name => {
+ const base = name.replace(/\.(cmd|ps1)$/, '')
+ return !validBins.has(base) || !existsSync(resolve(binDir, name))
+ })
+
+ if (!stale.length) {
+ return
+ }
+
+ log.silly('reify', 'cleaning stale bin links', stale)
+ await promiseAllRejectLate(
+ stale.map(name =>
+ rm(resolve(binDir, name), { force: true })
+ .catch(/* istanbul ignore next -- rm with force rarely fails */
+ er => log.warn('cleanup', `Failed to remove stale bin link ${name}`, er))
+ )
+ )
+ }
+
// Remove node_modules/ entries that aren't represented in the ideal tree.
// Run for the project root and each workspace's node_modules.
// The linked diff path can't see these because #buildLinkedActualForDiff derives the actual tree from the ideal, so removed deps are never compared.
- // Only symlinks whose target resolves inside the project root are removed — that covers store links (node_modules/.store/...) and workspace self-links (e.g. node_modules/ -> ../packages/) that npm itself created.
- // Symlinks pointing outside the project (e.g. `npm link foo` without --save targeting the global prefix, or hand-made `ln -s` to an external path) and real directories are preserved.
+ // Two kinds of stale entry are removed:
+ // - symlinks whose target resolves inside the project root — store links (node_modules/.store/...) and workspace self-links (e.g. node_modules/ -> ../packages/) that npm itself created.
+ // - real package directories — hoisted-layout deps left behind when switching from the hoisted strategy to linked, where every valid top-level entry is a symlink.
+ // Symlinks pointing outside the project (e.g. `npm link foo` without --save targeting the global prefix, or hand-made `ln -s` to an external path) and non-package real directories are preserved.
async #cleanOrphanedTopLevelLinks (nmDir, validTopLevel) {
const projectPrefix = resolve(this.path) + sep
let dirents
@@ -1535,7 +1687,15 @@ module.exports = cls => class Reifier extends cls {
return resolve(dirname(linkPath), target).startsWith(projectPrefix)
}
+ // A real directory is stale only when it is an actual package (has a package.json), so unrelated user directories are never touched.
+ const isStaleRealPkg = (dirent, entPath) =>
+ dirent.isDirectory() && existsSync(resolve(entPath, 'package.json'))
+
+ const isOrphan = async (dirent, entPath) =>
+ (dirent.isSymbolicLink() && await isOurOrphan(entPath)) || isStaleRealPkg(dirent, entPath)
+
const orphaned = []
+ const scopes = new Set()
for (const ent of dirents) {
// skip npm-managed entries (.bin, .store, .package-lock.json, etc)
if (ent.name.startsWith('.')) {
@@ -1551,11 +1711,12 @@ module.exports = cls => class Reifier extends cls {
}
for (const pkgEnt of scoped) {
const key = `${ent.name}${sep}${pkgEnt.name}`
- if (!validTopLevel.has(key) && pkgEnt.isSymbolicLink() && await isOurOrphan(resolve(nmDir, key))) {
+ if (!validTopLevel.has(key) && await isOrphan(pkgEnt, resolve(nmDir, key))) {
orphaned.push(key)
+ scopes.add(ent.name)
}
}
- } else if (!validTopLevel.has(ent.name) && ent.isSymbolicLink() && await isOurOrphan(resolve(nmDir, ent.name))) {
+ } else if (!validTopLevel.has(ent.name) && await isOrphan(ent, resolve(nmDir, ent.name))) {
orphaned.push(ent.name)
}
}
@@ -1564,14 +1725,29 @@ module.exports = cls => class Reifier extends cls {
return
}
- log.silly('reify', 'cleaning orphaned top-level links', orphaned)
+ log.silly('reify', 'cleaning orphaned top-level entries', orphaned)
await promiseAllRejectLate(
orphaned.map(name =>
rm(resolve(nmDir, name), { recursive: true, force: true })
.catch(/* istanbul ignore next -- rm with force rarely fails */
- er => log.warn('cleanup', `Failed to remove orphaned link ${name}`, er))
+ er => log.warn('cleanup', `Failed to remove orphaned entry ${name}`, er))
)
)
+
+ // Removing the last package under a scope leaves an empty @scope directory behind, so prune any scope directory that is now empty.
+ await promiseAllRejectLate(
+ [...scopes].map(async scope => {
+ const scopeDir = resolve(nmDir, scope)
+ try {
+ const remaining = await readdir(scopeDir)
+ if (!remaining.length) {
+ await rm(scopeDir, { recursive: true, force: true })
+ }
+ } catch {
+ /* istanbul ignore next -- readdir of a scope dir we just listed should not fail */
+ }
+ })
+ )
}
// last but not least, we save the ideal tree metadata to the package-lock
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/audit-report.js b/deps/npm/node_modules/@npmcli/arborist/lib/audit-report.js
index 3e74e100b6c537..1c3e15dee1924c 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/audit-report.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/audit-report.js
@@ -6,6 +6,7 @@ const pickManifest = require('npm-pick-manifest')
const Vuln = require('./vuln.js')
const Calculator = require('@npmcli/metavuln-calculator')
+const { isReleaseAgeExcluded } = require('./release-age-exclude.js')
const { log, time } = require('proc-log')
@@ -151,11 +152,6 @@ class AuditReport extends Map {
continue
}
- // we will have loaded the source already if this is a metavuln
- if (advisory.type === 'metavuln') {
- vuln.addVia(this.get(advisory.dependency))
- }
-
// already marked this one, no need to do it again
if (vuln.nodes.has(node)) {
continue
@@ -173,6 +169,11 @@ class AuditReport extends Map {
// depends on root.
this.topVulns.set(vuln.name, vuln)
vuln.topNodes.add(dep)
+ } else {
+ // An in-range fix exists, but a `min-release-age`/`before`
+ // window may put the patched version out of reach, leaving the
+ // vulnerable version installed.
+ vuln.fixBlockedByReleaseAge = this.#fixBlockedByReleaseAge(vuln, spec)
}
} else {
// calculate a metavuln, if necessary
@@ -213,6 +214,17 @@ class AuditReport extends Map {
}
}
+ // post-loop reconciliation: establish all via links
+ // done here to ensure all vulns exist, avoid redundant setter triggers,
+ // and correctly handle multiple paths and omission cleanups.
+ for (const vuln of this.values()) {
+ for (const advisory of vuln.advisories) {
+ if (advisory.type === 'metavuln') {
+ vuln.addVia(this.get(advisory.dependency))
+ }
+ }
+ }
+
timeEnd()
}
@@ -251,6 +263,53 @@ class AuditReport extends Map {
}
}
+ // A fix that `#fixAvailable` reports as installable in-range can still be
+ // unreachable when a release-age window (`before` / `min-release-age`) is set,
+ // because the patched version was published after the cutoff. `npm audit fix`
+ // then resolves back to a version that is still vulnerable, so detect that
+ // here and let callers warn about it. Only meaningful when an in-range fix
+ // exists (fixAvailable === true). Returns the blocked fix as
+ // `{ version, before }`, or `false` when nothing is blocked.
+ #fixBlockedByReleaseAge (vuln, spec) {
+ const { before, minReleaseAgeExclude } = this.options
+ // No window, or this package is explicitly exempt from it.
+ if (!before || isReleaseAgeExcluded(vuln.name, minReleaseAgeExclude)) {
+ return false
+ }
+
+ // For `npm:` aliases the fix resolves against the alias target, so feed
+ // pickManifest the underlying range rather than the alias spec (which it
+ // rejects). Mirrors `#fixAvailable`.
+ const specObj = npa(spec)
+ if (specObj.subSpec) {
+ spec = specObj.subSpec.rawSpec
+ }
+
+ // The version that would be installed if the window were lifted.
+ const { version } = pickManifest(vuln.packument, spec, {
+ ...this.options,
+ before: null,
+ avoid: vuln.range,
+ })
+
+ // What resolution can actually reach within the window. This mirrors how
+ // `build-ideal-tree` re-resolves the edge (non-strict avoid + `before`).
+ let windowed
+ try {
+ windowed = pickManifest(vuln.packument, spec, {
+ ...this.options,
+ avoid: vuln.range,
+ })
+ } catch {
+ // Nothing is old enough to install at all: the fix is blocked.
+ return { version, before }
+ }
+
+ // `_shouldAvoid` means the best version available within the window is still
+ // in the vulnerable range, so the only non-vulnerable fix is too new.
+ return windowed._shouldAvoid ? { version, before } : false
+ }
+
set () {
throw new Error('do not call AuditReport.set() directly')
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/calc-dep-flags.js b/deps/npm/node_modules/@npmcli/arborist/lib/calc-dep-flags.js
index 5f2484858094dc..965127f5ac9dd9 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/calc-dep-flags.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/calc-dep-flags.js
@@ -35,12 +35,32 @@ const calcDepFlags = (tree, resetRoot = true) => {
if (node.target == null) {
continue
}
- node.target.dev = node.dev
- node.target.optional = node.optional
- node.target.devOptional = node.devOptional
- node.target.peer = node.peer
- node.target.extraneous = node.extraneous
- queue.push(node.target)
+ // Only unset flags, matching the edge walk below, so multiple links to one target can't clobber a correct value.
+ let changed = false
+ if (node.target.dev && !node.dev) {
+ node.target.dev = false
+ changed = true
+ }
+ if (node.target.optional && !node.optional) {
+ node.target.optional = false
+ changed = true
+ }
+ if (node.target.devOptional && !node.devOptional) {
+ node.target.devOptional = false
+ changed = true
+ }
+ if (node.target.peer && !node.peer) {
+ node.target.peer = false
+ changed = true
+ }
+ if (node.target.extraneous && !node.extraneous) {
+ node.target.extraneous = false
+ changed = true
+ }
+ // queue target on first visit so its deps are walked
+ if (changed || !seen.has(node.target)) {
+ queue.push(node.target)
+ }
continue
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/isolated-classes.js b/deps/npm/node_modules/@npmcli/arborist/lib/isolated-classes.js
index 3a2ade64bbb3e8..fc119119664d98 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/isolated-classes.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/isolated-classes.js
@@ -2,13 +2,6 @@
const CaseInsensitiveMap = require('./case-insensitive-map.js')
const { resolve } = require('node:path')
-// fake lib/inventory.js
-class IsolatedInventory extends Map {
- query () {
- return []
- }
-}
-
// fake lib/node.js
class IsolatedNode {
binPaths = []
@@ -18,7 +11,7 @@ class IsolatedNode {
fsChildren = new Set()
hasShrinkwrap = false
integrity = null
- inventory = new IsolatedInventory()
+ inventory = new Map()
isInStore = false
inBundle = false
isRegistryDependency = false
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/link.js b/deps/npm/node_modules/@npmcli/arborist/lib/link.js
index 3824dc81ffb3cb..89f993bb169004 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/link.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/link.js
@@ -109,21 +109,12 @@ class Link extends Node {
// so this is a no-op
[_loadDeps] () {}
- // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut — but only when the OverrideSet has at least one rule that names a dep the target actually depends on.
- // Without this scope, the link forwards a generic ancestor OverrideSet that has no real effect on the target's edges, but still flips the target to "has overrides", which changes downstream `canReplaceWith` / placement decisions and causes `npm ci` to re-resolve lockfile-pinned edges from the registry.
- // See npm/cli#9357.
+ // Forward overrides to the target only when a rule names a dep it needs, directly or transitively (npm/cli#9357, #9619).
recalculateOutEdgesOverrides () {
if (!this.target || !this.overrides) {
return
}
- let hasMatchingRule = false
- for (const rule of this.overrides.ruleset.values()) {
- if (this.target.edgesOut.has(rule.name)) {
- hasMatchingRule = true
- break
- }
- }
- if (!hasMatchingRule) {
+ if (!overrideMatchesSubtree(this.overrides, this.target)) {
return
}
this.target.updateOverridesEdgeInAdded(this.overrides)
@@ -143,4 +134,29 @@ class Link extends Node {
}
}
+// True when an override rule applies to an edge reachable from the target at any depth.
+// getEdgeRule matches on name and spec, returning the set itself when nothing applies, so a non-applicable version-qualified rule doesn't flip an intermediate node to "has overrides" (npm/cli#9357).
+// Not a method: runs from the Node super-constructor, before subclass private methods exist.
+const overrideMatchesSubtree = (overrides, target) => {
+ const seen = new Set()
+ const stack = [target]
+ while (stack.length) {
+ const node = stack.pop()
+ const resolved = node.isLink ? node.target : node
+ if (seen.has(resolved)) {
+ continue
+ }
+ seen.add(resolved)
+ for (const edge of resolved.edgesOut.values()) {
+ if (overrides.getEdgeRule(edge).name === edge.name) {
+ return true
+ }
+ if (edge.to) {
+ stack.push(edge.to)
+ }
+ }
+ }
+ return false
+}
+
module.exports = Link
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/node.js b/deps/npm/node_modules/@npmcli/arborist/lib/node.js
index 451ede1e52cbf6..87b0ac41740bd6 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/node.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/node.js
@@ -927,7 +927,8 @@ class Node {
isTop: srcTop,
path: srcPath,
} = sourceReference || {}
- const thisDev = isTop && !globalTop && path
+ // A package in the linked strategy's .store is a transitive dependency that is structurally a tree top, but its devDependencies are never installed or required, so they must not be loaded.
+ const thisDev = isTop && !globalTop && path && !this.isInStore
const srcDev = !sourceReference || srcTop && !srcGlobalTop && srcPath
if (thisDev && srcDev) {
this.#loadDepType(this.package.devDependencies, 'dev', ad)
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/query-selector-all.js b/deps/npm/node_modules/@npmcli/arborist/lib/query-selector-all.js
index 3a6c15139d40bd..05faa551f76ee8 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/query-selector-all.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/query-selector-all.js
@@ -798,7 +798,8 @@ const hasParent = (node, compareNodes) => {
// Only match if the node has a link whose parent is the compareNode. Without this check, nodes deep in the store (linked strategy) would incorrectly match as children of root via their fsParent chain.
if (node.isTop && (node.resolveParent === compareNode)) {
for (const link of node.linksIn) {
- if (link.parent === compareNode) {
+ // A store-backing node (linked strategy) is reached through its logical Link, which matches via edgesIn below, so the store node itself is never a direct child.
+ if (link.parent === compareNode && !node.isInStore) {
return true
}
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js b/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js
index 89e24339791f1e..8c9b3fe118a8ed 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js
@@ -43,7 +43,9 @@ const isScriptAllowed = (node, policy) => {
let anyDeny = false
for (const [key, value] of Object.entries(policy)) {
- if (!matches(node, key)) {
+ // Pass deny intent so matchRegistry can fail closed on an unverifiable
+ // version: a deny still blocks, an allow stays refused.
+ if (!matches(node, key, value === false)) {
continue
}
if (value === false) {
@@ -66,7 +68,7 @@ const isScriptAllowed = (node, policy) => {
return null
}
-const matches = (node, key) => {
+const matches = (node, key, failClosed) => {
let parsed
try {
parsed = npa(key)
@@ -78,7 +80,7 @@ const matches = (node, key) => {
case 'tag':
case 'range':
case 'version':
- return matchRegistry(node, parsed)
+ return matchRegistry(node, parsed, failClosed)
case 'git':
return matchGit(node, parsed)
case 'file':
@@ -132,7 +134,7 @@ const resolvedSourceSpecs = (node) => {
return specs
}
-const matchRegistry = (node, parsed) => {
+const matchRegistry = (node, parsed, failClosed) => {
// If this node is not a registry dep, refuse the match. A registry-style
// key (`pkg`, `pkg@1`, `pkg@1 || 2`) must not match a tarball or git node
// even if their names happen to coincide.
@@ -168,9 +170,14 @@ const matchRegistry = (node, parsed) => {
if (parsed.fetchSpec === '*' || parsed.rawSpec === '' || parsed.rawSpec === '*') {
return true
}
- if (!trusted.version || !isExactVersionDisjunction(parsed.fetchSpec)) {
+ if (!isExactVersionDisjunction(parsed.fetchSpec)) {
return false
}
+ // Unverifiable version (omit-lockfile-registry-resolved): a deny blocks,
+ // an allow is refused.
+ if (!trusted.version) {
+ return failClosed
+ }
return semver.satisfies(trusted.version, parsed.fetchSpec, { loose: true })
}
@@ -178,6 +185,10 @@ const matchRegistry = (node, parsed) => {
/* istanbul ignore else: parsed.type at this point is always 'version';
the istanbul-ignored fallback below handles the impossible case. */
if (parsed.type === 'version') {
+ // Unverifiable version: a deny blocks, an allow is refused.
+ if (!trusted.version) {
+ return failClosed
+ }
return trusted.version === parsed.fetchSpec
}
@@ -366,6 +377,7 @@ const trustedDisplay = (node) => {
module.exports = isScriptAllowed
module.exports.isScriptAllowed = isScriptAllowed
+module.exports.matches = matches
module.exports.isExactVersionDisjunction = isExactVersionDisjunction
module.exports.getTrustedRegistryIdentity = getTrustedRegistryIdentity
module.exports.resolvedSourceSpecs = resolvedSourceSpecs
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js b/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
index cf27bcf4ac726e..03cc86edbd4e92 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
@@ -172,6 +172,35 @@ const assertNoNewer = async (path, data, lockTime, dir, seen) => {
return
}
+ // The walk above can't reach two linked-strategy layouts: a store package's sibling deps under .store//node_modules (.store is a skipped dot-dir), and an undeclared workspace not symlinked into root node_modules. Walk those dirs, derived from the lockfile entries.
+ // A dir reachable through a link entry is skipped: it was already reached (or, if the symlink is stale, correctly stays unseen so the lockfile is rejected). This keeps the hoisted strategy's stale-symlink detection intact, since there every workspace is a link target.
+ const linkTargets = new Set()
+ for (const loc in data.packages) {
+ const { link, resolved } = data.packages[loc]
+ if (link && resolved) {
+ linkTargets.add(resolved.replace(/\\/g, '/'))
+ }
+ }
+ const extraDirs = new Set()
+ for (const loc in data.packages) {
+ const store = loc.match(/^(.*\/\.store\/.+?)\/node_modules\//)
+ if (store) {
+ // .store/ is never walked but has no entry, so mark it seen.
+ seen.add(store[1])
+ extraDirs.add(`${store[1]}/node_modules`)
+ continue
+ }
+ // A workspace/fsChild dir outside node_modules, e.g. packages/a.
+ const i = loc.indexOf('/node_modules/')
+ const root = i === -1 ? loc : loc.slice(0, i)
+ if (root && !/(^|\/)node_modules(\/|$)/.test(root) && !linkTargets.has(root)) {
+ extraDirs.add(root)
+ }
+ }
+ for (const rel of extraDirs) {
+ await assertNoNewer(path, data, lockTime, resolve(path, rel), seen)
+ }
+
// assert that all the entries in the lockfile were seen
for (const loc in data.packages) {
if (!seen.has(loc)) {
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/unreviewed-scripts.js b/deps/npm/node_modules/@npmcli/arborist/lib/unreviewed-scripts.js
index 587d06bf8fe56b..f7bed387845ec0 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/unreviewed-scripts.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/unreviewed-scripts.js
@@ -50,6 +50,13 @@ const collectUnreviewedScripts = async ({
// its own lifecycle scripts.
continue
}
+ if (node.inert) {
+ // Inert = an optional dep that can't be installed here (failed the
+ // os/cpu/libc or engine check, or failed to load). reify drops it
+ // before any script runs, so its install scripts never execute and it
+ // must not be flagged (npm/cli#9562).
+ continue
+ }
const verdict = isScriptAllowed(node, resolvedPolicy)
if (verdict === true || verdict === false) {
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/vuln.js b/deps/npm/node_modules/@npmcli/arborist/lib/vuln.js
index 2bffe54f2dacdc..e6c6bbab383ea7 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/vuln.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/vuln.js
@@ -41,6 +41,7 @@ class Vuln {
this.effects = new Set()
this.topNodes = new Set()
this.nodes = new Set()
+ this.fixBlockedByReleaseAge = false
this.addAdvisory(advisory)
this.packument = advisory.packument
this.versions = advisory.versions
@@ -126,6 +127,9 @@ class Vuln {
range: this.simpleRange,
nodes: [...this.nodes].map(n => n.location).sort(localeCompare),
fixAvailable: this.#fixAvailable,
+ ...(this.fixBlockedByReleaseAge
+ ? { fixBlockedByReleaseAge: this.fixBlockedByReleaseAge }
+ : {}),
}
}
diff --git a/deps/npm/node_modules/@npmcli/arborist/package.json b/deps/npm/node_modules/@npmcli/arborist/package.json
index 9a5e883cefe2f3..11c142a0092a4f 100644
--- a/deps/npm/node_modules/@npmcli/arborist/package.json
+++ b/deps/npm/node_modules/@npmcli/arborist/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/arborist",
- "version": "9.8.0",
+ "version": "9.9.0",
"description": "Manage node_modules trees",
"dependencies": {
"@gar/promise-retry": "^1.0.0",
diff --git a/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js b/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
index a4933facff6315..2bb1713458af9f 100644
--- a/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
+++ b/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
@@ -341,6 +341,10 @@ const definitions = {
user > global), so a higher-priority source can always relax or
override a lower-priority one.
+ As with \`min-release-age\`, when this cutoff blocks a fix that
+ \`npm audit fix\` would install, npm keeps the vulnerable version, warns,
+ and exits with a non-zero code.
+
Packages whose names match \`min-release-age-exclude\` are exempt from
this filter.
`,
@@ -1204,8 +1208,15 @@ const definitions = {
necessary within directory structure.
nested: (formerly --legacy-bundling) install in place, no hoisting.
shallow (formerly --global-style) only install direct deps at top-level.
- linked: (experimental) install in node_modules/.store, link in place,
- unhoisted.
+ linked: install in node_modules/.store, link in place, unhoisted.
+
+ We recommend that package authors use \`--install-strategy=linked\`
+ during development to catch undeclared ("phantom") dependencies before
+ publishing: the isolated layout only exposes a package's declared
+ dependencies, so an \`import\` of a package that was never added to
+ \`package.json\` can fail instead of resolving by accident and shipping
+ broken. See [Catching undeclared ("phantom")
+ dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
`,
flatten,
}),
@@ -1475,6 +1486,12 @@ const definitions = {
\`github:\` dependency); when both apply, \`before\` wins within a
single source and across sources the standard precedence rules apply.
+ When this window stops \`npm audit fix\` from installing a patched
+ version (because the fix was published too recently), npm keeps the
+ package at its vulnerable version, warns that the fix was blocked, and
+ exits with a non-zero code. To install the fix, add the package to
+ \`min-release-age-exclude\`, or relax \`min-release-age\` or \`before\`.
+
Packages whose names match \`min-release-age-exclude\` are exempt from
this filter.
`,
@@ -1913,7 +1930,7 @@ const definitions = {
}),
'replace-registry-host': new Definition('replace-registry-host', {
default: 'npmjs',
- hint: ' | hostname',
+ hint: ' | hostname | url',
type: ['npmjs', 'never', 'always', String],
description: `
Defines behavior for replacing the registry host in a lockfile with the
@@ -1924,7 +1941,14 @@ const definitions = {
"never", then use the registry value. If set to "always", then replace the
registry host with the configured host every time.
- You may also specify a bare hostname (e.g., "registry.npmjs.org").
+ You may also specify a bare hostname (e.g., "registry.npmjs.org") to only
+ replace URLs coming from that host.
+
+ You may also specify a full URL including a path (e.g.,
+ "https://old-registry.example.com/npm/path"). In that case, resolved URLs
+ whose host and path begin with that prefix will have the entire prefix
+ replaced with the configured registry URL (host and path), without
+ duplicating path segments.
`,
flatten,
}),
@@ -2361,6 +2385,10 @@ const definitions = {
always silently skipped; this setting only affects unreviewed entries.
\`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
override this setting.
+
+ Optional dependencies that cannot be installed on the current platform
+ or engine (a non-matching \`os\`, \`cpu\`, or \`libc\`) are not flagged,
+ because their install scripts never run.
`,
flatten,
}),
diff --git a/deps/npm/node_modules/@npmcli/config/package.json b/deps/npm/node_modules/@npmcli/config/package.json
index 2d91ded3f9a149..360b0ab128a03c 100644
--- a/deps/npm/node_modules/@npmcli/config/package.json
+++ b/deps/npm/node_modules/@npmcli/config/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/config",
- "version": "10.11.0",
+ "version": "10.12.0",
"files": [
"bin/",
"lib/"
diff --git a/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js b/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
index 33063dd3552cd6..e4e5bd87666d1b 100644
--- a/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
+++ b/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
@@ -95,19 +95,23 @@ function gte(i, y) {
function expand_(str, max, isTop) {
/** @type {string[]} */
const expansions = [];
- const m = (0, balanced_match_1.balanced)('{', '}', str);
- if (!m)
- return [str];
- // no need to expand pre, since it is guaranteed to be free of brace-sets
- const pre = m.pre;
- const post = m.post.length ? expand_(m.post, max, false) : [''];
- if (/\$$/.test(m.pre)) {
- for (let k = 0; k < post.length && k < max; k++) {
- const expansion = pre + '{' + m.body + '}' + post[k];
- expansions.push(expansion);
+ // The `{a},b}` rewrite below restarts expansion on a rewritten string with
+ // the same `max` and `isTop = true`. Loop instead of recursing so a long run
+ // of non-expanding `{}` groups can't exhaust the call stack.
+ for (;;) {
+ const m = (0, balanced_match_1.balanced)('{', '}', str);
+ if (!m)
+ return [str];
+ // no need to expand pre, since it is guaranteed to be free of brace-sets
+ const pre = m.pre;
+ if (/\$$/.test(m.pre)) {
+ const post = m.post.length ? expand_(m.post, max, false) : [''];
+ for (let k = 0; k < post.length && k < max; k++) {
+ const expansion = pre + '{' + m.body + '}' + post[k];
+ expansions.push(expansion);
+ }
+ return expansions;
}
- }
- else {
const isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
const isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
const isSequence = isNumericSequence || isAlphaSequence;
@@ -116,10 +120,16 @@ function expand_(str, max, isTop) {
// {a},b}
if (m.post.match(/,(?!,).*\}/)) {
str = m.pre + '{' + m.body + escClose + m.post;
- return expand_(str, max, true);
+ isTop = true;
+ continue;
}
return [str];
}
+ // Only expand post once we know this brace set actually expands. Computing
+ // it before the early returns above expanded post a second time on every
+ // non-expanding `{}`, which is what made inputs like `a{},{},{}...` blow up
+ // exponentially.
+ const post = m.post.length ? expand_(m.post, max, false) : [''];
let n;
if (isSequence) {
n = m.body.split(/\.\./);
@@ -195,7 +205,7 @@ function expand_(str, max, isTop) {
}
}
}
+ return expansions;
}
- return expansions;
}
//# sourceMappingURL=index.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/brace-expansion/dist/esm/index.js b/deps/npm/node_modules/brace-expansion/dist/esm/index.js
index 32399e7b2f5cf1..b2d2aa91bb1c31 100644
--- a/deps/npm/node_modules/brace-expansion/dist/esm/index.js
+++ b/deps/npm/node_modules/brace-expansion/dist/esm/index.js
@@ -91,19 +91,23 @@ function gte(i, y) {
function expand_(str, max, isTop) {
/** @type {string[]} */
const expansions = [];
- const m = balanced('{', '}', str);
- if (!m)
- return [str];
- // no need to expand pre, since it is guaranteed to be free of brace-sets
- const pre = m.pre;
- const post = m.post.length ? expand_(m.post, max, false) : [''];
- if (/\$$/.test(m.pre)) {
- for (let k = 0; k < post.length && k < max; k++) {
- const expansion = pre + '{' + m.body + '}' + post[k];
- expansions.push(expansion);
+ // The `{a},b}` rewrite below restarts expansion on a rewritten string with
+ // the same `max` and `isTop = true`. Loop instead of recursing so a long run
+ // of non-expanding `{}` groups can't exhaust the call stack.
+ for (;;) {
+ const m = balanced('{', '}', str);
+ if (!m)
+ return [str];
+ // no need to expand pre, since it is guaranteed to be free of brace-sets
+ const pre = m.pre;
+ if (/\$$/.test(m.pre)) {
+ const post = m.post.length ? expand_(m.post, max, false) : [''];
+ for (let k = 0; k < post.length && k < max; k++) {
+ const expansion = pre + '{' + m.body + '}' + post[k];
+ expansions.push(expansion);
+ }
+ return expansions;
}
- }
- else {
const isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
const isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
const isSequence = isNumericSequence || isAlphaSequence;
@@ -112,10 +116,16 @@ function expand_(str, max, isTop) {
// {a},b}
if (m.post.match(/,(?!,).*\}/)) {
str = m.pre + '{' + m.body + escClose + m.post;
- return expand_(str, max, true);
+ isTop = true;
+ continue;
}
return [str];
}
+ // Only expand post once we know this brace set actually expands. Computing
+ // it before the early returns above expanded post a second time on every
+ // non-expanding `{}`, which is what made inputs like `a{},{},{}...` blow up
+ // exponentially.
+ const post = m.post.length ? expand_(m.post, max, false) : [''];
let n;
if (isSequence) {
n = m.body.split(/\.\./);
@@ -191,7 +201,7 @@ function expand_(str, max, isTop) {
}
}
}
+ return expansions;
}
- return expansions;
}
//# sourceMappingURL=index.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/brace-expansion/package.json b/deps/npm/node_modules/brace-expansion/package.json
index 81524809e58612..a5142f2787b665 100644
--- a/deps/npm/node_modules/brace-expansion/package.json
+++ b/deps/npm/node_modules/brace-expansion/package.json
@@ -1,7 +1,7 @@
{
"name": "brace-expansion",
"description": "Brace expansion as known from sh/bash",
- "version": "5.0.6",
+ "version": "5.0.7",
"files": [
"dist"
],
@@ -59,6 +59,6 @@
"module": "./dist/esm/index.js",
"repository": {
"type": "git",
- "url": "git+ssh://git@github.com/juliangruber/brace-expansion.git"
+ "url": "git+https://github.com/juliangruber/brace-expansion.git"
}
}
diff --git a/deps/npm/node_modules/libnpmdiff/package.json b/deps/npm/node_modules/libnpmdiff/package.json
index 0e2a7968c74c7a..31aadc1a771808 100644
--- a/deps/npm/node_modules/libnpmdiff/package.json
+++ b/deps/npm/node_modules/libnpmdiff/package.json
@@ -1,6 +1,6 @@
{
"name": "libnpmdiff",
- "version": "8.1.10",
+ "version": "8.1.11",
"description": "The registry diff",
"repository": {
"type": "git",
@@ -47,7 +47,7 @@
"tap": "^16.3.8"
},
"dependencies": {
- "@npmcli/arborist": "^9.8.0",
+ "@npmcli/arborist": "^9.9.0",
"@npmcli/installed-package-contents": "^4.0.0",
"binary-extensions": "^3.0.0",
"diff": "^8.0.2",
diff --git a/deps/npm/node_modules/libnpmexec/lib/index.js b/deps/npm/node_modules/libnpmexec/lib/index.js
index 35452f796246b8..4d7c1266546891 100644
--- a/deps/npm/node_modules/libnpmexec/lib/index.js
+++ b/deps/npm/node_modules/libnpmexec/lib/index.js
@@ -19,8 +19,6 @@ const runScript = require('./run-script.js')
const isWindows = require('./is-windows.js')
const withLock = require('./with-lock.js')
-const binPaths = []
-
// when checking the local tree we look up manifests, cache those results by
// spec.raw so we don't have to fetch again when we check npxCache
const manifests = new Map()
@@ -113,6 +111,8 @@ const exec = async (opts) => {
...flatOptions
} = opts
+ const binPaths = []
+
let pkgPaths = opts.pkgPath
if (typeof pkgPaths === 'string') {
pkgPaths = [pkgPaths]
@@ -196,7 +196,11 @@ const exec = async (opts) => {
let commandManifest
await Promise.all(packages.map(async (pkg, i) => {
const spec = npa(pkg, path)
- const { manifest, node } = await missingFromTree({ spec, tree: localTree, flatOptions })
+ const { manifest, node } = await missingFromTree({
+ spec,
+ tree: localTree,
+ flatOptions,
+ })
if (manifest) {
// Package does not exist in the local tree
needInstall.push({ spec, manifest })
diff --git a/deps/npm/node_modules/libnpmexec/package.json b/deps/npm/node_modules/libnpmexec/package.json
index 77af2f57ccd508..097673618ae8dd 100644
--- a/deps/npm/node_modules/libnpmexec/package.json
+++ b/deps/npm/node_modules/libnpmexec/package.json
@@ -1,6 +1,6 @@
{
"name": "libnpmexec",
- "version": "10.3.0",
+ "version": "10.3.1",
"files": [
"bin/",
"lib/"
@@ -61,7 +61,7 @@
},
"dependencies": {
"@gar/promise-retry": "^1.0.0",
- "@npmcli/arborist": "^9.8.0",
+ "@npmcli/arborist": "^9.9.0",
"@npmcli/package-json": "^7.0.0",
"@npmcli/run-script": "^10.0.0",
"ci-info": "^4.0.0",
diff --git a/deps/npm/node_modules/libnpmfund/package.json b/deps/npm/node_modules/libnpmfund/package.json
index a03c4e89d63fb2..a6dc15e4b727c9 100644
--- a/deps/npm/node_modules/libnpmfund/package.json
+++ b/deps/npm/node_modules/libnpmfund/package.json
@@ -1,6 +1,6 @@
{
"name": "libnpmfund",
- "version": "7.0.24",
+ "version": "7.0.25",
"main": "lib/index.js",
"files": [
"bin/",
@@ -46,7 +46,7 @@
"tap": "^16.3.8"
},
"dependencies": {
- "@npmcli/arborist": "^9.8.0"
+ "@npmcli/arborist": "^9.9.0"
},
"engines": {
"node": "^20.17.0 || >=22.9.0"
diff --git a/deps/npm/node_modules/libnpmpack/package.json b/deps/npm/node_modules/libnpmpack/package.json
index 5c285836d35364..92aa96af6408ea 100644
--- a/deps/npm/node_modules/libnpmpack/package.json
+++ b/deps/npm/node_modules/libnpmpack/package.json
@@ -1,6 +1,6 @@
{
"name": "libnpmpack",
- "version": "9.1.10",
+ "version": "9.1.11",
"description": "Programmatic API for the bits behind npm pack",
"author": "GitHub Inc.",
"main": "lib/index.js",
@@ -37,7 +37,7 @@
"bugs": "https://github.com/npm/libnpmpack/issues",
"homepage": "https://npmjs.com/package/libnpmpack",
"dependencies": {
- "@npmcli/arborist": "^9.8.0",
+ "@npmcli/arborist": "^9.9.0",
"@npmcli/run-script": "^10.0.0",
"npm-package-arg": "^13.0.0",
"pacote": "^21.0.2"
diff --git a/deps/npm/node_modules/npm-profile/lib/index.js b/deps/npm/node_modules/npm-profile/lib/index.js
index 83ab5e1b46b68e..734e08abb655ff 100644
--- a/deps/npm/node_modules/npm-profile/lib/index.js
+++ b/deps/npm/node_modules/npm-profile/lib/index.js
@@ -49,6 +49,33 @@ const isValidUrl = u => {
}
}
+// npm's web-login response names the canonical npmjs registry in `doneUrl`, which a proxy/mirror forwards verbatim.
+// The poll would then hit npmjs.org instead of the proxy that holds the session, so rewrite only that npmjs host to the configured registry origin, preserving the path prefix and query string.
+// Any other done host is left untouched, since a non-npmjs canonical host cannot be inferred here and may be served intentionally.
+const CANONICAL_REGISTRY_HOST = 'registry.npmjs.org'
+
+// doneUrl is already validated by isValidUrl and registry is the origin a prior
+// POST /-/v1/login succeeded against, so both parse cleanly here.
+const replaceDoneUrlOrigin = (doneUrl, registry) => {
+ if (!registry) {
+ return doneUrl
+ }
+ const done = new URL(doneUrl)
+ if (done.hostname !== CANONICAL_REGISTRY_HOST) {
+ return doneUrl
+ }
+ const reg = new URL(registry)
+ done.protocol = reg.protocol
+ done.host = reg.host
+ const prefix = reg.pathname.replace(/\/$/, '')
+ if (prefix && prefix !== '/' &&
+ done.pathname !== prefix &&
+ !done.pathname.startsWith(prefix + '/')) {
+ done.pathname = prefix + done.pathname
+ }
+ return done.href
+}
+
const webAuth = async (opener, opts, body) => {
try {
const res = await fetch('/-/v1/login', {
@@ -65,7 +92,7 @@ const webAuth = async (opener, opts, body) => {
throw new WebLoginInvalidResponse('POST', res, content)
}
- return await webAuthOpener(opener, loginUrl, doneUrl, opts)
+ return await webAuthOpener(opener, loginUrl, replaceDoneUrlOrigin(doneUrl, opts.registry), opts)
} catch (er) {
if ((er.statusCode >= 400 && er.statusCode <= 499) || er.statusCode === 500) {
throw new WebLoginNotSupported('POST', {
diff --git a/deps/npm/node_modules/npm-profile/package.json b/deps/npm/node_modules/npm-profile/package.json
index 0f97cc1efa1934..bb7f23ec83121b 100644
--- a/deps/npm/node_modules/npm-profile/package.json
+++ b/deps/npm/node_modules/npm-profile/package.json
@@ -1,13 +1,13 @@
{
"name": "npm-profile",
- "version": "12.0.1",
+ "version": "12.0.2",
"description": "Library for updating an npmjs.com profile",
"keywords": [],
"author": "GitHub Inc.",
"license": "ISC",
"dependencies": {
"npm-registry-fetch": "^19.0.0",
- "proc-log": "^6.0.0"
+ "proc-log": "^6.1.0"
},
"main": "./lib/index.js",
"repository": {
@@ -19,8 +19,8 @@
"lib/"
],
"devDependencies": {
- "@npmcli/eslint-config": "^5.0.0",
- "@npmcli/template-oss": "4.27.1",
+ "@npmcli/eslint-config": "^7.0.0",
+ "@npmcli/template-oss": "5.1.1",
"nock": "^13.5.6",
"tap": "^16.0.1"
},
@@ -46,7 +46,7 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "4.27.1",
+ "version": "5.1.1",
"publish": true
}
}
diff --git a/deps/npm/node_modules/semver/classes/range.js b/deps/npm/node_modules/semver/classes/range.js
index 766d505a226919..a7d6556febb4e5 100644
--- a/deps/npm/node_modules/semver/classes/range.js
+++ b/deps/npm/node_modules/semver/classes/range.js
@@ -299,6 +299,10 @@ const replaceTildes = (comp, options) => {
const replaceTilde = (comp, options) => {
const r = options.loose ? re[t.TILDELOOSE] : re[t.TILDE]
+ // if we're including prereleases in the match, then the lower bound is
+ // -0, the lowest possible prerelease value, just like x-ranges and carets.
+ // this keeps `~1.2` equivalent to the `1.2.x` x-range it's documented as.
+ const z = options.includePrerelease ? '-0' : ''
return comp.replace(r, (_, M, m, p, pr) => {
debug('tilde', comp, _, M, m, p, pr)
let ret
@@ -306,10 +310,10 @@ const replaceTilde = (comp, options) => {
if (isX(M)) {
ret = ''
} else if (isX(m)) {
- ret = `>=${M}.0.0 <${+M + 1}.0.0-0`
+ ret = `>=${M}.0.0${z} <${+M + 1}.0.0-0`
} else if (isX(p)) {
// ~1.2 == >=1.2.0 <1.3.0-0
- ret = `>=${M}.${m}.0 <${M}.${+m + 1}.0-0`
+ ret = `>=${M}.${m}.0${z} <${M}.${+m + 1}.0-0`
} else if (pr) {
debug('replaceTilde pr', pr)
ret = `>=${M}.${m}.${p}-${pr
diff --git a/deps/npm/node_modules/semver/package.json b/deps/npm/node_modules/semver/package.json
index ddedbf7bdaba6f..0cb7c7bb465ea4 100644
--- a/deps/npm/node_modules/semver/package.json
+++ b/deps/npm/node_modules/semver/package.json
@@ -1,6 +1,6 @@
{
"name": "semver",
- "version": "7.8.4",
+ "version": "7.8.5",
"description": "The semantic version parser used by npm.",
"main": "index.js",
"scripts": {
diff --git a/deps/npm/node_modules/tar/dist/commonjs/header.js b/deps/npm/node_modules/tar/dist/commonjs/header.js
index d6e8f0ec342678..f4a84fb76c3462 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/header.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/header.js
@@ -41,6 +41,7 @@ exports.Header = void 0;
const node_path_1 = require("node:path");
const large = __importStar(require("./large-numbers.js"));
const types = __importStar(require("./types.js"));
+const notNegative = (n) => n === undefined || n < 0 ? undefined : n;
class Header {
cksumValid = false;
needPax = false;
@@ -99,10 +100,9 @@ class Header {
exForFields?.uid ?? gexForFields?.uid ?? decNumber(buf, off + 108, 8);
this.gid =
exForFields?.gid ?? gexForFields?.gid ?? decNumber(buf, off + 116, 8);
- this.size =
- exForFields?.size ??
- gexForFields?.size ??
- decNumber(buf, off + 124, 12);
+ this.size = notNegative(exForFields?.size ??
+ gexForFields?.size ??
+ decNumber(buf, off + 124, 12));
this.mtime =
exForFields?.mtime ??
gexForFields?.mtime ??
@@ -188,6 +188,7 @@ class Header {
// null/undefined values are ignored.
