[pull] latest from npm:latest

node_modules/@npmcli/agent/lib/agents.js

@@ -203,4 +203,56 @@ module.exports = class Agent extends AgentBase {
 
     return super.addRequest(request, options)
   }
+
+  // When connect() rejects, agent-base removes only its placeholder socket, so Node never drains this.requests[name] and requests queued past maxSockets hang forever.
+  // On a failure we dispatch the next queued request ourselves.
+  // See npm/cli#9386 and TooTallNate/proxy-agents#427.
+  createSocket (req, options, cb) {
+    super.createSocket(req, options, (err, socket) => {
+      if (err) {
+        this.#drainPendingRequests(req, options)
+      }
+      cb(err, socket)
+    })
+  }
+
+  // Dispatch the next request queued behind maxSockets, reusing the slot the failed connection freed.
+  #drainPendingRequests (failedReq, options) {
+    const name = this.getName(options)
+    const queue = this.requests[name]
+    if (!queue || queue.length === 0) {
+      return
+    }
+
+    // Node's removeSocket() picks a queued request without shifting it off, so drop the failed one to avoid dispatching it twice.
+    const failedIndex = queue.indexOf(failedReq)
+    if (failedIndex !== -1) {
+      queue.splice(failedIndex, 1)
+    }
+    if (queue.length === 0) {
+      delete this.requests[name]
+      return
+    }
+
+    // Safety belt: only dispatch if a socket slot is genuinely free.
+    const socketCount = this.sockets[name] ? this.sockets[name].length : 0
+    if (socketCount >= this.maxSockets || this.totalSocketCount >= this.maxTotalSockets) {
+      return
+    }
+
+    const nextReq = queue.shift()
+    if (queue.length === 0) {
+      delete this.requests[name]
+    }
+
+    // All queued requests share this origin, so the failed request's options suit the next one.
+    // createSocket() recurses here if this connection also fails, draining the whole queue.
+    this.createSocket(nextReq, options, (err, socket) => {
+      if (err) {
+        nextReq.onSocket(null, err)
+      } else {
+        nextReq.onSocket(socket)
+      }
+    })
+  }
 }

node_modules/@npmcli/agent/lib/options.js

@@ -37,6 +37,10 @@ const normalizeOptions = (opts) => {
   // remove timeout since we already used it to set our own idle timeout
   delete normalized.timeout
 
+  // since opts is often passed when initiating requests, it may contain
+  // headers, which should not be saved in an agent
+  delete normalized.headers
+
   return normalized
 }
 

node_modules/@npmcli/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/agent",
-  "version": "4.0.0",
+  "version": "4.0.2",
   "description": "the http/https agent used by the npm cli",
   "main": "lib/index.js",
   "scripts": {
@@ -29,8 +29,10 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.25.0",
-    "publish": "true"
+    "version": "4.30.0",
+    "publish": "true",
+    "updateNpm": false,
+    "latestCiVersion": 24
   },
   "dependencies": {
     "agent-base": "^7.1.0",
@@ -40,11 +42,11 @@
     "socks-proxy-agent": "^8.0.3"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.25.0",
-    "minipass-fetch": "^4.0.1",
+    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/template-oss": "4.30.0",
+    "ip-address": "^10.1.0",
+    "minipass-fetch": "^5.0.0",
     "nock": "^14.0.3",
-    "socksv5": "^0.0.6",
     "tap": "^16.3.0"
   },
   "repository": {

node_modules/@sigstore/core/dist/dsse.js

@@ -19,12 +19,11 @@ limitations under the License.
 const PAE_PREFIX = 'DSSEv1';
 // DSSE Pre-Authentication Encoding
 function preAuthEncoding(payloadType, payload) {
-    const prefix = [
-        PAE_PREFIX,
-        payloadType.length,
-        payloadType,
-        payload.length,
-        '',
-    ].join(' ');
-    return Buffer.concat([Buffer.from(prefix, 'ascii'), payload]);
+    const typeBytes = Buffer.from(payloadType, 'utf-8');
+    return Buffer.concat([
+        Buffer.from(`${PAE_PREFIX} ${typeBytes.length} `, 'ascii'),
+        typeBytes,
+        Buffer.from(` ${payload.length} `, 'ascii'),
+        payload,
+    ]);
 }

node_modules/@sigstore/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/core",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Base library for Sigstore",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

