deps: update npm to 5.5.1

Closes: #16280 PR-URL: #16509 Fixes: #14161 Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michaël Zasso <targos@protonmail.com>
nodejs · Oct 30, 2017 · 0d7e4d2 · 0d7e4d2
1 parent 4359a93
commit 0d7e4d2
Show file tree

Hide file tree

Showing 1,388 changed files with 92,493 additions and 19,935 deletions.
diff --git a/deps/npm/CHANGELOG.md b/deps/npm/CHANGELOG.md
@@ -1,3 +1,118 @@
+## v5.5.1 (2017-10-04):
+
+A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.
+
+* [`e628e058b`](https://github.com/npm/npm/commit/e628e058b)
+ Fix login to properly recognize OTP request and store bearer tokens.
+ ([@Rebecca Turner](https://github.com/Rebecca Turner))
+
+## v5.5.0 (2017-10-04):
+
+Hey y'all, this is a big new feature release! We've got some security
+related goodies plus a some quality-of-life improvements for anyone who uses
+the public registry (so, virtually everyone).
+
+The changes largely came together in one piece, so I'm just gonna leave the commit line here:
+
+* [`f6ebf5e8b`](https://github.com/npm/npm/commit/f6ebf5e8bd6a212c7661e248c62c423f2b54d978)
+ [`f97ad6a38`](https://github.com/npm/npm/commit/f97ad6a38412581d059108ea29be470acb4fa510)
+ [`f644018e6`](https://github.com/npm/npm/commit/f644018e6ef1ff7523c6ec60ae55a24e87a9d9ae)
+ [`8af91528c`](https://github.com/npm/npm/commit/8af91528ce6277cd3a8c7ca8c8102671baf10d2f)
+ [`346a34260`](https://github.com/npm/npm/commit/346a34260b5fba7de62717135f3e083cc4820853)
+ Two factor authentication, profile editing and token management.
+ ([@iarna](https://github.com/iarna))
+
+### TWO FACTOR AUTHENTICATION
+
+You can now enable two-factor authentication for your npm account. You can
+even do it from the CLI. In fact, you have to, for the time being:
+
+```
+npm profile enable-tfa
+```
+
+With the default two-factor authentication mode you'll be prompted to enter
+a one-time password when logging in, when publishing and when modifying access rights to
+your modules.
+
+### TOKEN MANAGEMENT
+
+You can now create, list and delete authentication tokens from the comfort
+of the command line. Authentication tokens created this way can have NEW
+restrictions placed on them. For instance, you can create a `read-only`
+token to give to your CI. It will be able to download your private modules
+but it won't be able to publish or modify modules. You can also create
+tokens that can only be used from certain network addresses. This way you
+can lock down access to your corporate VPN or other trusted machines.
+
+Deleting tokens isn't new, you could [do it via the
+website](https://www.npmjs.com/settings/tokens) but now you can do it via
+the CLI as well.
+
+### CHANGE YOUR PASSWORD, SET YOUR EMAIL
+
+You can finally change your password from the CLI with `npm profile set
+password`! You can also update your email address with `npm profile set
+email <address>`. If you change your email address we'll send you a new
+verification email so you verify that its yours.
+
+### AND EVERYTHING ELSE ON YOUR PROFILE
+
+You can also update all of the other attributes of your profile that
+previously you could only update via the website: `fullname`, `homepage`,
+`freenode`, `twitter` and `github`.
+
+### AVAILABLE STAND ALONE
+
+All of these features were implemented in a stand alone library, so if you
+have use for them in your own project you can find them in
+[npm-profile](https://www.npmjs.com/package/npm-profile) on the registry.
+There's also a little mini-cli written just for it at
+[npm-profile-cli](https://www.npmjs.com/package/npm-profile-cli). You might
+also be interested in the [API
+documentation](https://github.com/npm/registry/tree/master/docs) for these
+new features: [user profile editing](https://github.com/npm/registry/blob/master/docs/user/profile.md) and
+[authentication](https://github.com/npm/registry/blob/master/docs/user/authentication.md).
+
+### BUG FIXES
+
+* [`5ee55dc71`](https://github.com/npm/npm/commit/5ee55dc71b8b74b8418c3d5ec17483a07b3b6777)
+ install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on
+ any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying
+ to upgrade using `curl | http://npmjs.com/install.sh`.
+ ([@iarna](https://github.com/iarna))
+* [`5cad1699a`](https://github.com/npm/npm/commit/5cad1699a7a0fc85ac7f77a95087a9647f75e344)
+ `npm-lifecycle@1.0.3` Fix a bug where when more than one lifecycle script
+ got queued to run, npm would crash.
+ ([@zkat](https://github.com/zkat))
+* [`cd256cbb2`](https://github.com/npm/npm/commit/cd256cbb2f97fcbcb82237e94b66eac80e493626)
+ `npm-packlist@1.1.9` Fix a bug where test directories would always be
+ excluded from published modules.
+ ([@isaacs](https://github.com/isaacs))
+* [`2a11f0215`](https://github.com/npm/npm/commit/2a11f021561acb1eb1ad4ad45ad955793b1eb4af)
+ Fix formatting of unsupported version warning
+ ([@iarna](https://github.com/iarna))
+
+### DEPENDENCY UPDATES
+
+* [`6d2a285a5`](https://github.com/npm/npm/commit/6d2a285a58655f10834f64d38449eb1f3c8b6c47)
+ `npm-registry-client@8.5.0`
+* [`69e64e27b`](https://github.com/npm/npm/commit/69e64e27bf58efd0b76b3cf6e8182c77f8cc452f)
+ `request@2.83.0`
+* [`34e0f4209`](https://github.com/npm/npm/commit/34e0f42090f6153eb5462f742e402813e4da56c8)
+ `abbrev@1.1.1`
+* [`10d31739d`](https://github.com/npm/npm/commit/10d31739d39765f1f0249f688bd934ffad92f872)
+ `aproba@1.2.0`
+* [`2b02e86c0`](https://github.com/npm/npm/commit/2b02e86c06cf2a5fe7146404f5bfd27f190ee4f4)
+ `meant@1.0.1`
+* [`b81fff808`](https://github.com/npm/npm/commit/b81fff808ee269361d3dcf38c1b6019f1708ae02)
+ `rimraf@2.6.2`:
+ Fixes a long standing bug in rimraf's attempts to work around Windows limitations
+ where it owns a file and can change its perms but can't remove it without
+ first changing its perms. This _may_ be an improvement for Windows users of npm under
+ some circumstances.
+ ([@isaacs](https://github.com/isaacs))
+
 ## v5.4.2 (2017-09-14):
 
