deps: upgrade npm to 8.19.1

deps/npm/docs/content/commands/npm-access.md

@@ -35,29 +35,28 @@ For all of the subcommands, `npm access` will perform actions on the packages
 in the current working directory if no package name is passed to the
 subcommand.
 
-* public / restricted:
+* public / restricted (deprecated):
   Set a package to be either publicly accessible or restricted.
 
-* grant / revoke:
+* grant / revoke (deprecated):
   Add or remove the ability of users and teams to have read-only or read-write
   access to a package.
 
-* 2fa-required / 2fa-not-required:
+* 2fa-required / 2fa-not-required (deprecated):
   Configure whether a package requires that anyone publishing it have two-factor
   authentication enabled on their account.
 
-* ls-packages:
+* ls-packages (deprecated):
   Show all of the packages a user or a team is able to access, along with the
   access level, except for read-only public packages (it won't print the whole
   registry listing)
 
-* ls-collaborators:
+* ls-collaborators (deprecated):
   Show all of the access privileges for a package. Will only show permissions
   for packages to which you have at least read access. If `<user>` is passed in,
   the list is filtered only to teams _that_ user happens to belong to.
 
-* edit:
-  Set the access privileges for a package at once using `$EDITOR`.
+* edit (not implemented)
 
 ### Details
 

deps/npm/docs/content/commands/npm-query.md

@@ -232,4 +232,4 @@ This value is not exported to the environment for child processes.
 <!-- AUTOGENERATED CONFIG DESCRIPTIONS END -->
 ## See Also
 
-* [dependency selector](/using-npm/dependency-selector)
+* [dependency selectors](/using-npm/dependency-selectors)

deps/npm/docs/content/configuring-npm/npmrc.md

@@ -91,6 +91,34 @@ consistent across updates.  Set fields in here using the `./configure`
 script that comes with npm.  This is primarily for distribution maintainers
 to override default configs in a standard and consistent manner.
 
+### Auth related configuration
+
+The settings `_auth`, `_authToken`, `username` and `_password` must all be
+scoped to a specific registry. This ensures that `npm` will never send
+credentials to the wrong host.
+
+In order to scope these values, they must be prefixed by a URI fragment.
+If the credential is meant for any request to a registry on a single host,
+the scope may look like `//registry.npmjs.org/:`. If it must be scoped to a
+specific path on the host that path may also be provided, such as
+`//my-custom-registry.org/unique/path:`.
+
+```
+; bad config
+_authToken=MYTOKEN
+
+; good config
+@myorg:registry=https://somewhere-else.com/myorg
+@another:registry=https://somewhere-else.com/another
+//registry.npmjs.org/:_authToken=MYTOKEN
+; would apply to both @myorg and @another
+; //somewhere-else.com/:_authToken=MYTOKEN
+; would apply only to @myorg
+//somewhere-else.com/myorg/:_authToken=MYTOKEN1
+; would apply only to @another
+//somewhere-else.com/another/:_authToken=MYTOKEN2
+```
+
 ### See also
 
 * [npm folders](/configuring-npm/folders)

deps/npm/docs/content/using-npm/dependency-selectors.md

@@ -144,7 +144,7 @@ const arb = new Arborist({})
 
 ```js
 // root-level
-arb.loadActual((tree) => {
+arb.loadActual().then(async (tree) => {
   // query all production dependencies
   const results = await tree.querySelectorAll('.prod')
   console.log(results)
@@ -153,7 +153,7 @@ arb.loadActual((tree) => {
 
