.release-please-manifest.json

@@ -1,14 +1,14 @@
 {
-  ".": "9.0.0",
-  "workspaces/arborist": "6.0.0",
+  ".": "9.0.1",
+  "workspaces/arborist": "6.1.0",
   "workspaces/libnpmaccess": "7.0.0",
-  "workspaces/libnpmdiff": "5.0.0",
-  "workspaces/libnpmexec": "5.0.0",
-  "workspaces/libnpmfund": "4.0.0",
+  "workspaces/libnpmdiff": "5.0.1",
+  "workspaces/libnpmexec": "5.0.1",
+  "workspaces/libnpmfund": "4.0.1",
   "workspaces/libnpmhook": "9.0.0",
   "workspaces/libnpmorg": "5.0.0",
-  "workspaces/libnpmpack": "5.0.0",
-  "workspaces/libnpmpublish": "7.0.0",
+  "workspaces/libnpmpack": "5.0.1",
+  "workspaces/libnpmpublish": "7.0.1",
   "workspaces/libnpmsearch": "6.0.0",
   "workspaces/libnpmteam": "5.0.0",
   "workspaces/libnpmversion": "4.0.0"

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [9.0.1](https://github.com/npm/cli/compare/v9.0.0...v9.0.1) (2022-10-26)
+
+### Documentation
+
+* [`b5fadd0`](https://github.com/npm/cli/commit/b5fadd0cec392f4bf6d60fa1358f96400be94667) [#5742](https://github.com/npm/cli/pull/5742) Better npx link (#5742) (@mrienstra)
+
+### Dependencies
+
+* [`de6618e`](https://github.com/npm/cli/commit/de6618e93182ba00b4be516db1efb3c51efa17ba) [#5757](https://github.com/npm/cli/pull/5757) `@npmcli/promise-spawn@5.0.0` (#5757)
+* [`5625274`](https://github.com/npm/cli/commit/562527456d3862d871d042fa4ff6e38354e320ea) [#5755](https://github.com/npm/cli/pull/5755) `hosted-git-info@6.1.0` (#5755)
+* [`32bdd68`](https://github.com/npm/cli/commit/32bdd686ccf826050075e770ffddf7401efa79c9) [#5754](https://github.com/npm/cli/pull/5754) `npm-packlist@7.0.2` (#5754)
+* [Workspace](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0): `@npmcli/arborist@6.1.0`
+* [Workspace](https://github.com/npm/cli/compare/libnpmdiff-v5.0.0...libnpmdiff-v5.0.1): `libnpmdiff@5.0.1`
+* [Workspace](https://github.com/npm/cli/compare/libnpmexec-v5.0.0...libnpmexec-v5.0.1): `libnpmexec@5.0.1`
+* [Workspace](https://github.com/npm/cli/compare/libnpmfund-v4.0.0...libnpmfund-v4.0.1): `libnpmfund@4.0.1`
+* [Workspace](https://github.com/npm/cli/compare/libnpmpack-v5.0.0...libnpmpack-v5.0.1): `libnpmpack@5.0.1`
+* [Workspace](https://github.com/npm/cli/compare/libnpmpublish-v7.0.0...libnpmpublish-v7.0.1): `libnpmpublish@7.0.1`
+
 ## [9.0.0](https://github.com/npm/cli/compare/v9.0.0-pre.6...v9.0.0) (2022-10-19)
 
