deps: upgrade npm to 8.0.0

PR-URL: #40369
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

deps/npm/docs/content/configuring-npm/package-lock-json.md

@@ -138,7 +138,8 @@ Package descriptors have the following fields:
   the case of packages fetched from the registry, this will be a url to a
   tarball.  In the case of git dependencies, this will be the full git url
   with commit sha.  In the case of link dependencies, this will be the
-  location of the link target.
+  location of the link target. `registry.npmjs.org` is a magic value meaning
+  "the currently configured registry".
 
 * integrity: A `sha512` or `sha1` [Standard Subresource
   Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/)
@@ -201,7 +202,8 @@ Dependency objects have the following fields:
 
 * resolved: For registry sources this is path of the tarball relative to
   the registry URL.  If the tarball URL isn't on the same server as the
-  registry URL then this is a complete URL.
+  registry URL then this is a complete URL. `registry.npmjs.org` is a magic
+  value meaning "the currently configured registry".
 
 * bundled:  If true, this is the bundled dependency and will be installed
   by the parent module.  When installing, this module will be extracted

deps/npm/docs/content/using-npm/registry.md

@@ -30,6 +30,13 @@ The registry URL used is determined by the scope of the package (see
 supplied by the `registry` config parameter.  See [`npm config`](/commands/npm-config),
 [`npmrc`](/configuring-npm/npmrc), and [`config`](/using-npm/config) for more on managing npm's configuration.
 
+When the default registry is used in a package-lock or shrinkwrap is has the
+special meaning of "the currently configured registry". If you create a lock
+file while using the default registry you can switch to another registry and
+npm will install packages from the new registry, but if you create a lock
+file while using a custom registry packages will be installed from that
+registry even after you change to another registry.
+
 ### Does npm send any information about me back to the registry?
 
 Yes.

deps/npm/docs/content/using-npm/scope.md

@@ -98,7 +98,8 @@ desired, with `npm access` or on the npmjs.com website.
 
 Scopes can be associated with a separate registry. This allows you to
 seamlessly use a mix of packages from the primary npm registry and one or more
-private registries, such as npm Enterprise.
+private registries, such as [GitHub Packages](https://github.com/features/packages) or the open source [Verdaccio](https://verdaccio.org)
+project.
 
 You can associate a scope with a registry at login, e.g.
 

deps/npm/docs/content/using-npm/workspaces.md

@@ -176,6 +176,22 @@ npm run test --workspaces
 
 Will run the `test` script in both `./packages/a` and `./packages/b`.
 
+Commands will be run in each workspace in the order they appear in your `package.json`
+
+```
+{
+  "workspaces": [ "packages/a", "packages/b" ]
+}
+```
+
+Order of run is different with:
+
+```
+{
+  "workspaces": [ "packages/b", "packages/a" ]
+}
+```
+
 ### Ignoring missing scripts
 
 It is not required for all of the workspaces to implement scripts run with the `npm run` command.

deps/npm/docs/output/commands/npm-ls.html

@@ -159,7 +159,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm’s source tree will show:</p>
-<pre lang="bash"><code>npm@7.24.0 /path/to/npm
+<pre lang="bash"><code>npm@8.0.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

deps/npm/docs/output/commands/npm.html

@@ -148,7 +148,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <pre lang="bash"><code>npm &lt;command&gt; [args]
 </code></pre>
 <h3 id="version">Version</h3>
-<p>7.24.0</p>
+<p>8.0.0</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/package-lock-json.html

@@ -262,7 +262,8 @@ <h4 id="packages"><code>packages</code></h4>
 the case of packages fetched from the registry, this will be a url to a
 tarball.  In the case of git dependencies, this will be the full git url
 with commit sha.  In the case of link dependencies, this will be the
-location of the link target.</p>
+location of the link target. <code>registry.npmjs.org</code> is a magic value meaning
+“the currently configured registry”.</p>
 </li>
 <li>
 <p>integrity: A <code>sha512</code> or <code>sha1</code> <a href="https://w3c.github.io/webappsec/specs/subresourceintegrity/">Standard Subresource
@@ -334,7 +335,8 @@ <h4 id="dependencies">dependencies</h4>
 <li>
 <p>resolved: For registry sources this is path of the tarball relative to
 the registry URL.  If the tarball URL isn’t on the same server as the
-registry URL then this is a complete URL.</p>
+registry URL then this is a complete URL. <code>registry.npmjs.org</code> is a magic
+value meaning “the currently configured registry”.</p>
 </li>
 <li>
 <p>bundled:  If true, this is the bundled dependency and will be installed

