Release: npm@6.6.0

AUTHORS

@@ -612,3 +612,10 @@ Joe Bottigliero <joe@bottigliero.com>
 Nikolai Vavilov <vvnicholas@gmail.com>
 Kelvin Jin <kelvinjin@google.com>
 乱序 <midare@utakana.de>
+Audrey Eschright <audrey@npmjs.com>
+Xu Meng <dmabupt@gmail.com>
+George <george.taveras1231@gmail.com>
+Beni von Cheni <benjaminlchen@gmail.com>
+Frédéric Harper <fharper@npmjs.com>
+Johannes Würbach <johannes.wuerbach@googlemail.com>
+ƇʘƁ̆ąƇ́ <anchnk@users.noreply.github.com>

doc/cli/npm-access.md

@@ -9,6 +9,9 @@ npm-access(1) -- Set access level on published packages
     npm access grant <read-only|read-write> <scope:team> [<package>]
     npm access revoke <scope:team> [<package>]
 
+    npm access 2fa-required [<package>]
+    npm access 2fa-not-required [<package>]
+
     npm access ls-packages [<user>|<scope>|<scope:team>]
     npm access ls-collaborators [<package> [<user>]]
     npm access edit [<package>]
@@ -28,6 +31,10 @@ subcommand.
   Add or remove the ability of users and teams to have read-only or read-write
   access to a package.
 
+* 2fa-required / 2fa-not-required:
+  Configure whether a package requires that anyone publishing it have two-factor
+  authentication enabled on their account.
+
 * ls-packages:
   Show all of the packages a user or a team is able to access, along with the
   access level, except for read-only public packages (it won't print the whole
@@ -70,6 +77,7 @@ Management of teams and team memberships is done with the `npm team` command.
 
 ## SEE ALSO
 
+* [`libnpmaccess`](https://npm.im/libnpmaccess)
 * npm-team(1)
 * npm-publish(1)
 * npm-config(7)

doc/cli/npm-dist-tag.md

@@ -26,6 +26,8 @@ Add, remove, and enumerate distribution tags on a package:
   Show all of the dist-tags for a package, defaulting to the package in
   the current prefix.
 
+  This is the default action if none is specified.
+
 A tag can be used when installing packages as a reference to a version instead
 of using a specific version number:
 

doc/cli/npm-prefix.md

@@ -8,7 +8,8 @@ npm-prefix(1) -- Display prefix
 ## DESCRIPTION
 
 Print the local prefix to standard out. This is the closest parent directory
-to contain a package.json file unless `-g` is also specified.
+to contain a `package.json` file or `node_modules` directory, unless `-g` is
+also specified.
 
 If `-g` is specified, this will be the value of the global prefix. See
 `npm-config(7)` for more detail.

doc/cli/npm-token.md

@@ -9,7 +9,7 @@ npm-token(1) -- Manage your authentication tokens
 
 ## DESCRIPTION
 
-This list you list, create and revoke authentication tokens.
+This lets you list, create and revoke authentication tokens.
 
 * `npm token list`:
   Shows a table of all active authentication tokens. You can request this as

