deps: upgrade npm to 9.1.3

[npm-cli-bot]

This PR contains changes from: npm@9.0.0 npm@9.0.1 npm@9.1.0 npm@9.1.1 npm@9.1.2 npm@9.1.3

This PR replaces: nodejs/node#45491

---

Summary of Breaking Changes

Based on the list of guidelines we've established on integrating npm and node, here is a grouped list of the breaking changes with the reasoning as to why they fit within the guidelines linked above. Note that all the breaking changes were made in 9.0.0 which can be seen in it's original format but by expanding the 9.0.0 details section below. All subsequent minor and patch releases after npm@9.0.0 do not contain any breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

• npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

• npm will no longer attempt to modify ownership of files it creates

Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

• the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors

Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

• legacy auth types sso, saml & legacy have been consolidated into "legacy"
• auth-type defaults to "web"
• login and adduser are now separate commands that send different data to the registry.
• auth-type config values web and legacy only try their respective methods, npm no longer tries them all and waits to see which one doesn't fail.

Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

• npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.

Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

• links generated from git urls will now use HEAD instead of master as the default ref
• timing has been removed as a value for --loglevel
• --timing will show timing information regardless of --loglevel, except when --silent
• When run with the --timing flag, npm now writes timing data to a file alongside the debug log data, respecting the logs-dir option and falling back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
• The timing file data is no longer newline delimited JSON, and instead each run will create a uniquely named <ID>-timing.json file, with the <ID> portion being the same as the debug log.
• npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it.

Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

• deprecate boolean install flags in favor of --install-strategy
• npm config set will no longer accept deprecated or invalid config options
• install-links config defaults to "true"
• node-version config has been removed
• npm-version config has been removed
• npm access subcommands have been renamed
• npm birthday has been removed
• npm set-script has been removed
• npm bin has been removed (use npx or npm exec to execute binaries)

---

9.0.0

9.0.0 (2022-10-19)

⚠️ BREAKING CHANGES

• npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0
• npm will no longer attempt to modify ownership of files it creates
• the presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors
• login, adduser, and auth-type changes
  • legacy auth types sso, saml & legacy have been consolidated into "legacy"
  • auth-type defaults to "web"
  • login and adduser are now separate commands that send different data to
    the registry.
  • auth-type config values web and legacy only try
    their respective methods, npm no longer tries them all and waits to see
    which one doesn't fail.
• npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.
• links generated from git urls will now use HEAD instead of master as the default ref
• timing and loglevel changes
  • timing has been removed as a value for --loglevel
  • --timing will show timing information regardless of
    --loglevel, except when --silent
• --timing file changes:
  • When run with the --timing flag, npm now writes timing data to a
    file alongside the debug log data, respecting the logs-dir option and
    falling back to <CACHE>/_logs/ dir, instead of directly inside the
    cache directory.
  • The timing file data is no longer newline delimited JSON, and instead
    each run will create a uniquely named <ID>-timing.json file, with the
    <ID> portion being the same as the debug log.
  • Finally, the data inside the file now has three top level keys,
    metadata, timers, and unfinishedTimers instead of everything being
    a top level key.
• npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it. In the future, npm will differentiate between errors and crashes. Errors, such as E404 and ERESOLVE, will be handled and will continue to be output on stdout. In the case of a crash, npm will log the error as usual but will not attempt to display it as json, even in --json mode. Moving a case from the category of an error to a crash will not be considered a breaking change. For more information see npm/rfcs#482.
• deprecate boolean install flags in favor of --install-strategy
  • deprecate --global-style, --global now sets --install-strategy=shallow
  • deprecate --legacy-bundling, now sets --install-strategy=nested
• npm config set will no longer accept deprecated or invalid config options
• install-links config defaults to "true"
• node-version config has been removed
• npm-version config has been removed
• npm access subcommands have been renamed
• npm birthday has been removed
• npm set-script has been removed
• npm bin has been removed (use npx or npm exec to execute binaries)