 ### Features

DEPENDENCIES.md

@@ -207,7 +207,6 @@ graph LR;
   npmcli-metavuln-calculator-->pacote;
   npmcli-metavuln-calculator-->semver;
   npmcli-package-json-->json-parse-even-better-errors;
-  npmcli-promise-spawn-->infer-owner;
   npmcli-run-script-->npmcli-node-gyp["@npmcli/node-gyp"];
   npmcli-run-script-->npmcli-promise-spawn["@npmcli/promise-spawn"];
   npmcli-run-script-->read-package-json-fast;
@@ -870,7 +869,6 @@ graph LR;
   npmcli-move-file-->mkdirp;
   npmcli-move-file-->rimraf;
   npmcli-package-json-->json-parse-even-better-errors;
-  npmcli-promise-spawn-->infer-owner;
   npmcli-query-->postcss-selector-parser;
   npmcli-run-script-->node-gyp;
   npmcli-run-script-->npmcli-node-gyp["@npmcli/node-gyp"];
@@ -1102,5 +1100,5 @@ packages higher up the chain.
  - npm-registry-fetch, libnpmversion
  - @npmcli/git, make-fetch-happen, @npmcli/config, init-package-json
  - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, npm-pick-manifest, @npmcli/run-script, read-package-json, readdir-scoped-modules, promzard
- - @npmcli/docs, npm-bundled, read-package-json-fast, @npmcli/fs, unique-filename, @npmcli/promise-spawn, npm-install-checks, npm-package-arg, npm-packlist, normalize-package-data, @npmcli/package-json, bin-links, nopt, npmlog, parse-conflict-json, dezalgo, read
- - ignore-walk, @npmcli/eslint-config, @npmcli/template-oss, npm-normalize-package-bin, @npmcli/name-from-folder, json-parse-even-better-errors, semver, @npmcli/move-file, fs-minipass, ssri, unique-slug, infer-owner, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/node-gyp, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, are-we-there-yet, gauge, wrappy, treeverse, minify-registry-metadata, @npmcli/disparity-colors, @npmcli/ci-detect, mute-stream, ini, npm-audit-report, npm-user-validate
+ - @npmcli/docs, npm-bundled, read-package-json-fast, @npmcli/fs, unique-filename, npm-install-checks, npm-package-arg, npm-packlist, normalize-package-data, @npmcli/package-json, bin-links, nopt, npmlog, parse-conflict-json, dezalgo, read
+ - ignore-walk, @npmcli/eslint-config, @npmcli/template-oss, npm-normalize-package-bin, @npmcli/name-from-folder, json-parse-even-better-errors, semver, @npmcli/move-file, fs-minipass, ssri, unique-slug, @npmcli/promise-spawn, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/node-gyp, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, are-we-there-yet, gauge, wrappy, treeverse, minify-registry-metadata, @npmcli/disparity-colors, @npmcli/ci-detect, mute-stream, ini, npm-audit-report, npm-user-validate

lib/commands/init.js

@@ -103,7 +103,7 @@ class Init extends BaseCommand {
         throw Object.assign(new Error(
           'Unrecognized initializer: ' + initerName +
           '\nFor more package binary executing power check out `npx`:' +
-          '\nhttps://www.npmjs.com/package/npx'
+          '\nhttps://docs.npmjs.com/cli/commands/npx'
         ), { code: 'EUNSUPPORTED' })
       }
     }

node_modules/@npmcli/git/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/git",
-  "version": "4.0.1",
+  "version": "4.0.2",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -32,14 +32,14 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.5.1",
-    "npm-package-arg": "^9.1.0",
+    "@npmcli/template-oss": "4.7.1",
+    "npm-package-arg": "^10.0.0",
     "rimraf": "^3.0.2",
     "slash": "^3.0.0",
     "tap": "^16.0.1"
   },
   "dependencies": {
-    "@npmcli/promise-spawn": "^4.0.0",
+    "@npmcli/promise-spawn": "^5.0.0",
     "lru-cache": "^7.4.4",
     "mkdirp": "^1.0.4",
     "npm-pick-manifest": "^8.0.0",
@@ -55,6 +55,6 @@
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
     "windowsCI": false,
-    "version": "4.5.1"
+    "version": "4.7.1"
   }
 }

node_modules/@npmcli/installed-package-contents/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@npmcli/installed-package-contents",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Get the list of files installed in a package in node_modules, including bundled dependencies",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
   "bin": {
-    "installed-package-contents": "index.js"
+    "installed-package-contents": "lib/index.js"
   },
   "license": "ISC",
   "scripts": {
@@ -19,7 +19,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.5.1",
+    "@npmcli/template-oss": "4.6.2",
     "mkdirp": "^1.0.4",
     "require-inject": "^1.4.4",
     "tap": "^16.3.0"
@@ -41,7 +41,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.5.1"
+    "version": "4.6.2"
   },
   "tap": {
     "nyc-arg": [

node_modules/@npmcli/promise-spawn/lib/index.js

@@ -1,5 +1,4 @@
 const { spawn } = require('child_process')
-const inferOwner = require('infer-owner')
 
 const isPipe = (stdio = 'pipe', fd) =>
   stdio === 'pipe' || stdio === null ? true
@@ -8,28 +7,6 @@ const isPipe = (stdio = 'pipe', fd) =>
 
