From 6083c4dc102b4da306faaf81469e33687f30daf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kat=20March=C3=A1n?= Date: Sun, 28 May 2017 21:04:08 -0700 Subject: [PATCH] deps: upgrade npm to 5.0.0 PR-URL: https://github.com/nodejs/node/pull/13276 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Jeremiah Senkpiel --- deps/npm/CHANGELOG.md | 1581 +---------------- deps/npm/TODO.org | 32 +- deps/npm/appveyor.yml | 1 - deps/npm/changelogs/CHANGELOG-4.md | 1566 ++++++++++++++++ deps/npm/doc/cli/npm-cache.md | 60 +- deps/npm/doc/cli/npm-install.md | 124 +- deps/npm/doc/cli/npm-publish.md | 4 + deps/npm/doc/cli/npm-shrinkwrap.md | 185 +- deps/npm/doc/files/npm-package-locks.md | 145 ++ deps/npm/doc/files/npm-shrinkwrap.json.md | 27 + deps/npm/doc/files/package-lock.json.md | 132 ++ deps/npm/doc/misc/npm-config.md | 28 +- deps/npm/doc/misc/npm-index.md | 14 +- deps/npm/doc/misc/npm-scripts.md | 16 +- deps/npm/html/doc/README.html | 2 +- deps/npm/html/doc/cli/npm-access.html | 2 +- deps/npm/html/doc/cli/npm-adduser.html | 2 +- deps/npm/html/doc/cli/npm-bin.html | 2 +- deps/npm/html/doc/cli/npm-bugs.html | 2 +- deps/npm/html/doc/cli/npm-build.html | 2 +- deps/npm/html/doc/cli/npm-bundle.html | 2 +- deps/npm/html/doc/cli/npm-cache.html | 61 +- deps/npm/html/doc/cli/npm-completion.html | 2 +- deps/npm/html/doc/cli/npm-config.html | 2 +- deps/npm/html/doc/cli/npm-dedupe.html | 2 +- deps/npm/html/doc/cli/npm-deprecate.html | 2 +- deps/npm/html/doc/cli/npm-dist-tag.html | 2 +- deps/npm/html/doc/cli/npm-docs.html | 2 +- deps/npm/html/doc/cli/npm-doctor.html | 2 +- deps/npm/html/doc/cli/npm-edit.html | 2 +- deps/npm/html/doc/cli/npm-explore.html | 2 +- deps/npm/html/doc/cli/npm-help-search.html | 2 +- deps/npm/html/doc/cli/npm-help.html | 2 +- deps/npm/html/doc/cli/npm-init.html | 2 +- deps/npm/html/doc/cli/npm-install-test.html | 2 +- deps/npm/html/doc/cli/npm-install.html | 123 +- deps/npm/html/doc/cli/npm-link.html | 2 +- deps/npm/html/doc/cli/npm-logout.html | 2 +- deps/npm/html/doc/cli/npm-ls.html | 4 +- deps/npm/html/doc/cli/npm-outdated.html | 2 +- deps/npm/html/doc/cli/npm-owner.html | 2 +- deps/npm/html/doc/cli/npm-pack.html | 2 +- deps/npm/html/doc/cli/npm-ping.html | 2 +- deps/npm/html/doc/cli/npm-prefix.html | 2 +- deps/npm/html/doc/cli/npm-prune.html | 2 +- deps/npm/html/doc/cli/npm-publish.html | 5 +- deps/npm/html/doc/cli/npm-rebuild.html | 2 +- deps/npm/html/doc/cli/npm-repo.html | 2 +- deps/npm/html/doc/cli/npm-restart.html | 2 +- deps/npm/html/doc/cli/npm-root.html | 2 +- deps/npm/html/doc/cli/npm-run-script.html | 2 +- deps/npm/html/doc/cli/npm-search.html | 2 +- deps/npm/html/doc/cli/npm-shrinkwrap.html | 159 +- deps/npm/html/doc/cli/npm-star.html | 2 +- deps/npm/html/doc/cli/npm-stars.html | 2 +- deps/npm/html/doc/cli/npm-start.html | 2 +- deps/npm/html/doc/cli/npm-stop.html | 2 +- deps/npm/html/doc/cli/npm-team.html | 2 +- deps/npm/html/doc/cli/npm-test.html | 2 +- deps/npm/html/doc/cli/npm-uninstall.html | 2 +- deps/npm/html/doc/cli/npm-unpublish.html | 2 +- deps/npm/html/doc/cli/npm-update.html | 2 +- deps/npm/html/doc/cli/npm-version.html | 2 +- deps/npm/html/doc/cli/npm-view.html | 2 +- deps/npm/html/doc/cli/npm-whoami.html | 2 +- deps/npm/html/doc/cli/npm.html | 6 +- deps/npm/html/doc/files/npm-folders.html | 2 +- deps/npm/html/doc/files/npm-global.html | 2 +- deps/npm/html/doc/files/npm-json.html | 2 +- .../npm/html/doc/files/npm-package-locks.html | 148 ++ .../html/doc/files/npm-shrinkwrap.json.html | 45 + deps/npm/html/doc/files/npmrc.html | 2 +- .../npm/html/doc/files/package-lock.json.html | 127 ++ deps/npm/html/doc/files/package.json.html | 2 +- deps/npm/html/doc/index.html | 10 +- deps/npm/html/doc/misc/npm-coding-style.html | 2 +- deps/npm/html/doc/misc/npm-config.html | 26 +- deps/npm/html/doc/misc/npm-developers.html | 2 +- deps/npm/html/doc/misc/npm-disputes.html | 12 +- deps/npm/html/doc/misc/npm-index.html | 10 +- deps/npm/html/doc/misc/npm-orgs.html | 2 +- deps/npm/html/doc/misc/npm-registry.html | 2 +- deps/npm/html/doc/misc/npm-scope.html | 2 +- deps/npm/html/doc/misc/npm-scripts.html | 18 +- deps/npm/html/doc/misc/removing-npm.html | 2 +- deps/npm/html/doc/misc/semver.html | 2 +- deps/npm/lib/config/cmd-list.js | 1 + deps/npm/lib/config/defaults.js | 5 + deps/npm/lib/config/pacote.js | 127 +- deps/npm/lib/fetch-package-metadata.js | 9 +- deps/npm/lib/install.js | 85 +- deps/npm/lib/install/action/extract.js | 11 +- deps/npm/lib/install/action/finalize.js | 5 +- deps/npm/lib/install/action/preinstall.js | 3 +- .../install/action/refresh-package-json.js | 8 +- deps/npm/lib/install/deps.js | 91 +- deps/npm/lib/install/inflate-shrinkwrap.js | 37 +- deps/npm/lib/install/is-extraneous.js | 10 - .../lib/install/mutate-into-logical-tree.js | 3 +- deps/npm/lib/install/read-shrinkwrap.js | 17 +- deps/npm/lib/install/save.js | 37 +- deps/npm/lib/pack.js | 118 +- deps/npm/lib/prune.js | 3 +- deps/npm/lib/publish.js | 12 +- deps/npm/lib/shrinkwrap.js | 36 +- deps/npm/lib/uninstall.js | 82 +- deps/npm/lib/utils/error-handler.js | 10 +- deps/npm/lib/utils/link.js | 2 +- deps/npm/lib/utils/package-integrity.js | 21 - deps/npm/lib/utils/tar.js | 19 - deps/npm/man/man1/npm-cache.1 | 67 +- deps/npm/man/man1/npm-install.1 | 124 +- deps/npm/man/man1/npm-ls.1 | 2 +- deps/npm/man/man1/npm-publish.1 | 4 + deps/npm/man/man1/npm-shrinkwrap.1 | 229 +-- deps/npm/man/man1/npm.1 | 2 +- deps/npm/man/man5/npm-package-locks.5 | 183 ++ deps/npm/man/man5/npm-shrinkwrap.json.5 | 32 + deps/npm/man/man5/package-lock.json.5 | 144 ++ deps/npm/man/man7/npm-config.7 | 35 +- deps/npm/man/man7/npm-index.7 | 11 +- deps/npm/man/man7/npm-scripts.7 | 18 +- deps/npm/node_modules/cacache/CHANGELOG.md | 70 + deps/npm/node_modules/cacache/README.md | 44 +- deps/npm/node_modules/cacache/en.js | 3 + deps/npm/node_modules/cacache/es.js | 3 + deps/npm/node_modules/cacache/index.js | 10 +- .../node_modules/cacache/lib/content/read.js | 5 +- .../node_modules/cacache/lib/content/rm.js | 10 +- .../node_modules/cacache/lib/content/write.js | 11 +- .../node_modules/cacache/lib/entry-index.js | 7 +- deps/npm/node_modules/cacache/lib/util/y.js | 25 + deps/npm/node_modules/cacache/locales/en.js | 42 + deps/npm/node_modules/cacache/locales/en.json | 6 + deps/npm/node_modules/cacache/locales/es.js | 44 + deps/npm/node_modules/cacache/locales/es.json | 6 + .../cacache/node_modules/y18n/LICENSE | 13 + .../cacache/node_modules/y18n/README.md | 91 + .../cacache/node_modules/y18n/index.js | 172 ++ .../cacache/node_modules/y18n/package.json | 65 + deps/npm/node_modules/cacache/package.json | 55 +- deps/npm/node_modules/glob/glob.js | 2 - .../glob/node_modules/minimatch/package.json | 36 +- deps/npm/node_modules/glob/package.json | 30 +- deps/npm/node_modules/pacote/CHANGELOG.md | 91 + .../pacote/lib/fetchers/registry/fetch.js | 19 +- .../make-fetch-happen/CHANGELOG.md | 62 + .../node_modules/make-fetch-happen/agent.js | 29 +- .../node_modules/make-fetch-happen/cache.js | 2 +- .../node_modules/make-fetch-happen/index.js | 61 +- .../node_modules/humanize-ms/History.md | 5 + .../node_modules/humanize-ms/LICENSE | 17 + .../humanize-ms/node_modules/ms/index.js | 77 +- .../humanize-ms/node_modules/ms/package.json | 67 +- .../humanize-ms/node_modules/ms/readme.md | 3 +- .../node_modules/humanize-ms/package.json | 17 +- .../node_modules/debug/CHANGELOG.md | 11 +- .../node_modules/debug/README.md | 2 +- .../node_modules/debug/component.json | 2 +- .../debug/node_modules/ms/index.js | 77 +- .../debug/node_modules/ms/package.json | 67 +- .../debug/node_modules/ms/readme.md | 3 +- .../node_modules/debug/package.json | 17 +- .../node_modules/debug/src/browser.js | 8 +- .../node_modules/debug/src/node.js | 7 +- .../node_modules/debug/CHANGELOG.md | 11 +- .../node_modules/debug/README.md | 2 +- .../node_modules/debug/component.json | 2 +- .../debug/node_modules/ms/index.js | 77 +- .../debug/node_modules/ms/package.json | 67 +- .../debug/node_modules/ms/readme.md | 3 +- .../node_modules/debug/package.json | 17 +- .../node_modules/debug/src/browser.js | 8 +- .../node_modules/debug/src/node.js | 7 +- .../node_modules/node-fetch-npm/CHANGELOG.md | 10 + .../json-parse-helpfulerror/.editorconfig | 14 + .../json-parse-helpfulerror/.npmignore | 28 + .../json-parse-helpfulerror/LICENSE | 21 + .../json-parse-helpfulerror/README.md | 29 + .../json-parse-helpfulerror/index.js | 21 + .../node_modules/jju/.npmignore | 9 + .../node_modules/jju/LICENSE | 13 + .../node_modules/jju/README.md | 242 +++ .../node_modules/jju/index.js | 32 + .../node_modules/jju/lib/analyze.js | 91 + .../node_modules/jju/lib/document.js | 484 +++++ .../node_modules/jju/lib/parse.js | 764 ++++++++ .../node_modules/jju/lib/stringify.js | 382 ++++ .../node_modules/jju/lib/unicode.js | 71 + .../node_modules/jju/lib/utils.js | 45 + .../node_modules/jju/package.json | 65 + .../node_modules/jju/package.yaml | 45 + .../json-parse-helpfulerror/package.json | 63 + .../json-parse-helpfulerror/test/test.js | 32 + .../node_modules/node-fetch-npm/package.json | 16 +- .../node_modules/node-fetch-npm/src/body.js | 3 +- .../socks-proxy-agent/.travis.yml | 25 +- .../node_modules/socks-proxy-agent/History.md | 10 + .../node_modules/socks-proxy-agent/README.md | 2 +- .../socks-proxy-agent/package.json | 15 +- .../socks-proxy-agent/socks-proxy-agent.js | 14 +- .../socks-proxy-agent/test/server.crt | 13 - .../socks-proxy-agent/test/server.key | 15 - .../test/ssl-cert-snakeoil.key | 15 + .../test/ssl-cert-snakeoil.pem | 12 + .../socks-proxy-agent/test/test.js | 4 +- .../make-fetch-happen/package.json | 31 +- deps/npm/node_modules/pacote/package.json | 45 +- .../node_modules => }/safe-buffer/.travis.yml | 0 .../node_modules => }/safe-buffer/LICENSE | 0 .../node_modules => }/safe-buffer/README.md | 0 .../node_modules => }/safe-buffer/browser.js | 0 .../node_modules => }/safe-buffer/index.js | 0 .../safe-buffer/package.json | 24 +- .../node_modules => }/safe-buffer/test.js | 0 deps/npm/node_modules/ssri/CHANGELOG.md | 10 + deps/npm/node_modules/ssri/index.js | 13 +- deps/npm/node_modules/ssri/package.json | 32 +- deps/npm/package.json | 14 +- deps/npm/test/tap/bearer-token-check.js | 5 +- deps/npm/test/tap/config-meta.js | 1 + deps/npm/test/tap/gently-rm-linked-module.js | 68 +- deps/npm/test/tap/no-scan-full-global-dir.js | 35 +- .../test/tap/noargs-install-config-save.js | 2 +- .../npm/test/tap/shrinkwrap-extra-metadata.js | 5 - .../test/tap/shrinkwrap-package-integrity.js | 50 - deps/npm/test/tap/shrinkwrap-scoped-auth.js | 24 +- deps/npm/test/tap/uninstall-link-clean.js | 14 +- deps/npm/test/tap/uninstall-save.js | 96 +- deps/npm/test/tap/unit-link.js | 2 +- 230 files changed, 7639 insertions(+), 3413 deletions(-) create mode 100644 deps/npm/changelogs/CHANGELOG-4.md create mode 100644 deps/npm/doc/files/npm-package-locks.md create mode 100644 deps/npm/doc/files/npm-shrinkwrap.json.md create mode 100644 deps/npm/doc/files/package-lock.json.md create mode 100644 deps/npm/html/doc/files/npm-package-locks.html create mode 100644 deps/npm/html/doc/files/npm-shrinkwrap.json.html create mode 100644 deps/npm/html/doc/files/package-lock.json.html delete mode 100644 deps/npm/lib/utils/package-integrity.js create mode 100644 deps/npm/man/man5/npm-package-locks.5 create mode 100644 deps/npm/man/man5/npm-shrinkwrap.json.5 create mode 100644 deps/npm/man/man5/package-lock.json.5 create mode 100644 deps/npm/node_modules/cacache/en.js create mode 100644 deps/npm/node_modules/cacache/es.js create mode 100644 deps/npm/node_modules/cacache/lib/util/y.js create mode 100644 deps/npm/node_modules/cacache/locales/en.js create mode 100644 deps/npm/node_modules/cacache/locales/en.json create mode 100644 deps/npm/node_modules/cacache/locales/es.js create mode 100644 deps/npm/node_modules/cacache/locales/es.json create mode 100644 deps/npm/node_modules/cacache/node_modules/y18n/LICENSE create mode 100644 deps/npm/node_modules/cacache/node_modules/y18n/README.md create mode 100644 deps/npm/node_modules/cacache/node_modules/y18n/index.js create mode 100644 deps/npm/node_modules/cacache/node_modules/y18n/package.json create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/LICENSE create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.editorconfig create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.npmignore create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/LICENSE create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/README.md create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/index.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/.npmignore create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/LICENSE create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/README.md create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/index.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/analyze.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/document.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/parse.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/stringify.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/unicode.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/utils.js create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.json create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.yaml create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/package.json create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/test/test.js delete mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.crt delete mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.key create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key create mode 100644 deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.pem rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/.travis.yml (100%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/LICENSE (100%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/README.md (100%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/browser.js (100%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/index.js (100%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/package.json (74%) rename deps/npm/node_modules/{pacote/node_modules => }/safe-buffer/test.js (100%) delete mode 100644 deps/npm/test/tap/shrinkwrap-package-integrity.js diff --git a/deps/npm/CHANGELOG.md b/deps/npm/CHANGELOG.md index e55bcab3daa339..e2a8004b8d9b37 100644 --- a/deps/npm/CHANGELOG.md +++ b/deps/npm/CHANGELOG.md @@ -1,1566 +1,125 @@ -## v4.6.1 (2017-04-21) +## v5.0.0 (2017-05-25) -A little release to tide you over while we hammer out the last bits for npm@5. +Wowowowowow npm@5! -### FEATURES +This release marks months of hard work for the young, scrappy, and hungry CLI +team, and includes some changes we've been hoping to do for literally years. +npm@5 takes npm a pretty big step forward, significantly improving its +performance in almost all common situations, fixing a bunch of old errors due to +the architecture, and just generally making it more robust and fault-tolerant. +It comes with changes to make life easier for people doing monorepos, for users +who want consistency/security guarantees, and brings semver support to git +dependencies. See below for all the deets! -* [`d13c9b2f2`](https://github.com/npm/npm/commit/d13c9b2f24b6380427f359b6e430b149ac8aaa79) - `init-package-json@1.10.0`: - The `name:` prompt is now `package name:` to make this less ambiguous for new users. +### Breaking Changes - The default package name is now a valid package name. For example: If your package directory - has mixed case, the default package name will be all lower case. -* [`f08c66323`](https://github.com/npm/npm/commit/f08c663231099f7036eb82b92770806a3a79cdf1) - [#16213](https://github.com/npm/npm/pull/16213) - Add `--allow-same-version` option to `npm version` so that you can use `npm version` to run - your version lifecycles and tag your git repo without actually changing the version number in - your `package.json`. - ([@lucastheisen](https://github.com/lucastheisen)) -* [`f5e8becd0`](https://github.com/npm/npm/commit/f5e8becd05e0426379eb0c999abdbc8e87a7f6f2) - Timing has been added throughout the install implementation. You can see it by running - a command with `--loglevel=timing`. You can also run commands with `--timing` which will write - an `npm-debug.log` even on success and add an entry to `_timing.json` in your cache with - the timing information from that run. - ([@iarna](https://github.com/iarna)) +* Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. ([#15666](https://github.com/npm/npm/pull/15666)) -### BUG FIXES +* `npm install ./packages/subdir` will now create a symlink instead of a regular installation. `file://path/to/tarball.tgz` will not change -- only directories are symlinked. ([#15900](https://github.com/npm/npm/pull/15900)) -* [`9c860f2ed`](https://github.com/npm/npm/commit/9c860f2ed3bdea1417ed059b019371cd253db2ad) - [#16021](https://github.com/npm/npm/pull/16021) - Fix a crash in `npm doctor` when used with a registry that does not support - the `ping` API endpoint. - ([@watilde](https://github.com/watilde)) -* [`65b9943e9`](https://github.com/npm/npm/commit/65b9943e9424c67547b0029f02b0258e35ba7d26) - [#16364](https://github.com/npm/npm/pull/16364) - Shorten the ELIFECYCLE error message. The shorter error message should make it much - easier to discern the actual cause of the error. - ([@j-f1](https://github.com/j-f1)) -* [`a87a4a835`](https://github.com/npm/npm/commit/a87a4a8359693518ee41dfeb13c5a8929136772a) - `npmlog@4.0.2`: - Fix flashing of the progress bar when your terminal is very narrow. - ([@iarna](https://github.com/iarna)) -* [`41c10974f`](https://github.com/npm/npm/commit/41c10974fe95a2e520e33e37725570c75f6126ea) - `write-file-atomic@1.3.2`: - Wait for `fsync` to complete before considering our file written to disk. - This will improve certain sorts of Windows diagnostic problems. -* [`2afa9240c`](https://github.com/npm/npm/commit/2afa9240ce5b391671ed5416464f2882d18a94bc) - [#16336](https://github.com/npm/npm/pull/16336) - Don't ham-it-up when expecting JSON. - ([@bdukes](https://github.com/bdukes)) +* npm will now scold you if you capitalize its name. seriously it will fight you. -### DOCUMENTATION FIXES +* [npm will `--save` by default now](https://twitter.com/maybekatz/status/859229741676625920). Additionally, `package-lock.json` will be automatically created unless an `npm-shrinkwrap.json` exists. ([#15666](https://github.com/npm/npm/pull/15666)) -* [`566f3eebe`](https://github.com/npm/npm/commit/566f3eebe741f935b7c1e004bebf19b8625a1413) - [#16296](https://github.com/npm/npm/pull/16296) - Use a single convention when referring to the `` you're running. - ([@desfero](https://github.com/desfero)) -* [`ccbb94934`](https://github.com/npm/npm/commit/ccbb94934d4f677f680c3e2284df3d0ae0e65758) - [#16267](https://github.com/npm/npm/pull/16267) - Fix a missing space in the example package.json. - ([@famousgarkin](https://github.com/famousgarkin)) +* Git dependencies support semver through `user/repo#semver:^1.2.3` ([#15308](https://github.com/npm/npm/pull/15308)) ([#15666](https://github.com/npm/npm/pull/15666)) ([@sankethkatta](https://github.com/sankethkatta)) -### DEPENDENCY UPDATES +* Git dependencies with `prepare` scripts will have their `devDependencies` installed, and `npm install` run in their directory before being packed. -* [`ebde4ea33`](https://github.com/npm/npm/commit/ebde4ea3363dfc154c53bd537189503863c9b3a4) - `hosted-git-info@2.4.2` -* [`c46ad71bb`](https://github.com/npm/npm/commit/c46ad71bbe27aaa9ee10e107d8bcd665d98544d7) - `init-package-json@1.9.6` -* [`d856d570d`](https://github.com/npm/npm/commit/d856d570d2df602767c039cf03439d647bba2e3d) - `npm-registry-client@8.1.1` -* [`4a2e14436`](https://github.com/npm/npm/commit/4a2e1443613a199665e7adbda034d5b9d10391a2) - `readable-stream@2.2.9` -* [`f0399138e`](https://github.com/npm/npm/commit/f0399138e6d6f1cd7f807d523787a3b129996301) - `normalize-package-data@2.3.8` +* `npm cache` commands have been rewritten and don't really work anything like they did before. ([#15666](https://github.com/npm/npm/pull/15666)) -### v4.5.0 (2017-03-24) +* `--cache-min` and `--cache-max` have been deprecated. ([#15666](https://github.com/npm/npm/pull/15666)) -Welcome a wrinkle on npm's registry API! +* Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. ([#15666](https://github.com/npm/npm/pull/15666)) -Codename: Corgi +* package locks no longer exclude `optionalDependencies` that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. ([#15900](https://github.com/npm/npm/pull/15900)) -![corgi-meme](https://cloud.githubusercontent.com/assets/757502/24126107/64c14268-0d89-11e7-871b-d457e6d0082b.jpg) +* If you generated your package lock against registry A, and you switch to registry B, npm will now try to [install the packages from registry B, instead of A](https://twitter.com/maybekatz/status/862834964932435969). If you want to use different registries for different packages, use scope-specific registries (`npm config set @myscope:registry=https://myownregist.ry/packages/`). Different registries for different unscoped packages are not supported anymore. -This release has some bug fixes, but it's mostly about bringing support for -MUCH smaller package metadata. How much smaller? Well, for npm itself it -reduces 416K of gzip compressed JSON to 24K. +* Shrinkwrap and package-lock no longer warn and exit without saving the lockfile. -As a user, all you have to do is update to get to use the new API. If -you're interested in the details we've [documented the -changes](https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md) -in detail. +* Local tarballs can now only be installed if they have a file extensions `.tar`, `.tar.gz`, or `.tgz`. -#### CORGUMENTS +* A new loglevel, `notice`, has been added and set as default. -Package metadata: now smaller. This means a smaller cache and less to download. +* One binary to rule them all: `./cli.js` has been removed in favor of `./bin/npm-cli.js`. In case you were doing something with `./cli.js` itself. ([#12096](https://github.com/npm/npm/pull/12096)) ([@watilde](https://github.com/watilde)) -* [`86dad0d74`](https://github.com/npm/npm/commit/86dad0d747f288eab467d49c9635644d3d44d6f0) - Add support for filtered package metadata. - ([@iarna](https://github.com/iarna)) -* [`41789cffa`](https://github.com/npm/npm/commit/41789cffac9845603f4bdf3f5b03f412144a0e9f) - `npm-registry-client@8.1.0` - ([@iarna](https://github.com/iarna)) +* Stub file removed ([#16204](https://github.com/npm/npm/pull/16204)) ([@watilde](https://github.com/watilde)) -#### NO SHRINKWRAP, NO PROBLEM +* The "extremely legacy" `_token` couchToken has been removed. ([#12986](https://github.com/npm/npm/pull/12986)) -Previously we needed to extract every package's tarball to look for an -`npm-shrinkwrap.json` before we could begin working through what its -dependencies were. This was one of the things stopping npm's network -accesses from happening more concurrently. The new filtered package -metadata provides a new key, `_hasShrinkwrap`. When that's set to `false` -then we know we don't have to look for one. +### Feature Summary -* [`4f5060eb3`](https://github.com/npm/npm/commit/4f5060eb31b9091013e1d6a34050973613a294a3) - [#15969](https://github.com/npm/npm/pull/15969) - Add support for skipping `npm-shrinkwrap.json` extraction when the - registry can affirm that one doesn't exist. - ([@iarna](https://github.com/iarna)) +#### Installer changes -#### INTERRUPTING SCRIPTS +* A new, standardised lockfile feature meant for cross-package-manager compatibility (`package-lock.json`), and a new format and semantics for shrinkwrap. ([#16441](https://github.com/npm/npm/pull/16441)) -* [`878aceb25`](https://github.com/npm/npm/commit/878aceb25e6d6052dac15da74639ce274c8e62c5) - [#16129](https://github.com/npm/npm/pull/16129) - Better handle Ctrl-C while running scripts. `npm` will now no longer exit - until the script it is running has exited. If you press Ctrl-C a second - time it kill the script rather than just forwarding the Ctrl-C. - ([@jaridmargolin](https://github.com/jaridmargolin)) +* `--save` is no longer necessary. All installs will be saved by default. You can prevent saving with `--no-save`. Installing optional and dev deps is unchanged: use `-D/--save-dev` and `-O/--save-optional` if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true for `package-lock.json`. ([#15666](https://github.com/npm/npm/pull/15666)) -#### DEPENDENCY UPDATES: +* Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too. 😁 ([#15900](https://github.com/npm/npm/pull/15900)) -* [`def75eebf`](https://github.com/npm/npm/commit/def75eebf1ad437bf4fd3f5e103cc2d963bd2a73) - `hosted-git-info@2.4.1`: - Preserve case of the user name part of shortcut specifiers, previously they were lowercased. - ([@iarna](https://github.com/iarna)) -* [`eb3789fd1`](https://github.com/npm/npm/commit/eb3789fd18cfb063de9e6f80c3049e314993d235) - `node-gyp@3.6.0`: Add support for VS2017 and Chakracore improvements. - ([@refack](https://github.com/refack)) - ([@kunalspathak](https://github.com/kunalspathak)) -* [`245e25315`](https://github.com/npm/npm/commit/245e25315524b95c0a71c980223a27719392ba75) - `readable-stream@2.2.6` ([@mcollina](https://github.com/mcollina)) -* [`30357ebc5`](https://github.com/npm/npm/commit/30357ebc5691d7c9e9cdc6e0fe7dc6253220c9c2) - `which@1.2.14` ([@isaacs](https://github.com/isaacs)) +* Project-level (toplevel) `preinstall` scripts now run before anything else, and can modify `node_modules` before the CLI reads it. -### v4.4.4 (2017-03-16) +* Two new scripts have been added, `prepack` and `postpack`, which will run on both `npm pack` and `npm publish`, but NOT on `npm install` (without arguments). Combined with the fact that `prepublishOnly` is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication. -😩😤😅 Okay! We have another `next` -release for ya today. So, yes! With v4.4.3 we fixed the bug that made -bundled scoped modules uninstallable. But somehow I overlooked the fact -that we: A) were using these and B) that made upgrading to v4.4.3 impossible. 😭 +* Git dependencies with `prepare` scripts will now [have their devDependencies installed, and their prepare script executed](https://twitter.com/maybekatz/status/860363896443371520) as if under `npm pack`. -So I've renamed those two scoped modules to no longer use scopes and we now -have a shiny new test to ensure that scoped modules don't creep into our -transitive deps and make it impossible to upgrade to `npm`. +* Git dependencies now support semver-based matching: `npm install git://github.com/npm/npm#semver:^5` (#15308, #15666) -(None of our woes applies to most of you all because most of you all don't -use bundled dependencies. `npm` does because we want the published artifact to be -installable without having to already have `npm`.) - -* [`2a7409fcb`](https://github.com/npm/npm/commit/2a7409fcba6a8fab716c80f56987b255983e048e) - [#16066](https://github.com/npm/npm/pull/16066) - Ensure we aren't using any scoped modules - Because `npm`s prior 4.4.3 can't install dependencies that have bundled scoped - modules. This didn't show up sooner because they ALSO had a bug that caused - bundled scoped modules to not be included in the bundle. - ([@iarna](https://github.com/iarna)) -* [`eb4c70796`](https://github.com/npm/npm/commit/eb4c70796c38f24ee9357f5d4a0116db582cc7a9) - [#16066](https://github.com/npm/npm/pull/16066) - Switch to move-concurrently to remove scoped dependency - ([@iarna](https://github.com/iarna)) - -### v4.4.3 (2017-03-15) - -This is a small patch release, mostly because the published tarball for -v4.4.2 was missing a couple of modules, due to a bug involving scoped -modules, bundled dependencies and legacy tree layouts. - -There are a couple of other things here that happened to be ready to go. So -without further ado… - -#### BUG FIXES - -* [`3d80f8f70`](https://github.com/npm/npm/commit/3d80f8f70679ad2b8ce7227d20e8dbce257a47b9) - [npm/fs-vacuum#6](https://github.com/npm/fs-vacuum/pull/6) - `fs-vacuum@1.2.1`: Make sure we never, ever remove home directories. Previously if your - home directory was entirely empty then we might `rmdir` it. - ([@helio-frota](https://github.com/helio-frota)) -* [`1af85ca9f`](https://github.com/npm/npm/commit/1af85ca9f4d625f948e85961372de7df3f3774e2) - [#16040](https://github.com/npm/npm/pull/16040) - Fix bug where bundled transitive dependencies that happened to be - installed under bundled scoped dependencies wouldn't be included in the - tarball when building a package. - ([@iarna](https://github.com/iarna)) -* [`13c7fdc2e`](https://github.com/npm/npm/commit/13c7fdc2e87456a87b1c9385a3daeae228ed7c95) - [#16040](https://github.com/npm/npm/pull/16040) - Fix a bug where bundled scoped dependencies couldn't be extracted. - ([@iarna](https://github.com/iarna)) -* [`d6cde98c2`](https://github.com/npm/npm/commit/d6cde98c2513fe160eab41e31c3198dfde993207) - [#16040](https://github.com/npm/npm/pull/16040) - Stop printing `ENOENT` errors more than once. - ([@iarna](https://github.com/iarna)) -* [`722fbf0f6`](https://github.com/npm/npm/commit/722fbf0f6cf4413cdc24b610bbd60a7dbaf2adfe) - [#16040](https://github.com/npm/npm/pull/16040) - Rewrite the `extract` action for greater clarity. - Specifically, this involves moving things around structurally to do the same - thing [`d0c6d194`](https://github.com/npm/npm/commit/d0c6d194) did, but in a more comprehensive manner. - This also fixes a long standing bug where errors from the move step would be - eaten during this phase and as a result we would get mysterious crashes in - the finalize phase when finalize tried to act on them. - ([@iarna](https://github.com/iarna)) -* [`6754dabb6`](https://github.com/npm/npm/commit/6754dabb6bd3301504efb3b62f36d3fe70958c19) - [#16040](https://github.com/npm/npm/pull/16040) - Flatten out `@npmcorp/move`'s deps for backwards compatibility reasons. Versions prior to this - one will fail to install any package that bundles a scoped dependency. This was responsible - for `ENOENT` errors during the `finalize` phase. - ([@iarna](https://github.com/iarna)) - -#### DOC UPDATES - -* [`fba51c582`](https://github.com/npm/npm/commit/fba51c582d1d08dd4aa6eb27f9044dddba91bb18) - [#15960](https://github.com/npm/npm/pull/15960) - Update troubleshooting and contribution guide links. - ([@watilde](https://github.com/watilde)) - - -### v4.4.2 (2017-03-09): - -This week, the focus on the release was mainly going through [all of npm's deps -that we manage -ourselves](https://github.com/npm/npm/wiki/npm-maintained-dependencies), and -making sure all their PRs and versions were up to date. That means there's a few -fixes here and there. Nothing too big codewise, though. - -The most exciting part of this release is probably our [shiny new -Contributing](https://github.com/npm/npm/blob/latest/CONTRIBUTING.md) and -[Troubleshooting](https://github.com/npm/npm/blob/latest/TROUBLESHOOTING.md) -docs! [@snopeks](https://github.com/snopeks) did some ✨fantastic✨ work hashing it -out, and we're really hoping this is a nice big step towards making contributing -to npm easier. The troubleshooting doc will also hopefully solve common issues -for people! Do you think something is missing from it? File a PR and we'll add -it! The current document is just a baseline for further editing and additions. - -Also there's maybe a bit of an easter egg in this release. 'Cause those are fun and I'm a huge nerd. 😉 - -#### DOCUMENTATION AHOY - -* [`07e997a`](https://github.com/npm/npm/commit/07e997a7ecedba7b29ad76ffb2ce990d5c0200fc) - [#15756](https://github.com/npm/npm/pull/15756) - Overhaul `CONTRIBUTING.md` and add new `TROUBLESHOOTING.md` files. 🙌🏼 - ([@snopeks](https://github.com/snopeks)) -* [`2f3e4b6`](https://github.com/npm/npm/commit/2f3e4b645cdc268889cf95ba24b2aae572d722ad) - [#15833](https://github.com/npm/npm/pull/15833) - Mention the [24-hour unpublish - policy](http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy) - on the main registry. - ([@carols10cents](https://github.com/carols10cents)) - -#### NOT REALLY FEATURES, NOT REALLY BUGFIXES. MORE LIKE TWEAKS? 🤔 - -* [`84be534`](https://github.com/npm/npm/commit/84be534aedb78c65cd8012427fc04871ceeccf90) - [#15888](https://github.com/npm/npm/pull/15888) - Stop flattening `ls`-tree output. From now on, deduped deps will be marked as - such in the place where they would've been before getting hoisted by the - installer. - ([@iarna](https://github.com/iarna)) -* [`e9a5dca`](https://github.com/npm/npm/commit/e9a5dca369ead646ab5922326cede1406c62bd3b) - [#15967](https://github.com/npm/npm/pull/15967) - Limit metadata fetches to 10 concurrent requests. - ([@iarna](https://github.com/iarna)) -* [`46aa9bc`](https://github.com/npm/npm/commit/46aa9bcae088740df86234fc199f7aef53b116df) - [#15967](https://github.com/npm/npm/pull/15967) - Limit concurrent installer actions to 10. - ([@iarna](https://github.com/iarna)) - -#### BUGFIXES - -* [`c3b994b`](https://github.com/npm/npm/commit/c3b994b71565eb4f943cce890bb887d810e6e2d4) - [#15901](https://github.com/npm/npm/pull/15901) - Use EXDEV aware move instead of rename. This will allow moving across devices - and moving when filesystems don't support renaming directories full of files. It might make folks using Docker a bit happier. - ([@iarna](https://github.com/iarna)) -* [`0de1a9c`](https://github.com/npm/npm/commit/0de1a9c1db90e6705c65c068df1fe82899e60d68) - [#15735](https://github.com/npm/npm/pull/15735) - Autocomplete support for npm scripts with `:` colons in the name. - ([@beyondcompute](https://github.com/beyondcompute)) -* [`84b0b92`](https://github.com/npm/npm/commit/84b0b92e7f78ec4add42e8161c555325c99b7f98) - [#15874](https://github.com/npm/npm/pull/15874) - Stop using [undocumented](https://github.com/nodejs/node/pull/11355) - `res.writeHeader` alias for `res.writeHead`. - ([@ChALkeR](https://github.com/ChALkeR)) -* [`895ffe4`](https://github.com/npm/npm/commit/895ffe4f3eecd674796395f91c30eda88aca6b36) - [#15824](https://github.com/npm/npm/pull/15824) - Fix empty versions column in `npm search` output. - ([@bcoe](https://github.com/bcoe)) -* [`38c8d7a`](https://github.com/npm/npm/commit/38c8d7adc1f43ab357d1e729ae7cd5d801a26e68) - `init-package-json@1.9.5`: [npm/init-package-json#61](https://github.com/npm/init-package-json/pull/61) Exclude existing `devDependencies` from being added to `dependencies`. Fixes [#12260](https://github.com/npm/npm/issues/12260). - ([@addaleax](https://github.com/addaleax)) - -### v4.4.1 (2017-03-06): - -This is a quick little patch release to forgo the update notification -checker if you're on an unsuported (but not otherwise broken) version of -Node.js. Right now that means 0.10 or 0.12. - -* [`56ac249`](https://github.com/npm/npm/commit/56ac249ef8ede1021f1bc62a0e4fe1e9ba556af2) - [#15864](https://github.com/npm/npm/pull/15864) - Only use `update-notifier` on supported versions. - ([@legodude17](https://github.com/legodude17)) - -### v4.4.0 (2017-02-23): - -Aaaah, [@iarna](https://github.com/iarna) here, it's been a little while -since I did one of these! This is a nice little release, we've got an -update notifier, vastly less verbose error messages, new warnings on package -metadata that will probably give you a bad day, and a sprinkling of bug -fixes. - -#### UPDATE NOTIFICATIONS - -We now have a little nudge to update your `npm`, courtesy of -[update-notifier](https://www.npmjs.com/package/update-notifier). - -* [`148ee66`](https://github.com/npm/npm/commit/148ee663740aa05877c64f16cdf18eba33fbc371) - [#15774](https://github.com/npm/npm/pull/15774) - `npm` will now check at start up to see if a newer version is available. - It will check once a day. If you want to disable this, set `optOut` to `true` in - `~/.config/configstore/update-notifier-npm.json`. - ([@ceejbot](https://github.com/ceejbot)) - -#### LESS VERBOSE ERROR MESSAGES - -`npm` has, for a long time, had very verbose error messages. There was a -lot of info in there, including the cause of the error you were seeing but -without a lot of experience reading them pulling that out was time consuming -and difficult. - -With this change the output is cut down substantially, centering the error -message. So, for example if you try to `npm run sdlkfj` then the entire -error you'll get will be: +* `node-gyp` now supports `node-gyp.cmd` on Windows ([#14568](https://github.com/npm/npm/pull/14568)) +* npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. ([#15914](https://github.com/npm/npm/pull/15914)): ``` -npm ERR! missing script: sldkfj - -npm ERR! A complete log of this run can be found in: -npm ERR! /Users/rebecca/.npm/_logs/2017-02-24T00_41_36_988Z-debug.log +$ npm install +npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s. +$ ``` -The CLI team has discussed cutting this down even further and stripping the -`npm ERR!` prefix off those lines too. We'd appreciate your feedback on -this! - -* [`e544124`](https://github.com/npm/npm/commit/e544124592583654f2970ec332003cfd00d04f2b) - [#15716](https://github.com/npm/npm/pull/15716) - Make error output less verbose. - ([@iarna](https://github.com/iarna)) -* [`166bda9`](https://github.com/npm/npm/commit/166bda97410d0518b42ed361020ade1887e684af) - [#15716](https://github.com/npm/npm/pull/15716) - Stop encouraging users to visit the issue tracker unless we know for - certain that it's an npm bug. - ([@iarna](https://github.com/iarna)) - -#### OTHER NEW FEATURES - -* [`53412eb`](https://github.com/npm/npm/commit/53412eb22c1c75d768e30f96d69ed620dfedabde) - [#15772](https://github.com/npm/npm/pull/15772) - We now warn if you have a module listed in both dependencies and - devDependencies. - ([@TedYav](https://github.com/TedYav)) -* [`426b180`](https://github.com/npm/npm/commit/426b1805904a13bdc5c0dd504105ba037270cbee) - [#15757](https://github.com/npm/npm/pull/15757) - Default reporting metrics to default registry. Previously it defaulted to using - `https://registry.npmjs.org`, now it will default to the result of - `npm config get registry`. For most folks this won't actually change anything, but it - means that folks who use a private registry will have metrics routed there by default. - This has the potential to be interesting because it means that in the - future private registry products ([npme](https://npme.npmjs.com/docs/)!) - will be able to report on these metrics. - ([@iarna](https://github.com/iarna)) - -#### BUG FIXES - -* [`8ea0de9`](https://github.com/npm/npm/commit/8ea0de98563648ba0db032acd4d23d27c4a50a66) - [#15716](https://github.com/npm/npm/pull/15716) - Write logs for `cb() never called` errors. -* [`c4e83dc`](https://github.com/npm/npm/commit/c4e83dca830b24305e3cb3201a42452d56d2d864) - Make it so that errors while reading the existing node_modules tree can't - result in installer crashes. - ([@iarna](https://github.com/iarna)) -* [`2690dc2`](https://github.com/npm/npm/commit/2690dc2684a975109ef44953c2cf0746dbe343bb) - Update `npm doctor` to not treat broken symlinks in your global modules as - a permission failure. This is particularly important if you link modules and your text - editor uses the convention of creating symlinks from `.#filename.js` to a - machine name and pid to lock files (eg emacs and compatible things). - ([@iarna](https://github.com/iarna)) -* [`f4c3f48`](https://github.com/npm/npm/commit/f4c3f489aa5787cf0d60e8436be2190e4b0d0ff7) - [#15777](https://github.com/npm/npm/pull/15777) - Not exactly a bug, but change a parameterless `.apply` to `.call`. - ([@notarseniy](https://github.com/notarseniy)) - -#### DEPENDENCY UPDATES - -* [`549dcff`](https://github.com/npm/npm/commit/549dcff58c7aaa1e7ba71abaa14008fdf2697297) - `rimraf@2.6.0`: - Retry EBUSY, ENOTEMPTY and EPERM on non-Windows platforms too. - More reliable `rimraf.sync` on Windows. - ([@isaacs](https://github.com/isaacs)) -* [`052dfb6`](https://github.com/npm/npm/commit/052dfb623da508f2b5f681da0258125552a18a4a) - `validate-npm-package-name@3.0.0`: - Remove ableist language in README. - Stop allowing ~'!()* in package names. - ([@tomdale](https://github.com/tomdale)) - ([@chrisdickinson](https://github.com/chrisdickinson)) -* [`6663ea6`](https://github.com/npm/npm/commit/6663ea6ac0f0ecec5a3f04a3c01a71499632f4dc) - `abbrev@1.1.0` ([@isaacs](https://github.com/isaacs)) -* [`be6de9a`](https://github.com/npm/npm/commit/be6de9aab9e20b6eac70884e8626161eebf8721a) - `opener@1.4.3` ([@dominic](https://github.com/dominic)) -* [`900a5e3`](https://github.com/npm/npm/commit/900a5e3e3411ec221306455f99b24b9ce35757c0) - `readable-stream@2.2.3` ([@RangerMauve](https://github.com/RangerMauve)) ([@mcollina](https://github.com/mcollina)) -* [`c972a8b`](https://github.com/npm/npm/commit/c972a8b0f20a61a79c45b6642f870bea8c55c7e4) - `tacks@1.2.6` - ([@iarna](https://github.com/iarna)) -* [`85a36ef`](https://github.com/npm/npm/commit/85a36efdac0c24501876875cb9ad40292024e0b0) - [`7ac9265`](https://github.com/npm/npm/commit/7ac9265c56b4d9eeaca6fcfb29513f301713e7bb) - `tap@10.2.0` - ([@isaacs](https://github.com/saacs)) - -### v4.3.0 (2017-02-09): - -Yay! Release time! It's a rainy day, and we have another smallish release for -y'all. These things are not necessarily related. Or are they 🌧🤔 - -As far as news go, you may have noticed that the CLI team dropped support for -`node@0.12` when that version went out of maintenance. Still, we've avoided -explicitly breaking it and `node@0.10` so far -- but not much longer. - -Sometime soon, the CLI team plans on switching over to language features only -available as of `node@4 LTS`, and will likely start dropping old versions of node -as they go out of maintenance. The new features are exciting! We're really -looking forward to using them in the core CLI (and its dependencies) as we keep up -with our current feature work. - -And speaking of features, this release is a minor bump due to a small change in -how `npm login` works for the sake of supporting OAuth-based login for npm -Enterprise users. But we won't leave the rest of y'all out -- we're working on a -larger version of this feature. Soon enough, you'll be able to log in to npm -with, say, GitHub -- and use some shiny features that come from the integration. -Or turn on 2FA and other such security features. Keep your eyes peeled for new -on this in the next few releases and our weekly newsletter! - -#### NEW AUTH TYPES - -There's a new command line option: `--auth-type`, which can be used to log in to -a supporting registry with OAuth2 or SAML. The current implementation is mainly -meant to support npmE customers, so if you're one of those: ask us about using -it! If not, just hold off cause we'll have a much more complete version of this -feature out soon. - -* [`ac8595e`](https://github.com/npm/npm/commit/ac8595e3c9b615ff95abc3301fac1262c434792c) [`bcf2dd8`](https://github.com/npm/npm/commit/bcf2dd8a165843255c06515fa044c6e4d3b71ca4) [`9298d20`](https://github.com/npm/npm/commit/9298d20af58b92572515bfa9cf7377bd4221dc7d) [`66b61bc`](https://github.com/npm/npm/commit/66b61bc42e81ee8a1ee00fc63517f62284140688) [`dc85de7`](https://github.com/npm/npm/commit/dc85de7df6bb61f7788611813ee82ae695a18f1f) - [#13389](https://github.com/npm/npm/pull/13389) - Implement single-sign-on support with `--auth-type` option. - ([@zkat](https://github.com/zkat)) - -#### FASTER STARTUP. SOMETIMES! - -`request` is pretty heavy. And it loads a bunch of things. It's actually a -pretty big chunk of npm's load time. This small patch by Rebecca will make it so -npm only loads that module when we're actually intending to make network -requests. Those of you who use npm commands that run offline might see a small -speedup in startup time. - -* [`ac73568`](https://github.com/npm/npm/commit/ac735682e666e8724549d56146821f3b8b018e25) - [#15631](https://github.com/npm/npm/pull/15631) - Lazy load `caching-registry-client`. - ([@iarna](https://github.com/iarna)) - -#### DOCUMENTATION - -* [`4ad9247`](https://github.com/npm/npm/commit/4ad9247aa82f7553c9667ee93c74ec7399d6ceec) - [#15630](https://github.com/npm/npm/pull/15630) - Fix formatting/rendering for root npm README. - ([@ungoldman](https://github.com/ungoldman)) - -#### DEPENDENCY UPDATES - -* [`8cc1112`](https://github.com/npm/npm/commit/8cc1112958638ff88ac2c24c4a065acacb93d64b) - [npm/hosted-git-info#21](https://github.com/npm/hosted-git-info/pull/21) - `hosted-git-info@2.2.0`: - Add support for `.tarball()` URLs. - ([@zkat](https://github.com/zkat)) -* [`6eacc1b`](https://github.com/npm/npm/commit/6eacc1bc1925fe3cc79fc97bdc3194d944fce55e) - `npm-registry-mock@1.1.0` - ([@addaleax](https://github.com/addaleax)) -* [`a9b6d77`](https://github.com/npm/npm/commit/a9b6d775e61cf090df0e13514c624f99bf31d1e7) - `aproba@1.1.1` - ([@iarna](https://github.com/iarna)) - -### v4.2.0 (2017-01-26): - -Hi all! I'm Kat, and I'm currently sitting in a train traveling at ~300km/h -through Spain. So clearly, this release should have *something* to do with -speed. And it does! Heck, with this release, you could say we're really -_blazing_, even. 🌲🔥😏 - -#### IMPROVED CLI SEARCH~ - -You might recall if you've been keeping up that one of the reasons for a -semver-major bump to `npm@4` was an improved CLI search (read: no longer blowing -up Node). The work done for that new search system, while still relying on a -full metadata download and local search, was also meant to act as groundwork for -then-ongoing work on a brand-new, smarter search system for npm. Shortly after -`npm@4` came out, the bulk of the server-side work was done, and with this -release, the npm CLI has integrated use of the new endpoint for high-quality, -fast-turnaround searches. - -No, seriously, it's *fast*. And *relevant*: - -[![GOTTA GO FAST! This is a gif of the new npm search returning results in around a second for `npm search web framework`.](https://cloud.githubusercontent.com/assets/17535/21954136/f007e8be-d9fd-11e6-9231-f899c12790e0.gif)](https://github.com/npm/npm/pull/15481) - -Give it a shot! And remember to check out the new website version of the search, -too, which uses the same backend as the CLI now. 🎉 - -Incidentally, the backend is a public service, so you can write your own search -tools, be they web-based, CLI, or GUI-based. You can read up on the [full -documentation for the search -endpoint](https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#get-v1search), -and let us know about the cool things you come up with! - -* [`ce3ca51`](https://github.com/npm/npm/commit/ce3ca51ca2d60e15e901c8bf6256338e53e1eca2) - [#15481](https://github.com/npm/npm/pull/15481) - Add an internal `gunzip-maybe` utility for optional gunzipping. - ([@zkat](https://github.com/zkat)) -* [`e322932`](https://github.com/npm/npm/commit/e3229324d507fda10ea9e94fd4de8a4ae5025c75) [`a53055e`](https://github.com/npm/npm/commit/a53055e423f1fe168f05047aa0dfec6d963cb211) [`a1f4365`](https://github.com/npm/npm/commit/a1f436570730c6e4a173ca92d1967a87c29b7f2d) [`c56618c`](https://github.com/npm/npm/commit/c56618c62854ea61f6f716dffe7bcac80b5f4144) - [#15481](https://github.com/npm/npm/pull/15481) - Add support for using the new npm search endpoint for fast, quality search - results. Includes a fallback to "classic" search. - ([@zkat](https://github.com/zkat)) - -#### WHERE DID THE DEBUG LOGS GO - -This is another pretty significant change: Usually, when the npm process -crashed, you would get an `npm-debug.log` in your current working directory. -This debug log would get cleared out as soon as you ran npm again. This was a -bit annoying because 1) you would get a random file in your `git status` that -you might accidentally commit, and 2) if you hit a hard-to-reproduce bug and -instinctually tried again, you would no longer have access to the repro -`npm-debug.log`. - -So now, any time a crash happens, we'll save your debug logs to your cache -folder, under `_logs` (`~/.npm` on *nix, by default -- use `npm config get -cache` to see what your current value is). The cache will now hold a -(configurable) number of `npm-debug.log` files, which you can access in the -future. Hopefully this will help clean stuff up and reduce frustration from -missed repros! In the future, this will also be used by `npm report` to make it -super easy to put up issues about crashes you run into with npm. 💃🕺🏿👯‍♂️ - -* [`04fca22`](https://github.com/npm/npm/commit/04fca223a0f704b69340c5f81b26907238fad878) - [#11439](https://github.com/npm/npm/pull/11439) - Put debug logs in `$(npm get cache)/_logs` and store multiple log files. - ([@KenanY](https://github.com/KenanY)) - ([@othiym23](https://github.com/othiym23)) - ([@isaacs](https://github.com/isaacs)) - ([@iarna](https://github.com/iarna)) - -#### DOCS - -* [`ae8e71c`](https://github.com/npm/npm/commit/ae8e71c2b7d64d782af287a21e146d7cea6e5273) - [#15402](https://github.com/npm/npm/pull/15402) - Add missing backtick in one of the `npm doctor` messages. - ([@watilde](https://github.com/watilde), [@charlotteis](https://github.com/charlotteis)) -* [`821fee6`](https://github.com/npm/npm/commit/821fee6d0b12a324e035c397ae73904db97d07d2) - [#15480](https://github.com/npm/npm/pull/15480) - Clarify that unscoped packages can depend on scoped packages and vice-versa. - ([@chocolateboy](https://github.com/chocolateboy)) -* [`2ee45a8`](https://github.com/npm/npm/commit/2ee45a884137ae0706b7c741c671fef2cb3bac96) - [#15515](https://github.com/npm/npm/pull/15515) - Update minimum supported Node version number in the README to `node@>=4`. - ([@watilde](https://github.com/watilde)) -* [`af06aa9`](https://github.com/npm/npm/commit/af06aa9a357578a8fd58c575f3dbe55bc65fc376) - [#15520](https://github.com/npm/npm/pull/15520) - Add section to `npm-scope` docs to explain that scope owners will own scoped - packages with that scope. That is, user `@alice` is not allowed to publish to - `@bob/my-package` unless explicitly made an owner by user (or org) `@bob`. - ([@hzoo](https://github.com/hzoo)) -* [`bc892e6`](https://github.com/npm/npm/commit/bc892e6d07a4c6646480703641a4d71129c38b6d) - [#15539](https://github.com/npm/npm/pull/15539) - Replace `http` with `https` and fix typos in some docs. - ([@watilde](https://github.com/watilde)) -* [`1dfe875`](https://github.com/npm/npm/commit/1dfe875b9ac61a0ab9f61a2eab02bacf6cce583c) - [#15545](https://github.com/npm/npm/pull/15545) - Update Node.js download link to point to the right place. - ([@watilde](https://github.com/watilde)) - -#### DEPENDENCIES - - * [`b824bfb`](https://github.com/npm/npm/commit/b824bfbeb2d89c92762e9170b026af98b5a3668a) - `ansi-regex@2.1.1` - * [`81ea3e8`](https://github.com/npm/npm/commit/81ea3e8e4ea34cd9c2b418512dcb508abcee1380) - `mississippi@1.3.0` - -#### MISC - -* [`98df212`](https://github.com/npm/npm/commit/98df212a91fd6ff4a02b9cd247f4166f93d3977a) - [#15492](https://github.com/npm/npm/pull/15492) - Update the "master" node version used for AppVeyor to `node@7`. - ([@watilde](https://github.com/watilde)) -* [`d75fc03`](https://github.com/npm/npm/commit/d75fc03eda5364f12ac266fa4f66e31c2e44e864) - [#15413](https://github.com/npm/npm/pull/15413) - `npm run-script` now exits with the child process' exit code on exit. - ([@kapals](https://github.com/kapals)) - -### v4.1.2 (2017-01-12) - -We have a twee little release this week as we come back from the holidays. - -#### 0.12 IS UNSUPPORTED NOW (really) - -After [jumping the gun a -little](https://github.com/npm/npm/releases/tag/v4.0.2), we can now -officially remove 0.12 from our supported versions list. The Node.js -project has now officially ended even maintenance support for 0.12 and thus, -so will we. To reiterate from the last time we did this: - -What this means: - -* Your contributions will no longer block on the tests passing on 0.12. -* We will no longer block dependency upgrades on working with 0.12. -* Bugs filed on the npm CLI that are due to incompatibilities with 0.12 - (and older versions) will be closed with a strong urging to upgrade to a - supported version of Node. -* On the flip side, we'll continue to (happily!) accept patches that - address regressions seen when running the CLI with Node.js 0.12. - -What this doesn't mean: - -* The CLI is going to start depending on ES2015+ features. npm continues - to work, in almost all cases, all the way back to Node.js 0.8, and our - long history of backwards compatibility is a source of pride for the - team. -* We aren't concerned about the problems of users who, for whatever - reason, can't update to newer versions of npm. As mentioned above, we're - happy to take community patches intended to address regressions. - -We're not super interested in taking sides on what version of Node.js -you "should" be running. We're a workflow tool, and we understand that -you all have a diverse set of operational environments you need to be -able to support. At the same time, we _are_ a small team, and we need -to put some limits on what we support. Tracking what's supported by our -runtime's own team seems most practical, so that's what we're doing. - -* [`c7bbba8`](https://github.com/npm/npm/commit/c7bbba8744b62448103a1510c65d9751288abb5d) - Remove 0.12 from our supported versions list. - ([@iarna](https://github.com/iarna)) - -#### WRITING TO SYMLINKED `package.json` (AND OTHER FILES) - -If your `package.json`, `npm-shrinkwrap.json` or `.npmrc` were a symlink and -you used an `npm` command that modified one of these (eg `npm config set` or -`npm install --save`) then previously we would have removed your symlink and -replaced it with an ordinary file. While making these files symlinks is pretty -uncommon, this was still surprising behavior. With this fix we now overwrite -the _destination_ of the symlink and preserve the symlink itself. - -* [`a583983`](https://github.com/npm/npm/commit/a5839833d3de7072be06884b91902c093aff1aed) - [write-file-atomic/#5](https://github.com/npm/write-file-atomic/issues/5) - [#10223](https://github.com/npm/npm/10223) - `write-file-atomic@1.3.1`: - When the target is a symlink, write-file-atomic now overwrites the - _destination_ of the symlink, instead of replacing the symlink itself. This - makes it's behavior match `fs.writeFile`. - - Fixed a bug where it would ALWAYS fs.stat to look up default mode and chown - values even if you'd passed them in. (It still used the values you passed - in, but did a needless stat.) - ([@iarna](https://github.com/iarna)) - -#### DEPENDENCY UPDATES - -* [`521f230`](https://github.com/npm/npm/commit/521f230dd57261e64ac9613b3db62f5312971dca) - `node-gyp@3.5.0`: - Improvements to how Python is located. New `--devdir` flag. - ([@bnoordhuis](https://github.com/bnoordhuis)) - ([@mhart](https://github.com/mhart)) -* [`ccd83e8`](https://github.com/npm/npm/commit/ccd83e8a70d35fb0904f8a9adb2ff7ac8a6b2706) - `JSONStream@1.3.0`: - Add new emitPath option. - ([@nathanwills](https://github.com/nathanwills)) - -#### TEST IMPROVEMENTS - -* [`d76e084`](https://github.com/npm/npm/commit/d76e08463fd65705217624b861a1443811692f34) - Disable metric reporting for test suite even if the user has it enabled. - ([@iarna](https://github.com/iarna)) - -### v4.1.1 (2016-12-16) - -This fixes a bug in the metrics reporting where, if you had enabled it then -installs would create a metrics reporting process, that would create a -metrics reporting process, that would… well, you get the idea. The only -way to actually kill these processes is to turn off your networking, then -on MacOS/Linux kill them with `kill -9`. Alternatively you can just reboot. - -Anyway, this is a quick release to fix that bug: - -* [`51c393f`](https://github.com/npm/npm/commit/51c393feff5f4908c8a9fb02baef505b1f2259be) - [#15237](https://github.com/npm/npm/pull/15237) - Don't launch a metrics sender process if we're running from a metrics - sender process. - ([@iarna](https://github.com/iarna)) - -### v4.1.0 (2016-12-15) - -I'm really excited about `npm@4.1.0`. I know, I know, I'm kinda overexcited -in my changelogs, but this one is GREAT. We've got a WHOLE NEW subcommand, I -mean, when was the last time you saw that? YEARS! And we have the beginnings -of usage metrics reporting. Then there's a fix for a really subtle bug that -resulted in `shasum` errors. And then we also have a few more bug fixes and -other improvements. - -#### ANONYMOUS METRIC REPORTING - -We're adding the ability for you all to help us track the quality of your -experiences using `npm`. Metrics will be sent if you run: - -``` -npm config set send-metrics true -``` - -Then `npm` will report to `registry.npmjs.org` the number of successful and -failed installations you've had. The data contains no identifying -information and npm will not attempt to correlate things like IP address -with the metrics being submitted. - -Currently we only track number of successful and failed installations. In -the future we would like to find additional metrics to help us better -quantify the quality of the `npm` experience. - -* [`190a658`](https://github.com/npm/npm/commit/190a658c4222f6aa904cbc640fc394a5c875e4db) - [#15084](https://github.com/npm/npm/pull/15084) - Add facility for recording and reporting success metrics. - ([@iarna](https://github.com/iarna)) -* [`87afc8b`](https://github.com/npm/npm/commit/87afc8b466f553fb49746c932c259173de48d0a4) - [npm/npm-registry-client#147](https://github.com/npm/npm-registry-client/pull/148) - `npm-registry-client@7.4.5`: - Add support for sending anonymous CLI metrics. - ([@iarna](https://github.com/iarna), - [@sisidovski](https://github.com/sisidovski)) - -### NPM DOCTOR - -
-Check                               Value                        Recommendation
-npm ping                            ok
-npm -v                              v4.0.5
-node -v                             v4.6.1                       Use node v6.9.2
-npm config get registry             https://registry.npmjs.org/
-which git                           /Users/rebecca/bin/git
-Perms check on cached files         ok
-Perms check on global node_modules  ok
-Perms check on local node_modules   ok
-Checksum cached files               ok
-
- -It's a rare day that we add a new command to `npm`, so I'm excited to -present to you `npm doctor`. It checks for a number of common problems and -provides some recommended solutions. It was put together through the hard -work of [@watilde](https://github.com/watilde). - -* [`2359505`](https://github.com/npm/npm/commit/23595055669f76c9fe8f5f1cf4a705c2e794f0dc) - [`0209ee5`](https://github.com/npm/npm/commit/0209ee50448441695fbf9699019d34178b69ba73) - [#14582](https://github.com/npm/npm/pull/14582) - Add new `npm doctor` to give your project environment a health check. - ([@watilde](https://github.com/watilde)) - -#### FIX MAJOR SOURCE OF SHASUM ERRORS - -If you've been getting intermittent shasum errors then you'll be pleased to -know that we've tracked down at least one source of them, if not THE source -of them. - -* [`87afc8b`](https://github.com/npm/npm/commit/87afc8b466f553fb49746c932c259173de48d0a4) - [#14626](https://github.com/npm/npm/issues/14626) - [npm/npm-registry-client#148](https://github.com/npm/npm-registry-client/pull/148) - `npm-registry-client@7.4.5`: - Fix a bug where an `ECONNRESET` while fetching a package file would result - in a partial download that would be reported as a "shasum mismatch". It - now throws away the partial download and retries it. - ([@iarna](https://github.com/iarna)) - -#### FILE URLS AND NODE.JS 7 - -When `npm` was formatting `file` URLs we took advantage of `url.format` to -construct them. Node.js 7 changed the behavior in such a way that our use of -`url.format` stopped producing URLs that we could make use of. - -The reasons for this have to do with the `file` URL specification and how -invalid (according to the specification) URLs are handled. How this changed -is most easily explained with a table: - - - - - - - -
URLNode.js <= 6npm's understandingNode.js 7npm's understanding
VALIDfile:///abc/deffile:///abc/def/abc/deffile:///abc/def/abc/def
invalidfile:/abc/deffile:/abc/def/abc/deffile:///abc/def/abc/def
invalidfile:abc/deffile:abc/def$CWD/abc/deffile://abc/def/def on the abc host
invalidfile:../abc/deffile:../abc/def$CWD/../abc/deffile://../abc/def/abc/def on the .. host
- -So the result was that passing a `file` URL that npm had received that used -through Node.js 7's `url.format` changed its meaning as far as `npm` was -concerned. As those kinds of URLs are, per the specification, invalid, how -they should be handled is undefined and so the change in Node.js wasn't a -bug per se. - -Our solution is to stop using `url.format` when constructing this kind of -URL. - -* [`173935b`](https://github.com/npm/npm/commit/173935b4298e09c4fdcb8f3a44b06134d5aff181) - [#15114](https://github.com/npm/npm/issues/15114) - Stop using `url.format` for relative local dep paths. - ([@zkat](https://github.com/zkat)) - -#### EXTRANEOUS LIFECYCLE SCRIPT EXECUTION WHEN REMOVING - -* [`afb1dfd`](https://github.com/npm/npm/commit/afb1dfd944e57add25a05770c0d52d983dc4e96c) - [#15090](https://github.com/npm/npm/pull/15090) - Skip top level lifecycles when uninstalling. - ([@iarna](https://github.com/iarna)) - -#### REFACTORING AND INTERNALS - -* [`c9b279a`](https://github.com/npm/npm/commit/c9b279aca0fcb8d0e483e534c7f9a7250e2a9392) - [#15205](https://github.com/npm/npm/pull/15205) - [#15196](https://github.com/npm/npm/pull/15196) - Only have one function that determines which version of a package to use - given a specifier and a list of versions. - ([@iarna](https://github.com/iarna), - [@zkat](https://github.com/zkat)) - -* [`981ce63`](https://github.com/npm/npm/commit/981ce6395e7892dde2591b44e484e191f8625431) - [#15090](https://github.com/npm/npm/pull/15090) - Rewrite prune to use modern npm plumbing. - ([@iarna](https://github.com/iarna)) - -* [`bc4b739`](https://github.com/npm/npm/commit/bc4b73911f58a11b4a2d28b49e24b4dd7365f95b) - [#15089](https://github.com/npm/npm/pull/15089) - Rename functions and variables in the module that computes what changes to - make to your installation. - ([@iarna](https://github.com/iarna)) - -* [`2449f74`](https://github.com/npm/npm/commit/2449f74a202b3efdb1b2f5a83356a78ea9ecbe35) - [#15089](https://github.com/npm/npm/pull/15089) - When computing changes to make to your installation, use a function to add - new actions to take instead of just pushing on a list. - ([@iarna](https://github.com/iarna)) - -#### IMPROVED LOGGING - -* [`335933a`](https://github.com/npm/npm/commit/335933a05396258eead139d27eea3f7668ccdfab) - [#15089](https://github.com/npm/npm/pull/15089) - Log when we remove obsolete dependencies in the tree. - ([@iarna](https://github.com/iarna)) - -#### DOCUMENTATION - -* [`33ca4e6`](https://github.com/npm/npm/commit/33ca4e6db3c1878cbc40d5e862ab49bb0e82cfb2) - [#15157](https://github.com/npm/npm/pull/15157) - Update `npm cache` docs to use more consistent language - ([@JonahMoses](https://github.com/JonahMoses)) - -#### DEPENDENCY UPDATES - -* [`c2d22fa`](https://github.com/npm/npm/commit/c2d22faf916e8260136a1cc95913ca474421c0d3) - [#15215](https://github.com/npm/npm/pull/15215) - `nopt@4.0.1`: - The breaking change is a small tweak to how empty string values are - handled. See the brand-new - [CHANGELOG.md for nopt](https://github.com/npm/nopt/blob/v4.0.1/CHANGELOG.md) for further - details about what's changed in this release! - ([@adius](https://github.com/adius), - [@samjonester](https://github.com/samjonester), - [@elidoran](https://github.com/elidoran), - [@helio](https://github.com/helio), - [@silkentrance](https://github.com/silkentrance), - [@othiym23](https://github.com/othiym23)) -* [`54d949b`](https://github.com/npm/npm/commit/54d949b05adefffeb7b5b10229c5fe0ccb929ac3) - [npm/lockfile#24](https://github.com/npm/lockfile/pull/24) - `lockfile@1.0.3`: - Handled case where callback was not passed in by the user. - ([@ORESoftware](https://github.com/ORESoftware)) -* [`54acc03`](https://github.com/npm/npm/commit/54acc0389b39850c0725d0868cb5e61317b57503) - `npmlog@4.0.2`: - Documentation update. - ([@helio-frota](https://github.com/helio-frota)) -* [`57f4bc1`](https://github.com/npm/npm/commit/57f4bc1150322294c1ea0a287ad0a8e457c151e6) - `osenv@0.1.4`: - Test changes. - ([@isaacs](https://github.com/isaacs)) -* [`bea1a2d`](https://github.com/npm/npm/commit/bea1a2d0db566560e13ecc1d5f42e55811269c88) - `retry@0.10.1`: - No changes. - ([@tim-kos](https://github.com/tim-kos)) -* [`6749e39`](https://github.com/npm/npm/commit/6749e395f868109afd97f79d36507e6567dd48fb) - [kapouer/marked-man#9](https://github.com/kapouer/marked-man/pull/9) - `marked-man@0.2.0`: - Add table support. - ([@gholk](https://github.com/gholk)) - -### v4.0.5 (2016-12-01) - -It's that time of year! December is upon us, which means y'all are just going to -be doing a lot less, in general, for the next month or so. The "Xmas Chasm", as -we like to call it, has already begun. So for those of you reading it from the -other side: Hi! Welcome back! - -This week's release is a relatively small one, involving just a few bugfixes and -dependency upgrades. The CLI team has been busy recently with scoping out -`npm@5`, and starting to do initial spec work for in-scope stuff. - -#### BUGFIXES - -On to the actual changes! - -* [`9776d8f`](https://github.com/npm/npm/commit/9776d8f70a0ea8d921cbbcab7a54e52c15fc455f) - [#15081](https://github.com/npm/npm/pull/15081) - `bundledDependencies` are intended to be left untouched by the installer, as - much as possible -- if they're bundled, we assume that you want to be - particular about the contents of your bundle. - - The installer used to have a corner case where existing dependencies that had - bundledDependencies would get clobbered by as the installer moved stuff - around, even though the installer already avoided moving deps that were - themselves bundled. This is now fixed, along with the connected crasher, and - your bundledDeps should be left even more intact than before! - ([@iarna](https://github.com/iarna)) -* [`fc61c08`](https://github.com/npm/npm/commit/fc61c082122104031ccfb2a888432c9f809a0e8b) - [#15082](https://github.com/npm/npm/pull/15082) - Initialize nodes from bundled dependencies. This should address - [#14427](https://github.com/npm/npm/issues/14427) and related issues, but it's - turned out to be a tremendously difficult issue to reproduce in a test. We - decided to include it even pending tests, because we found the root cause of - the errors. - ([@iarna](https://github.com/iarna)) -* [`d8471a2`](https://github.com/npm/npm/commit/d8471a294ef848fc893f60e17d6ec6695b975d16) - [#12811](https://github.com/npm/npm/pull/12811) - Consider `devDependencies` when deciding whether to hoist a package. This - should resolve a variety of missing dependency issues some folks were seeing - when `devDependencies` happened to also be dependencies of your - `dependencies`. This often manifested as modules going missing, or only being - installed, after `npm install` was called twice. - ([@schmod](https://github.com/schmod)) - -#### DEPENDENCY UPDATES - -* [`5978703`](https://github.com/npm/npm/commit/5978703da8669adae464789b1b15ee71d7f8d55d) - `graceful-fs@4.1.11`: - `EPERM` errors are Windows are now handled more gracefully. Windows users that - tended to see these errors due to, say, an antivirus-induced race condition, - should see them much more rarely, if at all. - ([@zkatr](https://github.com/zkat)) -* [`85b0174`](https://github.com/npm/npm/commit/85b0174ba9842e8e89f3c33d009e4b4a9e877c7d) - `request@2.79.0` - ([@zkat](https://github.com/zkat)) -* [`9664d36`](https://github.com/npm/npm/commit/9664d36653503247737630440bc2ff657de965c3) - `tap@8.0.1` - ([@zkat](https://github.com/zkat)) - -#### MISCELLANEOUS - -* [`f0f7b0f`](https://github.com/npm/npm/commit/f0f7b0fd025daa2b69994130345e6e8fdaaa0304) - [#15083](https://github.com/npm/npm/pull/15083) - Removed dead code. - ([@iarna](https://github.com/iarna)) * [`bc32afe`](https://github.com/npm/npm/commit/bc32afe4d12e3760fb5a26466dc9c26a5a2981d5) [`c8a22fe`](https://github.com/npm/npm/commit/c8a22fe5320550e09c978abe560b62ce732686f4) [`db2666d`](https://github.com/npm/npm/commit/db2666d8c078fc69d0c02c6a3de9b31be1e995e9) - [#15085](https://github.com/npm/npm/pull/15085) - Change some network tests so they can run offline. - ([@iarna](https://github.com/iarna)) -* [`744a39b`](https://github.com/npm/npm/commit/744a39b836821b388ad8c848bd898c1d006689a9) - [#15085](https://github.com/npm/npm/pull/15085) - Make Node.js tests compatible with Windows. - ([@iarna](https://github.com/iarna)) - -### v4.0.3 (2016-11-17) - -Hey you all, we've got a couple of bug fixes for you, a slew of -documentation improvements and some improvements to our CI environment. I -know we just got v4 out the door, but the CLI team is already busy planning -v5. We'll have more for you in early December. - -#### BUG FIXES - -* [`45d40d9`](https://github.com/npm/npm/commit/45d40d96d2cd145f1e36702d6ade8cd033f7f332) - [`ba2adc2`](https://github.com/npm/npm/commit/ba2adc2e822d5e75021c12f13e3f74ea2edbde32) - [`1dc8908`](https://github.com/npm/npm/commit/1dc890807bd78a1794063688af31287ed25a2f06) - [`2ba19ee`](https://github.com/npm/npm/commit/2ba19ee643d612d103cdd8f288d313b00d05ee87) - [#14403](https://github.com/npm/npm/pull/14403) - Fix a bug where a scoped module could produce crashes when incorrectly - computing the paths related to their location. This patch reorganizes how path information - is passed in to eliminate the possibility of this sort of bug. - ([@iarna](https://github.com/iarna)) - ([@NatalieWolfe](https://github.com/NatalieWolfe)) -* [`1011ec6`](https://github.com/npm/npm/commit/1011ec61230288c827a1c256735c55cf03d6228f) - [npm/npmlog#46](https://github.com/npm/npmlog/pull/46) - `npmlog@4.0.1`: Fix a bug where the progress bar would still display even if - you passed in `--no-progress`. - ([@iarna](https://github.com/iarna)) - -#### DOCUMENTATION UPDATES - -* [`c3ac177`](https://github.com/npm/npm/commit/c3ac177236124c80524c5f252ba8f6670f05dcd8) - [#14406](https://github.com/npm/npm/pull/14406) - Sync up the dispute policy included with the CLI with the [current official text](https://www.npmjs.com/policies/disputes). - ([@mike-engel](https://github.com/mike-engel)) -* [`9c663b2`](https://github.com/npm/npm/commit/9c663b2dd8552f892dc0205330bbc73a484ecd81) - [#14627](https://github.com/npm/npm/pull/14627) - Update build status branch in README. - ([@cameronroe](https://github.com/cameronroe)) -* [`8a8a0a3`](https://github.com/npm/npm/commit/8a8a0a3d490fc767def208f925cdff57e16e565b) - [#14609](https://github.com/npm/npm/pull/14609) - Update examples URLs of GitHub repos where those repos have moved to new URLs. - ([@dougwilson](https://github.com/dougwilson)) -* [`7a6425b`](https://github.com/npm/npm/commit/7a6425bcd4decde5d4b0af8b507e98723a07c680) - [#14472](https://github.com/npm/npm/pull/14472) - Document `sign-git-tag` in - [npm-version(1)](https://github.com/npm/npm/blob/release-next/doc/cli/npm-version.md)'s - configuration section. - ([@strugee](https://github.com/strugee)) -* [`f3087cc`](https://github.com/npm/npm/commit/f3087cc58c903d9a70275be805ebaf0eadbcbe1b) - [#14546](https://github.com/npm/npm/pull/14546) - Add a note about the dangers of configuring npm via uppercase env vars. - ([@tuhoojabotti](https://github.com/tuhoojabotti)) -* [`50e51b0`](https://github.com/npm/npm/commit/50e51b04a143959048cf9e1e4c8fe15094f480b0) - [#14559](https://github.com/npm/npm/pull/14559) - Remove documentation that incorrectly stated that we check `.npmrc` permissions. - ([@iarna](https://github.com/iarna)) - -##### OH UH, HELLO AGAIN NODE.JS 0.12 - -* [`6f0c353`](https://github.com/npm/npm/commit/6f0c353e4e89b0378a4c88c829ccf9a1c5ae829d) - [`f78bde6`](https://github.com/npm/npm/commit/f78bde6983bdca63d5fcb9c220c87e8f75ffb70e) - [#14591](https://github.com/npm/npm/pull/14591) - Reintroduce Node.js 0.12 to our support matrix. We jumped the gun when - removing it. We won't drop support for it till the Node.js project does - so at the end of December 2016. - ([@othiym23](https://github.com/othiym23)) - -#### TEST/CI UPDATES - -* [`aa73d1c`](https://github.com/npm/npm/commit/aa73d1c1cc22608f95382a35b33da252addff38e) - [`c914e80`](https://github.com/npm/npm/commit/c914e80f5abcb16c572fe756c89cf0bcef4ff991) -* [`58fe064`](https://github.com/npm/npm/commit/58fe064dcc80bc08c677647832f2adb4a56b538a) - [#14602](https://github.com/npm/npm/pull/14602) - When running tests with coverage, use nyc's cache. This provides an 8x speedup! - ([@bcoe](https://github.com/bcoe)) -* [`ba091ce`](https://github.com/npm/npm/commit/ba091ce843af5d694f4540e825b095435b3558d8) - [#14435](https://github.com/npm/npm/pull/14435) - Remove an unused zero byte `package.json` found in the test fixtures. - ([@baderbuddy](https://github.com/baderbuddy)) - -#### DEPENDENCY UPDATES - -* [`442e01e`](https://github.com/npm/npm/commit/442e01e42d8a439809f6726032e3b73ac0d2b2f8) - `readable-stream@2.2.2`: - Bring in latest changes from Node.js 7.x. - ([@calvinmetcalf](https://github.com/calvinmetcalf)) -* [`bfc4a1c`](https://github.com/npm/npm/commit/bfc4a1c0c17ef0a00dfaa09beba3389598a46535) - `which@1.2.12`: - Remove unused require. - ([@isaacs](https://github.com/isaacs)) - -#### DEV DEPENDENCY UPDATES - -* [`7075b05`](https://github.com/npm/npm/commit/7075b054d8d2452bb53bee9b170498a48a0dc4e9) - `marked-man@0.1.6` - ([@kapouer](https://github.com/kapouer)) -* [`3e13fea`](https://github.com/npm/npm/commit/3e13fea907ee1141506a6de7d26cbc91c28fdb80) - `tap@8.0.0` - ([@isaacs](https://github.com/isaacs)) - -### v4.0.2 (2016-11-03) - -Hola, amigxs. I know it's been a long time since I rapped at ya, but I -been spending a lotta time quietly reflecting on all the things going on -in my life. I was, like, [in Japan for a while](https://gist.github.com/othiym23/c98bd4ef5d9fb3f496835bd481ef40ae), -and before that my swell colleagues [@zkat](https://github.com/zkat) and -[@iarna](https://github.com/iarna) have been very capably managing the release -process for quite a while. But I returned from Japan somewhat refreshed, very -jetlagged, and filled with a burning urge to get `npm@4` as stable as possible -before we push it out to the user community at large, so I decided to do this -release myself. (Also, huge thanks to Kat and Rebecca for putting out `npm@4` -so capably while I was on vacation! So cool to return to a major release having -gone so well without my involvement!) - -That said... - -#### NEVER TRUST AN X.0.0 RELEASE - -Even though 4.0.1 came out hard on the heels of 4.0.0 with a couple -critical fixes, we've found a couple other major issues that we want to -see fixed before making `npm@4` into `npm@latest`. Some of these are -arguably breaking changes on their own, so now is the time to get them -out if we're going to do so before `npm@5`, and all of them are pretty -significant blockers for a substantial number of users, so now is the -best time to fix them. - -##### PREPUBLISHONLY WHOOPS - -The code running the `publish*` lifecycle events was very confusingly written. -In fact, we didn't really figure out what it was doing until we added the new -`prepublishOnly` event and it was running people's scripts from the wrong -directory. We made it simpler. See the [commit -message](https://github.com/npm/npm/commit/8b32d67aa277fd7e62edbed886387a855f58387f) -for details. - -Because the change is no longer running publish events when publishing prebuilt -artifacts, it's technically a breaking / semver-major change. In the off chance -that the new behavior breaks any of y'all's workflows, let us know, and we can -roll some or all of this change back until `npm@5` (or forever, if that works -better for you). - -* [`8b32d67`](https://github.com/npm/npm/commit/8b32d67aa277fd7e62edbed886387a855f58387f) - [#14502](https://github.com/npm/npm/pull/14502) - Simplify lifecycle invocation and fix `prepublishOnly`. - ([@othiym23](https://github.com/othiym23)) - -##### G'BYE NODE.JS 0.10, 0.12, and 5.X; HI THERE, NODE 7 - -With the advent of the second official Node.js LTS release, Node 6.x -'Boron', the Node.js project has now officially dropped versions 0.10 -and 0.12 out of the maintenance phase of LTS. (Also, Node 5 was never -part of LTS, and will see no further support now that Node 7 has been -released.) As a small team with limited resources, the npm CLI team is -following suit and dropping those versions of Node from its CI test -matrix. - -What this means: - -* Your contributions will no longer block on the tests passing on 0.10 and 0.12. -* We will no longer block dependency upgrades on working with 0.10 and 0.12. -* Bugs filed on the npm CLI that are due to incompatibilities with 0.10 - or 0.12 (and older versions) will be closed with a strong urging to - upgrade to a supported version of Node. -* On the flip side, we'll continue to (happily!) accept patches that - address regressions seen when running the CLI with Node.js 0.10 and - 0.12. - -What this doesn't mean: - -* The CLI is going to start depending on ES2015+ features. npm continues - to work, in almost all cases, all the way back to Node.js 0.8, and our - long history of backwards compatibility is a source of pride for the - team. -* We aren't concerned about the problems of users who, for whatever - reason, can't update to newer versions of npm. As mentioned above, we're - happy to take community patches intended to address regressions. - -We're not super interested in taking sides on what version of Node.js -you "should" be running. We're a workflow tool, and we understand that -you all have a diverse set of operational environments you need to be -able to support. At the same time, we _are_ a small team, and we need -to put some limits on what we support. Tracking what's supported by our -runtime's own team seems most practical, so that's what we're doing. - -* [`ab630c9`](https://github.com/npm/npm/commit/ab630c9a7a1b40cdd4f1244be976c25ab1525907) - [#14503](https://github.com/npm/npm/pull/14503) - Node 6 is LTS; 5.x, 0.10, and 0.12 are unsupported. - ([@othiym23](https://github.com/othiym23)) -* [`731ae52`](https://github.com/npm/npm/commit/731ae526fb6e9951c43d82a26ccd357b63cc56c2) - [#14503](https://github.com/npm/npm/pull/14503) - Update supported version expression. - ([@othiym23](https://github.com/othiym23)) - -##### DISENTANGLING SCOPE - -The new `Npm-Scope` header was previously reusing the `scope` -configuration option to pass the current scope back to your current -registry (which, as [described -previously](https://github.com/npm/npm/blob/release-next/CHANGELOG.md#send-extra-headers-to-registry), is meant to set up some upcoming -registry features). It turns out that had some [seriously weird -consequences](https://github.com/npm/npm/issues/14412) in the case where -you were already configuring `scope` in your own environment. The CLI -now uses separate configuration for this. - -* [`39358f7`](https://github.com/npm/npm/commit/39358f732ded4aa46d86d593393a0d6bca5dc12a) - [#14477](https://github.com/npm/npm/pull/14477) - Differentiate registry scope from project scope in configuration. - ([@zkat](https://github.com/zkat)) - -#### SMALLER CHANGES - -* [`7f41295`](https://github.com/npm/npm/commit/7f41295775f28b958a926f9cb371cb37b05771dd) - [#14519](https://github.com/npm/npm/pull/14519) - Document that as of `npm@4.0.1`, `npm shrinkwrap` now includes `devDependencies` unless - instructed otherwise. - ([@iarna](https://github.com/iarna)) -* [`bdc2f9e`](https://github.com/npm/npm/commit/bdc2f9e255ddf1a47fd13ec8749d17ed41638b2c) - [#14501](https://github.com/npm/npm/pull/14501) - The `ENOSELF` error message is tricky to word. It's also an error that - normally bites new users. Clean it up in an effort to make it easier - to understand what's going on. - ([@snopeks](https://github.com/snopeks), [@zkat](https://github.com/zkat)) - -#### DEPENDENCY UPGRADES - -* [`a52d0f0`](https://github.com/npm/npm/commit/a52d0f0c9cf2de5caef77e12eabd7dca9e89b49c) - `glob@7.1.1`: - - Handle files without associated perms on Windows. - - Fix failing case with `absolute` option. - ([@isaacs](https://github.com/isaacs), [@phated](https://github.com/phated)) -* [`afda66d`](https://github.com/npm/npm/commit/afda66d9afcdcbae1d148f589287583c4182d124) - [isaacs/node-graceful-fs#97](https://github.com/isaacs/node-graceful-fs/pull/97) - `graceful-fs@4.1.10`: Better backoff for EPERM on Windows. - ([@sam-github](https://github.com/sam-github)) -* [`e0023c0`](https://github.com/npm/npm/commit/e0023c089ded9161fbcbe544f12b07e12e3e5729) - [npm/inflight#3](https://github.com/npm/inflight/pull/3) - `inflight@1.0.6`: Clean up even if / when a callback throws. - ([@phated](https://github.com/phated)) -* [`1d91594`](https://github.com/npm/npm/commit/1d9159440364d2fe21e8bc15e08e284aaa118347) - `request@2.78.0` - ([@othiym23](https://github.com/othiym23)) - -### v4.0.1 (2016-10-24) - -Ayyyy~ 🌊 - -So thanks to folks who were running on `npm@next`, we managed to find a few -issues of notes in that preview version, and we're rolling out a small patch -change to fix them. Most notably, anyone who was using a symlinked `node` binary -(for example, if they installed Node.js through `homebrew`), was getting a very -loud warning every time they ran scripts. Y'all should get warnings in a more -useful way, now that we're resolving those path symlinks. - -Another fairly big change that we decided to slap into this version, since -`npm@4.0.0` is never going to be `latest`, is to make it so `devDependencies` -are included in `npm-shrinkwrap.json` by default -- if you do not want this, use -`--production` with `npm shrinkwrap`. - -#### BIG FIXES/CHANGES - -* [`eff46dd`](https://github.com/npm/npm/commit/eff46dd498ed007bfa77ab7782040a3a828b852d) - [#14374](https://github.com/npm/npm/pull/14374) - Fully resolve the path for `node` executables in both `$PATH` and - `process.execPath` to avoid issues with symlinked `node`. - ([@addaleax](https://github.com/addaleax)) -* [`964f2d3`](https://github.com/npm/npm/commit/964f2d3a0675584267e6ece95b0115a53c6ca6a9) - [#14375](https://github.com/npm/npm/pull/14375) - Make including `devDependencies` in `npm-shrinkwrap.json` the default. This - should help make the transition to `npm@5` smoother in the future. - ([@iarna](https://github.com/iarna)) - -#### BUGFIXES - -* [`a5b0a8d`](https://github.com/npm/npm/commit/a5b0a8db561916086fc7dbd6eb2836c952a42a7e) - [#14400](https://github.com/npm/npm/pull/14400) - Recently, we've had some consistent timeout failures while running the test - suite under Travis. This tweak to tests should take care of those issues and - Travis should go back to being reliably green. - ([@iarna](https://github.com/iarna)) - -#### DOC PATCHES - -* [`c5907b2`](https://github.com/npm/npm/commit/c5907b2fc1a82ec919afe3b370ecd34d8895c7a2) - [#14251](https://github.com/npm/npm/pull/14251) - Update links to Node.js downloads. They previously pointed to 404 pages.😬 - ([@ArtskydJ](https://github.com/ArtskydJ)) -* [`0c122f2`](https://github.com/npm/npm/commit/0c122f24ff1d4d400975edda2b7262aaaf6f7d69) - [#14380](https://github.com/npm/npm/pull/14380) - Add note and clarification on when `prepare` script is run. Make it more - consistent with surrounding descriptions. - ([@SimenB](https://github.com/SimenB)) -* [`51a62ab`](https://github.com/npm/npm/commit/51a62abd88324ba3dad18e18ca5e741f1d60883c) - [#14359](https://github.com/npm/npm/pull/14359) - Fixes typo in `npm@4` changelog. - ([@kimroen](https://github.com/kimroen)) - -### v4.0.0 (2016-10-20) - -Welcome to `npm@4`, friends! - -This is our first semver major release since the release of `npm@3` just over a -year ago. Back then, `@3` turned out to be a bit of a ground-shaking release, -with a brand-new installer with significant structural changes to how npm set up -your tree. This is the end of an era, in a way. `npm@4` also marks the release -when we move *both* `npm@2` and `npm@3` into maintenance: We will no longer be -updating those release branches with anything except critical bugfixes and -security patches. - -While its predecessor had some pretty serious impaact, `npm@4` is expected to -have a much smaller effect on your day-to-day use of npm. Over the past year, -we've collected a handful of breaking changes that we wanted to get in which are -only breaking under a strict semver interpretation (which we follow). Some of -these are simple usability improvements, while others fix crashes and serious -issues that required a major release to include. - -We hope this release sees you well, and you can look forward to an accelerated -release pace now that the CLI team is done focusing on sustaining work -- our -Windows fixing and big bugs pushes -- and we can start focusing again on -usability, features, and performance. Keep an eye out for `npm@5` in Q1 2017, -too: We're planning a major overhaul of `shrinkwrap` as well as various speed -and usability fixes for that release. It's gonna be a fun ride. I promise. 😘 - -#### BRIEF OVERVIEW OF **BREAKING** CHANGES - -The following breaking changes are included in this release: - -* `npm search` rewritten to stream results, and no longer supports sorting. -* `npm scripts` no longer prepend the path of the node executable used to run - npm before running scripts. A `--scripts-prepend-node-path` option has been - added to configure this behavior. -* `npat` has been removed. -* `prepublish` has been deprecated, replaced by `prepare`. A `prepublishOnly` - script has been temporarily added, which will *only* run on `npm publish`. -* `npm outdated` exits with exit code `1` if it finds any outdated packages. -* `npm tag` has been removed after a deprecation cycle. Use `npm dist-tag`. -* Partial shrinkwraps are no longer supported. `npm-shrinkwrap.json` is - considered a complete installation manifest except for `devDependencies`. -* npm's default git branch is no longer `master`. We'll be using `latest` from - now on. - -#### SEARCH REWRITE (**BREAKING**) - -Let's face it -- `npm search` simply doesn't work anymore. Apart from the fact -that it grew slower over the years, it's reached a point where we can no longer -fit the entire registry metadata in memory, and anyone who tries to use the -command now sees a really awful memory overflow crash from node. - -It's still going to be some time before the CLI, registry, and web team are able -to overhaul `npm search` altogether, but until then, we've rewritten the -previous `npm search` implementation to *stream* results on the fly, from both -the search endpoint and a local cache. In absolute terms, you won't see a -performance increase and this patch *does* come at the cost of sorting -capabilities, but what it does do is start outputting results as it finds them. -This should make the experience much better, overall, and we believe this is an -acceptable band-aid until we have that search endpoint in place. - -Incidentally, if you want a really nice search experience, we recommend checking -out [npms.io](http://npms.io), which includes a handy-dandy -[`npms-cli`](https://npm.im/npms-cli) for command-line usage -- it's an npm -search site that returns high-quality results quickly and is operated by members -of the npm community. - -* [`cfd43b4`](https://github.com/npm/npm/commit/cfd43b49aed36d0e8ea6c35b07ed8b303b69be61) [`2b8057b`](https://github.com/npm/npm/commit/2b8057be2e1b51e97b1f8f38d7f58edf3ce2c145) - [#13746](https://github.com/npm/npm/pull/13746) - Stream search process end-to-end. - ([@zkat](https://github.com/zkat) and [@aredridel](https://github.com/aredridel)) -* [`50f4ec8`](https://github.com/npm/npm/commit/50f4ec8e8ce642aa6a58cb046b2b770ccf0029db) [`70b4bc2`](https://github.com/npm/npm/commit/70b4bc22ec8e81cd33b9448f5b45afd1a50d50ba) [`8fb470f`](https://github.com/npm/npm/commit/8fb470fe755c4ad3295cb75d7b4266f8e67f8d38) [`ac3a6e0`](https://github.com/npm/npm/commit/ac3a6e0eba61fb40099b1370c74ad1598777def4) [`bad54dd`](https://github.com/npm/npm/commit/bad54dd9f1119fe900a8d065f8537c6f1968b589) [`87d504e`](https://github.com/npm/npm/commit/87d504e0a61bccf09f5e975007d018de3a1c5f50) - [#13746](https://github.com/npm/npm/pull/13746) - Updated search-related tests. - ([@zkat](https://github.com/zkat)) -* [`3596de8`](https://github.com/npm/npm/commit/3596de88598c69eb5bae108703c8e74ca198b20c) - [#13746](https://github.com/npm/npm/pull/13746) - `JSONStream@1.2.1` - ([@zkat](https://github.com/zkat)) -* [`4b09209`](https://github.com/npm/npm/commit/4b09209bb605f547243065032a8b37772669745f) - [#13746](https://github.com/npm/npm/pull/13746) - `mississippi@1.2.0` - ([@zkat](https://github.com/zkat)) -* [`b650b39`](https://github.com/npm/npm/commit/b650b39d42654abb9eed1c7cd463b1c595ca2ef9) - [#13746](https://github.com/npm/npm/pull/13746) - `sorted-union-stream@2.1.3` - ([@zkat](https://github.com/zkat)) - -#### SCRIPT NODE PATH (**BREAKING**) - -Thanks to some great work by [@addaleax](https://github.com/addaleax), we've -addressed a fairly tricky issue involving the node process used by `npm -scripts`. - -Previously, npm would prefix the path of the node executable to the script's -`PATH`. This had the benefit of making sure that the node process would be the -same for both npm and `scripts` unless you had something like -[`node-bin`](https://npm.im/node-bin) in your `node_modules`. And it turns out -lots of people relied on this behavior being this way! - -It turns out that this had some unintended consequences: it broke systems like -[`nyc`](https://npm.im/nyc), but also completely broke/defeated things like -[`rvm`](https://rvm.io/) and -[`virtualenv`](https://virtualenv.pypa.io/en/stable/) by often causing things -that relied on them to fall back to the global system versions of ruby and -python. - -In the face of two perfectly valid, and used alternatives, we decided that the -second case was much more surprising for users, and that we should err on the -side of doing what those users expect. Anna put some hard work in and managed to -put together a patch that changes npm's behavior such that we no longer prepend -the node executable's path *by default*, and adds a new option, -`--scripts-prepend-node-path`, to allow users who rely on this behavior to have -it add the node path for them. - -This patch also makes it so this feature is discoverable by people who might run -into the first case above, by warning if the node executable is either missing -or shadowed by another one in `PATH`. This warning can also be disabled with the -`--scripts-prepend-node-path` option as needed. - -* [`3fb1eb3`](https://github.com/npm/npm/commit/3fb1eb3e00b5daf37f14e437d2818e9b65a43392) [`6a7d375`](https://github.com/npm/npm/commit/6a7d375d779ba5416fd5df154c6da673dd745d9d) [`378ae08`](https://github.com/npm/npm/commit/378ae08851882d6d2bc9b631b16b8c875d0b9704) - [#13409](https://github.com/npm/npm/pull/13409) - Add a `--scripts-prepend-node-path` option to configure whether npm prepends - the current node executable's path to `PATH`. - ([@addaleax](https://github.com/addaleax)) -* [`70b352c`](https://github.com/npm/npm/commit/70b352c6db41533b9a4bfaa9d91f7a2a1178f74e) - [#13409](https://github.com/npm/npm/pull/13409) - Change the default behaviour of npm to never prepending the current node - executable’s directory to `PATH` but printing a warning in the cases in which - it previously did. - ([@addaleax](https://github.com/addaleax)) - -#### REMOVE `npat` (**BREAKING**) - -Let's be real here -- almost no one knows this feature ever existed, and it's a -vestigial feature of the days when the ideal for npm was to distribute full -packages that could be directly developed on, even from the registry. - -It turns out the npm community decided to go a different way: primarily -publishing packages in a production-ready format, with no tests, build tools, -etc. And so, we say goodbye to `npat`. - -* [`e16c14a`](https://github.com/npm/npm/commit/e16c14afb6f52cb8b7adf60b2b26427f76773f2e) - [#14329](https://github.com/npm/npm/pull/14329) - Remove the npat feature. - ([@iarna](https://github.com/iarna)) - -#### NEW `prepare` SCRIPT. `prepublish` DEPRECATED (**BREAKING**) - -If there's anything that really seemed to confuse users, it's that the -`prepublish` script ran when invoking `npm install` without any arguments. - -Turns out many, many people really expected that it would only run on `npm -publish`, even if it actually did what most people expected: prepare the package -for publishing on the registry. +* `--parseable` and `--json` now work more consistently across various commands, particularly `install` and `ls`. -And so, we've added a `prepare` command that runs in the exact same cases where -`prepublish` ran, and we've begun a deprecation cycle for `prepublish` itself -**only when run by `npm install`**, which will now include a warning any time -you use it that way. +* Indentation is now [detected and preserved](https://twitter.com/maybekatz/status/860690502932340737) for `package.json`, `package-lock.json`, and `npm-shrinkwrap.json`. If the package lock is missing, it will default to `package.json`'s current indentation. -We've also added a `prepublishOnly` script which will execute **only** when `npm -publish` is invoked. Eventually, `prepublish` will stop executing on `npm -install`, and `prepublishOnly` will be removed, leaving `prepare` and -`prepublish` as two distinct lifecycles. +#### Publishing -* [`9b4a227`](https://github.com/npm/npm/commit/9b4a2278cee0a410a107c8ea4d11614731e0a943) [`bc32078`](https://github.com/npm/npm/commit/bc32078fa798acef0e036414cb448645f135b570) - [#14290](https://github.com/npm/npm/pull/14290) - Add `prepare` and `prepublishOnly` lifecyle events. - ([@othiym23](https://github.com/othiym23)) -* [`52fdefd`](https://github.com/npm/npm/commit/52fdefddb48f0c39c6e8eb4c118eb306c9436117) - [#14290](https://github.com/npm/npm/pull/14290) - Warn when running `prepublish` on `npm pack`. - ([@othiym23](https://github.com/othiym23)) -* [`4c2a948`](https://github.com/npm/npm/commit/4c2a9481b564cae3df3f4643766db4b987018a7b) [`a55bd65`](https://github.com/npm/npm/commit/a55bd651284552b93f7d972a2e944f65c1aa6c35) - [#14290](https://github.com/npm/npm/pull/14290) - Added `prepublish` warnings to `npm install`. - ([@zkat](https://github.com/zkat)) -* [`c27412b`](https://github.com/npm/npm/commit/c27412bb9fc7b09f7707c7d9ad23128959ae1abc) - [#14290](https://github.com/npm/npm/pull/14290) - Replace `prepublish` with `prepare` in `npm help package.json` documentation. - ([@zkat](https://github.com/zkat)) +* New [publishes will now include *both* `sha512`](https://twitter.com/maybekatz/status/863201943082065920) and `sha1` checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. [npm/npm-registry-client#157](https://github.com/npm/npm-registry-client/pull/157) -#### NO MORE PARTIAL SHRINKWRAPS (**BREAKING**) +#### Cache Rewrite! -That's right. No more partial shrinkwraps. That means that if you have an -`npm-shrinkwrap.json` in your project, npm will no longer install anything that -isn't explicitly listed there, unless it's a `devDependency`. This will open -doors to some nice optimizations and make use of `npm shrinkwrap` just generally -smoother by removing some awful corner cases. We will also skip `devDependency` -installation from `package.json` if you added `devDependencies` to your -shrinkwrap by using `npm shrinkwrap --dev`. +We've been talking about rewriting the cache for a loooong time. So here it is. +Lots of exciting stuff ahead. The rewrite will also enable some exciting future +features, but we'll talk about those when they're actually in the works. #15666 +is the main PR for all these changes. Additional PRs/commits are linked inline. -* [`b7dfae8`](https://github.com/npm/npm/commit/b7dfae8fd4dc0456605f7a921d20a829afd50864) - [#14327](https://github.com/npm/npm/pull/14327) - Use `readShrinkwrap` to read top level shrinkwrap. There's no reason for npm - to be doing its own bespoke heirloom-grade artisanal thing here. - ([@iarna](https://github.com/iarna)) -* [`0ae1f4b`](https://github.com/npm/npm/commit/0ae1f4b9d83af2d093974beb33f26d77fcc95bb9) [`4a54997`](https://github.com/npm/npm/commit/4a549970dc818d78b6de97728af08a1edb5ae7f0) [`f22a1ae`](https://github.com/npm/npm/commit/f22a1ae54b5d47f1a056a6e70868013ebaf66b79) [`3f61189`](https://github.com/npm/npm/commit/3f61189cb3843fee9f54288fefa95ade9cace066) - [#14327](https://github.com/npm/npm/pull/14327) - Treat shrinkwrap as canonical. That is, don't try to fill in for partial - shrinkwraps. Partial shrinkwraps should produce partial installs. If your - shrinkwrap contains NO `devDependencies` then we'll still try to install them - from your `package.json` instead of assuming you NEVER want `devDependencies`. - ([@iarna](https://github.com/iarna)) +* Package metadata, package download, and caching infrastructure replaced. -#### `npm tag` REMOVED (**BREAKING**) +* It's a bit faster. [Hopefully it will be noticeable](https://twitter.com/maybekatz/status/865393382260056064). 🤔 -* [`94255da`](https://github.com/npm/npm/commit/94255da8ffc2d9ed6a0434001a643c1ad82fa483) - [#14328](https://github.com/npm/npm/pull/14328) - Remove deprecated tag command. Folks must use the `dist-tag` command from now - on. - ([@iarna](https://github.com/iarna)) +* With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it). -#### NON-ZERO EXIT CODE ON OUTDATED DEPENDENCIES (**BREAKING**) +* Corrupted cache entries will [automatically be removed and re-fetched](https://twitter.com/maybekatz/status/854933138182557696) on integrity check failure. -* [`40a04d8`](https://github.com/npm/npm/commit/40a04d888d10a5952d5ca4080f2f5d2339d2038a) [`e2fa18d`](https://github.com/npm/npm/commit/e2fa18d9f7904eb048db7280b40787cb2cdf87b3) [`3ee3948`](https://github.com/npm/npm/commit/3ee39488b74c7d35fbb5c14295e33b5a77578104) [`3fa25d0`](https://github.com/npm/npm/commit/3fa25d02a8ff07c42c595f84ae4821bc9ee908df) - [#14013](https://github.com/npm/npm/pull/14013) - Do `exit 1` if any outdated dependencies are found by `npm outdated`. - ([@watilde](https://github.com/watilde)) -* [`c81838a`](https://github.com/npm/npm/commit/c81838ae96b253f4b1ac66af619317a3a9da418e) - [#14013](https://github.com/npm/npm/pull/14013) - Log non-zero exit codes at `verbose` level -- this isn't something command - line tools tend to do. It's generally the shell's job to display, if at all. - ([@zkat](https://github.com/zkat)) +* npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will [use `sha512` for tarballs from registries that send a `sha512` checksum as the tarball hash](https://twitter.com/maybekatz/status/858137093624573953). Publishing with `sha512` is added by [npm/npm-registry-client#157](https://github.com/npm/npm-registry-client/pull/157) and may be backfilled by the registry for older entries. -#### SEND EXTRA HEADERS TO REGISTRY +* Remote tarball requests are now cached. This means that even if you're missing the `integrity` field in your shrinkwrap or package-lock, npm will be able to install from the cache. -For the purposes of supporting shiny new registry features, we've started -sending `Npm-Scope` and `Npm-In-CI` headers in outgoing requests. +* Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations). -* [`846f61c`](https://github.com/npm/npm/commit/846f61c1dd4a033f77aa736ab01c27ae6724fe1c) - [npm/npm-registry-client#145](https://github.com/npm/npm-registry-client/pull/145) - [npm/npm-registry-client#147](https://github.com/npm/npm-registry-client/pull/147) - `npm-registry-client@7.3.0`: - * Allow npm to add headers to outgoing requests. - * Add `Npm-In-CI` header that reports whether we're running in CI. - ([@iarna](https://github.com/iarna)) -* [`6b6bb08`](https://github.com/npm/npm/commit/6b6bb08af661221224a81df8adb0b72019ca3e11) - [#14129](https://github.com/npm/npm/pull/14129) - Send `Npm-Scope` header along with requests to registry. `Npm-Scope` is set to - the `@scope` of the current top level project. This will allow registries to - implement user/scope-aware features and services. - ([@iarna](https://github.com/iarna)) -* [`506de80`](https://github.com/npm/npm/commit/506de80dc0a0576ec2aab0ed8dc3eef3c1dabc23) - [#14129](https://github.com/npm/npm/pull/14129) - Add test to ensure `Npm-In-CI` header is being sent when CI is set in env. - ([@iarna](https://github.com/iarna)) +* [Automatic fallback-to-offline mode](https://twitter.com/maybekatz/status/854176565587984384). npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable). -#### BUGFIXES +* A new `--prefer-offline` option will make npm skip any conditional requests (304 checks) for stale cache data, and *only* hit the network if something is missing from the cache. -* [`bc84012`](https://github.com/npm/npm/commit/bc84012c2c615024b08868acbd8df53a7ca8d146) - [#14117](https://github.com/npm/npm/pull/14117) - Fixes a bug where installing a shrinkwrapped package would fail if the - platform failed to install an optional dependency included in the shrinkwrap. - ([@watilde](https://github.com/watilde)) -* [`a40b32d`](https://github.com/npm/npm/commit/a40b32dc7fe18f007a672219a12d6fecef800f9d) - [#13519](https://github.com/npm/npm/pull/13519) - If a package has malformed metadata, `node.requiredBy` is sometimes missing. - Stop crashing when that happens. - ([@creationix](https://github.com/creationix)) +* A new `--prefer-online` option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data. -#### OTHER PATCHES +* A new `--offline` option will force npm to use the cache or exit. It will error with an `ENOTCACHED` code if anything it tries to install isn't already in the cache. -* [`643dae2`](https://github.com/npm/npm/commit/643dae2197c56f1c725ecc6539786bf82962d0fe) - [#14244](https://github.com/npm/npm/pull/14244) - Remove some ancient aliases that we'd rather not have around. - ([@zkat](https://github.com/zkat)) -* [`bdeac3e`](https://github.com/npm/npm/commit/bdeac3e0fb226e4777d4be5cd3c3bec8231c8044) - [#14230](https://github.com/npm/npm/pull/14230) - Detect unsupported Node.js versions and warn about it. Also error on really - old versions where we know we can't work. - ([@iarna](https://github.com/iarna)) +* A new `npm cache verify` command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked into `npm doctor` as part of its larger suite of checking tools. -#### DOC UPDATES +* The new cache is *very* fault tolerant and supports concurrent access. + * Multiple npm processes will not corrupt a shared cache. + * Corrupted data will not be installed. Data is checked on both insertion and extraction, and treated as if it were missing if found to be corrupted. I will literally bake you a cookie if you manage to corrupt the cache in such a way that you end up with the wrong data in your installation (installer bugs notwithstanding). + * `npm cache clear` is no longer useful for anything except clearing up disk space. -* [`9ca18ad`](https://github.com/npm/npm/commit/9ca18ada7cc1c10b2d32bbb59d5a99dd1c743109) - [#13746](https://github.com/npm/npm/pull/13746) - Updated docs for `npm search` options. - ([@zkat](https://github.com/zkat)) -* [`e02a47f`](https://github.com/npm/npm/commit/e02a47f9698ff082488dc2b1738afabb0912793e) - Move the `npm@3` changelog into the archived changelogs directory. - ([@zkat](https://github.com/zkat)) -* [`c12bbf8`](https://github.com/npm/npm/commit/c12bbf8c5a5dff24a191b66ac638f552bfb76601) - [#14290](https://github.com/npm/npm/pull/14290) - Document prepublish-on-install deprecation. - ([@othiym23](https://github.com/othiym23)) -* [`c246a75`](https://github.com/npm/npm/commit/c246a75ac8697f4ca11d316b7e7db5f24af7972b) - [#14129](https://github.com/npm/npm/pull/14129) - Document headers added by npm to outgoing registry requests. - ([@iarna](https://github.com/iarna)) +* Package metadata is cached separately per registry and package type: you can't have package name conflicts between locally-installed packages, private repo packages, and public repo packages. Identical tarball data will still be shared/deduplicated as long as their hashes match. -#### DEPENDENCIES +* HTTP cache-related headers and features are "fully" (lol) supported for both metadata and tarball requests -- if you have your own registry, you can define your own cache settings the CLI will obey! -* [`cb20c73`](https://github.com/npm/npm/commit/cb20c7373a32daaccba2c1ad32d0b7e1fc01a681) - [#13953](https://github.com/npm/npm/pull/13953) - `signal-exit@3.0.1` - ([@benjamincoe](https://github.com/benjamincoe)) +* `prepublishOnly` now runs *before* the tarball to publish is created, after `prepare` has run. diff --git a/deps/npm/TODO.org b/deps/npm/TODO.org index bbc1f73a8fc6a3..9ccceba595ff8a 100644 --- a/deps/npm/TODO.org +++ b/deps/npm/TODO.org @@ -1,4 +1,18 @@ * Finished + * [COMPLETED] npm: remove packageIntegrity + * [COMPLETED] npm: fix lifecycle stuff + * pack: + * pre-: immediately before tarball contents are packed. Need to re-read package.json immediately after + * pack: No pack lifecycle + * post-: immediately after tarball reaches its final destination (not immediately after packaging) + * prepare: `npm install`, immediately before `postinstall`, and immediately before `prepack`, never if `--prod`, after prepublish, before prepublishOnly + * prepublish: alias for `prepare` + * prepublishOnly: ONLY on `npm publish` (never on `npm pack`), runs before prepack (which takes care of re-reading package.json), re-reads package.json immediately after + * [COMPLETED] pacote: fix always-auth bug + * [COMPLETED] pacote: figure out why cache is being written as root + * [COMPLETED] npm: make `npm update` save files as the right type + * [COMPLETED] npm: update docs with npm5 changes + * [COMPLETED] npm: don't write "problems" into package-lock * [COMPLETED] npm: add `created-with`, `shrinkwrap-version`, and `package-integrity` * [COMPLETED] npm: warn on incompatible package-lock version * [COMPLETED] npm: warn if both shrinkwrap and package-lock are there @@ -46,6 +60,12 @@ * [COMPLETED] npm: fix bundle replacement issues (see: npm i nyc warning spam) * need fromBundle attribute on shrinkwrap and pass it through. the sw.version && sw.integrity-based fake node needs to have this there. * Backlog + * [TODO] make-fetch-happen: integrity failures are being thrown + * [TODO] write-file-atomic: review https://github.com/npm/write-file-atomic/pull/22 + * [TODO] pacote: write tests for git handlers + * https://github.com/zkat/pacote/issues/70 + * [TODO] pacote: offline feature support for git deps + * [TODO] npm: get logging working during the recalculateMetadata spam * [TODO] pacote: opts.extraHeaders * https://github.com/zkat/pacote/issues/79 * [TODO] pacote: ECONNRESET recovery @@ -59,14 +79,8 @@ * https://github.com/zkat/make-fetch-happen/issues/16 * [TODO] make-fetch-happen: retry notification * https://github.com/zkat/make-fetch-happen/issues/21 - * [TODO] npm: move addBundled call from inflate-shrinkwrap to extract - * fix the fucking bundling thing while at it + * [TODO] npm: more informative logging when building git deps * Needed for npm@5 - * [TODO] pacote: write tests for git handlers - * https://github.com/zkat/pacote/issues/70 - * [TODO] pacote: offline feature support for git deps - * [TODO] npm: get logging working during the recalculateMetadata spam - * [TODO] write-file-atomic: review https://github.com/npm/write-file-atomic/pull/22 * Active - * [TODO] npm: make `npm update` save files as the right type - * [TODO] node: track down lifecycle signal failure + * [TODO] npm: figure out https://github.com/npm/npm/issues/16665 + * [TODO] npm: first-run notice about npm5 still having known issues diff --git a/deps/npm/appveyor.yml b/deps/npm/appveyor.yml index eefca16071f636..d808b2dbcca4eb 100644 --- a/deps/npm/appveyor.yml +++ b/deps/npm/appveyor.yml @@ -15,7 +15,6 @@ install: - ps: Install-Product node $env:nodejs_version $env:platform - npm config set spin false - npm rebuild - - npm i -g "npm/npm#release-beta-5" - node . install -g . - set "PATH=%APPDATA%\npm;C:\Program Files\Git\mingw64\libexec;%PATH%" - npm install --loglevel=http diff --git a/deps/npm/changelogs/CHANGELOG-4.md b/deps/npm/changelogs/CHANGELOG-4.md new file mode 100644 index 00000000000000..e55bcab3daa339 --- /dev/null +++ b/deps/npm/changelogs/CHANGELOG-4.md @@ -0,0 +1,1566 @@ +## v4.6.1 (2017-04-21) + +A little release to tide you over while we hammer out the last bits for npm@5. + +### FEATURES + +* [`d13c9b2f2`](https://github.com/npm/npm/commit/d13c9b2f24b6380427f359b6e430b149ac8aaa79) + `init-package-json@1.10.0`: + The `name:` prompt is now `package name:` to make this less ambiguous for new users. + + The default package name is now a valid package name. For example: If your package directory + has mixed case, the default package name will be all lower case. +* [`f08c66323`](https://github.com/npm/npm/commit/f08c663231099f7036eb82b92770806a3a79cdf1) + [#16213](https://github.com/npm/npm/pull/16213) + Add `--allow-same-version` option to `npm version` so that you can use `npm version` to run + your version lifecycles and tag your git repo without actually changing the version number in + your `package.json`. + ([@lucastheisen](https://github.com/lucastheisen)) +* [`f5e8becd0`](https://github.com/npm/npm/commit/f5e8becd05e0426379eb0c999abdbc8e87a7f6f2) + Timing has been added throughout the install implementation. You can see it by running + a command with `--loglevel=timing`. You can also run commands with `--timing` which will write + an `npm-debug.log` even on success and add an entry to `_timing.json` in your cache with + the timing information from that run. + ([@iarna](https://github.com/iarna)) + +### BUG FIXES + +* [`9c860f2ed`](https://github.com/npm/npm/commit/9c860f2ed3bdea1417ed059b019371cd253db2ad) + [#16021](https://github.com/npm/npm/pull/16021) + Fix a crash in `npm doctor` when used with a registry that does not support + the `ping` API endpoint. + ([@watilde](https://github.com/watilde)) +* [`65b9943e9`](https://github.com/npm/npm/commit/65b9943e9424c67547b0029f02b0258e35ba7d26) + [#16364](https://github.com/npm/npm/pull/16364) + Shorten the ELIFECYCLE error message. The shorter error message should make it much + easier to discern the actual cause of the error. + ([@j-f1](https://github.com/j-f1)) +* [`a87a4a835`](https://github.com/npm/npm/commit/a87a4a8359693518ee41dfeb13c5a8929136772a) + `npmlog@4.0.2`: + Fix flashing of the progress bar when your terminal is very narrow. + ([@iarna](https://github.com/iarna)) +* [`41c10974f`](https://github.com/npm/npm/commit/41c10974fe95a2e520e33e37725570c75f6126ea) + `write-file-atomic@1.3.2`: + Wait for `fsync` to complete before considering our file written to disk. + This will improve certain sorts of Windows diagnostic problems. +* [`2afa9240c`](https://github.com/npm/npm/commit/2afa9240ce5b391671ed5416464f2882d18a94bc) + [#16336](https://github.com/npm/npm/pull/16336) + Don't ham-it-up when expecting JSON. + ([@bdukes](https://github.com/bdukes)) + +### DOCUMENTATION FIXES + +* [`566f3eebe`](https://github.com/npm/npm/commit/566f3eebe741f935b7c1e004bebf19b8625a1413) + [#16296](https://github.com/npm/npm/pull/16296) + Use a single convention when referring to the `` you're running. + ([@desfero](https://github.com/desfero)) +* [`ccbb94934`](https://github.com/npm/npm/commit/ccbb94934d4f677f680c3e2284df3d0ae0e65758) + [#16267](https://github.com/npm/npm/pull/16267) + Fix a missing space in the example package.json. + ([@famousgarkin](https://github.com/famousgarkin)) + +### DEPENDENCY UPDATES + +* [`ebde4ea33`](https://github.com/npm/npm/commit/ebde4ea3363dfc154c53bd537189503863c9b3a4) + `hosted-git-info@2.4.2` +* [`c46ad71bb`](https://github.com/npm/npm/commit/c46ad71bbe27aaa9ee10e107d8bcd665d98544d7) + `init-package-json@1.9.6` +* [`d856d570d`](https://github.com/npm/npm/commit/d856d570d2df602767c039cf03439d647bba2e3d) + `npm-registry-client@8.1.1` +* [`4a2e14436`](https://github.com/npm/npm/commit/4a2e1443613a199665e7adbda034d5b9d10391a2) + `readable-stream@2.2.9` +* [`f0399138e`](https://github.com/npm/npm/commit/f0399138e6d6f1cd7f807d523787a3b129996301) + `normalize-package-data@2.3.8` + +### v4.5.0 (2017-03-24) + +Welcome a wrinkle on npm's registry API! + +Codename: Corgi + +![corgi-meme](https://cloud.githubusercontent.com/assets/757502/24126107/64c14268-0d89-11e7-871b-d457e6d0082b.jpg) + +This release has some bug fixes, but it's mostly about bringing support for +MUCH smaller package metadata. How much smaller? Well, for npm itself it +reduces 416K of gzip compressed JSON to 24K. + +As a user, all you have to do is update to get to use the new API. If +you're interested in the details we've [documented the +changes](https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md) +in detail. + +#### CORGUMENTS + +Package metadata: now smaller. This means a smaller cache and less to download. + +* [`86dad0d74`](https://github.com/npm/npm/commit/86dad0d747f288eab467d49c9635644d3d44d6f0) + Add support for filtered package metadata. + ([@iarna](https://github.com/iarna)) +* [`41789cffa`](https://github.com/npm/npm/commit/41789cffac9845603f4bdf3f5b03f412144a0e9f) + `npm-registry-client@8.1.0` + ([@iarna](https://github.com/iarna)) + +#### NO SHRINKWRAP, NO PROBLEM + +Previously we needed to extract every package's tarball to look for an +`npm-shrinkwrap.json` before we could begin working through what its +dependencies were. This was one of the things stopping npm's network +accesses from happening more concurrently. The new filtered package +metadata provides a new key, `_hasShrinkwrap`. When that's set to `false` +then we know we don't have to look for one. + +* [`4f5060eb3`](https://github.com/npm/npm/commit/4f5060eb31b9091013e1d6a34050973613a294a3) + [#15969](https://github.com/npm/npm/pull/15969) + Add support for skipping `npm-shrinkwrap.json` extraction when the + registry can affirm that one doesn't exist. + ([@iarna](https://github.com/iarna)) + +#### INTERRUPTING SCRIPTS + +* [`878aceb25`](https://github.com/npm/npm/commit/878aceb25e6d6052dac15da74639ce274c8e62c5) + [#16129](https://github.com/npm/npm/pull/16129) + Better handle Ctrl-C while running scripts. `npm` will now no longer exit + until the script it is running has exited. If you press Ctrl-C a second + time it kill the script rather than just forwarding the Ctrl-C. + ([@jaridmargolin](https://github.com/jaridmargolin)) + +#### DEPENDENCY UPDATES: + +* [`def75eebf`](https://github.com/npm/npm/commit/def75eebf1ad437bf4fd3f5e103cc2d963bd2a73) + `hosted-git-info@2.4.1`: + Preserve case of the user name part of shortcut specifiers, previously they were lowercased. + ([@iarna](https://github.com/iarna)) +* [`eb3789fd1`](https://github.com/npm/npm/commit/eb3789fd18cfb063de9e6f80c3049e314993d235) + `node-gyp@3.6.0`: Add support for VS2017 and Chakracore improvements. + ([@refack](https://github.com/refack)) + ([@kunalspathak](https://github.com/kunalspathak)) +* [`245e25315`](https://github.com/npm/npm/commit/245e25315524b95c0a71c980223a27719392ba75) + `readable-stream@2.2.6` ([@mcollina](https://github.com/mcollina)) +* [`30357ebc5`](https://github.com/npm/npm/commit/30357ebc5691d7c9e9cdc6e0fe7dc6253220c9c2) + `which@1.2.14` ([@isaacs](https://github.com/isaacs)) + +### v4.4.4 (2017-03-16) + +😩😤😅 Okay! We have another `next` +release for ya today. So, yes! With v4.4.3 we fixed the bug that made +bundled scoped modules uninstallable. But somehow I overlooked the fact +that we: A) were using these and B) that made upgrading to v4.4.3 impossible. 