Features

• a09e19d #5696 introduce the npm config fix command (@nlf)
• d2963c6 explicitly validate config within the cli (@nlf)
• a5fec08 rewrite: docs generation (@lukekarrys)
• 9609e9e #5605 use v3 lockfiles by default (@fritzy)
• 3ae796d implement new npm-packlist behavior (@lukekarrys)
• e64d69a #5581 write eresolve error files to the logs directory (@lukekarrys)
• 3445da0 timings are now written alongside debug log files (@lukekarrys)
• 66ed584 #5551 default auth-type to "web" (@wraithgar)
• 6ee5b32 query: display queryContext in results (@nlf)
• 314311c #5550 separate login/adduser & remove unnecessary auth types (@wraithgar)
• 9c32c6c rewrite: npm access (@wraithgar)
• 854521b rewrite: libnpmaccess (@wraithgar)
• e95017a #5485 feat(workspaces): update supported node engines in package.json (@lukekarrys)
• de2d33f add --install-strategy=hoisted|nested|shallow, deprecate --global-style, --legacy-bundling (#5709) (@fritzy)
• 49bbb2f #5455 remove npm birthday (@wraithgar)
• 926f0ad #5456 remove npm set-script (@wraithgar)
• 2a8c2fc #5458 default install-links to "true" (@wraithgar)
• 2e92800 #5459 remove npm bin (@wraithgar)
• 457d388 #5475 update supported node engines in package.json (@wraithgar)
• 46d038f #5716 output json formatted errors on stdout (@lukekarrys)
• 0a69db4 #5719 refuse to set deprecated/invalid config (@wraithgar)
• 6e4961f separate configs for --timing and --loglevel (@lukekarrys)
• 6a27a7b #5712 deprecated key, cert config options and updated registry scoped auth docs (@fritzy)

Bug Fixes

• c3d7549 add tag to publish log message (@wraithgar)
• a35c784 #5691 config: remove node-version and npm-version (@wraithgar)
• e4e8ae2 libnpmpack: obey foregroundScripts (@winterqt)
• 07fabc9 #5633 npm link should override --install-links (@fritzy)
• 02fcbb6 #5634 ensure Arborist constructor gets passed around everywhere for pacote (@nlf)
• 0d90a01 #5480 audit: add a condition to allow third-party registries returning E400 (@juanheyns, Juan Heyns)
• 41481f8 #5475 attempt more graceful failure in older node versions (@wraithgar)
• fc82298 #5295 npm hook ls duplicates hook name prefixes (@gennadiygashev)
• 3f1fcf0 account for new npm-package-arg behavior (@wraithgar)
• 353b5bb #5710 remove chownr and mkdirp-infer-owner (@nlf)

Documentation

• 285b39f #5324 add documentation for expanded :semver selector (@nlf)
• fd0eebe update registry docs header (@hughlilly)
• 542efdb update folders page for modern npm (@shalvah)
• f37caad #5606 accurately describe install-links effect on relative paths (@lukekarrys)
• 130bc9f #5626 remove circular reference (#5626) (@giovanniPepi)
• f0e7584 #5601 update docs/logging for new --access default (@wraithgar)
• 2d756cb #5527 add instruction to query objects with npm view (@moonith)
• 8743366 #5519 add hash to "tag" config link (@mrienstra, @lukekarrys)
• 5645c51 #5521 link mentions of config parameters (@mrienstra)
• 19762b4 #5529 modify misleading doc about bins (@Hafizur046)
• 19762b4 #5529 modify misleading doc about package.json:bin (@Hafizur046)
• 8402fd8 #5547 add :outdated pseudo selector to docs (@nlf)

Dependencies

df77a1f #5707 Update Major Versions of Dependencies

Updated:

