deps: upgrade npm to 8.14.0

PR-URL: https://github.com/nodejs/node/pull/43826
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
npm CLI robot 2022-07-19 08:51:49 -07:00 committed by GitHub
parent 8657d6db07
commit dd167ff0ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
133 changed files with 3788 additions and 512 deletions


@ -93,13 +93,12 @@ npm init --scope=@foo --yes
#### `auth-type`
* Default: "legacy"
* Type: "legacy", "webauthn", "sso", "saml", or "oauth"
* DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web-based login.
* Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
What authentication strategy to use with `adduser`/`login`.
NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version.
Pass `webauthn` to use a web-based login.
What authentication strategy to use with `login`.
<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
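Review bot: the rewritten description no longer tells the reader which value selects the web-based flow; the line it replaces said "Pass `webauthn` to use a web-based login." and the NOTE that follows only lists the values that will be removed. Suggest adding "Pass `web` to use a web-based login." after the NOTE so the new value is documented where the old one was.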


@ -11,7 +11,7 @@ description: Run a security audit
<!-- see lib/commands/audit.js -->
```bash
npm audit [fix]
npm audit [fix|signatures]
```
<!-- automatically generated, do not edit manually -->
@ -41,6 +41,17 @@ vulnerability is found. It may be useful in CI environments to include the
will cause the command to fail. This option does not filter the report
output, it simply changes the command's failure threshold.
### Audit Signatures
This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from. npm will attempt to download the keys from `/-/npm/v1/keys` on
each the registry used to download any given package. It will then
check the `dist.signatures` object in the package itself, and verify the
`sig` present there using the `keyid` there, matching it with a key
returned from the registry. The command for this is `npm audit
signatures`
### Audit Endpoints
There are two audit endpoints that npm may use to fetch vulnerability
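Review bot: "on each the registry used to download any given package" should read "on each registry used to download any given package", and the closing sentence "The command for this is `npm audit signatures`" is missing its period. The paragraph also leaves unstated what happens when a registry exposes nothing at `/-/npm/v1/keys`; one sentence saying whether packages from such a registry are skipped or reported as missing would save users from reading the audit source to find out.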


@ -102,7 +102,7 @@ following help topics:
done via [`npm install`](/commands/npm-install)
* adduser:
Create an account or log in. When you do this, npm will store
credentials in the user config file config file.
credentials in the user config file.
* publish:
Use the [`npm publish`](/commands/npm-publish) command to upload your
code to the registry.


@ -124,7 +124,7 @@ IDs](https://spdx.org/licenses/). Ideally you should pick one that is
If your package is licensed under multiple common licenses, use an [SPDX
license expression syntax version 2.0
string](https://www.npmjs.com/package/spdx), like this:
string](https://spdx.dev/specifications/), like this:
```json
{


@ -215,6 +215,19 @@ exit code.
<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
#### `auth-type`
* Default: "legacy"
* Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version.
What authentication strategy to use with `login`.
<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
#### `before`
* Default: null
@ -1905,20 +1918,6 @@ When set to `dev` or `development`, this is an alias for `--include=dev`.
<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
#### `auth-type`
* Default: "legacy"
* Type: "legacy", "webauthn", "sso", "saml", or "oauth"
* DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web-based login.
What authentication strategy to use with `adduser`/`login`.
Pass `webauthn` to use a web-based login.
<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
#### `cache-max`
* Default: Infinity


@ -39,7 +39,7 @@ There are some special life cycle scripts that happen only in certain
situations. These scripts happen in addition to the `pre<event>`, `post<event>`, and
`<event>` scripts.
* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`
* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`, `dependencies`
**prepare** (since `npm@4.0.0`)
* Runs any time before the package is packed, i.e. during `npm publish`
@ -71,6 +71,10 @@ situations. These scripts happen in addition to the `pre<event>`, `post<event>`,
**postpack**
* Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)
**dependencies**
* Runs AFTER any operations that modify the `node_modules` directory IF changes occurred.
* Does NOT run in global mode
#### Prepare and Prepublish
**Deprecation Note: prepublish**
@ -96,6 +100,10 @@ The advantage of doing these things at `prepublish` time is that they can be don
* You don't need to rely on your users having `curl` or `wget` or
other system tools on the target machines.
#### Dependencies
The `dependencies` script is run any time an `npm` command causes changes to the `node_modules` directory. It is run AFTER the changes have been applied and the `package.json` and `package-lock.json` files have been updated.
### Life Cycle Operation Order
#### [`npm cache add`](/commands/npm-cache)
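Review bot: the new `Dependencies` section says when the script runs but not whose `package.json` it is read from (the project root only, or installed dependencies as well) nor whether `--ignore-scripts` suppresses it. Since this is the one life cycle script in the list that fires as a side effect of `node_modules` changing rather than from an explicit command, and install-time script execution is the usual way a malicious package gets code run, both points should be stated here alongside the "Does NOT run in global mode" bullet.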


@ -57,7 +57,7 @@ structure of files and folders:
```
.
+-- node_modules
| `-- packages/a -> ../packages/a
| `-- a -> ../packages/a
+-- package-lock.json
+-- package.json
`-- packages
@ -112,15 +112,15 @@ respect the provided `workspace` configuration.
Given the [specifities of how Node.js handles module resolution](https://nodejs.org/dist/latest-v14.x/docs/api/modules.html#modules_all_together) it's possible to consume any defined workspace
by its declared `package.json` `name`. Continuing from the example defined
above, let's also create a Node.js script that will require the `workspace-a`
above, let's also create a Node.js script that will require the workspace `a`
example module, e.g:
```
// ./workspace-a/index.js
// ./packages/a/index.js
module.exports = 'a'
// ./lib/index.js
const moduleA = require('workspace-a')
const moduleA = require('a')
console.log(moduleA) // -> a
```


@ -207,12 +207,11 @@ npm init --scope=@foo --yes
<h4 id="auth-type"><code>auth-type</code></h4>
<ul>
<li>Default: "legacy"</li>
<li>Type: "legacy", "webauthn", "sso", "saml", or "oauth"</li>
<li>DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web-based login.</li>
<li>Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"</li>
</ul>
<p>What authentication strategy to use with <code>adduser</code>/<code>login</code>.</p>
<p>Pass <code>webauthn</code> to use a web-based login.</p>
<p>NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version.</p>
<p>What authentication strategy to use with <code>login</code>.</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->


@ -142,14 +142,14 @@ npm command-line interface
<section id="table_of_contents">
<h2 id="table-of-contents">Table of contents</h2>
<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#audit-endpoints">Audit Endpoints</a></li><ul><li><a href="#bulk-advisory-endpoint">Bulk Advisory Endpoint</a></li><li><a href="#quick-audit-endpoint">Quick Audit Endpoint</a></li><li><a href="#scrubbing">Scrubbing</a></li><li><a href="#calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</a></li></ul><li><a href="#exit-code">Exit Code</a></li><li><a href="#examples">Examples</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#audit-level"><code>audit-level</code></a></li><li><a href="#dry-run"><code>dry-run</code></a></li><li><a href="#force"><code>force</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#package-lock-only"><code>package-lock-only</code></a></li><li><a href="#omit"><code>omit</code></a></li><li><a href="#foreground-scripts"><code>foreground-scripts</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#install-links"><code>install-links</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#audit-signatures">Audit Signatures</a></li><li><a href="#audit-endpoints">Audit Endpoints</a></li><ul><li><a href="#bulk-advisory-endpoint">Bulk Advisory Endpoint</a></li><li><a href="#quick-audit-endpoint">Quick Audit Endpoint</a></li><li><a href="#scrubbing">Scrubbing</a></li><li><a href="#calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</a></li></ul><li><a href="#exit-code">Exit Code</a></li><li><a href="#examples">Examples</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#audit-level"><code>audit-level</code></a></li><li><a href="#dry-run"><code>dry-run</code></a></li><li><a href="#force"><code>force</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#package-lock-only"><code>package-lock-only</code></a></li><li><a href="#omit"><code>omit</code></a></li><li><a href="#foreground-scripts"><code>foreground-scripts</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#install-links"><code>install-links</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
</section>
<div id="_content"><h3 id="synopsis">Synopsis</h3>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<pre lang="bash"><code>npm audit [fix]
<pre lang="bash"><code>npm audit [fix|signatures]
</code></pre>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
@ -170,6 +170,14 @@ vulnerability is found. It may be useful in CI environments to include the
<code>--audit-level</code> parameter to specify the minimum vulnerability level that
will cause the command to fail. This option does not filter the report
output, it simply changes the command's failure threshold.</p>
<h3 id="audit-signatures">Audit Signatures</h3>
<p>This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from. npm will attempt to download the keys from <code>/-/npm/v1/keys</code> on
each the registry used to download any given package. It will then
check the <code>dist.signatures</code> object in the package itself, and verify the
<code>sig</code> present there using the <code>keyid</code> there, matching it with a key
returned from the registry. The command for this is <code>npm audit signatures</code></p>
<h3 id="audit-endpoints">Audit Endpoints</h3>
<p>There are two audit endpoints that npm may use to fetch vulnerability
information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>
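Review bot: same "each the registry" wording and missing final period as in the markdown source of this section; this HTML is generated, so fix the `.md` and regenerate rather than patching the rendered copy.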


@ -166,7 +166,7 @@ tree at all, use <a href="../commands/npm-explain.html"><code>npm explain</code>
the results to only the paths to the packages named. Note that nested
packages will <em>also</em> show the paths to the specified packages. For
example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
<pre lang="bash"><code>npm@8.13.2 /path/to/npm
<pre lang="bash"><code>npm@8.14.0 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
</code></pre>


@ -149,7 +149,7 @@ npm command-line interface
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<h3 id="version">Version</h3>
<p>8.13.2</p>
<p>8.14.0</p>
<h3 id="description">Description</h3>
<p>npm is the package manager for the Node JavaScript platform. It puts
modules in place so that node can find them, and manages dependency
@ -219,7 +219,7 @@ link. Especially, installing other peoples code from the registry is
done via <a href="../commands/npm-install.html"><code>npm install</code></a></li>
<li>adduser:
Create an account or log in. When you do this, npm will store
credentials in the user config file config file.</li>
credentials in the user config file.</li>
<li>publish:
Use the <a href="../commands/npm-publish.html"><code>npm publish</code></a> command to upload your
code to the registry.</li>


@ -231,7 +231,7 @@ SPDX license identifier for the license you're using, like this:</p>
<p>You can check <a href="https://spdx.org/licenses/">the full list of SPDX license
IDs</a>. Ideally you should pick one that is
<a href="https://opensource.org/licenses/alphabetical">OSI</a> approved.</p>
<p>If your package is licensed under multiple common licenses, use an <a href="https://www.npmjs.com/package/spdx">SPDX
<p>If your package is licensed under multiple common licenses, use an <a href="https://spdx.dev/specifications/">SPDX
license expression syntax version 2.0
string</a>, like this:</p>
<pre lang="json"><code>{



@ -142,7 +142,7 @@ npm command-line interface
<section id="table_of_contents">
<h2 id="table-of-contents">Table of contents</h2>
<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#pre--post-scripts">Pre &amp; Post Scripts</a></li><li><a href="#life-cycle-scripts">Life Cycle Scripts</a></li><ul><li><a href="#prepare-and-prepublish">Prepare and Prepublish</a></li></ul><li><a href="#life-cycle-operation-order">Life Cycle Operation Order</a></li><ul><li><a href="#npm-cache-add"><a href="../commands/npm-cache.html"><code>npm cache add</code></a></a></li><li><a href="#npm-ci"><a href="../commands/npm-ci.html"><code>npm ci</code></a></a></li><li><a href="#npm-diff"><a href="../commands/npm-diff.html"><code>npm diff</code></a></a></li><li><a href="#npm-install"><a href="../commands/npm-install.html"><code>npm install</code></a></a></li><li><a href="#npm-pack"><a href="../commands/npm-pack.html"><code>npm pack</code></a></a></li><li><a href="#npm-publish"><a href="../commands/npm-publish.html"><code>npm publish</code></a></a></li><li><a href="#npm-rebuild"><a href="../commands/npm-rebuild.html"><code>npm rebuild</code></a></a></li><li><a href="#npm-restart"><a href="../commands/npm-restart.html"><code>npm restart</code></a></a></li><li><a href="#npm-run-user-defined"><a href="../commands/npm-run-script.html"><code>npm run &lt;user defined&gt;</code></a></a></li><li><a href="#npm-start"><a href="../commands/npm-start.html"><code>npm start</code></a></a></li><li><a href="#npm-stop"><a href="../commands/npm-stop.html"><code>npm stop</code></a></a></li><li><a href="#npm-test"><a href="../commands/npm-test.html"><code>npm test</code></a></a></li><li><a href="#npm-version"><a href="../commands/npm-version.html"><code>npm version</code></a></a></li><li><a href="#a-note-on-a-lack-of-npm-uninstall-scripts">A Note on a lack of <a href="../commands/npm-uninstall.html"><code>npm uninstall</code></a> scripts</a></li></ul><li><a href="#user">User</a></li><li><a href="#environment">Environment</a></li><ul><li><a href="#path">path</a></li><li><a 
href="#packagejson-vars">package.json vars</a></li><li><a href="#current-lifecycle-event">current lifecycle event</a></li></ul><li><a href="#examples">Examples</a></li><li><a href="#exiting">Exiting</a></li><li><a href="#best-practices">Best Practices</a></li><li><a href="#see-also">See Also</a></li></ul></div>
<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#pre--post-scripts">Pre &amp; Post Scripts</a></li><li><a href="#life-cycle-scripts">Life Cycle Scripts</a></li><ul><li><a href="#prepare-and-prepublish">Prepare and Prepublish</a></li><li><a href="#dependencies">Dependencies</a></li></ul><li><a href="#life-cycle-operation-order">Life Cycle Operation Order</a></li><ul><li><a href="#npm-cache-add"><a href="../commands/npm-cache.html"><code>npm cache add</code></a></a></li><li><a href="#npm-ci"><a href="../commands/npm-ci.html"><code>npm ci</code></a></a></li><li><a href="#npm-diff"><a href="../commands/npm-diff.html"><code>npm diff</code></a></a></li><li><a href="#npm-install"><a href="../commands/npm-install.html"><code>npm install</code></a></a></li><li><a href="#npm-pack"><a href="../commands/npm-pack.html"><code>npm pack</code></a></a></li><li><a href="#npm-publish"><a href="../commands/npm-publish.html"><code>npm publish</code></a></a></li><li><a href="#npm-rebuild"><a href="../commands/npm-rebuild.html"><code>npm rebuild</code></a></a></li><li><a href="#npm-restart"><a href="../commands/npm-restart.html"><code>npm restart</code></a></a></li><li><a href="#npm-run-user-defined"><a href="../commands/npm-run-script.html"><code>npm run &lt;user defined&gt;</code></a></a></li><li><a href="#npm-start"><a href="../commands/npm-start.html"><code>npm start</code></a></a></li><li><a href="#npm-stop"><a href="../commands/npm-stop.html"><code>npm stop</code></a></a></li><li><a href="#npm-test"><a href="../commands/npm-test.html"><code>npm test</code></a></a></li><li><a href="#npm-version"><a href="../commands/npm-version.html"><code>npm version</code></a></a></li><li><a href="#a-note-on-a-lack-of-npm-uninstall-scripts">A Note on a lack of <a href="../commands/npm-uninstall.html"><code>npm uninstall</code></a> scripts</a></li></ul><li><a href="#user">User</a></li><li><a href="#environment">Environment</a></li><ul><li><a 
href="#path">path</a></li><li><a href="#packagejson-vars">package.json vars</a></li><li><a href="#current-lifecycle-event">current lifecycle event</a></li></ul><li><a href="#examples">Examples</a></li><li><a href="#exiting">Exiting</a></li><li><a href="#best-practices">Best Practices</a></li><li><a href="#see-also">See Also</a></li></ul></div>
</section>
<div id="_content"><h3 id="description">Description</h3>
@ -172,7 +172,7 @@ described.</p>
situations. These scripts happen in addition to the <code>pre&lt;event&gt;</code>, <code>post&lt;event&gt;</code>, and
<code>&lt;event&gt;</code> scripts.</p>
<ul>
<li><code>prepare</code>, <code>prepublish</code>, <code>prepublishOnly</code>, <code>prepack</code>, <code>postpack</code></li>
<li><code>prepare</code>, <code>prepublish</code>, <code>prepublishOnly</code>, <code>prepack</code>, <code>postpack</code>, <code>dependencies</code></li>
</ul>
<p><strong>prepare</strong> (since <code>npm@4.0.0</code>)</p>
<ul>
@ -221,6 +221,11 @@ and <code>npm install</code>. See below for more info.</li>
<ul>
<li>Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)</li>
</ul>
<p><strong>dependencies</strong></p>
<ul>
<li>Runs AFTER any operations that modify the <code>node_modules</code> directory IF changes occurred.</li>
<li>Does NOT run in global mode</li>
</ul>
<h4 id="prepare-and-prepublish">Prepare and Prepublish</h4>
<p><strong>Deprecation Note: prepublish</strong></p>
<p>Since <code>npm@1.1.71</code>, the npm CLI has run the <code>prepublish</code> script for both <code>npm publish</code> and <code>npm install</code>, because it's a convenient way to prepare a package for use (some common use cases are described in the section below). It has also turned out to be, in practice, <a href="https://github.com/npm/npm/issues/10074">very confusing</a>. As of <code>npm@4.0.0</code>, a new event has been introduced, <code>prepare</code>, that preserves this existing behavior. A <em>new</em> event, <code>prepublishOnly</code> has been added as a transitional strategy to allow users to avoid the confusing behavior of existing npm versions and only run on <code>npm publish</code> (for instance, running the tests one last time to ensure they're in good shape).</p>
@ -241,6 +246,8 @@ the size for your users.</li>
<li>You don't need to rely on your users having <code>curl</code> or <code>wget</code> or
other system tools on the target machines.</li>
</ul>
<h4 id="dependencies">Dependencies</h4>
<p>The <code>dependencies</code> script is run any time an <code>npm</code> command causes changes to the <code>node_modules</code> directory. It is run AFTER the changes have been applied and the <code>package.json</code> and <code>package-lock.json</code> files have been updated.</p>
<h3 id="life-cycle-operation-order">Life Cycle Operation Order</h3>
<h4 id="npm-cache-add"><a href="../commands/npm-cache.html"><code>npm cache add</code></a></h4>
<ul>


@ -184,7 +184,7 @@ directory <code>.</code> is that the folder <code>packages/a</code> will get sym
structure of files and folders:</p>
<pre><code>.
+-- node_modules
| `-- packages/a -&gt; ../packages/a
| `-- a -&gt; ../packages/a
+-- package-lock.json
+-- package.json
`-- packages
@ -223,13 +223,13 @@ respect the provided <code>workspace</code> configuration.</p>
<h3 id="using-workspaces">Using workspaces</h3>
<p>Given the <a href="https://nodejs.org/dist/latest-v14.x/docs/api/modules.html#modules_all_together">specifities of how Node.js handles module resolution</a> it's possible to consume any defined workspace
by its declared <code>package.json</code> <code>name</code>. Continuing from the example defined
above, let's also create a Node.js script that will require the <code>workspace-a</code>
above, let's also create a Node.js script that will require the workspace <code>a</code>
example module, e.g:</p>
<pre><code>// ./workspace-a/index.js
<pre><code>// ./packages/a/index.js
module.exports = 'a'
// ./lib/index.js
const moduleA = require('workspace-a')
const moduleA = require('a')
console.log(moduleA) // -&gt; a
</code></pre>
<p>When running it with:</p>


@ -3,6 +3,7 @@ const replaceInfo = require('../utils/replace-info.js')
const BaseCommand = require('../base-command.js')
const authTypes = {
legacy: require('../auth/legacy.js'),
web: require('../auth/legacy.js'),
webauthn: require('../auth/legacy.js'),
oauth: require('../auth/oauth.js'),
saml: require('../auth/saml.js'),
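Review bot: `web` and `webauthn` both map to `../auth/legacy.js`, the same module as `legacy`, so the new value selects no distinct handler here. If `legacy.js` branches on the configured `auth-type` internally, a one-line comment saying so would stop the next reader from asking; if it does not, `web` is accepted but behaves exactly like `legacy`, which contradicts the docs in this same change that present it as the web-based login.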
@ -28,6 +29,10 @@ class AddUser extends BaseCommand {
log.disableProgress()
log.warn('adduser',
'`adduser` will be split into `login` and `register in a future version.'
+ ' `adduser` will become an alias of `register`.'
+ ' `login` (currently an alias) will become its own command.')
log.notice('', `Log in on ${replaceInfo(registry)}`)
const { message, newCreds } = await auth(this.npm, {
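Review bot: the warning string has an unbalanced backtick: '`adduser` will be split into `login` and `register in a future version.' is missing the closing backtick after `register`.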


@ -1,8 +1,336 @@
const Arborist = require('@npmcli/arborist')
const auditReport = require('npm-audit-report')
const reifyFinish = require('../utils/reify-finish.js')
const auditError = require('../utils/audit-error.js')
const fetch = require('npm-registry-fetch')
const localeCompare = require('@isaacs/string-locale-compare')('en')
const npa = require('npm-package-arg')
const pacote = require('pacote')
const pMap = require('p-map')
const ArboristWorkspaceCmd = require('../arborist-cmd.js')
const auditError = require('../utils/audit-error.js')
const log = require('../utils/log-shim.js')
const reifyFinish = require('../utils/reify-finish.js')
const sortAlphabetically = (a, b) => localeCompare(a.name, b.name)
class VerifySignatures {
constructor (tree, filterSet, npm, opts) {
this.tree = tree
this.filterSet = filterSet
this.npm = npm
this.opts = opts
this.keys = new Map()
this.invalid = []
this.missing = []
this.checkedPackages = new Set()
this.auditedWithKeysCount = 0
this.verifiedCount = 0
this.output = []
this.exitCode = 0
}
async run () {
const start = process.hrtime.bigint()
// Find all deps in tree
const { edges, registries } = this.getEdgesOut(this.tree.inventory.values(), this.filterSet)
if (edges.size === 0) {
throw new Error('found no installed dependencies to audit')
}
await Promise.all([...registries].map(registry => this.setKeys({ registry })))
const progress = log.newItem('verifying registry signatures', edges.size)
const mapper = async (edge) => {
progress.completeWork(1)
await this.getVerifiedInfo(edge)
}
await pMap(edges, mapper, { concurrency: 20, stopOnError: true })
// Didn't find any dependencies that could be verified, e.g. only local
// deps, missing version, not on a registry etc.
if (!this.auditedWithKeysCount) {
throw new Error('found no dependencies to audit that where installed from ' +
'a supported registry')
}
const invalid = this.invalid.sort(sortAlphabetically)
const missing = this.missing.sort(sortAlphabetically)
const hasNoInvalidOrMissing = invalid.length === 0 && missing.length === 0
if (!hasNoInvalidOrMissing) {
this.exitCode = 1
}
if (this.npm.config.get('json')) {
this.appendOutput(JSON.stringify({
invalid: this.makeJSON(invalid),
missing: this.makeJSON(missing),
}, null, 2))
return
}
const end = process.hrtime.bigint()
const elapsed = end - start
const auditedPlural = this.auditedWithKeysCount > 1 ? 's' : ''
const timing = `audited ${this.auditedWithKeysCount} package${auditedPlural} in ` +
`${Math.floor(Number(elapsed) / 1e9)}s`
this.appendOutput(`${timing}\n`)
if (this.verifiedCount) {
const verifiedBold = this.npm.chalk.bold('verified')
const msg = this.verifiedCount === 1 ?
`${this.verifiedCount} package has a ${verifiedBold} registry signature\n` :
`${this.verifiedCount} packages have ${verifiedBold} registry signatures\n`
this.appendOutput(msg)
}
if (missing.length) {
const missingClr = this.npm.chalk.bold(this.npm.chalk.red('missing'))
const msg = missing.length === 1 ?
`package has a ${missingClr} registry signature` :
`packages have ${missingClr} registry signatures`
this.appendOutput(
`${missing.length} ${msg} but the registry is ` +
`providing signing keys:\n`
)
this.appendOutput(this.humanOutput(missing))
}
if (invalid.length) {
const invalidClr = this.npm.chalk.bold(this.npm.chalk.red('invalid'))
const msg = invalid.length === 1 ?
`${invalid.length} package has an ${invalidClr} registry signature:\n` :
`${invalid.length} packages have ${invalidClr} registry signatures:\n`
this.appendOutput(
`${missing.length ? '\n' : ''}${msg}`
)
this.appendOutput(this.humanOutput(invalid))
const tamperMsg = invalid.length === 1 ?
`\nSomeone might have tampered with this package since it was ` +
`published on the registry!\n` :
`\nSomeone might have tampered with these packages since they where ` +
`published on the registry!\n`
this.appendOutput(tamperMsg)
}
}
appendOutput (...args) {
this.output.push(...args.flat())
}
report () {
return { report: this.output.join('\n'), exitCode: this.exitCode }
}
getEdgesOut (nodes, filterSet) {
const edges = new Set()
const registries = new Set()
for (const node of nodes) {
for (const edge of node.edgesOut.values()) {
const filteredOut =
edge.from
&& filterSet
&& filterSet.size > 0
&& !filterSet.has(edge.from.target)
if (!filteredOut) {
const spec = this.getEdgeSpec(edge)
if (spec) {
// Prefetch and cache public keys from used registries
registries.add(this.getSpecRegistry(spec))
}
edges.add(edge)
}
}
}
return { edges, registries }
}
async setKeys ({ registry }) {
const keys = await fetch.json('/-/npm/v1/keys', {
...this.npm.flatOptions,
registry,
}).then(({ keys }) => keys.map((key) => ({
...key,
pemkey: `-----BEGIN PUBLIC KEY-----\n${key.key}\n-----END PUBLIC KEY-----`,
}))).catch(err => {
if (err.code === 'E404') {
return null
} else {
throw err
}
})
if (keys) {
this.keys.set(registry, keys)
}
}
getEdgeType (edge) {
return edge.optional ? 'optionalDependencies'
: edge.peer ? 'peerDependencies'
: edge.dev ? 'devDependencies'
: 'dependencies'
}
getEdgeSpec (edge) {
let name = edge.name
try {
name = npa(edge.spec).subSpec.name
} catch (_) {
}
try {
return npa(`${name}@${edge.spec}`)
} catch (_) {
// Skip packages with invalid spec
}
}
buildRegistryConfig (registry) {
const keys = this.keys.get(registry) || []
const parsedRegistry = new URL(registry)
const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
return {
[`${regKey}:_keys`]: keys,
}
}
getSpecRegistry (spec) {
return fetch.pickRegistry(spec, this.npm.flatOptions)
}
getValidPackageInfo (edge) {
const type = this.getEdgeType(edge)
// Skip potentially optional packages that are not on disk, as these could
// be omitted during install
if (edge.error === 'MISSING' && type !== 'dependencies') {
return
}
const spec = this.getEdgeSpec(edge)
// Skip invalid version requirements
if (!spec) {
return
}
const node = edge.to || edge
const { version } = node.package || {}
if (node.isWorkspace || // Skip local workspaces packages
!version || // Skip packages that don't have a installed version, e.g. optonal dependencies
!spec.registry) { // Skip if not from registry, e.g. git package
return
}
for (const omitType of this.npm.config.get('omit')) {
if (node[omitType]) {
return
}
}
return {
name: spec.name,
version,
type,
location: node.location,
registry: this.getSpecRegistry(spec),
}
}
async verifySignatures (name, version, registry) {
const {
_integrity: integrity,
_signatures,
_resolved: resolved,
} = await pacote.manifest(`${name}@${version}`, {
verifySignatures: true,
...this.buildRegistryConfig(registry),
...this.npm.flatOptions,
})
const signatures = _signatures || []
return {
integrity,
signatures,
resolved,
}
}
async getVerifiedInfo (edge) {
const info = this.getValidPackageInfo(edge)
if (!info) {
return
}
const { name, version, location, registry, type } = info
if (this.checkedPackages.has(location)) {
// we already did or are doing this one
return
}
this.checkedPackages.add(location)
// We only "audit" or verify the signature, or the presence of it, on
// packages whose registry returns signing keys
const keys = this.keys.get(registry) || []
if (keys.length) {
this.auditedWithKeysCount += 1
}
try {
const { integrity, signatures, resolved } = await this.verifySignatures(
name, version, registry
)
// Currently we only care about missing signatures on registries that provide a public key
// We could make this configurable in the future with a strict/paranoid mode
if (signatures.length) {
this.verifiedCount += 1
} else if (keys.length) {
this.missing.push({
name,
version,
location,
resolved,
integrity,
registry,
})
}
} catch (e) {
if (e.code === 'EINTEGRITYSIGNATURE') {
const { signature, keyid, integrity, resolved } = e
this.invalid.push({
name,
type,
version,
resolved,
location,
integrity,
registry,
signature,
keyid,
})
} else {
throw e
}
}
}
humanOutput (list) {
return list.map(v =>
`${this.npm.chalk.red(`${v.name}@${v.version}`)} (${v.registry})`
).join('\n')
}
makeJSON (deps) {
return deps.map(d => ({
name: d.name,
version: d.version,
location: d.location,
resolved: d.resolved,
integrity: d.integrity,
signature: d.signature,
keyid: d.keyid,
}))
}
}
class Audit extends ArboristWorkspaceCmd {
static description = 'Run a security audit'
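Review bot: in `getVerifiedInfo`, `verifiedCount` is incremented whenever the manifest's `_signatures` array is non-empty (`if (signatures.length)`), independent of whether `keys.length` was non-zero for that registry, while `setKeys` maps an E404 on `/-/npm/v1/keys` to `null` and stores nothing. A package whose manifest carries `dist.signatures` but whose registry returned no keys is therefore reported as having a "verified" registry signature even though nothing was checked against a key; gate the increment on `keys.length` the way the `missing` branch already does. Smaller points in the same hunk: `progress.completeWork(1)` runs before `await this.getVerifiedInfo(edge)`, so the progress bar completes ahead of the work; "found no dependencies to audit that where installed" and "since they where published" should read "were"; and "optonal dependencies" in the `getValidPackageInfo` comment is a typo.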
@ -19,7 +347,7 @@ class Audit extends ArboristWorkspaceCmd {
...super.params,
]
static usage = ['[fix]']
static usage = ['[fix|signatures]']
async completion (opts) {
const argv = opts.conf.argv.remain
@ -32,11 +360,21 @@ class Audit extends ArboristWorkspaceCmd {
case 'fix':
return []
default:
throw new Error(argv[2] + ' not recognized')
throw Object.assign(new Error(argv[2] + ' not recognized'), {
code: 'EUSAGE',
})
}
}
async exec (args) {
if (args[0] === 'signatures') {
await this.auditSignatures()
} else {
await this.auditAdvisories(args)
}
}
async auditAdvisories (args) {
const reporter = this.npm.config.get('json') ? 'json' : 'detail'
const opts = {
...this.npm.flatOptions,
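Review bot: the `completion` switch still only knows `case 'fix'`, so tab-completing `npm audit signatures` falls through to the `default` branch and throws `signatures not recognized` with the new `EUSAGE` code, even though `exec` now dispatches on `args[0] === 'signatures'`. Add `case 'signatures':` alongside `case 'fix':` (both return `[]`), and make sure the list offered for a bare `npm audit` includes `signatures` as well.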
@ -59,6 +397,44 @@ class Audit extends ArboristWorkspaceCmd {
this.npm.output(result.report)
}
}
async auditSignatures () {
if (this.npm.global) {
throw Object.assign(
new Error('`npm audit signatures` does not support global packages'), {
code: 'EAUDITGLOBAL',
}
)
}
log.verbose('loading installed dependencies')
const opts = {
...this.npm.flatOptions,
path: this.npm.prefix,
workspaces: this.workspaceNames,
}
const arb = new Arborist(opts)
const tree = await arb.loadActual()
let filterSet = new Set()
if (opts.workspaces && opts.workspaces.length) {
filterSet =
arb.workspaceDependencySet(
tree,
opts.workspaces,
this.npm.flatOptions.includeWorkspaceRoot
)
} else if (!this.npm.flatOptions.workspacesEnabled) {
filterSet =
arb.excludeWorkspacesDependencySet(tree)
}
const verify = new VerifySignatures(tree, filterSet, this.npm, { ...opts })
await verify.run()
const result = verify.report()
process.exitCode = process.exitCode || result.exitCode
this.npm.output(result.report)
}
}
module.exports = Audit
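Review bot: `new VerifySignatures(tree, filterSet, this.npm, { ...opts })` spreads an object literal that was built a few lines earlier specifically for this call; pass `opts` directly. A short comment near `let filterSet = new Set()` would also help: when workspaces are enabled but none are selected, neither branch assigns to it, so the reader has to know from `VerifySignatures` that an empty set means "no filtering" rather than "nothing to check".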

View File

@ -40,6 +40,9 @@ class PackageUrlCommand extends BaseCommand {
}
async execWorkspaces (args, filters) {
if (args && args.length) {
return this.exec(args)
}
await this.setWorkspaces(filters)
return this.exec(this.workspacePaths)
}

View File

@ -3,6 +3,7 @@ module.exports = definitions
const Definition = require('./definition.js')
const log = require('../log-shim')
const { version: npmVersion } = require('../../../package.json')
const ciDetect = require('@npmcli/ci-detect')
const ciName = ciDetect()
@ -238,17 +239,24 @@ define('audit-level', {
define('auth-type', {
default: 'legacy',
type: ['legacy', 'webauthn', 'sso', 'saml', 'oauth'],
deprecated: `
The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web-based login.
`,
type: ['legacy', 'web', 'sso', 'saml', 'oauth', 'webauthn'],
// deprecation in description rather than field, because not every value
// is deprecated
description: `
What authentication strategy to use with \`adduser\`/\`login\`.
NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version.
Pass \`webauthn\` to use a web-based login.
What authentication strategy to use with \`login\`.
`,
flatten,
flatten (key, obj, flatOptions) {
flatOptions.authType = obj[key]
if (obj[key] === 'sso') {
// no need to deprecate saml/oauth here, as sso-type will be set by these in
// lib/auth/ and is deprecated already
log.warn('config',
'--auth-type=sso is will be removed in a future version.')
}
},
})
define('before', {
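Review bot: the warning text `'--auth-type=sso is will be removed in a future version.'` has a grammar slip ("is will be"); drop "is". The description now lists `web` as a valid type but never says what it does, while the removed line "Pass `webauthn` to use a web-based login" was the only sentence describing the web-based flow; add one sentence for `web`. Putting the "What authentication strategy to use with `login`" sentence before the removal NOTE would also read more naturally.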

View File

@ -1,4 +1,4 @@
.TH "NPM\-ACCESS" "1" "June 2022" "" ""
.TH "NPM\-ACCESS" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-access\fR \- Set access level on published packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-ADDUSER" "1" "June 2022" "" ""
.TH "NPM\-ADDUSER" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-adduser\fR \- Add a registry user account
.SS Synopsis
@ -82,16 +82,14 @@ npm init \-\-scope=@foo \-\-yes
.IP \(bu 2
Default: "legacy"
.IP \(bu 2
Type: "legacy", "webauthn", "sso", "saml", or "oauth"
.IP \(bu 2
DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web\-based login\.
Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
.RE
.P
What authentication strategy to use with \fBadduser\fP/\fBlogin\fP\|\.
NOTE: auth\-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version\.
.P
Pass \fBwebauthn\fP to use a web\-based login\.
What authentication strategy to use with \fBlogin\fP\|\.
.SS See Also
.RS 0
.IP \(bu 2

View File

@ -1,11 +1,11 @@
.TH "NPM\-AUDIT" "1" "June 2022" "" ""
.TH "NPM\-AUDIT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-audit\fR \- Run a security audit
.SS Synopsis
.P
.RS 2
.nf
npm audit [fix]
npm audit [fix|signatures]
.fi
.RE
.SS Description
@ -29,6 +29,16 @@ vulnerability is found\. It may be useful in CI environments to include the
\fB\-\-audit\-level\fP parameter to specify the minimum vulnerability level that
will cause the command to fail\. This option does not filter the report
output, it simply changes the command's failure threshold\.
.SS Audit Signatures
.P
This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from\. npm will attempt to download the keys from \fB/\-/npm/v1/keys\fP on
each the registry used to download any given package\. It will then
check the \fBdist\.signatures\fP object in the package itself, and verify the
\fBsig\fP present there using the \fBkeyid\fP there, matching it with a key
returned from the registry\. The command for this is \fBnpm audit
signatures\fP
.SS Audit Endpoints
.P
There are two audit endpoints that npm may use to fetch vulnerability
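Review bot: typo in the new Audit Signatures paragraph: "on each the registry used to download any given package" should read "on each registry used to download any given package", and the closing sentence "The command for this is `npm audit signatures`" lacks a period. It would also help users reading a clean report to document what the implementation does when a registry returns no keys from `/-/npm/v1/keys`: such packages are skipped rather than reported as missing signatures, so a clean result only covers registries that publish keys.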

View File

@ -1,4 +1,4 @@
.TH "NPM\-BIN" "1" "June 2022" "" ""
.TH "NPM\-BIN" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-bin\fR \- Display npm bin folder
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-BUGS" "1" "June 2022" "" ""
.TH "NPM\-BUGS" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-bugs\fR \- Report bugs for a package in a web browser
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-CACHE" "1" "June 2022" "" ""
.TH "NPM\-CACHE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-cache\fR \- Manipulates packages cache
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-CI" "1" "June 2022" "" ""
.TH "NPM\-CI" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-ci\fR \- Clean install a project
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-COMPLETION" "1" "June 2022" "" ""
.TH "NPM\-COMPLETION" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-completion\fR \- Tab Completion for npm
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-CONFIG" "1" "June 2022" "" ""
.TH "NPM\-CONFIG" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-config\fR \- Manage the npm configuration files
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DEDUPE" "1" "June 2022" "" ""
.TH "NPM\-DEDUPE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-dedupe\fR \- Reduce duplication in the package tree
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DEPRECATE" "1" "June 2022" "" ""
.TH "NPM\-DEPRECATE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-deprecate\fR \- Deprecate a version of a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DIFF" "1" "June 2022" "" ""
.TH "NPM\-DIFF" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-diff\fR \- The registry diff command
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DIST\-TAG" "1" "June 2022" "" ""
.TH "NPM\-DIST\-TAG" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-dist-tag\fR \- Modify package distribution tags
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DOCS" "1" "June 2022" "" ""
.TH "NPM\-DOCS" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-docs\fR \- Open documentation for a package in a web browser
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-DOCTOR" "1" "June 2022" "" ""
.TH "NPM\-DOCTOR" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-doctor\fR \- Check your npm environment
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-EDIT" "1" "June 2022" "" ""
.TH "NPM\-EDIT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-edit\fR \- Edit an installed package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-EXEC" "1" "June 2022" "" ""
.TH "NPM\-EXEC" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-exec\fR \- Run a command from a local or remote npm package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-EXPLAIN" "1" "June 2022" "" ""
.TH "NPM\-EXPLAIN" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-explain\fR \- Explain installed packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-EXPLORE" "1" "June 2022" "" ""
.TH "NPM\-EXPLORE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-explore\fR \- Browse an installed package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-FIND\-DUPES" "1" "June 2022" "" ""
.TH "NPM\-FIND\-DUPES" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-find-dupes\fR \- Find duplication in the package tree
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-FUND" "1" "June 2022" "" ""
.TH "NPM\-FUND" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-fund\fR \- Retrieve funding information
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-HELP\-SEARCH" "1" "June 2022" "" ""
.TH "NPM\-HELP\-SEARCH" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-help-search\fR \- Search npm help documentation
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-HELP" "1" "June 2022" "" ""
.TH "NPM\-HELP" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-help\fR \- Get help on npm
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-HOOK" "1" "June 2022" "" ""
.TH "NPM\-HOOK" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-hook\fR \- Manage registry hooks
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-INIT" "1" "June 2022" "" ""
.TH "NPM\-INIT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-init\fR \- Create a package\.json file
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-INSTALL\-CI\-TEST" "1" "June 2022" "" ""
.TH "NPM\-INSTALL\-CI\-TEST" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-install-ci-test\fR \- Install a project with a clean slate and run tests
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-INSTALL\-TEST" "1" "June 2022" "" ""
.TH "NPM\-INSTALL\-TEST" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-install-test\fR \- Install package(s) and run tests
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-INSTALL" "1" "June 2022" "" ""
.TH "NPM\-INSTALL" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-install\fR \- Install a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-LINK" "1" "June 2022" "" ""
.TH "NPM\-LINK" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-link\fR \- Symlink a package folder
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-LOGOUT" "1" "June 2022" "" ""
.TH "NPM\-LOGOUT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-logout\fR \- Log out of the registry
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-LS" "1" "June 2022" "" ""
.TH "NPM\-LS" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-ls\fR \- List installed packages
.SS Synopsis
@ -26,7 +26,7 @@ example, running \fBnpm ls promzard\fP in npm's source tree will show:
.P
.RS 2
.nf
npm@8\.13\.2 /path/to/npm
npm@8\.14\.0 /path/to/npm
└─┬ init\-package\-json@0\.0\.4
└── promzard@0\.1\.5
.fi

View File

@ -1,4 +1,4 @@
.TH "NPM\-ORG" "1" "June 2022" "" ""
.TH "NPM\-ORG" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-org\fR \- Manage orgs
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-OUTDATED" "1" "June 2022" "" ""
.TH "NPM\-OUTDATED" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-outdated\fR \- Check for outdated packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-OWNER" "1" "June 2022" "" ""
.TH "NPM\-OWNER" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-owner\fR \- Manage package owners
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PACK" "1" "June 2022" "" ""
.TH "NPM\-PACK" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-pack\fR \- Create a tarball from a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PING" "1" "June 2022" "" ""
.TH "NPM\-PING" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-ping\fR \- Ping npm registry
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PKG" "1" "June 2022" "" ""
.TH "NPM\-PKG" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-pkg\fR \- Manages your package\.json
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PREFIX" "1" "June 2022" "" ""
.TH "NPM\-PREFIX" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-prefix\fR \- Display prefix
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PROFILE" "1" "June 2022" "" ""
.TH "NPM\-PROFILE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-profile\fR \- Change settings on your registry profile
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PRUNE" "1" "June 2022" "" ""
.TH "NPM\-PRUNE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-prune\fR \- Remove extraneous packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-PUBLISH" "1" "June 2022" "" ""
.TH "NPM\-PUBLISH" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-publish\fR \- Publish a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-REBUILD" "1" "June 2022" "" ""
.TH "NPM\-REBUILD" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-rebuild\fR \- Rebuild a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-REPO" "1" "June 2022" "" ""
.TH "NPM\-REPO" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-repo\fR \- Open package repository page in the browser
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-RESTART" "1" "June 2022" "" ""
.TH "NPM\-RESTART" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-restart\fR \- Restart a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-ROOT" "1" "June 2022" "" ""
.TH "NPM\-ROOT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-root\fR \- Display npm root
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-RUN\-SCRIPT" "1" "June 2022" "" ""
.TH "NPM\-RUN\-SCRIPT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-run-script\fR \- Run arbitrary package scripts
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-SEARCH" "1" "June 2022" "" ""
.TH "NPM\-SEARCH" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-search\fR \- Search for packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-SET\-SCRIPT" "1" "June 2022" "" ""
.TH "NPM\-SET\-SCRIPT" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-set-script\fR \- Set tasks in the scripts section of package\.json
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-SHRINKWRAP" "1" "June 2022" "" ""
.TH "NPM\-SHRINKWRAP" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-shrinkwrap\fR \- Lock down dependency versions for publication
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-STAR" "1" "June 2022" "" ""
.TH "NPM\-STAR" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-star\fR \- Mark your favorite packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-STARS" "1" "June 2022" "" ""
.TH "NPM\-STARS" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-stars\fR \- View packages marked as favorites
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-START" "1" "June 2022" "" ""
.TH "NPM\-START" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-start\fR \- Start a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-STOP" "1" "June 2022" "" ""
.TH "NPM\-STOP" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-stop\fR \- Stop a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-TEAM" "1" "June 2022" "" ""
.TH "NPM\-TEAM" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-team\fR \- Manage organization teams and team memberships
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-TEST" "1" "June 2022" "" ""
.TH "NPM\-TEST" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-test\fR \- Test a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-TOKEN" "1" "June 2022" "" ""
.TH "NPM\-TOKEN" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-token\fR \- Manage your authentication tokens
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-UNINSTALL" "1" "June 2022" "" ""
.TH "NPM\-UNINSTALL" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-uninstall\fR \- Remove a package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-UNPUBLISH" "1" "June 2022" "" ""
.TH "NPM\-UNPUBLISH" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-unpublish\fR \- Remove a package from the registry
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-UNSTAR" "1" "June 2022" "" ""
.TH "NPM\-UNSTAR" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-unstar\fR \- Remove an item from your favorite packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-UPDATE" "1" "June 2022" "" ""
.TH "NPM\-UPDATE" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-update\fR \- Update packages
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-VERSION" "1" "June 2022" "" ""
.TH "NPM\-VERSION" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-version\fR \- Bump a package version
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-VIEW" "1" "June 2022" "" ""
.TH "NPM\-VIEW" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-view\fR \- View registry info
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "NPM\-WHOAMI" "1" "June 2022" "" ""
.TH "NPM\-WHOAMI" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm-whoami\fR \- Display npm username
.SS Synopsis

View File

@ -1,10 +1,10 @@
.TH "NPM" "1" "June 2022" "" ""
.TH "NPM" "1" "July 2022" "" ""
.SH "NAME"
\fBnpm\fR \- javascript package manager
.SS Synopsis
.SS Version
.P
8\.13\.2
8\.14\.0
.SS Description
.P
npm is the package manager for the Node JavaScript platform\. It puts
@ -97,7 +97,7 @@ done via npm help \fBinstall\fP
.IP \(bu 2
adduser:
Create an account or log in\. When you do this, npm will store
credentials in the user config file config file\.
credentials in the user config file\.
.IP \(bu 2
publish:
Use the npm help \fBpublish\fP command to upload your

View File

@ -1,4 +1,4 @@
.TH "NPX" "1" "June 2022" "" ""
.TH "NPX" "1" "July 2022" "" ""
.SH "NAME"
\fBnpx\fR \- Run a command from a local or remote npm package
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "FOLDERS" "5" "June 2022" "" ""
.TH "FOLDERS" "5" "July 2022" "" ""
.SH "NAME"
\fBfolders\fR \- Folder Structures Used by npm
.SS Description

View File

@ -1,4 +1,4 @@
.TH "INSTALL" "5" "June 2022" "" ""
.TH "INSTALL" "5" "July 2022" "" ""
.SH "NAME"
\fBinstall\fR \- Download and install node and npm
.SS Description

View File

@ -1,4 +1,4 @@
.TH "NPM\-SHRINKWRAP\.JSON" "5" "June 2022" "" ""
.TH "NPM\-SHRINKWRAP\.JSON" "5" "July 2022" "" ""
.SH "NAME"
\fBnpm-shrinkwrap.json\fR \- A publishable lockfile
.SS Description

View File

@ -1,4 +1,4 @@
.TH "NPMRC" "5" "June 2022" "" ""
.TH "NPMRC" "5" "July 2022" "" ""
.SH "NAME"
\fBnpmrc\fR \- The npm config files
.SS Description

View File

@ -1,4 +1,4 @@
.TH "PACKAGE\.JSON" "5" "June 2022" "" ""
.TH "PACKAGE\.JSON" "5" "July 2022" "" ""
.SH "NAME"
\fBpackage.json\fR \- Specifics of npm's package\.json handling
.SS Description
@ -132,7 +132,7 @@ OSI \fIhttps://opensource\.org/licenses/alphabetical\fR approved\.
.P
If your package is licensed under multiple common licenses, use an SPDX
license expression syntax version 2\.0
string \fIhttps://www\.npmjs\.com/package/spdx\fR, like this:
string \fIhttps://spdx\.dev/specifications/\fR, like this:
.P
.RS 2
.nf

View File

@ -1,4 +1,4 @@
.TH "PACKAGE\-LOCK\.JSON" "5" "June 2022" "" ""
.TH "PACKAGE\-LOCK\.JSON" "5" "July 2022" "" ""
.SH "NAME"
\fBpackage-lock.json\fR \- A manifestation of the manifest
.SS Description

View File

@ -1,4 +1,4 @@
.TH "CONFIG" "7" "June 2022" "" ""
.TH "CONFIG" "7" "July 2022" "" ""
.SH "NAME"
\fBconfig\fR \- More than you probably want to know about npm configuration
.SS Description
@ -247,6 +247,19 @@ Type: null, "info", "low", "moderate", "high", "critical", or "none"
.P
The minimum level of vulnerability for \fBnpm audit\fP to exit with a non\-zero
exit code\.
.SS \fBauth\-type\fP
.RS 0
.IP \(bu 2
Default: "legacy"
.IP \(bu 2
Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
.RE
.P
NOTE: auth\-type values "sso", "saml", "oauth", and "webauthn" will be
removed in a future version\.
.P
What authentication strategy to use with \fBlogin\fP\|\.
.SS \fBbefore\fP
.RS 0
.IP \(bu 2
@ -1992,21 +2005,6 @@ DEPRECATED: Please use \-\-include=dev instead\.
.RE
.P
When set to \fBdev\fP or \fBdevelopment\fP, this is an alias for \fB\-\-include=dev\fP\|\.
.SS \fBauth\-type\fP
.RS 0
.IP \(bu 2
Default: "legacy"
.IP \(bu 2
Type: "legacy", "webauthn", "sso", "saml", or "oauth"
.IP \(bu 2
DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
a future version of npm in favor of web\-based login\.
.RE
.P
What authentication strategy to use with \fBadduser\fP/\fBlogin\fP\|\.
.P
Pass \fBwebauthn\fP to use a web\-based login\.
.SS \fBcache\-max\fP
.RS 0
.IP \(bu 2

View File

@ -1,4 +1,4 @@
.TH "DEVELOPERS" "7" "June 2022" "" ""
.TH "DEVELOPERS" "7" "July 2022" "" ""
.SH "NAME"
\fBdevelopers\fR \- Developer Guide
.SS Description

View File

@ -1,4 +1,4 @@
.TH "LOGGING" "7" "June 2022" "" ""
.TH "LOGGING" "7" "July 2022" "" ""
.SH "NAME"
\fBLogging\fR \- Why, What & How We Log
.SS Description

View File

@ -1,4 +1,4 @@
.TH "ORGS" "7" "June 2022" "" ""
.TH "ORGS" "7" "July 2022" "" ""
.SH "NAME"
\fBorgs\fR \- Working with Teams & Orgs
.SS Description

View File

@ -1,4 +1,4 @@
.TH "PACKAGE\-SPEC" "7" "June 2022" "" ""
.TH "PACKAGE\-SPEC" "7" "July 2022" "" ""
.SH "NAME"
\fBpackage-spec\fR \- Package name specifier
.SS Description

View File

@ -1,4 +1,4 @@
.TH "REGISTRY" "7" "June 2022" "" ""
.TH "REGISTRY" "7" "July 2022" "" ""
.SH "NAME"
\fBregistry\fR \- The JavaScript Package Registry
.SS Description

View File

@ -1,4 +1,4 @@
.TH "REMOVAL" "7" "June 2022" "" ""
.TH "REMOVAL" "7" "July 2022" "" ""
.SH "NAME"
\fBremoval\fR \- Cleaning the Slate
.SS Synopsis

View File

@ -1,4 +1,4 @@
.TH "SCOPE" "7" "June 2022" "" ""
.TH "SCOPE" "7" "July 2022" "" ""
.SH "NAME"
\fBscope\fR \- Scoped packages
.SS Description

View File

@ -1,4 +1,4 @@
.TH "SCRIPTS" "7" "June 2022" "" ""
.TH "SCRIPTS" "7" "July 2022" "" ""
.SH "NAME"
\fBscripts\fR \- How npm handles the "scripts" field
.SS Description
@ -37,7 +37,7 @@ situations\. These scripts happen in addition to the \fBpre<event>\fP, \fBpost<e
\fB<event>\fP scripts\.
.RS 0
.IP \(bu 2
\fBprepare\fP, \fBprepublish\fP, \fBprepublishOnly\fP, \fBprepack\fP, \fBpostpack\fP
\fBprepare\fP, \fBprepublish\fP, \fBprepublishOnly\fP, \fBprepack\fP, \fBpostpack\fP, \fBdependencies\fP
.RE
.P
@ -94,6 +94,15 @@ NOTE: "\fBnpm run pack\fP" is NOT the same as "\fBnpm pack\fP"\. "\fBnpm run pac
.IP \(bu 2
Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)
.RE
.P
\fBdependencies\fR
.RS 0
.IP \(bu 2
Runs AFTER any operations that modify the \fBnode_modules\fP directory IF changes occurred\.
.IP \(bu 2
Does NOT run in global mode
.RE
.SS Prepare and Prepublish
.P
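Review bot: the new `dependencies` bullet "Does NOT run in global mode" has no trailing period, unlike the sibling bullet above it. Since this is a new lifecycle script that runs automatically after any install-like operation, the entry should also state whether `--ignore-scripts` suppresses it, as it does for the other lifecycle scripts listed here.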
@ -129,6 +138,9 @@ You don't need to rely on your users having \fBcurl\fP or \fBwget\fP or
other system tools on the target machines\.
.RE
.SS Dependencies
.P
The \fBdependencies\fP script is run any time an \fBnpm\fP command causes changes to the \fBnode_modules\fP directory\. It is run AFTER the changes have been applied and the \fBpackage\.json\fP and \fBpackage\-lock\.json\fP files have been updated\.
.SS Life Cycle Operation Order
.SS npm help \fBcache add\fP
.RS 0
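Review bot: the new Dependencies section says the script runs "any time an npm command causes changes to the node_modules directory", but the bullet list added earlier in this file states it does NOT run in global mode; repeat that exception here so the two descriptions agree.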

View File

@ -1,4 +1,4 @@
.TH "WORKSPACES" "7" "June 2022" "" ""
.TH "WORKSPACES" "7" "July 2022" "" ""
.SH "NAME"
\fBworkspaces\fR \- Working with workspaces
.SS Description
@ -58,7 +58,7 @@ structure of files and folders:
.nf
\|\.
+\-\- node_modules
| `\-\- packages/a \-> \.\./packages/a
| `\-\- a \-> \.\./packages/a
+\-\- package\-lock\.json
+\-\- package\.json
`\-\- packages
@ -117,16 +117,16 @@ respect the provided \fBworkspace\fP configuration\.
.P
Given the specifities of how Node\.js handles module resolution \fIhttps://nodejs\.org/dist/latest\-v14\.x/docs/api/modules\.html#modules_all_together\fR it's possible to consume any defined workspace
by its declared \fBpackage\.json\fP \fBname\fP\|\. Continuing from the example defined
above, let's also create a Node\.js script that will require the \fBworkspace\-a\fP
above, let's also create a Node\.js script that will require the workspace \fBa\fP
example module, e\.g:
.P
.RS 2
.nf
// \./workspace\-a/index\.js
// \./packages/a/index\.js
module\.exports = 'a'
// \./lib/index\.js
const moduleA = require('workspace\-a')
const moduleA = require('a')
console\.log(moduleA) // \-> a
.fi
.RE

Some files were not shown because too many files have changed in this diff.