deps: upgrade to npm 2.14.2

PR-URL: #2696 Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
nodejs · Sep 7, 2015 · babdbfd · babdbfd
1 parent 155783d
commit babdbfd
Show file tree

Hide file tree

Showing 499 changed files with 7,132 additions and 11,981 deletions.
diff --git a/deps/npm/.npmrc b/deps/npm/.npmrc
diff --git a/deps/npm/AUTHORS b/deps/npm/AUTHORS
@@ -301,3 +301,10 @@ Thaddee Tyl <thaddee.tyl@gmail.com>
 Steve Klabnik <steve@steveklabnik.com>
 Andrew Murray <radarhere@gmail.com>
 Stephan Bönnemann <stephan@excellenteasy.com>
+Kyle M. Tarplee <kyle.tarplee@numerica.us>
+Derek Peterson <derekpetey@gmail.com>
+Greg Whiteley <greg.whiteley@atomos.com>
+murgatroid99 <mlumish@google.com>
+Marcin Cieslak <saper@saper.info>
+João Reis <reis@janeasystems.com>
+Matthew Hasbach <hasbach.git@gmail.com>
diff --git a/deps/npm/CHANGELOG.md b/deps/npm/CHANGELOG.md
@@ -1,3 +1,277 @@
+### v2.14.2 (2015-08-27):
+
+#### GETTING THAT PESKY `preferGlobal` WARNING RIGHT
+
+So apparently the `preferGlobal` option hasn't quite been warning correctly for
+some time. But now it should be all better! tl;dr: if you try and install a
+dependency with `preferGlobal: true`, and it's _not already_ in your
+`package.json`, you'll get a warning that the author would really rather you
+install it with `--global`. :)
+
+* [`bbb25f3`](https://github.com/npm/npm/commit/bbb25f30d582f8979168c79233a9f8f840974f90)
+  [#8841](https://github.com/npm/npm/issues/8841)
+  [#9409](https://github.com/npm/npm/issues/9409) The `preferGlobal`
+  warning shouldn't happen if the dependency being installed is listed in
+  `devDependencies`. ([@saper](https://github.com/saper))
+* [`222fcec`](https://github.com/npm/npm/commit/222fcec85ccd30d35899e5037079fb14625af4e2)
+  [#9409](https://github.com/npm/npm/issues/9409) `preferGlobal` now prints a
+  warning when there are no dependencies for the current package.
+  ([@zkat](https://github.com/zkat))
+* [`5cfed6d`](https://github.com/npm/npm/commit/5cfed6d7a1a5f2731688cfc8293b5e43a6355393)
+  [#9409](https://github.com/npm/npm/issues/9409) Verify that
+  `preferGlobal` is warning as expected (when a `preferGlobal` dependency is
+  installed, but isn't listed in either `dependencies` or `devDependencies`).
+  ([@zkat](https://github.com/zkat))
+
+#### BUMP +1
+
+* [`eeafce2`](https://github.com/npm/npm/commit/eeafce2d06883c0f51bf403415b6bc5f2647eba3)
+  `validate-npm-package-license@3.0.1`: Include additional metadata in parsed license object,
+  useful for license checkers. ([@kemitchell](https://github.com/kemitchell))
+* [`1502a28`](https://github.com/npm/npm/commit/1502a285f84aa548806b3eafc8889e6288e810f3)
+  `normalise-package-data@2.3.2`: Updated to use `validate-npm-package-license@3.0.1`.
+  ([@othiym23](https://github.com/othiym23))
+* [`cbde823`](https://github.com/npm/npm/commit/cbde8233436bf0ea62a4740869b4990322c20659)
+  `init-package-json@1.9.1`: Add a `silent` option to suppress output on writing the
+  generated `package.json`. Also, updated to use `validate-npm-package-license@3.0.1`.
+  ([@zkat](https://github.com/zkat))
+* [`08fda46`](https://github.com/npm/npm/commit/08fda465452b4d77f1ced8050ee3a35a77fc30a5)
+  `tar@2.2.0`: Minor improvements. ([@othiym23](https://github.com/othiym23))
+* [`dc2f20b`](https://github.com/npm/npm/commit/dc2f20b53fff77203139c863b48da0e959df2ac9)
+  `rimraf@2.4.3`: `EPERM` now triggers a delay / retry loop (since Windows throws
+  this when things still hold a handle). ([@isaacs](https://github.com/isaacs))
+* [`e8acb27`](https://github.com/npm/npm/commit/e8acb273aa67ee0394d0431650e1b2a7d09c8554)
+  `read@1.0.7`: Fix licensing ambiguity. ([@isaacs](https://github.com/isaacs))
+
+#### OTHER STUFF THAT'S RELEVANT
+
+* [`73a1ee0`](https://github.com/npm/npm/commit/73a1ee0be90fa1928521b63f28bef83b8ffab61d)
+  [#9386](https://github.com/npm/npm/issues/9386) Include additional unignorable files in
+  documentation.