 // 'extra' object is for decorating the error a bit more
 const promiseSpawn = (cmd, args, opts = {}, extra = {}) => {
-  const cwd = opts.cwd || process.cwd()
-  const isRoot = process.getuid && process.getuid() === 0
-  const { uid, gid } = isRoot ? inferOwner.sync(cwd) : {}
-  return promiseSpawnUid(cmd, args, {
-    ...opts,
-    cwd,
-    uid,
-    gid,
-  }, extra)
-}
-
-const stdioResult = (stdout, stderr, { stdioString, stdio }) =>
-  stdioString ? {
-    stdout: isPipe(stdio, 1) ? Buffer.concat(stdout).toString() : null,
-    stderr: isPipe(stdio, 2) ? Buffer.concat(stderr).toString() : null,
-  }
-  : {
-    stdout: isPipe(stdio, 1) ? Buffer.concat(stdout) : null,
-    stderr: isPipe(stdio, 2) ? Buffer.concat(stderr) : null,
-  }
-
-const promiseSpawnUid = (cmd, args, opts, extra) => {
   let proc
   const p = new Promise((res, rej) => {
     proc = spawn(cmd, args, opts)
@@ -72,4 +49,14 @@ const promiseSpawnUid = (cmd, args, opts, extra) => {
   return p
 }
 
+const stdioResult = (stdout, stderr, { stdioString, stdio }) =>
+  stdioString ? {
+    stdout: isPipe(stdio, 1) ? Buffer.concat(stdout).toString().trim() : null,
+    stderr: isPipe(stdio, 2) ? Buffer.concat(stderr).toString().trim() : null,
+  }
+  : {
+    stdout: isPipe(stdio, 1) ? Buffer.concat(stdout) : null,
+    stderr: isPipe(stdio, 2) ? Buffer.concat(stderr) : null,
+  }
+
 module.exports = promiseSpawn

node_modules/@npmcli/promise-spawn/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/promise-spawn",
-  "version": "4.0.0",
+  "version": "5.0.0",
   "files": [
     "bin/",
     "lib/"
@@ -31,8 +31,8 @@
     ]
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "4.5.1",
+    "@npmcli/eslint-config": "^4.0.0",
+    "@npmcli/template-oss": "4.7.1",
     "minipass": "^3.1.1",
     "tap": "^16.0.1"
   },
@@ -41,9 +41,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.5.1"
-  },
-  "dependencies": {
-    "infer-owner": "^1.0.4"
+    "version": "4.7.1"
   }
 }

node_modules/@npmcli/run-script/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/run-script",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
   "author": "GitHub Inc.",
   "license": "ISC",
@@ -16,14 +16,14 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.5.1",
+    "@npmcli/template-oss": "4.7.1",
     "minipass": "^3.1.6",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
   },
   "dependencies": {
     "@npmcli/node-gyp": "^3.0.0",
-    "@npmcli/promise-spawn": "^4.0.0",
+    "@npmcli/promise-spawn": "^5.0.0",
     "node-gyp": "^9.0.0",
     "read-package-json-fast": "^3.0.0",
     "which": "^2.0.2"
@@ -42,7 +42,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.5.1"
+    "version": "4.7.1"
   },
   "tap": {
     "nyc-arg": [

node_modules/hosted-git-info/lib/from-url.js

@@ -1,44 +1,6 @@
 'use strict'
 
-const url = require('url')
-
-const safeUrl = (u) => {
-  try {
-    return new url.URL(u)
-  } catch {
-    // this fn should never throw
-  }
-}
-
-const lastIndexOfBefore = (str, char, beforeChar) => {
-  const startPosition = str.indexOf(beforeChar)
-  return str.lastIndexOf(char, startPosition > -1 ? startPosition : Infinity)
-}
-
-// accepts input like git:github.com:user/repo and inserts the // after the first :
-const correctProtocol = (arg, protocols) => {
-  const firstColon = arg.indexOf(':')
-  const proto = arg.slice(0, firstColon + 1)
-  if (Object.prototype.hasOwnProperty.call(protocols, proto)) {
-    return arg
-  }
-
-  const firstAt = arg.indexOf('@')
-  if (firstAt > -1) {
-    if (firstAt > firstColon) {
-      return `git+ssh://${arg}`
-    } else {
-      return arg
-    }
-  }
-
-  const doubleSlash = arg.indexOf('//')
-  if (doubleSlash === firstColon + 1) {
-    return arg
-  }
-
-  return `${arg.slice(0, firstColon + 1)}//${arg.slice(firstColon + 1)}`
-}
+const parseUrl = require('./parse-url')
 
 // look for github shorthand inputs, such as npm/cli
 const isGitHubShorthand = (arg) => {
@@ -71,49 +33,13 @@ const isGitHubShorthand = (arg) => {
     secondSlashOnlyAfterHash
 }
 
