Release: npm@6.10.0

.gitignore

@@ -21,3 +21,5 @@ npm-debug.log
 .jshintrc
 .eslintrc
 .nyc_output
+/test/npm_cache*
+/node_modules/.cache

.licensee.json

@@ -1,7 +1,12 @@
 {
-  "license": "(MIT OR BSD-2-Clause OR BSD-3-Clause OR Apache-2.0 OR ISC OR Unlicense OR CC-BY-3.0 OR CC0-1.0 OR Artistic-2.0)",
+  "licenses": {
+    "spdx": [
+      "CC-BY-3.0"
+    ],
+    "blueOak": "bronze"
+  },
   "corrections": true,
-  "whitelist": {
+  "packages": {
     "config-chain": "1.1.12",
     "cyclist": "0.2.2",
     "json-schema": "0.2.3",

.travis.yml

@@ -7,26 +7,24 @@ language: node_js
 matrix:
   include:
     # LTS is our most important target
-    - node_js: "10"
+    - node_js: "12"
       # DEPLOY_VERSION is used to set the couchapp setup mode for test/tap/registry.js
       # only gather coverage info for LTS
       env: DEPLOY_VERSION=testing COVERALLS_REPO_TOKEN="$COVERALLS_OPTIONAL_TOKEN"
       script:
         - "node . run tap-cover -- \"test/tap/*.js\""
         - "unset COVERALLS_REPO_TOKEN ; node . run tap -- \"test/broken-under-*/*.js\""
     # previous LTS is next most important
-    - node_js: "6"
-      env: DEPLOY_VERSION=testing
-    - node_js: "8"
-      env: DEPLOY_VERSION=testing
-    - node_js: "9"
-      env: DEPLOY_VERSION=testing
-    - node_js: "11"
+    - node_js: "10"
       env: DEPLOY_VERSION=testing
       script:
       - "npx standard"
       - "node . run licenses"
       - "node . run tap -- \"test/tap/*.js\" \"test/broken-under-nyc/*.js\""
+    - node_js: "8"
+      env: DEPLOY_VERSION=testing
+    - node_js: "6"
+      env: DEPLOY_VERSION=testing
 notifications:
     slack: npm-inc:kRqQjto7YbINqHPb1X6nS3g8
 cache:

AUTHORS

@@ -630,3 +630,14 @@ Amadou Sall <ahasall.dev@gmail.com>
 Chris Manson <mansona@users.noreply.github.com>
 vlasy <vlasy@users.noreply.github.com>
 Emilis Dambauskas (Tokenmill) <emilis.dambauskas@tokenmill.lt>
+George Czabania <george@mish.guru>
+Jonathan Underwood <junderwood@bitcoinbank.co.jp>
+Nick Graef <nicholas.a.graef@gmail.com>
+James George <jamesgeorge998001@gmail.com>
+John O'Sullivan <j.osullivan42@gmail.com>
+ossdev <ossdev@puresoftware.com>
+Raphael Goulais <raphael.goulais@f5c.fr>
+COURIER, CALEB [AG/1000] <caleb.courier@monsanto.com>
+CalebCourier <caleb.courier@monsanto.com>
+Florian Keller <florian.keller@wire.com>
+Sreeram Jayan <sreeram.jayan@cerner.com>