doc/misc/semver.md

@@ -29,8 +29,6 @@ As a command-line utility:
 ```
 $ semver -h
 
-SemVer 5.3.0
-
 A JavaScript implementation of the http://semver.org/ specification
 Copyright Isaac Z. Schlueter
 
@@ -54,6 +52,9 @@ Options:
 -l --loose
         Interpret versions and ranges loosely
 
+-p --include-prerelease
+        Always include prerelease versions in range matching
+
 -c --coerce
         Coerce a string into SemVer if possible
         (does not imply --loose)
@@ -289,9 +290,19 @@ part       ::= nr | [-0-9A-Za-z]+
 
 ## Functions
 
-All methods and classes take a final `loose` boolean argument that, if
-true, will be more forgiving about not-quite-valid semver strings.
-The resulting output will always be 100% strict, of course.
+All methods and classes take a final `options` object argument.  All
+options in this object are `false` by default.  The options supported
+are:
+
+- `loose`  Be more forgiving about not-quite-valid semver strings.
+  (Any resulting output will always be 100% strict compliant, of
+  course.)  For backwards compatibility reasons, if the `options`
+  argument is a boolean value instead of an object, it is interpreted
+  to be the `loose` param.
+- `includePrerelease`  Set to suppress the [default
+  behavior](https://github.com/npm/node-semver#prerelease-tags) of
+  excluding prerelease tagged versions from ranges unless they are
+  explicitly opted into.
 
 Strict-mode Comparators and Ranges will be strict about the SemVer
 strings that they parse.

lib/access.js

@@ -1,28 +1,50 @@
 'use strict'
 /* eslint-disable standard/no-callback-literal */
 
-var resolve = require('path').resolve
+const BB = require('bluebird')
 
-var readPackageJson = require('read-package-json')
-var mapToRegistry = require('./utils/map-to-registry.js')
-var npm = require('./npm.js')
-var output = require('./utils/output.js')
-
-var whoami = require('./whoami')
+const figgyPudding = require('figgy-pudding')
+const libaccess = require('libnpm/access')
+const npmConfig = require('./config/figgy-config.js')
+const output = require('./utils/output.js')
+const otplease = require('./utils/otplease.js')
+const path = require('path')
+const prefix = require('./npm.js').prefix
+const readPackageJson = BB.promisify(require('read-package-json'))
+const usage = require('./utils/usage.js')
+const whoami = require('./whoami.js')
 
 module.exports = access
 
-access.usage =
+access.usage = usage(
+  'npm access',
   'npm access public [<package>]\n' +
   'npm access restricted [<package>]\n' +
   'npm access grant <read-only|read-write> <scope:team> [<package>]\n' +
   'npm access revoke <scope:team> [<package>]\n' +
+  'npm access 2fa-required [<package>]\n' +
+  'npm access 2fa-not-required [<package>]\n' +
   'npm access ls-packages [<user>|<scope>|<scope:team>]\n' +
   'npm access ls-collaborators [<package> [<user>]]\n' +
   'npm access edit [<package>]'
+)
+
+access.subcommands = [
+  'public', 'restricted', 'grant', 'revoke',
+  'ls-packages', 'ls-collaborators', 'edit',
+  '2fa-required', '2fa-not-required'
+]
+
+const AccessConfig = figgyPudding({
+  json: {}
+})
 
-access.subcommands = ['public', 'restricted', 'grant', 'revoke',
-  'ls-packages', 'ls-collaborators', 'edit']
+function UsageError (msg = '') {
+  throw Object.assign(new Error(
+    (msg ? `\nUsage: ${msg}\n\n` : '') +
+    access.usage
+  ), {code: 'EUSAGE'})
+}
 
 access.completion = function (opts, cb) {
   var argv = opts.conf.argv.remain
@@ -42,6 +64,8 @@ access.completion = function (opts, cb) {
     case 'ls-packages':
     case 'ls-collaborators':
     case 'edit':
+    case '2fa-required':
+    case '2fa-not-required':
       return cb(null, [])
     case 'revoke':
       return cb(null, [])
@@ -50,81 +74,125 @@ access.completion = function (opts, cb) {
   }
 }
 
-function access (args, cb) {
-  var cmd = args.shift()
-  var params
-  return parseParams(cmd, args, function (err, p) {
-    if (err) { return cb(err) }
-    params = p
-    return mapToRegistry(params.package, npm.config, invokeCmd)
-  })
+function access ([cmd, ...args], cb) {
+  return BB.try(() => {
+    const fn = access.subcommands.includes(cmd) && access[cmd]
+    if (!cmd) { UsageError('Subcommand is required.') }
+    if (!fn) { UsageError(`${cmd} is not a recognized subcommand.`) }
 
-  function invokeCmd (err, uri, auth, base) {
-    if (err) { return cb(err) }
-    params.auth = auth
-    try {
-      return npm.registry.access(cmd, uri, params, function (err, data) {
-        if (!err && data) {
-          output(JSON.stringify(data, undefined, 2))
-        }
-        cb(err, data)
-      })
-    } catch (e) {
-      cb(e.message + '\n\nUsage:\n' + access.usage)
-    }
-  }