node_modules/@sigstore/verify/dist/key/index.js

@@ -56,9 +56,17 @@ function getSigner(cert) {
     else {
         issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
     }
+    const oids = cert.extensions.map((ext) => {
+        const oid = ext.subs[0].toOID();
+        return {
+            oid: { id: oid.split('.').map(Number) },
+            value: ext.subs[ext.subs.length - 1].value,
+        };
+    });
     const identity = {
         extensions: { issuer },
         subjectAlternativeName: cert.subjectAltName,
+        oids,
     };
     return {
         key: core_1.crypto.createPublicKey(cert.publicKey),

node_modules/@sigstore/verify/dist/policy.js

@@ -2,7 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
 exports.verifyExtensions = verifyExtensions;
+exports.verifyOIDs = verifyOIDs;
 const error_1 = require("./error");
+// Verifies that the signer's SAN matches the policy identity. The
+// policyIdentity is treated as a JavaScript regular expression pattern and
+// tested against the full signerIdentity string. For exact matching, use
+// anchored patterns (e.g. '^user@example\\.com$').
 function verifySubjectAlternativeName(policyIdentity, signerIdentity) {
     if (signerIdentity === undefined || !signerIdentity.match(policyIdentity)) {
         throw new error_1.PolicyError({
@@ -22,3 +27,24 @@ function verifyExtensions(policyExtensions, signerExtensions = {}) {
         }
     }
 }
+function verifyOIDs(policyOIDs, signerOIDs = []) {
+    for (const policyOID of policyOIDs) {
+        const match = signerOIDs.find((signerOID) => oidEquals(policyOID.oid?.id, signerOID.oid?.id) &&
+            policyOID.value.equals(signerOID.value));
+        if (!match) {
+            /* istanbul ignore next */
+            const oid = policyOID.oid?.id.join('.') ?? '<unknown>';
+            throw new error_1.PolicyError({
+                code: 'UNTRUSTED_SIGNER_ERROR',
+                message: `invalid certificate extension - missing OID ${oid}`,
+            });
+        }
+    }
+}
+function oidEquals(a, b) {
+    /* istanbul ignore if */
+    if (a === undefined || b === undefined) {
+        return false;
+    }
+    return a.length === b.length && a.every((v, i) => v === b[i]);
+}

node_modules/@sigstore/verify/dist/timestamp/index.js

@@ -12,6 +12,10 @@ function getTSATimestamp(timestamp, data, timestampAuthorities) {
     };
 }
 function getTLogTimestamp(entry) {
+    // Only entries with an inclusion promise provide a verifiable timestamp
+    if (!entry.inclusionPromise) {
+        return undefined;
+    }
     return {
         type: 'transparency-log',
         logID: entry.logId.keyId,

node_modules/@sigstore/verify/dist/verifier.js

@@ -46,28 +46,33 @@ class Verifier {
     }
     // Checks that all of the timestamps in the entity are valid and returns them
     verifyTimestamps(entity) {
-        let timestampCount = 0;
-        const timestamps = entity.timestamps.map((timestamp) => {
+        const timestamps = [];
+        for (const timestamp of entity.timestamps) {
             switch (timestamp.$case) {
                 case 'timestamp-authority':
-                    timestampCount++;
-                    return (0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities);
-                case 'transparency-log':
-                    timestampCount++;
-                    return (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
+                    timestamps.push((0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities));
+                    break;
+                case 'transparency-log': {
+                    const result = (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
+                    /* istanbul ignore else */
+                    if (result) {
+                        timestamps.push(result);
+                    }
+                    break;
+                }
             }
-        });
+        }
         // Check for duplicate timestamps
         if (containsDupes(timestamps)) {
             throw new error_1.VerificationError({
                 code: 'TIMESTAMP_ERROR',
                 message: 'duplicate timestamp',
             });
         }
-        if (timestampCount < this.options.timestampThreshold) {
+        if (timestamps.length < this.options.timestampThreshold) {
             throw new error_1.VerificationError({
                 code: 'TIMESTAMP_ERROR',
-                message: `expected ${this.options.timestampThreshold} timestamps, got ${timestampCount}`,
+                message: `expected ${this.options.timestampThreshold} timestamps, got ${timestamps.length}`,
             });
         }
         return timestamps.map((t) => t.timestamp);
@@ -133,6 +138,11 @@ class Verifier {
         if (policy.extensions) {
             (0, policy_1.verifyExtensions)(policy.extensions, identity.extensions);
         }
+        // Check that the OIDs of the signer match the policy
+        /* istanbul ignore if */
+        if (policy.oids) {
+            (0, policy_1.verifyOIDs)(policy.oids, identity.oids);
+        }
     }
 }
 exports.Verifier = Verifier;