 ```js
 // iterative
-arb.loadActual((tree) => {
+arb.loadActual().then(async (tree) => {
   // query for the deduped version of react
   const results = await tree.querySelectorAll('#react:not(:deduped)')
   // query the deduped react for git deps

deps/npm/docs/output/commands/npm-access.html

@@ -169,34 +169,33 @@ <h3 id="description">Description</h3>
 subcommand.</p>
 <ul>
 <li>
-<p>public / restricted:
+<p>public / restricted (deprecated):
 Set a package to be either publicly accessible or restricted.</p>
 </li>
 <li>
-<p>grant / revoke:
+<p>grant / revoke (deprecated):
 Add or remove the ability of users and teams to have read-only or read-write
 access to a package.</p>
 </li>
 <li>
-<p>2fa-required / 2fa-not-required:
+<p>2fa-required / 2fa-not-required (deprecated):
 Configure whether a package requires that anyone publishing it have two-factor
 authentication enabled on their account.</p>
 </li>
 <li>
-<p>ls-packages:
+<p>ls-packages (deprecated):
 Show all of the packages a user or a team is able to access, along with the
 access level, except for read-only public packages (it won't print the whole
 registry listing)</p>
 </li>
 <li>
-<p>ls-collaborators:
+<p>ls-collaborators (deprecated):
 Show all of the access privileges for a package. Will only show permissions
 for packages to which you have at least read access. If <code>&lt;user&gt;</code> is passed in,
 the list is filtered only to teams <em>that</em> user happens to belong to.</p>
 </li>
 <li>
-<p>edit:
-Set the access privileges for a package at once using <code>$EDITOR</code>.</p>
+<p>edit (not implemented)</p>
 </li>
 </ul>
 <h3 id="details">Details</h3>

deps/npm/docs/output/commands/npm-ls.html

@@ -166,7 +166,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.18.0 /path/to/npm
+<pre lang="bash"><code>npm@8.19.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

deps/npm/docs/output/commands/npm-query.html

@@ -344,7 +344,7 @@ <h4 id="include-workspace-root"><code>include-workspace-root</code></h4>
 <!-- raw HTML omitted -->
 <h2 id="see-also">See Also</h2>
 <ul>
-<li><a href="../using-npm/dependency-selector.html">dependency selector</a></li>
+<li><a href="../using-npm/dependency-selectors.html">dependency selectors</a></li>
 </ul>
 </div>
 

deps/npm/docs/output/commands/npm.html

@@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h3 id="version">Version</h3>
-<p>8.18.0</p>
+<p>8.19.1</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/npmrc.html

@@ -142,7 +142,7 @@ <h1 id="npmrc">npmrc</h1>
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#files">Files</a></li><ul><li><a href="#comments">Comments</a></li><li><a href="#per-project-config-file">Per-project config file</a></li><li><a href="#per-user-config-file">Per-user config file</a></li><li><a href="#global-config-file">Global config file</a></li><li><a href="#built-in-config-file">Built-in config file</a></li></ul><li><a href="#see-also">See also</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#files">Files</a></li><ul><li><a href="#comments">Comments</a></li><li><a href="#per-project-config-file">Per-project config file</a></li><li><a href="#per-user-config-file">Per-user config file</a></li><li><a href="#global-config-file">Global config file</a></li><li><a href="#built-in-config-file">Built-in config file</a></li></ul><li><a href="#auth-related-configuration">Auth related configuration</a></li><li><a href="#see-also">See also</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="description">Description</h3>
@@ -204,6 +204,29 @@ <h4 id="built-in-config-file">Built-in config file</h4>
 consistent across updates.  Set fields in here using the <code>./configure</code>
 script that comes with npm.  This is primarily for distribution maintainers
 to override default configs in a standard and consistent manner.</p>
+<h3 id="auth-related-configuration">Auth related configuration</h3>
+<p>The settings <code>_auth</code>, <code>_authToken</code>, <code>username</code> and <code>_password</code> must all be
+scoped to a specific registry. This ensures that <code>npm</code> will never send
+credentials to the wrong host.</p>
+<p>In order to scope these values, they must be prefixed by a URI fragment.
+If the credential is meant for any request to a registry on a single host,
+the scope may look like <code>//registry.npmjs.org/:</code>. If it must be scoped to a
+specific path on the host that path may also be provided, such as
+<code>//my-custom-registry.org/unique/path:</code>.</p>
+<pre><code>; bad config
+_authToken=MYTOKEN
+
+; good config
+@myorg:registry=https://somewhere-else.com/myorg
+@another:registry=https://somewhere-else.com/another
+//registry.npmjs.org/:_authToken=MYTOKEN
+; would apply to both @myorg and @another
+; //somewhere-else.com/:_authToken=MYTOKEN
+; would apply only to @myorg
+//somewhere-else.com/myorg/:_authToken=MYTOKEN1
+; would apply only to @another
+//somewhere-else.com/another/:_authToken=MYTOKEN2
+</code></pre>
 <h3 id="see-also">See also</h3>
 <ul>
 <li><a href="../configuring-npm/folders.html">npm folders</a></li>

