diff --git a/deps/npm/docs/content/commands/npm-run-script.md b/deps/npm/docs/content/commands/npm-run-script.md index d94040f1a215d1..f606ec6bf59e5e 100644 --- a/deps/npm/docs/content/commands/npm-run-script.md +++ b/deps/npm/docs/content/commands/npm-run-script.md @@ -240,6 +240,21 @@ will *not* run any pre- or post-scripts. +#### `foreground-scripts` + +* Default: false +* Type: Boolean + +Run all build scripts (ie, `preinstall`, `install`, and `postinstall`) +scripts for installed packages in the foreground process, sharing standard +input, output, and error with the main npm process. + +Note that this will generally make installs run slower, and be much noisier, +but can be useful for debugging. + + + + #### `script-shell` * Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html index 4363442ef3dab0..07deb2d490fc1f 100644 --- a/deps/npm/docs/output/commands/npm-ls.html +++ b/deps/npm/docs/output/commands/npm-ls.html @@ -166,7 +166,7 @@
npm ls promzard
in npm's source tree will show:
-npm@8.13.1 /path/to/npm
+npm@8.13.2 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
diff --git a/deps/npm/docs/output/commands/npm-run-script.html b/deps/npm/docs/output/commands/npm-run-script.html
index d74acb05644c68..5b1150cf4b9b3f 100644
--- a/deps/npm/docs/output/commands/npm-run-script.html
+++ b/deps/npm/docs/output/commands/npm-run-script.html
@@ -142,7 +142,7 @@ npm-run-script
Table of contents
-
+
Synopsis
@@ -319,6 +319,18 @@ ignore-scripts
will not run any pre- or post-scripts.
+foreground-scripts
+
+- Default: false
+- Type: Boolean
+
+Run all build scripts (ie, preinstall
, install
, and postinstall
)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process.
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging.
+
+
script-shell
- Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index c7b7dd5dc7a046..9a0446af631e4f 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -149,7 +149,7 @@ Table of contents
Version
-8.13.1
+8.13.2
Description
npm is the package manager for the Node JavaScript platform. It puts
modules in place so that node can find them, and manages dependency
diff --git a/deps/npm/lib/commands/run-script.js b/deps/npm/lib/commands/run-script.js
index a1591c7900b446..8507dbe79a90e8 100644
--- a/deps/npm/lib/commands/run-script.js
+++ b/deps/npm/lib/commands/run-script.js
@@ -35,6 +35,7 @@ class RunScript extends BaseCommand {
'include-workspace-root',
'if-present',
'ignore-scripts',
+ 'foreground-scripts',
'script-shell',
]
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index a24c524909f9ff..5a78c46a6e6da4 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -26,7 +26,7 @@ example, running \fBnpm ls promzard\fP in npm's source tree will show:
.P
.RS 2
.nf
-npm@8\.13\.1 /path/to/npm
+npm@8\.13\.2 /path/to/npm
└─┬ init\-package\-json@0\.0\.4
└── promzard@0\.1\.5
.fi
diff --git a/deps/npm/man/man1/npm-run-script.1 b/deps/npm/man/man1/npm-run-script.1
index c9dc22f4eb6bd4..c9c2925ff121ed 100644
--- a/deps/npm/man/man1/npm-run-script.1
+++ b/deps/npm/man/man1/npm-run-script.1
@@ -246,6 +246,21 @@ Note that commands explicitly intended to run a particular script, such as
\fBnpm start\fP, \fBnpm stop\fP, \fBnpm restart\fP, \fBnpm test\fP, and \fBnpm run\-script\fP
will still run their intended script if \fBignore\-scripts\fP is set, but they
will \fInot\fR run any pre\- or post\-scripts\.
+.SS \fBforeground\-scripts\fP
+.RS 0
+.IP \(bu 2
+Default: false
+.IP \(bu 2
+Type: Boolean
+
+.RE
+.P
+Run all build scripts (ie, \fBpreinstall\fP, \fBinstall\fP, and \fBpostinstall\fP)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process\.
+.P
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging\.
.SS \fBscript\-shell\fP
.RS 0
.IP \(bu 2
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index a26c713a11000f..1e2c15ebae15a8 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -4,7 +4,7 @@
.SS Synopsis
.SS Version
.P
-8\.13\.1
+8\.13\.2
.SS Description
.P
npm is the package manager for the Node JavaScript platform\. It puts
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index d30838e7384f62..1f479a90dd999f 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -166,8 +166,8 @@ class Advisory {
// we can try to be a *little* smarter up front by doing x-y for all
// contiguous version sets in the list
const ranges = []
- this.versions = semver.sort(this.versions)
- this.vulnerableVersions = semver.sort(this.vulnerableVersions)
+ this.versions = semver.sort(this.versions, semverOpt)
+ this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt)
for (let v = 0, vulnVer = 0; v < this.versions.length; v++) {
// figure out the vulnerable subrange
const vr = [this.versions[v]]
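Review bot: Both `semver.sort` calls now receive `semverOpt`, but nothing near them records why, and `semverOpt` itself is defined outside this hunk. If it enables loose parsing, a short comment such as `// sort with the same semver options used elsewhere in this class, so versions that only parse loosely are handled consistently` would keep the reason next to the code. Since this ordering feeds the vulnerable-range calculation, a regression test with a version string that is only valid in loose mode would also be worth adding. The enclosing method starts and ends outside the hunk.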
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
index 2c04e0fd420bfd..2e7209ffc7da0e 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/metavuln-calculator",
- "version": "3.1.0",
+ "version": "3.1.1",
"main": "lib/index.js",
"files": [
"bin/",
@@ -33,7 +33,7 @@
},
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
- "@npmcli/template-oss": "3.2.0",
+ "@npmcli/template-oss": "3.5.0",
"require-inject": "^1.4.4",
"tap": "^16.0.1"
},
@@ -48,6 +48,6 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "3.2.0"
+ "version": "3.5.0"
}
}
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
index 5254be24bf7ab8..3c574371bcf94e 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
@@ -65,7 +65,13 @@ const sh = (input) => {
return result
}
+// disabling the no-control-regex rule for this line as we very specifically _do_ want to
+// replace those characters if they somehow exist at this point, which is highly unlikely
+// eslint-disable-next-line no-control-regex
+const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x31]/g, '')
+
module.exports = {
cmd,
sh,
+ filename,
}
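Review bot: The character class in `filename` ends at `\x31`, which is the digit `1` rather than the last control character, so `\x00-\x31` also deletes spaces, `-`, `.`, `#` and the digits `0` and `1`. The lint rule being disabled is no-control-regex and control characters end at `\x1f` (decimal 31), so the bound was presumably meant to be `const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x1f]/g, '')`. As written, the `${event}-${Date.now()}` value that make-spawn-args.js passes in loses its separator and every 0 and 1 of the timestamp, which makes script names in the temp directory more likely to collide. This file is a copy under deps/npm/node_modules, so the correction would presumably have to land in @npmcli/run-script first.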
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
index 660588e3ee9aa6..47f73463011be0 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
@@ -30,6 +30,7 @@ const makeSpawnArgs = options => {
npm_config_node_gyp,
})
+ const fileName = escape.filename(`${event}-${Date.now()}`)
let scriptFile
let script = ''
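Review bot: The script path is still a guessable name placed directly in the shared `tmpdir()`: `fileName` is only the event name plus `Date.now()`, and it feeds both `scriptFile` assignments in the two later hunks of this file (the `.cmd` and the `.sh` branch). On a multi-user host another local account could create that path first, and the file is later executed as a script; how it is written (open flags, mode) is outside these hunks, so that needs checking there. Creating a private per-run directory with `const dir = fs.mkdtempSync(resolve(tmpdir(), 'run-script-'))` and resolving the script file inside `dir`, or opening the file with the exclusive `wx` flag and mode `0o700`, removes the reliance on the name being unpredictable. `makeSpawnArgs` starts and ends outside the hunk, and whether `fs` is already required in this file is not visible.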
@@ -61,7 +62,7 @@ const makeSpawnArgs = options => {
const doubleEscape = pathToInitial.endsWith('.cmd') || pathToInitial.endsWith('.bat')
- scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+ scriptFile = resolve(tmpdir(), `${fileName}.cmd`)
script += '@echo off\n'
script += cmd
if (args.length) {
@@ -71,7 +72,7 @@ const makeSpawnArgs = options => {
const shebang = isAbsolute(scriptShell)
? `#!${scriptShell}`
: `#!/usr/bin/env ${scriptShell}`
- scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+ scriptFile = resolve(tmpdir(), `${fileName}.sh`)
script += `${shebang}\n`
script += cmd
if (args.length) {
diff --git a/deps/npm/node_modules/@npmcli/run-script/package.json b/deps/npm/node_modules/@npmcli/run-script/package.json
index ef8b43f772de1b..1ce162dd8d19a5 100644
--- a/deps/npm/node_modules/@npmcli/run-script/package.json
+++ b/deps/npm/node_modules/@npmcli/run-script/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/run-script",
- "version": "4.1.3",
+ "version": "4.1.5",
"description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
"author": "GitHub Inc.",
"license": "ISC",
@@ -17,10 +17,6 @@
"posttest": "npm run lint",
"template-oss-apply": "template-oss-apply --force"
},
- "tap": {
- "check-coverage": true,
- "coverage-map": "map.js"
- },
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
"@npmcli/template-oss": "3.5.0",
@@ -32,7 +28,8 @@
"@npmcli/node-gyp": "^2.0.0",
"@npmcli/promise-spawn": "^3.0.0",
"node-gyp": "^9.0.0",
- "read-package-json-fast": "^2.0.3"
+ "read-package-json-fast": "^2.0.3",
+ "which": "^2.0.2"
},
"files": [
"bin/",
diff --git a/deps/npm/node_modules/npm-packlist/lib/index.js b/deps/npm/node_modules/npm-packlist/lib/index.js
index e4a2e76c545f60..bd72329f027e61 100644
--- a/deps/npm/node_modules/npm-packlist/lib/index.js
+++ b/deps/npm/node_modules/npm-packlist/lib/index.js
@@ -34,10 +34,13 @@ const glob = require('glob')
const globify = pattern => pattern.split('\\').join('/')
const readOutOfTreeIgnoreFiles = (root, rel, result = '') => {
- for (const file of ['.gitignore', '.npmignore']) {
+ for (const file of ['.npmignore', '.gitignore']) {
try {
const ignoreContent = fs.readFileSync(path.join(root, file), { encoding: 'utf8' })
result += ignoreContent + '\n'
+ // break the loop immediately after concatting, this allows us to prioritize the
+ // .npmignore and discard the .gitignore if one exists
+ break
} catch (err) {
// we ignore ENOENT errors completely because we don't care if the file doesn't exist
// but we throw everything else because failing to read a file that does exist is
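Review bot: The new `break` changes what ends up in a packed tarball, and the comment should say so explicitly: once an out-of-tree `.npmignore` is read, the `.gitignore` next to it is never consulted, so anything that only `.gitignore` excluded (for example local credential or env files) is no longer filtered by this function. I would extend the comment to something like `// NOTE: a present .npmignore fully replaces .gitignore here; files that must stay unpublished have to be listed in .npmignore`, and add a test with both files present. An empty `.npmignore` is already enough to reach the `break`. The `try`/`catch` and the rest of `readOutOfTreeIgnoreFiles` continue past the end of the hunk.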
diff --git a/deps/npm/node_modules/npm-packlist/package.json b/deps/npm/node_modules/npm-packlist/package.json
index dfa0188b4c437b..4c63caf21e8107 100644
--- a/deps/npm/node_modules/npm-packlist/package.json
+++ b/deps/npm/node_modules/npm-packlist/package.json
@@ -1,6 +1,6 @@
{
"name": "npm-packlist",
- "version": "5.1.0",
+ "version": "5.1.1",
"description": "Get a list of the files to add from a folder into an npm package",
"directories": {
"test": "test"
diff --git a/deps/npm/package.json b/deps/npm/package.json
index a9d84ab62ce15a..95afa528fa144f 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
{
- "version": "8.13.1",
+ "version": "8.13.2",
"name": "npm",
"description": "a package manager for JavaScript",
"workspaces": [
@@ -62,7 +62,7 @@
"@npmcli/fs": "^2.1.0",
"@npmcli/map-workspaces": "^2.0.3",
"@npmcli/package-json": "^2.0.0",
- "@npmcli/run-script": "^4.1.3",
+ "@npmcli/run-script": "^4.1.5",
"abbrev": "~1.1.1",
"archy": "~1.0.0",
"cacache": "^16.1.1",
diff --git a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
index 13a3b06fe33d65..57dd6126660cdc 100644
--- a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
@@ -746,7 +746,7 @@ npm run-script [-- ]
Options:
[-w|--workspace [-w|--workspace ...]]
[-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
-[--script-shell ]
+[--foreground-scripts] [--script-shell ]
aliases: run, rum, urn
diff --git a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
index c59252f9e81a9e..5ae34e868771d6 100644
--- a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
@@ -790,7 +790,7 @@ All commands:
Options:
[-w|--workspace [-w|--workspace ...]]
[-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
- [--script-shell ]
+ [--foreground-scripts] [--script-shell ]
aliases: run, rum, urn