From 8b6f12ed4f9b1c810c7d1df2c80a81e330cafe0b Mon Sep 17 00:00:00 2001
From: "npm-cli+bot@github.com" Description
the results to only the paths to the packages named. Note that nested
packages will also show the paths to the specified packages. For
example, running npm ls promzard
in npm's source tree will show:
npm@8.13.1 /path/to/npm
+npm@8.13.2 /path/to/npm
└─┬ init-package-json@0.0.4
└── promzard@0.1.5
diff --git a/deps/npm/docs/output/commands/npm-run-script.html b/deps/npm/docs/output/commands/npm-run-script.html
index d74acb05644c68..5b1150cf4b9b3f 100644
--- a/deps/npm/docs/output/commands/npm-run-script.html
+++ b/deps/npm/docs/output/commands/npm-run-script.html
@@ -142,7 +142,7 @@ npm-run-script
Table of contents
-
+
Synopsis
@@ -319,6 +319,18 @@ ignore-scripts
will not run any pre- or post-scripts.
+foreground-scripts
+
+- Default: false
+- Type: Boolean
+
+Run all build scripts (ie, preinstall
, install
, and postinstall
)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process.
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging.
+
+
script-shell
- Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index c7b7dd5dc7a046..9a0446af631e4f 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -149,7 +149,7 @@ Table of contents
Version
-8.13.1
+8.13.2
Description
npm is the package manager for the Node JavaScript platform. It puts
modules in place so that node can find them, and manages dependency
diff --git a/deps/npm/lib/commands/run-script.js b/deps/npm/lib/commands/run-script.js
index a1591c7900b446..8507dbe79a90e8 100644
--- a/deps/npm/lib/commands/run-script.js
+++ b/deps/npm/lib/commands/run-script.js
@@ -35,6 +35,7 @@ class RunScript extends BaseCommand {
'include-workspace-root',
'if-present',
'ignore-scripts',
+ 'foreground-scripts',
'script-shell',
]
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index a24c524909f9ff..5a78c46a6e6da4 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -26,7 +26,7 @@ example, running \fBnpm ls promzard\fP in npm's source tree will show:
.P
.RS 2
.nf
-npm@8\.13\.1 /path/to/npm
+npm@8\.13\.2 /path/to/npm
└─┬ init\-package\-json@0\.0\.4
└── promzard@0\.1\.5
.fi
diff --git a/deps/npm/man/man1/npm-run-script.1 b/deps/npm/man/man1/npm-run-script.1
index c9dc22f4eb6bd4..c9c2925ff121ed 100644
--- a/deps/npm/man/man1/npm-run-script.1
+++ b/deps/npm/man/man1/npm-run-script.1
@@ -246,6 +246,21 @@ Note that commands explicitly intended to run a particular script, such as
\fBnpm start\fP, \fBnpm stop\fP, \fBnpm restart\fP, \fBnpm test\fP, and \fBnpm run\-script\fP
will still run their intended script if \fBignore\-scripts\fP is set, but they
will \fInot\fR run any pre\- or post\-scripts\.
+.SS \fBforeground\-scripts\fP
+.RS 0
+.IP \(bu 2
+Default: false
+.IP \(bu 2
+Type: Boolean
+
+.RE
+.P
+Run all build scripts (ie, \fBpreinstall\fP, \fBinstall\fP, and \fBpostinstall\fP)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process\.
+.P
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging\.
.SS \fBscript\-shell\fP
.RS 0
.IP \(bu 2
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index a26c713a11000f..1e2c15ebae15a8 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -4,7 +4,7 @@
.SS Synopsis
.SS Version
.P
-8\.13\.1
+8\.13\.2
.SS Description
.P
npm is the package manager for the Node JavaScript platform\. It puts
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index d30838e7384f62..1f479a90dd999f 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -166,8 +166,8 @@ class Advisory {
// we can try to be a *little* smarter up front by doing x-y for all
// contiguous version sets in the list
const ranges = []
- this.versions = semver.sort(this.versions)
- this.vulnerableVersions = semver.sort(this.vulnerableVersions)
+ this.versions = semver.sort(this.versions, semverOpt)
+ this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt)
for (let v = 0, vulnVer = 0; v < this.versions.length; v++) {
// figure out the vulnerable subrange
const vr = [this.versions[v]]
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
index 2c04e0fd420bfd..2e7209ffc7da0e 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/metavuln-calculator",
- "version": "3.1.0",
+ "version": "3.1.1",
"main": "lib/index.js",
"files": [
"bin/",
@@ -33,7 +33,7 @@
},
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
- "@npmcli/template-oss": "3.2.0",
+ "@npmcli/template-oss": "3.5.0",
"require-inject": "^1.4.4",
"tap": "^16.0.1"
},
@@ -48,6 +48,6 @@
},
"templateOSS": {
"//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "3.2.0"
+ "version": "3.5.0"
}
}
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
index 5254be24bf7ab8..3c574371bcf94e 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
@@ -65,7 +65,13 @@ const sh = (input) => {
return result
}
+// disabling the no-control-regex rule for this line as we very specifically _do_ want to
+// replace those characters if they somehow exist at this point, which is highly unlikely
+// eslint-disable-next-line no-control-regex
+const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x31]/g, '')
+
module.exports = {
cmd,
sh,
+ filename,
}
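Review bot: The character class in the new `filename` helper ends at `\x31`, which is the character `1`, not the last control character (`\x1f`, decimal 31). As written, `\x00-\x31` also strips spaces, `-`, `.` and the digits `0` and `1`, so a name built from an event and a timestamp loses its separator and some of its digits, and distinct inputs are more likely to map to the same file name. The range should read `\x00-\x1f`: `const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x1f]/g, '')`. The comment above it explains the lint exemption but not which character set is being removed or why; one sentence on that would let the next reader check the range against its intent.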
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
index 660588e3ee9aa6..47f73463011be0 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
@@ -30,6 +30,7 @@ const makeSpawnArgs = options => {
npm_config_node_gyp,
})
+ const fileName = escape.filename(`${event}-${Date.now()}`)
let scriptFile
let script = ''
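Review bot: `fileName` is derived only from `event` and `Date.now()`, so the script path under `tmpdir()` is predictable, and two runs of the same event within one millisecond resolve to the same path; the `.cmd` and `.sh` hunks below both reuse it. The write is outside these hunks, but if the file is created with a plain write in a shared temp directory, a pre-existing file or link at that path would be used or overwritten before the script is executed. Consider appending a random component such as `crypto.randomBytes(6).toString('hex')` (which needs `crypto` required in this file) and creating the file exclusively with `flag: 'wx'`, or placing it in a directory from `fs.mkdtempSync`. `makeSpawnArgs` starts and ends outside the hunk.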
@@ -61,7 +62,7 @@ const makeSpawnArgs = options => {
const doubleEscape = pathToInitial.endsWith('.cmd') || pathToInitial.endsWith('.bat')
- scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+ scriptFile = resolve(tmpdir(), `${fileName}.cmd`)
script += '@echo off\n'
script += cmd
if (args.length) {
@@ -71,7 +72,7 @@ const makeSpawnArgs = options => {
const shebang = isAbsolute(scriptShell)
? `#!${scriptShell}`
: `#!/usr/bin/env ${scriptShell}`
- scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+ scriptFile = resolve(tmpdir(), `${fileName}.sh`)
script += `${shebang}\n`
script += cmd
if (args.length) {
diff --git a/deps/npm/node_modules/@npmcli/run-script/package.json b/deps/npm/node_modules/@npmcli/run-script/package.json
index ef8b43f772de1b..1ce162dd8d19a5 100644
--- a/deps/npm/node_modules/@npmcli/run-script/package.json
+++ b/deps/npm/node_modules/@npmcli/run-script/package.json
@@ -1,6 +1,6 @@
{
"name": "@npmcli/run-script",
- "version": "4.1.3",
+ "version": "4.1.5",
"description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
"author": "GitHub Inc.",
"license": "ISC",
@@ -17,10 +17,6 @@
"posttest": "npm run lint",
"template-oss-apply": "template-oss-apply --force"
},
- "tap": {
- "check-coverage": true,
- "coverage-map": "map.js"
- },
"devDependencies": {
"@npmcli/eslint-config": "^3.0.1",
"@npmcli/template-oss": "3.5.0",
@@ -32,7 +28,8 @@
"@npmcli/node-gyp": "^2.0.0",
"@npmcli/promise-spawn": "^3.0.0",
"node-gyp": "^9.0.0",
- "read-package-json-fast": "^2.0.3"
+ "read-package-json-fast": "^2.0.3",
+ "which": "^2.0.2"
},
"files": [
"bin/",
diff --git a/deps/npm/node_modules/npm-packlist/lib/index.js b/deps/npm/node_modules/npm-packlist/lib/index.js
index e4a2e76c545f60..bd72329f027e61 100644
--- a/deps/npm/node_modules/npm-packlist/lib/index.js
+++ b/deps/npm/node_modules/npm-packlist/lib/index.js
@@ -34,10 +34,13 @@ const glob = require('glob')
const globify = pattern => pattern.split('\\').join('/')
const readOutOfTreeIgnoreFiles = (root, rel, result = '') => {
- for (const file of ['.gitignore', '.npmignore']) {
+ for (const file of ['.npmignore', '.gitignore']) {
try {
const ignoreContent = fs.readFileSync(path.join(root, file), { encoding: 'utf8' })
result += ignoreContent + '\n'
+ // break the loop immediately after concatting, this allows us to prioritize the
+ // .npmignore and discard the .gitignore if one exists
+ break
} catch (err) {
// we ignore ENOENT errors completely because we don't care if the file doesn't exist
// but we throw everything else because failing to read a file that does exist is
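Review bot: With the added `break`, any readable `.npmignore` in `root`, even an empty one, now suppresses the `.gitignore` next to it, and the new comment does not spell out that consequence. Paths that were excluded only through `.gitignore` (local env files, credentials, build output) are then no longer excluded by this function and may end up in the packed tarball unless another rule catches them. I would extend the comment to something like `// NOTE: an existing .npmignore, even an empty one, replaces .gitignore entirely; entries listed only in .gitignore are not applied`. The `catch` body and the rest of `readOutOfTreeIgnoreFiles` continue outside the hunk.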
diff --git a/deps/npm/node_modules/npm-packlist/package.json b/deps/npm/node_modules/npm-packlist/package.json
index dfa0188b4c437b..4c63caf21e8107 100644
--- a/deps/npm/node_modules/npm-packlist/package.json
+++ b/deps/npm/node_modules/npm-packlist/package.json
@@ -1,6 +1,6 @@
{
"name": "npm-packlist",
- "version": "5.1.0",
+ "version": "5.1.1",
"description": "Get a list of the files to add from a folder into an npm package",
"directories": {
"test": "test"
diff --git a/deps/npm/package.json b/deps/npm/package.json
index a9d84ab62ce15a..95afa528fa144f 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
{
- "version": "8.13.1",
+ "version": "8.13.2",
"name": "npm",
"description": "a package manager for JavaScript",
"workspaces": [
@@ -62,7 +62,7 @@
"@npmcli/fs": "^2.1.0",
"@npmcli/map-workspaces": "^2.0.3",
"@npmcli/package-json": "^2.0.0",
- "@npmcli/run-script": "^4.1.3",
+ "@npmcli/run-script": "^4.1.5",
"abbrev": "~1.1.1",
"archy": "~1.0.0",
"cacache": "^16.1.1",
diff --git a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
index 13a3b06fe33d65..57dd6126660cdc 100644
--- a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
@@ -746,7 +746,7 @@ npm run-script [-- ]
Options:
[-w|--workspace [-w|--workspace ...]]
[-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
-[--script-shell ]
+[--foreground-scripts] [--script-shell ]
aliases: run, rum, urn
diff --git a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
index c59252f9e81a9e..5ae34e868771d6 100644
--- a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
@@ -790,7 +790,7 @@ All commands:
Options:
[-w|--workspace [-w|--workspace ...]]
[-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
- [--script-shell ]
+ [--foreground-scripts] [--script-shell ]
aliases: run, rum, urn