-// attempt to correct an scp style url so that it will parse with `new URL()`
-const correctUrl = (giturl) => {
-  // ignore @ that come after the first hash since the denotes the start
-  // of a committish which can contain @ characters
-  const firstAt = lastIndexOfBefore(giturl, '@', '#')
-  // ignore colons that come after the hash since that could include colons such as:
-  // git@github.com:user/package-2#semver:^1.0.0
-  const lastColonBeforeHash = lastIndexOfBefore(giturl, ':', '#')
-
-  if (lastColonBeforeHash > firstAt) {
-    // the last : comes after the first @ (or there is no @)
-    // like it would in:
-    // proto://hostname.com:user/repo
-    // username@hostname.com:user/repo
-    // :password@hostname.com:user/repo
-    // username:password@hostname.com:user/repo
-    // proto://username@hostname.com:user/repo
-    // proto://:password@hostname.com:user/repo
-    // proto://username:password@hostname.com:user/repo
-    // then we replace the last : with a / to create a valid path
-    giturl = giturl.slice(0, lastColonBeforeHash) + '/' + giturl.slice(lastColonBeforeHash + 1)
-  }
-
-  if (lastIndexOfBefore(giturl, ':', '#') === -1 && giturl.indexOf('//') === -1) {
-    // we have no : at all
-    // as it would be in:
-    // username@hostname.com/user/repo
-    // then we prepend a protocol
-    giturl = `git+ssh://${giturl}`
-  }
-
-  return giturl
-}
-
 module.exports = (giturl, opts, { gitHosts, protocols }) => {
   if (!giturl) {
     return
   }
 
-  const correctedUrl = isGitHubShorthand(giturl)
-    ? `github:${giturl}`
-    : correctProtocol(giturl, protocols)
-  const parsed = safeUrl(correctedUrl) || safeUrl(correctUrl(correctedUrl))
+  const correctedUrl = isGitHubShorthand(giturl) ? `github:${giturl}` : giturl
+  const parsed = parseUrl(correctedUrl, protocols)
   if (!parsed) {
     return
   }

node_modules/hosted-git-info/lib/index.js

@@ -3,6 +3,8 @@
 const LRU = require('lru-cache')
 const hosts = require('./hosts.js')
 const fromUrl = require('./from-url.js')
+const parseUrl = require('./parse-url.js')
+const getProtocols = require('./protocols.js')
 
 const cache = new LRU({ max: 1000 })
 
@@ -20,15 +22,7 @@ class GitHost {
   }
 
   static #gitHosts = { byShortcut: {}, byDomain: {} }
-  static #protocols = {
-    'git+ssh:': { name: 'sshurl' },
-    'ssh:': { name: 'sshurl' },
-    'git+https:': { name: 'https', auth: true },
-    'git:': { auth: true },
-    'http:': { auth: true },
-    'https:': { auth: true },
-    'git+http:': { auth: true },
-  }
+  static #protocols = getProtocols()
 
   static addHost (name, host) {
     GitHost.#gitHosts[name] = host
@@ -55,6 +49,10 @@ class GitHost {
     return cache.get(key)
   }
 
+  static parseUrl (url) {
+    return parseUrl(url)
+  }
+
   #fill (template, opts) {
     if (typeof template !== 'function') {
       return null

package.json

@@ -1,5 +1,5 @@
 {
-  "version": "9.0.0",
+  "version": "9.0.1",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -56,7 +56,7 @@
   },
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
-    "@npmcli/arborist": "^6.0.0",
+    "@npmcli/arborist": "^6.1.0",
     "@npmcli/ci-detect": "^3.0.0",
     "@npmcli/config": "^6.0.1",
     "@npmcli/map-workspaces": "^3.0.0",
@@ -73,19 +73,19 @@
     "fs-minipass": "^2.1.0",
     "glob": "^8.0.1",
     "graceful-fs": "^4.2.10",
-    "hosted-git-info": "^6.0.0",
+    "hosted-git-info": "^6.1.0",
     "ini": "^3.0.1",
     "init-package-json": "^4.0.1",
     "is-cidr": "^4.0.2",
     "json-parse-even-better-errors": "^3.0.0",
     "libnpmaccess": "^7.0.0",
-    "libnpmdiff": "^5.0.0",
-    "libnpmexec": "^5.0.0",
-    "libnpmfund": "^4.0.0",
+    "libnpmdiff": "^5.0.1",
+    "libnpmexec": "^5.0.1",
+    "libnpmfund": "^4.0.1",
     "libnpmhook": "^9.0.0",
     "libnpmorg": "^5.0.0",
-    "libnpmpack": "^5.0.0",
-    "libnpmpublish": "^7.0.0",
+    "libnpmpack": "^5.0.1",
+    "libnpmpublish": "^7.0.1",
     "libnpmsearch": "^6.0.0",
     "libnpmteam": "^5.0.0",
     "libnpmversion": "^4.0.0",
@@ -202,7 +202,7 @@
     "@npmcli/docs": "^1.0.0",
     "@npmcli/eslint-config": "^4.0.0",
     "@npmcli/git": "^4.0.1",
-    "@npmcli/promise-spawn": "^4.0.0",
+    "@npmcli/promise-spawn": "^5.0.0",
     "@npmcli/template-oss": "4.6.2",
     "licensee": "^8.2.0",
     "nock": "^13.2.4",

