Skip to content

Commit

Permalink
deps: upgrade npm to 8.15.0
Browse files Browse the repository at this point in the history
PR-URL: #43917
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
  • Loading branch information
npm-cli-bot authored Jul 21, 2022
1 parent e119614 commit 81fe9a3
Show file tree
Hide file tree
Showing 48 changed files with 475 additions and 114 deletions.
57 changes: 49 additions & 8 deletions deps/npm/docs/content/commands/npm-audit.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,14 +43,55 @@ output, it simply changes the command's failure threshold.

### Audit Signatures

This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from. npm will attempt to download the keys from `/-/npm/v1/keys` on
each the registry used to download any given package. It will then
check the `dist.signatures` object in the package itself, and verify the
`sig` present there using the `keyid` there, matching it with a key
returned from the registry. The command for this is `npm audit
signatures`
To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.

Registry signatures can be verified using the following `audit` command:

```bash
$ npm audit signatures
```

The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:

1. Signatures are provided in the package's `packument` in each published version within the `dist` object:

```json
"dist":{
"..omitted..": "..omitted..",
"signatures": [{
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
}]
}
```

See this [example](https://registry.npmjs.org/light-cycle/1.4.3) of a signed package from the public npm registry.

The `sig` is generated using the following template: `${package.name}@${package.version}:${package.dist.integrity}` and the `keyid` has to match one of the public signing keys below.

2. Public signing keys are provided at `registry-host.tld/-/npm/v1/keys` in the following format:

```
{
"keys": [{
"expires": null,
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"keytype": "ecdsa-sha2-nistp256",
"scheme": "ecdsa-sha2-nistp256",
"key": "{{B64_PUBLIC_KEY}}"
}]
}
```

Keys response:

- `expires`: null or a simplified extended <a href="https://en.wikipedia.org/wiki/ISO_8601" target="_blank">ISO 8601 format</a>: `YYYY-MM-DDTHH:mm:ss.sssZ`
- `keydid`: sha256 fingerprint of the public key
- `keytype`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
- `scheme`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
- `key`: base64 encoded public key

See this <a href="https://registry.npmjs.org/-/npm/v1/keys" target="_blank">example key's response from the public npm registry</a>.

### Audit Endpoints

Expand Down
2 changes: 1 addition & 1 deletion deps/npm/docs/content/configuring-npm/folders.md
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ For a graphical breakdown of what is installed where, use `npm ls`.
#### Publishing
Upon publishing, npm will look in the `node_modules` folder. If any of
the items there are not in the `bundledDependencies` array, then they will
the items there are not in the `bundleDependencies` array, then they will
not be included in the package tarball.
This allows a package maintainer to install all of their dependencies
Expand Down
10 changes: 5 additions & 5 deletions deps/npm/docs/content/configuring-npm/package-json.md
Original file line number Diff line number Diff line change
Expand Up @@ -829,14 +829,14 @@ if the `soy-milk` package is not installed on the host. This allows you to
integrate and interact with a variety of host packages without requiring
all of them to be installed.

### bundledDependencies
### bundleDependencies

This defines an array of package names that will be bundled when publishing
the package.

In cases where you need to preserve npm packages locally or have them
available through a single file download, you can bundle the packages in a
tarball file by specifying the package names in the `bundledDependencies`
tarball file by specifying the package names in the `bundleDependencies`
array and executing `npm pack`.

For example:
Expand All @@ -847,7 +847,7 @@ If we define a package.json like this:
{
"name": "awesome-web-framework",
"version": "1.0.0",
"bundledDependencies": [
"bundleDependencies": [
"renderized",
"super-streams"
]
Expand All @@ -860,9 +860,9 @@ can be installed in a new project by executing `npm install
awesome-web-framework-1.0.0.tgz`. Note that the package names do not
include any versions, as that information is specified in `dependencies`.

If this is spelled `"bundleDependencies"`, then that is also honored.
If this is spelled `"bundledDependencies"`, then that is also honored.