return !(v === null ||
v === undefined ||
+ (k === 'size' && Number(v) < 0) ||
(k === 'path' && gex) ||
(k === 'linkpath' && gex) ||
k === 'global');
diff --git a/deps/npm/node_modules/tar/dist/commonjs/index.min.js b/deps/npm/node_modules/tar/dist/commonjs/index.min.js
index 6bce016bcece46..1a229a01e5a5f8 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/index.min.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/index.min.js
@@ -1,4 +1,4 @@
-"use strict";var d=(s,e)=>()=>(e||s((e={exports:{}}).exports,e),e.exports);var We=d(F=>{"use strict";var Ro=F&&F.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(F,"__esModule",{value:!0});F.Minipass=F.isWritable=F.isReadable=F.isStream=void 0;var Br=typeof process=="object"&&process?process:{stdout:null,stderr:null},is=require("node:events"),jr=Ro(require("node:stream")),vo=require("node:string_decoder"),To=s=>!!s&&typeof s=="object"&&(s instanceof Zt||s instanceof jr.default||(0,F.isReadable)(s)||(0,F.isWritable)(s));F.isStream=To;var Do=s=>!!s&&typeof s=="object"&&s instanceof is.EventEmitter&&typeof s.pipe=="function"&&s.pipe!==jr.default.Writable.prototype.pipe;F.isReadable=Do;var Po=s=>!!s&&typeof s=="object"&&s instanceof is.EventEmitter&&typeof s.write=="function"&&typeof s.end=="function";F.isWritable=Po;var le=Symbol("EOF"),ue=Symbol("maybeEmitEnd"),_e=Symbol("emittedEnd"),xt=Symbol("emittingEnd"),dt=Symbol("emittedError"),jt=Symbol("closed"),zr=Symbol("read"),Ut=Symbol("flush"),kr=Symbol("flushChunk"),K=Symbol("encoding"),Ue=Symbol("decoder"),O=Symbol("flowing"),mt=Symbol("paused"),qe=Symbol("resume"),R=Symbol("buffer"),I=Symbol("pipes"),v=Symbol("bufferLength"),$i=Symbol("bufferPush"),qt=Symbol("bufferShift"),N=Symbol("objectMode"),y=Symbol("destroyed"),Xi=Symbol("error"),Qi=Symbol("emitData"),xr=Symbol("emitEnd"),Ji=Symbol("emitEnd2"),J=Symbol("async"),es=Symbol("abort"),Wt=Symbol("aborted"),pt=Symbol("signal"),Ne=Symbol("dataListeners"),x=Symbol("discarded"),_t=s=>Promise.resolve().then(s),No=s=>s(),Mo=s=>s==="end"||s==="finish"||s==="prefinish",Lo=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Ao=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Ht=class{src;dest;opts;ondrain;constructor(e,t,i){this.src=e,this.dest=t,this.opts=i,this.ondrain=()=>e[qe](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(e){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},ts=class extends Ht{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(e,t,i){super(e,t,i),this.proxyErrors=r=>this.dest.emit("error",r),e.on("error",this.proxyErrors)}},Io=s=>!!s.objectMode,Fo=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",Zt=class extends is.EventEmitter{[O]=!1;[mt]=!1;[I]=[];[R]=[];[N];[K];[J];[Ue];[le]=!1;[_e]=!1;[xt]=!1;[jt]=!1;[dt]=null;[v]=0;[y]=!1;[pt];[Wt]=!1;[Ne]=0;[x]=!1;writable=!0;readable=!0;constructor(...e){let t=e[0]||{};if(super(),t.objectMode&&typeof t.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Io(t)?(this[N]=!0,this[K]=null):Fo(t)?(this[K]=t.encoding,this[N]=!1):(this[N]=!1,this[K]=null),this[J]=!!t.async,this[Ue]=this[K]?new vo.StringDecoder(this[K]):null,t&&t.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[R]}),t&&t.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[I]});let{signal:i}=t;i&&(this[pt]=i,i.aborted?this[es]():i.addEventListener("abort",()=>this[es]()))}get bufferLength(){return this[v]}get encoding(){return this[K]}set encoding(e){throw new Error("Encoding must be set at instantiation time")}setEncoding(e){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[N]}set objectMode(e){throw new Error("objectMode must be set at instantiation time")}get async(){return this[J]}set async(e){this[J]=this[J]||!!e}[es](){this[Wt]=!0,this.emit("abort",this[pt]?.reason),this.destroy(this[pt]?.reason)}get aborted(){return this[Wt]}set aborted(e){}write(e,t,i){if(this[Wt])return!1;if(this[le])throw new Error("write after end");if(this[y])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof t=="function"&&(i=t,t="utf8"),t||(t="utf8");let r=this[J]?_t:No;if(!this[N]&&!Buffer.isBuffer(e)){if(Ao(e))e=Buffer.from(e.buffer,e.byteOffset,e.byteLength);else if(Lo(e))e=Buffer.from(e);else if(typeof e!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[N]?(this[O]&&this[v]!==0&&this[Ut](!0),this[O]?this.emit("data",e):this[$i](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):e.length?(typeof e=="string"&&!(t===this[K]&&!this[Ue]?.lastNeed)&&(e=Buffer.from(e,t)),Buffer.isBuffer(e)&&this[K]&&(e=this[Ue].write(e)),this[O]&&this[v]!==0&&this[Ut](!0),this[O]?this.emit("data",e):this[$i](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):(this[v]!==0&&this.emit("readable"),i&&r(i),this[O])}read(e){if(this[y])return null;if(this[x]=!1,this[v]===0||e===0||e&&e>this[v])return this[ue](),null;this[N]&&(e=null),this[R].length>1&&!this[N]&&(this[R]=[this[K]?this[R].join(""):Buffer.concat(this[R],this[v])]);let t=this[zr](e||null,this[R][0]);return this[ue](),t}[zr](e,t){if(this[N])this[qt]();else{let i=t;e===i.length||e===null?this[qt]():typeof i=="string"?(this[R][0]=i.slice(e),t=i.slice(0,e),this[v]-=e):(this[R][0]=i.subarray(e),t=i.subarray(0,e),this[v]-=e)}return this.emit("data",t),!this[R].length&&!this[le]&&this.emit("drain"),t}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t="utf8"),e!==void 0&&this.write(e,t),i&&this.once("end",i),this[le]=!0,this.writable=!1,(this[O]||!this[mt])&&this[ue](),this}[qe](){this[y]||(!this[Ne]&&!this[I].length&&(this[x]=!0),this[mt]=!1,this[O]=!0,this.emit("resume"),this[R].length?this[Ut]():this[le]?this[ue]():this.emit("drain"))}resume(){return this[qe]()}pause(){this[O]=!1,this[mt]=!0,this[x]=!1}get destroyed(){return this[y]}get flowing(){return this[O]}get paused(){return this[mt]}[$i](e){this[N]?this[v]+=1:this[v]+=e.length,this[R].push(e)}[qt](){return this[N]?this[v]-=1:this[v]-=this[R][0].length,this[R].shift()}[Ut](e=!1){do;while(this[kr](this[qt]())&&this[R].length);!e&&!this[R].length&&!this[le]&&this.emit("drain")}[kr](e){return this.emit("data",e),this[O]}pipe(e,t){if(this[y])return e;this[x]=!1;let i=this[_e];return t=t||{},e===Br.stdout||e===Br.stderr?t.end=!1:t.end=t.end!==!1,t.proxyErrors=!!t.proxyErrors,i?t.end&&e.end():(this[I].push(t.proxyErrors?new ts(this,e,t):new Ht(this,e,t)),this[J]?_t(()=>this[qe]()):this[qe]()),e}unpipe(e){let t=this[I].find(i=>i.dest===e);t&&(this[I].length===1?(this[O]&&this[Ne]===0&&(this[O]=!1),this[I]=[]):this[I].splice(this[I].indexOf(t),1),t.unpipe())}addListener(e,t){return this.on(e,t)}on(e,t){let i=super.on(e,t);if(e==="data")this[x]=!1,this[Ne]++,!this[I].length&&!this[O]&&this[qe]();else if(e==="readable"&&this[v]!==0)super.emit("readable");else if(Mo(e)&&this[_e])super.emit(e),this.removeAllListeners(e);else if(e==="error"&&this[dt]){let r=t;this[J]?_t(()=>r.call(this,this[dt])):r.call(this,this[dt])}return i}removeListener(e,t){return this.off(e,t)}off(e,t){let i=super.off(e,t);return e==="data"&&(this[Ne]=this.listeners("data").length,this[Ne]===0&&!this[x]&&!this[I].length&&(this[O]=!1)),i}removeAllListeners(e){let t=super.removeAllListeners(e);return(e==="data"||e===void 0)&&(this[Ne]=0,!this[x]&&!this[I].length&&(this[O]=!1)),t}get emittedEnd(){return this[_e]}[ue](){!this[xt]&&!this[_e]&&!this[y]&&this[R].length===0&&this[le]&&(this[xt]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[jt]&&this.emit("close"),this[xt]=!1)}emit(e,...t){let i=t[0];if(e!=="error"&&e!=="close"&&e!==y&&this[y])return!1;if(e==="data")return!this[N]&&!i?!1:this[J]?(_t(()=>this[Qi](i)),!0):this[Qi](i);if(e==="end")return this[xr]();if(e==="close"){if(this[jt]=!0,!this[_e]&&!this[y])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(e==="error"){this[dt]=i,super.emit(Xi,i);let n=!this[pt]||this.listeners("error").length?super.emit("error",i):!1;return this[ue](),n}else if(e==="resume"){let n=super.emit("resume");return this[ue](),n}else if(e==="finish"||e==="prefinish"){let n=super.emit(e);return this.removeAllListeners(e),n}let r=super.emit(e,...t);return this[ue](),r}[Qi](e){for(let i of this[I])i.dest.write(e)===!1&&this.pause();let t=this[x]?!1:super.emit("data",e);return this[ue](),t}[xr](){return this[_e]?!1:(this[_e]=!0,this.readable=!1,this[J]?(_t(()=>this[Ji]()),!0):this[Ji]())}[Ji](){if(this[Ue]){let t=this[Ue].end();if(t){for(let i of this[I])i.dest.write(t);this[x]||super.emit("data",t)}}for(let t of this[I])t.end();let e=super.emit("end");return this.removeAllListeners("end"),e}async collect(){let e=Object.assign([],{dataLength:0});this[N]||(e.dataLength=0);let t=this.promise();return this.on("data",i=>{e.push(i),this[N]||(e.dataLength+=i.length)}),await t,e}async concat(){if(this[N])throw new Error("cannot concat in objectMode");let e=await this.collect();return this[K]?e.join(""):Buffer.concat(e,e.dataLength)}async promise(){return new Promise((e,t)=>{this.on(y,()=>t(new Error("stream destroyed"))),this.on("error",i=>t(i)),this.on("end",()=>e())})}[Symbol.asyncIterator](){this[x]=!1;let e=!1,t=async()=>(this.pause(),e=!0,{value:void 0,done:!0});return{next:()=>{if(e)return t();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[le])return t();let n,o,h=c=>{this.off("data",a),this.off("end",l),this.off(y,u),t(),o(c)},a=c=>{this.off("error",h),this.off("end",l),this.off(y,u),this.pause(),n({value:c,done:!!this[le]})},l=()=>{this.off("error",h),this.off("data",a),this.off(y,u),t(),n({done:!0,value:void 0})},u=()=>h(new Error("stream destroyed"));return new Promise((c,E)=>{o=E,n=c,this.once(y,u),this.once("error",h),this.once("end",l),this.once("data",a)})},throw:t,return:t,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[x]=!1;let e=!1,t=()=>(this.pause(),this.off(Xi,t),this.off(y,t),this.off("end",t),e=!0,{done:!0,value:void 0}),i=()=>{if(e)return t();let r=this.read();return r===null?t():{done:!1,value:r}};return this.once("end",t),this.once(Xi,t),this.once(y,t),{next:i,throw:t,return:t,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(e){if(this[y])return e?this.emit("error",e):this.emit(y),this;this[y]=!0,this[x]=!0,this[R].length=0,this[v]=0;let t=this;return typeof t.close=="function"&&!this[jt]&&t.close(),e?this.emit("error",e):this.emit(y),this}static get isStream(){return F.isStream}};F.Minipass=Zt});var Ke=d(W=>{"use strict";var Ur=W&&W.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(W,"__esModule",{value:!0});W.WriteStreamSync=W.WriteStream=W.ReadStreamSync=W.ReadStream=void 0;var Co=Ur(require("events")),z=Ur(require("fs")),Bo=We(),zo=z.default.writev,ye=Symbol("_autoClose"),$=Symbol("_close"),wt=Symbol("_ended"),p=Symbol("_fd"),ss=Symbol("_finished"),fe=Symbol("_flags"),rs=Symbol("_flush"),hs=Symbol("_handleChunk"),ls=Symbol("_makeBuf"),Et=Symbol("_mode"),Gt=Symbol("_needDrain"),Ge=Symbol("_onerror"),Ye=Symbol("_onopen"),ns=Symbol("_onread"),He=Symbol("_onwrite"),Ee=Symbol("_open"),V=Symbol("_path"),we=Symbol("_pos"),ee=Symbol("_queue"),Ze=Symbol("_read"),os=Symbol("_readSize"),ce=Symbol("_reading"),yt=Symbol("_remain"),as=Symbol("_size"),Yt=Symbol("_write"),Me=Symbol("_writing"),Kt=Symbol("_defaultFlag"),Le=Symbol("_errored"),Vt=class extends Bo.Minipass{[Le]=!1;[p];[V];[os];[ce]=!1;[as];[yt];[ye];constructor(e,t){if(t=t||{},super(t),this.readable=!0,this.writable=!1,typeof e!="string")throw new TypeError("path must be a string");this[Le]=!1,this[p]=typeof t.fd=="number"?t.fd:void 0,this[V]=e,this[os]=t.readSize||16*1024*1024,this[ce]=!1,this[as]=typeof t.size=="number"?t.size:1/0,this[yt]=this[as],this[ye]=typeof t.autoClose=="boolean"?t.autoClose:!0,typeof this[p]=="number"?this[Ze]():this[Ee]()}get fd(){return this[p]}get path(){return this[V]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[Ee](){z.default.open(this[V],"r",(e,t)=>this[Ye](e,t))}[Ye](e,t){e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Ze]())}[ls](){return Buffer.allocUnsafe(Math.min(this[os],this[yt]))}[Ze](){if(!this[ce]){this[ce]=!0;let e=this[ls]();if(e.length===0)return process.nextTick(()=>this[ns](null,0,e));z.default.read(this[p],e,0,e.length,null,(t,i,r)=>this[ns](t,i,r))}}[ns](e,t,i){this[ce]=!1,e?this[Ge](e):this[hs](t,i)&&this[Ze]()}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}[Ge](e){this[ce]=!0,this[$](),this.emit("error",e)}[hs](e,t){let i=!1;return this[yt]-=e,e>0&&(i=super.write(ethis[Ye](e,t))}[Ye](e,t){this[Kt]&&this[fe]==="r+"&&e&&e.code==="ENOENT"?(this[fe]="w",this[Ee]()):e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Me]||this[rs]())}end(e,t){return e&&this.write(e,t),this[wt]=!0,!this[Me]&&!this[ee].length&&typeof this[p]=="number"&&this[He](null,0),this}write(e,t){return typeof e=="string"&&(e=Buffer.from(e,t)),this[wt]?(this.emit("error",new Error("write() after end()")),!1):this[p]===void 0||this[Me]||this[ee].length?(this[ee].push(e),this[Gt]=!0,!1):(this[Me]=!0,this[Yt](e),!0)}[Yt](e){z.default.write(this[p],e,0,e.length,this[we],(t,i)=>this[He](t,i))}[He](e,t){e?this[Ge](e):(this[we]!==void 0&&typeof t=="number"&&(this[we]+=t),this[ee].length?this[rs]():(this[Me]=!1,this[wt]&&!this[ss]?(this[ss]=!0,this[$](),this.emit("finish")):this[Gt]&&(this[Gt]=!1,this.emit("drain"))))}[rs](){if(this[ee].length===0)this[wt]&&this[He](null,0);else if(this[ee].length===1)this[Yt](this[ee].pop());else{let e=this[ee];this[ee]=[],zo(this[p],e,this[we],(t,i)=>this[He](t,i))}}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}};W.WriteStream=$t;var cs=class extends $t{[Ee](){let e;if(this[Kt]&&this[fe]==="r+")try{e=z.default.openSync(this[V],this[fe],this[Et])}catch(t){if(t?.code==="ENOENT")return this[fe]="w",this[Ee]();throw t}else e=z.default.openSync(this[V],this[fe],this[Et]);this[Ye](null,e)}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.closeSync(e),this.emit("close")}}[Yt](e){let t=!0;try{this[He](null,z.default.writeSync(this[p],e,0,e.length,this[we])),t=!1}finally{if(t)try{this[$]()}catch{}}}};W.WriteStreamSync=cs});var Xt=d(b=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});b.dealias=b.isNoFile=b.isFile=b.isAsync=b.isSync=b.isAsyncNoFile=b.isSyncNoFile=b.isAsyncFile=b.isSyncFile=void 0;var ko=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),xo=s=>!!s.sync&&!!s.file;b.isSyncFile=xo;var jo=s=>!s.sync&&!!s.file;b.isAsyncFile=jo;var Uo=s=>!!s.sync&&!s.file;b.isSyncNoFile=Uo;var qo=s=>!s.sync&&!s.file;b.isAsyncNoFile=qo;var Wo=s=>!!s.sync;b.isSync=Wo;var Ho=s=>!s.sync;b.isAsync=Ho;var Zo=s=>!!s.file;b.isFile=Zo;var Go=s=>!s.file;b.isNoFile=Go;var Yo=s=>{let e=ko.get(s);return e||s},Ko=(s={})=>{if(!s)return{};let e={};for(let[t,i]of Object.entries(s)){let r=Yo(t);e[r]=i}return e.chmod===void 0&&e.noChmod===!1&&(e.chmod=!0),delete e.noChmod,e};b.dealias=Ko});var Ve=d(Qt=>{"use strict";Object.defineProperty(Qt,"__esModule",{value:!0});Qt.makeCommand=void 0;var bt=Xt(),Vo=(s,e,t,i,r)=>Object.assign((n=[],o,h)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(h=o,o=void 0),o=o?Array.from(o):[];let a=(0,bt.dealias)(n);if(r?.(a,o),(0,bt.isSyncFile)(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return s(a,o)}else if((0,bt.isAsyncFile)(a)){let l=e(a,o);return h?l.then(()=>h(),h):l}else if((0,bt.isSyncNoFile)(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return t(a,o)}else if((0,bt.isAsyncNoFile)(a)){if(typeof h=="function")throw new TypeError("callback only supported with file option");return i(a,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:e,syncNoFile:t,asyncNoFile:i,validate:r});Qt.makeCommand=Vo});var fs=d($e=>{"use strict";var $o=$e&&$e.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty($e,"__esModule",{value:!0});$e.constants=void 0;var Xo=$o(require("zlib")),Qo=Xo.default.constants||{ZLIB_VERNUM:4736};$e.constants=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},Qo))});var Ds=d(f=>{"use strict";var Jo=f&&f.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),ea=f&&f.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ta=f&&f.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;rs,ds=Wr?.writable===!0||Wr?.set!==void 0?s=>{Ae.Buffer.concat=s?oa:na}:s=>{},Ie=Symbol("_superWrite"),Fe=class extends Error{code;errno;constructor(e,t){super("zlib: "+e.message,{cause:e}),this.code=e.code,this.errno=e.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+e.message,Error.captureStackTrace(this,t??this.constructor)}get name(){return"ZlibError"}};f.ZlibError=Fe;var ms=Symbol("flushFlag"),St=class extends sa.Minipass{#e=!1;#i=!1;#s;#n;#r;#t;#o;get sawError(){return this.#e}get handle(){return this.#t}get flushFlag(){return this.#s}constructor(e,t){if(!e||typeof e!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(e),this.#s=e.flush??0,this.#n=e.finishFlush??0,this.#r=e.fullFlushFlag??0,typeof qr[t]!="function")throw new TypeError("Compression method not supported: "+t);try{this.#t=new qr[t](e)}catch(i){throw new Fe(i,this.constructor)}this.#o=i=>{this.#e||(this.#e=!0,this.close(),this.emit("error",i))},this.#t?.on("error",i=>this.#o(new Fe(i))),this.once("end",()=>this.close)}close(){this.#t&&(this.#t.close(),this.#t=void 0,this.emit("close"))}reset(){if(!this.#e)return(0,ps.default)(this.#t,"zlib binding closed"),this.#t.reset?.()}flush(e){this.ended||(typeof e!="number"&&(e=this.#r),this.write(Object.assign(Ae.Buffer.alloc(0),{[ms]:e})))}end(e,t,i){return typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&(t?this.write(e,t):this.write(e)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Ie](e){return super.write(e)}write(e,t,i){if(typeof t=="function"&&(i=t,t="utf8"),typeof e=="string"&&(e=Ae.Buffer.from(e,t)),this.#e)return;(0,ps.default)(this.#t,"zlib binding closed");let r=this.#t._handle,n=r.close;r.close=()=>{};let o=this.#t.close;this.#t.close=()=>{},ds(!0);let h;try{let l=typeof e[ms]=="number"?e[ms]:this.#s;h=this.#t._processChunk(e,l),ds(!1)}catch(l){ds(!1),this.#o(new Fe(l,this.write))}finally{this.#t&&(this.#t._handle=r,r.close=n,this.#t.close=o,this.#t.removeAllListeners("error"))}this.#t&&this.#t.on("error",l=>this.#o(new Fe(l,this.write)));let a;if(h)if(Array.isArray(h)&&h.length>0){let l=h[0];a=this[Ie](Ae.Buffer.from(l));for(let u=1;u{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(e,t)}finally{this.handle.flush=i}this.handle&&(this.#e=e,this.#i=t)}}}};f.Zlib=ie;var _s=class extends ie{constructor(e){super(e,"Deflate")}};f.Deflate=_s;var ws=class extends ie{constructor(e){super(e,"Inflate")}};f.Inflate=ws;var ys=class extends ie{#e;constructor(e){super(e,"Gzip"),this.#e=e&&!!e.portable}[Ie](e){return this.#e?(this.#e=!1,e[9]=255,super[Ie](e)):super[Ie](e)}};f.Gzip=ys;var Es=class extends ie{constructor(e){super(e,"Gunzip")}};f.Gunzip=Es;var bs=class extends ie{constructor(e){super(e,"DeflateRaw")}};f.DeflateRaw=bs;var Ss=class extends ie{constructor(e){super(e,"InflateRaw")}};f.InflateRaw=Ss;var gs=class extends ie{constructor(e){super(e,"Unzip")}};f.Unzip=gs;var Jt=class extends St{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.BROTLI_OPERATION_PROCESS,e.finishFlush=e.finishFlush||te.constants.BROTLI_OPERATION_FINISH,e.fullFlushFlag=te.constants.BROTLI_OPERATION_FLUSH,super(e,t)}},Os=class extends Jt{constructor(e){super(e,"BrotliCompress")}};f.BrotliCompress=Os;var Rs=class extends Jt{constructor(e){super(e,"BrotliDecompress")}};f.BrotliDecompress=Rs;var ei=class extends St{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.ZSTD_e_continue,e.finishFlush=e.finishFlush||te.constants.ZSTD_e_end,e.fullFlushFlag=te.constants.ZSTD_e_flush,super(e,t)}},vs=class extends ei{constructor(e){super(e,"ZstdCompress")}};f.ZstdCompress=vs;var Ts=class extends ei{constructor(e){super(e,"ZstdDecompress")}};f.ZstdDecompress=Ts});var Gr=d(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.parse=Xe.encode=void 0;var aa=(s,e)=>{if(Number.isSafeInteger(s))s<0?la(s,e):ha(s,e);else throw Error("cannot encode number outside of javascript safe integer range");return e};Xe.encode=aa;var ha=(s,e)=>{e[0]=128;for(var t=e.length;t>1;t--)e[t-1]=s&255,s=Math.floor(s/256)},la=(s,e)=>{e[0]=255;var t=!1;s=s*-1;for(var i=e.length;i>1;i--){var r=s&255;s=Math.floor(s/256),t?e[i-1]=Hr(r):r===0?e[i-1]=0:(t=!0,e[i-1]=Zr(r))}},ua=s=>{let e=s[0],t=e===128?fa(s.subarray(1,s.length)):e===255?ca(s):null;if(t===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(t))throw Error("parsed number outside of javascript safe integer range");return t};Xe.parse=ua;var ca=s=>{for(var e=s.length,t=0,i=!1,r=e-1;r>-1;r--){var n=Number(s[r]),o;i?o=Hr(n):n===0?o=n:(i=!0,o=Zr(n)),o!==0&&(t-=o*Math.pow(256,e-r-1))}return t},fa=s=>{for(var e=s.length,t=0,i=e-1;i>-1;i--){var r=Number(s[i]);r!==0&&(t+=r*Math.pow(256,e-i-1))}return t},Hr=s=>(255^s)&255,Zr=s=>(255^s)+1&255});var Ps=d(C=>{"use strict";Object.defineProperty(C,"__esModule",{value:!0});C.code=C.name=C.normalFsTypes=C.isName=C.isCode=void 0;var da=s=>C.name.has(s);C.isCode=da;var ma=s=>C.code.has(s);C.isName=ma;C.normalFsTypes=new Set(["0","","1","2","3","4","5","6","7","D"]);C.name=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]);C.code=new Map(Array.from(C.name).map(s=>[s[1],s[0]]))});var et=d(se=>{"use strict";var pa=se&&se.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),_a=se&&se.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Yr=se&&se.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r=t+512))throw new Error("need 512 bytes for header");let n=Ce(e,t+156,1),o=Je.normalFsTypes.has(n),h=o?i:void 0,a=o?r:void 0;if(this.path=h?.path??Ce(e,t,100),this.mode=h?.mode??a?.mode??be(e,t+100,8),this.uid=h?.uid??a?.uid??be(e,t+108,8),this.gid=h?.gid??a?.gid??be(e,t+116,8),this.size=h?.size??a?.size??be(e,t+124,12),this.mtime=h?.mtime??a?.mtime??Ns(e,t+136,12),this.cksum=be(e,t+148,12),a&&this.#i(a,!0),h&&this.#i(h),Je.isCode(n)&&(this.#e=n||"0"),this.#e==="0"&&this.path.slice(-1)==="/"&&(this.#e="5"),this.#e==="5"&&(this.size=0),this.linkpath=Ce(e,t+157,100),e.subarray(t+257,t+265).toString()==="ustar\x0000")if(this.uname=h?.uname??a?.uname??Ce(e,t+265,32),this.gname=h?.gname??a?.gname??Ce(e,t+297,32),this.devmaj=h?.devmaj??a?.devmaj??be(e,t+329,8)??0,this.devmin=h?.devmin??a?.devmin??be(e,t+337,8)??0,e[t+475]!==0){let u=Ce(e,t+345,155);this.path=u+"/"+this.path}else{let u=Ce(e,t+345,130);u&&(this.path=u+"/"+this.path),this.atime=i?.atime??r?.atime??Ns(e,t+476,12),this.ctime=i?.ctime??r?.ctime??Ns(e,t+488,12)}let l=256;for(let u=t;u!(r==null||i==="path"&&t||i==="linkpath"&&t||i==="global"))))}encode(e,t=0){if(e||(e=this.block=Buffer.alloc(512)),this.#e==="Unsupported"&&(this.#e="0"),!(e.length>=t+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=wa(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Be(e,t,100,n)||this.needPax,this.needPax=Se(e,t+100,8,this.mode)||this.needPax,this.needPax=Se(e,t+108,8,this.uid)||this.needPax,this.needPax=Se(e,t+116,8,this.gid)||this.needPax,this.needPax=Se(e,t+124,12,this.size)||this.needPax,this.needPax=Ms(e,t+136,12,this.mtime)||this.needPax,e[t+156]=Number(this.#e.codePointAt(0)),this.needPax=Be(e,t+157,100,this.linkpath)||this.needPax,e.write("ustar\x0000",t+257,8),this.needPax=Be(e,t+265,32,this.uname)||this.needPax,this.needPax=Be(e,t+297,32,this.gname)||this.needPax,this.needPax=Se(e,t+329,8,this.devmaj)||this.needPax,this.needPax=Se(e,t+337,8,this.devmin)||this.needPax,this.needPax=Be(e,t+345,i,o)||this.needPax,e[t+475]!==0?this.needPax=Be(e,t+345,155,o)||this.needPax:(this.needPax=Be(e,t+345,130,o)||this.needPax,this.needPax=Ms(e,t+476,12,this.atime)||this.needPax,this.needPax=Ms(e,t+488,12,this.ctime)||this.needPax);let h=256;for(let a=t;a{let i=s,r="",n,o=Qe.posix.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Qe.posix.dirname(i),i=Qe.posix.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=e?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=e?n=[i.slice(0,99),r,!0]:(i=Qe.posix.join(Qe.posix.basename(r),i),r=Qe.posix.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},Ce=(s,e,t)=>s.subarray(e,e+t).toString("utf8").replace(/\0.*/,""),Ns=(s,e,t)=>ya(be(s,e,t)),ya=s=>s===void 0?void 0:new Date(s*1e3),be=(s,e,t)=>Number(s[e])&128?Kr.parse(s.subarray(e,e+t)):ba(s,e,t),Ea=s=>isNaN(s)?void 0:s,ba=(s,e,t)=>Ea(parseInt(s.subarray(e,e+t).toString("utf8").replace(/\0.*$/,"").trim(),8)),Sa={12:8589934591,8:2097151},Se=(s,e,t,i)=>i===void 0?!1:i>Sa[t]||i<0?(Kr.encode(i,s.subarray(e,e+t)),!0):(ga(s,e,t,i),!1),ga=(s,e,t,i)=>s.write(Oa(i,t),e,t,"ascii"),Oa=(s,e)=>Ra(Math.floor(s).toString(8),e),Ra=(s,e)=>(s.length===e-1?s:new Array(e-s.length-1).join("0")+s+" ")+"\0",Ms=(s,e,t,i)=>i===void 0?!1:Se(s,e,t,i.getTime()/1e3),va=new Array(156).join("\0"),Be=(s,e,t,i)=>i===void 0?!1:(s.write(i+va,e,t,"utf8"),i.length!==Buffer.byteLength(i)||i.length>t)});var ii=d(ti=>{"use strict";Object.defineProperty(ti,"__esModule",{value:!0});ti.Pax=void 0;var Ta=require("node:path"),Da=et(),As=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(e,t=!1){this.atime=e.atime,this.charset=e.charset,this.comment=e.comment,this.ctime=e.ctime,this.dev=e.dev,this.gid=e.gid,this.global=t,this.gname=e.gname,this.ino=e.ino,this.linkpath=e.linkpath,this.mtime=e.mtime,this.nlink=e.nlink,this.path=e.path,this.size=e.size,this.uid=e.uid,this.uname=e.uname}encode(){let e=this.encodeBody();if(e==="")return Buffer.allocUnsafe(0);let t=Buffer.byteLength(e),i=512*Math.ceil(1+t/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new Da.Header({path:("PaxHeader/"+(0,Ta.basename)(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:t,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(e,512,t,"utf8");for(let n=t+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(e,t,i=!1){return new s(Pa(Na(e),t),i)}};ti.Pax=As;var Pa=(s,e)=>e?Object.assign({},e,s):s,Na=s=>s.replace(/\n$/,"").split(`
-`).reduce(Ma,Object.create(null)),Ma=(s,e)=>{let t=parseInt(e,10);if(t!==Buffer.byteLength(e)+1)return s;e=e.slice((t+" ").length);let i=e.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s}});var tt=d(si=>{"use strict";Object.defineProperty(si,"__esModule",{value:!0});si.normalizeWindowsPath=void 0;var La=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform;si.normalizeWindowsPath=La!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/")});var Fs=d(ni=>{"use strict";Object.defineProperty(ni,"__esModule",{value:!0});ni.ReadEntry=void 0;var Aa=We(),ri=tt(),Is=class extends Aa.Minipass{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(e,t,i){switch(super({}),this.pause(),this.extended=t,this.globalExtended=i,this.header=e,this.remain=e.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=e.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!e.path)throw new Error("no path provided for tar.ReadEntry");this.path=(0,ri.normalizeWindowsPath)(e.path),this.mode=e.mode,this.mode&&(this.mode=this.mode&4095),this.uid=e.uid,this.gid=e.gid,this.uname=e.uname,this.gname=e.gname,this.size=this.remain,this.mtime=e.mtime,this.atime=e.atime,this.ctime=e.ctime,this.linkpath=e.linkpath?(0,ri.normalizeWindowsPath)(e.linkpath):void 0,this.uname=e.uname,this.gname=e.gname,t&&this.#e(t),i&&this.#e(i,!0)}write(e){let t=e.length;if(t>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-t),this.blockRemain=Math.max(0,r-t),this.ignore?!0:i>=t?super.write(e):super.write(e.subarray(0,i))}#e(e,t=!1){e.path&&(e.path=(0,ri.normalizeWindowsPath)(e.path)),e.linkpath&&(e.linkpath=(0,ri.normalizeWindowsPath)(e.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(e).filter(([i,r])=>!(r==null||i==="path"&&t))))}};ni.ReadEntry=Is});var ai=d(oi=>{"use strict";Object.defineProperty(oi,"__esModule",{value:!0});oi.warnMethod=void 0;var Ia=(s,e,t,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=t instanceof Error&&t.code||e,i.tarCode=e,!s.strict&&i.recoverable!==!1?(t instanceof Error&&(i=Object.assign(t,i),t=t.message),s.emit("warn",e,t,i)):t instanceof Error?s.emit("error",Object.assign(t,i)):s.emit("error",Object.assign(new Error(`${e}: ${t}`),i))};oi.warnMethod=Ia});var pi=d(mi=>{"use strict";Object.defineProperty(mi,"__esModule",{value:!0});mi.Parser=void 0;var Fa=require("events"),Cs=Ds(),Vr=et(),$r=ii(),Ca=Fs(),Ba=ai(),za=1024*1024,js=Buffer.from([31,139]),Us=Buffer.from([40,181,47,253]),ka=Math.max(js.length,Us.length),H=Symbol("state"),ze=Symbol("writeEntry"),de=Symbol("readEntry"),Bs=Symbol("nextEntry"),Xr=Symbol("processEntry"),re=Symbol("extendedHeader"),gt=Symbol("globalExtendedHeader"),ge=Symbol("meta"),Qr=Symbol("emitMeta"),_=Symbol("buffer"),me=Symbol("queue"),Oe=Symbol("ended"),zs=Symbol("emittedEnd"),ke=Symbol("emit"),S=Symbol("unzip"),hi=Symbol("consumeChunk"),li=Symbol("consumeChunkSub"),ks=Symbol("consumeBody"),Jr=Symbol("consumeMeta"),en=Symbol("consumeHeader"),Ot=Symbol("consuming"),xs=Symbol("bufferConcat"),ui=Symbol("maybeEnd"),it=Symbol("writing"),Re=Symbol("aborted"),ci=Symbol("onDone"),xe=Symbol("sawValidEntry"),fi=Symbol("sawNullBlock"),di=Symbol("sawEOF"),tn=Symbol("closeStream"),xa=()=>!0,qs=class extends Fa.EventEmitter{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[me]=[];[_];[de];[ze];[H]="begin";[ge]="";[re];[gt];[Oe]=!1;[S];[Re]=!1;[xe];[fi]=!1;[di]=!1;[it]=!1;[Ot]=!1;[zs]=!1;constructor(e={}){super(),this.file=e.file||"",this.on(ci,()=>{(this[H]==="begin"||this[xe]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),e.ondone?this.on(ci,e.ondone):this.on(ci,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!e.strict,this.maxMetaEntrySize=e.maxMetaEntrySize||za,this.filter=typeof e.filter=="function"?e.filter:xa;let t=e.file&&(e.file.endsWith(".tar.br")||e.file.endsWith(".tbr"));this.brotli=!(e.gzip||e.zstd)&&e.brotli!==void 0?e.brotli:t?void 0:!1;let i=e.file&&(e.file.endsWith(".tar.zst")||e.file.endsWith(".tzst"));this.zstd=!(e.gzip||e.brotli)&&e.zstd!==void 0?e.zstd:i?!0:void 0,this.on("end",()=>this[tn]()),typeof e.onwarn=="function"&&this.on("warn",e.onwarn),typeof e.onReadEntry=="function"&&this.on("entry",e.onReadEntry)}warn(e,t,i={}){(0,Ba.warnMethod)(this,e,t,i)}[en](e,t){this[xe]===void 0&&(this[xe]=!1);let i;try{i=new Vr.Header(e,t,this[re],this[gt])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[fi]?(this[di]=!0,this[H]==="begin"&&(this[H]="header"),this[ke]("eof")):(this[fi]=!0,this[ke]("nullBlock"));else if(this[fi]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[ze]=new Ca.ReadEntry(i,this[re],this[gt]);if(!this[xe])if(n.remain){let o=()=>{n.invalid||(this[xe]=!0)};n.on("end",o)}else this[xe]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[ke]("ignoredEntry",n),this[H]="ignore",n.resume()):n.size>0&&(this[ge]="",n.on("data",o=>this[ge]+=o),this[H]="meta"):(this[re]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[ke]("ignoredEntry",n),this[H]=n.remain?"ignore":"header",n.resume()):(n.remain?this[H]="body":(this[H]="header",n.end()),this[de]?this[me].push(n):(this[me].push(n),this[Bs]())))}}}[tn](){queueMicrotask(()=>this.emit("close"))}[Xr](e){let t=!0;if(!e)this[de]=void 0,t=!1;else if(Array.isArray(e)){let[i,...r]=e;this.emit(i,...r)}else this[de]=e,this.emit("entry",e),e.emittedEnd||(e.on("end",()=>this[Bs]()),t=!1);return t}[Bs](){do;while(this[Xr](this[me].shift()));if(this[me].length===0){let e=this[de];!e||e.flowing||e.size===e.remain?this[it]||this.emit("drain"):e.once("drain",()=>this.emit("drain"))}}[ks](e,t){let i=this[ze];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=e.length&&t===0?e:e.subarray(t,t+r);return i.write(n),i.blockRemain||(this[H]="header",this[ze]=void 0,i.end()),n.length}[Jr](e,t){let i=this[ze],r=this[ks](e,t);return!this[ze]&&i&&this[Qr](i),r}[ke](e,t,i){this[me].length===0&&!this[de]?this.emit(e,t,i):this[me].push([e,t,i])}[Qr](e){switch(this[ke]("meta",this[ge]),e.type){case"ExtendedHeader":case"OldExtendedHeader":this[re]=$r.Pax.parse(this[ge],this[re],!1);break;case"GlobalExtendedHeader":this[gt]=$r.Pax.parse(this[ge],this[gt],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let t=this[re]??Object.create(null);this[re]=t,t.path=this[ge].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let t=this[re]||Object.create(null);this[re]=t,t.linkpath=this[ge].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+e.type)}}abort(e){this[Re]=!0,this.emit("abort",e),this.warn("TAR_ABORT",e,{recoverable:!1})}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this[Re])return i?.(),!1;if((this[S]===void 0||this.brotli===void 0&&this[S]===!1)&&e){if(this[_]&&(e=Buffer.concat([this[_],e]),this[_]=void 0),e.lengththis[hi](u)),this[S].on("error",u=>this.abort(u)),this[S].on("end",()=>{this[Oe]=!0,this[hi]()}),this[it]=!0;let l=!!this[S][a?"end":"write"](e);return this[it]=!1,i?.(),l}}this[it]=!0,this[S]?this[S].write(e):this[hi](e),this[it]=!1;let n=this[me].length>0?!1:this[de]?this[de].flowing:!0;return!n&&this[me].length===0&&this[de]?.once("drain",()=>this.emit("drain")),i?.(),n}[xs](e){e&&!this[Re]&&(this[_]=this[_]?Buffer.concat([this[_],e]):e)}[ui](){if(this[Oe]&&!this[zs]&&!this[Re]&&!this[Ot]){this[zs]=!0;let e=this[ze];if(e&&e.blockRemain){let t=this[_]?this[_].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${e.blockRemain} more bytes, only ${t} available)`,{entry:e}),this[_]&&e.write(this[_]),e.end()}this[ke](ci)}}[hi](e){if(this[Ot]&&e)this[xs](e);else if(!e&&!this[_])this[ui]();else if(e){if(this[Ot]=!0,this[_]){this[xs](e);let t=this[_];this[_]=void 0,this[li](t)}else this[li](e);for(;this[_]&&this[_]?.length>=512&&!this[Re]&&!this[di];){let t=this[_];this[_]=void 0,this[li](t)}this[Ot]=!1}(!this[_]||this[Oe])&&this[ui]()}[li](e){let t=0,i=e.length;for(;t+512<=i&&!this[Re]&&!this[di];)switch(this[H]){case"begin":case"header":this[en](e,t),t+=512;break;case"ignore":case"body":t+=this[ks](e,t);break;case"meta":t+=this[Jr](e,t);break;default:throw new Error("invalid state: "+this[H])}t{"use strict";Object.defineProperty(_i,"__esModule",{value:!0});_i.stripTrailingSlashes=void 0;var ja=s=>{let e=s.length-1,t=-1;for(;e>-1&&s.charAt(e)==="/";)t=e,e--;return t===-1?s:s.slice(0,t)};_i.stripTrailingSlashes=ja});var rt=d(B=>{"use strict";var Ua=B&&B.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),qa=B&&B.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Wa=B&&B.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=s.onReadEntry;s.onReadEntry=e?t=>{e(t),t.resume()}:t=>t.resume()},Ka=(s,e)=>{let t=new Map(e.map(n=>[(0,Ws.stripTrailingSlashes)(n),!0])),i=s.filter,r=(n,o="")=>{let h=o||(0,sn.parse)(n).root||".",a;if(n===h)a=!1;else{let l=t.get(n);a=l!==void 0?l:r((0,sn.dirname)(n),h)}return t.set(n,a),a};s.filter=i?(n,o)=>i(n,o)&&r((0,Ws.stripTrailingSlashes)(n)):n=>r((0,Ws.stripTrailingSlashes)(n))};B.filesFilter=Ka;var Va=s=>{let e=new yi.Parser(s),t=s.file,i;try{i=st.default.openSync(t,"r");let r=st.default.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let t=new yi.Parser(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{t.on("error",h),t.on("end",o),st.default.stat(r,(a,l)=>{if(a)h(a);else{let u=new Za.ReadStream(r,{readSize:i,size:l.size});u.on("error",h),u.pipe(t)}})})};B.list=(0,Ga.makeCommand)(Va,$a,s=>new yi.Parser(s),s=>new yi.Parser(s),(s,e)=>{e?.length&&(0,B.filesFilter)(s,e),s.noResume||Ya(s)})});var rn=d(Ei=>{"use strict";Object.defineProperty(Ei,"__esModule",{value:!0});Ei.modeFix=void 0;var Xa=(s,e,t)=>(s&=4095,t&&(s=(s|384)&-19),e&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);Ei.modeFix=Xa});var Hs=d(bi=>{"use strict";Object.defineProperty(bi,"__esModule",{value:!0});bi.stripAbsolutePath=void 0;var Qa=require("node:path"),{isAbsolute:Ja,parse:nn}=Qa.win32,eh=s=>{let e="",t=nn(s);for(;Ja(s)||t.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":t.root;s=s.slice(i.length),e+=i,t=nn(s)}return[e,s]};bi.stripAbsolutePath=eh});var Gs=d(nt=>{"use strict";Object.defineProperty(nt,"__esModule",{value:!0});nt.decode=nt.encode=void 0;var Si=["|","<",">","?",":"],Zs=Si.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),th=new Map(Si.map((s,e)=>[s,Zs[e]])),ih=new Map(Zs.map((s,e)=>[s,Si[e]])),sh=s=>Si.reduce((e,t)=>e.split(t).join(th.get(t)),s);nt.encode=sh;var rh=s=>Zs.reduce((e,t)=>e.split(t).join(ih.get(t)),s);nt.decode=rh});var sr=d(M=>{"use strict";var nh=M&&M.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),oh=M&&M.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ah=M&&M.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;re?(s=(0,ne.normalizeWindowsPath)(s).replace(/^\.(\/|$)/,""),(0,hh.stripTrailingSlashes)(e)+"/"+s):(0,ne.normalizeWindowsPath)(s),uh=16*1024*1024,an=Symbol("process"),hn=Symbol("file"),ln=Symbol("directory"),Ks=Symbol("symlink"),un=Symbol("hardlink"),Rt=Symbol("header"),gi=Symbol("read"),Vs=Symbol("lstat"),Oi=Symbol("onlstat"),$s=Symbol("onread"),Xs=Symbol("onreadlink"),Qs=Symbol("openfile"),Js=Symbol("onopenfile"),ve=Symbol("close"),Ri=Symbol("mode"),er=Symbol("awaitDrain"),Ys=Symbol("ondrain"),ae=Symbol("prefix"),vi=class extends fn.Minipass{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#e=!1;constructor(e,t={}){let i=(0,pn.dealias)(t);super(),this.path=(0,ne.normalizeWindowsPath)(e),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||uh,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=(0,ne.normalizeWindowsPath)(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?(0,ne.normalizeWindowsPath)(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,h]=(0,wn.stripAbsolutePath)(this.path);o&&typeof h=="string"&&(this.path=h,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=lh.decode(this.path.replaceAll(/\\/g,"/")),e=e.replaceAll(/\\/g,"/")),this.absolute=(0,ne.normalizeWindowsPath)(i.absolute||on.default.resolve(this.cwd,e)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[Oi](n):this[Vs]()}warn(e,t,i={}){return(0,yn.warnMethod)(this,e,t,i)}emit(e,...t){return e==="error"&&(this.#e=!0),super.emit(e,...t)}[Vs](){oe.default.lstat(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Oi](t)})}[Oi](e){this.statCache.set(this.absolute,e),this.stat=e,e.isFile()||(e.size=0),this.type=ch(e),this.emit("stat",e),this[an]()}[an](){switch(this.type){case"File":return this[hn]();case"Directory":return this[ln]();case"SymbolicLink":return this[Ks]();default:return this.end()}}[Ri](e){return(0,mn.modeFix)(e,this.type==="Directory",this.portable)}[ae](e){return En(e,this.prefix)}[Rt](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new dn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this[Ri](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new _n.Pax({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let e=this.header?.block;if(!e)throw new Error("failed to encode header");super.write(e)}[ln](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[Rt](),this.end()}[Ks](){oe.default.readlink(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Xs](t)})}[Xs](e){this.linkpath=(0,ne.normalizeWindowsPath)(e),this[Rt](),this.end()}[un](e){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=(0,ne.normalizeWindowsPath)(on.default.relative(this.cwd,e)),this.stat.size=0,this[Rt](),this.end()}[hn](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let e=`${this.stat.dev}:${this.stat.ino}`,t=this.linkCache.get(e);if(t?.indexOf(this.cwd)===0)return this[un](t);this.linkCache.set(e,this.absolute)}if(this[Rt](),this.stat.size===0)return this.end();this[Qs]()}[Qs](){oe.default.open(this.absolute,"r",(e,t)=>{if(e)return this.emit("error",e);this[Js](t)})}[Js](e){if(this.fd=e,this.#e)return this[ve]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let t=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(t),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[gi]()}[gi](){let{fd:e,buf:t,offset:i,length:r,pos:n}=this;if(e===void 0||t===void 0)throw new Error("cannot read file without first opening");oe.default.read(e,t,i,r,n,(o,h)=>{if(o)return this[ve](()=>this.emit("error",o));this[$s](h)})}[ve](e=()=>{}){this.fd!==void 0&&oe.default.close(this.fd,e)}[$s](e){if(e<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(e>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(e===this.remain)for(let r=e;rthis[Ys]())}[er](e){this.once("drain",e)}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this.blockRemaine?this.emit("error",e):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[gi]()}};M.WriteEntry=vi;var tr=class extends vi{sync=!0;[Vs](){this[Oi](oe.default.lstatSync(this.absolute))}[Ks](){this[Xs](oe.default.readlinkSync(this.absolute))}[Qs](){this[Js](oe.default.openSync(this.absolute,"r"))}[gi](){let e=!0;try{let{fd:t,buf:i,offset:r,length:n,pos:o}=this;if(t===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let h=oe.default.readSync(t,i,r,n,o);this[$s](h),e=!1}finally{if(e)try{this[ve](()=>{})}catch{}}}[er](e){e()}[ve](e=()=>{}){this.fd!==void 0&&oe.default.closeSync(this.fd),e()}};M.WriteEntrySync=tr;var ir=class extends fn.Minipass{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(e,t,i={}){return(0,yn.warnMethod)(this,e,t,i)}constructor(e,t={}){let i=(0,pn.dealias)(t);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=e;let{type:r}=e;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=(0,ne.normalizeWindowsPath)(e.path),this.mode=e.mode!==void 0?this[Ri](e.mode):void 0,this.uid=this.portable?void 0:e.uid,this.gid=this.portable?void 0:e.gid,this.uname=this.portable?void 0:e.uname,this.gname=this.portable?void 0:e.gname,this.size=e.size,this.mtime=this.noMtime?void 0:i.mtime||e.mtime,this.atime=this.portable?void 0:e.atime,this.ctime=this.portable?void 0:e.ctime,this.linkpath=e.linkpath!==void 0?(0,ne.normalizeWindowsPath)(e.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[h,a]=(0,wn.stripAbsolutePath)(this.path);h&&typeof a=="string"&&(this.path=a,n=h)}this.remain=e.size,this.blockRemain=e.startBlockSize,this.onWriteEntry?.(this),this.header=new dn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new _n.Pax({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),e.pipe(this)}[ae](e){return En(e,this.prefix)}[Ri](e){return(0,mn.modeFix)(e,this.type==="Directory",this.portable)}write(e,t,i){typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8"));let r=e.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(e,i)}end(e,t,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,t??"utf8")),i&&this.once("finish",i),e?super.end(e,i):super.end(i),this}};M.WriteEntryTar=ir;var ch=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported"});var bn=d(at=>{"use strict";Object.defineProperty(at,"__esModule",{value:!0});at.Node=at.Yallist=void 0;var rr=class s{tail;head;length=0;static create(e=[]){return new s(e)}constructor(e=[]){for(let t of e)this.push(t)}*[Symbol.iterator](){for(let e=this.head;e;e=e.next)yield e.value}removeNode(e){if(e.list!==this)throw new Error("removing node which does not belong to this list");let t=e.next,i=e.prev;return t&&(t.prev=i),i&&(i.next=t),e===this.head&&(this.head=t),e===this.tail&&(this.tail=i),this.length--,e.next=void 0,e.prev=void 0,e.list=void 0,t}unshiftNode(e){if(e===this.head)return;e.list&&e.list.removeNode(e);let t=this.head;e.list=this,e.next=t,t&&(t.prev=e),this.head=e,this.tail||(this.tail=e),this.length++}pushNode(e){if(e===this.tail)return;e.list&&e.list.removeNode(e);let t=this.tail;e.list=this,e.prev=t,t&&(t.next=e),this.tail=e,this.head||(this.head=e),this.length++}push(...e){for(let t=0,i=e.length;t1)i=t;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=e(i,r.value,n),r=r.next;return i}reduceReverse(e,t){let i,r=this.tail;if(arguments.length>1)i=t;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=e(i,r.value,n),r=r.prev;return i}toArray(){let e=new Array(this.length);for(let t=0,i=this.head;i;t++)e[t]=i.value,i=i.next;return e}toArrayReverse(){let e=new Array(this.length);for(let t=0,i=this.tail;i;t++)e[t]=i.value,i=i.prev;return e}slice(e=0,t=this.length){t<0&&(t+=this.length),e<0&&(e+=this.length);let i=new s;if(tthis.length&&(t=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(t=this.length);let r=this.length,n=this.tail;for(;n&&r>t;r--)n=n.prev;for(;n&&r>e;r--,n=n.prev)i.push(n.value);return i}splice(e,t=0,...i){e>this.length&&(e=this.length-1),e<0&&(e=this.length+e);let r=this.head;for(let o=0;r&&o{"use strict";var ph=L&&L.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),_h=L&&L.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),wh=L&&L.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(e.gzip&&(typeof e.gzip!="object"&&(e.gzip={}),this.portable&&(e.gzip.portable=!0),this.zip=new nr.Gzip(e.gzip)),e.brotli&&(typeof e.brotli!="object"&&(e.brotli={}),this.zip=new nr.BrotliCompress(e.brotli)),e.zstd&&(typeof e.zstd!="object"&&(e.zstd={}),this.zip=new nr.ZstdCompress(e.zstd)),!this.zip)throw new Error("impossible");let t=this.zip;t.on("data",i=>super.write(i)),t.on("end",()=>super.end()),t.on("drain",()=>this[hr]()),this.on("resume",()=>t.resume())}else this.on("drain",this[hr]);this.noDirRecurse=!!e.noDirRecurse,this.follow=!!e.follow,this.noMtime=!!e.noMtime,e.mtime&&(this.mtime=e.mtime),this.filter=typeof e.filter=="function"?e.filter:()=>!0,this[X]=new Eh.Yallist,this[Q]=0,this.jobs=Number(e.jobs)||4,this[Dt]=!1,this[vt]=!1}[Tn](e){return super.write(e)}add(e){return this.write(e),this}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&this.add(e),this[vt]=!0,this[je](),i&&i(),this}write(e){if(this[vt])throw new Error("write after end");return typeof e=="string"?this[Pi](e):this[gn](e),this.flowing}[gn](e){let t=(0,lr.normalizeWindowsPath)(Rn.default.resolve(this.cwd,e.path));if(!this.filter(e.path,e))e.resume();else{let i=new Pt(e.path,t);i.entry=new ur.WriteEntryTar(e,this[ar](i)),i.entry.on("end",()=>this[or](i)),this[Q]+=1,this[X].push(i)}this[je]()}[Pi](e){let t=(0,lr.normalizeWindowsPath)(Rn.default.resolve(this.cwd,e));this[X].push(new Pt(e,t)),this[je]()}[cr](e){e.pending=!0,this[Q]+=1;let t=this.follow?"stat":"lstat";Ai.default[t](e.absolute,(i,r)=>{e.pending=!1,this[Q]-=1,i?this.emit("error",i):this[Di](e,r)})}[Di](e,t){if(this.statCache.set(e.absolute,t),e.stat=t,!this.filter(e.path,t))e.ignore=!0;else if(t.isFile()&&t.nlink>1&&!this.linkCache.get(`${t.dev}:${t.ino}`)&&!this.sync)if(e===this[Te])this[Ti](e);else{let i=`${t.dev}:${t.ino}`,r=this[Tt].get(i);r?r.push(e):this[Tt].set(i,[e]),e.pendingLink=!0,e.pending=!0}this[je]()}[fr](e){e.pending=!0,this[Q]+=1,Ai.default.readdir(e.absolute,(t,i)=>{if(e.pending=!1,this[Q]-=1,t)return this.emit("error",t);this[Ni](e,i)})}[Ni](e,t){this.readdirCache.set(e.absolute,t),e.readdir=t,this[je]()}[je](){if(!this[Dt]){this[Dt]=!0;for(let e=this[X].head;e&&this[Q]1){let i=`${t.dev}:${t.ino}`,r=this[Tt].get(i);if(r){this[Tt].delete(i);for(let n of r)n.pending=!1,this[Ti](n)}}this[je]()}[Ti](e){if(e.pending&&e.pendingLink&&e===this[Te]&&(e.pending=!1,e.pendingLink=!1),!e.pending){if(e.entry){e===this[Te]&&!e.piped&&this[Mi](e);return}if(!e.stat){let t=this.statCache.get(e.absolute);t?this[Di](e,t):this[cr](e)}if(e.stat&&!e.ignore){if(!this.noDirRecurse&&e.stat.isDirectory()&&!e.readdir){let t=this.readdirCache.get(e.absolute);if(t?this[Ni](e,t):this[fr](e),!e.readdir)return}if(e.entry=this[On](e),!e.entry){e.ignore=!0;return}e===this[Te]&&!e.piped&&this[Mi](e)}}}[ar](e){return{onwarn:(t,i,r)=>this.warn(t,i,r),noPax:this.noPax,cwd:this.cwd,absolute:e.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[On](e){this[Q]+=1;try{return new this[Li](e.path,this[ar](e)).on("end",()=>this[or](e)).on("error",i=>this.emit("error",i))}catch(t){this.emit("error",t)}}[hr](){this[Te]&&this[Te].entry&&this[Te].entry.resume()}[Mi](e){e.piped=!0,e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Pi](o+r)});let t=e.entry,i=this.zip;if(!t)throw new Error("cannot pipe without source");i?t.on("data",r=>{i.write(r)||t.pause()}):t.on("data",r=>{super.write(r)||t.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(e,t,i={}){(0,bh.warnMethod)(this,e,t,i)}};L.Pack=Ii;var dr=class extends Ii{sync=!0;constructor(e){super(e),this[Li]=ur.WriteEntrySync}pause(){}resume(){}[cr](e){let t=this.follow?"statSync":"lstatSync";this[Di](e,Ai.default[t](e.absolute))}[fr](e){this[Ni](e,Ai.default.readdirSync(e.absolute))}[Mi](e){let t=e.entry,i=this.zip;if(e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Pi](o+r)}),!t)throw new Error("Cannot pipe without source");i?t.on("data",r=>{i.write(r)}):t.on("data",r=>{super[Tn](r)})}};L.PackSync=dr});var mr=d(ht=>{"use strict";var Sh=ht&&ht.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ht,"__esModule",{value:!0});ht.create=void 0;var Dn=Ke(),Pn=Sh(require("node:path")),Nn=rt(),gh=Ve(),Ci=Fi(),Oh=(s,e)=>{let t=new Ci.PackSync(s),i=new Dn.WriteStreamSync(s.file,{mode:s.mode||438});t.pipe(i),Mn(t,e)},Rh=(s,e)=>{let t=new Ci.Pack(s),i=new Dn.WriteStream(s.file,{mode:s.mode||438});t.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),t.on("error",o)});return Ln(t,e).catch(n=>t.emit("error",n)),r},Mn=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,Nn.list)({file:Pn.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},Ln=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,Nn.list)({file:Pn.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(t);s.end()},vh=(s,e)=>{let t=new Ci.PackSync(s);return Mn(t,e),t},Th=(s,e)=>{let t=new Ci.Pack(s);return Ln(t,e).catch(i=>t.emit("error",i)),t};ht.create=(0,gh.makeCommand)(Oh,Rh,vh,Th,(s,e)=>{if(!e?.length)throw new TypeError("no paths specified to add to archive")})});var jn=d(lt=>{"use strict";var Dh=lt&<.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(lt,"__esModule",{value:!0});lt.getWriteFlag=void 0;var Fn=Dh(require("fs")),Ph=process.env.__FAKE_PLATFORM__||process.platform,Cn=Ph==="win32",{O_CREAT:Bn,O_NOFOLLOW:An,O_TRUNC:zn,O_WRONLY:kn}=Fn.default.constants,xn=Number(process.env.__FAKE_FS_O_FILENAME__)||Fn.default.constants.UV_FS_O_FILEMAP||0,Nh=Cn&&!!xn,Mh=512*1024,Lh=xn|zn|Bn|kn,In=!Cn&&typeof An=="number"?An|zn|Bn|kn:null;lt.getWriteFlag=In!==null?()=>In:Nh?s=>s"w"});var qn=d(he=>{"use strict";var Un=he&&he.