From eb8f7af3c102834856604c1be664b00ca0fe8ef2 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Sun, 23 Feb 2020 21:40:58 -0800
Subject: [PATCH 1/2] fix: remove referer header and opts.refer

Re: https://github.com/npm/cli/issues/930

BREAKING CHANGE: Removes the 'opts.refer' option and the HTTP Referer
header (unless explicitly added to the 'headers' option, of course).

PR-URL: https://github.com/npm/npm-registry-fetch/pull/25
Credit: @isaacs
Close: #25
Reviewed-by: @mikemimik
---
 README.md     |  8 --------
 index.js      | 14 +++++++++-----
 test/index.js | 24 ++++++++++++++++++++++--
 3 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index da722827..31a10a72 100644
--- a/README.md
+++ b/README.md
@@ -501,14 +501,6 @@ using
 If the request URI already has a query string, it will be merged with
 `opts.query`, preferring `opts.query` values.
 
-##### <a name="opts-refer"></a> `opts.refer`
-
-* Type: String
-* Default: null
-
-Value to use for the `Referer` header. The npm CLI itself uses this to serialize
-the npm command line using the given request.
-
 ##### <a name="opts-registry"></a> `opts.registry`
 
 * Type: URL
diff --git a/index.js b/index.js
index 2942db22..8e05f418 100644
--- a/index.js
+++ b/index.js
@@ -113,7 +113,6 @@ function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
     method: method,
     noProxy: opts.noProxy,
     proxy: opts.httpsProxy || opts.proxy,
-    referer: opts.refer,
     retry: opts.retry ? opts.retry : {
       retries: opts.fetchRetries,
       factor: opts.fetchRetryFactor,
@@ -176,12 +175,17 @@ function getCacheMode (opts) {
 function getHeaders (registry, uri, opts) {
   const headers = Object.assign({
     'npm-in-ci': !!opts.isFromCI,
-    'npm-scope': opts.projectScope,
-    'npm-session': opts.npmSession,
-    'user-agent': opts.userAgent,
-    referer: opts.refer
+    'user-agent': opts.userAgent
   }, opts.headers || {})
 
+  if (opts.projectScope) {
+    headers['npm-scope'] = opts.projectScope
+  }
+
+  if (opts.npmSession) {
+    headers['npm-session'] = opts.npmSession
+  }
+
   const auth = getAuth(registry, opts)
   // If a tarball is hosted on a different place than the manifest, only send
   // credentials on `alwaysAuth`
diff --git a/test/index.js b/test/index.js
index e618c3a6..5ad69170 100644
--- a/test/index.js
+++ b/test/index.js
@@ -497,6 +497,26 @@ test('npm-in-ci header with forced CI=false', t => {
 // TODO
 // * npm-session
 // * npm-scope
-// * referer (opts.refer)
 // * user-agent
-test('miscellaneous headers')
+test('miscellaneous headers', t => {
+  tnock(t, OPTS.registry)
+    .matchHeader('npm-session', session =>
+      t.strictSame(session, ['foobarbaz'], 'session set from options'))
+    .matchHeader('npm-scope', scope =>
+      t.strictSame(scope, ['@foo'], 'scope set from options'))
+    .matchHeader('user-agent', ua =>
+      t.strictSame(ua, ['agent of use'], 'UA set from options'))
+    .matchHeader('npm-in-ci', ci =>
+      t.strictSame(ci, ['false'], 'CI set from options'))
+    .get('/hello')
+    .reply(200, { hello: 'world' })
+
+  return fetch('/hello', {
+    ...OPTS,
+    npmSession: 'foobarbaz',
+    projectScope: '@foo',
+    userAgent: 'agent of use'
+  }).then(res => {
+    t.equal(res.status, 200, 'got successful response')
+  })
+})

From ebddbe78a5f67118c1f7af2e02c8a22bcaf9e850 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Mon, 24 Feb 2020 13:22:54 -0800
Subject: [PATCH 2/2] chore(release): 8.0.0

---
 CHANGELOG.md      | 15 +++++++++++++++
 package-lock.json |  2 +-
 package.json      |  2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 70e951da..1f142a69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [8.0.0](https://github.com/npm/registry-fetch/compare/v7.0.1...v8.0.0) (2020-02-24)
+
+
+### ⚠ BREAKING CHANGES
+
+* Removes the 'opts.refer' option and the HTTP Referer
+header (unless explicitly added to the 'headers' option, of course).
+
+PR-URL: https://github.com/npm/npm-registry-fetch/pull/25
+Credit: @isaacs
+
+### Bug Fixes
+
+* remove referer header and opts.refer ([eb8f7af](https://github.com/npm/registry-fetch/commit/eb8f7af3c102834856604c1be664b00ca0fe8ef2)), closes [#25](https://github.com/npm/registry-fetch/issues/25)
+
 ### [7.0.1](https://github.com/npm/registry-fetch/compare/v7.0.0...v7.0.1) (2020-02-24)
 
 ## [7.0.0](https://github.com/npm/registry-fetch/compare/v6.0.2...v7.0.0) (2020-02-18)
diff --git a/package-lock.json b/package-lock.json
index 5cd44d6a..705f3893 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "npm-registry-fetch",
-  "version": "7.0.1",
+  "version": "8.0.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
diff --git a/package.json b/package.json
index 987d6cb7..bfd52ce9 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "npm-registry-fetch",
-  "version": "7.0.1",
+  "version": "8.0.0",
   "description": "Fetch-based http client for use with npm registry APIs",
   "main": "index.js",
   "files": [