Merge remote-tracking branch 'ry/v0.10'

Conflicts:
	AUTHORS
	ChangeLog
	lib/dgram.js
	lib/http.js
	src/node_crypto.cc
	src/node_version.h

ChangeLog

@@ -214,6 +214,25 @@
 * console: `console.dir()` bypasses inspect() methods (Nathan Rajlich)
 
 
+2013.08.16, Version 0.10.16 (Stable), 50b4c905a4425430ae54db4906f88982309e128d
+
+* v8: back-port fix for CVE-2013-2882
+
+* npm: Upgrade to 1.3.8
+
+* crypto: fix assert() on malformed hex input (Ben Noordhuis)
+
+* crypto: fix memory leak in randomBytes() error path (Ben Noordhuis)
+
+* events: fix memory leak, don't leak event names (Ben Noordhuis)
+
+* http: Handle hex/base64 encodings properly (isaacs)
+
+* http: improve chunked res.write(buf) performance (Ben Noordhuis)
+
+* stream: Fix double pipe error emit (Eran Hammer)
+
+
 2013.07.25, Version 0.10.15 (Stable), 2426d65af860bda7be9f0832a99601cc43c6cf63
 
 * src: fix process.getuid() return value (Ben Noordhuis)

deps/npm/.npmignore

@@ -10,6 +10,7 @@ npm-debug.log
 node_modules/ronn
 node_modules/tap
 node_modules/.bin
+node_modules/npm-registry-mock
 /npmrc
 /release/
 

deps/npm/LICENSE

@@ -1,7 +1,7 @@
 Copyright (c) Isaac Z. Schlueter
 All rights reserved.
 
-npm is released under the Artistic 2.0 License.
+npm is released under the Artistic License 2.0.
 The text of the License follows:
 
 
@@ -119,15 +119,15 @@ you do at least ONE of the following:
     make the Source form of the Modified Version available to others
     under
 
-	(i)  the Original License or
+        (i)  the Original License or
 
-	(ii)  a license that permits the licensee to freely copy,
-	modify and redistribute the Modified Version using the same
-	licensing terms that apply to the copy that the licensee
-	received, and requires that the Source form of the Modified
-	Version, and of any works derived from it, be made freely
-	available in that license fees are prohibited but Distributor
-	Fees are allowed.
+        (ii)  a license that permits the licensee to freely copy,
+        modify and redistribute the Modified Version using the same
+        licensing terms that apply to the copy that the licensee
+        received, and requires that the Source form of the Modified
+        Version, and of any works derived from it, be made freely
+        available in that license fees are prohibited but Distributor
+        Fees are allowed.
 
 
 Distribution of Compiled Forms of the Standard Version

deps/npm/README.md

@@ -234,6 +234,6 @@ will no doubt tell you to put the output in a gist or email.
 ## SEE ALSO
 
 * npm(1)
-* npm-faq(1)
+* npm-faq(7)
 * npm-help(1)
-* npm-index(1)
+* npm-index(7)

deps/npm/doc/api/npm.md

@@ -4,7 +4,7 @@ npm(3) -- node package manager
 ## SYNOPSIS
 
     var npm = require("npm")
-    npm.load([configObject,] function (er, npm) {
+    npm.load([configObject], function (er, npm) {
       // use the npm object, now that it's loaded.
 
       npm.config.set(key, val)

deps/npm/doc/api/repo.md

@@ -0,0 +1,19 @@
+npm-repo(3) -- Open package repository page in the browser
+========================================================
+
+## SYNOPSIS
+
+    npm.commands.repo(package, callback)
+
+## DESCRIPTION
+
+This command tries to guess at the likely location of a package's
+repository URL, and then tries to open it using the `--browser`
+config param.
+
+Like other commands, the first parameter is an array. This command only
+uses the first element, which is expected to be a package name with an
+optional version number.
+
+This command will launch a browser, so this command may not be the most
+friendly for programmatic use.

deps/npm/doc/cli/npm-link.md

@@ -16,7 +16,7 @@ symbolic link from `prefix/package-name` to the current folder.
 Next, in some other location, `npm link package-name` will create a
 symlink from the local `node_modules` folder to the global symlink.
 
-Note that `package-name` is taken from `package.json` ,
+Note that `package-name` is taken from `package.json`,
 not from directory name.
 
 When creating tarballs for `npm publish`, the linked packages are

deps/npm/doc/cli/npm-version.md

@@ -42,4 +42,4 @@ in your git config for this to work properly.  For example:
 
 * npm-init(1)
 * package.json(5)
-* npm-semver(7)
+* semver(7)

deps/npm/doc/cli/repo.md

@@ -0,0 +1,26 @@
+npm-repo(1) -- Open package repository page in the browser
+========================================================
+
+## SYNOPSIS
+
+    npm repo <pkgname>
+
+## DESCRIPTION
+
+This command tries to guess at the likely location of a package's
+repository URL, and then tries to open it using the `--browser`
+config param.
+
+## CONFIGURATION
+
+### browser
+
+* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Type: String
+
+The browser that is called by the `npm repo` command to open websites.
+
+## SEE ALSO
+
+* npm-docs(1)
+* npm-config(1)

deps/npm/doc/files/package.json.md

@@ -68,18 +68,7 @@ Version must be parseable by
 [node-semver](https://github.com/isaacs/node-semver), which is bundled
 with npm as a dependency.  (`npm install semver` to use it yourself.)
 