😭 + +So I've renamed those two scoped modules to no longer use scopes and we now +have a shiny new test to ensure that scoped modules don't creep into our +transitive deps and make it impossible to upgrade to `npm`. + +(None of our woes applies to most of you all because most of you all don't +use bundled dependencies. `npm` does because we want the published artifact to be +installable without having to already have `npm`.) + +* [`2a7409fcb`](https://github.com/npm/npm/commit/2a7409fcba6a8fab716c80f56987b255983e048e) + [#16066](https://github.com/npm/npm/pull/16066) + Ensure we aren't using any scoped modules + Because `npm`s prior 4.4.3 can't install dependencies that have bundled scoped + modules. This didn't show up sooner because they ALSO had a bug that caused + bundled scoped modules to not be included in the bundle. + ([@iarna](https://github.com/iarna)) +* [`eb4c70796`](https://github.com/npm/npm/commit/eb4c70796c38f24ee9357f5d4a0116db582cc7a9) + [#16066](https://github.com/npm/npm/pull/16066) + Switch to move-concurrently to remove scoped dependency + ([@iarna](https://github.com/iarna)) + +### v4.4.3 (2017-03-15) + +This is a small patch release, mostly because the published tarball for +v4.4.2 was missing a couple of modules, due to a bug involving scoped +modules, bundled dependencies and legacy tree layouts. + +There are a couple of other things here that happened to be ready to go. So +without further ado… + +#### BUG FIXES + +* [`3d80f8f70`](https://github.com/npm/npm/commit/3d80f8f70679ad2b8ce7227d20e8dbce257a47b9) + [npm/fs-vacuum#6](https://github.com/npm/fs-vacuum/pull/6) + `fs-vacuum@1.2.1`: Make sure we never, ever remove home directories. Previously if your + home directory was entirely empty then we might `rmdir` it. + ([@helio-frota](https://github.com/helio-frota)) +* [`1af85ca9f`](https://github.com/npm/npm/commit/1af85ca9f4d625f948e85961372de7df3f3774e2) + [#16040](https://github.com/npm/npm/pull/16040) + Fix bug where bundled transitive dependencies that happened to be + installed under bundled scoped dependencies wouldn't be included in the + tarball when building a package. + ([@iarna](https://github.com/iarna)) +* [`13c7fdc2e`](https://github.com/npm/npm/commit/13c7fdc2e87456a87b1c9385a3daeae228ed7c95) + [#16040](https://github.com/npm/npm/pull/16040) + Fix a bug where bundled scoped dependencies couldn't be extracted. + ([@iarna](https://github.com/iarna)) +* [`d6cde98c2`](https://github.com/npm/npm/commit/d6cde98c2513fe160eab41e31c3198dfde993207) + [#16040](https://github.com/npm/npm/pull/16040) + Stop printing `ENOENT` errors more than once. + ([@iarna](https://github.com/iarna)) +* [`722fbf0f6`](https://github.com/npm/npm/commit/722fbf0f6cf4413cdc24b610bbd60a7dbaf2adfe) + [#16040](https://github.com/npm/npm/pull/16040) + Rewrite the `extract` action for greater clarity. + Specifically, this involves moving things around structurally to do the same + thing [`d0c6d194`](https://github.com/npm/npm/commit/d0c6d194) did, but in a more comprehensive manner. + This also fixes a long standing bug where errors from the move step would be + eaten during this phase and as a result we would get mysterious crashes in + the finalize phase when finalize tried to act on them. + ([@iarna](https://github.com/iarna)) +* [`6754dabb6`](https://github.com/npm/npm/commit/6754dabb6bd3301504efb3b62f36d3fe70958c19) + [#16040](https://github.com/npm/npm/pull/16040) + Flatten out `@npmcorp/move`'s deps for backwards compatibility reasons. Versions prior to this + one will fail to install any package that bundles a scoped dependency. This was responsible + for `ENOENT` errors during the `finalize` phase. + ([@iarna](https://github.com/iarna)) + +#### DOC UPDATES + +* [`fba51c582`](https://github.com/npm/npm/commit/fba51c582d1d08dd4aa6eb27f9044dddba91bb18) + [#15960](https://github.com/npm/npm/pull/15960) + Update troubleshooting and contribution guide links. + ([@watilde](https://github.com/watilde)) + + +### v4.4.2 (2017-03-09): + +This week, the focus on the release was mainly going through [all of npm's deps +that we manage +ourselves](https://github.com/npm/npm/wiki/npm-maintained-dependencies), and +making sure all their PRs and versions were up to date. That means there's a few +fixes here and there. Nothing too big codewise, though. + +The most exciting part of this release is probably our [shiny new +Contributing](https://github.com/npm/npm/blob/latest/CONTRIBUTING.md) and +[Troubleshooting](https://github.com/npm/npm/blob/latest/TROUBLESHOOTING.md) +docs! [@snopeks](https://github.com/snopeks) did some ✨fantastic✨ work hashing it +out, and we're really hoping this is a nice big step towards making contributing +to npm easier. The troubleshooting doc will also hopefully solve common issues +for people! Do you think something is missing from it? File a PR and we'll add +it! The current document is just a baseline for further editing and additions. + +Also there's maybe a bit of an easter egg in this release. 'Cause those are fun and I'm a huge nerd. 😉 + +#### DOCUMENTATION AHOY + +* [`07e997a`](https://github.com/npm/npm/commit/07e997a7ecedba7b29ad76ffb2ce990d5c0200fc) + [#15756](https://github.com/npm/npm/pull/15756) + Overhaul `CONTRIBUTING.md` and add new `TROUBLESHOOTING.md` files. 🙌🏼 + ([@snopeks](https://github.com/snopeks)) +* [`2f3e4b6`](https://github.com/npm/npm/commit/2f3e4b645cdc268889cf95ba24b2aae572d722ad) + [#15833](https://github.com/npm/npm/pull/15833) + Mention the [24-hour unpublish + policy](http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy) + on the main registry. + ([@carols10cents](https://github.com/carols10cents)) + +#### NOT REALLY FEATURES, NOT REALLY BUGFIXES. MORE LIKE TWEAKS? 🤔 + +* [`84be534`](https://github.com/npm/npm/commit/84be534aedb78c65cd8012427fc04871ceeccf90) + [#15888](https://github.com/npm/npm/pull/15888) + Stop flattening `ls`-tree output. From now on, deduped deps will be marked as + such in the place where they would've been before getting hoisted by the + installer. + ([@iarna](https://github.com/iarna)) +* [`e9a5dca`](https://github.com/npm/npm/commit/e9a5dca369ead646ab5922326cede1406c62bd3b) + [#15967](https://github.com/npm/npm/pull/15967) + Limit metadata fetches to 10 concurrent requests. + ([@iarna](https://github.com/iarna)) +* [`46aa9bc`](https://github.com/npm/npm/commit/46aa9bcae088740df86234fc199f7aef53b116df) + [#15967](https://github.com/npm/npm/pull/15967) + Limit concurrent installer actions to 10. + ([@iarna](https://github.com/iarna)) + +#### BUGFIXES + +* [`c3b994b`](https://github.com/npm/npm/commit/c3b994b71565eb4f943cce890bb887d810e6e2d4) + [#15901](https://github.com/npm/npm/pull/15901) + Use EXDEV aware move instead of rename. This will allow moving across devices + and moving when filesystems don't support renaming directories full of files. It might make folks using Docker a bit happier. + ([@iarna](https://github.com/iarna)) +* [`0de1a9c`](https://github.com/npm/npm/commit/0de1a9c1db90e6705c65c068df1fe82899e60d68) + [#15735](https://github.com/npm/npm/pull/15735) + Autocomplete support for npm scripts with `:` colons in the name. + ([@beyondcompute](https://github.com/beyondcompute)) +* [`84b0b92`](https://github.com/npm/npm/commit/84b0b92e7f78ec4add42e8161c555325c99b7f98) + [#15874](https://github.com/npm/npm/pull/15874) + Stop using [undocumented](https://github.com/nodejs/node/pull/11355) + `res.writeHeader` alias for `res.writeHead`. + ([@ChALkeR](https://github.com/ChALkeR)) +* [`895ffe4`](https://github.com/npm/npm/commit/895ffe4f3eecd674796395f91c30eda88aca6b36) + [#15824](https://github.com/npm/npm/pull/15824) + Fix empty versions column in `npm search` output. + ([@bcoe](https://github.com/bcoe)) +* [`38c8d7a`](https://github.com/npm/npm/commit/38c8d7adc1f43ab357d1e729ae7cd5d801a26e68) + `init-package-json@1.9.5`: [npm/init-package-json#61](https://github.com/npm/init-package-json/pull/61) Exclude existing `devDependencies` from being added to `dependencies`. Fixes [#12260](https://github.com/npm/npm/issues/12260). + ([@addaleax](https://github.com/addaleax)) + +### v4.4.1 (2017-03-06): + +This is a quick little patch release to forgo the update notification +checker if you're on an unsuported (but not otherwise broken) version of +Node.js. Right now that means 0.10 or 0.12. + +* [`56ac249`](https://github.com/npm/npm/commit/56ac249ef8ede1021f1bc62a0e4fe1e9ba556af2) + [#15864](https://github.com/npm/npm/pull/15864) + Only use `update-notifier` on supported versions. + ([@legodude17](https://github.com/legodude17)) + +### v4.4.0 (2017-02-23): + +Aaaah, [@iarna](https://github.com/iarna) here, it's been a little while +since I did one of these! This is a nice little release, we've got an +update notifier, vastly less verbose error messages, new warnings on package +metadata that will probably give you a bad day, and a sprinkling of bug +fixes. + +#### UPDATE NOTIFICATIONS + +We now have a little nudge to update your `npm`, courtesy of +[update-notifier](https://www.npmjs.com/package/update-notifier). + +* [`148ee66`](https://github.com/npm/npm/commit/148ee663740aa05877c64f16cdf18eba33fbc371) + [#15774](https://github.com/npm/npm/pull/15774) + `npm` will now check at start up to see if a newer version is available. + It will check once a day. If you want to disable this, set `optOut` to `true` in + `~/.config/configstore/update-notifier-npm.json`. + ([@ceejbot](https://github.com/ceejbot)) + +#### LESS VERBOSE ERROR MESSAGES + +`npm` has, for a long time, had very verbose error messages. There was a +lot of info in there, including the cause of the error you were seeing but +without a lot of experience reading them pulling that out was time consuming +and difficult. + +With this change the output is cut down substantially, centering the error +message. So, for example if you try to `npm run sdlkfj` then the entire +error you'll get will be: + +``` +npm ERR! missing script: sldkfj + +npm ERR! A complete log of this run can be found in: +npm ERR! /Users/rebecca/.npm/_logs/2017-02-24T00_41_36_988Z-debug.log +``` + +The CLI team has discussed cutting this down even further and stripping the +`npm ERR!` prefix off those lines too. We'd appreciate your feedback on +this! + +* [`e544124`](https://github.com/npm/npm/commit/e544124592583654f2970ec332003cfd00d04f2b) + [#15716](https://github.com/npm/npm/pull/15716) + Make error output less verbose. + ([@iarna](https://github.com/iarna)) +* [`166bda9`](https://github.com/npm/npm/commit/166bda97410d0518b42ed361020ade1887e684af) + [#15716](https://github.com/npm/npm/pull/15716) + Stop encouraging users to visit the issue tracker unless we know for + certain that it's an npm bug. + ([@iarna](https://github.com/iarna)) + +#### OTHER NEW FEATURES + +* [`53412eb`](https://github.com/npm/npm/commit/53412eb22c1c75d768e30f96d69ed620dfedabde) + [#15772](https://github.com/npm/npm/pull/15772) + We now warn if you have a module listed in both dependencies and + devDependencies. + ([@TedYav](https://github.com/TedYav)) +* [`426b180`](https://github.com/npm/npm/commit/426b1805904a13bdc5c0dd504105ba037270cbee) + [#15757](https://github.com/npm/npm/pull/15757) + Default reporting metrics to default registry. Previously it defaulted to using + `https://registry.npmjs.org`, now it will default to the result of + `npm config get registry`. For most folks this won't actually change anything, but it + means that folks who use a private registry will have metrics routed there by default. + This has the potential to be interesting because it means that in the + future private registry products ([npme](https://npme.npmjs.com/docs/)!) + will be able to report on these metrics. + ([@iarna](https://github.com/iarna)) + +#### BUG FIXES + +* [`8ea0de9`](https://github.com/npm/npm/commit/8ea0de98563648ba0db032acd4d23d27c4a50a66) + [#15716](https://github.com/npm/npm/pull/15716) + Write logs for `cb() never called` errors. +* [`c4e83dc`](https://github.com/npm/npm/commit/c4e83dca830b24305e3cb3201a42452d56d2d864) + Make it so that errors while reading the existing node_modules tree can't + result in installer crashes. + ([@iarna](https://github.com/iarna)) +* [`2690dc2`](https://github.com/npm/npm/commit/2690dc2684a975109ef44953c2cf0746dbe343bb) + Update `npm doctor` to not treat broken symlinks in your global modules as + a permission failure. This is particularly important if you link modules and your text + editor uses the convention of creating symlinks from `.#filename.js` to a + machine name and pid to lock files (eg emacs and compatible things). + ([@iarna](https://github.com/iarna)) +* [`f4c3f48`](https://github.com/npm/npm/commit/f4c3f489aa5787cf0d60e8436be2190e4b0d0ff7) + [#15777](https://github.com/npm/npm/pull/15777) + Not exactly a bug, but change a parameterless `.apply` to `.call`. + ([@notarseniy](https://github.com/notarseniy)) + +#### DEPENDENCY UPDATES + +* [`549dcff`](https://github.com/npm/npm/commit/549dcff58c7aaa1e7ba71abaa14008fdf2697297) + `rimraf@2.6.0`: + Retry EBUSY, ENOTEMPTY and EPERM on non-Windows platforms too. + More reliable `rimraf.sync` on Windows. + ([@isaacs](https://github.com/isaacs)) +* [`052dfb6`](https://github.com/npm/npm/commit/052dfb623da508f2b5f681da0258125552a18a4a) + `validate-npm-package-name@3.0.0`: + Remove ableist language in README. + Stop allowing ~'!()* in package names. + ([@tomdale](https://github.com/tomdale)) + ([@chrisdickinson](https://github.com/chrisdickinson)) +* [`6663ea6`](https://github.com/npm/npm/commit/6663ea6ac0f0ecec5a3f04a3c01a71499632f4dc) + `abbrev@1.1.0` ([@isaacs](https://github.com/isaacs)) +* [`be6de9a`](https://github.com/npm/npm/commit/be6de9aab9e20b6eac70884e8626161eebf8721a) + `opener@1.4.3` ([@dominic](https://github.com/dominic)) +* [`900a5e3`](https://github.com/npm/npm/commit/900a5e3e3411ec221306455f99b24b9ce35757c0) + `readable-stream@2.2.3` ([@RangerMauve](https://github.com/RangerMauve)) ([@mcollina](https://github.com/mcollina)) +* [`c972a8b`](https://github.com/npm/npm/commit/c972a8b0f20a61a79c45b6642f870bea8c55c7e4) + `tacks@1.2.6` + ([@iarna](https://github.com/iarna)) +* [`85a36ef`](https://github.com/npm/npm/commit/85a36efdac0c24501876875cb9ad40292024e0b0) + [`7ac9265`](https://github.com/npm/npm/commit/7ac9265c56b4d9eeaca6fcfb29513f301713e7bb) + `tap@10.2.0` + ([@isaacs](https://github.com/saacs)) + +### v4.3.0 (2017-02-09): + +Yay! Release time! It's a rainy day, and we have another smallish release for +y'all. These things are not necessarily related. Or are they 🌧🤔 + +As far as news go, you may have noticed that the CLI team dropped support for +`node@0.12` when that version went out of maintenance. Still, we've avoided +explicitly breaking it and `node@0.10` so far -- but not much longer. + +Sometime soon, the CLI team plans on switching over to language features only +available as of `node@4 LTS`, and will likely start dropping old versions of node +as they go out of maintenance. The new features are exciting! We're really +looking forward to using them in the core CLI (and its dependencies) as we keep up +with our current feature work. + +And speaking of features, this release is a minor bump due to a small change in +how `npm login` works for the sake of supporting OAuth-based login for npm +Enterprise users. But we won't leave the rest of y'all out -- we're working on a +larger version of this feature. Soon enough, you'll be able to log in to npm +with, say, GitHub -- and use some shiny features that come from the integration. +Or turn on 2FA and other such security features. Keep your eyes peeled for new +on this in the next few releases and our weekly newsletter! + +#### NEW AUTH TYPES + +There's a new command line option: `--auth-type`, which can be used to log in to +a supporting registry with OAuth2 or SAML. The current implementation is mainly +meant to support npmE customers, so if you're one of those: ask us about using +it! If not, just hold off cause we'll have a much more complete version of this +feature out soon. + +* [`ac8595e`](https://github.com/npm/npm/commit/ac8595e3c9b615ff95abc3301fac1262c434792c) [`bcf2dd8`](https://github.com/npm/npm/commit/bcf2dd8a165843255c06515fa044c6e4d3b71ca4) [`9298d20`](https://github.com/npm/npm/commit/9298d20af58b92572515bfa9cf7377bd4221dc7d) [`66b61bc`](https://github.com/npm/npm/commit/66b61bc42e81ee8a1ee00fc63517f62284140688) [`dc85de7`](https://github.com/npm/npm/commit/dc85de7df6bb61f7788611813ee82ae695a18f1f) + [#13389](https://github.com/npm/npm/pull/13389) + Implement single-sign-on support with `--auth-type` option. + ([@zkat](https://github.com/zkat)) + +#### FASTER STARTUP. SOMETIMES! + +`request` is pretty heavy. And it loads a bunch of things. It's actually a +pretty big chunk of npm's load time. This small patch by Rebecca will make it so +npm only loads that module when we're actually intending to make network +requests. Those of you who use npm commands that run offline might see a small +speedup in startup time. + +* [`ac73568`](https://github.com/npm/npm/commit/ac735682e666e8724549d56146821f3b8b018e25) + [#15631](https://github.com/npm/npm/pull/15631) + Lazy load `caching-registry-client`. + ([@iarna](https://github.com/iarna)) + +#### DOCUMENTATION + +* [`4ad9247`](https://github.com/npm/npm/commit/4ad9247aa82f7553c9667ee93c74ec7399d6ceec) + [#15630](https://github.com/npm/npm/pull/15630) + Fix formatting/rendering for root npm README. + ([@ungoldman](https://github.com/ungoldman)) + +#### DEPENDENCY UPDATES + +* [`8cc1112`](https://github.com/npm/npm/commit/8cc1112958638ff88ac2c24c4a065acacb93d64b) + [npm/hosted-git-info#21](https://github.com/npm/hosted-git-info/pull/21) + `hosted-git-info@2.2.0`: + Add support for `.tarball()` URLs. + ([@zkat](https://github.com/zkat)) +* [`6eacc1b`](https://github.com/npm/npm/commit/6eacc1bc1925fe3cc79fc97bdc3194d944fce55e) + `npm-registry-mock@1.1.0` + ([@addaleax](https://github.com/addaleax)) +* [`a9b6d77`](https://github.com/npm/npm/commit/a9b6d775e61cf090df0e13514c624f99bf31d1e7) + `aproba@1.1.1` + ([@iarna](https://github.com/iarna)) + +### v4.2.0 (2017-01-26): + +Hi all! I'm Kat, and I'm currently sitting in a train traveling at ~300km/h +through Spain. So clearly, this release should have *something* to do with +speed. And it does! Heck, with this release, you could say we're really +_blazing_, even. 🌲🔥😏 + +#### IMPROVED CLI SEARCH~ + +You might recall if you've been keeping up that one of the reasons for a +semver-major bump to `npm@4` was an improved CLI search (read: no longer blowing +up Node). The work done for that new search system, while still relying on a +full metadata download and local search, was also meant to act as groundwork for +then-ongoing work on a brand-new, smarter search system for npm. Shortly after +`npm@4` came out, the bulk of the server-side work was done, and with this +release, the npm CLI has integrated use of the new endpoint for high-quality, +fast-turnaround searches. + +No, seriously, it's *fast*. And *relevant*: + +[![GOTTA GO FAST! This is a gif of the new npm search returning results in around a second for `npm search web framework`.](https://cloud.githubusercontent.com/assets/17535/21954136/f007e8be-d9fd-11e6-9231-f899c12790e0.gif)](https://github.com/npm/npm/pull/15481) + +Give it a shot! And remember to check out the new website version of the search, +too, which uses the same backend as the CLI now. 🎉 + +Incidentally, the backend is a public service, so you can write your own search +tools, be they web-based, CLI, or GUI-based. You can read up on the [full +documentation for the search +endpoint](https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#get-v1search), +and let us know about the cool things you come up with! + +* [`ce3ca51`](https://github.com/npm/npm/commit/ce3ca51ca2d60e15e901c8bf6256338e53e1eca2) + [#15481](https://github.com/npm/npm/pull/15481) + Add an internal `gunzip-maybe` utility for optional gunzipping. + ([@zkat](https://github.com/zkat)) +* [`e322932`](https://github.com/npm/npm/commit/e3229324d507fda10ea9e94fd4de8a4ae5025c75) [`a53055e`](https://github.com/npm/npm/commit/a53055e423f1fe168f05047aa0dfec6d963cb211) [`a1f4365`](https://github.com/npm/npm/commit/a1f436570730c6e4a173ca92d1967a87c29b7f2d) [`c56618c`](https://github.com/npm/npm/commit/c56618c62854ea61f6f716dffe7bcac80b5f4144) + [#15481](https://github.com/npm/npm/pull/15481) + Add support for using the new npm search endpoint for fast, quality search + results. Includes a fallback to "classic" search. + ([@zkat](https://github.com/zkat)) + +#### WHERE DID THE DEBUG LOGS GO + +This is another pretty significant change: Usually, when the npm process +crashed, you would get an `npm-debug.log` in your current working directory. +This debug log would get cleared out as soon as you ran npm again. This was a +bit annoying because 1) you would get a random file in your `git status` that +you might accidentally commit, and 2) if you hit a hard-to-reproduce bug and +instinctually tried again, you would no longer have access to the repro +`npm-debug.log`. + +So now, any time a crash happens, we'll save your debug logs to your cache +folder, under `_logs` (`~/.npm` on *nix, by default -- use `npm config get +cache` to see what your current value is). The cache will now hold a +(configurable) number of `npm-debug.log` files, which you can access in the +future. Hopefully this will help clean stuff up and reduce frustration from +missed repros! In the future, this will also be used by `npm report` to make it +super easy to put up issues about crashes you run into with npm. 💃🕺🏿👯‍♂️ + +* [`04fca22`](https://github.com/npm/npm/commit/04fca223a0f704b69340c5f81b26907238fad878) + [#11439](https://github.com/npm/npm/pull/11439) + Put debug logs in `$(npm get cache)/_logs` and store multiple log files. + ([@KenanY](https://github.com/KenanY)) + ([@othiym23](https://github.com/othiym23)) + ([@isaacs](https://github.com/isaacs)) + ([@iarna](https://github.com/iarna)) + +#### DOCS + +* [`ae8e71c`](https://github.com/npm/npm/commit/ae8e71c2b7d64d782af287a21e146d7cea6e5273) + [#15402](https://github.com/npm/npm/pull/15402) + Add missing backtick in one of the `npm doctor` messages. + ([@watilde](https://github.com/watilde), [@charlotteis](https://github.com/charlotteis)) +* [`821fee6`](https://github.com/npm/npm/commit/821fee6d0b12a324e035c397ae73904db97d07d2) + [#15480](https://github.com/npm/npm/pull/15480) + Clarify that unscoped packages can depend on scoped packages and vice-versa. + ([@chocolateboy](https://github.com/chocolateboy)) +* [`2ee45a8`](https://github.com/npm/npm/commit/2ee45a884137ae0706b7c741c671fef2cb3bac96) + [#15515](https://github.com/npm/npm/pull/15515) + Update minimum supported Node version number in the README to `node@>=4`. + ([@watilde](https://github.com/watilde)) +* [`af06aa9`](https://github.com/npm/npm/commit/af06aa9a357578a8fd58c575f3dbe55bc65fc376) + [#15520](https://github.com/npm/npm/pull/15520) + Add section to `npm-scope` docs to explain that scope owners will own scoped + packages with that scope. That is, user `@alice` is not allowed to publish to + `@bob/my-package` unless explicitly made an owner by user (or org) `@bob`. + ([@hzoo](https://github.com/hzoo)) +* [`bc892e6`](https://github.com/npm/npm/commit/bc892e6d07a4c6646480703641a4d71129c38b6d) + [#15539](https://github.com/npm/npm/pull/15539) + Replace `http` with `https` and fix typos in some docs. + ([@watilde](https://github.com/watilde)) +* [`1dfe875`](https://github.com/npm/npm/commit/1dfe875b9ac61a0ab9f61a2eab02bacf6cce583c) + [#15545](https://github.com/npm/npm/pull/15545) + Update Node.js download link to point to the right place. + ([@watilde](https://github.com/watilde)) + +#### DEPENDENCIES + + * [`b824bfb`](https://github.com/npm/npm/commit/b824bfbeb2d89c92762e9170b026af98b5a3668a) + `ansi-regex@2.1.1` + * [`81ea3e8`](https://github.com/npm/npm/commit/81ea3e8e4ea34cd9c2b418512dcb508abcee1380) + `mississippi@1.3.0` + +#### MISC + +* [`98df212`](https://github.com/npm/npm/commit/98df212a91fd6ff4a02b9cd247f4166f93d3977a) + [#15492](https://github.com/npm/npm/pull/15492) + Update the "master" node version used for AppVeyor to `node@7`. + ([@watilde](https://github.com/watilde)) +* [`d75fc03`](https://github.com/npm/npm/commit/d75fc03eda5364f12ac266fa4f66e31c2e44e864) + [#15413](https://github.com/npm/npm/pull/15413) + `npm run-script` now exits with the child process' exit code on exit. + ([@kapals](https://github.com/kapals)) + +### v4.1.2 (2017-01-12) + +We have a twee little release this week as we come back from the holidays. + +#### 0.12 IS UNSUPPORTED NOW (really) + +After [jumping the gun a +little](https://github.com/npm/npm/releases/tag/v4.0.2), we can now +officially remove 0.12 from our supported versions list. The Node.js +project has now officially ended even maintenance support for 0.12 and thus, +so will we. To reiterate from the last time we did this: + +What this means: + +* Your contributions will no longer block on the tests passing on 0.12. +* We will no longer block dependency upgrades on working with 0.12. +* Bugs filed on the npm CLI that are due to incompatibilities with 0.12 + (and older versions) will be closed with a strong urging to upgrade to a + supported version of Node. +* On the flip side, we'll continue to (happily!) accept patches that + address regressions seen when running the CLI with Node.js 0.12. + +What this doesn't mean: + +* The CLI is going to start depending on ES2015+ features. npm continues + to work, in almost all cases, all the way back to Node.js 0.8, and our + long history of backwards compatibility is a source of pride for the + team. +* We aren't concerned about the problems of users who, for whatever + reason, can't update to newer versions of npm. As mentioned above, we're + happy to take community patches intended to address regressions. + +We're not super interested in taking sides on what version of Node.js +you "should" be running. We're a workflow tool, and we understand that +you all have a diverse set of operational environments you need to be +able to support. At the same time, we _are_ a small team, and we need +to put some limits on what we support. Tracking what's supported by our +runtime's own team seems most practical, so that's what we're doing. + +* [`c7bbba8`](https://github.com/npm/npm/commit/c7bbba8744b62448103a1510c65d9751288abb5d) + Remove 0.12 from our supported versions list. + ([@iarna](https://github.com/iarna)) + +#### WRITING TO SYMLINKED `package.json` (AND OTHER FILES) + +If your `package.json`, `npm-shrinkwrap.json` or `.npmrc` were a symlink and +you used an `npm` command that modified one of these (eg `npm config set` or +`npm install --save`) then previously we would have removed your symlink and +replaced it with an ordinary file. While making these files symlinks is pretty +uncommon, this was still surprising behavior. With this fix we now overwrite +the _destination_ of the symlink and preserve the symlink itself. + +* [`a583983`](https://github.com/npm/npm/commit/a5839833d3de7072be06884b91902c093aff1aed) + [write-file-atomic/#5](https://github.com/npm/write-file-atomic/issues/5) + [#10223](https://github.com/npm/npm/10223) + `write-file-atomic@1.3.1`: + When the target is a symlink, write-file-atomic now overwrites the + _destination_ of the symlink, instead of replacing the symlink itself. This + makes it's behavior match `fs.writeFile`. + + Fixed a bug where it would ALWAYS fs.stat to look up default mode and chown + values even if you'd passed them in. (It still used the values you passed + in, but did a needless stat.) + ([@iarna](https://github.com/iarna)) + +#### DEPENDENCY UPDATES + +* [`521f230`](https://github.com/npm/npm/commit/521f230dd57261e64ac9613b3db62f5312971dca) + `node-gyp@3.5.0`: + Improvements to how Python is located. New `--devdir` flag. + ([@bnoordhuis](https://github.com/bnoordhuis)) + ([@mhart](https://github.com/mhart)) +* [`ccd83e8`](https://github.com/npm/npm/commit/ccd83e8a70d35fb0904f8a9adb2ff7ac8a6b2706) + `JSONStream@1.3.0`: + Add new emitPath option. + ([@nathanwills](https://github.com/nathanwills)) + +#### TEST IMPROVEMENTS + +* [`d76e084`](https://github.com/npm/npm/commit/d76e08463fd65705217624b861a1443811692f34) + Disable metric reporting for test suite even if the user has it enabled. + ([@iarna](https://github.com/iarna)) + +### v4.1.1 (2016-12-16) + +This fixes a bug in the metrics reporting where, if you had enabled it then +installs would create a metrics reporting process, that would create a +metrics reporting process, that would… well, you get the idea. The only +way to actually kill these processes is to turn off your networking, then +on MacOS/Linux kill them with `kill -9`. Alternatively you can just reboot. + +Anyway, this is a quick release to fix that bug: + +* [`51c393f`](https://github.com/npm/npm/commit/51c393feff5f4908c8a9fb02baef505b1f2259be) + [#15237](https://github.com/npm/npm/pull/15237) + Don't launch a metrics sender process if we're running from a metrics + sender process. + ([@iarna](https://github.com/iarna)) + +### v4.1.0 (2016-12-15) + +I'm really excited about `npm@4.1.0`. I know, I know, I'm kinda overexcited +in my changelogs, but this one is GREAT. We've got a WHOLE NEW subcommand, I +mean, when was the last time you saw that? YEARS! And we have the beginnings +of usage metrics reporting. Then there's a fix for a really subtle bug that +resulted in `shasum` errors. And then we also have a few more bug fixes and +other improvements. + +#### ANONYMOUS METRIC REPORTING + +We're adding the ability for you all to help us track the quality of your +experiences using `npm`. Metrics will be sent if you run: + +``` +npm config set send-metrics true +``` + +Then `npm` will report to `registry.npmjs.org` the number of successful and +failed installations you've had. The data contains no identifying +information and npm will not attempt to correlate things like IP address +with the metrics being submitted. + +Currently we only track number of successful and failed installations. In +the future we would like to find additional metrics to help us better +quantify the quality of the `npm` experience. + +* [`190a658`](https://github.com/npm/npm/commit/190a658c4222f6aa904cbc640fc394a5c875e4db) + [#15084](https://github.com/npm/npm/pull/15084) + Add facility for recording and reporting success metrics. + ([@iarna](https://github.com/iarna)) +* [`87afc8b`](https://github.com/npm/npm/commit/87afc8b466f553fb49746c932c259173de48d0a4) + [npm/npm-registry-client#147](https://github.com/npm/npm-registry-client/pull/148) + `npm-registry-client@7.4.5`: + Add support for sending anonymous CLI metrics. + ([@iarna](https://github.com/iarna), + [@sisidovski](https://github.com/sisidovski)) + +### NPM DOCTOR + +
+Check                               Value                        Recommendation
+npm ping                            ok
+npm -v                              v4.0.5
+node -v                             v4.6.1                       Use node v6.9.2
+npm config get registry             https://registry.npmjs.org/
+which git                           /Users/rebecca/bin/git
+Perms check on cached files         ok
+Perms check on global node_modules  ok
+Perms check on local node_modules   ok
+Checksum cached files               ok
+
+ +It's a rare day that we add a new command to `npm`, so I'm excited to +present to you `npm doctor`. It checks for a number of common problems and +provides some recommended solutions. It was put together through the hard +work of [@watilde](https://github.com/watilde). + +* [`2359505`](https://github.com/npm/npm/commit/23595055669f76c9fe8f5f1cf4a705c2e794f0dc) + [`0209ee5`](https://github.com/npm/npm/commit/0209ee50448441695fbf9699019d34178b69ba73) + [#14582](https://github.com/npm/npm/pull/14582) + Add new `npm doctor` to give your project environment a health check. + ([@watilde](https://github.com/watilde)) + +#### FIX MAJOR SOURCE OF SHASUM ERRORS + +If you've been getting intermittent shasum errors then you'll be pleased to +know that we've tracked down at least one source of them, if not THE source +of them. + +* [`87afc8b`](https://github.com/npm/npm/commit/87afc8b466f553fb49746c932c259173de48d0a4) + [#14626](https://github.com/npm/npm/issues/14626) + [npm/npm-registry-client#148](https://github.com/npm/npm-registry-client/pull/148) + `npm-registry-client@7.4.5`: + Fix a bug where an `ECONNRESET` while fetching a package file would result + in a partial download that would be reported as a "shasum mismatch". It + now throws away the partial download and retries it. + ([@iarna](https://github.com/iarna)) + +#### FILE URLS AND NODE.JS 7 + +When `npm` was formatting `file` URLs we took advantage of `url.format` to +construct them. Node.js 7 changed the behavior in such a way that our use of +`url.format` stopped producing URLs that we could make use of. + +The reasons for this have to do with the `file` URL specification and how +invalid (according to the specification) URLs are handled. How this changed +is most easily explained with a table: + + + + + + + +
URLNode.js <= 6npm's understandingNode.js 7npm's understanding
VALIDfile:///abc/deffile:///abc/def/abc/deffile:///abc/def/abc/def
invalidfile:/abc/deffile:/abc/def/abc/deffile:///abc/def/abc/def
invalidfile:abc/deffile:abc/def$CWD/abc/deffile://abc/def/def on the abc host
invalidfile:../abc/deffile:../abc/def$CWD/../abc/deffile://../abc/def/abc/def on the .. host
+ +So the result was that passing a `file` URL that npm had received that used +through Node.js 7's `url.format` changed its meaning as far as `npm` was +concerned. As those kinds of URLs are, per the specification, invalid, how +they should be handled is undefined and so the change in Node.js wasn't a +bug per se. + +Our solution is to stop using `url.format` when constructing this kind of +URL. + +* [`173935b`](https://github.com/npm/npm/commit/173935b4298e09c4fdcb8f3a44b06134d5aff181) + [#15114](https://github.com/npm/npm/issues/15114) + Stop using `url.format` for relative local dep paths. + ([@zkat](https://github.com/zkat)) + +#### EXTRANEOUS LIFECYCLE SCRIPT EXECUTION WHEN REMOVING + +* [`afb1dfd`](https://github.com/npm/npm/commit/afb1dfd944e57add25a05770c0d52d983dc4e96c) + [#15090](https://github.com/npm/npm/pull/15090) + Skip top level lifecycles when uninstalling. + ([@iarna](https://github.com/iarna)) + +#### REFACTORING AND INTERNALS + +* [`c9b279a`](https://github.com/npm/npm/commit/c9b279aca0fcb8d0e483e534c7f9a7250e2a9392) + [#15205](https://github.com/npm/npm/pull/15205) + [#15196](https://github.com/npm/npm/pull/15196) + Only have one function that determines which version of a package to use + given a specifier and a list of versions. + ([@iarna](https://github.com/iarna), + [@zkat](https://github.com/zkat)) + +* [`981ce63`](https://github.com/npm/npm/commit/981ce6395e7892dde2591b44e484e191f8625431) + [#15090](https://github.com/npm/npm/pull/15090) + Rewrite prune to use modern npm plumbing. + ([@iarna](https://github.com/iarna)) + +* [`bc4b739`](https://github.com/npm/npm/commit/bc4b73911f58a11b4a2d28b49e24b4dd7365f95b) + [#15089](https://github.com/npm/npm/pull/15089) + Rename functions and variables in the module that computes what changes to + make to your installation. + ([@iarna](https://github.com/iarna)) + +* [`2449f74`](https://github.com/npm/npm/commit/2449f74a202b3efdb1b2f5a83356a78ea9ecbe35) + [#15089](https://github.com/npm/npm/pull/15089) + When computing changes to make to your installation, use a function to add + new actions to take instead of just pushing on a list. + ([@iarna](https://github.com/iarna)) + +#### IMPROVED LOGGING + +* [`335933a`](https://github.com/npm/npm/commit/335933a05396258eead139d27eea3f7668ccdfab) + [#15089](https://github.com/npm/npm/pull/15089) + Log when we remove obsolete dependencies in the tree. + ([@iarna](https://github.com/iarna)) + +#### DOCUMENTATION + +* [`33ca4e6`](https://github.com/npm/npm/commit/33ca4e6db3c1878cbc40d5e862ab49bb0e82cfb2) + [#15157](https://github.com/npm/npm/pull/15157) + Update `npm cache` docs to use more consistent language + ([@JonahMoses](https://github.com/JonahMoses)) + +#### DEPENDENCY UPDATES + +* [`c2d22fa`](https://github.com/npm/npm/commit/c2d22faf916e8260136a1cc95913ca474421c0d3) + [#15215](https://github.com/npm/npm/pull/15215) + `nopt@4.0.1`: + The breaking change is a small tweak to how empty string values are + handled. See the brand-new + [CHANGELOG.md for nopt](https://github.com/npm/nopt/blob/v4.0.1/CHANGELOG.md) for further + details about what's changed in this release! + ([@adius](https://github.com/adius), + [@samjonester](https://github.com/samjonester), + [@elidoran](https://github.com/elidoran), + [@helio](https://github.com/helio), + [@silkentrance](https://github.com/silkentrance), + [@othiym23](https://github.com/othiym23)) +* [`54d949b`](https://github.com/npm/npm/commit/54d949b05adefffeb7b5b10229c5fe0ccb929ac3) + [npm/lockfile#24](https://github.com/npm/lockfile/pull/24) + `lockfile@1.0.3`: + Handled case where callback was not passed in by the user. + ([@ORESoftware](https://github.com/ORESoftware)) +* [`54acc03`](https://github.com/npm/npm/commit/54acc0389b39850c0725d0868cb5e61317b57503) + `npmlog@4.0.2`: + Documentation update. + ([@helio-frota](https://github.com/helio-frota)) +* [`57f4bc1`](https://github.com/npm/npm/commit/57f4bc1150322294c1ea0a287ad0a8e457c151e6) + `osenv@0.1.4`: + Test changes. + ([@isaacs](https://github.com/isaacs)) +* [`bea1a2d`](https://github.com/npm/npm/commit/bea1a2d0db566560e13ecc1d5f42e55811269c88) + `retry@0.10.1`: + No changes. + ([@tim-kos](https://github.com/tim-kos)) +* [`6749e39`](https://github.com/npm/npm/commit/6749e395f868109afd97f79d36507e6567dd48fb) + [kapouer/marked-man#9](https://github.com/kapouer/marked-man/pull/9) + `marked-man@0.2.0`: + Add table support. + ([@gholk](https://github.com/gholk)) + +### v4.0.5 (2016-12-01) + +It's that time of year! December is upon us, which means y'all are just going to +be doing a lot less, in general, for the next month or so. The "Xmas Chasm", as +we like to call it, has already begun. So for those of you reading it from the +other side: Hi! Welcome back! + +This week's release is a relatively small one, involving just a few bugfixes and +dependency upgrades. The CLI team has been busy recently with scoping out +`npm@5`, and starting to do initial spec work for in-scope stuff. + +#### BUGFIXES + +On to the actual changes! + +* [`9776d8f`](https://github.com/npm/npm/commit/9776d8f70a0ea8d921cbbcab7a54e52c15fc455f) + [#15081](https://github.com/npm/npm/pull/15081) + `bundledDependencies` are intended to be left untouched by the installer, as + much as possible -- if they're bundled, we assume that you want to be + particular about the contents of your bundle. + + The installer used to have a corner case where existing dependencies that had + bundledDependencies would get clobbered by as the installer moved stuff + around, even though the installer already avoided moving deps that were + themselves bundled. This is now fixed, along with the connected crasher, and + your bundledDeps should be left even more intact than before! + ([@iarna](https://github.com/iarna)) +* [`fc61c08`](https://github.com/npm/npm/commit/fc61c082122104031ccfb2a888432c9f809a0e8b) + [#15082](https://github.com/npm/npm/pull/15082) + Initialize nodes from bundled dependencies. This should address + [#14427](https://github.com/npm/npm/issues/14427) and related issues, but it's + turned out to be a tremendously difficult issue to reproduce in a test. We + decided to include it even pending tests, because we found the root cause of + the errors. + ([@iarna](https://github.com/iarna)) +* [`d8471a2`](https://github.com/npm/npm/commit/d8471a294ef848fc893f60e17d6ec6695b975d16) + [#12811](https://github.com/npm/npm/pull/12811) + Consider `devDependencies` when deciding whether to hoist a package. This + should resolve a variety of missing dependency issues some folks were seeing + when `devDependencies` happened to also be dependencies of your + `dependencies`. This often manifested as modules going missing, or only being + installed, after `npm install` was called twice. + ([@schmod](https://github.com/schmod)) + +#### DEPENDENCY UPDATES + +* [`5978703`](https://github.com/npm/npm/commit/5978703da8669adae464789b1b15ee71d7f8d55d) + `graceful-fs@4.1.11`: + `EPERM` errors are Windows are now handled more gracefully. Windows users that + tended to see these errors due to, say, an antivirus-induced race condition, + should see them much more rarely, if at all. + ([@zkatr](https://github.com/zkat)) +* [`85b0174`](https://github.com/npm/npm/commit/85b0174ba9842e8e89f3c33d009e4b4a9e877c7d) + `request@2.79.0` + ([@zkat](https://github.com/zkat)) +* [`9664d36`](https://github.com/npm/npm/commit/9664d36653503247737630440bc2ff657de965c3) + `tap@8.0.1` + ([@zkat](https://github.com/zkat)) + +#### MISCELLANEOUS + +* [`f0f7b0f`](https://github.com/npm/npm/commit/f0f7b0fd025daa2b69994130345e6e8fdaaa0304) + [#15083](https://github.com/npm/npm/pull/15083) + Removed dead code. + ([@iarna](https://github.com/iarna)) * [`bc32afe`](https://github.com/npm/npm/commit/bc32afe4d12e3760fb5a26466dc9c26a5a2981d5) [`c8a22fe`](https://github.com/npm/npm/commit/c8a22fe5320550e09c978abe560b62ce732686f4) [`db2666d`](https://github.com/npm/npm/commit/db2666d8c078fc69d0c02c6a3de9b31be1e995e9) + [#15085](https://github.com/npm/npm/pull/15085) + Change some network tests so they can run offline. + ([@iarna](https://github.com/iarna)) +* [`744a39b`](https://github.com/npm/npm/commit/744a39b836821b388ad8c848bd898c1d006689a9) + [#15085](https://github.com/npm/npm/pull/15085) + Make Node.js tests compatible with Windows. + ([@iarna](https://github.com/iarna)) + +### v4.0.3 (2016-11-17) + +Hey you all, we've got a couple of bug fixes for you, a slew of +documentation improvements and some improvements to our CI environment. I +know we just got v4 out the door, but the CLI team is already busy planning +v5. We'll have more for you in early December. + +#### BUG FIXES + +* [`45d40d9`](https://github.com/npm/npm/commit/45d40d96d2cd145f1e36702d6ade8cd033f7f332) + [`ba2adc2`](https://github.com/npm/npm/commit/ba2adc2e822d5e75021c12f13e3f74ea2edbde32) + [`1dc8908`](https://github.com/npm/npm/commit/1dc890807bd78a1794063688af31287ed25a2f06) + [`2ba19ee`](https://github.com/npm/npm/commit/2ba19ee643d612d103cdd8f288d313b00d05ee87) + [#14403](https://github.com/npm/npm/pull/14403) + Fix a bug where a scoped module could produce crashes when incorrectly + computing the paths related to their location. This patch reorganizes how path information + is passed in to eliminate the possibility of this sort of bug. + ([@iarna](https://github.com/iarna)) + ([@NatalieWolfe](https://github.com/NatalieWolfe)) +* [`1011ec6`](https://github.com/npm/npm/commit/1011ec61230288c827a1c256735c55cf03d6228f) + [npm/npmlog#46](https://github.com/npm/npmlog/pull/46) + `npmlog@4.0.1`: Fix a bug where the progress bar would still display even if + you passed in `--no-progress`. + ([@iarna](https://github.com/iarna)) + +#### DOCUMENTATION UPDATES + +* [`c3ac177`](https://github.com/npm/npm/commit/c3ac177236124c80524c5f252ba8f6670f05dcd8) + [#14406](https://github.com/npm/npm/pull/14406) + Sync up the dispute policy included with the CLI with the [current official text](https://www.npmjs.com/policies/disputes). + ([@mike-engel](https://github.com/mike-engel)) +* [`9c663b2`](https://github.com/npm/npm/commit/9c663b2dd8552f892dc0205330bbc73a484ecd81) + [#14627](https://github.com/npm/npm/pull/14627) + Update build status branch in README. + ([@cameronroe](https://github.com/cameronroe)) +* [`8a8a0a3`](https://github.com/npm/npm/commit/8a8a0a3d490fc767def208f925cdff57e16e565b) + [#14609](https://github.com/npm/npm/pull/14609) + Update examples URLs of GitHub repos where those repos have moved to new URLs. + ([@dougwilson](https://github.com/dougwilson)) +* [`7a6425b`](https://github.com/npm/npm/commit/7a6425bcd4decde5d4b0af8b507e98723a07c680) + [#14472](https://github.com/npm/npm/pull/14472) + Document `sign-git-tag` in + [npm-version(1)](https://github.com/npm/npm/blob/release-next/doc/cli/npm-version.md)'s + configuration section. + ([@strugee](https://github.com/strugee)) +* [`f3087cc`](https://github.com/npm/npm/commit/f3087cc58c903d9a70275be805ebaf0eadbcbe1b) + [#14546](https://github.com/npm/npm/pull/14546) + Add a note about the dangers of configuring npm via uppercase env vars. + ([@tuhoojabotti](https://github.com/tuhoojabotti)) +* [`50e51b0`](https://github.com/npm/npm/commit/50e51b04a143959048cf9e1e4c8fe15094f480b0) + [#14559](https://github.com/npm/npm/pull/14559) + Remove documentation that incorrectly stated that we check `.npmrc` permissions. + ([@iarna](https://github.com/iarna)) + +##### OH UH, HELLO AGAIN NODE.JS 0.12 + +* [`6f0c353`](https://github.com/npm/npm/commit/6f0c353e4e89b0378a4c88c829ccf9a1c5ae829d) + [`f78bde6`](https://github.com/npm/npm/commit/f78bde6983bdca63d5fcb9c220c87e8f75ffb70e) + [#14591](https://github.com/npm/npm/pull/14591) + Reintroduce Node.js 0.12 to our support matrix. We jumped the gun when + removing it. We won't drop support for it till the Node.js project does + so at the end of December 2016. + ([@othiym23](https://github.com/othiym23)) + +#### TEST/CI UPDATES + +* [`aa73d1c`](https://github.com/npm/npm/commit/aa73d1c1cc22608f95382a35b33da252addff38e) + [`c914e80`](https://github.com/npm/npm/commit/c914e80f5abcb16c572fe756c89cf0bcef4ff991) +* [`58fe064`](https://github.com/npm/npm/commit/58fe064dcc80bc08c677647832f2adb4a56b538a) + [#14602](https://github.com/npm/npm/pull/14602) + When running tests with coverage, use nyc's cache. This provides an 8x speedup! + ([@bcoe](https://github.com/bcoe)) +* [`ba091ce`](https://github.com/npm/npm/commit/ba091ce843af5d694f4540e825b095435b3558d8) + [#14435](https://github.com/npm/npm/pull/14435) + Remove an unused zero byte `package.json` found in the test fixtures. + ([@baderbuddy](https://github.com/baderbuddy)) + +#### DEPENDENCY UPDATES + +* [`442e01e`](https://github.com/npm/npm/commit/442e01e42d8a439809f6726032e3b73ac0d2b2f8) + `readable-stream@2.2.2`: + Bring in latest changes from Node.js 7.x. + ([@calvinmetcalf](https://github.com/calvinmetcalf)) +* [`bfc4a1c`](https://github.com/npm/npm/commit/bfc4a1c0c17ef0a00dfaa09beba3389598a46535) + `which@1.2.12`: + Remove unused require. + ([@isaacs](https://github.com/isaacs)) + +#### DEV DEPENDENCY UPDATES + +* [`7075b05`](https://github.com/npm/npm/commit/7075b054d8d2452bb53bee9b170498a48a0dc4e9) + `marked-man@0.1.6` + ([@kapouer](https://github.com/kapouer)) +* [`3e13fea`](https://github.com/npm/npm/commit/3e13fea907ee1141506a6de7d26cbc91c28fdb80) + `tap@8.0.0` + ([@isaacs](https://github.com/isaacs)) + +### v4.0.2 (2016-11-03) + +Hola, amigxs. I know it's been a long time since I rapped at ya, but I +been spending a lotta time quietly reflecting on all the things going on +in my life. I was, like, [in Japan for a while](https://gist.github.com/othiym23/c98bd4ef5d9fb3f496835bd481ef40ae), +and before that my swell colleagues [@zkat](https://github.com/zkat) and +[@iarna](https://github.com/iarna) have been very capably managing the release +process for quite a while. But I returned from Japan somewhat refreshed, very +jetlagged, and filled with a burning urge to get `npm@4` as stable as possible +before we push it out to the user community at large, so I decided to do this +release myself. (Also, huge thanks to Kat and Rebecca for putting out `npm@4` +so capably while I was on vacation! So cool to return to a major release having +gone so well without my involvement!) + +That said... + +#### NEVER TRUST AN X.0.0 RELEASE + +Even though 4.0.1 came out hard on the heels of 4.0.0 with a couple +critical fixes, we've found a couple other major issues that we want to +see fixed before making `npm@4` into `npm@latest`. Some of these are +arguably breaking changes on their own, so now is the time to get them +out if we're going to do so before `npm@5`, and all of them are pretty +significant blockers for a substantial number of users, so now is the +best time to fix them. + +##### PREPUBLISHONLY WHOOPS + +The code running the `publish*` lifecycle events was very confusingly written. +In fact, we didn't really figure out what it was doing until we added the new +`prepublishOnly` event and it was running people's scripts from the wrong +directory. We made it simpler. See the [commit +message](https://github.com/npm/npm/commit/8b32d67aa277fd7e62edbed886387a855f58387f) +for details. + +Because the change is no longer running publish events when publishing prebuilt +artifacts, it's technically a breaking / semver-major change. In the off chance +that the new behavior breaks any of y'all's workflows, let us know, and we can +roll some or all of this change back until `npm@5` (or forever, if that works +better for you). + +* [`8b32d67`](https://github.com/npm/npm/commit/8b32d67aa277fd7e62edbed886387a855f58387f) + [#14502](https://github.com/npm/npm/pull/14502) + Simplify lifecycle invocation and fix `prepublishOnly`. + ([@othiym23](https://github.com/othiym23)) + +##### G'BYE NODE.JS 0.10, 0.12, and 5.X; HI THERE, NODE 7 + +With the advent of the second official Node.js LTS release, Node 6.x +'Boron', the Node.js project has now officially dropped versions 0.10 +and 0.12 out of the maintenance phase of LTS. (Also, Node 5 was never +part of LTS, and will see no further support now that Node 7 has been +released.) As a small team with limited resources, the npm CLI team is +following suit and dropping those versions of Node from its CI test +matrix. + +What this means: + +* Your contributions will no longer block on the tests passing on 0.10 and 0.12. +* We will no longer block dependency upgrades on working with 0.10 and 0.12. +* Bugs filed on the npm CLI that are due to incompatibilities with 0.10 + or 0.12 (and older versions) will be closed with a strong urging to + upgrade to a supported version of Node. +* On the flip side, we'll continue to (happily!) accept patches that + address regressions seen when running the CLI with Node.js 0.10 and + 0.12. + +What this doesn't mean: + +* The CLI is going to start depending on ES2015+ features. npm continues + to work, in almost all cases, all the way back to Node.js 0.8, and our + long history of backwards compatibility is a source of pride for the + team. +* We aren't concerned about the problems of users who, for whatever + reason, can't update to newer versions of npm. As mentioned above, we're + happy to take community patches intended to address regressions. + +We're not super interested in taking sides on what version of Node.js +you "should" be running. We're a workflow tool, and we understand that +you all have a diverse set of operational environments you need to be +able to support. At the same time, we _are_ a small team, and we need +to put some limits on what we support. Tracking what's supported by our +runtime's own team seems most practical, so that's what we're doing. + +* [`ab630c9`](https://github.com/npm/npm/commit/ab630c9a7a1b40cdd4f1244be976c25ab1525907) + [#14503](https://github.com/npm/npm/pull/14503) + Node 6 is LTS; 5.x, 0.10, and 0.12 are unsupported. + ([@othiym23](https://github.com/othiym23)) +* [`731ae52`](https://github.com/npm/npm/commit/731ae526fb6e9951c43d82a26ccd357b63cc56c2) + [#14503](https://github.com/npm/npm/pull/14503) + Update supported version expression. + ([@othiym23](https://github.com/othiym23)) + +##### DISENTANGLING SCOPE + +The new `Npm-Scope` header was previously reusing the `scope` +configuration option to pass the current scope back to your current +registry (which, as [described +previously](https://github.com/npm/npm/blob/release-next/CHANGELOG.md#send-extra-headers-to-registry), is meant to set up some upcoming +registry features). It turns out that had some [seriously weird +consequences](https://github.com/npm/npm/issues/14412) in the case where +you were already configuring `scope` in your own environment. The CLI +now uses separate configuration for this. + +* [`39358f7`](https://github.com/npm/npm/commit/39358f732ded4aa46d86d593393a0d6bca5dc12a) + [#14477](https://github.com/npm/npm/pull/14477) + Differentiate registry scope from project scope in configuration. + ([@zkat](https://github.com/zkat)) + +#### SMALLER CHANGES + +* [`7f41295`](https://github.com/npm/npm/commit/7f41295775f28b958a926f9cb371cb37b05771dd) + [#14519](https://github.com/npm/npm/pull/14519) + Document that as of `npm@4.0.1`, `npm shrinkwrap` now includes `devDependencies` unless + instructed otherwise. + ([@iarna](https://github.com/iarna)) +* [`bdc2f9e`](https://github.com/npm/npm/commit/bdc2f9e255ddf1a47fd13ec8749d17ed41638b2c) + [#14501](https://github.com/npm/npm/pull/14501) + The `ENOSELF` error message is tricky to word. It's also an error that + normally bites new users. Clean it up in an effort to make it easier + to understand what's going on. + ([@snopeks](https://github.com/snopeks), [@zkat](https://github.com/zkat)) + +#### DEPENDENCY UPGRADES + +* [`a52d0f0`](https://github.com/npm/npm/commit/a52d0f0c9cf2de5caef77e12eabd7dca9e89b49c) + `glob@7.1.1`: + - Handle files without associated perms on Windows. + - Fix failing case with `absolute` option. + ([@isaacs](https://github.com/isaacs), [@phated](https://github.com/phated)) +* [`afda66d`](https://github.com/npm/npm/commit/afda66d9afcdcbae1d148f589287583c4182d124) + [isaacs/node-graceful-fs#97](https://github.com/isaacs/node-graceful-fs/pull/97) + `graceful-fs@4.1.10`: Better backoff for EPERM on Windows. + ([@sam-github](https://github.com/sam-github)) +* [`e0023c0`](https://github.com/npm/npm/commit/e0023c089ded9161fbcbe544f12b07e12e3e5729) + [npm/inflight#3](https://github.com/npm/inflight/pull/3) + `inflight@1.0.6`: Clean up even if / when a callback throws. + ([@phated](https://github.com/phated)) +* [`1d91594`](https://github.com/npm/npm/commit/1d9159440364d2fe21e8bc15e08e284aaa118347) + `request@2.78.0` + ([@othiym23](https://github.com/othiym23)) + +### v4.0.1 (2016-10-24) + +Ayyyy~ 🌊 + +So thanks to folks who were running on `npm@next`, we managed to find a few +issues of notes in that preview version, and we're rolling out a small patch +change to fix them. Most notably, anyone who was using a symlinked `node` binary +(for example, if they installed Node.js through `homebrew`), was getting a very +loud warning every time they ran scripts. Y'all should get warnings in a more +useful way, now that we're resolving those path symlinks. + +Another fairly big change that we decided to slap into this version, since +`npm@4.0.0` is never going to be `latest`, is to make it so `devDependencies` +are included in `npm-shrinkwrap.json` by default -- if you do not want this, use +`--production` with `npm shrinkwrap`. + +#### BIG FIXES/CHANGES + +* [`eff46dd`](https://github.com/npm/npm/commit/eff46dd498ed007bfa77ab7782040a3a828b852d) + [#14374](https://github.com/npm/npm/pull/14374) + Fully resolve the path for `node` executables in both `$PATH` and + `process.execPath` to avoid issues with symlinked `node`. + ([@addaleax](https://github.com/addaleax)) +* [`964f2d3`](https://github.com/npm/npm/commit/964f2d3a0675584267e6ece95b0115a53c6ca6a9) + [#14375](https://github.com/npm/npm/pull/14375) + Make including `devDependencies` in `npm-shrinkwrap.json` the default. This + should help make the transition to `npm@5` smoother in the future. + ([@iarna](https://github.com/iarna)) + +#### BUGFIXES + +* [`a5b0a8d`](https://github.com/npm/npm/commit/a5b0a8db561916086fc7dbd6eb2836c952a42a7e) + [#14400](https://github.com/npm/npm/pull/14400) + Recently, we've had some consistent timeout failures while running the test + suite under Travis. This tweak to tests should take care of those issues and + Travis should go back to being reliably green. + ([@iarna](https://github.com/iarna)) + +#### DOC PATCHES + +* [`c5907b2`](https://github.com/npm/npm/commit/c5907b2fc1a82ec919afe3b370ecd34d8895c7a2) + [#14251](https://github.com/npm/npm/pull/14251) + Update links to Node.js downloads. They previously pointed to 404 pages.😬 + ([@ArtskydJ](https://github.com/ArtskydJ)) +* [`0c122f2`](https://github.com/npm/npm/commit/0c122f24ff1d4d400975edda2b7262aaaf6f7d69) + [#14380](https://github.com/npm/npm/pull/14380) + Add note and clarification on when `prepare` script is run. Make it more + consistent with surrounding descriptions. + ([@SimenB](https://github.com/SimenB)) +* [`51a62ab`](https://github.com/npm/npm/commit/51a62abd88324ba3dad18e18ca5e741f1d60883c) + [#14359](https://github.com/npm/npm/pull/14359) + Fixes typo in `npm@4` changelog. + ([@kimroen](https://github.com/kimroen)) + +### v4.0.0 (2016-10-20) + +Welcome to `npm@4`, friends! + +This is our first semver major release since the release of `npm@3` just over a +year ago. Back then, `@3` turned out to be a bit of a ground-shaking release, +with a brand-new installer with significant structural changes to how npm set up +your tree. This is the end of an era, in a way. `npm@4` also marks the release +when we move *both* `npm@2` and `npm@3` into maintenance: We will no longer be +updating those release branches with anything except critical bugfixes and +security patches. + +While its predecessor had some pretty serious impaact, `npm@4` is expected to +have a much smaller effect on your day-to-day use of npm. Over the past year, +we've collected a handful of breaking changes that we wanted to get in which are +only breaking under a strict semver interpretation (which we follow). Some of +these are simple usability improvements, while others fix crashes and serious +issues that required a major release to include. + +We hope this release sees you well, and you can look forward to an accelerated +release pace now that the CLI team is done focusing on sustaining work -- our +Windows fixing and big bugs pushes -- and we can start focusing again on +usability, features, and performance. Keep an eye out for `npm@5` in Q1 2017, +too: We're planning a major overhaul of `shrinkwrap` as well as various speed +and usability fixes for that release. It's gonna be a fun ride. I promise. 😘 + +#### BRIEF OVERVIEW OF **BREAKING** CHANGES + +The following breaking changes are included in this release: + +* `npm search` rewritten to stream results, and no longer supports sorting. +* `npm scripts` no longer prepend the path of the node executable used to run + npm before running scripts. A `--scripts-prepend-node-path` option has been + added to configure this behavior. +* `npat` has been removed. +* `prepublish` has been deprecated, replaced by `prepare`. A `prepublishOnly` + script has been temporarily added, which will *only* run on `npm publish`. +* `npm outdated` exits with exit code `1` if it finds any outdated packages. +* `npm tag` has been removed after a deprecation cycle. Use `npm dist-tag`. +* Partial shrinkwraps are no longer supported. `npm-shrinkwrap.json` is + considered a complete installation manifest except for `devDependencies`. +* npm's default git branch is no longer `master`. We'll be using `latest` from + now on. + +#### SEARCH REWRITE (**BREAKING**) + +Let's face it -- `npm search` simply doesn't work anymore. Apart from the fact +that it grew slower over the years, it's reached a point where we can no longer +fit the entire registry metadata in memory, and anyone who tries to use the +command now sees a really awful memory overflow crash from node. + +It's still going to be some time before the CLI, registry, and web team are able +to overhaul `npm search` altogether, but until then, we've rewritten the +previous `npm search` implementation to *stream* results on the fly, from both +the search endpoint and a local cache. In absolute terms, you won't see a +performance increase and this patch *does* come at the cost of sorting +capabilities, but what it does do is start outputting results as it finds them. +This should make the experience much better, overall, and we believe this is an +acceptable band-aid until we have that search endpoint in place. + +Incidentally, if you want a really nice search experience, we recommend checking +out [npms.io](http://npms.io), which includes a handy-dandy +[`npms-cli`](https://npm.im/npms-cli) for command-line usage -- it's an npm +search site that returns high-quality results quickly and is operated by members +of the npm community. + +* [`cfd43b4`](https://github.com/npm/npm/commit/cfd43b49aed36d0e8ea6c35b07ed8b303b69be61) [`2b8057b`](https://github.com/npm/npm/commit/2b8057be2e1b51e97b1f8f38d7f58edf3ce2c145) + [#13746](https://github.com/npm/npm/pull/13746) + Stream search process end-to-end. + ([@zkat](https://github.com/zkat) and [@aredridel](https://github.com/aredridel)) +* [`50f4ec8`](https://github.com/npm/npm/commit/50f4ec8e8ce642aa6a58cb046b2b770ccf0029db) [`70b4bc2`](https://github.com/npm/npm/commit/70b4bc22ec8e81cd33b9448f5b45afd1a50d50ba) [`8fb470f`](https://github.com/npm/npm/commit/8fb470fe755c4ad3295cb75d7b4266f8e67f8d38) [`ac3a6e0`](https://github.com/npm/npm/commit/ac3a6e0eba61fb40099b1370c74ad1598777def4) [`bad54dd`](https://github.com/npm/npm/commit/bad54dd9f1119fe900a8d065f8537c6f1968b589) [`87d504e`](https://github.com/npm/npm/commit/87d504e0a61bccf09f5e975007d018de3a1c5f50) + [#13746](https://github.com/npm/npm/pull/13746) + Updated search-related tests. + ([@zkat](https://github.com/zkat)) +* [`3596de8`](https://github.com/npm/npm/commit/3596de88598c69eb5bae108703c8e74ca198b20c) + [#13746](https://github.com/npm/npm/pull/13746) + `JSONStream@1.2.1` + ([@zkat](https://github.com/zkat)) +* [`4b09209`](https://github.com/npm/npm/commit/4b09209bb605f547243065032a8b37772669745f) + [#13746](https://github.com/npm/npm/pull/13746) + `mississippi@1.2.0` + ([@zkat](https://github.com/zkat)) +* [`b650b39`](https://github.com/npm/npm/commit/b650b39d42654abb9eed1c7cd463b1c595ca2ef9) + [#13746](https://github.com/npm/npm/pull/13746) + `sorted-union-stream@2.1.3` + ([@zkat](https://github.com/zkat)) + +#### SCRIPT NODE PATH (**BREAKING**) + +Thanks to some great work by [@addaleax](https://github.com/addaleax), we've +addressed a fairly tricky issue involving the node process used by `npm +scripts`. + +Previously, npm would prefix the path of the node executable to the script's +`PATH`. This had the benefit of making sure that the node process would be the +same for both npm and `scripts` unless you had something like +[`node-bin`](https://npm.im/node-bin) in your `node_modules`. And it turns out +lots of people relied on this behavior being this way! + +It turns out that this had some unintended consequences: it broke systems like +[`nyc`](https://npm.im/nyc), but also completely broke/defeated things like +[`rvm`](https://rvm.io/) and +[`virtualenv`](https://virtualenv.pypa.io/en/stable/) by often causing things +that relied on them to fall back to the global system versions of ruby and +python. + +In the face of two perfectly valid, and used alternatives, we decided that the +second case was much more surprising for users, and that we should err on the +side of doing what those users expect. Anna put some hard work in and managed to +put together a patch that changes npm's behavior such that we no longer prepend +the node executable's path *by default*, and adds a new option, +`--scripts-prepend-node-path`, to allow users who rely on this behavior to have +it add the node path for them. + +This patch also makes it so this feature is discoverable by people who might run +into the first case above, by warning if the node executable is either missing +or shadowed by another one in `PATH`. This warning can also be disabled with the +`--scripts-prepend-node-path` option as needed. + +* [`3fb1eb3`](https://github.com/npm/npm/commit/3fb1eb3e00b5daf37f14e437d2818e9b65a43392) [`6a7d375`](https://github.com/npm/npm/commit/6a7d375d779ba5416fd5df154c6da673dd745d9d) [`378ae08`](https://github.com/npm/npm/commit/378ae08851882d6d2bc9b631b16b8c875d0b9704) + [#13409](https://github.com/npm/npm/pull/13409) + Add a `--scripts-prepend-node-path` option to configure whether npm prepends + the current node executable's path to `PATH`. + ([@addaleax](https://github.com/addaleax)) +* [`70b352c`](https://github.com/npm/npm/commit/70b352c6db41533b9a4bfaa9d91f7a2a1178f74e) + [#13409](https://github.com/npm/npm/pull/13409) + Change the default behaviour of npm to never prepending the current node + executable’s directory to `PATH` but printing a warning in the cases in which + it previously did. + ([@addaleax](https://github.com/addaleax)) + +#### REMOVE `npat` (**BREAKING**) + +Let's be real here -- almost no one knows this feature ever existed, and it's a +vestigial feature of the days when the ideal for npm was to distribute full +packages that could be directly developed on, even from the registry. + +It turns out the npm community decided to go a different way: primarily +publishing packages in a production-ready format, with no tests, build tools, +etc. And so, we say goodbye to `npat`. + +* [`e16c14a`](https://github.com/npm/npm/commit/e16c14afb6f52cb8b7adf60b2b26427f76773f2e) + [#14329](https://github.com/npm/npm/pull/14329) + Remove the npat feature. + ([@iarna](https://github.com/iarna)) + +#### NEW `prepare` SCRIPT. `prepublish` DEPRECATED (**BREAKING**) + +If there's anything that really seemed to confuse users, it's that the +`prepublish` script ran when invoking `npm install` without any arguments. + +Turns out many, many people really expected that it would only run on `npm +publish`, even if it actually did what most people expected: prepare the package +for publishing on the registry. + +And so, we've added a `prepare` command that runs in the exact same cases where +`prepublish` ran, and we've begun a deprecation cycle for `prepublish` itself +**only when run by `npm install`**, which will now include a warning any time +you use it that way. + +We've also added a `prepublishOnly` script which will execute **only** when `npm +publish` is invoked. Eventually, `prepublish` will stop executing on `npm +install`, and `prepublishOnly` will be removed, leaving `prepare` and +`prepublish` as two distinct lifecycles. + +* [`9b4a227`](https://github.com/npm/npm/commit/9b4a2278cee0a410a107c8ea4d11614731e0a943) [`bc32078`](https://github.com/npm/npm/commit/bc32078fa798acef0e036414cb448645f135b570) + [#14290](https://github.com/npm/npm/pull/14290) + Add `prepare` and `prepublishOnly` lifecyle events. + ([@othiym23](https://github.com/othiym23)) +* [`52fdefd`](https://github.com/npm/npm/commit/52fdefddb48f0c39c6e8eb4c118eb306c9436117) + [#14290](https://github.com/npm/npm/pull/14290) + Warn when running `prepublish` on `npm pack`. + ([@othiym23](https://github.com/othiym23)) +* [`4c2a948`](https://github.com/npm/npm/commit/4c2a9481b564cae3df3f4643766db4b987018a7b) [`a55bd65`](https://github.com/npm/npm/commit/a55bd651284552b93f7d972a2e944f65c1aa6c35) + [#14290](https://github.com/npm/npm/pull/14290) + Added `prepublish` warnings to `npm install`. + ([@zkat](https://github.com/zkat)) +* [`c27412b`](https://github.com/npm/npm/commit/c27412bb9fc7b09f7707c7d9ad23128959ae1abc) + [#14290](https://github.com/npm/npm/pull/14290) + Replace `prepublish` with `prepare` in `npm help package.json` documentation. + ([@zkat](https://github.com/zkat)) + +#### NO MORE PARTIAL SHRINKWRAPS (**BREAKING**) + +That's right. No more partial shrinkwraps. That means that if you have an +`npm-shrinkwrap.json` in your project, npm will no longer install anything that +isn't explicitly listed there, unless it's a `devDependency`. This will open +doors to some nice optimizations and make use of `npm shrinkwrap` just generally +smoother by removing some awful corner cases. We will also skip `devDependency` +installation from `package.json` if you added `devDependencies` to your +shrinkwrap by using `npm shrinkwrap --dev`. + +* [`b7dfae8`](https://github.com/npm/npm/commit/b7dfae8fd4dc0456605f7a921d20a829afd50864) + [#14327](https://github.com/npm/npm/pull/14327) + Use `readShrinkwrap` to read top level shrinkwrap. There's no reason for npm + to be doing its own bespoke heirloom-grade artisanal thing here. + ([@iarna](https://github.com/iarna)) +* [`0ae1f4b`](https://github.com/npm/npm/commit/0ae1f4b9d83af2d093974beb33f26d77fcc95bb9) [`4a54997`](https://github.com/npm/npm/commit/4a549970dc818d78b6de97728af08a1edb5ae7f0) [`f22a1ae`](https://github.com/npm/npm/commit/f22a1ae54b5d47f1a056a6e70868013ebaf66b79) [`3f61189`](https://github.com/npm/npm/commit/3f61189cb3843fee9f54288fefa95ade9cace066) + [#14327](https://github.com/npm/npm/pull/14327) + Treat shrinkwrap as canonical. That is, don't try to fill in for partial + shrinkwraps. Partial shrinkwraps should produce partial installs. If your + shrinkwrap contains NO `devDependencies` then we'll still try to install them + from your `package.json` instead of assuming you NEVER want `devDependencies`. + ([@iarna](https://github.com/iarna)) + +#### `npm tag` REMOVED (**BREAKING**) + +* [`94255da`](https://github.com/npm/npm/commit/94255da8ffc2d9ed6a0434001a643c1ad82fa483) + [#14328](https://github.com/npm/npm/pull/14328) + Remove deprecated tag command. Folks must use the `dist-tag` command from now + on. + ([@iarna](https://github.com/iarna)) + +#### NON-ZERO EXIT CODE ON OUTDATED DEPENDENCIES (**BREAKING**) + +* [`40a04d8`](https://github.com/npm/npm/commit/40a04d888d10a5952d5ca4080f2f5d2339d2038a) [`e2fa18d`](https://github.com/npm/npm/commit/e2fa18d9f7904eb048db7280b40787cb2cdf87b3) [`3ee3948`](https://github.com/npm/npm/commit/3ee39488b74c7d35fbb5c14295e33b5a77578104) [`3fa25d0`](https://github.com/npm/npm/commit/3fa25d02a8ff07c42c595f84ae4821bc9ee908df) + [#14013](https://github.com/npm/npm/pull/14013) + Do `exit 1` if any outdated dependencies are found by `npm outdated`. + ([@watilde](https://github.com/watilde)) +* [`c81838a`](https://github.com/npm/npm/commit/c81838ae96b253f4b1ac66af619317a3a9da418e) + [#14013](https://github.com/npm/npm/pull/14013) + Log non-zero exit codes at `verbose` level -- this isn't something command + line tools tend to do. It's generally the shell's job to display, if at all. + ([@zkat](https://github.com/zkat)) + +#### SEND EXTRA HEADERS TO REGISTRY + +For the purposes of supporting shiny new registry features, we've started +sending `Npm-Scope` and `Npm-In-CI` headers in outgoing requests. + +* [`846f61c`](https://github.com/npm/npm/commit/846f61c1dd4a033f77aa736ab01c27ae6724fe1c) + [npm/npm-registry-client#145](https://github.com/npm/npm-registry-client/pull/145) + [npm/npm-registry-client#147](https://github.com/npm/npm-registry-client/pull/147) + `npm-registry-client@7.3.0`: + * Allow npm to add headers to outgoing requests. + * Add `Npm-In-CI` header that reports whether we're running in CI. + ([@iarna](https://github.com/iarna)) +* [`6b6bb08`](https://github.com/npm/npm/commit/6b6bb08af661221224a81df8adb0b72019ca3e11) + [#14129](https://github.com/npm/npm/pull/14129) + Send `Npm-Scope` header along with requests to registry. `Npm-Scope` is set to + the `@scope` of the current top level project. This will allow registries to + implement user/scope-aware features and services. + ([@iarna](https://github.com/iarna)) +* [`506de80`](https://github.com/npm/npm/commit/506de80dc0a0576ec2aab0ed8dc3eef3c1dabc23) + [#14129](https://github.com/npm/npm/pull/14129) + Add test to ensure `Npm-In-CI` header is being sent when CI is set in env. + ([@iarna](https://github.com/iarna)) + +#### BUGFIXES + +* [`bc84012`](https://github.com/npm/npm/commit/bc84012c2c615024b08868acbd8df53a7ca8d146) + [#14117](https://github.com/npm/npm/pull/14117) + Fixes a bug where installing a shrinkwrapped package would fail if the + platform failed to install an optional dependency included in the shrinkwrap. + ([@watilde](https://github.com/watilde)) +* [`a40b32d`](https://github.com/npm/npm/commit/a40b32dc7fe18f007a672219a12d6fecef800f9d) + [#13519](https://github.com/npm/npm/pull/13519) + If a package has malformed metadata, `node.requiredBy` is sometimes missing. + Stop crashing when that happens. + ([@creationix](https://github.com/creationix)) + +#### OTHER PATCHES + +* [`643dae2`](https://github.com/npm/npm/commit/643dae2197c56f1c725ecc6539786bf82962d0fe) + [#14244](https://github.com/npm/npm/pull/14244) + Remove some ancient aliases that we'd rather not have around. + ([@zkat](https://github.com/zkat)) +* [`bdeac3e`](https://github.com/npm/npm/commit/bdeac3e0fb226e4777d4be5cd3c3bec8231c8044) + [#14230](https://github.com/npm/npm/pull/14230) + Detect unsupported Node.js versions and warn about it. Also error on really + old versions where we know we can't work. + ([@iarna](https://github.com/iarna)) + +#### DOC UPDATES + +* [`9ca18ad`](https://github.com/npm/npm/commit/9ca18ada7cc1c10b2d32bbb59d5a99dd1c743109) + [#13746](https://github.com/npm/npm/pull/13746) + Updated docs for `npm search` options. + ([@zkat](https://github.com/zkat)) +* [`e02a47f`](https://github.com/npm/npm/commit/e02a47f9698ff082488dc2b1738afabb0912793e) + Move the `npm@3` changelog into the archived changelogs directory. + ([@zkat](https://github.com/zkat)) +* [`c12bbf8`](https://github.com/npm/npm/commit/c12bbf8c5a5dff24a191b66ac638f552bfb76601) + [#14290](https://github.com/npm/npm/pull/14290) + Document prepublish-on-install deprecation. + ([@othiym23](https://github.com/othiym23)) +* [`c246a75`](https://github.com/npm/npm/commit/c246a75ac8697f4ca11d316b7e7db5f24af7972b) + [#14129](https://github.com/npm/npm/pull/14129) + Document headers added by npm to outgoing registry requests. + ([@iarna](https://github.com/iarna)) + +#### DEPENDENCIES + +* [`cb20c73`](https://github.com/npm/npm/commit/cb20c7373a32daaccba2c1ad32d0b7e1fc01a681) + [#13953](https://github.com/npm/npm/pull/13953) + `signal-exit@3.0.1` + ([@benjamincoe](https://github.com/benjamincoe)) diff --git a/deps/npm/doc/cli/npm-cache.md b/deps/npm/doc/cli/npm-cache.md index ea8cb1b9917759..92a6236c0c9e90 100644 --- a/deps/npm/doc/cli/npm-cache.md +++ b/deps/npm/doc/cli/npm-cache.md @@ -8,11 +8,11 @@ npm-cache(1) -- Manipulates packages cache npm cache add npm cache add @ - npm cache ls [] - npm cache clean [] aliases: npm cache clear, npm cache rm + npm cache verify + ## DESCRIPTION Used to add, list, or clean the npm cache folder. @@ -22,35 +22,45 @@ Used to add, list, or clean the npm cache folder. intended to be used internally by npm, but it can provide a way to add data to the local installation cache explicitly. -* ls: - Show the data in the cache. Argument is a path to show in the cache - folder. Works a bit like the `find` program, but limited by the - `depth` config. - * clean: - Delete data out of the cache folder. If an argument is provided, then - it specifies a subpath to delete. If no argument is provided, then - the entire cache is deleted. + Delete all data out of the cache folder. + +* verify: + Verify the contents of the cache folder, garbage collecting any unneeded data, + and verifying the integrity of the cache index and all cached data. ## DETAILS -npm stores cache data in the directory specified in `npm config get cache`. -For each package that is added to the cache, three pieces of information are -stored in `{cache}/{name}/{version}`: +npm stores cache data in an opaque directory within the configured `cache`, +named `_cacache`. This directory is a `cacache`-based content-addressable cache +that stores all http request data as well as other package-related data. This +directory is primarily accessed through `pacote`, the library responsible for +all package fetching as of npm@5. + +All data that passes through the cache is fully verified for integrity on both +insertion and extraction. Cache corruption will either trigger an error, or +signal to `pacote` that the data must be refetched, which it will do +automatically. For this reason, it should never be necessary to clear the cache +for any reason other than reclaiming disk space, thus why `clean` now requires +`--force` to run. + +There is currently no method exposed through npm to inspect or directly manage +the contents of this cache. In order to access it, `cacache` must be used +directly. + +npm will not remove data by itself: the cache will grow as new packages are +installed. -* .../package/package.json: - The package.json file, as npm sees it. -* .../package.tgz: - The tarball for that version. +## A NOTE ABOUT THE CACHE'S DESIGN -Additionally, whenever a registry request is made, a `.cache.json` file -is placed at the corresponding URI, to store the ETag and the requested -data. This is stored in `{cache}/{hostname}/{path}/.cache.json`. +The npm cache is strictly a cache: it should not be relied upon as a persistent +and reliable data store for package data. npm makes no guarantee that a +previously-cached piece of data will be available later, and will automatically +delete corrupted contents. The primary guarantee that the cache makes is that, +if it does return data, that data will be exactly the data that was inserted. -Commands that make non-essential registry requests (such as `search` and -`view`, or the completion scripts) generally specify a minimum timeout. -If the `.cache.json` file is younger than the specified timeout, then -they do not make an HTTP request to the registry. +To run an offline verification of existing cache contents, use `npm cache +verify`. ## CONFIGURATION @@ -69,3 +79,5 @@ The root cache folder. * npm-install(1) * npm-publish(1) * npm-pack(1) +* https://npm.im/cacache +* https://npm.im/pacote diff --git a/deps/npm/doc/cli/npm-install.md b/deps/npm/doc/cli/npm-install.md index 6a37fcc76b8bdf..44cb68792bfff7 100644 --- a/deps/npm/doc/cli/npm-install.md +++ b/deps/npm/doc/cli/npm-install.md @@ -8,18 +8,21 @@ npm-install(1) -- Install a package npm install [<@scope>/]@ npm install [<@scope>/]@ npm install [<@scope>/]@ + npm install :/ + npm install npm install npm install npm install alias: npm i - common options: [-S|--save|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--dry-run] + common options: [-P|--save-prod|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--no-save] [--dry-run] ## DESCRIPTION This command installs a package, and any packages that it depends on. If the -package has a shrinkwrap file, the installation of dependencies will be driven -by that. See npm-shrinkwrap(1). +package has a package-lock or shrinkwrap file, the installation of dependencies +will be driven by that, with an `npm-shrinkwrap.json` taking precedence if both +files exist. See package-lock.json(5) and npm-shrinkwrap(1). A `package` is: @@ -54,13 +57,17 @@ after packing it up into a tarball (b). * `npm install `: - Install a package that is sitting in a folder on the filesystem. + Install the package in the directory as a symlink in the current project. + Its dependencies will be installed before it's linked. If `` sits + inside the root of your project, its dependencies may be hoisted to the + toplevel `node_modules` as they would for other types of dependencies. * `npm install `: Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by - using `npm link`. + using `npm link`. The filename *must* use `.tar`, `.tar.gz`, or `.tgz` as + the extension. Example: @@ -75,27 +82,31 @@ after packing it up into a tarball (b). npm install https://github.com/indexzero/forever/tarball/v0.5.6 -* `npm install [<@scope>/] [-S|--save|-D|--save-dev|-O|--save-optional]`: +* `npm install [<@scope>/]`: Do a `@` install, where `` is the "tag" config. (See `npm-config(7)`. The config's default value is `latest`.) - In most cases, this will install the latest version - of the module published on npm. + In most cases, this will install the version of the modules tagged as + `latest` on the npm registry. Example: npm install sax - `npm install` takes 3 exclusive, optional flags which save or update - the package version in your main package.json: + `npm install` saves any specified packages into `dependencies` by default. + Additionally, you can control where and how they get saved with some + additional flags: - * `-S, --save`: Package will appear in your `dependencies`. + * `-P, --save-prod`: Package will appear in your `dependencies`. This is the + default unless `-D` or `-O` are present. * `-D, --save-dev`: Package will appear in your `devDependencies`. * `-O, --save-optional`: Package will appear in your `optionalDependencies`. + * `--no-save`: Prevents saving to `dependencies`. + When using any of the above options to save dependencies to your package.json, there are two additional, optional flags: @@ -105,8 +116,8 @@ after packing it up into a tarball (b). * `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list. - Further, if you have an `npm-shrinkwrap.json` then it will be updated as - well. + Further, if you have an `npm-shrinkwrap.json` or `package-lock.json` then it + will be updated as well. `` is optional. The package will be downloaded from the registry associated with the specified scope. If no registry is associated with @@ -118,13 +129,13 @@ after packing it up into a tarball (b). Examples: - npm install sax --save + npm install sax npm install githubname/reponame npm install @myorg/privatepackage npm install node-tap --save-dev npm install dtrace-provider --save-optional - npm install readable-stream --save --save-exact - npm install ansi-regex --save --save-bundle + npm install readable-stream --save-exact + npm install ansi-regex --save-bundle **Note**: If there is a file or folder named `` in the current @@ -167,20 +178,30 @@ after packing it up into a tarball (b). * `npm install `: - Installs the package from the hosted git provider, cloning it with - `git`. First it tries via the https (git with github) and if that fails, via ssh. + Installs the package from the hosted git provider, cloning it with `git`. + For a full git remote url, only that URL will be attempted. + + ://[[:]@][:][:][/][# | #semver:] + + `` is one of `git`, `git+ssh`, `git+http`, `git+https`, or + `git+file`. - ://[[:]@][:][:][/][#] + If `#` is provided, it will be used to clone exactly that + commit. If the commit-ish has the format `#semver:`, `` can + be any valid semver range or exact version, and npm will look for any tags + or refs matching that range in the remote repository, much as it would for a + registry dependency. If neither `#` or `#semver:` is + specified, then `master` is used. - `` is one of `git`, `git+ssh`, `git+http`, `git+https`, - or `git+file`. - If no `` is specified, then `master` is used. + If the repository makes use of submodules, those submodules will be cloned + as well. - If the repository makes use of submodules, those submodules will - be cloned as well. + If the package being installed contains a `prepare` script, its + `dependencies` and `devDependencies` will be installed, and the prepare + script will be run, before the package is packaged and installed. - The following git environment variables are recognized by npm and will be added - to the environment when running git: + The following git environment variables are recognized by npm and will be + added to the environment when running git: * `GIT_ASKPASS` * `GIT_EXEC_PATH` @@ -195,6 +216,7 @@ after packing it up into a tarball (b). Examples: npm install git+ssh://git@github.com:npm/npm.git#v1.0.27 + npm install git+ssh://git@github.com:npm/npm#semver:^5.0 npm install git+https://isaacs@github.com/npm/npm.git npm install git://github.com/npm/npm.git#v1.0.27 GIT_SSH_COMMAND='ssh -i ~/.ssh/custom_ident' npm install git+ssh://git@github.com:npm/npm.git @@ -205,20 +227,31 @@ after packing it up into a tarball (b). Install the package at `https://github.com/githubname/githubrepo` by attempting to clone it using `git`. - If you don't specify a *commit-ish* then `master` will be used. + If `#` is provided, it will be used to clone exactly that + commit. If the commit-ish has the format `#semver:`, `` can + be any valid semver range or exact version, and npm will look for any tags + or refs matching that range in the remote repository, much as it would for a + registry dependency. If neither `#` or `#semver:` is + specified, then `master` is used. + + As with regular git dependencies, `dependencies` and `devDependencies` will + be installed if the package has a `prepare` script, before the package is + done installing. Examples: npm install mygithubuser/myproject npm install github:mygithubuser/myproject -* `npm install gist:[/][#]`: +* `npm install gist:[/][#|#semver:]`: Install the package at `https://gist.github.com/gistID` by attempting to clone it using `git`. The GitHub username associated with the gist is - optional and will not be saved in `package.json` if `-S` or `--save` is used. + optional and will not be saved in `package.json`. - If you don't specify a *commit-ish* then `master` will be used. + As with regular git dependencies, `dependencies` and `devDependencies` will + be installed if the package has a `prepare` script, before the package is + done installing. Example: @@ -229,7 +262,16 @@ after packing it up into a tarball (b). Install the package at `https://bitbucket.org/bitbucketname/bitbucketrepo` by attempting to clone it using `git`. - If you don't specify a *commit-ish* then `master` will be used. + If `#` is provided, it will be used to clone exactly that + commit. If the commit-ish has the format `#semver:`, `` can + be any valid semver range or exact version, and npm will look for any tags + or refs matching that range in the remote repository, much as it would for a + registry dependency. If neither `#` or `#semver:` is + specified, then `master` is used. + + As with regular git dependencies, `dependencies` and `devDependencies` will + be installed if the package has a `prepare` script, before the package is + done installing. Example: @@ -240,11 +282,21 @@ after packing it up into a tarball (b). Install the package at `https://gitlab.com/gitlabname/gitlabrepo` by attempting to clone it using `git`. - If you don't specify a *commit-ish* then `master` will be used. + If `#` is provided, it will be used to clone exactly that + commit. If the commit-ish has the format `#semver:`, `` can + be any valid semver range or exact version, and npm will look for any tags + or refs matching that range in the remote repository, much as it would for a + registry dependency. If neither `#` or `#semver:` is + specified, then `master` is used. + + As with regular git dependencies, `dependencies` and `devDependencies` will + be installed if the package has a `prepare` script, before the package is + done installing. Example: npm install gitlab:mygitlabuser/myproject + npm install gitlab:myusr/myproj#semver:^5.0 You may combine multiple arguments, and even multiple types of arguments. For example: @@ -272,7 +324,7 @@ global `node_modules` folder. Only your direct dependencies will show in `node_modules` and everything they depend on will be flattened in their `node_modules` folders. This obviously will eliminate some deduping. -The `--ignore-scripts` argument will cause npm to not execute any +The `--ignore-scripts` argument will cause npm to not execute any scripts defined in the package.json. See `npm-scripts(7)`. The `--legacy-bundling` argument will cause npm to install the package such @@ -289,7 +341,7 @@ The `--no-optional` argument will prevent optional dependencies from being installed. The `--no-shrinkwrap` argument, which will ignore an available -shrinkwrap file and use the package.json instead. +package lock or shrinkwrap file and use the package.json instead. The `--nodedir=/path/to/node/source` argument will allow npm to find the node source code so that npm can compile native modules. @@ -336,7 +388,9 @@ For `A{B,C}, B{C,D@1}, C{D@2}`, this algorithm produces: +-- D@1 Because B's D@1 will be installed in the top level, C now has to install D@2 -privately for itself. +privately for itself. This algorithm is deterministic, but different trees may +be produced if two dependencies are requested for installation in a different +order. See npm-folders(5) for a more detailed description of the specific folder structures that npm creates. diff --git a/deps/npm/doc/cli/npm-publish.md b/deps/npm/doc/cli/npm-publish.md index caf1fd24307500..892786b61d9556 100644 --- a/deps/npm/doc/cli/npm-publish.md +++ b/deps/npm/doc/cli/npm-publish.md @@ -48,6 +48,10 @@ Once a package is published with a given name and version, that specific name and version combination can never be used again, even if it is removed with npm-unpublish(1). +As of `npm@5`, both a sha1sum and an integrity field with a sha512sum of the +tarball will be submitted to the registry during publication. Subsequent +installs will use the strongest supported algorithm to verify downloads. + For a "dry run" that does everything except actually publishing to the registry, see `npm-pack(1)`, which figures out the files to be included and packs them into a tarball to be uploaded to the registry. diff --git a/deps/npm/doc/cli/npm-shrinkwrap.md b/deps/npm/doc/cli/npm-shrinkwrap.md index ae04bd02bbf8a0..4c223a86cc1b75 100644 --- a/deps/npm/doc/cli/npm-shrinkwrap.md +++ b/deps/npm/doc/cli/npm-shrinkwrap.md @@ -1,4 +1,4 @@ -npm-shrinkwrap(1) -- Lock down dependency versions +npm-shrinkwrap(1) -- Lock down dependency versions for publication ===================================================== ## SYNOPSIS @@ -7,181 +7,11 @@ npm-shrinkwrap(1) -- Lock down dependency versions ## DESCRIPTION -This command locks down the versions of a package's dependencies so -that you can control exactly which versions of each dependency will be -used when your package is installed. The `package.json` file is still -required if you want to use `npm install`. - -By default, `npm install` recursively installs the target's -dependencies (as specified in `package.json`), choosing the latest -available version that satisfies the dependency's semver pattern. In -some situations, particularly when shipping software where each change -is tightly managed, it's desirable to fully specify each version of -each dependency recursively so that subsequent builds and deploys do -not inadvertently pick up newer versions of a dependency that satisfy -the semver pattern. Specifying specific semver patterns in each -dependency's `package.json` would facilitate this, but that's not always -possible or desirable, as when another author owns the npm package. -It's also possible to check dependencies directly into source control, -but that may be undesirable for other reasons. - -As an example, consider package A: - - { - "name": "A", - "version": "0.1.0", - "dependencies": { - "B": "<0.1.0" - } - } - -package B: - - { - "name": "B", - "version": "0.0.1", - "dependencies": { - "C": "<0.1.0" - } - } - -and package C: - - { - "name": "C", - "version": "0.0.1" - } - -If these are the only versions of A, B, and C available in the -registry, then a normal `npm install A` will install: - - A@0.1.0 - `-- B@0.0.1 - `-- C@0.0.1 - -However, if B@0.0.2 is published, then a fresh `npm install A` will -install: - - A@0.1.0 - `-- B@0.0.2 - `-- C@0.0.1 - -assuming the new version did not modify B's dependencies. Of course, -the new version of B could include a new version of C and any number -of new dependencies. If such changes are undesirable, the author of A -could specify a dependency on B@0.0.1. However, if A's author and B's -author are not the same person, there's no way for A's author to say -that he or she does not want to pull in newly published versions of C -when B hasn't changed at all. - -In this case, A's author can run - - npm shrinkwrap - -This generates `npm-shrinkwrap.json`, which will look something like this: - - { - "name": "A", - "version": "0.1.0", - "dependencies": { - "B": { - "version": "0.0.1", - "from": "B@^0.0.1", - "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz", - "dependencies": { - "C": { - "version": "0.0.1", - "from": "org/C#v0.0.1", - "resolved": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4" - } - } - } - } - } - -The shrinkwrap command has locked down the dependencies based on what's -currently installed in `node_modules`. The installation behavior is changed to: - -1. The module tree described by the shrinkwrap is reproduced. This means -reproducing the structure described in the file, using the specific files -referenced in "resolved" if available, falling back to normal package -resolution using "version" if one isn't. - -2. The tree is walked and any missing dependencies are installed in the usual fashion. - -If `preshrinkwrap`, `shrinkwrap` or `postshrinkwrap` are in the `scripts` property of the -`package.json`, they will be executed by running `npm shrinkwrap`. -`preshrinkwrap` and `shrinkwrap` are executed before the shrinkwrap, `postshrinkwrap` is -executed afterwards. For example to run some postprocessing on the generated file: - - "scripts": { "postshrinkwrap": "node fix-shrinkwrap.js" } - - -### Using shrinkwrapped packages - -Using a shrinkwrapped package is no different than using any other -package: you can `npm install` it by hand, or add a dependency to your -`package.json` file and `npm install` it. - -### Building shrinkwrapped packages - -To shrinkwrap an existing package: - -1. Run `npm install` in the package root to install the current - versions of all dependencies. -2. Validate that the package works as expected with these versions. -3. Run `npm shrinkwrap`, add `npm-shrinkwrap.json` to git, and publish - your package. - -To add or update a dependency in a shrinkwrapped package: - -1. Run `npm install` in the package root to install the current - versions of all dependencies. -2. Add or update dependencies. `npm install --save` or `npm install --save-dev` - each new or updated package individually to update the `package.json` and - the shrinkwrap. Note that they must be explicitly named in order to be - installed: running `npm install` with no arguments will merely reproduce - the existing shrinkwrap. -3. Validate that the package works as expected with the new - dependencies. -4. Commit the new `npm-shrinkwrap.json`, and publish your package. - -You can use npm-outdated(1) to view dependencies with newer versions -available. - -### Other Notes - -A shrinkwrap file must be consistent with the package's `package.json` -file. `npm shrinkwrap` will fail if required dependencies are not -already installed, since that would result in a shrinkwrap that -wouldn't actually work. Similarly, the command will fail if there are -extraneous packages (not referenced by `package.json`), since that would -indicate that `package.json` is not correct. - -Starting with npm v4.0.1, `devDependencies` are included when you run -`npm shrinkwrap` and follow the usual rules as to when they're installed. -As of npm v3.10.8, if you run `npm install --only=production` or -`npm install --production` with a shrinkwrap including your development -dependencies they won't be installed. Similarly, if the environment -variable `NODE_ENV` is `production` then they won't be installed. If you -need compatibility with versions of npm prior to v3.10.8 or otherwise -don't want them in your shrinkwrap you can exclude development -dependencies with: -`npm shrinkwrap --only=prod` or `npm shrinkwrap --production`. - -If shrinkwrapped package A depends on shrinkwrapped package B, B's -shrinkwrap will not be used as part of the installation of A. However, -because A's shrinkwrap is constructed from a valid installation of B -and recursively specifies all dependencies, the contents of B's -shrinkwrap will implicitly be included in A's shrinkwrap. - -### Caveats - -If you wish to lock down the specific bytes included in a package, for -example to have 100% confidence in being able to reproduce a -deployment or build, then you ought to check your dependencies into -source control, or pursue some other mechanism that can verify -contents rather than versions. +This command repurposes `package-lock.json` into a publishable +`npm-shrinkwrap.json` or simply creates a new one. The file created and updated +by this command will then take precedence over any other existing or future +`package-lock.json` files. For a detailed explanation of the design and purpose +of package locks in npm, see npm-package-locks(5). ## SEE ALSO @@ -189,4 +19,7 @@ contents rather than versions. * npm-run-script(1) * npm-scripts(7) * package.json(5) +* npm-package-locks(5) +* package-lock.json(5) +* npm-shrinkwrap.json(5) * npm-ls(1) diff --git a/deps/npm/doc/files/npm-package-locks.md b/deps/npm/doc/files/npm-package-locks.md new file mode 100644 index 00000000000000..73786dc91a3156 --- /dev/null +++ b/deps/npm/doc/files/npm-package-locks.md @@ -0,0 +1,145 @@ +npm-package-locks(5) -- An explanation of npm lockfiles +===================================================== + +## DESCRIPTION + +Conceptually, the "input" to npm-install(1) is a package.json(5), while its +"output" is a fully-formed `node_modules` tree: a representation of the +dependencies you declared. In an ideal world, npm would work like a pure +function: the same `package.json` should produce the exact same `node_modules` +tree, any time. In some cases, this is indeed true. But in many others, npm is +unable to do this. There are multiple reasons for this: + +* different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms. + +* a new version of a direct semver-range package may have been published since the last time your packages were installed, and thus a newer version will be used. + +* A dependency of one of your dependencies may have published a new version, which will update even if you used pinned dependency specifiers (`1.2.3` instead of `^1.2.3`) + +* The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different version of a package exists under the same version number now. + +As an example, consider package A: + + { + "name": "A", + "version": "0.1.0", + "dependencies": { + "B": "<0.1.0" + } + } + +package B: + + { + "name": "B", + "version": "0.0.1", + "dependencies": { + "C": "<0.1.0" + } + } + +and package C: + + { + "name": "C", + "version": "0.0.1" + } + +If these are the only versions of A, B, and C available in the +registry, then a normal `npm install A` will install: + + A@0.1.0 + `-- B@0.0.1 + `-- C@0.0.1 + +However, if B@0.0.2 is published, then a fresh `npm install A` will +install: + + A@0.1.0 + `-- B@0.0.2 + `-- C@0.0.1 + +assuming the new version did not modify B's dependencies. Of course, +the new version of B could include a new version of C and any number +of new dependencies. If such changes are undesirable, the author of A +could specify a dependency on B@0.0.1. However, if A's author and B's +author are not the same person, there's no way for A's author to say +that he or she does not want to pull in newly published versions of C +when B hasn't changed at all. + +To prevent this potential issue, npm uses package-lock.json(5) or, if present, +npm-shrinkwrap.json(5). These files are called package locks, or lockfiles. + +Whenever you run `npm install`, npm generates or updates your package lock, +which will look something like this: + + { + "name": "A", + "version": "0.1.0", + ...metadata fields... + "dependencies": { + "B": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz", + "integrity": "sha512-DeAdb33F+" + "dependencies": { + "C": { + "version": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4" + } + } + } + } + } + +This file describes an *exact*, and more importantly *reproducible* +`node_modules` tree. Once it's present, and future installation will base its +work off this file, instead of recalculating dependency versions off +package.json(5). + +The presence of a package lock changes the installation behavior such that: + +1. The module tree described by the package lock is reproduced. This means +reproducing the structure described in the file, using the specific files +referenced in "resolved" if available, falling back to normal package resolution +using "version" if one isn't. + +2. The tree is walked and any missing dependencies are installed in the usual +fashion. + +If `preshrinkwrap`, `shrinkwrap` or `postshrinkwrap` are in the `scripts` +property of the `package.json`, they will be executed in order. `preshrinkwrap` +and `shrinkwrap` are executed before the shrinkwrap, `postshrinkwrap` is +executed afterwards. These scripts run for both `package-lock.json` and +`npm-shrinkwrap.json`. For example to run some postprocessing on the generated +file: + + "scripts": { + "postshrinkwrap": "json -I -e \"this.myMetadata = $MY_APP_METADATA\"" + } + + +### Using locked packages + +Using a locked package is no different than using any package without a package +lock: any commands that update `node_modules` and/or `package.json`'s +dependencies will automatically sync the existing lockfile. This includes `npm +install`, `npm rm`, `npm update`, etc. To prevent this update from happening, +you can use the `--no-save` option to prevent saving altogether, or +`--no-shrinkwrap` to allow `package.json` to be updated while leaving +`package-lock.json` or `npm-shrinkwrap.json` intact. + +It is highly recommended you commit the generated package lock to source +control: this will allow anyone else on your team, your deployments, your +CI/continuous integration, and anyone else who runs `npm install` in your +package source to get the exact same dependency tree that you were developing +on. Additionally, the diffs from these changes are human-readable and will +inform you of any changes npm has made to your `node_modules`, so you can notice +if any transitive dependencies were updated, hoisted, etc. + +## SEE ALSO + +* https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527 +* package.json(5) +* package-lock.json(5) +* npm-shrinkwrap.json(5) +* npm-shrinkwrap(1) diff --git a/deps/npm/doc/files/npm-shrinkwrap.json.md b/deps/npm/doc/files/npm-shrinkwrap.json.md new file mode 100644 index 00000000000000..8256398e86b1a8 --- /dev/null +++ b/deps/npm/doc/files/npm-shrinkwrap.json.md @@ -0,0 +1,27 @@ +npm-shrinkwrap.json(5) -- A publishable lockfile +===================================================== + +## DESCRIPTION + +`npm-shrinkwrap.json` is a file created by npm-shrinkwrap(1). It is identical to +`package-lock.json`, with one major caveat: Unlike `package-lock.json`, +`npm-shrinwkrap.json` may be included when publishing a package. + +The recommended use-case for `npm-shrinkwrap.json` is applications deployed +through the publishing process on the registry: for example, daemons and +command-line tools intended as global installs or `devDependencies`. It's +strongly discouraged for library authors to publish this file, since that would +prevent end users from having control over transitive dependency updates. + +Additionally, if both `package-lock.json` and `npm-shrinwkrap.json` are present +in a package root, `package-lock.json` will be ignored in favor of this file. + +For full details and description of the `npm-shrinkwrap.json` file format, refer +to the manual page for package-lock.json(5). + +## SEE ALSO + +* npm-shrinkwrap(1) +* package-lock.json(5) +* package.json(5) +* npm-install(1) diff --git a/deps/npm/doc/files/package-lock.json.md b/deps/npm/doc/files/package-lock.json.md new file mode 100644 index 00000000000000..dad219b4a14dd9 --- /dev/null +++ b/deps/npm/doc/files/package-lock.json.md @@ -0,0 +1,132 @@ +package-lock.json(5) -- A manifestation of the manifest +===================================================== + +## DESCRIPTION + +`package-lock.json` is automatically generated for any operations where npm +modifies either the `node_modules` tree, or `package.json`. It describes the +exact tree that was generated, such that subsequent installs are able to +generate identical trees, regardless of intermediate dependency updates. + +This file is intended to be committed into source repositories, and serves +various purposes: + +* Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies. + +* Provide a facility for users to "time-travel" to previous states of `node_modules` without having to commit the directory itself. + +* To facilitate greater visibility of tree changes through readable source control diffs. + +* And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages. + +One key detail about `package-lock.json` is that it cannot be published, and it +will be ignored if found in any place other than the toplevel package. It shares +a format with npm-shrinkwrap.json(5), which is essentially the same file, but +allows publication. This is not recommended unless deploying a CLI tool or +otherwise using the publication process for producing production packages. + +If both `package-lock.json` and `npm-shrinkwrap.json` are present in the root of +a package, `package-lock.json` will be completely ignored. + + +## FILE FORMAT + +### name + +The name of the package this is a package-lock for. This must match what's in +`package.json`. + +### version + +The version of the package this is a package-lock for. This must match what's in +`package.json`. + +### lockfileVersion + +An integer version, starting at `1` with the version number of this document +whose semantics were used when generating this `package-lock.json`. + +### packageIntegrity + +This is a [subresource +integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) value +created from the `pacakge.json`. No preprocessing of the `package.json` should +be done. Subresource integrity strings can be produced by modules like +[`ssri`](https://www.npmjs.com/package/ssri). + +### preserveSymlinks + +Indicates that the install was done with the environment variable +`NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of +this property match that environment variable. + +### dependencies + +A mapping of package name to dependency object. Dependency objects have the +following properties: + +#### version + +This is a specifier that uniquely identifies this package and should be +usable in fetching a new copy of it. + +* bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes. +* registry sources: This is a version number. (eg, `1.2.3`) +* git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`) +* http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`) +* local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`) +* local link sources: This is the file URL of the link. (eg `file:libs/our-module`) + +#### integrity + +This is a [Standard Subresource +Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for this +resource. + +* For bundled dependencies this is not included, regardless of source. +* For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`. +* For git sources this is the specific commit hash we cloned from. +* For remote tarball sources this is an integrity based on a SHA512 of + the file. +* For local tarball sources: This is an integrity field based on the SHA512 of the file. + +#### resolved + +* For bundled dependencies this is not included, regardless of source. +* For registry sources this is path of the tarball relative to the registry + URL. If the tarball URL isn't on the same server as the registry URL then + this is a complete URL. + +#### bundled + +If true, this is the bundled dependency and will be installed by the parent +module. When installing, this module will be extracted from the parent +module during the extract phase, not installed as a separate dependency. + +#### dev + +If true then this dependency is either a development dependency ONLY of the +top level module or a transitive dependency of one. This is false for +dependencies that are both a development dependency of the top level and a +transitive dependency of a non-development dependency of the top level. + +#### optional + +If true then this dependency is either an optional dependency ONLY of the +top level module or a transitive dependency of one. This is false for +dependencies that are both an optional dependency of the top level and a +transitive dependency of a non-optional dependency of the top level. + +All optional dependencies should be included even if they're uninstallable +on the current platform. + +#### dependencies + +The dependencies of this dependency, exactly as at the top level. + +## SEE ALSO + +* npm-shrinkwrap(1) +* package-lock.json(5) +* package.json(5) +* npm-install(1) diff --git a/deps/npm/doc/misc/npm-config.md b/deps/npm/doc/misc/npm-config.md index 0b7db2e0e5fa48..6fee98a90c7f9a 100644 --- a/deps/npm/doc/misc/npm-config.md +++ b/deps/npm/doc/misc/npm-config.md @@ -63,6 +63,7 @@ The following shorthands are parsed on the command-line: * `-f`: `--force` * `-desc`: `--description` * `-S`: `--save` +* `-P`: `--save-prod` * `-D`: `--save-dev` * `-O`: `--save-optional` * `-B`: `--save-bundle` @@ -682,6 +683,16 @@ Attempt to install packages in the `optionalDependencies` object. Note that if these packages fail to install, the overall installation process is not aborted. +### package-lock + +* Default: true +* Type: Boolean + +If set to false, then ignore `package-lock.json` files when installing. This +will also prevent _writing_ `package-lock.json` if `save` is true. + +This option is an alias for `--shrinkwrap`. + ### parseable * Default: false @@ -803,6 +814,17 @@ If a package would be saved at install time by the use of `--save`, When used with the `npm rm` command, it removes it from the bundledDependencies list. +### save-prod + +* Default: false +* Type: Boolean + +Makes sure that a package will be saved into `dependencies` specifically. This +is useful if a package already exists in `devDependencies` or +`optionalDependencies`, but you want to move it to be a production dep. This is +also the default behavior if `--save` is true, and neither `--save-dev` or +`--save-optional` are true. + ### save-dev * Default: false @@ -934,8 +956,10 @@ The shell to run for the `npm explore` command. * Default: true * Type: Boolean -If set to false, then ignore `npm-shrinkwrap.json` files when -installing. +If set to false, then ignore `npm-shrinkwrap.json` files when installing. This +will also prevent _writing_ `npm-shrinkwrap.json` if `save` is true. + +This option is an alias for `--package-lock`. ### sign-git-tag diff --git a/deps/npm/doc/misc/npm-index.md b/deps/npm/doc/misc/npm-index.md index 7569a225c7f146..ed478d84ad9119 100644 --- a/deps/npm/doc/misc/npm-index.md +++ b/deps/npm/doc/misc/npm-index.md @@ -163,7 +163,7 @@ Search for packages ### npm-shrinkwrap(1) -Lock down dependency versions +Lock down dependency versions for publication ### npm-star(1) @@ -225,10 +225,22 @@ File system structures npm uses Folder Structures Used by npm +### npm-package-locks(5) + +An explanation of npm lockfiles + +### npm-shrinkwrap.json(5) + +A publishable lockfile + ### npmrc(5) The npm config files +### package-lock.json(5) + +A manifestation of the manifest + ### package.json(5) Specifics of npm's package.json handling diff --git a/deps/npm/doc/misc/npm-scripts.md b/deps/npm/doc/misc/npm-scripts.md index 3f048716de693b..0e9c3bc6e76816 100644 --- a/deps/npm/doc/misc/npm-scripts.md +++ b/deps/npm/doc/misc/npm-scripts.md @@ -7,14 +7,20 @@ npm supports the "scripts" property of the package.json script, for the following scripts: * prepublish: - Run BEFORE the package is published. (Also run on local `npm - install` without any arguments. See below.) + Run BEFORE the package is packed and published, as well as on local `npm + install` without any arguments. (See below) * prepare: - Run both BEFORE the package is published, and on local `npm - install` without any arguments. (See below.) This is run + Run both BEFORE the package is packed and published, and on local `npm + install` without any arguments (See below). This is run AFTER `prepublish`, but BEFORE `prepublishOnly`. * prepublishOnly: - Run BEFORE the package is published. (See below.) + Run BEFORE the package is prepared and packed, ONLY on `npm publish`. (See + below.) +* prepack: + run BEFORE a tarball is packed (on `npm pack`, `npm publish`, and when + installing git dependencies) +* postpack: + Run AFTER the tarball has been generated and moved to its final destination. * publish, postpublish: Run AFTER the package is published. * preinstall: diff --git a/deps/npm/html/doc/README.html b/deps/npm/html/doc/README.html index 088f4f5fdb0402..eb4f72947d74b7 100644 --- a/deps/npm/html/doc/README.html +++ b/deps/npm/html/doc/README.html @@ -126,5 +126,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-access.html b/deps/npm/html/doc/cli/npm-access.html index e9010b45d1ab49..f015aacdbc89db 100644 --- a/deps/npm/html/doc/cli/npm-access.html +++ b/deps/npm/html/doc/cli/npm-access.html @@ -84,5 +84,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-adduser.html b/deps/npm/html/doc/cli/npm-adduser.html index 70a6d56bf78520..46385d7295f33d 100644 --- a/deps/npm/html/doc/cli/npm-adduser.html +++ b/deps/npm/html/doc/cli/npm-adduser.html @@ -81,5 +81,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-bin.html b/deps/npm/html/doc/cli/npm-bin.html index 922be47ec57145..962a3282d81901 100644 --- a/deps/npm/html/doc/cli/npm-bin.html +++ b/deps/npm/html/doc/cli/npm-bin.html @@ -35,5 +35,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-bugs.html b/deps/npm/html/doc/cli/npm-bugs.html index 420f373d8202a5..79e11b018ec61b 100644 --- a/deps/npm/html/doc/cli/npm-bugs.html +++ b/deps/npm/html/doc/cli/npm-bugs.html @@ -55,5 +55,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-build.html b/deps/npm/html/doc/cli/npm-build.html index 0fc55f149ce310..ba59bba643ab0a 100644 --- a/deps/npm/html/doc/cli/npm-build.html +++ b/deps/npm/html/doc/cli/npm-build.html @@ -40,5 +40,5 @@