smoke-tests/package.json

@@ -19,7 +19,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/promise-spawn": "^4.0.0",
+    "@npmcli/promise-spawn": "^5.0.0",
     "@npmcli/template-oss": "4.6.2",
     "minify-registry-metadata": "^2.2.0",
     "rimraf": "^3.0.2",

smoke-tests/tap-snapshots/test/index.js.test.cjs

@@ -39,7 +39,6 @@ More configuration info: npm help config
 Configuration fields: npm help 7 config
 
 npm {CWD}
-
 `
 
 exports[`test/index.js TAP npm ci > should throw mismatch deps in lock file error 1`] = `
@@ -70,7 +69,6 @@ npm ERR! Run "npm help ci" for more info
 
 npm ERR! A complete log of this run can be found in:
 
-
 `
 
 exports[`test/index.js TAP npm diff > should have expected diff output 1`] = `
@@ -325,22 +323,18 @@ index v1.0.4..v1.1.1
 +function lexSort (a, b) {
 +  return a === b ? 0 : a > b ? 1 : -1
 +}
-
 `
 
 exports[`test/index.js TAP npm explain > should have expected explain output 1`] = `
 abbrev@1.0.4
 node_modules/abbrev
   abbrev@"^1.0.4" from the root project
-
 `
 
 exports[`test/index.js TAP npm fund > should have expected fund output 1`] = `
 project@1.0.0
 \`-- https://github.com/sponsors/isaacs
     \`-- promise-all-reject-late@1.0.1
-
-
 `
 
 exports[`test/index.js TAP npm init > should have successful npm init result 1`] = `
@@ -358,9 +352,6 @@ Wrote to {CWD}/smoke-tests/test/tap-testdir-index/project/package.json:
   "author": "",
   "license": "ISC"
 }
-
-
-
 `
 
 exports[`test/index.js TAP npm install dev dep > should have expected dev dep added lockfile result 1`] = `
@@ -423,18 +414,14 @@ exports[`test/index.js TAP npm install dev dep > should have expected dev dep ad
 `
 
 exports[`test/index.js TAP npm install dev dep > should have expected dev dep added reify output 1`] = `
-
 added 1 package 
 
 1 package is looking for funding
   run \`npm fund\` for details
-
 `
 
 exports[`test/index.js TAP npm install prodDep@version > should have expected install reify output 1`] = `
-
 added 1 package 
-
 `
 
 exports[`test/index.js TAP npm install prodDep@version > should have expected lockfile result 1`] = `
@@ -485,14 +472,11 @@ exports[`test/index.js TAP npm ls > should have expected ls output 1`] = `
 project@1.0.0 {CWD}/smoke-tests/test/tap-testdir-index/project
 +-- abbrev@1.0.4
 \`-- promise-all-reject-late@1.0.1
-
-
 `
 
 exports[`test/index.js TAP npm outdated > should have expected outdated output 1`] = `
 Package  Current  Wanted  Latest  Location             Depended by
 abbrev     1.0.4   1.1.1   1.1.1  node_modules/abbrev  project
-
 `
 
 exports[`test/index.js TAP npm pkg > should have expected npm pkg delete modified package.json result 1`] = `
@@ -546,7 +530,6 @@ exports[`test/index.js TAP npm pkg > should have expected pkg delete output 1`]
 
 exports[`test/index.js TAP npm pkg > should have expected pkg get output 1`] = `
 "ISC"
-
 `
 
 exports[`test/index.js TAP npm pkg > should have expected pkg set output 1`] = `
@@ -575,7 +558,6 @@ exports[`test/index.js TAP npm pkg > should print package.json contents 1`] = `
     ]
   }
 }
-
 `
 
 exports[`test/index.js TAP npm pkg set scripts > should have expected script added package.json result 1`] = `
@@ -607,16 +589,13 @@ exports[`test/index.js TAP npm pkg set scripts > should have expected set-script
 
 exports[`test/index.js TAP npm prefix > should have expected prefix output 1`] = `
 {CWD}/smoke-tests/test/tap-testdir-index/project
-
 `
 
 exports[`test/index.js TAP npm run-script > should have expected run-script output 1`] = `
-
 > project@1.0.0 hello
 > echo Hello
 
