diff --git a/deps/npm/.licensee.json b/deps/npm/.licensee.json
index ad7c8123673..5b815d601ee 100644
--- a/deps/npm/.licensee.json
+++ b/deps/npm/.licensee.json
@@ -1,7 +1,12 @@
 {
- "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR Apache-2.0 OR ISC OR Unlicense OR CC-BY-3.0 OR CC0-1.0 OR Artistic-2.0)",
+ "licenses": {
+ "spdx": [
+ "CC-BY-3.0"
+ ],
+ "blueOak": "bronze"
+ },
 "corrections": true,
- "whitelist": {
+ "packages": {
 "config-chain": "1.1.12",
 "cyclist": "0.2.2",
 "json-schema": "0.2.3",
diff --git a/deps/npm/.travis.yml b/deps/npm/.travis.yml
index 72b0f9a52db..07bae65e664 100644
--- a/deps/npm/.travis.yml
+++ b/deps/npm/.travis.yml
@@ -7,7 +7,7 @@ language: node_js
 matrix:
 include:
 # LTS is our most important target
- - node_js: "10"
+ - node_js: "12"
 # DEPLOY_VERSION is used to set the couchapp setup mode for test/tap/registry.js
 # only gather coverage info for LTS
 env: DEPLOY_VERSION=testing COVERALLS_REPO_TOKEN="$COVERALLS_OPTIONAL_TOKEN"
@@ -15,18 +15,16 @@ matrix:
 - "node . run tap-cover -- \"test/tap/*.js\""
 - "unset COVERALLS_REPO_TOKEN ; node . run tap -- \"test/broken-under-*/*.js\""
 # previous LTS is next most important
- - node_js: "6"
- env: DEPLOY_VERSION=testing
- - node_js: "8"
- env: DEPLOY_VERSION=testing
- - node_js: "9"
- env: DEPLOY_VERSION=testing
- - node_js: "11"
+ - node_js: "10"
 env: DEPLOY_VERSION=testing
 script:
 - "npx standard"
 - "node . run licenses"
 - "node . run tap -- \"test/tap/*.js\" \"test/broken-under-nyc/*.js\""
+ - node_js: "8"
+ env: DEPLOY_VERSION=testing
+ - node_js: "6"
+ env: DEPLOY_VERSION=testing
 notifications:
 slack: npm-inc:kRqQjto7YbINqHPb1X6nS3g8
 cache:
diff --git a/deps/npm/AUTHORS b/deps/npm/AUTHORS
index b9aee778afd..551e9340bd2 100644
--- a/deps/npm/AUTHORS
+++ b/deps/npm/AUTHORS
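Review bot: The `notifications: slack:` value in the trailing context of the second `.travis.yml` hunk is stored in clear text, and it has the account:token shape that Travis uses for a Slack integration credential. Anyone who can read the repository can read it, so it should be rotated and replaced with an encrypted entry (`slack:` followed by `secure: "<encrypted value>"`, generated with `travis encrypt`). The line is not changed by this commit and the file is carried over from npm/cli, so the fix belongs upstream; it is raised here because this tree republishes the value.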
@@ -630,3 +630,14 @@ Amadou Sall
 Chris Manson
 vlasy
 Emilis Dambauskas (Tokenmill)
+George Czabania
+Jonathan Underwood
+Nick Graef
+James George
+John O'Sullivan
+ossdev
+Raphael Goulais
+COURIER, CALEB [AG/1000]
+CalebCourier
+Florian Keller
+Sreeram Jayan
diff --git a/deps/npm/CHANGELOG.md b/deps/npm/CHANGELOG.md
index 51141fc6545..58b2f49bd9d 100644
--- a/deps/npm/CHANGELOG.md
+++ b/deps/npm/CHANGELOG.md
@@ -1,4 +1,189 @@
-## v6.9.0 (2018-02-20):
+## v6.10.0 (2019-07-03):
+
+### FEATURES
+
+* [`87fef4e35`](https://github.com/npm/cli/commit/87fef4e35)
+ [#176](https://github.com/npm/cli/pull/176) fix: Always return JSON for
+ outdated --json ([@sreeramjayan](https://github.com/sreeramjayan))
+* [`f101d44fc`](https://github.com/npm/cli/commit/f101d44fc)
+ [#203](https://github.com/npm/cli/pull/203) fix(unpublish): add space
+ after hyphen ([@ffflorian](https://github.com/ffflorian))
+* [`a4475de4c`](https://github.com/npm/cli/commit/a4475de4c)
+ [#202](https://github.com/npm/cli/pull/202) enable production flag for
+ npm audit ([@CalebCourier](https://github.com/CalebCourier))
+* [`d192904d0`](https://github.com/npm/cli/commit/d192904d0)
+ [#178](https://github.com/npm/cli/pull/178) fix: Return a value for
+ `view` when in silent mode
+ ([@stayradiated](https://github.com/stayradiated))
+* [`39d473adf`](https://github.com/npm/cli/commit/39d473adf)
+ [#185](https://github.com/npm/cli/pull/185) Allow git to follow global
+ tagsign config ([@junderw](https://github.com/junderw))
+
+### BUGFIXES
+
+* [`d9238af0b`](https://github.com/npm/cli/commit/d9238af0b)
+ [#201](https://github.com/npm/cli/pull/163)
+ [npm/npm#17858](https://github.com/npm/npm/issues/17858)
+ [npm/npm#18042](https://github.com/npm/npm/issues/18042)
+ [npm.community#644](https://npm.community/t/644) do not crash when
+ removing nameless packages
+ ([@SteveVanOpstal](https://github.com/SteveVanOpstal) and
+ [@isaacs](https://github.com/isaacs))
+* [`4bec4f111`](https://github.com/npm/cli/commit/4bec4f111)
+ [#200](https://github.com/npm/cli/pull/200) Check for `node` (as well as
+ `node.exe`) in npm's local dir on Windows
+ ([@rgoulais](https://github.com/rgoulais))
+* [`ce93dab2d`](https://github.com/npm/cli/commit/ce93dab2db423ef23b3e08a0612dafbeb2d25789)
+ [#180](https://github.com/npm/cli/pull/180)
+ [npm.community#6187](https://npm.community/t/6187) Fix handling of
+ `remote` deps in `npm outdated` ([@larsgw](https://github.com/larsgw))
+
+### TESTING
+
+* [`a823f3084`](https://github.com/npm/cli/commit/a823f3084) travis: Update
+ to include new v12 LTS ([@isaacs](https://github.com/isaacs))
+* [`33e2d1dac`](https://github.com/npm/cli/commit/33e2d1dac) fix flaky
+ debug-logs test ([@isaacs](https://github.com/isaacs))
+* [`e9411c6cd`](https://github.com/npm/cli/commit/e9411c6cd) Don't time out
+ waiting for gpg user input ([@isaacs](https://github.com/isaacs))
+* [`d2d301704`](https://github.com/npm/cli/commit/d2d301704)
+ [#195](https://github.com/npm/cli/pull/195) Add the arm64 check for
+ legacy-platform-all.js test case.
+ ([@ossdev07](https://github.com/ossdev07))
+* [`a4dc34243`](https://github.com/npm/cli/commit/a4dc34243) parallel tests
+ ([@isaacs](https://github.com/isaacs))
+
+### DOCUMENTATION
+
+* [`f5857e263`](https://github.com/npm/cli/commit/f5857e263)
+ [#192](https://github.com/npm/cli/pull/192) Clarify usage of
+ bundledDependencies
+ ([@john-osullivan](https://github.com/john-osullivan))
+* [`747fdaf66`](https://github.com/npm/cli/commit/747fdaf66)
+ [#159](https://github.com/npm/cli/pull/159) doc: add --audit-level param
+ ([@ngraef](https://github.com/ngraef))
+
+### DEPENDENCIES
+
+* [`e36b3c320`](https://github.com/npm/cli/commit/e36b3c320)
+ graceful-fs@4.2.0 ([@isaacs](https://github.com/isaacs))
+* [`6bb935c09`](https://github.com/npm/cli/commit/6bb935c09)
+ read-package-tree@5.3.1 ([@isaacs](https://github.com/isaacs))
+ * [`e9cd536`](https://github.com/npm/read-package-tree/commit/e9cd536)
+ Use custom caching `realpath` implementation, dramatically reducing
+ `lstat` calls when reading the package tree
+ ([@isaacs](https://github.com/isaacs))
+* [`39538b460`](https://github.com/npm/cli/commit/39538b460)
+ write-file-atomic@2.4.3 ([@isaacs](https://github.com/isaacs))
+ * [`f8b1552`](https://github.com/npm/write-file-atomic/commit/f8b1552)
+ [#38](https://github.com/npm/write-file-atomic/pull/38) Ignore errors
+ raised by `fs.closeSync` ([@lukeapage](https://github.com/lukeapage))
+* [`042193069`](https://github.com/npm/cli/commit/042193069) pacote@9.5.1
+ ([@isaacs](https://github.com/isaacs))
+ * [`8bbd051`](https://github.com/npm/pacote/commit/8bbd051)
+ [#172](https://github.com/zkat/pacote/pull/172) limit git retry
+ times, avoid unlimited retries ([小秦](https://github.com/xqin))
+ * [`92f5e4c`](https://github.com/npm/pacote/commit/92f5e4c)
+ [#170](https://github.com/zkat/pacote/pull/170) fix(errors): Fix
+ "TypeError: err.code.match is not a function" error
+ ([@jviotti](https://github.com/jviotti))
+* [`8bd8e909f`](https://github.com/npm/cli/commit/8bd8e909f) cacache@11.3.3
+ ([@isaacs](https://github.com/isaacs))
+ * [`47de8f5`](https://github.com/npm/cacache/commit/47de8f5)
+ [#146](https://github.com/zkat/cacache/pull/146)
+ [npm.community#2395](https://npm.community/t/2395) fix(config): Add
+ ssri config 'error' option ([@larsgw](https://github.com/larsgw))
+ * [`5156561`](https://github.com/npm/cacache/commit/5156561)
+ fix(write): avoid a `cb never called` situation
+ ([@zkat](https://github.com/zkat))
+ * [`90f40f0`](https://github.com/npm/cacache/commit/90f40f0)
+ [#166](https://github.com/zkat/cacache/pull/166)
+ [#165](https://github.com/zkat/cacache/issues/165) docs: Fix docs for
+ `path` property in get.info
+ ([@hdgarrood](https://github.com/hdgarrood))
+* [`bf61c45c6`](https://github.com/npm/cli/commit/bf61c45c6) bluebird@3.5.5
+ ([@isaacs](https://github.com/isaacs))
+* [`f75d46a9d`](https://github.com/npm/cli/commit/f75d46a9d) tar@4.4.10
+ ([@isaacs](https://github.com/isaacs))
+ * [`c80341a`](https://github.com/npm/node-tar/commit/c80341a)
+ [#215](https://github.com/npm/node-tar/pull/215) Fix
+ encoding/decoding of base-256 numbers
+ ([@justfalter](https://github.com/justfalter))
+ * [`77522f0`](https://github.com/npm/node-tar/commit/77522f0)
+ [#204](https://github.com/npm/node-tar/issues/204)
+ [#214](https://github.com/npm/node-tar/issues/214) Use `stat` instead
+ of `lstat` when checking CWD ([@stkb](https://github.com/stkb))
+* [`ec6236210`](https://github.com/npm/cli/commit/ec6236210)
+ npm-packlist@1.4.4 ([@isaacs](https://github.com/isaacs))
+ * [`63d1e3e`](https://github.com/npm/npm-packlist/commit/63d1e3e)
+ [#30](https://github.com/npm/npm-packlist/issues/30) Sort package
+ tarball entries by file type for compression benefits
+ ([@isaacs](https://github.com/isaacs))
+ * [`7fcd045`](https://github.com/npm/npm-packlist/commit/7fcd045)
+ Ignore `.DS_Store` files as well as folders
+ ([@isaacs](https://github.com/isaacs))
+ * [`68b7c96`](https://github.com/npm/npm-packlist/commit/68b7c96) Never
+ include .git folders in package root. (Note: this prevents the issue
+ that broke the v6.9.1 release.)
+ ([@isaacs](https://github.com/isaacs))
+* [`57bef61bc`](https://github.com/npm/cli/commit/57bef61bc) update fstream
+ in node-gyp ([@isaacs](https://github.com/isaacs))
+ * Addresses [security advisory
+ #886](https://www.npmjs.com/advisories/886)
+* [`acbbf7eee`](https://github.com/npm/cli/commit/acbbf7eee)
+ [#183](https://github.com/npm/cli/pull/183) licensee@7.0.2
+ ([@kemitchell](https://github.com/kemitchell))
+* [`011ae67f0`](https://github.com/npm/cli/commit/011ae67f0)
+ readable-stream@3.3.0 ([@isaacs](https://github.com/isaacs))
+* [`f5e884909`](https://github.com/npm/cli/commit/f5e884909)
+ npm-registry-mock@1.2.1 ([@isaacs](https://github.com/isaacs))
+* [`b57d07e35`](https://github.com/npm/cli/commit/b57d07e35)
+ npm-registry-couchapp@2.7.2 ([@isaacs](https://github.com/isaacs))
+
+## v6.9.2 (2019-06-27):
+
+This release is identical to v6.9.1, but we had to publish a new version
+due to [a .git directory in the release](https://npm.community/t/8454).
+
+## v6.9.1 (2019-06-26):
+
+### BUGFIXES
+
+* [`6b1a9da0e`](https://github.com/npm/cli/commit/6b1a9da0e0f5c295cdaf4dea4b73bd221d778611)
+ [#165](https://github.com/npm/cli/pull/165)
+ Update `knownBroken` version.
+ ([@ljharb](https://github.com/ljharb))
+* [`d07547154`](https://github.com/npm/cli/commit/d07547154eb8a88aa4fde8a37e128e1e3272adc1)
+ [npm.community#5929](https://npm.community/t/npm-outdated-throw-an-error-cannot-read-property-length-of-undefined/5929)
+ Fix `outdated` rendering for global dependencies.
+ ([@zkat](https://github.com/zkat))
+* [`e4a1f1745`](https://github.com/npm/cli/commit/e4a1f174514a57580fd5e0fa33eee0f42bba77fc)
+ [npm.community#6259](https://npm.community/t/npm-token-create-doesnt-work-in-6-6-0-6-9-0/6259)
+ Fix OTP for token create and remove.
+ ([@zkat](https://github.com/zkat))
+
+### DEPENDENCIES
+
+* [`a163a9c35`](https://github.com/npm/cli/commit/a163a9c35f6f341de343562368056258bba5d7dc)
+ `sha@3.0.0`
+ ([@aeschright](https://github.com/aeschright))
+* [`47b08b3b9`](https://github.com/npm/cli/commit/47b08b3b9860438b416efb438e975a628ec2eed5)
+ `query-string@6.4.0`
+ ([@aeschright](https://github.com/aeschright))
+* [`d6a956cff`](https://github.com/npm/cli/commit/d6a956cff6357e6de431848e578c391768685a64)
+ `readable-stream@3.2.0`
+ ([@aeschright](https://github.com/aeschright))
+* [`10b8bed2b`](https://github.com/npm/cli/commit/10b8bed2bb0afac5451164e87f25924cc1ac6f2e)
+ `tacks@1.3.0`
+ ([@aeschright](https://github.com/aeschright))
+* [`e7483704d`](https://github.com/npm/cli/commit/e7483704dda1acffc8c6b8c165c14c8a7512f3c8)
+ `tap@12.6.0`
+ ([@aeschright](https://github.com/aeschright))
+* [`3242fe698`](https://github.com/npm/cli/commit/3242fe698ead46a9cda94e1a4d489cd84a85d7e3)
+ `tar-stream@2.0.1`
+ ([@aeschright](https://github.com/aeschright))
+
+## v6.9.0 (2019-02-20):
 ### FEATURES
diff --git a/deps/npm/bin/npm b/deps/npm/bin/npm
index 5acd6fb61a7..4183703a785 100755
--- a/deps/npm/bin/npm
+++ b/deps/npm/bin/npm
@@ -8,6 +8,9 @@ case `uname` in
 esac
 NODE_EXE="$basedir/node.exe"
+if ! [ -x "$NODE_EXE" ]; then
+ NODE_EXE="$basedir/node"
+fi
 if ! [ -x "$NODE_EXE" ]; then
 NODE_EXE=node
 fi
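Review bot: The final `[ -x "$NODE_EXE" ]` test now also decides whether `$basedir/node` is used, and `-x` succeeds for a searchable directory, so a directory named `node` beside the launcher would be selected and the `NODE_EXE=node` PATH fallback skipped. Requiring a regular file as well closes that gap: `if ! [ -f "$NODE_EXE" ] || ! [ -x "$NODE_EXE" ]; then`. As far as the hunk shows there is no platform guard, so an executable called `node` in the launcher's own directory takes precedence over PATH everywhere, not only where `node.exe` is expected; a comment such as `# prefer a node binary shipped beside this script; this directory must not be writable by other users` would make that trust assumption visible. The rest of the launcher lies outside the hunk, and since the file is carried over from npm/cli the change would need to land upstream.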
diff --git a/deps/npm/doc/cli/npm-audit.md b/deps/npm/doc/cli/npm-audit.md
index f63bbd356d5..10039ea09cb 100644
--- a/deps/npm/doc/cli/npm-audit.md
+++ b/deps/npm/doc/cli/npm-audit.md
@@ -3,8 +3,10 @@ npm-audit(1) -- Run a security audit
 ## SYNOPSIS
- npm audit [--json|--parseable]
- npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
+ npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
+ npm audit fix [--force|--package-lock-only|--dry-run]
+
+ common options: [--production] [--only=(dev|prod)]
 ## EXAMPLES
@@ -60,6 +62,11 @@ To parse columns, you can use for example `awk`, and just print some of them:
 $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
 ```
+Fail an audit only if the results include a vulnerability with a level of moderate or higher:
+```
+$ npm audit --audit-level=moderate
+```
+
 ## DESCRIPTION
 The audit command submits a description of the dependencies configured in
@@ -75,6 +82,12 @@ runs a full-fledged `npm install` under the hood, all configs that apply to the installer will also apply to `npm install` -- so things like `npm audit fix --package-lock-only` will work as expected.
+By default, the audit command will exit with a non-zero code if any vulnerability
+is found. It may be useful in CI environments to include the `--audit-level` parameter
+to specify the minimum vulnerability level that will cause the command to fail. This
+option does not filter the report output, it simply changes the command's failure
+threshold.
+
 ## CONTENT SUBMITTED
 * npm_version
diff --git a/deps/npm/doc/files/package.json.md b/deps/npm/doc/files/package.json.md
index 95e77d34c5f..6324caf64a5 100644
--- a/deps/npm/doc/files/package.json.md
+++ b/deps/npm/doc/files/package.json.md
@@ -648,7 +648,8 @@ If we define a package.json like this: we can obtain `awesome-web-framework-1.0.0.tgz` file by running `npm pack`. This file contains the dependencies `renderized` and `super-streams` which can be installed in a new project by executing `npm install
-awesome-web-framework-1.0.0.tgz`.
+awesome-web-framework-1.0.0.tgz`. Note that the package names do not include
+any versions, as that information is specified in `dependencies`.
 If this is spelled `"bundleDependencies"`, then that is also honored.
diff --git a/deps/npm/html/doc/README.html b/deps/npm/html/doc/README.html
index c575f39bab3..47012985aaa 100644
--- a/deps/npm/html/doc/README.html
+++ b/deps/npm/html/doc/README.html
@@ -118,5 +118,5 @@ doubt tell you to put the output in a gist or email.

       - + diff --git a/deps/npm/html/doc/cli/npm-access.html b/deps/npm/html/doc/cli/npm-access.html index c0e7943d6b3..910133c0562 100644 --- a/deps/npm/html/doc/cli/npm-access.html +++ b/deps/npm/html/doc/cli/npm-access.html @@ -93,5 +93,5 @@ with an HTTP 402 status code (logically enough), unless you use        - + diff --git a/deps/npm/html/doc/cli/npm-adduser.html b/deps/npm/html/doc/cli/npm-adduser.html index a946f67f66c..d2cbb013b19 100644 --- a/deps/npm/html/doc/cli/npm-adduser.html +++ b/deps/npm/html/doc/cli/npm-adduser.html @@ -78,5 +78,5 @@ username/password entry in legacy npm.

       - + diff --git a/deps/npm/html/doc/cli/npm-audit.html b/deps/npm/html/doc/cli/npm-audit.html index 7d6704ab9c8..158c9077192 100644 --- a/deps/npm/html/doc/cli/npm-audit.html +++ b/deps/npm/html/doc/cli/npm-audit.html @@ -11,8 +11,10 @@

npm-audit

Run a security audit

SYNOPSIS

-
npm audit [--json|--parseable]
-npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]

EXAMPLES

+
npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
+npm audit fix [--force|--package-lock-only|--dry-run]
+
+common options: [--production] [--only=(dev|prod)]

EXAMPLES

Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies:

$ npm audit fix

Run audit fix without modifying node_modules, but still updating the @@ -29,7 +31,8 @@ anything:

future reuse in scripting or command line post processing, like for example, selecting some of the columns printed:

$ npm audit --parseable

To parse columns, you can use for example awk, and just print some of them:

-
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

DESCRIPTION

+
$ npm audit --parseable | awk -F $'\t' '{print $1,$4}'

Fail an audit only if the results include a vulnerability with a level of moderate or higher:

+
$ npm audit --audit-level=moderate

DESCRIPTION

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. The report returned includes instructions on how to act on @@ -41,6 +44,11 @@ will require manual intervention or review. Also note that since npm audit runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected.

+

By default, the audit command will exit with a non-zero code if any vulnerability +is found. It may be useful in CI environments to include the --audit-level parameter +to specify the minimum vulnerability level that will cause the command to fail. This +option does not filter the report output, it simply changes the command's failure +threshold.

CONTENT SUBMITTED