DESCRIPTION

       - + diff --git a/deps/npm/html/doc/cli/npm-bundle.html b/deps/npm/html/doc/cli/npm-bundle.html index 5971604ba39586..8f3510f5b8f2a5 100644 --- a/deps/npm/html/doc/cli/npm-bundle.html +++ b/deps/npm/html/doc/cli/npm-bundle.html @@ -31,5 +31,5 @@

SEE ALSO

       - + diff --git a/deps/npm/html/doc/cli/npm-cache.html b/deps/npm/html/doc/cli/npm-cache.html index 1d78e738c2924b..fdcf22363880ac 100644 --- a/deps/npm/html/doc/cli/npm-cache.html +++ b/deps/npm/html/doc/cli/npm-cache.html @@ -16,10 +16,10 @@

SYNOPSIS

npm cache add <tarball url> npm cache add <name>@<version> -npm cache ls [<path>] - npm cache clean [<path>] aliases: npm cache clear, npm cache rm + +npm cache verify

DESCRIPTION

Used to add, list, or clean the npm cache folder.

    @@ -28,34 +28,39 @@

    SYNOPSIS

    intended to be used internally by npm, but it can provide a way to add data to the local installation cache explicitly.

    -

  • ls: -Show the data in the cache. Argument is a path to show in the cache -folder. Works a bit like the find program, but limited by the -depth config.

    -

  • clean: -Delete data out of the cache folder. If an argument is provided, then -it specifies a subpath to delete. If no argument is provided, then -the entire cache is deleted.

    +Delete all data out of the cache folder.

    +
    • +

  • verify: +Verify the contents of the cache folder, garbage collecting any unneeded data, +and verifying the integrity of the cache index and all cached data.

DETAILS

-

npm stores cache data in the directory specified in npm config get cache. -For each package that is added to the cache, three pieces of information are -stored in {cache}/{name}/{version}:

-
    -
  • .../package/package.json: -The package.json file, as npm sees it.
    • -
  • .../package.tgz: -The tarball for that version.
    • -
-

Additionally, whenever a registry request is made, a .cache.json file -is placed at the corresponding URI, to store the ETag and the requested -data. This is stored in {cache}/{hostname}/{path}/.cache.json.