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(he,"__esModule",{value:!0});he.chownrSync=he.chownr=void 0;var zi=Un(require("node:fs")),Nt=Un(require("node:path")),pr=(s,e,t)=>{try{return zi.default.lchownSync(s,e,t)}catch(i){if(i?.code!=="ENOENT")throw i}},Bi=(s,e,t,i)=>{zi.default.lchown(s,e,t,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},Ah=(s,e,t,i,r)=>{if(e.isDirectory())(0,he.chownr)(Nt.default.resolve(s,e.name),t,i,n=>{if(n)return r(n);let o=Nt.default.resolve(s,e.name);Bi(o,t,i,r)});else{let n=Nt.default.resolve(s,e.name);Bi(n,t,i,r)}},Ih=(s,e,t,i)=>{zi.default.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return Bi(s,e,t,i);let o=n.length,h=null,a=l=>{if(!h){if(l)return i(h=l);if(--o===0)return Bi(s,e,t,i)}};for(let l of n)Ah(s,l,e,t,a)})};he.chownr=Ih;var Fh=(s,e,t,i)=>{e.isDirectory()&&(0,he.chownrSync)(Nt.default.resolve(s,e.name),t,i),pr(Nt.default.resolve(s,e.name),t,i)},Ch=(s,e,t)=>{let i;try{i=zi.default.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return pr(s,e,t);throw n}for(let r of i)Fh(s,r,e,t);return pr(s,e,t)};he.chownrSync=Ch});var Wn=d(ki=>{"use strict";Object.defineProperty(ki,"__esModule",{value:!0});ki.CwdError=void 0;var _r=class extends Error{path;code;syscall="chdir";constructor(e,t){super(`${t}: Cannot cd into '${e}'`),this.path=e,this.code=t}get name(){return"CwdError"}};ki.CwdError=_r});var yr=d(xi=>{"use strict";Object.defineProperty(xi,"__esModule",{value:!0});xi.SymlinkError=void 0;var wr=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(e,t){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=e,this.path=t}get name(){return"SymlinkError"}};xi.SymlinkError=wr});var Kn=d(De=>{"use strict";var br=De&&De.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(De,"__esModule",{value:!0});De.mkdirSync=De.mkdir=void 0;var Hn=qn(),j=br(require("node:fs")),Bh=br(require("node:fs/promises")),ji=br(require("node:path")),Zn=Wn(),pe=tt(),Gn=yr(),zh=(s,e)=>{j.default.stat(s,(t,i)=>{(t||!i.isDirectory())&&(t=new Zn.CwdError(s,t?.code||"ENOTDIR")),e(t)})},kh=(s,e,t)=>{s=(0,pe.normalizeWindowsPath)(s);let i=e.umask??18,r=e.mode|448,n=(r&i)!==0,o=e.uid,h=e.gid,a=typeof o=="number"&&typeof h=="number"&&(o!==e.processUid||h!==e.processGid),l=e.preserve,u=e.unlink,c=(0,pe.normalizeWindowsPath)(e.cwd),E=(w,P)=>{w?t(w):P&&a?(0,Hn.chownr)(P,o,h,kt=>E(kt)):n?j.default.chmod(s,r,t):t()};if(s===c)return zh(s,E);if(l)return Bh.default.mkdir(s,{mode:r,recursive:!0}).then(w=>E(null,w??void 0),E);let A=(0,pe.normalizeWindowsPath)(ji.default.relative(c,s)).split("/");Er(c,A,r,u,c,void 0,E)};De.mkdir=kh;var Er=(s,e,t,i,r,n,o)=>{if(e.length===0)return o(null,n);let h=e.shift(),a=(0,pe.normalizeWindowsPath)(ji.default.resolve(s+"/"+h));j.default.mkdir(a,t,Yn(a,e,t,i,r,n,o))},Yn=(s,e,t,i,r,n,o)=>h=>{h?j.default.lstat(s,(a,l)=>{if(a)a.path=a.path&&(0,pe.normalizeWindowsPath)(a.path),o(a);else if(l.isDirectory())Er(s,e,t,i,r,n,o);else if(i)j.default.unlink(s,u=>{if(u)return o(u);j.default.mkdir(s,t,Yn(s,e,t,i,r,n,o))});else{if(l.isSymbolicLink())return o(new Gn.SymlinkError(s,s+"/"+e.join("/")));o(h)}}):(n=n||s,Er(s,e,t,i,r,n,o))},xh=s=>{let e=!1,t;try{e=j.default.statSync(s).isDirectory()}catch(i){t=i?.code}finally{if(!e)throw new Zn.CwdError(s,t??"ENOTDIR")}},jh=(s,e)=>{s=(0,pe.normalizeWindowsPath)(s);let t=e.umask??18,i=e.mode|448,r=(i&t)!==0,n=e.uid,o=e.gid,h=typeof n=="number"&&typeof o=="number"&&(n!==e.processUid||o!==e.processGid),a=e.preserve,l=e.unlink,u=(0,pe.normalizeWindowsPath)(e.cwd),c=w=>{w&&h&&(0,Hn.chownrSync)(w,n,o),r&&j.default.chmodSync(s,i)};if(s===u)return xh(u),c();if(a)return c(j.default.mkdirSync(s,{mode:i,recursive:!0})??void 0);let D=(0,pe.normalizeWindowsPath)(ji.default.relative(u,s)).split("/"),A;for(let w=D.shift(),P=u;w&&(P+="/"+w);w=D.shift()){P=(0,pe.normalizeWindowsPath)(ji.default.resolve(P));try{j.default.mkdirSync(P,i),A=A||P}catch{let kt=j.default.lstatSync(P);if(kt.isDirectory())continue;if(l){j.default.unlinkSync(P),j.default.mkdirSync(P,i),A=A||P;continue}else if(kt.isSymbolicLink())return new Gn.SymlinkError(P,P+"/"+D.join("/"))}}return c(A)};De.mkdirSync=jh});var $n=d(Ui=>{"use strict";Object.defineProperty(Ui,"__esModule",{value:!0});Ui.normalizeUnicode=void 0;var Sr=Object.create(null),Vn=1e4,ut=new Set,Uh=s=>{ut.has(s)?ut.delete(s):Sr[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),ut.add(s);let e=Sr[s],t=ut.size-Vn;if(t>Vn/10){for(let i of ut)if(ut.delete(i),delete Sr[i],--t<=0)break}return e};Ui.normalizeUnicode=Uh});var Qn=d(qi=>{"use strict";Object.defineProperty(qi,"__esModule",{value:!0});qi.PathReservations=void 0;var Xn=require("node:path"),qh=$n(),Wh=wi(),Hh=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Zh=Hh==="win32",Gh=s=>s.split("/").slice(0,-1).reduce((t,i)=>{let r=t.at(-1);return r!==void 0&&(i=(0,Xn.join)(r,i)),t.push(i||"/"),t},[]),gr=class{#e=new Map;#i=new Map;#s=new Set;reserve(e,t){e=Zh?["win32 parallelization disabled"]:e.map(r=>(0,Wh.stripTrailingSlashes)((0,Xn.join)((0,qh.normalizeUnicode)(r))));let i=new Set(e.map(r=>Gh(r)).reduce((r,n)=>r.concat(n)));this.#i.set(t,{dirs:i,paths:e});for(let r of e){let n=this.#e.get(r);n?n.push(t):this.#e.set(r,[t])}for(let r of i){let n=this.#e.get(r);if(!n)this.#e.set(r,[new Set([t])]);else{let o=n.at(-1);o instanceof Set?o.add(t):n.push(new Set([t]))}}return this.#r(t)}#n(e){let t=this.#i.get(e);if(!t)throw new Error("function does not have any path reservations");return{paths:t.paths.map(i=>this.#e.get(i)),dirs:[...t.dirs].map(i=>this.#e.get(i))}}check(e){let{paths:t,dirs:i}=this.#n(e);return t.every(r=>r&&r[0]===e)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(e))}#r(e){return this.#s.has(e)||!this.check(e)?!1:(this.#s.add(e),e(()=>this.#t(e)),!0)}#t(e){if(!this.#s.has(e))return!1;let t=this.#i.get(e);if(!t)throw new Error("invalid reservation");let{paths:i,dirs:r}=t,n=new Set;for(let o of i){let h=this.#e.get(o);if(!h||h?.[0]!==e)continue;let a=h[1];if(!a){this.#e.delete(o);continue}if(h.shift(),typeof a=="function")n.add(a);else for(let l of a)n.add(l)}for(let o of r){let h=this.#e.get(o),a=h?.[0];if(!(!h||!(a instanceof Set)))if(a.size===1&&h.length===1){this.#e.delete(o);continue}else if(a.size===1){h.shift();let l=h[0];typeof l=="function"&&n.add(l)}else a.delete(e)}return this.#s.delete(e),n.forEach(o=>this.#r(o)),!0}};qi.PathReservations=gr});var Jn=d(Wi=>{"use strict";Object.defineProperty(Wi,"__esModule",{value:!0});Wi.umask=void 0;var Yh=()=>process.umask();Wi.umask=Yh});var Ir=d(k=>{"use strict";var Kh=k&&k.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Vh=k&&k.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),lo=k&&k.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{if(!Bt)return m.default.unlink(s,e);let t=s+".DELETE."+(0,uo.randomBytes)(16).toString("hex");m.default.rename(s,t,i=>{if(i)return e(i);m.default.unlink(t,e)})},nl=s=>{if(!Bt)return m.default.unlinkSync(s);let e=s+".DELETE."+(0,uo.randomBytes)(16).toString("hex");m.default.renameSync(s,e),m.default.unlinkSync(e)},ho=(s,e,t)=>s!==void 0&&s===s>>>0?s:e!==void 0&&e===e>>>0?e:t,Gi=class extends Qh.Parser{[Rr]=!1;[Ct]=!1;[Hi]=0;reservations=new el.PathReservations;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(e={}){if(e.ondone=()=>{this[Rr]=!0,this[vr]()},super(e),this.transform=e.transform,this.chmod=!!e.chmod,typeof e.uid=="number"||typeof e.gid=="number"){if(typeof e.uid!="number"||typeof e.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(e.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=e.uid,this.gid=e.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=e.preserveOwner===void 0&&typeof e.uid!="number"?!!(process.getuid&&process.getuid()===0):!!e.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof e.maxDepth=="number"?e.maxDepth:sl,this.forceChown=e.forceChown===!0,this.win32=!!e.win32||Bt,this.newer=!!e.newer,this.keep=!!e.keep,this.noMtime=!!e.noMtime,this.preservePaths=!!e.preservePaths,this.unlink=!!e.unlink,this.cwd=(0,U.normalizeWindowsPath)(g.default.resolve(e.cwd||process.cwd())),this.strip=Number(e.strip)||0,this.processUmask=this.chmod?typeof e.processUmask=="number"?e.processUmask:(0,tl.umask)():0,this.umask=typeof e.umask=="number"?e.umask:this.processUmask,this.dmode=e.dmode||511&~this.umask,this.fmode=e.fmode||438&~this.umask,this.on("entry",t=>this[to](t))}warn(e,t,i={}){return(e==="TAR_BAD_ARCHIVE"||e==="TAR_ABORT")&&(i.recoverable=!1),super.warn(e,t,i)}[vr](){this[Rr]&&this[Hi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[Or](e,t){let i=e[t],{type:r}=e;if(!i||this.preservePaths)return!0;let[n,o]=(0,Jh.stripAbsolutePath)(i),h=o.replaceAll(/\\/g,"/").split("/");if(h.includes("..")||Bt&&/^[a-z]:\.\.$/i.test(h[0]??"")){if(t==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${t} contains '..'`,{entry:e,[t]:i}),!1;let a=g.default.posix.dirname(e.path),l=g.default.posix.normalize(g.default.posix.join(a,h.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${t} escapes extraction directory`,{entry:e,[t]:i}),!1}return n&&(e[t]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${t}`,{entry:e,[t]:i})),!0}[oo](e){let t=(0,U.normalizeWindowsPath)(e.path),i=t.split("/");if(this.strip){if(i.length=this.strip)e.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),e.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:e,path:t,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[Or](e,"path")||!this[Or](e,"linkpath"))return!1;if(e.absolute=g.default.isAbsolute(e.path)?(0,U.normalizeWindowsPath)(g.default.resolve(e.path)):(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,e.path)),!this.preservePaths&&typeof e.absolute=="string"&&e.absolute.indexOf(this.cwd+"/")!==0&&e.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:e,path:(0,U.normalizeWindowsPath)(e.path),resolvedPath:e.absolute,cwd:this.cwd}),!1;if(e.absolute===this.cwd&&e.type!=="Directory"&&e.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=g.default.win32.parse(String(e.absolute));e.absolute=r+eo.encode(String(e.absolute).slice(r.length));let{root:n}=g.default.win32.parse(e.path);e.path=n+eo.encode(e.path.slice(n.length))}return!0}[to](e){if(!this[oo](e))return e.resume();switch(Xh.default.equal(typeof e.absolute,"string"),e.type){case"Directory":case"GNUDumpDir":e.mode&&(e.mode=e.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[Tr](e);default:return this[no](e)}}[T](e,t){e.name==="CwdError"?this.emit("error",e):(this.warn("TAR_ENTRY_ERROR",e,{entry:t}),this[ct](),t.resume())}[Pe](e,t,i){(0,fo.mkdir)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t},i)}[At](e){return this.forceChown||this.preserveOwner&&(typeof e.uid=="number"&&e.uid!==this.processUid||typeof e.gid=="number"&&e.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[It](e){return ho(this.uid,e.uid,this.processUid)}[Ft](e){return ho(this.gid,e.gid,this.processGid)}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=new $h.WriteStream(String(e.absolute),{flags:(0,co.getWriteFlag)(e.size),mode:i,autoClose:!1});r.on("error",a=>{r.fd&&m.default.close(r.fd,()=>{}),r.write=()=>!0,this[T](a,e),t()});let n=1,o=a=>{if(a){r.fd&&m.default.close(r.fd,()=>{}),this[T](a,e),t();return}--n===0&&r.fd!==void 0&&m.default.close(r.fd,l=>{l?this[T](l,e):this[ct](),t()})};r.on("finish",()=>{let a=String(e.absolute),l=r.fd;if(typeof l=="number"&&e.mtime&&!this.noMtime){n++;let u=e.atime||new Date,c=e.mtime;m.default.futimes(l,u,c,E=>E?m.default.utimes(a,u,c,D=>o(D&&E)):o())}if(typeof l=="number"&&this[At](e)){n++;let u=this[It](e),c=this[Ft](e);typeof u=="number"&&typeof c=="number"&&m.default.fchown(l,u,c,E=>E?m.default.chown(a,u,c,D=>o(D&&E)):o())}o()});let h=this.transform&&this.transform(e)||e;h!==e&&(h.on("error",a=>{this[T](a,e),t()}),e.pipe(h)),h.pipe(r)}[Nr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode;this[Pe](String(e.absolute),i,r=>{if(r){this[T](r,e),t();return}let n=1,o=()=>{--n===0&&(t(),this[ct](),e.resume())};e.mtime&&!this.noMtime&&(n++,m.default.utimes(String(e.absolute),e.atime||new Date,e.mtime,o)),this[At](e)&&(n++,m.default.chown(String(e.absolute),Number(this[It](e)),Number(this[Ft](e)),o)),o()})}[no](e){e.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${e.type}`,{entry:e}),e.resume()}[so](e,t){let i=(0,U.normalizeWindowsPath)(g.default.relative(this.cwd,g.default.resolve(g.default.dirname(String(e.absolute)),String(e.linkpath)))).split("/");this[Lt](e,this.cwd,i,()=>this[Zi](e,String(e.linkpath),"symlink",t),r=>{this[T](r,e),t()})}[ro](e,t){let i=(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,String(e.linkpath))),r=(0,U.normalizeWindowsPath)(String(e.linkpath)).split("/");this[Lt](e,this.cwd,r,()=>this[Zi](e,i,"link",t),n=>{this[T](n,e),t()})}[Lt](e,t,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let h=g.default.resolve(t,o);m.default.lstat(h,(a,l)=>{if(a)return r();if(l?.isSymbolicLink())return n(new mo.SymlinkError(h,g.default.resolve(h,i.join("/"))));this[Lt](e,h,i,r,n)})}[ao](){this[Hi]++}[ct](){this[Hi]--,this[vr]()}[Mr](e){this[ct](),e.resume()}[Dr](e,t){return e.type==="File"&&!this.unlink&&t.isFile()&&t.nlink<=1&&!Bt}[Tr](e){this[ao]();let t=[e.path];e.linkpath&&t.push(e.linkpath),this.reservations.reserve(t,i=>this[io](e,i))}[io](e,t){let i=h=>{t(h)},r=()=>{this[Pe](this.cwd,this.dmode,h=>{if(h){this[T](h,e),i();return}this[Ct]=!0,n()})},n=()=>{if(e.absolute!==this.cwd){let h=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(h!==this.cwd)return this[Pe](h,this.dmode,a=>{if(a){this[T](a,e),i();return}o()})}o()},o=()=>{m.default.lstat(String(e.absolute),(h,a)=>{if(a&&(this.keep||this.newer&&a.mtime>(e.mtime??a.mtime))){this[Mr](e),i();return}if(h||this[Dr](e,a))return this[Z](null,e,i);if(a.isDirectory()){if(e.type==="Directory"){let l=this.chmod&&e.mode&&(a.mode&4095)!==e.mode,u=c=>this[Z](c??null,e,i);return l?m.default.chmod(String(e.absolute),Number(e.mode),u):u()}if(e.absolute!==this.cwd)return m.default.rmdir(String(e.absolute),l=>this[Z](l??null,e,i))}if(e.absolute===this.cwd)return this[Z](null,e,i);rl(String(e.absolute),l=>this[Z](l??null,e,i))})};this[Ct]?n():r()}[Z](e,t,i){if(e){this[T](e,t),i();return}switch(t.type){case"File":case"OldFile":case"ContiguousFile":return this[Pr](t,i);case"Link":return this[ro](t,i);case"SymbolicLink":return this[so](t,i);case"Directory":case"GNUDumpDir":return this[Nr](t,i)}}[Zi](e,t,i,r){m.default[i](t,String(e.absolute),n=>{n?this[T](n,e):(this[ct](),e.resume()),r()})}};k.Unpack=Gi;var Mt=s=>{try{return[null,s()]}catch(e){return[e,null]}},Lr=class extends Gi{sync=!0;[Z](e,t){return super[Z](e,t,()=>{})}[Tr](e){if(!this[Ct]){let n=this[Pe](this.cwd,this.dmode);if(n)return this[T](n,e);this[Ct]=!0}if(e.absolute!==this.cwd){let n=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(n!==this.cwd){let o=this[Pe](n,this.dmode);if(o)return this[T](o,e)}}let[t,i]=Mt(()=>m.default.lstatSync(String(e.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(e.mtime??i.mtime)))return this[Mr](e);if(t||this[Dr](e,i))return this[Z](null,e);if(i.isDirectory()){if(e.type==="Directory"){let o=this.chmod&&e.mode&&(i.mode&4095)!==e.mode,[h]=o?Mt(()=>{m.default.chmodSync(String(e.absolute),Number(e.mode))}):[];return this[Z](h,e)}let[n]=Mt(()=>m.default.rmdirSync(String(e.absolute)));this[Z](n,e)}let[r]=e.absolute===this.cwd?[]:Mt(()=>nl(String(e.absolute)));this[Z](r,e)}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=h=>{let a;try{m.default.closeSync(n)}catch(l){a=l}(h||a)&&this[T](h||a,e),t()},n;try{n=m.default.openSync(String(e.absolute),(0,co.getWriteFlag)(e.size),i)}catch(h){return r(h)}let o=this.transform&&this.transform(e)||e;o!==e&&(o.on("error",h=>this[T](h,e)),e.pipe(o)),o.on("data",h=>{try{m.default.writeSync(n,h,0,h.length)}catch(a){r(a)}}),o.on("end",()=>{let h=null;if(e.mtime&&!this.noMtime){let a=e.atime||new Date,l=e.mtime;try{m.default.futimesSync(n,a,l)}catch(u){try{m.default.utimesSync(String(e.absolute),a,l)}catch{h=u}}}if(this[At](e)){let a=this[It](e),l=this[Ft](e);try{m.default.fchownSync(n,Number(a),Number(l))}catch(u){try{m.default.chownSync(String(e.absolute),Number(a),Number(l))}catch{h=h||u}}}r(h)})}[Nr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode,r=this[Pe](String(e.absolute),i);if(r){this[T](r,e),t();return}if(e.mtime&&!this.noMtime)try{m.default.utimesSync(String(e.absolute),e.atime||new Date,e.mtime)}catch{}if(this[At](e))try{m.default.chownSync(String(e.absolute),Number(this[It](e)),Number(this[Ft](e)))}catch{}t(),e.resume()}[Pe](e,t){try{return(0,fo.mkdirSync)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t})}catch(i){return i}}[Lt](e,t,i,r,n){if(this.preservePaths||i.length===0)return r();let o=t;for(let h of i){o=g.default.resolve(o,h);let[a,l]=Mt(()=>m.default.lstatSync(o));if(a)return r();if(l.isSymbolicLink())return n(new mo.SymlinkError(o,g.default.resolve(t,i.join("/"))))}r()}[Zi](e,t,i,r){let n=`${i}Sync`;try{m.default[n](t,String(e.absolute)),r(),e.resume()}catch(o){return this[T](o,e)}}};k.UnpackSync=Lr});var Fr=d(G=>{"use strict";var ol=G&&G.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),al=G&&G.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),hl=G&&G.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=new Yi.UnpackSync(s),t=s.file,i=_o.default.statSync(t),r=s.maxReadSize||16*1024*1024;new po.ReadStreamSync(t,{readSize:r,size:i.size}).pipe(e)},dl=(s,e)=>{let t=new Yi.Unpack(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{t.on("error",h),t.on("close",o),_o.default.stat(r,(a,l)=>{if(a)h(a);else{let u=new po.ReadStream(r,{readSize:i,size:l.size});u.on("error",h),u.pipe(t)}})})};G.extract=(0,cl.makeCommand)(fl,dl,s=>new Yi.UnpackSync(s),s=>new Yi.Unpack(s),(s,e)=>{e?.length&&(0,ul.filesFilter)(s,e)})});var Ki=d(ft=>{"use strict";var wo=ft&&ft.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ft,"__esModule",{value:!0});ft.replace=void 0;var yo=Ke(),q=wo(require("node:fs")),Eo=wo(require("node:path")),bo=et(),So=rt(),ml=Ve(),pl=Xt(),go=Fi(),_l=(s,e)=>{let t=new go.PackSync(s),i=!0,r,n;try{try{r=q.default.openSync(s.file,"r+")}catch(a){if(a?.code==="ENOENT")r=q.default.openSync(s.file,"w+");else throw a}let o=q.default.fstatSync(r),h=Buffer.alloc(512);e:for(n=0;no.size)break;n+=l,s.mtimeCache&&a.mtime&&s.mtimeCache.set(String(a.path),a.mtime)}i=!1,wl(s,t,n,r,e)}finally{if(i)try{q.default.closeSync(r)}catch{}}},wl=(s,e,t,i,r)=>{let n=new yo.WriteStreamSync(s.file,{fd:i,start:t});e.pipe(n),El(e,r)},yl=(s,e)=>{e=Array.from(e);let t=new go.Pack(s),i=(n,o,h)=>{let a=(D,A)=>{D?q.default.close(n,w=>h(D)):h(null,A)},l=0;if(o===0)return a(null,0);let u=0,c=Buffer.alloc(512),E=(D,A)=>{if(D||A===void 0)return a(D);if(u+=A,u<512&&A)return q.default.read(n,c,u,c.length-u,l+u,E);if(l===0&&c[0]===31&&c[1]===139)return a(new Error("cannot append to compressed archives"));if(u<512)return a(null,l);let w=new bo.Header(c);if(!w.cksumValid)return a(null,l);let P=512*Math.ceil((w.size??0)/512);if(l+P+512>o||(l+=P+512,l>=o))return a(null,l);s.mtimeCache&&w.mtime&&s.mtimeCache.set(String(w.path),w.mtime),u=0,q.default.read(n,c,0,512,l,E)};q.default.read(n,c,0,512,l,E)};return new Promise((n,o)=>{t.on("error",o);let h="r+",a=(l,u)=>{if(l&&l.code==="ENOENT"&&h==="r+")return h="w+",q.default.open(s.file,h,a);if(l||!u)return o(l);q.default.fstat(u,(c,E)=>{if(c)return q.default.close(u,()=>o(c));i(u,E.size,(D,A)=>{if(D)return o(D);let w=new yo.WriteStream(s.file,{fd:u,start:A});t.pipe(w),w.on("error",o),w.on("close",n),bl(t,e)})})};q.default.open(s.file,h,a)})},El=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,So.list)({file:Eo.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},bl=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,So.list)({file:Eo.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t);s.end()};ft.replace=(0,ml.makeCommand)(_l,yl,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,e)=>{if(!(0,pl.isFile)(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!e?.length)throw new TypeError("no paths specified to add/replace")})});var Cr=d(Vi=>{"use strict";Object.defineProperty(Vi,"__esModule",{value:!0});Vi.update=void 0;var Sl=Ve(),zt=Ki();Vi.update=(0,Sl.makeCommand)(zt.replace.syncFile,zt.replace.asyncFile,zt.replace.syncNoFile,zt.replace.asyncNoFile,(s,e=[])=>{zt.replace.validate?.(s,e),gl(s)});var gl=s=>{let e=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=e?(t,i)=>e(t,i)&&!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0)):(t,i)=>!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0))}});var Oo=exports&&exports.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Ol=exports&&exports.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Y=exports&&exports.__exportStar||function(s,e){for(var t in s)t!=="default"&&!Object.prototype.hasOwnProperty.call(e,t)&&Oo(e,s,t)},Rl=exports&&exports.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r()=>(e||s((e={exports:{}}).exports,e),e.exports);var We=d(F=>{"use strict";var Do=F&&F.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(F,"__esModule",{value:!0});F.Minipass=F.isWritable=F.isReadable=F.isStream=void 0;var kr=typeof process=="object"&&process?process:{stdout:null,stderr:null},ss=require("node:events"),qr=Do(require("node:stream")),Po=require("node:string_decoder"),No=s=>!!s&&typeof s=="object"&&(s instanceof Zt||s instanceof qr.default||(0,F.isReadable)(s)||(0,F.isWritable)(s));F.isStream=No;var Mo=s=>!!s&&typeof s=="object"&&s instanceof ss.EventEmitter&&typeof s.pipe=="function"&&s.pipe!==qr.default.Writable.prototype.pipe;F.isReadable=Mo;var Lo=s=>!!s&&typeof s=="object"&&s instanceof ss.EventEmitter&&typeof s.write=="function"&&typeof s.end=="function";F.isWritable=Lo;var ce=Symbol("EOF"),ue=Symbol("maybeEmitEnd"),we=Symbol("emittedEnd"),jt=Symbol("emittingEnd"),dt=Symbol("emittedError"),Ut=Symbol("closed"),xr=Symbol("read"),qt=Symbol("flush"),jr=Symbol("flushChunk"),K=Symbol("encoding"),Ue=Symbol("decoder"),R=Symbol("flowing"),mt=Symbol("paused"),qe=Symbol("resume"),O=Symbol("buffer"),I=Symbol("pipes"),v=Symbol("bufferLength"),Xi=Symbol("bufferPush"),Wt=Symbol("bufferShift"),N=Symbol("objectMode"),y=Symbol("destroyed"),Qi=Symbol("error"),Ji=Symbol("emitData"),Ur=Symbol("emitEnd"),es=Symbol("emitEnd2"),J=Symbol("async"),ts=Symbol("abort"),Ht=Symbol("aborted"),pt=Symbol("signal"),Ne=Symbol("dataListeners"),x=Symbol("discarded"),_t=s=>Promise.resolve().then(s),Ao=s=>s(),Io=s=>s==="end"||s==="finish"||s==="prefinish",Fo=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Co=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Gt=class{src;dest;opts;ondrain;constructor(e,t,i){this.src=e,this.dest=t,this.opts=i,this.ondrain=()=>e[qe](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(e){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},is=class extends Gt{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(e,t,i){super(e,t,i),this.proxyErrors=r=>this.dest.emit("error",r),e.on("error",this.proxyErrors)}},Bo=s=>!!s.objectMode,zo=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",Zt=class extends ss.EventEmitter{[R]=!1;[mt]=!1;[I]=[];[O]=[];[N];[K];[J];[Ue];[ce]=!1;[we]=!1;[jt]=!1;[Ut]=!1;[dt]=null;[v]=0;[y]=!1;[pt];[Ht]=!1;[Ne]=0;[x]=!1;writable=!0;readable=!0;constructor(...e){let t=e[0]||{};if(super(),t.objectMode&&typeof t.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Bo(t)?(this[N]=!0,this[K]=null):zo(t)?(this[K]=t.encoding,this[N]=!1):(this[N]=!1,this[K]=null),this[J]=!!t.async,this[Ue]=this[K]?new Po.StringDecoder(this[K]):null,t&&t.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[O]}),t&&t.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[I]});let{signal:i}=t;i&&(this[pt]=i,i.aborted?this[ts]():i.addEventListener("abort",()=>this[ts]()))}get bufferLength(){return this[v]}get encoding(){return this[K]}set encoding(e){throw new Error("Encoding must be set at instantiation time")}setEncoding(e){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[N]}set objectMode(e){throw new Error("objectMode must be set at instantiation time")}get async(){return this[J]}set async(e){this[J]=this[J]||!!e}[ts](){this[Ht]=!0,this.emit("abort",this[pt]?.reason),this.destroy(this[pt]?.reason)}get aborted(){return this[Ht]}set aborted(e){}write(e,t,i){if(this[Ht])return!1;if(this[ce])throw new Error("write after end");if(this[y])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof t=="function"&&(i=t,t="utf8"),t||(t="utf8");let r=this[J]?_t:Ao;if(!this[N]&&!Buffer.isBuffer(e)){if(Co(e))e=Buffer.from(e.buffer,e.byteOffset,e.byteLength);else if(Fo(e))e=Buffer.from(e);else if(typeof e!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[N]?(this[R]&&this[v]!==0&&this[qt](!0),this[R]?this.emit("data",e):this[Xi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[R]):e.length?(typeof e=="string"&&!(t===this[K]&&!this[Ue]?.lastNeed)&&(e=Buffer.from(e,t)),Buffer.isBuffer(e)&&this[K]&&(e=this[Ue].write(e)),this[R]&&this[v]!==0&&this[qt](!0),this[R]?this.emit("data",e):this[Xi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[R]):(this[v]!==0&&this.emit("readable"),i&&r(i),this[R])}read(e){if(this[y])return null;if(this[x]=!1,this[v]===0||e===0||e&&e>this[v])return this[ue](),null;this[N]&&(e=null),this[O].length>1&&!this[N]&&(this[O]=[this[K]?this[O].join(""):Buffer.concat(this[O],this[v])]);let t=this[xr](e||null,this[O][0]);return this[ue](),t}[xr](e,t){if(this[N])this[Wt]();else{let i=t;e===i.length||e===null?this[Wt]():typeof i=="string"?(this[O][0]=i.slice(e),t=i.slice(0,e),this[v]-=e):(this[O][0]=i.subarray(e),t=i.subarray(0,e),this[v]-=e)}return this.emit("data",t),!this[O].length&&!this[ce]&&this.emit("drain"),t}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t="utf8"),e!==void 0&&this.write(e,t),i&&this.once("end",i),this[ce]=!0,this.writable=!1,(this[R]||!this[mt])&&this[ue](),this}[qe](){this[y]||(!this[Ne]&&!this[I].length&&(this[x]=!0),this[mt]=!1,this[R]=!0,this.emit("resume"),this[O].length?this[qt]():this[ce]?this[ue]():this.emit("drain"))}resume(){return this[qe]()}pause(){this[R]=!1,this[mt]=!0,this[x]=!1}get destroyed(){return this[y]}get flowing(){return this[R]}get paused(){return this[mt]}[Xi](e){this[N]?this[v]+=1:this[v]+=e.length,this[O].push(e)}[Wt](){return this[N]?this[v]-=1:this[v]-=this[O][0].length,this[O].shift()}[qt](e=!1){do;while(this[jr](this[Wt]())&&this[O].length);!e&&!this[O].length&&!this[ce]&&this.emit("drain")}[jr](e){return this.emit("data",e),this[R]}pipe(e,t){if(this[y])return e;this[x]=!1;let i=this[we];return t=t||{},e===kr.stdout||e===kr.stderr?t.end=!1:t.end=t.end!==!1,t.proxyErrors=!!t.proxyErrors,i?t.end&&e.end():(this[I].push(t.proxyErrors?new is(this,e,t):new Gt(this,e,t)),this[J]?_t(()=>this[qe]()):this[qe]()),e}unpipe(e){let t=this[I].find(i=>i.dest===e);t&&(this[I].length===1?(this[R]&&this[Ne]===0&&(this[R]=!1),this[I]=[]):this[I].splice(this[I].indexOf(t),1),t.unpipe())}addListener(e,t){return this.on(e,t)}on(e,t){let i=super.on(e,t);if(e==="data")this[x]=!1,this[Ne]++,!this[I].length&&!this[R]&&this[qe]();else if(e==="readable"&&this[v]!==0)super.emit("readable");else if(Io(e)&&this[we])super.emit(e),this.removeAllListeners(e);else if(e==="error"&&this[dt]){let r=t;this[J]?_t(()=>r.call(this,this[dt])):r.call(this,this[dt])}return i}removeListener(e,t){return this.off(e,t)}off(e,t){let i=super.off(e,t);return e==="data"&&(this[Ne]=this.listeners("data").length,this[Ne]===0&&!this[x]&&!this[I].length&&(this[R]=!1)),i}removeAllListeners(e){let t=super.removeAllListeners(e);return(e==="data"||e===void 0)&&(this[Ne]=0,!this[x]&&!this[I].length&&(this[R]=!1)),t}get emittedEnd(){return this[we]}[ue](){!this[jt]&&!this[we]&&!this[y]&&this[O].length===0&&this[ce]&&(this[jt]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[Ut]&&this.emit("close"),this[jt]=!1)}emit(e,...t){let i=t[0];if(e!=="error"&&e!=="close"&&e!==y&&this[y])return!1;if(e==="data")return!this[N]&&!i?!1:this[J]?(_t(()=>this[Ji](i)),!0):this[Ji](i);if(e==="end")return this[Ur]();if(e==="close"){if(this[Ut]=!0,!this[we]&&!this[y])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(e==="error"){this[dt]=i,super.emit(Qi,i);let n=!this[pt]||this.listeners("error").length?super.emit("error",i):!1;return this[ue](),n}else if(e==="resume"){let n=super.emit("resume");return this[ue](),n}else if(e==="finish"||e==="prefinish"){let n=super.emit(e);return this.removeAllListeners(e),n}let r=super.emit(e,...t);return this[ue](),r}[Ji](e){for(let i of this[I])i.dest.write(e)===!1&&this.pause();let t=this[x]?!1:super.emit("data",e);return this[ue](),t}[Ur](){return this[we]?!1:(this[we]=!0,this.readable=!1,this[J]?(_t(()=>this[es]()),!0):this[es]())}[es](){if(this[Ue]){let t=this[Ue].end();if(t){for(let i of this[I])i.dest.write(t);this[x]||super.emit("data",t)}}for(let t of this[I])t.end();let e=super.emit("end");return this.removeAllListeners("end"),e}async collect(){let e=Object.assign([],{dataLength:0});this[N]||(e.dataLength=0);let t=this.promise();return this.on("data",i=>{e.push(i),this[N]||(e.dataLength+=i.length)}),await t,e}async concat(){if(this[N])throw new Error("cannot concat in objectMode");let e=await this.collect();return this[K]?e.join(""):Buffer.concat(e,e.dataLength)}async promise(){return new Promise((e,t)=>{this.on(y,()=>t(new Error("stream destroyed"))),this.on("error",i=>t(i)),this.on("end",()=>e())})}[Symbol.asyncIterator](){this[x]=!1;let e=!1,t=async()=>(this.pause(),e=!0,{value:void 0,done:!0});return{next:()=>{if(e)return t();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[ce])return t();let n,o,a=u=>{this.off("data",h),this.off("end",l),this.off(y,c),t(),o(u)},h=u=>{this.off("error",a),this.off("end",l),this.off(y,c),this.pause(),n({value:u,done:!!this[ce]})},l=()=>{this.off("error",a),this.off("data",h),this.off(y,c),t(),n({done:!0,value:void 0})},c=()=>a(new Error("stream destroyed"));return new Promise((u,E)=>{o=E,n=u,this.once(y,c),this.once("error",a),this.once("end",l),this.once("data",h)})},throw:t,return:t,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[x]=!1;let e=!1,t=()=>(this.pause(),this.off(Qi,t),this.off(y,t),this.off("end",t),e=!0,{done:!0,value:void 0}),i=()=>{if(e)return t();let r=this.read();return r===null?t():{done:!1,value:r}};return this.once("end",t),this.once(Qi,t),this.once(y,t),{next:i,throw:t,return:t,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(e){if(this[y])return e?this.emit("error",e):this.emit(y),this;this[y]=!0,this[x]=!0,this[O].length=0,this[v]=0;let t=this;return typeof t.close=="function"&&!this[Ut]&&t.close(),e?this.emit("error",e):this.emit(y),this}static get isStream(){return F.isStream}};F.Minipass=Zt});var Ke=d(W=>{"use strict";var Wr=W&&W.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(W,"__esModule",{value:!0});W.WriteStreamSync=W.WriteStream=W.ReadStreamSync=W.ReadStream=void 0;var ko=Wr(require("events")),z=Wr(require("fs")),xo=We(),jo=z.default.writev,Ee=Symbol("_autoClose"),$=Symbol("_close"),wt=Symbol("_ended"),p=Symbol("_fd"),rs=Symbol("_finished"),de=Symbol("_flags"),ns=Symbol("_flush"),ls=Symbol("_handleChunk"),cs=Symbol("_makeBuf"),Et=Symbol("_mode"),Yt=Symbol("_needDrain"),Ze=Symbol("_onerror"),Ye=Symbol("_onopen"),os=Symbol("_onread"),He=Symbol("_onwrite"),be=Symbol("_open"),V=Symbol("_path"),ye=Symbol("_pos"),ee=Symbol("_queue"),Ge=Symbol("_read"),as=Symbol("_readSize"),fe=Symbol("_reading"),yt=Symbol("_remain"),hs=Symbol("_size"),Kt=Symbol("_write"),Me=Symbol("_writing"),Vt=Symbol("_defaultFlag"),Le=Symbol("_errored"),$t=class extends xo.Minipass{[Le]=!1;[p];[V];[as];[fe]=!1;[hs];[yt];[Ee];constructor(e,t){if(t=t||{},super(t),this.readable=!0,this.writable=!1,typeof e!="string")throw new TypeError("path must be a string");this[Le]=!1,this[p]=typeof t.fd=="number"?t.fd:void 0,this[V]=e,this[as]=t.readSize||16*1024*1024,this[fe]=!1,this[hs]=typeof t.size=="number"?t.size:1/0,this[yt]=this[hs],this[Ee]=typeof t.autoClose=="boolean"?t.autoClose:!0,typeof this[p]=="number"?this[Ge]():this[be]()}get fd(){return this[p]}get path(){return this[V]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[be](){z.default.open(this[V],"r",(e,t)=>this[Ye](e,t))}[Ye](e,t){e?this[Ze](e):(this[p]=t,this.emit("open",t),this[Ge]())}[cs](){return Buffer.allocUnsafe(Math.min(this[as],this[yt]))}[Ge](){if(!this[fe]){this[fe]=!0;let e=this[cs]();if(e.length===0)return process.nextTick(()=>this[os](null,0,e));z.default.read(this[p],e,0,e.length,null,(t,i,r)=>this[os](t,i,r))}}[os](e,t,i){this[fe]=!1,e?this[Ze](e):this[ls](t,i)&&this[Ge]()}[$](){if(this[Ee]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}[Ze](e){this[fe]=!0,this[$](),this.emit("error",e)}[ls](e,t){let i=!1;return this[yt]-=e,e>0&&(i=super.write(ethis[Ye](e,t))}[Ye](e,t){this[Vt]&&this[de]==="r+"&&e&&e.code==="ENOENT"?(this[de]="w",this[be]()):e?this[Ze](e):(this[p]=t,this.emit("open",t),this[Me]||this[ns]())}end(e,t){return e&&this.write(e,t),this[wt]=!0,!this[Me]&&!this[ee].length&&typeof this[p]=="number"&&this[He](null,0),this}write(e,t){return typeof e=="string"&&(e=Buffer.from(e,t)),this[wt]?(this.emit("error",new Error("write() after end()")),!1):this[p]===void 0||this[Me]||this[ee].length?(this[ee].push(e),this[Yt]=!0,!1):(this[Me]=!0,this[Kt](e),!0)}[Kt](e){z.default.write(this[p],e,0,e.length,this[ye],(t,i)=>this[He](t,i))}[He](e,t){e?this[Ze](e):(this[ye]!==void 0&&typeof t=="number"&&(this[ye]+=t),this[ee].length?this[ns]():(this[Me]=!1,this[wt]&&!this[rs]?(this[rs]=!0,this[$](),this.emit("finish")):this[Yt]&&(this[Yt]=!1,this.emit("drain"))))}[ns](){if(this[ee].length===0)this[wt]&&this[He](null,0);else if(this[ee].length===1)this[Kt](this[ee].pop());else{let e=this[ee];this[ee]=[],jo(this[p],e,this[ye],(t,i)=>this[He](t,i))}}[$](){if(this[Ee]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}};W.WriteStream=Xt;var fs=class extends Xt{[be](){let e;if(this[Vt]&&this[de]==="r+")try{e=z.default.openSync(this[V],this[de],this[Et])}catch(t){if(t?.code==="ENOENT")return this[de]="w",this[be]();throw t}else e=z.default.openSync(this[V],this[de],this[Et]);this[Ye](null,e)}[$](){if(this[Ee]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,z.default.closeSync(e),this.emit("close")}}[Kt](e){let t=!0;try{this[He](null,z.default.writeSync(this[p],e,0,e.length,this[ye])),t=!1}finally{if(t)try{this[$]()}catch{}}}};W.WriteStreamSync=fs});var Qt=d(b=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});b.dealias=b.isNoFile=b.isFile=b.isAsync=b.isSync=b.isAsyncNoFile=b.isSyncNoFile=b.isAsyncFile=b.isSyncFile=void 0;var Uo=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),qo=s=>!!s.sync&&!!s.file;b.isSyncFile=qo;var Wo=s=>!s.sync&&!!s.file;b.isAsyncFile=Wo;var Ho=s=>!!s.sync&&!s.file;b.isSyncNoFile=Ho;var Go=s=>!s.sync&&!s.file;b.isAsyncNoFile=Go;var Zo=s=>!!s.sync;b.isSync=Zo;var Yo=s=>!s.sync;b.isAsync=Yo;var Ko=s=>!!s.file;b.isFile=Ko;var Vo=s=>!s.file;b.isNoFile=Vo;var $o=s=>{let e=Uo.get(s);return e||s},Xo=(s={})=>{if(!s)return{};let e={};for(let[t,i]of Object.entries(s)){let r=$o(t);e[r]=i}return e.chmod===void 0&&e.noChmod===!1&&(e.chmod=!0),delete e.noChmod,e};b.dealias=Xo});var Ve=d(Jt=>{"use strict";Object.defineProperty(Jt,"__esModule",{value:!0});Jt.makeCommand=void 0;var bt=Qt(),Qo=(s,e,t,i,r)=>Object.assign((n=[],o,a)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(a=o,o=void 0),o=o?Array.from(o):[];let h=(0,bt.dealias)(n);if(r?.(h,o),(0,bt.isSyncFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return s(h,o)}else if((0,bt.isAsyncFile)(h)){let l=e(h,o);return a?l.then(()=>a(),a):l}else if((0,bt.isSyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return t(h,o)}else if((0,bt.isAsyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback only supported with file option");return i(h,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:e,syncNoFile:t,asyncNoFile:i,validate:r});Jt.makeCommand=Qo});var ds=d($e=>{"use strict";var Jo=$e&&$e.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty($e,"__esModule",{value:!0});$e.constants=void 0;var ea=Jo(require("zlib")),ta=ea.default.constants||{ZLIB_VERNUM:4736};$e.constants=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},ta))});var Ps=d(f=>{"use strict";var ia=f&&f.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),sa=f&&f.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ra=f&&f.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;rs,ms=Gr?.writable===!0||Gr?.set!==void 0?s=>{Ae.Buffer.concat=s?la:ha}:s=>{},Ie=Symbol("_superWrite"),Fe=class extends Error{code;errno;constructor(e,t){super("zlib: "+e.message,{cause:e}),this.code=e.code,this.errno=e.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+e.message,Error.captureStackTrace(this,t??this.constructor)}get name(){return"ZlibError"}};f.ZlibError=Fe;var ps=Symbol("flushFlag"),St=class extends oa.Minipass{#e=!1;#i=!1;#s;#n;#r;#t;#o;get sawError(){return this.#e}get handle(){return this.#t}get flushFlag(){return this.#s}constructor(e,t){if(!e||typeof e!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(e),this.#s=e.flush??0,this.#n=e.finishFlush??0,this.#r=e.fullFlushFlag??0,typeof Hr[t]!="function")throw new TypeError("Compression method not supported: "+t);try{this.#t=new Hr[t](e)}catch(i){throw new Fe(i,this.constructor)}this.#o=i=>{this.#e||(this.#e=!0,this.close(),this.emit("error",i))},this.#t?.on("error",i=>this.#o(new Fe(i))),this.once("end",()=>this.close)}close(){this.#t&&(this.#t.close(),this.#t=void 0,this.emit("close"))}reset(){if(!this.#e)return(0,_s.default)(this.#t,"zlib binding closed"),this.#t.reset?.()}flush(e){this.ended||(typeof e!="number"&&(e=this.#r),this.write(Object.assign(Ae.Buffer.alloc(0),{[ps]:e})))}end(e,t,i){return typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&(t?this.write(e,t):this.write(e)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Ie](e){return super.write(e)}write(e,t,i){if(typeof t=="function"&&(i=t,t="utf8"),typeof e=="string"&&(e=Ae.Buffer.from(e,t)),this.#e)return;(0,_s.default)(this.#t,"zlib binding closed");let r=this.#t._handle,n=r.close;r.close=()=>{};let o=this.#t.close;this.#t.close=()=>{},ms(!0);let a;try{let l=typeof e[ps]=="number"?e[ps]:this.#s;a=this.#t._processChunk(e,l),ms(!1)}catch(l){ms(!1),this.#o(new Fe(l,this.write))}finally{this.#t&&(this.#t._handle=r,r.close=n,this.#t.close=o,this.#t.removeAllListeners("error"))}this.#t&&this.#t.on("error",l=>this.#o(new Fe(l,this.write)));let h;if(a)if(Array.isArray(a)&&a.length>0){let l=a[0];h=this[Ie](Ae.Buffer.from(l));for(let c=1;c{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(e,t)}finally{this.handle.flush=i}this.handle&&(this.#e=e,this.#i=t)}}}};f.Zlib=ie;var ws=class extends ie{constructor(e){super(e,"Deflate")}};f.Deflate=ws;var ys=class extends ie{constructor(e){super(e,"Inflate")}};f.Inflate=ys;var Es=class extends ie{#e;constructor(e){super(e,"Gzip"),this.#e=e&&!!e.portable}[Ie](e){return this.#e?(this.#e=!1,e[9]=255,super[Ie](e)):super[Ie](e)}};f.Gzip=Es;var bs=class extends ie{constructor(e){super(e,"Gunzip")}};f.Gunzip=bs;var Ss=class extends ie{constructor(e){super(e,"DeflateRaw")}};f.DeflateRaw=Ss;var gs=class extends ie{constructor(e){super(e,"InflateRaw")}};f.InflateRaw=gs;var Rs=class extends ie{constructor(e){super(e,"Unzip")}};f.Unzip=Rs;var ei=class extends St{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.BROTLI_OPERATION_PROCESS,e.finishFlush=e.finishFlush||te.constants.BROTLI_OPERATION_FINISH,e.fullFlushFlag=te.constants.BROTLI_OPERATION_FLUSH,super(e,t)}},Os=class extends ei{constructor(e){super(e,"BrotliCompress")}};f.BrotliCompress=Os;var vs=class extends ei{constructor(e){super(e,"BrotliDecompress")}};f.BrotliDecompress=vs;var ti=class extends St{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.ZSTD_e_continue,e.finishFlush=e.finishFlush||te.constants.ZSTD_e_end,e.fullFlushFlag=te.constants.ZSTD_e_flush,super(e,t)}},Ts=class extends ti{constructor(e){super(e,"ZstdCompress")}};f.ZstdCompress=Ts;var Ds=class extends ti{constructor(e){super(e,"ZstdDecompress")}};f.ZstdDecompress=Ds});var Kr=d(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.parse=Xe.encode=void 0;var ca=(s,e)=>{if(Number.isSafeInteger(s))s<0?fa(s,e):ua(s,e);else throw Error("cannot encode number outside of javascript safe integer range");return e};Xe.encode=ca;var ua=(s,e)=>{e[0]=128;for(var t=e.length;t>1;t--)e[t-1]=s&255,s=Math.floor(s/256)},fa=(s,e)=>{e[0]=255;var t=!1;s=s*-1;for(var i=e.length;i>1;i--){var r=s&255;s=Math.floor(s/256),t?e[i-1]=Zr(r):r===0?e[i-1]=0:(t=!0,e[i-1]=Yr(r))}},da=s=>{let e=s[0],t=e===128?pa(s.subarray(1,s.length)):e===255?ma(s):null;if(t===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(t))throw Error("parsed number outside of javascript safe integer range");return t};Xe.parse=da;var ma=s=>{for(var e=s.length,t=0,i=!1,r=e-1;r>-1;r--){var n=Number(s[r]),o;i?o=Zr(n):n===0?o=n:(i=!0,o=Yr(n)),o!==0&&(t-=o*Math.pow(256,e-r-1))}return t},pa=s=>{for(var e=s.length,t=0,i=e-1;i>-1;i--){var r=Number(s[i]);r!==0&&(t+=r*Math.pow(256,e-i-1))}return t},Zr=s=>(255^s)&255,Yr=s=>(255^s)+1&255});var Ns=d(C=>{"use strict";Object.defineProperty(C,"__esModule",{value:!0});C.code=C.name=C.normalFsTypes=C.isName=C.isCode=void 0;var _a=s=>C.name.has(s);C.isCode=_a;var wa=s=>C.code.has(s);C.isName=wa;C.normalFsTypes=new Set(["0","","1","2","3","4","5","6","7","D"]);C.name=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]);C.code=new Map(Array.from(C.name).map(s=>[s[1],s[0]]))});var et=d(se=>{"use strict";var ya=se&&se.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Ea=se&&se.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Vr=se&&se.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;rs===void 0||s<0?void 0:s,As=class{cksumValid=!1;needPax=!1;nullBlock=!1;block;path;mode;uid;gid;size;cksum;#e="Unsupported";linkpath;uname;gname;devmaj=0;devmin=0;atime;ctime;mtime;charset;comment;constructor(e,t=0,i,r){Buffer.isBuffer(e)?this.decode(e,t||0,i,r):e&&this.#i(e)}decode(e,t,i,r){if(t||(t=0),!e||!(e.length>=t+512))throw new Error("need 512 bytes for header");let n=Ce(e,t+156,1),o=Je.normalFsTypes.has(n),a=o?i:void 0,h=o?r:void 0;if(this.path=a?.path??Ce(e,t,100),this.mode=a?.mode??h?.mode??Se(e,t+100,8),this.uid=a?.uid??h?.uid??Se(e,t+108,8),this.gid=a?.gid??h?.gid??Se(e,t+116,8),this.size=ba(a?.size??h?.size??Se(e,t+124,12)),this.mtime=a?.mtime??h?.mtime??Ms(e,t+136,12),this.cksum=Se(e,t+148,12),h&&this.#i(h,!0),a&&this.#i(a),Je.isCode(n)&&(this.#e=n||"0"),this.#e==="0"&&this.path.slice(-1)==="/"&&(this.#e="5"),this.#e==="5"&&(this.size=0),this.linkpath=Ce(e,t+157,100),e.subarray(t+257,t+265).toString()==="ustar\x0000")if(this.uname=a?.uname??h?.uname??Ce(e,t+265,32),this.gname=a?.gname??h?.gname??Ce(e,t+297,32),this.devmaj=a?.devmaj??h?.devmaj??Se(e,t+329,8)??0,this.devmin=a?.devmin??h?.devmin??Se(e,t+337,8)??0,e[t+475]!==0){let c=Ce(e,t+345,155);this.path=c+"/"+this.path}else{let c=Ce(e,t+345,130);c&&(this.path=c+"/"+this.path),this.atime=i?.atime??r?.atime??Ms(e,t+476,12),this.ctime=i?.ctime??r?.ctime??Ms(e,t+488,12)}let l=256;for(let c=t;c!(r==null||i==="size"&&Number(r)<0||i==="path"&&t||i==="linkpath"&&t||i==="global"))))}encode(e,t=0){if(e||(e=this.block=Buffer.alloc(512)),this.#e==="Unsupported"&&(this.#e="0"),!(e.length>=t+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=Sa(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Be(e,t,100,n)||this.needPax,this.needPax=ge(e,t+100,8,this.mode)||this.needPax,this.needPax=ge(e,t+108,8,this.uid)||this.needPax,this.needPax=ge(e,t+116,8,this.gid)||this.needPax,this.needPax=ge(e,t+124,12,this.size)||this.needPax,this.needPax=Ls(e,t+136,12,this.mtime)||this.needPax,e[t+156]=Number(this.#e.codePointAt(0)),this.needPax=Be(e,t+157,100,this.linkpath)||this.needPax,e.write("ustar\x0000",t+257,8),this.needPax=Be(e,t+265,32,this.uname)||this.needPax,this.needPax=Be(e,t+297,32,this.gname)||this.needPax,this.needPax=ge(e,t+329,8,this.devmaj)||this.needPax,this.needPax=ge(e,t+337,8,this.devmin)||this.needPax,this.needPax=Be(e,t+345,i,o)||this.needPax,e[t+475]!==0?this.needPax=Be(e,t+345,155,o)||this.needPax:(this.needPax=Be(e,t+345,130,o)||this.needPax,this.needPax=Ls(e,t+476,12,this.atime)||this.needPax,this.needPax=Ls(e,t+488,12,this.ctime)||this.needPax);let a=256;for(let h=t;h{let i=s,r="",n,o=Qe.posix.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Qe.posix.dirname(i),i=Qe.posix.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=e?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=e?n=[i.slice(0,99),r,!0]:(i=Qe.posix.join(Qe.posix.basename(r),i),r=Qe.posix.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},Ce=(s,e,t)=>s.subarray(e,e+t).toString("utf8").replace(/\0.*/,""),Ms=(s,e,t)=>ga(Se(s,e,t)),ga=s=>s===void 0?void 0:new Date(s*1e3),Se=(s,e,t)=>Number(s[e])&128?$r.parse(s.subarray(e,e+t)):Oa(s,e,t),Ra=s=>isNaN(s)?void 0:s,Oa=(s,e,t)=>Ra(parseInt(s.subarray(e,e+t).toString("utf8").replace(/\0.*$/,"").trim(),8)),va={12:8589934591,8:2097151},ge=(s,e,t,i)=>i===void 0?!1:i>va[t]||i<0?($r.encode(i,s.subarray(e,e+t)),!0):(Ta(s,e,t,i),!1),Ta=(s,e,t,i)=>s.write(Da(i,t),e,t,"ascii"),Da=(s,e)=>Pa(Math.floor(s).toString(8),e),Pa=(s,e)=>(s.length===e-1?s:new Array(e-s.length-1).join("0")+s+" ")+"\0",Ls=(s,e,t,i)=>i===void 0?!1:ge(s,e,t,i.getTime()/1e3),Na=new Array(156).join("\0"),Be=(s,e,t,i)=>i===void 0?!1:(s.write(i+Na,e,t,"utf8"),i.length!==Buffer.byteLength(i)||i.length>t)});var si=d(ii=>{"use strict";Object.defineProperty(ii,"__esModule",{value:!0});ii.Pax=void 0;var Ma=require("node:path"),La=et(),Is=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(e,t=!1){this.atime=e.atime,this.charset=e.charset,this.comment=e.comment,this.ctime=e.ctime,this.dev=e.dev,this.gid=e.gid,this.global=t,this.gname=e.gname,this.ino=e.ino,this.linkpath=e.linkpath,this.mtime=e.mtime,this.nlink=e.nlink,this.path=e.path,this.size=e.size,this.uid=e.uid,this.uname=e.uname}encode(){let e=this.encodeBody();if(e==="")return Buffer.allocUnsafe(0);let t=Buffer.byteLength(e),i=512*Math.ceil(1+t/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new La.Header({path:("PaxHeader/"+(0,Ma.basename)(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:t,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(e,512,t,"utf8");for(let n=t+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(e,t,i=!1){return new s(Aa(Ia(e),t),i)}};ii.Pax=Is;var Aa=(s,e)=>e?Object.assign({},e,s):s,Ia=s=>s.replace(/\n$/,"").split(`
