const valid = require('semver/functions/valid') const clean = require('semver/functions/clean') const fs = require('node:fs/promises') const path = require('node:path') const { log } = require('proc-log') /** * @type {import('hosted-git-info')} */ let _hostedGitInfo function lazyHostedGitInfo () { if (!_hostedGitInfo) { _hostedGitInfo = require('hosted-git-info') } return _hostedGitInfo } /** * @type {import('glob').glob} */ let _glob function lazyLoadGlob () { if (!_glob) { _glob = require('glob').glob } return _glob } // used to be npm-normalize-package-bin function normalizePackageBin (pkg, changes) { if (pkg.bin) { if (typeof pkg.bin === 'string' && pkg.name) { changes?.push('"bin" was converted to an object') pkg.bin = { [pkg.name]: pkg.bin } } else if (Array.isArray(pkg.bin)) { changes?.push('"bin" was converted to an object') pkg.bin = pkg.bin.reduce((acc, k) => { acc[path.basename(k)] = k return acc }, {}) } if (typeof pkg.bin === 'object') { for (const binKey in pkg.bin) { if (typeof pkg.bin[binKey] !== 'string') { delete pkg.bin[binKey] changes?.push(`removed invalid "bin[${binKey}]"`) continue } const base = path.basename(secureAndUnixifyPath(binKey)) if (!base) { delete pkg.bin[binKey] changes?.push(`removed invalid "bin[${binKey}]"`) continue } const binTarget = secureAndUnixifyPath(pkg.bin[binKey]) if (!binTarget) { delete pkg.bin[binKey] changes?.push(`removed invalid "bin[${binKey}]"`) continue } if (base !== binKey) { delete pkg.bin[binKey] changes?.push(`"bin[${binKey}]" was renamed to "bin[${base}]"`) } if (binTarget !== pkg.bin[binKey]) { changes?.push(`"bin[${base}]" script name was cleaned`) } pkg.bin[base] = binTarget } if (Object.keys(pkg.bin).length === 0) { changes?.push('empty "bin" was removed') delete pkg.bin } return pkg } } delete pkg.bin } function normalizePackageMan (pkg, changes) { if (pkg.man) { const mans = [] for (const man of (Array.isArray(pkg.man) ? pkg.man : [pkg.man])) { if (typeof man !== 'string') { changes?.push(`removed invalid "man [${man}]"`) } else { mans.push(secureAndUnixifyPath(man)) } } if (!mans.length) { changes?.push('empty "man" was removed') } else { pkg.man = mans return pkg } } delete pkg.man } function isCorrectlyEncodedName (spec) { return !spec.match(/[/@\s+%:]/) && spec === encodeURIComponent(spec) } function isValidScopedPackageName (spec) { if (spec.charAt(0) !== '@') { return false } const rest = spec.slice(1).split('/') if (rest.length !== 2) { return false } return rest[0] && rest[1] && rest[0] === encodeURIComponent(rest[0]) && rest[1] === encodeURIComponent(rest[1]) } function unixifyPath (ref) { return ref.replace(/\\|:/g, '/') } function secureAndUnixifyPath (ref) { const secured = unixifyPath(path.join('.', path.join('/', unixifyPath(ref)))) return secured.startsWith('./') ? '' : secured } // We don't want the `changes` array in here by default because this is a hot // path for parsing packuments during install. So the calling method passes it // in if it wants to track changes. const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase }) => { if (!pkg.content) { throw new Error('Can not normalize without content') } const data = pkg.content const scripts = data.scripts || {} const pkgId = `${data.name ?? ''}@${data.version ?? ''}` // name and version are load bearing so we have to clean them up first if (steps.includes('fixNameField') || steps.includes('normalizeData')) { if (!data.name && !strict) { changes?.push('Missing "name" field was set to an empty string') data.name = '' } else { if (typeof data.name !== 'string') { throw new Error('name field must be a string.') } if (!strict) { const name = data.name.trim() if (data.name !== name) { changes?.push(`Whitespace was trimmed from "name"`) data.name = name } } if (data.name.startsWith('.') || !(isValidScopedPackageName(data.name) || isCorrectlyEncodedName(data.name)) || (strict && (!allowLegacyCase) && data.name !