-

Commands that make non-essential registry requests (such as search and -view, or the completion scripts) generally specify a minimum timeout. -If the .cache.json file is younger than the specified timeout, then -they do not make an HTTP request to the registry.

+

npm stores cache data in an opaque directory within the configured cache, +named _cacache. This directory is a cacache-based content-addressable cache +that stores all http request data as well as other package-related data. This +directory is primarily accessed through pacote, the library responsible for +all package fetching as of npm@5.

+

All data that passes through the cache is fully verified for integrity on both +insertion and extraction. Cache corruption will either trigger an error, or +signal to pacote that the data must be refetched, which it will do +automatically. For this reason, it should never be necessary to clear the cache +for any reason other than reclaiming disk space, thus why clean now requires +--force to run.

+

There is currently no method exposed through npm to inspect or directly manage +the contents of this cache. In order to access it, cacache must be used +directly.

+

npm will not remove data by itself: the cache will grow as new packages are +installed.

+

A NOTE ABOUT THE CACHE'S DESIGN

+

The npm cache is strictly a cache: it should not be relied upon as a persistent +and reliable data store for package data. npm makes no guarantee that a +previously-cached piece of data will be available later, and will automatically +delete corrupted contents. The primary guarantee that the cache makes is that, +if it does return data, that data will be exactly the data that was inserted.

+

To run an offline verification of existing cache contents, use npm cache +verify.

CONFIGURATION

cache

Default: ~/.npm on Posix, or %AppData%/npm-cache on Windows.

@@ -69,6 +74,8 @@

SEE ALSO

  • npm-install(1)
  • npm-publish(1)
  • npm-pack(1)
    • +
  • https://npm.im/cacache
    • +
  • https://npm.im/pacote
    • @@ -82,5 +89,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-completion.html b/deps/npm/html/doc/cli/npm-completion.html index b3515186e07f50..18d659ea837761 100644 --- a/deps/npm/html/doc/cli/npm-completion.html +++ b/deps/npm/html/doc/cli/npm-completion.html @@ -43,5 +43,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-config.html b/deps/npm/html/doc/cli/npm-config.html index d7a179a749b0f3..2ef422bd74f928 100644 --- a/deps/npm/html/doc/cli/npm-config.html +++ b/deps/npm/html/doc/cli/npm-config.html @@ -67,5 +67,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-dedupe.html b/deps/npm/html/doc/cli/npm-dedupe.html index fa1a78e18b9e20..d6ff8ce7608475 100644 --- a/deps/npm/html/doc/cli/npm-dedupe.html +++ b/deps/npm/html/doc/cli/npm-dedupe.html @@ -61,5 +61,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-deprecate.html b/deps/npm/html/doc/cli/npm-deprecate.html index 0fb651b563de21..6741f7478b7cda 100644 --- a/deps/npm/html/doc/cli/npm-deprecate.html +++ b/deps/npm/html/doc/cli/npm-deprecate.html @@ -38,5 +38,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-dist-tag.html b/deps/npm/html/doc/cli/npm-dist-tag.html index 41def9b127dc23..8fa52c2b33be05 100644 --- a/deps/npm/html/doc/cli/npm-dist-tag.html +++ b/deps/npm/html/doc/cli/npm-dist-tag.html @@ -86,5 +86,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-docs.html b/deps/npm/html/doc/cli/npm-docs.html index cbf16bb0d03c30..530a784ed9c307 100644 --- a/deps/npm/html/doc/cli/npm-docs.html +++ b/deps/npm/html/doc/cli/npm-docs.html @@ -56,5 +56,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-doctor.html b/deps/npm/html/doc/cli/npm-doctor.html index cefa6282149416..b75fcc561869f3 100644 --- a/deps/npm/html/doc/cli/npm-doctor.html +++ b/deps/npm/html/doc/cli/npm-doctor.html @@ -103,4 +103,4 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-edit.html b/deps/npm/html/doc/cli/npm-edit.html index 784e0fc56c7a8f..8860c492adc420 100644 --- a/deps/npm/html/doc/cli/npm-edit.html +++ b/deps/npm/html/doc/cli/npm-edit.html @@ -49,5 +49,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-explore.html b/deps/npm/html/doc/cli/npm-explore.html index c25bd194c9fcd3..115d43584cb63c 100644 --- a/deps/npm/html/doc/cli/npm-explore.html +++ b/deps/npm/html/doc/cli/npm-explore.html @@ -49,5 +49,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-help-search.html b/deps/npm/html/doc/cli/npm-help-search.html index 922f1dc2bbab66..a9cb77652bbf3d 100644 --- a/deps/npm/html/doc/cli/npm-help-search.html +++ b/deps/npm/html/doc/cli/npm-help-search.html @@ -45,5 +45,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-help.html b/deps/npm/html/doc/cli/npm-help.html index 1ed1413b353cef..bd72e9471ef38b 100644 --- a/deps/npm/html/doc/cli/npm-help.html +++ b/deps/npm/html/doc/cli/npm-help.html @@ -50,5 +50,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-init.html b/deps/npm/html/doc/cli/npm-init.html index cae2b1c4c4f786..6f053ddb1b522e 100644 --- a/deps/npm/html/doc/cli/npm-init.html +++ b/deps/npm/html/doc/cli/npm-init.html @@ -48,5 +48,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-install-test.html b/deps/npm/html/doc/cli/npm-install-test.html index c8c5bc2d7c201a..02866f73743fb8 100644 --- a/deps/npm/html/doc/cli/npm-install-test.html +++ b/deps/npm/html/doc/cli/npm-install-test.html @@ -42,5 +42,5 @@

    SEE ALSO

           - + diff --git a/deps/npm/html/doc/cli/npm-install.html b/deps/npm/html/doc/cli/npm-install.html index 655a7ac69f0738..55eaabcfd33b20 100644 --- a/deps/npm/html/doc/cli/npm-install.html +++ b/deps/npm/html/doc/cli/npm-install.html @@ -16,16 +16,19 @@

    SYNOPSIS

    npm install [<@scope>/]<name>@<tag> npm install [<@scope>/]<name>@<version> npm install [<@scope>/]<name>@<version range> +npm install <git-host>:<git-user>/<repo-name> +npm install <git repo url> npm install <tarball file> npm install <tarball url> npm install <folder> alias: npm i -common options: [-S|--save|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--dry-run] +common options: [-P|--save-prod|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--no-save] [--dry-run]

    DESCRIPTION

    This command installs a package, and any packages that it depends on. If the -package has a shrinkwrap file, the installation of dependencies will be driven -by that. See npm-shrinkwrap(1).

    +package has a package-lock or shrinkwrap file, the installation of dependencies +will be driven by that, with an npm-shrinkwrap.json taking precedence if both +files exist. See package-lock.json(5) and npm-shrinkwrap(1).

    A package is:

    • a) a folder containing a program described by a package.json(5) file
      • @@ -53,12 +56,16 @@

      SYNOPSIS

      devDependencies.

    • npm install <folder>:

      -

      Install a package that is sitting in a folder on the filesystem.

      +

      Install the package in the directory as a symlink in the current project. + Its dependencies will be installed before it's linked. If <folder> sits + inside the root of your project, its dependencies may be hoisted to the + toplevel node_modules as they would for other types of dependencies.

    • npm install <tarball file>:

      Install a package that is sitting on the filesystem. Note: if you just want to link a dev directory into your npm root, you can do this more easily by - using npm link.

      + using npm link. The filename must use .tar, .tar.gz, or .tgz as + the extension.

      Example:

          npm install ./package.tgz
      • @@ -68,21 +75,25 @@

      SYNOPSIS

      Example:

          npm install https://github.com/indexzero/forever/tarball/v0.5.6
      -

    • npm install [<@scope>/]<name> [-S|--save|-D|--save-dev|-O|--save-optional]:

      +

    • npm install [<@scope>/]<name>:

      Do a <name>@<tag> install, where <tag> is the "tag" config. (See npm-config(7). The config's default value is latest.)

      -

      In most cases, this will install the latest version - of the module published on npm.

      +

      In most cases, this will install the version of the modules tagged as + latest on the npm registry.

      Example:

          npm install sax
-

      npm install takes 3 exclusive, optional flags which save or update - the package version in your main package.json:

      +

      npm install saves any specified packages into dependencies by default. + Additionally, you can control where and how they get saved with some + additional flags:

        -

      • -S, --save: Package will appear in your dependencies.

        -
        • +

      • -P, --save-prod: Package will appear in your dependencies. This is the

        +
                       default unless `-D` or `-O` are present.
+

      • -D, --save-dev: Package will appear in your devDependencies.

      • -O, --save-optional: Package will appear in your optionalDependencies.

        +
        • +

      • --no-save: Prevents saving to dependencies.

        When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:

        • @@ -91,8 +102,8 @@

        SYNOPSIS

        operator.

      • -B, --save-bundle: Saved dependencies will also be added to your bundleDependencies list.

        -

        Further, if you have an npm-shrinkwrap.json then it will be updated as -well.

        +

        Further, if you have an npm-shrinkwrap.json or package-lock.json then it +will be updated as well.

        <scope> is optional. The package will be downloaded from the registry associated with the specified scope. If no registry is associated with the given scope the default registry is assumed. See npm-scope(7).

        @@ -100,13 +111,13 @@

        SYNOPSIS

        interpret this as a GitHub repository instead, see below. Scopes names must also be followed by a slash.

        Examples:

        -
        npm install sax --save
+
        npm install sax
 npm install githubname/reponame
 npm install @myorg/privatepackage
 npm install node-tap --save-dev
 npm install dtrace-provider --save-optional
-npm install readable-stream --save --save-exact
-npm install ansi-regex --save --save-bundle
+npm install readable-stream --save-exact
+npm install ansi-regex --save-bundle
      • @@ -140,16 +151,24 @@

      SYNOPSIS

      npm install @myorg/privatepackage@">=0.1.0 <0.2.0"

    • npm install <git remote url>:

      -

      Installs the package from the hosted git provider, cloning it with - git. First it tries via the https (git with github) and if that fails, via ssh.

      -
          <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish>]
-

      <protocol> is one of git, git+ssh, git+http, git+https, - or git+file. - If no <commit-ish> is specified, then master is used.

      -

      If the repository makes use of submodules, those submodules will - be cloned as well.

      -

      The following git environment variables are recognized by npm and will be added - to the environment when running git:

      +

      Installs the package from the hosted git provider, cloning it with git. + For a full git remote url, only that URL will be attempted.

      +
          <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish> | #semver:<semver>]
+

      <protocol> is one of git, git+ssh, git+http, git+https, or + git+file.

      +

      If #<commit-ish> is provided, it will be used to clone exactly that + commit. If the commit-ish has the format #semver:<semver>, <semver> can + be any valid semver range or exact version, and npm will look for any tags + or refs matching that range in the remote repository, much as it would for a + registry dependency. If neither #<commit-ish> or #semver:<semver> is + specified, then master is used.

      +

      If the repository makes use of submodules, those submodules will be cloned + as well.

      +

      If the package being installed contains a prepare script, its + dependencies and devDependencies will be installed, and the prepare + script will be run, before the package is packaged and installed.

      +

      The following git environment variables are recognized by npm and will be + added to the environment when running git:

      • GIT_ASKPASS
      • GIT_EXEC_PATH
        • @@ -161,6 +180,7 @@

        SYNOPSIS

        See the git man page for details.

        Examples:

        npm install git+ssh://git@github.com:npm/npm.git#v1.0.27
+npm install git+ssh://git@github.com:npm/npm#semver:^5.0
 npm install git+https://isaacs@github.com/npm/npm.git
 npm install git://github.com/npm/npm.git#v1.0.27
 GIT_SSH_COMMAND='ssh -i ~/.ssh/custom_ident' npm install git+ssh://git@github.com:npm/npm.git
@@ -172,32 +192,59 @@ 
        SYNOPSIS
        
 
      • npm install github:<githubname>/<githubrepo>[#<commit-ish>]:
        
 
          Install the package at https://github.com/githubname/githubrepo by
   attempting to clone it using git.
        
-
          If you don't specify a commit-ish then master will be used.
        
+
          If #<commit-ish> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format #semver:<semver>, <semver> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither #<commit-ish> or #semver:<semver> is
+  specified, then master is used.
        
+
          As with regular git dependencies, dependencies and devDependencies will
+  be installed if the package has a prepare script, before the package is
+  done installing.
        
 
          Examples:
        
 
            npm install mygithubuser/myproject
     npm install github:mygithubuser/myproject
 
        • 
-
      • npm install gist:[<githubname>/]<gistID>[#<commit-ish>]:
        
+
      • npm install gist:[<githubname>/]<gistID>[#<commit-ish>|#semver:<semver>]:
        
 
          Install the package at https://gist.github.com/gistID by attempting to
   clone it using git. The GitHub username associated with the gist is
-  optional and will not be saved in package.json if -S or --save is used.
        
-
          If you don't specify a commit-ish then master will be used.
        
+  optional and will not be saved in package.json.
        
+
          As with regular git dependencies, dependencies and devDependencies will
+  be installed if the package has a prepare script, before the package is
+  done installing.
        
 
          Example:
        
 
            npm install gist:101a11beef
 
        • 
 
      • npm install bitbucket:<bitbucketname>/<bitbucketrepo>[#<commit-ish>]:
        
 
          Install the package at https://bitbucket.org/bitbucketname/bitbucketrepo
   by attempting to clone it using git.
        
-
          If you don't specify a commit-ish then master will be used.
        
+
          If #<commit-ish> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format #semver:<semver>, <semver> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither #<commit-ish> or #semver:<semver> is
+  specified, then master is used.
        
+
          As with regular git dependencies, dependencies and devDependencies will
+  be installed if the package has a prepare script, before the package is
+  done installing.
        
 
          Example:
        
 
            npm install bitbucket:mybitbucketuser/myproject
 
        • 
 
      • npm install gitlab:<gitlabname>/<gitlabrepo>[#<commit-ish>]:
        
 
          Install the package at https://gitlab.com/gitlabname/gitlabrepo
   by attempting to clone it using git.
        
-
          If you don't specify a commit-ish then master will be used.
        
+
          If #<commit-ish> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format #semver:<semver>, <semver> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither #<commit-ish> or #semver:<semver> is
+  specified, then master is used.
        
+
          As with regular git dependencies, dependencies and devDependencies will
+  be installed if the package has a prepare script, before the package is
+  done installing.
        
 
          Example:
        
 
            npm install gitlab:mygitlabuser/myproject
+    npm install gitlab:myusr/myproj#semver:^5.0
 
        •

      You may combine multiple arguments, and even multiple types of arguments. @@ -218,7 +265,7 @@

      SYNOPSIS

      global node_modules folder. Only your direct dependencies will show in node_modules and everything they depend on will be flattened in their node_modules folders. This obviously will eliminate some deduping.

      -

      The --ignore-scripts argument will cause npm to not execute any +

      The --ignore-scripts argument will cause npm to not execute any scripts defined in the package.json. See npm-scripts(7).

      The --legacy-bundling argument will cause npm to install the package such that versions of npm prior to 1.4, such as the one included with node 0.8, @@ -230,7 +277,7 @@

      SYNOPSIS

      The --no-optional argument will prevent optional dependencies from being installed.

      The --no-shrinkwrap argument, which will ignore an available -shrinkwrap file and use the package.json instead.

      +package lock or shrinkwrap file and use the package.json instead.

      The --nodedir=/path/to/node/source argument will allow npm to find the node source code so that npm can compile native modules.

      The --only={prod[uction]|dev[elopment]} argument will cause either only @@ -265,7 +312,9 @@

      ALGORITHM

      `-- D@2 +-- D@1

      Because B's D@1 will be installed in the top level, C now has to install D@2 -privately for itself.

      +privately for itself. This algorithm is deterministic, but different trees may +be produced if two dependencies are requested for installation in a different +order.

      See npm-folders(5) for a more detailed description of the specific folder structures that npm creates.

      Limitations of npm's Install Algorithm

      @@ -316,5 +365,5 @@

      SEE ALSO

             - + diff --git a/deps/npm/html/doc/cli/npm-link.html b/deps/npm/html/doc/cli/npm-link.html index f952876a7100bf..b279ab4d3a85a4 100644 --- a/deps/npm/html/doc/cli/npm-link.html +++ b/deps/npm/html/doc/cli/npm-link.html @@ -74,5 +74,5 @@

      SYNOPSIS

             - + diff --git a/deps/npm/html/doc/cli/npm-logout.html b/deps/npm/html/doc/cli/npm-logout.html index 9a1393966acd11..3ecde84cc3e4e4 100644 --- a/deps/npm/html/doc/cli/npm-logout.html +++ b/deps/npm/html/doc/cli/npm-logout.html @@ -51,5 +51,5 @@

      scope

             - + diff --git a/deps/npm/html/doc/cli/npm-ls.html b/deps/npm/html/doc/cli/npm-ls.html index 8bd4c70beec132..af4103febf0d3c 100644 --- a/deps/npm/html/doc/cli/npm-ls.html +++ b/deps/npm/html/doc/cli/npm-ls.html @@ -21,7 +21,7 @@

      SYNOPSIS

      limit the results to only the paths to the packages named. Note that nested packages will also show the paths to the specified packages. For example, running npm ls promzard in npm's source tree will show:

      -
      npm@5.0.0-beta.56 /path/to/npm
+
      npm@5.0.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 
      It will print out extraneous, missing, and invalid packages.
      
@@ -104,5 +104,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-outdated.html b/deps/npm/html/doc/cli/npm-outdated.html
index e3d7a8540fa6f9..7b36dc7f5bc999 100644
--- a/deps/npm/html/doc/cli/npm-outdated.html
+++ b/deps/npm/html/doc/cli/npm-outdated.html
@@ -116,5 +116,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-owner.html b/deps/npm/html/doc/cli/npm-owner.html
index 920f5e5833cf15..aeaa8acb89269a 100644
--- a/deps/npm/html/doc/cli/npm-owner.html
+++ b/deps/npm/html/doc/cli/npm-owner.html
@@ -51,5 +51,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-pack.html b/deps/npm/html/doc/cli/npm-pack.html
index 3956a2a491cce8..d40a92437a4c63 100644
--- a/deps/npm/html/doc/cli/npm-pack.html
+++ b/deps/npm/html/doc/cli/npm-pack.html
@@ -41,5 +41,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-ping.html b/deps/npm/html/doc/cli/npm-ping.html
index 084cfdd834e0bd..e9a9f97b200173 100644
--- a/deps/npm/html/doc/cli/npm-ping.html
+++ b/deps/npm/html/doc/cli/npm-ping.html
@@ -32,5 +32,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-prefix.html b/deps/npm/html/doc/cli/npm-prefix.html
index d3c4f5af94b3ee..99dacb66606c7a 100644
--- a/deps/npm/html/doc/cli/npm-prefix.html
+++ b/deps/npm/html/doc/cli/npm-prefix.html
@@ -38,5 +38,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-prune.html b/deps/npm/html/doc/cli/npm-prune.html
index 97b39a188e6e9d..56e8b8ab293350 100644
--- a/deps/npm/html/doc/cli/npm-prune.html
+++ b/deps/npm/html/doc/cli/npm-prune.html
@@ -40,5 +40,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-publish.html b/deps/npm/html/doc/cli/npm-publish.html
index b5f62294845ce6..9b9cca3cb090b7 100644
--- a/deps/npm/html/doc/cli/npm-publish.html
+++ b/deps/npm/html/doc/cli/npm-publish.html
@@ -51,6 +51,9 @@ 
      SYNOPSIS
      
 
      Once a package is published with a given name and version, that
 specific name and version combination can never be used again, even if
 it is removed with npm-unpublish(1).
      
+
      As of npm@5, both a sha1sum and an integrity field with a sha512sum of the
+tarball will be submitted to the registry during publication. Subsequent
+installs will use the strongest supported algorithm to verify downloads.
      
 
      For a "dry run" that does everything except actually publishing to the
 registry, see npm-pack(1), which figures out the files to be included and
 packs them into a tarball to be uploaded to the registry.
      
@@ -76,5 +79,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-rebuild.html b/deps/npm/html/doc/cli/npm-rebuild.html
index ac88ecab844bbf..a2a1ad03ab1682 100644
--- a/deps/npm/html/doc/cli/npm-rebuild.html
+++ b/deps/npm/html/doc/cli/npm-rebuild.html
@@ -35,5 +35,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-repo.html b/deps/npm/html/doc/cli/npm-repo.html
index ab7311df12d3c2..83ec73d5f56083 100644
--- a/deps/npm/html/doc/cli/npm-repo.html
+++ b/deps/npm/html/doc/cli/npm-repo.html
@@ -41,5 +41,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-restart.html b/deps/npm/html/doc/cli/npm-restart.html
index 38607f97bbc686..c4d3296c251de2 100644
--- a/deps/npm/html/doc/cli/npm-restart.html
+++ b/deps/npm/html/doc/cli/npm-restart.html
@@ -53,5 +53,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-root.html b/deps/npm/html/doc/cli/npm-root.html
index 3376f30e1bef03..9b115bb0036fde 100644
--- a/deps/npm/html/doc/cli/npm-root.html
+++ b/deps/npm/html/doc/cli/npm-root.html
@@ -35,5 +35,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-run-script.html b/deps/npm/html/doc/cli/npm-run-script.html
index 9cc5c452f1e0b0..07e1c514d6270f 100644
--- a/deps/npm/html/doc/cli/npm-run-script.html
+++ b/deps/npm/html/doc/cli/npm-run-script.html
@@ -66,5 +66,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-search.html b/deps/npm/html/doc/cli/npm-search.html
index 4989b4760be500..02dc30d68e3675 100644
--- a/deps/npm/html/doc/cli/npm-search.html
+++ b/deps/npm/html/doc/cli/npm-search.html
@@ -109,5 +109,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-shrinkwrap.html b/deps/npm/html/doc/cli/npm-shrinkwrap.html
index 53592eabe8dabd..a1809977c592d2 100644
--- a/deps/npm/html/doc/cli/npm-shrinkwrap.html
+++ b/deps/npm/html/doc/cli/npm-shrinkwrap.html
@@ -9,163 +9,24 @@
   
     
      
 
-
      npm-shrinkwrap
       
      Lock down dependency versions
      
+
      npm-shrinkwrap
       
      Lock down dependency versions for publication
      
 
      SYNOPSIS
      
 
      npm shrinkwrap
 
      DESCRIPTION
      
-
      This command locks down the versions of a package's dependencies so
-that you can control exactly which versions of each dependency will be
-used when your package is installed. The package.json file is still
-required if you want to use npm install.
      
-
      By default, npm install recursively installs the target's
-dependencies (as specified in package.json), choosing the latest
-available version that satisfies the dependency's semver pattern. In
-some situations, particularly when shipping software where each change
-is tightly managed, it's desirable to fully specify each version of
-each dependency recursively so that subsequent builds and deploys do
-not inadvertently pick up newer versions of a dependency that satisfy
-the semver pattern. Specifying specific semver patterns in each
-dependency's package.json would facilitate this, but that's not always
-possible or desirable, as when another author owns the npm package.
-It's also possible to check dependencies directly into source control,
-but that may be undesirable for other reasons.
      
-
      As an example, consider package A:
      
-
      {
-  "name": "A",
-  "version": "0.1.0",
-  "dependencies": {
-    "B": "<0.1.0"
-  }
-}
-
      package B:
      
-
      {
-  "name": "B",
-  "version": "0.0.1",
-  "dependencies": {
-    "C": "<0.1.0"
-  }
-}
-
      and package C:
      
-
      {
-  "name": "C",
-  "version": "0.0.1"
-}
-
      If these are the only versions of A, B, and C available in the
-registry, then a normal npm install A will install:
      
-
      A@0.1.0
-`-- B@0.0.1
-    `-- C@0.0.1
-
      However, if B@0.0.2 is published, then a fresh npm install A will
-install:
      
-
      A@0.1.0
-`-- B@0.0.2
-    `-- C@0.0.1
-
      assuming the new version did not modify B's dependencies. Of course,
-the new version of B could include a new version of C and any number
-of new dependencies. If such changes are undesirable, the author of A
-could specify a dependency on B@0.0.1. However, if A's author and B's
-author are not the same person, there's no way for A's author to say
-that he or she does not want to pull in newly published versions of C
-when B hasn't changed at all.
      
-
      In this case, A's author can run
      
-
      npm shrinkwrap
-
      This generates npm-shrinkwrap.json, which will look something like this:
      
-
      {
-  "name": "A",
-  "version": "0.1.0",
-  "dependencies": {
-    "B": {
-      "version": "0.0.1",
-      "from": "B@^0.0.1",
-      "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
-      "dependencies": {
-        "C": {
-          "version": "0.0.1",
-          "from": "org/C#v0.0.1",
-          "resolved": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
-        }
-      }
-    }
-  }
-}
-
      The shrinkwrap command has locked down the dependencies based on what's
-currently installed in node_modules.  The installation behavior is changed to:
      
-
        
-
      1. The module tree described by the shrinkwrap is reproduced. This means
-reproducing the structure described in the file, using the specific files
-referenced in "resolved" if available, falling back to normal package
-resolution using "version" if one isn't.
        
-
        2. 
-
      2. The tree is walked and any missing dependencies are installed in the usual fashion.
        
-
        3. 
-
      
-
      If preshrinkwrap, shrinkwrap or postshrinkwrap are in the scripts property of the
-package.json, they will be executed by running npm shrinkwrap.
-preshrinkwrap and shrinkwrap are executed before the shrinkwrap, postshrinkwrap is
-executed afterwards. For example to run some postprocessing on the generated file:
      
-
      "scripts": { "postshrinkwrap": "node fix-shrinkwrap.js" }
-
      Using shrinkwrapped packages
      
-
      Using a shrinkwrapped package is no different than using any other
-package: you can npm install it by hand, or add a dependency to your
-package.json file and npm install it.
      
-
      Building shrinkwrapped packages
      
-
      To shrinkwrap an existing package:
      
-
        
-
      1. Run npm install in the package root to install the current
-versions of all dependencies.
        2. 
-
      2. Validate that the package works as expected with these versions.
        3. 
-
      3. Run npm shrinkwrap, add npm-shrinkwrap.json to git, and publish
-your package.
        4. 
-
      
-
      To add or update a dependency in a shrinkwrapped package:
      
-
        
-
      1. Run npm install in the package root to install the current
-versions of all dependencies.
        2. 
-
      2. Add or update dependencies. npm install --save or npm install --save-dev
-each new or updated package individually to update the package.json and
-the shrinkwrap. Note that they must be explicitly named in order to be
-installed: running npm install with no arguments will merely reproduce
-the existing shrinkwrap.
        3. 
-
      3. Validate that the package works as expected with the new
-dependencies.
        4. 
-
      4. Commit the new npm-shrinkwrap.json, and publish your package.
        5. 
-
      
-
      You can use npm-outdated(1) to view dependencies with newer versions
-available.
      
-
      Other Notes
      
-
      A shrinkwrap file must be consistent with the package's package.json
-file. npm shrinkwrap will fail if required dependencies are not
-already installed, since that would result in a shrinkwrap that
-wouldn't actually work. Similarly, the command will fail if there are
-extraneous packages (not referenced by package.json), since that would
-indicate that package.json is not correct.
      
-
      Starting with npm v4.0.1, devDependencies are included when you run
-npm shrinkwrap and follow the usual rules as to when they're installed.
-As of npm v3.10.8, if you run npm install --only=production or
-npm install --production with a shrinkwrap including your development
-dependencies they won't be installed. Similarly, if the environment
-variable NODE_ENV is production then they won't be installed. If you
-need compatibility with versions of npm prior to v3.10.8 or otherwise
-don't want them in your shrinkwrap you can exclude development
-dependencies with:
-npm shrinkwrap --only=prod or npm shrinkwrap --production.
      
-
      If shrinkwrapped package A depends on shrinkwrapped package B, B's
-shrinkwrap will not be used as part of the installation of A. However,
-because A's shrinkwrap is constructed from a valid installation of B
-and recursively specifies all dependencies, the contents of B's
-shrinkwrap will implicitly be included in A's shrinkwrap.
      
-
      Caveats
      
-
      If you wish to lock down the specific bytes included in a package, for
-example to have 100% confidence in being able to reproduce a
-deployment or build, then you ought to check your dependencies into
-source control, or pursue some other mechanism that can verify
-contents rather than versions.
      
+
      This command repurposes package-lock.json into a publishable
+npm-shrinkwrap.json or simply creates a new one. The file created and updated
+by this command will then take precedence over any other existing or future
+package-lock.json files. For a detailed explanation of the design and purpose
+of package locks in npm, see npm-package-locks(5).
      
 
      SEE ALSO
      
 
 
@@ -180,5 +41,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-star.html b/deps/npm/html/doc/cli/npm-star.html
index 525da2c5e3f207..8fce9194617a37 100644
--- a/deps/npm/html/doc/cli/npm-star.html
+++ b/deps/npm/html/doc/cli/npm-star.html
@@ -36,5 +36,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-stars.html b/deps/npm/html/doc/cli/npm-stars.html
index b702e065e6b057..db7f2e06332197 100644
--- a/deps/npm/html/doc/cli/npm-stars.html
+++ b/deps/npm/html/doc/cli/npm-stars.html
@@ -36,5 +36,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-start.html b/deps/npm/html/doc/cli/npm-start.html
index 81dfed2f639962..756bc34e680068 100644
--- a/deps/npm/html/doc/cli/npm-start.html
+++ b/deps/npm/html/doc/cli/npm-start.html
@@ -39,5 +39,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-stop.html b/deps/npm/html/doc/cli/npm-stop.html
index 864bc7c563d0b1..31c18f4ba2500e 100644
--- a/deps/npm/html/doc/cli/npm-stop.html
+++ b/deps/npm/html/doc/cli/npm-stop.html
@@ -34,5 +34,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-team.html b/deps/npm/html/doc/cli/npm-team.html
index 4587cb2c75995c..13fd9474881f4b 100644
--- a/deps/npm/html/doc/cli/npm-team.html
+++ b/deps/npm/html/doc/cli/npm-team.html
@@ -67,5 +67,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-test.html b/deps/npm/html/doc/cli/npm-test.html
index 9befb62594bd6e..798519122a0123 100644
--- a/deps/npm/html/doc/cli/npm-test.html
+++ b/deps/npm/html/doc/cli/npm-test.html
@@ -36,5 +36,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-uninstall.html b/deps/npm/html/doc/cli/npm-uninstall.html
index 55a438b15e5d44..147b6e563e3ab4 100644
--- a/deps/npm/html/doc/cli/npm-uninstall.html
+++ b/deps/npm/html/doc/cli/npm-uninstall.html
@@ -60,5 +60,5 @@ 
      SYNOPSIS
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-unpublish.html b/deps/npm/html/doc/cli/npm-unpublish.html
index 82a74483db638e..587dad4259c8f8 100644
--- a/deps/npm/html/doc/cli/npm-unpublish.html
+++ b/deps/npm/html/doc/cli/npm-unpublish.html
@@ -51,5 +51,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-update.html b/deps/npm/html/doc/cli/npm-update.html
index b5bf305bd5cc38..ee1c38dc692c26 100644
--- a/deps/npm/html/doc/cli/npm-update.html
+++ b/deps/npm/html/doc/cli/npm-update.html
@@ -118,5 +118,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-version.html b/deps/npm/html/doc/cli/npm-version.html
index ab4f3bc1de06ef..00361d5174f551 100644
--- a/deps/npm/html/doc/cli/npm-version.html
+++ b/deps/npm/html/doc/cli/npm-version.html
@@ -114,5 +114,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-view.html b/deps/npm/html/doc/cli/npm-view.html
index 3427b1e1ac758c..9fa968fd636f2f 100644
--- a/deps/npm/html/doc/cli/npm-view.html
+++ b/deps/npm/html/doc/cli/npm-view.html
@@ -86,5 +86,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm-whoami.html b/deps/npm/html/doc/cli/npm-whoami.html
index 3f30703d854060..c25ad77e591243 100644
--- a/deps/npm/html/doc/cli/npm-whoami.html
+++ b/deps/npm/html/doc/cli/npm-whoami.html
@@ -33,5 +33,5 @@ 
      SEE ALSO
      
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/cli/npm.html b/deps/npm/html/doc/cli/npm.html
index 48c4396d748950..55495142954b77 100644
--- a/deps/npm/html/doc/cli/npm.html
+++ b/deps/npm/html/doc/cli/npm.html
@@ -13,7 +13,7 @@ 
      npm
       
      javascript package manager
      
 
      SYNOPSIS
      
 
      npm <command> [args]
 
      VERSION
      
-
      5.0.0-beta.56
      
+
      5.0.0
      
 
      DESCRIPTION
      
 
      npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency
@@ -126,7 +126,7 @@ 
      AUTHOR
      
 
      Isaac Z. Schlueter ::
 isaacs ::
 @izs ::
-i@izs.me
      
+i@izs.me
      
 
      SEE ALSO
      
 
        
 
      • npm-help(1)
        • 
@@ -150,5 +150,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/files/npm-folders.html b/deps/npm/html/doc/files/npm-folders.html
index 795e779c19d7e2..4f9656a922b0a4 100644
--- a/deps/npm/html/doc/files/npm-folders.html
+++ b/deps/npm/html/doc/files/npm-folders.html
@@ -182,5 +182,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/files/npm-global.html b/deps/npm/html/doc/files/npm-global.html
index 795e779c19d7e2..4f9656a922b0a4 100644
--- a/deps/npm/html/doc/files/npm-global.html
+++ b/deps/npm/html/doc/files/npm-global.html
@@ -182,5 +182,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/files/npm-json.html b/deps/npm/html/doc/files/npm-json.html
index bf65afd5e57e2c..7d6ed1c78a18e4 100644
--- a/deps/npm/html/doc/files/npm-json.html
+++ b/deps/npm/html/doc/files/npm-json.html
@@ -586,5 +586,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/files/npm-package-locks.html b/deps/npm/html/doc/files/npm-package-locks.html
new file mode 100644
index 00000000000000..7f8851781ba030
--- /dev/null
+++ b/deps/npm/html/doc/files/npm-package-locks.html
@@ -0,0 +1,148 @@
+
+
+  npm-package-locks
+  
+  
+  
+  
+
+  
+    
        
+
+
        npm-package-locks
         
        An explanation of npm lockfiles
        
+
        DESCRIPTION
        
+
        Conceptually, the "input" to npm-install(1) is a package.json(5), while its
+"output" is a fully-formed node_modules tree: a representation of the
+dependencies you declared. In an ideal world, npm would work like a pure
+function: the same package.json should produce the exact same node_modules
+tree, any time. In some cases, this is indeed true. But in many others, npm is
+unable to do this. There are multiple reasons for this:
        
+
          
+
        • different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms.
          
+
          • 
+
        • a new version of a direct semver-range package may have been published since the last time your packages were installed, and thus a newer version will be used.
          
+
          • 
+
        • A dependency of one of your dependencies may have published a new version, which will update even if you used pinned dependency specifiers (1.2.3 instead of ^1.2.3)
          
+
          • 
+
        • The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different version of a package exists under the same version number now.
          
+
          • 
+
        
+
        As an example, consider package A:
        
+
        {
+  "name": "A",
+  "version": "0.1.0",
+  "dependencies": {
+    "B": "<0.1.0"
+  }
+}
+
        package B:
        
+
        {
+  "name": "B",
+  "version": "0.0.1",
+  "dependencies": {
+    "C": "<0.1.0"
+  }
+}
+
        and package C:
        
+
        {
+  "name": "C",
+  "version": "0.0.1"
+}
+
        If these are the only versions of A, B, and C available in the
+registry, then a normal npm install A will install:
        
+
        A@0.1.0
+`-- B@0.0.1
+    `-- C@0.0.1
+
        However, if B@0.0.2 is published, then a fresh npm install A will
+install:
        
+
        A@0.1.0
+`-- B@0.0.2
+    `-- C@0.0.1
+
        assuming the new version did not modify B's dependencies. Of course,
+the new version of B could include a new version of C and any number
+of new dependencies. If such changes are undesirable, the author of A
+could specify a dependency on B@0.0.1. However, if A's author and B's
+author are not the same person, there's no way for A's author to say
+that he or she does not want to pull in newly published versions of C
+when B hasn't changed at all.
        
+
        To prevent this potential issue, npm uses package-lock.json(5) or, if present,
+npm-shrinkwrap.json(5). These files are called package locks, or lockfiles.
        
+
        Whenever you run npm install, npm generates or updates your package lock,
+which will look something like this:
        
+
        {
+  "name": "A",
+  "version": "0.1.0",
+  ...metadata fields...
+  "dependencies": {
+    "B": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
+      "integrity": "sha512-DeAdb33F+"
+      "dependencies": {
+        "C": {
+          "version": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
+        }
+      }
+    }
+  }
+}
+
        This file describes an exact, and more importantly reproducible
+node_modules tree. Once it's present, and future installation will base its
+work off this file, instead of recalculating dependency versions off
+package.json(5).
        
+
        The presence of a package lock changes the installation behavior such that:
        
+
          
+
        1. The module tree described by the package lock is reproduced. This means
+reproducing the structure described in the file, using the specific files
+referenced in "resolved" if available, falling back to normal package resolution
+using "version" if one isn't.
          
+
          2. 
+
        2. The tree is walked and any missing dependencies are installed in the usual
+fashion.
          
+
          3. 
+
        
+
        If preshrinkwrap, shrinkwrap or postshrinkwrap are in the scripts
+property of the package.json, they will be executed in order. preshrinkwrap
+and shrinkwrap are executed before the shrinkwrap, postshrinkwrap is
+executed afterwards. These scripts run for both package-lock.json and
+npm-shrinkwrap.json. For example to run some postprocessing on the generated
+file:
        
+
        "scripts": {
+  "postshrinkwrap": "json -I -e \"this.myMetadata = $MY_APP_METADATA\""
+}
+
        Using locked packages
        
+
        Using a locked package is no different than using any package without a package
+lock: any commands that update node_modules and/or package.json's
+dependencies will automatically sync the existing lockfile. This includes npm
+install, npm rm, npm update, etc. To prevent this update from happening,
+you can use the --no-save option to prevent saving altogether, or
+--no-shrinkwrap to allow package.json to be updated while leaving
+package-lock.json or npm-shrinkwrap.json intact.
        
+
        It is highly recommended you commit the generated package lock to source
+control: this will allow anyone else on your team, your deployments, your
+CI/continuous integration, and anyone else who runs npm install in your
+package source to get the exact same dependency tree that you were developing
+on. Additionally, the diffs from these changes are human-readable and will
+inform you of any changes npm has made to your node_modules, so you can notice
+if any transitive dependencies were updated, hoisted, etc.
        
+
        SEE ALSO
        
+
+
+
        
+
+
+
+
+
+
+
+
+
+
+
diff --git a/deps/npm/html/doc/files/npm-shrinkwrap.json.html b/deps/npm/html/doc/files/npm-shrinkwrap.json.html
new file mode 100644
index 00000000000000..3498af79217053
--- /dev/null
+++ b/deps/npm/html/doc/files/npm-shrinkwrap.json.html
@@ -0,0 +1,45 @@
+
+
+  npm-shrinkwrap.json
+  
+  
+  
+  
+
+  
+    
        
+
+
        npm-shrinkwrap.json
         
        A publishable lockfile
        
+
        DESCRIPTION
        
+
        npm-shrinkwrap.json is a file created by npm-shrinkwrap(1). It is identical to
+package-lock.json, with one major caveat: Unlike package-lock.json,
+npm-shrinwkrap.json may be included when publishing a package.
        
+
        The recommended use-case for npm-shrinkwrap.json is applications deployed
+through the publishing process on the registry: for example, daemons and
+command-line tools intended as global installs or devDependencies. It's
+strongly discouraged for library authors to publish this file, since that would
+prevent end users from having control over transitive dependency updates.
        
+
        Additionally, if both package-lock.json and npm-shrinwkrap.json are present
+in a package root, package-lock.json will be ignored in favor of this file.
        
+
        For full details and description of the npm-shrinkwrap.json file format, refer
+to the manual page for package-lock.json(5).
        
+
        SEE ALSO
        
+
+
+
        
+
+
+
+
+
+
+
+
+
+
+
diff --git a/deps/npm/html/doc/files/npmrc.html b/deps/npm/html/doc/files/npmrc.html
index 33b683292f06c5..ef6d01b6119952 100644
--- a/deps/npm/html/doc/files/npmrc.html
+++ b/deps/npm/html/doc/files/npmrc.html
@@ -85,5 +85,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/files/package-lock.json.html b/deps/npm/html/doc/files/package-lock.json.html
new file mode 100644
index 00000000000000..57423161bd84b2
--- /dev/null
+++ b/deps/npm/html/doc/files/package-lock.json.html
@@ -0,0 +1,127 @@
+
+
+  package-lock.json
+  
+  
+  
+  
+
+  
+    
        
+
+
        package-lock.json
         
        A manifestation of the manifest
        
+
        DESCRIPTION
        
+
        package-lock.json is automatically generated for any operations where npm
+modifies either the node_modules tree, or package.json. It describes the
+exact tree that was generated, such that subsequent installs are able to
+generate identical trees, regardless of intermediate dependency updates.
        
+
        This file is intended to be committed into source repositories, and serves
+various purposes:
        
+
          
+
        • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
          
+
          • 
+
        • Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
          
+
          • 
+
        • To facilitate greater visibility of tree changes through readable source control diffs.
          
+
          • 
+
        • And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
          
+
          • 
+
        
+
        One key detail about package-lock.json is that it cannot be published, and it
+will be ignored if found in any place other than the toplevel package. It shares
+a format with npm-shrinkwrap.json(5), which is essentially the same file, but
+allows publication. This is not recommended unless deploying a CLI tool or
+otherwise using the publication process for producing production packages.
        
+
        If both package-lock.json and npm-shrinkwrap.json are present in the root of
+a package, package-lock.json will be completely ignored.
        
+
        FILE FORMAT
        
+
        name
        
+
        The name of the package this is a package-lock for. This must match what's in
+package.json.
        
+
        version
        
+
        The version of the package this is a package-lock for. This must match what's in
+package.json.
        
+
        lockfileVersion
        
+
        An integer version, starting at 1 with the version number of this document
+whose semantics were used when generating this package-lock.json.
        
+
        packageIntegrity
        
+
        This is a subresource
+integrity value
+created from the pacakge.json. No preprocessing of the package.json should
+be done. Subresource integrity strings can be produced by modules like
+ssri.
        
+
+
        Indicates that the install was done with the environment variable
+NODE_PRESERVE_SYMLINKS enabled. The installer should insist that the value of
+this property match that environment variable.
        
+
        dependencies
        
+
        A mapping of package name to dependency object.  Dependency objects have the
+following properties:
        
+
        version
        
+
        This is a specifier that uniquely identifies this package and should be
+usable in fetching a new copy of it.
        
+
          
+
        • bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
          • 
+
        • registry sources: This is a version number. (eg, 1.2.3)
          • 
+
        • git sources: This is a git specifier with resolved committish. (eg, git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e)
          • 
+
        • http tarball sources: This is the URL of the tarball. (eg, https://example.com/example-1.3.0.tgz)
          • 
+
        • local tarball sources: This is the file URL of the tarball. (eg file:///opt/storage/example-1.3.0.tgz)
          • 
+
        • local link sources: This is the file URL of the link. (eg file:libs/our-module)
          • 
+
        
+
        integrity
        
+
        This is a Standard Subresource
+Integrity for this
+resource.
        
+
          
+
        • For bundled dependencies this is not included, regardless of source.
          • 
+
        • For registry sources, this is the integrity that the registry provided, or if one wasn't provided the SHA1 in shasum.
          • 
+
        • For git sources this is the specific commit hash we cloned from.
          • 
+
        • For remote tarball sources this is an integrity based on a SHA512 of
+the file.
          • 
+
        • For local tarball sources: This is an integrity field based on the SHA512 of the file.
          • 
+
        
+
        resolved
        
+
          
+
        • For bundled dependencies this is not included, regardless of source.
          • 
+
        • For registry sources this is path of the tarball relative to the registry
+URL.  If the tarball URL isn't on the same server as the registry URL then
+this is a complete URL.
          • 
+
        
+
        bundled
        
+
        If true, this is the bundled dependency and will be installed by the parent
+module.  When installing, this module will be extracted from the parent
+module during the extract phase, not installed as a separate dependency.
        
+
        dev
        
+
        If true then this dependency is either a development dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both a development dependency of the top level and a
+transitive dependency of a non-development dependency of the top level.
        
+
        optional
        
+
        If true then this dependency is either an optional dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both an optional dependency of the top level and a
+transitive dependency of a non-optional dependency of the top level.
        
+
        All optional dependencies should be included even if they're uninstallable
+on the current platform.
        
+
        dependencies
        
+
        The dependencies of this dependency, exactly as at the top level.
        
+
        SEE ALSO
        
+
+
+
        
+
+
+
+
+
+
+
+
+
+
+
diff --git a/deps/npm/html/doc/files/package.json.html b/deps/npm/html/doc/files/package.json.html
index bf65afd5e57e2c..7d6ed1c78a18e4 100644
--- a/deps/npm/html/doc/files/package.json.html
+++ b/deps/npm/html/doc/files/package.json.html
@@ -586,5 +586,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/index.html b/deps/npm/html/doc/index.html
index 39f5d8e02861da..75891616b89116 100644
--- a/deps/npm/html/doc/index.html
+++ b/deps/npm/html/doc/index.html
@@ -91,7 +91,7 @@ 
        npm-run-script(1)npm-search(1)
        
 
        Search for packages
        
 
        npm-shrinkwrap(1)
        
-
        Lock down dependency versions
        
+
        Lock down dependency versions for publication
        
 
        npm-star(1)
        
 
        Mark your favorite packages
        
 
        npm-stars(1)
        
@@ -122,8 +122,14 @@ 
        Files
        
 
        File system structures npm uses
        
 
        npm-folders(5)
        
 
        Folder Structures Used by npm
        
+
        npm-package-locks(5)
        
+
        An explanation of npm lockfiles
        
+
        npm-shrinkwrap.json(5)
        
+
        A publishable lockfile
        
 
        npmrc(5)
        
 
        The npm config files
        
+
        package-lock.json(5)
        
+
        A manifestation of the manifest
        
 
        package.json(5)
        
 
        Specifics of npm's package.json handling
        
 
        Misc
        
@@ -162,5 +168,5 @@ 
        semver(7)
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-coding-style.html b/deps/npm/html/doc/misc/npm-coding-style.html
index 77e6735e7d53ab..0048979e908ad1 100644
--- a/deps/npm/html/doc/misc/npm-coding-style.html
+++ b/deps/npm/html/doc/misc/npm-coding-style.html
@@ -153,5 +153,5 @@ 
        SEE ALSO
        
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-config.html b/deps/npm/html/doc/misc/npm-config.html
index 78e9569e5ba998..bed7aa07367ea7 100644
--- a/deps/npm/html/doc/misc/npm-config.html
+++ b/deps/npm/html/doc/misc/npm-config.html
@@ -61,6 +61,7 @@ 
        Shorthands and Other CLI Niceties
        -f: --force
 
      • -desc: --description
        • 
 
      • -S: --save
        • 
+
      • -P: --save-prod
        • 
 
      • -D: --save-dev
        • 
 
      • -O: --save-optional
        • 
 
      • -B: --save-bundle
        • 
@@ -586,6 +587,14 @@ 
        optional
        
 
        Attempt to install packages in the optionalDependencies object.  Note
 that if these packages fail to install, the overall installation
 process is not aborted.
        
+
        package-lock
        
+
          
+
        • Default: true
          • 
+
        • Type: Boolean
          • 
+
        
+
        If set to false, then ignore package-lock.json files when installing. This
+will also prevent writing package-lock.json if save is true.
        
+
        This option is an alias for --shrinkwrap.
        
 
        parseable
        
 
          
 
        • Default: false
          • 
@@ -689,6 +698,16 @@ 
          save-bundle
          
 bundleDependencies list.
          
 
          When used with the npm rm command, it removes it from the
 bundledDependencies list.
          
+
          save-prod
          
+
            
+
          • Default: false
            • 
+
          • Type: Boolean
            • 
+
          
+
          Makes sure that a package will be saved into dependencies specifically. This
+is useful if a package already exists in devDependencies or
+optionalDependencies, but you want to move it to be a production dep. This is
+also the default behavior if --save is true, and neither --save-dev or
+--save-optional are true.
          
 
          save-dev
          
 
            
 
          • Default: false
            • 
@@ -800,8 +819,9 @@ 
            shrinkwrap
            
 
          • Default: true
            • 
 
          • Type: Boolean
            • 
 
          
-
          If set to false, then ignore npm-shrinkwrap.json files when
-installing.
          
+
          If set to false, then ignore npm-shrinkwrap.json files when installing. This
+will also prevent writing npm-shrinkwrap.json if save is true.
          
+
          This option is an alias for --package-lock.
          
 
          sign-git-tag
          
 
            
 
          • Default: false
            • 
@@ -961,5 +981,5 @@ 
            SEE ALSO
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-developers.html b/deps/npm/html/doc/misc/npm-developers.html
index 52d1464490a8a2..d87e8c05fcd4be 100644
--- a/deps/npm/html/doc/misc/npm-developers.html
+++ b/deps/npm/html/doc/misc/npm-developers.html
@@ -194,5 +194,5 @@ 
            SEE ALSO
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-disputes.html b/deps/npm/html/doc/misc/npm-disputes.html
index f57404e375e5a2..e5d95529e6be02 100644
--- a/deps/npm/html/doc/misc/npm-disputes.html
+++ b/deps/npm/html/doc/misc/npm-disputes.html
@@ -20,7 +20,7 @@ 
            npm-disputes
             
            Handling Module
 
            TL;DR
            
 
              
 
            1. Get the author email with npm owner ls <pkgname>
              2. 
-
            2. Email the author, CC support@npmjs.com
              3. 
+
            3. Email the author, CC support@npmjs.com
              4. 
 
            4. After a few weeks, if there's no resolution, we'll sort it out.
              5. 
 
            
 
            Don't squat on package names.  Publish code or move out of the way.
            
@@ -55,12 +55,12 @@ 
            DESCRIPTION
            
 
 
          • Alice emails Yusuf, explaining the situation as respectfully as possible,
 and what she would like to do with the module name. She adds the npm support
-staff support@npmjs.com to the CC list of the email. Mention in the email
+staff support@npmjs.com to the CC list of the email. Mention in the email
 that Yusuf can run npm owner add alice foo to add Alice as an owner of the
 foo package.
            • 
 
          • After a reasonable amount of time, if Yusuf has not responded, or if Yusuf
 and Alice can't come to any sort of resolution, email support
-support@npmjs.com and we'll sort it out. ("Reasonable" is usually at least
+support@npmjs.com and we'll sort it out. ("Reasonable" is usually at least
 4 weeks.)
            • 
 
 
            REASONING
            
@@ -96,12 +96,12 @@ 
            EXCEPTIONS
            
 Code of Conduct such as hateful
 language, pornographic content, or harassment.
 
-
            If you see bad behavior like this, please report it to abuse@npmjs.com right
+
            If you see bad behavior like this, please report it to abuse@npmjs.com right
 away. You are never expected to resolve abusive behavior on your own. We are
 here to help.
            
 
            TRADEMARKS
            
 
            If you think another npm publisher is infringing your trademark, such as by
-using a confusingly similar package name, email abuse@npmjs.com with a link to
+using a confusingly similar package name, email abuse@npmjs.com with a link to
 the package or user account on https://npmjs.com. Attach a
 copy of your trademark registration certificate.
            
 
            If we see that the package's publisher is intentionally misleading others by
@@ -134,5 +134,5 @@ 
            SEE ALSO
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-index.html b/deps/npm/html/doc/misc/npm-index.html
index c2bd8c3574bd63..75956cc368a495 100644
--- a/deps/npm/html/doc/misc/npm-index.html
+++ b/deps/npm/html/doc/misc/npm-index.html
@@ -91,7 +91,7 @@ 
            npm-run-script(1
 
            npm-search(1)
            
 
            Search for packages
            
 
            npm-shrinkwrap(1)
            
-
            Lock down dependency versions
            
+
            Lock down dependency versions for publication
            
 
            npm-star(1)
            
 
            Mark your favorite packages
            
 
            npm-stars(1)
            
@@ -122,8 +122,14 @@ 
            Files
            
 
            File system structures npm uses
            
 
            npm-folders(5)
            
 
            Folder Structures Used by npm
            
+
            npm-package-locks(5)
            
+
            An explanation of npm lockfiles
            
+
            npm-shrinkwrap.json(5)
            
+
            A publishable lockfile
            
 
            npmrc(5)
            
 
            The npm config files
            
+
            package-lock.json(5)
            
+
            A manifestation of the manifest
            
 
            package.json(5)
            
 
            Specifics of npm's package.json handling
            
 
            Misc
            
@@ -162,5 +168,5 @@ 
            semver(7)
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-orgs.html b/deps/npm/html/doc/misc/npm-orgs.html
index 75c1850cc2cf34..1c769d1495d728 100644
--- a/deps/npm/html/doc/misc/npm-orgs.html
+++ b/deps/npm/html/doc/misc/npm-orgs.html
@@ -86,5 +86,5 @@ 
            Team Admins create teams
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-registry.html b/deps/npm/html/doc/misc/npm-registry.html
index 99e4d7592635b7..aca3dc550c74af 100644
--- a/deps/npm/html/doc/misc/npm-registry.html
+++ b/deps/npm/html/doc/misc/npm-registry.html
@@ -90,5 +90,5 @@ 
            SEE ALSO
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-scope.html b/deps/npm/html/doc/misc/npm-scope.html
index 481e367a0de2da..f15285ba784eae 100644
--- a/deps/npm/html/doc/misc/npm-scope.html
+++ b/deps/npm/html/doc/misc/npm-scope.html
@@ -99,5 +99,5 @@ 
            SEE ALSO
            
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/npm-scripts.html b/deps/npm/html/doc/misc/npm-scripts.html
index be6269f081fa45..976695a05cc878 100644
--- a/deps/npm/html/doc/misc/npm-scripts.html
+++ b/deps/npm/html/doc/misc/npm-scripts.html
@@ -15,14 +15,20 @@ 
            DESCRIPTION
            
 following scripts:
            
 
              
 
            • prepublish:
-Run BEFORE the package is published.  (Also run on local npm
-install without any arguments. See below.)
              • 
+Run BEFORE the package is packed and published, as well as on local npm
+install without any arguments. (See below)
 
            • prepare:
-Run both BEFORE the package is published, and on local npm
-install without any arguments. (See below.) This is run
+Run both BEFORE the package is packed and published, and on local npm
+install without any arguments (See below). This is run
 AFTER prepublish, but BEFORE prepublishOnly.
              • 
 
            • prepublishOnly:
-Run BEFORE the package is published. (See below.)
              • 
+Run BEFORE the package is prepared and packed, ONLY on npm publish. (See
+below.)
+
            • prepack:
+run BEFORE a tarball is packed (on npm pack, npm publish, and when
+installing git dependencies)
              • 
+
            • postpack:
+Run AFTER the tarball has been generated and moved to its final destination.
              • 
 
            • publish, postpublish:
 Run AFTER the package is published.
              • 
 
            • preinstall:
@@ -237,5 +243,5 @@ 
              SEE ALSO
              
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/removing-npm.html b/deps/npm/html/doc/misc/removing-npm.html
index 532c44588d3fd1..8a7a51e4b0629d 100644
--- a/deps/npm/html/doc/misc/removing-npm.html
+++ b/deps/npm/html/doc/misc/removing-npm.html
@@ -57,5 +57,5 @@ 
              SEE ALSO
              
   
    
 
-
+
 
diff --git a/deps/npm/html/doc/misc/semver.html b/deps/npm/html/doc/misc/semver.html
index 80827586f16839..5a8b556bcabcd4 100644
--- a/deps/npm/html/doc/misc/semver.html
+++ b/deps/npm/html/doc/misc/semver.html
@@ -325,5 +325,5 @@ 
              Ranges
              
   
    
 
-
+
 
diff --git a/deps/npm/lib/config/cmd-list.js b/deps/npm/lib/config/cmd-list.js
index a1abe80fb0b829..c54d105247f224 100644
--- a/deps/npm/lib/config/cmd-list.js
+++ b/deps/npm/lib/config/cmd-list.js
@@ -37,6 +37,7 @@ var affordances = {
   'info': 'view',
   'show': 'view',
   'find': 'search',
+  'add': 'install',
   'unlink': 'uninstall',
   'remove': 'uninstall',
   'rm': 'uninstall',
diff --git a/deps/npm/lib/config/defaults.js b/deps/npm/lib/config/defaults.js
index 517d82ae1e7251..da019ac4d6d196 100644
--- a/deps/npm/lib/config/defaults.js
+++ b/deps/npm/lib/config/defaults.js
@@ -178,6 +178,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'onload-script': false,
     only: null,
     optional: true,
+    'package-lock': true,
     parseable: false,
     'prefer-offline': false,
     'prefer-online': false,
@@ -200,6 +201,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'save-exact': false,
     'save-optional': false,
     'save-prefix': '^',
+    'save-prod': false,
     scope: '',
     'scripts-prepend-node-path': 'warn-only',
     searchopts: '',
@@ -304,6 +306,7 @@ exports.types = {
   'onload-script': [null, String],
   only: [null, 'dev', 'development', 'prod', 'production'],
   optional: Boolean,
+  'package-lock': Boolean,
   parseable: Boolean,
   'prefer-offline': Boolean,
   'prefer-online': Boolean,
@@ -321,6 +324,7 @@ exports.types = {
   'save-exact': Boolean,
   'save-optional': Boolean,
   'save-prefix': String,
+  'save-prod': Boolean,
   scope: String,
   'scripts-prepend-node-path': [false, true, 'auto', 'warn-only'],
   searchopts: String,
@@ -404,6 +408,7 @@ exports.shorthands = {
   D: ['--save-dev'],
   E: ['--save-exact'],
   O: ['--save-optional'],
+  P: ['--save-prod'],
   y: ['--yes'],
   n: ['--no-yes'],
   B: ['--save-bundle'],
diff --git a/deps/npm/lib/config/pacote.js b/deps/npm/lib/config/pacote.js
index 13b7b53f52e815..705544fe3cbad2 100644
--- a/deps/npm/lib/config/pacote.js
+++ b/deps/npm/lib/config/pacote.js
@@ -1,25 +1,24 @@
 'use strict'
 
-const BB = require('bluebird')
+const Buffer = require('safe-buffer').Buffer
 
-const cp = require('child_process')
 const npm = require('../npm')
 const log = require('npmlog')
-const packToStream = require('../utils/tar').packToStream
+let pack
 const path = require('path')
-const pipe = BB.promisify(require('mississippi').pipe)
-const readJson = BB.promisify(require('read-package-json'))
-const PassThrough = require('stream').PassThrough
 
 let effectiveOwner
 
 module.exports = pacoteOpts
 function pacoteOpts (moreOpts) {
+  if (!pack) {
+    pack = require('../pack.js')
+  }
   const ownerStats = calculateOwner()
   const opts = {
     cache: path.join(npm.config.get('cache'), '_cacache'),
     defaultTag: npm.config.get('tag'),
-    dirPacker: prepareAndPack,
+    dirPacker: pack.packGitDep,
     hashAlgorithm: 'sha1',
     localAddress: npm.config.get('local-address'),
     log: log,
@@ -44,17 +43,34 @@ function pacoteOpts (moreOpts) {
   }
 
   if (ownerStats.uid || ownerStats.gid) {
-    Object.assign(opts, ownerStats, {
-      cacheUid: ownerStats.uid,
-      cacheGid: ownerStats.gid
-    })
+    Object.assign(opts, ownerStats)
   }
 
   npm.config.keys.forEach(function (k) {
-    if (k[0] === '/' && k.match(/.*:_authToken$/)) {
+    const authMatch = k[0] === '/' && k.match(
+      /(.*):(_authToken|username|_password|password|email|always-auth)$/
+    )
+    if (authMatch) {
+      const nerfDart = authMatch[1]
+      const key = authMatch[2]
+      const val = npm.config.get(k)
       if (!opts.auth) { opts.auth = {} }
-      opts.auth[k.replace(/:_authToken$/, '')] = {
-        token: npm.config.get(k)
+      if (!opts.auth[nerfDart]) {
+        opts.auth[nerfDart] = {
+          alwaysAuth: !!npm.config.get('always-auth')
+        }
+      }
+      if (key === '_authToken') {
+        opts.auth[nerfDart].token = val
+      } else if (key.match(/password$/i)) {
+        opts.auth[nerfDart].password =
+        // the config file stores password auth already-encoded. pacote expects
+        // the actual username/password pair.
+        Buffer.from(val, 'base64').toString('utf8')
+      } else if (key === 'always-auth') {
+        opts.auth[nerfDart].alwaysAuth = val === 'false' ? false : !!val
+      } else {
+        opts.auth[nerfDart][key] = val
       }
     }
     if (k[0] === '@') {
@@ -90,86 +106,3 @@ function calculateOwner () {
 
   return effectiveOwner
 }
-
-const PASSTHROUGH_OPTS = [
-  'always-auth',
-  'auth-type',
-  'ca',
-  'cafile',
-  'cert',
-  'git',
-  'local-address',
-  'maxsockets',
-  'offline',
-  'prefer-offline',
-  'prefer-online',
-  'proxy',
-  'https-proxy',
-  'registry',
-  'send-metrics',
-  'sso-poll-frequency',
-  'sso-type',
-  'strict-ssl'
-]
-
-function prepareAndPack (manifest, dir) {
-  const stream = new PassThrough()
-  readJson(path.join(dir, 'package.json')).then((pkg) => {
-    if (pkg.scripts && pkg.scripts.prepare) {
-      log.verbose('prepareGitDep', `${manifest._spec}: installing devDeps and running prepare script.`)
-      const cliArgs = PASSTHROUGH_OPTS.reduce((acc, opt) => {
-        if (npm.config.get(opt, 'cli') != null) {
-          acc.push(`--${opt}=${npm.config.get(opt)}`)
-        }
-        return acc
-      }, [])
-      const child = cp.spawn(process.env.NODE || process.execPath, [
-        require.main.filename,
-        'install',
-        '--ignore-prepublish',
-        '--no-progress',
-        '--no-save'
-      ].concat(cliArgs), {
-        cwd: dir,
-        env: process.env
-      })
-      let errData = []
-      let errDataLen = 0
-      let outData = []
-      let outDataLen = 0
-      child.stdout.on('data', (data) => {
-        outData.push(data)
-        outDataLen += data.length
-        log.gauge.pulse('preparing git package')
-      })
-      child.stderr.on('data', (data) => {
-        errData.push(data)
-        errDataLen += data.length
-        log.gauge.pulse('preparing git package')
-      })
-      return BB.fromNode((cb) => {
-        child.on('error', cb)
-        child.on('exit', (code, signal) => {
-          if (code > 0) {
-            const err = new Error(`${signal}: npm exited with code ${code} while attempting to build ${manifest._requested}. Clone the repository manually and run 'npm install' in it for more information.`)
-            err.code = code
-            err.signal = signal
-            cb(err)
-          } else {
-            cb()
-          }
-        })
-      }).then(() => {
-        if (outDataLen > 0) log.silly('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
-        if (errDataLen > 0) log.silly('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
-      }, (err) => {
-        if (outDataLen > 0) log.error('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
-        if (errDataLen > 0) log.error('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
-        throw err
-      })
-    }
-  }).then(() => {
-    return pipe(packToStream(manifest, dir), stream)
-  }).catch((err) => stream.emit('error', err))
-  return stream
-}
diff --git a/deps/npm/lib/fetch-package-metadata.js b/deps/npm/lib/fetch-package-metadata.js
index 45d6acbfaeb899..cca6dc64f4168e 100644
--- a/deps/npm/lib/fetch-package-metadata.js
+++ b/deps/npm/lib/fetch-package-metadata.js
@@ -12,7 +12,7 @@ const npmlog = require('npmlog')
 const limit = require('call-limit')
 const tempFilename = require('./utils/temp-filename')
 const pacote = require('pacote')
-const pacoteOpts = require('./config/pacote')
+let pacoteOpts
 const isWindows = require('./utils/is-windows.js')
 
 function andLogAndFinish (spec, tracker, done) {
@@ -52,7 +52,9 @@ function fetchPackageMetadata (spec, where, opts, done) {
     err.code = 'EWINDOWSPATH'
     return logAndFinish(err)
   }
-
+  if (!pacoteOpts) {
+    pacoteOpts = require('./config/pacote')
+  }
   pacote.manifest(dep, pacoteOpts({
     annotate: true,
     fullMetadata: opts.fullMetadata,
@@ -83,6 +85,9 @@ function fetchPackageMetadata (spec, where, opts, done) {
 module.exports.addBundled = addBundled
 function addBundled (pkg, next) {
   validate('OF', arguments)
+  if (!pacoteOpts) {
+    pacoteOpts = require('./config/pacote')
+  }
   if (pkg._bundled !== undefined) return next(null, pkg)
 
   if (!pkg.bundleDependencies && pkg._requested.type !== 'directory') return next(null, pkg)
diff --git a/deps/npm/lib/install.js b/deps/npm/lib/install.js
index c567f624f93d4a..5d111b32c8b699 100644
--- a/deps/npm/lib/install.js
+++ b/deps/npm/lib/install.js
@@ -29,7 +29,7 @@ install.usage = usage(
   '\nnpm install ' +
   '\nnpm install ' +
   '\nnpm install /',
-  '[--save|--save-dev|--save-optional] [--save-exact]'
+  '[--save-prod|--save-dev|--save-optional] [--save-exact] [--no-save]'
 )
 
 install.completion = function (opts, cb) {
@@ -98,6 +98,7 @@ var path = require('path')
 // dependencies
 var log = require('npmlog')
 var readPackageTree = require('read-package-tree')
+var readPackageJson = require('read-package-json')
 var chain = require('slide').chain
 var asyncMap = require('slide').asyncMap
 var archy = require('archy')
@@ -137,10 +138,11 @@ var doReverseSerialActions = require('./install/actions.js').doReverseSerial
 var doParallelActions = require('./install/actions.js').doParallel
 var doOneAction = require('./install/actions.js').doOne
 var removeObsoleteDep = require('./install/deps.js').removeObsoleteDep
+var removeExtraneous = require('./install/deps.js').removeExtraneous
+var computeVersionSpec = require('./install/deps.js').computeVersionSpec
 var packageId = require('./utils/package-id.js')
 var moduleName = require('./utils/module-name.js')
 var errorMessage = require('./utils/error-message.js')
-var removeDeps = require('./install/deps.js').removeDeps
 var isExtraneous = require('./install/is-extraneous.js')
 
 function unlockCB (lockPath, name, cb) {
@@ -202,6 +204,11 @@ function Installer (where, dryrun, args) {
   this.where = where
   this.dryrun = dryrun
   this.args = args
+  // fakechildren are children created from the lockfile and lack relationship data
+  // the only exist when the tree does not match the lockfile
+  // this is fine when doing full tree installs/updates but not ok when modifying only
+  // a few deps via `npm install` or `npm uninstall`.
+  this.fakeChildren = true
   this.currentTree = null
   this.idealTree = null
   this.differences = []
@@ -245,6 +252,11 @@ Installer.prototype.run = function (_cb) {
 
   var installSteps = []
   var postInstallSteps = []
+  if (!this.dryrun) {
+    installSteps.push(
+      [this.newTracker(log, 'runTopLevelLifecycles', 2)],
+      [this, this.runPreinstallTopLevelLifecycles])
+  }
   installSteps.push(
     [this.newTracker(log, 'loadCurrentTree', 4)],
     [this, this.loadCurrentTree],
@@ -265,9 +277,6 @@ Installer.prototype.run = function (_cb) {
     [this, this.debugActions, 'decomposeActions', 'todo'])
   if (!this.dryrun) {
     installSteps.push(
-      [this.newTracker(log, 'runTopLevelLifecycles', 2)],
-      [this, this.runPreinstallTopLevelLifecycles],
-
       [this.newTracker(log, 'executeActions', 8)],
       [this, this.executeActions],
       [this, this.finishTracker, 'executeActions'])
@@ -313,9 +322,9 @@ Installer.prototype.run = function (_cb) {
 }
 
 Installer.prototype.loadArgMetadata = function (next) {
-  var self = this
-  getAllMetadata(this.args, this.currentTree, process.cwd(), iferr(next, function (args) {
-    self.args = args
+  getAllMetadata(this.args, this.currentTree, process.cwd(), iferr(next, (args) => {
+    this.args = args
+    if (args.length) this.fakeChildren = false
     next()
   }))
 }
@@ -354,6 +363,14 @@ var flatNameFromTree = require('./install/flatten-tree.js').flatNameFromTree
 Installer.prototype.normalizeCurrentTree = function (cb) {
   this.currentTree.isTop = true
   normalizeTree(this.currentTree)
+  // If the user didn't have a package.json then fill in deps with what was on disk
+  if (this.currentTree.error) {
+    for (let child of this.currentTree.children) {
+      if (!child.fakeChild && isExtraneous(child)) {
+        this.currentTree.package.dependencies[child.package.name] = computeVersionSpec(this.currentTree, child)
+      }
+    }
+  }
   return cb()
 
   function normalizeTree (tree) {
@@ -386,9 +403,9 @@ Installer.prototype.loadIdealTree = function (cb) {
 
 Installer.prototype.pruneIdealTree = function (cb) {
   var toPrune = this.idealTree.children
-    .filter((n) => !n.fromShrinkwrap && isExtraneous(n))
+    .filter((n) => !n.fakeChild && isExtraneous(n))
     .map((n) => ({name: moduleName(n)}))
-  return removeDeps(toPrune, this.idealTree, null, log.newGroup('pruneDeps'), cb)
+  return removeExtraneous(toPrune, this.idealTree, cb)
 }
 
 Installer.prototype.loadAllDepsIntoIdealTree = function (cb) {
@@ -400,14 +417,14 @@ Installer.prototype.loadAllDepsIntoIdealTree = function (cb) {
   var installNewModules = !!this.args.length
   var steps = []
 
+  const depsToPreload = Object.assign({},
+    this.dev ? this.idealTree.package.devDependencies : {},
+    this.prod ? this.idealTree.package.dependencies : {}
+  )
   if (installNewModules) {
     steps.push([validateArgs, this.idealTree, this.args])
     steps.push([loadRequestedDeps, this.args, this.idealTree, saveDeps, cg.newGroup('loadRequestedDeps')])
   } else {
-    const depsToPreload = Object.assign({},
-      this.dev ? this.idealTree.package.devDependencies : {},
-      this.prod ? this.idealTree.package.dependencies : {}
-    )
     if (this.prod || this.dev) {
       steps.push(
         [prefetchDeps, this.idealTree, depsToPreload, cg.newGroup('prefetchDeps')])
@@ -549,13 +566,16 @@ Installer.prototype.runPreinstallTopLevelLifecycles = function (cb) {
   if (this.failing) return cb()
   if (!this.topLevelLifecycles) return cb()
   log.silly('install', 'runPreinstallTopLevelLifecycles')
-  var steps = []
-  var trackLifecycle = this.progress.runTopLevelLifecycles
 
-  steps.push(
-    [doOneAction, 'preinstall', this.idealTree.path, this.idealTree, trackLifecycle.newGroup('preinstall:.')]
-  )
-  chain(steps, cb)
+  readPackageJson(path.join(this.where, 'package.json'), log, false, (err, data) => {
+    if (err) return cb()
+    this.currentTree = createNode({
+      isTop: true,
+      package: data,
+      path: this.where
+    })
+    doOneAction('preinstall', this.where, this.currentTree, log.newGroup('preinstall:.'), cb)
+  })
 }
 
 Installer.prototype.runPostinstallTopLevelLifecycles = function (cb) {
@@ -581,7 +601,7 @@ Installer.prototype.saveToDependencies = function (cb) {
   validate('F', arguments)
   if (this.failing) return cb()
   log.silly('install', 'saveToDependencies')
-  saveRequested(this.args, this.idealTree, cb)
+  saveRequested(this.idealTree, cb)
 }
 
 Installer.prototype.readGlobalPackageData = function (cb) {
@@ -655,7 +675,7 @@ function isLink (child) {
 Installer.prototype.loadShrinkwrap = function (cb) {
   validate('F', arguments)
   log.silly('install', 'loadShrinkwrap')
-  readShrinkwrap.andInflate(this.idealTree, cb)
+  readShrinkwrap.andInflate(this.idealTree, {fakeChildren: this.fakeChildren}, cb)
 }
 
 Installer.prototype.getInstalledModules = function () {
@@ -693,21 +713,22 @@ Installer.prototype.printInstalled = function (cb) {
   validate('F', arguments)
   if (this.failing) return cb()
   log.silly('install', 'printInstalled')
+  const diffs = this.differences.concat((this.idealTree.removedChildren || []).map((r) => ['remove', r]))
   if (npm.config.get('json')) {
-    return this.printInstalledForJSON(cb)
+    return this.printInstalledForJSON(diffs, cb)
   } else if (npm.config.get('parseable')) {
-    return this.printInstalledForParseable(cb)
+    return this.printInstalledForParseable(diffs, cb)
   } else {
-    return this.printInstalledForHuman(cb)
+    return this.printInstalledForHuman(diffs, cb)
   }
 }
 
-Installer.prototype.printInstalledForHuman = function (cb) {
+Installer.prototype.printInstalledForHuman = function (diffs, cb) {
   var removed = 0
   var added = 0
   var updated = 0
   var moved = 0
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     if (mutation === 'remove') {
       ++removed
@@ -743,7 +764,7 @@ Installer.prototype.printInstalledForHuman = function (cb) {
   }
 }
 
-Installer.prototype.printInstalledForJSON = function (cb) {
+Installer.prototype.printInstalledForJSON = function (diffs, cb) {
   var result = {
     added: [],
     removed: [],
@@ -764,7 +785,7 @@ Installer.prototype.printInstalledForJSON = function (cb) {
     }
     result.warnings.push(message)
   })
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     var child = action[1]
     var record = recordAction(action)
@@ -805,9 +826,9 @@ Installer.prototype.printInstalledForJSON = function (cb) {
   }
 }
 
-Installer.prototype.printInstalledForParseable = function (cb) {
+Installer.prototype.printInstalledForParseable = function (diffs, cb) {
   var self = this
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     var child = action[1]
     if (mutation === 'move') {
@@ -819,7 +840,7 @@ Installer.prototype.printInstalledForParseable = function (cb) {
       mutation + '\t' +
       moduleName(child) + '\t' +
       (child.package ? child.package.version : '') + '\t' +
-      path.relative(self.where, child.path) + '\t' +
+      (child.path ? path.relative(self.where, child.path) : '') + '\t' +
       (previousVersion || '') + '\t' +
       (previousPath || ''))
   })
diff --git a/deps/npm/lib/install/action/extract.js b/deps/npm/lib/install/action/extract.js
index 7839177850fe84..437d7e57f78ffa 100644
--- a/deps/npm/lib/install/action/extract.js
+++ b/deps/npm/lib/install/action/extract.js
@@ -10,22 +10,19 @@ const moduleName = require('../../utils/module-name.js')
 const moduleStagingPath = require('../module-staging-path.js')
 const move = BB.promisify(require('../../utils/move.js'))
 const npa = require('npm-package-arg')
-const npm = require('../../npm.js')
 const packageId = require('../../utils/package-id.js')
 const pacote = require('pacote')
-const pacoteOpts = require('../../config/pacote')
+let pacoteOpts
 const path = require('path')
 
 module.exports = extract
 function extract (staging, pkg, log) {
   log.silly('extract', packageId(pkg))
-  const up = npm.config.get('unsafe-perm')
-  const user = up ? null : npm.config.get('user')
-  const group = up ? null : npm.config.get('group')
   const extractTo = moduleStagingPath(staging, pkg)
+  if (!pacoteOpts) {
+    pacoteOpts = require('../../config/pacote')
+  }
   const opts = pacoteOpts({
-    uid: user,
-    gid: group,
     integrity: pkg.package._integrity
   })
   return pacote.extract(
diff --git a/deps/npm/lib/install/action/finalize.js b/deps/npm/lib/install/action/finalize.js
index 1e86475710815e..ba38e602f82d8d 100644
--- a/deps/npm/lib/install/action/finalize.js
+++ b/deps/npm/lib/install/action/finalize.js
@@ -23,10 +23,11 @@ module.exports = function (staging, pkg, log) {
 
   const requested = pkg.package._requested || getRequested(pkg)
   if (requested.type === 'directory') {
+    const relative = path.relative(path.dirname(pkg.path), pkg.realpath)
     return makeParentPath(pkg.path)
-      .then(() => symlink(pkg.realpath, pkg.path, 'junction'))
+      .then(() => symlink(relative, pkg.path, 'junction'))
       .catch((ex) => {
-        return rimraf(pkg.path).then(() => symlink(pkg.realpath, pkg.path, 'junction'))
+        return rimraf(pkg.path).then(() => symlink(relative, pkg.path, 'junction'))
       })
   } else {
     return makeParentPath(pkg.realpath)
diff --git a/deps/npm/lib/install/action/preinstall.js b/deps/npm/lib/install/action/preinstall.js
index a6f85b0a5a2eb2..a16082ef7303da 100644
--- a/deps/npm/lib/install/action/preinstall.js
+++ b/deps/npm/lib/install/action/preinstall.js
@@ -1,9 +1,8 @@
 'use strict'
 var lifecycle = require('../../utils/lifecycle.js')
 var packageId = require('../../utils/package-id.js')
-var moduleStagingPath = require('../module-staging-path.js')
 
 module.exports = function (staging, pkg, log, next) {
   log.silly('preinstall', packageId(pkg))
-  lifecycle(pkg.package, 'preinstall', moduleStagingPath(staging, pkg), false, false, next)
+  lifecycle(pkg.package, 'preinstall', pkg.path, false, false, next)
 }
diff --git a/deps/npm/lib/install/action/refresh-package-json.js b/deps/npm/lib/install/action/refresh-package-json.js
index 337be0caf23997..6910803451048b 100644
--- a/deps/npm/lib/install/action/refresh-package-json.js
+++ b/deps/npm/lib/install/action/refresh-package-json.js
@@ -10,13 +10,13 @@ module.exports = function (staging, pkg, log) {
 
   return readJson(path.join(pkg.path, 'package.json'), false).then((metadata) => {
     Object.keys(pkg.package).forEach(function (key) {
-      if (key !== '_injectedFromShrinkwrap' && !isEmpty(pkg.package[key])) {
+      if (!isEmpty(pkg.package[key])) {
         metadata[key] = pkg.package[key]
-        if (key === '_resolved' && metadata[key] == null && pkg.package._injectedFromShrinkwrap) {
-          metadata[key] = pkg.package._injectedFromShrinkwrap.resolved
-        }
       }
     })
+    if (metadata._resolved == null && pkg.fakeChild) {
+      metadata._resolved = pkg.fakeChild.resolved
+    }
     // These two sneak in and it's awful
     delete metadata.readme
     delete metadata.readmeFilename
diff --git a/deps/npm/lib/install/deps.js b/deps/npm/lib/install/deps.js
index 3f3433535f0cd5..c0fe905d4ba01a 100644
--- a/deps/npm/lib/install/deps.js
+++ b/deps/npm/lib/install/deps.js
@@ -183,7 +183,9 @@ function packageRelativePath (tree) {
   if (!tree) return ''
   var requested = tree.package._requested || {}
   var isLocal = requested.type === 'directory' || requested.type === 'file'
-  return isLocal ? requested.fetchSpec : tree.path
+  return isLocal ? requested.fetchSpec
+       : (tree.isLink || tree.isInLink) && !preserveSymlinks() ? tree.realpath
+       : tree.path
 }
 
 function matchingDep (tree, name) {
@@ -227,14 +229,24 @@ exports.loadRequestedDeps = function (args, tree, saveToDependencies, log, next)
       }
       var childName = moduleName(child)
       child.saveSpec = computeVersionSpec(tree, child)
-      if (saveToDependencies) {
-        tree.package[getSaveType(tree, child)][childName] = child.saveSpec
-      }
-      if (getSaveType(tree, child) === 'optionalDependencies') {
-        tree.package.dependencies[childName] = child.saveSpec
-      }
       child.userRequired = true
-      child.save = saveToDependencies
+      child.save = getSaveType(tree, child)
+      const types = ['dependencies', 'devDependencies', 'optionalDependencies']
+      if (child.save) {
+        tree.package[child.save][childName] = child.saveSpec
+        // Astute readers might notice that this exact same code exists in
+        // save.js under a different guise. That code is responsible for deps
+        // being removed from the final written `package.json`. The removal in
+        // this function is specifically to prevent "installed as both X and Y"
+        // warnings when moving an existing dep between different dep fields.
+        //
+        // Or, try it by removing this loop, and do `npm i -P x && npm i -D x`
+        for (let saveType of types) {
+          if (child.save !== saveType) {
+            delete tree.package[saveType][childName]
+          }
+        }
+      }
 