Alternatively, `"bundledDependencies"` can be defined as a boolean value. A
Alternatively, `"bundleDependencies"` can be defined as a boolean value. A
value of `true` will bundle all dependencies, a value of `false` will bundle
none.

Expand Down
8 changes: 5 additions & 3 deletions deps/npm/docs/content/using-npm/config.md
Original file line number Diff line number Diff line change
Expand Up @@ -357,8 +357,9 @@ newlines replaced by the string "\n". For example:
cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
```

It is _not_ the path to a certificate file (and there is no "certfile"
option).
It is _not_ the path to a certificate file, though you can set a
registry-scoped "certfile" path like
"//other-registry.tld/:certfile=/path/to/cert.pem".

<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
Expand Down Expand Up @@ -946,7 +947,8 @@ format with newlines replaced by the string "\n". For example:
key="-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----"
```

It is _not_ the path to a key file (and there is no "keyfile" option).
It is _not_ the path to a key file, though you can set a registry-scoped
"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".

<!-- automatically generated, do not edit manually -->
<!-- see lib/utils/config/definitions.js -->
Expand Down
47 changes: 40 additions & 7 deletions deps/npm/docs/output/commands/npm-audit.html
Original file line number Diff line number Diff line change
Expand Up @@ -171,13 +171,46 @@ <h3 id="description">Description</h3>
will cause the command to fail. This option does not filter the report
output, it simply changes the command's failure threshold.</p>
<h3 id="audit-signatures">Audit Signatures</h3>
<p>This command can also audit the integrity values of the packages in your
tree against any signatures present in the registry they were downloaded
from. npm will attempt to download the keys from <code>/-/npm/v1/keys</code> on
each the registry used to download any given package. It will then
check the <code>dist.signatures</code> object in the package itself, and verify the
<code>sig</code> present there using the <code>keyid</code> there, matching it with a key
returned from the registry. The command for this is <code>npm audit signatures</code></p>
<p>To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.</p>
<p>Registry signatures can be verified using the following <code>audit</code> command:</p>
<pre lang="bash"><code>$ npm audit signatures
</code></pre>
<p>The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:</p>
<ol>
<li>Signatures are provided in the package's <code>packument</code> in each published version within the <code>dist</code> object:</li>
</ol>
<pre lang="json"><code>"dist":{
"..omitted..": "..omitted..",
"signatures": [{
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"sig": "a312b9c3cb4a1b693e8ebac5ee1ca9cc01f2661c14391917dcb111517f72370809..."
}]
}
</code></pre>
<p>See this <a href="https://registry.npmjs.org/light-cycle/1.4.3">example</a> of a signed package from the public npm registry.</p>
<p>The <code>sig</code> is generated using the following template: <code>${package.name}@${package.version}:${package.dist.integrity}</code> and the <code>keyid</code> has to match one of the public signing keys below.</p>
<ol start="2">
<li>Public signing keys are provided at <code>registry-host.tld/-/npm/v1/keys</code> in the following format:</li>
</ol>
<pre><code>{
"keys": [{
"expires": null,
"keyid": "SHA256:{{SHA256_PUBLIC_KEY}}",
"keytype": "ecdsa-sha2-nistp256",
"scheme": "ecdsa-sha2-nistp256",
"key": "{{B64_PUBLIC_KEY}}"
}]
}
</code></pre>
<p>Keys response:</p>
<ul>
<li><code>expires</code>: null or a simplified extended <!-- raw HTML omitted -->ISO 8601 format<!-- raw HTML omitted -->: <code>YYYY-MM-DDTHH:mm:ss.sssZ</code></li>
<li><code>keydid</code>: sha256 fingerprint of the public key</li>
<li><code>keytype</code>: only <code>ecdsa-sha2-nistp256</code> is currently supported by the npm CLI</li>
<li><code>scheme</code>: only <code>ecdsa-sha2-nistp256</code> is currently supported by the npm CLI</li>
<li><code>key</code>: base64 encoded public key</li>
</ul>
<p>See this <!-- raw HTML omitted -->example key's response from the public npm registry<!-- raw HTML omitted -->.</p>
<h3 id="audit-endpoints">Audit Endpoints</h3>
<p>There are two audit endpoints that npm may use to fetch vulnerability
information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/docs/output/commands/npm-ls.html
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ <h3 id="description">Description</h3>
the results to only the paths to the packages named. Note that nested
packages will <em>also</em> show the paths to the specified packages. For
example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
<pre lang="bash"><code>npm@8.14.0 /path/to/npm
<pre lang="bash"><code>npm@8.15.0 /path/to/npm
└─┬ [email protected]
└── [email protected]
</code></pre>
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/docs/output/commands/npm.html
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<h3 id="version">Version</h3>
<p>8.14.0</p>
<p>8.15.0</p>
<h3 id="description">Description</h3>
<p>npm is the package manager for the Node JavaScript platform. It puts
modules in place so that node can find them, and manages dependency
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/docs/output/configuring-npm/folders.html
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,7 @@ <h4 id="example">Example</h4>
<p>For a graphical breakdown of what is installed where, use <code>npm ls</code>.</p>
<h4 id="publishing">Publishing</h4>
<p>Upon publishing, npm will look in the <code>node_modules</code> folder. If any of
the items there are not in the <code>bundledDependencies</code> array, then they will
the items there are not in the <code>bundleDependencies</code> array, then they will
not be included in the package tarball.</p>
<p>This allows a package maintainer to install all of their dependencies
(and dev dependencies) locally, but only re-publish those items that
Expand Down
12 changes: 6 additions & 6 deletions deps/npm/docs/output/configuring-npm/package-json.html
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ <h1 id="packagejson">package.json</h1>