+`).reduce(Fa,Object.create(null)),Fa=(s,e)=>{let t=parseInt(e,10);if(t!==Buffer.byteLength(e)+1)return s;e=e.slice((t+" ").length);let i=e.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=").replace(/\0.*/,"");switch(n){case"path":case"linkpath":case"type":case"charset":case"comment":case"gname":case"uname":s[n]=o;break;case"ctime":case"atime":case"mtime":s[n]=new Date(Number(o)*1e3);break;case"size":let a=+o;a>=0&&(s[n]=a);break;case"gid":case"uid":case"dev":case"ino":case"nlink":case"mode":s[n]=+o;break}return s}});var tt=d(ri=>{"use strict";Object.defineProperty(ri,"__esModule",{value:!0});ri.normalizeWindowsPath=void 0;var Ca=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform;ri.normalizeWindowsPath=Ca!=="win32"?s=>String(s):s=>String(s).replaceAll(/\\/g,"/")});var Cs=d(oi=>{"use strict";Object.defineProperty(oi,"__esModule",{value:!0});oi.ReadEntry=void 0;var Ba=We(),ni=tt(),Fs=class extends Ba.Minipass{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(e,t,i){switch(super({}),this.pause(),this.extended=t,this.globalExtended=i,this.header=e,this.remain=e.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=e.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!e.path)throw new Error("no path provided for tar.ReadEntry");this.path=(0,ni.normalizeWindowsPath)(e.path),this.mode=e.mode,this.mode&&(this.mode=this.mode&4095),this.uid=e.uid,this.gid=e.gid,this.uname=e.uname,this.gname=e.gname,this.size=this.remain,this.mtime=e.mtime,this.atime=e.atime,this.ctime=e.ctime,this.linkpath=e.linkpath?(0,ni.normalizeWindowsPath)(e.linkpath):void 0,this.uname=e.uname,this.gname=e.gname,t&&this.#e(t),i&&this.#e(i,!0)}write(e){let t=e.length;if(t>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-t),this.blockRemain=Math.max(0,r-t),this.ignore?!0:i>=t?super.write(e):super.write(e.subarray(0,i))}#e(e,t=!1){e.path&&(e.path=(0,ni.normalizeWindowsPath)(e.path)),e.linkpath&&(e.linkpath=(0,ni.normalizeWindowsPath)(e.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(e).filter(([i,r])=>!(r==null||i==="path"&&t))))}};oi.ReadEntry=Fs});var hi=d(ai=>{"use strict";Object.defineProperty(ai,"__esModule",{value:!0});ai.warnMethod=void 0;var za=(s,e,t,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=t instanceof Error&&t.code||e,i.tarCode=e,!s.strict&&i.recoverable!==!1?(t instanceof Error&&(i=Object.assign(t,i),t=t.message),s.emit("warn",e,t,i)):t instanceof Error?s.emit("error",Object.assign(t,i)):s.emit("error",Object.assign(new Error(`${e}: ${t}`),i))};ai.warnMethod=za});var _i=d(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.Parser=void 0;var ka=require("events"),Bs=Ps(),Xr=et(),Qr=si(),xa=Cs(),ja=hi(),Ua=1024*1024,qs=Buffer.from([31,139]),Ws=Buffer.from([40,181,47,253]),qa=Math.max(qs.length,Ws.length),H=Symbol("state"),ze=Symbol("writeEntry"),me=Symbol("readEntry"),zs=Symbol("nextEntry"),Jr=Symbol("processEntry"),re=Symbol("extendedHeader"),gt=Symbol("globalExtendedHeader"),Re=Symbol("meta"),en=Symbol("emitMeta"),_=Symbol("buffer"),pe=Symbol("queue"),Oe=Symbol("ended"),ks=Symbol("emittedEnd"),ke=Symbol("emit"),S=Symbol("unzip"),li=Symbol("consumeChunk"),ci=Symbol("consumeChunkSub"),xs=Symbol("consumeBody"),tn=Symbol("consumeMeta"),sn=Symbol("consumeHeader"),Rt=Symbol("consuming"),js=Symbol("bufferConcat"),ui=Symbol("maybeEnd"),it=Symbol("writing"),ne=Symbol("aborted"),fi=Symbol("onDone"),xe=Symbol("sawValidEntry"),di=Symbol("sawNullBlock"),mi=Symbol("sawEOF"),rn=Symbol("closeStream"),Wa=1e3,Ot=Symbol("compressedBytesRead"),Us=Symbol("decompressedBytesRead"),nn=Symbol("checkDecompressionRatio"),Ha=()=>!0,Hs=class extends ka.EventEmitter{file;strict;maxMetaEntrySize;filter;brotli;zstd;maxDecompressionRatio;writable=!0;readable=!1;[pe]=[];[_];[me];[ze];[H]="begin";[Re]="";[re];[gt];[Oe]=!1;[S];[ne]=!1;[xe];[di]=!1;[mi]=!1;[it]=!1;[Rt]=!1;[ks]=!1;[Ot]=0;[Us]=0;constructor(e={}){super(),this.file=e.file||"",this.on(fi,()=>{(this[H]==="begin"||this[xe]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),e.ondone?this.on(fi,e.ondone):this.on(fi,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!e.strict,this.maxDecompressionRatio=typeof e.maxDecompressionRatio=="number"?e.maxDecompressionRatio:Wa,this.maxMetaEntrySize=e.maxMetaEntrySize||Ua,this.filter=typeof e.filter=="function"?e.filter:Ha;let t=e.file&&(e.file.endsWith(".tar.br")||e.file.endsWith(".tbr"));this.brotli=!(e.gzip||e.zstd)&&e.brotli!==void 0?e.brotli:t?void 0:!1;let i=e.file&&(e.file.endsWith(".tar.zst")||e.file.endsWith(".tzst"));this.zstd=!(e.gzip||e.brotli)&&e.zstd!==void 0?e.zstd:i?!0:void 0,this.on("end",()=>this[rn]()),typeof e.onwarn=="function"&&this.on("warn",e.onwarn),typeof e.onReadEntry=="function"&&this.on("entry",e.onReadEntry)}warn(e,t,i={}){(0,ja.warnMethod)(this,e,t,i)}[sn](e,t){this[xe]===void 0&&(this[xe]=!1);let i;try{i=new Xr.Header(e,t,this[re],this[gt])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[di]?(this[mi]=!0,this[H]==="begin"&&(this[H]="header"),this[ke]("eof")):(this[di]=!0,this[ke]("nullBlock"));else if(this[di]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[ze]=new xa.ReadEntry(i,this[re],this[gt]);if(!this[xe])if(n.remain){let o=()=>{n.invalid||(this[xe]=!0)};n.on("end",o)}else this[xe]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[ke]("ignoredEntry",n),this[H]="ignore",n.resume()):n.size>0&&(this[Re]="",n.on("data",o=>this[Re]+=o),this[H]="meta"):(this[re]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[ke]("ignoredEntry",n),this[H]=n.remain?"ignore":"header",n.resume()):(n.remain?this[H]="body":(this[H]="header",n.end()),this[me]?this[pe].push(n):(this[pe].push(n),this[zs]())))}}}[rn](){queueMicrotask(()=>this.emit("close"))}[Jr](e){let t=!0;if(!e)this[me]=void 0,t=!1;else if(Array.isArray(e)){let[i,...r]=e;this.emit(i,...r)}else this[me]=e,this.emit("entry",e),e.emittedEnd||(e.on("end",()=>this[zs]()),t=!1);return t}[zs](){do;while(this[Jr](this[pe].shift()));if(this[pe].length===0){let e=this[me];!e||e.flowing||e.size===e.remain?this[it]||this.emit("drain"):e.once("drain",()=>this.emit("drain"))}}[xs](e,t){let i=this[ze];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=e.length&&t===0?e:e.subarray(t,t+r);return i.write(n),i.blockRemain||(this[H]="header",this[ze]=void 0,i.end()),n.length}[tn](e,t){let i=this[ze],r=this[xs](e,t);return!this[ze]&&i&&this[en](i),r}[ke](e,t,i){this[pe].length===0&&!this[me]?this.emit(e,t,i):this[pe].push([e,t,i])}[en](e){switch(this[ke]("meta",this[Re]),e.type){case"ExtendedHeader":case"OldExtendedHeader":this[re]=Qr.Pax.parse(this[Re],this[re],!1);break;case"GlobalExtendedHeader":this[gt]=Qr.Pax.parse(this[Re],this[gt],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let t=this[re]??Object.create(null);this[re]=t,t.path=this[Re].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let t=this[re]||Object.create(null);this[re]=t,t.linkpath=this[Re].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+e.type)}}abort(e){this[ne]||(this[ne]=!0,this.emit("abort",e),this.warn("TAR_ABORT",e,{recoverable:!1}))}[nn](e){this[Us]+=e.length;let t=this[Us]/this[Ot];return t>this.maxDecompressionRatio?(this.abort(new Error(`max decompression ratio exceeded: ${t.toFixed(2)} > ${this.maxDecompressionRatio}`)),!1):!0}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this[ne])return i?.(),!1;if((this[S]===void 0||this.brotli===void 0&&this[S]===!1)&&e){if(this[_]&&(e=Buffer.concat([this[_],e]),this[_]=void 0),e.length{this[nn](c)&&this[li](c)}),this[S].on("error",c=>{this[ne]||this.abort(c)}),this[S].on("end",()=>{this[Oe]=!0,this[li]()}),this[it]=!0,this[Ot]+=e.length;let l=!!this[S][h?"end":"write"](e);return this[it]=!1,i?.(),l}}this[it]=!0,this[S]?(this[Ot]+=e.length,this[S].write(e)):this[li](e),this[it]=!1;let n=this[pe].length>0?!1:this[me]?this[me].flowing:!0;return!n&&this[pe].length===0&&this[me]?.once("drain",()=>this.emit("drain")),i?.(),n}[js](e){e&&!this[ne]&&(this[_]=this[_]?Buffer.concat([this[_],e]):e)}[ui](){if(this[Oe]&&!this[ks]&&!this[ne]&&!this[Rt]){this[ks]=!0;let e=this[ze];if(e?.blockRemain){let t=this[_]?this[_].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${e.blockRemain} more bytes, only ${t} available)`,{entry:e}),this[_]&&e.write(this[_]),e.end()}this[ke](fi)}}[li](e){if(this[Rt]&&e)this[js](e);else if(!e&&!this[_])this[ui]();else if(e){if(this[Rt]=!0,this[_]){this[js](e);let t=this[_];this[_]=void 0,this[ci](t)}else this[ci](e);for(;this[_]&&this[_]?.length>=512&&!this[ne]&&!this[mi];){let t=this[_];this[_]=void 0,this[ci](t)}this[Rt]=!1}(!this[_]||this[Oe])&&this[ui]()}[ci](e){let t=0,i=e.length;for(;t+512<=i&&!this[ne]&&!this[mi];)switch(this[H]){case"begin":case"header":this[sn](e,t),t+=512;break;case"ignore":case"body":t+=this[xs](e,t);break;case"meta":t+=this[tn](e,t);break;default:throw new Error("invalid state: "+this[H])}t{"use strict";Object.defineProperty(wi,"__esModule",{value:!0});wi.stripTrailingSlashes=void 0;var Ga=s=>{let e=s.length-1,t=-1;for(;e>-1&&s.charAt(e)==="/";)t=e,e--;return t===-1?s:s.slice(0,t)};wi.stripTrailingSlashes=Ga});var rt=d(B=>{"use strict";var Za=B&&B.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Ya=B&&B.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Ka=B&&B.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=s.onReadEntry;s.onReadEntry=e?t=>{e(t),t.resume()}:t=>t.resume()},Ja=(s,e)=>{let t=new Map(e.map(n=>[(0,Gs.stripTrailingSlashes)(n),!0])),i=s.filter,r=(n,o="")=>{let a=o||(0,on.parse)(n).root||".",h;if(n===a)h=!1;else{let l=t.get(n);h=l!==void 0?l:r((0,on.dirname)(n),a)}return t.set(n,h),h};s.filter=i?(n,o)=>i(n,o)&&r((0,Gs.stripTrailingSlashes)(n)):n=>r((0,Gs.stripTrailingSlashes)(n))};B.filesFilter=Ja;var eh=s=>{let e=new Ei.Parser(s),t=s.file,i;try{i=st.default.openSync(t,"r");let r=st.default.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let t=new Ei.Parser(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("end",o),st.default.stat(r,(h,l)=>{if(h)a(h);else{let c=new $a.ReadStream(r,{readSize:i,size:l.size});c.on("error",a),c.pipe(t)}})})};B.list=(0,Xa.makeCommand)(eh,th,s=>new Ei.Parser(s),s=>new Ei.Parser(s),(s,e)=>{e?.length&&(0,B.filesFilter)(s,e),s.noResume||Qa(s)})});var an=d(bi=>{"use strict";Object.defineProperty(bi,"__esModule",{value:!0});bi.modeFix=void 0;var ih=(s,e,t)=>(s&=4095,t&&(s=(s|384)&-19),e&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);bi.modeFix=ih});var Zs=d(Si=>{"use strict";Object.defineProperty(Si,"__esModule",{value:!0});Si.stripAbsolutePath=void 0;var sh=require("node:path"),{isAbsolute:rh,parse:hn}=sh.win32,nh=s=>{let e="",t=hn(s);for(;rh(s)||t.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":t.root;s=s.slice(i.length),e+=i,t=hn(s)}return[e,s]};Si.stripAbsolutePath=nh});var Ks=d(nt=>{"use strict";Object.defineProperty(nt,"__esModule",{value:!0});nt.decode=nt.encode=void 0;var gi=["|","<",">","?",":"],Ys=gi.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),oh=new Map(gi.map((s,e)=>[s,Ys[e]])),ah=new Map(Ys.map((s,e)=>[s,gi[e]])),hh=s=>gi.reduce((e,t)=>e.split(t).join(oh.get(t)),s);nt.encode=hh;var lh=s=>Ys.reduce((e,t)=>e.split(t).join(ah.get(t)),s);nt.decode=lh});var nr=d(M=>{"use strict";var ch=M&&M.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),uh=M&&M.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),fh=M&&M.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;re?(s=(0,oe.normalizeWindowsPath)(s).replace(/^\.(\/|$)/,""),(0,dh.stripTrailingSlashes)(e)+"/"+s):(0,oe.normalizeWindowsPath)(s),ph=16*1024*1024,cn=Symbol("process"),un=Symbol("file"),fn=Symbol("directory"),$s=Symbol("symlink"),dn=Symbol("hardlink"),vt=Symbol("header"),Ri=Symbol("read"),Xs=Symbol("lstat"),Oi=Symbol("onlstat"),Qs=Symbol("onread"),Js=Symbol("onreadlink"),er=Symbol("openfile"),tr=Symbol("onopenfile"),ve=Symbol("close"),vi=Symbol("mode"),ir=Symbol("awaitDrain"),Vs=Symbol("ondrain"),he=Symbol("prefix"),Ti=class extends pn.Minipass{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#e=!1;constructor(e,t={}){let i=(0,yn.dealias)(t);super(),this.path=(0,oe.normalizeWindowsPath)(e),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||ph,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=(0,oe.normalizeWindowsPath)(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?(0,oe.normalizeWindowsPath)(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,a]=(0,bn.stripAbsolutePath)(this.path);o&&typeof a=="string"&&(this.path=a,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=mh.decode(this.path.replaceAll(/\\/g,"/")),e=e.replaceAll(/\\/g,"/")),this.absolute=(0,oe.normalizeWindowsPath)(i.absolute||ln.default.resolve(this.cwd,e)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[Oi](n):this[Xs]()}warn(e,t,i={}){return(0,Sn.warnMethod)(this,e,t,i)}emit(e,...t){return e==="error"&&(this.#e=!0),super.emit(e,...t)}[Xs](){ae.default.lstat(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Oi](t)})}[Oi](e){this.statCache.set(this.absolute,e),this.stat=e,e.isFile()||(e.size=0),this.type=_h(e),this.emit("stat",e),this[cn]()}[cn](){switch(this.type){case"File":return this[un]();case"Directory":return this[fn]();case"SymbolicLink":return this[$s]();default:return this.end()}}[vi](e){return(0,wn.modeFix)(e,this.type==="Directory",this.portable)}[he](e){return gn(e,this.prefix)}[vt](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new _n.Header({path:this[he](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[he](this.linkpath):this.linkpath,mode:this[vi](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new En.Pax({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[he](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[he](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let e=this.header?.block;if(!e)throw new Error("failed to encode header");super.write(e)}[fn](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[vt](),this.end()}[$s](){ae.default.readlink(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Js](t)})}[Js](e){this.linkpath=(0,oe.normalizeWindowsPath)(e),this[vt](),this.end()}[dn](e){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=(0,oe.normalizeWindowsPath)(ln.default.relative(this.cwd,e)),this.stat.size=0,this[vt](),this.end()}[un](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let e=`${this.stat.dev}:${this.stat.ino}`,t=this.linkCache.get(e);if(t?.indexOf(this.cwd)===0)return this[dn](t);this.linkCache.set(e,this.absolute)}if(this[vt](),this.stat.size===0)return this.end();this[er]()}[er](){ae.default.open(this.absolute,"r",(e,t)=>{if(e)return this.emit("error",e);this[tr](t)})}[tr](e){if(this.fd=e,this.#e)return this[ve]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let t=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(t),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[Ri]()}[Ri](){let{fd:e,buf:t,offset:i,length:r,pos:n}=this;if(e===void 0||t===void 0)throw new Error("cannot read file without first opening");ae.default.read(e,t,i,r,n,(o,a)=>{if(o)return this[ve](()=>this.emit("error",o));this[Qs](a)})}[ve](e=()=>{}){this.fd!==void 0&&ae.default.close(this.fd,e)}[Qs](e){if(e<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(e>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(e===this.remain)for(let r=e;rthis[Vs]())}[ir](e){this.once("drain",e)}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this.blockRemaine?this.emit("error",e):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[Ri]()}};M.WriteEntry=Ti;var sr=class extends Ti{sync=!0;[Xs](){this[Oi](ae.default.lstatSync(this.absolute))}[$s](){this[Js](ae.default.readlinkSync(this.absolute))}[er](){this[tr](ae.default.openSync(this.absolute,"r"))}[Ri](){let e=!0;try{let{fd:t,buf:i,offset:r,length:n,pos:o}=this;if(t===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let a=ae.default.readSync(t,i,r,n,o);this[Qs](a),e=!1}finally{if(e)try{this[ve](()=>{})}catch{}}}[ir](e){e()}[ve](e=()=>{}){this.fd!==void 0&&ae.default.closeSync(this.fd),e()}};M.WriteEntrySync=sr;var rr=class extends pn.Minipass{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(e,t,i={}){return(0,Sn.warnMethod)(this,e,t,i)}constructor(e,t={}){let i=(0,yn.dealias)(t);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=e;let{type:r}=e;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=(0,oe.normalizeWindowsPath)(e.path),this.mode=e.mode!==void 0?this[vi](e.mode):void 0,this.uid=this.portable?void 0:e.uid,this.gid=this.portable?void 0:e.gid,this.uname=this.portable?void 0:e.uname,this.gname=this.portable?void 0:e.gname,this.size=e.size,this.mtime=this.noMtime?void 0:i.mtime||e.mtime,this.atime=this.portable?void 0:e.atime,this.ctime=this.portable?void 0:e.ctime,this.linkpath=e.linkpath!==void 0?(0,oe.normalizeWindowsPath)(e.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[a,h]=(0,bn.stripAbsolutePath)(this.path);a&&typeof h=="string"&&(this.path=h,n=a)}this.remain=e.size,this.blockRemain=e.startBlockSize,this.onWriteEntry?.(this),this.header=new _n.Header({path:this[he](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[he](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new En.Pax({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[he](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[he](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),e.pipe(this)}[he](e){return gn(e,this.prefix)}[vi](e){return(0,wn.modeFix)(e,this.type==="Directory",this.portable)}write(e,t,i){typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8"));let r=e.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(e,i)}end(e,t,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,t??"utf8")),i&&this.once("finish",i),e?super.end(e,i):super.end(i),this}};M.WriteEntryTar=rr;var _h=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported"});var Rn=d(at=>{"use strict";Object.defineProperty(at,"__esModule",{value:!0});at.Node=at.Yallist=void 0;var or=class s{tail;head;length=0;static create(e=[]){return new s(e)}constructor(e=[]){for(let t of e)this.push(t)}*[Symbol.iterator](){for(let e=this.head;e;e=e.next)yield e.value}removeNode(e){if(e.list!==this)throw new Error("removing node which does not belong to this list");let t=e.next,i=e.prev;return t&&(t.prev=i),i&&(i.next=t),e===this.head&&(this.head=t),e===this.tail&&(this.tail=i),this.length--,e.next=void 0,e.prev=void 0,e.list=void 0,t}unshiftNode(e){if(e===this.head)return;e.list&&e.list.removeNode(e);let t=this.head;e.list=this,e.next=t,t&&(t.prev=e),this.head=e,this.tail||(this.tail=e),this.length++}pushNode(e){if(e===this.tail)return;e.list&&e.list.removeNode(e);let t=this.tail;e.list=this,e.prev=t,t&&(t.next=e),this.tail=e,this.head||(this.head=e),this.length++}push(...e){for(let t=0,i=e.length;t1)i=t;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=e(i,r.value,n),r=r.next;return i}reduceReverse(e,t){let i,r=this.tail;if(arguments.length>1)i=t;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=e(i,r.value,n),r=r.prev;return i}toArray(){let e=new Array(this.length);for(let t=0,i=this.head;i;t++)e[t]=i.value,i=i.next;return e}toArrayReverse(){let e=new Array(this.length);for(let t=0,i=this.tail;i;t++)e[t]=i.value,i=i.prev;return e}slice(e=0,t=this.length){t<0&&(t+=this.length),e<0&&(e+=this.length);let i=new s;if(tthis.length&&(t=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(t=this.length);let r=this.length,n=this.tail;for(;n&&r>t;r--)n=n.prev;for(;n&&r>e;r--,n=n.prev)i.push(n.value);return i}splice(e,t=0,...i){e>this.length&&(e=this.length-1),e<0&&(e=this.length+e);let r=this.head;for(let o=0;r&&o{"use strict";var bh=L&&L.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Sh=L&&L.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),gh=L&&L.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(e.gzip&&(typeof e.gzip!="object"&&(e.gzip={}),this.portable&&(e.gzip.portable=!0),this.zip=new ar.Gzip(e.gzip)),e.brotli&&(typeof e.brotli!="object"&&(e.brotli={}),this.zip=new ar.BrotliCompress(e.brotli)),e.zstd&&(typeof e.zstd!="object"&&(e.zstd={}),this.zip=new ar.ZstdCompress(e.zstd)),!this.zip)throw new Error("impossible");let t=this.zip;t.on("data",i=>super.write(i)),t.on("end",()=>super.end()),t.on("drain",()=>this[cr]()),this.on("resume",()=>t.resume())}else this.on("drain",this[cr]);this.noDirRecurse=!!e.noDirRecurse,this.follow=!!e.follow,this.noMtime=!!e.noMtime,e.mtime&&(this.mtime=e.mtime),this.filter=typeof e.filter=="function"?e.filter:()=>!0,this[X]=new Oh.Yallist,this[Q]=0,this.jobs=Number(e.jobs)||4,this[Pt]=!1,this[Tt]=!1}[Nn](e){return super.write(e)}add(e){return this.write(e),this}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&this.add(e),this[Tt]=!0,this[je](),i&&i(),this}write(e){if(this[Tt])throw new Error("write after end");return typeof e=="string"?this[Ni](e):this[vn](e),this.flowing}[vn](e){let t=(0,ur.normalizeWindowsPath)(Dn.default.resolve(this.cwd,e.path));if(!this.filter(e.path,e))e.resume();else{let i=new Nt(e.path,t);i.entry=new fr.WriteEntryTar(e,this[lr](i)),i.entry.on("end",()=>this[hr](i)),this[Q]+=1,this[X].push(i)}this[je]()}[Ni](e){let t=(0,ur.normalizeWindowsPath)(Dn.default.resolve(this.cwd,e));this[X].push(new Nt(e,t)),this[je]()}[dr](e){e.pending=!0,this[Q]+=1;let t=this.follow?"stat":"lstat";Ii.default[t](e.absolute,(i,r)=>{e.pending=!1,this[Q]-=1,i?this.emit("error",i):this[Pi](e,r)})}[Pi](e,t){if(this.statCache.set(e.absolute,t),e.stat=t,!this.filter(e.path,t))e.ignore=!0;else if(t.isFile()&&t.nlink>1&&!this.linkCache.get(`${t.dev}:${t.ino}`)&&!this.sync)if(e===this[Te])this[Di](e);else{let i=`${t.dev}:${t.ino}`,r=this[Dt].get(i);r?r.push(e):this[Dt].set(i,[e]),e.pendingLink=!0,e.pending=!0}this[je]()}[mr](e){e.pending=!0,this[Q]+=1,Ii.default.readdir(e.absolute,(t,i)=>{if(e.pending=!1,this[Q]-=1,t)return this.emit("error",t);this[Mi](e,i)})}[Mi](e,t){this.readdirCache.set(e.absolute,t),e.readdir=t,this[je]()}[je](){if(!this[Pt]){this[Pt]=!0;for(let e=this[X].head;e&&this[Q]1){let i=`${t.dev}:${t.ino}`,r=this[Dt].get(i);if(r){this[Dt].delete(i);for(let n of r)n.pending=!1,this[Di](n)}}this[je]()}[Di](e){if(e.pending&&e.pendingLink&&e===this[Te]&&(e.pending=!1,e.pendingLink=!1),!e.pending){if(e.entry){e===this[Te]&&!e.piped&&this[Li](e);return}if(!e.stat){let t=this.statCache.get(e.absolute);t?this[Pi](e,t):this[dr](e)}if(e.stat&&!e.ignore){if(!this.noDirRecurse&&e.stat.isDirectory()&&!e.readdir){let t=this.readdirCache.get(e.absolute);if(t?this[Mi](e,t):this[mr](e),!e.readdir)return}if(e.entry=this[Tn](e),!e.entry){e.ignore=!0;return}e===this[Te]&&!e.piped&&this[Li](e)}}}[lr](e){return{onwarn:(t,i,r)=>this.warn(t,i,r),noPax:this.noPax,cwd:this.cwd,absolute:e.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[Tn](e){this[Q]+=1;try{return new this[Ai](e.path,this[lr](e)).on("end",()=>this[hr](e)).on("error",i=>this.emit("error",i))}catch(t){this.emit("error",t)}}[cr](){this[Te]&&this[Te].entry&&this[Te].entry.resume()}[Li](e){e.piped=!0,e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Ni](o+r)});let t=e.entry,i=this.zip;if(!t)throw new Error("cannot pipe without source");i?t.on("data",r=>{i.write(r)||t.pause()}):t.on("data",r=>{super.write(r)||t.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(e,t,i={}){(0,vh.warnMethod)(this,e,t,i)}};L.Pack=Fi;var pr=class extends Fi{sync=!0;constructor(e){super(e),this[Ai]=fr.WriteEntrySync}pause(){}resume(){}[dr](e){let t=this.follow?"statSync":"lstatSync";this[Pi](e,Ii.default[t](e.absolute))}[mr](e){this[Mi](e,Ii.default.readdirSync(e.absolute))}[Li](e){let t=e.entry,i=this.zip;if(e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Ni](o+r)}),!t)throw new Error("Cannot pipe without source");i?t.on("data",r=>{i.write(r)}):t.on("data",r=>{super[Nn](r)})}};L.PackSync=pr});var _r=d(ht=>{"use strict";var Th=ht&&ht.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ht,"__esModule",{value:!0});ht.create=void 0;var Mn=Ke(),Ln=Th(require("node:path")),An=rt(),Dh=Ve(),Bi=Ci(),Ph=(s,e)=>{let t=new Bi.PackSync(s),i=new Mn.WriteStreamSync(s.file,{mode:s.mode||438});t.pipe(i),In(t,e)},Nh=(s,e)=>{let t=new Bi.Pack(s),i=new Mn.WriteStream(s.file,{mode:s.mode||438});t.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),t.on("error",o)});return Fn(t,e).catch(n=>t.emit("error",n)),r},In=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,An.list)({file:Ln.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},Fn=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,An.list)({file:Ln.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(t);s.end()},Mh=(s,e)=>{let t=new Bi.PackSync(s);return In(t,e),t},Lh=(s,e)=>{let t=new Bi.Pack(s);return Fn(t,e).catch(i=>t.emit("error",i)),t};ht.create=(0,Dh.makeCommand)(Ph,Nh,Mh,Lh,(s,e)=>{if(!e?.length)throw new TypeError("no paths specified to add to archive")})});var Wn=d(lt=>{"use strict";var Ah=lt&<.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(lt,"__esModule",{value:!0});lt.getWriteFlag=void 0;var zn=Ah(require("fs")),Ih=process.env.__FAKE_PLATFORM__||process.platform,kn=Ih==="win32",{O_CREAT:xn,O_NOFOLLOW:Cn,O_TRUNC:jn,O_WRONLY:Un}=zn.default.constants,qn=Number(process.env.__FAKE_FS_O_FILENAME__)||zn.default.constants.UV_FS_O_FILEMAP||0,Fh=kn&&!!qn,Ch=512*1024,Bh=qn|jn|xn|Un,Bn=!kn&&typeof Cn=="number"?Cn|jn|xn|Un:null;lt.getWriteFlag=Bn!==null?()=>Bn:Fh?s=>s"w"});var Gn=d(le=>{"use strict";var Hn=le&&le.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(le,"__esModule",{value:!0});le.chownrSync=le.chownr=void 0;var ki=Hn(require("node:fs")),Mt=Hn(require("node:path")),wr=(s,e,t)=>{try{return ki.default.lchownSync(s,e,t)}catch(i){if(i?.code!=="ENOENT")throw i}},zi=(s,e,t,i)=>{ki.default.lchown(s,e,t,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},zh=(s,e,t,i,r)=>{if(e.isDirectory())(0,le.chownr)(Mt.default.resolve(s,e.name),t,i,n=>{if(n)return r(n);let o=Mt.default.resolve(s,e.name);zi(o,t,i,r)});else{let n=Mt.default.resolve(s,e.name);zi(n,t,i,r)}},kh=(s,e,t,i)=>{ki.default.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return zi(s,e,t,i);let o=n.length,a=null,h=l=>{if(!a){if(l)return i(a=l);if(--o===0)return zi(s,e,t,i)}};for(let l of n)zh(s,l,e,t,h)})};le.chownr=kh;var xh=(s,e,t,i)=>{e.isDirectory()&&(0,le.chownrSync)(Mt.default.resolve(s,e.name),t,i),wr(Mt.default.resolve(s,e.name),t,i)},jh=(s,e,t)=>{let i;try{i=ki.default.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return wr(s,e,t);throw n}for(let r of i)xh(s,r,e,t);return wr(s,e,t)};le.chownrSync=jh});var Zn=d(xi=>{"use strict";Object.defineProperty(xi,"__esModule",{value:!0});xi.CwdError=void 0;var yr=class extends Error{path;code;syscall="chdir";constructor(e,t){super(`${t}: Cannot cd into '${e}'`),this.path=e,this.code=t}get name(){return"CwdError"}};xi.CwdError=yr});var br=d(ji=>{"use strict";Object.defineProperty(ji,"__esModule",{value:!0});ji.SymlinkError=void 0;var Er=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(e,t){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=e,this.path=t}get name(){return"SymlinkError"}};ji.SymlinkError=Er});var Xn=d(De=>{"use strict";var gr=De&&De.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(De,"__esModule",{value:!0});De.mkdirSync=De.mkdir=void 0;var Yn=Gn(),j=gr(require("node:fs")),Uh=gr(require("node:fs/promises")),Ui=gr(require("node:path")),Kn=Zn(),_e=tt(),Vn=br(),qh=(s,e)=>{j.default.stat(s,(t,i)=>{(t||!i.isDirectory())&&(t=new Kn.CwdError(s,t?.code||"ENOTDIR")),e(t)})},Wh=(s,e,t)=>{s=(0,_e.normalizeWindowsPath)(s);let i=e.umask??18,r=e.mode|448,n=(r&i)!==0,o=e.uid,a=e.gid,h=typeof o=="number"&&typeof a=="number"&&(o!==e.processUid||a!==e.processGid),l=e.preserve,c=e.unlink,u=(0,_e.normalizeWindowsPath)(e.cwd),E=(w,P)=>{w?t(w):P&&h?(0,Yn.chownr)(P,o,a,xt=>E(xt)):n?j.default.chmod(s,r,t):t()};if(s===u)return qh(s,E);if(l)return Uh.default.mkdir(s,{mode:r,recursive:!0}).then(w=>E(null,w??void 0),E);let A=(0,_e.normalizeWindowsPath)(Ui.default.relative(u,s)).split("/");Sr(u,A,r,c,u,void 0,E)};De.mkdir=Wh;var Sr=(s,e,t,i,r,n,o)=>{if(e.length===0)return o(null,n);let a=e.shift(),h=(0,_e.normalizeWindowsPath)(Ui.default.resolve(s+"/"+a));j.default.mkdir(h,t,$n(h,e,t,i,r,n,o))},$n=(s,e,t,i,r,n,o)=>a=>{a?j.default.lstat(s,(h,l)=>{if(h)h.path=h.path&&(0,_e.normalizeWindowsPath)(h.path),o(h);else if(l.isDirectory())Sr(s,e,t,i,r,n,o);else if(i)j.default.unlink(s,c=>{if(c)return o(c);j.default.mkdir(s,t,$n(s,e,t,i,r,n,o))});else{if(l.isSymbolicLink())return o(new Vn.SymlinkError(s,s+"/"+e.join("/")));o(a)}}):(n=n||s,Sr(s,e,t,i,r,n,o))},Hh=s=>{let e=!1,t;try{e=j.default.statSync(s).isDirectory()}catch(i){t=i?.code}finally{if(!e)throw new Kn.CwdError(s,t??"ENOTDIR")}},Gh=(s,e)=>{s=(0,_e.normalizeWindowsPath)(s);let t=e.umask??18,i=e.mode|448,r=(i&t)!==0,n=e.uid,o=e.gid,a=typeof n=="number"&&typeof o=="number"&&(n!==e.processUid||o!==e.processGid),h=e.preserve,l=e.unlink,c=(0,_e.normalizeWindowsPath)(e.cwd),u=w=>{w&&a&&(0,Yn.chownrSync)(w,n,o),r&&j.default.chmodSync(s,i)};if(s===c)return Hh(c),u();if(h)return u(j.default.mkdirSync(s,{mode:i,recursive:!0})??void 0);let D=(0,_e.normalizeWindowsPath)(Ui.default.relative(c,s)).split("/"),A;for(let w=D.shift(),P=c;w&&(P+="/"+w);w=D.shift()){P=(0,_e.normalizeWindowsPath)(Ui.default.resolve(P));try{j.default.mkdirSync(P,i),A=A||P}catch{let xt=j.default.lstatSync(P);if(xt.isDirectory())continue;if(l){j.default.unlinkSync(P),j.default.mkdirSync(P,i),A=A||P;continue}else if(xt.isSymbolicLink())return new Vn.SymlinkError(P,P+"/"+D.join("/"))}}return u(A)};De.mkdirSync=Gh});var Jn=d(qi=>{"use strict";Object.defineProperty(qi,"__esModule",{value:!0});qi.normalizeUnicode=void 0;var Rr=Object.create(null),Qn=1e4,ct=new Set,Zh=s=>{ct.has(s)?ct.delete(s):Rr[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),ct.add(s);let e=Rr[s],t=ct.size-Qn;if(t>Qn/10){for(let i of ct)if(ct.delete(i),delete Rr[i],--t<=0)break}return e};qi.normalizeUnicode=Zh});var to=d(Wi=>{"use strict";Object.defineProperty(Wi,"__esModule",{value:!0});Wi.PathReservations=void 0;var eo=require("node:path"),Yh=Jn(),Kh=yi(),Vh=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,$h=Vh==="win32",Xh=s=>s.split("/").slice(0,-1).reduce((t,i)=>{let r=t.at(-1);return r!==void 0&&(i=(0,eo.join)(r,i)),t.push(i||"/"),t},[]),Or=class{#e=new Map;#i=new Map;#s=new Set;reserve(e,t){e=$h?["win32 parallelization disabled"]:e.map(r=>(0,Kh.stripTrailingSlashes)((0,eo.join)((0,Yh.normalizeUnicode)(r))));let i=new Set(e.map(r=>Xh(r)).reduce((r,n)=>r.concat(n)));this.#i.set(t,{dirs:i,paths:e});for(let r of e){let n=this.#e.get(r);n?n.push(t):this.#e.set(r,[t])}for(let r of i){let n=this.#e.get(r);if(!n)this.#e.set(r,[new Set([t])]);else{let o=n.at(-1);o instanceof Set?o.add(t):n.push(new Set([t]))}}return this.#r(t)}#n(e){let t=this.#i.get(e);if(!t)throw new Error("function does not have any path reservations");return{paths:t.paths.map(i=>this.#e.get(i)),dirs:[...t.dirs].map(i=>this.#e.get(i))}}check(e){let{paths:t,dirs:i}=this.#n(e);return t.every(r=>r&&r[0]===e)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(e))}#r(e){return this.#s.has(e)||!this.check(e)?!1:(this.#s.add(e),e(()=>this.#t(e)),!0)}#t(e){if(!this.#s.has(e))return!1;let t=this.#i.get(e);if(!t)throw new Error("invalid reservation");let{paths:i,dirs:r}=t,n=new Set;for(let o of i){let a=this.#e.get(o);if(!a||a?.[0]!==e)continue;let h=a[1];if(!h){this.#e.delete(o);continue}if(a.shift(),typeof h=="function")n.add(h);else for(let l of h)n.add(l)}for(let o of r){let a=this.#e.get(o),h=a?.[0];if(!(!a||!(h instanceof Set)))if(h.size===1&&a.length===1){this.#e.delete(o);continue}else if(h.size===1){a.shift();let l=a[0];typeof l=="function"&&n.add(l)}else h.delete(e)}return this.#s.delete(e),n.forEach(o=>this.#r(o)),!0}};Wi.PathReservations=Or});var io=d(Hi=>{"use strict";Object.defineProperty(Hi,"__esModule",{value:!0});Hi.umask=void 0;var Qh=()=>process.umask();Hi.umask=Qh});var Cr=d(k=>{"use strict";var Jh=k&&k.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),el=k&&k.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),fo=k&&k.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{if(!zt)return m.default.unlink(s,e);let t=s+".DELETE."+(0,mo.randomBytes)(16).toString("hex");m.default.rename(s,t,i=>{if(i)return e(i);m.default.unlink(t,e)})},cl=s=>{if(!zt)return m.default.unlinkSync(s);let e=s+".DELETE."+(0,mo.randomBytes)(16).toString("hex");m.default.renameSync(s,e),m.default.unlinkSync(e)},uo=(s,e,t)=>s!==void 0&&s===s>>>0?s:e!==void 0&&e===e>>>0?e:t,Yi=class extends sl.Parser{[Tr]=!1;[Bt]=!1;[Gi]=0;reservations=new nl.PathReservations;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(e={}){if(e.ondone=()=>{this[Tr]=!0,this[Dr]()},super(e),this.transform=e.transform,this.chmod=!!e.chmod,typeof e.uid=="number"||typeof e.gid=="number"){if(typeof e.uid!="number"||typeof e.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(e.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=e.uid,this.gid=e.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=e.preserveOwner===void 0&&typeof e.uid!="number"?process.getuid?.()===0:!!e.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof e.maxDepth=="number"?e.maxDepth:hl,this.forceChown=e.forceChown===!0,this.win32=!!e.win32||zt,this.newer=!!e.newer,this.keep=!!e.keep,this.noMtime=!!e.noMtime,this.preservePaths=!!e.preservePaths,this.unlink=!!e.unlink,this.cwd=(0,U.normalizeWindowsPath)(g.default.resolve(e.cwd||process.cwd())),this.strip=Number(e.strip)||0,this.processUmask=this.chmod?typeof e.processUmask=="number"?e.processUmask:(0,ol.umask)():0,this.umask=typeof e.umask=="number"?e.umask:this.processUmask,this.dmode=e.dmode||511&~this.umask,this.fmode=e.fmode||438&~this.umask,this.on("entry",t=>this[ro](t))}warn(e,t,i={}){return(e==="TAR_BAD_ARCHIVE"||e==="TAR_ABORT")&&(i.recoverable=!1),super.warn(e,t,i)}[Dr](){this[Tr]&&this[Gi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[vr](e,t){let i=e[t],{type:r}=e;if(!i||this.preservePaths)return!0;let[n,o]=(0,rl.stripAbsolutePath)(i),a=o.replaceAll(/\\/g,"/").split("/");if(a.includes("..")||zt&&/^[a-z]:\.\.$/i.test(a[0]??"")){if(t==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${t} contains '..'`,{entry:e,[t]:i}),!1;let h=g.default.posix.dirname(e.path),l=g.default.posix.normalize(g.default.posix.join(h,a.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${t} escapes extraction directory`,{entry:e,[t]:i}),!1}return n&&(e[t]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${t}`,{entry:e,[t]:i})),!0}[lo](e){let t=(0,U.normalizeWindowsPath)(e.path),i=t.split("/");if(this.strip){if(i.length=this.strip)e.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),e.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:e,path:t,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[vr](e,"path")||!this[vr](e,"linkpath"))return!1;if(e.absolute=g.default.isAbsolute(e.path)?(0,U.normalizeWindowsPath)(g.default.resolve(e.path)):(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,e.path)),!this.preservePaths&&typeof e.absolute=="string"&&e.absolute.indexOf(this.cwd+"/")!==0&&e.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:e,path:(0,U.normalizeWindowsPath)(e.path),resolvedPath:e.absolute,cwd:this.cwd}),!1;if(e.absolute===this.cwd&&e.type!=="Directory"&&e.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=g.default.win32.parse(String(e.absolute));e.absolute=r+so.encode(String(e.absolute).slice(r.length));let{root:n}=g.default.win32.parse(e.path);e.path=n+so.encode(e.path.slice(n.length))}return!0}[ro](e){if(!this[lo](e))return e.resume();switch(il.default.equal(typeof e.absolute,"string"),e.type){case"Directory":case"GNUDumpDir":e.mode&&(e.mode=e.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[Pr](e);default:return this[ho](e)}}[T](e,t){e.name==="CwdError"?this.emit("error",e):(this.warn("TAR_ENTRY_ERROR",e,{entry:t}),this[ut](),t.resume())}[Pe](e,t,i){(0,_o.mkdir)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t},i)}[It](e){return this.forceChown||this.preserveOwner&&(typeof e.uid=="number"&&e.uid!==this.processUid||typeof e.gid=="number"&&e.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[Ft](e){return uo(this.uid,e.uid,this.processUid)}[Ct](e){return uo(this.gid,e.gid,this.processGid)}[Mr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=new tl.WriteStream(String(e.absolute),{flags:(0,po.getWriteFlag)(e.size),mode:i,autoClose:!1});r.on("error",h=>{r.fd&&m.default.close(r.fd,()=>{}),r.write=()=>!0,this[T](h,e),t()});let n=1,o=h=>{if(h){r.fd&&m.default.close(r.fd,()=>{}),this[T](h,e),t();return}--n===0&&r.fd!==void 0&&m.default.close(r.fd,l=>{l?this[T](l,e):this[ut](),t()})};r.on("finish",()=>{let h=String(e.absolute),l=r.fd;if(typeof l=="number"&&e.mtime&&!this.noMtime){n++;let c=e.atime||new Date,u=e.mtime;m.default.futimes(l,c,u,E=>E?m.default.utimes(h,c,u,D=>o(D&&E)):o())}if(typeof l=="number"&&this[It](e)){n++;let c=this[Ft](e),u=this[Ct](e);typeof c=="number"&&typeof u=="number"&&m.default.fchown(l,c,u,E=>E?m.default.chown(h,c,u,D=>o(D&&E)):o())}o()});let a=this.transform&&this.transform(e)||e;a!==e&&(a.on("error",h=>{this[T](h,e),t()}),e.pipe(a)),a.pipe(r)}[Lr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode;this[Pe](String(e.absolute),i,r=>{if(r){this[T](r,e),t();return}let n=1,o=()=>{--n===0&&(t(),this[ut](),e.resume())};e.mtime&&!this.noMtime&&(n++,m.default.utimes(String(e.absolute),e.atime||new Date,e.mtime,o)),this[It](e)&&(n++,m.default.chown(String(e.absolute),Number(this[Ft](e)),Number(this[Ct](e)),o)),o()})}[ho](e){e.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${e.type}`,{entry:e}),e.resume()}[oo](e,t){let i=(0,U.normalizeWindowsPath)(g.default.relative(this.cwd,g.default.resolve(g.default.dirname(String(e.absolute)),String(e.linkpath)))).split("/");this[At](e,this.cwd,i,()=>this[Zi](e,String(e.linkpath),"symlink",t),r=>{this[T](r,e),t()})}[ao](e,t){let i=(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,String(e.linkpath))),r=(0,U.normalizeWindowsPath)(String(e.linkpath)).split("/");this[At](e,this.cwd,r,()=>this[Zi](e,i,"link",t),n=>{this[T](n,e),t()})}[At](e,t,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let a=g.default.resolve(t,o);m.default.lstat(a,(h,l)=>{if(h)return r();if(l?.isSymbolicLink())return n(new wo.SymlinkError(a,g.default.resolve(a,i.join("/"))));this[At](e,a,i,r,n)})}[co](){this[Gi]++}[ut](){this[Gi]--,this[Dr]()}[Ar](e){this[ut](),e.resume()}[Nr](e,t){return e.type==="File"&&!this.unlink&&t.isFile()&&t.nlink<=1&&!zt}[Pr](e){this[co]();let t=[e.path];e.linkpath&&t.push(e.linkpath),this.reservations.reserve(t,i=>this[no](e,i))}[no](e,t){let i=a=>{t(a)},r=()=>{this[Pe](this.cwd,this.dmode,a=>{if(a){this[T](a,e),i();return}this[Bt]=!0,n()})},n=()=>{if(e.absolute!==this.cwd){let a=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(a!==this.cwd)return this[Pe](a,this.dmode,h=>{if(h){this[T](h,e),i();return}o()})}o()},o=()=>{m.default.lstat(String(e.absolute),(a,h)=>{if(h&&(this.keep||this.newer&&h.mtime>(e.mtime??h.mtime))){this[Ar](e),i();return}if(a||this[Nr](e,h))return this[G](null,e,i);if(h.isDirectory()){if(e.type==="Directory"){let l=this.chmod&&e.mode&&(h.mode&4095)!==e.mode,c=u=>this[G](u??null,e,i);return l?m.default.chmod(String(e.absolute),Number(e.mode),c):c()}if(e.absolute!==this.cwd)return m.default.rmdir(String(e.absolute),l=>this[G](l??null,e,i))}if(e.absolute===this.cwd)return this[G](null,e,i);ll(String(e.absolute),l=>this[G](l??null,e,i))})};this[Bt]?n():r()}[G](e,t,i){if(e){this[T](e,t),i();return}switch(t.type){case"File":case"OldFile":case"ContiguousFile":return this[Mr](t,i);case"Link":return this[ao](t,i);case"SymbolicLink":return this[oo](t,i);case"Directory":case"GNUDumpDir":return this[Lr](t,i)}}[Zi](e,t,i,r){m.default[i](t,String(e.absolute),n=>{n?this[T](n,e):(this[ut](),e.resume()),r()})}};k.Unpack=Yi;var Lt=s=>{try{return[null,s()]}catch(e){return[e,null]}},Ir=class extends Yi{sync=!0;[G](e,t){return super[G](e,t,()=>{})}[Pr](e){if(!this[Bt]){let n=this[Pe](this.cwd,this.dmode);if(n)return this[T](n,e);this[Bt]=!0}if(e.absolute!==this.cwd){let n=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(n!==this.cwd){let o=this[Pe](n,this.dmode);if(o)return this[T](o,e)}}let[t,i]=Lt(()=>m.default.lstatSync(String(e.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(e.mtime??i.mtime)))return this[Ar](e);if(t||this[Nr](e,i))return this[G](null,e);if(i.isDirectory()){if(e.type==="Directory"){let o=this.chmod&&e.mode&&(i.mode&4095)!==e.mode,[a]=o?Lt(()=>{m.default.chmodSync(String(e.absolute),Number(e.mode))}):[];return this[G](a,e)}let[n]=Lt(()=>m.default.rmdirSync(String(e.absolute)));this[G](n,e)}let[r]=e.absolute===this.cwd?[]:Lt(()=>cl(String(e.absolute)));this[G](r,e)}[Mr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=a=>{let h;try{m.default.closeSync(n)}catch(l){h=l}(a||h)&&this[T](a||h,e),t()},n;try{n=m.default.openSync(String(e.absolute),(0,po.getWriteFlag)(e.size),i)}catch(a){return r(a)}let o=this.transform&&this.transform(e)||e;o!==e&&(o.on("error",a=>this[T](a,e)),e.pipe(o)),o.on("data",a=>{try{m.default.writeSync(n,a,0,a.length)}catch(h){r(h)}}),o.on("end",()=>{let a=null;if(e.mtime&&!this.noMtime){let h=e.atime||new Date,l=e.mtime;try{m.default.futimesSync(n,h,l)}catch(c){try{m.default.utimesSync(String(e.absolute),h,l)}catch{a=c}}}if(this[It](e)){let h=this[Ft](e),l=this[Ct](e);try{m.default.fchownSync(n,Number(h),Number(l))}catch(c){try{m.default.chownSync(String(e.absolute),Number(h),Number(l))}catch{a=a||c}}}r(a)})}[Lr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode,r=this[Pe](String(e.absolute),i);if(r){this[T](r,e),t();return}if(e.mtime&&!this.noMtime)try{m.default.utimesSync(String(e.absolute),e.atime||new Date,e.mtime)}catch{}if(this[It](e))try{m.default.chownSync(String(e.absolute),Number(this[Ft](e)),Number(this[Ct](e)))}catch{}t(),e.resume()}[Pe](e,t){try{return(0,_o.mkdirSync)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t})}catch(i){return i}}[At](e,t,i,r,n){if(this.preservePaths||i.length===0)return r();let o=t;for(let a of i){o=g.default.resolve(o,a);let[h,l]=Lt(()=>m.default.lstatSync(o));if(h)return r();if(l.isSymbolicLink())return n(new wo.SymlinkError(o,g.default.resolve(t,i.join("/"))))}r()}[Zi](e,t,i,r){let n=`${i}Sync`;try{m.default[n](t,String(e.absolute)),r(),e.resume()}catch(o){return this[T](o,e)}}};k.UnpackSync=Ir});var Br=d(Z=>{"use strict";var ul=Z&&Z.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),fl=Z&&Z.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),dl=Z&&Z.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=new Ki.UnpackSync(s),t=s.file,i=Eo.default.statSync(t),r=s.maxReadSize||16*1024*1024;new yo.ReadStreamSync(t,{readSize:r,size:i.size}).pipe(e)},yl=(s,e)=>{let t=new Ki.Unpack(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("close",o),Eo.default.stat(r,(h,l)=>{if(h)a(h);else{let c=new yo.ReadStream(r,{readSize:i,size:l.size});c.on("error",a),c.pipe(t)}})})};Z.extract=(0,_l.makeCommand)(wl,yl,s=>new Ki.UnpackSync(s),s=>new Ki.Unpack(s),(s,e)=>{e?.length&&(0,pl.filesFilter)(s,e)})});var Vi=d(ft=>{"use strict";var bo=ft&&ft.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ft,"__esModule",{value:!0});ft.replace=void 0;var So=Ke(),q=bo(require("node:fs")),go=bo(require("node:path")),Ro=et(),Oo=rt(),El=Ve(),bl=Qt(),vo=Ci(),Sl=(s,e)=>{let t=new vo.PackSync(s),i=!0,r,n;try{try{r=q.default.openSync(s.file,"r+")}catch(h){if(h?.code==="ENOENT")r=q.default.openSync(s.file,"w+");else throw h}let o=q.default.fstatSync(r),a=Buffer.alloc(512);e:for(n=0;no.size)break;n+=l,s.mtimeCache&&h.mtime&&s.mtimeCache.set(String(h.path),h.mtime)}i=!1,gl(s,t,n,r,e)}finally{if(i)try{q.default.closeSync(r)}catch{}}},gl=(s,e,t,i,r)=>{let n=new So.WriteStreamSync(s.file,{fd:i,start:t});e.pipe(n),Ol(e,r)},Rl=(s,e)=>{e=Array.from(e);let t=new vo.Pack(s),i=(n,o,a)=>{let h=(D,A)=>{D?q.default.close(n,w=>a(D)):a(null,A)},l=0;if(o===0)return h(null,0);let c=0,u=Buffer.alloc(512),E=(D,A)=>{if(D||A===void 0)return h(D);if(c+=A,c<512&&A)return q.default.read(n,u,c,u.length-c,l+c,E);if(l===0&&u[0]===31&&u[1]===139)return h(new Error("cannot append to compressed archives"));if(c<512)return h(null,l);let w=new Ro.Header(u);if(!w.cksumValid)return h(null,l);let P=512*Math.ceil((w.size??0)/512);if(l+P+512>o||(l+=P+512,l>=o))return h(null,l);s.mtimeCache&&w.mtime&&s.mtimeCache.set(String(w.path),w.mtime),c=0,q.default.read(n,u,0,512,l,E)};q.default.read(n,u,0,512,l,E)};return new Promise((n,o)=>{t.on("error",o);let a="r+",h=(l,c)=>{if(l&&l.code==="ENOENT"&&a==="r+")return a="w+",q.default.open(s.file,a,h);if(l||!c)return o(l);q.default.fstat(c,(u,E)=>{if(u)return q.default.close(c,()=>o(u));i(c,E.size,(D,A)=>{if(D)return o(D);let w=new So.WriteStream(s.file,{fd:c,start:A});t.pipe(w),w.on("error",o),w.on("close",n),vl(t,e)})})};q.default.open(s.file,a,h)})},Ol=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,Oo.list)({file:go.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},vl=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,Oo.list)({file:go.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t);s.end()};ft.replace=(0,El.makeCommand)(Sl,Rl,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,e)=>{if(!(0,bl.isFile)(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!e?.length)throw new TypeError("no paths specified to add/replace")})});var zr=d($i=>{"use strict";Object.defineProperty($i,"__esModule",{value:!0});$i.update=void 0;var Tl=Ve(),kt=Vi();$i.update=(0,Tl.makeCommand)(kt.replace.syncFile,kt.replace.asyncFile,kt.replace.syncNoFile,kt.replace.asyncNoFile,(s,e=[])=>{kt.replace.validate?.(s,e),Dl(s)});var Dl=s=>{let e=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=e?(t,i)=>e(t,i)&&!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0)):(t,i)=>!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0))}});var To=exports&&exports.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Pl=exports&&exports.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Y=exports&&exports.__exportStar||function(s,e){for(var t in s)t!=="default"&&!Object.prototype.hasOwnProperty.call(e,t)&&To(e,s,t)},Nl=exports&&exports.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r p
- : (p) => p && p.replaceAll(/\\/g, '/');
+ (p) => String(p)
+ : (p) => String(p).replaceAll(/\\/g, '/');
//# sourceMappingURL=normalize-windows-path.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/tar/dist/commonjs/parse.js b/deps/npm/node_modules/tar/dist/commonjs/parse.js
index 999873ec64032e..2968e861ee68e5 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/parse.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/parse.js
@@ -60,6 +60,10 @@ const SAW_VALID_ENTRY = Symbol('sawValidEntry');
const SAW_NULL_BLOCK = Symbol('sawNullBlock');
const SAW_EOF = Symbol('sawEOF');
const CLOSESTREAM = Symbol('closeStream');
+const MAX_DECOMPRESSION_RATIO = 1000;
+const COMPRESSEDBYTESREAD = Symbol('compressedBytesRead');
+const DECOMPRESSEDBYTESREAD = Symbol('decompressedBytesRead');
+const CHECKDECOMPRESSIONRATIO = Symbol('checkDecompressionRatio');
const noop = () => true;
class Parser extends events_1.EventEmitter {
file;
@@ -68,6 +72,7 @@ class Parser extends events_1.EventEmitter {
filter;
brotli;
zstd;
+ maxDecompressionRatio;
writable = true;
readable = false;
[QUEUE] = [];
@@ -87,6 +92,8 @@ class Parser extends events_1.EventEmitter {
[WRITING] = false;
[CONSUMING] = false;
[EMITTEDEND] = false;
+ [COMPRESSEDBYTESREAD] = 0;
+ [DECOMPRESSEDBYTESREAD] = 0;
constructor(opt = {}) {
super();
this.file = opt.file || '';
@@ -109,6 +116,10 @@ class Parser extends events_1.EventEmitter {
});
}
this.strict = !!opt.strict;
+ this.maxDecompressionRatio =
+ typeof opt.maxDecompressionRatio === 'number' ?
+ opt.maxDecompressionRatio
+ : MAX_DECOMPRESSION_RATIO;
this.maxMetaEntrySize = opt.maxMetaEntrySize || maxMetaEntrySize;
this.filter = typeof opt.filter === 'function' ? opt.filter : noop;
// Unlike gzip, brotli doesn't have any magic bytes to identify it
@@ -362,11 +373,23 @@ class Parser extends events_1.EventEmitter {
}
}
abort(error) {
+ if (this[ABORTED]) {
+ return;
+ }
this[ABORTED] = true;
this.emit('abort', error);
// always throws, even in non-strict mode
this.warn('TAR_ABORT', error, { recoverable: false });
}
+ [CHECKDECOMPRESSIONRATIO](chunk) {
+ this[DECOMPRESSEDBYTESREAD] += chunk.length;
+ const ratio = this[DECOMPRESSEDBYTESREAD] / this[COMPRESSEDBYTESREAD];
+ if (ratio > this.maxDecompressionRatio) {
+ this.abort(new Error(`max decompression ratio exceeded: ${ratio.toFixed(2)} > ${this.maxDecompressionRatio}`));
+ return false;
+ }
+ return true;
+ }
write(chunk, encoding, cb) {
if (typeof encoding === 'function') {
cb = encoding;
@@ -450,13 +473,22 @@ class Parser extends events_1.EventEmitter {
this[UNZIP] === undefined ? new minizlib_1.Unzip({})
: isZstd ? new minizlib_1.ZstdDecompress({})
: new minizlib_1.BrotliDecompress({});
- this[UNZIP].on('data', chunk => this[CONSUMECHUNK](chunk));
- this[UNZIP].on('error', er => this.abort(er));
+ this[UNZIP].on('data', chunk => {
+ if (this[CHECKDECOMPRESSIONRATIO](chunk)) {
+ this[CONSUMECHUNK](chunk);
+ }
+ });
+ this[UNZIP].on('error', er => {
+ if (!this[ABORTED]) {
+ this.abort(er);
+ }
+ });
this[UNZIP].on('end', () => {
this[ENDED] = true;
this[CONSUMECHUNK]();
});
this[WRITING] = true;
+ this[COMPRESSEDBYTESREAD] += chunk.length;
const ret = !!this[UNZIP][ended ? 'end' : 'write'](chunk);
this[WRITING] = false;
cb?.();
@@ -465,6 +497,7 @@ class Parser extends events_1.EventEmitter {
}
this[WRITING] = true;
if (this[UNZIP]) {
+ this[COMPRESSEDBYTESREAD] += chunk.length;
this[UNZIP].write(chunk);
}
else {
@@ -495,7 +528,7 @@ class Parser extends events_1.EventEmitter {
!this[CONSUMING]) {
this[EMITTEDEND] = true;
const entry = this[WRITEENTRY];
- if (entry && entry.blockRemain) {
+ if (entry?.blockRemain) {
// truncated, likely a damaged file
const have = this[BUFFER] ? this[BUFFER].length : 0;
this.warn('TAR_BAD_ARCHIVE', `Truncated input (needed ${entry.blockRemain} more bytes, only ${have} available)`, { entry });
@@ -589,8 +622,10 @@ class Parser extends events_1.EventEmitter {
if (!this[ABORTED]) {
if (this[UNZIP]) {
/* c8 ignore start */
- if (chunk)
+ if (chunk) {
+ this[COMPRESSEDBYTESREAD] += chunk.length;
this[UNZIP].write(chunk);
+ }
/* c8 ignore stop */
this[UNZIP].end();
}
diff --git a/deps/npm/node_modules/tar/dist/commonjs/pax.js b/deps/npm/node_modules/tar/dist/commonjs/pax.js
index d30c0f3efbe9ea..fce37f63058e10 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/pax.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/pax.js
@@ -147,12 +147,36 @@ const parseKVLine = (set, line) => {
return set;
}
const k = r.replace(/^SCHILY\.(dev|ino|nlink)/, '$1');
- const v = kv.join('=');
- set[k] =
- /^([A-Z]+\.)?([mac]|birth|creation)time$/.test(k) ?
- new Date(Number(v) * 1000)
- : /^[0-9]+$/.test(v) ? +v
- : v;
+ const v = kv.join('=').replace(/\0.*/, '');
+ switch (k) {
+ case 'path':
+ case 'linkpath':
+ case 'type':
+ case 'charset':
+ case 'comment':
+ case 'gname':
+ case 'uname':
+ set[k] = v;
+ break;
+ case 'ctime':
+ case 'atime':
+ case 'mtime':
+ set[k] = new Date(Number(v) * 1000);
+ break;
+ case 'size':
+ const s = +v;
+ if (s >= 0)
+ set[k] = s;
+ break;
+ case 'gid':
+ case 'uid':
+ case 'dev':
+ case 'ino':
+ case 'nlink':
+ case 'mode':
+ set[k] = +v;
+ break;
+ }
return set;
};
//# sourceMappingURL=pax.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/tar/dist/commonjs/unpack.js b/deps/npm/node_modules/tar/dist/commonjs/unpack.js
index 3df1031d84cbe5..0e9f861abb87cb 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/unpack.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/unpack.js
@@ -185,7 +185,7 @@ class Unpack extends parse_js_1.Parser {
// default true for root
this.preserveOwner =
opt.preserveOwner === undefined && typeof opt.uid !== 'number' ?
- !!(process.getuid && process.getuid() === 0)
+ !!(process.getuid?.() === 0)
: !!opt.preserveOwner;
this.processUid =
(this.preserveOwner || this.setOwner) && process.getuid ?
@@ -406,7 +406,7 @@ class Unpack extends parse_js_1.Parser {
}
}
[MKDIR](dir, mode, cb) {
- (0, mkdir_js_1.mkdir)((0, normalize_windows_path_js_1.normalizeWindowsPath)(dir), {
+ void (0, mkdir_js_1.mkdir)((0, normalize_windows_path_js_1.normalizeWindowsPath)(dir), {
uid: this.uid,
gid: this.gid,
processUid: this.processUid,
diff --git a/deps/npm/node_modules/tar/dist/esm/header.js b/deps/npm/node_modules/tar/dist/esm/header.js
index fe8c09928e46c9..068c4ea039885e 100644
--- a/deps/npm/node_modules/tar/dist/esm/header.js
+++ b/deps/npm/node_modules/tar/dist/esm/header.js
@@ -5,6 +5,7 @@
import { posix as pathModule } from 'node:path';
import * as large from './large-numbers.js';
import * as types from './types.js';
+const notNegative = (n) => n === undefined || n < 0 ? undefined : n;
export class Header {
cksumValid = false;
needPax = false;
@@ -63,10 +64,9 @@ export class Header {
exForFields?.uid ?? gexForFields?.uid ?? decNumber(buf, off + 108, 8);
this.gid =
exForFields?.gid ?? gexForFields?.gid ?? decNumber(buf, off + 116, 8);
- this.size =
- exForFields?.size ??
- gexForFields?.size ??
- decNumber(buf, off + 124, 12);
+ this.size = notNegative(exForFields?.size ??
+ gexForFields?.size ??
+ decNumber(buf, off + 124, 12));
this.mtime =
exForFields?.mtime ??
gexForFields?.mtime ??