       // For things the user asked to install, that aren't a dependency (or
       // won't be when we're done), flag it as "depending" on the user
@@ -246,9 +258,17 @@ exports.loadRequestedDeps = function (args, tree, saveToDependencies, log, next)
   }, andForEachChild(loadDeps, andFinishTracker(log, next)))
 }
 
+module.exports.computeVersionSpec = computeVersionSpec
 function computeVersionSpec (tree, child) {
   validate('OO', arguments)
-  var requested = child.package._requested
+  var requested
+  if (child.package._requested) {
+    requested = child.package._requested
+  } else if (child.package._from) {
+    requested = npa(child.package._from)
+  } else {
+    requested = npa.resolve(child.package.name, child.package.version)
+  }
   if (requested.registry) {
     var version = child.package.version
     var rangeDescriptor = ''
@@ -275,26 +295,38 @@ function noModuleNameMatches (name) {
 
 // while this implementation does not require async calling, doing so
 // gives this a consistent interface with loadDeps et al
-exports.removeDeps = function (args, tree, saveToDependencies, log, next) {
-  validate('AOOF', [args, tree, log, next])
-  args.forEach(function (pkg) {
+exports.removeDeps = function (args, tree, saveToDependencies, next) {
+  validate('AOSF|AOZF', [args, tree, saveToDependencies, next])
+  for (let pkg of args) {
     var pkgName = moduleName(pkg)
     var toRemove = tree.children.filter(moduleNameMatches(pkgName))
     var pkgToRemove = toRemove[0] || createChild({package: {name: pkgName}})
-    if (tree.isTop) {
-      if (saveToDependencies) {
-        pkgToRemove.save = getSaveType(tree, pkg)
-        delete tree.package[pkgToRemove.save][pkgName]
-        if (pkgToRemove.save === 'optionalDependencies') {
-          delete tree.package.dependencies[pkgName]
-        }
-        replaceModuleByPath(tree, 'removed', pkgToRemove)
+    var saveType = getSaveType(tree, pkg) || 'dependencies'
+    if (tree.isTop && saveToDependencies) {
+      pkgToRemove.save = saveType
+    }
+    if (tree.package[saveType][pkgName]) {
+      delete tree.package[saveType][pkgName]
+      if (saveType === 'optionalDependencies' && tree.package.dependencies[pkgName]) {
+        delete tree.package.dependencies[pkgName]
       }
-      pkgToRemove.requiredBy = pkgToRemove.requiredBy.filter((parent) => parent !== tree)
     }
-    if (pkgToRemove.requiredBy.length === 0) removeObsoleteDep(pkgToRemove)
-  })
-  log.finish()
+    replaceModuleByPath(tree, 'removedChildren', pkgToRemove)
+    for (let parent of pkgToRemove.requiredBy) {
+      parent.requires = parent.requires.filter((child) => child !== pkgToRemove)
+    }
+    pkgToRemove.requiredBy = pkgToRemove.requiredBy.filter((parent) => parent !== tree)
+  }
+  next()
+}
+exports.removeExtraneous = function (args, tree, next) {
+  for (let pkg of args) {
+    var pkgName = moduleName(pkg)
+    var toRemove = tree.children.filter(moduleNameMatches(pkgName))
+    if (toRemove.length) {
+      removeObsoleteDep(toRemove[0])
+    }
+  }
   next()
 }
 
@@ -639,6 +671,13 @@ var findRequirement = exports.findRequirement = function (tree, name, requested,
   return findRequirement(tree.parent, name, requested, requestor)
 }
 
+function preserveSymlinks () {
+  if (!('NODE_PRESERVE_SYMLINKS' in process.env)) return false
+  const value = process.env.NODE_PRESERVE_SYMLINKS
+  if (value == null || value === '' || value === 'false' || value === 'no' || value === '0') return false
+  return true
+}
+
 // Find the highest level in the tree that we can install this module in.
 // If the module isn't installed above us yet, that'd be the very top.
 // If it is, then it's the level below where its installed.
@@ -670,7 +709,7 @@ var earliestInstallable = exports.earliestInstallable = function (requiredBy, tr
 
   var devDeps = tree.package.devDependencies || {}
   if (tree.isTop && devDeps[pkg.name]) {
-    var requested = npa.resolve(pkg.name, devDeps[pkg.name], tree.path)
+    var requested = childDependencySpecifier(tree, pkg.name, devDeps[pkg.name])
     if (!doesChildVersionMatch({package: pkg}, requested, tree)) {
       return null
     }
@@ -684,7 +723,7 @@ var earliestInstallable = exports.earliestInstallable = function (requiredBy, tr
   if (npm.config.get('global-style') && tree.parent.isTop) return tree
   if (npm.config.get('legacy-bundling')) return tree
 
-  if (!process.env.NODE_PRESERVE_SYMLINKS && /^[.][.][\\/]/.test(path.relative(tree.parent.realpath, tree.realpath))) return tree
+  if (!preserveSymlinks() && /^[.][.][\\/]/.test(path.relative(tree.parent.realpath, tree.realpath))) return tree
 
   return (earliestInstallable(requiredBy, tree.parent, pkg) || tree)
 }
diff --git a/deps/npm/lib/install/inflate-shrinkwrap.js b/deps/npm/lib/install/inflate-shrinkwrap.js
index 9878b0f19a29b9..8cb75626bb5d77 100644
--- a/deps/npm/lib/install/inflate-shrinkwrap.js
+++ b/deps/npm/lib/install/inflate-shrinkwrap.js
@@ -2,10 +2,10 @@
 
 const BB = require('bluebird')
 
-const addBundled = BB.promisify(require('../fetch-package-metadata.js').addBundled)
+let addBundled
 const childPath = require('../utils/child-path.js')
 const createChild = require('./node.js').create
-const fetchPackageMetadata = BB.promisify(require('../fetch-package-metadata.js'))
+let fetchPackageMetadata
 const inflateBundled = require('./inflate-bundled.js')
 const moduleName = require('../utils/module-name.js')
 const normalizePackageData = require('normalize-package-data')
@@ -14,17 +14,28 @@ const realizeShrinkwrapSpecifier = require('./realize-shrinkwrap-specifier.js')
 const validate = require('aproba')
 const path = require('path')
 
-module.exports = function (tree, swdeps, finishInflating) {
-  if (!npm.config.get('shrinkwrap')) return finishInflating()
+module.exports = function (tree, swdeps, opts, finishInflating) {
+  if (!fetchPackageMetadata) {
+    fetchPackageMetadata = BB.promisify(require('../fetch-package-metadata.js'))
+    addBundled = BB.promisify(fetchPackageMetadata.addBundled)
+  }
+  if (!npm.config.get('shrinkwrap') || !npm.config.get('package-lock')) {
+    return finishInflating()
+  }
+  if (arguments.length === 3) {
+    finishInflating = opts
+    opts = {}
+  }
   tree.loaded = true
-  return inflateShrinkwrap(tree.path, tree, swdeps).then(
+  return inflateShrinkwrap(tree.path, tree, swdeps, opts).then(
     () => finishInflating(),
     finishInflating
   )
 }
 
-function inflateShrinkwrap (topPath, tree, swdeps) {
-  validate('SOO', arguments)
+function inflateShrinkwrap (topPath, tree, swdeps, opts) {
+  validate('SOO|SOOO', arguments)
+  if (!opts) opts = {}
   const onDisk = {}
   tree.children.forEach((child) => {
     onDisk[moduleName(child)] = child
@@ -43,7 +54,7 @@ function inflateShrinkwrap (topPath, tree, swdeps) {
     const dependencies = sw.dependencies || {}
     const requested = realizeShrinkwrapSpecifier(name, sw, topPath)
     return inflatableChild(
-      onDisk[name], name, topPath, tree, sw, requested
+      onDisk[name], name, topPath, tree, sw, requested, opts
     ).then((child) => {
       return inflateShrinkwrap(topPath, child, dependencies)
     })
@@ -58,8 +69,8 @@ function normalizePackageDataNoErrors (pkg) {
   }
 }
 
-function inflatableChild (onDiskChild, name, topPath, tree, sw, requested) {
-  validate('OSSOOO|ZSSOOO', arguments)
+function inflatableChild (onDiskChild, name, topPath, tree, sw, requested, opts) {
+  validate('OSSOOOO|ZSSOOOO', arguments)
   if (onDiskChild && childIsEquivalent(sw, requested, onDiskChild)) {
     // The version on disk matches the shrinkwrap entry.
     if (!onDiskChild.fromShrinkwrap) onDiskChild.fromShrinkwrap = true
@@ -77,7 +88,7 @@ function inflatableChild (onDiskChild, name, topPath, tree, sw, requested) {
     normalizePackageDataNoErrors(onDiskChild.package)
     tree.children.push(onDiskChild)
     return BB.resolve(onDiskChild)
-  } else if (sw.version && sw.integrity) {
+  } else if (opts.fakeChildren !== false && sw.version && sw.integrity) {
     // The shrinkwrap entry has an integrity field. We can fake a pkg to get
     // the installer to do a content-address fetch from the cache, if possible.
     return BB.resolve(makeFakeChild(name, topPath, tree, sw, requested))
@@ -101,8 +112,7 @@ function makeFakeChild (name, topPath, tree, sw, requested) {
     _from: from,
     _spec: requested.rawSpec,
     _where: topPath,
-    _args: [[requested.toString(), topPath]],
-    _injectedFromShrinkwrap: sw
+    _args: [[requested.toString(), topPath]]
   }
   let bundleAdded = BB.resolve()
   if (Object.keys(sw.dependencies || {}).some((d) => {
@@ -118,6 +128,7 @@ function makeFakeChild (name, topPath, tree, sw, requested) {
       parent: tree,
       children: pkg._bundled || [],
       fromShrinkwrap: true,
+      fakeChild: sw,
       fromBundle: sw.bundled ? tree.fromBundle || tree : null,
       path: childPath(tree.path, pkg),
       realpath: childPath(tree.realpath, pkg),
diff --git a/deps/npm/lib/install/is-extraneous.js b/deps/npm/lib/install/is-extraneous.js
index f0d599965fe598..a6477c23744079 100644
--- a/deps/npm/lib/install/is-extraneous.js
+++ b/deps/npm/lib/install/is-extraneous.js
@@ -6,14 +6,6 @@ function isExtraneous (tree) {
   return result
 }
 
-function isNotRequired (tree) {
-  return tree.requiredBy && tree.requiredBy.length === 0
-}
-
-function parentHasNoPjson (tree) {
-  return tree.parent && tree.parent.isTop && tree.parent.error
-}
-
 function topHasNoPjson (tree) {
   var top = tree
   while (!top.isTop) top = top.parent
@@ -24,8 +16,6 @@ function isNotExtraneous (tree, isCycle) {
   if (!isCycle) isCycle = {}
   if (tree.isTop || tree.userRequired) {
     return true
-  } else if (isNotRequired(tree) && parentHasNoPjson(tree)) {
-    return true
   } else if (isCycle[tree.path]) {
     return topHasNoPjson(tree)
   } else {
diff --git a/deps/npm/lib/install/mutate-into-logical-tree.js b/deps/npm/lib/install/mutate-into-logical-tree.js
index 491f20913cb2d9..018745cc5ffa49 100644
--- a/deps/npm/lib/install/mutate-into-logical-tree.js
+++ b/deps/npm/lib/install/mutate-into-logical-tree.js
@@ -7,6 +7,7 @@ var isExtraneous = require('./is-extraneous.js')
 var validateAllPeerDeps = require('./deps.js').validateAllPeerDeps
 var packageId = require('../utils/package-id.js')
 var moduleName = require('../utils/module-name.js')
+var npm = require('../npm.js')
 
 // Return true if tree is a part of a cycle that:
 //   A) Never connects to the top of the tree
@@ -128,7 +129,7 @@ function translateTree_ (tree, seen) {
   pkg.path = tree.path
 
   pkg.error = tree.error
-  pkg.extraneous = isExtraneous(tree)
+  pkg.extraneous = !tree.isTop && (!tree.parent.isTop || !tree.parent.error) && !npm.config.get('global') && isExtraneous(tree)
   if (tree.target && tree.parent && !tree.parent.target) pkg.link = tree.realpath
   return pkg
 }
diff --git a/deps/npm/lib/install/read-shrinkwrap.js b/deps/npm/lib/install/read-shrinkwrap.js
index 913c303482a596..de398fb40b878d 100644
--- a/deps/npm/lib/install/read-shrinkwrap.js
+++ b/deps/npm/lib/install/read-shrinkwrap.js
@@ -9,7 +9,6 @@ const log = require('npmlog')
 const parseJSON = require('../utils/parse-json.js')
 const path = require('path')
 const PKGLOCK_VERSION = require('../npm.js').lockfileVersion
-const pkgSri = require('../utils/package-integrity.js')
 
 const readFileAsync = BB.promisify(fs.readFile)
 
@@ -34,14 +33,6 @@ function readShrinkwrap (child, next) {
           throw ex
         }
       }
-      if (
-        pkgJson &&
-        parsed &&
-        parsed.packageIntegrity &&
-        !pkgSri.check(JSON.parse(pkgJson), parsed.packageIntegrity)
-      ) {
-        log.info('read-shrinkwrap', `${name} will be updated because package.json does not match what it was generated against.`)
-      }
       if (parsed && parsed.lockfileVersion !== PKGLOCK_VERSION) {
         log.warn('read-shrinkwrap', `This version of npm is compatible with lockfileVersion@${PKGLOCK_VERSION}, but ${name} was generated for lockfileVersion@${parsed.lockfileVersion || 0}. I'll try to do my best with it!`)
       }
@@ -56,10 +47,14 @@ function maybeReadFile (name, child) {
   ).catch({code: 'ENOENT'}, () => null)
 }
 
-module.exports.andInflate = function (child, next) {
+module.exports.andInflate = function (child, opts, next) {
+  if (arguments.length === 2) {
+    next = opts
+    opts = {}
+  }
   readShrinkwrap(child, iferr(next, function () {
     if (child.package._shrinkwrap) {
-      return inflateShrinkwrap(child, child.package._shrinkwrap.dependencies || {}, next)
+      return inflateShrinkwrap(child, child.package._shrinkwrap.dependencies || {}, opts, next)
     } else {
       return next()
     }
diff --git a/deps/npm/lib/install/save.js b/deps/npm/lib/install/save.js
index 5d5f4e7f7a920b..56a4a892ad4ee3 100644
--- a/deps/npm/lib/install/save.js
+++ b/deps/npm/lib/install/save.js
@@ -19,9 +19,9 @@ const writeFileAtomic = require('write-file-atomic')
 // if the -S|--save option is specified, then write installed packages
 // as dependencies to a package.json file.
 
-exports.saveRequested = function (args, tree, andReturn) {
-  validate('AOF', arguments)
-  savePackageJson(args, tree, andWarnErrors(andSaveShrinkwrap(tree, andReturn)))
+exports.saveRequested = function (tree, andReturn) {
+  validate('OF', arguments)
+  savePackageJson(tree, andWarnErrors(andSaveShrinkwrap(tree, andReturn)))
 }
 
 function andSaveShrinkwrap (tree, andReturn) {
@@ -43,13 +43,14 @@ function andWarnErrors (cb) {
 
 function saveShrinkwrap (tree, next) {
   validate('OF', arguments)
+  if (!npm.config.get('shrinkwrap') || !npm.config.get('package-lock')) {
+    next()
+  }
   createShrinkwrap(tree, {silent: false}, next)
 }
 
-function savePackageJson (args, tree, next) {
-  validate('AOF', arguments)
-  if (!args || !args.length) { return next() }
-
+function savePackageJson (tree, next) {
+  validate('OF', arguments)
   var saveBundle = npm.config.get('save-bundle')
 
   // each item in the tree is a top-level thing that should be saved
@@ -84,8 +85,23 @@ function savePackageJson (args, tree, next) {
     })
 
     log.verbose('saving', toSave)
+    const types = ['dependencies', 'devDependencies', 'optionalDependencies']
     toSave.forEach(function (pkg) {
       tree.package[pkg.save][pkg.name] = pkg.spec
+      const movedFrom = []
+      for (let saveType of types) {
+        if (
+          pkg.save !== saveType &&
+          tree.package[saveType] &&
+          tree.package[saveType][pkg.name]
+        ) {
+          movedFrom.push(saveType)
+          delete tree.package[saveType][pkg.name]
+        }
+      }
+      if (movedFrom.length) {
+        log.notice('save', `${pkg.name} is being moved from ${movedFrom.join(' and ')} to ${pkg.save}`)
+      }
       if (saveBundle) {
         var ii = bundle.indexOf(pkg.name)
         if (ii === -1) bundle.push(pkg.name)
@@ -116,6 +132,7 @@ exports.getSaveType = function (tree, arg) {
   var globalInstall = npm.config.get('global')
   var noSaveFlags = !npm.config.get('save') &&
                     !npm.config.get('save-dev') &&
+                    !npm.config.get('save-prod') &&
                     !npm.config.get('save-optional')
   if (globalInstall || noSaveFlags) return null
 
@@ -123,6 +140,8 @@ exports.getSaveType = function (tree, arg) {
     return 'optionalDependencies'
   } else if (npm.config.get('save-dev')) {
     return 'devDependencies'
+  } else if (npm.config.get('save-prod')) {
+    return 'dependencies'
   } else {
     if (arg) {
       var name = moduleName(arg)
@@ -152,8 +171,8 @@ function getThingsToSave (tree) {
 
 function getThingsToRemove (tree) {
   validate('O', arguments)
-  if (!tree.removed) return []
-  var toRemove = tree.removed.map(function (child) {
+  if (!tree.removedChildren) return []
+  var toRemove = tree.removedChildren.map(function (child) {
     return {
       name: moduleName(child),
       save: child.save
diff --git a/deps/npm/lib/pack.js b/deps/npm/lib/pack.js
index 68c6030ee894b4..075a672d66f212 100644
--- a/deps/npm/lib/pack.js
+++ b/deps/npm/lib/pack.js
@@ -8,16 +8,19 @@ const BB = require('bluebird')
 
 const cache = require('./cache')
 const cacache = require('cacache')
+const cp = require('child_process')
 const deprCheck = require('./utils/depr-check')
-const fpm = BB.promisify(require('./fetch-package-metadata'))
+const fpm = require('./fetch-package-metadata')
 const fs = require('graceful-fs')
 const install = require('./install')
 const lifecycle = BB.promisify(require('./utils/lifecycle'))
+const log = require('npmlog')
 const move = require('move-concurrently')
 const npm = require('./npm')
 const output = require('./utils/output')
 const pacoteOpts = require('./config/pacote')
 const path = require('path')
+const PassThrough = require('stream').PassThrough
 const pathIsInside = require('path-is-inside')
 const pipe = BB.promisify(require('mississippi').pipe)
 const prepublishWarning = require('./utils/warn-deprecated')('prepublish-on-install')
@@ -53,7 +56,7 @@ function pack (args, silent, cb) {
 
 // add to cache, then cp to the cwd
 function pack_ (pkg, dir) {
-  return fpm(pkg, dir).then((mani) => {
+  return BB.fromNode((cb) => fpm(pkg, dir, cb)).then((mani) => {
     let name = mani.name[0] === '@'
     // scoped packages get special treatment
     ? mani.name.substr(1).replace(/\//g, '-')
@@ -108,10 +111,111 @@ function prepareDirectory (dir) {
 module.exports.packDirectory = packDirectory
 function packDirectory (mani, dir, target) {
   deprCheck(mani)
-  return cacache.tmp.withTmp(npm.tmp, {tmpPrefix: 'packing'}, (tmp) => {
-    const tmpTarget = path.join(tmp, path.basename(target))
-    return tarPack(tmpTarget, dir, mani).then(() => {
-      return move(tmpTarget, target, {Promise: BB, fs})
-    }).then(() => target)
+  return readJson(path.join(dir, 'package.json')).then((pkg) => {
+    return lifecycle(pkg, 'prepack', dir)
+  }).then(() => {
+    return readJson(path.join(dir, 'package.json'))
+  }).then((pkg) => {
+    return cacache.tmp.withTmp(npm.tmp, {tmpPrefix: 'packing'}, (tmp) => {
+      const tmpTarget = path.join(tmp, path.basename(target))
+      return tarPack(tmpTarget, dir, pkg).then(() => {
+        return move(tmpTarget, target, {Promise: BB, fs})
+      }).then(() => {
+        return lifecycle(pkg, 'postpack', dir)
+      }).then(() => target)
+    })
   })
 }
+
+const PASSTHROUGH_OPTS = [
+  'always-auth',
+  'auth-type',
+  'ca',
+  'cafile',
+  'cert',
+  'git',
+  'local-address',
+  'maxsockets',
+  'offline',
+  'prefer-offline',
+  'prefer-online',
+  'proxy',
+  'https-proxy',
+  'registry',
+  'send-metrics',
+  'sso-poll-frequency',
+  'sso-type',
+  'strict-ssl'
+]
+
+module.exports.packGitDep = packGitDep
+function packGitDep (manifest, dir) {
+  const stream = new PassThrough()
+  readJson(path.join(dir, 'package.json')).then((pkg) => {
+    if (pkg.scripts && pkg.scripts.prepare) {
+      log.verbose('prepareGitDep', `${manifest._spec}: installing devDeps and running prepare script.`)
+      const cliArgs = PASSTHROUGH_OPTS.reduce((acc, opt) => {
+        if (npm.config.get(opt, 'cli') != null) {
+          acc.push(`--${opt}=${npm.config.get(opt)}`)
+        }
+        return acc
+      }, [])
+      const child = cp.spawn(process.env.NODE || process.execPath, [
+        require.main.filename,
+        'install',
+        '--ignore-prepublish',
+        '--no-progress',
+        '--no-save'
+      ].concat(cliArgs), {
+        cwd: dir,
+        env: process.env
+      })
+      let errData = []
+      let errDataLen = 0
+      let outData = []
+      let outDataLen = 0
+      child.stdout.on('data', (data) => {
+        outData.push(data)
+        outDataLen += data.length
+        log.gauge.pulse('preparing git package')
+      })
+      child.stderr.on('data', (data) => {
+        errData.push(data)
+        errDataLen += data.length
+        log.gauge.pulse('preparing git package')
+      })
+      return BB.fromNode((cb) => {
+        child.on('error', cb)
+        child.on('exit', (code, signal) => {
+          if (code > 0) {
+            const err = new Error(`${signal}: npm exited with code ${code} while attempting to build ${manifest._requested}. Clone the repository manually and run 'npm install' in it for more information.`)
+            err.code = code
+            err.signal = signal
+            cb(err)
+          } else {
+            cb()
+          }
+        })
+      }).then(() => {
+        if (outDataLen > 0) log.silly('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
+        if (errDataLen > 0) log.silly('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
+      }, (err) => {
+        if (outDataLen > 0) log.error('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
+        if (errDataLen > 0) log.error('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
+        throw err
+      })
+    }
+  }).then(() => {
+    return readJson(path.join(dir, 'package.json'))
+  }).then((pkg) => {
+    return cacache.tmp.withTmp(npm.tmp, {
+      tmpPrefix: 'pacote-packing'
+    }, (tmp) => {
+      const tmpTar = path.join(tmp, 'package.tgz')
+      return packDirectory(manifest, dir, tmpTar).then(() => {
+        return pipe(fs.createReadStream(tmpTar), stream)
+      })
+    })
+  }).catch((err) => stream.emit('error', err))
+  return stream
+}
diff --git a/deps/npm/lib/prune.js b/deps/npm/lib/prune.js
index 39d1c8ffb7571c..6027745383e47a 100644
--- a/deps/npm/lib/prune.js
+++ b/deps/npm/lib/prune.js
@@ -26,6 +26,7 @@ function prune (args, cb) {
 
 function Pruner (where, dryrun, args) {
   Installer.call(this, where, dryrun, args)
+  this.fakeChildren = false
 }
 util.inherits(Pruner, Installer)
 
@@ -59,7 +60,7 @@ Pruner.prototype.loadAllDepsIntoIdealTree = function (cb) {
   var toPrune = this.idealTree.children.filter(shouldPrune).map(getModuleName).filter(matchesArg).map(nameObj)
 
   steps.push(
-    [removeDeps, toPrune, this.idealTree, null, cg.newGroup('removeDeps')],
+    [removeDeps, toPrune, this.idealTree, null],
     [loadExtraneous, this.idealTree, cg.newGroup('loadExtraneous')])
   chain(steps, cb)
 }
diff --git a/deps/npm/lib/publish.js b/deps/npm/lib/publish.js
index 49c98fb8e606ed..5d99bfd0893cf5 100644
--- a/deps/npm/lib/publish.js
+++ b/deps/npm/lib/publish.js
@@ -76,15 +76,23 @@ function publish_ (arg) {
 }
 
 function publishFromDirectory (arg) {
-  return pack.prepareDirectory(arg).tap((pkg) => {
+  // All this readJson is because any of the given scripts might modify the
+  // package.json in question, so we need to refresh after every step.
+  return pack.prepareDirectory(arg).then(() => {
+    return readJson(path.join(arg, 'package.json'))
+  }).then((pkg) => {
     return lifecycle(pkg, 'prepublishOnly', arg)
-  }).tap((pkg) => {
+  }).then(() => {
+    return readJson(path.join(arg, 'package.json'))
+  }).then((pkg) => {
     return cacache.tmp.withTmp(npm.tmp, {tmpPrefix: 'fromDir'}, (tmpDir) => {
       const target = path.join(tmpDir, 'package.tgz')
       return pack.packDirectory(pkg, arg, target).then(() => {
         return upload(arg, pkg, false, target)
       })
     })
+  }).then(() => {
+    return readJson(path.join(arg, 'package.json'))
   }).tap((pkg) => {
     return lifecycle(pkg, 'publish', arg)
   }).tap((pkg) => {
diff --git a/deps/npm/lib/shrinkwrap.js b/deps/npm/lib/shrinkwrap.js
index 75fe0dd95d20f0..428c12bba70233 100644
--- a/deps/npm/lib/shrinkwrap.js
+++ b/deps/npm/lib/shrinkwrap.js
@@ -9,7 +9,6 @@ const getRequested = require('./install/get-requested.js')
 const id = require('./install/deps.js')
 const iferr = require('iferr')
 const isDevDep = require('./install/is-dev-dep.js')
-const isExtraneous = require('./install/is-extraneous.js')
 const isOptDep = require('./install/is-opt-dep.js')
 const isProdDep = require('./install/is-prod-dep.js')
 const lifecycle = require('./utils/lifecycle.js')
@@ -17,9 +16,7 @@ const log = require('npmlog')
 const moduleName = require('./utils/module-name.js')
 const move = require('move-concurrently')
 const npm = require('./npm.js')
-const packageId = require('./utils/package-id.js')
 const path = require('path')
-const pkgSri = require('./utils/package-integrity.js')
 const readPackageTree = BB.promisify(require('read-package-tree'))
 const ssri = require('ssri')
 const validate = require('aproba')
@@ -92,33 +89,21 @@ function treeToShrinkwrap (tree) {
   var pkginfo = {}
   if (tree.package.name) pkginfo.name = tree.package.name
   if (tree.package.version) pkginfo.version = tree.package.version
-  var problems = []
   if (tree.children.length) {
-    shrinkwrapDeps(problems, pkginfo.dependencies = {}, tree, tree)
+    shrinkwrapDeps(pkginfo.dependencies = {}, tree, tree)
   }
-  if (problems.length) pkginfo.problems = problems
   return pkginfo
 }
 
-function shrinkwrapDeps (problems, deps, top, tree, seen) {
-  validate('AOOO', [problems, deps, top, tree])
+function shrinkwrapDeps (deps, top, tree, seen) {
+  validate('OOO', [deps, top, tree])
   if (!seen) seen = {}
   if (seen[tree.path]) return
   seen[tree.path] = true
-  Object.keys(tree.missingDeps).forEach(function (name) {
-    var invalid = tree.children.filter(function (dep) { return moduleName(dep) === name })[0]
-    if (invalid) {
-      problems.push('invalid: have ' + invalid.package._id + ' (expected: ' + tree.missingDeps[name] + ') ' + invalid.path)
-    } else if (!tree.package.optionalDependencies || !tree.package.optionalDependencies[name]) {
-      var topname = packageId(tree)
-      problems.push('missing: ' + name + '@' + tree.package.dependencies[name] +
-        (topname ? ', required by ' + topname : ''))
-    }
-  })
   tree.children.sort(function (aa, bb) { return moduleName(aa).localeCompare(moduleName(bb)) }).forEach(function (child) {
     var childIsOnlyDev = isOnlyDev(child)
-    if (child.package._injectedFromShrinkwrap) {
-      deps[moduleName(child)] = child.package._injectedFromShrinkwrap
+    if (child.fakeChild) {
+      deps[moduleName(child)] = child.fakeChild
       return
     }
     var pkginfo = deps[moduleName(child)] = {}
@@ -148,16 +133,9 @@ function shrinkwrapDeps (problems, deps, top, tree, seen) {
     }
     if (childIsOnlyDev) pkginfo.dev = true
     if (isOptional(child)) pkginfo.optional = true
-    if (isExtraneous(child)) {
-      problems.push('extraneous: ' + child.package._id + ' ' + child.path)
-    }
-    id.validatePeerDeps(child, function (tree, pkgname, version) {
-      problems.push('peer invalid: ' + pkgname + '@' + version +
-        ', required by ' + child.package._id)
-    })
     if (child.children.length) {
       pkginfo.dependencies = {}
-      shrinkwrapDeps(problems, pkginfo.dependencies, top, child, seen)
+      shrinkwrapDeps(pkginfo.dependencies, top, child, seen)
     }
   })
 }
@@ -205,7 +183,6 @@ function updateLockfileMetadata (pkginfo, pkgJson) {
   let metainfoWritten = false
   const metainfo = new Set([
     'lockfileVersion',
-    'packageIntegrity',
     'preserveSymlinks'
   ])
   Object.keys(pkginfo).forEach((k) => {
@@ -224,7 +201,6 @@ function updateLockfileMetadata (pkginfo, pkgJson) {
   }
   function writeMetainfo (pkginfo) {
     pkginfo.lockfileVersion = PKGLOCK_VERSION
-    pkginfo.packageIntegrity = pkgJson && pkgSri.hash(pkgJson)
     if (process.env.NODE_PRESERVE_SYMLINKS) {
       pkginfo.preserveSymlinks = process.env.NODE_PRESERVE_SYMLINKS
     }
diff --git a/deps/npm/lib/uninstall.js b/deps/npm/lib/uninstall.js
index 9e3d91ac40bc62..c181fdc4e8200e 100644
--- a/deps/npm/lib/uninstall.js
+++ b/deps/npm/lib/uninstall.js
@@ -2,24 +2,21 @@
 // remove a package.
 
 module.exports = uninstall
-module.exports.Uninstaller = Uninstaller
 
-var util = require('util')
-var path = require('path')
-var validate = require('aproba')
-var chain = require('slide').chain
-var readJson = require('read-package-json')
-var npm = require('./npm.js')
-var Installer = require('./install.js').Installer
-var getSaveType = require('./install/save.js').getSaveType
-var removeDeps = require('./install/deps.js').removeDeps
-var loadExtraneous = require('./install/deps.js').loadExtraneous
-var log = require('npmlog')
-var usage = require('./utils/usage')
+const path = require('path')
+const validate = require('aproba')
+const readJson = require('read-package-json')
+const iferr = require('iferr')
+const npm = require('./npm.js')
+const Installer = require('./install.js').Installer
+const getSaveType = require('./install/save.js').getSaveType
+const removeDeps = require('./install/deps.js').removeDeps
+const log = require('npmlog')
+const usage = require('./utils/usage')
 
 uninstall.usage = usage(
   'uninstall',
-  'npm uninstall [<@scope>/][@]... [--save|--save-dev|--save-optional]'
+  'npm uninstall [<@scope>/][@]... [--save-prod|--save-dev|--save-optional] [--no-save]'
 )
 
 uninstall.completion = require('./utils/completion/installed-shallow.js')
@@ -27,17 +24,18 @@ uninstall.completion = require('./utils/completion/installed-shallow.js')
 function uninstall (args, cb) {
   validate('AF', arguments)
   // the /path/to/node_modules/..
-  var dryrun = !!npm.config.get('dry-run')
+  const dryrun = !!npm.config.get('dry-run')
 
   if (args.length === 1 && args[0] === '.') args = []
-  args = args.filter(function (a) {
-    return path.resolve(a) !== where
-  })
 
-  var where = npm.config.get('global') || !args.length
+  const where = npm.config.get('global') || !args.length
             ? path.resolve(npm.globalDir, '..')
             : npm.prefix
 
+  args = args.filter(function (a) {
+    return path.resolve(a) !== where
+  })
+
   if (args.length) {
     new Uninstaller(where, dryrun, args).run(cb)
   } else {
@@ -50,29 +48,33 @@ function uninstall (args, cb) {
   }
 }
 
-function Uninstaller (where, dryrun, args) {
-  validate('SBA', arguments)
-  Installer.call(this, where, dryrun, args)
-}
-util.inherits(Uninstaller, Installer)
+class Uninstaller extends Installer {
+  constructor (where, dryrun, args) {
+    super(where, dryrun, args)
+    this.remove = []
+    this.fakeChildren = false
+  }
 
-Uninstaller.prototype.loadArgMetadata = function (next) {
-  this.args = this.args.map(function (arg) { return {name: arg} })
-  next()
-}
+  loadArgMetadata (next) {
+    this.args = this.args.map(function (arg) { return {name: arg} })
+    next()
+  }
 
-Uninstaller.prototype.loadAllDepsIntoIdealTree = function (cb) {
-  validate('F', arguments)
-  log.silly('uninstall', 'loadAllDepsIntoIdealTree')
-  var saveDeps = getSaveType()
+  loadAllDepsIntoIdealTree (cb) {
+    validate('F', arguments)
+    this.remove = this.args
+    this.args = []
+    log.silly('uninstall', 'loadAllDepsIntoIdealTree')
+    const saveDeps = getSaveType()
 
-  var cg = this.progress['loadIdealTree:loadAllDepsIntoIdealTree']
-  var steps = []
-  steps.push(
-    [removeDeps, this.args, this.idealTree, saveDeps, cg.newGroup('removeDeps')],
-    [loadExtraneous, this.idealTree, cg.newGroup('loadExtraneous')])
-  chain(steps, cb)
+    super.loadAllDepsIntoIdealTree(iferr(cb, () => {
+      removeDeps(this.remove, this.idealTree, saveDeps, cb)
+    }))
+  }
+
+  // no top level lifecycles on rm
+  runPreinstallTopLevelLifecycles (cb) { cb() }
+  runPostinstallTopLevelLifecycles (cb) { cb() }
 }
 
-Uninstaller.prototype.runPreinstallTopLevelLifecycles = function (cb) { cb() }
-Uninstaller.prototype.runPostinstallTopLevelLifecycles = function (cb) { cb() }
+module.exports.Uninstaller = Uninstaller
diff --git a/deps/npm/lib/utils/error-handler.js b/deps/npm/lib/utils/error-handler.js
index 8365f39d9d3050..5374d1feeca078 100644
--- a/deps/npm/lib/utils/error-handler.js
+++ b/deps/npm/lib/utils/error-handler.js
@@ -130,10 +130,12 @@ function exit (code, noLog) {
 
     itWorked = !code
 
-    // just emit a fake exit event.
-    // if we're really exiting, then let it exit on its own, so that
-    // in-process stuff can finish or clean up first.
-    if (!doExit) process.emit('exit', code)
+    // Exit directly -- nothing in the CLI should still be running in the
+    // background at this point, and this makes sure anything left dangling
+    // for whatever reason gets thrown away, instead of leaving the CLI open
+    //
+    // Commands that expect long-running actions should just delay `cb()`
+    process.exit(code)
   }
 }
 
diff --git a/deps/npm/lib/utils/link.js b/deps/npm/lib/utils/link.js
index 605b77402cfe6a..15331740a450ec 100644
--- a/deps/npm/lib/utils/link.js
+++ b/deps/npm/lib/utils/link.js
@@ -64,7 +64,7 @@ function link (from, to, gently, abs, cb) {
     [
       [ensureFromIsNotSource, absTarget, to],
       [fs, 'stat', absTarget],
-      [rm, to, gently],
+      [rm, to, gently, path.dirname(to)],
       [mkdir, path.dirname(to)],
       [fs, 'symlink', target, to, 'junction']
     ],
diff --git a/deps/npm/lib/utils/package-integrity.js b/deps/npm/lib/utils/package-integrity.js
deleted file mode 100644
index f9560d660e8bdd..00000000000000
--- a/deps/npm/lib/utils/package-integrity.js
+++ /dev/null
@@ -1,21 +0,0 @@
-'use strict'
-
-// Utilities for generating and verifying the packageIntegrity field for
-// package-lock
-//
-// Spec: https://github.com/npm/npm/pull/16441
-
-const ssri = require('ssri')
-const SSRI_OPTS = {
-  algorithms: ['sha512']
-}
-
-module.exports.check = check
-function check (pkg, integrity) {
-  return ssri.checkData(JSON.stringify(pkg), integrity, SSRI_OPTS)
-}
-
-module.exports.hash = hash
-function hash (pkg) {
-  return ssri.fromData(JSON.stringify(pkg), SSRI_OPTS).toString()
-}
diff --git a/deps/npm/lib/utils/tar.js b/deps/npm/lib/utils/tar.js
index 7ebc9d6875cdfe..ebbee025a27540 100644
--- a/deps/npm/lib/utils/tar.js
+++ b/deps/npm/lib/utils/tar.js
@@ -3,8 +3,6 @@
 // commands for packing and unpacking tarballs
 // this file is used by lib/cache.js
 
-const BB = require('bluebird')
-
 var fs = require('graceful-fs')
 var path = require('path')
 var writeFileAtomic = require('write-file-atomic')
@@ -28,11 +26,6 @@ var moduleName = require('./module-name.js')
 var packageId = require('./package-id.js')
 var pulseTillDone = require('../utils/pulse-till-done.js')
 
-const cacache = require('cacache')
-const packAsync = BB.promisify(pack)
-const PassThrough = require('stream').PassThrough
-const pipe = BB.promisify(require('mississippi').pipe)
-
 if (process.env.SUDO_UID && myUid === 0) {
   if (!isNaN(process.env.SUDO_UID)) myUid = +process.env.SUDO_UID
   if (!isNaN(process.env.SUDO_GID)) myGid = +process.env.SUDO_GID
@@ -41,18 +34,6 @@ if (process.env.SUDO_UID && myUid === 0) {
 exports.pack = pack
 exports.unpack = unpack
 
-module.exports.packToStream = packToStream
-function packToStream (mani, dir) {
-  const stream = new PassThrough()
-  cacache.tmp.withTmp(npm.tmp, (tmp) => {
-    const tmpTarget = path.join(tmp, 'package.tgz')
-    return packAsync(tmpTarget, dir, mani).then(() => {
-      return pipe(fs.createReadStream(tmpTarget), stream)
-    })
-  }).catch((err) => stream.emit('error', err))
-  return stream
-}
-
 function pack (tarball, folder, pkg, cb) {
   log.verbose('tar pack', [tarball, folder])
 
diff --git a/deps/npm/man/man1/npm-cache.1 b/deps/npm/man/man1/npm-cache.1
index 2da42829503b7c..cc8b1e2fae490a 100644
--- a/deps/npm/man/man1/npm-cache.1
+++ b/deps/npm/man/man1/npm-cache.1
@@ -10,10 +10,10 @@ npm cache add 
 npm cache add 
 npm cache add @
 
-npm cache ls []
-
 npm cache clean []
 aliases: npm cache clear, npm cache rm
+
+npm cache verify
 .fi
 .RE
 .SH DESCRIPTION
@@ -26,40 +26,45 @@ Add the specified package to the local cache\.  This command is primarily
 intended to be used internally by npm, but it can provide a way to
 add data to the local installation cache explicitly\.
 .IP \(bu 2
-ls:
-Show the data in the cache\.  Argument is a path to show in the cache
-folder\.  Works a bit like the \fBfind\fP program, but limited by the
-\fBdepth\fP config\.
-.IP \(bu 2
 clean:
-Delete data out of the cache folder\.  If an argument is provided, then
-it specifies a subpath to delete\.  If no argument is provided, then
-the entire cache is deleted\.
+Delete all data out of the cache folder\.
+.IP \(bu 2
+verify:
+Verify the contents of the cache folder, garbage collecting any unneeded data,
+and verifying the integrity of the cache index and all cached data\.
 
 .RE
 .SH DETAILS
 .P
-npm stores cache data in the directory specified in \fBnpm config get cache\fP\|\.
-For each package that is added to the cache, three pieces of information are
-stored in \fB{cache}/{name}/{version}\fP:
-.RS 0
-.IP \(bu 2
-\|\.\.\./package/package\.json:
-The package\.json file, as npm sees it\.
-.IP \(bu 2
-\|\.\.\./package\.tgz:
-The tarball for that version\.
-
-.RE
+npm stores cache data in an opaque directory within the configured \fBcache\fP,
+named \fB_cacache\fP\|\. This directory is a \fBcacache\fP\-based content\-addressable cache
+that stores all http request data as well as other package\-related data\. This
+directory is primarily accessed through \fBpacote\fP, the library responsible for
+all package fetching as of npm@5\.
+.P
+All data that passes through the cache is fully verified for integrity on both
+insertion and extraction\. Cache corruption will either trigger an error, or
+signal to \fBpacote\fP that the data must be refetched, which it will do
+automatically\. For this reason, it should never be necessary to clear the cache
+for any reason other than reclaiming disk space, thus why \fBclean\fP now requires
+\fB\-\-force\fP to run\.
+.P
+There is currently no method exposed through npm to inspect or directly manage
+the contents of this cache\. In order to access it, \fBcacache\fP must be used
+directly\.
 .P
-Additionally, whenever a registry request is made, a \fB\|\.cache\.json\fP file
-is placed at the corresponding URI, to store the ETag and the requested
-data\.  This is stored in \fB{cache}/{hostname}/{path}/\.cache\.json\fP\|\.
+npm will not remove data by itself: the cache will grow as new packages are
+installed\.
+.SH A NOTE ABOUT THE CACHE'S DESIGN
 .P
-Commands that make non\-essential registry requests (such as \fBsearch\fP and
-\fBview\fP, or the completion scripts) generally specify a minimum timeout\.
-If the \fB\|\.cache\.json\fP file is younger than the specified timeout, then
-they do not make an HTTP request to the registry\.
+The npm cache is strictly a cache: it should not be relied upon as a persistent
+and reliable data store for package data\. npm makes no guarantee that a
+previously\-cached piece of data will be available later, and will automatically
+delete corrupted contents\. The primary guarantee that the cache makes is that,
+if it does return data, that data will be exactly the data that was inserted\.
+.P
+To run an offline verification of existing cache contents, use \fBnpm cache
+verify\fP\|\.
 .SH CONFIGURATION
 .SS cache
 .P
@@ -82,6 +87,10 @@ npm help install
 npm help publish
 .IP \(bu 2
 npm help pack
+.IP \(bu 2
+https://npm\.im/cacache
+.IP \(bu 2
+https://npm\.im/pacote
 
 .RE
 
diff --git a/deps/npm/man/man1/npm-install.1 b/deps/npm/man/man1/npm-install.1
index 2bacec40554cdb..2dca6a4b8fe56a 100644
--- a/deps/npm/man/man1/npm-install.1
+++ b/deps/npm/man/man1/npm-install.1
@@ -10,19 +10,22 @@ npm install [<@scope>/]
 npm install [<@scope>/]@
 npm install [<@scope>/]@
 npm install [<@scope>/]@
+npm install :/
+npm install 
 npm install 
 npm install 
 npm install 
 
 alias: npm i
-common options: [\-S|\-\-save|\-D|\-\-save\-dev|\-O|\-\-save\-optional] [\-E|\-\-save\-exact] [\-B|\-\-save\-bundle] [\-\-dry\-run]
+common options: [\-P|\-\-save\-prod|\-D|\-\-save\-dev|\-O|\-\-save\-optional] [\-E|\-\-save\-exact] [\-B|\-\-save\-bundle] [\-\-no\-save] [\-\-dry\-run]
 .fi
 .RE
 .SH DESCRIPTION
 .P
 This command installs a package, and any packages that it depends on\. If the
-package has a shrinkwrap file, the installation of dependencies will be driven
-by that\. See npm help shrinkwrap\.
+package has a package\-lock or shrinkwrap file, the installation of dependencies
+will be driven by that, with an \fBnpm\-shrinkwrap\.json\fP taking precedence if both
+files exist\. See npm help 5 package\-lock\.json and npm help shrinkwrap\.
 .P
 A \fBpackage\fP is:
 .RS 0
@@ -61,12 +64,16 @@ after packing it up into a tarball (b)\.
   \fBdevDependencies\fP\|\.
 .IP \(bu 2
 \fBnpm install \fP:
-  Install a package that is sitting in a folder on the filesystem\.
+  Install the package in the directory as a symlink in the current project\.
+  Its dependencies will be installed before it's linked\. If \fB\fP sits
+  inside the root of your project, its dependencies may be hoisted to the
+  toplevel \fBnode_modules\fP as they would for other types of dependencies\.
 .IP \(bu 2
 \fBnpm install \fP:
   Install a package that is sitting on the filesystem\.  Note: if you just want
   to link a dev directory into your npm root, you can do this more easily by
-  using \fBnpm link\fP\|\.
+  using \fBnpm link\fP\|\. The filename \fImust\fR use \fB\|\.tar\fP, \fB\|\.tar\.gz\fP, or \fB\|\.tgz\fP as
+  the extension\.
   Example:
 .P
 .RS 2
@@ -86,11 +93,11 @@ after packing it up into a tarball (b)\.
 .fi
 .RE
 .IP \(bu 2
-\fBnpm install [<@scope>/] [\-S|\-\-save|\-D|\-\-save\-dev|\-O|\-\-save\-optional]\fP:
+\fBnpm install [<@scope>/]\fP:
   Do a \fB@\fP install, where \fB\fP is the "tag" config\. (See
   npm help 7 \fBnpm\-config\fP\|\. The config's default value is \fBlatest\fP\|\.)
-  In most cases, this will install the latest version
-  of the module published on npm\.
+  In most cases, this will install the version of the modules tagged as
+  \fBlatest\fP on the npm registry\.
   Example:
 .P
 .RS 2
@@ -98,15 +105,24 @@ after packing it up into a tarball (b)\.
     npm install sax
 .fi
 .RE
-  \fBnpm install\fP takes 3 exclusive, optional flags which save or update
-  the package version in your main package\.json:
+  \fBnpm install\fP saves any specified packages into \fBdependencies\fP by default\.
+  Additionally, you can control where and how they get saved with some
+  additional flags:
 .RS 0
 .IP \(bu 2
-\fB\-S, \-\-save\fP: Package will appear in your \fBdependencies\fP\|\.
+\fB\-P, \-\-save\-prod\fP: Package will appear in your \fBdependencies\fP\|\. This is the
+.P
+.RS 2
+.nf
+               default unless `\-D` or `\-O` are present\.
+.fi
+.RE
 .IP \(bu 2
 \fB\-D, \-\-save\-dev\fP: Package will appear in your \fBdevDependencies\fP\|\.
 .IP \(bu 2
 \fB\-O, \-\-save\-optional\fP: Package will appear in your \fBoptionalDependencies\fP\|\.
+.IP \(bu 2
+\fB\-\-no\-save\fP: Prevents saving to \fBdependencies\fP\|\.
 When using any of the above options to save dependencies to your
 package\.json, there are two additional, optional flags:
 .IP \(bu 2
@@ -115,8 +131,8 @@ exact version rather than using npm's default semver range
 operator\.
 .IP \(bu 2
 \fB\-B, \-\-save\-bundle\fP: Saved dependencies will also be added to your \fBbundleDependencies\fP list\.
-Further, if you have an \fBnpm\-shrinkwrap\.json\fP then it will be updated as
-well\.
+Further, if you have an \fBnpm\-shrinkwrap\.json\fP or \fBpackage\-lock\.json\fP then it
+will be updated as well\.
 \fB\fP is optional\. The package will be downloaded from the registry
 associated with the specified scope\. If no registry is associated with
 the given scope the default registry is assumed\. See npm help 7 \fBnpm\-scope\fP\|\.
@@ -127,13 +143,13 @@ Examples:
 .P
 .RS 2
 .nf
-npm install sax \-\-save
+npm install sax
 npm install githubname/reponame
 npm install @myorg/privatepackage
 npm install node\-tap \-\-save\-dev
 npm install dtrace\-provider \-\-save\-optional
-npm install readable\-stream \-\-save \-\-save\-exact
-npm install ansi\-regex \-\-save \-\-save\-bundle
+npm install readable\-stream \-\-save\-exact
+npm install ansi\-regex \-\-save\-bundle
 .fi
 .RE
 
@@ -190,21 +206,29 @@ fetch the package by name if it is not valid\.
 .RE
 .IP \(bu 2
 \fBnpm install \fP:
-  Installs the package from the hosted git provider, cloning it with
-  \fBgit\fP\|\. First it tries via the https (git with github) and if that fails, via ssh\.
+  Installs the package from the hosted git provider, cloning it with \fBgit\fP\|\.
+  For a full git remote url, only that URL will be attempted\.
 .P
 .RS 2
 .nf
-    ://[[:]@][:][:][/][#]
+    ://[[:]@][:][:][/][# | #semver:]
 .fi
 .RE
-  \fB\fP is one of \fBgit\fP, \fBgit+ssh\fP, \fBgit+http\fP, \fBgit+https\fP,
-  or \fBgit+file\fP\|\.
-  If no \fB\fP is specified, then \fBmaster\fP is used\.
-  If the repository makes use of submodules, those submodules will
-  be cloned as well\.
-  The following git environment variables are recognized by npm and will be added
-  to the environment when running git:
+  \fB\fP is one of \fBgit\fP, \fBgit+ssh\fP, \fBgit+http\fP, \fBgit+https\fP, or
+  \fBgit+file\fP\|\.
+  If \fB#\fP is provided, it will be used to clone exactly that
+  commit\. If the commit\-ish has the format \fB#semver:\fP, \fB\fP can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency\. If neither \fB#\fP or \fB#semver:\fP is
+  specified, then \fBmaster\fP is used\.
+  If the repository makes use of submodules, those submodules will be cloned
+  as well\.
+  If the package being installed contains a \fBprepare\fP script, its
+  \fBdependencies\fP and \fBdevDependencies\fP will be installed, and the prepare
+  script will be run, before the package is packaged and installed\.
+  The following git environment variables are recognized by npm and will be
+  added to the environment when running git:
 .RS 0
 .IP \(bu 2
 \fBGIT_ASKPASS\fP
@@ -226,6 +250,7 @@ Examples:
 .RS 2
 .nf
 npm install git+ssh://git@github\.com:npm/npm\.git#v1\.0\.27
+npm install git+ssh://git@github\.com:npm/npm#semver:^5\.0
 npm install git+https://isaacs@github\.com/npm/npm\.git
 npm install git://github\.com/npm/npm\.git#v1\.0\.27
 GIT_SSH_COMMAND='ssh \-i ~/\.ssh/custom_ident' npm install git+ssh://git@github\.com:npm/npm\.git
@@ -239,7 +264,15 @@ GIT_SSH_COMMAND='ssh \-i ~/\.ssh/custom_ident' npm install git+ssh://git@github\
 \fBnpm install github:/[#]\fP:
   Install the package at \fBhttps://github\.com/githubname/githubrepo\fP by
   attempting to clone it using \fBgit\fP\|\.
-  If you don't specify a \fIcommit\-ish\fR then \fBmaster\fP will be used\.
+  If \fB#\fP is provided, it will be used to clone exactly that
+  commit\. If the commit\-ish has the format \fB#semver:\fP, \fB\fP can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency\. If neither \fB#\fP or \fB#semver:\fP is
+  specified, then \fBmaster\fP is used\.
+  As with regular git dependencies, \fBdependencies\fP and \fBdevDependencies\fP will
+  be installed if the package has a \fBprepare\fP script, before the package is
+  done installing\.
   Examples:
 .P
 .RS 2
@@ -249,11 +282,13 @@ GIT_SSH_COMMAND='ssh \-i ~/\.ssh/custom_ident' npm install git+ssh://git@github\
 .fi
 .RE
 .IP \(bu 2
-\fBnpm install gist:[/][#]\fP:
+\fBnpm install gist:[/][#|#semver:]\fP:
   Install the package at \fBhttps://gist\.github\.com/gistID\fP by attempting to
   clone it using \fBgit\fP\|\. The GitHub username associated with the gist is
-  optional and will not be saved in \fBpackage\.json\fP if \fB\-S\fP or \fB\-\-save\fP is used\.
-  If you don't specify a \fIcommit\-ish\fR then \fBmaster\fP will be used\.
+  optional and will not be saved in \fBpackage\.json\fP\|\.
+  As with regular git dependencies, \fBdependencies\fP and \fBdevDependencies\fP will
+  be installed if the package has a \fBprepare\fP script, before the package is
+  done installing\.
   Example:
 .P
 .RS 2
@@ -265,7 +300,15 @@ GIT_SSH_COMMAND='ssh \-i ~/\.ssh/custom_ident' npm install git+ssh://git@github\
 \fBnpm install bitbucket:/[#]\fP:
   Install the package at \fBhttps://bitbucket\.org/bitbucketname/bitbucketrepo\fP
   by attempting to clone it using \fBgit\fP\|\.
-  If you don't specify a \fIcommit\-ish\fR then \fBmaster\fP will be used\.
+  If \fB#\fP is provided, it will be used to clone exactly that
+  commit\. If the commit\-ish has the format \fB#semver:\fP, \fB\fP can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency\. If neither \fB#\fP or \fB#semver:\fP is
+  specified, then \fBmaster\fP is used\.
+  As with regular git dependencies, \fBdependencies\fP and \fBdevDependencies\fP will
+  be installed if the package has a \fBprepare\fP script, before the package is
+  done installing\.
   Example:
 .P
 .RS 2
@@ -277,12 +320,21 @@ GIT_SSH_COMMAND='ssh \-i ~/\.ssh/custom_ident' npm install git+ssh://git@github\
 \fBnpm install gitlab:/[#]\fP:
   Install the package at \fBhttps://gitlab\.com/gitlabname/gitlabrepo\fP
   by attempting to clone it using \fBgit\fP\|\.
-  If you don't specify a \fIcommit\-ish\fR then \fBmaster\fP will be used\.
+  If \fB#\fP is provided, it will be used to clone exactly that
+  commit\. If the commit\-ish has the format \fB#semver:\fP, \fB\fP can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency\. If neither \fB#\fP or \fB#semver:\fP is
+  specified, then \fBmaster\fP is used\.
+  As with regular git dependencies, \fBdependencies\fP and \fBdevDependencies\fP will
+  be installed if the package has a \fBprepare\fP script, before the package is
+  done installing\.
   Example:
 .P
 .RS 2
 .nf
     npm install gitlab:mygitlabuser/myproject
+    npm install gitlab:myusr/myproj#semver:^5\.0
 .fi
 .RE
 
@@ -322,7 +374,7 @@ global \fBnode_modules\fP folder\. Only your direct dependencies will show in
 \fBnode_modules\fP and everything they depend on will be flattened in their
 \fBnode_modules\fP folders\. This obviously will eliminate some deduping\.
 .P
-The \fB\-\-ignore\-scripts\fP argument will cause npm to not execute any 
+The \fB\-\-ignore\-scripts\fP argument will cause npm to not execute any
 scripts defined in the package\.json\. See npm help 7 \fBnpm\-scripts\fP\|\.
 .P
 The \fB\-\-legacy\-bundling\fP argument will cause npm to install the package such
@@ -339,7 +391,7 @@ The \fB\-\-no\-optional\fP argument will prevent optional dependencies from
 being installed\.
 .P
 The \fB\-\-no\-shrinkwrap\fP argument, which will ignore an available
-shrinkwrap file and use the package\.json instead\.
+package lock or shrinkwrap file and use the package\.json instead\.
 .P
 The \fB\-\-nodedir=/path/to/node/source\fP argument will allow npm to find the
 node source code so that npm can compile native modules\.
@@ -397,7 +449,9 @@ A
 .RE
 .P
 Because B's D@1 will be installed in the top level, C now has to install D@2
-privately for itself\.
+privately for itself\. This algorithm is deterministic, but different trees may
+be produced if two dependencies are requested for installation in a different
+order\.
 .P
 See npm help 5 folders for a more detailed description of the specific
 folder structures that npm creates\.
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index c886db5dc4d538..31cbd387aa695f 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -22,7 +22,7 @@ For example, running \fBnpm ls promzard\fP in npm's source tree will show:
 .P
 .RS 2
 .nf
-npm@5.0.0-beta.56 /path/to/npm
+npm@5.0.0 /path/to/npm
 └─┬ init\-package\-json@0\.0\.4
   └── promzard@0\.1\.5
 .fi
diff --git a/deps/npm/man/man1/npm-publish.1 b/deps/npm/man/man1/npm-publish.1
index 603031a4e6fe2b..603c79da7f499f 100644
--- a/deps/npm/man/man1/npm-publish.1
+++ b/deps/npm/man/man1/npm-publish.1
@@ -53,6 +53,10 @@ Once a package is published with a given name and version, that
 specific name and version combination can never be used again, even if
 it is removed with npm help unpublish\.
 .P
+As of \fBnpm@5\fP, both a sha1sum and an integrity field with a sha512sum of the
+tarball will be submitted to the registry during publication\. Subsequent
+installs will use the strongest supported algorithm to verify downloads\.
+.P
 For a "dry run" that does everything except actually publishing to the
 registry, see npm help \fBnpm\-pack\fP, which figures out the files to be included and
 packs them into a tarball to be uploaded to the registry\.
diff --git a/deps/npm/man/man1/npm-shrinkwrap.1 b/deps/npm/man/man1/npm-shrinkwrap.1
index e36981c4216797..08ce497d2066d5 100644
--- a/deps/npm/man/man1/npm-shrinkwrap.1
+++ b/deps/npm/man/man1/npm-shrinkwrap.1
@@ -1,6 +1,6 @@
 .TH "NPM\-SHRINKWRAP" "1" "May 2017" "" ""
 .SH "NAME"
-\fBnpm-shrinkwrap\fR \- Lock down dependency versions
+\fBnpm-shrinkwrap\fR \- Lock down dependency versions for publication
 .SH SYNOPSIS
 .P
 .RS 2
@@ -10,222 +10,11 @@ npm shrinkwrap
 .RE
 .SH DESCRIPTION
 .P
-This command locks down the versions of a package's dependencies so
-that you can control exactly which versions of each dependency will be
-used when your package is installed\. The \fBpackage\.json\fP file is still
-required if you want to use \fBnpm install\fP\|\.
-.P
-By default, \fBnpm install\fP recursively installs the target's
-dependencies (as specified in \fBpackage\.json\fP), choosing the latest
-available version that satisfies the dependency's semver pattern\. In
-some situations, particularly when shipping software where each change
-is tightly managed, it's desirable to fully specify each version of
-each dependency recursively so that subsequent builds and deploys do
-not inadvertently pick up newer versions of a dependency that satisfy
-the semver pattern\. Specifying specific semver patterns in each
-dependency's \fBpackage\.json\fP would facilitate this, but that's not always
-possible or desirable, as when another author owns the npm package\.
-It's also possible to check dependencies directly into source control,
-but that may be undesirable for other reasons\.
-.P
-As an example, consider package A:
-.P
-.RS 2
-.nf
-{
-  "name": "A",
-  "version": "0\.1\.0",
-  "dependencies": {
-    "B": "<0\.1\.0"
-  }
-}
-.fi
-.RE
-.P
-package B:
-.P
-.RS 2
-.nf
-{
-  "name": "B",
-  "version": "0\.0\.1",
-  "dependencies": {
-    "C": "<0\.1\.0"
-  }
-}
-.fi
-.RE
-.P
-and package C:
-.P
-.RS 2
-.nf
-{
-  "name": "C",
-  "version": "0\.0\.1"
-}
-.fi
-.RE
-.P
-If these are the only versions of A, B, and C available in the
-registry, then a normal \fBnpm install A\fP will install:
-.P
-.RS 2
-.nf
-A@0\.1\.0
-`\-\- B@0\.0\.1
-    `\-\- C@0\.0\.1
-.fi
-.RE
-.P
-However, if B@0\.0\.2 is published, then a fresh \fBnpm install A\fP will
-install:
-.P
-.RS 2
-.nf
-A@0\.1\.0
-`\-\- B@0\.0\.2
-    `\-\- C@0\.0\.1
-.fi
-.RE
-.P
-assuming the new version did not modify B's dependencies\. Of course,
-the new version of B could include a new version of C and any number
-of new dependencies\. If such changes are undesirable, the author of A
-could specify a dependency on B@0\.0\.1\. However, if A's author and B's
-author are not the same person, there's no way for A's author to say
-that he or she does not want to pull in newly published versions of C
-when B hasn't changed at all\.
-.P
-In this case, A's author can run
-.P
-.RS 2
-.nf
-npm shrinkwrap
-.fi
-.RE
-.P
-This generates \fBnpm\-shrinkwrap\.json\fP, which will look something like this:
-.P
-.RS 2
-.nf
-{
-  "name": "A",
-  "version": "0\.1\.0",
-  "dependencies": {
-    "B": {
-      "version": "0\.0\.1",
-      "from": "B@^0\.0\.1",
-      "resolved": "https://registry\.npmjs\.org/B/\-/B\-0\.0\.1\.tgz",
-      "dependencies": {
-        "C": {
-          "version": "0\.0\.1",
-          "from": "org/C#v0\.0\.1",
-          "resolved": "git://github\.com/org/C\.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
-        }
-      }
-    }
-  }
-}
-.fi
-.RE
-.P
-The shrinkwrap command has locked down the dependencies based on what's
-currently installed in \fBnode_modules\fP\|\.  The installation behavior is changed to:
-.RS 0
-.IP 1. 3
-The module tree described by the shrinkwrap is reproduced\. This means
-reproducing the structure described in the file, using the specific files
-referenced in "resolved" if available, falling back to normal package
-resolution using "version" if one isn't\.
-.IP 2. 3
-The tree is walked and any missing dependencies are installed in the usual fashion\.
-
-.RE
-.P
-If \fBpreshrinkwrap\fP, \fBshrinkwrap\fP or \fBpostshrinkwrap\fP are in the \fBscripts\fP property of the
-\fBpackage\.json\fP, they will be executed by running \fBnpm shrinkwrap\fP\|\.
-\fBpreshrinkwrap\fP and \fBshrinkwrap\fP are executed before the shrinkwrap, \fBpostshrinkwrap\fP is
-executed afterwards\. For example to run some postprocessing on the generated file:
-.P
-.RS 2
-.nf
-"scripts": { "postshrinkwrap": "node fix\-shrinkwrap\.js" }
-.fi
-.RE
-.SS Using shrinkwrapped packages
-.P
-Using a shrinkwrapped package is no different than using any other
-package: you can \fBnpm install\fP it by hand, or add a dependency to your
-\fBpackage\.json\fP file and \fBnpm install\fP it\.
-.SS Building shrinkwrapped packages
-.P
-To shrinkwrap an existing package:
-.RS 0
-.IP 1. 3
-Run \fBnpm install\fP in the package root to install the current
-versions of all dependencies\.
-.IP 2. 3
-Validate that the package works as expected with these versions\.
-.IP 3. 3
-Run \fBnpm shrinkwrap\fP, add \fBnpm\-shrinkwrap\.json\fP to git, and publish
-your package\.
-
-.RE
-.P
-To add or update a dependency in a shrinkwrapped package:
-.RS 0
-.IP 1. 3
-Run \fBnpm install\fP in the package root to install the current
-versions of all dependencies\.
-.IP 2. 3
-Add or update dependencies\. \fBnpm install \-\-save\fP or \fBnpm install \-\-save\-dev\fP
-each new or updated package individually to update the \fBpackage\.json\fP and
-the shrinkwrap\. Note that they must be explicitly named in order to be
-installed: running \fBnpm install\fP with no arguments will merely reproduce
-the existing shrinkwrap\.
-.IP 3. 3
-Validate that the package works as expected with the new
-dependencies\.
-.IP 4. 3
-Commit the new \fBnpm\-shrinkwrap\.json\fP, and publish your package\.
-
-.RE
-.P
-You can use npm help outdated to view dependencies with newer versions
-available\.
-.SS Other Notes
-.P
-A shrinkwrap file must be consistent with the package's \fBpackage\.json\fP
-file\. \fBnpm shrinkwrap\fP will fail if required dependencies are not
-already installed, since that would result in a shrinkwrap that
-wouldn't actually work\. Similarly, the command will fail if there are
-extraneous packages (not referenced by \fBpackage\.json\fP), since that would
-indicate that \fBpackage\.json\fP is not correct\.
-.P
-Starting with npm v4\.0\.1, \fBdevDependencies\fP are included when you run
-\fBnpm shrinkwrap\fP and follow the usual rules as to when they're installed\.
-As of npm v3\.10\.8, if you run \fBnpm install \-\-only=production\fP or
-\fBnpm install \-\-production\fP with a shrinkwrap including your development
-dependencies they won't be installed\. Similarly, if the environment
-variable \fBNODE_ENV\fP is \fBproduction\fP then they won't be installed\. If you
-need compatibility with versions of npm prior to v3\.10\.8 or otherwise
-don't want them in your shrinkwrap you can exclude development
-dependencies with:
-\fBnpm shrinkwrap \-\-only=prod\fP or \fBnpm shrinkwrap \-\-production\fP\|\.
-.P
-If shrinkwrapped package A depends on shrinkwrapped package B, B's
-shrinkwrap will not be used as part of the installation of A\. However,
-because A's shrinkwrap is constructed from a valid installation of B
-and recursively specifies all dependencies, the contents of B's
-shrinkwrap will implicitly be included in A's shrinkwrap\.
-.SS Caveats
-.P
-If you wish to lock down the specific bytes included in a package, for
-example to have 100% confidence in being able to reproduce a
-deployment or build, then you ought to check your dependencies into
-source control, or pursue some other mechanism that can verify
-contents rather than versions\.
+This command repurposes \fBpackage\-lock\.json\fP into a publishable
+\fBnpm\-shrinkwrap\.json\fP or simply creates a new one\. The file created and updated
+by this command will then take precedence over any other existing or future
+\fBpackage\-lock\.json\fP files\. For a detailed explanation of the design and purpose
+of package locks in npm, see npm help 5 package\-locks\.
 .SH SEE ALSO
 .RS 0
 .IP \(bu 2
@@ -237,6 +26,12 @@ npm help 7 scripts
 .IP \(bu 2
 npm help 5 package\.json
 .IP \(bu 2
+npm help 5 package\-locks
+.IP \(bu 2
+npm help 5 package\-lock\.json
+.IP \(bu 2
+npm help 5 shrinkwrap\.json
+.IP \(bu 2
 npm help ls
 
 .RE
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index f2d5d75d66bdee..8ce03075f12ace 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -10,7 +10,7 @@ npm  [args]
 .RE
 .SH VERSION
 .P
-5.0.0-beta.56
+5.0.0
 .SH DESCRIPTION
 .P
 npm is the package manager for the Node JavaScript platform\.  It puts
diff --git a/deps/npm/man/man5/npm-package-locks.5 b/deps/npm/man/man5/npm-package-locks.5
new file mode 100644
index 00000000000000..d751dc55661570
--- /dev/null
+++ b/deps/npm/man/man5/npm-package-locks.5
@@ -0,0 +1,183 @@
+.TH "NPM\-PACKAGE\-LOCKS" "5" "May 2017" "" ""
+.SH "NAME"
+\fBnpm-package-locks\fR \- An explanation of npm lockfiles
+.SH DESCRIPTION
+.P
+Conceptually, the "input" to npm help install is a npm help 5 package\.json, while its
+"output" is a fully\-formed \fBnode_modules\fP tree: a representation of the
+dependencies you declared\. In an ideal world, npm would work like a pure
+function: the same \fBpackage\.json\fP should produce the exact same \fBnode_modules\fP
+tree, any time\. In some cases, this is indeed true\. But in many others, npm is
+unable to do this\. There are multiple reasons for this:
+.RS 0
+.IP \(bu 2
+different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms\.
+.IP \(bu 2
+a new version of a direct semver\-range package may have been published since the last time your packages were installed, and thus a newer version will be used\.
+.IP \(bu 2
+A dependency of one of your dependencies may have published a new version, which will update even if you used pinned dependency specifiers (\fB1\.2\.3\fP instead of \fB^1\.2\.3\fP)
+.IP \(bu 2
+The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different version of a package exists under the same version number now\.
+
+.RE
+.P
+As an example, consider package A:
+.P
+.RS 2
+.nf
+{
+  "name": "A",
+  "version": "0\.1\.0",
+  "dependencies": {
+    "B": "<0\.1\.0"
+  }
+}
+.fi
+.RE
+.P
+package B:
+.P
+.RS 2
+.nf
+{
+  "name": "B",
+  "version": "0\.0\.1",
+  "dependencies": {
+    "C": "<0\.1\.0"
+  }
+}
+.fi
+.RE
+.P
+and package C:
+.P
+.RS 2
+.nf
+{
+  "name": "C",
+  "version": "0\.0\.1"
+}
+.fi
+.RE
+.P
+If these are the only versions of A, B, and C available in the
+registry, then a normal \fBnpm install A\fP will install:
+.P
+.RS 2
+.nf
+A@0\.1\.0
+`\-\- B@0\.0\.1
+    `\-\- C@0\.0\.1
+.fi
+.RE
+.P
+However, if B@0\.0\.2 is published, then a fresh \fBnpm install A\fP will
+install:
+.P
+.RS 2
+.nf
+A@0\.1\.0
+`\-\- B@0\.0\.2
+    `\-\- C@0\.0\.1
+.fi
+.RE
+.P
+assuming the new version did not modify B's dependencies\. Of course,
+the new version of B could include a new version of C and any number
+of new dependencies\. If such changes are undesirable, the author of A
+could specify a dependency on B@0\.0\.1\. However, if A's author and B's
+author are not the same person, there's no way for A's author to say
+that he or she does not want to pull in newly published versions of C
+when B hasn't changed at all\.
+.P
+To prevent this potential issue, npm uses npm help 5 package\-lock\.json or, if present,
+npm help 5 shrinkwrap\.json\. These files are called package locks, or lockfiles\.
+.P
+Whenever you run \fBnpm install\fP, npm generates or updates your package lock,
+which will look something like this:
+.P
+.RS 2
+.nf
+{
+  "name": "A",
+  "version": "0\.1\.0",
+  \.\.\.metadata fields\.\.\.
+  "dependencies": {
+    "B": {
+      "version": "0\.0\.1",
+      "resolved": "https://registry\.npmjs\.org/B/\-/B\-0\.0\.1\.tgz",
+      "integrity": "sha512\-DeAdb33F+"
+      "dependencies": {
+        "C": {
+          "version": "git://github\.com/org/C\.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
+        }
+      }
+    }
+  }
+}
+.fi
+.RE
+.P
+This file describes an \fIexact\fR, and more importantly \fIreproducible\fR
+\fBnode_modules\fP tree\. Once it's present, and future installation will base its
+work off this file, instead of recalculating dependency versions off
+npm help 5 package\.json\.
+.P
+The presence of a package lock changes the installation behavior such that:
+.RS 0
+.IP 1. 3
+The module tree described by the package lock is reproduced\. This means
+reproducing the structure described in the file, using the specific files
+referenced in "resolved" if available, falling back to normal package resolution
+using "version" if one isn't\.
+.IP 2. 3
+The tree is walked and any missing dependencies are installed in the usual
+fashion\.
+
+.RE
+.P
+If \fBpreshrinkwrap\fP, \fBshrinkwrap\fP or \fBpostshrinkwrap\fP are in the \fBscripts\fP
+property of the \fBpackage\.json\fP, they will be executed in order\. \fBpreshrinkwrap\fP
+and \fBshrinkwrap\fP are executed before the shrinkwrap, \fBpostshrinkwrap\fP is
+executed afterwards\. These scripts run for both \fBpackage\-lock\.json\fP and
+\fBnpm\-shrinkwrap\.json\fP\|\. For example to run some postprocessing on the generated
+file:
+.P
+.RS 2
+.nf
+"scripts": {
+  "postshrinkwrap": "json \-I \-e \\"this\.myMetadata = $MY_APP_METADATA\\""
+}
+.fi
+.RE
+.SS Using locked packages
+.P
+Using a locked package is no different than using any package without a package
+lock: any commands that update \fBnode_modules\fP and/or \fBpackage\.json\fP\|'s
+dependencies will automatically sync the existing lockfile\. This includes \fBnpm
+install\fP, \fBnpm rm\fP, \fBnpm update\fP, etc\. To prevent this update from happening,
+you can use the \fB\-\-no\-save\fP option to prevent saving altogether, or
+\fB\-\-no\-shrinkwrap\fP to allow \fBpackage\.json\fP to be updated while leaving
+\fBpackage\-lock\.json\fP or \fBnpm\-shrinkwrap\.json\fP intact\.
+.P
+It is highly recommended you commit the generated package lock to source
+control: this will allow anyone else on your team, your deployments, your
+CI/continuous integration, and anyone else who runs \fBnpm install\fP in your
+package source to get the exact same dependency tree that you were developing
+on\. Additionally, the diffs from these changes are human\-readable and will
+inform you of any changes npm has made to your \fBnode_modules\fP, so you can notice
+if any transitive dependencies were updated, hoisted, etc\.
+.SH SEE ALSO
+.RS 0
+.IP \(bu 2
+https://medium\.com/@sdboyer/so\-you\-want\-to\-write\-a\-package\-manager\-4ae9c17d9527
+.IP \(bu 2
+npm help 5 package\.json
+.IP \(bu 2
+npm help 5 package\-lock\.json
+.IP \(bu 2
+npm help 5 shrinkwrap\.json
+.IP \(bu 2
+npm help shrinkwrap
+
+.RE
diff --git a/deps/npm/man/man5/npm-shrinkwrap.json.5 b/deps/npm/man/man5/npm-shrinkwrap.json.5
new file mode 100644
index 00000000000000..deb06a7244cd31
--- /dev/null
+++ b/deps/npm/man/man5/npm-shrinkwrap.json.5
@@ -0,0 +1,32 @@
+.TH "NPM\-SHRINKWRAP\.JSON" "5" "May 2017" "" ""
+.SH "NAME"
+\fBnpm-shrinkwrap.json\fR \- A publishable lockfile
+.SH DESCRIPTION
+.P
+\fBnpm\-shrinkwrap\.json\fP is a file created by npm help shrinkwrap\. It is identical to
+\fBpackage\-lock\.json\fP, with one major caveat: Unlike \fBpackage\-lock\.json\fP,
+\fBnpm\-shrinwkrap\.json\fP may be included when publishing a package\.
+.P
+The recommended use\-case for \fBnpm\-shrinkwrap\.json\fP is applications deployed
+through the publishing process on the registry: for example, daemons and
+command\-line tools intended as global installs or \fBdevDependencies\fP\|\. It's
+strongly discouraged for library authors to publish this file, since that would
+prevent end users from having control over transitive dependency updates\.
+.P
+Additionally, if both \fBpackage\-lock\.json\fP and \fBnpm\-shrinwkrap\.json\fP are present
+in a package root, \fBpackage\-lock\.json\fP will be ignored in favor of this file\.
+.P
+For full details and description of the \fBnpm\-shrinkwrap\.json\fP file format, refer
+to the manual page for npm help 5 package\-lock\.json\.
+.SH SEE ALSO
+.RS 0
+.IP \(bu 2
+npm help shrinkwrap
+.IP \(bu 2
+npm help 5 package\-lock\.json
+.IP \(bu 2
+npm help 5 package\.json
+.IP \(bu 2
+npm help install
+
+.RE
diff --git a/deps/npm/man/man5/package-lock.json.5 b/deps/npm/man/man5/package-lock.json.5
new file mode 100644
index 00000000000000..fb86d4d0c56e62
--- /dev/null
+++ b/deps/npm/man/man5/package-lock.json.5
@@ -0,0 +1,144 @@
+.TH "PACKAGE\-LOCK\.JSON" "5" "May 2017" "" ""
+.SH "NAME"
+\fBpackage-lock.json\fR \- A manifestation of the manifest
+.SH DESCRIPTION
+.P
+\fBpackage\-lock\.json\fP is automatically generated for any operations where npm
+modifies either the \fBnode_modules\fP tree, or \fBpackage\.json\fP\|\. It describes the
+exact tree that was generated, such that subsequent installs are able to
+generate identical trees, regardless of intermediate dependency updates\.
+.P
+This file is intended to be committed into source repositories, and serves
+various purposes:
+.RS 0
+.IP \(bu 2
+Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies\.
+.IP \(bu 2
+Provide a facility for users to "time\-travel" to previous states of \fBnode_modules\fP without having to commit the directory itself\.
+.IP \(bu 2
+To facilitate greater visibility of tree changes through readable source control diffs\.
+.IP \(bu 2
+And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously\-installed packages\.
+
+.RE
+.P
+One key detail about \fBpackage\-lock\.json\fP is that it cannot be published, and it
+will be ignored if found in any place other than the toplevel package\. It shares
+a format with npm help 5 shrinkwrap\.json, which is essentially the same file, but
+allows publication\. This is not recommended unless deploying a CLI tool or
+otherwise using the publication process for producing production packages\.
+.P
+If both \fBpackage\-lock\.json\fP and \fBnpm\-shrinkwrap\.json\fP are present in the root of
+a package, \fBpackage\-lock\.json\fP will be completely ignored\.
+.SH FILE FORMAT
+.SS name
+.P
+The name of the package this is a package\-lock for\. This must match what's in
+\fBpackage\.json\fP\|\.
+.SS version
+.P
+The version of the package this is a package\-lock for\. This must match what's in
+\fBpackage\.json\fP\|\.
+.SS lockfileVersion
+.P
+An integer version, starting at \fB1\fP with the version number of this document
+whose semantics were used when generating this \fBpackage\-lock\.json\fP\|\.
+.SS packageIntegrity
+.P
+This is a subresource
+integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR value
+created from the \fBpacakge\.json\fP\|\. No preprocessing of the \fBpackage\.json\fP should
+be done\. Subresource integrity strings can be produced by modules like
+\fBssri\fP \fIhttps://www\.npmjs\.com/package/ssri\fR\|\.
+.SS preserveSymlinks
+.P
+Indicates that the install was done with the environment variable
+\fBNODE_PRESERVE_SYMLINKS\fP enabled\. The installer should insist that the value of
+this property match that environment variable\.
+.SS dependencies
+.P
+A mapping of package name to dependency object\.  Dependency objects have the
+following properties:
+.SS version
+.P
+This is a specifier that uniquely identifies this package and should be
+usable in fetching a new copy of it\.
+.RS 0
+.IP \(bu 2
+bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes\.
+.IP \(bu 2
+registry sources: This is a version number\. (eg, \fB1\.2\.3\fP)
+.IP \(bu 2
+git sources: This is a git specifier with resolved committish\. (eg, \fBgit+https://example\.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e\fP)
+.IP \(bu 2
+http tarball sources: This is the URL of the tarball\. (eg, \fBhttps://example\.com/example\-1\.3\.0\.tgz\fP)
+.IP \(bu 2
+local tarball sources: This is the file URL of the tarball\. (eg \fBfile:///opt/storage/example\-1\.3\.0\.tgz\fP)
+.IP \(bu 2
+local link sources: This is the file URL of the link\. (eg \fBfile:libs/our\-module\fP)
+
+.RE
+.SS integrity
+.P
+This is a Standard Subresource
+Integrity \fIhttps://w3c\.github\.io/webappsec/specs/subresourceintegrity/\fR for this
+resource\.
+.RS 0
+.IP \(bu 2
+For bundled dependencies this is not included, regardless of source\.
+.IP \(bu 2
+For registry sources, this is the \fBintegrity\fP that the registry provided, or if one wasn't provided the SHA1 in \fBshasum\fP\|\.
+.IP \(bu 2
+For git sources this is the specific commit hash we cloned from\.
+.IP \(bu 2
+For remote tarball sources this is an integrity based on a SHA512 of
+the file\.
+.IP \(bu 2
+For local tarball sources: This is an integrity field based on the SHA512 of the file\.
+
+.RE
+.SS resolved
+.RS 0
+.IP \(bu 2
+For bundled dependencies this is not included, regardless of source\.
+.IP \(bu 2
+For registry sources this is path of the tarball relative to the registry
+URL\.  If the tarball URL isn't on the same server as the registry URL then
+this is a complete URL\.
+
+.RE
+.SS bundled
+.P
+If true, this is the bundled dependency and will be installed by the parent
+module\.  When installing, this module will be extracted from the parent
+module during the extract phase, not installed as a separate dependency\.
+.SS dev
+.P
+If true then this dependency is either a development dependency ONLY of the
+top level module or a transitive dependency of one\.  This is false for
+dependencies that are both a development dependency of the top level and a
+transitive dependency of a non\-development dependency of the top level\.
+.SS optional
+.P
+If true then this dependency is either an optional dependency ONLY of the
+top level module or a transitive dependency of one\.  This is false for
+dependencies that are both an optional dependency of the top level and a
+transitive dependency of a non\-optional dependency of the top level\.
+.P
+All optional dependencies should be included even if they're uninstallable
+on the current platform\.
+.SS dependencies
+.P
+The dependencies of this dependency, exactly as at the top level\.
+.SH SEE ALSO
+.RS 0
+.IP \(bu 2
+npm help shrinkwrap
+.IP \(bu 2
+npm help 5 package\-lock\.json
+.IP \(bu 2
+npm help 5 package\.json
+.IP \(bu 2
+npm help install
+
+.RE
diff --git a/deps/npm/man/man7/npm-config.7 b/deps/npm/man/man7/npm-config.7
index 30a42afec6da1b..67e8880659a055 100644
--- a/deps/npm/man/man7/npm-config.7
+++ b/deps/npm/man/man7/npm-config.7
@@ -81,6 +81,8 @@ The following shorthands are parsed on the command\-line:
 .IP \(bu 2
 \fB\-S\fP: \fB\-\-save\fP
 .IP \(bu 2
+\fB\-P\fP: \fB\-\-save\-prod\fP
+.IP \(bu 2
 \fB\-D\fP: \fB\-\-save\-dev\fP
 .IP \(bu 2
 \fB\-O\fP: \fB\-\-save\-optional\fP
@@ -943,6 +945,19 @@ Type: Boolean
 Attempt to install packages in the \fBoptionalDependencies\fP object\.  Note
 that if these packages fail to install, the overall installation
 process is not aborted\.
+.SS package\-lock
+.RS 0
+.IP \(bu 2
+Default: true
+.IP \(bu 2
+Type: Boolean
+
+.RE
+.P
+If set to false, then ignore \fBpackage\-lock\.json\fP files when installing\. This
+will also prevent \fIwriting\fR \fBpackage\-lock\.json\fP if \fBsave\fP is true\.
+.P
+This option is an alias for \fB\-\-shrinkwrap\fP\|\.
 .SS parseable
 .RS 0
 .IP \(bu 2
@@ -1107,6 +1122,20 @@ If a package would be saved at install time by the use of \fB\-\-save\fP,
 .P
 When used with the \fBnpm rm\fP command, it removes it from the
 bundledDependencies list\.
+.SS save\-prod
+.RS 0
+.IP \(bu 2
+Default: false
+.IP \(bu 2
+Type: Boolean
+
+.RE
+.P
+Makes sure that a package will be saved into \fBdependencies\fP specifically\. This
+is useful if a package already exists in \fBdevDependencies\fP or
+\fBoptionalDependencies\fP, but you want to move it to be a production dep\. This is
+also the default behavior if \fB\-\-save\fP is true, and neither \fB\-\-save\-dev\fP or
+\fB\-\-save\-optional\fP are true\.
 .SS save\-dev
 .RS 0
 .IP \(bu 2
@@ -1278,8 +1307,10 @@ Type: Boolean
 
