diff --git a/deps/npm/.github/CODEOWNERS b/deps/npm/.github/CODEOWNERS new file mode 100644 index 00000000000000..ef8743136d8a1c --- /dev/null +++ b/deps/npm/.github/CODEOWNERS @@ -0,0 +1 @@ +* @npm/cli-team diff --git a/deps/npm/.travis.yml b/deps/npm/.travis.yml index 95255d8d8072bb..e63df7e47bf3e3 100644 --- a/deps/npm/.travis.yml +++ b/deps/npm/.travis.yml @@ -22,6 +22,9 @@ matrix: # then master - node_js: "8" env: DEPLOY_VERSION=testing + script: + - "standard" + - "node . run tap -- \"test/tap/*.js\" \"test/broken-under-nyc/*.js\"" before_install: # required by test/tap/registry.js - "mkdir -p /var/run/couchdb" @@ -29,25 +32,8 @@ notifications: slack: npm-inc:kRqQjto7YbINqHPb1X6nS3g8 cache: directories: - - $HOME/.npm - - html/doc - - man - - node_modules/.bin - node_modules/.cache - - node_modules/deep-equal - - node_modules/marked - - node_modules/marked-man - - node_modules/npm-registry-couchapp - - node_modules/npm-registry-mock - - node_modules/require-inject - - node_modules/sprintf-js - - node_modules/standard - - node_modules/tacks - - node_modules/tap install: - - "node . rebuild --depth=0" - - "node . install --ignore-scripts" - - "node . prune" - - "make -j4 doc" + - "node . install" script: - "node . run tap -- \"test/tap/*.js\" \"test/broken-under-nyc/*.js\"" diff --git a/deps/npm/AUTHORS b/deps/npm/AUTHORS index 7357c4a1bd5bdd..6b4e02a4208ceb 100644 --- a/deps/npm/AUTHORS +++ b/deps/npm/AUTHORS @@ -475,3 +475,26 @@ Jason Wohlgemuth Ryan Graham Hirse Colin Rotherham +Aki +Emily Marigold Klassen +Ramana Venkata +kierendixon +Rácz Tibor Zoltán +Guangcong Luo +Steven +Jan Pilzer +Leonard Martin +Teddy Katz +Simon Legg +Kin Lum +dax +Jože Mlakar +happylynx +Dominic Watson +Enrico Weigelt, metux IT consult +Brian Beck +Ramana Venkata +mmkal +Andrew Schmadel +AJ Jordan +Mark Banner diff --git a/deps/npm/BROKEN.org b/deps/npm/BROKEN.org deleted file mode 100644 index 65b1db9a1de612..00000000000000 --- a/deps/npm/BROKEN.org +++ /dev/null 
@@ -1,37 +0,0 @@ -* Broken test files - * add-remote-git-get-resolved.js (needs porting to pacote) - * bugs.js (I think because opts.fullMetadata) - * builtin-config.js (freezes) - * check-cpu-reqs.js (uhhh? it's not checking?) - * check-engine-reqs.js (same?) - * check-os-reqs.js (same?) - * doctor.js (needs rewrite) - * full-warning-messages.js - * get.js - * git-npmignore.js - * git-races.js - * github-shortcut.js - * ignore-shrinkwrap.js - * install-shrinkwrapped-git.js - * install-with-dev-dep-duplicate.js - * legacy-npm-self-install.js (one check failed) - * ls-depth-cli.js - * outdated-local.js - * outdated-notarget.js - * outdated-private.js - * peer-deps-invalid.js - * peer-deps-toplevel.js - * peer-deps-without-package-json.js - * repo.js - * retry-on-stale-cache.js - * scope-header.js - * shrinkwrap-default-arg-ver.js - * shrinkwrap-local-dependency.js - * shrinkwrap-optional-dependency.js - * shrinkwrap-optional-property.js - * shrinkwrap-prod-dependency.js - * shrinkwrap-shared-dev-dependency.js - * splat-with-only-prerelease-to-latest.js - * url-dependencies.js - * verify-no-lifecycle-on-repo.js - * network/legacy-shrinkwrap.js diff --git a/deps/npm/CHANGELOG.md b/deps/npm/CHANGELOG.md index 03b7e29d91e869..0d3e70aa7f8679 100644 --- a/deps/npm/CHANGELOG.md +++ b/deps/npm/CHANGELOG.md 
@@ -1,3 +1,414 @@ +## v5.2.0 (2017-07-05): + +It's only been a couple of days but we've got some bug fixes we wanted to +get out to you all. We also believe that +[`npx`](https://medium.com/@maybekatz/introducing-npx-an-npm-package-runner-55f7d4bd282b) is ready to be bundled +with npm, which we're really excited about! + +### npx!!! + +npx is a tool intended to help round out the experience of using packages +from the npm registry — the same way npm makes it super easy to install and +manage dependencies hosted on the registry, npx is meant to make it easy to +use CLI tools and other executables hosted on the registry. It greatly +simplifies a number of things that, until now, required a bit of ceremony to +do with plain npm. + +![](https://cdn-images-1.medium.com/max/1600/1*OlIRsvVO5aK7ja9HmwXz_Q.gif) + +[@zkat](https://github.com/zkat) has a [great introduction post to npx](https://medium.com/@maybekatz/introducing-npx-an-npm-package-runner-55f7d4bd282b) +that I highly recommend you give a read + +* [`fb040bee0`](https://github.com/npm/npm/commit/fb040bee0710759c60e45bf8fa2a3b8ddcf4212a) + [#17685](https://github.com/npm/npm/pull/17685) + Bundle npx with npm itself. + ([@zkat](https://github.com/zkat)) + +### BUG FIXES + +* [`9fe905c39`](https://github.com/npm/npm/commit/9fe905c399d07a3c00c7b22035ddb6b7762731e6) + [#17652](https://github.com/npm/npm/pull/17652) + Fix max callstack exceeded loops with trees with circular links. + ([@iarna](https://github.com/iarna)) +* [`c0a289b1b`](https://github.com/npm/npm/commit/c0a289b1ba6b99652c43a955b23acbf1de0b56ae) + [#17606](https://github.com/npm/npm/pull/17606) + Make sure that when write package.json and package-lock.json we always use unix path separators. + ([@Standard8](https://github.com/Standard8)) +* [`1658b79ca`](https://github.com/npm/npm/commit/1658b79cad89ccece5ae5ce3c2f691d44b933116) + [#17654](https://github.com/npm/npm/pull/17654) + Make `npm outdated` show results for globals again. 
Previously it never thought they were out of date. + ([@iarna](https://github.com/iarna)) +* [`06c154fd6`](https://github.com/npm/npm/commit/06c154fd653d18725d2e760ba825d43cdd807420) + [#17678](https://github.com/npm/npm/pull/17678) + Stop flattening modules that have peer dependencies. We're making this + change to support scenarios where the module requiring a peer dependency + is flattened but the peer dependency itself is not, due to conflicts. In + those cases the module requiring the peer dep can't be flattened past the + location its peer dep was placed in. This initial fix is naive, never + flattening peer deps, and we can look into doing something more + sophisticated later on. + ([@iarna](https://github.com/iarna)) +* [`88aafee8b`](https://github.com/npm/npm/commit/88aafee8b5b232b7eeb5690279a098d056575791) + [#17677](https://github.com/npm/npm/pull/17677) + There was an issue where updating a flattened dependency would sometimes + unflatten it. This only happened when the dependency had dependencies + that in turn required the original dependency. + ([@iarna](https://github.com/iarna)) +* [`b58ec8eab`](https://github.com/npm/npm/commit/b58ec8eab3b4141e7f1b8b42d8cc24f716a804d8) + [#17626](https://github.com/npm/npm/pull/17626) + Integrators who were building their own copies of npm ran into issues because + `make install` and https://npmjs.com/install.sh weren't aware that + `npm install` creates links now when given a directory to work on. This does not impact folks + installing npm with `npm install -g npm`. 
+ ([@iarna](https://github.com/iarna)) + +### DOC FIXES + +* [`10bef735e`](https://github.com/npm/npm/commit/10bef735e825acc8278827d34df415dfcd8c67d4) + [#17645](https://github.com/npm/npm/pull/17645) + Fix some github issue links in the 5.1.0 changelog + ([@schmod](https://github.com/schmod)) +* [`85fa9dcb2`](https://github.com/npm/npm/commit/85fa9dcb2f0b4f51b515358e0184ec82a5845227) + [#17634](https://github.com/npm/npm/pull/17634) + Fix typo in package-lock docs. + ([@sonicdoe](https://github.com/sonicdoe)) +* [`688699bef`](https://github.com/npm/npm/commit/688699befc2d147288c69a9405fb8354ecaebe36) + [#17628](https://github.com/npm/npm/pull/17628) + Recommend that folks looking for support join us on https://package.community/ or message + [@npm_support](https://twitter.com/npm_support) on Twitter. + ([@strugee](https://github.com/strugee)) + + +## v5.1.0 (2017-07-05): + +Hey y'all~ + +We've got some goodies for you here, including `npm@5`'s first semver-minor +release! This version includes a huge number of fixes, particularly for some of +the critical bugs users were running into after upgrading npm. You should +overall see a much more stable experience, and we're going to continue hacking +on fixes for the time being. Semver-major releases, specially for tools like +npm, are bound to cause some instability, and getting `npm@5` stable is the CLI +team's top priority for now! + +Not that bugfixes are the only things that landed, either: between improvements +that fell out of the bugfixes, and some really cool work by community members +like [@mikesherov](https://github.com/mikesherov), `npm@5.1.0` is **_twice as +fast_** as `npm@5.0.0` in some benchmarks. We're not stopping there, either: you +can expect a steady stream of speed improvements over the course of the year. +It's not _top_ priority, but we'll keep doing what we can to make sure npm saves +its users as much time as possible. + +Hang on to your seats. 
At **100 commits**, this release is a bit of a doozy. 😎 + +### FEATURES + +Semver-minor releases, of course, mean that there's a new feature somewhere, +right? Here's what's bumping that number for us this time: + +* [`a09c1a69d`](https://github.com/npm/npm/commit/a09c1a69df05b753464cc1272cdccc6af0f4da5a) + [#16687](https://github.com/npm/npm/pull/16687) + Allow customizing the shell used to execute `run-script`s. + ([@mmkal](https://github.com/mmkal)) +* [`4f45ba222`](https://github.com/npm/npm/commit/4f45ba222e2ac6dbe6d696cb7a8e678bbda7c839) [`a48958598`](https://github.com/npm/npm/commit/a489585985540deed4edc03418636c9e97aa9e40) [`901bef0e1`](https://github.com/npm/npm/commit/901bef0e1ea806fc08d8d58744a9f813b6c020ab) + [#17508](https://github.com/npm/npm/pull/17508) + Add a new `requires` field to `package-lock.json` with information about the + _logical_ dependency tree. This includes references to the specific version + each package is intended to see, and can be used for many things, such as + [converting `package-lock.json` to other lockfile + formats](https://twitter.com/maybekatz/status/880578566907248640), various + optimizations, and verifying correctness of a package tree. + ([@iarna](https://github.com/iarna)) +* [`47e8fc8eb`](https://github.com/npm/npm/commit/47e8fc8eb9b5faccef9e03ab991cf37458c16249) + [#17508](https://github.com/npm/npm/pull/17508) + Make `npm ls` take package locks (and shrinkwraps) into account. This means + `npm ls` can now be used to see [which dependencies are + missing](https://twitter.com/maybekatz/status/880446509547794437), so long as + a package lock has been previously generated with it in. 
+ ([@iarna](https://github.com/iarna)) +* [`f0075e7ca`](https://github.com/npm/npm/commit/f0075e7caa3e151424a254d7809ae4489ed8df90) + [#17508](https://github.com/npm/npm/pull/17508) + Take `package.json` changes into account when running installs -- if you + remove or add a dependency to `package.json` manually, npm will now pick that + up and update your tree and package lock accordingly. + ([@iarna](https://github.com/iarna)) +* [`83a5455aa`](https://github.com/npm/npm/commit/83a5455aac3c5cc2511ab504923b652b13bd66a0) + [#17205](https://github.com/npm/npm/pull/17205) + Add `npm udpate` as an alias for `npm update`, for symmetry with + `install`/`isntall`. + ([@gdassori](https://github.com/gdassori)) +* [`57225d394`](https://github.com/npm/npm/commit/57225d394b6174eb0be48393d8e18da0991f67b6) + [#17120](https://github.com/npm/npm/pull/17120) + npm will no longer warn about `preferGlobal`, and the option is now + deprecated. + ([@zkat](https://github.com/zkat)) +* [`82df7bb16`](https://github.com/npm/npm/commit/82df7bb16fc29c47a024db4a8c393e55f883744b) + [#17351](https://github.com/npm/npm/pull/17351) + As some of you may already know `npm build` doesn't do what a lot of people + expect: It's mainly an npm plumbing command, and is part of the more familiar + `npm rebuild` command. That said, a lot of users assume that this is the way + to run an npm `run-script` named `build`, which is an incredibly common script + name to use. To clarify things for users, and encourage them to use `npm run + build` instead, npm will now warn if `npm build` is run without any arguments. 
+ ([@lennym](https://github.com/lennym)) + +### PERFORMANCE + +* [`59f86ef90`](https://github.com/npm/npm/commit/59f86ef90a58d8dc925c9613f1c96e68bee5ec7b) [`43be9d222`](https://github.com/npm/npm/commit/43be9d2222b23ebb0a427ed91824ae217e6d077a) [`e906cdd98`](https://github.com/npm/npm/commit/e906cdd980b4722e66618ce295c682b9a8ffaf8f) + [#16633](https://github.com/npm/npm/pull/16633) + npm now parallelizes tarball extraction across multiple child process workers. + This can significantly speed up installations, specially when installing from + cache, and will improve with number of processors. + ([@zkat](https://github.com/zkat)) +* [`e0849878d`](https://github.com/npm/npm/commit/e0849878dd248de8988c2ef3fc941054625712ca) + [#17441](https://github.com/npm/npm/pull/17441) + Avoid building environment for empty lifecycle scripts. This change alone + accounted for as much as a 15% speed boost for npm installations by outright + skipping entire steps of the installer when not needed. + ([@mikesherov](https://github.com/mikesherov)) +* [`265c2544c`](https://github.com/npm/npm/commit/265c2544c8ded10854909243482e6437ed03c261) + [npm/hosted-git-info#24](https://github.com/npm/hosted-git-info/pull/24) + `hosted-git-info@2.5.0`: Add caching to `fromURL`, which gets called many, + many times by the installer. This improved installation performance by around + 10% on realistic application repositories. + ([@mikesherov](https://github.com/mikesherov)) +* [`901d26cb`](https://github.com/npm/npm/commit/901d26cb656e7e773d9a38ef4eac9263b95e07c8) + [npm/read-package-json#20](https://github.com/npm/read-package-json/pull/70) + `read-package-json@2.0.9`: Speed up installs by as much as 20% by + reintroducing a previously-removed cache and making it actually be correct + this time around. + ([@mikesherov](https://github.com/mikesherov)) +* [`44e37045d`](https://github.com/npm/npm/commit/44e37045d77bc40adf339b423d42bf5e9b4d4d91) + Eliminate `Bluebird.promisifyAll` from our codebase. 
+ ([@iarna](https://github.com/iarna)) +* [`3b4681b53`](https://github.com/npm/npm/commit/3b4681b53db7757985223932072875d099694677) + [#17508](https://github.com/npm/npm/pull/17508) + Stop calling `addBundle` on locked deps, speeding up the + `package-lock.json`-based fast path. + ([@iarna](https://github.com/iarna)) + +### BUGFIXES + +* [#17508](https://github.com/npm/npm/pull/17508) + This is a big PR that fixes a variety of issues when installing from package + locks. If you were previously having issues with missing dependencies or + unwanted removals, this might have fixed it: + * It introduces a new `package-lock.json` field, called `requires`, which tracks which modules a given module requires. + * It fixes [#16839](https://github.com/npm/npm/issues/16839) which was caused by not having this information available, particularly when git dependencies were involved. + * It fixes [#16866](https://github.com/npm/npm/issues/16866), allowing the `package.json` to trump the `package-lock.json`. + * `npm ls` now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.) + ([@iarna](https://github.com/iarna)) +* [`656544c31`](https://github.com/npm/npm/commit/656544c31cdef3cef64fc10c24f03a8ae2685e35) [`d21ab57c3`](https://github.com/npm/npm/commit/d21ab57c3ef4f01d41fb6c2103debe884a17dc22) + [#16637](https://github.com/npm/npm/pull/16637) + Fix some cases where `npm prune` was leaving some dependencies unpruned if + to-be-pruned dependencies depended on them. + ([@exogen](https://github.com/exogen)) +* [`394436b09`](https://github.com/npm/npm/commit/394436b098dcca2d252061f95c4eeb92c4a7027c) + [#17552](https://github.com/npm/npm/pull/17552) + Make `refresh-package-json` re-verify the package platform. 
This fixes an + issue most notably experienced by Windows users using `create-react-app` where + `fsevents` would not short-circuit and cause a crash during its + otherwise-skipped native build phase. + ([@zkat](https://github.com/zkat)) +* [`9e5a94354`](https://github.com/npm/npm/commit/9e5a943547b29c8d022192afd9398b3a136a7e5a) + [#17590](https://github.com/npm/npm/pull/17590) + Fix an issue where `npm@5` would crash when trying to remove packages + installed with `npm@<5`. + ([@iarna](https://github.com/iarna)) +* [`c3b586aaf`](https://github.com/npm/npm/commit/c3b586aafa9eabac572eb6e2b8a7266536dbc65b) + [#17141](https://github.com/npm/npm/issues/17141) + Don't update the package.json when modifying packages that don't go there. + This was previously causing `package.json` to get a `"false": {}` field added. + ([@iarna](https://github.com/iarna)) +* [`d04a23de2`](https://github.com/npm/npm/commit/d04a23de21dd9991b32029d839b71e10e07b400d) [`4a5b360d5`](https://github.com/npm/npm/commit/4a5b360d561f565703024085da0927ccafe8793e) [`d9e53db48`](https://github.com/npm/npm/commit/d9e53db48ca227b21bb67df48c9b3580cb390e9e) + `pacote@2.7.38`: + * [zkat/pacote#102](https://github.com/zkat/pacote/pull/102) Fix issue with tar extraction and special characters. + * Enable loose semver parsing in some missing corner cases. + ([@colinrotherham](https://github.com/colinrotherham), [@zkat](https://github.com/zkat), [@mcibique](https://github.com/mcibique)) +* [`e2f815f87`](https://github.com/npm/npm/commit/e2f815f87676b7c50b896e939cee15a01aa976e4) + [#17104](https://github.com/npm/npm/pull/17104) + Write an empty str and wait for flush to exit to reduce issues with npm + exiting before all output is complete when it's a child process. 
+ ([@zkat](https://github.com/zkat)) +* [`835fcec60`](https://github.com/npm/npm/commit/835fcec601204971083aa3a281c3a9da6061a7c2) + [#17060](https://github.com/npm/npm/pull/17060) + Make git repos with prepare scripts always install with both dev and prod + flags. + ([@intellix](https://github.com/intellix)) +* [`f1dc8a175`](https://github.com/npm/npm/commit/f1dc8a175eed56f1ed23bd5773e5e10beaf6cb31) + [#16879](https://github.com/npm/npm/pull/16879) + Fix support for `always-auth` and `_auth`. They are now both available in both + unscoped and registry-scoped configurations. + ([@jozemlakar](https://github.com/jozemlakar)) +* [`ddd8a1ca2`](https://github.com/npm/npm/commit/ddd8a1ca2fa3377199af74ede9d0c1a406d19793) + Serialize package specs to prevent `[object Object]` showing up in logs during + extraction. + ([@zkat](https://github.com/zkat)) +* [`99ef3b52c`](https://github.com/npm/npm/commit/99ef3b52caa7507e87a4257e622f8964b1c1f5f3) + [#17505](https://github.com/npm/npm/pull/17505) + Stop trying to commit updated `npm-shrinkwrap.json` and `package-lock.json` if + they're `.gitignore`d. + ([@zkat](https://github.com/zkat)) +* [`58be2ec59`](https://github.com/npm/npm/commit/58be2ec596dfb0353ad2570e6750e408339f1478) + Make sure uid and gid are getting correctly set even when they're `0`. This + should fix some Docker-related issues with bad permissions/broken ownership. + ([@rgrove](https://github.com/rgrove)) + ([@zkat](https://github.com/zkat)) +* [`9d1e3b6fa`](https://github.com/npm/npm/commit/9d1e3b6fa01bb563d76018ee153259d9507658cf) + [#17506](https://github.com/npm/npm/pull/17506) + Skip writing package.json and locks if on-disk version is identical to the new + one. 
+ ([@zkat](https://github.com/zkat)) +* [`3fc6477a8`](https://github.com/npm/npm/commit/3fc6477a89773786e6c43ef43a23e5cdc662ff8e) + [#17592](https://github.com/npm/npm/pull/17592) + Fix an issue where `npm install -g .` on a package with no `name` field would + cause the entire global `node_modules` directory to be replaced with a symlink + to `$CWD`. lol. + ([@iarna](https://github.com/iarna)) +* [`06ba0a14a`](https://github.com/npm/npm/commit/06ba0a14a6c1c8cdcc8c062b68c8c63041b0cec0) + [#17591](https://github.com/npm/npm/pull/17591) + Fix spurious removal reporting: if you tried to remove something that didn't + actually exist, npm would tell you it removed 1 package even though there was + nothing to do. + ([@iarna](https://github.com/iarna)) +* [`20ff05f8`](https://github.com/npm/npm/commit/20ff05f8fe0ad8c36e1323d30b63b4d2ff7e11ef) + [#17629](https://github.com/npm/npm/pull/17629) + When removing a link, keep dependencies installed inside of it instead of + removing them, if the link is outside the scope of the current project. This + fixes an issue where removing globally-linked packages would remove all their + dependencies in the source directory, as well as some ergonomic issues when + using links in other situations. + ([@iarna](https://github.com/iarna)) + +### DOCS + +* [`fd5fab595`](https://github.com/npm/npm/commit/fd5fab5955a20a9bb8c0e77092ada1435f73a8d2) + [#16441](https://github.com/npm/npm/pull/16441) + Add spec for `npm-shrinkwrap.json` and `package-lock.json` from RFC. + ([@iarna](https://github.com/iarna)) +* [`9589c1ccb`](https://github.com/npm/npm/commit/9589c1ccb3f794abaaa48c2a647ada311dd881ef) + [#17451](https://github.com/npm/npm/pull/17451) + Fix typo in changelog. 
+ ([@watilde](https://github.com/watilde)) +* [`f8e76d856`](https://github.com/npm/npm/commit/f8e76d8566ae1965e57d348df74edad0643b66a6) + [#17370](https://github.com/npm/npm/pull/17370) + Correct the default prefix config path for Windows operating systems in the + documentation for npm folders. + ([@kierendixon](https://github.com/kierendixon)) +* [`d0f3b5a12`](https://github.com/npm/npm/commit/d0f3b5a127718b0347c6622a2b9c28341c530d36) + [#17369](https://github.com/npm/npm/pull/17369) + Fix `npm-config` reference to `userconfig` & `globalconfig` environment + variables. + ([@racztiborzoltan](https://github.com/racztiborzoltan)) +* [`87629880a`](https://github.com/npm/npm/commit/87629880a71baec352c1b5345bc29268d6212467) + [#17336](https://github.com/npm/npm/pull/17336) + Remove note in docs about `prepublish` being entirely removed. + ([@Hirse](https://github.com/Hirse)) +* [`a1058afd9`](https://github.com/npm/npm/commit/a1058afd9a7a569bd0ac65b86eadd4fe077a7221) + [#17169](https://github.com/npm/npm/pull/17169) + Document `--no-package-lock` flag. + ([@leggsimon](https://github.com/leggsimon)) +* [`32fc6e41a`](https://github.com/npm/npm/commit/32fc6e41a2ce4dbcd5ce1e5f291e2e2efc779d48) + [#17250](https://github.com/npm/npm/pull/17250) + Fix a typo in the shrinkwrap docs. + ([@Zarel](https://github.com/Zarel)) +* [`f19bd3c8c`](https://github.com/npm/npm/commit/f19bd3c8cbd37c8a99487d6b5035282580ac3e9d) + [#17249](https://github.com/npm/npm/pull/17249) + Fix a package-lock.json cross-reference link. + ([@not-an-aardvark](https://github.com/not-an-aardvark)) +* [`153245edc`](https://github.com/npm/npm/commit/153245edc4845db670ada5e95ef384561706a751) + [#17075](https://github.com/npm/npm/pull/17075/files) + Fix a typo in `npm-config` docs. 
+ ([@KennethKinLum](https://github.com/KennethKinLum)) +* [`c9b534a14`](https://github.com/npm/npm/commit/c9b534a148818d1a97787c0dfdba5f64ce3618a6) + [#17074](https://github.com/npm/npm/pull/17074) + Clarify config documention with multiple boolean flags. + ([@KennethKinLum](https://github.com/KennethKinLum)) +* [`e111b0a40`](https://github.com/npm/npm/commit/e111b0a40c4bc6691d7b8d67ddce5419e67bfd27) + [#16768](https://github.com/npm/npm/pull/16768) + Document the `-l` option to `npm config list`. + ([@happylynx](https://github.com/happylynx)) +* [`5a803ebad`](https://github.com/npm/npm/commit/5a803ebadd61229bca3d64fb3ef1981729b2548e) + [#16548](https://github.com/npm/npm/pull/16548) + Fix permissions for documentation files. Some of them had `+x` set. (???) + ([@metux](https://github.com/metux)) +* [`d57d4f48c`](https://github.com/npm/npm/commit/d57d4f48c6cd00fdf1e694eb49e9358071d8e105) + [#17319](https://github.com/npm/npm/pull/17319) + Document that the `--silent` option for `npm run-script` can be used to + suppress `npm ERR!` output on errors. + ([@styfle](https://github.com/styfle)) + +### MISC + +Not all contributions need to be visible features, docs, or bugfixes! It's super +helpful when community members go over our code and help clean it up, too! + +* [`9e5b76140`](https://github.com/npm/npm/commit/9e5b76140ffdb7dcd12aa402793644213fb8c5d7) + [#17411](https://github.com/npm/npm/pull/17411) + Convert all callback-style `move` usage to use Promises. + ([@vramana](https://github.com/vramana)) +* [`0711c08f7`](https://github.com/npm/npm/commit/0711c08f779ac641ec42ecc96f604c8861008b28) + [#17394](https://github.com/npm/npm/pull/17394) + Remove unused argument in `deepSortObject`. + ([@vramana](https://github.com/vramana)) +* [`7d650048c`](https://github.com/npm/npm/commit/7d650048c8ed5faa0486492f1eeb698e7383e32f) + [#17563](https://github.com/npm/npm/pull/17563) + Refactor some code to use `Object.assign`. 
+ ([@vramana](https://github.com/vramana)) +* [`993f673f0`](https://github.com/npm/npm/commit/993f673f056aea5f602ea04b1e697b027c267a2d) + [#17600](https://github.com/npm/npm/pull/17600) + Remove an old comment. + ([@vramana](https://github.com/vramana)) + +## v5.0.4 (2017-06-13): + +Hey y'all. This is another minor patch release with a variety of little fixes +we've been accumulating~ + +* [`f0a37ace9`](https://github.com/npm/npm/commit/f0a37ace9ab7879cab20f2b0fcd7840bfc305feb) + Fix `npm doctor` when hitting registries without `ping`. + ([@zkat](https://github.com/zkat)) +* [`64f0105e8`](https://github.com/npm/npm/commit/64f0105e81352b42b72900d83b437b90afc6d9ce) + Fix invalid format error when setting cache-related headers. + ([@zkat](https://github.com/zkat)) +* [`d2969c80e`](https://github.com/npm/npm/commit/d2969c80e4178faebf0f7c4cab6eb610dd953cc6) + Fix spurious `EINTEGRITY` issue. + ([@zkat](https://github.com/zkat)) +* [`800cb2b4e`](https://github.com/npm/npm/commit/800cb2b4e2d0bd00b5c9082a896f2110e907eb0b) + [#17076](https://github.com/npm/npm/pull/17076) + Use legacy `from` field to improve upgrade experience from legacy shrinkwraps + and installs. + ([@zkat](https://github.com/zkat)) +* [`4100d47ea`](https://github.com/npm/npm/commit/4100d47ea58b4966c02604f71350b5316108df6a) + [#17007](https://github.com/npm/npm/pull/17007) + Restore loose semver parsing to match older npm behavior when running into + invalid semver ranges in dependencies. + ([@zkat](https://github.com/zkat)) +* [`35316cce2`](https://github.com/npm/npm/commit/35316cce2ca2d8eb94161ec7fe7e8f7bec7b3aa7) + [#17005](https://github.com/npm/npm/pull/17005) + Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of + crashing. + ([@zkat](https://github.com/zkat)) +* [`e7e8ee5c5`](https://github.com/npm/npm/commit/e7e8ee5c57c7238655677e118a8809b652019f53) + [#16937](https://github.com/npm/npm/pull/16937) + Workaround for separate bug where `requested` was somehow null. 
+ ([@forivall](https://github.com/forivall)) +* [`2d9629bb2`](https://github.com/npm/npm/commit/2d9629bb2043cff47eaad2654a64d2cef5725356) + Better logging output for git errors. + ([@zkat](https://github.com/zkat)) +* [`2235aea73`](https://github.com/npm/npm/commit/2235aea73569fb9711a06fa6344ef31247177dcd) + More scp-url fixes: parsing only worked correctly when a committish was + present. + ([@zkat](https://github.com/zkat)) +* [`80c33cf5e`](https://github.com/npm/npm/commit/80c33cf5e6ef207450949764de41ea96538c636e) + Standardize package permissions on tarball extraction, instead of using perms + from the tarball. This matches previous npm behavior and fixes a number of + incompatibilities in the wild. + ([@zkat](https://github.com/zkat)) +* [`2b1e40efb`](https://github.com/npm/npm/commit/2b1e40efba0b3d1004259efa4275cf42144e3ce3) + Limit shallow cloning to hosts which are known to support it. + ([@zkat](https://github.com/zkat)) + ## v5.0.3 (2017-06-05) Happy Monday, y'all! We've got another npm release for you with the fruits of diff --git a/deps/npm/Makefile b/deps/npm/Makefile index 7b69df98fe1831..53ab16a29063c2 100644 --- a/deps/npm/Makefile +++ b/deps/npm/Makefile @@ -14,7 +14,8 @@ html_docdeps = html/dochead.html \ cli_mandocs = $(shell find doc/cli -name '*.md' \ |sed 's|.md|.1|g' \ |sed 's|doc/cli/|man/man1/|g' ) \ - man/man1/npm-README.1 + man/man1/npm-README.1 \ + man/man1/npx.1 files_mandocs = $(shell find doc/files -name '*.md' \ |sed 's|.md|.5|g' \ @@ -56,7 +57,7 @@ latest: node bin/npm-cli.js install -g -f npm ${NPMOPTS} install: all - node bin/npm-cli.js install -g -f ${NPMOPTS} + node bin/npm-cli.js install -g -f ${NPMOPTS} $(shell node bin/npm-cli.js pack | tail -1) # backwards compat dev: install 
@@ -96,6 +97,9 @@ man/man1/%.1: doc/cli/%.md scripts/doc-build.sh package.json @[ -d man/man1 ] || mkdir -p man/man1 scripts/doc-build.sh $< $@ +man/man1/npx.1: node_modules/libnpx/libnpx.1 + cat $< | sed s/libnpx/npx/ > $@ + man/man5/npm-json.5: man/man5/package.json.5 cp $< $@ diff --git a/deps/npm/README.md b/deps/npm/README.md index 3a96074afb4f09..ce79f41ec2b13b 100644 --- a/deps/npm/README.md +++ b/deps/npm/README.md @@ -158,8 +158,9 @@ When you find issues, please report them: Be sure to include *all* of the output from the npm command that didn't work as expected. The `npm-debug.log` file is also helpful to provide. -You can also look for isaacs in #node.js on irc://irc.freenode.net. She -will no doubt tell you to put the output in a gist or email. +You can also find npm people in `#npm` on https://package.community/ or +[on Twitter](https://twitter.com/npm_support). Whoever responds will no +doubt tell you to put the output in a gist or email. ## SEE ALSO diff --git a/deps/npm/TODO.org b/deps/npm/TODO.org deleted file mode 100644 index 9ccceba595ff8a..00000000000000 --- a/deps/npm/TODO.org +++ /dev/null 
@@ -1,86 +0,0 @@ -* Finished - * [COMPLETED] npm: remove packageIntegrity - * [COMPLETED] npm: fix lifecycle stuff - * pack: - * pre-: immediately before tarball contents are packed. Need to re-read package.json immediately after - * pack: No pack lifecycle - * post-: immediately after tarball reaches its final destination (not immediately after packaging) - * prepare: `npm install`, immediately before `postinstall`, and immediately before `prepack`, never if `--prod`, after prepublish, before prepublishOnly - * prepublish: alias for `prepare` - * prepublishOnly: ONLY on `npm publish` (never on `npm pack`), runs before prepack (which takes care of re-reading package.json), re-reads package.json immediately after - * [COMPLETED] pacote: fix always-auth bug - * [COMPLETED] pacote: figure out why cache is being written as root - * [COMPLETED] npm: make `npm update` save files as the right type - * [COMPLETED] npm: update docs with npm5 changes - * [COMPLETED] npm: don't write "problems" into package-lock - * [COMPLETED] npm: add `created-with`, `shrinkwrap-version`, and `package-integrity` - * [COMPLETED] npm: warn on incompatible package-lock version - * [COMPLETED] npm: warn if both shrinkwrap and package-lock are there - * [COMPLETED] npm: fix git-prepare - * [COMPLETED] npm: fix auth failure for locked scoped deps - * [COMPLETED] npm: send the user-agent through to pacote - * [COMPLETED] npm: get https://github.com/npm/write-file-atomic/pull/23 merged - * [COMPLETED] npm: get https://github.com/npm/fstream-npm/pull/27 merged - * [COMPLETED] npm: if local deps exist w/o needed metadata, fetch it - * [COMPLETED] Run `prepare` during git tarball packing phase - * [COMPLETED] npm: put npm cache clear behind --force - * [COMPLETED] npm: package-lock.json - * lib/install/read-shrinkwrap.js - * lib/shrinkwrap.js - * lib/install/save.js (?) 
- * lib/utils/tar.js (add autoignore) - * fstream-npm (add autoignore) - * lib/version.js - * [COMPLETED] npm: --save by default - * [COMPLETED] npm: make sure `npm i ` defaults to package.json - * it only happens for command line arguments - * getAllMetadata - * Apparently, I did this way back when and totally forgot. lol. - * [COMPLETED] make-fetch-happen: make sure other options npm used are implemented - * look at the comment at the bottom of pacote.js - * [COMPLETED] make-fetch-happen: support strictSSL option - * [COMPLETED] Write npm@5 speeds presentation for Friday - * [COMPLETED] pacote: support `opts.fullMetadata` for `pkg.manifest` - * [COMPLETED] npm: fix invalid package: null error - * [COMPLETED] make-fetch-happen: case-insensitive http_proxy/proxy/https_proxy - * [COMPLETED] cacache: integrate cacache@8 into npm/pacote/mfh - * [COMPLETED] make-fetch-happen: literally vendor in node-fetch. sigh. - * basically, the whole tarball situation prevents shrinkwrap. sux :< - * note: solved this by forking node-fetch into node-fetch-npm - * [COMPLETED] pacote: http auth and alwaysAuth - * https://github.com/zkat/pacote/issues/77 - * [COMPLETED] make-fetch-happen: NO_PROXY support - * https://github.com/zkat/make-fetch-happen/issues/17 - * [COMPLETED] npm: calculate sri with ssri and add it to dist.integrity - * [COMPLETED] pacote: refactor handler API - * maybe use Protoduck? - * [COMPLETED] npm: nag Ryan about when sha512 is happening - * He says it's delayed 😭 - * I can still start sending integrity in the publish - * [COMPLETED] npm: fix bundle replacement issues (see: npm i nyc warning spam) - * need fromBundle attribute on shrinkwrap and pass it through. the sw.version && sw.integrity-based fake node needs to have this there. 
-* Backlog - * [TODO] make-fetch-happen: integrity failures are being thrown - * [TODO] write-file-atomic: review https://github.com/npm/write-file-atomic/pull/22 - * [TODO] pacote: write tests for git handlers - * https://github.com/zkat/pacote/issues/70 - * [TODO] pacote: offline feature support for git deps - * [TODO] npm: get logging working during the recalculateMetadata spam - * [TODO] pacote: opts.extraHeaders - * https://github.com/zkat/pacote/issues/79 - * [TODO] pacote: ECONNRESET recovery - * https://github.com/zkat/pacote/issues/8 - * [TODO] pacote: skip node_modules extraction for non-bundleDeps - * https://github.com/zkat/pacote/issues/49 - * [TODO] pacote: write tests for file/directory handlers - * [TODO] npm: `npm publish --dry-run` -> https://npm.im/pkgfiles ? - * Rebecca says yea - * [TODO] make-fetch-happen: write tests for agent pooling/proxy - * https://github.com/zkat/make-fetch-happen/issues/16 - * [TODO] make-fetch-happen: retry notification - * https://github.com/zkat/make-fetch-happen/issues/21 - * [TODO] npm: more informative logging when building git deps -* Needed for npm@5 -* Active - * [TODO] npm: figure out https://github.com/npm/npm/issues/16665 - * [TODO] npm: first-run notice about npm5 still having known issues diff --git a/deps/npm/bin/npx b/deps/npm/bin/npx new file mode 100644 index 00000000000000..a49c608bab89ba --- /dev/null +++ b/deps/npm/bin/npx 
@@ -0,0 +1,34 @@ +#!/bin/sh +(set -o igncr) 2>/dev/null && set -o igncr; # cygwin encoding fix + +basedir=`dirname "$0"` + +case `uname` in + *CYGWIN*) basedir=`cygpath -w "$basedir"`;; +esac + +NODE_EXE="$basedir/node.exe" +if ! [ -x "$NODE_EXE" ]; then + NODE_EXE=node +fi + +NPX_CLI_JS="$basedir/node_modules/npm/bin/npx-cli.js" + +case `uname` in + *MINGW*) + NPM_PREFIX=`"$NODE_EXE" "$NPX_CLI_JS" prefix -g` + NPM_PREFIX_NPX_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npx-cli.js" + if [ -f "$NPM_PREFIX_NPX_CLI_JS" ]; then + NPX_CLI_JS="$NPM_PREFIX_NPX_CLI_JS" + fi + ;; + *CYGWIN*) + NPM_PREFIX=`"$NODE_EXE" "$NPX_CLI_JS" prefix -g` + NPM_PREFIX_NPX_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npx-cli.js" + if [ -f "$NPM_PREFIX_NPX_CLI_JS" ]; then + NPX_CLI_JS="$NPM_PREFIX_NPX_CLI_JS" + fi + ;; +esac + +"$NODE_EXE" "$NPX_CLI_JS" "$@" diff --git a/deps/npm/bin/npx-cli.js b/deps/npm/bin/npx-cli.js new file mode 100755 index 00000000000000..f4043650599d77 --- /dev/null +++ b/deps/npm/bin/npx-cli.js @@ -0,0 +1,8 @@ +#!/usr/bin/env node + +const npx = require('libnpx') +const path = require('path') + +const NPM_PATH = path.join(__dirname, 'npm-cli.js') + +npx(npx.parseArgs(process.argv, NPM_PATH)) diff --git a/deps/npm/bin/npx.cmd b/deps/npm/bin/npx.cmd new file mode 100644 index 00000000000000..02fcbd9ffc2325 --- /dev/null +++ b/deps/npm/bin/npx.cmd @@ -0,0 +1,19 @@ +:: Created by npm, please don't edit manually. +@ECHO OFF + +SETLOCAL + +SET "NODE_EXE=%~dp0\node.exe" +IF NOT EXIST "%NODE_EXE%" ( + SET "NODE_EXE=node" +) + +SET "NPX_CLI_JS=%~dp0\node_modules\npm\bin\npx-cli.js" +FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPX_CLI_JS%" prefix -g') DO ( + SET "NPM_PREFIX_NPX_CLI_JS=%%F\node_modules\npm\bin\npx-cli.js" +) +IF EXIST "%NPM_PREFIX_NPX_CLI_JS%" ( + SET "NPX_CLI_JS=%NPM_PREFIX_NPX_CLI_JS%" +) + +"%NODE_EXE%" "%NPX_CLI_JS%" %* diff --git a/deps/npm/doc/cli/npm-config.md b/deps/npm/doc/cli/npm-config.md index 5aecb2c3acbb97..aad9e0dffea90d 100644 
--- a/deps/npm/doc/cli/npm-config.md +++ b/deps/npm/doc/cli/npm-config.md @@ -6,7 +6,7 @@ npm-config(1) -- Manage the npm configuration files npm config set [-g|--global] npm config get npm config delete - npm config list + npm config list [-l] npm config edit npm get npm set [-g|--global] @@ -48,7 +48,7 @@ Echo the config value to stdout. npm config list -Show all the config settings. +Show all the config settings. Use `-l` to also show defaults. ### delete diff --git a/deps/npm/doc/cli/npm-install.md b/deps/npm/doc/cli/npm-install.md index 44cb68792bfff7..74e5e04bca4fd6 100644 --- a/deps/npm/doc/cli/npm-install.md +++ b/deps/npm/doc/cli/npm-install.md @@ -343,6 +343,9 @@ being installed. The `--no-shrinkwrap` argument, which will ignore an available package lock or shrinkwrap file and use the package.json instead. +The `--no-package-lock` argument will prevent npm from creating a +`package-lock.json` file. + The `--nodedir=/path/to/node/source` argument will allow npm to find the node source code so that npm can compile native modules. diff --git a/deps/npm/doc/cli/npm-run-script.md b/deps/npm/doc/cli/npm-run-script.md index f1389c21c623fd..b79d58fb01952c 100644 --- a/deps/npm/doc/cli/npm-run-script.md +++ b/deps/npm/doc/cli/npm-run-script.md @@ -3,7 +3,7 @@ npm-run-script(1) -- Run arbitrary package scripts ## SYNOPSIS - npm run-script [-- ...] + npm run-script [--silent] [-- ...] alias: npm run @@ -50,6 +50,8 @@ not found in the `PATH`. If you try to run a script without having a `node_modules` directory and it fails, you will be given a warning to run `npm install`, just in case you've forgotten. +You can use the `--silent` flag to prevent showing `npm ERR!` output on error. + ## SEE ALSO * npm-scripts(7) diff --git a/deps/npm/doc/files/npm-folders.md b/deps/npm/doc/files/npm-folders.md index 62ecebc27a3166..74c78834435f92 100644 --- a/deps/npm/doc/files/npm-folders.md +++ b/deps/npm/doc/files/npm-folders.md 
@@ -20,10 +20,9 @@ This document will tell you what it puts where. ### prefix Configuration The `prefix` config defaults to the location where node is installed. -On most systems, this is `/usr/local`. On windows, this is the exact -location of the node.exe binary. On Unix systems, it's one level up, -since node is typically installed at `{prefix}/bin/node` rather than -`{prefix}/node.exe`. +On most systems, this is `/usr/local`. On Windows, it's `%AppData%\npm`. +On Unix systems, it's one level up, since node is typically installed at +`{prefix}/bin/node` rather than `{prefix}/node.exe`. When the `global` flag is set, npm installs things into this prefix. When it is not set, it uses the root of the current package, or the diff --git a/deps/npm/doc/files/npm-shrinkwrap.json.md b/deps/npm/doc/files/npm-shrinkwrap.json.md index 8256398e86b1a8..541a1f5a6d7656 100644 --- a/deps/npm/doc/files/npm-shrinkwrap.json.md +++ b/deps/npm/doc/files/npm-shrinkwrap.json.md @@ -5,7 +5,7 @@ npm-shrinkwrap.json(5) -- A publishable lockfile `npm-shrinkwrap.json` is a file created by npm-shrinkwrap(1). It is identical to `package-lock.json`, with one major caveat: Unlike `package-lock.json`, -`npm-shrinwkrap.json` may be included when publishing a package. +`npm-shrinkwrap.json` may be included when publishing a package. The recommended use-case for `npm-shrinkwrap.json` is applications deployed through the publishing process on the registry: for example, daemons and 
@@ -13,7 +13,7 @@ command-line tools intended as global installs or `devDependencies`. It's strongly discouraged for library authors to publish this file, since that would prevent end users from having control over transitive dependency updates. -Additionally, if both `package-lock.json` and `npm-shrinwkrap.json` are present +Additionally, if both `package-lock.json` and `npm-shrinkwrap.json` are present in a package root, `package-lock.json` will be ignored in favor of this file. For full details and description of the `npm-shrinkwrap.json` file format, refer diff --git a/deps/npm/doc/files/package-lock.json.md b/deps/npm/doc/files/package-lock.json.md index f6dde3649237b0..4c134fc229ecb1 100644 --- a/deps/npm/doc/files/package-lock.json.md +++ b/deps/npm/doc/files/package-lock.json.md @@ -127,6 +127,6 @@ The dependencies of this dependency, exactly as at the top level. ## SEE ALSO * npm-shrinkwrap(1) -* package-lock.json(5) +* npm-shrinkwrap.json(5) * package.json(5) * npm-install(1) diff --git a/deps/npm/doc/files/package.json.md b/deps/npm/doc/files/package.json.md index 1a06ff794b6784..c5bc46cdc8c128 100644 --- a/deps/npm/doc/files/package.json.md +++ b/deps/npm/doc/files/package.json.md @@ -700,12 +700,11 @@ The host architecture is determined by `process.arch` ## preferGlobal -If your package is primarily a command-line application that should be -installed globally, then set this value to `true` to provide a warning -if it is installed locally. +**DEPRECATED** -It doesn't actually prevent users from installing it locally, but it -does help prevent some confusion if it doesn't work as expected. +This option used to trigger an npm warning, but it will no longer warn. It is +purely there for informational purposes. It is now recommended that you install +any binaries as local devDependencies wherever possible. ## private diff --git a/deps/npm/doc/misc/npm-config.md b/deps/npm/doc/misc/npm-config.md index 6fee98a90c7f9a..dd0993d6bb7958 100644 
--- a/deps/npm/doc/misc/npm-config.md +++ b/deps/npm/doc/misc/npm-config.md @@ -9,8 +9,14 @@ npm gets its configuration values from the following sources, sorted by priority Putting `--foo bar` on the command line sets the `foo` configuration parameter to `"bar"`. A `--` argument tells the cli parser to stop -reading flags. A `--flag` parameter that is at the *end* of the -command will be given the value of `true`. +reading flags. Using `--flag` without specifying any value will set +the value to `true`. + +Example: `--flag1 --flag2` will set both configuration parameters +to `true`, while `--flag1 --flag2 bar` will set `flag1` to `true`, +and `flag2` to `bar`. Finally, `--flag1 --flag2 -- bar` will set +both configuration parameters to `true`, and the `bar` is taken +as a command argument. ### Environment Variables @@ -21,7 +27,7 @@ configuration parameter to `bar`. Any environment configurations that are not given a value will be given the value of `true`. Config values are case-insensitive, so `NPM_CONFIG_FOO=bar` will work the same. However, please note that inside [npm-scripts](/misc/scripts) -npm will set it's own environment variables and Node will prefer +npm will set its own environment variables and Node will prefer those lowercase versions over any uppercase ones that you might set. For details see [this issue](https://github.com/npm/npm/issues/14528). 
@@ -31,9 +37,9 @@ The four relevant files are: * per-project configuration file (`/path/to/my/project/.npmrc`) * per-user configuration file (defaults to `$HOME/.npmrc`; configurable via CLI - option `--userconfig` or environment variable `$NPM_CONF_USERCONFIG`) + option `--userconfig` or environment variable `$NPM_CONFIG_USERCONFIG`) * global configuration file (defaults to `$PREFIX/etc/npmrc`; configurable via - CLI option `--globalconfig` or environment variable `$NPM_CONF_GLOBALCONFIG`) + CLI option `--globalconfig` or environment variable `$NPM_CONFIG_GLOBALCONFIG`) * npm's built-in configuration file (`/path/to/npm/npmrc`) See npmrc(5) for more details. @@ -883,6 +889,13 @@ in to a private registry for the first time: will cause `@organization` to be mapped to the registry for future installation of packages specified according to the pattern `@organization/package`. +### script-shell + +* Default: `null` +* Type: path + +The shell to use for scripts run with the `npm run` command. + ### scripts-prepend-node-path * Default: "warn-only" diff --git a/deps/npm/doc/misc/npm-scripts.md b/deps/npm/doc/misc/npm-scripts.md index 0e9c3bc6e76816..9cdf588397c3ed 100644 --- a/deps/npm/doc/misc/npm-scripts.md +++ b/deps/npm/doc/misc/npm-scripts.md @@ -70,11 +70,6 @@ allow users to avoid the confusing behavior of existing npm versions and only run on `npm publish` (for instance, running the tests one last time to ensure they're in good shape). -**IMPORTANT:** As of `npm@5`, `prepublish` will _only_ be run for `npm -publish`. This will make its behavior identical to `prepublishOnly`, so -`npm@6` or later may drop support for the use of `prepublishOnly`, and then -maybe we can all forget this embarrassing thing ever happened. - See for a much lengthier justification, with further reading, for this change. diff --git a/deps/npm/doc/spec/package-lock.md b/deps/npm/doc/spec/package-lock.md new file mode 100644 index 00000000000000..e7a714113946d4 --- /dev/null 
+++ b/deps/npm/doc/spec/package-lock.md 
@@ -0,0 +1,276 @@ +# package-lock and npm-shrinkwrap + +`npm` can have one of two different lock files: + +* `package-lock.json`, which is ordinarily always present and is never published. +* `npm-shrinkwrap.json`, which is created with `npm shrinkwrap` and usually published. + +You can only have one of them and in the event that you have both, +`npm-shrinkwrap.json` takes precedence. The files are exactly the same +format and in fact all the `npm shrinkwrap` command does is rename your +`package-lock.json`. + +Through the rest of this document we will refer to the package-lock and +`package-lock.json` but everything also applies to `npm-shrinkwrap.json`. + +## File Format + +### name + +The name of the package this is a package-lock for. This must match what's in `package.json`. + +### version + +The version of the package this is a package-lock for. This must match what's in `package.json`. + +### lockfileVersion *(new)* + +An integer version, starting at `1` with the version number of this document +whose semantics were used when generating this `package-lock.json`. + +### preserveSymlinks *(new)* + +Indicates that the install was done with the environment variable +`NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of this +property match that environment variable. + +### dependencies + +These are the modules installed in the `node_modules`. Some of these are +dependencies some of these are transitive dependencies (that is, +dependencies of our dependencies). + +This is a mapping of package name to dependency object. Dependency objects have the +following properties: + +#### version *(changed)* + +This is a specifier that uniquely identifies this package and should be +usable in fetching a new copy of it. + +* bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes. +* registry sources: This is a version number. 
(eg, `1.2.3`) +* git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`) +* http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`) +* local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`) +* local link sources: This is the file URL of the link. (eg `file:libs/our-module`) + +#### integrity *(new)* + +This is a [Standard Subresource +Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for +this resource. + +* For bundled dependencies this is not included, regardless of source. +* For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`. +* For git sources this is the specific commit hash we cloned from. +* For remote tarball sources this is an integrity based on a SHA512 of + the file. +* For local tarball sources: This is an integrity field based on the SHA512 of the file. + +#### resolved + +* For bundled dependencies this is not included, regardless of source. +* For registry sources this is path of the tarball relative to the registry + URL. If the tarball URL isn't on the same server as the registry URL then + this is a complete URL. + +#### link *(new)* + +If this module was symlinked in development but had semver in the +`package.json` then this is the relative path of that link. + +Discussion of the semantics of this will go in the symlinks RFC. + +Implementation note: To be implemented post npm@5. + +#### bundled *(new)* + +If true, this is the bundled dependency and will be installed by the parent +module. When installing, this module will be extracted from the parent +module during the extract phase, not installed as a separate dependency. + +#### dev + +If true then this dependency is either a development dependency ONLY of the +top level module or a transitive dependency of one. 
This is false for +dependencies that are both a development dependency of the top level and a +transitive dependency of a non-development dependency of the top level. + +#### optional + +If true then this dependency is either an optional dependency ONLY of the +top level module or a transitive dependency of one. This is false for +dependencies that are both an optional dependency of the top level and a +transitive dependency of a non-optional dependency of the top level. + +All optional dependencies should be included even if they're uninstallable +on the current platform. + +#### from *(deprecated)* + +This is a record of what specifier was used to originally install this +package. This should not be included in new `package-lock.json` files. + +#### requires + +This is a mapping of module name to version. This is a list of everything +this module requires, regardless of where it will be installed. The version +should match via normal matching rules a dependency either in our +`dependencies` or in a level higher than us. + +#### dependencies + +Exactly like `dependencies` at the top level, this is a list of modules to +install in the `node_modules` of this module. + +## Generating + +### `npm init` + +If neither a `package-lock.json` nor an `npm-shrinkwrap.json` exist then +`npm init` will create a `package-lock.json`. This is functionally +equivalent to running `npm shrinkwrap` after the current init completes and +renaming the result to `package-lock.json`. + +### `npm install --save` + +If either an `npm-shrinkwrap.json` or a `package-lock.json` exists then it +will be updated. + +If neither exist then a `package-lock.json` should be generated. + +If a `package.json` does not exist, it should be generated. The generated +`package.json` should be empty, as in: + +``` +{ + "dependencies": { + } +} +``` + +If the user wants to get a default package name/version added they can run `npm init`. 
+ +### `npm shrinkwrap` + +If a `package-lock.json` exists, rename it to `npm-shrinkwrap.json`. +Refresh the data from the installer's ideal tree. + +The top level `name` and `version` come from the `package.json`. It is an +error if either are missing or invalid. + +#### dependencies.dev + +This is `true` if this dependency is ONLY installed to fulfill either a top +level development dependency, or one of its transitive dependencies. + +Given: +``` +B (Dev) → C +``` + +Then both B and C would be `dev: true`. + +Given: +``` +A → B → C +B (Dev) -> C +``` + +Then all dependencies would be `dev: false`. + +#### dependencies.optional + +This is `true` if this dependency is ONLY ever either an optional dependency +or a transitive dependency of optional dependencies. + +Given: +``` +A (Opt) → B → C +``` + +Then all three of A, B and C would be flagged as optional. + +Given: +``` +A (Opt) → B → C +D → C +``` + +Then A and B would be flagged as optional, but C would not be. + +Given: +``` +A (Opt) → B → C +D → A +``` + +Then none would be flagged as optional. + +## Installing + +If the `packageIntegrity` in the `package-lock.json` differs from the one +computed from the `package.json` then places where the `package.json` is +incompatible with the `package-lock.json` a new module should be installed. +That is, while the `package-lock.json` ordinarily defines the state of your +project, if your `package.json` is edited independently it will take +precedence. + +The `package-lock.json` describes the exact tree that `npm` should create. +Any deviation between the `package.json` and the shrinkwrap/lock should +result in a warning be issued. This includes: + +* Modules in `package.json` but missing from the `package-lock.json` +* Modules in the `package-lock.json` but missing from the `package.json`. +* Modules in `package.json` whose specifiers don't match the version in `package-lock.json`. 
+ +Warn if the `lockfileVersion` in the `package-lock.json` is for a different +major version than we implement. + +Module resolution from package-lock data works as such: + +* If install was run with `--resolve-links` and a dependency has a `link` + property then a symlink is made using that. If the version of the + destination can not be matched to the package-lock and/or the package.json + then a warning will be issued. + +* Otherwise, if a `integrity` is available then we try to install it from the cache using it. + +If `integrity` is unavailable or we are unable to locate a module from the `integrity` then: + +* If `lockfileVersion` is set: + * Install using the value of `version` and validate the result against the + `integrity`. +* Otherwise, try these in turn and validate the result against the `integrity`: + * `resolved`, then `from`, then `version. + * `from` can be either `package@specifier` or just `specifier`. + +Regardless of how the module is installed the metadata in the installed +module should be identical to what it would have been if the module were +installed w/o a package-lock. + +## Implied Changes To Other Commands + +### `npm rm --save` + +Currently if you ask to remove a package that's both a direct and a +transitive dependency, we'll remove the package from `node_modules` even if +this results in a broken tree. This was chosen at the time because we felt +that users would expect `npm rm pkgname` to be equivalent of +`rm -rf node_modules/pkgname`. + +As you are no longer going to be allowed to put your `node_modules` in a +state that's not a valid package-lock, this means this behavior is no longer +valid. Instead we should follow normal rules, removing it from the +dependencies for the top level but only removing the module on disk if +nothing requires it any more. + +## Additional fields / Adding new fields + +Installers should ignore any field they aren't aware of. 
It's not an error +to have additional properities in the package-lock or lock file. + +Installers that want to add new fields should either have one added via RFC +in the npm issue tracker and an accompanying documentation PR, or should prefix +it with the name of their project. diff --git a/deps/npm/html/doc/README.html b/deps/npm/html/doc/README.html index 6668429083910b..00c74ed8cf010d 100644 --- a/deps/npm/html/doc/README.html +++ b/deps/npm/html/doc/README.html @@ -106,8 +106,9 @@

BUGS

Be sure to include all of the output from the npm command that didn't work as expected. The npm-debug.log file is also helpful to provide.

-

You can also look for isaacs in #node.js on irc://irc.freenode.net. She -will no doubt tell you to put the output in a gist or email.

+

You can also find npm people in #npm on https://package.community/ or +on Twitter. Whoever responds will no +doubt tell you to put the output in a gist or email.

SEE ALSO
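Review bot: In deps/npm/bin/npx, the `*MINGW*` and `*CYGWIN*` branches compute NPM_PREFIX with `"$NODE_EXE" "$NPX_CLI_JS" prefix -g`, but NPX_CLI_JS is npx-cli.js, which hands its argv to `npx.parseArgs` in libnpx, so `prefix -g` arrives as npx arguments and not as npm's `prefix` command. The captured output then decides which npx-cli.js is executed, so the lookup should go through npm-cli.js, the file npx-cli.js itself names as NPM_PATH. The `FOR /F` line in deps/npm/bin/npx.cmd makes the same call and needs the same change. Separately, the two case branches in the shell shim are identical and could be a single `*MINGW*|*CYGWIN*)` pattern.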
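Review bot: In deps/npm/doc/spec/package-lock.md, the "Installing" section keys its behaviour on `packageIntegrity`, a field the "File Format" section never defines, so a reader cannot tell what is being compared; either document the field there or drop the paragraph. The same section enters a branch "If `integrity` is unavailable" and then says to validate the result against the `integrity`, which needs to state what happens when there is nothing to validate against. Smaller fixes in this file: the backtick opened before `version.` in the "`resolved`, then `from`" bullet is never closed, `--resolve-links` is used without being described, and "properities" in the last section should be "properties".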
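Review bot: In the deps/npm/doc/files/npm-folders.md hunk, the new sentence gives the Windows prefix as `%AppData%\npm`, but the unchanged opening sentence still says `prefix` defaults to the location where node is installed, and the Unix sentence still ends with "rather than `{prefix}/node.exe`", a contrast that only made sense against the removed node.exe wording. Suggest rewording the whole paragraph so the default is stated once per platform and the leftover `{prefix}/node.exe` comparison is dropped.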
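Review bot: The new `script-shell` entry in deps/npm/doc/misc/npm-config.md lists a default of `null` without saying which shell `npm run` uses in that case. Since this setting selects the program that executes every package script, the entry should state the fallback and make clear that the value is a path to an executable.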
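Review bot: In the deps/npm/doc/cli/npm-install.md hunk, the added `--no-package-lock` paragraph only says it prevents npm from creating a `package-lock.json`, and does not say whether an existing lock file is still read. The paragraph just above it documents `--no-shrinkwrap` as ignoring an available package lock, so the two flags need a sentence that distinguishes them; otherwise a reader cannot tell which one leaves the install pinned to the locked versions.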