+  ([@mjhasbach](https://github.com/mjhasbach))
+* [`0313e40`](https://github.com/npm/npm/commit/0313e40ee0f757fce8861be590ad668c23d7be53)
+  [#9396](https://github.com/npm/npm/issues/9396) Improve the `EISDIR` error
+  message returned by npm's error-handling code to give users a better hint of
+  what's most likely going on.  Usually, error reports with this error code are
+  about people trying to install things without a `package.json`.
+  ([@KenanY](https://github.com/KenanY))
+* [`2677457`](https://github.com/npm/npm/commit/26774579c739c5951351e58263cf4d6ea3d66ec8)
+  [#9360](https://github.com/npm/npm/issues/9360) Make it easier to run
+  only _some_ of npm tests with lifecycle scripts via `npm tap test/tap/testname.js`.
+  ([@iarna](https://github.com/iarna))
+
+### v2.14.1 (2015-08-20):
+
+#### SECURITY FIX
+
+There are patches for two information leaks of moderate severity in `npm@2.14.1`:
+
+1. In some cases, npm was leaking sensitive credential information into the
+   child environment when running package and lifecycle scripts. This could
+   lead to packages being published with files (most notably `config.gypi`, a
+   file created by `node-gyp` that is a cache of environmental information
+   regenerated on every run) containing the bearer tokens used to authenticate
+   users to the registry. Users with affected packages have been notified (and
+   the affected tokens invalidated), and now npm has been modified to not
+   upload files that could contain this information, as well as scrubbing the
+   sensitive information out of the environment passed to child scripts.
+2. Per-package `.npmrc` files are used by some maintainers as a way to scope
+   those packages to a specific registry and its credentials. This is a
+   reasonable use case, but by default `.npmrc` was packed into packages,
+   leaking those credentials.  npm will no longer include `.npmrc` when packing
+   tarballs.
+
+If you maintain packages and believe you may be affected by either
+of the above scenarios (especially if you've received a security
+notification from npm recently), please upgrade to `npm@2.14.1` as
+soon as possible. If you believe you may have inadvertently leaked
+your credentials, upgrade to `npm@2.14.1` on the affected machine,
+and run `npm logout` and then `npm login`. Your access tokens will be
+invalidated, which will eliminate any risk posed by tokens inadvertently
+included in published packages. We apologize for the inconvenience this
+causes, as well as the oversight that led to the existence of this issue
+in the first place.
+
+Huge thanks to [@ChALkeR](https://github.com/ChALkeR) for bringing these
+issues to our attention, and for helping us identify affected packages
+and maintainers. Thanks also to the Node.js security working group for
+their coördination with the team in our response to this issue. We
+appreciate everybody's patience and understanding tremendously.
+
+* [`b9474a8`](https://github.com/npm/npm/commit/b9474a843ca55b7c5fac6da33989e8eb39aff8b1)
+  `fstream-npm@1.0.5`: Stop publishing build cruft (`config.gypi`) and per-project
+  `.npmrc` files to keep local configuration out of published packages.
+  ([@othiym23](https://github.com/othiym23))
+* [`13c286d`](https://github.com/npm/npm/commit/13c286dbdc3fa8fec4cb79fc4d1ee505c8a41b2e)
+  [#9348](https://github.com/npm/npm/issues/9348) Filter "private"
+  (underscore-prefixed, even when scoped to a registry) configuration values
+  out of child environments. ([@othiym23](https://github.com/othiym23))
+
+#### BETTER WINDOWS INTEGRATION, ONE STEP AT A TIME
+
+* [`e40e71f`](https://github.com/npm/npm/commit/e40e71f2f838a8a42392f44e3eeec04e323ab743)
+  [#6412](https://github.com/npm/npm/issues/6412) Improve the search strategy
+  used by the npm shims for Windows to prioritize your own local npm installs.
+  npm has really needed this tweak for a long time, so hammer on it and let us
+  know if you run into issues, but with luck it will Just Work.
+  ([@joaocgreis](https://github.com/joaocgreis))
+* [`204ebbb`](https://github.com/npm/npm/commit/204ebbb3e0cab696a429a878ceeb4a7e78ec2b94)
+  [#8751](https://github.com/npm/npm/issues/8751)
+  [#7333](https://github.com/npm/npm/issues/7333) Keep [autorun
+  scripts](https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) from
+  interfering with npm package and lifecycle script execution on Windows by
+  adding `/d` and `/s` when invoking `cmd.exe`.