<section id="table_of_contents">
<h2 id="table-of-contents">Table of contents</h2>
<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#name">name</a></li><li><a href="#version">version</a></li><li><a href="#description2">description</a></li><li><a href="#keywords">keywords</a></li><li><a href="#homepage">homepage</a></li><li><a href="#bugs">bugs</a></li><li><a href="#license">license</a></li><li><a href="#people-fields-author-contributors">people fields: author, contributors</a></li><li><a href="#funding">funding</a></li><li><a href="#files">files</a></li><li><a href="#main">main</a></li><li><a href="#browser">browser</a></li><li><a href="#bin">bin</a></li><li><a href="#man">man</a></li><li><a href="#directories">directories</a></li><ul><li><a href="#directoriesbin">directories.bin</a></li><li><a href="#directoriesman">directories.man</a></li></ul><li><a href="#repository">repository</a></li><li><a href="#scripts">scripts</a></li><li><a href="#config">config</a></li><li><a href="#dependencies">dependencies</a></li><ul><li><a href="#urls-as-dependencies">URLs as Dependencies</a></li><li><a href="#git-urls-as-dependencies">Git URLs as Dependencies</a></li><li><a href="#github-urls">GitHub URLs</a></li><li><a href="#local-paths">Local Paths</a></li></ul><li><a href="#devdependencies">devDependencies</a></li><li><a href="#peerdependencies">peerDependencies</a></li><li><a href="#peerdependenciesmeta">peerDependenciesMeta</a></li><li><a href="#bundleddependencies">bundledDependencies</a></li><li><a href="#optionaldependencies">optionalDependencies</a></li><li><a href="#overrides">overrides</a></li><li><a href="#engines">engines</a></li><li><a href="#os">os</a></li><li><a href="#cpu">cpu</a></li><li><a href="#private">private</a></li><li><a href="#publishconfig">publishConfig</a></li><li><a href="#workspaces">workspaces</a></li><li><a href="#default-values">DEFAULT VALUES</a></li><li><a href="#see-also">SEE ALSO</a></li></ul></div>
<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#name">name</a></li><li><a href="#version">version</a></li><li><a href="#description2">description</a></li><li><a href="#keywords">keywords</a></li><li><a href="#homepage">homepage</a></li><li><a href="#bugs">bugs</a></li><li><a href="#license">license</a></li><li><a href="#people-fields-author-contributors">people fields: author, contributors</a></li><li><a href="#funding">funding</a></li><li><a href="#files">files</a></li><li><a href="#main">main</a></li><li><a href="#browser">browser</a></li><li><a href="#bin">bin</a></li><li><a href="#man">man</a></li><li><a href="#directories">directories</a></li><ul><li><a href="#directoriesbin">directories.bin</a></li><li><a href="#directoriesman">directories.man</a></li></ul><li><a href="#repository">repository</a></li><li><a href="#scripts">scripts</a></li><li><a href="#config">config</a></li><li><a href="#dependencies">dependencies</a></li><ul><li><a href="#urls-as-dependencies">URLs as Dependencies</a></li><li><a href="#git-urls-as-dependencies">Git URLs as Dependencies</a></li><li><a href="#github-urls">GitHub URLs</a></li><li><a href="#local-paths">Local Paths</a></li></ul><li><a href="#devdependencies">devDependencies</a></li><li><a href="#peerdependencies">peerDependencies</a></li><li><a href="#peerdependenciesmeta">peerDependenciesMeta</a></li><li><a href="#bundledependencies">bundleDependencies</a></li><li><a href="#optionaldependencies">optionalDependencies</a></li><li><a href="#overrides">overrides</a></li><li><a href="#engines">engines</a></li><li><a href="#os">os</a></li><li><a href="#cpu">cpu</a></li><li><a href="#private">private</a></li><li><a href="#publishconfig">publishConfig</a></li><li><a href="#workspaces">workspaces</a></li><li><a href="#default-values">DEFAULT VALUES</a></li><li><a href="#see-also">SEE ALSO</a></li></ul></div>
</section>