-Here's how npm's semver implementation deviates from what's on semver.org:
-
-* Versions can start with "v"
-* A numeric item separated from the main three-number version by a hyphen
-  will be interpreted as a "build" number, and will *increase* the version.
-  But, if the tag is not a number separated by a hyphen, then it's treated
-  as a pre-release tag, and is *less than* the version without a tag.
-  So, `0.1.2-7 > 0.1.2-7-beta > 0.1.2-6 > 0.1.2 > 0.1.2beta`
-
-This is a little bit confusing to explain, but matches what you see in practice
-when people create tags in git like "v1.2.3" and then do "git describe" to generate
-a patch version.
+More on version numbers and ranges at semver(7).
 
 ## description
 
@@ -335,24 +324,23 @@ configs.
 
 ## dependencies
 
-Dependencies are specified with a simple hash of package name to version
-range. The version range is EITHER a string which has one or more
-space-separated descriptors, OR a range like "fromVersion - toVersion"
+Dependencies are specified with a simple hash of package name to
+version range. The version range is a string which has one or more
+space-separated descriptors.  Dependencies can also be identified with
+a tarball or git URL.
 
-**Please do not put test harnesses in your `dependencies` hash.**  See
-`devDependencies`, below.
+**Please do not put test harnesses or transpilers in your
+`dependencies` hash.**  See `devDependencies`, below.
 
-Version range descriptors may be any of the following styles, where "version"
-is a semver compatible version identifier.
+See semver(7) for more details about specifying version ranges.
 
 * `version` Must match `version` exactly
-* `=version` Same as just `version`
 * `>version` Must be greater than `version`
 * `>=version` etc
 * `<version`
 * `<=version`
-* `~version` See 'Tilde Version Ranges' below
-* `1.2.x` See 'X Version Ranges' below
+* `~version` "Approximately equivalent to version"  See semver(7)
+* `1.2.x` 1.2.0, 1.2.1, etc., but not 1.3.0
 * `http://...` See 'URLs as Dependencies' below
 * `*` Matches any version
 * `""` (just an empty string) Same as `*`
@@ -376,40 +364,9 @@ For example, these are all valid:
       }
     }
 
-### Tilde Version Ranges
-
-A range specifier starting with a tilde `~` character is matched against
-a version in the following fashion.
-
-* The version must be at least as high as the range.
-* The version must be less than the next major revision above the range.
-
-For example, the following are equivalent:
-
-* `"~1.2.3" = ">=1.2.3 <1.3.0"`
-* `"~1.2" = ">=1.2.0 <1.3.0"`
-* `"~1" = ">=1.0.0 <1.1.0"`
-
-### X Version Ranges
-
-An "x" in a version range specifies that the version number must start
-with the supplied digits, but any digit may be used in place of the x.
-
-The following are equivalent:
-
-* `"1.2.x" = ">=1.2.0 <1.3.0"`
-* `"1.x.x" = ">=1.0.0 <2.0.0"`
-* `"1.2" = "1.2.x"`
-* `"1.x" = "1.x.x"`
-* `"1" = "1.x.x"`
-
-You may not supply a comparator with a version containing an x.  Any
-digits after the first "x" are ignored.
-
 ### URLs as Dependencies
 
-Starting with npm version 0.2.14, you may specify a tarball URL in place
-of a version range.
+You may specify a tarball URL in place of a version range.
 
 This tarball will be downloaded and installed locally to your package at
 install time.
@@ -436,11 +393,35 @@ the external test or documentation framework that you use.
 In this case, it's best to list these additional items in a
 `devDependencies` hash.
 
-These things will be installed whenever the `--dev` configuration flag
-is set.  This flag is set automatically when doing `npm link` or when doing
-`npm install` from the root of a package, and can be managed like any other npm
+These things will be installed when doing `npm link` or `npm install`
+from the root of a package, and can be managed like any other npm
 configuration param.  See `npm-config(7)` for more on the topic.
 
+For build steps that are not platform-specific, such as compiling
+CoffeeScript or other languages to JavaScript, use the `prepublish`
+script to do this, and make the required package a devDependency.
+
+For example:
+
+```json
+{ "name": "ethopia-waza",
+  "description": "a delightfully fruity coffee varietal",
+  "version": "1.2.3",
+  "devDependencies": {
+    "coffee-script": "~1.6.3"
+  },
+  "scripts": {
+    "prepublish": "coffee -o lib/ -c src/waza.coffee"
+  },
+  "main": "lib/waza.js"
+}
+```
+
+The `prepublish` script will be run before publishing, so that users
+can consume the functionality without requiring them to compile it
+themselves.  In dev mode (ie, locally running `npm install`), it'll
+run this script as well, so that you can test it easily.
+
 ## bundledDependencies
 
 Array of package names that will be bundled when publishing the package.
@@ -481,7 +462,7 @@ Entries in `optionalDependencies` will override entries of the same name in
 
 You can specify the version of node that your stuff works on:
 
-    { "engines" : { "node" : ">=0.1.27 <0.1.30" } }
+    { "engines" : { "node" : ">=0.10.3 <0.12" } }
 
 And, like with dependencies, if you don't specify the version (or if you
 specify "\*" as the version), then any version of node will do.
@@ -576,7 +557,7 @@ overridden.
 