+    return fn(args, AccessConfig(npmConfig()))
+  }).then(
+    x => cb(null, x),
+    err => err.code === 'EUSAGE' ? cb(err.message) : cb(err)
+  )
 }
 
-function parseParams (cmd, args, cb) {
-  // mapToRegistry will complain if package is undefined,
-  // but it's not needed for ls-packages
-  var params = { 'package': '' }
-  if (cmd === 'grant') {
-    params.permissions = args.shift()
-  }
-  if (['grant', 'revoke', 'ls-packages'].indexOf(cmd) !== -1) {
-    var entity = (args.shift() || '').split(':')
-    params.scope = entity[0]
-    params.team = entity[1]
-  }
+access.public = ([pkg], opts) => {
+  return modifyPackage(pkg, opts, libaccess.public)
+}
 
-  if (cmd === 'ls-packages') {
-    if (!params.scope) {
-      whoami([], true, function (err, scope) {
-        params.scope = scope
-        cb(err, params)
-      })
-    } else {
-      cb(null, params)
+access.restricted = ([pkg], opts) => {
+  return modifyPackage(pkg, opts, libaccess.restricted)
+}
+
+access.grant = ([perms, scopeteam, pkg], opts) => {
+  return BB.try(() => {
+    if (!perms || (perms !== 'read-only' && perms !== 'read-write')) {
+      UsageError('First argument must be either `read-only` or `read-write.`')
     }
-  } else {
-    getPackage(args.shift(), function (err, pkg) {
-      if (err) return cb(err)
-      params.package = pkg
+    if (!scopeteam) {
+      UsageError('`<scope:team>` argument is required.')
+    }
+    const [, scope, team] = scopeteam.match(/^@?([^:]+):(.*)$/) || []
+    if (!scope && !team) {
+      UsageError(
+        'Second argument used incorrect format.\n' +
+        'Example: @example:developers'
+      )
+    }
+    return modifyPackage(pkg, opts, (pkgName, opts) => {
+      return libaccess.grant(pkgName, scopeteam, perms, opts)
+    })
+  })
+}
 
-      if (cmd === 'ls-collaborators') params.user = args.shift()
-      cb(null, params)
+access.revoke = ([scopeteam, pkg], opts) => {
+  return BB.try(() => {
+    if (!scopeteam) {
+      UsageError('`<scope:team>` argument is required.')
+    }
+    const [, scope, team] = scopeteam.match(/^@?([^:]+):(.*)$/) || []
+    if (!scope || !team) {
+      UsageError(
+        'First argument used incorrect format.\n' +
+        'Example: @example:developers'
+      )
+    }
+    return modifyPackage(pkg, opts, (pkgName, opts) => {
+      return libaccess.revoke(pkgName, scopeteam, opts)
     })
-  }
+  })
+}
+
+access['2fa-required'] = access.tfaRequired = ([pkg], opts) => {
+  return modifyPackage(pkg, opts, libaccess.tfaRequired, false)
+}
+
+access['2fa-not-required'] = access.tfaNotRequired = ([pkg], opts) => {
+  return modifyPackage(pkg, opts, libaccess.tfaNotRequired, false)
+}
+
+access['ls-packages'] = access.lsPackages = ([owner], opts) => {
+  return (
+    owner ? BB.resolve(owner) : BB.fromNode(cb => whoami([], true, cb))
+  ).then(owner => {
+    return libaccess.lsPackages(owner, opts)
+  }).then(pkgs => {
+    // TODO - print these out nicely (breaking change)
+    output(JSON.stringify(pkgs, null, 2))
+  })
+}
+
+access['ls-collaborators'] = access.lsCollaborators = ([pkg, usr], opts) => {
+  return getPackage(pkg).then(pkgName =>
+    libaccess.lsCollaborators(pkgName, usr, opts)
+  ).then(collabs => {
+    // TODO - print these out nicely (breaking change)
+    output(JSON.stringify(collabs, null, 2))
+  })
 }
 
-function getPackage (name, cb) {
-  if (name && name.trim()) {
-    cb(null, name.trim())
-  } else {
-    readPackageJson(
-      resolve(npm.prefix, 'package.json'),
-      function (err, data) {
-        if (err) {
+access['edit'] = () => BB.reject(new Error('edit subcommand is not implemented yet'))
+
+function modifyPackage (pkg, opts, fn, requireScope = true) {
+  return getPackage(pkg, requireScope).then(pkgName =>
+    otplease(opts, opts => fn(pkgName, opts))
+  )
+}
+
+function getPackage (name, requireScope = true) {
+  return BB.try(() => {
+    if (name && name.trim()) {
+      return name.trim()
+    } else {
+      return readPackageJson(
+        path.resolve(prefix, 'package.json')
+      ).then(
+        data => data.name,
+        err => {
           if (err.code === 'ENOENT') {
-            cb(new Error('no package name passed to command and no package.json found'))
+            throw new Error('no package name passed to command and no package.json found')
           } else {
-            cb(err)
+            throw err
           }
-        } else {
-          cb(null, data.name)
         }
-      }
-    )
-  }
+      )
+    }
+  }).then(name => {
+    if (requireScope && !name.match(/^@[^/]+\/.*$/)) {
+      UsageError('This command is only available for scoped packages.')
+    } else {
+      return name
+    }
+  })
 }