 This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.

diff --git a/deps/npm/doc/cli/npm-access.md b/deps/npm/doc/cli/npm-access.md
@@ -60,6 +60,9 @@ You must have privileges to set the access of a package:
 * You have been given read-write privileges for a package, either as a member
  of a team or directly as an owner.
 
+If you have two-factor authentication enabled then you'll have to pass in an
+otp with `--otp` when making access changes.
+
 If your account is not paid, then attempts to publish scoped packages will fail
 with an HTTP 402 status code (logically enough), unless you use
 `--access=public`.

diff --git a/deps/npm/doc/cli/npm-dist-tag.md b/deps/npm/doc/cli/npm-dist-tag.md
@@ -15,7 +15,9 @@ Add, remove, and enumerate distribution tags on a package:
 
 * add:
  Tags the specified version of the package with the specified tag, or the
- `--tag` config if not specified.
+ `--tag` config if not specified. The tag you're adding is `latest` and you
+ have two-factor authentication on auth-and-writes then you'll need to include
+ an otp on the command line with `--otp`.
 
 * rm:
  Clear a tag that is no longer in use from the package.

diff --git a/deps/npm/doc/cli/npm-owner.md b/deps/npm/doc/cli/npm-owner.md
@@ -27,6 +27,10 @@ Note that there is only one level of access. Either you can modify a package,
 or you can't. Future versions may contain more fine-grained access levels, but
 that is not implemented at this time.
 
+If you have two-factor authentication enabled with `auth-and-writes` then
+you'll need to include an otp on the command line when changing ownership
+with `--otp`.
+
 ## SEE ALSO
 