 .RE
 .P
-If set to false, then ignore \fBnpm\-shrinkwrap\.json\fP files when
-installing\.
+If set to false, then ignore \fBnpm\-shrinkwrap\.json\fP files when installing\. This
+will also prevent \fIwriting\fR \fBnpm\-shrinkwrap\.json\fP if \fBsave\fP is true\.
+.P
+This option is an alias for \fB\-\-package\-lock\fP\|\.
 .SS sign\-git\-tag
 .RS 0
 .IP \(bu 2
diff --git a/deps/npm/man/man7/npm-index.7 b/deps/npm/man/man7/npm-index.7
index 2ed9981eb313ce..8ec9c159769861 100644
--- a/deps/npm/man/man7/npm-index.7
+++ b/deps/npm/man/man7/npm-index.7
@@ -123,7 +123,7 @@ Run arbitrary package scripts
 Search for packages
 .SS npm help shrinkwrap
 .P
-Lock down dependency versions
+Lock down dependency versions for publication
 .SS npm help star
 .P
 Mark your favorite packages
@@ -169,9 +169,18 @@ File system structures npm uses
 .SS npm help 5 folders
 .P
 Folder Structures Used by npm
+.SS npm help 5 package\-locks
+.P
+An explanation of npm lockfiles
+.SS npm help 5 shrinkwrap\.json
+.P
+A publishable lockfile
 .SS npm help 5 npmrc
 .P
 The npm config files
+.SS npm help 5 package\-lock\.json
+.P
+A manifestation of the manifest
 .SS npm help 5 package\.json
 .P
 Specifics of npm's package\.json handling
diff --git a/deps/npm/man/man7/npm-scripts.7 b/deps/npm/man/man7/npm-scripts.7
index 666953c5ce4ead..f57a4c221fef30 100644
--- a/deps/npm/man/man7/npm-scripts.7
+++ b/deps/npm/man/man7/npm-scripts.7
@@ -8,16 +8,24 @@ following scripts:
 .RS 0
 .IP \(bu 2
 prepublish:
-Run BEFORE the package is published\.  (Also run on local \fBnpm
-install\fP without any arguments\. See below\.)
+Run BEFORE the package is packed and published, as well as on local \fBnpm
+install\fP without any arguments\. (See below)
 .IP \(bu 2
 prepare:
-Run both BEFORE the package is published, and on local \fBnpm
-install\fP without any arguments\. (See below\.) This is run
+Run both BEFORE the package is packed and published, and on local \fBnpm
+install\fP without any arguments (See below)\. This is run
 AFTER \fBprepublish\fP, but BEFORE \fBprepublishOnly\fP\|\.
 .IP \(bu 2
 prepublishOnly:
-Run BEFORE the package is published\. (See below\.)
+Run BEFORE the package is prepared and packed, ONLY on \fBnpm publish\fP\|\. (See
+below\.)
+.IP \(bu 2
+prepack:
+run BEFORE a tarball is packed (on \fBnpm pack\fP, \fBnpm publish\fP, and when
+installing git dependencies)
+.IP \(bu 2
+postpack:
+Run AFTER the tarball has been generated and moved to its final destination\.
 .IP \(bu 2
 publish, postpublish:
 Run AFTER the package is published\.
diff --git a/deps/npm/node_modules/cacache/CHANGELOG.md b/deps/npm/node_modules/cacache/CHANGELOG.md
index 3eeb55dbbb7e8f..8235212ade495f 100644
--- a/deps/npm/node_modules/cacache/CHANGELOG.md
+++ b/deps/npm/node_modules/cacache/CHANGELOG.md
@@ -2,6 +2,76 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+## [9.2.5](https://github.com/zkat/cacache/compare/v9.2.4...v9.2.5) (2017-05-25)
+
+
+### Bug Fixes
+
+* **deps:** fix lockfile issues and bump ssri ([84e1d7e](https://github.com/zkat/cacache/commit/84e1d7e))
+
+
+
+
+## [9.2.4](https://github.com/zkat/cacache/compare/v9.2.3...v9.2.4) (2017-05-24)
+
+
+### Bug Fixes
+
+* **deps:** bumping deps ([bbccb12](https://github.com/zkat/cacache/commit/bbccb12))
+
+
+
+
+## [9.2.3](https://github.com/zkat/cacache/compare/v9.2.2...v9.2.3) (2017-05-24)
+
+
+### Bug Fixes
+
+* **rm:** stop crashing if content is missing on rm ([ac90bc0](https://github.com/zkat/cacache/commit/ac90bc0))
+
+
+
+
+## [9.2.2](https://github.com/zkat/cacache/compare/v9.2.1...v9.2.2) (2017-05-14)
+
+
+### Bug Fixes
+
+* **i18n:** lets pretend this didn't happen ([519b4ee](https://github.com/zkat/cacache/commit/519b4ee))
+
+
+
+
+## [9.2.1](https://github.com/zkat/cacache/compare/v9.2.0...v9.2.1) (2017-05-14)
+
+
+### Bug Fixes
+
+* **docs:** fixing translation messup ([bb9e4f9](https://github.com/zkat/cacache/commit/bb9e4f9))
+
+
+
+
+# [9.2.0](https://github.com/zkat/cacache/compare/v9.1.0...v9.2.0) (2017-05-14)
+
+
+### Features
+
+* **i18n:** add Spanish translation for API ([531f9a4](https://github.com/zkat/cacache/commit/531f9a4))
+
+
+
+
+# [9.1.0](https://github.com/zkat/cacache/compare/v9.0.0...v9.1.0) (2017-05-14)
+
+
+### Features
+
+* **i18n:** Add Spanish translation and i18n setup (#91) ([323b90c](https://github.com/zkat/cacache/commit/323b90c))
+
+
+
 
 # [9.0.0](https://github.com/zkat/cacache/compare/v8.0.0...v9.0.0) (2017-04-28)
 
diff --git a/deps/npm/node_modules/cacache/README.md b/deps/npm/node_modules/cacache/README.md
index bb8f79e988f7eb..ea69b8f540f44f 100644
--- a/deps/npm/node_modules/cacache/README.md
+++ b/deps/npm/node_modules/cacache/README.md
@@ -8,6 +8,8 @@ get corrupted or manipulated.
 It was originally written to be used as [npm](https://npm.im)'s local cache, but
 can just as easily be used on its own
 
+_Translations: [español](README.es.md)_
+
 ## Install
 
 `$ npm install --save cacache`
@@ -18,6 +20,7 @@ can just as easily be used on its own
 * [Features](#features)
 * [Contributing](#contributing)
 * [API](#api)
+  * [Using localized APIs](#localized-api)
   * Reading
     * [`ls`](#ls)
     * [`ls.stream`](#ls-stream)
@@ -33,6 +36,7 @@ can just as easily be used on its own
     * [`rm.entry`](#rm-entry)
     * [`rm.content`](#rm-content)
   * Utilities
+    * [`setLocale`](#set-locale)
     * [`clearMemoized`](#clear-memoized)
     * [`tmp.mkdir`](#tmp-mkdir)
     * [`tmp.withTmp`](#with-tmp)
@@ -44,7 +48,7 @@ can just as easily be used on its own
 ### Example
 
 ```javascript
-const cacache = require('cacache')
+const cacache = require('cacache/en')
 const fs = require('fs')
 
 const tarball = '/path/to/mytar.tgz'
@@ -105,7 +109,22 @@ Happy hacking!
 
 ### API
 
-####  `> cacache.ls(cache) -> Promise`
+####  Using localized APIs
+
+cacache includes a complete API in English, with the same features as other
+translations. To use the English API as documented in this README, use
+`require('cacache/en')`. This is also currently the default if you do
+`require('cacache')`, but may change in the future.
+
+cacache also supports other languages! You can find the list of currently
+supported ones my looking in `./locales` in the source directory. You can use
+the API in that language with `require('cacache/')`.
+
+Want to add support for a new language? Please go ahead! You should be able to
+copy `./locales/en.js` and `./locales/en.json` and fill them in. Translating the
+`README.md` is a bit more work, but also appreciated if you get around to it. 👍🏼
+
+####  `> cacache.ls(cache) -> Promise`
 
 Lists info for all entries currently in the cache as a single large object. Each
 entry in the object will be keyed by the unique index key, with corresponding
@@ -301,14 +320,6 @@ Looks up a [Subresource Integrity hash](#integrity) in the cache. If content
 exists for this `integrity`, it will return an object, with the specific single integrity hash
 that was found in `sri` key, and the size of the found content as `size`. If no content exists for this integrity, it will return `false`.
 
-##### Fields
-
-* `source` - The [Subresource Integrity hash](#integrity) that was provided as an
-argument and subsequently found in the cache.
-* `algorithm` - The algorithm used in the hash.
-* `digest` - The digest portion of the hash.
-* `options`
-
 ##### Example
 
 ```javascript
@@ -422,9 +433,8 @@ If `opts.memoize` is an object or a `Map`-like (that is, an object with `get`
 and `set` methods), it will be written to instead of the global memoization
 cache.
 
-Reading from existing memoized data can be forced by explicitly passing
-`memoize: false` to the reader functions, but their default will be to read from
-memory.
+Reading from disk data can be forced by explicitly passing `memoize: false` to
+the reader functions, but their default will be to read from memory.
 