CHANGELOG.md

@@ -1,6 +1,149 @@
+## v6.10.0 (2019-07-03):
+
+### FEATURES
+
+* [`87fef4e35`](https://github.com/npm/cli/commit/87fef4e35)
+  [#176](https://github.com/npm/cli/pull/176) fix: Always return JSON for
+  outdated --json ([@sreeramjayan](https://github.com/sreeramjayan))
+* [`f101d44fc`](https://github.com/npm/cli/commit/f101d44fc)
+  [#203](https://github.com/npm/cli/pull/203) fix(unpublish): add space
+  after hyphen ([@ffflorian](https://github.com/ffflorian))
+* [`a4475de4c`](https://github.com/npm/cli/commit/a4475de4c)
+  [#202](https://github.com/npm/cli/pull/202) enable production flag for
+  npm audit ([@CalebCourier](https://github.com/CalebCourier))
+* [`d192904d0`](https://github.com/npm/cli/commit/d192904d0)
+  [#178](https://github.com/npm/cli/pull/178) fix: Return a value for
+  `view` when in silent mode
+  ([@stayradiated](https://github.com/stayradiated))
+* [`39d473adf`](https://github.com/npm/cli/commit/39d473adf)
+  [#185](https://github.com/npm/cli/pull/185) Allow git to follow global
+  tagsign config ([@junderw](https://github.com/junderw))
+
+### BUGFIXES
+
+* [`d9238af0b`](https://github.com/npm/cli/commit/d9238af0b)
+  [#201](https://github.com/npm/cli/pull/163)
+  [npm/npm#17858](https://github.com/npm/npm/issues/17858)
+  [npm/npm#18042](https://github.com/npm/npm/issues/18042)
+  [npm.community#644](https://npm.community/t/644) do not crash when
+  removing nameless packages
+  ([@SteveVanOpstal](https://github.com/SteveVanOpstal) and
+  [@isaacs](https://github.com/isaacs))
+* [`4bec4f111`](https://github.com/npm/cli/commit/4bec4f111)
+  [#200](https://github.com/npm/cli/pull/200) Check for `node` (as well as
+  `node.exe`) in npm's local dir on Windows
+  ([@rgoulais](https://github.com/rgoulais))
+* [`ce93dab2d`](https://github.com/npm/cli/commit/ce93dab2db423ef23b3e08a0612dafbeb2d25789)
+  [#180](https://github.com/npm/cli/pull/180)
+  [npm.community#6187](https://npm.community/t/6187) Fix handling of
+  `remote` deps in `npm outdated` ([@larsgw](https://github.com/larsgw))
+
+### TESTING
+
+* [`a823f3084`](https://github.com/npm/cli/commit/a823f3084) travis: Update
+  to include new v12 LTS ([@isaacs](https://github.com/isaacs))
+* [`33e2d1dac`](https://github.com/npm/cli/commit/33e2d1dac) fix flaky
+  debug-logs test ([@isaacs](https://github.com/isaacs))
+* [`e9411c6cd`](https://github.com/npm/cli/commit/e9411c6cd) Don't time out
+  waiting for gpg user input ([@isaacs](https://github.com/isaacs))
+* [`d2d301704`](https://github.com/npm/cli/commit/d2d301704)
+  [#195](https://github.com/npm/cli/pull/195) Add the arm64 check for
+  legacy-platform-all.js test case.
+  ([@ossdev07](https://github.com/ossdev07))
+* [`a4dc34243`](https://github.com/npm/cli/commit/a4dc34243) parallel tests
+  ([@isaacs](https://github.com/isaacs))
+
+### DOCUMENTATION
+
+* [`f5857e263`](https://github.com/npm/cli/commit/f5857e263)
+  [#192](https://github.com/npm/cli/pull/192) Clarify usage of
+  bundledDependencies
+  ([@john-osullivan](https://github.com/john-osullivan))
+* [`747fdaf66`](https://github.com/npm/cli/commit/747fdaf66)
+  [#159](https://github.com/npm/cli/pull/159) doc: add --audit-level param
+  ([@ngraef](https://github.com/ngraef))
+
+### DEPENDENCIES
+
+* [`e36b3c320`](https://github.com/npm/cli/commit/e36b3c320)
+  graceful-fs@4.2.0 ([@isaacs](https://github.com/isaacs))
+* [`6bb935c09`](https://github.com/npm/cli/commit/6bb935c09)
+  read-package-tree@5.3.1 ([@isaacs](https://github.com/isaacs))
+    * [`e9cd536`](https://github.com/npm/read-package-tree/commit/e9cd536)
+      Use custom caching `realpath` implementation, dramatically reducing
+      `lstat` calls when reading the package tree
+      ([@isaacs](https://github.com/isaacs))
+* [`39538b460`](https://github.com/npm/cli/commit/39538b460)
+  write-file-atomic@2.4.3 ([@isaacs](https://github.com/isaacs))