deps/npm/docs/output/using-npm/dependency-selectors.html

@@ -264,14 +264,14 @@ <h3 id="programmatic-usage">Programmatic Usage</h3>
 const arb = new Arborist({})
 </code></pre>
 <pre lang="js"><code>// root-level
-arb.loadActual((tree) =&gt; {
+arb.loadActual().then(async (tree) =&gt; {
   // query all production dependencies
   const results = await tree.querySelectorAll('.prod')
   console.log(results)
 })
 </code></pre>
 <pre lang="js"><code>// iterative
-arb.loadActual((tree) =&gt; {
+arb.loadActual().then(async (tree) =&gt; {
   // query for the deduped version of react
   const results = await tree.querySelectorAll('#react:not(:deduped)')
   // query the deduped react for git deps

deps/npm/lib/commands/access.js

@@ -5,6 +5,7 @@ const readPackageJson = require('read-package-json-fast')
 
 const otplease = require('../utils/otplease.js')
 const getIdentity = require('../utils/get-identity.js')
+const log = require('../utils/log-shim.js')
 const BaseCommand = require('../base-command.js')
 
 const subcommands = [
@@ -19,6 +20,15 @@ const subcommands = [
   '2fa-not-required',
 ]
 
+const deprecated = [
+  '2fa-not-required',
+  '2fa-required',
+  'ls-collaborators',
+  'ls-packages',
+  'public',
+  'restricted',
+]
+
 class Access extends BaseCommand {
   static description = 'Set access level on published packages'
   static name = 'access'
@@ -78,6 +88,10 @@ class Access extends BaseCommand {
       throw this.usageError(`${cmd} is not a recognized subcommand.`)
     }
 
+    if (deprecated.includes(cmd)) {
+      log.warn('access', `${cmd} subcommand will be removed in the next version of npm`)
+    }
+
     return this[cmd](args, {
       ...this.npm.flatOptions,
     })
@@ -175,7 +189,7 @@ class Access extends BaseCommand {
   }
 
   async edit () {
-    throw new Error('edit subcommand is not implemented yet')
+    throw new Error('edit subcommand is not implemented')
   }
 
   modifyPackage (pkg, opts, fn, requireScope = true) {

deps/npm/lib/commands/audit.js

@@ -178,11 +178,12 @@ class VerifySignatures {
     let name = edge.name
     try {
       name = npa(edge.spec).subSpec.name
-    } catch (_) {
+    } catch {
+      // leave it as edge.name
     }
     try {
       return npa(`${name}@${edge.spec}`)
-    } catch (_) {
+    } catch {
       // Skip packages with invalid spec
     }
   }

deps/npm/lib/commands/edit.js

@@ -58,11 +58,16 @@ class Edit extends BaseCommand {
         }
         const [bin, ...args] = this.npm.config.get('editor').split(/\s+/)
         const editor = cp.spawn(bin, [...args, dir], { stdio: 'inherit' })
-        editor.on('exit', (code) => {
+        editor.on('exit', async (code) => {
           if (code) {
             return reject(new Error(`editor process exited with code: ${code}`))
           }
-          this.npm.exec('rebuild', [dir]).catch(reject).then(resolve)
+          try {
+            await this.npm.exec('rebuild', [dir])
+          } catch (err) {
+            reject(err)
+          }
+          resolve()
         })
       })
     })