deps: upgrade npm to 8.4.1

PR-URL: #41836
Reviewed-By: Ruy Adorno <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mestery <[email protected]>

deps/npm/docs/content/configuring-npm/package-json.md

@@ -838,6 +838,10 @@ include any versions, as that information is specified in `dependencies`.
 
 If this is spelled `"bundleDependencies"`, then that is also honored.
 
+Alternatively, `"bundledDependencies"` can be defined as a boolean value. A
+value of `true` will bundle all dependencies, a value of `false` will bundle
+none.
+
 ### optionalDependencies
 
 If a dependency can be used, but you would like npm to proceed if it cannot

deps/npm/docs/content/using-npm/config.md

@@ -1190,6 +1190,8 @@ When package package-locks are disabled, automatic pruning of extraneous
 modules will also be disabled. To remove extraneous modules with
 package-locks disabled use `npm prune`.
 
+This configuration does not affect `npm ci`.
+
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
 

deps/npm/docs/output/commands/npm-ls.html

@@ -160,7 +160,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.3.2 /path/to/npm
+<pre lang="bash"><code>npm@8.4.1 /path/to/npm
 └─┬ [email protected]
   └── [email protected]
 </code></pre>

deps/npm/docs/output/commands/npm.html

@@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <pre lang="bash"><code>npm &lt;command&gt; [args]
 </code></pre>
 <h3 id="version">Version</h3>
-<p>8.3.2</p>
+<p>8.4.1</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/package-json.html

@@ -774,6 +774,9 @@ <h3 id="bundleddependencies">bundledDependencies</h3>
 can be installed in a new project by executing <code>npm install awesome-web-framework-1.0.0.tgz</code>.  Note that the package names do not
 include any versions, as that information is specified in <code>dependencies</code>.</p>
 <p>If this is spelled <code>"bundleDependencies"</code>, then that is also honored.</p>
+<p>Alternatively, <code>"bundledDependencies"</code> can be defined as a boolean value. A
+value of <code>true</code> will bundle all dependencies, a value of <code>false</code> will bundle
+none.</p>
 <h3 id="optionaldependencies">optionalDependencies</h3>
 <p>If a dependency can be used, but you would like npm to proceed if it cannot
 be found or fails to install, then you may put it in the

deps/npm/docs/output/using-npm/config.html

@@ -1100,6 +1100,7 @@ <h4 id="package-lock"><code>package-lock</code></h4>
 <p>When package package-locks are disabled, automatic pruning of extraneous
 modules will also be disabled. To remove extraneous modules with
 package-locks disabled use <code>npm prune</code>.</p>
+<p>This configuration does not affect <code>npm ci</code>.</p>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h4 id="package-lock-only"><code>package-lock-only</code></h4>

deps/npm/lib/commands/access.js

@@ -3,6 +3,7 @@ const path = require('path')
 const libaccess = require('libnpmaccess')
 const readPackageJson = require('read-package-json-fast')
 
+const log = require('../utils/log-shim.js')
 const otplease = require('../utils/otplease.js')
 const getIdentity = require('../utils/get-identity.js')
 const BaseCommand = require('../base-command.js')
@@ -76,7 +77,10 @@ class Access extends BaseCommand {
       throw this.usageError(`${cmd} is not a recognized subcommand.`)
     }
 
-    return this[cmd](args, this.npm.flatOptions)
+    return this[cmd](args, {
+      ...this.npm.flatOptions,
+      log,
+    })
   }
 
   public ([pkg], opts) {

deps/npm/lib/commands/ci.js

@@ -6,6 +6,7 @@ const runScript = require('@npmcli/run-script')
 const fs = require('fs')
 const readdir = util.promisify(fs.readdir)
 const log = require('../utils/log-shim.js')
+const validateLockfile = require('../utils/validate-lockfile.js')
 