 Hello
-
 `
 
 exports[`test/index.js TAP npm uninstall > should have expected uninstall lockfile result 1`] = `
@@ -665,9 +644,7 @@ exports[`test/index.js TAP npm uninstall > should have expected uninstall packag
 `
 
 exports[`test/index.js TAP npm uninstall > should have expected uninstall reify output 1`] = `
-
 removed 1 package 
-
 `
 
 exports[`test/index.js TAP npm update dep > should have expected update lockfile result 1`] = `
@@ -731,16 +708,13 @@ exports[`test/index.js TAP npm update dep > should have expected update package.
 `
 
 exports[`test/index.js TAP npm update dep > should have expected update reify output 1`] = `
-
 changed 1 package 
 
 1 package is looking for funding
   run \`npm fund\` for details
-
 `
 
 exports[`test/index.js TAP npm view > should have expected view output 1`] = `
-
 abbrev@1.0.4 | MIT | deps: none | versions: 8
 Like ruby's abbrev module, but in js
 https://github.com/isaacs/abbrev-js#readme
@@ -760,5 +734,4 @@ dist-tags:
 latest: 1.1.1
 
 published over a year ago by isaacs <i@izs.me>
-
 `

workspaces/arborist/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [6.1.0](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0) (2022-10-26)
+
+### Features
+
+* [`3dd8d68`](https://github.com/npm/cli/commit/3dd8d68577817f65ea148629905acdee3a9b1902) [#5751](https://github.com/npm/cli/pull/5751) sort and quote yarn lock keys according to yarn rules (#5751) (@wraithgar, @shalvah)
+
+### Dependencies
+
+* [`de6618e`](https://github.com/npm/cli/commit/de6618e93182ba00b4be516db1efb3c51efa17ba) [#5757](https://github.com/npm/cli/pull/5757) `@npmcli/promise-spawn@5.0.0` (#5757)
+
 ## [6.0.0](https://github.com/npm/cli/compare/arborist-v6.0.0-pre.5...arborist-v6.0.0) (2022-10-19)
 
 ### Features

workspaces/arborist/lib/yarn-lock.js

@@ -7,9 +7,8 @@
 //     <key> <value>
 //
 // Assume that any key or value might be quoted, though that's only done
-// in practice if certain chars are in the string.  Quoting unnecessarily
-// does not cause problems for yarn, so that's what we do when we write
-// it back.
+// in practice if certain chars are in the string. When writing back, we follow
+// Yarn's rules for quoting, to cause minimal friction.
 //
 // The data format would support nested objects, but at this time, it
 // appears that yarn does not use that for anything, so in the interest
@@ -33,10 +32,44 @@ const consistentResolve = require('./consistent-resolve.js')
 const { dirname } = require('path')
 const { breadth } = require('treeverse')
 
+// Sort Yarn entries respecting the yarn.lock sort order
+const yarnEntryPriorities = {
+  name: 1,
+  version: 2,
+  uid: 3,
+  resolved: 4,
+  integrity: 5,
+  registry: 6,
+  dependencies: 7,
+}
+
+const priorityThenLocaleCompare = (a, b) => {
+  if (!yarnEntryPriorities[a] && !yarnEntryPriorities[b]) {
+    return localeCompare(a, b)
+  }
+  /* istanbul ignore next */
+  return (yarnEntryPriorities[a] || 100) > (yarnEntryPriorities[b] || 100) ? 1 : -1
+}
+
+const quoteIfNeeded = val => {
+  if (
+    typeof val === 'boolean' ||
+    typeof val === 'number' ||
+    val.startsWith('true') ||
+    val.startsWith('false') ||
+    /[:\s\n\\",[\]]/g.test(val) ||
+    !/^[a-zA-Z]/g.test(val)
+  ) {
+    return JSON.stringify(val)
+  }
+
+  return val
+}
+
 // sort a key/value object into a string of JSON stringified keys and vals
 const sortKV = obj => Object.keys(obj)
   .sort(localeCompare)
-  .map(k => `    ${JSON.stringify(k)} ${JSON.stringify(obj[k])}`)
+  .map(k => `    ${quoteIfNeeded(k)} ${quoteIfNeeded(obj[k])}`)
   .join('\n')
 