• @npmcli/config@6.0.1
• @npmcli/disparity-colors@3.0.0
• @npmcli/git@4.0.1
• @npmcli/installed-package-contents@2.0.0
• @npmcli/map-workspaces@3.0.0
• @npmcli/metavuln-calculator@5.0.0
• @npmcli/move-file@3.0.0
• @npmcli/node-gyp@3.0.0
• @npmcli/package-json@3.0.0
• @npmcli/promise-spawn@4.0.0
• @npmcli/query@3.0.0
• @npmcli/run-script@5.0.0
• bin-links@4.0.1
• cacache@17.0.1
• ignore-walk@6.0.0
• init-package-json@4.0.1
• json-parse-even-better-errors@3.0.0
• make-fetch-happen@11.0.1
• normalize-package-data@5.0.0
• npm-audit-report@4.0.0
• npm-install-checks@6.0.0
• npm-packlist@7.0.1
• npm-pick-manifest@8.0.1
• npm-profile@7.0.1
• npm-registry-fetch@14.0.2
• npmlog@7.0.0
• pacote@15.0.1
• parse-conflict-json@3.0.0
• proc-log@3.0.0
• read-package-json-fast@3.0.1
• read-package-json@6.0.0
• ssri@10.0.0
• treeverse@3.0.0
• validate-npm-package-name@5.0.0
• write-file-atomic@5.0.0

Removed:

• @npmcli/fs

9.0.1

9.0.1 (2022-10-26)

Documentation

• b5fadd0 #5742 Better npx link (#5742) (@mrienstra)

Dependencies

• de6618e #5757 @npmcli/promise-spawn@5.0.0 (#5757)
• 5625274 #5755 hosted-git-info@6.1.0 (#5755)
• 32bdd68 #5754 npm-packlist@7.0.2 (#5754)
• Workspace: @npmcli/arborist@6.1.0
• Workspace: libnpmdiff@5.0.1
• Workspace: libnpmexec@5.0.1
• Workspace: libnpmfund@4.0.1
• Workspace: libnpmpack@5.0.1
• Workspace: libnpmpublish@7.0.1

9.1.0

9.1.0 (2022-11-02)

Features

• 706b3d3 #5779 set --no-audit when installing outside of a project (like --global) (@fritzy)

Bug Fixes

• 1f5382d #5789 don't set stdioString for any spawn/run-script calls (@lukekarrys)
• 8fd614a use promiseSpawn.open instead of opener (@nlf)
• 41843ad use an absolute path to notepad.exe by default, correct docs (@nlf)
• 0c5834e #5758 use hosted-git-info to parse registry urls (#5758) (@lukekarrys)

Documentation

• ce6745c #5763 fixed some typos (#5763) (@AndrewDawes)

Dependencies

• b89c19e #5795 cli-table3@0.6.3
• 6b6dfca fastest-levenshtein@1.0.16
• 9972ed1 @npmcli/ci-detect@3.0.1
• 024e612 abbrev@2.0.0
• 66f9bcd nopt@7.0.0
• 5730d17 tar@6.1.12
• 2fef570 node-gyp@9.3.0
• abfb28b @npmcli/run-script@6.0.0
• 205e2fd pacote@15.0.6
• ac25863 remove opener, @npmcli/promise-spawn@6.0.1, @npmcli/run-script@5.1.1, @npmcli/git@4.0.3, pacote@15.0.5, which@3.0.0
• Workspace: @npmcli/arborist@6.1.1
• Workspace: @npmcli/config@6.1.0
• Workspace: libnpmdiff@5.0.2
• Workspace: libnpmexec@5.0.2
• Workspace: libnpmfund@4.0.2
• Workspace: libnpmpack@5.0.2
• Workspace: libnpmpublish@7.0.2
• Workspace: libnpmversion@4.0.1

9.1.1

9.1.1 (2022-11-09)

Documentation

• 1bff064 #5819 config: document npm config fix (#5819) (@wraithgar)

Dependencies

• 335c7e4 #5813 cacache@17.0.2
• 878ddfb @npmcli/fs@3.1.0
• Workspace: @npmcli/arborist@6.1.2
• Workspace: libnpmdiff@5.0.3
• Workspace: libnpmexec@5.0.3
• Workspace: libnpmfund@4.0.3
• Workspace: libnpmpack@5.0.3
• Workspace: libnpmpublish@7.0.3

9.1.2

9.1.2 (2022-11-16)

Bug Fixes

• d9654cf #5861 remove unwanted package.json entries (#5861) (@wraithgar)

Dependencies

• a351685 #5858 move from @npmcli/ci-detect to ci-info (#5858)
• Workspace: @npmcli/arborist@6.1.3
• Workspace: libnpmdiff@5.0.4
• Workspace: libnpmexec@5.0.4
• Workspace: libnpmfund@4.0.4
• Workspace: libnpmpack@5.0.4
• Workspace: libnpmpublish@7.0.4