+  ([@saper](https://github.com/saper))
+
+#### IT SEEMED LIKE AN IDEA AT THE TIME
+
+* [`286f3d9`](https://github.com/npm/npm/commit/286f3d97103812f0fd84b70352addbe899e258f9)
+  [#9201](https://github.com/npm/npm/pull/9201) For a while npm was building
+  HTML partials for use on [`docs.npmjs.com`](https://docs.npmjs.com), but we
+  weren't actually using them. Stop building them, which makes running the full
+  test suite and installation process around a third faster.
+  ([@isaacs](https://github.com/isaacs))
+
+#### A SINGLE LONELY DEPENDENCY UPGRADE
+
+* [`b343b95`](https://github.com/npm/npm/commit/b343b956ef777e321e4251ddc96ec6d80827d9e2)
+  `request@2.61.0`: Bug fixes and keep-alive tweaks.
+  ([@simov](https://github.com/simov))
+
+### v2.14.0 (2015-08-13):
+
+#### IT'S HERE! KINDA!
+
+This release adds support for teens and orcs (err, teams and organizations) to
+the npm CLI! Note that the web site and registry-side features of this are
+still not ready for public consumption.
+
+A beta should be starting in the next couple of weeks, and the features
+themselves will become public once all that's done. Keep an eye out for more
+news!
+
+All of these changes were done under [`#9011`](https://github.com/npm/npm/pull/9011):
+
+* [`6424170`](https://github.com/npm/npm/commit/6424170fc17c666a6efc090370ec691e0cab1792)
+  Added new `npm team` command and subcommands.
+  ([@zkat](https://github.com/zkat))
+* [`52220d1`](https://github.com/npm/npm/commit/52220d146d474ec29b683bd99c06f75cbd46a9f4)
+  Added documentation for new `npm team` command.
+  ([@zkat](https://github.com/zkat))
+* [`4e66830`](https://github.com/npm/npm/commit/4e668304850d02df8eb27a779fda76fe5de645e7)
+  Updated `npm access` to support teams and organizations.
+  ([@zkat](https://github.com/zkat))
+* [`ea3eb87`](https://github.com/npm/npm/commit/ea3eb8733d9fa09ce34106b1b19fb1a8f95844a5)
+  Gussied up docs for `npm access` with new commands.
+  ([@zkat](https://github.com/zkat))
+* [`6e0b431`](https://github.com/npm/npm/commit/6e0b431c1de5e329c86e57d097aa88ebfedea864)
+  Fix up `npm whoami` to make the underlying API usable elsewhere.
+  ([@zkat](https://github.com/zkat))
+* [`f29c931`](https://github.com/npm/npm/commit/f29c931012ce5ccd69c29d83548f27e443bf7e62)
+  `npm-registry-client@7.0.1`: Upgrade `npm-registry-client` API to support
+  `team` and `access` calls against the registry.
+  ([@zkat](https://github.com/zkat))
+
+#### A FEW EXTRA VERSION BUMPS
+
+* [`c977e12`](https://github.com/npm/npm/commit/c977e12cbfa50c2f52fc807f5cc19ba1cc1b39bf)
+  `init-package-json@1.8.0`: Checks for some `npm@3` metadata.
+  ([@iarna](https://github.com/iarna))
+* [`5c8c9e5`](https://github.com/npm/npm/commit/5c8c9e5ae177ba7d0d298cfa42f3fc7f0271e4ec)
+  `columnify@1.5.2`: Updated some dependencies.
+  ([@timoxley](https://github.com/timoxley))
+* [`5d56742`](https://github.com/npm/npm/commit/5d567425768b75aeab402c817a53d8b2bc60d8de)
+  `chownr@1.0.1`: Tests, docs, and minor style nits.
+  ([@isaacs](https://github.com/isaacs))
+
+#### ALSO A DOC FIX
+
+* [`846fcc7`](https://github.com/npm/npm/commit/846fcc79b86984b109a97366b0422f995a45f8bf)
+  [`#9200`](https://github.com/npm/npm/pull/9200) Remove single quotes
+  around semver range, thus making it valid semver.
+  ([@KenanY](https://github.com/KenanY))
+
+### v2.13.5 (2015-08-07):
+
+This is another quiet week for the `npm@2` release.
+[@zkat](https://github.com/zkat) has been working hard on polishing the CLI
+bits of the registry's new feature to support direct management of teams and
+organizations, and [@iarna](https://github.com/iarna) continues to work through
+the list of issues blocking the general release of `npm@3`, which is looking
+more and more solid all the time.
+
+[@othiym23](https://github.com/othiym23) and [@zkat](https://github.com/zkat)
+have also been at this week's Node.js / io.js [collaborator
+summit](https://github.com/nodejs/summit/tree/master), both as facilitators and
+participants. This is a valuable opportunity to get some face time with other
+contributors and to work through a bunch of important discussions, but it does
+leave us feeling kind of sleepy. Running meetings is hard!