<div id="_content"><h3 id="description">Description</h3>
Expand Down Expand Up @@ -772,19 +772,19 @@ <h3 id="peerdependenciesmeta">peerDependenciesMeta</h3>
if the <code>soy-milk</code> package is not installed on the host. This allows you to
integrate and interact with a variety of host packages without requiring
all of them to be installed.</p>
<h3 id="bundleddependencies">bundledDependencies</h3>
<h3 id="bundledependencies">bundleDependencies</h3>
<p>This defines an array of package names that will be bundled when publishing
the package.</p>
<p>In cases where you need to preserve npm packages locally or have them
available through a single file download, you can bundle the packages in a
tarball file by specifying the package names in the <code>bundledDependencies</code>
tarball file by specifying the package names in the <code>bundleDependencies</code>
array and executing <code>npm pack</code>.</p>
<p>For example:</p>
<p>If we define a package.json like this:</p>
<pre lang="json"><code>{
"name": "awesome-web-framework",
"version": "1.0.0",
"bundledDependencies": [
"bundleDependencies": [
"renderized",
"super-streams"
]
Expand All @@ -794,8 +794,8 @@ <h3 id="bundleddependencies">bundledDependencies</h3>
This file contains the dependencies <code>renderized</code> and <code>super-streams</code> which
can be installed in a new project by executing <code>npm install awesome-web-framework-1.0.0.tgz</code>. Note that the package names do not
include any versions, as that information is specified in <code>dependencies</code>.</p>
<p>If this is spelled <code>"bundleDependencies"</code>, then that is also honored.</p>
<p>Alternatively, <code>"bundledDependencies"</code> can be defined as a boolean value. A
<p>If this is spelled <code>"bundledDependencies"</code>, then that is also honored.</p>
<p>Alternatively, <code>"bundleDependencies"</code> can be defined as a boolean value. A
value of <code>true</code> will bundle all dependencies, a value of <code>false</code> will bundle
none.</p>
<h3 id="optionaldependencies">optionalDependencies</h3>
Expand Down
8 changes: 5 additions & 3 deletions deps/npm/docs/output/using-npm/config.html
Original file line number Diff line number Diff line change
Expand Up @@ -428,8 +428,9 @@ <h4 id="cert"><code>cert</code></h4>
newlines replaced by the string "\n". For example:</p>
<pre lang="ini"><code>cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
</code></pre>
<p>It is <em>not</em> the path to a certificate file (and there is no "certfile"
option).</p>
<p>It is <em>not</em> the path to a certificate file, though you can set a
registry-scoped "certfile" path like
"//other-registry.tld/:certfile=/path/to/cert.pem".</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<h4 id="ci-name"><code>ci-name</code></h4>
Expand Down Expand Up @@ -907,7 +908,8 @@ <h4 id="key"><code>key</code></h4>
format with newlines replaced by the string "\n". For example:</p>
<pre lang="ini"><code>key="-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----"
</code></pre>
<p>It is <em>not</em> the path to a key file (and there is no "keyfile" option).</p>
<p>It is <em>not</em> the path to a key file, though you can set a registry-scoped
"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".</p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<h4 id="legacy-bundling"><code>legacy-bundling</code></h4>
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/auth/sso.js
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ const login = async (npm, { creds, registry, scope }) => {
authType: ssoType,
}