@@ -152,6 +152,7 @@ export class Header {
// null/undefined values are ignored.
return !(v === null ||
v === undefined ||
+ (k === 'size' && Number(v) < 0) ||
(k === 'path' && gex) ||
(k === 'linkpath' && gex) ||
k === 'global');
diff --git a/deps/npm/node_modules/tar/dist/esm/index.min.js b/deps/npm/node_modules/tar/dist/esm/index.min.js
index 57c1c7a4df9a80..bf4036b4115e85 100644
--- a/deps/npm/node_modules/tar/dist/esm/index.min.js
+++ b/deps/npm/node_modules/tar/dist/esm/index.min.js
@@ -1,4 +1,4 @@
-var Mr=Object.defineProperty;var Br=(s,t)=>{for(var e in t)Mr(s,e,{get:t[e],enumerable:!0})};import $r from"events";import I from"fs";import{EventEmitter as Li}from"node:events";import As from"node:stream";import{StringDecoder as Pr}from"node:string_decoder";var xs=typeof process=="object"&&process?process:{stdout:null,stderr:null},zr=s=>!!s&&typeof s=="object"&&(s instanceof A||s instanceof As||Ur(s)||Hr(s)),Ur=s=>!!s&&typeof s=="object"&&s instanceof Li&&typeof s.pipe=="function"&&s.pipe!==As.Writable.prototype.pipe,Hr=s=>!!s&&typeof s=="object"&&s instanceof Li&&typeof s.write=="function"&&typeof s.end=="function",q=Symbol("EOF"),Q=Symbol("maybeEmitEnd"),rt=Symbol("emittedEnd"),Le=Symbol("emittingEnd"),qt=Symbol("emittedError"),Ne=Symbol("closed"),Ls=Symbol("read"),De=Symbol("flush"),Ns=Symbol("flushChunk"),z=Symbol("encoding"),Mt=Symbol("decoder"),g=Symbol("flowing"),Qt=Symbol("paused"),Bt=Symbol("resume"),b=Symbol("buffer"),D=Symbol("pipes"),_=Symbol("bufferLength"),gi=Symbol("bufferPush"),Ae=Symbol("bufferShift"),L=Symbol("objectMode"),w=Symbol("destroyed"),bi=Symbol("error"),_i=Symbol("emitData"),Ds=Symbol("emitEnd"),Oi=Symbol("emitEnd2"),Z=Symbol("async"),Ti=Symbol("abort"),Ie=Symbol("aborted"),Jt=Symbol("signal"),Rt=Symbol("dataListeners"),F=Symbol("discarded"),jt=s=>Promise.resolve().then(s),Wr=s=>s(),Gr=s=>s==="end"||s==="finish"||s==="prefinish",Zr=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Yr=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Fe=class{src;dest;opts;ondrain;constructor(t,e,i){this.src=t,this.dest=e,this.opts=i,this.ondrain=()=>t[Bt](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(t){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},xi=class extends Fe{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(t,e,i){super(t,e,i),this.proxyErrors=r=>this.dest.emit("error",r),t.on("error",this.proxyErrors)}},Kr=s=>!!s.objectMode,Vr=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",A=class extends Li{[g]=!1;[Qt]=!1;[D]=[];[b]=[];[L];[z];[Z];[Mt];[q]=!1;[rt]=!1;[Le]=!1;[Ne]=!1;[qt]=null;[_]=0;[w]=!1;[Jt];[Ie]=!1;[Rt]=0;[F]=!1;writable=!0;readable=!0;constructor(...t){let e=t[0]||{};if(super(),e.objectMode&&typeof e.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Kr(e)?(this[L]=!0,this[z]=null):Vr(e)?(this[z]=e.encoding,this[L]=!1):(this[L]=!1,this[z]=null),this[Z]=!!e.async,this[Mt]=this[z]?new Pr(this[z]):null,e&&e.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[b]}),e&&e.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[D]});let{signal:i}=e;i&&(this[Jt]=i,i.aborted?this[Ti]():i.addEventListener("abort",()=>this[Ti]()))}get bufferLength(){return this[_]}get encoding(){return this[z]}set encoding(t){throw new Error("Encoding must be set at instantiation time")}setEncoding(t){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[L]}set objectMode(t){throw new Error("objectMode must be set at instantiation time")}get async(){return this[Z]}set async(t){this[Z]=this[Z]||!!t}[Ti](){this[Ie]=!0,this.emit("abort",this[Jt]?.reason),this.destroy(this[Jt]?.reason)}get aborted(){return this[Ie]}set aborted(t){}write(t,e,i){if(this[Ie])return!1;if(this[q])throw new Error("write after end");if(this[w])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof e=="function"&&(i=e,e="utf8"),e||(e="utf8");let r=this[Z]?jt:Wr;if(!this[L]&&!Buffer.isBuffer(t)){if(Yr(t))t=Buffer.from(t.buffer,t.byteOffset,t.byteLength);else if(Zr(t))t=Buffer.from(t);else if(typeof t!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[L]?(this[g]&&this[_]!==0&&this[De](!0),this[g]?this.emit("data",t):this[gi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):t.length?(typeof t=="string"&&!(e===this[z]&&!this[Mt]?.lastNeed)&&(t=Buffer.from(t,e)),Buffer.isBuffer(t)&&this[z]&&(t=this[Mt].write(t)),this[g]&&this[_]!==0&&this[De](!0),this[g]?this.emit("data",t):this[gi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):(this[_]!==0&&this.emit("readable"),i&&r(i),this[g])}read(t){if(this[w])return null;if(this[F]=!1,this[_]===0||t===0||t&&t>this[_])return this[Q](),null;this[L]&&(t=null),this[b].length>1&&!this[L]&&(this[b]=[this[z]?this[b].join(""):Buffer.concat(this[b],this[_])]);let e=this[Ls](t||null,this[b][0]);return this[Q](),e}[Ls](t,e){if(this[L])this[Ae]();else{let i=e;t===i.length||t===null?this[Ae]():typeof i=="string"?(this[b][0]=i.slice(t),e=i.slice(0,t),this[_]-=t):(this[b][0]=i.subarray(t),e=i.subarray(0,t),this[_]-=t)}return this.emit("data",e),!this[b].length&&!this[q]&&this.emit("drain"),e}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e="utf8"),t!==void 0&&this.write(t,e),i&&this.once("end",i),this[q]=!0,this.writable=!1,(this[g]||!this[Qt])&&this[Q](),this}[Bt](){this[w]||(!this[Rt]&&!this[D].length&&(this[F]=!0),this[Qt]=!1,this[g]=!0,this.emit("resume"),this[b].length?this[De]():this[q]?this[Q]():this.emit("drain"))}resume(){return this[Bt]()}pause(){this[g]=!1,this[Qt]=!0,this[F]=!1}get destroyed(){return this[w]}get flowing(){return this[g]}get paused(){return this[Qt]}[gi](t){this[L]?this[_]+=1:this[_]+=t.length,this[b].push(t)}[Ae](){return this[L]?this[_]-=1:this[_]-=this[b][0].length,this[b].shift()}[De](t=!1){do;while(this[Ns](this[Ae]())&&this[b].length);!t&&!this[b].length&&!this[q]&&this.emit("drain")}[Ns](t){return this.emit("data",t),this[g]}pipe(t,e){if(this[w])return t;this[F]=!1;let i=this[rt];return e=e||{},t===xs.stdout||t===xs.stderr?e.end=!1:e.end=e.end!==!1,e.proxyErrors=!!e.proxyErrors,i?e.end&&t.end():(this[D].push(e.proxyErrors?new xi(this,t,e):new Fe(this,t,e)),this[Z]?jt(()=>this[Bt]()):this[Bt]()),t}unpipe(t){let e=this[D].find(i=>i.dest===t);e&&(this[D].length===1?(this[g]&&this[Rt]===0&&(this[g]=!1),this[D]=[]):this[D].splice(this[D].indexOf(e),1),e.unpipe())}addListener(t,e){return this.on(t,e)}on(t,e){let i=super.on(t,e);if(t==="data")this[F]=!1,this[Rt]++,!this[D].length&&!this[g]&&this[Bt]();else if(t==="readable"&&this[_]!==0)super.emit("readable");else if(Gr(t)&&this[rt])super.emit(t),this.removeAllListeners(t);else if(t==="error"&&this[qt]){let r=e;this[Z]?jt(()=>r.call(this,this[qt])):r.call(this,this[qt])}return i}removeListener(t,e){return this.off(t,e)}off(t,e){let i=super.off(t,e);return t==="data"&&(this[Rt]=this.listeners("data").length,this[Rt]===0&&!this[F]&&!this[D].length&&(this[g]=!1)),i}removeAllListeners(t){let e=super.removeAllListeners(t);return(t==="data"||t===void 0)&&(this[Rt]=0,!this[F]&&!this[D].length&&(this[g]=!1)),e}get emittedEnd(){return this[rt]}[Q](){!this[Le]&&!this[rt]&&!this[w]&&this[b].length===0&&this[q]&&(this[Le]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[Ne]&&this.emit("close"),this[Le]=!1)}emit(t,...e){let i=e[0];if(t!=="error"&&t!=="close"&&t!==w&&this[w])return!1;if(t==="data")return!this[L]&&!i?!1:this[Z]?(jt(()=>this[_i](i)),!0):this[_i](i);if(t==="end")return this[Ds]();if(t==="close"){if(this[Ne]=!0,!this[rt]&&!this[w])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(t==="error"){this[qt]=i,super.emit(bi,i);let n=!this[Jt]||this.listeners("error").length?super.emit("error",i):!1;return this[Q](),n}else if(t==="resume"){let n=super.emit("resume");return this[Q](),n}else if(t==="finish"||t==="prefinish"){let n=super.emit(t);return this.removeAllListeners(t),n}let r=super.emit(t,...e);return this[Q](),r}[_i](t){for(let i of this[D])i.dest.write(t)===!1&&this.pause();let e=this[F]?!1:super.emit("data",t);return this[Q](),e}[Ds](){return this[rt]?!1:(this[rt]=!0,this.readable=!1,this[Z]?(jt(()=>this[Oi]()),!0):this[Oi]())}[Oi](){if(this[Mt]){let e=this[Mt].end();if(e){for(let i of this[D])i.dest.write(e);this[F]||super.emit("data",e)}}for(let e of this[D])e.end();let t=super.emit("end");return this.removeAllListeners("end"),t}async collect(){let t=Object.assign([],{dataLength:0});this[L]||(t.dataLength=0);let e=this.promise();return this.on("data",i=>{t.push(i),this[L]||(t.dataLength+=i.length)}),await e,t}async concat(){if(this[L])throw new Error("cannot concat in objectMode");let t=await this.collect();return this[z]?t.join(""):Buffer.concat(t,t.dataLength)}async promise(){return new Promise((t,e)=>{this.on(w,()=>e(new Error("stream destroyed"))),this.on("error",i=>e(i)),this.on("end",()=>t())})}[Symbol.asyncIterator](){this[F]=!1;let t=!1,e=async()=>(this.pause(),t=!0,{value:void 0,done:!0});return{next:()=>{if(t)return e();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[q])return e();let n,o,a=d=>{this.off("data",h),this.off("end",l),this.off(w,c),e(),o(d)},h=d=>{this.off("error",a),this.off("end",l),this.off(w,c),this.pause(),n({value:d,done:!!this[q]})},l=()=>{this.off("error",a),this.off("data",h),this.off(w,c),e(),n({done:!0,value:void 0})},c=()=>a(new Error("stream destroyed"));return new Promise((d,S)=>{o=S,n=d,this.once(w,c),this.once("error",a),this.once("end",l),this.once("data",h)})},throw:e,return:e,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[F]=!1;let t=!1,e=()=>(this.pause(),this.off(bi,e),this.off(w,e),this.off("end",e),t=!0,{done:!0,value:void 0}),i=()=>{if(t)return e();let r=this.read();return r===null?e():{done:!1,value:r}};return this.once("end",e),this.once(bi,e),this.once(w,e),{next:i,throw:e,return:e,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(t){if(this[w])return t?this.emit("error",t):this.emit(w),this;this[w]=!0,this[F]=!0,this[b].length=0,this[_]=0;let e=this;return typeof e.close=="function"&&!this[Ne]&&e.close(),t?this.emit("error",t):this.emit(w),this}static get isStream(){return zr}};var Xr=I.writev,ot=Symbol("_autoClose"),H=Symbol("_close"),te=Symbol("_ended"),m=Symbol("_fd"),Ni=Symbol("_finished"),j=Symbol("_flags"),Di=Symbol("_flush"),Ci=Symbol("_handleChunk"),ki=Symbol("_makeBuf"),ie=Symbol("_mode"),Ce=Symbol("_needDrain"),Ut=Symbol("_onerror"),Ht=Symbol("_onopen"),Ai=Symbol("_onread"),Pt=Symbol("_onwrite"),ht=Symbol("_open"),U=Symbol("_path"),nt=Symbol("_pos"),Y=Symbol("_queue"),zt=Symbol("_read"),Ii=Symbol("_readSize"),J=Symbol("_reading"),ee=Symbol("_remain"),Fi=Symbol("_size"),ke=Symbol("_write"),gt=Symbol("_writing"),ve=Symbol("_defaultFlag"),bt=Symbol("_errored"),_t=class extends A{[bt]=!1;[m];[U];[Ii];[J]=!1;[Fi];[ee];[ot];constructor(t,e){if(e=e||{},super(e),this.readable=!0,this.writable=!1,typeof t!="string")throw new TypeError("path must be a string");this[bt]=!1,this[m]=typeof e.fd=="number"?e.fd:void 0,this[U]=t,this[Ii]=e.readSize||16*1024*1024,this[J]=!1,this[Fi]=typeof e.size=="number"?e.size:1/0,this[ee]=this[Fi],this[ot]=typeof e.autoClose=="boolean"?e.autoClose:!0,typeof this[m]=="number"?this[zt]():this[ht]()}get fd(){return this[m]}get path(){return this[U]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[ht](){I.open(this[U],"r",(t,e)=>this[Ht](t,e))}[Ht](t,e){t?this[Ut](t):(this[m]=e,this.emit("open",e),this[zt]())}[ki](){return Buffer.allocUnsafe(Math.min(this[Ii],this[ee]))}[zt](){if(!this[J]){this[J]=!0;let t=this[ki]();if(t.length===0)return process.nextTick(()=>this[Ai](null,0,t));I.read(this[m],t,0,t.length,null,(e,i,r)=>this[Ai](e,i,r))}}[Ai](t,e,i){this[J]=!1,t?this[Ut](t):this[Ci](e,i)&&this[zt]()}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}[Ut](t){this[J]=!0,this[H](),this.emit("error",t)}[Ci](t,e){let i=!1;return this[ee]-=t,t>0&&(i=super.write(tthis[Ht](t,e))}[Ht](t,e){this[ve]&&this[j]==="r+"&&t&&t.code==="ENOENT"?(this[j]="w",this[ht]()):t?this[Ut](t):(this[m]=e,this.emit("open",e),this[gt]||this[Di]())}end(t,e){return t&&this.write(t,e),this[te]=!0,!this[gt]&&!this[Y].length&&typeof this[m]=="number"&&this[Pt](null,0),this}write(t,e){return typeof t=="string"&&(t=Buffer.from(t,e)),this[te]?(this.emit("error",new Error("write() after end()")),!1):this[m]===void 0||this[gt]||this[Y].length?(this[Y].push(t),this[Ce]=!0,!1):(this[gt]=!0,this[ke](t),!0)}[ke](t){I.write(this[m],t,0,t.length,this[nt],(e,i)=>this[Pt](e,i))}[Pt](t,e){t?this[Ut](t):(this[nt]!==void 0&&typeof e=="number"&&(this[nt]+=e),this[Y].length?this[Di]():(this[gt]=!1,this[te]&&!this[Ni]?(this[Ni]=!0,this[H](),this.emit("finish")):this[Ce]&&(this[Ce]=!1,this.emit("drain"))))}[Di](){if(this[Y].length===0)this[te]&&this[Pt](null,0);else if(this[Y].length===1)this[ke](this[Y].pop());else{let t=this[Y];this[Y]=[],Xr(this[m],t,this[nt],(e,i)=>this[Pt](e,i))}}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}},Wt=class extends tt{[ht](){let t;if(this[ve]&&this[j]==="r+")try{t=I.openSync(this[U],this[j],this[ie])}catch(e){if(e?.code==="ENOENT")return this[j]="w",this[ht]();throw e}else t=I.openSync(this[U],this[j],this[ie]);this[Ht](null,t)}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.closeSync(t),this.emit("close")}}[ke](t){let e=!0;try{this[Pt](null,I.writeSync(this[m],t,0,t.length,this[nt])),e=!1}finally{if(e)try{this[H]()}catch{}}}};import hr from"node:path";import Kt from"node:fs";import{dirname as Nn,parse as Dn}from"path";var qr=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),Is=s=>!!s.sync&&!!s.file,Fs=s=>!s.sync&&!!s.file,Cs=s=>!!s.sync&&!s.file,ks=s=>!s.sync&&!s.file;var vs=s=>!!s.file;var Qr=s=>{let t=qr.get(s);return t||s},se=(s={})=>{if(!s)return{};let t={};for(let[e,i]of Object.entries(s)){let r=Qr(e);t[r]=i}return t.chmod===void 0&&t.noChmod===!1&&(t.chmod=!0),delete t.noChmod,t};var K=(s,t,e,i,r)=>Object.assign((n=[],o,a)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(a=o,o=void 0),o=o?Array.from(o):[];let h=se(n);if(r?.(h,o),Is(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return s(h,o)}else if(Fs(h)){let l=t(h,o);return a?l.then(()=>a(),a):l}else if(Cs(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return e(h,o)}else if(ks(h)){if(typeof a=="function")throw new TypeError("callback only supported with file option");return i(h,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:t,syncNoFile:e,asyncNoFile:i,validate:r});import{EventEmitter as On}from"events";import Pi from"assert";import{Buffer as Ot}from"buffer";import*as Ms from"zlib";import Jr from"zlib";var jr=Jr.constants||{ZLIB_VERNUM:4736},M=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},jr));var tn=Ot.concat,Bs=Object.getOwnPropertyDescriptor(Ot,"concat"),en=s=>s,Mi=Bs?.writable===!0||Bs?.set!==void 0?s=>{Ot.concat=s?en:tn}:s=>{},Tt=Symbol("_superWrite"),Gt=class extends Error{code;errno;constructor(t,e){super("zlib: "+t.message,{cause:t}),this.code=t.code,this.errno=t.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+t.message,Error.captureStackTrace(this,e??this.constructor)}get name(){return"ZlibError"}},Bi=Symbol("flushFlag"),re=class extends A{#t=!1;#i=!1;#s;#n;#r;#e;#o;get sawError(){return this.#t}get handle(){return this.#e}get flushFlag(){return this.#s}constructor(t,e){if(!t||typeof t!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(t),this.#s=t.flush??0,this.#n=t.finishFlush??0,this.#r=t.fullFlushFlag??0,typeof Ms[e]!="function")throw new TypeError("Compression method not supported: "+e);try{this.#e=new Ms[e](t)}catch(i){throw new Gt(i,this.constructor)}this.#o=i=>{this.#t||(this.#t=!0,this.close(),this.emit("error",i))},this.#e?.on("error",i=>this.#o(new Gt(i))),this.once("end",()=>this.close)}close(){this.#e&&(this.#e.close(),this.#e=void 0,this.emit("close"))}reset(){if(!this.#t)return Pi(this.#e,"zlib binding closed"),this.#e.reset?.()}flush(t){this.ended||(typeof t!="number"&&(t=this.#r),this.write(Object.assign(Ot.alloc(0),{[Bi]:t})))}end(t,e,i){return typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&(e?this.write(t,e):this.write(t)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Tt](t){return super.write(t)}write(t,e,i){if(typeof e=="function"&&(i=e,e="utf8"),typeof t=="string"&&(t=Ot.from(t,e)),this.#t)return;Pi(this.#e,"zlib binding closed");let r=this.#e._handle,n=r.close;r.close=()=>{};let o=this.#e.close;this.#e.close=()=>{},Mi(!0);let a;try{let l=typeof t[Bi]=="number"?t[Bi]:this.#s;a=this.#e._processChunk(t,l),Mi(!1)}catch(l){Mi(!1),this.#o(new Gt(l,this.write))}finally{this.#e&&(this.#e._handle=r,r.close=n,this.#e.close=o,this.#e.removeAllListeners("error"))}this.#e&&this.#e.on("error",l=>this.#o(new Gt(l,this.write)));let h;if(a)if(Array.isArray(a)&&a.length>0){let l=a[0];h=this[Tt](Ot.from(l));for(let c=1;c{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(t,e)}finally{this.handle.flush=i}this.handle&&(this.#t=t,this.#i=e)}}}};var Pe=class extends Be{#t;constructor(t){super(t,"Gzip"),this.#t=t&&!!t.portable}[Tt](t){return this.#t?(this.#t=!1,t[9]=255,super[Tt](t)):super[Tt](t)}};var ze=class extends Be{constructor(t){super(t,"Unzip")}},Ue=class extends re{constructor(t,e){t=t||{},t.flush=t.flush||M.BROTLI_OPERATION_PROCESS,t.finishFlush=t.finishFlush||M.BROTLI_OPERATION_FINISH,t.fullFlushFlag=M.BROTLI_OPERATION_FLUSH,super(t,e)}},He=class extends Ue{constructor(t){super(t,"BrotliCompress")}},We=class extends Ue{constructor(t){super(t,"BrotliDecompress")}},Ge=class extends re{constructor(t,e){t=t||{},t.flush=t.flush||M.ZSTD_e_continue,t.finishFlush=t.finishFlush||M.ZSTD_e_end,t.fullFlushFlag=M.ZSTD_e_flush,super(t,e)}},Ze=class extends Ge{constructor(t){super(t,"ZstdCompress")}},Ye=class extends Ge{constructor(t){super(t,"ZstdDecompress")}};import{posix as Zt}from"node:path";var Ps=(s,t)=>{if(Number.isSafeInteger(s))s<0?nn(s,t):rn(s,t);else throw Error("cannot encode number outside of javascript safe integer range");return t},rn=(s,t)=>{t[0]=128;for(var e=t.length;e>1;e--)t[e-1]=s&255,s=Math.floor(s/256)},nn=(s,t)=>{t[0]=255;var e=!1;s=s*-1;for(var i=t.length;i>1;i--){var r=s&255;s=Math.floor(s/256),e?t[i-1]=Us(r):r===0?t[i-1]=0:(e=!0,t[i-1]=Hs(r))}},zs=s=>{let t=s[0],e=t===128?hn(s.subarray(1,s.length)):t===255?on(s):null;if(e===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(e))throw Error("parsed number outside of javascript safe integer range");return e},on=s=>{for(var t=s.length,e=0,i=!1,r=t-1;r>-1;r--){var n=Number(s[r]),o;i?o=Us(n):n===0?o=n:(i=!0,o=Hs(n)),o!==0&&(e-=o*Math.pow(256,t-r-1))}return e},hn=s=>{for(var t=s.length,e=0,i=t-1;i>-1;i--){var r=Number(s[i]);r!==0&&(e+=r*Math.pow(256,t-i-1))}return e},Us=s=>(255^s)&255,Hs=s=>(255^s)+1&255;var Ui={};Br(Ui,{code:()=>Ke,isCode:()=>ne,isName:()=>ln,name:()=>oe,normalFsTypes:()=>zi});var ne=s=>oe.has(s),ln=s=>Ke.has(s),zi=new Set(["0","","1","2","3","4","5","6","7","D"]),oe=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]),Ke=new Map(Array.from(oe).map(s=>[s[1],s[0]]));var C=class{cksumValid=!1;needPax=!1;nullBlock=!1;block;path;mode;uid;gid;size;cksum;#t="Unsupported";linkpath;uname;gname;devmaj=0;devmin=0;atime;ctime;mtime;charset;comment;constructor(t,e=0,i,r){Buffer.isBuffer(t)?this.decode(t,e||0,i,r):t&&this.#i(t)}decode(t,e,i,r){if(e||(e=0),!t||!(t.length>=e+512))throw new Error("need 512 bytes for header");let n=xt(t,e+156,1),o=zi.has(n),a=o?i:void 0,h=o?r:void 0;if(this.path=a?.path??xt(t,e,100),this.mode=a?.mode??h?.mode??at(t,e+100,8),this.uid=a?.uid??h?.uid??at(t,e+108,8),this.gid=a?.gid??h?.gid??at(t,e+116,8),this.size=a?.size??h?.size??at(t,e+124,12),this.mtime=a?.mtime??h?.mtime??Hi(t,e+136,12),this.cksum=at(t,e+148,12),h&&this.#i(h,!0),a&&this.#i(a),ne(n)&&(this.#t=n||"0"),this.#t==="0"&&this.path.slice(-1)==="/"&&(this.#t="5"),this.#t==="5"&&(this.size=0),this.linkpath=xt(t,e+157,100),t.subarray(e+257,e+265).toString()==="ustar\x0000")if(this.uname=a?.uname??h?.uname??xt(t,e+265,32),this.gname=a?.gname??h?.gname??xt(t,e+297,32),this.devmaj=a?.devmaj??h?.devmaj??at(t,e+329,8)??0,this.devmin=a?.devmin??h?.devmin??at(t,e+337,8)??0,t[e+475]!==0){let c=xt(t,e+345,155);this.path=c+"/"+this.path}else{let c=xt(t,e+345,130);c&&(this.path=c+"/"+this.path),this.atime=i?.atime??r?.atime??Hi(t,e+476,12),this.ctime=i?.ctime??r?.ctime??Hi(t,e+488,12)}let l=256;for(let c=e;c!(r==null||i==="path"&&e||i==="linkpath"&&e||i==="global"))))}encode(t,e=0){if(t||(t=this.block=Buffer.alloc(512)),this.#t==="Unsupported"&&(this.#t="0"),!(t.length>=e+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=cn(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Lt(t,e,100,n)||this.needPax,this.needPax=lt(t,e+100,8,this.mode)||this.needPax,this.needPax=lt(t,e+108,8,this.uid)||this.needPax,this.needPax=lt(t,e+116,8,this.gid)||this.needPax,this.needPax=lt(t,e+124,12,this.size)||this.needPax,this.needPax=Wi(t,e+136,12,this.mtime)||this.needPax,t[e+156]=Number(this.#t.codePointAt(0)),this.needPax=Lt(t,e+157,100,this.linkpath)||this.needPax,t.write("ustar\x0000",e+257,8),this.needPax=Lt(t,e+265,32,this.uname)||this.needPax,this.needPax=Lt(t,e+297,32,this.gname)||this.needPax,this.needPax=lt(t,e+329,8,this.devmaj)||this.needPax,this.needPax=lt(t,e+337,8,this.devmin)||this.needPax,this.needPax=Lt(t,e+345,i,o)||this.needPax,t[e+475]!==0?this.needPax=Lt(t,e+345,155,o)||this.needPax:(this.needPax=Lt(t,e+345,130,o)||this.needPax,this.needPax=Wi(t,e+476,12,this.atime)||this.needPax,this.needPax=Wi(t,e+488,12,this.ctime)||this.needPax);let a=256;for(let h=e;h{let i=s,r="",n,o=Zt.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Zt.dirname(i),i=Zt.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=t?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=t?n=[i.slice(0,99),r,!0]:(i=Zt.join(Zt.basename(r),i),r=Zt.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},xt=(s,t,e)=>s.subarray(t,t+e).toString("utf8").replace(/\0.*/,""),Hi=(s,t,e)=>fn(at(s,t,e)),fn=s=>s===void 0?void 0:new Date(s*1e3),at=(s,t,e)=>Number(s[t])&128?zs(s.subarray(t,t+e)):un(s,t,e),dn=s=>isNaN(s)?void 0:s,un=(s,t,e)=>dn(parseInt(s.subarray(t,t+e).toString("utf8").replace(/\0.*$/,"").trim(),8)),mn={12:8589934591,8:2097151},lt=(s,t,e,i)=>i===void 0?!1:i>mn[e]||i<0?(Ps(i,s.subarray(t,t+e)),!0):(pn(s,t,e,i),!1),pn=(s,t,e,i)=>s.write(En(i,e),t,e,"ascii"),En=(s,t)=>wn(Math.floor(s).toString(8),t),wn=(s,t)=>(s.length===t-1?s:new Array(t-s.length-1).join("0")+s+" ")+"\0",Wi=(s,t,e,i)=>i===void 0?!1:lt(s,t,e,i.getTime()/1e3),Sn=new Array(156).join("\0"),Lt=(s,t,e,i)=>i===void 0?!1:(s.write(i+Sn,t,e,"utf8"),i.length!==Buffer.byteLength(i)||i.length>e);import{basename as yn}from"node:path";var ct=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(t,e=!1){this.atime=t.atime,this.charset=t.charset,this.comment=t.comment,this.ctime=t.ctime,this.dev=t.dev,this.gid=t.gid,this.global=e,this.gname=t.gname,this.ino=t.ino,this.linkpath=t.linkpath,this.mtime=t.mtime,this.nlink=t.nlink,this.path=t.path,this.size=t.size,this.uid=t.uid,this.uname=t.uname}encode(){let t=this.encodeBody();if(t==="")return Buffer.allocUnsafe(0);let e=Buffer.byteLength(t),i=512*Math.ceil(1+e/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new C({path:("PaxHeader/"+yn(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:e,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(t,512,e,"utf8");for(let n=e+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(t,e,i=!1){return new s(Rn(gn(t),e),i)}},Rn=(s,t)=>t?Object.assign({},t,s):s,gn=s=>s.replace(/\n$/,"").split(`
-`).reduce(bn,Object.create(null)),bn=(s,t)=>{let e=parseInt(t,10);if(e!==Buffer.byteLength(t)+1)return s;t=t.slice((e+" ").length);let i=t.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s};var _n=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,f=_n!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/");var Ve=class extends A{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(t,e,i){switch(super({}),this.pause(),this.extended=e,this.globalExtended=i,this.header=t,this.remain=t.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=t.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!t.path)throw new Error("no path provided for tar.ReadEntry");this.path=f(t.path),this.mode=t.mode,this.mode&&(this.mode=this.mode&4095),this.uid=t.uid,this.gid=t.gid,this.uname=t.uname,this.gname=t.gname,this.size=this.remain,this.mtime=t.mtime,this.atime=t.atime,this.ctime=t.ctime,this.linkpath=t.linkpath?f(t.linkpath):void 0,this.uname=t.uname,this.gname=t.gname,e&&this.#t(e),i&&this.#t(i,!0)}write(t){let e=t.length;if(e>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-e),this.blockRemain=Math.max(0,r-e),this.ignore?!0:i>=e?super.write(t):super.write(t.subarray(0,i))}#t(t,e=!1){t.path&&(t.path=f(t.path)),t.linkpath&&(t.linkpath=f(t.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(t).filter(([i,r])=>!(r==null||i==="path"&&e))))}};var Nt=(s,t,e,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=e instanceof Error&&e.code||t,i.tarCode=t,!s.strict&&i.recoverable!==!1?(e instanceof Error&&(i=Object.assign(e,i),e=e.message),s.emit("warn",t,e,i)):e instanceof Error?s.emit("error",Object.assign(e,i)):s.emit("error",Object.assign(new Error(`${t}: ${e}`),i))};var Tn=1024*1024,Vi=Buffer.from([31,139]),$i=Buffer.from([40,181,47,253]),xn=Math.max(Vi.length,$i.length),B=Symbol("state"),Dt=Symbol("writeEntry"),et=Symbol("readEntry"),Gi=Symbol("nextEntry"),Ws=Symbol("processEntry"),V=Symbol("extendedHeader"),he=Symbol("globalExtendedHeader"),ft=Symbol("meta"),Gs=Symbol("emitMeta"),p=Symbol("buffer"),it=Symbol("queue"),dt=Symbol("ended"),Zi=Symbol("emittedEnd"),At=Symbol("emit"),y=Symbol("unzip"),$e=Symbol("consumeChunk"),Xe=Symbol("consumeChunkSub"),Yi=Symbol("consumeBody"),Zs=Symbol("consumeMeta"),Ys=Symbol("consumeHeader"),ae=Symbol("consuming"),Ki=Symbol("bufferConcat"),qe=Symbol("maybeEnd"),Yt=Symbol("writing"),ut=Symbol("aborted"),Qe=Symbol("onDone"),It=Symbol("sawValidEntry"),Je=Symbol("sawNullBlock"),je=Symbol("sawEOF"),Ks=Symbol("closeStream"),Ln=()=>!0,st=class extends On{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[it]=[];[p];[et];[Dt];[B]="begin";[ft]="";[V];[he];[dt]=!1;[y];[ut]=!1;[It];[Je]=!1;[je]=!1;[Yt]=!1;[ae]=!1;[Zi]=!1;constructor(t={}){super(),this.file=t.file||"",this.on(Qe,()=>{(this[B]==="begin"||this[It]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),t.ondone?this.on(Qe,t.ondone):this.on(Qe,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!t.strict,this.maxMetaEntrySize=t.maxMetaEntrySize||Tn,this.filter=typeof t.filter=="function"?t.filter:Ln;let e=t.file&&(t.file.endsWith(".tar.br")||t.file.endsWith(".tbr"));this.brotli=!(t.gzip||t.zstd)&&t.brotli!==void 0?t.brotli:e?void 0:!1;let i=t.file&&(t.file.endsWith(".tar.zst")||t.file.endsWith(".tzst"));this.zstd=!(t.gzip||t.brotli)&&t.zstd!==void 0?t.zstd:i?!0:void 0,this.on("end",()=>this[Ks]()),typeof t.onwarn=="function"&&this.on("warn",t.onwarn),typeof t.onReadEntry=="function"&&this.on("entry",t.onReadEntry)}warn(t,e,i={}){Nt(this,t,e,i)}[Ys](t,e){this[It]===void 0&&(this[It]=!1);let i;try{i=new C(t,e,this[V],this[he])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[Je]?(this[je]=!0,this[B]==="begin"&&(this[B]="header"),this[At]("eof")):(this[Je]=!0,this[At]("nullBlock"));else if(this[Je]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[Dt]=new Ve(i,this[V],this[he]);if(!this[It])if(n.remain){let o=()=>{n.invalid||(this[It]=!0)};n.on("end",o)}else this[It]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[At]("ignoredEntry",n),this[B]="ignore",n.resume()):n.size>0&&(this[ft]="",n.on("data",o=>this[ft]+=o),this[B]="meta"):(this[V]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[At]("ignoredEntry",n),this[B]=n.remain?"ignore":"header",n.resume()):(n.remain?this[B]="body":(this[B]="header",n.end()),this[et]?this[it].push(n):(this[it].push(n),this[Gi]())))}}}[Ks](){queueMicrotask(()=>this.emit("close"))}[Ws](t){let e=!0;if(!t)this[et]=void 0,e=!1;else if(Array.isArray(t)){let[i,...r]=t;this.emit(i,...r)}else this[et]=t,this.emit("entry",t),t.emittedEnd||(t.on("end",()=>this[Gi]()),e=!1);return e}[Gi](){do;while(this[Ws](this[it].shift()));if(this[it].length===0){let t=this[et];!t||t.flowing||t.size===t.remain?this[Yt]||this.emit("drain"):t.once("drain",()=>this.emit("drain"))}}[Yi](t,e){let i=this[Dt];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=t.length&&e===0?t:t.subarray(e,e+r);return i.write(n),i.blockRemain||(this[B]="header",this[Dt]=void 0,i.end()),n.length}[Zs](t,e){let i=this[Dt],r=this[Yi](t,e);return!this[Dt]&&i&&this[Gs](i),r}[At](t,e,i){this[it].length===0&&!this[et]?this.emit(t,e,i):this[it].push([t,e,i])}[Gs](t){switch(this[At]("meta",this[ft]),t.type){case"ExtendedHeader":case"OldExtendedHeader":this[V]=ct.parse(this[ft],this[V],!1);break;case"GlobalExtendedHeader":this[he]=ct.parse(this[ft],this[he],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let e=this[V]??Object.create(null);this[V]=e,e.path=this[ft].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let e=this[V]||Object.create(null);this[V]=e,e.linkpath=this[ft].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+t.type)}}abort(t){this[ut]=!0,this.emit("abort",t),this.warn("TAR_ABORT",t,{recoverable:!1})}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this[ut])return i?.(),!1;if((this[y]===void 0||this.brotli===void 0&&this[y]===!1)&&t){if(this[p]&&(t=Buffer.concat([this[p],t]),this[p]=void 0),t.lengththis[$e](c)),this[y].on("error",c=>this.abort(c)),this[y].on("end",()=>{this[dt]=!0,this[$e]()}),this[Yt]=!0;let l=!!this[y][h?"end":"write"](t);return this[Yt]=!1,i?.(),l}}this[Yt]=!0,this[y]?this[y].write(t):this[$e](t),this[Yt]=!1;let n=this[it].length>0?!1:this[et]?this[et].flowing:!0;return!n&&this[it].length===0&&this[et]?.once("drain",()=>this.emit("drain")),i?.(),n}[Ki](t){t&&!this[ut]&&(this[p]=this[p]?Buffer.concat([this[p],t]):t)}[qe](){if(this[dt]&&!this[Zi]&&!this[ut]&&!this[ae]){this[Zi]=!0;let t=this[Dt];if(t&&t.blockRemain){let e=this[p]?this[p].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${t.blockRemain} more bytes, only ${e} available)`,{entry:t}),this[p]&&t.write(this[p]),t.end()}this[At](Qe)}}[$e](t){if(this[ae]&&t)this[Ki](t);else if(!t&&!this[p])this[qe]();else if(t){if(this[ae]=!0,this[p]){this[Ki](t);let e=this[p];this[p]=void 0,this[Xe](e)}else this[Xe](t);for(;this[p]&&this[p]?.length>=512&&!this[ut]&&!this[je];){let e=this[p];this[p]=void 0,this[Xe](e)}this[ae]=!1}(!this[p]||this[dt])&&this[qe]()}[Xe](t){let e=0,i=t.length;for(;e+512<=i&&!this[ut]&&!this[je];)switch(this[B]){case"begin":case"header":this[Ys](t,e),e+=512;break;case"ignore":case"body":e+=this[Yi](t,e);break;case"meta":e+=this[Zs](t,e);break;default:throw new Error("invalid state: "+this[B])}e{let t=s.length-1,e=-1;for(;t>-1&&s.charAt(t)==="/";)e=t,t--;return e===-1?s:s.slice(0,e)};var An=s=>{let t=s.onReadEntry;s.onReadEntry=t?e=>{t(e),e.resume()}:e=>e.resume()},Xi=(s,t)=>{let e=new Map(t.map(n=>[mt(n),!0])),i=s.filter,r=(n,o="")=>{let a=o||Dn(n).root||".",h;if(n===a)h=!1;else{let l=e.get(n);h=l!==void 0?l:r(Nn(n),a)}return e.set(n,h),h};s.filter=i?(n,o)=>i(n,o)&&r(mt(n)):n=>r(mt(n))},In=s=>{let t=new st(s),e=s.file,i;try{i=Kt.openSync(e,"r");let r=Kt.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let e=new st(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{e.on("error",a),e.on("end",o),Kt.stat(r,(h,l)=>{if(h)a(h);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",a),c.pipe(e)}})})},Ft=K(In,Fn,s=>new st(s),s=>new st(s),(s,t)=>{t?.length&&Xi(s,t),s.noResume||An(s)});import ui from"fs";import $ from"fs";import qs from"path";var qi=(s,t,e)=>(s&=4095,e&&(s=(s|384)&-19),t&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);import{win32 as Cn}from"node:path";var{isAbsolute:kn,parse:Vs}=Cn,le=s=>{let t="",e=Vs(s);for(;kn(s)||e.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":e.root;s=s.slice(i.length),t+=i,e=Vs(s)}return[t,s]};var ti=["|","<",">","?",":"],Qi=ti.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),vn=new Map(ti.map((s,t)=>[s,Qi[t]])),Mn=new Map(Qi.map((s,t)=>[s,ti[t]])),Ji=s=>ti.reduce((t,e)=>t.split(e).join(vn.get(e)),s),$s=s=>Qi.reduce((t,e)=>t.split(e).join(Mn.get(e)),s);var er=(s,t)=>t?(s=f(s).replace(/^\.(\/|$)/,""),mt(t)+"/"+s):f(s),Bn=16*1024*1024,Qs=Symbol("process"),Js=Symbol("file"),js=Symbol("directory"),ts=Symbol("symlink"),tr=Symbol("hardlink"),ce=Symbol("header"),ei=Symbol("read"),es=Symbol("lstat"),ii=Symbol("onlstat"),is=Symbol("onread"),ss=Symbol("onreadlink"),rs=Symbol("openfile"),ns=Symbol("onopenfile"),pt=Symbol("close"),si=Symbol("mode"),os=Symbol("awaitDrain"),ji=Symbol("ondrain"),X=Symbol("prefix"),fe=class extends A{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#t=!1;constructor(t,e={}){let i=se(e);super(),this.path=f(t),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||Bn,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=f(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?f(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,a]=le(this.path);o&&typeof a=="string"&&(this.path=a,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=$s(this.path.replaceAll(/\\/g,"/")),t=t.replaceAll(/\\/g,"/")),this.absolute=f(i.absolute||qs.resolve(this.cwd,t)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[ii](n):this[es]()}warn(t,e,i={}){return Nt(this,t,e,i)}emit(t,...e){return t==="error"&&(this.#t=!0),super.emit(t,...e)}[es](){$.lstat(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ii](e)})}[ii](t){this.statCache.set(this.absolute,t),this.stat=t,t.isFile()||(t.size=0),this.type=Pn(t),this.emit("stat",t),this[Qs]()}[Qs](){switch(this.type){case"File":return this[Js]();case"Directory":return this[js]();case"SymbolicLink":return this[ts]();default:return this.end()}}[si](t){return qi(t,this.type==="Directory",this.portable)}[X](t){return er(t,this.prefix)}[ce](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new C({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this[si](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let t=this.header?.block;if(!t)throw new Error("failed to encode header");super.write(t)}[js](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[ce](),this.end()}[ts](){$.readlink(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ss](e)})}[ss](t){this.linkpath=f(t),this[ce](),this.end()}[tr](t){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=f(qs.relative(this.cwd,t)),this.stat.size=0,this[ce](),this.end()}[Js](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let t=`${this.stat.dev}:${this.stat.ino}`,e=this.linkCache.get(t);if(e?.indexOf(this.cwd)===0)return this[tr](e);this.linkCache.set(t,this.absolute)}if(this[ce](),this.stat.size===0)return this.end();this[rs]()}[rs](){$.open(this.absolute,"r",(t,e)=>{if(t)return this.emit("error",t);this[ns](e)})}[ns](t){if(this.fd=t,this.#t)return this[pt]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let e=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(e),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[ei]()}[ei](){let{fd:t,buf:e,offset:i,length:r,pos:n}=this;if(t===void 0||e===void 0)throw new Error("cannot read file without first opening");$.read(t,e,i,r,n,(o,a)=>{if(o)return this[pt](()=>this.emit("error",o));this[is](a)})}[pt](t=()=>{}){this.fd!==void 0&&$.close(this.fd,t)}[is](t){if(t<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(t>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(t===this.remain)for(let r=t;rthis[ji]())}[os](t){this.once("drain",t)}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this.blockRemaint?this.emit("error",t):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[ei]()}},ri=class extends fe{sync=!0;[es](){this[ii]($.lstatSync(this.absolute))}[ts](){this[ss]($.readlinkSync(this.absolute))}[rs](){this[ns]($.openSync(this.absolute,"r"))}[ei](){let t=!0;try{let{fd:e,buf:i,offset:r,length:n,pos:o}=this;if(e===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let a=$.readSync(e,i,r,n,o);this[is](a),t=!1}finally{if(t)try{this[pt](()=>{})}catch{}}}[os](t){t()}[pt](t=()=>{}){this.fd!==void 0&&$.closeSync(this.fd),t()}},ni=class extends A{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(t,e,i={}){return Nt(this,t,e,i)}constructor(t,e={}){let i=se(e);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=t;let{type:r}=t;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=f(t.path),this.mode=t.mode!==void 0?this[si](t.mode):void 0,this.uid=this.portable?void 0:t.uid,this.gid=this.portable?void 0:t.gid,this.uname=this.portable?void 0:t.uname,this.gname=this.portable?void 0:t.gname,this.size=t.size,this.mtime=this.noMtime?void 0:i.mtime||t.mtime,this.atime=this.portable?void 0:t.atime,this.ctime=this.portable?void 0:t.ctime,this.linkpath=t.linkpath!==void 0?f(t.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[a,h]=le(this.path);a&&typeof h=="string"&&(this.path=h,n=a)}this.remain=t.size,this.blockRemain=t.startBlockSize,this.onWriteEntry?.(this),this.header=new C({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),t.pipe(this)}[X](t){return er(t,this.prefix)}[si](t){return qi(t,this.type==="Directory",this.portable)}write(t,e,i){typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8"));let r=t.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(t,i)}end(t,e,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,e??"utf8")),i&&this.once("finish",i),t?super.end(t,i):super.end(i),this}},Pn=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported";var oi=class s{tail;head;length=0;static create(t=[]){return new s(t)}constructor(t=[]){for(let e of t)this.push(e)}*[Symbol.iterator](){for(let t=this.head;t;t=t.next)yield t.value}removeNode(t){if(t.list!==this)throw new Error("removing node which does not belong to this list");let e=t.next,i=t.prev;return e&&(e.prev=i),i&&(i.next=e),t===this.head&&(this.head=e),t===this.tail&&(this.tail=i),this.length--,t.next=void 0,t.prev=void 0,t.list=void 0,e}unshiftNode(t){if(t===this.head)return;t.list&&t.list.removeNode(t);let e=this.head;t.list=this,t.next=e,e&&(e.prev=t),this.head=t,this.tail||(this.tail=t),this.length++}pushNode(t){if(t===this.tail)return;t.list&&t.list.removeNode(t);let e=this.tail;t.list=this,t.prev=e,e&&(e.next=t),this.tail=t,this.head||(this.head=t),this.length++}push(...t){for(let e=0,i=t.length;e1)i=e;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=t(i,r.value,n),r=r.next;return i}reduceReverse(t,e){let i,r=this.tail;if(arguments.length>1)i=e;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=t(i,r.value,n),r=r.prev;return i}toArray(){let t=new Array(this.length);for(let e=0,i=this.head;i;e++)t[e]=i.value,i=i.next;return t}toArrayReverse(){let t=new Array(this.length);for(let e=0,i=this.tail;i;e++)t[e]=i.value,i=i.prev;return t}slice(t=0,e=this.length){e<0&&(e+=this.length),t<0&&(t+=this.length);let i=new s;if(ethis.length&&(e=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(e=this.length);let r=this.length,n=this.tail;for(;n&&r>e;r--)n=n.prev;for(;n&&r>t;r--,n=n.prev)i.push(n.value);return i}splice(t,e=0,...i){t>this.length&&(t=this.length-1),t<0&&(t=this.length+t);let r=this.head;for(let o=0;r&&o1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(t.gzip&&(typeof t.gzip!="object"&&(t.gzip={}),this.portable&&(t.gzip.portable=!0),this.zip=new Pe(t.gzip)),t.brotli&&(typeof t.brotli!="object"&&(t.brotli={}),this.zip=new He(t.brotli)),t.zstd&&(typeof t.zstd!="object"&&(t.zstd={}),this.zip=new Ze(t.zstd)),!this.zip)throw new Error("impossible");let e=this.zip;e.on("data",i=>super.write(i)),e.on("end",()=>super.end()),e.on("drain",()=>this[ls]()),this.on("resume",()=>e.resume())}else this.on("drain",this[ls]);this.noDirRecurse=!!t.noDirRecurse,this.follow=!!t.follow,this.noMtime=!!t.noMtime,t.mtime&&(this.mtime=t.mtime),this.filter=typeof t.filter=="function"?t.filter:()=>!0,this[W]=new oi,this[G]=0,this.jobs=Number(t.jobs)||4,this[pe]=!1,this[ue]=!1}[or](t){return super.write(t)}add(t){return this.write(t),this}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&this.add(t),this[ue]=!0,this[Ct](),i&&i(),this}write(t){if(this[ue])throw new Error("write after end");return typeof t=="string"?this[li](t):this[sr](t),this.flowing}[sr](t){let e=f(nr.resolve(this.cwd,t.path));if(!this.filter(t.path,t))t.resume();else{let i=new mi(t.path,e);i.entry=new ni(t,this[as](i)),i.entry.on("end",()=>this[hs](i)),this[G]+=1,this[W].push(i)}this[Ct]()}[li](t){let e=f(nr.resolve(this.cwd,t));this[W].push(new mi(t,e)),this[Ct]()}[cs](t){t.pending=!0,this[G]+=1;let e=this.follow?"stat":"lstat";ui[e](t.absolute,(i,r)=>{t.pending=!1,this[G]-=1,i?this.emit("error",i):this[ai](t,r)})}[ai](t,e){if(this.statCache.set(t.absolute,e),t.stat=e,!this.filter(t.path,e))t.ignore=!0;else if(e.isFile()&&e.nlink>1&&!this.linkCache.get(`${e.dev}:${e.ino}`)&&!this.sync)if(t===this[Et])this[hi](t);else{let i=`${e.dev}:${e.ino}`,r=this[me].get(i);r?r.push(t):this[me].set(i,[t]),t.pendingLink=!0,t.pending=!0}this[Ct]()}[fs](t){t.pending=!0,this[G]+=1,ui.readdir(t.absolute,(e,i)=>{if(t.pending=!1,this[G]-=1,e)return this.emit("error",e);this[ci](t,i)})}[ci](t,e){this.readdirCache.set(t.absolute,e),t.readdir=e,this[Ct]()}[Ct](){if(!this[pe]){this[pe]=!0;for(let t=this[W].head;t&&this[G]1){let i=`${e.dev}:${e.ino}`,r=this[me].get(i);if(r){this[me].delete(i);for(let n of r)n.pending=!1,this[hi](n)}}this[Ct]()}[hi](t){if(t.pending&&t.pendingLink&&t===this[Et]&&(t.pending=!1,t.pendingLink=!1),!t.pending){if(t.entry){t===this[Et]&&!t.piped&&this[fi](t);return}if(!t.stat){let e=this.statCache.get(t.absolute);e?this[ai](t,e):this[cs](t)}if(t.stat&&!t.ignore){if(!this.noDirRecurse&&t.stat.isDirectory()&&!t.readdir){let e=this.readdirCache.get(t.absolute);if(e?this[ci](t,e):this[fs](t),!t.readdir)return}if(t.entry=this[rr](t),!t.entry){t.ignore=!0;return}t===this[Et]&&!t.piped&&this[fi](t)}}}[as](t){return{onwarn:(e,i,r)=>this.warn(e,i,r),noPax:this.noPax,cwd:this.cwd,absolute:t.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[rr](t){this[G]+=1;try{return new this[di](t.path,this[as](t)).on("end",()=>this[hs](t)).on("error",i=>this.emit("error",i))}catch(e){this.emit("error",e)}}[ls](){this[Et]&&this[Et].entry&&this[Et].entry.resume()}[fi](t){t.piped=!0,t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[li](o+r)});let e=t.entry,i=this.zip;if(!e)throw new Error("cannot pipe without source");i?e.on("data",r=>{i.write(r)||e.pause()}):e.on("data",r=>{super.write(r)||e.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(t,e,i={}){Nt(this,t,e,i)}},kt=class extends wt{sync=!0;constructor(t){super(t),this[di]=ri}pause(){}resume(){}[cs](t){let e=this.follow?"statSync":"lstatSync";this[ai](t,ui[e](t.absolute))}[fs](t){this[ci](t,ui.readdirSync(t.absolute))}[fi](t){let e=t.entry,i=this.zip;if(t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[li](o+r)}),!e)throw new Error("Cannot pipe without source");i?e.on("data",r=>{i.write(r)}):e.on("data",r=>{super[or](r)})}};var Wn=(s,t)=>{let e=new kt(s),i=new Wt(s.file,{mode:s.mode||438});e.pipe(i),ar(e,t)},Gn=(s,t)=>{let e=new wt(s),i=new tt(s.file,{mode:s.mode||438});e.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),e.on("error",o)});return lr(e,t).catch(n=>e.emit("error",n)),r},ar=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ft({file:hr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},lr=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ft({file:hr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(e);s.end()},Zn=(s,t)=>{let e=new kt(s);return ar(e,t),e},Yn=(s,t)=>{let e=new wt(s);return lr(e,t).catch(i=>e.emit("error",i)),e},Kn=K(Wn,Gn,Zn,Yn,(s,t)=>{if(!t?.length)throw new TypeError("no paths specified to add to archive")});import kr from"node:fs";import no from"node:assert";import{randomBytes as Cr}from"node:crypto";import u from"node:fs";import R from"node:path";import dr from"fs";var Vn=process.env.__FAKE_PLATFORM__||process.platform,ur=Vn==="win32",{O_CREAT:mr,O_NOFOLLOW:cr,O_TRUNC:pr,O_WRONLY:Er}=dr.constants,wr=Number(process.env.__FAKE_FS_O_FILENAME__)||dr.constants.UV_FS_O_FILEMAP||0,$n=ur&&!!wr,Xn=512*1024,qn=wr|pr|mr|Er,fr=!ur&&typeof cr=="number"?cr|pr|mr|Er:null,ds=fr!==null?()=>fr:$n?s=>s"w";import Ei from"node:fs";import Ee from"node:path";var us=(s,t,e)=>{try{return Ei.lchownSync(s,t,e)}catch(i){if(i?.code!=="ENOENT")throw i}},pi=(s,t,e,i)=>{Ei.lchown(s,t,e,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},Qn=(s,t,e,i,r)=>{if(t.isDirectory())ms(Ee.resolve(s,t.name),e,i,n=>{if(n)return r(n);let o=Ee.resolve(s,t.name);pi(o,e,i,r)});else{let n=Ee.resolve(s,t.name);pi(n,e,i,r)}},ms=(s,t,e,i)=>{Ei.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return pi(s,t,e,i);let o=n.length,a=null,h=l=>{if(!a){if(l)return i(a=l);if(--o===0)return pi(s,t,e,i)}};for(let l of n)Qn(s,l,t,e,h)})},Jn=(s,t,e,i)=>{t.isDirectory()&&ps(Ee.resolve(s,t.name),e,i),us(Ee.resolve(s,t.name),e,i)},ps=(s,t,e)=>{let i;try{i=Ei.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return us(s,t,e);throw n}for(let r of i)Jn(s,r,t,e);return us(s,t,e)};import k from"node:fs";import jn from"node:fs/promises";import wi from"node:path";var we=class extends Error{path;code;syscall="chdir";constructor(t,e){super(`${e}: Cannot cd into '${t}'`),this.path=t,this.code=e}get name(){return"CwdError"}};var St=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(t,e){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=t,this.path=e}get name(){return"SymlinkError"}};var to=(s,t)=>{k.stat(s,(e,i)=>{(e||!i.isDirectory())&&(e=new we(s,e?.code||"ENOTDIR")),t(e)})},Sr=(s,t,e)=>{s=f(s);let i=t.umask??18,r=t.mode|448,n=(r&i)!==0,o=t.uid,a=t.gid,h=typeof o=="number"&&typeof a=="number"&&(o!==t.processUid||a!==t.processGid),l=t.preserve,c=t.unlink,d=f(t.cwd),S=(E,x)=>{E?e(E):x&&h?ms(x,o,a,xe=>S(xe)):n?k.chmod(s,r,e):e()};if(s===d)return to(s,S);if(l)return jn.mkdir(s,{mode:r,recursive:!0}).then(E=>S(null,E??void 0),S);let N=f(wi.relative(d,s)).split("/");Es(d,N,r,c,d,void 0,S)},Es=(s,t,e,i,r,n,o)=>{if(t.length===0)return o(null,n);let a=t.shift(),h=f(wi.resolve(s+"/"+a));k.mkdir(h,e,yr(h,t,e,i,r,n,o))},yr=(s,t,e,i,r,n,o)=>a=>{a?k.lstat(s,(h,l)=>{if(h)h.path=h.path&&f(h.path),o(h);else if(l.isDirectory())Es(s,t,e,i,r,n,o);else if(i)k.unlink(s,c=>{if(c)return o(c);k.mkdir(s,e,yr(s,t,e,i,r,n,o))});else{if(l.isSymbolicLink())return o(new St(s,s+"/"+t.join("/")));o(a)}}):(n=n||s,Es(s,t,e,i,r,n,o))},eo=s=>{let t=!1,e;try{t=k.statSync(s).isDirectory()}catch(i){e=i?.code}finally{if(!t)throw new we(s,e??"ENOTDIR")}},Rr=(s,t)=>{s=f(s);let e=t.umask??18,i=t.mode|448,r=(i&e)!==0,n=t.uid,o=t.gid,a=typeof n=="number"&&typeof o=="number"&&(n!==t.processUid||o!==t.processGid),h=t.preserve,l=t.unlink,c=f(t.cwd),d=E=>{E&&a&&ps(E,n,o),r&&k.chmodSync(s,i)};if(s===c)return eo(c),d();if(h)return d(k.mkdirSync(s,{mode:i,recursive:!0})??void 0);let T=f(wi.relative(c,s)).split("/"),N;for(let E=T.shift(),x=c;E&&(x+="/"+E);E=T.shift()){x=f(wi.resolve(x));try{k.mkdirSync(x,i),N=N||x}catch{let xe=k.lstatSync(x);if(xe.isDirectory())continue;if(l){k.unlinkSync(x),k.mkdirSync(x,i),N=N||x;continue}else if(xe.isSymbolicLink())return new St(x,x+"/"+T.join("/"))}}return d(N)};import{join as _r}from"node:path";var ws=Object.create(null),gr=1e4,Vt=new Set,br=s=>{Vt.has(s)?Vt.delete(s):ws[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),Vt.add(s);let t=ws[s],e=Vt.size-gr;if(e>gr/10){for(let i of Vt)if(Vt.delete(i),delete ws[i],--e<=0)break}return t};var io=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,so=io==="win32",ro=s=>s.split("/").slice(0,-1).reduce((e,i)=>{let r=e.at(-1);return r!==void 0&&(i=_r(r,i)),e.push(i||"/"),e},[]),Si=class{#t=new Map;#i=new Map;#s=new Set;reserve(t,e){t=so?["win32 parallelization disabled"]:t.map(r=>mt(_r(br(r))));let i=new Set(t.map(r=>ro(r)).reduce((r,n)=>r.concat(n)));this.#i.set(e,{dirs:i,paths:t});for(let r of t){let n=this.#t.get(r);n?n.push(e):this.#t.set(r,[e])}for(let r of i){let n=this.#t.get(r);if(!n)this.#t.set(r,[new Set([e])]);else{let o=n.at(-1);o instanceof Set?o.add(e):n.push(new Set([e]))}}return this.#r(e)}#n(t){let e=this.#i.get(t);if(!e)throw new Error("function does not have any path reservations");return{paths:e.paths.map(i=>this.#t.get(i)),dirs:[...e.dirs].map(i=>this.#t.get(i))}}check(t){let{paths:e,dirs:i}=this.#n(t);return e.every(r=>r&&r[0]===t)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(t))}#r(t){return this.#s.has(t)||!this.check(t)?!1:(this.#s.add(t),t(()=>this.#e(t)),!0)}#e(t){if(!this.#s.has(t))return!1;let e=this.#i.get(t);if(!e)throw new Error("invalid reservation");let{paths:i,dirs:r}=e,n=new Set;for(let o of i){let a=this.#t.get(o);if(!a||a?.[0]!==t)continue;let h=a[1];if(!h){this.#t.delete(o);continue}if(a.shift(),typeof h=="function")n.add(h);else for(let l of h)n.add(l)}for(let o of r){let a=this.#t.get(o),h=a?.[0];if(!(!a||!(h instanceof Set)))if(h.size===1&&a.length===1){this.#t.delete(o);continue}else if(h.size===1){a.shift();let l=a[0];typeof l=="function"&&n.add(l)}else h.delete(t)}return this.#s.delete(t),n.forEach(o=>this.#r(o)),!0}};var Or=()=>process.umask();var Tr=Symbol("onEntry"),gs=Symbol("checkFs"),xr=Symbol("checkFs2"),bs=Symbol("isReusable"),P=Symbol("makeFs"),_s=Symbol("file"),Os=Symbol("directory"),Ri=Symbol("link"),Lr=Symbol("symlink"),Nr=Symbol("hardlink"),ye=Symbol("ensureNoSymlink"),Dr=Symbol("unsupported"),Ar=Symbol("checkPath"),Ss=Symbol("stripAbsolutePath"),yt=Symbol("mkdir"),O=Symbol("onError"),yi=Symbol("pending"),Ir=Symbol("pend"),$t=Symbol("unpend"),ys=Symbol("ended"),Rs=Symbol("maybeClose"),Ts=Symbol("skip"),Re=Symbol("doChown"),ge=Symbol("uid"),be=Symbol("gid"),_e=Symbol("checkedCwd"),oo=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Oe=oo==="win32",ho=1024,ao=(s,t)=>{if(!Oe)return u.unlink(s,t);let e=s+".DELETE."+Cr(16).toString("hex");u.rename(s,e,i=>{if(i)return t(i);u.unlink(e,t)})},lo=s=>{if(!Oe)return u.unlinkSync(s);let t=s+".DELETE."