 ####  `> cacache.rm.all(cache) -> Promise`
 
@@ -471,6 +481,14 @@ cacache.rm.content(cachePath, 'sha512-SoMeDIGest/IN+BaSE64==').then(() => {
 })
 ```
 
+####  `> cacache.setLocale(locale)`
+
+Configure the language/locale used for messages and errors coming from cacache.
+The list of available locales is in the `./locales` directory in the project
+root.
+
+_Interested in contributing more languages! [Submit a PR](CONTRIBUTING.md)!_
+
 ####  `> cacache.clearMemoized()`
 
 Completely resets the in-memory entry cache.
diff --git a/deps/npm/node_modules/cacache/en.js b/deps/npm/node_modules/cacache/en.js
new file mode 100644
index 00000000000000..a3db581c9f1faa
--- /dev/null
+++ b/deps/npm/node_modules/cacache/en.js
@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = require('./locales/en.js')
diff --git a/deps/npm/node_modules/cacache/es.js b/deps/npm/node_modules/cacache/es.js
new file mode 100644
index 00000000000000..6282363c3bdbf5
--- /dev/null
+++ b/deps/npm/node_modules/cacache/es.js
@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = require('./locales/es.js')
diff --git a/deps/npm/node_modules/cacache/index.js b/deps/npm/node_modules/cacache/index.js
index c9b19c20f7cc1d..a3db581c9f1faa 100644
--- a/deps/npm/node_modules/cacache/index.js
+++ b/deps/npm/node_modules/cacache/index.js
@@ -1,11 +1,3 @@
 'use strict'
 
-module.exports = {
-  ls: require('./ls'),
-  get: require('./get'),
-  put: require('./put'),
-  rm: require('./rm'),
-  verify: require('./verify'),
-  clearMemoized: require('./lib/memoization').clearMemoized,
-  tmp: require('./lib/util/tmp')
-}
+module.exports = require('./locales/en.js')
diff --git a/deps/npm/node_modules/cacache/lib/content/read.js b/deps/npm/node_modules/cacache/lib/content/read.js
index 0ba19ac6e98306..14ca7d905dfdb6 100644
--- a/deps/npm/node_modules/cacache/lib/content/read.js
+++ b/deps/npm/node_modules/cacache/lib/content/read.js
@@ -7,6 +7,7 @@ const fs = require('graceful-fs')
 const PassThrough = require('stream').PassThrough
 const pipe = BB.promisify(require('mississippi').pipe)
 const ssri = require('ssri')
+const Y = require('../util/y.js')
 
 BB.promisifyAll(fs)
 
@@ -86,7 +87,7 @@ function pickContentSri (cache, integrity) {
 }
 
 function sizeError (expected, found) {
-  var err = new Error('stream data size mismatch')
+  var err = new Error(Y`Bad data size: expected inserted data to be ${expected} bytes, but got ${found} instead`)
   err.expected = expected
   err.found = found
   err.code = 'EBADSIZE'
@@ -94,7 +95,7 @@ function sizeError (expected, found) {
 }
 
 function integrityError (sri, path) {
-  var err = new Error(`Integrity verification failed for ${sri} (${path})`)
+  var err = new Error(Y`Integrity verification failed for ${sri} (${path})`)
   err.code = 'EINTEGRITY'
   err.sri = sri
   err.path = path
diff --git a/deps/npm/node_modules/cacache/lib/content/rm.js b/deps/npm/node_modules/cacache/lib/content/rm.js
index a8903dc0e35ce3..12cf1582358dd7 100644
--- a/deps/npm/node_modules/cacache/lib/content/rm.js
+++ b/deps/npm/node_modules/cacache/lib/content/rm.js
@@ -9,9 +9,13 @@ const rimraf = BB.promisify(require('rimraf'))
 module.exports = rm
 function rm (cache, integrity) {
   return hasContent(cache, integrity).then(content => {
-    const sri = content.sri
-    if (sri) {
-      return rimraf(contentPath(cache, sri))
+    if (content) {
+      const sri = content.sri
+      if (sri) {
+        return rimraf(contentPath(cache, sri)).then(() => true)
+      }
+    } else {
+      return false
     }
   })
 }
diff --git a/deps/npm/node_modules/cacache/lib/content/write.js b/deps/npm/node_modules/cacache/lib/content/write.js
index 479d3e7f80d081..a79ae92902137f 100644
--- a/deps/npm/node_modules/cacache/lib/content/write.js
+++ b/deps/npm/node_modules/cacache/lib/content/write.js
@@ -13,6 +13,7 @@ const rimraf = BB.promisify(require('rimraf'))
 const ssri = require('ssri')
 const to = require('mississippi').to
 const uniqueFilename = require('unique-filename')
+const Y = require('../util/y.js')
 
 const writeFileAsync = BB.promisify(fs.writeFile)
 
@@ -21,7 +22,7 @@ function write (cache, data, opts) {
   opts = opts || {}
   if (opts.algorithms && opts.algorithms.length > 1) {
     throw new Error(
-      'opts.algorithms only supports a single algorithm for now'
+      Y`opts.algorithms only supports a single algorithm for now`
     )
   }
   if (typeof opts.size === 'number' && data.length !== opts.size) {
@@ -58,7 +59,7 @@ function writeStream (cache, opts) {
   }, cb => {
     inputStream.end(() => {
       if (!allDone) {
-        const e = new Error('Input stream was empty')
+        const e = new Error(Y`Cache input stream was empty`)
         e.code = 'ENODATA'
         return ret.emit('error', e)
       }
@@ -143,7 +144,7 @@ function moveToDestination (tmp, cache, sri, opts, errCheck) {
 }
 
 function sizeError (expected, found) {
-  var err = new Error('stream data size mismatch')
+  var err = new Error(Y`Bad data size: expected inserted data to be ${expected} bytes, but got ${found} instead`)
   err.expected = expected
   err.found = found
   err.code = 'EBADSIZE'
@@ -151,7 +152,9 @@ function sizeError (expected, found) {
 }
 
 function checksumError (expected, found) {
-  var err = new Error('checksum failed')
+  var err = new Error(Y`Integrity check failed:
+  Wanted: ${expected}
+   Found: ${found}`)
   err.code = 'EINTEGRITY'
   err.expected = expected
   err.found = found
diff --git a/deps/npm/node_modules/cacache/lib/entry-index.js b/deps/npm/node_modules/cacache/lib/entry-index.js
index d95d0452a2a097..face0fe79c4dbd 100644
--- a/deps/npm/node_modules/cacache/lib/entry-index.js
+++ b/deps/npm/node_modules/cacache/lib/entry-index.js
@@ -10,6 +10,7 @@ const hashToSegments = require('./util/hash-to-segments')
 const ms = require('mississippi')
 const path = require('path')
 const ssri = require('ssri')
+const Y = require('./util/y.js')
 
 const indexV = require('../package.json')['cache-version'].index
 
@@ -21,7 +22,7 @@ const from = ms.from
 
 module.exports.NotFoundError = class NotFoundError extends Error {
   constructor (cache, key) {
-    super('content not found')
+    super(Y`No cache entry for \`${key}\` found in \`${cache}\``)
     this.code = 'ENOENT'
     this.cache = cache
     this.key = key
@@ -214,7 +215,9 @@ function formatEntry (cache, entry) {
 }
 
 function readdirOrEmpty (dir) {
-  return readdirAsync(dir).catch({code: 'ENOENT'}, () => [])
+  return readdirAsync(dir)
+  .catch({code: 'ENOENT'}, () => [])
+  .catch({code: 'ENOTDIR'}, () => [])
 }
 
 function nop () {
diff --git a/deps/npm/node_modules/cacache/lib/util/y.js b/deps/npm/node_modules/cacache/lib/util/y.js
new file mode 100644
index 00000000000000..d62bedacb32a27
--- /dev/null
+++ b/deps/npm/node_modules/cacache/lib/util/y.js
@@ -0,0 +1,25 @@
+'use strict'
+
+const path = require('path')
+const y18n = require('y18n')({
+  directory: path.join(__dirname, '../../locales'),
+  locale: 'en',
+  updateFiles: process.env.CACACHE_UPDATE_LOCALE_FILES === 'true'
+})
+
+module.exports = yTag
+function yTag (parts) {
+  let str = ''
+  parts.forEach((part, i) => {
+    const arg = arguments[i + 1]
+    str += part
+    if (arg) {
+      str += '%s'
+    }
+  })
+  return y18n.__.apply(null, [str].concat([].slice.call(arguments, 1)))
+}
+
+module.exports.setLocale = locale => {
+  y18n.setLocale(locale)
+}
diff --git a/deps/npm/node_modules/cacache/locales/en.js b/deps/npm/node_modules/cacache/locales/en.js
new file mode 100644
index 00000000000000..22382c96b38596
--- /dev/null
+++ b/deps/npm/node_modules/cacache/locales/en.js
@@ -0,0 +1,42 @@
+'use strict'
+
+const ls = require('../ls.js')
+const get = require('../get.js')
+const put = require('../put.js')
+const rm = require('../rm.js')
+const verify = require('../verify.js')
+const setLocale = require('../lib/util/y.js').setLocale
+const clearMemoized = require('../lib/memoization.js').clearMemoized
+const tmp = require('../lib/util/tmp.js')
+
+setLocale('en')
+
+const x = module.exports
+
+x.ls = cache => ls(cache)
+x.ls.stream = cache => ls.stream(cache)
+
+x.get = (cache, key, opts) => get(cache, key, opts)
+x.get.byDigest = (cache, hash, opts) => get.byDigest(cache, hash, opts)
+x.get.stream = (cache, key, opts) => get.stream(cache, key, opts)
+x.get.stream.byDigest = (cache, hash, opts) => get.stream.byDigest(cache, hash, opts)
+x.get.info = (cache, key) => get.info(cache, key)
+x.get.hasContent = (cache, hash) => get.hasContent(cache, hash)
+
+x.put = (cache, key, data, opts) => put(cache, key, data, opts)
+x.put.stream = (cache, key, opts) => put.stream(cache, key, opts)
+
+x.rm = (cache, key) => rm.entry(cache, key)
+x.rm.all = cache => rm.all(cache)
+x.rm.entry = x.rm
+x.rm.content = (cache, hash) => rm.content(cache, hash)
+
+x.setLocale = lang => setLocale(lang)
+x.clearMemoized = () => clearMemoized()
+
+x.tmp = {}
+x.tmp.mkdir = (cache, opts) => tmp.mkdir(cache, opts)
+x.tmp.withTmp = (cache, opts, cb) => tmp.withTmp(cache, opts, cb)
+
+x.verify = (cache, opts) => verify(cache, opts)
+x.verify.lastRun = cache => verify.lastRun(cache)
diff --git a/deps/npm/node_modules/cacache/locales/en.json b/deps/npm/node_modules/cacache/locales/en.json
new file mode 100644
index 00000000000000..82ecb0832490d2
--- /dev/null
+++ b/deps/npm/node_modules/cacache/locales/en.json
@@ -0,0 +1,6 @@
+{
+  "No cache entry for `%s` found in `%s`": "No cache entry for %s found in %s",
+  "Integrity verification failed for %s (%s)": "Integrity verification failed for %s (%s)",
+  "Bad data size: expected inserted data to be %s bytes, but got %s instead": "Bad data size: expected inserted data to be %s bytes, but got %s instead",
+  "Cache input stream was empty": "Cache input stream was empty"
+}
diff --git a/deps/npm/node_modules/cacache/locales/es.js b/deps/npm/node_modules/cacache/locales/es.js
new file mode 100644
index 00000000000000..6cb9d0c0d28be9
--- /dev/null
+++ b/deps/npm/node_modules/cacache/locales/es.js
@@ -0,0 +1,44 @@
+'use strict'
+
+const ls = require('../ls.js')
+const get = require('../get.js')
+const put = require('../put.js')
+const rm = require('../rm.js')
+const verify = require('../verify.js')
+const setLocale = require('../lib/util/y.js').setLocale
+const clearMemoized = require('../lib/memoization.js').clearMemoized
+const tmp = require('../lib/util/tmp.js')
+
+setLocale('es')
+
+const x = module.exports
+
+x.ls = cache => ls(cache)
+x.ls.flujo = cache => ls.stream(cache)
+
+x.saca = (cache, clave, ops) => get(cache, clave, ops)
+x.saca.porHacheo = (cache, hacheo, ops) => get.byDigest(cache, hacheo, ops)
+x.saca.flujo = (cache, clave, ops) => get.stream(cache, clave, ops)
+x.saca.flujo.porHacheo = (cache, hacheo, ops) => get.stream.byDigest(cache, hacheo, ops)
+x.saca.info = (cache, clave) => get.info(cache, clave)
+x.saca.tieneDatos = (cache, hacheo) => get.hasContent(cache, hacheo)
+
+x.mete = (cache, clave, datos, ops) => put(cache, clave, datos, ops)
+x.mete.flujo = (cache, clave, ops) => put.stream(cache, clave, ops)
+
+x.rm = (cache, clave) => rm.entry(cache, clave)
+x.rm.todo = cache => rm.all(cache)
+x.rm.entrada = x.rm
+x.rm.datos = (cache, hacheo) => rm.content(cache, hacheo)
+
+x.ponLenguaje = lang => setLocale(lang)
+x.limpiaMemoizado = () => clearMemoized()
+
+x.tmp = {}
+x.tmp.mkdir = (cache, ops) => tmp.mkdir(cache, ops)
+x.tmp.hazdir = x.tmp.mkdir
+x.tmp.conTmp = (cache, ops, cb) => tmp.withTmp(cache, ops, cb)
+
+x.verifica = (cache, ops) => verify(cache, ops)
+x.verifica.ultimaVez = cache => verify.lastRun(cache)
+x.verifica.últimaVez = x.verifica.ultimaVez
diff --git a/deps/npm/node_modules/cacache/locales/es.json b/deps/npm/node_modules/cacache/locales/es.json
new file mode 100644
index 00000000000000..a91d76225b43ff
--- /dev/null
+++ b/deps/npm/node_modules/cacache/locales/es.json
@@ -0,0 +1,6 @@
+{
+  "No cache entry for `%s` found in `%s`": "No existe ninguna entrada para «%s» en «%s»",
+  "Integrity verification failed for %s (%s)": "Verificación de integridad falló para «%s» (%s)",
+  "Bad data size: expected inserted data to be %s bytes, but got %s instead": "Tamaño incorrecto de datos: los datos insertados debieron haber sido %s octetos, pero fueron %s",
+  "Cache input stream was empty": "El stream de entrada al caché estaba vacío"
+}
diff --git a/deps/npm/node_modules/cacache/node_modules/y18n/LICENSE b/deps/npm/node_modules/cacache/node_modules/y18n/LICENSE
new file mode 100644
index 00000000000000..3c157f0b9d9bed
--- /dev/null
+++ b/deps/npm/node_modules/cacache/node_modules/y18n/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2015, Contributors
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+THIS SOFTWARE.
diff --git a/deps/npm/node_modules/cacache/node_modules/y18n/README.md b/deps/npm/node_modules/cacache/node_modules/y18n/README.md
new file mode 100644
index 00000000000000..9859458f20b856
--- /dev/null
+++ b/deps/npm/node_modules/cacache/node_modules/y18n/README.md
@@ -0,0 +1,91 @@
+# y18n
+
+[![Build Status][travis-image]][travis-url]
+[![Coverage Status][coveralls-image]][coveralls-url]
+[![NPM version][npm-image]][npm-url]
+[![js-standard-style][standard-image]][standard-url]
+
+The bare-bones internationalization library used by yargs.
+
+Inspired by [i18n](https://www.npmjs.com/package/i18n).
+
+## Examples
+
+_simple string translation:_
+
+```js
+var __ = require('y18n').__
+
+console.log(__('my awesome string %s', 'foo'))
+```
+
+output:
+
+`my awesome string foo`
+
+_pluralization support:_
+
+```js
+var __n = require('y18n').__n
+
+console.log(__n('one fish %s', '%d fishes %s', 2, 'foo'))
+```
+
+output:
+
+`2 fishes foo`
+
+## JSON Language Files
+
+The JSON language files should be stored in a `./locales` folder.
+File names correspond to locales, e.g., `en.json`, `pirate.json`.
+
+When strings are observed for the first time they will be
+added to the JSON file corresponding to the current locale.
+
+## Methods
+
+### require('y18n')(config)
+
+Create an instance of y18n with the config provided, options include:
+
+* `directory`: the locale directory, default `./locales`.
+* `updateFiles`: should newly observed strings be updated in file, default `true`.
+* `locale`: what locale should be used.
+* `fallbackToLanguage`: should fallback to a language-only file (e.g. `en.json`)
+  be allowed if a file matching the locale does not exist (e.g. `en_US.json`),
+  default `true`.
+
+### y18n.\_\_(str, arg, arg, arg)
+
+Print a localized string, `%s` will be replaced with `arg`s.
+
+### y18n.\_\_n(singularString, pluralString, count, arg, arg, arg)
+
+Print a localized string with appropriate pluralization. If `%d` is provided
+in the string, the `count` will replace this placeholder.
+
+### y18n.setLocale(str)
+
+Set the current locale being used.
+
+### y18n.getLocale()
+
+What locale is currently being used?
+
+### y18n.updateLocale(obj)
+
+Update the current locale with the key value pairs in `obj`.
+
+## License
+
+ISC
+
+[travis-url]: https://travis-ci.org/yargs/y18n
+[travis-image]: https://img.shields.io/travis/yargs/y18n.svg
+[coveralls-url]: https://coveralls.io/github/yargs/y18n
+[coveralls-image]: https://img.shields.io/coveralls/yargs/y18n.svg
+[npm-url]: https://npmjs.org/package/y18n
+[npm-image]: https://img.shields.io/npm/v/y18n.svg
+[standard-image]: https://img.shields.io/badge/code%20style-standard-brightgreen.svg
+[standard-url]: https://github.com/feross/standard
diff --git a/deps/npm/node_modules/cacache/node_modules/y18n/index.js b/deps/npm/node_modules/cacache/node_modules/y18n/index.js
new file mode 100644
index 00000000000000..91b159e34298ac
--- /dev/null
+++ b/deps/npm/node_modules/cacache/node_modules/y18n/index.js
@@ -0,0 +1,172 @@
+var fs = require('fs')
+var path = require('path')
+var util = require('util')
+
+function Y18N (opts) {
+  // configurable options.
+  opts = opts || {}
+  this.directory = opts.directory || './locales'
+  this.updateFiles = typeof opts.updateFiles === 'boolean' ? opts.updateFiles : true
+  this.locale = opts.locale || 'en'
+  this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+
+  // internal stuff.
+  this.cache = {}
+  this.writeQueue = []
+}
+
+Y18N.prototype.__ = function () {
+  var args = Array.prototype.slice.call(arguments)
+  var str = args.shift()
+  var cb = function () {} // start with noop.
+
+  if (typeof args[args.length - 1] === 'function') cb = args.pop()
+  cb = cb || function () {} // noop.
+
+  if (!this.cache[this.locale]) this._readLocaleFile()
+
+  // we've observed a new string, update the language file.
+  if (!this.cache[this.locale][str] && this.updateFiles) {
+    this.cache[this.locale][str] = str
+
+    // include the current directory and locale,
+    // since these values could change before the
+    // write is performed.
+    this._enqueueWrite([this.directory, this.locale, cb])
+  } else {
+    cb()
+  }
+
+  return util.format.apply(util, [this.cache[this.locale][str] || str].concat(args))
+}
+
+Y18N.prototype._enqueueWrite = function (work) {
+  this.writeQueue.push(work)
+  if (this.writeQueue.length === 1) this._processWriteQueue()
+}
+
+Y18N.prototype._processWriteQueue = function () {
+  var _this = this
+  var work = this.writeQueue[0]
+
+  // destructure the enqueued work.
+  var directory = work[0]
+  var locale = work[1]
+  var cb = work[2]
+
+  var languageFile = this._resolveLocaleFile(directory, locale)
+  var serializedLocale = JSON.stringify(this.cache[locale], null, 2)
+
+  fs.writeFile(languageFile, serializedLocale, 'utf-8', function (err) {
+    _this.writeQueue.shift()
+    if (_this.writeQueue.length > 0) _this._processWriteQueue()
+    cb(err)
+  })
+}
+
+Y18N.prototype._readLocaleFile = function () {
+  var localeLookup = {}
+  var languageFile = this._resolveLocaleFile(this.directory, this.locale)
+
+  try {
+    localeLookup = JSON.parse(fs.readFileSync(languageFile, 'utf-8'))
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      err.message = 'syntax error in ' + languageFile
+    }
+
+    if (err.code === 'ENOENT') localeLookup = {}
+    else throw err
+  }
+
+  this.cache[this.locale] = localeLookup
+}
+
+Y18N.prototype._resolveLocaleFile = function (directory, locale) {
+  var file = path.resolve(directory, './', locale + '.json')
+  if (this.fallbackToLanguage && !this._fileExistsSync(file) && ~locale.lastIndexOf('_')) {
+    // attempt fallback to language only
+    var languageFile = path.resolve(directory, './', locale.split('_')[0] + '.json')
+    if (this._fileExistsSync(languageFile)) file = languageFile
+  }
+  return file
+}
+
+// this only exists because fs.existsSync() "will be deprecated"
+// see https://nodejs.org/api/fs.html#fs_fs_existssync_path
+Y18N.prototype._fileExistsSync = function (file) {
+  try {
+    return fs.statSync(file).isFile()
+  } catch (err) {
+    return false
+  }
+}
+
+Y18N.prototype.__n = function () {
+  var args = Array.prototype.slice.call(arguments)
+  var singular = args.shift()
+  var plural = args.shift()
+  var quantity = args.shift()
+
+  var cb = function () {} // start with noop.
+  if (typeof args[args.length - 1] === 'function') cb = args.pop()
+
+  if (!this.cache[this.locale]) this._readLocaleFile()
+
+  var str = quantity === 1 ? singular : plural
+  if (this.cache[this.locale][singular]) {
+    str = this.cache[this.locale][singular][quantity === 1 ? 'one' : 'other']
+  }
+
+  // we've observed a new string, update the language file.
+  if (!this.cache[this.locale][singular] && this.updateFiles) {
+    this.cache[this.locale][singular] = {
+      one: singular,
+      other: plural
+    }
+
+    // include the current directory and locale,
+    // since these values could change before the
+    // write is performed.
+    this._enqueueWrite([this.directory, this.locale, cb])
+  } else {
+    cb()
+  }
+
+  // if a %d placeholder is provided, add quantity
+  // to the arguments expanded by util.format.
+  var values = [str]
+  if (~str.indexOf('%d')) values.push(quantity)
+
+  return util.format.apply(util, values.concat(args))
+}
+
+Y18N.prototype.setLocale = function (locale) {
+  this.locale = locale
+}
+
+Y18N.prototype.getLocale = function () {
+  return this.locale
+}
+
+Y18N.prototype.updateLocale = function (obj) {
+  if (!this.cache[this.locale]) this._readLocaleFile()
+
+  for (var key in obj) {
+    this.cache[this.locale][key] = obj[key]
+  }
+}
+
+module.exports = function (opts) {
+  var y18n = new Y18N(opts)
+
+  // bind all functions to y18n, so that
+  // they can be used in isolation.
+  for (var key in y18n) {
+    if (typeof y18n[key] === 'function') {
+      y18n[key] = y18n[key].bind(y18n)
+    }
+  }
+
+  return y18n
+}
diff --git a/deps/npm/node_modules/cacache/node_modules/y18n/package.json b/deps/npm/node_modules/cacache/node_modules/y18n/package.json
new file mode 100644
index 00000000000000..a96457708aa5a8
--- /dev/null
+++ b/deps/npm/node_modules/cacache/node_modules/y18n/package.json
@@ -0,0 +1,65 @@
+{
+  "_from": "y18n@^3.2.1",
+  "_id": "y18n@3.2.1",
+  "_inBundle": false,
+  "_integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=",
+  "_location": "/cacache/y18n",
+  "_phantomChildren": {},
+  "_requested": {
+    "type": "range",
+    "registry": true,
+    "raw": "y18n@^3.2.1",
+    "name": "y18n",
+    "escapedName": "y18n",
+    "rawSpec": "^3.2.1",
+    "saveSpec": null,
+    "fetchSpec": "^3.2.1"
+  },
+  "_requiredBy": [
+    "/cacache"
+  ],
+  "_resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz",
+  "_shasum": "6d15fba884c08679c0d77e88e7759e811e07fa41",
+  "_spec": "y18n@^3.2.1",
+  "_where": "/Users/zkat/Documents/code/npm/node_modules/cacache",
+  "author": {
+    "name": "Ben Coe",
+    "email": "ben@npmjs.com"
+  },
+  "bugs": {
+    "url": "https://github.com/yargs/y18n/issues"
+  },
+  "bundleDependencies": false,
+  "deprecated": false,
+  "description": "the bare-bones internationalization library used by yargs",
+  "devDependencies": {
+    "chai": "^3.4.1",
+    "coveralls": "^2.11.6",
+    "mocha": "^2.3.4",
+    "nyc": "^6.1.1",
+    "rimraf": "^2.5.0",
+    "standard": "^5.4.1"
+  },
+  "files": [
+    "index.js"
+  ],
+  "homepage": "https://github.com/yargs/y18n",
+  "keywords": [
+    "i18n",
+    "internationalization",
+    "yargs"
+  ],
+  "license": "ISC",
+  "main": "index.js",
+  "name": "y18n",
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://git@github.com/yargs/y18n.git"
+  },
+  "scripts": {
+    "coverage": "nyc report --reporter=text-lcov | coveralls",
+    "pretest": "standard",
+    "test": "nyc mocha"
+  },
+  "version": "3.2.1"
+}
diff --git a/deps/npm/node_modules/cacache/package.json b/deps/npm/node_modules/cacache/package.json
index b39b2d2104cc17..26b8e826f216ba 100644
--- a/deps/npm/node_modules/cacache/package.json
+++ b/deps/npm/node_modules/cacache/package.json
@@ -1,34 +1,34 @@
 {
-  "_from": "cacache@~9.0.0",
-  "_id": "cacache@9.0.0",
-  "_integrity": "sha1-7c9iADCw+/NwgZPwcYE27tshcKQ=",
+  "_from": "cacache@9.2.5",
+  "_id": "cacache@9.2.5",
+  "_inBundle": false,
+  "_integrity": "sha512-mURsTvkjbCSFRTdkuPhHUp9sbEHn3AVrvM4mveg/bhlKKYolfRm23TsFUVAssC9p622lwmh7pgpb+H5mSVpYcA==",
   "_location": "/cacache",
   "_phantomChildren": {},
   "_requested": {
-    "type": "range",
+    "type": "version",
     "registry": true,
-    "raw": "cacache@~9.0.0",
+    "raw": "cacache@9.2.5",
     "name": "cacache",
     "escapedName": "cacache",
-    "rawSpec": "~9.0.0",
+    "rawSpec": "9.2.5",
     "saveSpec": null,
-    "fetchSpec": "~9.0.0"
+    "fetchSpec": "9.2.5"
   },
   "_requiredBy": [
+    "#USER",
     "/",
     "/pacote",
     "/pacote/make-fetch-happen"
   ],
-  "_resolved": "https://registry.npmjs.org/cacache/-/cacache-9.0.0.tgz",
-  "_shasum": "edcf620030b0fbf3708193f0718136eedb2170a4",
-  "_shrinkwrap": null,
-  "_spec": "cacache@~9.0.0",
-  "_where": "/Users/zkat/Documents/code/npm",
+  "_resolved": "https://registry.npmjs.org/cacache/-/cacache-9.2.5.tgz",
+  "_shasum": "cb401d0e59858532062de1f104097cb40c71c3bf",
+  "_spec": "cacache@9.2.5",
+  "_where": "/Users/rebecca/code/npm",
   "author": {
     "name": "Kat Marchán",
     "email": "kzm@sykosomatic.org"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zkat/cacache/issues"
   },
@@ -56,37 +56,40 @@
     }
   ],
   "dependencies": {
-    "bluebird": "^3.4.7",
+    "bluebird": "^3.5.0",
     "chownr": "^1.0.1",
-    "glob": "^7.1.1",
-    "graceful-fs": "^4.1.10",
+    "glob": "^7.1.2",
+    "graceful-fs": "^4.1.11",
     "lru-cache": "^4.0.2",
-    "mississippi": "^1.2.0",
+    "mississippi": "^1.3.0",
     "mkdirp": "^0.5.1",
-    "move-concurrently": "^1.0.0",
+    "move-concurrently": "^1.0.1",
     "promise-inflight": "^1.0.1",
     "rimraf": "^2.6.1",
-    "ssri": "^4.1.2",
-    "unique-filename": "^1.1.0"
+    "ssri": "^4.1.3",
+    "unique-filename": "^1.1.0",
+    "y18n": "^3.2.1"
   },
   "deprecated": false,
   "description": "Fast, fault-tolerant, cross-platform, disk-based, data-agnostic, content-addressable cache.",
   "devDependencies": {
     "benchmark": "^2.1.4",
     "chalk": "^1.1.3",
-    "nyc": "^10.2.0",
+    "cross-env": "^5.0.0",
+    "nyc": "^10.3.2",
     "require-inject": "^1.4.0",
     "safe-buffer": "^5.0.1",
     "standard": "^10.0.2",
     "standard-version": "^4.0.0",
     "tacks": "^1.2.2",
     "tap": "^10.3.2",
-    "weallbehave": "^1.0.0",
+    "weallbehave": "^1.2.0",
     "weallcontribute": "^1.0.8"
   },
   "files": [
     "*.js",
-    "lib"
+    "lib",
+    "locales"
   ],
   "homepage": "https://github.com/zkat/cacache#readme",
   "keywords": [
@@ -107,8 +110,6 @@
   "license": "CC0-1.0",
   "main": "index.js",
   "name": "cacache",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zkat/cacache.git"
@@ -119,10 +120,10 @@
     "prerelease": "npm t",
     "pretest": "standard lib test *.js",
     "release": "standard-version -s",
-    "test": "nyc --all -- tap -J test/*.js",
+    "test": "cross-env CACACHE_UPDATE_LOCALE_FILES=true nyc --all -- tap -J test/*.js",
     "test-docker": "docker run -it --rm --name pacotest -v \"$PWD\":/tmp -w /tmp node:latest npm test",
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
     "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
   },
-  "version": "9.0.0"
+  "version": "9.2.5"
 }
diff --git a/deps/npm/node_modules/glob/glob.js b/deps/npm/node_modules/glob/glob.js
index bfdd7a11b8144f..58dec0f6c2bd0b 100644
--- a/deps/npm/node_modules/glob/glob.js
+++ b/deps/npm/node_modules/glob/glob.js
@@ -153,9 +153,7 @@ function Glob (pattern, options, cb) {
   }
 
   var self = this
-  var n = this.minimatch.set.length
   this._processing = 0
-  this.matches = new Array(n)
 
   this._emitQueue = []
   this._processQueue = []
diff --git a/deps/npm/node_modules/glob/node_modules/minimatch/package.json b/deps/npm/node_modules/glob/node_modules/minimatch/package.json
index aa259b0ee8cb65..c329ba05343200 100644
--- a/deps/npm/node_modules/glob/node_modules/minimatch/package.json
+++ b/deps/npm/node_modules/glob/node_modules/minimatch/package.json
@@ -1,45 +1,43 @@
 {
-  "_from": "minimatch@^3.0.2",
-  "_id": "minimatch@3.0.3",
-  "_integrity": "sha1-Kk5AkLlrLbBqnX3wEFWmKnfJt3Q=",
+  "_from": "minimatch@^3.0.4",
+  "_id": "minimatch@3.0.4",
+  "_inBundle": false,
+  "_integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
   "_location": "/glob/minimatch",
   "_phantomChildren": {},
   "_requested": {
     "type": "range",
     "registry": true,
-    "raw": "minimatch@^3.0.2",
+    "raw": "minimatch@^3.0.4",
     "name": "minimatch",
     "escapedName": "minimatch",
-    "rawSpec": "^3.0.2",
+    "rawSpec": "^3.0.4",
     "saveSpec": null,
-    "fetchSpec": "^3.0.2"
+    "fetchSpec": "^3.0.4"
   },
   "_requiredBy": [
     "/glob"
   ],
-  "_resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz",
-  "_shasum": "2a4e4090b96b2db06a9d7df01055a62a77c9b774",
-  "_shrinkwrap": null,
-  "_spec": "minimatch@^3.0.2",
+  "_resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
+  "_shasum": "5166e286457f03306064be5497e8dbb0c3d32083",
+  "_spec": "minimatch@^3.0.4",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/glob",
   "author": {
     "name": "Isaac Z. Schlueter",
     "email": "i@izs.me",
     "url": "http://blog.izs.me"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/isaacs/minimatch/issues"
   },
   "bundleDependencies": false,
   "dependencies": {
-    "brace-expansion": "^1.0.0"
+    "brace-expansion": "^1.1.7"
   },
   "deprecated": false,
   "description": "a glob matcher in javascript",
   "devDependencies": {
-    "standard": "^3.7.2",
-    "tap": "^5.6.0"
+    "tap": "^10.3.2"
   },
   "engines": {
     "node": "*"
@@ -51,15 +49,15 @@
   "license": "ISC",
   "main": "minimatch.js",
   "name": "minimatch",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/isaacs/minimatch.git"
   },
   "scripts": {
-    "posttest": "standard minimatch.js test/*.js",
-    "test": "tap test/*.js"
+    "postpublish": "git push origin --all; git push origin --tags",
+    "postversion": "npm publish",
+    "preversion": "npm test",
+    "test": "tap test/*.js --cov"
   },
-  "version": "3.0.3"
+  "version": "3.0.4"
 }
diff --git a/deps/npm/node_modules/glob/package.json b/deps/npm/node_modules/glob/package.json
index e218af71436ab0..82971fc8bfbac0 100644
--- a/deps/npm/node_modules/glob/package.json
+++ b/deps/npm/node_modules/glob/package.json
@@ -1,20 +1,22 @@
 {
-  "_from": "glob@~7.1.1",
-  "_id": "glob@7.1.1",
-  "_integrity": "sha1-gFIR3wT6rxxjo2ADBs31reULLsg=",
+  "_from": "glob@7.1.2",
+  "_id": "glob@7.1.2",
+  "_inBundle": false,
+  "_integrity": "sha512-MJTUg1kjuLeQCJ+ccE4Vpa6kKVXkPYJ2mOCQyUuKLcLQsdrMCpBPUi8qVE6+YuaJkozeA9NusTAw3hLr8Xe5EQ==",
   "_location": "/glob",
   "_phantomChildren": {},
   "_requested": {
-    "type": "range",
+    "type": "version",
     "registry": true,
-    "raw": "glob@~7.1.1",
+    "raw": "glob@7.1.2",
     "name": "glob",
     "escapedName": "glob",
-    "rawSpec": "~7.1.1",
+    "rawSpec": "7.1.2",
     "saveSpec": null,
-    "fetchSpec": "~7.1.1"
+    "fetchSpec": "7.1.2"
   },
   "_requiredBy": [
+    "#USER",
     "/",
     "/cacache",
     "/init-package-json",
@@ -26,17 +28,15 @@
     "/tap",
     "/tap/tap-mocha-reporter"
   ],
-  "_resolved": "https://registry.npmjs.org/glob/-/glob-7.1.1.tgz",
-  "_shasum": "805211df04faaf1c63a3600306cdf5ade50b2ec8",
-  "_shrinkwrap": null,
-  "_spec": "glob@~7.1.1",
+  "_resolved": "https://registry.npmjs.org/glob/-/glob-7.1.2.tgz",
+  "_shasum": "c19c9df9a028702d678612384a6552404c636d15",
+  "_spec": "glob@7.1.2",
   "_where": "/Users/zkat/Documents/code/npm",
   "author": {
     "name": "Isaac Z. Schlueter",
     "email": "i@izs.me",
     "url": "http://blog.izs.me/"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/isaacs/node-glob/issues"
   },
@@ -45,7 +45,7 @@
     "fs.realpath": "^1.0.0",
     "inflight": "^1.0.4",
     "inherits": "2",
-    "minimatch": "^3.0.2",
+    "minimatch": "^3.0.4",
     "once": "^1.3.0",
     "path-is-absolute": "^1.0.0"
   },
@@ -69,8 +69,6 @@
   "license": "ISC",
   "main": "glob.js",
   "name": "glob",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/isaacs/node-glob.git"
@@ -84,5 +82,5 @@
     "test": "tap test/*.js --cov",
     "test-regen": "npm run profclean && TEST_REGEN=1 node test/00-setup.js"
   },
-  "version": "7.1.1"
+  "version": "7.1.2"
 }
diff --git a/deps/npm/node_modules/pacote/CHANGELOG.md b/deps/npm/node_modules/pacote/CHANGELOG.md
index 4c24dd4be2472d..55c0cda6861a5c 100644
--- a/deps/npm/node_modules/pacote/CHANGELOG.md
+++ b/deps/npm/node_modules/pacote/CHANGELOG.md
@@ -2,6 +2,97 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+## [2.7.21](https://github.com/zkat/pacote/compare/v2.7.20...v2.7.21) (2017-05-25)
+
+
+### Bug Fixes
+
+* **registry:** stop URIEncoding username/password ([011c9a2](https://github.com/zkat/pacote/commit/011c9a2))
+
+
+
+
+## [2.7.20](https://github.com/zkat/pacote/compare/v2.7.19...v2.7.20) (2017-05-25)
+
+
+### Bug Fixes
+
+* **registry:** encode username and password for auth ([c48b651](https://github.com/zkat/pacote/commit/c48b651))
+
+
+
+
+## [2.7.19](https://github.com/zkat/pacote/compare/v2.7.18...v2.7.19) (2017-05-25)
+
+
+### Bug Fixes
+
+* **registry:** respect alwaysAuth ([150788a](https://github.com/zkat/pacote/commit/150788a))
+
+
+
+
+## [2.7.18](https://github.com/zkat/pacote/compare/v2.7.17...v2.7.18) (2017-05-25)
+
+
+### Bug Fixes
+
+* **cache:** pass uid/gid settings through to mfh ([d8845df](https://github.com/zkat/pacote/commit/d8845df))
+* **deps:** update m-f-h for cache opts fix ([faab6cd](https://github.com/zkat/pacote/commit/faab6cd))
+
+
+
+
+## [2.7.17](https://github.com/zkat/pacote/compare/v2.7.16...v2.7.17) (2017-05-25)
+
+
+### Bug Fixes
+
+* **deps:** bump cacache ([34bd656](https://github.com/zkat/pacote/commit/34bd656))
+
+
+
+
+## [2.7.16](https://github.com/zkat/pacote/compare/v2.7.15...v2.7.16) (2017-05-24)
+
+
+### Bug Fixes
+
+* **deps:** pull in various fixes from deps ([4354703](https://github.com/zkat/pacote/commit/4354703))
+
+
+
+
+## [2.7.15](https://github.com/zkat/pacote/compare/v2.7.14...v2.7.15) (2017-05-24)
+
+
+### Bug Fixes
+
+* **proxy:** bump m-f-h with more patches ([26d4170](https://github.com/zkat/pacote/commit/26d4170))
+
+
+
+
+## [2.7.14](https://github.com/zkat/pacote/compare/v2.7.13...v2.7.14) (2017-05-24)
+
+
+### Bug Fixes
+
+* **proxy:** pull in new m-f-h with fixed http proxies ([d6a14e0](https://github.com/zkat/pacote/commit/d6a14e0))
+
+
+
+
+## [2.7.13](https://github.com/zkat/pacote/compare/v2.7.12...v2.7.13) (2017-05-23)
+
+
+### Bug Fixes
+
+* **deps:** bump dep versions to fix http redirect issues ([b23a9fa](https://github.com/zkat/pacote/commit/b23a9fa))
+
+
+
 
 ## [2.7.12](https://github.com/zkat/pacote/compare/v2.7.11...v2.7.12) (2017-05-16)
 
diff --git a/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js b/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
index 914053c79f5ae4..46a926a1a15b93 100644
--- a/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
+++ b/deps/npm/node_modules/pacote/lib/fetchers/registry/fetch.js
@@ -1,5 +1,6 @@
 'use strict'
 
+const BB = require('bluebird')
 const Buffer = require('safe-buffer').Buffer
 
 const checkWarnings = require('./check-warning-header')
@@ -19,10 +20,13 @@ function regFetch (uri, registry, opts) {
     integrity: opts.integrity,
     memoize: opts.memoize,
     noProxy: opts.noProxy,
+    Promise: BB,
     proxy: opts.proxy,
     referer: opts.refer,
     retry: opts.retry,
-    timeout: opts.timeout
+    timeout: opts.timeout,
+    uid: opts.uid,
+    gid: opts.gid
   }).then(res => {
     if (res.headers.has('npm-notice') && !res.headers.has('x-local-cache')) {
       opts.log.warn('notice', res.headers.get('npm-notice'))
@@ -75,14 +79,17 @@ function getHeaders (uri, registry, opts) {
   }, opts.headers)
   const auth = (
     opts.auth &&
-    // If these two are on different hosts, don't send credentials.
-    // This is mainly used by the tarball fetcher.
-    url.parse(uri).host === url.parse(registry).host &&
     opts.auth[registryKey(registry)]
   )
-  if (auth && auth.token) {
+  // If a tarball is hosted on a different place than the manifest, only send
+  // credentials on `alwaysAuth`
+  const shouldAuth = auth && (
+    auth.alwaysAuth ||
+    url.parse(uri).host === url.parse(registry).host
+  )
+  if (shouldAuth && auth.token) {
     headers.authorization = `Bearer ${auth.token}`
-  } else if (auth && opts.alwaysAuth && auth.username && auth.password) {
+  } else if (shouldAuth && auth.username && auth.password) {
     const encoded = Buffer.from(
       `${auth.username}:${auth.password}`, 'utf8'
     ).toString('base64')
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/CHANGELOG.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/CHANGELOG.md
index 0164c37d81836b..854388027b0634 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/CHANGELOG.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/CHANGELOG.md
@@ -2,6 +2,68 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+## [2.4.9](https://github.com/zkat/make-fetch-happen/compare/v2.4.8...v2.4.9) (2017-05-25)
+
+
+### Bug Fixes
+
+* **cache:** use the passed-in promise for resolving cache stuff ([4c46257](https://github.com/zkat/make-fetch-happen/commit/4c46257))
+
+
+
+
+## [2.4.8](https://github.com/zkat/make-fetch-happen/compare/v2.4.7...v2.4.8) (2017-05-25)
+
+
+### Bug Fixes
+
+* **cache:** pass uid/gid/Promise through to cache ([a847c92](https://github.com/zkat/make-fetch-happen/commit/a847c92))
+
+
+
+
+## [2.4.7](https://github.com/zkat/make-fetch-happen/compare/v2.4.6...v2.4.7) (2017-05-24)
+
+
+### Bug Fixes
+
+* **deps:** pull in various fixes from deps ([fc2a587](https://github.com/zkat/make-fetch-happen/commit/fc2a587))
+
+
+
+
+## [2.4.6](https://github.com/zkat/make-fetch-happen/compare/v2.4.5...v2.4.6) (2017-05-24)
+
+
+### Bug Fixes
+
+* **proxy:** choose agent for http(s)-proxy by protocol of destUrl ([ea4832a](https://github.com/zkat/make-fetch-happen/commit/ea4832a))
+* **proxy:** make socks proxy working ([1de810a](https://github.com/zkat/make-fetch-happen/commit/1de810a))
+* **proxy:** revert previous proxy solution ([563b0d8](https://github.com/zkat/make-fetch-happen/commit/563b0d8))
+
+
+
+
+## [2.4.5](https://github.com/zkat/make-fetch-happen/compare/v2.4.4...v2.4.5) (2017-05-24)
+
+
+### Bug Fixes
+
+* **proxy:** use the destination url when determining agent ([1a714e7](https://github.com/zkat/make-fetch-happen/commit/1a714e7))
+
+
+
+
+## [2.4.4](https://github.com/zkat/make-fetch-happen/compare/v2.4.3...v2.4.4) (2017-05-23)
+
+
+### Bug Fixes
+
+* **redirect:** handle redirects explicitly  (#27) ([4c4af54](https://github.com/zkat/make-fetch-happen/commit/4c4af54))
+
+
+
 
 ## [2.4.3](https://github.com/zkat/make-fetch-happen/compare/v2.4.2...v2.4.3) (2017-05-06)
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/agent.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/agent.js
index fb97208a020635..0100498947e21f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/agent.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/agent.js
@@ -34,7 +34,7 @@ function getAgent (uri, opts) {
   }
 
   if (pxuri) {
-    const proxy = getProxy(pxuri, opts)
+    const proxy = getProxy(pxuri, opts, isHttps)
     AGENT_CACHE.set(key, proxy)
     return proxy
   }
@@ -120,7 +120,7 @@ function getProxyUri (uri, opts) {
 let HttpProxyAgent
 let HttpsProxyAgent
 let SocksProxyAgent
-function getProxy (proxyUrl, opts) {
+function getProxy (proxyUrl, opts, isHttps) {
   let popts = {
     host: proxyUrl.hostname,
     port: proxyUrl.port,
@@ -134,21 +134,22 @@ function getProxy (proxyUrl, opts) {
     rejectUnauthorized: opts.strictSSL
   }
 
-  if (proxyUrl.protocol === 'http:') {
-    if (!HttpProxyAgent) {
-      HttpProxyAgent = require('http-proxy-agent')
-    }
+  if (proxyUrl.protocol === 'http:' || proxyUrl.protocol === 'https:') {
+    if (!isHttps) {
+      if (!HttpProxyAgent) {
+        HttpProxyAgent = require('http-proxy-agent')
+      }
 
-    return new HttpProxyAgent(popts)
-  }
-  if (proxyUrl.protocol === 'https:') {
-    if (!HttpsProxyAgent) {
-      HttpsProxyAgent = require('https-proxy-agent')
-    }
+      return new HttpProxyAgent(popts)
+    } else {
+      if (!HttpsProxyAgent) {
+        HttpsProxyAgent = require('https-proxy-agent')
+      }
 
-    return new HttpsProxyAgent(popts)
+      return new HttpsProxyAgent(popts)
+    }
   }
-  if (proxyUrl.startsWith('socks')) {
+  if (proxyUrl.protocol.startsWith('socks')) {
     if (!SocksProxyAgent) {
       SocksProxyAgent = require('socks-proxy-agent')
     }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/cache.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/cache.js
index 85d755e8a51b8e..9aeae6b2f8e6d8 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/cache.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/cache.js
@@ -95,7 +95,7 @@ module.exports = class Cache {
             }
           })
         }
-        return Promise.resolve(new fetch.Response(body, {
+        return this.Promise.resolve(new fetch.Response(body, {
           url: req.url,
           headers: resHeaders,
           status: 200,
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/index.js
index 1eadece3c97253..18a2893538ad73 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/index.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/index.js
@@ -1,6 +1,7 @@
 'use strict'
 
 let Cache
+const url = require('url')
 const CachePolicy = require('http-cache-semantics')
 const fetch = require('node-fetch-npm')
 const pkg = require('./package.json')
@@ -10,6 +11,7 @@ const Stream = require('stream')
 const getAgent = require('./agent')
 const setWarning = require('./warning')
 
+const isURL = /^https?:/
 const USER_AGENT = `${pkg.name}/${pkg.version} (+https://npm.im/${pkg.name})`
 
 const RETRY_ERRORS = [
@@ -50,7 +52,7 @@ function initializeCache (opts) {
       Cache = require('./cache')
     }
 
-    opts.cacheManager = new Cache(opts.cacheManager)
+    opts.cacheManager = new Cache(opts.cacheManager, opts)
   }
 
   opts.cache = opts.cache || 'default'
@@ -303,8 +305,9 @@ function remoteFetch (uri, opts) {
     follow: opts.follow,
     headers: new fetch.Headers(headers),
     method: opts.method,
-    redirect: opts.redirect,
+    redirect: 'manual',
     size: opts.size,
+    counter: opts.counter,
     timeout: opts.timeout
   }
 
@@ -357,7 +360,59 @@ function remoteFetch (uri, opts) {
             return retryHandler(res)
           }
 
-          return res
+          if (!fetch.isRedirect(res.status) || opts.redirect === 'manual') {
+            return res
+          }
+
+          // handle redirects - matches behavior of npm-fetch: https://github.com/bitinn/node-fetch
+          if (opts.redirect === 'error') {
+            const err = new Error(`redirect mode is set to error: ${uri}`)
+            err.code = 'ENOREDIRECT'
+            throw err
+          }
+
+          if (!res.headers.get('location')) {
+            const err = new Error(`redirect location header missing at: ${uri}`)
+            err.code = 'EINVALIDREDIRECT'
+            throw err
+          }
+
+          if (req.counter >= req.follow) {
+            const err = new Error(`maximum redirect reached at: ${uri}`)
+            err.code = 'EMAXREDIRECT'
+            throw err
+          }
+
+          const resolvedUrl = url.resolve(req.url, res.headers.get('location'))
+          let redirectURL = url.parse(resolvedUrl)
+
+          if (isURL.test(res.headers.get('location'))) {
+            redirectURL = url.parse(res.headers.get('location'))
+          }
+
+          // Remove authorization if changing hostnames (but not if just
+          // changing ports or protocols).  This matches the behavior of request:
+          // https://github.com/request/request/blob/b12a6245/lib/redirect.js#L134-L138
+          if (url.parse(req.url).hostname !== redirectURL.hostname) {
+            req.headers.delete('authorization')
+          }
+
+          // for POST request with 301/302 response, or any request with 303 response,
+          // use GET when following redirect
+          if (res.status === 303 ||
+            ((res.status === 301 || res.status === 302) && req.method === 'POST')) {
+            opts.method = 'GET'
+            opts.body = null
+            req.headers.delete('content-length')
+          }
+
+          opts.headers = {}
+          req.headers.forEach((value, name) => {
+            opts.headers[name] = value
+          })
+
+          opts.counter = ++req.counter
+          return cachingFetch(resolvedUrl, opts)
         })
         .catch(err => {
           const code = err.code === 'EPROMISERETRY' ? err.retried.code : err.code
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/History.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/History.md
index b1729dbc722172..b1595870501193 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/History.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/History.md
@@ -1,4 +1,9 @@
 
+1.2.1 / 2017-05-19
+==================
+
+  * fix: package.json to reduce vulnerabilities (#3)
+
 1.2.0 / 2016-05-21
 ==================
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/LICENSE b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/LICENSE
new file mode 100644
index 00000000000000..89de354795ec7a
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/LICENSE
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/index.js
index e904c7054bc378..6a522b16b3a3bf 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/index.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/index.js
@@ -2,11 +2,11 @@
  * Helpers.
  */
 
-var s = 1000
-var m = s * 60
-var h = m * 60
-var d = h * 24
-var y = d * 365.25
+var s = 1000;
+var m = s * 60;
+var h = m * 60;
+var d = h * 24;
+var y = d * 365.25;
 
 /**
  * Parse or format the given `val`.
@@ -22,18 +22,19 @@ var y = d * 365.25
  * @api public
  */
 
-module.exports = function (val, options) {
-  options = options || {}
-  var type = typeof val
+module.exports = function(val, options) {
+  options = options || {};
+  var type = typeof val;
   if (type === 'string' && val.length > 0) {
-    return parse(val)
+    return parse(val);
   } else if (type === 'number' && isNaN(val) === false) {
-    return options.long ?
-			fmtLong(val) :
-			fmtShort(val)
+    return options.long ? fmtLong(val) : fmtShort(val);
   }
-  throw new Error('val is not a non-empty string or a valid number. val=' + JSON.stringify(val))
-}
+  throw new Error(
+    'val is not a non-empty string or a valid number. val=' +
+      JSON.stringify(val)
+  );
+};
 
 /**
  * Parse the given `str` and return milliseconds.
@@ -44,53 +45,55 @@ module.exports = function (val, options) {
  */
 
 function parse(str) {
-  str = String(str)
-  if (str.length > 10000) {
-    return
+  str = String(str);
+  if (str.length > 100) {
+    return;
   }
-  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(str)
+  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(
+    str
+  );
   if (!match) {
-    return
+    return;
   }
-  var n = parseFloat(match[1])
-  var type = (match[2] || 'ms').toLowerCase()
+  var n = parseFloat(match[1]);
+  var type = (match[2] || 'ms').toLowerCase();
   switch (type) {
     case 'years':
     case 'year':
     case 'yrs':
     case 'yr':
     case 'y':
-      return n * y
+      return n * y;
     case 'days':
     case 'day':
     case 'd':
-      return n * d
+      return n * d;
     case 'hours':
     case 'hour':
     case 'hrs':
     case 'hr':
     case 'h':
-      return n * h
+      return n * h;
     case 'minutes':
     case 'minute':
     case 'mins':
     case 'min':
     case 'm':
-      return n * m
+      return n * m;
     case 'seconds':
     case 'second':
     case 'secs':
     case 'sec':
     case 's':
-      return n * s
+      return n * s;
     case 'milliseconds':
     case 'millisecond':
     case 'msecs':
     case 'msec':
     case 'ms':
-      return n
+      return n;
     default:
-      return undefined
+      return undefined;
   }
 }
 
@@ -104,18 +107,18 @@ function parse(str) {
 
 function fmtShort(ms) {
   if (ms >= d) {
-    return Math.round(ms / d) + 'd'
+    return Math.round(ms / d) + 'd';
   }
   if (ms >= h) {
-    return Math.round(ms / h) + 'h'
+    return Math.round(ms / h) + 'h';
   }
   if (ms >= m) {
-    return Math.round(ms / m) + 'm'
+    return Math.round(ms / m) + 'm';
   }
   if (ms >= s) {
-    return Math.round(ms / s) + 's'
+    return Math.round(ms / s) + 's';
   }
-  return ms + 'ms'
+  return ms + 'ms';
 }
 
 /**
@@ -131,7 +134,7 @@ function fmtLong(ms) {
     plural(ms, h, 'hour') ||
     plural(ms, m, 'minute') ||
     plural(ms, s, 'second') ||
-    ms + ' ms'
+    ms + ' ms';
 }
 
 /**
@@ -140,10 +143,10 @@ function fmtLong(ms) {
 
 function plural(ms, n, name) {
   if (ms < n) {
-    return
+    return;
   }
   if (ms < n * 1.5) {
-    return Math.floor(ms / n) + ' ' + name
+    return Math.floor(ms / n) + ' ' + name;
   }
-  return Math.ceil(ms / n) + ' ' + name + 's'
+  return Math.ceil(ms / n) + ' ' + name + 's';
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/package.json
index 186ca293c92c97..5bf17fa25e7300 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/package.json
@@ -1,72 +1,69 @@
 {
-  "_from": "ms@~0.7.0",
-  "_id": "ms@0.7.3",
-  "_integrity": "sha1-cIFVpeROM/X9D8U+gdDUCpG+H/8=",
+  "_from": "ms@^2.0.0",
+  "_id": "ms@2.0.0",
+  "_inBundle": false,
+  "_integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
   "_location": "/pacote/make-fetch-happen/agentkeepalive/humanize-ms/ms",
   "_phantomChildren": {},
   "_requested": {
     "type": "range",
     "registry": true,
-    "raw": "ms@~0.7.0",
+    "raw": "ms@^2.0.0",
     "name": "ms",
     "escapedName": "ms",
-    "rawSpec": "~0.7.0",
+    "rawSpec": "^2.0.0",
     "saveSpec": null,
-    "fetchSpec": "~0.7.0"
+    "fetchSpec": "^2.0.0"
   },
   "_requiredBy": [
     "/pacote/make-fetch-happen/agentkeepalive/humanize-ms"
   ],
-  "_resolved": "https://registry.npmjs.org/ms/-/ms-0.7.3.tgz",
-  "_shasum": "708155a5e44e33f5fd0fc53e81d0d40a91be1fff",
-  "_shrinkwrap": null,
-  "_spec": "ms@~0.7.0",
+  "_resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+  "_shasum": "5608aeadfc00be6c2901df5f9861788de0d597c8",
+  "_spec": "ms@^2.0.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms",
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zeit/ms/issues"
   },
   "bundleDependencies": false,
-  "component": {
-    "scripts": {
-      "ms/index.js": "index.js"
-    }
-  },
-  "dependencies": {},
   "deprecated": false,
   "description": "Tiny milisecond conversion utility",
   "devDependencies": {
+    "eslint": "3.19.0",
     "expect.js": "0.3.1",
-    "mocha": "3.0.2",
-    "serve": "5.0.1",
-    "xo": "0.17.0"
+    "husky": "0.13.3",
+    "lint-staged": "3.4.1",
+    "mocha": "3.4.1"
+  },
+  "eslintConfig": {
+    "extends": "eslint:recommended",
+    "env": {
+      "node": true,
+      "es6": true
+    }
   },
   "files": [
     "index.js"
   ],
   "homepage": "https://github.com/zeit/ms#readme",
   "license": "MIT",
+  "lint-staged": {
+    "*.js": [
+      "npm run lint",
+      "prettier --single-quote --write",
+      "git add"
+    ]
+  },
   "main": "./index",
   "name": "ms",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zeit/ms.git"
   },
   "scripts": {
-    "test": "xo && mocha test/index.js",
-    "test-browser": "serve ./test"
+    "lint": "eslint lib/* bin/*",
+    "precommit": "lint-staged",
+    "test": "mocha tests.js"
   },
-  "version": "0.7.3",
-  "xo": {
-    "space": true,
-    "semicolon": false,
-    "envs": [
-      "mocha"
-    ],
-    "rules": {
-      "complexity": 0
-    }
-  }
+  "version": "2.0.0"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/readme.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/readme.md
index 5b475707d8aaf0..84a9974cccd81f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/readme.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/node_modules/ms/readme.md
@@ -1,8 +1,7 @@
 # ms
 
 [![Build Status](https://travis-ci.org/zeit/ms.svg?branch=master)](https://travis-ci.org/zeit/ms)
-[![XO code style](https://img.shields.io/badge/code_style-XO-5ed9c7.svg)](https://github.com/sindresorhus/xo)
-[![Slack Channel](https://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
+[![Slack Channel](http://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
 
 Use this package to easily convert various time formats to milliseconds.
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/package.json
index a10e71dd997e2a..14ea394c4b2d93 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive/node_modules/humanize-ms/package.json
@@ -1,7 +1,8 @@
 {
   "_from": "humanize-ms@^1.2.0",
-  "_id": "humanize-ms@1.2.0",
-  "_integrity": "sha1-TWkaH6G4eYl4mvjljN39VQYi5NQ=",
+  "_id": "humanize-ms@1.2.1",
+  "_inBundle": false,
+  "_integrity": "sha1-xG4xWaKT9riW2ikxbYtv6Lt5u+0=",
   "_location": "/pacote/make-fetch-happen/agentkeepalive/humanize-ms",
   "_phantomChildren": {},
   "_requested": {
@@ -17,9 +18,8 @@
   "_requiredBy": [
     "/pacote/make-fetch-happen/agentkeepalive"
   ],
-  "_resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.0.tgz",
-  "_shasum": "4d691a1fa1b87989789af8e58cddfd550622e4d4",
-  "_shrinkwrap": null,
+  "_resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.1.tgz",
+  "_shasum": "c46e3159a293f6b896da29316d8b6fe8bb79bbed",
   "_spec": "humanize-ms@^1.2.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/agentkeepalive",
   "author": {
@@ -27,13 +27,12 @@
     "email": "dead_horse@qq.com",
     "url": "http://deadhorse.me"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/node-modules/humanize-ms/issues"
   },
   "bundleDependencies": false,
   "dependencies": {
-    "ms": "~0.7.0"
+    "ms": "^2.0.0"
   },
   "deprecated": false,
   "description": "transform humanize time to ms",
@@ -56,8 +55,6 @@
   "license": "MIT",
   "main": "index.js",
   "name": "humanize-ms",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/node-modules/humanize-ms.git"
@@ -65,5 +62,5 @@
   "scripts": {
     "test": "make test"
   },
-  "version": "1.2.0"
+  "version": "1.2.1"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/CHANGELOG.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/CHANGELOG.md
index a9def50cf8652b..3dfb812968eedf 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/CHANGELOG.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/CHANGELOG.md
@@ -1,8 +1,15 @@
 
-2.6.6 / 2017-04-27
+2.6.8 / 2017-05-18
 ==================
 
-  * Fix: regression from removal of undefined check (@thebigredgeek)
+  * Fix: Check for undefined on browser globals (#462, @marbemac)
+
+2.6.7 / 2017-05-16
+==================
+
+  * Fix: Update ms to 2.0.0 to fix regular expression denial of service vulnerability (#458, @hubdotcom)
+  * Fix: Inline extend function in node implementation (#452, @dougwilson)
+  * Docs: Fix typo (#455, @msasad)
 
 2.6.5 / 2017-04-27
 ==================
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/README.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/README.md
index 9b70a382f952c8..bc59ae86e87719 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/README.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/README.md
@@ -100,7 +100,7 @@ Then, run the program to be debugged as usual.
 
 | Name      | Purpose                                         |
 |-----------|-------------------------------------------------|
-| `DEBUG`   | Enables/disabled specific debugging namespaces. |
+| `DEBUG`   | Enables/disables specific debugging namespaces. |
 | `DEBUG_COLORS`| Whether or not to use colors in the debug output. |
 | `DEBUG_DEPTH` | Object inspection depth. |
 | `DEBUG_SHOW_HIDDEN` | Shows hidden properties on inspected objects. |
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/component.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/component.json
index 0705b91aa77bc4..94cd36d8b6c106 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/component.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/component.json
@@ -2,7 +2,7 @@
   "name": "debug",
   "repo": "visionmedia/debug",
   "description": "small debugging utility",
-  "version": "2.6.6",
+  "version": "2.6.8",
   "keywords": [
     "debug",
     "log",
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/index.js
index e904c7054bc378..6a522b16b3a3bf 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/index.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/index.js
@@ -2,11 +2,11 @@
  * Helpers.
  */
 
-var s = 1000
-var m = s * 60
-var h = m * 60
-var d = h * 24
-var y = d * 365.25
+var s = 1000;
+var m = s * 60;
+var h = m * 60;
+var d = h * 24;
+var y = d * 365.25;
 
 /**
  * Parse or format the given `val`.
@@ -22,18 +22,19 @@ var y = d * 365.25
  * @api public
  */
 
-module.exports = function (val, options) {
-  options = options || {}
-  var type = typeof val
+module.exports = function(val, options) {
+  options = options || {};
+  var type = typeof val;
   if (type === 'string' && val.length > 0) {
-    return parse(val)
+    return parse(val);
   } else if (type === 'number' && isNaN(val) === false) {
-    return options.long ?
-			fmtLong(val) :
-			fmtShort(val)
+    return options.long ? fmtLong(val) : fmtShort(val);
   }
-  throw new Error('val is not a non-empty string or a valid number. val=' + JSON.stringify(val))
-}
+  throw new Error(
+    'val is not a non-empty string or a valid number. val=' +
+      JSON.stringify(val)
+  );
+};
 
 /**
  * Parse the given `str` and return milliseconds.
@@ -44,53 +45,55 @@ module.exports = function (val, options) {
  */
 
 function parse(str) {
-  str = String(str)
-  if (str.length > 10000) {
-    return
+  str = String(str);
+  if (str.length > 100) {
+    return;
   }
-  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(str)
+  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(
+    str
+  );
   if (!match) {
-    return
+    return;
   }
-  var n = parseFloat(match[1])
-  var type = (match[2] || 'ms').toLowerCase()
+  var n = parseFloat(match[1]);
+  var type = (match[2] || 'ms').toLowerCase();
   switch (type) {
     case 'years':
     case 'year':
     case 'yrs':
     case 'yr':
     case 'y':
-      return n * y
+      return n * y;
     case 'days':
     case 'day':
     case 'd':
-      return n * d
+      return n * d;
     case 'hours':
     case 'hour':
     case 'hrs':
     case 'hr':
     case 'h':
-      return n * h
+      return n * h;
     case 'minutes':
     case 'minute':
     case 'mins':
     case 'min':
     case 'm':
-      return n * m
+      return n * m;
     case 'seconds':
     case 'second':
     case 'secs':
     case 'sec':
     case 's':
-      return n * s
+      return n * s;
     case 'milliseconds':
     case 'millisecond':
     case 'msecs':
     case 'msec':
     case 'ms':
-      return n
+      return n;
     default:
-      return undefined
+      return undefined;
   }
 }
 
@@ -104,18 +107,18 @@ function parse(str) {
 
 function fmtShort(ms) {
   if (ms >= d) {
-    return Math.round(ms / d) + 'd'
+    return Math.round(ms / d) + 'd';
   }
   if (ms >= h) {
-    return Math.round(ms / h) + 'h'
+    return Math.round(ms / h) + 'h';
   }
   if (ms >= m) {
-    return Math.round(ms / m) + 'm'
+    return Math.round(ms / m) + 'm';
   }
   if (ms >= s) {
-    return Math.round(ms / s) + 's'
+    return Math.round(ms / s) + 's';
   }
-  return ms + 'ms'
+  return ms + 'ms';
 }
 
 /**
@@ -131,7 +134,7 @@ function fmtLong(ms) {
     plural(ms, h, 'hour') ||
     plural(ms, m, 'minute') ||
     plural(ms, s, 'second') ||
-    ms + ' ms'
+    ms + ' ms';
 }
 
 /**
@@ -140,10 +143,10 @@ function fmtLong(ms) {
 
 function plural(ms, n, name) {
   if (ms < n) {
-    return
+    return;
   }
   if (ms < n * 1.5) {
-    return Math.floor(ms / n) + ' ' + name
+    return Math.floor(ms / n) + ' ' + name;
   }
-  return Math.ceil(ms / n) + ' ' + name + 's'
+  return Math.ceil(ms / n) + ' ' + name + 's';
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/package.json
index 28311e8bdae18f..6c1e6fc3cc20e7 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/package.json
@@ -1,72 +1,69 @@
 {
-  "_from": "ms@0.7.3",
-  "_id": "ms@0.7.3",
-  "_integrity": "sha1-cIFVpeROM/X9D8U+gdDUCpG+H/8=",
+  "_from": "ms@2.0.0",
+  "_id": "ms@2.0.0",
+  "_inBundle": false,
+  "_integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
   "_location": "/pacote/make-fetch-happen/http-proxy-agent/debug/ms",
   "_phantomChildren": {},
   "_requested": {
     "type": "version",
     "registry": true,
-    "raw": "ms@0.7.3",
+    "raw": "ms@2.0.0",
     "name": "ms",
     "escapedName": "ms",
-    "rawSpec": "0.7.3",
+    "rawSpec": "2.0.0",
     "saveSpec": null,
-    "fetchSpec": "0.7.3"
+    "fetchSpec": "2.0.0"
   },
   "_requiredBy": [
     "/pacote/make-fetch-happen/http-proxy-agent/debug"
   ],
-  "_resolved": "https://registry.npmjs.org/ms/-/ms-0.7.3.tgz",
-  "_shasum": "708155a5e44e33f5fd0fc53e81d0d40a91be1fff",
-  "_shrinkwrap": null,
-  "_spec": "ms@0.7.3",
+  "_resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+  "_shasum": "5608aeadfc00be6c2901df5f9861788de0d597c8",
+  "_spec": "ms@2.0.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug",
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zeit/ms/issues"
   },
   "bundleDependencies": false,
-  "component": {
-    "scripts": {
-      "ms/index.js": "index.js"
-    }
-  },
-  "dependencies": {},
   "deprecated": false,
   "description": "Tiny milisecond conversion utility",
   "devDependencies": {
+    "eslint": "3.19.0",
     "expect.js": "0.3.1",
-    "mocha": "3.0.2",
-    "serve": "5.0.1",
-    "xo": "0.17.0"
+    "husky": "0.13.3",
+    "lint-staged": "3.4.1",
+    "mocha": "3.4.1"
+  },
+  "eslintConfig": {
+    "extends": "eslint:recommended",
+    "env": {
+      "node": true,
+      "es6": true
+    }
   },
   "files": [
     "index.js"
   ],
   "homepage": "https://github.com/zeit/ms#readme",
   "license": "MIT",
+  "lint-staged": {
+    "*.js": [
+      "npm run lint",
+      "prettier --single-quote --write",
+      "git add"
+    ]
+  },
   "main": "./index",
   "name": "ms",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zeit/ms.git"
   },
   "scripts": {
-    "test": "xo && mocha test/index.js",
-    "test-browser": "serve ./test"
+    "lint": "eslint lib/* bin/*",
+    "precommit": "lint-staged",
+    "test": "mocha tests.js"
   },
-  "version": "0.7.3",
-  "xo": {
-    "space": true,
-    "semicolon": false,
-    "envs": [
-      "mocha"
-    ],
-    "rules": {
-      "complexity": 0
-    }
-  }
+  "version": "2.0.0"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/readme.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/readme.md
index 5b475707d8aaf0..84a9974cccd81f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/readme.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/node_modules/ms/readme.md
@@ -1,8 +1,7 @@
 # ms
 
 [![Build Status](https://travis-ci.org/zeit/ms.svg?branch=master)](https://travis-ci.org/zeit/ms)
-[![XO code style](https://img.shields.io/badge/code_style-XO-5ed9c7.svg)](https://github.com/sindresorhus/xo)
-[![Slack Channel](https://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
+[![Slack Channel](http://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
 
 Use this package to easily convert various time formats to milliseconds.
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/package.json
index dad9ab5dd01473..1062dd985b5e49 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/package.json
@@ -1,7 +1,8 @@
 {
   "_from": "debug@2",
-  "_id": "debug@2.6.6",
-  "_integrity": "sha1-qfpvvpykPPHnn3O3XAGJy7fW21o=",
+  "_id": "debug@2.6.8",
+  "_inBundle": false,
+  "_integrity": "sha1-5zFTHKLt4n0YgiJCfaF4IdaP9Pw=",
   "_location": "/pacote/make-fetch-happen/http-proxy-agent/debug",
   "_phantomChildren": {},
   "_requested": {
@@ -17,16 +18,14 @@
   "_requiredBy": [
     "/pacote/make-fetch-happen/http-proxy-agent"
   ],
-  "_resolved": "https://registry.npmjs.org/debug/-/debug-2.6.6.tgz",
-  "_shasum": "a9fa6fbe9ca43cf1e79f73b75c0189cbb7d6db5a",
-  "_shrinkwrap": null,
+  "_resolved": "https://registry.npmjs.org/debug/-/debug-2.6.8.tgz",
+  "_shasum": "e731531ca2ede27d188222427da17821d68ff4fc",
   "_spec": "debug@2",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent",
   "author": {
     "name": "TJ Holowaychuk",
     "email": "tj@vision-media.ca"
   },
-  "bin": null,
   "browser": "./src/browser.js",
   "bugs": {
     "url": "https://github.com/visionmedia/debug/issues"
@@ -50,7 +49,7 @@
     }
   ],
   "dependencies": {
-    "ms": "0.7.3"
+    "ms": "2.0.0"
   },
   "deprecated": false,
   "description": "small debugging utility",
@@ -81,11 +80,9 @@
   "license": "MIT",
   "main": "./src/index.js",
   "name": "debug",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/visionmedia/debug.git"
   },
-  "version": "2.6.6"
+  "version": "2.6.8"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/browser.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/browser.js
index 053f4b898cd9b1..7106924934501f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/browser.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/browser.js
@@ -46,14 +46,14 @@ function useColors() {
 
   // is webkit? http://stackoverflow.com/a/16459606/376773
   // document is undefined in react-native: https://github.com/facebook/react-native/pull/1632
-  return (typeof document !== 'undefined' && document && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
+  return (typeof document !== 'undefined' && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
     // is firebug? http://stackoverflow.com/a/398120/376773
-    (typeof window !== 'undefined' && window && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
+    (typeof window !== 'undefined' && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
     // is firefox >= v31?
     // https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
-    (typeof navigator !== 'undefined' && navigator && navigator.userAgent && navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/) && parseInt(RegExp.$1, 10) >= 31) ||
+    (typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/) && parseInt(RegExp.$1, 10) >= 31) ||
     // double check webkit in userAgent just in case we are in a worker
-    (typeof navigator !== 'undefined' && navigator && navigator.userAgent && navigator.userAgent.toLowerCase().match(/applewebkit\/(\d+)/));
+    (typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/applewebkit\/(\d+)/));
 }
 
 /**
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/node.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/node.js
index 3c7407b6b73326..af61297683f138 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/node.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/http-proxy-agent/node_modules/debug/src/node.js
@@ -231,7 +231,12 @@ function createWritableStdioStream (fd) {
  */
 
 function init (debug) {
-  debug.inspectOpts = util._extend({}, exports.inspectOpts);
+  debug.inspectOpts = {};
+
+  var keys = Object.keys(exports.inspectOpts);
+  for (var i = 0; i < keys.length; i++) {
+    debug.inspectOpts[keys[i]] = exports.inspectOpts[keys[i]];
+  }
 }
 
 /**
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/CHANGELOG.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/CHANGELOG.md
index a9def50cf8652b..3dfb812968eedf 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/CHANGELOG.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/CHANGELOG.md
@@ -1,8 +1,15 @@
 
-2.6.6 / 2017-04-27
+2.6.8 / 2017-05-18
 ==================
 
-  * Fix: regression from removal of undefined check (@thebigredgeek)
+  * Fix: Check for undefined on browser globals (#462, @marbemac)
+
+2.6.7 / 2017-05-16
+==================
+
+  * Fix: Update ms to 2.0.0 to fix regular expression denial of service vulnerability (#458, @hubdotcom)
+  * Fix: Inline extend function in node implementation (#452, @dougwilson)
+  * Docs: Fix typo (#455, @msasad)
 
 2.6.5 / 2017-04-27
 ==================
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/README.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/README.md
index 9b70a382f952c8..bc59ae86e87719 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/README.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/README.md
@@ -100,7 +100,7 @@ Then, run the program to be debugged as usual.
 
 | Name      | Purpose                                         |
 |-----------|-------------------------------------------------|
-| `DEBUG`   | Enables/disabled specific debugging namespaces. |
+| `DEBUG`   | Enables/disables specific debugging namespaces. |
 | `DEBUG_COLORS`| Whether or not to use colors in the debug output. |
 | `DEBUG_DEPTH` | Object inspection depth. |
 | `DEBUG_SHOW_HIDDEN` | Shows hidden properties on inspected objects. |
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/component.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/component.json
index 0705b91aa77bc4..94cd36d8b6c106 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/component.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/component.json
@@ -2,7 +2,7 @@
   "name": "debug",
   "repo": "visionmedia/debug",
   "description": "small debugging utility",
-  "version": "2.6.6",
+  "version": "2.6.8",
   "keywords": [
     "debug",
     "log",
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/index.js
index e904c7054bc378..6a522b16b3a3bf 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/index.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/index.js
@@ -2,11 +2,11 @@
  * Helpers.
  */
 
-var s = 1000
-var m = s * 60
-var h = m * 60
-var d = h * 24
-var y = d * 365.25
+var s = 1000;
+var m = s * 60;
+var h = m * 60;
+var d = h * 24;
+var y = d * 365.25;
 
 /**
  * Parse or format the given `val`.
@@ -22,18 +22,19 @@ var y = d * 365.25
  * @api public
  */
 
-module.exports = function (val, options) {
-  options = options || {}
-  var type = typeof val
+module.exports = function(val, options) {
+  options = options || {};
+  var type = typeof val;
   if (type === 'string' && val.length > 0) {
-    return parse(val)
+    return parse(val);
   } else if (type === 'number' && isNaN(val) === false) {
-    return options.long ?
-			fmtLong(val) :
-			fmtShort(val)
+    return options.long ? fmtLong(val) : fmtShort(val);
   }
-  throw new Error('val is not a non-empty string or a valid number. val=' + JSON.stringify(val))
-}
+  throw new Error(
+    'val is not a non-empty string or a valid number. val=' +
+      JSON.stringify(val)
+  );
+};
 
 /**
  * Parse the given `str` and return milliseconds.
@@ -44,53 +45,55 @@ module.exports = function (val, options) {
  */
 
 function parse(str) {
-  str = String(str)
-  if (str.length > 10000) {
-    return
+  str = String(str);
+  if (str.length > 100) {
+    return;
   }
-  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(str)
+  var match = /^((?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(
+    str
+  );
   if (!match) {
-    return
+    return;
   }
-  var n = parseFloat(match[1])
-  var type = (match[2] || 'ms').toLowerCase()
+  var n = parseFloat(match[1]);
+  var type = (match[2] || 'ms').toLowerCase();
   switch (type) {
     case 'years':
     case 'year':
     case 'yrs':
     case 'yr':
     case 'y':
-      return n * y
+      return n * y;
     case 'days':
     case 'day':
     case 'd':
-      return n * d
+      return n * d;
     case 'hours':
     case 'hour':
     case 'hrs':
     case 'hr':
     case 'h':
-      return n * h
+      return n * h;
     case 'minutes':
     case 'minute':
     case 'mins':
     case 'min':
     case 'm':
-      return n * m
+      return n * m;
     case 'seconds':
     case 'second':
     case 'secs':
     case 'sec':
     case 's':
-      return n * s
+      return n * s;
     case 'milliseconds':
     case 'millisecond':
     case 'msecs':
     case 'msec':
     case 'ms':
-      return n
+      return n;
     default:
-      return undefined
+      return undefined;
   }
 }
 
@@ -104,18 +107,18 @@ function parse(str) {
 
 function fmtShort(ms) {
   if (ms >= d) {
-    return Math.round(ms / d) + 'd'
+    return Math.round(ms / d) + 'd';
   }
   if (ms >= h) {
-    return Math.round(ms / h) + 'h'
+    return Math.round(ms / h) + 'h';
   }
   if (ms >= m) {
-    return Math.round(ms / m) + 'm'
+    return Math.round(ms / m) + 'm';
   }
   if (ms >= s) {
-    return Math.round(ms / s) + 's'
+    return Math.round(ms / s) + 's';
   }
-  return ms + 'ms'
+  return ms + 'ms';
 }
 
 /**
@@ -131,7 +134,7 @@ function fmtLong(ms) {
     plural(ms, h, 'hour') ||
     plural(ms, m, 'minute') ||
     plural(ms, s, 'second') ||
-    ms + ' ms'
+    ms + ' ms';
 }
 
 /**
@@ -140,10 +143,10 @@ function fmtLong(ms) {
 
 function plural(ms, n, name) {
   if (ms < n) {
-    return
+    return;
   }
   if (ms < n * 1.5) {
-    return Math.floor(ms / n) + ' ' + name
+    return Math.floor(ms / n) + ' ' + name;
   }
-  return Math.ceil(ms / n) + ' ' + name + 's'
+  return Math.ceil(ms / n) + ' ' + name + 's';
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/package.json
index e1a8785c3ddcd8..edaef6e3554abe 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/package.json
@@ -1,72 +1,69 @@
 {
-  "_from": "ms@0.7.3",
-  "_id": "ms@0.7.3",
-  "_integrity": "sha1-cIFVpeROM/X9D8U+gdDUCpG+H/8=",
+  "_from": "ms@2.0.0",
+  "_id": "ms@2.0.0",
+  "_inBundle": false,
+  "_integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=",
   "_location": "/pacote/make-fetch-happen/https-proxy-agent/debug/ms",
   "_phantomChildren": {},
   "_requested": {
     "type": "version",
     "registry": true,
-    "raw": "ms@0.7.3",
+    "raw": "ms@2.0.0",
     "name": "ms",
     "escapedName": "ms",
-    "rawSpec": "0.7.3",
+    "rawSpec": "2.0.0",
     "saveSpec": null,
-    "fetchSpec": "0.7.3"
+    "fetchSpec": "2.0.0"
   },
   "_requiredBy": [
     "/pacote/make-fetch-happen/https-proxy-agent/debug"
   ],
-  "_resolved": "https://registry.npmjs.org/ms/-/ms-0.7.3.tgz",
-  "_shasum": "708155a5e44e33f5fd0fc53e81d0d40a91be1fff",
-  "_shrinkwrap": null,
-  "_spec": "ms@0.7.3",
+  "_resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+  "_shasum": "5608aeadfc00be6c2901df5f9861788de0d597c8",
+  "_spec": "ms@2.0.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug",
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zeit/ms/issues"
   },
   "bundleDependencies": false,
-  "component": {
-    "scripts": {
-      "ms/index.js": "index.js"
-    }
-  },
-  "dependencies": {},
   "deprecated": false,
   "description": "Tiny milisecond conversion utility",
   "devDependencies": {
+    "eslint": "3.19.0",
     "expect.js": "0.3.1",
-    "mocha": "3.0.2",
-    "serve": "5.0.1",
-    "xo": "0.17.0"
+    "husky": "0.13.3",
+    "lint-staged": "3.4.1",
+    "mocha": "3.4.1"
+  },
+  "eslintConfig": {
+    "extends": "eslint:recommended",
+    "env": {
+      "node": true,
+      "es6": true
+    }
   },
   "files": [
     "index.js"
   ],
   "homepage": "https://github.com/zeit/ms#readme",
   "license": "MIT",
+  "lint-staged": {
+    "*.js": [
+      "npm run lint",
+      "prettier --single-quote --write",
+      "git add"
+    ]
+  },
   "main": "./index",
   "name": "ms",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zeit/ms.git"
   },
   "scripts": {
-    "test": "xo && mocha test/index.js",
-    "test-browser": "serve ./test"
+    "lint": "eslint lib/* bin/*",
+    "precommit": "lint-staged",
+    "test": "mocha tests.js"
   },
-  "version": "0.7.3",
-  "xo": {
-    "space": true,
-    "semicolon": false,
-    "envs": [
-      "mocha"
-    ],
-    "rules": {
-      "complexity": 0
-    }
-  }
+  "version": "2.0.0"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/readme.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/readme.md
index 5b475707d8aaf0..84a9974cccd81f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/readme.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/node_modules/ms/readme.md
@@ -1,8 +1,7 @@
 # ms
 
 [![Build Status](https://travis-ci.org/zeit/ms.svg?branch=master)](https://travis-ci.org/zeit/ms)
-[![XO code style](https://img.shields.io/badge/code_style-XO-5ed9c7.svg)](https://github.com/sindresorhus/xo)
-[![Slack Channel](https://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
+[![Slack Channel](http://zeit-slackin.now.sh/badge.svg)](https://zeit.chat/)
 
 Use this package to easily convert various time formats to milliseconds.
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/package.json
index 49f3bb4fd4a8f9..ac0f1e8a9bd224 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/package.json
@@ -1,7 +1,8 @@
 {
   "_from": "debug@2",
-  "_id": "debug@2.6.6",
-  "_integrity": "sha1-qfpvvpykPPHnn3O3XAGJy7fW21o=",
+  "_id": "debug@2.6.8",
+  "_inBundle": false,
+  "_integrity": "sha1-5zFTHKLt4n0YgiJCfaF4IdaP9Pw=",
   "_location": "/pacote/make-fetch-happen/https-proxy-agent/debug",
   "_phantomChildren": {},
   "_requested": {
@@ -17,16 +18,14 @@
   "_requiredBy": [
     "/pacote/make-fetch-happen/https-proxy-agent"
   ],
-  "_resolved": "https://registry.npmjs.org/debug/-/debug-2.6.6.tgz",
-  "_shasum": "a9fa6fbe9ca43cf1e79f73b75c0189cbb7d6db5a",
-  "_shrinkwrap": null,
+  "_resolved": "https://registry.npmjs.org/debug/-/debug-2.6.8.tgz",
+  "_shasum": "e731531ca2ede27d188222427da17821d68ff4fc",
   "_spec": "debug@2",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent",
   "author": {
     "name": "TJ Holowaychuk",
     "email": "tj@vision-media.ca"
   },
-  "bin": null,
   "browser": "./src/browser.js",
   "bugs": {
     "url": "https://github.com/visionmedia/debug/issues"
@@ -50,7 +49,7 @@
     }
   ],
   "dependencies": {
-    "ms": "0.7.3"
+    "ms": "2.0.0"
   },
   "deprecated": false,
   "description": "small debugging utility",
@@ -81,11 +80,9 @@
   "license": "MIT",
   "main": "./src/index.js",
   "name": "debug",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/visionmedia/debug.git"
   },
-  "version": "2.6.6"
+  "version": "2.6.8"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/browser.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/browser.js
index 053f4b898cd9b1..7106924934501f 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/browser.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/browser.js
@@ -46,14 +46,14 @@ function useColors() {
 
   // is webkit? http://stackoverflow.com/a/16459606/376773
   // document is undefined in react-native: https://github.com/facebook/react-native/pull/1632
-  return (typeof document !== 'undefined' && document && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
+  return (typeof document !== 'undefined' && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance) ||
     // is firebug? http://stackoverflow.com/a/398120/376773
-    (typeof window !== 'undefined' && window && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
+    (typeof window !== 'undefined' && window.console && (window.console.firebug || (window.console.exception && window.console.table))) ||
     // is firefox >= v31?
     // https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
-    (typeof navigator !== 'undefined' && navigator && navigator.userAgent && navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/) && parseInt(RegExp.$1, 10) >= 31) ||
+    (typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/firefox\/(\d+)/) && parseInt(RegExp.$1, 10) >= 31) ||
     // double check webkit in userAgent just in case we are in a worker
-    (typeof navigator !== 'undefined' && navigator && navigator.userAgent && navigator.userAgent.toLowerCase().match(/applewebkit\/(\d+)/));
+    (typeof navigator !== 'undefined' && navigator.userAgent && navigator.userAgent.toLowerCase().match(/applewebkit\/(\d+)/));
 }
 
 /**
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/node.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/node.js
index 3c7407b6b73326..af61297683f138 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/node.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/https-proxy-agent/node_modules/debug/src/node.js
@@ -231,7 +231,12 @@ function createWritableStdioStream (fd) {
  */
 
 function init (debug) {
-  debug.inspectOpts = util._extend({}, exports.inspectOpts);
+  debug.inspectOpts = {};
+
+  var keys = Object.keys(exports.inspectOpts);
+  for (var i = 0; i < keys.length; i++) {
+    debug.inspectOpts[keys[i]] = exports.inspectOpts[keys[i]];
+  }
 }
 
 /**
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/CHANGELOG.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/CHANGELOG.md
index ec77cdd0231b44..e007b99929229b 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/CHANGELOG.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+## [2.0.1](https://github.com/npm/node-fetch-npm/compare/v2.0.0...v2.0.1) (2017-05-24)
+
+
+### Bug Fixes
+
+* **json:** improve JSON parse error reporting ([1c810df](https://github.com/npm/node-fetch-npm/commit/1c810df))
+
+
+
 
 # [2.0.0](https://github.com/npm/node-fetch-npm/compare/v1.0.1...v2.0.0) (2017-05-06)
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.editorconfig b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.editorconfig
new file mode 100644
index 00000000000000..fb7f73a832a4af
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.editorconfig
@@ -0,0 +1,14 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.js, **/*.js]
+indent_size = 4
+indent_style = space
+
+[{package.json,.travis.yml}]
+indent_size = 2
+indent_style = space
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.npmignore b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.npmignore
new file mode 100644
index 00000000000000..59d842baa84c8b
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/.npmignore
@@ -0,0 +1,28 @@
+# Logs
+logs
+*.log
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directory
+# Commenting this out is preferred by some people, see
+# https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git-
+node_modules
+
+# Users Environment Variables
+.lock-wscript
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/LICENSE b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/LICENSE
new file mode 100644
index 00000000000000..c3d2eb3550079b
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Sam Mikes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/README.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/README.md
new file mode 100644
index 00000000000000..ffad93584b19d4
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/README.md
@@ -0,0 +1,29 @@
+# json-parse-helpfulerror
+
+A drop-in replacement for `JSON.parse` that uses
+ to provide more useful error messages in the
+event of a parse error.
+
+# Example
+
+## Installation
+
+```
+npm i -S json-parse-helpfulerror
+```
+
+## Use
+
+```js
+var jph = require('json-parse-helpfulerror');
+
+var notJSON = "{'foo': 3}";     // keys must be double-quoted in JSON
+
+JSON.parse(notJSON);            // throws unhelpful error
+
+jph.parse("{'foo': 3}")         // throws more helpful error: "Unexpected token '\''..."
+```
+
+# License
+
+MIT
\ No newline at end of file
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/index.js
new file mode 100644
index 00000000000000..15648b017b3db5
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/index.js
@@ -0,0 +1,21 @@
+'use strict';
+
+var jju = require('jju');
+
+function parse(text, reviver) {
+    try {
+        return JSON.parse(text, reviver);
+    } catch (err) {
+        // we expect this to throw with a more informative message
+        jju.parse(text, {
+            mode: 'json',
+            reviver: reviver
+        });
+
+        // backup if jju is not as strict as JSON.parse; re-throw error
+        // data-dependent code path, I do not know how to cover it
+        throw err;
+    }
+}
+
+exports.parse = parse;
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/.npmignore b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/.npmignore
new file mode 100644
index 00000000000000..5ae40150eea106
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/.npmignore
@@ -0,0 +1,9 @@
+package.json
+node_modules
+test
+benchmark
+docs
+examples
+/.editorconfig
+/.eslint*
+/.travis.yml
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/LICENSE b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/LICENSE
new file mode 100644
index 00000000000000..5c93f456546877
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/LICENSE
@@ -0,0 +1,13 @@
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar 
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/README.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/README.md
new file mode 100644
index 00000000000000..3d61083fb04dd0
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/README.md
@@ -0,0 +1,242 @@
+`jju` - a set of utilities to work with JSON / JSON5 documents
+
+[![npm version badge](https://img.shields.io/npm/v/jju.svg)](https://www.npmjs.org/package/jju)
+[![travis badge](http://img.shields.io/travis/rlidwka/jju.svg)](https://travis-ci.org/rlidwka/jju)
+[![downloads badge](http://img.shields.io/npm/dm/jju.svg)](https://www.npmjs.org/package/jju)
+
+## Installation
+
+```
+npm install jju
+```
+
+## Usage
+
+This module provides following functions:
+
+1. [jju.parse()](#jjuparse-function) parses json/json5 text and returns a javascript value it corresponds to
+2. [jju.stringify()](#jjustringify-function) converts javascript value to an appropriate json/json5 text
+3. [jju.tokenize()](#jjutokenize-function) parses json/json5 text and returns an array of tokens it consists of ([see demo](http://rlidwka.github.io/jju/tokenizer.html))
+4. [jju.analyze()](#jjuanalyze-function) parses json/json5 text and tries to guess indentation, quoting style, etc.
+5. [jju.update()](#jjuupdate-function) changes json/json5 text, preserving original formatting as much as possible ([see demo](http://rlidwka.github.io/jju/editor.html))
+
+All functions are able to work with a standard JSON documents. `jju.parse()` and `jju.stringify()` are better in some cases, but slower than native `JSON.parse()` and `JSON.stringify()` versions. Detailed description see below.
+
+### jju.parse() function
+
+```javascript
+/*
+ * Main syntax:
+ *
+ * `text` - text to parse, type: String
+ * `options` - parser options, type: Object
+ */
+jju.parse(text[, options])
+
+// compatibility syntax
+jju.parse(text[, reviver])
+```
+
+Options:
+
+ - reserved\_keys - what to do with reserved keys (String, default="ignore")
+   - "ignore" - ignore reserved keys
+   - "throw" - throw SyntaxError in case of reserved keys
+   - "replace" - replace reserved keys, this is the default JSON.parse behaviour, unsafe
+
+     Reserved keys are keys that exist in an empty object (`hasOwnProperty`, `__proto__`, etc.).
+
+```javascript
+// 'ignore' will cause reserved keys to be ignored:
+parse('{hasOwnProperty: 1}', {reserved_keys: 'ignore'}) == {}
+parse('{hasOwnProperty: 1, x: 2}', {reserved_keys: 'ignore'}).hasOwnProperty('x') == true
+
+// 'throw' will cause SyntaxError in these cases:
+parse('{hasOwnProperty: 1}', {reserved_keys: 'throw'}) == SyntaxError
+
+// 'replace' will replace reserved keys with new ones:
+parse('{hasOwnProperty: 1}', {reserved_keys: 'throw'}) == {hasOwnProperty: 1}
+parse('{hasOwnProperty: 1, x: 2}', {reserved_keys: 'ignore'}).hasOwnProperty('x') == TypeError
+```
+
+
+ - null\_prototype - create object as Object.create(null) instead of '{}' (Boolean)
+
+   if `reserved_keys != 'replace'`, default is **false**
+
+   if `reserved_keys == 'replace'`, default is **true**
+
+   It is usually unsafe and not recommended to change this option to false in the last case.
+
+ - reviver - reviver function - Function
+
+   This function should follow JSON specification
+
+ - mode - operation mode, set it to 'json' if you want to throw on non-strict json files (String)
+
+### jju.stringify() function
+
+```javascript
+/*
+ * Main syntax:
+ *
+ * `value` - value to serialize, type: *
+ * `options` - serializer options, type: Object
+ */
+jju.stringify(value[, options])
+
+// compatibility syntax
+jju.stringify(value[, replacer [, indent])
+```
+
+Options:
+
+ - ascii - output ascii only (Boolean, default=false)
+   If this option is enabled, output will not have any characters except of 0x20-0x7f.
+
+ - indent - indentation (String, Number or Boolean, default='\t')
+   This option follows JSON specification.
+
+ - quote - enquoting char (String, "'" or '"', default="'")
+ - quote\_keys - whether keys quoting in objects is required or not (String, default=false)
+   If you want `{"q": 1}` instead of `{q: 1}`, set it to true.
+
+ - sort\_keys - sort all keys while stringifying (Boolean or Function, default=false)
+   By default sort order will depend on implementation, with v8 it's insertion order. If set to `true`, all keys (but not arrays) will be sorted alphabetically. You can provide your own sorting function as well.
+
+ - replacer - replacer function or array (Function or Array)
+   This option follows JSON specification.
+
+ - no\_trailing\_comma = don't output trailing comma (Boolean, default=false)
+   If this option is set, arrays like this `[1,2,3,]` will never be generated. Otherwise they may be generated for pretty printing.
+
+ - mode - operation mode, set it to 'json' if you want correct json in the output (String)
+
+   Currently it's either 'json' or something else. If it is 'json', following options are implied:
+
+   - options.quote = '"'
+   - options.no\_trailing\_comma = true
+   - options.quote\_keys = true
+   - '\x' literals are not used
+
+### jju.tokenize() function
+
+```javascript
+/*
+ * Main syntax:
+ *
+ * `text` - text to tokenize, type: String
+ * `options` - parser options, type: Object
+ */
+jju.tokenize(text[, options])
+```
+
+Options are the same as for the `jju.parse` function.
+
+Return value is an array of tokens, where each token is an object:
+
+ - raw (String) - raw text of this token, if you join all raw's, you will get the original document
+ - type (String) - type of the token, can be `whitespace`, `comment`, `key`, `literal`, `separator` or `newline`
+ - stack (Array) - path to the current token in the syntax tree
+ - value - value of the token if token is a `key` or `literal`
+
+You can check tokenizer for yourself using [this demo](http://rlidwka.github.io/jju/tokenizer.html).
+
+### jju.analyze() function
+
+```javascript
+/*
+ * Main syntax:
+ *
+ * `text` - text to analyze, type: String
+ * `options` - parser options, type: Object
+ */
+jju.analyze(text[, options])
+```
+
+Options are the same as for the `jju.parse` function.
+
+Return value is an object defining a programming style in which the document was written.
+
+ - indent (String) - preferred indentation
+ - newline (String) - preferred newline
+ - quote (String) - `"` or `'` depending on which quote is preferred
+ - quote\_keys (Boolean) - `true` if unquoted keys were used at least once
+ - has\_whitespace (Boolean) - `true` if input has a whitespace token
+ - has\_comments (Boolean) - `true` if input has a comment token
+ - has\_newlines (Boolean) - `true` if input has a newline token
+ - has\_trailing\_comma (Boolean) - `true` if input has at least one trailing comma
+
+### jju.update() function
+
+```javascript
+/*
+ * Main syntax:
+ *
+ * `text` - original text, type: String
+ * `new_value` - new value you want to set
+ * `options` - parser or stringifier options, type: Object
+ */
+jju.update(text, new_value[, options])
+```
+
+If you want to update a JSON document, here is the general approach:
+
+```javascript
+// here is your original JSON document:
+var input = '{"foo": "bar", "baz": 123}'
+
+// you need to parse it first:
+var json = jju.parse(input, {mode: 'json'})
+// json is { foo: 'bar', baz: 123 }
+
+// then you can change it as you like:
+json.foo = 'quux'
+json.hello = 'world'
+
+// then you run an update function to change the original json:
+var output = jju.update(input, json, {mode: 'json'})
+// output is '{"foo": "quux", "baz": 123, "hello": "world"}'
+```
+
+Look at [this demo](http://rlidwka.github.io/jju/editor.html) to test various types of json.
+
+## Advantages over existing JSON libraries
+
+In a few cases it makes sense to use this module instead of built-in JSON methods.
+
+Parser:
+ - better error reporting with source code and line numbers
+
+In case of syntax error, JSON.parse does not return any good information to the user. This module does:
+
+```
+$ node -e 'require("jju").parse("[1,1,1,1,invalid]")'
+
+SyntaxError: Unexpected token 'i' at 0:9
+[1,1,1,1,invalid]
+         ^
+```
+
+This module is about 5 times slower, so if user experience matters to you more than performance, use this module. If you're working with a lot of machine-generated data, use JSON.parse instead.
+
+Stringifier:
+ - util.inspect-like pretty printing
+
+This module behaves more smart when dealing with object and arrays, and does not always print newlines in them:
+
+```
+$ node -e 'console.log(require("./").stringify([[,,,],,,[,,,,]], {mode:"json"}))'
+[
+        [null, null, null],
+        null,
+        null,
+        [null, null, null, null]
+]
+```
+
+JSON.stringify will split this into 15 lines, and it's hard to read.
+
+Yet again, this feature comes with a performance hit, so if user experience matters to you more than performance, use this module. If your JSON will be consumed by machines, use JSON.stringify instead.
+
+As a rule of thumb, if you use "space" argument to indent your JSON, you'd better use this module instead.
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/index.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/index.js
new file mode 100644
index 00000000000000..50f16249634fb6
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/index.js
@@ -0,0 +1,32 @@
+
+module.exports.__defineGetter__('parse', function() {
+	return require('./lib/parse').parse
+})
+
+module.exports.__defineGetter__('stringify', function() {
+	return require('./lib/stringify').stringify
+})
+
+module.exports.__defineGetter__('tokenize', function() {
+	return require('./lib/parse').tokenize
+})
+
+module.exports.__defineGetter__('update', function() {
+	return require('./lib/document').update
+})
+
+module.exports.__defineGetter__('analyze', function() {
+	return require('./lib/analyze').analyze
+})
+
+module.exports.__defineGetter__('utils', function() {
+	return require('./lib/utils')
+})
+
+/**package
+{ "name": "jju",
+  "version": "0.0.0",
+  "dependencies": {"js-yaml": "*"},
+  "scripts": {"postinstall": "js-yaml package.yaml > package.json ; npm install"}
+}
+**/
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/analyze.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/analyze.js
new file mode 100644
index 00000000000000..39303b0969081c
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/analyze.js
@@ -0,0 +1,91 @@
+/*
+ * Author: Alex Kocharin 
+ * GIT: https://github.com/rlidwka/jju
+ * License: WTFPL, grab your copy here: http://www.wtfpl.net/txt/copying/
+ */
+
+var tokenize = require('./parse').tokenize
+
+module.exports.analyze = function analyzeJSON(input, options) {
+  if (options == null) options = {}
+
+  if (!Array.isArray(input)) {
+    input = tokenize(input, options)
+  }
+
+  var result = {
+    has_whitespace: false,
+    has_comments: false,
+    has_newlines: false,
+    has_trailing_comma: false,
+    indent: '',
+    newline: '\n',
+    quote: '"',
+    quote_keys: true,
+  }
+
+  var stats = {
+    indent: {},
+    newline: {},
+    quote: {},
+  }
+
+  for (var i=0; i stats[k][b] ? a : b
+      })
+    }
+  }
+
+  return result
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/document.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/document.js
new file mode 100644
index 00000000000000..af1a01a03d062b
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/document.js
@@ -0,0 +1,484 @@
+/*
+ * Author: Alex Kocharin 
+ * GIT: https://github.com/rlidwka/jju
+ * License: WTFPL, grab your copy here: http://www.wtfpl.net/txt/copying/
+ */
+
+var assert = require('assert')
+var tokenize = require('./parse').tokenize
+var stringify = require('./stringify').stringify
+var analyze = require('./analyze').analyze
+
+function isObject(x) {
+  return typeof(x) === 'object' && x !== null
+}
+
+function value_to_tokenlist(value, stack, options, is_key, indent) {
+  options = Object.create(options)
+  options._stringify_key = !!is_key
+
+  if (indent) {
+    options._prefix = indent.prefix.map(function(x) {
+      return x.raw
+    }).join('')
+  }
+
+  if (options._splitMin == null) options._splitMin = 0
+  if (options._splitMax == null) options._splitMax = 0
+
+  var stringified = stringify(value, options)
+
+  if (is_key) {
+    return [ { raw: stringified, type: 'key', stack: stack, value: value } ]
+  }
+
+  options._addstack = stack
+  var result = tokenize(stringified, {
+    _addstack: stack,
+  })
+  result.data = null
+  return result
+}
+
+// '1.2.3' -> ['1','2','3']
+function arg_to_path(path) {
+  // array indexes
+  if (typeof(path) === 'number') path = String(path)
+
+  if (path === '') path = []
+  if (typeof(path) === 'string') path = path.split('.')
+
+  if (!Array.isArray(path)) throw Error('Invalid path type, string or array expected')
+  return path
+}
+
+// returns new [begin, end] or false if not found
+//
+//          {x:3, xxx: 111, y: [111,  {q: 1, e: 2}  ,333]  }
+// f('y',0) returns this       B^^^^^^^^^^^^^^^^^^^^^^^^E
+// then f('1',1) would reduce it to   B^^^^^^^^^^E
+function find_element_in_tokenlist(element, lvl, tokens, begin, end) {
+  while(tokens[begin].stack[lvl] != element) {
+    if (begin++ >= end) return false
+  }
+  while(tokens[end].stack[lvl] != element) {
+    if (end-- < begin) return false
+  }
+  return [begin, end]
+}
+
+function is_whitespace(token_type) {
+  return token_type === 'whitespace'
+      || token_type === 'newline'
+      || token_type === 'comment'
+}
+
+function find_first_non_ws_token(tokens, begin, end) {
+  while(is_whitespace(tokens[begin].type)) {
+    if (begin++ >= end) return false
+  }
+  return begin
+}
+
+function find_last_non_ws_token(tokens, begin, end) {
+  while(is_whitespace(tokens[end].type)) {
+    if (end-- < begin) return false
+  }
+  return end
+}
+
+/*
+ * when appending a new element of an object/array, we are trying to
+ * figure out the style used on the previous element
+ *
+ * return {prefix, sep1, sep2, suffix}
+ *
+ *      '    "key" :  "element"    \r\n'
+ * prefix^^^^ sep1^ ^^sep2     ^^^^^^^^suffix
+ *
+ * begin - the beginning of the object/array
+ * end - last token of the last element (value or comma usually)
+ */
+function detect_indent_style(tokens, is_array, begin, end, level) {
+  var result = {
+    sep1: [],
+    sep2: [],
+    suffix: [],
+    prefix: [],
+    newline: [],
+  }
+
+  if (tokens[end].type === 'separator' && tokens[end].stack.length !== level+1 && tokens[end].raw !== ',') {
+    // either a beginning of the array (no last element) or other weird situation
+    //
+    // just return defaults
+    return result
+  }
+
+  //                              ' "key"  : "value"  ,'
+  // skipping last separator, we're now here        ^^
+  if (tokens[end].type === 'separator')
+    end = find_last_non_ws_token(tokens, begin, end - 1)
+  if (end === false) return result
+
+  //                              ' "key"  : "value"  ,'
+  // skipping value                          ^^^^^^^
+  while(tokens[end].stack.length > level) end--
+
+  if (!is_array) {
+    while(is_whitespace(tokens[end].type)) {
+      if (end < begin) return result
+      if (tokens[end].type === 'whitespace') {
+        result.sep2.unshift(tokens[end])
+      } else {
+        // newline, comment or other unrecognized codestyle
+        return result
+      }
+      end--
+    }
+
+    //                              ' "key"  : "value"  ,'
+    // skipping separator                    ^
+    assert.equal(tokens[end].type, 'separator')
+    assert.equal(tokens[end].raw, ':')
+    while(is_whitespace(tokens[--end].type)) {
+      if (end < begin) return result
+      if (tokens[end].type === 'whitespace') {
+        result.sep1.unshift(tokens[end])
+      } else {
+        // newline, comment or other unrecognized codestyle
+        return result
+      }
+    }
+
+    assert.equal(tokens[end].type, 'key')
+    end--
+  }
+
+  //                              ' "key"  : "value"  ,'
+  // skipping key                   ^^^^^
+  while(is_whitespace(tokens[end].type)) {
+    if (end < begin) return result
+    if (tokens[end].type === 'whitespace') {
+      result.prefix.unshift(tokens[end])
+    } else if (tokens[end].type === 'newline') {
+      result.newline.unshift(tokens[end])
+      return result