== data.name.toLowerCase()) || data.name.toLowerCase() === 'node_modules' || data.name.toLowerCase() === 'favicon.ico') { throw new Error('Invalid name: ' + JSON.stringify(data.name)) } } } if (steps.includes('fixVersionField') || steps.includes('normalizeData')) { // allow "loose" semver 1.0 versions in non-strict mode // enforce strict semver 2.0 compliance in strict mode const loose = !strict if (!data.version) { data.version = '' } else { if (!valid(data.version, loose)) { throw new Error(`Invalid version: "${data.version}"`) } const version = clean(data.version, loose) if (version !== data.version) { changes?.push(`"version" was cleaned and set to "${version}"`) data.version = version } } } // remove attributes that start with "_" if (steps.includes('_attributes')) { for (const key in data) { if (key.startsWith('_')) { changes?.push(`"${key}" was removed`) delete pkg.content[key] } } } // build the "_id" attribute if (steps.includes('_id')) { if (data.name && data.version) { changes?.push(`"_id" was set to ${pkgId}`) data._id = pkgId } } // fix bundledDependencies typo // normalize bundleDependencies if (steps.includes('bundledDependencies')) { if (data.bundleDependencies === undefined && data.bundledDependencies !== undefined) { data.bundleDependencies = data.bundledDependencies } changes?.push(`Deleted incorrect "bundledDependencies"`) delete data.bundledDependencies } // expand "bundleDependencies: true or translate from object" if (steps.includes('bundleDependencies')) { const bd = data.bundleDependencies if (bd === false && !steps.includes('bundleDependenciesDeleteFalse')) { changes?.push(`"bundleDependencies" was changed from "false" to "[]"`) data.bundleDependencies = [] } else if (bd === true) { changes?.push(`"bundleDependencies" was auto-populated from "dependencies"`) data.bundleDependencies = Object.keys(data.dependencies || {}) } else if (bd && typeof bd === 'object') { if (!Array.isArray(bd)) { changes?.push(`"bundleDependencies" was changed from an object to an array`) data.bundleDependencies = Object.keys(bd) } } else if ('bundleDependencies' in data) { changes?.push(`"bundleDependencies" was removed`) delete data.bundleDependencies } } // it was once common practice to list deps both in optionalDependencies and // in dependencies, to support npm versions that did not know about // optionalDependencies. This is no longer a relevant need, so duplicating // the deps in two places is unnecessary and excessive. if (steps.includes('optionalDedupe')) { if (data.dependencies && data.optionalDependencies && typeof data.optionalDependencies === 'object') { for (const name in data.optionalDependencies) { changes?.push(`optionalDependencies."${name}" was removed`) delete data.dependencies[name] } if (!Object.keys(data.dependencies).length) { changes?.push(`Empty "optionalDependencies" was removed`) delete data.dependencies } } } // add "install" attribute if any "*.gyp" files exist if (steps.includes('gypfile')) { if (!scripts.install && !scripts.preinstall && data.gypfile !== false) { const files = await lazyLoadGlob()('*.gyp', { cwd: pkg.path }) if (files.length) { scripts.install = 'node-gyp rebuild' data.scripts = scripts data.gypfile = true changes?.push(`"scripts.install" was set to "node-gyp rebuild"`) changes?.push(`"gypfile" was set to "true"`) } } } // add "start" attribute if "server.js" exists if (steps.includes('serverjs') && !scripts.start) { try { await fs.access(path.join(pkg.path, 'server.js')) scripts.start = 'node server.js' data.scripts = scripts changes?.push('"scripts.start" was set to "node server.js"') } catch { // do nothing } } // strip "node_modules/.bin" from scripts entries // remove invalid scripts entries (non-strings) if ((steps.includes('scripts') || steps.includes('scriptpath')) && data.scripts !== undefined) { const spre = /^(\.[/\\])?node_modules[/\\].bin[\\/]/ if (typeof data.scripts === 'object') { for (const name in data.scripts) { if (typeof data.scripts[name] !== 'string') { delete data.scripts[name] changes?.push(`Invalid scripts."