+Cr(16).toString("hex");u.renameSync(s,t),u.unlinkSync(t)},Fr=(s,t,e)=>s!==void 0&&s===s>>>0?s:t!==void 0&&t===t>>>0?t:e,Xt=class extends st{[ys]=!1;[_e]=!1;[yi]=0;reservations=new Si;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(t={}){if(t.ondone=()=>{this[ys]=!0,this[Rs]()},super(t),this.transform=t.transform,this.chmod=!!t.chmod,typeof t.uid=="number"||typeof t.gid=="number"){if(typeof t.uid!="number"||typeof t.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(t.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=t.uid,this.gid=t.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=t.preserveOwner===void 0&&typeof t.uid!="number"?!!(process.getuid&&process.getuid()===0):!!t.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof t.maxDepth=="number"?t.maxDepth:ho,this.forceChown=t.forceChown===!0,this.win32=!!t.win32||Oe,this.newer=!!t.newer,this.keep=!!t.keep,this.noMtime=!!t.noMtime,this.preservePaths=!!t.preservePaths,this.unlink=!!t.unlink,this.cwd=f(R.resolve(t.cwd||process.cwd())),this.strip=Number(t.strip)||0,this.processUmask=this.chmod?typeof t.processUmask=="number"?t.processUmask:Or():0,this.umask=typeof t.umask=="number"?t.umask:this.processUmask,this.dmode=t.dmode||511&~this.umask,this.fmode=t.fmode||438&~this.umask,this.on("entry",e=>this[Tr](e))}warn(t,e,i={}){return(t==="TAR_BAD_ARCHIVE"||t==="TAR_ABORT")&&(i.recoverable=!1),super.warn(t,e,i)}[Rs](){this[ys]&&this[yi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[Ss](t,e){let i=t[e],{type:r}=t;if(!i||this.preservePaths)return!0;let[n,o]=le(i),a=o.replaceAll(/\\/g,"/").split("/");if(a.includes("..")||Oe&&/^[a-z]:\.\.$/i.test(a[0]??"")){if(e==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${e} contains '..'`,{entry:t,[e]:i}),!1;let h=R.posix.dirname(t.path),l=R.posix.normalize(R.posix.join(h,a.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${e} escapes extraction directory`,{entry:t,[e]:i}),!1}return n&&(t[e]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${e}`,{entry:t,[e]:i})),!0}[Ar](t){let e=f(t.path),i=e.split("/");if(this.strip){if(i.length=this.strip)t.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),t.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:t,path:e,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[Ss](t,"path")||!this[Ss](t,"linkpath"))return!1;if(t.absolute=R.isAbsolute(t.path)?f(R.resolve(t.path)):f(R.resolve(this.cwd,t.path)),!this.preservePaths&&typeof t.absolute=="string"&&t.absolute.indexOf(this.cwd+"/")!==0&&t.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:t,path:f(t.path),resolvedPath:t.absolute,cwd:this.cwd}),!1;if(t.absolute===this.cwd&&t.type!=="Directory"&&t.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=R.win32.parse(String(t.absolute));t.absolute=r+Ji(String(t.absolute).slice(r.length));let{root:n}=R.win32.parse(t.path);t.path=n+Ji(t.path.slice(n.length))}return!0}[Tr](t){if(!this[Ar](t))return t.resume();switch(no.equal(typeof t.absolute,"string"),t.type){case"Directory":case"GNUDumpDir":t.mode&&(t.mode=t.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[gs](t);default:return this[Dr](t)}}[O](t,e){t.name==="CwdError"?this.emit("error",t):(this.warn("TAR_ENTRY_ERROR",t,{entry:e}),this[$t](),e.resume())}[yt](t,e,i){Sr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e},i)}[Re](t){return this.forceChown||this.preserveOwner&&(typeof t.uid=="number"&&t.uid!==this.processUid||typeof t.gid=="number"&&t.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[ge](t){return Fr(this.uid,t.uid,this.processUid)}[be](t){return Fr(this.gid,t.gid,this.processGid)}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=new tt(String(t.absolute),{flags:ds(t.size),mode:i,autoClose:!1});r.on("error",h=>{r.fd&&u.close(r.fd,()=>{}),r.write=()=>!0,this[O](h,t),e()});let n=1,o=h=>{if(h){r.fd&&u.close(r.fd,()=>{}),this[O](h,t),e();return}--n===0&&r.fd!==void 0&&u.close(r.fd,l=>{l?this[O](l,t):this[$t](),e()})};r.on("finish",()=>{let h=String(t.absolute),l=r.fd;if(typeof l=="number"&&t.mtime&&!this.noMtime){n++;let c=t.atime||new Date,d=t.mtime;u.futimes(l,c,d,S=>S?u.utimes(h,c,d,T=>o(T&&S)):o())}if(typeof l=="number"&&this[Re](t)){n++;let c=this[ge](t),d=this[be](t);typeof c=="number"&&typeof d=="number"&&u.fchown(l,c,d,S=>S?u.chown(h,c,d,T=>o(T&&S)):o())}o()});let a=this.transform&&this.transform(t)||t;a!==t&&(a.on("error",h=>{this[O](h,t),e()}),t.pipe(a)),a.pipe(r)}[Os](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode;this[yt](String(t.absolute),i,r=>{if(r){this[O](r,t),e();return}let n=1,o=()=>{--n===0&&(e(),this[$t](),t.resume())};t.mtime&&!this.noMtime&&(n++,u.utimes(String(t.absolute),t.atime||new Date,t.mtime,o)),this[Re](t)&&(n++,u.chown(String(t.absolute),Number(this[ge](t)),Number(this[be](t)),o)),o()})}[Dr](t){t.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${t.type}`,{entry:t}),t.resume()}[Lr](t,e){let i=f(R.relative(this.cwd,R.resolve(R.dirname(String(t.absolute)),String(t.linkpath)))).split("/");this[ye](t,this.cwd,i,()=>this[Ri](t,String(t.linkpath),"symlink",e),r=>{this[O](r,t),e()})}[Nr](t,e){let i=f(R.resolve(this.cwd,String(t.linkpath))),r=f(String(t.linkpath)).split("/");this[ye](t,this.cwd,r,()=>this[Ri](t,i,"link",e),n=>{this[O](n,t),e()})}[ye](t,e,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let a=R.resolve(e,o);u.lstat(a,(h,l)=>{if(h)return r();if(l?.isSymbolicLink())return n(new St(a,R.resolve(a,i.join("/"))));this[ye](t,a,i,r,n)})}[Ir](){this[yi]++}[$t](){this[yi]--,this[Rs]()}[Ts](t){this[$t](),t.resume()}[bs](t,e){return t.type==="File"&&!this.unlink&&e.isFile()&&e.nlink<=1&&!Oe}[gs](t){this[Ir]();let e=[t.path];t.linkpath&&e.push(t.linkpath),this.reservations.reserve(e,i=>this[xr](t,i))}[xr](t,e){let i=a=>{e(a)},r=()=>{this[yt](this.cwd,this.dmode,a=>{if(a){this[O](a,t),i();return}this[_e]=!0,n()})},n=()=>{if(t.absolute!==this.cwd){let a=f(R.dirname(String(t.absolute)));if(a!==this.cwd)return this[yt](a,this.dmode,h=>{if(h){this[O](h,t),i();return}o()})}o()},o=()=>{u.lstat(String(t.absolute),(a,h)=>{if(h&&(this.keep||this.newer&&h.mtime>(t.mtime??h.mtime))){this[Ts](t),i();return}if(a||this[bs](t,h))return this[P](null,t,i);if(h.isDirectory()){if(t.type==="Directory"){let l=this.chmod&&t.mode&&(h.mode&4095)!==t.mode,c=d=>this[P](d??null,t,i);return l?u.chmod(String(t.absolute),Number(t.mode),c):c()}if(t.absolute!==this.cwd)return u.rmdir(String(t.absolute),l=>this[P](l??null,t,i))}if(t.absolute===this.cwd)return this[P](null,t,i);ao(String(t.absolute),l=>this[P](l??null,t,i))})};this[_e]?n():r()}[P](t,e,i){if(t){this[O](t,e),i();return}switch(e.type){case"File":case"OldFile":case"ContiguousFile":return this[_s](e,i);case"Link":return this[Nr](e,i);case"SymbolicLink":return this[Lr](e,i);case"Directory":case"GNUDumpDir":return this[Os](e,i)}}[Ri](t,e,i,r){u[i](e,String(t.absolute),n=>{n?this[O](n,t):(this[$t](),t.resume()),r()})}},Se=s=>{try{return[null,s()]}catch(t){return[t,null]}},Te=class extends Xt{sync=!0;[P](t,e){return super[P](t,e,()=>{})}[gs](t){if(!this[_e]){let n=this[yt](this.cwd,this.dmode);if(n)return this[O](n,t);this[_e]=!0}if(t.absolute!==this.cwd){let n=f(R.dirname(String(t.absolute)));if(n!==this.cwd){let o=this[yt](n,this.dmode);if(o)return this[O](o,t)}}let[e,i]=Se(()=>u.lstatSync(String(t.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(t.mtime??i.mtime)))return this[Ts](t);if(e||this[bs](t,i))return this[P](null,t);if(i.isDirectory()){if(t.type==="Directory"){let o=this.chmod&&t.mode&&(i.mode&4095)!==t.mode,[a]=o?Se(()=>{u.chmodSync(String(t.absolute),Number(t.mode))}):[];return this[P](a,t)}let[n]=Se(()=>u.rmdirSync(String(t.absolute)));this[P](n,t)}let[r]=t.absolute===this.cwd?[]:Se(()=>lo(String(t.absolute)));this[P](r,t)}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=a=>{let h;try{u.closeSync(n)}catch(l){h=l}(a||h)&&this[O](a||h,t),e()},n;try{n=u.openSync(String(t.absolute),ds(t.size),i)}catch(a){return r(a)}let o=this.transform&&this.transform(t)||t;o!==t&&(o.on("error",a=>this[O](a,t)),t.pipe(o)),o.on("data",a=>{try{u.writeSync(n,a,0,a.length)}catch(h){r(h)}}),o.on("end",()=>{let a=null;if(t.mtime&&!this.noMtime){let h=t.atime||new Date,l=t.mtime;try{u.futimesSync(n,h,l)}catch(c){try{u.utimesSync(String(t.absolute),h,l)}catch{a=c}}}if(this[Re](t)){let h=this[ge](t),l=this[be](t);try{u.fchownSync(n,Number(h),Number(l))}catch(c){try{u.chownSync(String(t.absolute),Number(h),Number(l))}catch{a=a||c}}}r(a)})}[Os](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode,r=this[yt](String(t.absolute),i);if(r){this[O](r,t),e();return}if(t.mtime&&!this.noMtime)try{u.utimesSync(String(t.absolute),t.atime||new Date,t.mtime)}catch{}if(this[Re](t))try{u.chownSync(String(t.absolute),Number(this[ge](t)),Number(this[be](t)))}catch{}e(),t.resume()}[yt](t,e){try{return Rr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e})}catch(i){return i}}[ye](t,e,i,r,n){if(this.preservePaths||i.length===0)return r();let o=e;for(let a of i){o=R.resolve(o,a);let[h,l]=Se(()=>u.lstatSync(o));if(h)return r();if(l.isSymbolicLink())return n(new St(o,R.resolve(e,i.join("/"))))}r()}[Ri](t,e,i,r){let n=`${i}Sync`;try{u[n](e,String(t.absolute)),r(),t.resume()}catch(o){return this[O](o,t)}}};var co=s=>{let t=new Te(s),e=s.file,i=kr.statSync(e),r=s.maxReadSize||16*1024*1024;new Me(e,{readSize:r,size:i.size}).pipe(t)},fo=(s,t)=>{let e=new Xt(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{e.on("error",a),e.on("close",o),kr.stat(r,(h,l)=>{if(h)a(h);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",a),c.pipe(e)}})})},uo=K(co,fo,s=>new Te(s),s=>new Xt(s),(s,t)=>{t?.length&&Xi(s,t)});import v from"node:fs";import vr from"node:path";var mo=(s,t)=>{let e=new kt(s),i=!0,r,n;try{try{r=v.openSync(s.file,"r+")}catch(h){if(h?.code==="ENOENT")r=v.openSync(s.file,"w+");else throw h}let o=v.fstatSync(r),a=Buffer.alloc(512);t:for(n=0;no.size)break;n+=l,s.mtimeCache&&h.mtime&&s.mtimeCache.set(String(h.path),h.mtime)}i=!1,po(s,e,n,r,t)}finally{if(i)try{v.closeSync(r)}catch{}}},po=(s,t,e,i,r)=>{let n=new Wt(s.file,{fd:i,start:e});t.pipe(n),wo(t,r)},Eo=(s,t)=>{t=Array.from(t);let e=new wt(s),i=(n,o,a)=>{let h=(T,N)=>{T?v.close(n,E=>a(T)):a(null,N)},l=0;if(o===0)return h(null,0);let c=0,d=Buffer.alloc(512),S=(T,N)=>{if(T||N===void 0)return h(T);if(c+=N,c<512&&N)return v.read(n,d,c,d.length-c,l+c,S);if(l===0&&d[0]===31&&d[1]===139)return h(new Error("cannot append to compressed archives"));if(c<512)return h(null,l);let E=new C(d);if(!E.cksumValid)return h(null,l);let x=512*Math.ceil((E.size??0)/512);if(l+x+512>o||(l+=x+512,l>=o))return h(null,l);s.mtimeCache&&E.mtime&&s.mtimeCache.set(String(E.path),E.mtime),c=0,v.read(n,d,0,512,l,S)};v.read(n,d,0,512,l,S)};return new Promise((n,o)=>{e.on("error",o);let a="r+",h=(l,c)=>{if(l&&l.code==="ENOENT"&&a==="r+")return a="w+",v.open(s.file,a,h);if(l||!c)return o(l);v.fstat(c,(d,S)=>{if(d)return v.close(c,()=>o(d));i(c,S.size,(T,N)=>{if(T)return o(T);let E=new tt(s.file,{fd:c,start:N});e.pipe(E),E.on("error",o),E.on("close",n),So(e,t)})})};v.open(s.file,a,h)})},wo=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ft({file:vr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},So=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ft({file:vr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e);s.end()},vt=K(mo,Eo,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,t)=>{if(!vs(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!t?.length)throw new TypeError("no paths specified to add/replace")});var yo=K(vt.syncFile,vt.asyncFile,vt.syncNoFile,vt.asyncNoFile,(s,t=[])=>{vt.validate?.(s,t),Ro(s)}),Ro=s=>{let t=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=t?(e,i)=>t(e,i)&&!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0)):(e,i)=>!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0))};export{C as Header,wt as Pack,mi as PackJob,kt as PackSync,st as Parser,ct as Pax,Ve as ReadEntry,Xt as Unpack,Te as UnpackSync,fe as WriteEntry,ri as WriteEntrySync,ni as WriteEntryTar,Kn as c,Kn as create,uo as extract,Xi as filesFilter,Ft as list,vt as r,vt as replace,Ft as t,Ui as types,yo as u,yo as update,uo as x};
+var zr=Object.defineProperty;var Ur=(s,t)=>{for(var e in t)zr(s,e,{get:t[e],enumerable:!0})};import Qr from"events";import I from"fs";import{EventEmitter as Di}from"node:events";import Cs from"node:stream";import{StringDecoder as Hr}from"node:string_decoder";var Ds=typeof process=="object"&&process?process:{stdout:null,stderr:null},Wr=s=>!!s&&typeof s=="object"&&(s instanceof A||s instanceof Cs||Gr(s)||Zr(s)),Gr=s=>!!s&&typeof s=="object"&&s instanceof Di&&typeof s.pipe=="function"&&s.pipe!==Cs.Writable.prototype.pipe,Zr=s=>!!s&&typeof s=="object"&&s instanceof Di&&typeof s.write=="function"&&typeof s.end=="function",Q=Symbol("EOF"),J=Symbol("maybeEmitEnd"),nt=Symbol("emittedEnd"),De=Symbol("emittingEnd"),qt=Symbol("emittedError"),Ne=Symbol("closed"),Ns=Symbol("read"),Ae=Symbol("flush"),As=Symbol("flushChunk"),z=Symbol("encoding"),Mt=Symbol("decoder"),g=Symbol("flowing"),Qt=Symbol("paused"),Bt=Symbol("resume"),b=Symbol("buffer"),N=Symbol("pipes"),_=Symbol("bufferLength"),bi=Symbol("bufferPush"),Ie=Symbol("bufferShift"),L=Symbol("objectMode"),w=Symbol("destroyed"),_i=Symbol("error"),Oi=Symbol("emitData"),Is=Symbol("emitEnd"),Ti=Symbol("emitEnd2"),Z=Symbol("async"),xi=Symbol("abort"),Ce=Symbol("aborted"),Jt=Symbol("signal"),Rt=Symbol("dataListeners"),C=Symbol("discarded"),jt=s=>Promise.resolve().then(s),Yr=s=>s(),Kr=s=>s==="end"||s==="finish"||s==="prefinish",Vr=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,$r=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Fe=class{src;dest;opts;ondrain;constructor(t,e,i){this.src=t,this.dest=e,this.opts=i,this.ondrain=()=>t[Bt](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(t){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},Li=class extends Fe{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(t,e,i){super(t,e,i),this.proxyErrors=r=>this.dest.emit("error",r),t.on("error",this.proxyErrors)}},Xr=s=>!!s.objectMode,qr=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",A=class extends Di{[g]=!1;[Qt]=!1;[N]=[];[b]=[];[L];[z];[Z];[Mt];[Q]=!1;[nt]=!1;[De]=!1;[Ne]=!1;[qt]=null;[_]=0;[w]=!1;[Jt];[Ce]=!1;[Rt]=0;[C]=!1;writable=!0;readable=!0;constructor(...t){let e=t[0]||{};if(super(),e.objectMode&&typeof e.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Xr(e)?(this[L]=!0,this[z]=null):qr(e)?(this[z]=e.encoding,this[L]=!1):(this[L]=!1,this[z]=null),this[Z]=!!e.async,this[Mt]=this[z]?new Hr(this[z]):null,e&&e.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[b]}),e&&e.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[N]});let{signal:i}=e;i&&(this[Jt]=i,i.aborted?this[xi]():i.addEventListener("abort",()=>this[xi]()))}get bufferLength(){return this[_]}get encoding(){return this[z]}set encoding(t){throw new Error("Encoding must be set at instantiation time")}setEncoding(t){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[L]}set objectMode(t){throw new Error("objectMode must be set at instantiation time")}get async(){return this[Z]}set async(t){this[Z]=this[Z]||!!t}[xi](){this[Ce]=!0,this.emit("abort",this[Jt]?.reason),this.destroy(this[Jt]?.reason)}get aborted(){return this[Ce]}set aborted(t){}write(t,e,i){if(this[Ce])return!1;if(this[Q])throw new Error("write after end");if(this[w])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof e=="function"&&(i=e,e="utf8"),e||(e="utf8");let r=this[Z]?jt:Yr;if(!this[L]&&!Buffer.isBuffer(t)){if($r(t))t=Buffer.from(t.buffer,t.byteOffset,t.byteLength);else if(Vr(t))t=Buffer.from(t);else if(typeof t!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[L]?(this[g]&&this[_]!==0&&this[Ae](!0),this[g]?this.emit("data",t):this[bi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):t.length?(typeof t=="string"&&!(e===this[z]&&!this[Mt]?.lastNeed)&&(t=Buffer.from(t,e)),Buffer.isBuffer(t)&&this[z]&&(t=this[Mt].write(t)),this[g]&&this[_]!==0&&this[Ae](!0),this[g]?this.emit("data",t):this[bi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):(this[_]!==0&&this.emit("readable"),i&&r(i),this[g])}read(t){if(this[w])return null;if(this[C]=!1,this[_]===0||t===0||t&&t>this[_])return this[J](),null;this[L]&&(t=null),this[b].length>1&&!this[L]&&(this[b]=[this[z]?this[b].join(""):Buffer.concat(this[b],this[_])]);let e=this[Ns](t||null,this[b][0]);return this[J](),e}[Ns](t,e){if(this[L])this[Ie]();else{let i=e;t===i.length||t===null?this[Ie]():typeof i=="string"?(this[b][0]=i.slice(t),e=i.slice(0,t),this[_]-=t):(this[b][0]=i.subarray(t),e=i.subarray(0,t),this[_]-=t)}return this.emit("data",e),!this[b].length&&!this[Q]&&this.emit("drain"),e}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e="utf8"),t!==void 0&&this.write(t,e),i&&this.once("end",i),this[Q]=!0,this.writable=!1,(this[g]||!this[Qt])&&this[J](),this}[Bt](){this[w]||(!this[Rt]&&!this[N].length&&(this[C]=!0),this[Qt]=!1,this[g]=!0,this.emit("resume"),this[b].length?this[Ae]():this[Q]?this[J]():this.emit("drain"))}resume(){return this[Bt]()}pause(){this[g]=!1,this[Qt]=!0,this[C]=!1}get destroyed(){return this[w]}get flowing(){return this[g]}get paused(){return this[Qt]}[bi](t){this[L]?this[_]+=1:this[_]+=t.length,this[b].push(t)}[Ie](){return this[L]?this[_]-=1:this[_]-=this[b][0].length,this[b].shift()}[Ae](t=!1){do;while(this[As](this[Ie]())&&this[b].length);!t&&!this[b].length&&!this[Q]&&this.emit("drain")}[As](t){return this.emit("data",t),this[g]}pipe(t,e){if(this[w])return t;this[C]=!1;let i=this[nt];return e=e||{},t===Ds.stdout||t===Ds.stderr?e.end=!1:e.end=e.end!==!1,e.proxyErrors=!!e.proxyErrors,i?e.end&&t.end():(this[N].push(e.proxyErrors?new Li(this,t,e):new Fe(this,t,e)),this[Z]?jt(()=>this[Bt]()):this[Bt]()),t}unpipe(t){let e=this[N].find(i=>i.dest===t);e&&(this[N].length===1?(this[g]&&this[Rt]===0&&(this[g]=!1),this[N]=[]):this[N].splice(this[N].indexOf(e),1),e.unpipe())}addListener(t,e){return this.on(t,e)}on(t,e){let i=super.on(t,e);if(t==="data")this[C]=!1,this[Rt]++,!this[N].length&&!this[g]&&this[Bt]();else if(t==="readable"&&this[_]!==0)super.emit("readable");else if(Kr(t)&&this[nt])super.emit(t),this.removeAllListeners(t);else if(t==="error"&&this[qt]){let r=e;this[Z]?jt(()=>r.call(this,this[qt])):r.call(this,this[qt])}return i}removeListener(t,e){return this.off(t,e)}off(t,e){let i=super.off(t,e);return t==="data"&&(this[Rt]=this.listeners("data").length,this[Rt]===0&&!this[C]&&!this[N].length&&(this[g]=!1)),i}removeAllListeners(t){let e=super.removeAllListeners(t);return(t==="data"||t===void 0)&&(this[Rt]=0,!this[C]&&!this[N].length&&(this[g]=!1)),e}get emittedEnd(){return this[nt]}[J](){!this[De]&&!this[nt]&&!this[w]&&this[b].length===0&&this[Q]&&(this[De]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[Ne]&&this.emit("close"),this[De]=!1)}emit(t,...e){let i=e[0];if(t!=="error"&&t!=="close"&&t!==w&&this[w])return!1;if(t==="data")return!this[L]&&!i?!1:this[Z]?(jt(()=>this[Oi](i)),!0):this[Oi](i);if(t==="end")return this[Is]();if(t==="close"){if(this[Ne]=!0,!this[nt]&&!this[w])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(t==="error"){this[qt]=i,super.emit(_i,i);let n=!this[Jt]||this.listeners("error").length?super.emit("error",i):!1;return this[J](),n}else if(t==="resume"){let n=super.emit("resume");return this[J](),n}else if(t==="finish"||t==="prefinish"){let n=super.emit(t);return this.removeAllListeners(t),n}let r=super.emit(t,...e);return this[J](),r}[Oi](t){for(let i of this[N])i.dest.write(t)===!1&&this.pause();let e=this[C]?!1:super.emit("data",t);return this[J](),e}[Is](){return this[nt]?!1:(this[nt]=!0,this.readable=!1,this[Z]?(jt(()=>this[Ti]()),!0):this[Ti]())}[Ti](){if(this[Mt]){let e=this[Mt].end();if(e){for(let i of this[N])i.dest.write(e);this[C]||super.emit("data",e)}}for(let e of this[N])e.end();let t=super.emit("end");return this.removeAllListeners("end"),t}async collect(){let t=Object.assign([],{dataLength:0});this[L]||(t.dataLength=0);let e=this.promise();return this.on("data",i=>{t.push(i),this[L]||(t.dataLength+=i.length)}),await e,t}async concat(){if(this[L])throw new Error("cannot concat in objectMode");let t=await this.collect();return this[z]?t.join(""):Buffer.concat(t,t.dataLength)}async promise(){return new Promise((t,e)=>{this.on(w,()=>e(new Error("stream destroyed"))),this.on("error",i=>e(i)),this.on("end",()=>t())})}[Symbol.asyncIterator](){this[C]=!1;let t=!1,e=async()=>(this.pause(),t=!0,{value:void 0,done:!0});return{next:()=>{if(t)return e();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[Q])return e();let n,o,h=d=>{this.off("data",a),this.off("end",l),this.off(w,c),e(),o(d)},a=d=>{this.off("error",h),this.off("end",l),this.off(w,c),this.pause(),n({value:d,done:!!this[Q]})},l=()=>{this.off("error",h),this.off("data",a),this.off(w,c),e(),n({done:!0,value:void 0})},c=()=>h(new Error("stream destroyed"));return new Promise((d,S)=>{o=S,n=d,this.once(w,c),this.once("error",h),this.once("end",l),this.once("data",a)})},throw:e,return:e,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[C]=!1;let t=!1,e=()=>(this.pause(),this.off(_i,e),this.off(w,e),this.off("end",e),t=!0,{done:!0,value:void 0}),i=()=>{if(t)return e();let r=this.read();return r===null?e():{done:!1,value:r}};return this.once("end",e),this.once(_i,e),this.once(w,e),{next:i,throw:e,return:e,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(t){if(this[w])return t?this.emit("error",t):this.emit(w),this;this[w]=!0,this[C]=!0,this[b].length=0,this[_]=0;let e=this;return typeof e.close=="function"&&!this[Ne]&&e.close(),t?this.emit("error",t):this.emit(w),this}static get isStream(){return Wr}};var Jr=I.writev,ht=Symbol("_autoClose"),H=Symbol("_close"),te=Symbol("_ended"),u=Symbol("_fd"),Ni=Symbol("_finished"),tt=Symbol("_flags"),Ai=Symbol("_flush"),ki=Symbol("_handleChunk"),vi=Symbol("_makeBuf"),ie=Symbol("_mode"),ke=Symbol("_needDrain"),Ut=Symbol("_onerror"),Ht=Symbol("_onopen"),Ii=Symbol("_onread"),Pt=Symbol("_onwrite"),at=Symbol("_open"),U=Symbol("_path"),ot=Symbol("_pos"),Y=Symbol("_queue"),zt=Symbol("_read"),Ci=Symbol("_readSize"),j=Symbol("_reading"),ee=Symbol("_remain"),Fi=Symbol("_size"),ve=Symbol("_write"),gt=Symbol("_writing"),Me=Symbol("_defaultFlag"),bt=Symbol("_errored"),_t=class extends A{[bt]=!1;[u];[U];[Ci];[j]=!1;[Fi];[ee];[ht];constructor(t,e){if(e=e||{},super(e),this.readable=!0,this.writable=!1,typeof t!="string")throw new TypeError("path must be a string");this[bt]=!1,this[u]=typeof e.fd=="number"?e.fd:void 0,this[U]=t,this[Ci]=e.readSize||16*1024*1024,this[j]=!1,this[Fi]=typeof e.size=="number"?e.size:1/0,this[ee]=this[Fi],this[ht]=typeof e.autoClose=="boolean"?e.autoClose:!0,typeof this[u]=="number"?this[zt]():this[at]()}get fd(){return this[u]}get path(){return this[U]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[at](){I.open(this[U],"r",(t,e)=>this[Ht](t,e))}[Ht](t,e){t?this[Ut](t):(this[u]=e,this.emit("open",e),this[zt]())}[vi](){return Buffer.allocUnsafe(Math.min(this[Ci],this[ee]))}[zt](){if(!this[j]){this[j]=!0;let t=this[vi]();if(t.length===0)return process.nextTick(()=>this[Ii](null,0,t));I.read(this[u],t,0,t.length,null,(e,i,r)=>this[Ii](e,i,r))}}[Ii](t,e,i){this[j]=!1,t?this[Ut](t):this[ki](e,i)&&this[zt]()}[H](){if(this[ht]&&typeof this[u]=="number"){let t=this[u];this[u]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}[Ut](t){this[j]=!0,this[H](),this.emit("error",t)}[ki](t,e){let i=!1;return this[ee]-=t,t>0&&(i=super.write(tthis[Ht](t,e))}[Ht](t,e){this[Me]&&this[tt]==="r+"&&t&&t.code==="ENOENT"?(this[tt]="w",this[at]()):t?this[Ut](t):(this[u]=e,this.emit("open",e),this[gt]||this[Ai]())}end(t,e){return t&&this.write(t,e),this[te]=!0,!this[gt]&&!this[Y].length&&typeof this[u]=="number"&&this[Pt](null,0),this}write(t,e){return typeof t=="string"&&(t=Buffer.from(t,e)),this[te]?(this.emit("error",new Error("write() after end()")),!1):this[u]===void 0||this[gt]||this[Y].length?(this[Y].push(t),this[ke]=!0,!1):(this[gt]=!0,this[ve](t),!0)}[ve](t){I.write(this[u],t,0,t.length,this[ot],(e,i)=>this[Pt](e,i))}[Pt](t,e){t?this[Ut](t):(this[ot]!==void 0&&typeof e=="number"&&(this[ot]+=e),this[Y].length?this[Ai]():(this[gt]=!1,this[te]&&!this[Ni]?(this[Ni]=!0,this[H](),this.emit("finish")):this[ke]&&(this[ke]=!1,this.emit("drain"))))}[Ai](){if(this[Y].length===0)this[te]&&this[Pt](null,0);else if(this[Y].length===1)this[ve](this[Y].pop());else{let t=this[Y];this[Y]=[],Jr(this[u],t,this[ot],(e,i)=>this[Pt](e,i))}}[H](){if(this[ht]&&typeof this[u]=="number"){let t=this[u];this[u]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}},Wt=class extends et{[at](){let t;if(this[Me]&&this[tt]==="r+")try{t=I.openSync(this[U],this[tt],this[ie])}catch(e){if(e?.code==="ENOENT")return this[tt]="w",this[at]();throw e}else t=I.openSync(this[U],this[tt],this[ie]);this[Ht](null,t)}[H](){if(this[ht]&&typeof this[u]=="number"){let t=this[u];this[u]=void 0,I.closeSync(t),this.emit("close")}}[ve](t){let e=!0;try{this[Pt](null,I.writeSync(this[u],t,0,t.length,this[ot])),e=!1}finally{if(e)try{this[H]()}catch{}}}};import cr from"node:path";import Kt from"node:fs";import{dirname as Fn,parse as kn}from"path";var jr=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),Fs=s=>!!s.sync&&!!s.file,ks=s=>!s.sync&&!!s.file,vs=s=>!!s.sync&&!s.file,Ms=s=>!s.sync&&!s.file;var Bs=s=>!!s.file;var tn=s=>{let t=jr.get(s);return t||s},se=(s={})=>{if(!s)return{};let t={};for(let[e,i]of Object.entries(s)){let r=tn(e);t[r]=i}return t.chmod===void 0&&t.noChmod===!1&&(t.chmod=!0),delete t.noChmod,t};var K=(s,t,e,i,r)=>Object.assign((n=[],o,h)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(h=o,o=void 0),o=o?Array.from(o):[];let a=se(n);if(r?.(a,o),Fs(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return s(a,o)}else if(ks(a)){let l=t(a,o);return h?l.then(()=>h(),h):l}else if(vs(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return e(a,o)}else if(Ms(a)){if(typeof h=="function")throw new TypeError("callback only supported with file option");return i(a,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:t,syncNoFile:e,asyncNoFile:i,validate:r});import{EventEmitter as Dn}from"events";import zi from"assert";import{Buffer as Ot}from"buffer";import*as Ps from"zlib";import en from"zlib";var sn=en.constants||{ZLIB_VERNUM:4736},M=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},sn));var rn=Ot.concat,zs=Object.getOwnPropertyDescriptor(Ot,"concat"),nn=s=>s,Bi=zs?.writable===!0||zs?.set!==void 0?s=>{Ot.concat=s?nn:rn}:s=>{},Tt=Symbol("_superWrite"),Gt=class extends Error{code;errno;constructor(t,e){super("zlib: "+t.message,{cause:t}),this.code=t.code,this.errno=t.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+t.message,Error.captureStackTrace(this,e??this.constructor)}get name(){return"ZlibError"}},Pi=Symbol("flushFlag"),re=class extends A{#t=!1;#i=!1;#s;#n;#r;#e;#o;get sawError(){return this.#t}get handle(){return this.#e}get flushFlag(){return this.#s}constructor(t,e){if(!t||typeof t!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(t),this.#s=t.flush??0,this.#n=t.finishFlush??0,this.#r=t.fullFlushFlag??0,typeof Ps[e]!="function")throw new TypeError("Compression method not supported: "+e);try{this.#e=new Ps[e](t)}catch(i){throw new Gt(i,this.constructor)}this.#o=i=>{this.#t||(this.#t=!0,this.close(),this.emit("error",i))},this.#e?.on("error",i=>this.#o(new Gt(i))),this.once("end",()=>this.close)}close(){this.#e&&(this.#e.close(),this.#e=void 0,this.emit("close"))}reset(){if(!this.#t)return zi(this.#e,"zlib binding closed"),this.#e.reset?.()}flush(t){this.ended||(typeof t!="number"&&(t=this.#r),this.write(Object.assign(Ot.alloc(0),{[Pi]:t})))}end(t,e,i){return typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&(e?this.write(t,e):this.write(t)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Tt](t){return super.write(t)}write(t,e,i){if(typeof e=="function"&&(i=e,e="utf8"),typeof t=="string"&&(t=Ot.from(t,e)),this.#t)return;zi(this.#e,"zlib binding closed");let r=this.#e._handle,n=r.close;r.close=()=>{};let o=this.#e.close;this.#e.close=()=>{},Bi(!0);let h;try{let l=typeof t[Pi]=="number"?t[Pi]:this.#s;h=this.#e._processChunk(t,l),Bi(!1)}catch(l){Bi(!1),this.#o(new Gt(l,this.write))}finally{this.#e&&(this.#e._handle=r,r.close=n,this.#e.close=o,this.#e.removeAllListeners("error"))}this.#e&&this.#e.on("error",l=>this.#o(new Gt(l,this.write)));let a;if(h)if(Array.isArray(h)&&h.length>0){let l=h[0];a=this[Tt](Ot.from(l));for(let c=1;c{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(t,e)}finally{this.handle.flush=i}this.handle&&(this.#t=t,this.#i=e)}}}};var ze=class extends Pe{#t;constructor(t){super(t,"Gzip"),this.#t=t&&!!t.portable}[Tt](t){return this.#t?(this.#t=!1,t[9]=255,super[Tt](t)):super[Tt](t)}};var Ue=class extends Pe{constructor(t){super(t,"Unzip")}},He=class extends re{constructor(t,e){t=t||{},t.flush=t.flush||M.BROTLI_OPERATION_PROCESS,t.finishFlush=t.finishFlush||M.BROTLI_OPERATION_FINISH,t.fullFlushFlag=M.BROTLI_OPERATION_FLUSH,super(t,e)}},We=class extends He{constructor(t){super(t,"BrotliCompress")}},Ge=class extends He{constructor(t){super(t,"BrotliDecompress")}},Ze=class extends re{constructor(t,e){t=t||{},t.flush=t.flush||M.ZSTD_e_continue,t.finishFlush=t.finishFlush||M.ZSTD_e_end,t.fullFlushFlag=M.ZSTD_e_flush,super(t,e)}},Ye=class extends Ze{constructor(t){super(t,"ZstdCompress")}},Ke=class extends Ze{constructor(t){super(t,"ZstdDecompress")}};import{posix as Zt}from"node:path";var Us=(s,t)=>{if(Number.isSafeInteger(s))s<0?an(s,t):hn(s,t);else throw Error("cannot encode number outside of javascript safe integer range");return t},hn=(s,t)=>{t[0]=128;for(var e=t.length;e>1;e--)t[e-1]=s&255,s=Math.floor(s/256)},an=(s,t)=>{t[0]=255;var e=!1;s=s*-1;for(var i=t.length;i>1;i--){var r=s&255;s=Math.floor(s/256),e?t[i-1]=Ws(r):r===0?t[i-1]=0:(e=!0,t[i-1]=Gs(r))}},Hs=s=>{let t=s[0],e=t===128?cn(s.subarray(1,s.length)):t===255?ln(s):null;if(e===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(e))throw Error("parsed number outside of javascript safe integer range");return e},ln=s=>{for(var t=s.length,e=0,i=!1,r=t-1;r>-1;r--){var n=Number(s[r]),o;i?o=Ws(n):n===0?o=n:(i=!0,o=Gs(n)),o!==0&&(e-=o*Math.pow(256,t-r-1))}return e},cn=s=>{for(var t=s.length,e=0,i=t-1;i>-1;i--){var r=Number(s[i]);r!==0&&(e+=r*Math.pow(256,t-i-1))}return e},Ws=s=>(255^s)&255,Gs=s=>(255^s)+1&255;var Hi={};Ur(Hi,{code:()=>Ve,isCode:()=>ne,isName:()=>dn,name:()=>oe,normalFsTypes:()=>Ui});var ne=s=>oe.has(s),dn=s=>Ve.has(s),Ui=new Set(["0","","1","2","3","4","5","6","7","D"]),oe=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]),Ve=new Map(Array.from(oe).map(s=>[s[1],s[0]]));var mn=s=>s===void 0||s<0?void 0:s,F=class{cksumValid=!1;needPax=!1;nullBlock=!1;block;path;mode;uid;gid;size;cksum;#t="Unsupported";linkpath;uname;gname;devmaj=0;devmin=0;atime;ctime;mtime;charset;comment;constructor(t,e=0,i,r){Buffer.isBuffer(t)?this.decode(t,e||0,i,r):t&&this.#i(t)}decode(t,e,i,r){if(e||(e=0),!t||!(t.length>=e+512))throw new Error("need 512 bytes for header");let n=xt(t,e+156,1),o=Ui.has(n),h=o?i:void 0,a=o?r:void 0;if(this.path=h?.path??xt(t,e,100),this.mode=h?.mode??a?.mode??lt(t,e+100,8),this.uid=h?.uid??a?.uid??lt(t,e+108,8),this.gid=h?.gid??a?.gid??lt(t,e+116,8),this.size=mn(h?.size??a?.size??lt(t,e+124,12)),this.mtime=h?.mtime??a?.mtime??Wi(t,e+136,12),this.cksum=lt(t,e+148,12),a&&this.#i(a,!0),h&&this.#i(h),ne(n)&&(this.#t=n||"0"),this.#t==="0"&&this.path.slice(-1)==="/"&&(this.#t="5"),this.#t==="5"&&(this.size=0),this.linkpath=xt(t,e+157,100),t.subarray(e+257,e+265).toString()==="ustar\x0000")if(this.uname=h?.uname??a?.uname??xt(t,e+265,32),this.gname=h?.gname??a?.gname??xt(t,e+297,32),this.devmaj=h?.devmaj??a?.devmaj??lt(t,e+329,8)??0,this.devmin=h?.devmin??a?.devmin??lt(t,e+337,8)??0,t[e+475]!==0){let c=xt(t,e+345,155);this.path=c+"/"+this.path}else{let c=xt(t,e+345,130);c&&(this.path=c+"/"+this.path),this.atime=i?.atime??r?.atime??Wi(t,e+476,12),this.ctime=i?.ctime??r?.ctime??Wi(t,e+488,12)}let l=256;for(let c=e;c!(r==null||i==="size"&&Number(r)<0||i==="path"&&e||i==="linkpath"&&e||i==="global"))))}encode(t,e=0){if(t||(t=this.block=Buffer.alloc(512)),this.#t==="Unsupported"&&(this.#t="0"),!(t.length>=e+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=un(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Lt(t,e,100,n)||this.needPax,this.needPax=ct(t,e+100,8,this.mode)||this.needPax,this.needPax=ct(t,e+108,8,this.uid)||this.needPax,this.needPax=ct(t,e+116,8,this.gid)||this.needPax,this.needPax=ct(t,e+124,12,this.size)||this.needPax,this.needPax=Gi(t,e+136,12,this.mtime)||this.needPax,t[e+156]=Number(this.#t.codePointAt(0)),this.needPax=Lt(t,e+157,100,this.linkpath)||this.needPax,t.write("ustar\x0000",e+257,8),this.needPax=Lt(t,e+265,32,this.uname)||this.needPax,this.needPax=Lt(t,e+297,32,this.gname)||this.needPax,this.needPax=ct(t,e+329,8,this.devmaj)||this.needPax,this.needPax=ct(t,e+337,8,this.devmin)||this.needPax,this.needPax=Lt(t,e+345,i,o)||this.needPax,t[e+475]!==0?this.needPax=Lt(t,e+345,155,o)||this.needPax:(this.needPax=Lt(t,e+345,130,o)||this.needPax,this.needPax=Gi(t,e+476,12,this.atime)||this.needPax,this.needPax=Gi(t,e+488,12,this.ctime)||this.needPax);let h=256;for(let a=e;a{let i=s,r="",n,o=Zt.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Zt.dirname(i),i=Zt.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=t?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=t?n=[i.slice(0,99),r,!0]:(i=Zt.join(Zt.basename(r),i),r=Zt.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},xt=(s,t,e)=>s.subarray(t,t+e).toString("utf8").replace(/\0.*/,""),Wi=(s,t,e)=>pn(lt(s,t,e)),pn=s=>s===void 0?void 0:new Date(s*1e3),lt=(s,t,e)=>Number(s[t])&128?Hs(s.subarray(t,t+e)):wn(s,t,e),En=s=>isNaN(s)?void 0:s,wn=(s,t,e)=>En(parseInt(s.subarray(t,t+e).toString("utf8").replace(/\0.*$/,"").trim(),8)),Sn={12:8589934591,8:2097151},ct=(s,t,e,i)=>i===void 0?!1:i>Sn[e]||i<0?(Us(i,s.subarray(t,t+e)),!0):(yn(s,t,e,i),!1),yn=(s,t,e,i)=>s.write(Rn(i,e),t,e,"ascii"),Rn=(s,t)=>gn(Math.floor(s).toString(8),t),gn=(s,t)=>(s.length===t-1?s:new Array(t-s.length-1).join("0")+s+" ")+"\0",Gi=(s,t,e,i)=>i===void 0?!1:ct(s,t,e,i.getTime()/1e3),bn=new Array(156).join("\0"),Lt=(s,t,e,i)=>i===void 0?!1:(s.write(i+bn,t,e,"utf8"),i.length!==Buffer.byteLength(i)||i.length>e);import{basename as _n}from"node:path";var ft=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(t,e=!1){this.atime=t.atime,this.charset=t.charset,this.comment=t.comment,this.ctime=t.ctime,this.dev=t.dev,this.gid=t.gid,this.global=e,this.gname=t.gname,this.ino=t.ino,this.linkpath=t.linkpath,this.mtime=t.mtime,this.nlink=t.nlink,this.path=t.path,this.size=t.size,this.uid=t.uid,this.uname=t.uname}encode(){let t=this.encodeBody();if(t==="")return Buffer.allocUnsafe(0);let e=Buffer.byteLength(t),i=512*Math.ceil(1+e/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new F({path:("PaxHeader/"+_n(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:e,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(t,512,e,"utf8");for(let n=e+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(t,e,i=!1){return new s(On(Tn(t),e),i)}},On=(s,t)=>t?Object.assign({},t,s):s,Tn=s=>s.replace(/\n$/,"").split(`
+`).reduce(xn,Object.create(null)),xn=(s,t)=>{let e=parseInt(t,10);if(e!==Buffer.byteLength(t)+1)return s;t=t.slice((e+" ").length);let i=t.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=").replace(/\0.*/,"");switch(n){case"path":case"linkpath":case"type":case"charset":case"comment":case"gname":case"uname":s[n]=o;break;case"ctime":case"atime":case"mtime":s[n]=new Date(Number(o)*1e3);break;case"size":let h=+o;h>=0&&(s[n]=h);break;case"gid":case"uid":case"dev":case"ino":case"nlink":case"mode":s[n]=+o;break}return s};var Ln=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,f=Ln!=="win32"?s=>String(s):s=>String(s).replaceAll(/\\/g,"/");var $e=class extends A{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(t,e,i){switch(super({}),this.pause(),this.extended=e,this.globalExtended=i,this.header=t,this.remain=t.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=t.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!t.path)throw new Error("no path provided for tar.ReadEntry");this.path=f(t.path),this.mode=t.mode,this.mode&&(this.mode=this.mode&4095),this.uid=t.uid,this.gid=t.gid,this.uname=t.uname,this.gname=t.gname,this.size=this.remain,this.mtime=t.mtime,this.atime=t.atime,this.ctime=t.ctime,this.linkpath=t.linkpath?f(t.linkpath):void 0,this.uname=t.uname,this.gname=t.gname,e&&this.#t(e),i&&this.#t(i,!0)}write(t){let e=t.length;if(e>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-e),this.blockRemain=Math.max(0,r-e),this.ignore?!0:i>=e?super.write(t):super.write(t.subarray(0,i))}#t(t,e=!1){t.path&&(t.path=f(t.path)),t.linkpath&&(t.linkpath=f(t.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(t).filter(([i,r])=>!(r==null||i==="path"&&e))))}};var Dt=(s,t,e,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=e instanceof Error&&e.code||t,i.tarCode=t,!s.strict&&i.recoverable!==!1?(e instanceof Error&&(i=Object.assign(e,i),e=e.message),s.emit("warn",t,e,i)):e instanceof Error?s.emit("error",Object.assign(e,i)):s.emit("error",Object.assign(new Error(`${t}: ${e}`),i))};var Nn=1024*1024,Xi=Buffer.from([31,139]),qi=Buffer.from([40,181,47,253]),An=Math.max(Xi.length,qi.length),B=Symbol("state"),Nt=Symbol("writeEntry"),it=Symbol("readEntry"),Zi=Symbol("nextEntry"),Zs=Symbol("processEntry"),V=Symbol("extendedHeader"),he=Symbol("globalExtendedHeader"),dt=Symbol("meta"),Ys=Symbol("emitMeta"),p=Symbol("buffer"),st=Symbol("queue"),mt=Symbol("ended"),Yi=Symbol("emittedEnd"),At=Symbol("emit"),y=Symbol("unzip"),Xe=Symbol("consumeChunk"),qe=Symbol("consumeChunkSub"),Ki=Symbol("consumeBody"),Ks=Symbol("consumeMeta"),Vs=Symbol("consumeHeader"),ae=Symbol("consuming"),Vi=Symbol("bufferConcat"),Qe=Symbol("maybeEnd"),Yt=Symbol("writing"),$=Symbol("aborted"),Je=Symbol("onDone"),It=Symbol("sawValidEntry"),je=Symbol("sawNullBlock"),ti=Symbol("sawEOF"),$s=Symbol("closeStream"),In=1e3,le=Symbol("compressedBytesRead"),$i=Symbol("decompressedBytesRead"),Xs=Symbol("checkDecompressionRatio"),Cn=()=>!0,rt=class extends Dn{file;strict;maxMetaEntrySize;filter;brotli;zstd;maxDecompressionRatio;writable=!0;readable=!1;[st]=[];[p];[it];[Nt];[B]="begin";[dt]="";[V];[he];[mt]=!1;[y];[$]=!1;[It];[je]=!1;[ti]=!1;[Yt]=!1;[ae]=!1;[Yi]=!1;[le]=0;[$i]=0;constructor(t={}){super(),this.file=t.file||"",this.on(Je,()=>{(this[B]==="begin"||this[It]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),t.ondone?this.on(Je,t.ondone):this.on(Je,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!t.strict,this.maxDecompressionRatio=typeof t.maxDecompressionRatio=="number"?t.maxDecompressionRatio:In,this.maxMetaEntrySize=t.maxMetaEntrySize||Nn,this.filter=typeof t.filter=="function"?t.filter:Cn;let e=t.file&&(t.file.endsWith(".tar.br")||t.file.endsWith(".tbr"));this.brotli=!(t.gzip||t.zstd)&&t.brotli!==void 0?t.brotli:e?void 0:!1;let i=t.file&&(t.file.endsWith(".tar.zst")||t.file.endsWith(".tzst"));this.zstd=!(t.gzip||t.brotli)&&t.zstd!==void 0?t.zstd:i?!0:void 0,this.on("end",()=>this[$s]()),typeof t.onwarn=="function"&&this.on("warn",t.onwarn),typeof t.onReadEntry=="function"&&this.on("entry",t.onReadEntry)}warn(t,e,i={}){Dt(this,t,e,i)}[Vs](t,e){this[It]===void 0&&(this[It]=!1);let i;try{i=new F(t,e,this[V],this[he])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[je]?(this[ti]=!0,this[B]==="begin"&&(this[B]="header"),this[At]("eof")):(this[je]=!0,this[At]("nullBlock"));else if(this[je]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[Nt]=new $e(i,this[V],this[he]);if(!this[It])if(n.remain){let o=()=>{n.invalid||(this[It]=!0)};n.on("end",o)}else this[It]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[At]("ignoredEntry",n),this[B]="ignore",n.resume()):n.size>0&&(this[dt]="",n.on("data",o=>this[dt]+=o),this[B]="meta"):(this[V]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[At]("ignoredEntry",n),this[B]=n.remain?"ignore":"header",n.resume()):(n.remain?this[B]="body":(this[B]="header",n.end()),this[it]?this[st].push(n):(this[st].push(n),this[Zi]())))}}}[$s](){queueMicrotask(()=>this.emit("close"))}[Zs](t){let e=!0;if(!t)this[it]=void 0,e=!1;else if(Array.isArray(t)){let[i,...r]=t;this.emit(i,...r)}else this[it]=t,this.emit("entry",t),t.emittedEnd||(t.on("end",()=>this[Zi]()),e=!1);return e}[Zi](){do;while(this[Zs](this[st].shift()));if(this[st].length===0){let t=this[it];!t||t.flowing||t.size===t.remain?this[Yt]||this.emit("drain"):t.once("drain",()=>this.emit("drain"))}}[Ki](t,e){let i=this[Nt];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=t.length&&e===0?t:t.subarray(e,e+r);return i.write(n),i.blockRemain||(this[B]="header",this[Nt]=void 0,i.end()),n.length}[Ks](t,e){let i=this[Nt],r=this[Ki](t,e);return!this[Nt]&&i&&this[Ys](i),r}[At](t,e,i){this[st].length===0&&!this[it]?this.emit(t,e,i):this[st].push([t,e,i])}[Ys](t){switch(this[At]("meta",this[dt]),t.type){case"ExtendedHeader":case"OldExtendedHeader":this[V]=ft.parse(this[dt],this[V],!1);break;case"GlobalExtendedHeader":this[he]=ft.parse(this[dt],this[he],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let e=this[V]??Object.create(null);this[V]=e,e.path=this[dt].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let e=this[V]||Object.create(null);this[V]=e,e.linkpath=this[dt].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+t.type)}}abort(t){this[$]||(this[$]=!0,this.emit("abort",t),this.warn("TAR_ABORT",t,{recoverable:!1}))}[Xs](t){this[$i]+=t.length;let e=this[$i]/this[le];return e>this.maxDecompressionRatio?(this.abort(new Error(`max decompression ratio exceeded: ${e.toFixed(2)} > ${this.maxDecompressionRatio}`)),!1):!0}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this[$])return i?.(),!1;if((this[y]===void 0||this.brotli===void 0&&this[y]===!1)&&t){if(this[p]&&(t=Buffer.concat([this[p],t]),this[p]=void 0),t.length{this[Xs](c)&&this[Xe](c)}),this[y].on("error",c=>{this[$]||this.abort(c)}),this[y].on("end",()=>{this[mt]=!0,this[Xe]()}),this[Yt]=!0,this[le]+=t.length;let l=!!this[y][a?"end":"write"](t);return this[Yt]=!1,i?.(),l}}this[Yt]=!0,this[y]?(this[le]+=t.length,this[y].write(t)):this[Xe](t),this[Yt]=!1;let n=this[st].length>0?!1:this[it]?this[it].flowing:!0;return!n&&this[st].length===0&&this[it]?.once("drain",()=>this.emit("drain")),i?.(),n}[Vi](t){t&&!this[$]&&(this[p]=this[p]?Buffer.concat([this[p],t]):t)}[Qe](){if(this[mt]&&!this[Yi]&&!this[$]&&!this[ae]){this[Yi]=!0;let t=this[Nt];if(t?.blockRemain){let e=this[p]?this[p].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${t.blockRemain} more bytes, only ${e} available)`,{entry:t}),this[p]&&t.write(this[p]),t.end()}this[At](Je)}}[Xe](t){if(this[ae]&&t)this[Vi](t);else if(!t&&!this[p])this[Qe]();else if(t){if(this[ae]=!0,this[p]){this[Vi](t);let e=this[p];this[p]=void 0,this[qe](e)}else this[qe](t);for(;this[p]&&this[p]?.length>=512&&!this[$]&&!this[ti];){let e=this[p];this[p]=void 0,this[qe](e)}this[ae]=!1}(!this[p]||this[mt])&&this[Qe]()}[qe](t){let e=0,i=t.length;for(;e+512<=i&&!this[$]&&!this[ti];)switch(this[B]){case"begin":case"header":this[Vs](t,e),e+=512;break;case"ignore":case"body":e+=this[Ki](t,e);break;case"meta":e+=this[Ks](t,e);break;default:throw new Error("invalid state: "+this[B])}e{let t=s.length-1,e=-1;for(;t>-1&&s.charAt(t)==="/";)e=t,t--;return e===-1?s:s.slice(0,e)};var vn=s=>{let t=s.onReadEntry;s.onReadEntry=t?e=>{t(e),e.resume()}:e=>e.resume()},Qi=(s,t)=>{let e=new Map(t.map(n=>[ut(n),!0])),i=s.filter,r=(n,o="")=>{let h=o||kn(n).root||".",a;if(n===h)a=!1;else{let l=e.get(n);a=l!==void 0?l:r(Fn(n),h)}return e.set(n,a),a};s.filter=i?(n,o)=>i(n,o)&&r(ut(n)):n=>r(ut(n))},Mn=s=>{let t=new rt(s),e=s.file,i;try{i=Kt.openSync(e,"r");let r=Kt.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let e=new rt(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("end",o),Kt.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},Ct=K(Mn,Bn,s=>new rt(s),s=>new rt(s),(s,t)=>{t?.length&&Qi(s,t),s.noResume||vn(s)});import ui from"fs";import X from"fs";import js from"path";var Ji=(s,t,e)=>(s&=4095,e&&(s=(s|384)&-19),t&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);import{win32 as Pn}from"node:path";var{isAbsolute:zn,parse:qs}=Pn,ce=s=>{let t="",e=qs(s);for(;zn(s)||e.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":e.root;s=s.slice(i.length),t+=i,e=qs(s)}return[t,s]};var ei=["|","<",">","?",":"],ji=ei.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),Un=new Map(ei.map((s,t)=>[s,ji[t]])),Hn=new Map(ji.map((s,t)=>[s,ei[t]])),ts=s=>ei.reduce((t,e)=>t.split(e).join(Un.get(e)),s),Qs=s=>ji.reduce((t,e)=>t.split(e).join(Hn.get(e)),s);var rr=(s,t)=>t?(s=f(s).replace(/^\.(\/|$)/,""),ut(t)+"/"+s):f(s),Wn=16*1024*1024,tr=Symbol("process"),er=Symbol("file"),ir=Symbol("directory"),is=Symbol("symlink"),sr=Symbol("hardlink"),fe=Symbol("header"),ii=Symbol("read"),ss=Symbol("lstat"),si=Symbol("onlstat"),rs=Symbol("onread"),ns=Symbol("onreadlink"),os=Symbol("openfile"),hs=Symbol("onopenfile"),pt=Symbol("close"),ri=Symbol("mode"),as=Symbol("awaitDrain"),es=Symbol("ondrain"),q=Symbol("prefix"),de=class extends A{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#t=!1;constructor(t,e={}){let i=se(e);super(),this.path=f(t),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||Wn,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=f(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?f(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,h]=ce(this.path);o&&typeof h=="string"&&(this.path=h,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=Qs(this.path.replaceAll(/\\/g,"/")),t=t.replaceAll(/\\/g,"/")),this.absolute=f(i.absolute||js.resolve(this.cwd,t)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[si](n):this[ss]()}warn(t,e,i={}){return Dt(this,t,e,i)}emit(t,...e){return t==="error"&&(this.#t=!0),super.emit(t,...e)}[ss](){X.lstat(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[si](e)})}[si](t){this.statCache.set(this.absolute,t),this.stat=t,t.isFile()||(t.size=0),this.type=Gn(t),this.emit("stat",t),this[tr]()}[tr](){switch(this.type){case"File":return this[er]();case"Directory":return this[ir]();case"SymbolicLink":return this[is]();default:return this.end()}}[ri](t){return Ji(t,this.type==="Directory",this.portable)}[q](t){return rr(t,this.prefix)}[fe](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new F({path:this[q](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[q](this.linkpath):this.linkpath,mode:this[ri](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new ft({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[q](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[q](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let t=this.header?.block;if(!t)throw new Error("failed to encode header");super.write(t)}[ir](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[fe](),this.end()}[is](){X.readlink(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ns](e)})}[ns](t){this.linkpath=f(t),this[fe](),this.end()}[sr](t){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=f(js.relative(this.cwd,t)),this.stat.size=0,this[fe](),this.end()}[er](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let t=`${this.stat.dev}:${this.stat.ino}`,e=this.linkCache.get(t);if(e?.indexOf(this.cwd)===0)return this[sr](e);this.linkCache.set(t,this.absolute)}if(this[fe](),this.stat.size===0)return this.end();this[os]()}[os](){X.open(this.absolute,"r",(t,e)=>{if(t)return this.emit("error",t);this[hs](e)})}[hs](t){if(this.fd=t,this.#t)return this[pt]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let e=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(e),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[ii]()}[ii](){let{fd:t,buf:e,offset:i,length:r,pos:n}=this;if(t===void 0||e===void 0)throw new Error("cannot read file without first opening");X.read(t,e,i,r,n,(o,h)=>{if(o)return this[pt](()=>this.emit("error",o));this[rs](h)})}[pt](t=()=>{}){this.fd!==void 0&&X.close(this.fd,t)}[rs](t){if(t<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(t>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(t===this.remain)for(let r=t;rthis[es]())}[as](t){this.once("drain",t)}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this.blockRemaint?this.emit("error",t):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[ii]()}},ni=class extends de{sync=!0;[ss](){this[si](X.lstatSync(this.absolute))}[is](){this[ns](X.readlinkSync(this.absolute))}[os](){this[hs](X.openSync(this.absolute,"r"))}[ii](){let t=!0;try{let{fd:e,buf:i,offset:r,length:n,pos:o}=this;if(e===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let h=X.readSync(e,i,r,n,o);this[rs](h),t=!1}finally{if(t)try{this[pt](()=>{})}catch{}}}[as](t){t()}[pt](t=()=>{}){this.fd!==void 0&&X.closeSync(this.fd),t()}},oi=class extends A{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(t,e,i={}){return Dt(this,t,e,i)}constructor(t,e={}){let i=se(e);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=t;let{type:r}=t;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=f(t.path),this.mode=t.mode!==void 0?this[ri](t.mode):void 0,this.uid=this.portable?void 0:t.uid,this.gid=this.portable?void 0:t.gid,this.uname=this.portable?void 0:t.uname,this.gname=this.portable?void 0:t.gname,this.size=t.size,this.mtime=this.noMtime?void 0:i.mtime||t.mtime,this.atime=this.portable?void 0:t.atime,this.ctime=this.portable?void 0:t.ctime,this.linkpath=t.linkpath!==void 0?f(t.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[h,a]=ce(this.path);h&&typeof a=="string"&&(this.path=a,n=h)}this.remain=t.size,this.blockRemain=t.startBlockSize,this.onWriteEntry?.