nodejs · npm-robot · Dec 9, 2021
diff --git a/deps/npm/docs/content/configuring-npm/package-json.md b/deps/npm/docs/content/configuring-npm/package-json.md
@@ -871,6 +871,109 @@ if (foo) {
 Entries in `optionalDependencies` will override entries of the same name in
 `dependencies`, so it's usually best to only put in one place.
 
+### overrides
+
+If you need to make specific changes to dependencies of your dependencies, for
+example replacing the version of a dependency with a known security issue,
+replacing an existing dependency with a fork, or making sure that the same
+version of a package is used everywhere, then you may add an override.
+
+Overrides provide a way to replace a package in your dependency tree with
+another version, or another package entirely. These changes can be scoped as
+specific or as vague as desired.
+
+To make sure the package `foo` is always installed as version `1.0.0` no matter
+what version your dependencies rely on:
+
+```json
+{
+  "overrides": {
+    "foo": "1.0.0"
+  }
+}
+```
+
+The above is a short hand notation, the full object form can be used to allow
+overriding a package itself as well as a child of the package. This will cause
+`foo` to always be `1.0.0` while also making `bar` at any depth beyond `foo`
+also `1.0.0`:
+
+```json
+{
+  "overrides": {
+    "foo": {
+      ".": "1.0.0",
+      "bar": "1.0.0"
+    }
+  }
+}
+```
+
+To only override `foo` to be `1.0.0` when it's a child (or grandchild, or great
+grandchild, etc) of the package `bar`:
+
+```json
+{
+  "overrides": {
+    "bar": {
+      "foo": "1.0.0"
+    }
+  }
+}
+```
+
+Keys can be nested to any arbitrary length. To override `foo` only when it's a
+child of `bar` and only when `bar` is a child of `baz`:
+
+```json
+{
+  "overrides": {
+    "baz": {
+      "bar": {
+        "foo": "1.0.0"
+      }
+    }
+  }
+}
+```
+
+The key of an override can also include a version, or range of versions.
+To override `foo` to `1.0.0`, but only when it's a child of `bar@2.0.0`:
+
+```json
+{
+  "overrides": {
+    "bar@2.0.0": {
+      "foo": "1.0.0"
+    }
+  }
+}
+```
+
+You may not set an override for a package that you directly depend on unless
+both the dependency and the override itself share the exact same spec. To make
+this limitation easier to deal with, overrides may also be defined as a
+reference to a spec for a direct dependency by prefixing the name of the
+package you wish the version to match with a `$`.
+
+```json
+{
+  "dependencies": {
+    "foo": "^1.0.0"
+  },
+  "overrides": {
+    // BAD, will throw an EOVERRIDE error
+    // "foo": "^2.0.0"
+    // GOOD, specs match so override is allowed
+    // "foo": "^1.0.0"
+    // BEST, the override is defined as a reference to the dependency
+    "foo": "$foo",
+    // the referenced package does not need to match the overridden one
+    "bar": "$foo"
+  }
+}
+```
+
 ### engines
 
 You can specify the version of node that your stuff works on:

diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html
@@ -160,7 +160,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.2.0 /path/to/npm
+<pre lang="bash"><code>npm@8.3.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
@@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <pre lang="bash"><code>npm &lt;command&gt; [args]
 </code></pre>
 <h3 id="version">Version</h3>
-<p>8.2.0</p>
+<p>8.3.0</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