 const removeNodeModules = async where => {
   const rimrafOpts = { glob: false }
@@ -37,6 +38,7 @@ class CI extends ArboristWorkspaceCmd {
     const where = this.npm.prefix
     const opts = {
       ...this.npm.flatOptions,
+      packageLock: true, // npm ci should never skip lock files
       path: where,
       log,
       save: false, // npm ci should never modify the lockfile or package.json
@@ -55,6 +57,28 @@ class CI extends ArboristWorkspaceCmd {
       }),
       removeNodeModules(where),
     ])
+
+    // retrieves inventory of packages from loaded virtual tree (lock file)
+    const virtualInventory = new Map(arb.virtualTree.inventory)
+
+    // build ideal tree step needs to come right after retrieving the virtual
+    // inventory since it's going to erase the previous ref to virtualTree
+    await arb.buildIdealTree()
+
+    // verifies that the packages from the ideal tree will match
+    // the same versions that are present in the virtual tree (lock file)
+    // throws a validation error in case of mismatches
+    const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
+    if (errors.length) {
+      throw new Error(
+        '`npm ci` can only install packages when your package.json and ' +
+        'package-lock.json or npm-shrinkwrap.json are in sync. Please ' +
+        'update your lock file with `npm install` ' +
+        'before continuing.\n\n' +
+        errors.join('\n') + '\n'
+      )
+    }
+
     await arb.reify(opts)
 
     const ignoreScripts = this.npm.config.get('ignore-scripts')

deps/npm/lib/commands/deprecate.js

@@ -1,4 +1,5 @@
 const fetch = require('npm-registry-fetch')
+const log = require('../utils/log-shim.js')
 const otplease = require('../utils/otplease.js')
 const npa = require('npm-package-arg')
 const semver = require('semver')
@@ -50,6 +51,7 @@ class Deprecate extends BaseCommand {
       ...this.npm.flatOptions,
       spec: p,
       query: { write: true },
+      log,
     })
 
     Object.keys(packument.versions)
@@ -64,6 +66,7 @@ class Deprecate extends BaseCommand {
       method: 'PUT',
       body: packument,
       ignoreBody: true,
+      log,
     }))
   }
 }

deps/npm/lib/commands/diff.js

@@ -61,6 +61,7 @@ class Diff extends BaseCommand {
       ...this.npm.flatOptions,
       diffFiles: args,
       where: this.top,
+      log,
     })
     return this.npm.output(res)
   }
@@ -193,6 +194,7 @@ class Diff extends BaseCommand {
         const packument = await pacote.packument(spec, {
           ...this.npm.flatOptions,
           preferOnline: true,
+          log,
         })
         bSpec = pickManifest(
           packument,

deps/npm/lib/commands/dist-tag.js

@@ -29,7 +29,10 @@ class DistTag extends BaseCommand {
   }
 
   async exec ([cmdName, pkg, tag]) {
-    const opts = this.npm.flatOptions
+    const opts = {
+      ...this.npm.flatOptions,
+      log,
+    }
 
     if (['add', 'a', 'set', 's'].includes(cmdName)) {
       return this.add(pkg, tag, opts)

deps/npm/lib/commands/hook.js

@@ -2,6 +2,7 @@ const hookApi = require('libnpmhook')
 const otplease = require('../utils/otplease.js')
 const relativeDate = require('tiny-relative-date')
 const Table = require('cli-table3')
+const log = require('../utils/log-shim.js')
 
 const BaseCommand = require('../base-command.js')
 class Hook extends BaseCommand {
@@ -20,7 +21,10 @@ class Hook extends BaseCommand {
   ]
 
   async exec (args) {
-    return otplease(this.npm.flatOptions, (opts) => {
+    return otplease({
+      ...this.npm.flatOptions,
+      log,
+    }, (opts) => {
       switch (args[0]) {
         case 'add':
           return this.add(args[1], args[2], args[3], opts)