(this),this.header=new F({path:this[q](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[q](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new ft({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[q](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[q](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),t.pipe(this)}[q](t){return rr(t,this.prefix)}[ri](t){return Ji(t,this.type==="Directory",this.portable)}write(t,e,i){typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8"));let r=t.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(t,i)}end(t,e,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,e??"utf8")),i&&this.once("finish",i),t?super.end(t,i):super.end(i),this}},Gn=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported";var hi=class s{tail;head;length=0;static create(t=[]){return new s(t)}constructor(t=[]){for(let e of t)this.push(e)}*[Symbol.iterator](){for(let t=this.head;t;t=t.next)yield t.value}removeNode(t){if(t.list!==this)throw new Error("removing node which does not belong to this list");let e=t.next,i=t.prev;return e&&(e.prev=i),i&&(i.next=e),t===this.head&&(this.head=e),t===this.tail&&(this.tail=i),this.length--,t.next=void 0,t.prev=void 0,t.list=void 0,e}unshiftNode(t){if(t===this.head)return;t.list&&t.list.removeNode(t);let e=this.head;t.list=this,t.next=e,e&&(e.prev=t),this.head=t,this.tail||(this.tail=t),this.length++}pushNode(t){if(t===this.tail)return;t.list&&t.list.removeNode(t);let e=this.tail;t.list=this,t.prev=e,e&&(e.next=t),this.tail=t,this.head||(this.head=t),this.length++}push(...t){for(let e=0,i=t.length;e1)i=e;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=t(i,r.value,n),r=r.next;return i}reduceReverse(t,e){let i,r=this.tail;if(arguments.length>1)i=e;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=t(i,r.value,n),r=r.prev;return i}toArray(){let t=new Array(this.length);for(let e=0,i=this.head;i;e++)t[e]=i.value,i=i.next;return t}toArrayReverse(){let t=new Array(this.length);for(let e=0,i=this.tail;i;e++)t[e]=i.value,i=i.prev;return t}slice(t=0,e=this.length){e<0&&(e+=this.length),t<0&&(t+=this.length);let i=new s;if(ethis.length&&(e=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(e=this.length);let r=this.length,n=this.tail;for(;n&&r>e;r--)n=n.prev;for(;n&&r>t;r--,n=n.prev)i.push(n.value);return i}splice(t,e=0,...i){t>this.length&&(t=this.length-1),t<0&&(t=this.length+t);let r=this.head;for(let o=0;r&&o1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(t.gzip&&(typeof t.gzip!="object"&&(t.gzip={}),this.portable&&(t.gzip.portable=!0),this.zip=new ze(t.gzip)),t.brotli&&(typeof t.brotli!="object"&&(t.brotli={}),this.zip=new We(t.brotli)),t.zstd&&(typeof t.zstd!="object"&&(t.zstd={}),this.zip=new Ye(t.zstd)),!this.zip)throw new Error("impossible");let e=this.zip;e.on("data",i=>super.write(i)),e.on("end",()=>super.end()),e.on("drain",()=>this[fs]()),this.on("resume",()=>e.resume())}else this.on("drain",this[fs]);this.noDirRecurse=!!t.noDirRecurse,this.follow=!!t.follow,this.noMtime=!!t.noMtime,t.mtime&&(this.mtime=t.mtime),this.filter=typeof t.filter=="function"?t.filter:()=>!0,this[W]=new hi,this[G]=0,this.jobs=Number(t.jobs)||4,this[Ee]=!1,this[ue]=!1}[lr](t){return super.write(t)}add(t){return this.write(t),this}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&this.add(t),this[ue]=!0,this[Ft](),i&&i(),this}write(t){if(this[ue])throw new Error("write after end");return typeof t=="string"?this[ci](t):this[or](t),this.flowing}[or](t){let e=f(ar.resolve(this.cwd,t.path));if(!this.filter(t.path,t))t.resume();else{let i=new pi(t.path,e);i.entry=new oi(t,this[cs](i)),i.entry.on("end",()=>this[ls](i)),this[G]+=1,this[W].push(i)}this[Ft]()}[ci](t){let e=f(ar.resolve(this.cwd,t));this[W].push(new pi(t,e)),this[Ft]()}[ds](t){t.pending=!0,this[G]+=1;let e=this.follow?"stat":"lstat";ui[e](t.absolute,(i,r)=>{t.pending=!1,this[G]-=1,i?this.emit("error",i):this[li](t,r)})}[li](t,e){if(this.statCache.set(t.absolute,e),t.stat=e,!this.filter(t.path,e))t.ignore=!0;else if(e.isFile()&&e.nlink>1&&!this.linkCache.get(`${e.dev}:${e.ino}`)&&!this.sync)if(t===this[Et])this[ai](t);else{let i=`${e.dev}:${e.ino}`,r=this[pe].get(i);r?r.push(t):this[pe].set(i,[t]),t.pendingLink=!0,t.pending=!0}this[Ft]()}[ms](t){t.pending=!0,this[G]+=1,ui.readdir(t.absolute,(e,i)=>{if(t.pending=!1,this[G]-=1,e)return this.emit("error",e);this[fi](t,i)})}[fi](t,e){this.readdirCache.set(t.absolute,e),t.readdir=e,this[Ft]()}[Ft](){if(!this[Ee]){this[Ee]=!0;for(let t=this[W].head;t&&this[G]1){let i=`${e.dev}:${e.ino}`,r=this[pe].get(i);if(r){this[pe].delete(i);for(let n of r)n.pending=!1,this[ai](n)}}this[Ft]()}[ai](t){if(t.pending&&t.pendingLink&&t===this[Et]&&(t.pending=!1,t.pendingLink=!1),!t.pending){if(t.entry){t===this[Et]&&!t.piped&&this[di](t);return}if(!t.stat){let e=this.statCache.get(t.absolute);e?this[li](t,e):this[ds](t)}if(t.stat&&!t.ignore){if(!this.noDirRecurse&&t.stat.isDirectory()&&!t.readdir){let e=this.readdirCache.get(t.absolute);if(e?this[fi](t,e):this[ms](t),!t.readdir)return}if(t.entry=this[hr](t),!t.entry){t.ignore=!0;return}t===this[Et]&&!t.piped&&this[di](t)}}}[cs](t){return{onwarn:(e,i,r)=>this.warn(e,i,r),noPax:this.noPax,cwd:this.cwd,absolute:t.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[hr](t){this[G]+=1;try{return new this[mi](t.path,this[cs](t)).on("end",()=>this[ls](t)).on("error",i=>this.emit("error",i))}catch(e){this.emit("error",e)}}[fs](){this[Et]&&this[Et].entry&&this[Et].entry.resume()}[di](t){t.piped=!0,t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[ci](o+r)});let e=t.entry,i=this.zip;if(!e)throw new Error("cannot pipe without source");i?e.on("data",r=>{i.write(r)||e.pause()}):e.on("data",r=>{super.write(r)||e.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(t,e,i={}){Dt(this,t,e,i)}},kt=class extends wt{sync=!0;constructor(t){super(t),this[mi]=ni}pause(){}resume(){}[ds](t){let e=this.follow?"statSync":"lstatSync";this[li](t,ui[e](t.absolute))}[ms](t){this[fi](t,ui.readdirSync(t.absolute))}[di](t){let e=t.entry,i=this.zip;if(t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[ci](o+r)}),!e)throw new Error("Cannot pipe without source");i?e.on("data",r=>{i.write(r)}):e.on("data",r=>{super[lr](r)})}};var Vn=(s,t)=>{let e=new kt(s),i=new Wt(s.file,{mode:s.mode||438});e.pipe(i),fr(e,t)},$n=(s,t)=>{let e=new wt(s),i=new et(s.file,{mode:s.mode||438});e.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),e.on("error",o)});return dr(e,t).catch(n=>e.emit("error",n)),r},fr=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ct({file:cr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},dr=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ct({file:cr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(e);s.end()},Xn=(s,t)=>{let e=new kt(s);return fr(e,t),e},qn=(s,t)=>{let e=new wt(s);return dr(e,t).catch(i=>e.emit("error",i)),e},Qn=K(Vn,$n,Xn,qn,(s,t)=>{if(!t?.length)throw new TypeError("no paths specified to add to archive")});import Br from"node:fs";import co from"node:assert";import{randomBytes as Mr}from"node:crypto";import m from"node:fs";import R from"node:path";import pr from"fs";var Jn=process.env.__FAKE_PLATFORM__||process.platform,Er=Jn==="win32",{O_CREAT:wr,O_NOFOLLOW:mr,O_TRUNC:Sr,O_WRONLY:yr}=pr.constants,Rr=Number(process.env.__FAKE_FS_O_FILENAME__)||pr.constants.UV_FS_O_FILEMAP||0,jn=Er&&!!Rr,to=512*1024,eo=Rr|Sr|wr|yr,ur=!Er&&typeof mr=="number"?mr|Sr|wr|yr:null,us=ur!==null?()=>ur:jn?s=>s"w";import wi from"node:fs";import we from"node:path";var ps=(s,t,e)=>{try{return wi.lchownSync(s,t,e)}catch(i){if(i?.code!=="ENOENT")throw i}},Ei=(s,t,e,i)=>{wi.lchown(s,t,e,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},io=(s,t,e,i,r)=>{if(t.isDirectory())Es(we.resolve(s,t.name),e,i,n=>{if(n)return r(n);let o=we.resolve(s,t.name);Ei(o,e,i,r)});else{let n=we.resolve(s,t.name);Ei(n,e,i,r)}},Es=(s,t,e,i)=>{wi.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return Ei(s,t,e,i);let o=n.length,h=null,a=l=>{if(!h){if(l)return i(h=l);if(--o===0)return Ei(s,t,e,i)}};for(let l of n)io(s,l,t,e,a)})},so=(s,t,e,i)=>{t.isDirectory()&&ws(we.resolve(s,t.name),e,i),ps(we.resolve(s,t.name),e,i)},ws=(s,t,e)=>{let i;try{i=wi.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return ps(s,t,e);throw n}for(let r of i)so(s,r,t,e);return ps(s,t,e)};import k from"node:fs";import ro from"node:fs/promises";import Si from"node:path";var Se=class extends Error{path;code;syscall="chdir";constructor(t,e){super(`${e}: Cannot cd into '${t}'`),this.path=t,this.code=e}get name(){return"CwdError"}};var St=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(t,e){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=t,this.path=e}get name(){return"SymlinkError"}};var no=(s,t)=>{k.stat(s,(e,i)=>{(e||!i.isDirectory())&&(e=new Se(s,e?.code||"ENOTDIR")),t(e)})},gr=(s,t,e)=>{s=f(s);let i=t.umask??18,r=t.mode|448,n=(r&i)!==0,o=t.uid,h=t.gid,a=typeof o=="number"&&typeof h=="number"&&(o!==t.processUid||h!==t.processGid),l=t.preserve,c=t.unlink,d=f(t.cwd),S=(E,x)=>{E?e(E):x&&a?Es(x,o,h,Le=>S(Le)):n?k.chmod(s,r,e):e()};if(s===d)return no(s,S);if(l)return ro.mkdir(s,{mode:r,recursive:!0}).then(E=>S(null,E??void 0),S);let D=f(Si.relative(d,s)).split("/");Ss(d,D,r,c,d,void 0,S)},Ss=(s,t,e,i,r,n,o)=>{if(t.length===0)return o(null,n);let h=t.shift(),a=f(Si.resolve(s+"/"+h));k.mkdir(a,e,br(a,t,e,i,r,n,o))},br=(s,t,e,i,r,n,o)=>h=>{h?k.lstat(s,(a,l)=>{if(a)a.path=a.path&&f(a.path),o(a);else if(l.isDirectory())Ss(s,t,e,i,r,n,o);else if(i)k.unlink(s,c=>{if(c)return o(c);k.mkdir(s,e,br(s,t,e,i,r,n,o))});else{if(l.isSymbolicLink())return o(new St(s,s+"/"+t.join("/")));o(h)}}):(n=n||s,Ss(s,t,e,i,r,n,o))},oo=s=>{let t=!1,e;try{t=k.statSync(s).isDirectory()}catch(i){e=i?.code}finally{if(!t)throw new Se(s,e??"ENOTDIR")}},_r=(s,t)=>{s=f(s);let e=t.umask??18,i=t.mode|448,r=(i&e)!==0,n=t.uid,o=t.gid,h=typeof n=="number"&&typeof o=="number"&&(n!==t.processUid||o!==t.processGid),a=t.preserve,l=t.unlink,c=f(t.cwd),d=E=>{E&&h&&ws(E,n,o),r&&k.chmodSync(s,i)};if(s===c)return oo(c),d();if(a)return d(k.mkdirSync(s,{mode:i,recursive:!0})??void 0);let T=f(Si.relative(c,s)).split("/"),D;for(let E=T.shift(),x=c;E&&(x+="/"+E);E=T.shift()){x=f(Si.resolve(x));try{k.mkdirSync(x,i),D=D||x}catch{let Le=k.lstatSync(x);if(Le.isDirectory())continue;if(l){k.unlinkSync(x),k.mkdirSync(x,i),D=D||x;continue}else if(Le.isSymbolicLink())return new St(x,x+"/"+T.join("/"))}}return d(D)};import{join as xr}from"node:path";var ys=Object.create(null),Or=1e4,Vt=new Set,Tr=s=>{Vt.has(s)?Vt.delete(s):ys[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),Vt.add(s);let t=ys[s],e=Vt.size-Or;if(e>Or/10){for(let i of Vt)if(Vt.delete(i),delete ys[i],--e<=0)break}return t};var ho=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,ao=ho==="win32",lo=s=>s.split("/").slice(0,-1).reduce((e,i)=>{let r=e.at(-1);return r!==void 0&&(i=xr(r,i)),e.push(i||"/"),e},[]),yi=class{#t=new Map;#i=new Map;#s=new Set;reserve(t,e){t=ao?["win32 parallelization disabled"]:t.map(r=>ut(xr(Tr(r))));let i=new Set(t.map(r=>lo(r)).reduce((r,n)=>r.concat(n)));this.#i.set(e,{dirs:i,paths:t});for(let r of t){let n=this.#t.get(r);n?n.push(e):this.#t.set(r,[e])}for(let r of i){let n=this.#t.get(r);if(!n)this.#t.set(r,[new Set([e])]);else{let o=n.at(-1);o instanceof Set?o.add(e):n.push(new Set([e]))}}return this.#r(e)}#n(t){let e=this.#i.get(t);if(!e)throw new Error("function does not have any path reservations");return{paths:e.paths.map(i=>this.#t.get(i)),dirs:[...e.dirs].map(i=>this.#t.get(i))}}check(t){let{paths:e,dirs:i}=this.#n(t);return e.every(r=>r&&r[0]===t)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(t))}#r(t){return this.#s.has(t)||!this.check(t)?!1:(this.#s.add(t),t(()=>this.#e(t)),!0)}#e(t){if(!this.#s.has(t))return!1;let e=this.#i.get(t);if(!e)throw new Error("invalid reservation");let{paths:i,dirs:r}=e,n=new Set;for(let o of i){let h=this.#t.get(o);if(!h||h?.[0]!==t)continue;let a=h[1];if(!a){this.#t.delete(o);continue}if(h.shift(),typeof a=="function")n.add(a);else for(let l of a)n.add(l)}for(let o of r){let h=this.#t.get(o),a=h?.[0];if(!(!h||!(a instanceof Set)))if(a.size===1&&h.length===1){this.#t.delete(o);continue}else if(a.size===1){h.shift();let l=h[0];typeof l=="function"&&n.add(l)}else a.delete(t)}return this.#s.delete(t),n.forEach(o=>this.#r(o)),!0}};var Lr=()=>process.umask();var Dr=Symbol("onEntry"),_s=Symbol("checkFs"),Nr=Symbol("checkFs2"),Os=Symbol("isReusable"),P=Symbol("makeFs"),Ts=Symbol("file"),xs=Symbol("directory"),gi=Symbol("link"),Ar=Symbol("symlink"),Ir=Symbol("hardlink"),Re=Symbol("ensureNoSymlink"),Cr=Symbol("unsupported"),Fr=Symbol("checkPath"),Rs=Symbol("stripAbsolutePath"),yt=Symbol("mkdir"),O=Symbol("onError"),Ri=Symbol("pending"),kr=Symbol("pend"),$t=Symbol("unpend"),gs=Symbol("ended"),bs=Symbol("maybeClose"),Ls=Symbol("skip"),ge=Symbol("doChown"),be=Symbol("uid"),_e=Symbol("gid"),Oe=Symbol("checkedCwd"),fo=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Te=fo==="win32",mo=1024,uo=(s,t)=>{if(!Te)return m.unlink(s,t);let e=s+".DELETE."+Mr(16).toString("hex");m.rename(s,e,i=>{if(i)return t(i);m.unlink(e,t)})},po=s=>{if(!Te)return m.unlinkSync(s);let t=s+".DELETE."+Mr(16).toString("hex");m.renameSync(s,t),m.unlinkSync(t)},vr=(s,t,e)=>s!==void 0&&s===s>>>0?s:t!==void 0&&t===t>>>0?t:e,Xt=class extends rt{[gs]=!1;[Oe]=!1;[Ri]=0;reservations=new yi;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(t={}){if(t.ondone=()=>{this[gs]=!0,this[bs]()},super(t),this.transform=t.transform,this.chmod=!!t.chmod,typeof t.uid=="number"||typeof t.gid=="number"){if(typeof t.uid!="number"||typeof t.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(t.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=t.uid,this.gid=t.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=t.preserveOwner===void 0&&typeof t.uid!="number"?process.getuid?.()===0:!!t.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof t.maxDepth=="number"?t.maxDepth:mo,this.forceChown=t.forceChown===!0,this.win32=!!t.win32||Te,this.newer=!!t.newer,this.keep=!!t.keep,this.noMtime=!!t.noMtime,this.preservePaths=!!t.preservePaths,this.unlink=!!t.unlink,this.cwd=f(R.resolve(t.cwd||process.cwd())),this.strip=Number(t.strip)||0,this.processUmask=this.chmod?typeof t.processUmask=="number"?t.processUmask:Lr():0,this.umask=typeof t.umask=="number"?t.umask:this.processUmask,this.dmode=t.dmode||511&~this.umask,this.fmode=t.fmode||438&~this.umask,this.on("entry",e=>this[Dr](e))}warn(t,e,i={}){return(t==="TAR_BAD_ARCHIVE"||t==="TAR_ABORT")&&(i.recoverable=!1),super.warn(t,e,i)}[bs](){this[gs]&&this[Ri]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[Rs](t,e){let i=t[e],{type:r}=t;if(!i||this.preservePaths)return!0;let[n,o]=ce(i),h=o.replaceAll(/\\/g,"/").split("/");if(h.includes("..")||Te&&/^[a-z]:\.\.$/i.test(h[0]??"")){if(e==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${e} contains '..'`,{entry:t,[e]:i}),!1;let a=R.posix.dirname(t.path),l=R.posix.normalize(R.posix.join(a,h.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${e} escapes extraction directory`,{entry:t,[e]:i}),!1}return n&&(t[e]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${e}`,{entry:t,[e]:i})),!0}[Fr](t){let e=f(t.path),i=e.split("/");if(this.strip){if(i.length=this.strip)t.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),t.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:t,path:e,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[Rs](t,"path")||!this[Rs](t,"linkpath"))return!1;if(t.absolute=R.isAbsolute(t.path)?f(R.resolve(t.path)):f(R.resolve(this.cwd,t.path)),!this.preservePaths&&typeof t.absolute=="string"&&t.absolute.indexOf(this.cwd+"/")!==0&&t.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:t,path:f(t.path),resolvedPath:t.absolute,cwd:this.cwd}),!1;if(t.absolute===this.cwd&&t.type!=="Directory"&&t.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=R.win32.parse(String(t.absolute));t.absolute=r+ts(String(t.absolute).slice(r.length));let{root:n}=R.win32.parse(t.path);t.path=n+ts(t.path.slice(n.length))}return!0}[Dr](t){if(!this[Fr](t))return t.resume();switch(co.equal(typeof t.absolute,"string"),t.type){case"Directory":case"GNUDumpDir":t.mode&&(t.mode=t.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[_s](t);default:return this[Cr](t)}}[O](t,e){t.name==="CwdError"?this.emit("error",t):(this.warn("TAR_ENTRY_ERROR",t,{entry:e}),this[$t](),e.resume())}[yt](t,e,i){gr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e},i)}[ge](t){return this.forceChown||this.preserveOwner&&(typeof t.uid=="number"&&t.uid!==this.processUid||typeof t.gid=="number"&&t.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[be](t){return vr(this.uid,t.uid,this.processUid)}[_e](t){return vr(this.gid,t.gid,this.processGid)}[Ts](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=new et(String(t.absolute),{flags:us(t.size),mode:i,autoClose:!1});r.on("error",a=>{r.fd&&m.close(r.fd,()=>{}),r.write=()=>!0,this[O](a,t),e()});let n=1,o=a=>{if(a){r.fd&&m.close(r.fd,()=>{}),this[O](a,t),e();return}--n===0&&r.fd!==void 0&&m.close(r.fd,l=>{l?this[O](l,t):this[$t](),e()})};r.on("finish",()=>{let a=String(t.absolute),l=r.fd;if(typeof l=="number"&&t.mtime&&!this.noMtime){n++;let c=t.atime||new Date,d=t.mtime;m.futimes(l,c,d,S=>S?m.utimes(a,c,d,T=>o(T&&S)):o())}if(typeof l=="number"&&this[ge](t)){n++;let c=this[be](t),d=this[_e](t);typeof c=="number"&&typeof d=="number"&&m.fchown(l,c,d,S=>S?m.chown(a,c,d,T=>o(T&&S)):o())}o()});let h=this.transform&&this.transform(t)||t;h!==t&&(h.on("error",a=>{this[O](a,t),e()}),t.pipe(h)),h.pipe(r)}[xs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode;this[yt](String(t.absolute),i,r=>{if(r){this[O](r,t),e();return}let n=1,o=()=>{--n===0&&(e(),this[$t](),t.resume())};t.mtime&&!this.noMtime&&(n++,m.utimes(String(t.absolute),t.atime||new Date,t.mtime,o)),this[ge](t)&&(n++,m.chown(String(t.absolute),Number(this[be](t)),Number(this[_e](t)),o)),o()})}[Cr](t){t.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${t.type}`,{entry:t}),t.resume()}[Ar](t,e){let i=f(R.relative(this.cwd,R.resolve(R.dirname(String(t.absolute)),String(t.linkpath)))).split("/");this[Re](t,this.cwd,i,()=>this[gi](t,String(t.linkpath),"symlink",e),r=>{this[O](r,t),e()})}[Ir](t,e){let i=f(R.resolve(this.cwd,String(t.linkpath))),r=f(String(t.linkpath)).split("/");this[Re](t,this.cwd,r,()=>this[gi](t,i,"link",e),n=>{this[O](n,t),e()})}[Re](t,e,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let h=R.resolve(e,o);m.lstat(h,(a,l)=>{if(a)return r();if(l?.isSymbolicLink())return n(new St(h,R.resolve(h,i.join("/"))));this[Re](t,h,i,r,n)})}[kr](){this[Ri]++}[$t](){this[Ri]--,this[bs]()}[Ls](t){this[$t](),t.resume()}[Os](t,e){return t.type==="File"&&!this.unlink&&e.isFile()&&e.nlink<=1&&!Te}[_s](t){this[kr]();let e=[t.path];t.linkpath&&e.push(t.linkpath),this.reservations.reserve(e,i=>this[Nr](t,i))}[Nr](t,e){let i=h=>{e(h)},r=()=>{this[yt](this.cwd,this.dmode,h=>{if(h){this[O](h,t),i();return}this[Oe]=!0,n()})},n=()=>{if(t.absolute!==this.cwd){let h=f(R.dirname(String(t.absolute)));if(h!==this.cwd)return this[yt](h,this.dmode,a=>{if(a){this[O](a,t),i();return}o()})}o()},o=()=>{m.lstat(String(t.absolute),(h,a)=>{if(a&&(this.keep||this.newer&&a.mtime>(t.mtime??a.mtime))){this[Ls](t),i();return}if(h||this[Os](t,a))return this[P](null,t,i);if(a.isDirectory()){if(t.type==="Directory"){let l=this.chmod&&t.mode&&(a.mode&4095)!==t.mode,c=d=>this[P](d??null,t,i);return l?m.chmod(String(t.absolute),Number(t.mode),c):c()}if(t.absolute!==this.cwd)return m.rmdir(String(t.absolute),l=>this[P](l??null,t,i))}if(t.absolute===this.cwd)return this[P](null,t,i);uo(String(t.absolute),l=>this[P](l??null,t,i))})};this[Oe]?n():r()}[P](t,e,i){if(t){this[O](t,e),i();return}switch(e.type){case"File":case"OldFile":case"ContiguousFile":return this[Ts](e,i);case"Link":return this[Ir](e,i);case"SymbolicLink":return this[Ar](e,i);case"Directory":case"GNUDumpDir":return this[xs](e,i)}}[gi](t,e,i,r){m[i](e,String(t.absolute),n=>{n?this[O](n,t):(this[$t](),t.resume()),r()})}},ye=s=>{try{return[null,s()]}catch(t){return[t,null]}},xe=class extends Xt{sync=!0;[P](t,e){return super[P](t,e,()=>{})}[_s](t){if(!this[Oe]){let n=this[yt](this.cwd,this.dmode);if(n)return this[O](n,t);this[Oe]=!0}if(t.absolute!==this.cwd){let n=f(R.dirname(String(t.absolute)));if(n!==this.cwd){let o=this[yt](n,this.dmode);if(o)return this[O](o,t)}}let[e,i]=ye(()=>m.lstatSync(String(t.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(t.mtime??i.mtime)))return this[Ls](t);if(e||this[Os](t,i))return this[P](null,t);if(i.isDirectory()){if(t.type==="Directory"){let o=this.chmod&&t.mode&&(i.mode&4095)!==t.mode,[h]=o?ye(()=>{m.chmodSync(String(t.absolute),Number(t.mode))}):[];return this[P](h,t)}let[n]=ye(()=>m.rmdirSync(String(t.absolute)));this[P](n,t)}let[r]=t.absolute===this.cwd?[]:ye(()=>po(String(t.absolute)));this[P](r,t)}[Ts](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=h=>{let a;try{m.closeSync(n)}catch(l){a=l}(h||a)&&this[O](h||a,t),e()},n;try{n=m.openSync(String(t.absolute),us(t.size),i)}catch(h){return r(h)}let o=this.transform&&this.transform(t)||t;o!==t&&(o.on("error",h=>this[O](h,t)),t.pipe(o)),o.on("data",h=>{try{m.writeSync(n,h,0,h.length)}catch(a){r(a)}}),o.on("end",()=>{let h=null;if(t.mtime&&!this.noMtime){let a=t.atime||new Date,l=t.mtime;try{m.futimesSync(n,a,l)}catch(c){try{m.utimesSync(String(t.absolute),a,l)}catch{h=c}}}if(this[ge](t)){let a=this[be](t),l=this[_e](t);try{m.fchownSync(n,Number(a),Number(l))}catch(c){try{m.chownSync(String(t.absolute),Number(a),Number(l))}catch{h=h||c}}}r(h)})}[xs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode,r=this[yt](String(t.absolute),i);if(r){this[O](r,t),e();return}if(t.mtime&&!this.noMtime)try{m.utimesSync(String(t.absolute),t.atime||new Date,t.mtime)}catch{}if(this[ge](t))try{m.chownSync(String(t.absolute),Number(this[be](t)),Number(this[_e](t)))}catch{}e(),t.resume()}[yt](t,e){try{return _r(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e})}catch(i){return i}}[Re](t,e,i,r,n){if(this.preservePaths||i.length===0)return r();let o=e;for(let h of i){o=R.resolve(o,h);let[a,l]=ye(()=>m.lstatSync(o));if(a)return r();if(l.isSymbolicLink())return n(new St(o,R.resolve(e,i.join("/"))))}r()}[gi](t,e,i,r){let n=`${i}Sync`;try{m[n](e,String(t.absolute)),r(),t.resume()}catch(o){return this[O](o,t)}}};var Eo=s=>{let t=new xe(s),e=s.file,i=Br.statSync(e),r=s.maxReadSize||16*1024*1024;new Be(e,{readSize:r,size:i.size}).pipe(t)},wo=(s,t)=>{let e=new Xt(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("close",o),Br.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},So=K(Eo,wo,s=>new xe(s),s=>new Xt(s),(s,t)=>{t?.length&&Qi(s,t)});import v from"node:fs";import Pr from"node:path";var yo=(s,t)=>{let e=new kt(s),i=!0,r,n;try{try{r=v.openSync(s.file,"r+")}catch(a){if(a?.code==="ENOENT")r=v.openSync(s.file,"w+");else throw a}let o=v.fstatSync(r),h=Buffer.alloc(512);t:for(n=0;no.size)break;n+=l,s.mtimeCache&&a.mtime&&s.mtimeCache.set(String(a.path),a.mtime)}i=!1,Ro(s,e,n,r,t)}finally{if(i)try{v.closeSync(r)}catch{}}},Ro=(s,t,e,i,r)=>{let n=new Wt(s.file,{fd:i,start:e});t.pipe(n),bo(t,r)},go=(s,t)=>{t=Array.from(t);let e=new wt(s),i=(n,o,h)=>{let a=(T,D)=>{T?v.close(n,E=>h(T)):h(null,D)},l=0;if(o===0)return a(null,0);let c=0,d=Buffer.alloc(512),S=(T,D)=>{if(T||D===void 0)return a(T);if(c+=D,c<512&&D)return v.read(n,d,c,d.length-c,l+c,S);if(l===0&&d[0]===31&&d[1]===139)return a(new Error("cannot append to compressed archives"));if(c<512)return a(null,l);let E=new F(d);if(!E.cksumValid)return a(null,l);let x=512*Math.ceil((E.size??0)/512);if(l+x+512>o||(l+=x+512,l>=o))return a(null,l);s.mtimeCache&&E.mtime&&s.mtimeCache.set(String(E.path),E.mtime),c=0,v.read(n,d,0,512,l,S)};v.read(n,d,0,512,l,S)};return new Promise((n,o)=>{e.on("error",o);let h="r+",a=(l,c)=>{if(l&&l.code==="ENOENT"&&h==="r+")return h="w+",v.open(s.file,h,a);if(l||!c)return o(l);v.fstat(c,(d,S)=>{if(d)return v.close(c,()=>o(d));i(c,S.size,(T,D)=>{if(T)return o(T);let E=new et(s.file,{fd:c,start:D});e.pipe(E),E.on("error",o),E.on("close",n),_o(e,t)})})};v.open(s.file,h,a)})},bo=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ct({file:Pr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},_o=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ct({file:Pr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e);s.end()},vt=K(yo,go,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,t)=>{if(!Bs(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!t?.length)throw new TypeError("no paths specified to add/replace")});var Oo=K(vt.syncFile,vt.asyncFile,vt.syncNoFile,vt.asyncNoFile,(s,t=[])=>{vt.validate?.(s,t),To(s)}),To=s=>{let t=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=t?(e,i)=>t(e,i)&&!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0)):(e,i)=>!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0))};export{F as Header,wt as Pack,pi as PackJob,kt as PackSync,rt as Parser,ft as Pax,$e as ReadEntry,Xt as Unpack,xe as UnpackSync,de as WriteEntry,ni as WriteEntrySync,oi as WriteEntryTar,Qn as c,Qn as create,So as extract,Qi as filesFilter,Ct as list,vt as r,vt as replace,Ct as t,Hi as types,Oo as u,Oo as update,So as x};
//# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/tar/dist/esm/normalize-windows-path.js b/deps/npm/node_modules/tar/dist/esm/normalize-windows-path.js
index bde0c962344a30..cc75178aa9cee4 100644
--- a/deps/npm/node_modules/tar/dist/esm/normalize-windows-path.js
+++ b/deps/npm/node_modules/tar/dist/esm/normalize-windows-path.js
@@ -4,6 +4,6 @@
// so that we can use / as our one and only directory separator char.
const platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
export const normalizeWindowsPath = platform !== 'win32' ?
- (p) => p
- : (p) => p && p.replaceAll(/\\/g, '/');
+ (p) => String(p)
+ : (p) => String(p).replaceAll(/\\/g, '/');
//# sourceMappingURL=normalize-windows-path.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/tar/dist/esm/parse.js b/deps/npm/node_modules/tar/dist/esm/parse.js
index 02454bfd2c4052..fb303a5171bea0 100644
--- a/deps/npm/node_modules/tar/dist/esm/parse.js
+++ b/deps/npm/node_modules/tar/dist/esm/parse.js
@@ -57,6 +57,10 @@ const SAW_VALID_ENTRY = Symbol('sawValidEntry');
const SAW_NULL_BLOCK = Symbol('sawNullBlock');
const SAW_EOF = Symbol('sawEOF');
const CLOSESTREAM = Symbol('closeStream');
+const MAX_DECOMPRESSION_RATIO = 1000;
+const COMPRESSEDBYTESREAD = Symbol('compressedBytesRead');
+const DECOMPRESSEDBYTESREAD = Symbol('decompressedBytesRead');
+const CHECKDECOMPRESSIONRATIO = Symbol('checkDecompressionRatio');
const noop = () => true;
export class Parser extends EE {
file;
@@ -65,6 +69,7 @@ export class Parser extends EE {
filter;
brotli;
zstd;
+ maxDecompressionRatio;
writable = true;
readable = false;
[QUEUE] = [];
@@ -84,6 +89,8 @@ export class Parser extends EE {
[WRITING] = false;
[CONSUMING] = false;
[EMITTEDEND] = false;
+ [COMPRESSEDBYTESREAD] = 0;
+ [DECOMPRESSEDBYTESREAD] = 0;
constructor(opt = {}) {
super();
this.file = opt.file || '';
@@ -106,6 +113,10 @@ export class Parser extends EE {
});
}
this.strict = !!opt.strict;
+ this.maxDecompressionRatio =
+ typeof opt.maxDecompressionRatio === 'number' ?
+ opt.maxDecompressionRatio
+ : MAX_DECOMPRESSION_RATIO;
this.maxMetaEntrySize = opt.maxMetaEntrySize || maxMetaEntrySize;
this.filter = typeof opt.filter === 'function' ? opt.filter : noop;
// Unlike gzip, brotli doesn't have any magic bytes to identify it
@@ -359,11 +370,23 @@ export class Parser extends EE {
}
}
abort(error) {
+ if (this[ABORTED]) {
+ return;
+ }
this[ABORTED] = true;
this.emit('abort', error);
// always throws, even in non-strict mode
this.warn('TAR_ABORT', error, { recoverable: false });
}
+ [CHECKDECOMPRESSIONRATIO](chunk) {
+ this[DECOMPRESSEDBYTESREAD] += chunk.length;
+ const ratio = this[DECOMPRESSEDBYTESREAD] / this[COMPRESSEDBYTESREAD];
+ if (ratio > this.maxDecompressionRatio) {
+ this.abort(new Error(`max decompression ratio exceeded: ${ratio.toFixed(2)} > ${this.maxDecompressionRatio}`));
+ return false;
+ }
+ return true;
+ }
write(chunk, encoding, cb) {
if (typeof encoding === 'function') {
cb = encoding;
@@ -447,13 +470,22 @@ export class Parser extends EE {
this[UNZIP] === undefined ? new Unzip({})
: isZstd ? new ZstdDecompress({})
: new BrotliDecompress({});
- this[UNZIP].on('data', chunk => this[CONSUMECHUNK](chunk));
- this[UNZIP].on('error', er => this.abort(er));
+ this[UNZIP].on('data', chunk => {
+ if (this[CHECKDECOMPRESSIONRATIO](chunk)) {
+ this[CONSUMECHUNK](chunk);
+ }
+ });
+ this[UNZIP].on('error', er => {
+ if (!this[ABORTED]) {
+ this.abort(er);
+ }
+ });
this[UNZIP].on('end', () => {
this[ENDED] = true;
this[CONSUMECHUNK]();
});
this[WRITING] = true;
+ this[COMPRESSEDBYTESREAD] += chunk.length;
const ret = !!this[UNZIP][ended ? 'end' : 'write'](chunk);
this[WRITING] = false;
cb?.();
@@ -462,6 +494,7 @@ export class Parser extends EE {
}
this[WRITING] = true;
if (this[UNZIP]) {
+ this[COMPRESSEDBYTESREAD] += chunk.length;
this[UNZIP].write(chunk);
}
else {
@@ -492,7 +525,7 @@ export class Parser extends EE {
!this[CONSUMING]) {
this[EMITTEDEND] = true;
const entry = this[WRITEENTRY];
- if (entry && entry.blockRemain) {
+ if (entry?.blockRemain) {
// truncated, likely a damaged file
const have = this[BUFFER] ? this[BUFFER].length : 0;
this.warn('TAR_BAD_ARCHIVE', `Truncated input (needed ${entry.blockRemain} more bytes, only ${have} available)`, { entry });
@@ -586,8 +619,10 @@ export class Parser extends EE {
if (!this[ABORTED]) {
if (this[UNZIP]) {
/* c8 ignore start */
- if (chunk)
+ if (chunk) {
+ this[COMPRESSEDBYTESREAD] += chunk.length;
this[UNZIP].write(chunk);
+ }
/* c8 ignore stop */
this[UNZIP].end();
}
diff --git a/deps/npm/node_modules/tar/dist/esm/pax.js b/deps/npm/node_modules/tar/dist/esm/pax.js
index 832808f344da53..907193a4b93257 100644
--- a/deps/npm/node_modules/tar/dist/esm/pax.js
+++ b/deps/npm/node_modules/tar/dist/esm/pax.js
@@ -143,12 +143,36 @@ const parseKVLine = (set, line) => {
return set;
}
const k = r.replace(/^SCHILY\.(dev|ino|nlink)/, '$1');
- const v = kv.join('=');
- set[k] =
- /^([A-Z]+\.)?([mac]|birth|creation)time$/.test(k) ?
- new Date(Number(v) * 1000)
- : /^[0-9]+$/.test(v) ? +v
- : v;
+ const v = kv.join('=').replace(/\0.*/, '');
+ switch (k) {
+ case 'path':
+ case 'linkpath':
+ case 'type':
+ case 'charset':
+ case 'comment':
+ case 'gname':
+ case 'uname':
+ set[k] = v;
+ break;
+ case 'ctime':
+ case 'atime':
+ case 'mtime':
+ set[k] = new Date(Number(v) * 1000);
+ break;
+ case 'size':
+ const s = +v;
+ if (s >= 0)
+ set[k] = s;
+ break;
+ case 'gid':
+ case 'uid':
+ case 'dev':
+ case 'ino':
+ case 'nlink':
+ case 'mode':
+ set[k] = +v;
+ break;
+ }
return set;
};
//# sourceMappingURL=pax.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/tar/dist/esm/unpack.js b/deps/npm/node_modules/tar/dist/esm/unpack.js
index 46c53db2ad57c6..3bbdad99bcd8a0 100644
--- a/deps/npm/node_modules/tar/dist/esm/unpack.js
+++ b/deps/npm/node_modules/tar/dist/esm/unpack.js
@@ -146,7 +146,7 @@ export class Unpack extends Parser {
// default true for root
this.preserveOwner =
opt.preserveOwner === undefined && typeof opt.uid !== 'number' ?
- !!(process.getuid && process.getuid() === 0)
+ !!(process.getuid?.() === 0)
: !!opt.preserveOwner;
this.processUid =
(this.preserveOwner || this.setOwner) && process.getuid ?
@@ -367,7 +367,7 @@ export class Unpack extends Parser {
}
}
[MKDIR](dir, mode, cb) {
- mkdir(normalizeWindowsPath(dir), {
+ void mkdir(normalizeWindowsPath(dir), {
uid: this.uid,
gid: this.gid,
processUid: this.processUid,
diff --git a/deps/npm/node_modules/tar/package.json b/deps/npm/node_modules/tar/package.json
index 556b3e7d9f2fb0..9d082e44049477 100644
--- a/deps/npm/node_modules/tar/package.json
+++ b/deps/npm/node_modules/tar/package.json
@@ -2,7 +2,7 @@
"author": "Isaac Z. Schlueter",
"name": "tar",
"description": "tar for node",
- "version": "7.5.16",
+ "version": "7.5.19",
"repository": {
"type": "git",
"url": "https://github.com/isaacs/node-tar.git"
diff --git a/deps/npm/node_modules/undici/docs/docs/api/Client.md b/deps/npm/node_modules/undici/docs/docs/api/Client.md
index fdee5ea702671b..e0d41b47805ec2 100644
--- a/deps/npm/node_modules/undici/docs/docs/api/Client.md
+++ b/deps/npm/node_modules/undici/docs/docs/api/Client.md
@@ -27,6 +27,7 @@ Returns: `Client`
* **maxHeaderSize** `number | null` (optional) - Default: `--max-http-header-size` or `16384` - The maximum length of request headers in bytes. Defaults to Node.js' --max-http-header-size or 16KiB.
* **maxResponseSize** `number | null` (optional) - Default: `-1` - The maximum length of response body in bytes. Set to `-1` to disable.
* **webSocket** `WebSocketOptions` (optional) - WebSocket-specific configuration options.
+ * **maxFragments** `number` (optional) - Default: `131072` - Maximum number of fragments in a message. Set to 0 to disable the limit.
* **maxPayloadSize** `number` (optional) - Default: `134217728` (128 MB) - Maximum allowed payload size in bytes for WebSocket messages. Applied to uncompressed messages, compressed frame payloads, and decompressed (permessage-deflate) messages. Set to 0 to disable the limit.
* **pipelining** `number | null` (optional) - Default: `1` - The amount of concurrent requests to be sent over the single TCP/TLS connection according to [RFC7230](https://tools.ietf.org/html/rfc7230#section-6.3.2). Carefully consider your workload and environment before enabling concurrent requests as pipelining may reduce performance if used incorrectly. Pipelining is sensitive to network stack settings as well as head of line blocking caused by e.g. long running requests. Set to `0` to disable keep-alive connections.
* **connect** `ConnectOptions | Function | null` (optional) - Default: `null`.
diff --git a/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js b/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
index ef3d38ea4f2ed3..9455517a19b15f 100644
--- a/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
+++ b/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
@@ -57,6 +57,9 @@ const EMPTY_BUF = Buffer.alloc(0)
const FastBuffer = Buffer[Symbol.species]
const addListener = util.addListener
const removeAllListeners = util.removeAllListeners
+const kIdleSocketValidation = Symbol('kIdleSocketValidation')
+const kIdleSocketValidationTimeout = Symbol('kIdleSocketValidationTimeout')
+const kSocketUsed = Symbol('kSocketUsed')
let extractBody
@@ -371,6 +374,11 @@ class Parser {
return -1
}
+ if (client[kRunning] === 0) {
+ util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+ return -1
+ }
+
const request = client[kQueue][client[kRunningIdx]]
if (!request) {
return -1
@@ -474,6 +482,11 @@ class Parser {
return -1
}
+ if (client[kRunning] === 0) {
+ util.destroy(socket, new SocketError('bad response', util.getSocketInfo(socket)))
+ return -1
+ }
+
const request = client[kQueue][client[kRunningIdx]]
/* istanbul ignore next: difficult to make a test case for */
@@ -647,6 +660,7 @@ class Parser {
request.onComplete(headers)
client[kQueue][client[kRunningIdx]++] = null
+ socket[kSocketUsed] = true
if (socket[kWriting]) {
assert(client[kRunning] === 0)
@@ -705,6 +719,9 @@ async function connectH1 (client, socket) {
socket[kWriting] = false
socket[kReset] = false
socket[kBlocking] = false
+ socket[kIdleSocketValidation] = 0
+ socket[kIdleSocketValidationTimeout] = null
+ socket[kSocketUsed] = false
socket[kParser] = new Parser(client, socket, llhttpInstance)
addListener(socket, 'error', function (err) {
@@ -751,6 +768,8 @@ async function connectH1 (client, socket) {
const client = this[kClient]
const parser = this[kParser]
+ clearIdleSocketValidation(this)
+
if (parser) {
if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) {
this[kError] = parser.finish() || this[kError]
@@ -816,7 +835,7 @@ async function connectH1 (client, socket) {
return socket.destroyed
},
busy (request) {
- if (socket[kWriting] || socket[kReset] || socket[kBlocking]) {
+ if (socket[kWriting] || socket[kReset] || socket[kBlocking] || socket[kIdleSocketValidation] === 1) {
return true
}
@@ -854,6 +873,31 @@ async function connectH1 (client, socket) {
}
}
+function clearIdleSocketValidation (socket) {
+ if (socket[kIdleSocketValidationTimeout]) {
+ clearTimeout(socket[kIdleSocketValidationTimeout])
+ socket[kIdleSocketValidationTimeout] = null
+ }
+
+ socket[kIdleSocketValidation] = 0
+}
+
+function scheduleIdleSocketValidation (client, socket) {
+ socket[kIdleSocketValidation] = 1
+ socket[kIdleSocketValidationTimeout] = setTimeout(() => {
+ socket[kIdleSocketValidationTimeout] = null
+ socket[kIdleSocketValidation] = 2
+
+ if (client[kSocket] === socket && !socket.destroyed) {
+ client[kResume]()
+ }
+ }, 0)
+ socket[kIdleSocketValidationTimeout].unref?.()
+}
+
+/**
+ * @param {import('./client.js')} client
+ */
function resumeH1 (client) {
const socket = client[kSocket]
@@ -868,6 +912,32 @@ function resumeH1 (client) {
socket[kNoRef] = false
}
+ if (client[kRunning] === 0 && client[kPending] > 0 && socket[kSocketUsed]) {
+ if (socket[kIdleSocketValidation] === 0) {
+ scheduleIdleSocketValidation(client, socket)
+ socket[kParser].readMore()
+ if (socket.destroyed) {
+ return
+ }
+ return
+ }
+
+ if (socket[kIdleSocketValidation] === 1) {
+ socket[kParser].readMore()
+ if (socket.destroyed) {
+ return
+ }
+ return
+ }
+ }
+
+ if (client[kRunning] === 0) {
+ socket[kParser].readMore()
+ if (socket.destroyed) {
+ return
+ }
+ }
+
if (client[kSize] === 0) {
if (socket[kParser].timeoutType !== TIMEOUT_KEEP_ALIVE) {
socket[kParser].setTimeout(client[kKeepAliveTimeoutValue], TIMEOUT_KEEP_ALIVE)
@@ -961,6 +1031,7 @@ function writeH1 (client, request) {
}
const socket = client[kSocket]
+ clearIdleSocketValidation(socket)
const abort = (err) => {
if (request.aborted || request.completed) {
diff --git a/deps/npm/node_modules/undici/lib/dispatcher/dispatcher-base.js b/deps/npm/node_modules/undici/lib/dispatcher/dispatcher-base.js
index c999b2c2fb6740..371a3ea1f6f1e0 100644
--- a/deps/npm/node_modules/undici/lib/dispatcher/dispatcher-base.js
+++ b/deps/npm/node_modules/undici/lib/dispatcher/dispatcher-base.js
@@ -26,6 +26,7 @@ class DispatcherBase extends Dispatcher {
get webSocketOptions () {
return {
+ maxFragments: this[kWebSocketOptions].maxFragments ?? 131072,
maxPayloadSize: this[kWebSocketOptions].maxPayloadSize ?? 128 * 1024 * 1024
}
}
diff --git a/deps/npm/node_modules/undici/lib/web/cookies/parse.js b/deps/npm/node_modules/undici/lib/web/cookies/parse.js
index 3c48c26b93ffa0..b3c25fb9423e29 100644
--- a/deps/npm/node_modules/undici/lib/web/cookies/parse.js
+++ b/deps/npm/node_modules/undici/lib/web/cookies/parse.js
@@ -275,32 +275,25 @@ function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {})
// If the attribute-name case-insensitively matches the string
// "SameSite", the user agent MUST process the cookie-av as follows:
- // 1. Let enforcement be "Default".
- let enforcement = 'Default'
-
const attributeValueLowercase = attributeValue.toLowerCase()
- // 2. If cookie-av's attribute-value is a case-insensitive match for
- // "None", set enforcement to "None".
- if (attributeValueLowercase.includes('none')) {
- enforcement = 'None'
- }
- // 3. If cookie-av's attribute-value is a case-insensitive match for
- // "Strict", set enforcement to "Strict".
- if (attributeValueLowercase.includes('strict')) {
- enforcement = 'Strict'
+ // 1. If cookie-av's attribute-value is a case-insensitive match for
+ // "None", append an attribute to the cookie-attribute-list with an
+ // attribute-name of "SameSite" and an attribute-value of "None".
+ if (attributeValueLowercase === 'none') {
+ cookieAttributeList.sameSite = 'None'
+ } else if (attributeValueLowercase === 'strict') {
+ // 2. If cookie-av's attribute-value is a case-insensitive match for
+ // "Strict", append an attribute to the cookie-attribute-list with
+ // an attribute-name of "SameSite" and an attribute-value of
+ // "Strict".
+ cookieAttributeList.sameSite = 'Strict'
+ } else if (attributeValueLowercase === 'lax') {
+ // 3. If cookie-av's attribute-value is a case-insensitive match for
+ // "Lax", append an attribute to the cookie-attribute-list with an
+ // attribute-name of "SameSite" and an attribute-value of "Lax".
+ cookieAttributeList.sameSite = 'Lax'
}
-
- // 4. If cookie-av's attribute-value is a case-insensitive match for
- // "Lax", set enforcement to "Lax".
- if (attributeValueLowercase.includes('lax')) {
- enforcement = 'Lax'
- }
-
- // 5. Append an attribute to the cookie-attribute-list with an
- // attribute-name of "SameSite" and an attribute-value of
- // enforcement.
- cookieAttributeList.sameSite = enforcement
} else {
cookieAttributeList.unparsed ??= []
diff --git a/deps/npm/node_modules/undici/lib/web/websocket/receiver.js b/deps/npm/node_modules/undici/lib/web/websocket/receiver.js
index 53e427eb2e4642..a7dea7fae1c1fc 100644
--- a/deps/npm/node_modules/undici/lib/web/websocket/receiver.js
+++ b/deps/npm/node_modules/undici/lib/web/websocket/receiver.js
@@ -20,6 +20,11 @@ const { closeWebSocketConnection } = require('./connection')
const { PerMessageDeflate } = require('./permessage-deflate')
const { MessageSizeExceededError } = require('../../core/errors')
+function failWebsocketConnectionWithCode (ws, code, reason) {
+ closeWebSocketConnection(ws, code, reason, Buffer.byteLength(reason))
+ failWebsocketConnection(ws, reason)
+}
+
// This code was influenced by ws released under the MIT license.
// Copyright (c) 2011 Einar Otto Stangvik
// Copyright (c) 2013 Arnout Kazemier and contributors
@@ -39,19 +44,23 @@ class ByteParser extends Writable {
/** @type {Map} */
#extensions
+ /** @type {number} */
+ #maxFragments
+
/** @type {number} */
#maxPayloadSize
/**
* @param {import('./websocket').WebSocket} ws
* @param {Map|null} extensions
- * @param {{ maxPayloadSize?: number }} [options]
+ * @param {{ maxFragments?: number, maxPayloadSize?: number }} [options]
*/
constructor (ws, extensions, options = {}) {
super()
this.ws = ws
this.#extensions = extensions == null ? new Map() : extensions
+ this.#maxFragments = options.maxFragments ?? 0
this.#maxPayloadSize = options.maxPayloadSize ?? 0
if (this.#extensions.has('permessage-deflate')) {
@@ -75,9 +84,9 @@ class ByteParser extends Writable {
if (
this.#maxPayloadSize > 0 &&
!isControlFrame(this.#info.opcode) &&
- this.#info.payloadLength > this.#maxPayloadSize
+ this.#info.payloadLength + this.#fragmentsBytes > this.#maxPayloadSize
) {
- failWebsocketConnection(this.ws, 'Payload size exceeds maximum allowed size')
+ failWebsocketConnectionWithCode(this.ws, 1009, 'Payload size exceeds maximum allowed size')
return false
}
@@ -242,10 +251,12 @@ class ByteParser extends Writable {
this.#state = parserStates.INFO
} else {
if (!this.#info.compressed) {
- this.writeFragments(body)
+ if (!this.writeFragments(body)) {
+ return
+ }
if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) {
- failWebsocketConnection(this.ws, new MessageSizeExceededError().message)
+ failWebsocketConnectionWithCode(this.ws, 1009, new MessageSizeExceededError().message)
return
}
@@ -264,14 +275,17 @@ class ByteParser extends Writable {
this.#info.fin,
(error, data) => {
if (error) {
- failWebsocketConnection(this.ws, error.message)
+ const code = error instanceof MessageSizeExceededError ? 1009 : 1007
+ failWebsocketConnectionWithCode(this.ws, code, error.message)
return
}
- this.writeFragments(data)
+ if (!this.writeFragments(data)) {
+ return
+ }
if (this.#maxPayloadSize > 0 && this.#fragmentsBytes > this.#maxPayloadSize) {
- failWebsocketConnection(this.ws, new MessageSizeExceededError().message)
+ failWebsocketConnectionWithCode(this.ws, 1009, new MessageSizeExceededError().message)
return
}
@@ -341,8 +355,17 @@ class ByteParser extends Writable {
}
writeFragments (fragment) {
+ if (
+ this.#maxFragments > 0 &&
+ this.#fragments.length === this.#maxFragments
+ ) {
+ failWebsocketConnectionWithCode(this.ws, 1008, 'Too many message fragments')
+ return false
+ }
+
this.#fragmentsBytes += fragment.length
this.#fragments.push(fragment)
+ return true
}
consumeFragments () {
diff --git a/deps/npm/node_modules/undici/lib/web/websocket/websocket.js b/deps/npm/node_modules/undici/lib/web/websocket/websocket.js
index ccedb792169a10..80991e96a2e94f 100644
--- a/deps/npm/node_modules/undici/lib/web/websocket/websocket.js
+++ b/deps/npm/node_modules/undici/lib/web/websocket/websocket.js
@@ -435,9 +435,12 @@ class WebSocket extends EventTarget {
// once this happens, the connection is open
this[kResponse] = response
- const maxPayloadSize = this[kController]?.dispatcher?.webSocketOptions?.maxPayloadSize
+ const webSocketOptions = this[kController]?.dispatcher?.webSocketOptions
+ const maxFragments = webSocketOptions?.maxFragments
+ const maxPayloadSize = webSocketOptions?.maxPayloadSize
const parser = new ByteParser(this, parsedExtensions, {
+ maxFragments,
maxPayloadSize
})
parser.on('drain', onParserDrain)
diff --git a/deps/npm/node_modules/undici/package.json b/deps/npm/node_modules/undici/package.json
index d1eef502c4169f..3c2001f391e3f8 100644
--- a/deps/npm/node_modules/undici/package.json
+++ b/deps/npm/node_modules/undici/package.json
@@ -1,6 +1,6 @@
{
"name": "undici",
- "version": "6.26.0",
+ "version": "6.27.0",
"description": "An HTTP/1.1 client, written from scratch for Node.js",
"homepage": "https://undici.nodejs.org",
"bugs": {
diff --git a/deps/npm/package.json b/deps/npm/package.json
index 3309782d55e6db..b2ee14b3db8b6f 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
{
- "version": "11.17.0",
+ "version": "11.18.0",
"name": "npm",
"description": "a package manager for JavaScript",
"workspaces": [
@@ -52,8 +52,8 @@
},
"dependencies": {
"@isaacs/string-locale-compare": "^1.1.0",
- "@npmcli/arborist": "^9.8.0",
- "@npmcli/config": "^10.11.0",
+ "@npmcli/arborist": "^9.9.0",
+ "@npmcli/config": "^10.12.0",
"@npmcli/fs": "^5.0.0",
"@npmcli/map-workspaces": "^5.0.3",
"@npmcli/metavuln-calculator": "^9.0.3",
@@ -77,11 +77,11 @@
"is-cidr": "^6.0.4",
"json-parse-even-better-errors": "^5.0.0",
"libnpmaccess": "^10.0.3",
- "libnpmdiff": "^8.1.10",
- "libnpmexec": "^10.3.0",
- "libnpmfund": "^7.0.24",
+ "libnpmdiff": "^8.1.11",
+ "libnpmexec": "^10.3.1",
+ "libnpmfund": "^7.0.25",
"libnpmorg": "^8.0.1",
- "libnpmpack": "^9.1.10",
+ "libnpmpack": "^9.1.11",
"libnpmpublish": "^11.2.0",
"libnpmsearch": "^9.0.1",
"libnpmteam": "^8.0.2",
@@ -97,7 +97,7 @@
"npm-install-checks": "^8.0.0",
"npm-package-arg": "^13.0.2",
"npm-pick-manifest": "^11.0.3",
- "npm-profile": "^12.0.1",
+ "npm-profile": "^12.0.2",
"npm-registry-fetch": "^19.1.1",
"npm-user-validate": "^4.0.0",
"p-map": "^7.0.4",
@@ -106,11 +106,11 @@
"proc-log": "^6.1.0",
"qrcode-terminal": "^0.12.0",
"read": "^5.0.1",
- "semver": "^7.8.4",
+ "semver": "^7.8.5",
"spdx-expression-parse": "^4.0.0",
"ssri": "^13.0.1",
"supports-color": "^10.2.2",
- "tar": "^7.5.16",
+ "tar": "^7.5.19",
"text-table": "~0.2.0",
"tiny-relative-date": "^2.0.2",
"treeverse": "^3.0.0",
diff --git a/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
index 143d08dda8ff4b..dbc6b9f13b0ac4 100644
--- a/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
@@ -181,6 +181,7 @@ Object {
"man/man1/npm-help.1",
"man/man1/npm-init.1",
"man/man1/npm-install-ci-test.1",
+ "man/man1/npm-install-scripts.1",
"man/man1/npm-install-test.1",
"man/man1/npm-install.1",
"man/man1/npm-link.1",
diff --git a/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs b/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
index c5fd6a2ecfe036..1e2799652c91fe 100644
--- a/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
@@ -125,6 +125,7 @@ Array [
"init",
"install",
"install-ci-test",
+ "install-scripts",
"install-test",
"link",
"ll",
@@ -404,6 +405,10 @@ sources, the standard precedence applies (cli > env > project > user >
global), so a higher-priority source can always relax or override a
lower-priority one.
+As with \`min-release-age\`, when this cutoff blocks a fix that \`npm audit
+fix\` would install, npm keeps the vulnerable version, warns, and exits with
+a non-zero code.
+
Packages whose names match \`min-release-age-exclude\` are exempt from this
filter.
@@ -1084,8 +1089,16 @@ Sets the strategy for installing packages in node_modules. hoisted
(default): Install non-duplicated in top-level, and duplicated as necessary
within directory structure. nested: (formerly --legacy-bundling) install in
place, no hoisting. shallow (formerly --global-style) only install direct
-deps at top-level. linked: (experimental) install in node_modules/.store,
-link in place, unhoisted.
+deps at top-level. linked: install in node_modules/.store, link in place,
+unhoisted.
+
+We recommend that package authors use \`--install-strategy=linked\` during
+development to catch undeclared ("phantom") dependencies before publishing:
+the isolated layout only exposes a package's declared dependencies, so an
+\`import\` of a package that was never added to \`package.json\` can fail
+instead of resolving by accident and shipping broken. See [Catching
+undeclared ("phantom")
+dependencies](/using-npm/developers#catching-undeclared-phantom-dependencies).
@@ -1279,6 +1292,12 @@ your \`.npmrc\` is preserved when npm internally spawns a sub-process with
apply, \`before\` wins within a single source and across sources the standard
precedence rules apply.
+When this window stops \`npm audit fix\` from installing a patched version
+(because the fix was published too recently), npm keeps the package at its
+vulnerable version, warns that the fix was blocked, and exits with a
+non-zero code. To install the fix, add the package to
+\`min-release-age-exclude\`, or relax \`min-release-age\` or \`before\`.