const { token, sso } = await otplease(opts,
const { token, sso } = await otplease(npm, opts,
opts => profile.loginCouch(auth.username, auth.password, opts)
)

Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/access.js
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@ class Access extends BaseCommand {

modifyPackage (pkg, opts, fn, requireScope = true) {
return this.getPackage(pkg, requireScope)
.then(pkgName => otplease(opts, opts => fn(pkgName, opts)))
.then(pkgName => otplease(this.npm, opts, opts => fn(pkgName, opts)))
}

async getPackage (name, requireScope) {
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/adduser.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ class AddUser extends BaseCommand {
log.disableProgress()

log.warn('adduser',
'`adduser` will be split into `login` and `register in a future version.'
'`adduser` will be split into `login` and `register` in a future version.'
+ ' `adduser` will become an alias of `register`.'
+ ' `login` (currently an alias) will become its own command.')
log.notice('', `Log in on ${replaceInfo(registry)}`)
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/deprecate.js
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ class Deprecate extends BaseCommand {
packument.versions[v].deprecated = msg
})

return otplease(this.npm.flatOptions, opts => fetch(uri, {
return otplease(this.npm, this.npm.flatOptions, opts => fetch(uri, {
...opts,
spec: p,
method: 'PUT',
Expand Down
4 changes: 2 additions & 2 deletions deps/npm/lib/commands/dist-tag.js
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ class DistTag extends BaseCommand {
},
spec,
}
await otplease(reqOpts, reqOpts => regFetch(url, reqOpts))
await otplease(this.npm, reqOpts, reqOpts => regFetch(url, reqOpts))
this.npm.output(`+${t}: ${spec.name}@${version}`)
}

Expand All @@ -142,7 +142,7 @@ class DistTag extends BaseCommand {
method: 'DELETE',
spec,
}
await otplease(reqOpts, reqOpts => regFetch(url, reqOpts))
await otplease(this.npm, reqOpts, reqOpts => regFetch(url, reqOpts))
this.npm.output(`-${tag}: ${spec.name}@${version}`)
}

Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/hook.js
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ class Hook extends BaseCommand {
static ignoreImplicitWorkspace = true

async exec (args) {
return otplease({
return otplease(this.npm, {
...this.npm.flatOptions,
}, (opts) => {
switch (args[0]) {
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/org.js
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ class Org extends BaseCommand {
}

async exec ([cmd, orgname, username, role], cb) {
return otplease({
return otplease(this.npm, {
...this.npm.flatOptions,
}, opts => {
switch (cmd) {
Expand Down
2 changes: 1 addition & 1 deletion deps/npm/lib/commands/owner.js
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ class Owner extends BaseCommand {

const dataPath = `/${spec.escapedName}/-rev/${encodeURIComponent(data._rev)}`
try {
const res = await otplease(this.npm.flatOptions, opts => {
const res = await otplease(this.npm, this.npm.flatOptions, opts => {
return npmFetch.json(dataPath, {
...opts,
method: 'PUT',
Expand Down
Loading

0 comments on commit 81fe9a3

Please sign in to comment.