deps/npm/lib/commands/logout.js

@@ -1,4 +1,4 @@
-const getAuth = require('npm-registry-fetch/auth.js')
+const getAuth = require('npm-registry-fetch/lib/auth.js')
 const npmFetch = require('npm-registry-fetch')
 const log = require('../utils/log-shim')
 const BaseCommand = require('../base-command.js')
@@ -25,6 +25,7 @@ class Logout extends BaseCommand {
         ...this.npm.flatOptions,
         method: 'DELETE',
         ignoreBody: true,
+        log,
       })
     } else if (auth.isBasicAuth) {
       log.verbose('logout', `clearing user credentials for ${reg}`)

deps/npm/lib/commands/outdated.js

@@ -193,7 +193,12 @@ class Outdated extends ArboristWorkspaceCmd {
   }
 
   async getOutdatedInfo (edge) {
-    const spec = npa(edge.name)
+    let alias = false
+    try {
+      alias = npa(edge.spec).subSpec
+    } catch (err) {
+    }
+    const spec = npa(alias ? alias.name : edge.name)
     const node = edge.to || edge
     const { path, location } = node
     const { version: current } = node.package || {}
@@ -217,7 +222,7 @@ class Outdated extends ArboristWorkspaceCmd {
 
     try {
       const packument = await this.getPackument(spec)
-      const expected = edge.spec
+      const expected = alias ? alias.fetchSpec : edge.spec
       // if it's not a range, version, or tag, skip it
       try {
         if (!npa(`${edge.name}@${edge.spec}`).registry) {
@@ -239,7 +244,7 @@ class Outdated extends ArboristWorkspaceCmd {
           : 'global'
 
         this.list.push({
-          name: edge.name,
+          name: alias ? edge.spec.replace('npm', edge.name) : edge.name,
           path,
           type,
           current,

deps/npm/lib/commands/owner.js

@@ -57,7 +57,10 @@ class Owner extends BaseCommand {
   }
 
   async exec ([action, ...args]) {
-    const opts = this.npm.flatOptions
+    const opts = {
+      ...this.npm.flatOptions,
+      log,
+    }
     switch (action) {
       case 'ls':
       case 'list':
@@ -195,6 +198,7 @@ class Owner extends BaseCommand {
         method: 'PUT',
         body,
         spec,
+        log,
       })
     })
 

deps/npm/lib/commands/ping.js

@@ -10,7 +10,7 @@ class Ping extends BaseCommand {
   async exec (args) {
     log.notice('PING', this.npm.config.get('registry'))
     const start = Date.now()
-    const details = await pingUtil(this.npm.flatOptions)
+    const details = await pingUtil({ ...this.npm.flatOptions, log })
     const time = Date.now() - start
     log.notice('PONG', `${time}ms`)
     if (this.npm.config.get('json')) {

deps/npm/lib/commands/profile.js

@@ -108,7 +108,7 @@ class Profile extends BaseCommand {
   async get (args) {
     const tfa = 'two-factor auth'
     const info = await pulseTillDone.withPromise(
-      npmProfile.get(this.npm.flatOptions)
+      npmProfile.get({ ...this.npm.flatOptions, log })
     )
 
     if (!info.cidr_whitelist) {
@@ -170,7 +170,7 @@ class Profile extends BaseCommand {
   }
 
   async set (args) {
-    const conf = this.npm.flatOptions
+    const conf = { ...this.npm.flatOptions, log }
     const prop = (args[0] || '').toLowerCase().trim()
 
     let value = args.length > 1 ? args.slice(1).join(' ') : null
@@ -285,7 +285,7 @@ class Profile extends BaseCommand {
     if (auth.basic) {
       log.info('profile', 'Updating authentication to bearer token')
       const result = await npmProfile.createToken(
-        auth.basic.password, false, [], this.npm.flatOptions
+        auth.basic.password, false, [], { ...this.npm.flatOptions, log }
       )
 
       if (!result.token) {
@@ -309,7 +309,7 @@ class Profile extends BaseCommand {
 
     log.info('profile', 'Determine if tfa is pending')
     const userInfo = await pulseTillDone.withPromise(
-      npmProfile.get(this.npm.flatOptions)
+      npmProfile.get({ ...this.npm.flatOptions, log })
     )
 
     const conf = { ...this.npm.flatOptions }

deps/npm/lib/commands/publish.js

@@ -61,7 +61,7 @@ class Publish extends BaseCommand {
       throw new Error('Tag name must not be a valid SemVer range: ' + defaultTag.trim())
     }
 