 * npm-publish(1)

diff --git a/deps/npm/doc/cli/npm-profile.md b/deps/npm/doc/cli/npm-profile.md
@@ -0,0 +1,74 @@
+npm-profile(1) -- Change settings on your registry profile
+==========================================================
+
+## SYNOPSIS
+
+ npm profile get [--json|--parseable] [<property>]
+ npm profile set [--json|--parseable] <property> <value>
+ npm profile set password
+ npm profile enable-2fa [auth-and-writes|auth-only]
+ npm profile disable-2fa
+
+## DESCRIPTION
+
+Change your profile information on the registry. This not be available if
+you're using a non-npmjs registry.
+
+* `npm profile get [<property>]`:
+ Display all of the properties of your profile, or one or more specific
+ properties. It looks like:
+
+```
++-----------------+---------------------------+
+| name | example |
++-----------------+---------------------------+
+| email | me@example.com (verified) |
++-----------------+---------------------------+
+| two factor auth | auth-and-writes |
++-----------------+---------------------------+
+| fullname | Example User |
++-----------------+---------------------------+
+| homepage | |
++-----------------+---------------------------+
+| freenode | |
++-----------------+---------------------------+
+| twitter | |
++-----------------+---------------------------+
+| github | |
++-----------------+---------------------------+
+| created | 2015-02-26T01:38:35.892Z |
++-----------------+---------------------------+
+| updated | 2017-10-02T21:29:45.922Z |
++-----------------+---------------------------+
+```
+
+* `npm profile set <property> <value>`:
+ Set the value of a profile property. You can set the following properties this way:
+ email, fullname, homepage, freenode, twitter, github
+
+* `npm profile set password`:
+ Change your password. This is interactive, you'll be prompted for your
+ current password and a new password. You'll also be prompted for an OTP
+ if you have two-factor authentication enabled.
+
+* `npm profile enable-2fa [auth-and-writes|auth-only]`:
+ Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
+ * `auth-only`: Require an OTP when logging in or making changes to your
+ account's authentication. The OTP will be required on both the website
+ and the command line.
+ * `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when
+ publishing a module, setting the `latest` dist-tag, or changing access
+ via `npm access` and `npm owner`.
+
+* `npm profile disable-2fa`:
+ Disables two-factor authentication.
+
+## DETAILS
+
+All of the `npm profile` subcommands accept `--json` and `--parseable` and
+will tailor their output based on those. Some of these commands may not be
+available on non npmjs.com registries.
+
+## SEE ALSO
+
+* npm-config(7)
diff --git a/deps/npm/doc/cli/npm-publish.md b/deps/npm/doc/cli/npm-publish.md
@@ -4,7 +4,7 @@ npm-publish(1) -- Publish a package
 
 ## SYNOPSIS
 
- npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>]
+ npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>] [--otp otpcode]
 
  Publishes '.' if no argument supplied
  Sets tag 'latest' if no --tag specified
@@ -41,6 +41,11 @@ specifying a different default registry or using a `npm-scope(7)` in the name
  If you don't have a paid account, you must publish with `--access public`
  to publish scoped packages.
 
+* `[--otp <otpcode>]`
+ If you have two-factor authentication enabled in `auth-and-writes` mode
+ then you can provide a code from your authenticator with this. If you
+ don't include this and you're running from a TTY then you'll be prompted.
+
 Fails if the package name and version combination already exists in
 the specified registry.
 