+    * [`f8b1552`](https://github.com/npm/write-file-atomic/commit/f8b1552)
+      [#38](https://github.com/npm/write-file-atomic/pull/38) Ignore errors
+      raised by `fs.closeSync` ([@lukeapage](https://github.com/lukeapage))
+* [`042193069`](https://github.com/npm/cli/commit/042193069) pacote@9.5.1
+  ([@isaacs](https://github.com/isaacs))
+    * [`8bbd051`](https://github.com/npm/pacote/commit/8bbd051)
+      [#172](https://github.com/zkat/pacote/pull/172) limit git retry
+      times, avoid unlimited retries ([小秦](https://github.com/xqin))
+    * [`92f5e4c`](https://github.com/npm/pacote/commit/92f5e4c)
+      [#170](https://github.com/zkat/pacote/pull/170) fix(errors): Fix
+      "TypeError: err.code.match is not a function" error
+      ([@jviotti](https://github.com/jviotti))
+* [`8bd8e909f`](https://github.com/npm/cli/commit/8bd8e909f) cacache@11.3.3
+  ([@isaacs](https://github.com/isaacs))
+    * [`47de8f5`](https://github.com/npm/cacache/commit/47de8f5)
+      [#146](https://github.com/zkat/cacache/pull/146)
+      [npm.community#2395](https://npm.community/t/2395) fix(config): Add
+      ssri config 'error' option ([@larsgw](https://github.com/larsgw))
+    * [`5156561`](https://github.com/npm/cacache/commit/5156561)
+      fix(write): avoid a `cb never called` situation
+      ([@zkat](https://github.com/zkat))
+    * [`90f40f0`](https://github.com/npm/cacache/commit/90f40f0)
+      [#166](https://github.com/zkat/cacache/pull/166)
+      [#165](https://github.com/zkat/cacache/issues/165) docs: Fix docs for
+      `path` property in get.info
+      ([@hdgarrood](https://github.com/hdgarrood))
+* [`bf61c45c6`](https://github.com/npm/cli/commit/bf61c45c6) bluebird@3.5.5
+  ([@isaacs](https://github.com/isaacs))
+* [`f75d46a9d`](https://github.com/npm/cli/commit/f75d46a9d) tar@4.4.10
+  ([@isaacs](https://github.com/isaacs))
+    * [`c80341a`](https://github.com/npm/node-tar/commit/c80341a)
+      [#215](https://github.com/npm/node-tar/pull/215) Fix
+      encoding/decoding of base-256 numbers
+      ([@justfalter](https://github.com/justfalter))
+    * [`77522f0`](https://github.com/npm/node-tar/commit/77522f0)
+      [#204](https://github.com/npm/node-tar/issues/204)
+      [#214](https://github.com/npm/node-tar/issues/214) Use `stat` instead
+      of `lstat` when checking CWD ([@stkb](https://github.com/stkb))
+* [`ec6236210`](https://github.com/npm/cli/commit/ec6236210)
+  npm-packlist@1.4.4 ([@isaacs](https://github.com/isaacs))
+    * [`63d1e3e`](https://github.com/npm/npm-packlist/commit/63d1e3e)
+      [#30](https://github.com/npm/npm-packlist/issues/30) Sort package
+      tarball entries by file type for compression benefits
+      ([@isaacs](https://github.com/isaacs))
+    * [`7fcd045`](https://github.com/npm/npm-packlist/commit/7fcd045)
+      Ignore `.DS_Store` files as well as folders
+      ([@isaacs](https://github.com/isaacs))
+    * [`68b7c96`](https://github.com/npm/npm-packlist/commit/68b7c96) Never
+      include .git folders in package root.  (Note: this prevents the issue
+      that broke the v6.9.1 release.)
+      ([@isaacs](https://github.com/isaacs))
+* [`57bef61bc`](https://github.com/npm/cli/commit/57bef61bc) update fstream
+  in node-gyp ([@isaacs](https://github.com/isaacs))
+    * Addresses [security advisory
+      #886](https://www.npmjs.com/advisories/886)
+* [`acbbf7eee`](https://github.com/npm/cli/commit/acbbf7eee)
+  [#183](https://github.com/npm/cli/pull/183) licensee@7.0.2
+  ([@kemitchell](https://github.com/kemitchell))
+* [`011ae67f0`](https://github.com/npm/cli/commit/011ae67f0)
+  readable-stream@3.3.0 ([@isaacs](https://github.com/isaacs))
+* [`f5e884909`](https://github.com/npm/cli/commit/f5e884909)
+  npm-registry-mock@1.2.1 ([@isaacs](https://github.com/isaacs))
+* [`b57d07e35`](https://github.com/npm/cli/commit/b57d07e35)
+  npm-registry-couchapp@2.7.2 ([@isaacs](https://github.com/isaacs))
+
 ## v6.9.2 (2019-06-27):
 