 ## SEE ALSO
 
-* npm-semver(7)
+* semver(7)
 * npm-init(1)
 * npm-version(1)
 * npm-config(1)

deps/npm/doc/misc/npm-index.md

@@ -191,6 +191,10 @@ View registry info
 
 Display npm username
 
+## repo(1)
+
+Open package repository page in the browser
+
 # API Documentation
 
 ## npm(3)
@@ -345,6 +349,10 @@ View registry info
 
 Display npm username
 
+## repo(3)
+
+Open package repository page in the browser
+
 # Files
 
 ## npm-folders(5)

deps/npm/doc/misc/npm-registry.md

@@ -53,33 +53,8 @@ otherwise.
 
 ## Do I have to use couchdb to build a registry that npm can talk to?
 
-No, but it's way easier.
-
-## I published something elsewhere, and want to tell the npm registry about it.
-
-That is supported, but not using the npm client.  You'll have to get
-your hands dirty and do some HTTP.  The request looks something like
-this:
-
-    PUT /my-foreign-package
-    content-type:application/json
-    accept:application/json
-    authorization:Basic $base_64_encoded
-
-    { "name":"my-foreign-package"
-    , "maintainers":["owner","usernames"]
-    , "description":"A package that is hosted elsewhere"
-    , "keywords":["nih","my cheese smells the best"]
-    , "url":"http://my-different-registry.com/blerg/my-local-package"
-    }
-
-(Keywords and description are optional, but recommended.  Name,
-maintainers, and url are required.)
-
-Then, when a user tries to install "my-foreign-package", it'll redirect
-to your registry.  If that doesn't resolve to a valid package entry,
-then it'll fail, so please make sure that you understand the spec, and
-ask for help on the <[email protected]> mailing list.
+No, but it's way easier.  Basically, yes, you do, or you have to
+effectively implement the entire CouchDB API anyway.
 
 ## Is there a website or something to see package docs and such?
 

deps/npm/doc/misc/npm-scripts.md

@@ -33,7 +33,7 @@ following scripts:
   Run by the `npm restart` command. Note: `npm restart` will run the
   stop and start scripts if no `restart` script is provided.
 
-Additionally, arbitrary scrips can be run by doing
+Additionally, arbitrary scripts can be run by doing
 `npm run-script <stage> <pkg>`.
 
 ## NOTE: INSTALL SCRIPTS ARE AN ANTIPATTERN

deps/npm/html/doc/README.html

@@ -238,9 +238,9 @@ <h2 id="BUGS">BUGS</h2>
 
 <h2 id="SEE-ALSO">SEE ALSO</h2>
 
-<ul><li><a href="cli/npm.html">npm(1)</a></li><li><a href="cli/npm-faq.html">npm-faq(1)</a></li><li><a href="cli/npm-help.html">npm-help(1)</a></li><li><a href="cli/npm-index.html">npm-index(1)</a></li></ul>
+<ul><li><a href="cli/npm.html">npm(1)</a></li><li><a href="misc/npm-faq.html">npm-faq(7)</a></li><li><a href="cli/npm-help.html">npm-help(1)</a></li><li><a href="misc/npm-index.html">npm-index(7)</a></li></ul>
 </div>
-<p id="footer"><a href="../doc/README.html">README</a> &mdash; [email protected].6</p>
+<p id="footer"><a href="../doc/README.html">README</a> &mdash; [email protected].8</p>
 <script>
 ;(function () {
 var wrapper = document.getElementById("wrapper")

deps/npm/html/doc/api/npm-bin.html

@@ -19,7 +19,7 @@ <h2 id="DESCRIPTION">DESCRIPTION</h2>
 <p>This function should not be used programmatically.  Instead, just refer
 to the <code>npm.bin</code> member.</p>
 </div>
-<p id="footer">npm-bin &mdash; [email protected].6</p>
+<p id="footer">npm-bin &mdash; [email protected].8</p>
 <script>
 ;(function () {
 var wrapper = document.getElementById("wrapper")

deps/npm/html/doc/api/npm-bugs.html

@@ -25,7 +25,7 @@ <h2 id="DESCRIPTION">DESCRIPTION</h2>
 <p>This command will launch a browser, so this command may not be the most
 friendly for programmatic use.</p>
 </div>
-<p id="footer">npm-bugs &mdash; [email protected].6</p>
+<p id="footer">npm-bugs &mdash; [email protected].8</p>
 <script>
 ;(function () {
 var wrapper = document.getElementById("wrapper")