node_modules/@sigstore/verify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/verify",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "Verification of Sigstore signatures",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -28,7 +28,7 @@
   "dependencies": {
     "@sigstore/protobuf-specs": "^0.5.0",
     "@sigstore/bundle": "^4.0.0",
-    "@sigstore/core": "^3.1.0"
+    "@sigstore/core": "^3.2.1"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"

node_modules/lru-cache/package.json

@@ -1,7 +1,7 @@
 {
   "name": "lru-cache",
   "description": "A cache object that deletes the least-recently-used items.",
-  "version": "11.5.0",
+  "version": "11.5.1",
   "author": "Isaac Z. Schlueter <i@izs.me>",
   "keywords": [
     "mru",

node_modules/make-fetch-happen/package.json

@@ -1,6 +1,6 @@
 {
   "name": "make-fetch-happen",
-  "version": "15.0.5",
+  "version": "15.0.6",
   "description": "Opinionated, caching, retrying fetch client",
   "main": "lib/index.js",
   "files": [

node_modules/semver/classes/range.js

@@ -98,6 +98,9 @@ class Range {
   }
 
   parseRange (range) {
+    // strip build metadata so it can't bleed into the version
+    range = range.replace(BUILDSTRIPRE, '')
+
     // memoize range parsing for performance.
     // this is a very hot path, and fully deterministic.
     const memoOpts =
@@ -223,13 +226,17 @@ const debug = require('../internal/debug')
 const SemVer = require('./semver')
 const {
   safeRe: re,
+  src,
   t,
   comparatorTrimReplace,
   tildeTrimReplace,
   caretTrimReplace,
 } = require('../internal/re')
 const { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require('../internal/constants')
 
+// unbounded global build-metadata stripper used by parseRange
+const BUILDSTRIPRE = new RegExp(src[t.BUILD], 'g')
+
 const isNullSet = c => c.value === '<0.0.0-0'
 const isAny = c => c.value === ''
 

node_modules/semver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semver",
-  "version": "7.8.0",
+  "version": "7.8.1",
   "description": "The semantic version parser used by npm.",
   "main": "index.js",
   "scripts": {

node_modules/semver/ranges/subset.js

@@ -174,7 +174,7 @@ const simpleSubset = (sub, dom, options) => {
         if (higher === c && higher !== gt) {
           return false
         }
-      } else if (gt.operator === '>=' && !satisfies(gt.semver, String(c), options)) {
+      } else if (gt.operator === '>=' && !c.test(gt.semver)) {
         return false
       }
     }
@@ -192,7 +192,7 @@ const simpleSubset = (sub, dom, options) => {
         if (lower === c && lower !== lt) {
           return false
         }
-      } else if (lt.operator === '<=' && !satisfies(lt.semver, String(c), options)) {
+      } else if (lt.operator === '<=' && !c.test(lt.semver)) {
         return false
       }
     }

node_modules/sigstore/dist/config.js

@@ -65,6 +65,12 @@ function createVerificationPolicy(options) {
     if (options.certificateIssuer) {
         policy.extensions = { issuer: options.certificateIssuer };
     }
+    if (options.certificateOIDs) {
+        policy.oids = Object.entries(options.certificateOIDs).map(([oid, value]) => ({
+            oid: { id: oid.split('.').map(Number) },
+            value: Buffer.from(value),
+        }));
+    }
     return policy;
 }
 // Instantiate the FulcioSigner based on the supplied options.

node_modules/sigstore/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sigstore",
-  "version": "4.1.0",
+  "version": "4.1.1",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,17 +29,17 @@
   "devDependencies": {
     "@sigstore/rekor-types": "^4.0.0",
     "@sigstore/jest": "^0.0.0",
-    "@sigstore/mock": "^0.11.0",
-    "@tufjs/repo-mock": "^4.0.0",
+    "@sigstore/mock": "^0.12.1",
+    "@tufjs/repo-mock": "^4.0.1",
     "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
     "@sigstore/bundle": "^4.0.0",
-    "@sigstore/core": "^3.1.0",
+    "@sigstore/core": "^3.2.1",
     "@sigstore/protobuf-specs": "^0.5.0",
-    "@sigstore/sign": "^4.1.0",
-    "@sigstore/tuf": "^4.0.1",
-    "@sigstore/verify": "^3.1.0"
+    "@sigstore/sign": "^4.1.1",
+    "@sigstore/tuf": "^4.0.2",
+    "@sigstore/verify": "^3.1.1"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"

node_modules/undici/lib/dispatcher/agent.js

@@ -24,7 +24,6 @@ function defaultFactory (origin, opts) {
 
 class Agent extends DispatcherBase {
   constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) {
-
     if (typeof factory !== 'function') {
       throw new InvalidArgumentError('factory must be a function.')
     }