-This release is identical to v6.9.1, but we had to publish a new version due to [a .git directory in the release](https://npm.community/t/8454).
+This release is identical to v6.9.1, but we had to publish a new version
+due to [a .git directory in the release](https://npm.community/t/8454).
 
 ## v6.9.1 (2019-06-26):
 

bin/npm

@@ -8,6 +8,9 @@ case `uname` in
 esac
 
 NODE_EXE="$basedir/node.exe"
+if ! [ -x "$NODE_EXE" ]; then
+  NODE_EXE="$basedir/node"
+fi
 if ! [ -x "$NODE_EXE" ]; then
   NODE_EXE=node
 fi

doc/cli/npm-audit.md

@@ -3,8 +3,10 @@ npm-audit(1) -- Run a security audit
 
 ## SYNOPSIS
 
-    npm audit [--json|--parseable]
-    npm audit fix [--force|--package-lock-only|--dry-run|--production|--only=dev]
+    npm audit [--json|--parseable|--audit-level=(low|moderate|high|critical)]
+    npm audit fix [--force|--package-lock-only|--dry-run]
+
+    common options: [--production] [--only=(dev|prod)]
 
 ## EXAMPLES
 
@@ -60,6 +62,11 @@ To parse columns, you can use for example `awk`, and just print some of them:
 $ npm audit --parseable | awk -F $'\t' '{print $1,$4}'
 ```
 
+Fail an audit only if the results include a vulnerability with a level of moderate or higher:
+```
+$ npm audit --audit-level=moderate
+```
+
 ## DESCRIPTION
 
 The audit command submits a description of the dependencies configured in
@@ -75,6 +82,12 @@ runs a full-fledged `npm install` under the hood, all configs that apply to the
 installer will also apply to `npm install` -- so things like `npm audit fix
 --package-lock-only` will work as expected.
 
+By default, the audit command will exit with a non-zero code if any vulnerability
+is found. It may be useful in CI environments to include the `--audit-level` parameter
+to specify the minimum vulnerability level that will cause the command to fail. This
+option does not filter the report output, it simply changes the command's failure
+threshold.
+
 ## CONTENT SUBMITTED
 
 * npm_version

doc/files/package.json.md

@@ -648,7 +648,8 @@ If we define a package.json like this:
 we can obtain `awesome-web-framework-1.0.0.tgz` file by running `npm pack`.
 This file contains the dependencies `renderized` and `super-streams` which
 can be installed in a new project by executing `npm install
-awesome-web-framework-1.0.0.tgz`.
+awesome-web-framework-1.0.0.tgz`.  Note that the package names do not include
+any versions, as that information is specified in `dependencies`.
 
 If this is spelled `"bundleDependencies"`, then that is also honored.
 

lib/adduser.js

@@ -1,9 +1,9 @@
 module.exports = adduser
 
-var log = require('npmlog')
-var npm = require('./npm.js')
-var usage = require('./utils/usage')
-var crypto
+const log = require('npmlog')
+const npm = require('./npm.js')
+const usage = require('./utils/usage')
+let crypto
 
 try {
   crypto = require('crypto')
@@ -21,20 +21,21 @@ function adduser (args, cb) {
     ))
   }
 
-  var registry = npm.config.get('registry')
-  var scope = npm.config.get('scope')
-  var creds = npm.config.getCredentialsByURI(npm.config.get('registry'))
+  let registry = npm.config.get('registry')
+  const scope = npm.config.get('scope')
+  const creds = npm.config.getCredentialsByURI(npm.config.get('registry'))
 
   if (scope) {
-    var scopedRegistry = npm.config.get(scope + ':registry')
-    var cliRegistry = npm.config.get('registry', 'cli')
+    const scopedRegistry = npm.config.get(scope + ':registry')