 // for checking against previous entries
@@ -171,7 +204,7 @@ class YarnLock {
   toString () {
     return prefix + [...new Set([...this.entries.values()])]
       .map(e => e.toString())
-      .sort(localeCompare).join('\n\n') + '\n'
+      .sort((a, b) => localeCompare(a.replace(/"/g, ''), b.replace(/"/g, ''))).join('\n\n') + '\n'
   }
 
   fromTree (tree) {
@@ -323,19 +356,14 @@ class YarnLockEntry {
     // sort objects to the bottom, then alphabetical
     return ([...this[_specs]]
       .sort(localeCompare)
-      .map(JSON.stringify).join(', ') +
+      .map(quoteIfNeeded).join(', ') +
       ':\n' +
       Object.getOwnPropertyNames(this)
         .filter(prop => this[prop] !== null)
-        .sort(
-          (a, b) =>
-          /* istanbul ignore next - sort call order is unpredictable */
-            (typeof this[a] === 'object') === (typeof this[b] === 'object')
-              ? localeCompare(a, b)
-              : typeof this[a] === 'object' ? 1 : -1)
+        .sort(priorityThenLocaleCompare)
         .map(prop =>
           typeof this[prop] !== 'object'
-            ? `  ${JSON.stringify(prop)} ${JSON.stringify(this[prop])}\n`
+            ? `  ${prop} ${prop === 'integrity' ? this[prop] : JSON.stringify(this[prop])}\n`
             : Object.keys(this[prop]).length === 0 ? ''
             : `  ${prop}:\n` + sortKV(this[prop]) + '\n')
         .join('')).trim()

workspaces/arborist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "6.0.0",
+  "version": "6.1.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",

workspaces/arborist/tap-snapshots/test/arborist/rebuild.js.test.cjs

@@ -26,8 +26,8 @@ Array [
       "version": "1.0.0",
     },
     "signal": null,
-    "stderr": "stderr\\n",
-    "stdout": "npm_package_dev\\n",
+    "stderr": "stderr",
+    "stdout": "npm_package_dev",
   },
   Object {
     "cmd": "node ../../env.js",
@@ -42,8 +42,8 @@ Array [
       "version": "1.0.0",
     },
     "signal": null,
-    "stderr": "stderr\\n",
-    "stdout": "npm_package_dev_optional\\n",
+    "stderr": "stderr",
+    "stdout": "npm_package_dev_optional",
   },
   Object {
     "cmd": "node ../../env.js",
@@ -58,11 +58,10 @@ Array [
       "version": "1.0.0",
     },
     "signal": null,
-    "stderr": "stderr\\n",
+    "stderr": "stderr",
     "stdout": String(
       npm_package_dev
       npm_package_optional
-      
     ),
   },
   Object {
@@ -81,8 +80,8 @@ Array [
       "version": "1.0.0",
     },
     "signal": null,
-    "stderr": "stderr\\n",
-    "stdout": "npm_package_optional\\n",
+    "stderr": "stderr",
+    "stdout": "npm_package_optional",
   },
 ]
 `

workspaces/arborist/tap-snapshots/test/arborist/reify.js.test.cjs

@@ -46619,15 +46619,15 @@ exports[`test/arborist/reify.js TAP update a yarn.lock file > updated yarn lock
 # yarn lockfile v1
 
 
-"abbrev@^1.1.1":
-  "integrity" "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
-  "resolved" "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz"
-  "version" "1.1.1"
+abbrev@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz"
+  integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==
 
-"mkdirp@^1.0.2":
-  "integrity" "sha512-N2REVrJ/X/jGPfit2d7zea2J1pf7EAR5chIUcfHffAZ7gmlam5U65sAm76+o4ntQbSRdTjYf7qZz3chuHlwXEA=="
-  "resolved" "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.2.tgz"
-  "version" "1.0.2"
+mkdirp@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.2.tgz"
+  integrity sha512-N2REVrJ/X/jGPfit2d7zea2J1pf7EAR5chIUcfHffAZ7gmlam5U65sAm76+o4ntQbSRdTjYf7qZz3chuHlwXEA==
 
 `
 

workspaces/arborist/test/fixtures/yarn-stuff/yarn.lock

@@ -3,6 +3,9 @@
 
 
 abbrev@^1.1.1, "pinned@npm:abbrev@1.1.1", "reg@npm:abbrev@^1.1.1":
+  meta: "this is not a priority entry"
+  alpha: "this is not a priority entry either"
+  beta: "this is not a priority entry either 2"
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/abbrev/-/abbrev-1.1.1.tgz#f8f2c887ad10bf67f634f005b6987fed3179aac8"
   integrity sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==

workspaces/arborist/test/yarn-lock.js

@@ -64,12 +64,12 @@ bar@foo:
 # yarn lockfile v1
 
 
-"bar@foo":
-  "version" "1.2.3"
+bar@foo:
+  version "1.2.3"
 