9.1.3

9.1.3 (2022-11-30)

Bug Fixes

• ffbdea2 #5894 npm pack filename on scoped packages (#5894) (@HenryNguyen5)
• c26d708 #5884 validate username at get-identity (#5884) (@sosoba, @nlf)

Documentation

• ea948dc #5881 update description of npm exec (#5881) (@styfle, @wraithgar)
• 40f2c21 #5865 ci-info url (#5865) (@wraithgar)
• 681a45b #5875 run the comand for directory workspaces (#5875) (@1aron)
• 681a45b #5875 add workspace directory example (#5875) (@1aron)

Dependencies

• Workspace: @npmcli/arborist@6.1.4
• Workspace: libnpmdiff@5.0.5
• Workspace: libnpmexec@5.0.5
• Workspace: libnpmfund@4.0.5
• Workspace: libnpmpack@5.0.5
• Workspace: libnpmpublish@7.0.5

[github-actions]

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

[Trott]

Rubber-stamp LGTM if it looks good to @nodejs/npm

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/48254/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/48258/

[styfle]

PR description needs to be updated:

include the above list of breaking changes and why we will ship it in a minor release

nodejs/Release#778 (comment)

[lukekarrys]

The PR body has been updated with a summary and explanation of the breaking changes. The npm team will be skipping our normal release scheduled for tomorrow, so this PR will be the latest version of npm until 2022-12-14.

[ruyadorno]

Thanks @lukekarrys! Seeing that it met all the requested items from nodejs/Release#778 and having discussed it extensively in the last two Release WG meetings, I'll go ahead and add it to the commit-queue (in case it fails I'll just manually land it).

[nodejs-github-bot]

Landed in 3bef549

[mhdawson]

@ruyadorno I think in the discussion the proposal was to have it bake a bit before it was backported to LTS lines. I'm going to add the dont-land labels for 18 and 16 so it does not flow back until that happens. Please let me know if that was not the consensus.

[ruyadorno]

Good call @mhdawson, in the last discussion of the Release WG we agreed to follow the timeline outlined here: nodejs/Release#778 (comment)

Given that the next scheduled released for v18.x is on January 3rd it's a good idea to have the labels for now. We just need to remember to remove them after that release so that the npm updates can be backported and land in v18.x-staging on time for the February release.

One other thing to keep in mind is to add the same labels to any subsequent npm update PRs until they're all ready to be backported, for now that's only #45780 but we need to keep an eye if there's a new one. All in all we should try to remember to remove the labels as soon as possible to avoid any extra headaches for the releasers.

[mhdawson]

This issue might be something of concern in terms of a breaking change being reported ? - #45881 as I think 19.3 might have been the first version with the bump to npm 9 ?

[lukekarrys]

#45881 as I think 19.3 might have been the first version with the bump to npm 9

yes, that is right. im triaging that issue now and i believe it's a bug and not a breaking change we intended to make. so we should be able to fix it in the next npm@9 release

[ljharb]

Was the auth-type change mentioned briefly above considered by node collaborators? In particular, in node 19.3 (with npm 9) my normal workflow (that worked in 19.2 with npm 8) of inputting an OTP code directly into the terminal no longer works. I have restored it by adding auth-type=legacy to my ~/.npmrc, but node may want to ship (in node 19, at least) a built-in npmrc that restores this default.

[MylesBorins]

The new auth type is a significant improvement in experience, especially with using webauthn to publish + login.

It might make more sense to have the otp flag infer the legacy auth type, since it essentially is broken right now. This seems more like a bug to be fixed rather than reverting the auth type change.

[ljharb]

That's a very subjective claim; it's not an improvement for me personally, it was a surprising disruption to my workflow.

[MylesBorins]

@ljharb FYI npm/statusboard#624 to fix the --otp issue. feel free to open a feedback issue if you have other ways your workflow is broken that we can attempt to imrprove / fix

[ljharb]

I wasn't using --otp - I'm saying that the completely unconfigured default should remain OTP within the node 19 major line