deps/npm/docs/output/using-npm/registry.html

@@ -163,6 +163,12 @@ <h2 id="table-of-contents">Table of contents</h2>
 <a href="../using-npm/scope.html"><code>scope</code></a>. If no scope is specified, the default registry is used, which is
 supplied by the <code>registry</code> config parameter.  See <a href="../commands/npm-config.html"><code>npm config</code></a>,
 <a href="../configuring-npm/npmrc.html"><code>npmrc</code></a>, and <a href="../using-npm/config.html"><code>config</code></a> for more on managing npm’s configuration.</p>
+<p>When the default registry is used in a package-lock or shrinkwrap is has the
+special meaning of “the currently configured registry”. If you create a lock
+file while using the default registry you can switch to another registry and
+npm will install packages from the new registry, but if you create a lock
+file while using a custom registry packages will be installed from that
+registry even after you change to another registry.</p>
 <h3 id="does-npm-send-any-information-about-me-back-to-the-registry">Does npm send any information about me back to the registry?</h3>
 <p>Yes.</p>
 <p>When making requests of the registry npm adds two headers with information

deps/npm/docs/output/using-npm/scope.html

@@ -206,7 +206,8 @@ <h4 id="publishing-private-scoped-packages-to-the-npm-registry">Publishing priva
 <h3 id="associating-a-scope-with-a-registry">Associating a scope with a registry</h3>
 <p>Scopes can be associated with a separate registry. This allows you to
 seamlessly use a mix of packages from the primary npm registry and one or more
-private registries, such as npm Enterprise.</p>
+private registries, such as <a href="https://github.com/features/packages">GitHub Packages</a> or the open source <a href="https://verdaccio.org">Verdaccio</a>
+project.</p>
 <p>You can associate a scope with a registry at login, e.g.</p>
 <pre lang="bash"><code>npm login --registry=http://reg.example.com --scope=@myco
 </code></pre>

deps/npm/docs/output/using-npm/workspaces.html

@@ -264,6 +264,16 @@ <h3 id="running-commands-in-the-context-of-workspaces">Running commands in the c
 <pre><code>npm run test --workspaces
 </code></pre>
 <p>Will run the <code>test</code> script in both <code>./packages/a</code> and <code>./packages/b</code>.</p>
+<p>Commands will be run in each workspace in the order they appear in your <code>package.json</code></p>
+<pre><code>{
+  "workspaces": [ "packages/a", "packages/b" ]
+}
+</code></pre>
+<p>Order of run is different with:</p>
+<pre><code>{
+  "workspaces": [ "packages/b", "packages/a" ]
+}
+</code></pre>
 <h3 id="ignoring-missing-scripts">Ignoring missing scripts</h3>
 <p>It is not required for all of the workspaces to implement scripts run with the <code>npm run</code> command.</p>
 <p>By running the command with the <code>--if-present</code> flag, npm will ignore workspaces missing target script.</p>

deps/npm/lib/cache.js

@@ -8,6 +8,7 @@ const semver = require('semver')
 const BaseCommand = require('./base-command.js')
 const npa = require('npm-package-arg')
 const jsonParse = require('json-parse-even-better-errors')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 const searchCachePackage = async (path, spec, cacheKeys) => {
   const parsed = npa(spec)
@@ -212,10 +213,10 @@ class Cache extends BaseCommand {
         for (const key of keySet)
           results.add(key)
       }
-      [...results].sort((a, b) => a.localeCompare(b, 'en')).forEach(key => this.npm.output(key))
+      [...results].sort(localeCompare).forEach(key => this.npm.output(key))
       return
     }
-    cacheKeys.sort((a, b) => a.localeCompare(b, 'en')).forEach(key => this.npm.output(key))
+    cacheKeys.sort(localeCompare).forEach(key => this.npm.output(key))
   }
 }
 

deps/npm/lib/config.js

@@ -10,6 +10,7 @@ const writeFile = promisify(fs.writeFile)
 const { spawn } = require('child_process')
 const { EOL } = require('os')
 const ini = require('ini')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 // take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
 // { key: value, k2: v2, k3: v3 }
@@ -209,7 +210,7 @@ class Config extends BaseCommand {
 ; Configs like \`//<hostname>/:_authToken\` are auth that is restricted
 ; to the registry host specified.
 