+    const cliRegistry = npm.config.get('registry', 'cli')
     if (scopedRegistry && !cliRegistry) registry = scopedRegistry
   }
 
   log.disableProgress()
 
+  let auth
   try {
-    var auth = require('./auth/' + npm.config.get('auth-type'))
+    auth = require('./auth/' + npm.config.get('auth-type'))
   } catch (e) {
     return cb(new Error('no such auth module'))
   }

lib/audit.js

@@ -39,7 +39,7 @@ module.exports = auditCmd
 const usage = require('./utils/usage')
 auditCmd.usage = usage(
   'audit',
-  '\nnpm audit [--json]' +
+  '\nnpm audit [--json] [--production]' +
   '\nnpm audit fix ' +
   '[--force|--package-lock-only|--dry-run|--production|--only=(dev|prod)]'
 )
@@ -175,7 +175,7 @@ function auditCmd (args, cb) {
     const requires = Object.assign(
       {},
       (pkgJson && pkgJson.dependencies) || {},
-      (pkgJson && pkgJson.devDependencies) || {}
+      (!opts.production && pkgJson && pkgJson.devDependencies) || {}
     )
     return lockVerify(npm.prefix).then((result) => {
       if (result.status) return audit.generate(sw, requires)

lib/outdated.js

@@ -101,7 +101,10 @@ function outdated (args, silent, cb) {
         return aa[0].path.localeCompare(bb[0].path) ||
           aa[1].localeCompare(bb[1])
       })
-      if (er || silent || list.length === 0) return cb(er, list)
+      if (er || silent ||
+          (list.length === 0 && !opts.json)) {
+        return cb(er, list)
+      }
       if (opts.json) {
         output(makeJSON(list, opts))
       } else if (opts.parseable) {
@@ -129,7 +132,7 @@ function outdated (args, silent, cb) {
         }
         output(table(outTable, tableOpts))
       }
-      process.exitCode = 1
+      process.exitCode = list.length ? 1 : 0
       cb(null, list.map(function (item) { return [item[0].parent.path].concat(item.slice(1, 7)) }))
     })
   }))
@@ -366,6 +369,8 @@ function shouldUpdate (args, tree, dep, has, req, depth, pkgpath, opts, cb, type
     return doIt('git', 'git')
   } else if (parsed.type === 'file') {
     return updateLocalDeps()
+  } else if (parsed.type === 'remote') {
+    return doIt('remote', 'remote')
   } else {
     return packument(parsed, opts.concat({
       'prefer-online': true

lib/unbuild.js

@@ -58,7 +58,9 @@ function rmStuff (pkg, folder, cb) {
   // if it's global, and folder is in {prefix}/node_modules,
   // then bins are in {prefix}/bin
   // otherwise, then bins are in folder/../.bin
-  var parent = pkg.name[0] === '@' ? path.dirname(path.dirname(folder)) : path.dirname(folder)
+  var dir = path.dirname(folder)
+  var scope = path.basename(dir)
+  var parent = scope.charAt(0) === '@' ? path.dirname(dir) : dir
   var gnm = npm.dir
   // gnm might be an absolute path, parent might be relative
   // this checks they're the same directory regardless

lib/unpublish.js

@@ -99,7 +99,7 @@ function unpublish (args, cb) {
   }).then(
     ret => {
       if (!opts.silent && opts.loglevel !== 'silent') {
-        output(`-${spec.name}${
+        output(`- ${spec.name}${
           spec.type === 'version' ? `@${spec.rawSpec}` : ''
         }`)
       }

lib/version.js

@@ -301,7 +301,7 @@ function _commit (version, localData, cb) {
     ...(signCommit ? ['-S', '-m'] : ['-m']),
     message
   ])
-  const flagForTag = signTag ? '-sm' : '-am'
+  const flagForTag = signTag ? '-sm' : '-m'
 
   stagePackageFiles(localData, options).then(() => {
     return git.exec(commitArgs, options)