@@ -65,3 +70,4 @@ packs them into a tarball to be uploaded to the registry.
 * npm-deprecate(1)
 * npm-dist-tag(1)
 * npm-pack(1)
+* npm-profile(1)
diff --git a/deps/npm/doc/cli/npm-token.md b/deps/npm/doc/cli/npm-token.md
@@ -0,0 +1,59 @@
+npm-token(1) -- Manage your authentication tokens
+=================================================
+
+## SYNOPSIS
+
+ npm token list [--json|--parseable]
+ npm token create [--read-only] [--cidr=1.1.1.1/24,2.2.2.2/16]
+ npm token delete <id|token>
+
+## DESCRIPTION
+
+This list you list, create and delete authentication tokens.
+
+* `npm token list`:
+ Shows a table of all active authentication tokens. You can request this as
+ JSON with `--json` or tab-separated values with `--parseable`.
+```
++--------+---------+------------+----------+----------------+
+| id | token | created | read-only | CIDR whitelist |
++--------+---------+------------+----------+----------------+
+| 7f3134 | 1fa9ba… | 2017-10-02 | yes | |
++--------+---------+------------+----------+----------------+
+| c03241 | af7aef… | 2017-10-02 | no | 192.168.0.1/24 |
++--------+---------+------------+----------+----------------+
+| e0cf92 | 3a436a… | 2017-10-02 | no | |
++--------+---------+------------+----------+----------------+
+| 63eb9d | 74ef35… | 2017-09-28 | no | |
++--------+---------+------------+----------+----------------+
+| 2daaa8 | cbad5f… | 2017-09-26 | no | |
++--------+---------+------------+----------+----------------+
+| 68c2fe | 127e51… | 2017-09-23 | no | |
++--------+---------+------------+----------+----------------+
+| 6334e1 | 1dadd1… | 2017-09-23 | no | |
++--------+---------+------------+----------+----------------+
+```
+
+* `npm token create [--read-only] [--cidr=<cidr-ranges>]`:
+ Create a new authentication token. It can be `--read-only` or accept a list of
+ [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) ranges to
+ limit use of this token to. This will prompt you for your password, and, if you have
+ two-factor authentication enabled, an otp.
+
+```
++----------------+--------------------------------------+
+| token | a73c9572-f1b9-8983-983d-ba3ac3cc913d |
++----------------+--------------------------------------+
+| cidr_whitelist | |
++----------------+--------------------------------------+
+| readonly | false |
++----------------+--------------------------------------+
+| created | 2017-10-02T07:52:24.838Z |
++----------------+--------------------------------------+
+```
+
+* `npm token delete <token|id>`:
+ This removes an authentication token, making it immediately unusable. This can accept
+ both complete tokens (as you get back from `npm token create` and will
+ find in your `.npmrc`) and ids as seen in the `npm token list` output.
+ This will NOT accept the truncated token found in `npm token list` output.
diff --git a/deps/npm/doc/misc/npm-config.md b/deps/npm/doc/misc/npm-config.md
@@ -269,6 +269,13 @@ PEM format (Windows calls it "Base-64 encoded X.509 (.CER)") with newlines repla
 
 It is _not_ the path to a certificate file (and there is no "certfile" option).
 
+### cidr
+
+* Default: `null`
+* Type: String, Array, null
+
+This is a list of CIDR address to be used when configuring limited access tokens with the `npm token create` command.
+
 ### color
 
 * Default: true
@@ -699,6 +706,14 @@ Attempt to install packages in the `optionalDependencies` object. Note
 that if these packages fail to install, the overall installation
 process is not aborted.
 
+### otp
+
+* Default: null
+* Type: Number
+
+This is a one-time password from a two-factor authenticator. It's needed
+when publishing or changing package permissions with `npm access`.
+
 ### package-lock
 
 * Default: true
@@ -773,6 +788,13 @@ A proxy to use for outgoing http requests. If the `HTTP_PROXY` or
 `http_proxy` environment variables are set, proxy settings will be
 honored by the underlying `request` library.
 
+### read-only
+
+* Default: false
+* Type: Boolean
+
+This is used to mark a token as unable to publish when configuring limited access tokens with the `npm token create` command.
+
 ### rebuild-bundle
 
 * Default: true

diff --git a/deps/npm/doc/misc/npm-index.md b/deps/npm/doc/misc/npm-index.md
@@ -129,6 +129,10 @@ Ping npm registry
 
 Display prefix
 
+### npm-profile(1)
+
+Change settings on your registry profile
+
 ### npm-prune(1)
 
 Remove extraneous packages
@@ -189,6 +193,10 @@ Manage organization teams and team memberships
 
 Test a package
 
+### npm-token(1)
+
+Manage your authentication tokens
+
 ### npm-uninstall(1)
 
 Remove a package

diff --git a/deps/npm/html/doc/README.html b/deps/npm/html/doc/README.html
@@ -127,5 +127,5 @@ <h2 id="see-also">SEE ALSO</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.4.2</p>
+<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.5.1</p>
 
diff --git a/deps/npm/html/doc/cli/npm-access.html b/deps/npm/html/doc/cli/npm-access.html
@@ -61,6 +61,8 @@ <h2 id="details">DETAILS</h2>
 <li>You have been given read-write privileges for a package, either as a member
 of a team or directly as an owner.</li>
 </ul>
+<p>If you have two-factor authentication enabled then you&#39;ll have to pass in an
+otp with <code>--otp</code> when making access changes.</p>
 <p>If your account is not paid, then attempts to publish scoped packages will fail
 with an HTTP 402 status code (logically enough), unless you use
 <code>--access=public</code>.</p>
@@ -84,5 +86,5 @@ <h2 id="see-also">SEE ALSO</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-access &mdash; npm@5.4.2</p>
+<p id="footer">npm-access &mdash; npm@5.5.1</p>