-${data.split('\n').sort((a, b) => a.localeCompare(b, 'en')).join('\n').trim()}
+${data.split('\n').sort(localeCompare).join('\n').trim()}
 
 ;;;;
 ; all available options shown below with default values
@@ -238,7 +239,7 @@ ${defData}
       if (where === 'default' && !long)
         continue
 
-      const keys = Object.keys(data).sort((a, b) => a.localeCompare(b, 'en'))
+      const keys = Object.keys(data).sort(localeCompare)
       if (!keys.length)
         continue
 

deps/npm/lib/deprecate.js

@@ -49,7 +49,7 @@ class Deprecate extends BaseCommand {
   }
 
   async deprecate ([pkg, msg]) {
-    // msg == null becase '' is a valid value, it indicates undeprecate
+    // msg == null because '' is a valid value, it indicates undeprecate
     if (!pkg || msg == null)
       throw this.usageError()
 

deps/npm/lib/help.js

@@ -3,6 +3,7 @@ const path = require('path')
 const openUrl = require('./utils/open-url.js')
 const { promisify } = require('util')
 const glob = promisify(require('glob'))
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 const BaseCommand = require('./base-command.js')
 
@@ -82,7 +83,7 @@ class Help extends BaseCommand {
       if (aManNumber !== bManNumber)
         return aManNumber - bManNumber
 
-      return a.localeCompare(b, 'en')
+      return localeCompare(a, b)
     })
     const man = mans[0]
 

deps/npm/lib/ls.js

@@ -22,6 +22,7 @@ const _problems = Symbol('problems')
 const _required = Symbol('required')
 const _type = Symbol('type')
 const ArboristWorkspaceCmd = require('./workspaces/arborist-cmd.js')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 class LS extends ArboristWorkspaceCmd {
   /* istanbul ignore next - see test/lib/load-all-commands.js */
@@ -503,8 +504,7 @@ const augmentNodesWithMetadata = ({
   return node
 }
 
-const sortAlphabetically = (a, b) =>
-  a.pkgid.localeCompare(b.pkgid, 'en')
+const sortAlphabetically = ({ pkgid: a }, { pkgid: b }) => localeCompare(a, b)
 
 const humanOutput = ({ color, result, seenItems, unicode }) => {
   // we need to traverse the entire tree in order to determine which items

deps/npm/lib/npm.js

@@ -355,6 +355,3 @@ const npm = module.exports = new class extends EventEmitter {
     this.log.showProgress()
   }
 }()
-
-if (require.main === module)
-  require('./cli.js')(process)

deps/npm/lib/outdated.js

@@ -6,6 +6,7 @@ const color = require('chalk')
 const styles = require('ansistyles')
 const npa = require('npm-package-arg')
 const pickManifest = require('npm-pick-manifest')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 const Arborist = require('@npmcli/arborist')
 
@@ -85,7 +86,10 @@ class Outdated extends ArboristWorkspaceCmd {
     }))
 
     // sorts list alphabetically
-    const outdated = this.list.sort((a, b) => a.name.localeCompare(b.name, 'en'))
+    const outdated = this.list.sort((a, b) => localeCompare(a.name, b.name))
+
+    if (outdated.length > 0)
+      process.exitCode = 1
 
     // return if no outdated packages
     if (outdated.length === 0 && !this.npm.config.get('json'))

deps/npm/lib/utils/completion/installed-deep.js

@@ -1,5 +1,6 @@
 const { resolve } = require('path')
 const Arborist = require('@npmcli/arborist')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 const installedDeep = async (npm) => {
   const {
@@ -15,8 +16,7 @@ const installedDeep = async (npm) => {
         return i
       })
       .filter(i => (i.depth - 1) <= depth)
-      .sort((a, b) => a.depth - b.depth)
-      .sort((a, b) => a.depth === b.depth ? a.name.localeCompare(b.name, 'en') : 0)
+      .sort((a, b) => (a.depth - b.depth) || localeCompare(a.name, b.name))
 
   const res = new Set()
   const gArb = new Arborist({ global: true, path: resolve(npm.globalDir, '..') })

deps/npm/lib/utils/config/describe-all.js

@@ -1,4 +1,5 @@
 const definitions = require('./definitions.js')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 const describeAll = () => {
   // sort not-deprecated ones to the top
   /* istanbul ignore next - typically already sorted in the definitions file,
@@ -7,7 +8,7 @@ const describeAll = () => {
   const sort = ([keya, {deprecated: depa}], [keyb, {deprecated: depb}]) => {
     return depa && !depb ? 1
       : !depa && depb ? -1
-      : keya.localeCompare(keyb, 'en')
+      : localeCompare(keya, keyb)
   }
   return Object.entries(definitions).sort(sort)
     .map(([key, def]) => def.describe())