+    } else {
+      // comment or other unrecognized codestyle
+      return result
+    }
+    end--
+  }
+
+  return result
+}
+
+function Document(text, options) {
+  var self = Object.create(Document.prototype)
+
+  if (options == null) options = {}
+  //options._structure = true
+  var tokens = self._tokens = tokenize(text, options)
+  self._data = tokens.data
+  tokens.data = null
+  self._options = options
+
+  var stats = analyze(text, options)
+  if (options.indent == null) {
+    options.indent = stats.indent
+  }
+  if (options.quote == null) {
+    options.quote = stats.quote
+  }
+  if (options.quote_keys == null) {
+    options.quote_keys = stats.quote_keys
+  }
+  if (options.no_trailing_comma == null) {
+    options.no_trailing_comma = !stats.has_trailing_comma
+  }
+  return self
+}
+
+// return true if it's a proper object
+//        throw otherwise
+function check_if_can_be_placed(key, object, is_unset) {
+  //if (object == null) return false
+  function error(add) {
+    return Error("You can't " + (is_unset ? 'unset' : 'set') + " key '" + key + "'" + add)
+  }
+
+  if (!isObject(object)) {
+    throw error(' of an non-object')
+  }
+  if (Array.isArray(object)) {
+    // array, check boundary
+    if (String(key).match(/^\d+$/)) {
+      key = Number(String(key))
+      if (object.length < key || (is_unset && object.length === key)) {
+        throw error(', out of bounds')
+      } else if (is_unset && object.length !== key+1) {
+        throw error(' in the middle of an array')
+      } else {
+        return true
+      }
+    } else {
+      throw error(' of an array')
+    }
+  } else {
+    // object
+    return true
+  }
+}
+
+// usage: document.set('path.to.something', 'value')
+//    or: document.set(['path','to','something'], 'value')
+Document.prototype.set = function(path, value) {
+  path = arg_to_path(path)
+
+  // updating this._data and check for errors
+  if (path.length === 0) {
+    if (value === undefined) throw Error("can't remove root document")
+    this._data = value
+    var new_key = false
+
+  } else {
+    var data = this._data
+
+    for (var i=0; i {x:1}`
+        // removing sep, literal and optional sep
+        // ':'
+        var pos2 = find_last_non_ws_token(this._tokens, pos_old[0], position[0] - 1)
+        assert.equal(this._tokens[pos2].type, 'separator')
+        assert.equal(this._tokens[pos2].raw, ':')
+        position[0] = pos2
+
+        // key
+        var pos2 = find_last_non_ws_token(this._tokens, pos_old[0], position[0] - 1)
+        assert.equal(this._tokens[pos2].type, 'key')
+        assert.equal(this._tokens[pos2].value, path[path.length-1])
+        position[0] = pos2
+      }
+
+      // removing comma in arrays and objects
+      var pos2 = find_last_non_ws_token(this._tokens, pos_old[0], position[0] - 1)
+      assert.equal(this._tokens[pos2].type, 'separator')
+      if (this._tokens[pos2].raw === ',') {
+        position[0] = pos2
+      } else {
+        // beginning of the array/object, so we should remove trailing comma instead
+        pos2 = find_first_non_ws_token(this._tokens, position[1] + 1, pos_old[1])
+        assert.equal(this._tokens[pos2].type, 'separator')
+        if (this._tokens[pos2].raw === ',') {
+          position[1] = pos2
+        }
+      }
+
+    } else {
+      var indent = pos2 !== false
+                 ? detect_indent_style(this._tokens, Array.isArray(data), pos_old[0], position[1] - 1, i)
+                 : {}
+      var newtokens = value_to_tokenlist(value, path, this._options, false, indent)
+    }
+
+  } else {
+    // insert new key, that's tricky
+    var path_1 = path.slice(0, i)
+
+    //  find a last separator after which we're inserting it
+    var pos2 = find_last_non_ws_token(this._tokens, position[0] + 1, position[1] - 1)
+    assert(pos2 !== false)
+
+    var indent = pos2 !== false
+               ? detect_indent_style(this._tokens, Array.isArray(data), position[0] + 1, pos2, i)
+               : {}
+
+    var newtokens = value_to_tokenlist(value, path, this._options, false, indent)
+
+    // adding leading whitespaces according to detected codestyle
+    var prefix = []
+    if (indent.newline && indent.newline.length)
+      prefix = prefix.concat(indent.newline)
+    if (indent.prefix && indent.prefix.length)
+      prefix = prefix.concat(indent.prefix)
+
+    // adding '"key":' (as in "key":"value") to object values
+    if (!Array.isArray(data)) {
+      prefix = prefix.concat(value_to_tokenlist(path[path.length-1], path_1, this._options, true))
+      if (indent.sep1 && indent.sep1.length)
+        prefix = prefix.concat(indent.sep1)
+      prefix.push({raw: ':', type: 'separator', stack: path_1})
+      if (indent.sep2 && indent.sep2.length)
+        prefix = prefix.concat(indent.sep2)
+    }
+
+    newtokens.unshift.apply(newtokens, prefix)
+
+    // check if prev token is a separator AND they're at the same level
+    if (this._tokens[pos2].type === 'separator' && this._tokens[pos2].stack.length === path.length-1) {
+      // previous token is either , or [ or {
+      if (this._tokens[pos2].raw === ',') {
+        // restore ending comma
+        newtokens.push({raw: ',', type: 'separator', stack: path_1})
+      }
+    } else {
+      // previous token isn't a separator, so need to insert one
+      newtokens.unshift({raw: ',', type: 'separator', stack: path_1})
+    }
+
+    if (indent.suffix && indent.suffix.length)
+      newtokens.push.apply(newtokens, indent.suffix)
+
+    assert.equal(this._tokens[position[1]].type, 'separator')
+    position[0] = pos2+1
+    position[1] = pos2
+  }
+
+  newtokens.unshift(position[1] - position[0] + 1)
+  newtokens.unshift(position[0])
+  this._tokens.splice.apply(this._tokens, newtokens)
+
+  return this
+}
+
+// convenience method
+Document.prototype.unset = function(path) {
+  return this.set(path, undefined)
+}
+
+Document.prototype.get = function(path) {
+  path = arg_to_path(path)
+
+  var data = this._data
+  for (var i=0; i old_data.length) {
+        // adding new elements, so going forward
+        for (var i=0; i=0; i--) {
+          path.push(String(i))
+          change(path, old_data[i], new_data[i])
+          path.pop()
+        }
+      }
+
+    } else {
+      // both values are objects here
+      for (var i in new_data) {
+        path.push(String(i))
+        change(path, old_data[i], new_data[i])
+        path.pop()
+      }
+
+      for (var i in old_data) {
+        if (i in new_data) continue
+        path.push(String(i))
+        change(path, old_data[i], new_data[i])
+        path.pop()
+      }
+    }
+  }
+}
+
+Document.prototype.toString = function() {
+  return this._tokens.map(function(x) {
+    return x.raw
+  }).join('')
+}
+
+module.exports.Document = Document
+
+module.exports.update = function updateJSON(source, new_value, options) {
+  return Document(source, options).update(new_value).toString()
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/parse.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/parse.js
new file mode 100644
index 00000000000000..025007f63b7060
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/parse.js
@@ -0,0 +1,764 @@
+/*
+ * Author: Alex Kocharin 
+ * GIT: https://github.com/rlidwka/jju
+ * License: WTFPL, grab your copy here: http://www.wtfpl.net/txt/copying/
+ */
+
+// RTFM: http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf
+
+var Uni = require('./unicode')
+
+function isHexDigit(x) {
+  return (x >= '0' && x <= '9')
+      || (x >= 'A' && x <= 'F')
+      || (x >= 'a' && x <= 'f')
+}
+
+function isOctDigit(x) {
+  return x >= '0' && x <= '7'
+}
+
+function isDecDigit(x) {
+  return x >= '0' && x <= '9'
+}
+
+var unescapeMap = {
+  '\'': '\'',
+  '"' : '"',
+  '\\': '\\',
+  'b' : '\b',
+  'f' : '\f',
+  'n' : '\n',
+  'r' : '\r',
+  't' : '\t',
+  'v' : '\v',
+  '/' : '/',
+}
+
+function formatError(input, msg, position, lineno, column, json5) {
+  var result = msg + ' at ' + (lineno + 1) + ':' + (column + 1)
+    , tmppos = position - column - 1
+    , srcline = ''
+    , underline = ''
+
+  var isLineTerminator = json5 ? Uni.isLineTerminator : Uni.isLineTerminatorJSON
+
+  // output no more than 70 characters before the wrong ones
+  if (tmppos < position - 70) {
+    tmppos = position - 70
+  }
+
+  while (1) {
+    var chr = input[++tmppos]
+
+    if (isLineTerminator(chr) || tmppos === input.length) {
+      if (position >= tmppos) {
+        // ending line error, so show it after the last char
+        underline += '^'
+      }
+      break
+    }
+    srcline += chr
+
+    if (position === tmppos) {
+      underline += '^'
+    } else if (position > tmppos) {
+      underline += input[tmppos] === '\t' ? '\t' : ' '
+    }
+
+    // output no more than 78 characters on the string
+    if (srcline.length > 78) break
+  }
+
+  return result + '\n' + srcline + '\n' + underline
+}
+
+function parse(input, options) {
+  // parse as a standard JSON mode
+  var json5 = false;
+  var cjson = false;
+
+  if (options.legacy || options.mode === 'json') {
+    // use json
+  } else if (options.mode === 'cjson') {
+    cjson = true;
+  } else if (options.mode === 'json5') {
+    json5 = true;
+  } else {
+    // use it by default
+    json5 = true;
+  }
+
+  var isLineTerminator = json5 ? Uni.isLineTerminator : Uni.isLineTerminatorJSON
+  var isWhiteSpace     = json5 ? Uni.isWhiteSpace     : Uni.isWhiteSpaceJSON
+
+  var length = input.length
+    , lineno = 0
+    , linestart = 0
+    , position = 0
+    , stack = []
+
+  var tokenStart = function() {}
+  var tokenEnd = function(v) {return v}
+
+  /* tokenize({
+       raw: '...',
+       type: 'whitespace'|'comment'|'key'|'literal'|'separator'|'newline',
+       value: 'number'|'string'|'whatever',
+       path: [...],
+     })
+  */
+  if (options._tokenize) {
+    ;(function() {
+      var start = null
+      tokenStart = function() {
+        if (start !== null) throw Error('internal error, token overlap')
+        start = position
+      }
+
+      tokenEnd = function(v, type) {
+        if (start != position) {
+          var hash = {
+            raw: input.substr(start, position-start),
+            type: type,
+            stack: stack.slice(0),
+          }
+          if (v !== undefined) hash.value = v
+          options._tokenize.call(null, hash)
+        }
+        start = null
+        return v
+      }
+    })()
+  }
+
+  function fail(msg) {
+    var column = position - linestart
+
+    if (!msg) {
+      if (position < length) {
+        var token = '\'' +
+          JSON
+            .stringify(input[position])
+            .replace(/^"|"$/g, '')
+            .replace(/'/g, "\\'")
+            .replace(/\\"/g, '"')
+          + '\''
+
+        if (!msg) msg = 'Unexpected token ' + token
+      } else {
+        if (!msg) msg = 'Unexpected end of input'
+      }
+    }
+
+    var error = SyntaxError(formatError(input, msg, position, lineno, column, json5))
+    error.row = lineno + 1
+    error.column = column + 1
+    throw error
+  }
+
+  function newline(chr) {
+    // account for 
+    if (chr === '\r' && input[position] === '\n') position++
+    linestart = position
+    lineno++
+  }
+
+  function parseGeneric() {
+    var result
+
+    while (position < length) {
+      tokenStart()
+      var chr = input[position++]
+
+      if (chr === '"' || (chr === '\'' && json5)) {
+        return tokenEnd(parseString(chr), 'literal')
+
+      } else if (chr === '{') {
+        tokenEnd(undefined, 'separator')
+        return parseObject()
+
+      } else if (chr === '[') {
+        tokenEnd(undefined, 'separator')
+        return parseArray()
+
+      } else if (chr === '-'
+             ||  chr === '.'
+             ||  isDecDigit(chr)
+                 //           + number       Infinity          NaN
+             ||  (json5 && (chr === '+' || chr === 'I' || chr === 'N'))
+      ) {
+        return tokenEnd(parseNumber(), 'literal')
+
+      } else if (chr === 'n') {
+        parseKeyword('null')
+        return tokenEnd(null, 'literal')
+
+      } else if (chr === 't') {
+        parseKeyword('true')
+        return tokenEnd(true, 'literal')
+
+      } else if (chr === 'f') {
+        parseKeyword('false')
+        return tokenEnd(false, 'literal')
+
+      } else {
+        position--
+        return tokenEnd(undefined)
+      }
+    }
+  }
+
+  function parseKey() {
+    var result
+
+    while (position < length) {
+      tokenStart()
+      var chr = input[position++]
+
+      if (chr === '"' || (chr === '\'' && json5)) {
+        return tokenEnd(parseString(chr), 'key')
+
+      } else if (chr === '{') {
+        tokenEnd(undefined, 'separator')
+        return parseObject()
+
+      } else if (chr === '[') {
+        tokenEnd(undefined, 'separator')
+        return parseArray()
+
+      } else if (chr === '.'
+             ||  isDecDigit(chr)
+      ) {
+        return tokenEnd(parseNumber(true), 'key')
+
+      } else if (json5
+             &&  Uni.isIdentifierStart(chr) || (chr === '\\' && input[position] === 'u')) {
+        // unicode char or a unicode sequence
+        var rollback = position - 1
+        var result = parseIdentifier()
+
+        if (result === undefined) {
+          position = rollback
+          return tokenEnd(undefined)
+        } else {
+          return tokenEnd(result, 'key')
+        }
+
+      } else {
+        position--
+        return tokenEnd(undefined)
+      }
+    }
+  }
+
+  function skipWhiteSpace() {
+    tokenStart()
+    while (position < length) {
+      var chr = input[position++]
+
+      if (isLineTerminator(chr)) {
+        position--
+        tokenEnd(undefined, 'whitespace')
+        tokenStart()
+        position++
+        newline(chr)
+        tokenEnd(undefined, 'newline')
+        tokenStart()
+
+      } else if (isWhiteSpace(chr)) {
+        // nothing
+
+      } else if (chr === '/'
+             && (json5 || cjson)
+             && (input[position] === '/' || input[position] === '*')
+      ) {
+        position--
+        tokenEnd(undefined, 'whitespace')
+        tokenStart()
+        position++
+        skipComment(input[position++] === '*')
+        tokenEnd(undefined, 'comment')
+        tokenStart()
+
+      } else {
+        position--
+        break
+      }
+    }
+    return tokenEnd(undefined, 'whitespace')
+  }
+
+  function skipComment(multi) {
+    while (position < length) {
+      var chr = input[position++]
+
+      if (isLineTerminator(chr)) {
+        // LineTerminator is an end of singleline comment
+        if (!multi) {
+          // let parent function deal with newline
+          position--
+          return
+        }
+
+        newline(chr)
+
+      } else if (chr === '*' && multi) {
+        // end of multiline comment
+        if (input[position] === '/') {
+          position++
+          return
+        }
+
+      } else {
+        // nothing
+      }
+    }
+
+    if (multi) {
+      fail('Unclosed multiline comment')
+    }
+  }
+
+  function parseKeyword(keyword) {
+    // keyword[0] is not checked because it should've checked earlier
+    var _pos = position
+    var len = keyword.length
+    for (var i=1; i= length || keyword[i] != input[position]) {
+        position = _pos-1
+        fail()
+      }
+      position++
+    }
+  }
+
+  function parseObject() {
+    var result = options.null_prototype ? Object.create(null) : {}
+      , empty_object = {}
+      , is_non_empty = false
+
+    while (position < length) {
+      skipWhiteSpace()
+      var item1 = parseKey()
+      skipWhiteSpace()
+      tokenStart()
+      var chr = input[position++]
+      tokenEnd(undefined, 'separator')
+
+      if (chr === '}' && item1 === undefined) {
+        if (!json5 && is_non_empty) {
+          position--
+          fail('Trailing comma in object')
+        }
+        return result
+
+      } else if (chr === ':' && item1 !== undefined) {
+        skipWhiteSpace()
+        stack.push(item1)
+        var item2 = parseGeneric()
+        stack.pop()
+
+        if (item2 === undefined) fail('No value found for key ' + item1)
+        if (typeof(item1) !== 'string') {
+          if (!json5 || typeof(item1) !== 'number') {
+            fail('Wrong key type: ' + item1)
+          }
+        }
+
+        if ((item1 in empty_object || empty_object[item1] != null) && options.reserved_keys !== 'replace') {
+          if (options.reserved_keys === 'throw') {
+            fail('Reserved key: ' + item1)
+          } else {
+            // silently ignore it
+          }
+        } else {
+          if (typeof(options.reviver) === 'function') {
+            item2 = options.reviver.call(null, item1, item2)
+          }
+
+          if (item2 !== undefined) {
+            is_non_empty = true
+            Object.defineProperty(result, item1, {
+              value: item2,
+              enumerable: true,
+              configurable: true,
+              writable: true,
+            })
+          }
+        }
+
+        skipWhiteSpace()
+
+        tokenStart()
+        var chr = input[position++]
+        tokenEnd(undefined, 'separator')
+
+        if (chr === ',') {
+          continue
+
+        } else if (chr === '}') {
+          return result
+
+        } else {
+          fail()
+        }
+
+      } else {
+        position--
+        fail()
+      }
+    }
+
+    fail()
+  }
+
+  function parseArray() {
+    var result = []
+
+    while (position < length) {
+      skipWhiteSpace()
+      stack.push(result.length)
+      var item = parseGeneric()
+      stack.pop()
+      skipWhiteSpace()
+      tokenStart()
+      var chr = input[position++]
+      tokenEnd(undefined, 'separator')
+
+      if (item !== undefined) {
+        if (typeof(options.reviver) === 'function') {
+          item = options.reviver.call(null, String(result.length), item)
+        }
+        if (item === undefined) {
+          result.length++
+          item = true // hack for check below, not included into result
+        } else {
+          result.push(item)
+        }
+      }
+
+      if (chr === ',') {
+        if (item === undefined) {
+          fail('Elisions are not supported')
+        }
+
+      } else if (chr === ']') {
+        if (!json5 && item === undefined && result.length) {
+          position--
+          fail('Trailing comma in array')
+        }
+        return result
+
+      } else {
+        position--
+        fail()
+      }
+    }
+  }
+
+  function parseNumber() {
+    // rewind because we don't know first char
+    position--
+
+    var start = position
+      , chr = input[position++]
+      , t
+
+    var to_num = function(is_octal) {
+      var str = input.substr(start, position - start)
+
+      if (is_octal) {
+        var result = parseInt(str.replace(/^0o?/, ''), 8)
+      } else {
+        var result = Number(str)
+      }
+
+      if (Number.isNaN(result)) {
+        position--
+        fail('Bad numeric literal - "' + input.substr(start, position - start + 1) + '"')
+      } else if (!json5 && !str.match(/^-?(0|[1-9][0-9]*)(\.[0-9]+)?(e[+-]?[0-9]+)?$/i)) {
+        // additional restrictions imposed by json
+        position--
+        fail('Non-json numeric literal - "' + input.substr(start, position - start + 1) + '"')
+      } else {
+        return result
+      }
+    }
+
+    // ex: -5982475.249875e+29384
+    //     ^ skipping this
+    if (chr === '-' || (chr === '+' && json5)) chr = input[position++]
+
+    if (chr === 'N' && json5) {
+      parseKeyword('NaN')
+      return NaN
+    }
+
+    if (chr === 'I' && json5) {
+      parseKeyword('Infinity')
+
+      // returning +inf or -inf
+      return to_num()
+    }
+
+    if (chr >= '1' && chr <= '9') {
+      // ex: -5982475.249875e+29384
+      //        ^^^ skipping these
+      while (position < length && isDecDigit(input[position])) position++
+      chr = input[position++]
+    }
+
+    // special case for leading zero: 0.123456
+    if (chr === '0') {
+      chr = input[position++]
+
+      //             new syntax, "0o777"           old syntax, "0777"
+      var is_octal = chr === 'o' || chr === 'O' || isOctDigit(chr)
+      var is_hex = chr === 'x' || chr === 'X'
+
+      if (json5 && (is_octal || is_hex)) {
+        while (position < length
+           &&  (is_hex ? isHexDigit : isOctDigit)( input[position] )
+        ) position++
+
+        var sign = 1
+        if (input[start] === '-') {
+          sign = -1
+          start++
+        } else if (input[start] === '+') {
+          start++
+        }
+
+        return sign * to_num(is_octal)
+      }
+    }
+
+    if (chr === '.') {
+      // ex: -5982475.249875e+29384
+      //                ^^^ skipping these
+      while (position < length && isDecDigit(input[position])) position++
+      chr = input[position++]
+    }
+
+    if (chr === 'e' || chr === 'E') {
+      chr = input[position++]
+      if (chr === '-' || chr === '+') position++
+      // ex: -5982475.249875e+29384
+      //                       ^^^ skipping these
+      while (position < length && isDecDigit(input[position])) position++
+      chr = input[position++]
+    }
+
+    // we have char in the buffer, so count for it
+    position--
+    return to_num()
+  }
+
+  function parseIdentifier() {
+    // rewind because we don't know first char
+    position--
+
+    var result = ''
+
+    while (position < length) {
+      var chr = input[position++]
+
+      if (chr === '\\'
+      &&  input[position] === 'u'
+      &&  isHexDigit(input[position+1])
+      &&  isHexDigit(input[position+2])
+      &&  isHexDigit(input[position+3])
+      &&  isHexDigit(input[position+4])
+      ) {
+        // UnicodeEscapeSequence
+        chr = String.fromCharCode(parseInt(input.substr(position+1, 4), 16))
+        position += 5
+      }
+
+      if (result.length) {
+        // identifier started
+        if (Uni.isIdentifierPart(chr)) {
+          result += chr
+        } else {
+          position--
+          return result
+        }
+
+      } else {
+        if (Uni.isIdentifierStart(chr)) {
+          result += chr
+        } else {
+          return undefined
+        }
+      }
+    }
+
+    fail()
+  }
+
+  function parseString(endChar) {
+    // 7.8.4 of ES262 spec
+    var result = ''
+
+    while (position < length) {
+      var chr = input[position++]
+
+      if (chr === endChar) {
+        return result
+
+      } else if (chr === '\\') {
+        if (position >= length) fail()
+        chr = input[position++]
+
+        if (unescapeMap[chr] && (json5 || (chr != 'v' && chr != "'"))) {
+          result += unescapeMap[chr]
+
+        } else if (json5 && isLineTerminator(chr)) {
+          // line continuation
+          newline(chr)
+
+        } else if (chr === 'u' || (chr === 'x' && json5)) {
+          // unicode/character escape sequence
+          var off = chr === 'u' ? 4 : 2
+
+          // validation for \uXXXX
+          for (var i=0; i= length) fail()
+            if (!isHexDigit(input[position])) fail('Bad escape sequence')
+            position++
+          }
+
+          result += String.fromCharCode(parseInt(input.substr(position-off, off), 16))
+        } else if (json5 && isOctDigit(chr)) {
+          if (chr < '4' && isOctDigit(input[position]) && isOctDigit(input[position+1])) {
+            // three-digit octal
+            var digits = 3
+          } else if (isOctDigit(input[position])) {
+            // two-digit octal
+            var digits = 2
+          } else {
+            var digits = 1
+          }
+          position += digits - 1
+          result += String.fromCharCode(parseInt(input.substr(position-digits, digits), 8))
+          /*if (!isOctDigit(input[position])) {
+            // \0 is allowed still
+            result += '\0'
+          } else {
+            fail('Octal literals are not supported')
+          }*/
+
+        } else if (json5) {
+          // \X -> x
+          result += chr
+
+        } else {
+          position--
+          fail()
+        }
+
+      } else if (isLineTerminator(chr)) {
+        fail()
+
+      } else {
+        if (!json5 && chr.charCodeAt(0) < 32) {
+          position--
+          fail('Unexpected control character')
+        }
+
+        // SourceCharacter but not one of " or \ or LineTerminator
+        result += chr
+      }
+    }
+
+    fail()
+  }
+
+  skipWhiteSpace()
+  var return_value = parseGeneric()
+  if (return_value !== undefined || position < length) {
+    skipWhiteSpace()
+
+    if (position >= length) {
+      if (typeof(options.reviver) === 'function') {
+        return_value = options.reviver.call(null, '', return_value)
+      }
+      return return_value
+    } else {
+      fail()
+    }
+
+  } else {
+    if (position) {
+      fail('No data, only a whitespace')
+    } else {
+      fail('No data, empty input')
+    }
+  }
+}
+
+/*
+ * parse(text, options)
+ * or
+ * parse(text, reviver)
+ *
+ * where:
+ * text - string
+ * options - object
+ * reviver - function
+ */
+module.exports.parse = function parseJSON(input, options) {
+  // support legacy functions
+  if (typeof(options) === 'function') {
+    options = {
+      reviver: options
+    }
+  }
+
+  if (input === undefined) {
+    // parse(stringify(x)) should be equal x
+    // with JSON functions it is not 'cause of undefined
+    // so we're fixing it
+    return undefined
+  }
+
+  // JSON.parse compat
+  if (typeof(input) !== 'string') input = String(input)
+  if (options == null) options = {}
+  if (options.reserved_keys == null) options.reserved_keys = 'ignore'
+
+  if (options.reserved_keys === 'throw' || options.reserved_keys === 'ignore') {
+    if (options.null_prototype == null) {
+      options.null_prototype = true
+    }
+  }
+
+  try {
+    return parse(input, options)
+  } catch(err) {
+    // jju is a recursive parser, so JSON.parse("{{{{{{{") could blow up the stack
+    //
+    // this catch is used to skip all those internal calls
+    if (err instanceof SyntaxError && err.row != null && err.column != null) {
+      var old_err = err
+      err = SyntaxError(old_err.message)
+      err.column = old_err.column
+      err.row = old_err.row
+    }
+    throw err
+  }
+}
+
+module.exports.tokenize = function tokenizeJSON(input, options) {
+  if (options == null) options = {}
+
+  options._tokenize = function(smth) {
+    if (options._addstack) smth.stack.unshift.apply(smth.stack, options._addstack)
+    tokens.push(smth)
+  }
+
+  var tokens = []
+  tokens.data = module.exports.parse(input, options)
+  return tokens
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/stringify.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/stringify.js
new file mode 100644
index 00000000000000..e76af2efe8e06a
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/stringify.js
@@ -0,0 +1,382 @@
+/*
+ * Author: Alex Kocharin 
+ * GIT: https://github.com/rlidwka/jju
+ * License: WTFPL, grab your copy here: http://www.wtfpl.net/txt/copying/
+ */
+
+var Uni = require('./unicode')
+
+// Fix Function#name on browsers that do not support it (IE)
+// http://stackoverflow.com/questions/6903762/function-name-not-supported-in-ie
+if (!(function f(){}).name) {
+  Object.defineProperty((function(){}).constructor.prototype, 'name', {
+    get: function() {
+      var name = this.toString().match(/^\s*function\s*(\S*)\s*\(/)[1]
+      // For better performance only parse once, and then cache the
+      // result through a new accessor for repeated access.
+      Object.defineProperty(this, 'name', { value: name })
+      return name
+    }
+  })
+}
+
+var special_chars = {
+  0: '\\0', // this is not an octal literal
+  8: '\\b',
+  9: '\\t',
+  10: '\\n',
+  11: '\\v',
+  12: '\\f',
+  13: '\\r',
+  92: '\\\\',
+}
+
+// for oddballs
+var hasOwnProperty = Object.prototype.hasOwnProperty
+
+// some people escape those, so I'd copy this to be safe
+var escapable = /[\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/
+
+function _stringify(object, options, recursiveLvl, currentKey) {
+  var json5 = (options.mode === 'json5' || !options.mode)
+  /*
+   * Opinionated decision warning:
+   *
+   * Objects are serialized in the following form:
+   * { type: 'Class', data: DATA }
+   *
+   * Class is supposed to be a function, and new Class(DATA) is
+   * supposed to be equivalent to the original value
+   */
+  /*function custom_type() {
+    return stringify({
+      type: object.constructor.name,
+      data: object.toString()
+    })
+  }*/
+
+  // if add, it's an internal indentation, so we add 1 level and a eol
+  // if !add, it's an ending indentation, so we just indent
+  function indent(str, add) {
+    var prefix = options._prefix ? options._prefix : ''
+    if (!options.indent) return prefix + str
+    var result = ''
+    var count = recursiveLvl + (add || 0)
+    for (var i=0; i 0) {
+        if (!Uni.isIdentifierPart(key[i]))
+          return _stringify_str(key)
+
+      } else {
+        if (!Uni.isIdentifierStart(key[i]))
+          return _stringify_str(key)
+      }
+
+      var chr = key.charCodeAt(i)
+
+      if (options.ascii) {
+        if (chr < 0x80) {
+          result += key[i]
+
+        } else {
+          result += '\\u' + ('0000' + chr.toString(16)).slice(-4)
+        }
+
+      } else {
+        if (escapable.exec(key[i])) {
+          result += '\\u' + ('0000' + chr.toString(16)).slice(-4)
+
+        } else {
+          result += key[i]
+        }
+      }
+    }
+
+    return result
+  }
+
+  function _stringify_str(key) {
+    var quote = options.quote
+    var quoteChr = quote.charCodeAt(0)
+
+    var result = ''
+    for (var i=0; i= 8 && chr <= 13 && (json5 || chr !== 11)) {
+          result += special_chars[chr]
+        } else if (json5) {
+          result += '\\x0' + chr.toString(16)
+        } else {
+          result += '\\u000' + chr.toString(16)
+        }
+
+      } else if (chr < 0x20) {
+        if (json5) {
+          result += '\\x' + chr.toString(16)
+        } else {
+          result += '\\u00' + chr.toString(16)
+        }
+
+      } else if (chr >= 0x20 && chr < 0x80) {
+        // ascii range
+        if (chr === 47 && i && key[i-1] === '<') {
+          // escaping slashes in 
+          result += '\\' + key[i]
+
+        } else if (chr === 92) {
+          result += '\\\\'
+
+        } else if (chr === quoteChr) {
+          result += '\\' + quote
+
+        } else {
+          result += key[i]
+        }
+
+      } else if (options.ascii || Uni.isLineTerminator(key[i]) || escapable.exec(key[i])) {
+        if (chr < 0x100) {
+          if (json5) {
+            result += '\\x' + chr.toString(16)
+          } else {
+            result += '\\u00' + chr.toString(16)
+          }
+
+        } else if (chr < 0x1000) {
+          result += '\\u0' + chr.toString(16)
+
+        } else if (chr < 0x10000) {
+          result += '\\u' + chr.toString(16)
+
+        } else {
+          throw Error('weird codepoint')
+        }
+      } else {
+        result += key[i]
+      }
+    }
+    return quote + result + quote
+  }
+
+  function _stringify_object() {
+    if (object === null) return 'null'
+    var result = []
+      , len = 0
+      , braces
+
+    if (Array.isArray(object)) {
+      braces = '[]'
+      for (var i=0; i options._splitMax - recursiveLvl * options.indent.length || len > options._splitMin) ) {
+      // remove trailing comma in multiline if asked to
+      if (options.no_trailing_comma && result.length) {
+        result[result.length-1] = result[result.length-1].substring(0, result[result.length-1].length-1)
+      }
+
+      var innerStuff = result.map(function(x) {return indent(x, 1)}).join('')
+      return braces[0]
+          + (options.indent ? '\n' : '')
+          + innerStuff
+          + indent(braces[1])
+    } else {
+      // always remove trailing comma in one-lined arrays
+      if (result.length) {
+        result[result.length-1] = result[result.length-1].substring(0, result[result.length-1].length-1)
+      }
+
+      var innerStuff = result.join(options.indent ? ' ' : '')
+      return braces[0]
+          + innerStuff
+          + braces[1]
+    }
+  }
+
+  function _stringify_nonobject(object) {
+    if (typeof(options.replacer) === 'function') {
+      object = options.replacer.call(null, currentKey, object)
+    }
+
+    switch(typeof(object)) {
+      case 'string':
+        return _stringify_str(object)
+
+      case 'number':
+        if (object === 0 && 1/object < 0) {
+          // Opinionated decision warning:
+          //
+          // I want cross-platform negative zero in all js engines
+          // I know they're equal, but why lose that tiny bit of
+          // information needlessly?
+          return '-0'
+        }
+        if (!json5 && !Number.isFinite(object)) {
+          // json don't support infinity (= sucks)
+          return 'null'
+        }
+        return object.toString()
+
+      case 'boolean':
+        return object.toString()
+
+      case 'undefined':
+        return undefined
+
+      case 'function':
+//        return custom_type()
+
+      default:
+        // fallback for something weird
+        return JSON.stringify(object)
+    }
+  }
+
+  if (options._stringify_key) {
+    return _stringify_key(object)
+  }
+
+  if (typeof(object) === 'object') {
+    if (object === null) return 'null'
+
+    var str
+    if (typeof(str = object.toJSON5) === 'function' && options.mode !== 'json') {
+      object = str.call(object, currentKey)
+
+    } else if (typeof(str = object.toJSON) === 'function') {
+      object = str.call(object, currentKey)
+    }
+
+    if (object === null) return 'null'
+    if (typeof(object) !== 'object') return _stringify_nonobject(object)
+
+    if (object.constructor === Number || object.constructor === Boolean || object.constructor === String) {
+      object = object.valueOf()
+      return _stringify_nonobject(object)
+
+    } else if (object.constructor === Date) {
+      // only until we can't do better
+      return _stringify_nonobject(object.toISOString())
+
+    } else {
+      if (typeof(options.replacer) === 'function') {
+        object = options.replacer.call(null, currentKey, object)
+        if (typeof(object) !== 'object') return _stringify_nonobject(object)
+      }
+
+      return _stringify_object(object)
+    }
+  } else {
+    return _stringify_nonobject(object)
+  }
+}
+
+/*
+ * stringify(value, options)
+ * or
+ * stringify(value, replacer, space)
+ *
+ * where:
+ * value - anything
+ * options - object
+ * replacer - function or array
+ * space - boolean or number or string
+ */
+module.exports.stringify = function stringifyJSON(object, options, _space) {
+  // support legacy syntax
+  if (typeof(options) === 'function' || Array.isArray(options)) {
+    options = {
+      replacer: options
+    }
+  } else if (typeof(options) === 'object' && options !== null) {
+    // nothing to do
+  } else {
+    options = {}
+  }
+  if (_space != null) options.indent = _space
+
+  if (options.indent == null) options.indent = '\t'
+  if (options.quote == null) options.quote = "'"
+  if (options.ascii == null) options.ascii = false
+  if (options.mode == null) options.mode = 'json5'
+
+  if (options.mode === 'json' || options.mode === 'cjson') {
+    // json only supports double quotes (= sucks)
+    options.quote = '"'
+
+    // json don't support trailing commas (= sucks)
+    options.no_trailing_comma = true
+
+    // json don't support unquoted property names (= sucks)
+    options.quote_keys = true
+  }
+
+  // why would anyone use such objects?
+  if (typeof(options.indent) === 'object') {
+    if (options.indent.constructor === Number
+    ||  options.indent.constructor === Boolean
+    ||  options.indent.constructor === String)
+      options.indent = options.indent.valueOf()
+  }
+
+  // gap is capped at 10 characters
+  if (typeof(options.indent) === 'number') {
+    if (options.indent >= 0) {
+      options.indent = Array(Math.min(~~options.indent, 10) + 1).join(' ')
+    } else {
+      options.indent = false
+    }
+  } else if (typeof(options.indent) === 'string') {
+    options.indent = options.indent.substr(0, 10)
+  }
+
+  if (options._splitMin == null) options._splitMin = 50
+  if (options._splitMax == null) options._splitMax = 70
+
+  return _stringify(object, options, 0, '')
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/unicode.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/unicode.js
new file mode 100644
index 00000000000000..1a29143c2d6b1c
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/unicode.js
@@ -0,0 +1,71 @@
+
+// This is autogenerated with esprima tools, see:
+// https://github.com/ariya/esprima/blob/master/esprima.js
+//
+// PS: oh God, I hate Unicode
+
+// ECMAScript 5.1/Unicode v6.3.0 NonAsciiIdentifierStart:
+
+var Uni = module.exports
+
+module.exports.isWhiteSpace = function isWhiteSpace(x) {
+  // section 7.2, table 2
+  return x === '\u0020'
+      || x === '\u00A0'
+      || x === '\uFEFF' // <-- this is not a Unicode WS, only a JS one
+      || (x >= '\u0009' && x <= '\u000D') // 9 A B C D
+
+      // + whitespace characters from unicode, category Zs
+      || x === '\u1680'
+      || x === '\u180E'
+      || (x >= '\u2000' && x <= '\u200A') // 0 1 2 3 4 5 6 7 8 9 A
+      || x === '\u2028'
+      || x === '\u2029'
+      || x === '\u202F'
+      || x === '\u205F'
+      || x === '\u3000'
+}
+
+module.exports.isWhiteSpaceJSON = function isWhiteSpaceJSON(x) {
+  return x === '\u0020'
+      || x === '\u0009'
+      || x === '\u000A'
+      || x === '\u000D'
+}
+
+module.exports.isLineTerminator = function isLineTerminator(x) {
+  // ok, here is the part when JSON is wrong
+  // section 7.3, table 3
+  return x === '\u000A'
+      || x === '\u000D'
+      || x === '\u2028'
+      || x === '\u2029'
+}
+
+module.exports.isLineTerminatorJSON = function isLineTerminatorJSON(x) {
+  return x === '\u000A'
+      || x === '\u000D'
+}
+
+module.exports.isIdentifierStart = function isIdentifierStart(x) {
+  return x === '$'
+      || x === '_'
+      || (x >= 'A' && x <= 'Z')
+      || (x >= 'a' && x <= 'z')
+      || (x >= '\u0080' && Uni.NonAsciiIdentifierStart.test(x))
+}
+
+module.exports.isIdentifierPart = function isIdentifierPart(x) {
+  return x === '$'
+      || x === '_'
+      || (x >= 'A' && x <= 'Z')
+      || (x >= 'a' && x <= 'z')
+      || (x >= '0' && x <= '9') // <-- addition to Start
+      || (x >= '\u0080' && Uni.NonAsciiIdentifierPart.test(x))
+}
+
+module.exports.NonAsciiIdentifierStart = /[\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0370-\u0374\u0376\u0377\u037A-\u037D\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u048A-\u0527\u0531-\u0556\u0559\u0561-\u0587\u05D0-\u05EA\u05F0-\u05F2\u0620-\u064A\u066E\u066F\u0671-\u06D3\u06D5\u06E5\u06E6\u06EE\u06EF\u06FA-\u06FC\u06FF\u0710\u0712-\u072F\u074D-\u07A5\u07B1\u07CA-\u07EA\u07F4\u07F5\u07FA\u0800-\u0815\u081A\u0824\u0828\u0840-\u0858\u08A0\u08A2-\u08AC\u0904-\u0939\u093D\u0950\u0958-\u0961\u0971-\u0977\u0979-\u097F\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BD\u09CE\u09DC\u09DD\u09DF-\u09E1\u09F0\u09F1\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A59-\u0A5C\u0A5E\u0A72-\u0A74\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABD\u0AD0\u0AE0\u0AE1\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3D\u0B5C\u0B5D\u0B5F-\u0B61\u0B71\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BD0\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C33\u0C35-\u0C39\u0C3D\u0C58\u0C59\u0C60\u0C61\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBD\u0CDE\u0CE0\u0CE1\u0CF1\u0CF2\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D\u0D4E\u0D60\u0D61\u0D7A-\u0D7F\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0E01-\u0E30\u0E32\u0E33\u0E40-\u0E46\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB0\u0EB2\u0EB3\u0EBD\u0EC0-\u0EC4\u0EC6\u0EDC-\u0EDF\u0F00\u0F40-\u0F47\u0F49-\u0F6C\u0F88-\u0F8C\u1000-\u102A\u103F\u1050-\u1055\u105A-\u105D\u1061\u1065\u1066\u106E-\u1070\u1075-\u1081\u108E\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u1380-\u138F\u13A0-\u13F4\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u16EE-\u16F0\u1700-\u170C\u170E-\u1711\u1720-\u1731\u1740-\u1751\u1760-\u176C\u176E-\u1770\u1780-\u17B3\u17D7\u17DC\u1820-\u1877\u1880-\u18A8\u18AA\u18B0-\u18F5\u1900-\u191C\u1950-\u196D\u1970-\u1974\u1980-\u19AB\u19C1-\u19C7\u1A00-\u1A16\u1A20-\u1A54\u1AA7\u1B05-\u1B33\u1B45-\u1B4B\u1B83-\u1BA0\u1BAE\u1BAF\u1BBA-\u1BE5\u1C00-\u1C23\u1C4D-\u1C4F\u1C5A-\u1C7D\u1CE9-\u1CEC\u1CEE-\u1CF1\u1CF5\u1CF6\u1D00-\u1DBF\u1E00-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u2071\u207F\u2090-\u209C\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2160-\u2188\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CEE\u2CF2\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D80-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2E2F\u3005-\u3007\u3021-\u3029\u3031-\u3035\u3038-\u303C\u3041-\u3096\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FCC\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA61F\uA62A\uA62B\uA640-\uA66E\uA67F-\uA697\uA6A0-\uA6EF\uA717-\uA71F\uA722-\uA788\uA78B-\uA78E\uA790-\uA793\uA7A0-\uA7AA\uA7F8-\uA801\uA803-\uA805\uA807-\uA80A\uA80C-\uA822\uA840-\uA873\uA882-\uA8B3\uA8F2-\uA8F7\uA8FB\uA90A-\uA925\uA930-\uA946\uA960-\uA97C\uA984-\uA9B2\uA9CF\uAA00-\uAA28\uAA40-\uAA42\uAA44-\uAA4B\uAA60-\uAA76\uAA7A\uAA80-\uAAAF\uAAB1\uAAB5\uAAB6\uAAB9-\uAABD\uAAC0\uAAC2\uAADB-\uAADD\uAAE0-\uAAEA\uAAF2-\uAAF4\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uABC0-\uABE2\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D\uFB1F-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE70-\uFE74\uFE76-\uFEFC\uFF21-\uFF3A\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]/
+
+// ECMAScript 5.1/Unicode v6.3.0 NonAsciiIdentifierPart:
+
+module.exports.NonAsciiIdentifierPart = /[\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0300-\u0374\u0376\u0377\u037A-\u037D\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u0483-\u0487\u048A-\u0527\u0531-\u0556\u0559\u0561-\u0587\u0591-\u05BD\u05BF\u05C1\u05C2\u05C4\u05C5\u05C7\u05D0-\u05EA\u05F0-\u05F2\u0610-\u061A\u0620-\u0669\u066E-\u06D3\u06D5-\u06DC\u06DF-\u06E8\u06EA-\u06FC\u06FF\u0710-\u074A\u074D-\u07B1\u07C0-\u07F5\u07FA\u0800-\u082D\u0840-\u085B\u08A0\u08A2-\u08AC\u08E4-\u08FE\u0900-\u0963\u0966-\u096F\u0971-\u0977\u0979-\u097F\u0981-\u0983\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BC-\u09C4\u09C7\u09C8\u09CB-\u09CE\u09D7\u09DC\u09DD\u09DF-\u09E3\u09E6-\u09F1\u0A01-\u0A03\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A3C\u0A3E-\u0A42\u0A47\u0A48\u0A4B-\u0A4D\u0A51\u0A59-\u0A5C\u0A5E\u0A66-\u0A75\u0A81-\u0A83\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABC-\u0AC5\u0AC7-\u0AC9\u0ACB-\u0ACD\u0AD0\u0AE0-\u0AE3\u0AE6-\u0AEF\u0B01-\u0B03\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3C-\u0B44\u0B47\u0B48\u0B4B-\u0B4D\u0B56\u0B57\u0B5C\u0B5D\u0B5F-\u0B63\u0B66-\u0B6F\u0B71\u0B82\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BBE-\u0BC2\u0BC6-\u0BC8\u0BCA-\u0BCD\u0BD0\u0BD7\u0BE6-\u0BEF\u0C01-\u0C03\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C33\u0C35-\u0C39\u0C3D-\u0C44\u0C46-\u0C48\u0C4A-\u0C4D\u0C55\u0C56\u0C58\u0C59\u0C60-\u0C63\u0C66-\u0C6F\u0C82\u0C83\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBC-\u0CC4\u0CC6-\u0CC8\u0CCA-\u0CCD\u0CD5\u0CD6\u0CDE\u0CE0-\u0CE3\u0CE6-\u0CEF\u0CF1\u0CF2\u0D02\u0D03\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D-\u0D44\u0D46-\u0D48\u0D4A-\u0D4E\u0D57\u0D60-\u0D63\u0D66-\u0D6F\u0D7A-\u0D7F\u0D82\u0D83\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0DCA\u0DCF-\u0DD4\u0DD6\u0DD8-\u0DDF\u0DF2\u0DF3\u0E01-\u0E3A\u0E40-\u0E4E\u0E50-\u0E59\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB9\u0EBB-\u0EBD\u0EC0-\u0EC4\u0EC6\u0EC8-\u0ECD\u0ED0-\u0ED9\u0EDC-\u0EDF\u0F00\u0F18\u0F19\u0F20-\u0F29\u0F35\u0F37\u0F39\u0F3E-\u0F47\u0F49-\u0F6C\u0F71-\u0F84\u0F86-\u0F97\u0F99-\u0FBC\u0FC6\u1000-\u1049\u1050-\u109D\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u135D-\u135F\u1380-\u138F\u13A0-\u13F4\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u16EE-\u16F0\u1700-\u170C\u170E-\u1714\u1720-\u1734\u1740-\u1753\u1760-\u176C\u176E-\u1770\u1772\u1773\u1780-\u17D3\u17D7\u17DC\u17DD\u17E0-\u17E9\u180B-\u180D\u1810-\u1819\u1820-\u1877\u1880-\u18AA\u18B0-\u18F5\u1900-\u191C\u1920-\u192B\u1930-\u193B\u1946-\u196D\u1970-\u1974\u1980-\u19AB\u19B0-\u19C9\u19D0-\u19D9\u1A00-\u1A1B\u1A20-\u1A5E\u1A60-\u1A7C\u1A7F-\u1A89\u1A90-\u1A99\u1AA7\u1B00-\u1B4B\u1B50-\u1B59\u1B6B-\u1B73\u1B80-\u1BF3\u1C00-\u1C37\u1C40-\u1C49\u1C4D-\u1C7D\u1CD0-\u1CD2\u1CD4-\u1CF6\u1D00-\u1DE6\u1DFC-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u200C\u200D\u203F\u2040\u2054\u2071\u207F\u2090-\u209C\u20D0-\u20DC\u20E1\u20E5-\u20F0\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2160-\u2188\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D7F-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2DE0-\u2DFF\u2E2F\u3005-\u3007\u3021-\u302F\u3031-\u3035\u3038-\u303C\u3041-\u3096\u3099\u309A\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FCC\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA62B\uA640-\uA66F\uA674-\uA67D\uA67F-\uA697\uA69F-\uA6F1\uA717-\uA71F\uA722-\uA788\uA78B-\uA78E\uA790-\uA793\uA7A0-\uA7AA\uA7F8-\uA827\uA840-\uA873\uA880-\uA8C4\uA8D0-\uA8D9\uA8E0-\uA8F7\uA8FB\uA900-\uA92D\uA930-\uA953\uA960-\uA97C\uA980-\uA9C0\uA9CF-\uA9D9\uAA00-\uAA36\uAA40-\uAA4D\uAA50-\uAA59\uAA60-\uAA76\uAA7A\uAA7B\uAA80-\uAAC2\uAADB-\uAADD\uAAE0-\uAAEF\uAAF2-\uAAF6\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uABC0-\uABEA\uABEC\uABED\uABF0-\uABF9\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE00-\uFE0F\uFE20-\uFE26\uFE33\uFE34\uFE4D-\uFE4F\uFE70-\uFE74\uFE76-\uFEFC\uFF10-\uFF19\uFF21-\uFF3A\uFF3F\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]/
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/utils.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/utils.js
new file mode 100644
index 00000000000000..dd4752c73a4078
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/lib/utils.js
@@ -0,0 +1,45 @@
+var FS  = require('fs')
+var jju = require('../')
+
+// this function registers json5 extension, so you
+// can do `require("./config.json5")` kind of thing
+module.exports.register = function() {
+  var r = require, e = 'extensions'
+  r[e]['.json5'] = function(m, f) {
+    /*eslint no-sync:0*/
+    m.exports = jju.parse(FS.readFileSync(f, 'utf8'))
+  }
+}
+
+// this function monkey-patches JSON.parse, so it
+// will return an exact position of error in case
+// of parse failure
+module.exports.patch_JSON_parse = function() {
+  var _parse = JSON.parse
+  JSON.parse = function(text, rev) {
+    try {
+      return _parse(text, rev)
+    } catch(err) {
+      // this call should always throw
+      require('jju').parse(text, {
+        mode: 'json',
+        legacy: true,
+        reviver: rev,
+        reserved_keys: 'replace',
+        null_prototype: false,
+      })
+
+      // if it didn't throw, but original parser did,
+      // this is an error in this library and should be reported
+      throw err
+    }
+  }
+}
+
+// this function is an express/connect middleware
+// that accepts uploads in application/json5 format
+module.exports.middleware = function() {
+  return function(req, res, next) {
+    throw Error('this function is removed, use express-json5 instead')
+  }
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.json
new file mode 100644
index 00000000000000..8b01adc877b3fb
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.json
@@ -0,0 +1,65 @@
+{
+  "_from": "jju@^1.1.0",
+  "_id": "jju@1.3.0",
+  "_inBundle": false,
+  "_integrity": "sha1-2t2e8BkkvHKLA/L3l5vb1i96Kqo=",
+  "_location": "/pacote/make-fetch-happen/node-fetch-npm/json-parse-helpfulerror/jju",
+  "_phantomChildren": {},
+  "_requested": {
+    "type": "range",
+    "registry": true,
+    "raw": "jju@^1.1.0",
+    "name": "jju",
+    "escapedName": "jju",
+    "rawSpec": "^1.1.0",
+    "saveSpec": null,
+    "fetchSpec": "^1.1.0"
+  },
+  "_requiredBy": [
+    "/pacote/make-fetch-happen/node-fetch-npm/json-parse-helpfulerror"
+  ],
+  "_resolved": "https://registry.npmjs.org/jju/-/jju-1.3.0.tgz",
+  "_shasum": "dadd9ef01924bc728b03f2f7979bdbd62f7a2aaa",
+  "_spec": "jju@^1.1.0",
+  "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror",
+  "author": {
+    "name": "Alex Kocharin",
+    "email": "alex@kocharin.ru"
+  },
+  "bugs": {
+    "url": "https://github.com/rlidwka/jju/issues"
+  },
+  "bundleDependencies": false,
+  "deprecated": false,
+  "description": "a set of utilities to work with JSON / JSON5 documents",
+  "devDependencies": {
+    "eslint": "~0.4.2",
+    "js-yaml": ">=3.1.0",
+    "mocha": ">=1.21.0"
+  },
+  "homepage": "http://rlidwka.github.io/jju/",
+  "keywords": [
+    "json",
+    "json5",
+    "parser",
+    "serializer",
+    "data"
+  ],
+  "license": {
+    "type": "WTFPL",
+    "url": "http://www.wtfpl.net/txt/copying/"
+  },
+  "name": "jju",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/rlidwka/jju.git"
+  },
+  "scripts": {
+    "lint": "eslint -c ./.eslint.yaml ./lib",
+    "test": "mocha test/*.js"
+  },
+  "version": "1.3.0"
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.yaml b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.yaml
new file mode 100644
index 00000000000000..828163ddc4524c
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/node_modules/jju/package.yaml
@@ -0,0 +1,45 @@
+# use "yapm install ." if you're installing this from git repository
+
+# "jju" stands for "json/json5 utils"
+name: jju
+
+version: 1.3.0
+description: a set of utilities to work with JSON / JSON5 documents
+
+author:
+  name: Alex Kocharin
+  email: alex@kocharin.ru
+
+repository:
+  type: git
+  url: git://github.com/rlidwka/jju
+
+bugs:
+  url: https://github.com/rlidwka/jju/issues
+
+homepage: http://rlidwka.github.io/jju/
+
+devDependencies:
+  mocha: '>=1.21.0'
+  js-yaml: '>=3.1.0'
+
+  # linting tools
+  eslint: '~0.4.2'
+
+scripts:
+  test: 'mocha test/*.js'
+  lint: 'eslint -c ./.eslint.yaml ./lib'
+
+keywords:
+  - json
+  - json5
+  - parser
+  - serializer
+  - data
+
+publishConfig:
+  registry: https://registry.npmjs.org/
+
+license:
+  type: WTFPL
+  url: http://www.wtfpl.net/txt/copying/
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/package.json
new file mode 100644
index 00000000000000..6c723ae8efa256
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/package.json
@@ -0,0 +1,63 @@
+{
+  "_from": "json-parse-helpfulerror@^1.0.3",
+  "_id": "json-parse-helpfulerror@1.0.3",
+  "_inBundle": false,
+  "_integrity": "sha1-E/FM4C7tTpgSl7ZOueO5MuLdE9w=",
+  "_location": "/pacote/make-fetch-happen/node-fetch-npm/json-parse-helpfulerror",
+  "_phantomChildren": {},
+  "_requested": {
+    "type": "range",
+    "registry": true,
+    "raw": "json-parse-helpfulerror@^1.0.3",
+    "name": "json-parse-helpfulerror",
+    "escapedName": "json-parse-helpfulerror",
+    "rawSpec": "^1.0.3",
+    "saveSpec": null,
+    "fetchSpec": "^1.0.3"
+  },
+  "_requiredBy": [
+    "/pacote/make-fetch-happen/node-fetch-npm"
+  ],
+  "_resolved": "https://registry.npmjs.org/json-parse-helpfulerror/-/json-parse-helpfulerror-1.0.3.tgz",
+  "_shasum": "13f14ce02eed4e981297b64eb9e3b932e2dd13dc",
+  "_spec": "json-parse-helpfulerror@^1.0.3",
+  "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm",
+  "author": {
+    "name": "Sam Mikes",
+    "email": "smikes@cubane.com"
+  },
+  "bugs": {
+    "url": "https://github.com/smikes/json-parse-helpfulerror/issues"
+  },
+  "bundleDependencies": false,
+  "dependencies": {
+    "jju": "^1.1.0"
+  },
+  "deprecated": false,
+  "description": "A drop-in replacement for JSON.parse that uses `jju` to give helpful errors",
+  "devDependencies": {
+    "code": "^1.2.1",
+    "jslint": "^0.7.1",
+    "lab": "^5.1.1"
+  },
+  "homepage": "https://github.com/smikes/json-parse-helpfulerror",
+  "keywords": [
+    "json",
+    "parse",
+    "line",
+    "doublequote",
+    "error"
+  ],
+  "license": "MIT",
+  "main": "index.js",
+  "name": "json-parse-helpfulerror",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/smikes/json-parse-helpfulerror.git"
+  },
+  "scripts": {
+    "lint": "jslint --edition=latest --terse *.js",
+    "test": "lab -c"
+  },
+  "version": "1.0.3"
+}
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/test/test.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/test/test.js
new file mode 100644
index 00000000000000..fca458ac080f60
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/node_modules/json-parse-helpfulerror/test/test.js
@@ -0,0 +1,32 @@
+var Code = require('code'),
+    Lab = require('lab'),
+    lab = Lab.script(),
+    jph = require('..'); // 'json-parse-helpfulerror'
+
+exports.lab = lab;
+
+lab.test('can parse', function (done) {
+  var o = jph.parse('{"foo": "bar"}');
+
+  Code.expect(o.foo).to.equal('bar');
+  done();
+});
+
+lab.test('helpful error for bad JSON', function (done) {
+
+  var bad = "{'foo': 'bar'}";
+
+  Code.expect(function () { JSON.parse(bad) }).to.throw();
+
+  Code.expect(function () { jph.parse(bad) }).to.throw(SyntaxError, "Unexpected token '\\'' at 1:2\n" + bad + '\n ^');
+
+  done();
+});
+
+lab.test('fails if reviver throws', function (done) {
+  function badReviver() { throw new ReferenceError('silly'); }
+
+  Code.expect(function () { jph.parse('3', badReviver) }).to.throw(ReferenceError, 'silly');
+
+  done();
+});
\ No newline at end of file
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/package.json
index 09b56c7ea1bbb2..b98cbe1997616a 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/package.json
@@ -1,7 +1,8 @@
 {
   "_from": "node-fetch-npm@^2.0.0",
-  "_id": "node-fetch-npm@2.0.0",
-  "_integrity": "sha512-o8Vxcb16qHPAkqBTPIrxvGSY0dHrtwsk2opomChLWg/2MFJW/hqB3XDG78k0gyI0cmy95kSFjn4BLrMkbQFHAQ==",
+  "_id": "node-fetch-npm@2.0.1",
+  "_inBundle": false,
+  "_integrity": "sha512-W3onhopST5tqpX0/MGSL47pDQLLKobNR83AvkiOWQKaw54h+uYUfzeLAxCiyhWlUOiuI+GIb4O9ojLaAFlhCCA==",
   "_location": "/pacote/make-fetch-happen/node-fetch-npm",
   "_phantomChildren": {},
   "_requested": {
@@ -17,15 +18,13 @@
   "_requiredBy": [
     "/pacote/make-fetch-happen"
   ],
-  "_resolved": "https://registry.npmjs.org/node-fetch-npm/-/node-fetch-npm-2.0.0.tgz",
-  "_shasum": "baab3734bdc50c614af5252bd1ee37a3662bf1ad",
-  "_shrinkwrap": null,
+  "_resolved": "https://registry.npmjs.org/node-fetch-npm/-/node-fetch-npm-2.0.1.tgz",
+  "_shasum": "4dd3355ce526c01bc5ab29ccdf48352dc8a79465",
   "_spec": "node-fetch-npm@^2.0.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen",
   "author": {
     "name": "David Frank"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/npm/node-fetch-npm/issues"
   },
@@ -42,6 +41,7 @@
   ],
   "dependencies": {
     "encoding": "^0.1.11",
+    "json-parse-helpfulerror": "^1.0.3",
     "safe-buffer": "^5.0.1"
   },
   "deprecated": false,
@@ -81,8 +81,6 @@
   "license": "MIT",
   "main": "src/index.js",
   "name": "node-fetch-npm",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/npm/node-fetch-npm.git"
@@ -98,5 +96,5 @@
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
     "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
   },
-  "version": "2.0.0"
+  "version": "2.0.1"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/src/body.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/src/body.js
index 87093e79b45ff3..2b009b7cfc0293 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/src/body.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/node-fetch-npm/src/body.js
@@ -11,6 +11,7 @@ const Buffer = require('safe-buffer').Buffer
 const Blob = require('./blob.js')
 const BUFFER = Blob.BUFFER
 const convert = require('encoding').convert
+const parseJson = require('json-parse-helpfulerror').parse
 const FetchError = require('./fetch-error.js')
 const Stream = require('stream')
 
@@ -92,7 +93,7 @@ Body.prototype = {
    * @return  Promise
    */
   json () {
-    return consumeBody.call(this).then(buffer => JSON.parse(buffer.toString()))
+    return consumeBody.call(this).then(buffer => parseJson(buffer.toString()))
   },
 
   /**
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/.travis.yml b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/.travis.yml
index 85a50123c63edb..41840cb357b87a 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/.travis.yml
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/.travis.yml
@@ -1,8 +1,27 @@
+sudo: false
+
 language: node_js
+
 node_js:
   - "0.8"
   - "0.10"
   - "0.12"
-before_install:
-  - '[ "${TRAVIS_NODE_VERSION}" != "0.8" ] || npm install -g npm@1.4.28'
-  - npm install -g npm@latest
+  - "1"
+  - "2"
+  - "3"
+  - "4"
+  - "5"
+
+install:
+  - PATH="`npm bin`:`npm bin -g`:$PATH"
+  # Node 0.8 comes with a too obsolete npm
+  - if [[ "`node --version`" =~ ^v0\.8\. ]]; then npm install -g npm@1.4.28 ; fi
+  # Install dependencies and build
+  - npm install
+
+script:
+  # Output useful info for debugging
+  - node --version
+  - npm --version
+  # Run tests
+  - npm test
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/History.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/History.md
index 519a31b373b241..7c464a63d629b5 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/History.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/History.md
@@ -1,4 +1,14 @@
 
+2.1.0 / 2017-05-24
+==================
+
+  * DRY post-lookup logic
+  * Fix an error in readme (#13, @599316527)
+  * travis: test node v5
+  * travis: test iojs v1, 2, 3 and node.js v4
+  * test: use ssl-cert-snakeoil cert files
+  * Authentication support (#9, @baryshev)
+
 2.0.0 / 2015-07-10
 ==================
 
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/README.md b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/README.md
index f671685d3974ba..30d33500af43e7 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/README.md
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/README.md
@@ -70,7 +70,7 @@ var opts = url.parse(endpoint);
 var agent = new SocksProxyAgent(proxy, true);
 opts.agent = agent;
 
-http.get(opts, function (res) {
+https.get(opts, function (res) {
   console.log('"response" event!', res.headers);
   res.pipe(process.stdout);
 });
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/package.json
index 39234938d2e898..ff492a2788a872 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/package.json
@@ -1,7 +1,8 @@
 {
   "_from": "socks-proxy-agent@^2.0.0",
-  "_id": "socks-proxy-agent@2.0.0",
-  "_integrity": "sha1-xnSELXBBD7KK4ekuYTWpJ4VLwnU=",
+  "_id": "socks-proxy-agent@2.1.0",
+  "_inBundle": false,
+  "_integrity": "sha1-3fsBtdvqX8h5SQyjiiX+h9PRWRI=",
   "_location": "/pacote/make-fetch-happen/socks-proxy-agent",
   "_phantomChildren": {},
   "_requested": {
@@ -17,9 +18,8 @@
   "_requiredBy": [
     "/pacote/make-fetch-happen"
   ],
-  "_resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-2.0.0.tgz",
-  "_shasum": "c674842d70410fb28ae1e92e6135a927854bc275",
-  "_shrinkwrap": null,
+  "_resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-2.1.0.tgz",
+  "_shasum": "ddfb01b5dbea5fc879490ca38a25fe87d3d15912",
   "_spec": "socks-proxy-agent@^2.0.0",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote/node_modules/make-fetch-happen",
   "author": {
@@ -27,7 +27,6 @@
     "email": "nathan@tootallnate.net",
     "url": "http://n8.io/"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/TooTallNate/node-socks-proxy-agent/issues"
   },
@@ -56,8 +55,6 @@
   "license": "MIT",
   "main": "socks-proxy-agent.js",
   "name": "socks-proxy-agent",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/TooTallNate/node-socks-proxy-agent.git"
@@ -65,5 +62,5 @@
   "scripts": {
     "test": "mocha --reporter spec"
   },
-  "version": "2.0.0"
+  "version": "2.1.0"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/socks-proxy-agent.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/socks-proxy-agent.js
index 46d30f7c68a6ad..c1f769e24eeae4 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/socks-proxy-agent.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/socks-proxy-agent.js
@@ -67,6 +67,11 @@ function SocksProxyAgent (opts) {
       throw new TypeError('A "socks" protocol must be specified! Got: ' + proxy.protocol);
   }
 
+  if (proxy.auth) {
+    var auth = proxy.auth.split(':');
+    proxy.authentication = {username: auth[0], password: auth[1]};
+    proxy.userid = auth[0];
+  }
   this.proxy = proxy;
 }
 inherits(SocksProxyAgent, Agent);
@@ -102,7 +107,7 @@ function connect (req, opts, fn) {
   }
 
   // called for the `dns.lookup()` callback
-  function onlookup (err, ip, type) {
+  function onlookup (err, ip) {
     if (err) return fn(err);
     options.target.host = ip;
     SocksClient.createConnection(options, onhostconnect);
@@ -119,13 +124,16 @@ function connect (req, opts, fn) {
     },
     command: 'connect'
   };
+  if (proxy.authentication) {
+    options.proxy.authentication = proxy.authentication;
+    options.proxy.userid = proxy.userid;
+  }
 
   if (proxy.lookup) {
     // client-side DNS resolution for "4" and "5" socks proxy versions
     dns.lookup(opts.host, onlookup);
   } else {
     // proxy hostname DNS resolution for "4a" and "5h" socks proxy servers
-    options.target.host = opts.host;
-    SocksClient.createConnection(options, onhostconnect);
+    onlookup(null, opts.host)
   }
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.crt b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.crt
deleted file mode 100644
index 9580116cd75ba0..00000000000000
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICATCCAWoCCQCSMIVZI8DGgTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMB4XDTEzMDkwOTIyNTI1MVoXDTE0MDkwOTIyNTI1MVowRTELMAkG
-A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
-IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwQO2
-jlSxR12EvpF1hROxQAyQzDsxVv7AjDGhSVhizn7anxo5mCE9+5jHRJ6hgxF/3RJO
-q157J49W7hlgiJfN3X4Q3WCqkTnfj1wFr8aSjWUl6TWeLMrhKZgzGCmZH0GV4Kpu
-4jQ4lyjl/dIBw8HiJmKvaEagdUb5UJCKBDrDtvECAwEAATANBgkqhkiG9w0BAQUF
-AAOBgQB33WAM5Yr2jkaeRog6rEglMC8i+Jab12amnFFJEMoWnH6csXVGSXxCtlX8
-FWnCoNb/D71dnEusS4JxbYluRg2Xrdfb/pmHje9pE2TTprZRBFAIoh4CmDh129Ka
-HJwYPZi59XRnac8ghiF2l4d2yOQPznrJDekj6pfLVdIcVowSvg==
------END CERTIFICATE-----
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.key b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.key
deleted file mode 100644
index 25ade3cd165c8c..00000000000000
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/server.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDBA7aOVLFHXYS+kXWFE7FADJDMOzFW/sCMMaFJWGLOftqfGjmY
-IT37mMdEnqGDEX/dEk6rXnsnj1buGWCIl83dfhDdYKqROd+PXAWvxpKNZSXpNZ4s
-yuEpmDMYKZkfQZXgqm7iNDiXKOX90gHDweImYq9oRqB1RvlQkIoEOsO28QIDAQAB
-AoGBAJGXlm34bp0Rat9A46/VMd/JWrPjdo1TrrRRf4LO3AE9aPWYl5cshA+zp6QY
-MGaonZWJiLP1mdo2YnFJzSpbr9mzEBEIjCsKdzeKbmnaEpCZY5YUj/ypVWYVJqXx
-jZ6/9VEIxCrB9WmXi9fs97IZtZJcHI4M+0FXakjF9AmxtVvRAkEA5MNakvgLPn5s
-GH5yuu0P0vSQ6d7EEgcM/89pjEpfKCvsYBh92VvmKspjBV71OuQ3Eh7/0GB/5UGC
-gaJwID7ibQJBANf+wBky99/+ffzwrUGavIbLO4NOwnbQsz7v49PwJHoGIhlfoLW7
-21JwDwWUteFyYOwzHxRdKedolT5Ul+PxNBUCQCXYU7Ggq2uJSqS6toxKD6Yco6St
-H87Dr9jaHWICI7/nlFFJe/hrhaZqmPsYfIVjn+C1lCiK7l2k+swrbVVIUfkCQQCA
-8MgWgvGsWw00+SxElK3kveAaI+M88JuAf85+z8XGvnCOuyKCOtHT5adiCoOFQTWQ
-63erPW5tgWZOnktKPMx9AkEAru3G68AjJN6e14aHkK9KFD0DV1RjrIe7E5iQq5Tn
-QXyiyiu624him6pov6UIGs5429z+gl3JjRM3A2rl//j//w==
------END RSA PRIVATE KEY-----
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key
new file mode 100644
index 00000000000000..fd12501220a564
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCzURxIqzer0ACAbX/lHdsn4Gd9PLKrf7EeDYfIdV0HZKPD8WDr
+bBx2/fBu0OW2sjnzv/SVZbJ0DAuPE/p0+eT0qb2qC10iz9iTD7ribd7gxhirVb8y
+b3fBjXsxc8V8p4Ny1LcvNSqCjwUbJqdRogfoJeTiqPM58z5sNzuv5iq7iwIDAQAB
+AoGAPMQy4olrP0UotlzlJ36bowLP70ffgHCwU+/f4NWs5fF78c3du0oSx1w820Dd
+Z7E0JF8bgnlJJTxjumPZz0RUCugrEHBKJmzEz3cxF5E3+7NvteZcjKn9D67RrM5x
+1/uSZ9cqKE9cYvY4fSuHx18diyZ4axR/wB1Pea2utjjDM+ECQQDb9ZbmmaWMiRpQ
+5Up+loxP7BZNPsEVsm+DVJmEFbaFgGfncWBqSIqnPNjMwTwj0OigTwCAEGPkfRVW
+T0pbYWCxAkEA0LK7SCTwzyDmhASUalk0x+3uCAA6ryFdwJf/wd8TRAvVOmkTEldX
+uJ7ldLvfrONYO3v56uKTU/SoNdZYzKtO+wJAX2KM4ctXYy5BXztPpr2acz4qHa1N
+Bh+vBAC34fOYhyQ76r3b1btHhWZ5jbFuZwm9F2erC94Ps5IaoqcX07DSwQJAPKGw
+h2U0EPkd/3zVIZCJJQya+vgWFIs9EZcXVtvYXQyTBkVApTN66MhBIYjzkub5205J
+bVQmOV37AKklY1DhwQJAA1wos0cYxro02edzatxd0DIR2r4qqOqLkw6BhYHhq6HJ
+ZvIcQkHqdSXzdETFc01I1znDGGIrJHcnvKWgBPoEUg==
+-----END RSA PRIVATE KEY-----
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.pem b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.pem
new file mode 100644
index 00000000000000..b115a5e91498de
--- /dev/null
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/ssl-cert-snakeoil.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1TCCAT4CCQDV5mPlzm9+izANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDEyQ3
+NTI3YmQ3Ny1hYjNlLTQ3NGItYWNlNy1lZWQ2MDUzOTMxZTcwHhcNMTUwNzA2MjI0
+NTA3WhcNMjUwNzAzMjI0NTA3WjAvMS0wKwYDVQQDEyQ3NTI3YmQ3Ny1hYjNlLTQ3
+NGItYWNlNy1lZWQ2MDUzOTMxZTcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALNRHEirN6vQAIBtf+Ud2yfgZ308sqt/sR4Nh8h1XQdko8PxYOtsHHb98G7Q5bay
+OfO/9JVlsnQMC48T+nT55PSpvaoLXSLP2JMPuuJt3uDGGKtVvzJvd8GNezFzxXyn
+g3LUty81KoKPBRsmp1GiB+gl5OKo8znzPmw3O6/mKruLAgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEACzoHUF8UV2Z6541Q2wKEA0UFUzmUjf/E1XwBO+1P15ZZ64uw34B4
+1RwMPtAo9RY/PmICTWtNxWGxkzwb2JtDWtnxVER/lF8k2XcXPE76fxTHJF/BKk9J
+QU8OTD1dd9gHCBviQB9TqntRZ5X7axjtuWjb2umY+owBYzAHZkp1HKI=
+-----END CERTIFICATE-----
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/test.js b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/test.js
index 3ab7e55b22919c..cc3375334ec83b 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/test.js
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/node_modules/socks-proxy-agent/test/test.js
@@ -44,8 +44,8 @@ describe('SocksProxyAgent', function () {
   before(function (done) {
     // setup target SSL HTTPS server
     var options = {
-      key: fs.readFileSync(__dirname + '/server.key'),
-      cert: fs.readFileSync(__dirname + '/server.crt')
+      key: fs.readFileSync(__dirname + '/ssl-cert-snakeoil.key'),
+      cert: fs.readFileSync(__dirname + '/ssl-cert-snakeoil.pem')
     };
     httpsServer = https.createServer(options);
     httpsServer.listen(function () {
diff --git a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/package.json b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/package.json
index e74dc5d95e5dd5..8b8e2cd878d5ec 100644
--- a/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/package.json
+++ b/deps/npm/node_modules/pacote/node_modules/make-fetch-happen/package.json
@@ -1,7 +1,8 @@
 {
-  "_from": "make-fetch-happen@^2.4.3",
-  "_id": "make-fetch-happen@2.4.3",
-  "_integrity": "sha512-Vi+Y+uUnWki65KG6RjjW6J4o10XJivCyhvSh4TB/XC5gNtD9MbxlyOVkAFKTNCj1w1wcDw7HWaVPGj0CPfAyhw==",
+  "_from": "make-fetch-happen@^2.4.9",
+  "_id": "make-fetch-happen@2.4.9",
+  "_inBundle": false,
+  "_integrity": "sha512-/qh6T1E2gBD31bhutxeFehcHDwbBJJ7F+7w8bNAzPbacqfTwEpeo7W5SVQqciCSfNex51SjnEyw1XuK4zDn+Fw==",
   "_location": "/pacote/make-fetch-happen",
   "_phantomChildren": {
     "safe-buffer": "5.0.1"
@@ -9,42 +10,40 @@
   "_requested": {
     "type": "range",
     "registry": true,
-    "raw": "make-fetch-happen@^2.4.3",
+    "raw": "make-fetch-happen@^2.4.9",
     "name": "make-fetch-happen",
     "escapedName": "make-fetch-happen",
-    "rawSpec": "^2.4.3",
+    "rawSpec": "^2.4.9",
     "saveSpec": null,
-    "fetchSpec": "^2.4.3"
+    "fetchSpec": "^2.4.9"
   },
   "_requiredBy": [
     "/pacote"
   ],
-  "_resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-2.4.3.tgz",
-  "_shasum": "a9e894f213cc4628fde0859a589a90da96f4e4d8",
-  "_shrinkwrap": null,
-  "_spec": "make-fetch-happen@^2.4.3",
+  "_resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-2.4.9.tgz",
+  "_shasum": "245b799e35da3ec05a45e6ef31f9c34df7d1e0c1",
+  "_spec": "make-fetch-happen@^2.4.9",
   "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote",
   "author": {
     "name": "Kat Marchán",
     "email": "kzm@sykosomatic.org"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zkat/make-fetch-happen/issues"
   },
   "bundleDependencies": false,
   "dependencies": {
     "agentkeepalive": "^3.1.0",
-    "cacache": "^9.0.0",
+    "cacache": "^9.2.4",
     "http-cache-semantics": "^3.7.3",
     "http-proxy-agent": "^1.0.0",
     "https-proxy-agent": "^1.0.0",
     "lru-cache": "^4.0.2",
     "mississippi": "^1.2.0",
-    "node-fetch-npm": "^2.0.0",
+    "node-fetch-npm": "^2.0.1",
     "promise-retry": "^1.1.1",
     "socks-proxy-agent": "^2.0.0",
-    "ssri": "^4.1.2"
+    "ssri": "^4.1.3"
   },
   "deprecated": false,
   "description": "Opinionated, caching, retrying fetch client",
@@ -80,8 +79,6 @@
   "license": "CC0-1.0",
   "main": "index.js",
   "name": "make-fetch-happen",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zkat/make-fetch-happen.git"
@@ -95,5 +92,5 @@
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
     "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
   },
-  "version": "2.4.3"
+  "version": "2.4.9"
 }
diff --git a/deps/npm/node_modules/pacote/package.json b/deps/npm/node_modules/pacote/package.json
index 578b7c8687374d..c27683d0d20778 100644
--- a/deps/npm/node_modules/pacote/package.json
+++ b/deps/npm/node_modules/pacote/package.json
@@ -1,11 +1,11 @@
 {
-  "_from": "pacote@latest",
-  "_id": "pacote@2.7.12",
+  "_from": "pacote@2.7.21",
+  "_id": "pacote@2.7.21",
   "_inBundle": false,
-  "_integrity": "sha512-HkAuFF2tUtXFqgmweU5eVNia1cUl4/1gYYmm1+eLOIuGPUlCLqvO0wtsKgUgoHbStFToTNh13JgDSgOaMz7REg==",
+  "_integrity": "sha512-ksTHJiAkJxLmcOGxO6iGMk1cVMTTtIC051ZUqvWbckICIhzScOSBgGRBc4CHRhd62NuqAL082RuOOmb1Mi6o6Q==",
   "_location": "/pacote",
   "_phantomChildren": {
-    "cacache": "9.0.0",
+    "cacache": "9.2.5",
     "chownr": "1.0.1",
     "lru-cache": "4.0.2",
     "mississippi": "1.3.0",
@@ -14,26 +14,27 @@
     "once": "1.4.0",
     "readable-stream": "2.2.9",
     "retry": "0.10.1",
+    "safe-buffer": "5.0.1",
     "semver": "5.3.0",
-    "ssri": "4.1.2"
+    "ssri": "4.1.3"
   },
   "_requested": {
-    "type": "tag",
+    "type": "version",
     "registry": true,
-    "raw": "pacote@latest",
+    "raw": "pacote@2.7.21",
     "name": "pacote",
     "escapedName": "pacote",
-    "rawSpec": "latest",
+    "rawSpec": "2.7.21",
     "saveSpec": null,
-    "fetchSpec": "latest"
+    "fetchSpec": "2.7.21"
   },
   "_requiredBy": [
     "#USER",
     "/"
   ],
-  "_resolved": "https://registry.npmjs.org/pacote/-/pacote-2.7.12.tgz",
-  "_shasum": "36bced5b5fe29defff827b8da893245d9fb0789f",
-  "_spec": "pacote@latest",
+  "_resolved": "https://registry.npmjs.org/pacote/-/pacote-2.7.21.tgz",
+  "_shasum": "e909e8a0559940053300e1127297e92a1302d244",
+  "_spec": "pacote@2.7.21",
   "_where": "/Users/zkat/Documents/code/npm",
   "author": {
     "name": "Kat Marchán",
@@ -55,11 +56,11 @@
   ],
   "dependencies": {
     "bluebird": "^3.5.0",
-    "cacache": "^9.0.0",
-    "glob": "^7.1.1",
+    "cacache": "^9.2.5",
+    "glob": "^7.1.2",
     "lru-cache": "^4.0.2",
-    "make-fetch-happen": "^2.4.3",
-    "minimatch": "^3.0.3",
+    "make-fetch-happen": "^2.4.9",
+    "minimatch": "^3.0.4",
     "mississippi": "^1.2.0",
     "normalize-package-data": "^2.3.6",
     "npm-package-arg": "^5.0.0",
@@ -70,9 +71,9 @@
     "protoduck": "^4.0.0",
     "safe-buffer": "^5.0.1",
     "semver": "^5.3.0",
-    "ssri": "^4.1.2",
+    "ssri": "^4.1.3",
     "tar-fs": "^1.15.1",
-    "tar-stream": "^1.5.2",
+    "tar-stream": "^1.5.4",
     "unique-filename": "^1.1.0",
     "which": "^1.2.12"
   },
@@ -81,15 +82,15 @@
   "devDependencies": {
     "mkdirp": "^0.5.1",
     "nock": "^9.0.13",
-    "npmlog": "^4.0.1",
-    "nyc": "^10.0.0",
+    "npmlog": "^4.1.0",
+    "nyc": "^10.3.2",
     "require-inject": "^1.4.0",
     "rimraf": "^2.5.4",
     "standard": "^10.0.1",
     "standard-version": "^4.0.0",
     "tacks": "^1.2.6",
     "tap": "^10.2.0",
-    "weallbehave": "^1.0.0",
+    "weallbehave": "^1.2.0",
     "weallcontribute": "^1.0.7"
   },
   "files": [
@@ -119,5 +120,5 @@
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
     "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
   },
-  "version": "2.7.12"
+  "version": "2.7.21"
 }
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/.travis.yml b/deps/npm/node_modules/safe-buffer/.travis.yml
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/.travis.yml
rename to deps/npm/node_modules/safe-buffer/.travis.yml
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/LICENSE b/deps/npm/node_modules/safe-buffer/LICENSE
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/LICENSE
rename to deps/npm/node_modules/safe-buffer/LICENSE
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/README.md b/deps/npm/node_modules/safe-buffer/README.md
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/README.md
rename to deps/npm/node_modules/safe-buffer/README.md
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/browser.js b/deps/npm/node_modules/safe-buffer/browser.js
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/browser.js
rename to deps/npm/node_modules/safe-buffer/browser.js
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/index.js b/deps/npm/node_modules/safe-buffer/index.js
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/index.js
rename to deps/npm/node_modules/safe-buffer/index.js
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/package.json b/deps/npm/node_modules/safe-buffer/package.json
similarity index 74%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/package.json
rename to deps/npm/node_modules/safe-buffer/package.json
index 267f02494ebf70..d866dd9580b6dc 100644
--- a/deps/npm/node_modules/pacote/node_modules/safe-buffer/package.json
+++ b/deps/npm/node_modules/safe-buffer/package.json
@@ -1,40 +1,38 @@
 {
-  "_from": "safe-buffer@^5.0.1",
+  "_from": "safe-buffer@~5.0.1",
   "_id": "safe-buffer@5.0.1",
+  "_inBundle": false,
   "_integrity": "sha1-0mPKVGls2KMGtcplUekt5XkY++c=",
-  "_location": "/pacote/safe-buffer",
+  "_location": "/safe-buffer",
   "_phantomChildren": {},
   "_requested": {
     "type": "range",
     "registry": true,
-    "raw": "safe-buffer@^5.0.1",
+    "raw": "safe-buffer@~5.0.1",
     "name": "safe-buffer",
     "escapedName": "safe-buffer",
-    "rawSpec": "^5.0.1",
+    "rawSpec": "~5.0.1",
     "saveSpec": null,
-    "fetchSpec": "^5.0.1"
+    "fetchSpec": "~5.0.1"
   },
   "_requiredBy": [
-    "/pacote",
-    "/pacote/make-fetch-happen/node-fetch-npm"
+    "#USER",
+    "/"
   ],
   "_resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.0.1.tgz",
   "_shasum": "d263ca54696cd8a306b5ca6551e92de57918fbe7",
-  "_shrinkwrap": null,
-  "_spec": "safe-buffer@^5.0.1",
-  "_where": "/Users/zkat/Documents/code/npm/node_modules/pacote",
+  "_spec": "safe-buffer@~5.0.1",
+  "_where": "/Users/zkat/Documents/code/npm",
   "author": {
     "name": "Feross Aboukhadijeh",
     "email": "feross@feross.org",
     "url": "http://feross.org"
   },
-  "bin": null,
   "browser": "./browser.js",
   "bugs": {
     "url": "https://github.com/feross/safe-buffer/issues"
   },
   "bundleDependencies": false,
-  "dependencies": {},
   "deprecated": false,
   "description": "Safer Node.js Buffer API",
   "devDependencies": {
@@ -55,8 +53,6 @@
   "license": "MIT",
   "main": "index.js",
   "name": "safe-buffer",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git://github.com/feross/safe-buffer.git"
diff --git a/deps/npm/node_modules/pacote/node_modules/safe-buffer/test.js b/deps/npm/node_modules/safe-buffer/test.js
similarity index 100%
rename from deps/npm/node_modules/pacote/node_modules/safe-buffer/test.js
rename to deps/npm/node_modules/safe-buffer/test.js
diff --git a/deps/npm/node_modules/ssri/CHANGELOG.md b/deps/npm/node_modules/ssri/CHANGELOG.md
index 838a6fe691b06f..46a0093e00c366 100644
--- a/deps/npm/node_modules/ssri/CHANGELOG.md
+++ b/deps/npm/node_modules/ssri/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+## [4.1.3](https://github.com/zkat/ssri/compare/v4.1.2...v4.1.3) (2017-05-24)
+
+
+### Bug Fixes
+
+* **check:** handle various bad hash corner cases better ([c2c262b](https://github.com/zkat/ssri/commit/c2c262b))
+
+
+
 
 ## [4.1.2](https://github.com/zkat/ssri/compare/v4.1.1...v4.1.2) (2017-04-18)
 
diff --git a/deps/npm/node_modules/ssri/index.js b/deps/npm/node_modules/ssri/index.js
index 9c84dbc2170502..f01986fa51b1bb 100644
--- a/deps/npm/node_modules/ssri/index.js
+++ b/deps/npm/node_modules/ssri/index.js
@@ -95,7 +95,9 @@ class Integrity {
     const pickAlgorithm = (opts && opts.pickAlgorithm) || getPrioritizedHash
     const keys = Object.keys(this)
     if (!keys.length) {
-      throw new Error(`No algorithms available for ${this}`)
+      throw new Error(`No algorithms available for ${
+        JSON.stringify(this.toString())
+      }`)
     }
     return keys.reduce((acc, algo) => {
       return pickAlgorithm(acc, algo) || acc
@@ -199,8 +201,9 @@ module.exports.checkData = checkData
 function checkData (data, sri, opts) {
   opts = opts || {}
   sri = parse(sri, opts)
+  if (!Object.keys(sri).length) { return false }
   const algorithm = sri.pickAlgorithm(opts)
-  const digests = sri[algorithm]
+  const digests = sri[algorithm] || []
   const digest = crypto.createHash(algorithm).update(data).digest('base64')
   return digests.find(hash => hash.digest === digest) || false
 }
@@ -231,8 +234,9 @@ function integrityStream (opts) {
   opts = opts || {}
   // For verification
   const sri = opts.integrity && parse(opts.integrity, opts)
-  const algorithm = sri && sri.pickAlgorithm(opts)
-  const digests = sri && sri[algorithm]
+  const goodSri = sri && Object.keys(sri).length
+  const algorithm = goodSri && sri.pickAlgorithm(opts)
+  const digests = goodSri && sri[algorithm]
   // Calculating stream
   const algorithms = opts.algorithms || [algorithm || 'sha512']
   const hashes = algorithms.map(crypto.createHash)
@@ -253,6 +257,7 @@ function integrityStream (opts) {
     const match = (
       // Integrity verification mode
       opts.integrity &&
+      digests &&
       digests.find(hash => {
         return newSri[algorithm].find(newhash => {
           return hash.digest === newhash.digest
diff --git a/deps/npm/node_modules/ssri/package.json b/deps/npm/node_modules/ssri/package.json
index b828c974c9f329..fae62d7c52961c 100644
--- a/deps/npm/node_modules/ssri/package.json
+++ b/deps/npm/node_modules/ssri/package.json
@@ -1,36 +1,36 @@
 {
-  "_from": "ssri@~4.1.2",
-  "_id": "ssri@4.1.2",
-  "_integrity": "sha1-PTxptJDQsQd3Kpv4GIHziuBx8ks=",
+  "_from": "ssri@4.1.3",
+  "_id": "ssri@4.1.3",
+  "_inBundle": false,
+  "_integrity": "sha512-vDXK4C5lxEMlMXyUvsaNAqyYkoMaScW8r6jUTg3uwUOMnvbMmNRSw3Cal0iiWHtMsQxga7NG4GShS0CKt3Pt1w==",
   "_location": "/ssri",
   "_phantomChildren": {},
   "_requested": {
-    "type": "range",
+    "type": "version",
     "registry": true,
-    "raw": "ssri@~4.1.2",
+    "raw": "ssri@4.1.3",
     "name": "ssri",
     "escapedName": "ssri",
-    "rawSpec": "~4.1.2",
+    "rawSpec": "4.1.3",
     "saveSpec": null,
-    "fetchSpec": "~4.1.2"
+    "fetchSpec": "4.1.3"
   },
   "_requiredBy": [
+    "#USER",
     "/",
     "/cacache",
     "/npm-registry-client",
     "/pacote",
     "/pacote/make-fetch-happen"
   ],
-  "_resolved": "https://registry.npmjs.org/ssri/-/ssri-4.1.2.tgz",
-  "_shasum": "3d3c69b490d0b107772a9bf81881f38ae071f24b",
-  "_shrinkwrap": null,
-  "_spec": "ssri@~4.1.2",
+  "_resolved": "https://registry.npmjs.org/ssri/-/ssri-4.1.3.tgz",
+  "_shasum": "ec8b5585cbfc726a5f9aad829efce238de831935",
+  "_spec": "ssri@4.1.3",
   "_where": "/Users/zkat/Documents/code/npm",
   "author": {
     "name": "Kat Marchán",
     "email": "kzm@sykosomatic.org"
   },
-  "bin": null,
   "bugs": {
     "url": "https://github.com/zkat/ssri/issues"
   },
@@ -47,11 +47,11 @@
   "deprecated": false,
   "description": "Standard Subresource Integrity library --  parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
   "devDependencies": {
-    "nyc": "^10.2.0",
+    "nyc": "^10.3.2",
     "standard": "^9.0.2",
     "standard-version": "^4.0.0",
     "tap": "^10.3.2",
-    "weallbehave": "^1.0.0",
+    "weallbehave": "^1.2.0",
     "weallcontribute": "^1.0.8"
   },
   "files": [
@@ -75,8 +75,6 @@
   "license": "CC0-1.0",
   "main": "index.js",
   "name": "ssri",
-  "optionalDependencies": {},
-  "peerDependencies": {},
   "repository": {
     "type": "git",
     "url": "git+https://github.com/zkat/ssri.git"
@@ -90,5 +88,5 @@
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
     "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
   },
-  "version": "4.1.2"
+  "version": "4.1.3"
 }
diff --git a/deps/npm/package.json b/deps/npm/package.json
index 724e29292db009..3bb9001de010d1 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
 {
-  "version": "5.0.0-beta.56",
+  "version": "5.0.0",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "keywords": [
@@ -38,7 +38,7 @@
     "aproba": "~1.1.1",
     "archy": "~1.0.0",
     "bluebird": "~3.5.0",
-    "cacache": "~9.0.0",
+    "cacache": "~9.2.5",
     "call-limit": "~1.1.0",
     "chownr": "~1.0.1",
     "cmd-shim": "~2.0.2",
@@ -51,7 +51,7 @@
     "fs-write-stream-atomic": "~1.0.10",
     "fstream": "~1.0.11",
     "fstream-npm": "~1.2.1",
-    "glob": "~7.1.1",
+    "glob": "~7.1.2",
     "graceful-fs": "~4.1.11",
     "has-unicode": "~2.0.1",
     "hosted-git-info": "~2.4.2",
@@ -83,7 +83,7 @@
     "once": "~1.4.0",
     "opener": "~1.4.3",
     "osenv": "~0.1.4",
-    "pacote": "~2.7.12",
+    "pacote": "~2.7.21",
     "path-is-inside": "~1.0.2",
     "promise-inflight": "~1.0.1",
     "read": "~1.0.7",
@@ -95,12 +95,13 @@
     "request": "~2.81.0",
     "retry": "~0.10.1",
     "rimraf": "~2.6.1",
+    "safe-buffer": "~5.0.1",
     "semver": "~5.3.0",
     "sha": "~2.0.1",
     "slide": "~1.1.6",
     "sorted-object": "~2.0.1",
     "sorted-union-stream": "~2.1.3",
-    "ssri": "~4.1.2",
+    "ssri": "~4.1.3",
     "strip-ansi": "~3.0.1",
     "tar": "~2.2.1",
     "text-table": "~0.2.0",
@@ -209,7 +210,8 @@
     "validate-npm-package-name",
     "which",
     "wrappy",
-    "write-file-atomic"
+    "write-file-atomic",
+    "safe-buffer"
   ],
   "devDependencies": {
     "deep-equal": "~1.0.1",
diff --git a/deps/npm/test/tap/bearer-token-check.js b/deps/npm/test/tap/bearer-token-check.js
index 42c8f313e2d181..23870d2f2100e6 100644
--- a/deps/npm/test/tap/bearer-token-check.js
+++ b/deps/npm/test/tap/bearer-token-check.js
@@ -89,7 +89,10 @@ var contents = '@scoped:registry=' + common.registry + '\n' +
 
 var json = {
   name: 'test-package-install',
-  version: '1.0.0'
+  version: '1.0.0',
+  dependencies: {
+    '@scoped/underscore': '1.3.1'
+  }
 }
 
 var shrinkwrap = {
diff --git a/deps/npm/test/tap/config-meta.js b/deps/npm/test/tap/config-meta.js
index d7897a16ceaacd..f667077a1aa04b 100644
--- a/deps/npm/test/tap/config-meta.js
+++ b/deps/npm/test/tap/config-meta.js
@@ -19,6 +19,7 @@ var exceptions = [
   path.resolve(lib, 'adduser.js'),
   path.resolve(lib, 'config.js'),
   path.resolve(lib, 'config', 'pacote.js'),
+  path.resolve(lib, 'pack.js'),
   path.resolve(lib, 'publish.js'),
   path.resolve(lib, 'install', 'inflate-shrinkwrap.js'),
   path.resolve(lib, 'utils', 'lifecycle.js'),
diff --git a/deps/npm/test/tap/gently-rm-linked-module.js b/deps/npm/test/tap/gently-rm-linked-module.js
index aeae71eee02647..a9804cd792d44e 100644
--- a/deps/npm/test/tap/gently-rm-linked-module.js
+++ b/deps/npm/test/tap/gently-rm-linked-module.js
@@ -46,7 +46,8 @@ var env = extend({}, process.env)
 env.npm_config_prefix = linkedGlobal
 var EXEC_OPTS = {
   cwd: workingDir,
-  env: env
+  env: env,
+  stdio: [0, 'pipe', 2]
 }
 
 test('setup', function (t) {
@@ -57,49 +58,32 @@ test('setup', function (t) {
 })
 
 test('install and link', function (t) {
+  var globalBin = resolve(linkedGlobal, isWindows ? '.' : 'bin', 'linked')
+  var globalModule = resolve(linkedGlobal, isWindows ? '.' : 'lib', 'node_modules', '@test', 'linked')
   // link our test module into the global folder
-  common.npm(
-    [
-      '--loglevel', 'error',
-      'link',
-      toInstall
-    ],
-    EXEC_OPTS,
-    function (er, code) {
-      if (er) throw er
-      t.is(code, 0, 'link succeeded')
-      var globalBin = resolve(linkedGlobal, isWindows ? '.' : 'bin', 'linked')
-      var globalModule = resolve(linkedGlobal, isWindows ? '.' : 'lib', 'node_modules', '@test', 'linked')
-      var localBin = resolve(workingDir, 'node_modules', '.bin', 'linked')
-      var localModule = resolve(workingDir, 'node_modules', '@test', 'linked')
-      try {
-        t.ok(fs.statSync(globalBin), 'global bin exists')
-        t.is(fs.lstatSync(globalModule).isSymbolicLink(), true, 'global module is link')
-        t.ok(fs.statSync(localBin), 'local bin exists')
-        t.is(fs.lstatSync(localModule).isSymbolicLink(), true, 'local module is link')
-      } catch (ex) {
-        t.ifError(ex, 'linking happened')
-      }
-      if (code !== 0) return t.end()
-
-      // and try removing it and make sure that succeeds
-      common.npm(
-        [
-          '--global',
-          '--loglevel', 'error',
-          'rm', '@test/linked'
-        ],
-        EXEC_OPTS,
-        function (er, code) {
-          if (er) throw er
-          t.is(code, 0, 'rm succeeded')
-          t.throws(function () { fs.statSync(globalBin) }, 'global bin removed')
-          t.throws(function () { fs.statSync(globalModule) }, 'global module removed')
-          t.end()
-        }
-      )
+  return common.npm(['--loglevel', 'error', 'link', toInstall], EXEC_OPTS).spread((code, out) => {
+    t.comment(out)
+    t.is(code, 0, 'link succeeded')
+    var localBin = resolve(workingDir, 'node_modules', '.bin', 'linked')
+    var localModule = resolve(workingDir, 'node_modules', '@test', 'linked')
+    try {
+      t.ok(fs.statSync(globalBin), 'global bin exists')
+      t.is(fs.lstatSync(globalModule).isSymbolicLink(), true, 'global module is link')
+      t.ok(fs.statSync(localBin), 'local bin exists')
+      t.is(fs.lstatSync(localModule).isSymbolicLink(), true, 'local module is link')
+    } catch (ex) {
+      t.ifError(ex, 'linking happened')
     }
-  )
+    if (code !== 0) throw new Error('aborting')
+
+    // and try removing it and make sure that succeeds
+    return common.npm(['--global', '--loglevel', 'error', 'rm', '@test/linked'], EXEC_OPTS)
+  }).spread((code, out) => {
+    t.comment(out)
+    t.is(code, 0, 'rm succeeded')
+    t.throws(function () { fs.statSync(globalBin) }, 'global bin removed')
+    t.throws(function () { fs.statSync(globalModule) }, 'global module removed')
+  })
 })
 
 test('cleanup', function (t) {
diff --git a/deps/npm/test/tap/no-scan-full-global-dir.js b/deps/npm/test/tap/no-scan-full-global-dir.js
index ca051fc6287c6c..6a9349d54d9629 100644
--- a/deps/npm/test/tap/no-scan-full-global-dir.js
+++ b/deps/npm/test/tap/no-scan-full-global-dir.js
@@ -4,7 +4,6 @@ var path = require('path')
 var test = require('tap').test
 var requireInject = require('require-inject')
 var osenv = require('osenv')
-var inherits = require('inherits')
 var npm = require('../../lib/npm.js')
 
 var packages = {
@@ -47,26 +46,26 @@ test('setup', function (t) {
   })
 })
 
-function loadArgMetadata (cb) {
-  this.args = this.args.map(function (arg) { return {name: arg} })
-  cb()
-}
-
 test('installer', function (t) {
   t.plan(1)
   var installer = requireInject('../../lib/install.js', {
     'fs': mockFs,
     'readdir-scoped-modules': mockReaddir,
-    'read-package-json': mockReadPackageJson
+    'read-package-json': mockReadPackageJson,
+    'mkdirp': function (path, cb) { cb() }
   })
 
   var Installer = installer.Installer
-  var TestInstaller = function () {
-    Installer.apply(this, arguments)
-    this.global = true
+  class TestInstaller extends Installer {
+    constructor (where, dryrun, args) {
+      super(where, dryrun, args)
+      this.global = true
+    }
+    loadArgMetadata (cb) {
+      this.args = this.args.map(function (arg) { return {name: arg} })
+      cb()
+    }
   }
-  inherits(TestInstaller, Installer)
-  TestInstaller.prototype.loadArgMetadata = loadArgMetadata
 
   var inst = new TestInstaller(__dirname, false, ['def', 'abc'])
   inst.loadCurrentTree(function () {
@@ -81,15 +80,17 @@ test('uninstaller', function (t) {
   var uninstaller = requireInject('../../lib/uninstall.js', {
     'fs': mockFs,
     'readdir-scoped-modules': mockReaddir,
-    'read-package-json': mockReadPackageJson
+    'read-package-json': mockReadPackageJson,
+    'mkdirp': function (path, cb) { cb() }
   })
 
   var Uninstaller = uninstaller.Uninstaller
-  var TestUninstaller = function () {
-    Uninstaller.apply(this, arguments)
-    this.global = true
+  class TestUninstaller extends Uninstaller {
+    constructor (where, dryrun, args) {
+      super(where, dryrun, args)
+      this.global = true
+    }
   }
-  inherits(TestUninstaller, Uninstaller)
 
   var uninst = new TestUninstaller(__dirname, false, ['ghi', 'jkl'])
   uninst.loadCurrentTree(function () {
diff --git a/deps/npm/test/tap/noargs-install-config-save.js b/deps/npm/test/tap/noargs-install-config-save.js
index 074d5e848df38f..12ccf86804b377 100644
--- a/deps/npm/test/tap/noargs-install-config-save.js
+++ b/deps/npm/test/tap/noargs-install-config-save.js
@@ -62,7 +62,7 @@ test('updates the package.json (adds dependencies) with an argument', function (
   t.plan(2)
 
   mr({ port: common.port }, function (er, s) {
-    common.npm(['install', 'underscore'], OPTS, function (er, code, stdout, stderr) {
+    common.npm(['install', 'underscore', '-P'], OPTS, function (er, code, stdout, stderr) {
       if (er) throw er
       t.is(code, 0)
       s.close()
diff --git a/deps/npm/test/tap/shrinkwrap-extra-metadata.js b/deps/npm/test/tap/shrinkwrap-extra-metadata.js
index c5f60e4c221f00..dd7f85ee827ed6 100644
--- a/deps/npm/test/tap/shrinkwrap-extra-metadata.js
+++ b/deps/npm/test/tap/shrinkwrap-extra-metadata.js
@@ -7,15 +7,11 @@ const mr = require('npm-registry-mock')
 const npm = require('../../lib/npm.js')
 const osenv = require('osenv')
 const path = require('path')
-const pkgSri = require('../../lib/utils/package-integrity.js')
 const rimraf = require('rimraf')
 const test = require('tap').test
 
 const pkg = path.join(__dirname, path.basename(__filename, '.js'))
 
-const EXEC_OPTS = {
-  cwd: pkg }
-
 const json = {
   author: 'Rockbert',
   name: 'shrinkwrap-extra-metadata',
@@ -54,7 +50,6 @@ test('adds additional metadata fields from the pkglock spec', function (t) {
               'name': 'shrinkwrap-extra-metadata',
               'version': '0.0.0',
               'lockfileVersion': npm.lockfileVersion,
-              'packageIntegrity': pkgSri.hash(json),
               'preserveSymlinks': 'foo'
             },
             JSON.parse(desired),
diff --git a/deps/npm/test/tap/shrinkwrap-package-integrity.js b/deps/npm/test/tap/shrinkwrap-package-integrity.js
deleted file mode 100644
index 6333757d7f3a3c..00000000000000
--- a/deps/npm/test/tap/shrinkwrap-package-integrity.js
+++ /dev/null
@@ -1,50 +0,0 @@
-'use strict'
-
-const pkgsri = require('../../lib/utils/package-integrity.js')
-const ssri = require('ssri')
-const test = require('tap').test
-
-test('generates integrity according to spec', (t) => {
-  const pkgJson = {
-    'name': 'foo',
-    'version': '1.0.0',
-    'dependencies': {
-      'x': '1.0.0'
-    },
-    'devDependencies': {
-      'y': '1.0.0'
-    },
-    'optionalDependencies': {
-      'z': '1.0.0'
-    }
-  }
-  const integrity = pkgsri.hash(pkgJson)
-  t.ok(integrity && integrity.toString(), 'hash returned')
-  t.equal(
-    ssri.parse(integrity).toString(),
-    integrity,
-    'hash is a valid ssri string'
-  )
-  t.ok(pkgsri.check(pkgJson, integrity), 'same-data integrity check succeeds')
-  t.done()
-})
-
-test('updates if anything changes in package.json', (t) => {
-  const pkgJson = {
-    'name': 'foo',
-    'version': '1.0.0',
-    'dependencies': {
-      'x': '1.0.0'
-    },
-    'devDependencies': {
-      'y': '1.0.0'
-    },
-    'optionalDependencies': {
-      'z': '1.0.0'
-    }
-  }
-  const sri = pkgsri.hash(pkgJson)
-  pkgJson.version = '1.2.3'
-  t.equal(pkgsri.check(pkgJson, sri), false, 'no match after pkgJson change')
-  t.done()
-})
diff --git a/deps/npm/test/tap/shrinkwrap-scoped-auth.js b/deps/npm/test/tap/shrinkwrap-scoped-auth.js
index 6d5130137e141d..bd884c00b7de25 100644
--- a/deps/npm/test/tap/shrinkwrap-scoped-auth.js
+++ b/deps/npm/test/tap/shrinkwrap-scoped-auth.js
@@ -1,4 +1,4 @@
-var resolve = require('path').resolve
+var path = require('path')
 var writeFileSync = require('graceful-fs').writeFileSync
 
 var mkdirp = require('mkdirp')
@@ -10,12 +10,12 @@ var test = require('tap').test
 var common = require('../common-tap.js')
 var toNerfDart = require('../../lib/config/nerf-dart.js')
 
-var pkg = resolve(__dirname, 'shrinkwrap-scoped-auth')
-var outfile = resolve(pkg, '_npmrc')
-var modules = resolve(pkg, 'node_modules')
+var pkg = path.resolve(__dirname, path.basename(__filename, '.js'))
+var outfile = path.resolve(pkg, '_npmrc')
+var modules = path.resolve(pkg, 'node_modules')
 var tarballPath = '/scoped-underscore/-/scoped-underscore-1.3.1.tgz'
 var tarballURL = common.registry + tarballPath
-var tarball = resolve(__dirname, '../fixtures/scoped-underscore-1.3.1.tgz')
+var tarball = path.resolve(__dirname, '../fixtures/scoped-underscore-1.3.1.tgz')
 
 var server
 
@@ -46,10 +46,9 @@ test('authed npm install with shrinkwrapped scoped package', function (t) {
       '--fetch-retries', 0,
       '--userconfig', outfile
     ],
-    {cwd: pkg},
-    function (err, code, stdout, stderr) {
+    {cwd: pkg, stdio: [0, 'pipe', 2]},
+    function (err, code, stdout) {
       if (err) throw err
-      if (stderr) t.comment(stderr)
       t.equal(code, 0, 'npm install exited OK')
       try {
         var results = JSON.parse(stdout)
@@ -75,7 +74,10 @@ var contents = '@scoped:registry=' + common.registry + '\n' +
 
 var json = {
   name: 'test-package-install',
-  version: '1.0.0'
+  version: '1.0.0',
+  dependencies: {
+    '@scoped/underscore': '1.0.0'
+  }
 }
 
 var shrinkwrap = {
@@ -93,10 +95,10 @@ var shrinkwrap = {
 function setup () {
   cleanup()
   mkdirp.sync(modules)
-  writeFileSync(resolve(pkg, 'package.json'), JSON.stringify(json, null, 2) + '\n')
+  writeFileSync(path.resolve(pkg, 'package.json'), JSON.stringify(json, null, 2) + '\n')
   writeFileSync(outfile, contents)
   writeFileSync(
-    resolve(pkg, 'npm-shrinkwrap.json'),
+    path.resolve(pkg, 'npm-shrinkwrap.json'),
     JSON.stringify(shrinkwrap, null, 2) + '\n'
   )
 }
diff --git a/deps/npm/test/tap/uninstall-link-clean.js b/deps/npm/test/tap/uninstall-link-clean.js
index b4759e8895e238..2b1d244d00fdeb 100644
--- a/deps/npm/test/tap/uninstall-link-clean.js
+++ b/deps/npm/test/tap/uninstall-link-clean.js
@@ -3,15 +3,15 @@ var path = require('path')
 var existsSync = fs.existsSync || path.existsSync
 
 var mkdirp = require('mkdirp')
-var osenv = require('osenv')
 var rimraf = require('rimraf')
 var test = require('tap').test
 
 var common = require('../common-tap.js')
 
-var pkg = path.join(__dirname, 'uninstall-link-clean')
-var dep = path.join(__dirname, 'dep')
-var work = path.join(__dirname, 'uninstall-link-clean-TEST')
+var testdir = path.join(__dirname, path.basename(__filename, '.js'))
+var pkg = path.join(testdir, 'pkg')
+var dep = path.join(testdir, 'dep')
+var work = path.join(testdir, 'uninstall-link-clean-TEST')
 var modules = path.join(work, 'node_modules')
 
 var EXEC_OPTS = { cwd: work, stdio: [0, 'ignore', 2] }
@@ -54,7 +54,6 @@ test('setup', function (t) {
   fs.writeFileSync(path.join(dep, 'world.js'), world)
 
   mkdirp.sync(modules)
-  process.chdir(work)
 
   t.end()
 })
@@ -110,8 +109,5 @@ test('cleanup', function (t) {
 })
 
 function cleanup () {
-  process.chdir(osenv.tmpdir())
-  rimraf.sync(dep)
-  rimraf.sync(work)
-  rimraf.sync(pkg)
+  rimraf.sync(testdir)
 }
diff --git a/deps/npm/test/tap/uninstall-save.js b/deps/npm/test/tap/uninstall-save.js
index 47cffdb5213767..9bf342d7cf9556 100644
--- a/deps/npm/test/tap/uninstall-save.js
+++ b/deps/npm/test/tap/uninstall-save.js
@@ -10,7 +10,7 @@ var test = require('tap').test
 var common = require('../common-tap.js')
 var server
 
-var pkg = path.join(__dirname, 'uninstall-save')
+var pkg = path.join(__dirname, path.basename(__filename, '.js'))
 
 var EXEC_OPTS = { cwd: pkg, stdio: [0, 'ignore', 2] }
 
@@ -29,62 +29,44 @@ test('setup', function (t) {
 })
 
 test('uninstall --save removes rm-ed package from package.json', function (t) {
-  common.npm(
-    [
-      '--registry', common.registry,
-      '--loglevel', 'error',
-      '--save-prefix', '^',
-      '--save',
-      'install', 'underscore@latest'
-    ],
-    EXEC_OPTS,
-    function (err, code) {
-      t.ifError(err, 'npm install ran without issue')
-      t.notOk(code, 'npm install exited with code 0')
-
-      var p = path.join(pkg, 'node_modules', 'underscore', 'package.json')
-      t.ok(JSON.parse(fs.readFileSync(p)))
-
-      var pkgJson = JSON.parse(fs.readFileSync(
-        path.join(pkg, 'package.json'),
-        'utf8'
-      ))
-      t.deepEqual(
-        pkgJson.dependencies,
-        { 'underscore': '^1.5.1' },
-        'got expected save prefix and version of 1.5.1'
-      )
-
-      var installed = path.join(pkg, 'node_modules', 'underscore')
-      rimraf.sync(installed)
-
-      common.npm(
-        [
-          '--registry', common.registry,
-          '--loglevel', 'debug',
-          '--save',
-          'uninstall', 'underscore'
-        ],
-        EXEC_OPTS,
-        function (err, code) {
-          t.ifError(err, 'npm uninstall ran without issue')
-
-          var pkgJson = JSON.parse(fs.readFileSync(
-            path.join(pkg, 'package.json'),
-            'utf8'
-          ))
-
-          t.deepEqual(
-            pkgJson.dependencies,
-            { },
-            'dependency removed as expected'
-          )
-
-          t.end()
-        }
-      )
-    }
-  )
+  var config = [
+    '--registry', common.registry,
+    '--save-prefix', '^',
+    '--save',
+    '--loglevel=error'
+  ]
+  return common.npm(config.concat(['install', 'underscore@latest']), EXEC_OPTS).spread((code) => {
+    t.notOk(code, 'npm install exited with code 0')
+
+    var p = path.join(pkg, 'node_modules', 'underscore', 'package.json')
+    t.ok(JSON.parse(fs.readFileSync(p)))
+
+    var pkgJson = JSON.parse(fs.readFileSync(
+      path.join(pkg, 'package.json'),
+      'utf8'
+    ))
+    t.deepEqual(
+      pkgJson.dependencies,
+      { 'underscore': '^1.5.1' },
+      'got expected save prefix and version of 1.5.1'
+    )
+
+    var installed = path.join(pkg, 'node_modules', 'underscore')
+    rimraf.sync(installed)
+
+    return common.npm(config.concat(['uninstall', 'underscore']), EXEC_OPTS)
+  }).spread((code) => {
+    var pkgJson = JSON.parse(fs.readFileSync(
+      path.join(pkg, 'package.json'),
+      'utf8'
+    ))
+
+    t.deepEqual(
+      pkgJson.dependencies,
+      { },
+      'dependency removed as expected'
+    )
+  })
 })
 
 test('cleanup', function (t) {
diff --git a/deps/npm/test/tap/unit-link.js b/deps/npm/test/tap/unit-link.js
index e4b9094068ca97..4f4083e110c5db 100644
--- a/deps/npm/test/tap/unit-link.js
+++ b/deps/npm/test/tap/unit-link.js
@@ -227,7 +227,7 @@ function testLink (opts, cb) {
         }
       }
     },
-    '../../lib/utils/gently-rm.js': dezalgo(function (toRemove, gently, cb) {
+    '../../lib/utils/gently-rm.js': dezalgo(function (toRemove, gently, basedir, cb) {
       if (opts.rm[toRemove] && opts.rm[toRemove].gently === gently) {
         cb()
       } else {