+
Packages whose names match \`min-release-age-exclude\` are exempt from this
filter.
@@ -1675,7 +1694,14 @@ registry (https://registry.npmjs.org) to the configured registry. If set to
"never", then use the registry value. If set to "always", then replace the
registry host with the configured host every time.
-You may also specify a bare hostname (e.g., "registry.npmjs.org").
+You may also specify a bare hostname (e.g., "registry.npmjs.org") to only
+replace URLs coming from that host.
+
+You may also specify a full URL including a path (e.g.,
+"https://old-registry.example.com/npm/path"). In that case, resolved URLs
+whose host and path begin with that prefix will have the entire prefix
+replaced with the configured registry URL (host and path), without
+duplicating path segments.
@@ -1932,6 +1958,10 @@ silently skipped; this setting only affects unreviewed entries.
\`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both override this
setting.
+Optional dependencies that cannot be installed on the current platform or
+engine (a non-matching \`os\`, \`cpu\`, or \`libc\`) are not flagged, because
+their install scripts never run.
+
#### \`strict-peer-deps\`
@@ -4573,6 +4603,52 @@ aliases: cit, clean-install-test, sit
#### \`install-links\`
`
+exports[`test/lib/docs.js TAP usage install-scripts > must match snapshot 1`] = `
+Manage install-script approvals for dependencies
+
+Usage:
+npm install-scripts approve [ ...]
+npm install-scripts approve --all
+npm install-scripts deny [ ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+
+Options:
+[-a|--all] [--no-allow-scripts-pin] [--dry-run] [--json]
+
+ -a|--all
+ Show or act on all packages, not just the ones your project directly
+
+ --allow-scripts-pin
+ Write pinned (\`pkg@version\`) entries when approving install scripts.
+
+ --dry-run
+ Indicates that you don't want npm to make any changes and that it should
+
+ --json
+ Whether or not to output JSON data, rather than the normal output.
+
+
+Run "npm help install-scripts" for more info
+
+\`\`\`bash
+npm install-scripts approve [ ...]
+npm install-scripts approve --all
+npm install-scripts deny [ ...]
+npm install-scripts deny --all
+npm install-scripts ls
+npm install-scripts prune
+\`\`\`
+
+Note: This command is unaware of workspaces.
+
+#### \`all\`
+#### \`allow-scripts-pin\`
+#### \`dry-run\`
+#### \`json\`
+`
+
exports[`test/lib/docs.js TAP usage install-test > must match snapshot 1`] = `
Install package(s) and run tests
diff --git a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
index dc1c95cd3c5763..a3837dc72ab761 100644
--- a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
@@ -35,12 +35,13 @@ All commands:
completion, config, dedupe, deny-scripts, deprecate, diff,
dist-tag, docs, doctor, edit, exec, explain, explore,
find-dupes, fund, get, help, help-search, init, install,
- install-ci-test, install-test, link, ll, login, logout, ls,
- org, outdated, owner, pack, ping, pkg, prefix, profile,
- prune, publish, query, rebuild, repo, restart, root, run,
- sbom, search, set, shrinkwrap, stage, star, stars, start,
- stop, team, test, token, trust, undeprecate, uninstall,
- unpublish, unstar, update, version, view, whoami
+ install-ci-test, install-scripts, install-test, link, ll,
+ login, logout, ls, org, outdated, owner, pack, ping, pkg,
+ prefix, profile, prune, publish, query, rebuild, repo,
+ restart, root, run, sbom, search, set, shrinkwrap, stage,
+ star, stars, start, stop, team, test, token, trust,
+ undeprecate, uninstall, unpublish, unstar, update, version,
+ view, whoami
Specify configs in the ini-formatted file:
{USERCONFIG}
@@ -81,6 +82,7 @@ All commands:
help-search, init,
install,
install-ci-test,
+ install-scripts,
install-test, link, ll,
login, logout, ls, org,
outdated, owner, pack,
@@ -136,6 +138,7 @@ All commands:
help-search, init,
install,
install-ci-test,
+ install-scripts,
install-test, link, ll,
login, logout, ls, org,
outdated, owner, pack,
@@ -182,12 +185,13 @@ All commands:
completion, config, dedupe, deny-scripts, deprecate, diff,
dist-tag, docs, doctor, edit, exec, explain, explore,
find-dupes, fund, get, help, help-search, init, install,
- install-ci-test, install-test, link, ll, login, logout, ls,
- org, outdated, owner, pack, ping, pkg, prefix, profile,
- prune, publish, query, rebuild, repo, restart, root, run,
- sbom, search, set, shrinkwrap, stage, star, stars, start,
- stop, team, test, token, trust, undeprecate, uninstall,
- unpublish, unstar, update, version, view, whoami
+ install-ci-test, install-scripts, install-test, link, ll,
+ login, logout, ls, org, outdated, owner, pack, ping, pkg,
+ prefix, profile, prune, publish, query, rebuild, repo,
+ restart, root, run, sbom, search, set, shrinkwrap, stage,
+ star, stars, start, stop, team, test, token, trust,
+ undeprecate, uninstall, unpublish, unstar, update, version,
+ view, whoami
Specify configs in the ini-formatted file:
{USERCONFIG}
@@ -228,6 +232,7 @@ All commands:
help-search, init,
install,
install-ci-test,
+ install-scripts,
install-test, link, ll,
login, logout, ls, org,
outdated, owner, pack,
@@ -283,6 +288,7 @@ All commands:
help-search, init,
install,
install-ci-test,
+ install-scripts,
install-test, link, ll,
login, logout, ls, org,
outdated, owner, pack,
@@ -337,6 +343,7 @@ All commands:
fund, get, help,
help-search, init,
install, install-ci-test,
+ install-scripts,
install-test, link, ll,
login, logout, ls, org,
outdated, owner, pack,
@@ -383,12 +390,13 @@ All commands:
completion, config, dedupe, deny-scripts, deprecate, diff,
dist-tag, docs, doctor, edit, exec, explain, explore,
find-dupes, fund, get, help, help-search, init, install,
- install-ci-test, install-test, link, ll, login, logout, ls,
- org, outdated, owner, pack, ping, pkg, prefix, profile,
- prune, publish, query, rebuild, repo, restart, root, run,
- sbom, search, set, shrinkwrap, stage, star, stars, start,
- stop, team, test, token, trust, undeprecate, uninstall,
- unpublish, unstar, update, version, view, whoami
+ install-ci-test, install-scripts, install-test, link, ll,
+ login, logout, ls, org, outdated, owner, pack, ping, pkg,
+ prefix, profile, prune, publish, query, rebuild, repo,
+ restart, root, run, sbom, search, set, shrinkwrap, stage,
+ star, stars, start, stop, team, test, token, trust,
+ undeprecate, uninstall, unpublish, unstar, update, version,
+ view, whoami
Specify configs in the ini-formatted file:
{USERCONFIG}
@@ -420,12 +428,13 @@ All commands:
completion, config, dedupe, deny-scripts, deprecate, diff,
dist-tag, docs, doctor, edit, exec, explain, explore,
find-dupes, fund, get, help, help-search, init, install,
- install-ci-test, install-test, link, ll, login, logout, ls,
- org, outdated, owner, pack, ping, pkg, prefix, profile,
- prune, publish, query, rebuild, repo, restart, root, run,
- sbom, search, set, shrinkwrap, stage, star, stars, start,
- stop, team, test, token, trust, undeprecate, uninstall,
- unpublish, unstar, update, version, view, whoami
+ install-ci-test, install-scripts, install-test, link, ll,
+ login, logout, ls, org, outdated, owner, pack, ping, pkg,
+ prefix, profile, prune, publish, query, rebuild, repo,
+ restart, root, run, sbom, search, set, shrinkwrap, stage,
+ star, stars, start, stop, team, test, token, trust,
+ undeprecate, uninstall, unpublish, unstar, update, version,
+ view, whoami
Specify configs in the ini-formatted file:
{USERCONFIG}
@@ -457,12 +466,13 @@ All commands:
completion, config, dedupe, deny-scripts, deprecate, diff,
dist-tag, docs, doctor, edit, exec, explain, explore,
find-dupes, fund, get, help, help-search, init, install,
- install-ci-test, install-test, link, ll, login, logout, ls,
- org, outdated, owner, pack, ping, pkg, prefix, profile,
- prune, publish, query, rebuild, repo, restart, root, run,
- sbom, search, set, shrinkwrap, stage, star, stars, start,
- stop, team, test, token, trust, undeprecate, uninstall,
- unpublish, unstar, update, version, view, whoami
+ install-ci-test, install-scripts, install-test, link, ll,
+ login, logout, ls, org, outdated, owner, pack, ping, pkg,
+ prefix, profile, prune, publish, query, rebuild, repo,
+ restart, root, run, sbom, search, set, shrinkwrap, stage,
+ star, stars, start, stop, team, test, token, trust,
+ undeprecate, uninstall, unpublish, unstar, update, version,
+ view, whoami
Specify configs in the ini-formatted file:
{USERCONFIG}
diff --git a/deps/npm/tap-snapshots/test/lib/utils/reify-output.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/reify-output.js.test.cjs
index 40d4cd221ca024..828a99679eab6b 100644
--- a/deps/npm/tap-snapshots/test/lib/utils/reify-output.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/utils/reify-output.js.test.cjs
@@ -10,6 +10,11 @@ exports[`test/lib/utils/reify-output.js TAP added packages should be looked up w
added 1 package in {TIME}
`
+exports[`test/lib/utils/reify-output.js TAP added packages should be looked up within returned tree linked store package counted though absent from actualTree > must match snapshot 1`] = `
+
+added 1 package in {TIME}
+`
+
exports[`test/lib/utils/reify-output.js TAP added packages should be looked up within returned tree missing added pkg in inventory > must match snapshot 1`] = `
up to date in {TIME}
diff --git a/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
index 124478bc829938..6963299566d53d 100644
--- a/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
@@ -417,7 +417,7 @@ exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - from git url > must
"version": "1.0.0",
"scope": "required",
"author": "Author",
- "purl": "pkg:npm/root@1.0.0?vcs_url=https://github.com/foo/bar#1234",
+ "purl": "pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar%231234",
"properties": [],
"externalReferences": [
{
diff --git a/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
index 6adb6d26de1435..eda01bcaa4ed6a 100644
--- a/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
@@ -414,7 +414,7 @@ exports[`test/lib/utils/sbom-spdx.js TAP single node - from git url > must match
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
- "referenceLocator": "pkg:npm/root@1.0.0?vcs_url=https://github.com/foo/bar#1234"
+ "referenceLocator": "pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar%231234"
}
]
}
diff --git a/deps/npm/test/lib/commands/approve-scripts.js b/deps/npm/test/lib/commands/approve-scripts.js
index 30325f41014c88..4b2e7e5a73e1f8 100644
--- a/deps/npm/test/lib/commands/approve-scripts.js
+++ b/deps/npm/test/lib/commands/approve-scripts.js
@@ -7,7 +7,7 @@ const mockNpm = async (t, opts = {}) => {
return _mockNpm(t, opts)
}
-const setupProject = ({ allowScripts, withScripts = ['canvas'] } = {}) => {
+const setupProject = ({ allowScripts, withScripts = ['canvas'], noResolved = [] } = {}) => {
const pkg = {
name: 'host',
version: '1.0.0',
@@ -28,11 +28,16 @@ const setupProject = ({ allowScripts, withScripts = ['canvas'] } = {}) => {
scripts: { install: 'echo install' },
}),
}
- lockPackages[`node_modules/${name}`] = {
+ const lockEntry = {
version: '1.0.0',
- resolved: tarUrl,
hasInstallScript: true,
}
+ // Some lockfiles omit `resolved` for registry deps. Those nodes have no
+ // trustable version, so they can only be approved by name.
+ if (!noResolved.includes(name)) {
+ lockEntry.resolved = tarUrl
+ }
+ lockPackages[`node_modules/${name}`] = lockEntry
}
return {
@@ -119,6 +124,51 @@ t.test('approve-scripts --all approves every unreviewed package', async t => {
})
})
+t.test('approve-scripts --all approves a dep without a resolved URL by name', async t => {
+ // Regression for npm/cli#9558: a dep with no `resolved` URL can't be
+ // pinned, but must still be approved by name, not silently skipped.
+ const { npm, prefix, logs } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'], noResolved: ['canvas'] }),
+ config: { all: true },
+ })
+ await npm.exec('approve-scripts', [])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { canvas: true }, 'approved by name, not skipped')
+ t.match(
+ logs.warn.byTitle('approve-scripts').join('\n'),
+ /no "resolved" URL/,
+ 'warns that a version pin could not be written'
+ )
+})
+
+t.test('approve-scripts approves a dep without a resolved URL by name', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'], noResolved: ['canvas'] }),
+ })
+ await npm.exec('approve-scripts', ['canvas'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { canvas: true })
+})
+
+t.test('approve-scripts --pending is empty after a no-resolved dep is approved by name', async t => {
+ const { npm, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({
+ allowScripts: { canvas: true },
+ withScripts: ['canvas'],
+ noResolved: ['canvas'],
+ }),
+ config: { 'allow-scripts-pending': true },
+ })
+ await npm.exec('approve-scripts', [])
+ t.match(
+ joinedOutput(),
+ /No packages with unreviewed install scripts/,
+ 'name-only entry covers the dep even without a resolved URL'
+ )
+})
+
t.test('approve-scripts errors on unknown package', async t => {
const { npm } = await mockNpm(t, {
prefixDir: setupProject({ withScripts: ['canvas'] }),
diff --git a/deps/npm/test/lib/commands/audit.js b/deps/npm/test/lib/commands/audit.js
index 3bd5e5033c499f..61887417216eb0 100644
--- a/deps/npm/test/lib/commands/audit.js
+++ b/deps/npm/test/lib/commands/audit.js
@@ -163,6 +163,86 @@ t.test('audit fix - bulk endpoint', async t => {
)
})
+t.test('audit fix exits non-zero when min-release-age blocks a fix', async t => {
+ const { npm, logs } = await loadMockNpm(t, {
+ prefixDir: tree,
+ config: { 'min-release-age': 30 },
+ })
+ const registry = new MockRegistry({
+ tap: t,
+ registry: npm.config.get('registry'),
+ })
+ const manifest = registry.manifest({
+ name: 'test-dep-a',
+ packuments: [{ version: '1.0.0' }, { version: '1.0.1' }],
+ })
+ // 1.0.0 is old enough to install; the fix 1.0.1 was published too recently.
+ manifest.time['1.0.0'] = '2020-01-01T00:00:00.000Z'
+ manifest.time['1.0.1'] = new Date().toISOString()
+ await registry.package({
+ manifest,
+ tarballs: {
+ '1.0.0': path.join(npm.prefix, 'test-dep-a-vuln'),
+ },
+ times: 2,
+ })
+ const advisory = registry.advisory({ id: 100, vulnerable_versions: '<1.0.1' })
+ registry.nock.post('/-/npm/v1/security/advisories/bulk', body => {
+ const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex')))
+ return t.same(unzipped, { 'test-dep-a': ['1.0.0'] })
+ })
+ .reply(200, { 'test-dep-a': [advisory] })
+ .post('/-/npm/v1/security/advisories/bulk', body => {
+ const unzipped = JSON.parse(gunzip(Buffer.from(body, 'hex')))
+ return t.same(unzipped, { 'test-dep-a': ['1.0.0'] })
+ })
+ .reply(200, { 'test-dep-a': [advisory] })
+
+ await npm.exec('audit', ['fix'])
+
+ t.equal(process.exitCode, 1, 'exits non-zero because the fix was blocked')
+ t.ok(
+ logs.warn.some(w =>
+ /left at a vulnerable version because a fix is newer than the release-age cutoff/.test(w)),
+ 'warns that the fix was blocked by min-release-age'
+ )
+ const lock = JSON.parse(fs.readFileSync(path.join(npm.prefix, 'package-lock.json'), 'utf8'))
+ t.equal(lock.packages['node_modules/test-dep-a'].version, '1.0.0',
+ 'test-dep-a was left at the vulnerable version')
+})
+
+t.test('json audit reports fixBlockedByReleaseAge when a fix is too new', async t => {
+ const { npm, joinedOutput } = await loadMockNpm(t, {
+ prefixDir: tree,
+ config: {
+ json: true,
+ 'min-release-age': 30,
+ },
+ })
+ const registry = new MockRegistry({
+ tap: t,
+ registry: npm.config.get('registry'),
+ })
+ const manifest = registry.manifest({
+ name: 'test-dep-a',
+ packuments: [{ version: '1.0.0' }, { version: '1.0.1' }],
+ })
+ manifest.time['1.0.0'] = '2020-01-01T00:00:00.000Z'
+ manifest.time['1.0.1'] = new Date().toISOString()
+ await registry.package({ manifest })
+ const advisory = registry.advisory({ id: 100, vulnerable_versions: '<1.0.1' })
+ const bulkBody = gzip(JSON.stringify({ 'test-dep-a': ['1.0.0'] }))
+ registry.nock.post('/-/npm/v1/security/advisories/bulk', bulkBody)
+ .reply(200, {
+ 'test-dep-a': [advisory],
+ })
+
+ await npm.exec('audit', [])
+ const report = JSON.parse(joinedOutput())
+ t.match(report.vulnerabilities['test-dep-a'].fixBlockedByReleaseAge, { version: '1.0.1' },
+ 'json output flags the fix that min-release-age blocked')
+})
+
t.test('audit fix no package lock', async t => {
const { npm } = await loadMockNpm(t, {
config: {
diff --git a/deps/npm/test/lib/commands/deny-scripts.js b/deps/npm/test/lib/commands/deny-scripts.js
index 358b71d7da7bd6..1caf93b715134c 100644
--- a/deps/npm/test/lib/commands/deny-scripts.js
+++ b/deps/npm/test/lib/commands/deny-scripts.js
@@ -80,7 +80,10 @@ t.test('deny-scripts --pending is rejected', async t => {
prefixDir: setupProject({ withScripts: ['core-js'] }),
config: { 'allow-scripts-pending': true },
})
- await t.rejects(npm.exec('deny-scripts', []), { code: 'EUSAGE' })
+ await t.rejects(npm.exec('deny-scripts', []), {
+ code: 'EUSAGE',
+ message: /`npm deny-scripts --allow-scripts-pending` is not supported; run `npm install-scripts ls` to list unreviewed packages/,
+ })
})
t.test('deny-scripts --all denies every unreviewed package', async t => {
diff --git a/deps/npm/test/lib/commands/exec.js b/deps/npm/test/lib/commands/exec.js
index 92ea993e3edfb2..45e7634da5e100 100644
--- a/deps/npm/test/lib/commands/exec.js
+++ b/deps/npm/test/lib/commands/exec.js
@@ -220,6 +220,41 @@ t.test('finds workspace dep first', async t => {
t.ok(exists.isFile(), 'bin ran, creating file')
})
+t.test('finds workspace dep bin under linked install strategy', async t => {
+ const { npm } = await loadMockNpm(t, {
+ config: {
+ 'install-strategy': 'linked',
+ },
+ prefixDir: {
+ 'package.json': JSON.stringify({
+ name: '@npmcli/npx-workspace-root-test',
+ workspaces: ['workspace-a', 'tool'],
+ }),
+ 'workspace-a': {
+ 'package.json': JSON.stringify({
+ name: 'workspace-a',
+ dependencies: { tool: '*' },
+ }),
+ },
+ tool: {
+ 'package.json': JSON.stringify({
+ name: 'tool',
+ version: '1.0.0',
+ bin: { 'npx-test': 'index.js' },
+ }),
+ 'index.js': `#!/usr/bin/env node
+ require('fs').writeFileSync('npm-exec-test-success', '')`,
+ },
+ },
+ })
+
+ await npm.exec('install', [])
+ npm.config.set('workspace', ['workspace-a'])
+ await npm.exec('exec', ['npx-test'])
+ const exists = await fs.stat(path.join(npm.prefix, 'workspace-a', 'npm-exec-test-success'))
+ t.ok(exists.isFile(), 'workspace-local bin ran instead of falling back to the registry')
+})
+
t.test('npx --no-install @npmcli/npx-test', async t => {
const registry = new MockRegistry({
tap: t,
diff --git a/deps/npm/test/lib/commands/install-scripts.js b/deps/npm/test/lib/commands/install-scripts.js
new file mode 100644
index 00000000000000..523aba42bdd943
--- /dev/null
+++ b/deps/npm/test/lib/commands/install-scripts.js
@@ -0,0 +1,336 @@
+const t = require('tap')
+const fs = require('node:fs')
+const { resolve } = require('node:path')
+const _mockNpm = require('../../fixtures/mock-npm')
+const InstallScripts = require('../../../lib/commands/install-scripts.js')
+
+const mockNpm = async (t, opts = {}) => {
+ return _mockNpm(t, opts)
+}
+
+const setupProject = ({ allowScripts, withScripts = ['canvas'], noScripts = [] } = {}) => {
+ const pkg = {
+ name: 'host',
+ version: '1.0.0',
+ dependencies: Object.fromEntries([...withScripts, ...noScripts].map((n) => [n, '*'])),
+ }
+ if (allowScripts !== undefined) {
+ pkg.allowScripts = allowScripts
+ }
+
+ const lockPackages = { '': pkg }
+ const nodeModules = {}
+ for (const name of withScripts) {
+ nodeModules[name] = {
+ 'package.json': JSON.stringify({
+ name,
+ version: '1.0.0',
+ scripts: { install: 'echo install' },
+ }),
+ }
+ lockPackages[`node_modules/${name}`] = {
+ version: '1.0.0',
+ hasInstallScript: true,
+ resolved: `https://registry.npmjs.org/${name}/-/${name}-1.0.0.tgz`,
+ }
+ }
+ for (const name of noScripts) {
+ nodeModules[name] = {
+ 'package.json': JSON.stringify({ name, version: '1.0.0' }),
+ }
+ lockPackages[`node_modules/${name}`] = {
+ version: '1.0.0',
+ resolved: `https://registry.npmjs.org/${name}/-/${name}-1.0.0.tgz`,
+ }
+ }
+
+ return {
+ 'package.json': JSON.stringify(pkg, null, 2),
+ 'package-lock.json': JSON.stringify({
+ name: pkg.name,
+ version: pkg.version,
+ lockfileVersion: 3,
+ requires: true,
+ packages: lockPackages,
+ }),
+ node_modules: nodeModules,
+ }
+}
+
+t.test('completion', async t => {
+ const comp = (argv) =>
+ InstallScripts.completion({ conf: { argv: { remain: argv } } })
+
+ t.resolveMatch(comp(['npm', 'install-scripts']), ['approve', 'deny', 'ls', 'prune'])
+ t.resolveMatch(comp(['npm', 'install-scripts', 'approve']), [])
+ t.resolveMatch(comp(['npm', 'install-scripts', 'deny']), [])
+ t.resolveMatch(comp(['npm', 'install-scripts', 'ls']), [])
+ t.resolveMatch(comp(['npm', 'install-scripts', 'prune']), [])
+ await t.rejects(comp(['npm', 'install-scripts', 'frobnicate']), {
+ message: 'frobnicate not recognized',
+ })
+})
+
+t.test('install-scripts approve writes a pinned entry', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await npm.exec('install-scripts', ['approve', 'canvas'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+})
+
+t.test('install-scripts approve --all approves every unreviewed package', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas', 'sharp'] }),
+ config: { all: true },
+ })
+ await npm.exec('install-scripts', ['approve'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, {
+ 'canvas@1.0.0': true,
+ 'sharp@1.0.0': true,
+ })
+})
+
+t.test('install-scripts deny writes a name-only false entry', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await npm.exec('install-scripts', ['deny', 'canvas'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { canvas: false })
+})
+
+t.test('install-scripts deny --all denies every unreviewed package', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas', 'sharp'] }),
+ config: { all: true },
+ })
+ await npm.exec('install-scripts', ['deny'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { canvas: false, sharp: false })
+})
+
+t.test('install-scripts ignores allow-scripts-pending and still writes', async t => {
+ // The namespace exposes listing through `ls`, so a stray
+ // `allow-scripts-pending` config must not divert approve into list mode.
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ config: { 'allow-scripts-pending': true },
+ })
+ await npm.exec('install-scripts', ['approve', 'canvas'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+})
+
+t.test('install-scripts ls lists unreviewed packages', async t => {
+ const { npm, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas', 'sharp'] }),
+ })
+ await npm.exec('install-scripts', ['ls'])
+ const out = joinedOutput()
+ t.match(out, /2 packages have install scripts not yet covered by allowScripts/)
+ t.match(out, /canvas@1\.0\.0/)
+ t.match(out, /sharp@1\.0\.0/)
+})
+
+t.test('install-scripts ls with no unreviewed says so', async t => {
+ const { npm, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({ allowScripts: { canvas: true }, withScripts: ['canvas'] }),
+ })
+ await npm.exec('install-scripts', ['ls'])
+ t.match(joinedOutput(), /No packages with unreviewed install scripts/)
+})
+
+t.test('install-scripts ls rejects positional args', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['ls', 'canvas']),
+ /cannot be combined with positional arguments/
+ )
+})
+
+t.test('install-scripts with no subcommand errors with usage', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await t.rejects(
+ npm.exec('install-scripts', []),
+ { code: 'EUSAGE' }
+ )
+})
+
+t.test('install-scripts with an unknown subcommand errors', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['frobnicate']),
+ /`frobnicate` is not a recognized subcommand/
+ )
+})
+
+t.test('install-scripts approve errors on unknown package', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['approve', 'not-installed']),
+ { code: 'ENOMATCH' }
+ )
+})
+
+t.test('install-scripts fails for global installs', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ config: { global: true },
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['approve', 'canvas']),
+ { code: 'EGLOBAL' }
+ )
+})
+
+t.test('install-scripts prune removes not-installed and no-script entries', async t => {
+ const { npm, prefix, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({
+ withScripts: ['canvas'],
+ noScripts: ['no-scripts-pkg'],
+ allowScripts: {
+ 'canvas@1.0.0': true,
+ 'no-scripts-pkg': true,
+ gone: true,
+ },
+ }),
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+
+ const out = joinedOutput()
+ t.match(out, /Removed 2 unused allowScripts entries:/)
+ t.match(out, /no-scripts-pkg \(no install scripts\)/)
+ t.match(out, /gone \(package not installed\)/)
+})
+
+t.test('install-scripts prune removes unused deny entries too', async t => {
+ const { npm, prefix } = await mockNpm(t, {
+ prefixDir: setupProject({
+ withScripts: ['canvas'],
+ allowScripts: { 'canvas@1.0.0': true, 'denied-gone': false },
+ }),
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+})
+
+t.test('install-scripts prune removes a stale version pin and drops the field', async t => {
+ const { npm, prefix, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({
+ withScripts: ['canvas'],
+ allowScripts: { 'canvas@9.9.9': true },
+ }),
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.notOk('allowScripts' in pkg, 'allowScripts field is removed when empty')
+ // Singular wording for a single entry.
+ t.match(joinedOutput(), /Removed 1 unused allowScripts entry:/)
+})
+
+t.test('install-scripts prune --dry-run reports without writing', async t => {
+ const allowScripts = { 'canvas@1.0.0': true, gone: true }
+ const { npm, prefix, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'], allowScripts }),
+ config: { 'dry-run': true },
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, allowScripts, 'package.json is unchanged')
+ t.match(joinedOutput(), /Would remove 1 unused allowScripts entry:/)
+})
+
+t.test('install-scripts prune --json emits a machine-readable summary', async t => {
+ const { npm, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({
+ withScripts: ['canvas'],
+ allowScripts: { 'canvas@1.0.0': true, gone: true },
+ }),
+ config: { json: true },
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ t.strictSame(JSON.parse(joinedOutput()), {
+ allowScripts: {
+ removed: [{ key: 'gone', value: true, reason: 'not-installed' }],
+ dryRun: false,
+ },
+ })
+})
+
+t.test('install-scripts prune with nothing unused says so', async t => {
+ const { npm, prefix, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({
+ withScripts: ['canvas'],
+ allowScripts: { 'canvas@1.0.0': true },
+ }),
+ })
+ await npm.exec('install-scripts', ['prune'])
+
+ const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+ t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+ t.match(joinedOutput(), /No unused allowScripts entries\./)
+})
+
+t.test('install-scripts prune with no allowScripts field says so', async t => {
+ const { npm, joinedOutput } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await npm.exec('install-scripts', ['prune'])
+ t.match(joinedOutput(), /No unused allowScripts entries\./)
+})
+
+t.test('install-scripts prune rejects positional args', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['prune', 'canvas']),
+ /cannot be combined with positional arguments/
+ )
+})
+
+t.test('install-scripts prune rejects --all', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ config: { all: true },
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['prune']),
+ /cannot be combined with positional arguments or `--all`/
+ )
+})
+
+t.test('install-scripts prune fails for global installs', async t => {
+ const { npm } = await mockNpm(t, {
+ prefixDir: setupProject({ withScripts: ['canvas'] }),
+ config: { global: true },
+ })
+ await t.rejects(
+ npm.exec('install-scripts', ['prune']),
+ { code: 'EGLOBAL' }
+ )
+})
diff --git a/deps/npm/test/lib/commands/link.js b/deps/npm/test/lib/commands/link.js
index 4aaf24c9d0a287..11ed182edd94ba 100644
--- a/deps/npm/test/lib/commands/link.js
+++ b/deps/npm/test/lib/commands/link.js
@@ -289,6 +289,44 @@ t.test('link global linked pkg to local workspace using args', async t => {
t.matchSnapshot(await printLinks(), 'should create a local symlink to global pkg')
})
+t.test('link --workspace --save targets the workspace manifest, not the root', async t => {
+ const { link, prefix } = await mockLink(t, {
+ globalPrefixDir: {
+ node_modules: {
+ a: {
+ 'package.json': JSON.stringify({
+ name: 'a',
+ version: '1.0.0',
+ }),
+ },
+ },
+ },
+ prefixDir: {
+ 'package.json': JSON.stringify({
+ name: 'my-project',
+ version: '1.0.0',
+ workspaces: ['packages/*'],
+ }),
+ packages: {
+ x: {
+ 'package.json': JSON.stringify({
+ name: 'x',
+ version: '1.0.0',
+ }),
+ },
+ },
+ },
+ config: { workspace: 'x', save: true },
+ })
+
+ await link.exec(['a'])
+
+ const root = JSON.parse(fs.readFileSync(join(prefix, 'package.json'), 'utf8'))
+ const ws = JSON.parse(fs.readFileSync(join(prefix, 'packages', 'x', 'package.json'), 'utf8'))
+ t.notOk(root.dependencies, 'root manifest should not get the dependency')
+ t.match(ws.dependencies, { a: /^file:/ }, 'workspace manifest should get the file: dependency')
+})
+
t.test('link pkg already in global space', async t => {
const { npm, link, printLinks, prefix } = await mockLink(t, {
globalPrefixDir: {
@@ -554,3 +592,73 @@ t.test('link threads allowScripts policy through to arborist', async t => {
t.strictSame(localOpts.allowScripts, { canvas: true },
'local arborist opts.allowScripts populated from package.json')
})
+
+t.test('link threads allowScripts policy to the global install', async t => {
+ const capturedOpts = []
+ const FakeArborist = function (opts) {
+ capturedOpts.push(opts)
+ this.options = opts
+ this.actualTree = { inventory: new Map() }
+ }
+ FakeArborist.prototype.loadActual = async () => ({ isLink: false, children: new Map() })
+ FakeArborist.prototype.reify = async () => {}
+
+ const mock = await mockNpm(t, {
+ command: 'link',
+ prefixDir: {
+ 'package.json': JSON.stringify({
+ name: 'host',
+ version: '1.0.0',
+ allowScripts: { canvas: true },
+ }),
+ },
+ mocks: {
+ '@npmcli/arborist': FakeArborist,
+ '{LIB}/utils/reify-finish.js': async () => {},
+ },
+ })
+ await mock.npm.exec('link', ['canvas'])
+ // the global Arborist is constructed first; its missing-package install
+ // must carry the project policy.
+ t.strictSame(capturedOpts[0].allowScripts, { canvas: true },
+ 'global arborist opts.allowScripts populated from package.json')
+})
+
+t.test('link runs the strict-allow-scripts preflight before the global install', async t => {
+ // The mocked preflight stands in for strict mode finding an uncovered
+ // script. It must run and throw before the global reify.
+ const calls = []
+ const FakeArborist = function (opts) {
+ this.options = opts
+ this.actualTree = { inventory: new Map() }
+ }
+ FakeArborist.prototype.loadActual = async () => ({ isLink: false, children: new Map() })
+ FakeArborist.prototype.reify = async () => {
+ calls.push('reify')
+ }
+
+ const mock = await mockNpm(t, {
+ command: 'link',
+ prefixDir: {
+ 'package.json': JSON.stringify({
+ name: 'host',
+ version: '1.0.0',
+ }),
+ },
+ mocks: {
+ '@npmcli/arborist': FakeArborist,
+ '{LIB}/utils/reify-finish.js': async () => {},
+ '{LIB}/utils/strict-allow-scripts-preflight.js': async () => {
+ calls.push('preflight')
+ throw Object.assign(new Error('blocked'), { code: 'ESTRICTALLOWSCRIPTS' })
+ },
+ },
+ })
+ await t.rejects(
+ mock.npm.exec('link', ['canvas']),
+ { code: 'ESTRICTALLOWSCRIPTS' },
+ 'the strict preflight blocks the link'
+ )
+ t.strictSame(calls, ['preflight'],
+ 'preflight ran and the global reify never executed')
+})
diff --git a/deps/npm/test/lib/commands/login.js b/deps/npm/test/lib/commands/login.js
index 55568edd09f9d2..4ebc7147e46ae1 100644
--- a/deps/npm/test/lib/commands/login.js
+++ b/deps/npm/test/lib/commands/login.js
@@ -130,6 +130,19 @@ t.test('web', t => {
})
t.match(outputs[0], '/npm-cli-test/login/cli/00000000-0000-0000-0000-000000000000')
})
+ t.test('proxy registry whose doneUrl points at the canonical registry', async t => {
+ // Regression for npm/cli#8875: a proxy/mirror returns a doneUrl on registry.npmjs.org.
+ // npm must poll the configured proxy where the session lives, not the canonical registry.
+ const proxy = 'https://proxy.registry.example/'
+ const { npm, registry, login, rc } = await mockLogin(t, {
+ registry: proxy,
+ config: { 'auth-type': 'web', registry: proxy },
+ })
+ registry.weblogin({ token: 'npm_proxy-token', doneRegistry: 'https://registry.npmjs.org' })
+ await login.exec([])
+ t.same(npm.config.get('//proxy.registry.example/:_authToken'), 'npm_proxy-token')
+ t.match(rc(), { '//proxy.registry.example/:_authToken': 'npm_proxy-token' })
+ })
t.test('server error', async t => {
const { registry, login } = await mockLogin(t, {
config: { 'auth-type': 'web' },
diff --git a/deps/npm/test/lib/commands/ls.js b/deps/npm/test/lib/commands/ls.js
index ab98773bc68e5c..899a2b8169051b 100644
--- a/deps/npm/test/lib/commands/ls.js
+++ b/deps/npm/test/lib/commands/ls.js
@@ -5332,6 +5332,25 @@ t.test('ls --install-strategy=linked', async t => {
node_modules: {
'workspace-a': t.fixture('symlink', '../packages/workspace-a'),
// workspace-b intentionally NOT linked (undeclared in dependencies)
+ // The hidden lockfile a real linked install writes records only the
+ // declared workspace as linked into root node_modules, so loadActual
+ // resolves workspace-b's root edge as missing (the undeclared-workspace case).
+ '.package-lock.json': JSON.stringify({
+ lockfileVersion: 3,
+ requires: true,
+ packages: {
+ 'node_modules/workspace-a': {
+ resolved: 'packages/workspace-a',
+ link: true,
+ },
+ 'packages/workspace-a': {
+ version: '1.0.0',
+ },
+ 'packages/workspace-b': {
+ version: '1.0.0',
+ },
+ },
+ }),
},
},
})
@@ -5339,6 +5358,7 @@ t.test('ls --install-strategy=linked', async t => {
const output = cleanCwd(result())
t.notMatch(output, /UNMET DEPENDENCY/, 'should not report undeclared workspace as UNMET DEPENDENCY')
t.match(output, /workspace-a/, 'should list declared workspace')
+ t.match(output, /workspace-b/, 'should list undeclared workspace (npm/cli#9618)')
})
t.test('should not report devDeps of store packages as UNMET DEPENDENCY', async t => {
@@ -5397,7 +5417,20 @@ t.test('ls --install-strategy=linked', async t => {
},
},
node_modules: {
- // workspace-a is declared but its symlink is missing
+ // workspace-a is declared but its symlink is missing.
+ // The hidden lockfile records the workspace target without a root
+ // node_modules link, so loadActual resolves the declared workspace's
+ // root edge as missing (the declared-but-missing case), which must
+ // still be reported as UNMET DEPENDENCY.
+ '.package-lock.json': JSON.stringify({
+ lockfileVersion: 3,
+ requires: true,
+ packages: {
+ 'packages/workspace-a': {
+ version: '1.0.0',
+ },
+ },
+ }),
},
},
})
diff --git a/deps/npm/test/lib/commands/query.js b/deps/npm/test/lib/commands/query.js
index 40dadc88858363..cb9230c93fbcb3 100644
--- a/deps/npm/test/lib/commands/query.js
+++ b/deps/npm/test/lib/commands/query.js
@@ -160,6 +160,61 @@ t.test('linked node', async t => {
t.matchSnapshot(joinedOutput(), 'should return linked node res')
})
+t.test('linked strategy reports logical location, not store backing path', async t => {
+ /* linked layout: nopt (direct) symlinked to its store key, abbrev a transitive dep of nopt */
+ const linkedDir = {
+ prefixDir: {
+ node_modules: {
+ nopt: t.fixture('symlink', '.store/nopt-hash/node_modules/nopt'),
+ '.store': {
+ 'nopt-hash': {
+ node_modules: {
+ nopt: {
+ 'package.json': JSON.stringify({
+ name: 'nopt',
+ version: '7.2.1',
+ dependencies: { abbrev: '^2.0.0' },
+ }),
+ },
+ abbrev: t.fixture('symlink', '../../abbrev-hash/node_modules/abbrev'),
+ },
+ },
+ 'abbrev-hash': {
+ node_modules: {
+ abbrev: {
+ 'package.json': JSON.stringify({ name: 'abbrev', version: '2.0.0' }),
+ },
+ },
+ },
+ },
+ },
+ 'package.json': JSON.stringify({
+ name: 'project',
+ version: '1.0.0',
+ dependencies: { nopt: '^7.0.0' },
+ }),
+ },
+ }
+
+ await t.test(':root > * reports the logical link location', async t => {
+ const { npm, joinedOutput } = await loadMockNpm(t, linkedDir)
+ await npm.exec('query', [':root > *'])
+ const res = JSON.parse(joinedOutput())
+ t.equal(res.length, 1, 'returns a single result, not the store node duplicate')
+ t.equal(res[0].location, 'node_modules/nopt', 'reports the logical location')
+ t.match(res[0].realpath, /\.store/, 'realpath still resolves to the store')
+ })
+
+ await t.test(':root * keeps direct deps logical and transitive deps canonical', async t => {
+ const { npm, joinedOutput } = await loadMockNpm(t, linkedDir)
+ await npm.exec('query', [':root *'])
+ const byName = Object.fromEntries(JSON.parse(joinedOutput()).map(n => [n.name, n.location]))
+ t.equal(byName.nopt, 'node_modules/nopt', 'direct dep keeps its logical location')
+ t.equal(byName.abbrev, 'node_modules/.store/abbrev-hash/node_modules/abbrev',
+ 'transitive dep reports its canonical store key, not a consumer symlink')
+ })
+})
+
t.test('global', async t => {
const { npm, joinedOutput } = await loadMockNpm(t, {
config: {
@@ -434,3 +489,24 @@ t.test('missing', async t => {
await npm.exec('query', [':missing'])
t.matchSnapshot(joinedOutput(), 'should return missing node')
})
+
+t.test('linked strategy surfaces undeclared workspaces', async t => {
+ // npm/cli#9618: undeclared workspaces are not symlinked into root node_modules under linked, but must remain visible to `npm query`.
+ const { npm, joinedOutput } = await loadMockNpm(t, {
+ config: { 'install-strategy': 'linked' },
+ prefixDir: {
+ 'package.json': JSON.stringify({
+ name: 'root',
+ version: '1.0.0',
+ workspaces: ['packages/*'],
+ }),
+ packages: {
+ a: { 'package.json': JSON.stringify({ name: 'a', version: '1.0.0' }) },
+ b: { 'package.json': JSON.stringify({ name: 'b', version: '1.0.0' }) },
+ },
+ },
+ })
+ await npm.exec('query', [':root > *'])
+ const names = JSON.parse(joinedOutput()).map(n => n.name).sort()
+ t.same(names, ['a', 'b'], 'both undeclared workspaces are listed')
+})
diff --git a/deps/npm/test/lib/commands/token.js b/deps/npm/test/lib/commands/token.js
index 56ab906d921bec..34297a923c8972 100644
--- a/deps/npm/test/lib/commands/token.js
+++ b/deps/npm/test/lib/commands/token.js
@@ -13,6 +13,7 @@ const tokens = [
{
key: 'abcd1234abcd1234',
token: 'efgh5678efgh5678',
+ name: 'abcd001',
cidr_whitelist: null,
readonly: false,
created: now,
@@ -21,6 +22,7 @@ const tokens = [
{
key: 'abcd1256',
token: 'hgfe8765',
+ name: 'abcd002',
cidr_whitelist: ['192.168.1.1/32'],
readonly: true,
created: now,
@@ -63,9 +65,9 @@ t.test('token list', async t => {
registry.getTokens(tokens)
await npm.exec('token', [])
t.strictSame(outputs, [
- `Token efgh5678efgh5678… with id abcd123 created ${now.slice(0, 10)}`,
+ `Token efgh5678efgh5678… with id abcd123 name abcd001 created ${now.slice(0, 10)}`,
'',
- `Token hgfe8765… with id abcd125 created ${now.slice(0, 10)}`,
+ `Token hgfe8765… with id abcd125 name abcd002 created ${now.slice(0, 10)}`,
'with IP whitelist: 192.168.1.1/32',
'',
])
@@ -104,9 +106,9 @@ t.test('token list parseable output', async t => {
registry.getTokens(tokens)
await npm.exec('token', [])
t.strictSame(outputs, [
- 'key\ttoken\tcreated\treadonly\tCIDR whitelist',
- `abcd1234abcd1234\tefgh5678efgh5678\t${now}\tfalse\t`,
- `abcd1256\thgfe8765\t${now}\ttrue\t192.168.1.1/32`,
+ 'key\ttoken\tid\tname\tcreated\treadonly\tCIDR whitelist',
+ `abcd1234abcd1234\tefgh5678efgh5678\tabcd123\tabcd001\t${now}\tfalse\t`,
+ `abcd1256\thgfe8765\tabcd125\tabcd002\t${now}\ttrue\t192.168.1.1/32`,
])
})
diff --git a/deps/npm/test/lib/utils/allow-scripts-prune.js b/deps/npm/test/lib/utils/allow-scripts-prune.js
new file mode 100644
index 00000000000000..880b1dfe343717
--- /dev/null
+++ b/deps/npm/test/lib/utils/allow-scripts-prune.js
@@ -0,0 +1,90 @@
+const t = require('tap')
+const { classifyUnusedEntries } = require('../../../lib/utils/allow-scripts-prune.js')
+
+// Minimal registry node: `matches` derives name/version from the resolved URL.
+const node = ({ name = 'pkg', version = '1.0.0' } = {}) => ({
+ name,
+ version,
+ isRegistryDependency: true,
+ resolved: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`,
+})
+
+const withScripts = (overrides) => ({ node: node(overrides), hasScripts: true })
+const noScripts = (overrides) => ({ node: node(overrides), hasScripts: false })
+
+t.test('empty / nullish policy', t => {
+ t.same(classifyUnusedEntries({}, []), { remaining: {}, removed: [] })
+ t.same(classifyUnusedEntries(null, []), { remaining: {}, removed: [] })
+ t.same(classifyUnusedEntries(undefined, [withScripts()]), { remaining: {}, removed: [] })
+ t.end()
+})
+
+t.test('keeps entries that match an installed package with scripts', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { canvas: true, 'esbuild@1.0.0': true },
+ [withScripts({ name: 'canvas' }), withScripts({ name: 'esbuild', version: '1.0.0' })]
+ )
+ t.same(remaining, { canvas: true, 'esbuild@1.0.0': true })
+ t.same(removed, [])
+ t.end()
+})
+
+t.test('removes entries for packages no longer installed', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { canvas: true, gone: true },
+ [withScripts({ name: 'canvas' })]
+ )
+ t.same(remaining, { canvas: true })
+ t.same(removed, [{ key: 'gone', value: true, reason: 'not-installed' }])
+ t.end()
+})
+
+t.test('removes entries whose package no longer has install scripts', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { canvas: true },
+ [noScripts({ name: 'canvas' })]
+ )
+ t.same(remaining, {})
+ t.same(removed, [{ key: 'canvas', value: true, reason: 'no-scripts' }])
+ t.end()
+})
+
+t.test('a matching version with scripts keeps the entry even if another lacks them', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { canvas: true },
+ [noScripts({ name: 'canvas', version: '1.0.0' }), withScripts({ name: 'canvas', version: '2.0.0' })]
+ )
+ t.same(remaining, { canvas: true })
+ t.same(removed, [])
+ t.end()
+})
+
+t.test('version-pinned entry is unused when that exact version is not installed', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { 'canvas@1.0.0': true },
+ [withScripts({ name: 'canvas', version: '2.0.0' })]
+ )
+ t.same(remaining, {})
+ t.same(removed, [{ key: 'canvas@1.0.0', value: true, reason: 'not-installed' }])
+ t.end()
+})
+
+t.test('prunes unused deny (false) entries the same way', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { 'denied-gone': false, 'denied-here': false },
+ [withScripts({ name: 'denied-here' })]
+ )
+ t.same(remaining, { 'denied-here': false })
+ t.same(removed, [{ key: 'denied-gone', value: false, reason: 'not-installed' }])
+ t.end()
+})
+
+t.test('keeps unparseable keys untouched', t => {
+ const { remaining, removed } = classifyUnusedEntries(
+ { 'a b': true, gone: true },
+ [withScripts({ name: 'canvas' })]
+ )
+ t.same(remaining, { 'a b': true })
+ t.same(removed, [{ key: 'gone', value: true, reason: 'not-installed' }])
+ t.end()
+})
diff --git a/deps/npm/test/lib/utils/allow-scripts-writer.js b/deps/npm/test/lib/utils/allow-scripts-writer.js
index f72a84eef113ba..8edf25be3079c7 100644
--- a/deps/npm/test/lib/utils/allow-scripts-writer.js
+++ b/deps/npm/test/lib/utils/allow-scripts-writer.js
@@ -24,6 +24,23 @@ const node = (overrides = {}) => {
}
}
+// A registry node with no `resolved` URL in the lockfile. Its trusted name
+// comes from a dependency edge, but its version isn't trustable, so
+// versionedKeyFor returns null (npm/cli#9558).
+const noResolvedNode = (overrides = {}) => {
+ const name = overrides.name ?? 'pkg'
+ const version = overrides.version ?? '1.0.0'
+ return {
+ name,
+ packageName: overrides.packageName ?? name,
+ version,
+ resolved: undefined,
+ location: `node_modules/${name}`,
+ isRegistryDependency: true,
+ edgesIn: new Set([{ name, spec: overrides.spec ?? `^${version}` }]),
+ }
+}
+
t.test('nameKeyFor / versionedKeyFor — registry', async t => {
const n = node({ name: 'canvas', version: '2.11.0' })
t.equal(nameKeyFor(n), 'canvas')
@@ -214,6 +231,73 @@ t.test('applyApprovalForPackage — keeps existing pin matching one installed, a
t.strictSame(allowScripts, { 'lodash@3.10.1': true, 'lodash@4.17.21': true })
})
+t.test('versionedKeyFor — registry dep without a resolved URL has no trustable version', async t => {
+ const n = noResolvedNode({ name: 'esbuild', version: '0.25.0' })
+ t.equal(nameKeyFor(n), 'esbuild', 'name still recoverable from the dependency edge')
+ t.equal(versionedKeyFor(n), null, 'version cannot be trusted without a resolved URL')
+})
+
+t.test('applyApprovalForPackage — pin mode falls back to name-only when version is not trustable', async t => {
+ const { allowScripts, changes, warning } = applyApprovalForPackage(
+ {},
+ [noResolvedNode({ name: 'esbuild', version: '0.25.0' })],
+ { pin: true }
+ )
+ t.strictSame(allowScripts, { esbuild: true }, 'approved by name instead of silently skipped')
+ t.strictSame(changes, [{ key: 'esbuild', change: 'added' }])
+ t.match(warning, /no "resolved" URL/, 'explains why a pin was not written')
+})
+
+t.test('applyApprovalForPackage — mixed resolved/no-resolved collapses to one name-only entry', async t => {
+ const { allowScripts, warning } = applyApprovalForPackage(
+ {},
+ [
+ node({ name: 'esbuild', version: '0.21.5' }),
+ noResolvedNode({ name: 'esbuild', version: '0.25.0' }),
+ ],
+ { pin: true }
+ )
+ t.strictSame(allowScripts, { esbuild: true }, 'no redundant pin alongside the name-only entry')
+ t.match(warning, /no "resolved" URL/)
+})
+
+t.test('applyApprovalForPackage — existing pin collapses into name-only when a sibling cannot be pinned', async t => {
+ const { allowScripts, changes } = applyApprovalForPackage(
+ { 'esbuild@0.21.5': true },
+ [
+ node({ name: 'esbuild', version: '0.21.5' }),
+ noResolvedNode({ name: 'esbuild', version: '0.25.0' }),
+ ],
+ { pin: true }
+ )
+ t.strictSame(allowScripts, { esbuild: true })
+ t.match(changes, [
+ { key: 'esbuild@0.21.5', change: 'removed-pinned-allow' },
+ { key: 'esbuild', change: 'added' },
+ ])
+})
+
+t.test('applyApprovalForPackage — no-resolved dep already approved by name is a no-op', async t => {
+ const { allowScripts, changes } = applyApprovalForPackage(
+ { esbuild: true },
+ [noResolvedNode({ name: 'esbuild', version: '0.25.0' })],
+ { pin: true }
+ )
+ t.strictSame(allowScripts, { esbuild: true })
+ t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — no-resolved dep with name-only deny still loses to the deny', async t => {
+ const { allowScripts, changes, warning } = applyApprovalForPackage(
+ { esbuild: false },
+ [noResolvedNode({ name: 'esbuild', version: '0.25.0' })],
+ { pin: true }
+ )
+ t.strictSame(allowScripts, { esbuild: false }, 'deny wins; nothing approved')
+ t.strictSame(changes, [])
+ t.match(warning, /esbuild is denied/)
+})
+
t.test('applyDenyForPackage — empty allowScripts adds name-only false', async t => {
const { allowScripts, changes } = applyDenyForPackage(
{},
@@ -620,7 +704,7 @@ t.test('denyWarning branches on key shape per RFC §approve-scripts', async t =>
{ pin: true }
)
t.match(pinned.warning, /versioned deny/)
- t.match(pinned.warning, /npm deny-scripts canvas/)
+ t.match(pinned.warning, /npm install-scripts deny canvas/)
t.match(pinned.warning, /widen the deny to all versions/)
t.match(pinned.warning, /remove the entry/)
@@ -631,7 +715,7 @@ t.test('denyWarning branches on key shape per RFC §approve-scripts', async t =>
{ pin: true }
)
t.match(multi.warning, /versioned deny/)
- t.match(multi.warning, /npm deny-scripts canvas/)
+ t.match(multi.warning, /npm install-scripts deny canvas/)
})
t.test('denyWarning: tag-type key (pkg@latest: false) is name-only', async t => {
diff --git a/deps/npm/test/lib/utils/reify-output.js b/deps/npm/test/lib/utils/reify-output.js
index 597a03374815ba..0f2be24b0246e2 100644
--- a/deps/npm/test/lib/utils/reify-output.js
+++ b/deps/npm/test/lib/utils/reify-output.js
@@ -391,6 +391,25 @@ t.test('added packages should be looked up within returned tree', async t => {
t.matchSnapshot(out)
})
+
+ t.test('linked store package counted though absent from actualTree', async t => {
+ const out = await mockReify(t, {
+ actualTree: {
+ name: 'foo',
+ inventory: {
+ has: () => false,
+ },
+ },
+ diff: {
+ children: [
+ { action: 'ADD', ideal: { path: 'test/baz', name: 'baz', isInStore: true, isLink: false, package: { version: '1.0.0' } } },
+ { action: 'ADD', ideal: { path: 'test/baz-link', name: 'baz', isInStore: false, isLink: true, package: { version: '1.0.0' } } },
+ ],
+ },
+ })
+
+ t.matchSnapshot(out)
+ })
})
t.test('prints dedupe difference on dry-run', async t => {
@@ -484,7 +503,7 @@ t.test('prints unreviewed install scripts summary', async t => {
t.match(warn, /2 packages have install scripts not yet covered/)
t.match(warn, /canvas@2\.11\.0 \(install: node-gyp rebuild\)/)
t.match(warn, /sharp@0\.33\.2 \(preinstall: pre; postinstall: post\)/)
- t.match(warn, /npm approve-scripts --allow-scripts-pending/)
+ t.match(warn, /npm install-scripts ls/)
})
t.test('global install suggests --allow-scripts, not approve-scripts', async t => {
diff --git a/deps/npm/test/lib/utils/sbom-cyclonedx.js b/deps/npm/test/lib/utils/sbom-cyclonedx.js
index ea569d41c57d8b..f3105e3cd48798 100644
--- a/deps/npm/test/lib/utils/sbom-cyclonedx.js
+++ b/deps/npm/test/lib/utils/sbom-cyclonedx.js
@@ -257,6 +257,17 @@ t.test('single node - from git url', t => {
t.end()
})
+t.test('git url with special chars is encoded into the vcs_url qualifier', t => {
+ const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar.git?a=b&c=d#1234' }
+ const res = cyclonedxOutput({ npm, nodes: [node] })
+ const { purl } = res.metadata.component
+ // everything after vcs_url= must be a single percent-encoded value, so the
+ // committish/query can't leak out as an extra purl qualifier or subpath
+ t.equal(purl, 'pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar.git%3Fa%3Db%26c%3Dd%231234')
+ t.notMatch(purl.split('vcs_url=')[1], /[#&]/)
+ t.end()
+})
+
t.test('single node - no package info', t => {
const node = { ...root, package: undefined }
const res = cyclonedxOutput({ npm, nodes: [node] })
diff --git a/deps/npm/test/lib/utils/sbom-spdx.js b/deps/npm/test/lib/utils/sbom-spdx.js
index d2599b0824510c..1e21c945ca75d5 100644
--- a/deps/npm/test/lib/utils/sbom-spdx.js
+++ b/deps/npm/test/lib/utils/sbom-spdx.js
@@ -223,6 +223,17 @@ t.test('single node - from git url', t => {
t.end()
})
+t.test('git url with special chars is encoded into the vcs_url qualifier', t => {
+ const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar.git?a=b&c=d#1234' }
+ const res = spdxOutput({ npm, nodes: [node] })
+ const purl = res.packages
+ .find(p => p.SPDXID === 'SPDXRef-Package-root-1.0.0')
+ .externalRefs.find(r => r.referenceType === 'purl').referenceLocator
+ t.equal(purl, 'pkg:npm/root@1.0.0?vcs_url=https%3A%2F%2Fgithub.com%2Ffoo%2Fbar.git%3Fa%3Db%26c%3Dd%231234')
+ t.notMatch(purl.split('vcs_url=')[1], /[#&]/)
+ t.end()
+})
+
t.test('single node - linked', t => {
const node = { ...root, isLink: true, target: { edgesOut: [] } }
const res = spdxOutput({ npm, nodes: [node] })
diff --git a/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js b/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js
index e0c54105f88632..c67a6e4853a12d 100644
--- a/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js
+++ b/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js
@@ -76,6 +76,19 @@ t.test('throws when unreviewed install scripts exist (idealTree path)', async t
)
})
+t.test('passes when the only unreviewed node is inert (platform-incompatible optional dep)', async t => {
+ // An inert dep is in the ideal tree but removed before any script runs, so
+ // strict mode must not reject it (npm/cli#9562).
+ const inertNode = { ...node({ name: 'fsevents' }), inert: true }
+ const arb = makeArb({ ideal: tree([inertNode]) })
+ await preflight({
+ arb,
+ npm: { flatOptions: { strictAllowScripts: true } },
+ idealTreeOpts: {},
+ })
+ t.pass('no error thrown for inert node')
+})
+
t.test('passes when all install-script nodes are explicitly approved', async t => {
const arb = makeArb({
ideal: tree([node({ name: 'canvas' })]),
@@ -190,7 +203,7 @@ t.test('error label falls back to node.name when package.version is missing', as
)
})
-t.test('project-scoped error suggests approve-scripts / deny-scripts', async t => {
+t.test('project-scoped error suggests install-scripts approve / deny', async t => {
const arb = makeArb({ ideal: tree([node({ name: 'canvas' })]) })
await t.rejects(
preflight({
@@ -198,7 +211,7 @@ t.test('project-scoped error suggests approve-scripts / deny-scripts', async t =
npm: { flatOptions: { strictAllowScripts: true } },
idealTreeOpts: {},
}),
- { message: /Approve them with `npm approve-scripts`/ }
+ { message: /Approve them with `npm install-scripts approve`/ }
)
})