deps/npm/lib/utils/npm-usage.js

@@ -1,5 +1,6 @@
 const { dirname } = require('path')
 const { cmdList } = require('./cmd-list')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 module.exports = (npm) => {
   const usesBrowser = npm.config.get('viewer') === 'browser'
@@ -62,7 +63,7 @@ const usages = (npm) => {
     maxLen = Math.max(maxLen, c.length)
     return set
   }, [])
-    .sort((a, b) => a[0].localeCompare(b[0], 'en'))
+    .sort(([a], [b]) => localeCompare(a, b))
     .map(([c, usage]) => `\n    ${c}${' '.repeat(maxLen - c.length + 1)}${
       (usage.split('\n').join('\n' + ' '.repeat(maxLen + 5)))}`)
     .join('\n')

deps/npm/lib/utils/open-url.js

@@ -4,6 +4,7 @@ const { URL } = require('url')
 
 // attempt to open URL in web-browser, print address otherwise:
 const open = async (npm, url, errMsg) => {
+  url = encodeURI(url)
   const browser = npm.config.get('browser')
 
   function printAlternateMsg () {

deps/npm/lib/utils/tar.js

@@ -3,6 +3,10 @@ const ssri = require('ssri')
 const npmlog = require('npmlog')
 const formatBytes = require('./format-bytes.js')
 const columnify = require('columnify')
+const localeCompare = require('@isaacs/string-locale-compare')('en', {
+  sensitivity: 'case',
+  numeric: true,
+})
 
 const logTar = (tarball, opts = {}) => {
   const { unicode = false, log = npmlog } = opts
@@ -75,12 +79,7 @@ const getContents = async (manifest, tarball) => {
     algorithms: ['sha1', 'sha512'],
   })
 
-  const comparator = (a, b) => {
-    return a.path.localeCompare(b.path, 'en', {
-      sensitivity: 'case',
-      numeric: true,
-    })
-  }
+  const comparator = ({ path: a }, { path: b }) => localeCompare(a, b)
 
   const isUpper = (str) => {
     const ch = str.charAt(0)

deps/npm/man/man1/npm-access.1

@@ -1,4 +1,4 @@
-.TH "NPM\-ACCESS" "1" "September 2021" "" ""
+.TH "NPM\-ACCESS" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-access\fR \- Set access level on published packages
 .SS Synopsis

deps/npm/man/man1/npm-adduser.1

@@ -1,4 +1,4 @@
-.TH "NPM\-ADDUSER" "1" "September 2021" "" ""
+.TH "NPM\-ADDUSER" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-adduser\fR \- Add a registry user account
 .SS Synopsis

deps/npm/man/man1/npm-audit.1

@@ -1,4 +1,4 @@
-.TH "NPM\-AUDIT" "1" "September 2021" "" ""
+.TH "NPM\-AUDIT" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-audit\fR \- Run a security audit
 .SS Synopsis

deps/npm/man/man1/npm-bin.1

@@ -1,4 +1,4 @@
-.TH "NPM\-BIN" "1" "September 2021" "" ""
+.TH "NPM\-BIN" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-bin\fR \- Display npm bin folder
 .SS Synopsis

deps/npm/man/man1/npm-bugs.1

@@ -1,4 +1,4 @@
-.TH "NPM\-BUGS" "1" "September 2021" "" ""
+.TH "NPM\-BUGS" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-bugs\fR \- Report bugs for a package in a web browser
 .SS Synopsis

deps/npm/man/man1/npm-cache.1

@@ -1,4 +1,4 @@
-.TH "NPM\-CACHE" "1" "September 2021" "" ""
+.TH "NPM\-CACHE" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-cache\fR \- Manipulates packages cache
 .SS Synopsis

deps/npm/man/man1/npm-ci.1

@@ -1,4 +1,4 @@
-.TH "NPM\-CI" "1" "September 2021" "" ""
+.TH "NPM\-CI" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-ci\fR \- Install a project with a clean slate
 .SS Synopsis

deps/npm/man/man1/npm-completion.1

@@ -1,4 +1,4 @@
-.TH "NPM\-COMPLETION" "1" "September 2021" "" ""
+.TH "NPM\-COMPLETION" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-completion\fR \- Tab Completion for npm
 .SS Synopsis

deps/npm/man/man1/npm-config.1

@@ -1,4 +1,4 @@
-.TH "NPM\-CONFIG" "1" "September 2021" "" ""
+.TH "NPM\-CONFIG" "1" "October 2021" "" ""
 .SH "NAME"
 \fBnpm-config\fR \- Manage the npm configuration files
 .SS Synopsis