+
+What does that leave for this release? A few of the more tricky bug fixes that
+have been sitting around for a little while now, and a couple dependency
+upgrades. Nothing too fancy, but most of these were contributed by developers
+like _you_, which we think is swell. Thanks!
+
+#### BUG FIXES
+
+* [`d7271b8`](https://github.com/npm/npm/commit/d7271b8226712479cdd339bf85faf7e394923e0d)
+  [#4530](https://github.com/npm/npm/issues/4530) The bash completion script
+  for npm no longer alters global completion behavior around word breaks.
+  ([@whitty](https://github.com/whitty))
+* [`c9ce294`](https://github.com/npm/npm/commit/c9ce29415a0a8fc610690b6e9d91b64d6e36cfcc)
+  [#7198](https://github.com/npm/npm/issues/7198) When setting up dependencies
+  to be shared via `npm link <package>`, only run the lifecycle scripts during
+  the original link, not when running `npm link <package>` or `npm install
+  --link` against them. ([@murgatroid99](https://github.com/murgatroid99))
+* [`422da66`](https://github.com/npm/npm/commit/422da664bd3ce71313da447f170507faf5aac46a)
+  [#9108](https://github.com/npm/npm/issues/9108) Clear up minor confusion
+  around wording in `bundledDependencies` section of `package.json` docs.
+  ([@derekpeterson](https://github.com/derekpeterson))
+* [`6b42d99`](https://github.com/npm/npm/commit/6b42d99460885e715772d3487b1c548d2bc8a738)
+  [#9146](https://github.com/npm/npm/issues/9146) Include scripts that run for
+  `preversion`, `version`, and `postversion` in the section for lifecycle
+  scripts rather than the generic `npm run-script` output.
+  ([@othiym23](https://github.com/othiym23))
+
+#### NOPE, NOT DONE WITH DEPENDENCY UPDATES
+
+* [`91a48bb`](https://github.com/npm/npm/commit/91a48bb5ef5a990781c86f8b69b8a32cf4fac2d9)
+  `chmodr@1.0.1`: Ignore symbolic links when recursively changing mode, just
+  like the Unix command. ([@isaacs](https://github.com/isaacs))
+* [`4bbc86e`](https://github.com/npm/npm/commit/4bbc86e3825e2eee9a8758ba26bdea0cb6a2581e)
+  `nock@2.10.0` ([@pgte](https://github.com/pgte))
+
+### v2.13.4 (2015-07-30):
+
+#### JULY ENDS ON A FAIRLY QUIET NOTE
+
+Hey everyone! I hope you've had a great week. We're having a fairly small
+release this week while we wrap up Teams and Orgs (or, as we've taken to calling
+it internally, _Teens and Orcs_).
+
+In other exciting news, a bunch of us are gonna be at the [Node.js Collaborator
+Summit](https://github.com/nodejs/summit/issues/1), and you can also find us at
+[wafflejs](https://wafflejs.com/) on Wednesday. Hopefully we'll be seeing some
+of you there. :)
+
+#### THE PATCH!!!
+
+So here it is. The patch. Hope it helps. (Thanks,
+[@ktarplee](https://github.com/ktarplee)!)
+
+* [`2e58c48`](https://github.com/npm/npm/commit/2e58c4819e3cafe4ae23ab7f4a520fe09258cfd7)
+  [#9033](https://github.com/npm/npm/pull/9033) `npm version` now works on git
+  submodules
+  ([@ktarplee](https://github.com/ktarplee))
+
+#### OH AND THERE'S A DEV DEPENDENCIES UPDATE
+
+Hooray.
+
+* [`d204683`](https://github.com/npm/npm/commit/d2046839d471322e61e3ceb0f00e78e5c481f967)
+  nock@2.9.1
+  ([@pgte](https://github.com/pgte))
+
 ### v2.13.3 (2015-07-23):
 
 #### I'M SAVING THE GOOD JOKES FOR MORE INTERESTING RELEASES
@@ -29,12 +303,10 @@ There's a couple of doc updates! The last one might be interesting.
   settings.
   ([@SimenB](https://github.com/SimenB))
 * [`cf09e75`](https://github.com/npm/npm/commit/cf09e754931739af32647d667b671e72a4c79081)
-
   [#9022](https://github.com/npm/npm/issues/9022) Document the `"access"` field
   in `"publishConfig"`. Did you know you don't need to use `--access=public`
   when publishing scoped packages?! Just put it in your `package.json`!
   Go refresh yourself on scopes packages by [checking our docs](https://docs.npmjs.com/getting-started/scoped-packages) on them.
-
   ([@boennemann](https://github.com/boennemann))
 * [`bfd73da`](https://github.com/npm/npm/commit/bfd73da33349cc2afb8278953b2ae16ea95023de)
   [#9013](https://github.com/npm/npm/issues/9013) fixed typo in changelog