${name}" was removed`) } else if (steps.includes('scriptpath') && spre.test(data.scripts[name])) { data.scripts[name] = data.scripts[name].replace(spre, '') changes?.push(`scripts entry "${name}" was fixed to remove node_modules/.bin reference`) } } } else { changes?.push(`Removed invalid "scripts"`) delete data.scripts } } if (steps.includes('funding')) { if (data.funding && typeof data.funding === 'string') { data.funding = { url: data.funding } changes?.push(`"funding" was changed to an object with a url attribute`) } } // populate "authors" attribute if (steps.includes('authors') && !data.contributors) { try { const authorData = await fs.readFile(path.join(pkg.path, 'AUTHORS'), 'utf8') const authors = authorData.split(/\r?\n/g) .map(line => line.replace(/^\s*#.*$/, '').trim()) .filter(line => line) data.contributors = authors changes?.push('"contributors" was auto-populated with the contents of the "AUTHORS" file') } catch { // do nothing } } // populate "readme" attribute if (steps.includes('readme') && !data.readme) { const mdre = /\.m?a?r?k?d?o?w?n?$/i const files = await lazyLoadGlob()('{README,README.*}', { cwd: pkg.path, nocase: true, mark: true, }) let readmeFile for (const file of files) { // don't accept directories. if (!file.endsWith(path.sep)) { if (file.match(mdre)) { readmeFile = file break } if (file.endsWith('README')) { readmeFile = file } } } if (readmeFile) { const readmeData = await fs.readFile(path.join(pkg.path, readmeFile), 'utf8') data.readme = readmeData data.readmeFilename = readmeFile changes?.push(`"readme" was set to the contents of ${readmeFile}`) changes?.push(`"readmeFilename" was set to ${readmeFile}`) } if (!data.readme) { // this.warn('missingReadme') data.readme = 'ERROR: No README data found!' } } // expand directories.man if (steps.includes('mans')) { if (data.directories?.man && !data.man) { const manDir = secureAndUnixifyPath(data.directories.man) const cwd = path.resolve(pkg.path, manDir) const files = await lazyLoadGlob()('**/*.[0-9]', { cwd }) data.man = files.map(man => path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/') ) } normalizePackageMan(data, changes) } if (steps.includes('bin') || steps.includes('binDir') || steps.includes('binRefs')) { normalizePackageBin(data, changes) } // expand "directories.bin" if (steps.includes('binDir') && data.directories?.bin && !data.bin) { const binsDir = path.resolve(pkg.path, secureAndUnixifyPath(data.directories.bin)) const bins = await lazyLoadGlob()('**', { cwd: binsDir }) data.bin = bins.reduce((acc, binFile) => { if (binFile && !binFile.startsWith('.')) { const binName = path.basename(binFile) acc[binName] = path.join(data.directories.bin, binFile) } return acc }, {}) // *sigh* normalizePackageBin(data, changes) } // populate "gitHead" attribute if (steps.includes('gitHead') && !data.gitHead) { const git = require('@npmcli/git') const gitRoot = await git.find({ cwd: pkg.path, root }) let head if (gitRoot) { try { head = await fs.readFile(path.resolve(gitRoot, '.git/HEAD'), 'utf8') } catch (err) { // do nothing } } let headData if (head) { if (head.startsWith('ref: ')) { const headRef = head.replace(/^ref: /, '').trim() const headFile = path.resolve(gitRoot, '.git', headRef) try { headData = await fs.readFile(headFile, 'utf8') headData = headData.replace(/^ref: /, '').trim() } catch (err) { // do nothing } if (!headData) { const packFile = path.resolve(gitRoot, '.git/packed-refs') try { let refs = await fs.readFile(packFile, 'utf8') if (refs) { refs = refs.split('\n') for (let i = 0; i < refs.length; i++) { const match = refs[i].match(/^([0-9a-f]{40}) (.+)$/) if (match && match[2].trim() === headRef) { headData = match[1] break } } } } catch { // do nothing } } } else { headData = head.trim() } } if (headData) { data.gitHead = headData } } // populate "types" attribute if (steps.includes('fillTypes')) { const index = data.main || 'index.js' if (typeof index !== 'string') { throw new TypeError('The "main" attribute must be of type string.') } // TODO exports is much more complicated than this in verbose format // We need to support for instance // "exports": { // ".": [ // { // "default": "./lib/npm.js" // }, // "./lib/npm.js" // ], // "./package.json": "./package.json" // }, // as well as conditional exports // if (data.exports && typeof data.exports === 'string') { // index = data.exports // } // if (data.exports && data.exports['.']) { // index = data.exports['.'] // if (typeof index !