-"foo@bar":
-  "resolved" "https://registry.local/foo/-/foo-1.2.3.tgz"
-  "version" "1.2.3"
+foo@bar:
+  version "1.2.3"
+  resolved "https://registry.local/foo/-/foo-1.2.3.tgz"
 `)
   t.end()
 })

workspaces/libnpmdiff/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.0.1](https://github.com/npm/cli/compare/libnpmdiff-v5.0.0...libnpmdiff-v5.0.1) (2022-10-26)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0): `@npmcli/arborist@6.1.0`
+
 ## [5.0.0](https://github.com/npm/cli/compare/libnpmdiff-v5.0.0-pre.3...libnpmdiff-v5.0.0) (2022-10-19)
 
 ### Features

workspaces/libnpmdiff/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmdiff",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "The registry diff",
   "repository": {
     "type": "git",
@@ -47,7 +47,7 @@
     "tap": "^16.0.1"
   },
   "dependencies": {
-    "@npmcli/arborist": "^6.0.0",
+    "@npmcli/arborist": "^6.1.0",
     "@npmcli/disparity-colors": "^3.0.0",
     "@npmcli/installed-package-contents": "^2.0.0",
     "binary-extensions": "^2.2.0",

workspaces/libnpmexec/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.0.1](https://github.com/npm/cli/compare/libnpmexec-v5.0.0...libnpmexec-v5.0.1) (2022-10-26)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0): `@npmcli/arborist@6.1.0`
+
 ## [5.0.0](https://github.com/npm/cli/compare/libnpmexec-v5.0.0-pre.5...libnpmexec-v5.0.0) (2022-10-19)
 
 ### Features

workspaces/libnpmexec/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmexec",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "files": [
     "bin/",
     "lib/"
@@ -58,7 +58,7 @@
     "tap": "^16.0.1"
   },
   "dependencies": {
-    "@npmcli/arborist": "^6.0.0",
+    "@npmcli/arborist": "^6.1.0",
     "@npmcli/ci-detect": "^3.0.0",
     "@npmcli/run-script": "^5.0.0",
     "chalk": "^4.1.0",

workspaces/libnpmfund/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [4.0.1](https://github.com/npm/cli/compare/libnpmfund-v4.0.0...libnpmfund-v4.0.1) (2022-10-26)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0): `@npmcli/arborist@6.1.0`
+
 ## [4.0.0](https://github.com/npm/cli/compare/libnpmfund-v4.0.0-pre.5...libnpmfund-v4.0.0) (2022-10-19)
 
 ### Features

workspaces/libnpmfund/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmfund",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -46,7 +46,7 @@
     "tap": "^16.0.1"
   },
   "dependencies": {
-    "@npmcli/arborist": "^6.0.0"
+    "@npmcli/arborist": "^6.1.0"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"

workspaces/libnpmpack/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.0.1](https://github.com/npm/cli/compare/libnpmpack-v5.0.0...libnpmpack-v5.0.1) (2022-10-26)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/compare/arborist-v6.0.0...arborist-v6.1.0): `@npmcli/arborist@6.1.0`
+
 ## [5.0.0](https://github.com/npm/cli/compare/libnpmpack-v5.0.0-pre.4...libnpmpack-v5.0.0) (2022-10-19)
 
 ### Features

workspaces/libnpmpack/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmpack",
-  "version": "5.0.0",
+  "version": "5.0.1",
   "description": "Programmatic API for the bits behind npm pack",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
@@ -36,7 +36,7 @@
   "bugs": "https://github.com/npm/libnpmpack/issues",
   "homepage": "https://npmjs.com/package/libnpmpack",
   "dependencies": {
-    "@npmcli/arborist": "^6.0.0",
+    "@npmcli/arborist": "^6.1.0",
     "@npmcli/run-script": "^5.0.0",
     "npm-package-arg": "^10.0.0",
     "pacote": "^15.0.2"

workspaces/libnpmpublish/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [7.0.1](https://github.com/npm/cli/compare/libnpmpublish-v7.0.0...libnpmpublish-v7.0.1) (2022-10-26)
+
+### Dependencies
+
+* [Workspace](https://github.com/npm/cli/compare/libnpmpack-v5.0.0...libnpmpack-v5.0.1): `libnpmpack@5.0.1`
+
 ## [7.0.0](https://github.com/npm/cli/compare/libnpmpublish-v7.0.0-pre.4...libnpmpublish-v7.0.0) (2022-10-19)
 
 ### Features

workspaces/libnpmpublish/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libnpmpublish",
-  "version": "7.0.0",
+  "version": "7.0.1",
   "description": "Programmatic API for the bits behind npm publish and unpublish",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
@@ -26,7 +26,7 @@
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
     "@npmcli/template-oss": "4.6.2",
-    "libnpmpack": "^5.0.0",
+    "libnpmpack": "^5.0.1",
     "lodash.clonedeep": "^4.5.0",
     "nock": "^13.2.4",
     "tap": "^16.0.1"