diff --git a/deps/npm/docs/output/configuring-npm/package-json.html b/deps/npm/docs/output/configuring-npm/package-json.html
@@ -142,7 +142,7 @@ <h1 id="packagejson">package.json</h1>
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#name">name</a></li><li><a href="#version">version</a></li><li><a href="#description2">description</a></li><li><a href="#keywords">keywords</a></li><li><a href="#homepage">homepage</a></li><li><a href="#bugs">bugs</a></li><li><a href="#license">license</a></li><li><a href="#people-fields-author-contributors">people fields: author, contributors</a></li><li><a href="#funding">funding</a></li><li><a href="#files">files</a></li><li><a href="#main">main</a></li><li><a href="#browser">browser</a></li><li><a href="#bin">bin</a></li><li><a href="#man">man</a></li><li><a href="#directories">directories</a></li><ul><li><a href="#directoriesbin">directories.bin</a></li><li><a href="#directoriesman">directories.man</a></li></ul><li><a href="#repository">repository</a></li><li><a href="#scripts">scripts</a></li><li><a href="#config">config</a></li><li><a href="#dependencies">dependencies</a></li><ul><li><a href="#urls-as-dependencies">URLs as Dependencies</a></li><li><a href="#git-urls-as-dependencies">Git URLs as Dependencies</a></li><li><a href="#github-urls">GitHub URLs</a></li><li><a href="#local-paths">Local Paths</a></li></ul><li><a href="#devdependencies">devDependencies</a></li><li><a href="#peerdependencies">peerDependencies</a></li><li><a href="#peerdependenciesmeta">peerDependenciesMeta</a></li><li><a href="#bundleddependencies">bundledDependencies</a></li><li><a href="#optionaldependencies">optionalDependencies</a></li><li><a href="#engines">engines</a></li><li><a href="#os">os</a></li><li><a href="#cpu">cpu</a></li><li><a href="#private">private</a></li><li><a href="#publishconfig">publishConfig</a></li><li><a href="#workspaces">workspaces</a></li><li><a href="#default-values">DEFAULT VALUES</a></li><li><a href="#see-also">SEE ALSO</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#name">name</a></li><li><a href="#version">version</a></li><li><a href="#description2">description</a></li><li><a href="#keywords">keywords</a></li><li><a href="#homepage">homepage</a></li><li><a href="#bugs">bugs</a></li><li><a href="#license">license</a></li><li><a href="#people-fields-author-contributors">people fields: author, contributors</a></li><li><a href="#funding">funding</a></li><li><a href="#files">files</a></li><li><a href="#main">main</a></li><li><a href="#browser">browser</a></li><li><a href="#bin">bin</a></li><li><a href="#man">man</a></li><li><a href="#directories">directories</a></li><ul><li><a href="#directoriesbin">directories.bin</a></li><li><a href="#directoriesman">directories.man</a></li></ul><li><a href="#repository">repository</a></li><li><a href="#scripts">scripts</a></li><li><a href="#config">config</a></li><li><a href="#dependencies">dependencies</a></li><ul><li><a href="#urls-as-dependencies">URLs as Dependencies</a></li><li><a href="#git-urls-as-dependencies">Git URLs as Dependencies</a></li><li><a href="#github-urls">GitHub URLs</a></li><li><a href="#local-paths">Local Paths</a></li></ul><li><a href="#devdependencies">devDependencies</a></li><li><a href="#peerdependencies">peerDependencies</a></li><li><a href="#peerdependenciesmeta">peerDependenciesMeta</a></li><li><a href="#bundleddependencies">bundledDependencies</a></li><li><a href="#optionaldependencies">optionalDependencies</a></li><li><a href="#overrides">overrides</a></li><li><a href="#engines">engines</a></li><li><a href="#os">os</a></li><li><a href="#cpu">cpu</a></li><li><a href="#private">private</a></li><li><a href="#publishconfig">publishConfig</a></li><li><a href="#workspaces">workspaces</a></li><li><a href="#default-values">DEFAULT VALUES</a></li><li><a href="#see-also">SEE ALSO</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="description">Description</h3>
@@ -800,6 +800,88 @@ <h3 id="optionaldependencies">optionalDependencies</h3>
 </code></pre>
 <p>Entries in <code>optionalDependencies</code> will override entries of the same name in
 <code>dependencies</code>, so it's usually best to only put in one place.</p>
+<h3 id="overrides">overrides</h3>
+<p>If you need to make specific changes to dependencies of your dependencies, for
+example replacing the version of a dependency with a known security issue,
+replacing an existing dependency with a fork, or making sure that the same
+version of a package is used everywhere, then you may add an override.</p>
+<p>Overrides provide a way to replace a package in your dependency tree with
+another version, or another package entirely. These changes can be scoped as
+specific or as vague as desired.</p>
+<p>To make sure the package <code>foo</code> is always installed as version <code>1.0.0</code> no matter
+what version your dependencies rely on:</p>
+<pre lang="json"><code>{
+  "overrides": {
+    "foo": "1.0.0"
+  }
+}
+</code></pre>
+<p>The above is a short hand notation, the full object form can be used to allow
+overriding a package itself as well as a child of the package. This will cause
+<code>foo</code> to always be <code>1.0.0</code> while also making <code>bar</code> at any depth beyond <code>foo</code>
+also <code>1.0.0</code>:</p>
+<pre lang="json"><code>{
+  "overrides": {
+    "foo": {
+      ".": "1.0.0",
+      "bar": "1.0.0"
+    }
+  }
+}
+</code></pre>
+<p>To only override <code>foo</code> to be <code>1.0.0</code> when it's a child (or grandchild, or great
+grandchild, etc) of the package <code>bar</code>:</p>
+<pre lang="json"><code>{
+  "overrides": {
+    "bar": {
+      "foo": "1.0.0"
+    }
+  }
+}
+</code></pre>
+<p>Keys can be nested to any arbitrary length. To override <code>foo</code> only when it's a
+child of <code>bar</code> and only when <code>bar</code> is a child of <code>baz</code>:</p>
+<pre lang="json"><code>{
+  "overrides": {
+    "baz": {
+      "bar": {
+        "foo": "1.0.0"
+      }
+    }
+  }
+}
+</code></pre>
+<p>The key of an override can also include a version, or range of versions.
+To override <code>foo</code> to <code>1.0.0</code>, but only when it's a child of <code>bar@2.0.0</code>:</p>
+<pre lang="json"><code>{
+  "overrides": {
+    "bar@2.0.0": {
+      "foo": "1.0.0"
+    }
+  }
+}
+</code></pre>
+<p>You may not set an override for a package that you directly depend on unless
+both the dependency and the override itself share the exact same spec. To make
+this limitation easier to deal with, overrides may also be defined as a
+reference to a spec for a direct dependency by prefixing the name of the
+package you wish the version to match with a <code>$</code>.</p>
+<pre lang="json"><code>{
+  "dependencies": {
+    "foo": "^1.0.0"
+  },
+  "overrides": {
+    // BAD, will throw an EOVERRIDE error
+    // "foo": "^2.0.0"
+    // GOOD, specs match so override is allowed
+    // "foo": "^1.0.0"
+    // BEST, the override is defined as a reference to the dependency
+    "foo": "$foo",
+    // the referenced package does not need to match the overridden one
+    "bar": "$foo"
+  }
+}
+</code></pre>
 <h3 id="engines">engines</h3>
 <p>You can specify the version of node that your stuff works on:</p>
 <pre lang="json"><code>{