== 'string') { // } // } const extless = path.join(path.dirname(index), path.basename(index, path.extname(index))) const dts = `./${extless}.d.ts` const hasDTSFields = 'types' in data || 'typings' in data if (!hasDTSFields) { try { await fs.access(path.join(pkg.path, dts)) data.types = dts.split(path.sep).join('/') } catch { // do nothing } } } // "normalizeData" from "read-package-json", which was just a call through to // "normalize-package-data". We only call the "fixer" functions because // outside of that it was also clobbering _id (which we already conditionally // do) and also adding the gypfile script (which we also already // conditionally do) // Some steps are isolated so we can do a limited subset of these in `fix` if (steps.includes('fixRepositoryField') || steps.includes('normalizeData')) { if (data.repositories) { /* eslint-disable-next-line max-len */ changes?.push(`"repository" was set to the first entry in "repositories" (${data.repository})`) data.repository = data.repositories[0] } if (data.repository) { if (typeof data.repository === 'string') { changes?.push('"repository" was changed from a string to an object') data.repository = { type: 'git', url: data.repository, } } if (data.repository.url) { const hosted = lazyHostedGitInfo().fromUrl(data.repository.url) let r if (hosted) { if (hosted.getDefaultRepresentation() === 'shortcut') { r = hosted.https() } else { r = hosted.toString() } if (r !== data.repository.url) { changes?.push(`"repository.url" was normalized to "${r}"`) data.repository.url = r } } } } } if (steps.includes('fixDependencies') || steps.includes('normalizeData')) { // peerDependencies? // devDependencies is meaningless here, it's ignored on an installed package for (const type of ['dependencies', 'devDependencies', 'optionalDependencies']) { if (data[type]) { let secondWarning = true if (typeof data[type] === 'string') { changes?.push(`"${type}" was converted from a string into an object`) data[type] = data[type].trim().split(/[\n\r\s\t ,]+/) secondWarning = false } if (Array.isArray(data[type])) { if (secondWarning) { changes?.push(`"${type}" was converted from an array into an object`) } const o = {} for (const d of data[type]) { if (typeof d === 'string') { const dep = d.trim().split(/(:?[@\s><=])/) const dn = dep.shift() const dv = dep.join('').replace(/^@/, '').trim() o[dn] = dv } } data[type] = o } } } // normalize-package-data used to put optional dependencies BACK into // dependencies here, we no longer do this for (const deps of ['dependencies', 'devDependencies']) { if (deps in data) { if (!data[deps] || typeof data[deps] !== 'object') { changes?.push(`Removed invalid "${deps}"`) delete data[deps] } else { for (const d in data[deps]) { const r = data[deps][d] if (typeof r !== 'string') { changes?.push(`Removed invalid "${deps}.${d}"`) delete data[deps][d] } const hosted = lazyHostedGitInfo().fromUrl(data[deps][d])?.toString() if (hosted && hosted !== data[deps][d]) { changes?.push(`Normalized git reference to "${deps}.${d}"`) data[deps][d] = hosted.toString() } } } } } } if (steps.includes('normalizeData')) { const legacyFixer = require('normalize-package-data/lib/fixer.js') const legacyMakeWarning = require('normalize-package-data/lib/make_warning.js') legacyFixer.warn = function () { changes?.push(legacyMakeWarning.apply(null, arguments)) } const legacySteps = [ 'fixDescriptionField', 'fixModulesField', 'fixFilesField', 'fixManField', 'fixBugsField', 'fixKeywordsField', 'fixBundleDependenciesField', 'fixHomepageField', 'fixReadmeField', 'fixLicenseField', 'fixPeople', 'fixTypos', ] for (const legacyStep of legacySteps) { legacyFixer[legacyStep](data) } } // Warn if the bin references don't point to anything. This might be better // in normalize-package-data if it had access to the file path. if (steps.includes('binRefs') && data.bin instanceof Object) { for (const key in data.bin) { try { await fs.access(path.resolve(pkg.path, data.bin[key])) } catch { log.warn('package-json', pkgId, `No bin file found at ${data.bin[key]}`) // XXX: should a future breaking change delete bin entries that cannot be accessed? } } } } module.exports = normalize