-    const opts = { ...this.npm.flatOptions }
+    const opts = { ...this.npm.flatOptions, log }
 
     // you can publish name@version, ./foo.tgz, etc.
     // even though the default is the 'file:.' cwd.

deps/npm/lib/commands/star.js

@@ -29,12 +29,13 @@ class Star extends BaseCommand {
     const pkgs = args.map(npa)
     for (const pkg of pkgs) {
       const [username, fullData] = await Promise.all([
-        getIdentity(this.npm, this.npm.flatOptions),
+        getIdentity(this.npm, { ...this.npm.flatOptions, log }),
         fetch.json(pkg.escapedName, {
           ...this.npm.flatOptions,
           spec: pkg,
           query: { write: true },
           preferOnline: true,
+          log,
         }),
       ])
 
@@ -63,6 +64,7 @@ class Star extends BaseCommand {
         spec: pkg,
         method: 'PUT',
         body,
+        log,
       })
 
       this.npm.output(show + ' ' + pkg.name)

deps/npm/lib/commands/team.js

@@ -1,6 +1,7 @@
 const columns = require('cli-columns')
 const libteam = require('libnpmteam')
 
+const log = require('../utils/log-shim.js')
 const otplease = require('../utils/otplease.js')
 
 const BaseCommand = require('../base-command.js')
@@ -42,7 +43,7 @@ class Team extends BaseCommand {
     // XXX: "description" option to libnpmteam is used as a description of the
     // team, but in npm's options, this is a boolean meaning "show the
     // description in npm search output".  Hence its being set to null here.
-    await otplease(this.npm.flatOptions, opts => {
+    await otplease({ ...this.npm.flatOptions, log }, opts => {
       entity = entity.replace(/^@/, '')
       switch (cmd) {
         case 'create': return this.create(entity, opts)

deps/npm/lib/commands/token.js

@@ -168,7 +168,7 @@ class Token extends BaseCommand {
   }
 
   config () {
-    const conf = { ...this.npm.flatOptions }
+    const conf = { ...this.npm.flatOptions, log }
     const creds = this.npm.config.getCredentialsByURI(conf.registry)
     if (creds.token) {
       conf.auth = { token: creds.token }

deps/npm/lib/commands/unpublish.js

@@ -32,7 +32,7 @@ class Unpublish extends BaseCommand {
       return []
     }
 
-    const opts = this.npm.flatOptions
+    const opts = { ...this.npm.flatOptions, log }
     const username = await getIdentity(this.npm, { ...opts }).catch(() => null)
     if (!username) {
       return []

deps/npm/lib/commands/whoami.js

@@ -1,4 +1,5 @@
 const getIdentity = require('../utils/get-identity.js')
+const log = require('../utils/log-shim.js')
 
 const BaseCommand = require('../base-command.js')
 class Whoami extends BaseCommand {
@@ -7,7 +8,7 @@ class Whoami extends BaseCommand {
   static params = ['registry']
 
   async exec (args) {
-    const username = await getIdentity(this.npm, this.npm.flatOptions)
+    const username = await getIdentity(this.npm, { ...this.npm.flatOptions, log })
     this.npm.output(
       this.npm.config.get('json') ? JSON.stringify(username) : username
     )

deps/npm/lib/utils/config/definitions.js

@@ -1417,6 +1417,8 @@ define('package-lock', {
     When package package-locks are disabled, automatic pruning of extraneous
     modules will also be disabled.  To remove extraneous modules with
     package-locks disabled use \`npm prune\`.
+
+    This configuration does not affect \`npm ci\`.
   `,
   flatten: (key, obj, flatOptions) => {
     flatten(key, obj, flatOptions)