diff --git a/deps/npm/lib/commands/config.js b/deps/npm/lib/commands/config.js
@@ -2,7 +2,7 @@
 const configDefs = require('../utils/config/index.js')
 
 const mkdirp = require('mkdirp-infer-owner')
-const { dirname } = require('path')
+const { dirname, resolve } = require('path')
 const { promisify } = require('util')
 const fs = require('fs')
 const readFile = promisify(fs.readFile)
@@ -11,6 +11,7 @@ const { spawn } = require('child_process')
 const { EOL } = require('os')
 const ini = require('ini')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
+const rpj = require('read-package-json-fast')
 const log = require('../utils/log-shim.js')
 
 // take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
@@ -28,7 +29,17 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = k => !/^(\/\/[^:]+:)?_/.test(k)
+const publicVar = k => {
+  // _password
+  if (k.startsWith('_')) {
+    return false
+  }
+  // //localhost:8080/:_password
+  if (k.startsWith('//') && k.includes(':_')) {
+    return false
+  }
+  return true
+}
 
 const BaseCommand = require('../base-command.js')
 class Config extends BaseCommand {
@@ -147,7 +158,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       if (!publicVar(key)) {
-        throw `The ${key} option is protected, and cannot be retrieved in this way`
+        throw new Error(`The ${key} option is protected, and cannot be retrieved in this way`)
       }
 
       const pref = keys.length > 1 ? `${key}=` : ''
@@ -257,6 +268,23 @@ ${defData}
         `; HOME = ${process.env.HOME}`,
         '; Run `npm config ls -l` to show all defaults.'
       )
+      msg.push('')
+    }
+
+    if (!this.npm.config.get('global')) {
+      const pkgPath = resolve(this.npm.prefix, 'package.json')
+      const pkg = await rpj(pkgPath).catch(() => ({}))
+
+      if (pkg.publishConfig) {
+        msg.push(`; "publishConfig" from ${pkgPath}`)
+        msg.push('; This set of config values will be used at publish-time.', '')
+        const pkgKeys = Object.keys(pkg.publishConfig).sort(localeCompare)
+        for (const k of pkgKeys) {
+          const v = publicVar(k) ? JSON.stringify(pkg.publishConfig[k]) : '(protected)'
+          msg.push(`${k} = ${v}`)
+        }
+        msg.push('')
+      }
     }
 
     this.npm.output(msg.join('\n').trim())

diff --git a/deps/npm/lib/commands/publish.js b/deps/npm/lib/commands/publish.js
@@ -104,11 +104,15 @@ class Publish extends BaseCommand {
       const resolved = npa.resolve(manifest.name, manifest.version)
       const registry = npmFetch.pickRegistry(resolved, opts)
       const creds = this.npm.config.getCredentialsByURI(registry)
+      const outputRegistry = replaceInfo(registry)
       if (!creds.token && !creds.username) {
-        throw Object.assign(new Error('This command requires you to be logged in.'), {
-          code: 'ENEEDAUTH',
-        })
+        throw Object.assign(
+          new Error(`This command requires you to be logged in to ${outputRegistry}`), {
+            code: 'ENEEDAUTH',
+          }
+        )
       }
+      log.notice('', `Publishing to ${outputRegistry}`)
       await otplease(opts, opts => libpub(manifest, tarballData, opts))
     }
 

diff --git a/deps/npm/lib/utils/exit-handler.js b/deps/npm/lib/utils/exit-handler.js
@@ -116,6 +116,7 @@ const exitHandler = err => {
       exitCode = err.code
       noLogMessage = true
     } else if (typeof err === 'string') {
+      // XXX: we should stop throwing strings
       log.error('', err)
       noLogMessage = true
     } else if (!(err instanceof Error)) {