deps: upgrade npm to 7.21.0

[npm-robot]

v7.21.0 (2021-08-19)

FEATURES

• ff34d6cd6 #3592 feat(cache): initial implementation of ls and rm (@fritzy)

BUG FIXES

• 32e88c943 #3640 fix(did-you-mean): switch levenshtein libraries (@wraithgar)
• 487731cd5 #3658 fix(logging): sanitize logged argv (@wraithgar)
• 68a19bb02 #3661 fix(error-message): look for er.path not er.file (@wraithgar)

DEPENDENCIES

• df57f0d53 @npmcli/run-script@1.8.6
• 8183976cf normalize-package-data@3.0.3:
  • fix: account for "licence" as spelling variant
• f07772401 init-package-json@2.0.4
• 991a3bd39 read-package-json@4.0.0
• e9e5ee560 @npmcli/arborist@2.8.2:
  • fix: treat top-level global packages as "top" nodes
  • fix: load global symlinks implicitly as file: deps
  • fix(reify): debug crash when extracting into symlink
  • fix: node_modules must be a directory
  • fix: make Node.children() a case-insensitive Map
  • fix(reify): verify existing deps in nm are dirs
• b6f40b5f8 tar@6.1.10:
  • fix: prune dirCache properly for unicode, windows
  • fix: reserve paths properly for unicode, windows
  • fix: prevent path escape using drive-relative paths
  • fix: drop dirCache for symlink on all platforms
• 218cacadc is-core-module@2.6.0
• 7ac621cd1 smart-buffer@4.2.0
• 94f92de13 make-fetch-happen@9.0.5
• 71cdfd898 spdx-license-ids@3.0.10:
  • update license list to v3.14

v7.20.6 (2021-08-12)

DEPENDENCIES

• 5bebf280f tar@6.1.8
  • fix: reserve paths case-insensitively
• 5d89de44d tar@6.1.7:
  • fix: normalize paths on Windows systems
• a1bdbea97 #3569 remove byte-size (@wraithgar)
• 61782fa85 @npmcli/map-workspaces@1.0.4:
  • fix: better error message for duplicate workspace names
• b88f770fa @npmcli/arborist@2.8.1:
  • #3632 Fix "cannot read property path of null" error in 'npm dedupe'
  • fix(shrinkwrap): always set name on the root node

DOCUMENTATION

• 001f2c1b7 #3621 fix(docs): do not include certain files (@AkiJoey)
• d1812f1a6 #3630 fix(docs): update npm-publish access flag info (@austincho)
• d5a099c7b #3615 fix(readme): add nvm-windows to installers links (@Yash-Singh1)

v7.20.5 (2021-08-05)

DEPENDENCIES

• 44377738e graceful-fs@4.2.8
  • fix: start retrying immediately, stop after 60 seconds

v7.20.4 (2021-08-05)

BUG FIXES

• 6a8086e25 #3463 fix(tests): move more tests to use real npm (@wraithgar)

DEPENDENCIES

• 15fae4941 tar@6.1.6:
  • fix: properly handle top-level files when using strip
  • Avoid an unlikely but theoretically possible redos
  • WriteEntry backpressure
  • fix(unpack): always resume parsing after an entry error
  • fix(unpack): fix hang on large file on open() fail
  • fix: properly prefix hard links
• 745326de0 libnpmexec@2.0.1:
  • Clear progress bar which overlays confirm prompt
• e82bcd4e8 graceful-fs@4.2.7:
  • fix: start retrying immediately, stop after 10 attempts

[github-actions]

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

[npm-robot]

Supersedes #39681

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39602/

[MylesBorins]

LGTM

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/39604/

[lpinca]

Landed in 248f4c3.

[targos]

@nodejs/npm this doesn't land cleanly on v16.x-staging. Can you please backport (if possible, in a way that future updates can be cherry-picked from master)?

[MylesBorins]

@targos I've landed the change in cce95c4

Will double check with team to ensure it is correct (I'm running the update script to ensure the output is expected / consistent)

edit: I've manually confirmed that the release is exactly what is expectd 🎉

[targos]

@MylesBorins awesome, thanks!

[redick-simon]

Hi team,
When we can expect this to be shipped with node 16.x, current npm 7.20.3 has some vulnerability issue due to tar 6.1.0

Please let me know in case we can expect a node release in this week.

Thanks!!

[targos]

Expect a release in the next 24 hours: #39875

[Trott]

Hi team,
When we can expect this to be shipped with node 16.x, current npm 7.20.3 has some vulnerability issue due to tar 6.1.0

Please let me know in case we can expect a node release in this week.

Thanks!!

@redick-simon npm install -g npm will install the updated version on your system. You don't need to wait for a Node.js release to get the update. (You might already know this and you want/need a release with it for a specific use case, in which case this comment is for the benefit of other readers/observers.)

[redick-simon]

Thanks @Trott ! Actually I'm waiting for node docker image free of tar vulnerability issue.