upgrade npm in LTS to 2.15.4

deps/npm/AUTHORS

@@ -357,3 +357,8 @@ doug.wade <doug.wade@redfin.com>
 rhgb <kaiserdaemon@gmail.com>
 Yael <yaelz@users.noreply.github.com>
 Yann Odeyer <yann@odeyer.com>
+James Monger <jameskmonger@hotmail.co.uk>
+Paul Irish <paul.irish@gmail.com>
+Paul O'Leary McCann <polm@dampfkraft.com>
+Francis Gulotta <wizard@roborooter.com>
+Rachel Evans <git@rve.org.uk>

deps/npm/CHANGELOG.md

@@ -1,3 +1,122 @@
+### v2.15.4 (2016-04-21):
+
+Gosh, it's been a peaceful couple of weeks!
+
+Overall, the CLI team has been focused on the project to [get the test suite
+passing on Windows](https://github.com/npm/npm/pull/11444). Our efforts should
+be paying off soon -- there's only a couple of tests left!
+
+It's very unlikely those particular changes will make their way into our current
+`npm@2` LTS release, I think, but it will help `npm@3` a lot, as well as
+whatever version makes it into [`node@6`, which will eventually be the next
+Node.js LTS](https://github.com/nodejs/node/pull/6155).
+
+As far as this week goes, we've got a couple of dep updates and doc fixes.
+Always happy to see community contributions flying in. 💚
+
+#### DEP UPDATE MAGIC
+
+* [`b178c4a`](https://github.com/npm/npm/commit/b178c4ac9ce91c0a0794526a38b553c759132d18)
+  `spdx-license-ids@1.2.1`:
+  Minor project-related tweaks -- no license changes.
+  ([@shinnn](https://github.com/shinnn))
+* [`1adf179`](https://github.com/npm/npm/commit/1adf179948ab8cb97dfb2f46a61e9f37d944c42a)
+  `normalize-git-url@3.0.2`:
+  Fixes `file://` URLs on Windows. Turns out stuff like `file://C:\hello` is
+  actually fairly weird for a URL (it's not actually a valid URL, but we're just
+  gonna pretend.😉)
+  ([@zkat](https://github.com/zkat))
+* [`9cfd56c`](https://github.com/npm/npm/commit/9cfd56cdadc040c0b2fa7654cdb5e7d22dbef7cb)
+  `fs-vacuum@1.2.9`:
+  This one goes out to our fans at Big Blue: There was an AIX-specific issue
+  where `fs.rmDir` was failing with `EEXIST` instead of `ENOTEMPTY` with
+  non-empty directories.
+  ([@richardlau](https://github.com/richardlau))
+
+#### HOORAY DOC CONTRIBUTIONS
+
+No seriously, we love these. Keep 'em comin'!
+
+* [`2afe8bf`](https://github.com/npm/npm/commit/2afe8bf415a159baa181a8102f72c96e1d189bc9)
+  [#12415](https://github.com/npm/npm/pull/12415)
+  Clarify that the `--cert` and `--key` options are actual certs and keys, not
+  paths to files containing them.
+  ([@rvedotrc](https://github.com/rvedotrc))
+* [`3522560`](https://github.com/npm/npm/commit/3522560b0a4bb6c9717a34f9728f156fd9760cad)
+  [#12107](https://github.com/npm/npm/pull/12107)
+  Document `npm login` as an alias to `npm adduser`. People are still surprised
+  by this so often.
+  ([@gnerkus](https://github.com/gnerkus))
+
+### v2.15.3 (2016-03-31):
+
+Hiiiiiii!~👋
+
+We're really happy to be getting more and more community contributions! Keep it
+up! We really appreciate folks trying to help us, and we'll do our best to help
+point you in the right direction. Even things like documentation are a huge
+help. And remember -- you get socks for it, too!🎁
+
+This week is as quiet as usual, aside from fixing a regression to `npm
+deprecate` you might want to pay attention to! Other than that, just docs and
+deps, as any good LTS release train should be. 🙆
+
+#### FIXME
+
+* [`6e0b66e`](https://github.com/npm/npm/commit/6e0b66e282aa27d1b5371e2babaa859924121730)
+  [#11884](https://github.com/npm/npm/pull/11884)
+  Include `node_modules` in the list of files and directories that npm won't
+  include in packages ordinarily. (Modules listed in `bundledDependencies` and
+  things that those modules rely on, ARE included of course.)
+  ([@Jameskmonger](https://github.com/Jameskmonger))
+* [`9896290`](https://github.com/npm/npm/commit/98962909b160364030705575202ad133971033c1)
+  [#12079](https://github.com/npm/npm/pull/12079)
+  Back in `npm@2.13.1` we included [a patch that made it so `npm install pkg`
+  was basically `npm install pkg@latest` instead of
+  `pkg@*`](https://github.com/npm/npm/pull/9170) This is probably what most
+  users expected, but it also ended up [breaking `npm
+  deprecate`](https://github.com/npm/npm/pull/9170) when no version was provided
+  for a package. In that case, we were using `*` to mean "deprecate all
+  versions" and relying on the `pkg` -> `pkg@*` conversion. This patch fixes
+  `npm deprecate pkg` to work as it used to by special casing that particular
+  command's behavior.
+  ([@polm](https://github.com/polm))
+* [`6c1628f`](https://github.com/npm/npm/commit/6c1628f62b657db6c116be13849d00933a3388cd)
+  [#12146](https://github.com/npm/npm/pull/12146)
+  Adds `make doc-clean` to `prepublish` script, to clear out previously built
+  docs before publishing a new npm version.
+  ([@watilde](https://github.com/watilde))
+* [`6d3017e`](https://github.com/npm/npm/commit/6d3017e6eed8a771b395d10130ac1f498e2d3211)
+  [#12146](https://github.com/npm/npm/pull/12146)
+  Adds `doc-clean` phony target to `make publish`.
+  ([@watilde](https://github.com/watilde))
+
+#### DOCS
+
+* [`d43921c`](https://github.com/npm/npm/commit/d43921c546617cdb94bbee444d7d67ef55f38dc5)
+  [#12147](https://github.com/npm/npm/pull/12147)
+  Document that the current behavior of `engines` is just to warn if the node
+  platform is incompatible.
+  ([@reconbot](https://github.com/reconbot))
+* [`3cfe99e`](https://github.com/npm/npm/commit/3cfe99e3a757c5d8cbb1c2789410e9802563abac)
+  [#12093](https://github.com/npm/npm/pull/12093)
+  Update `bugs` url in `package.json` to use the `https` URL for Github.
+  ([@watilde](https://github.com/watilde))
+* [`ecf865f`](https://github.com/npm/npm/commit/ecf865f4eed1419c75442e0d52bc34ba1647de15)
+  [#12075](https://github.com/npm/npm/pull/12075)
+  Add the `--ignore-scripts` flag to the `npm install` docs.
+  ([@paulirish](https://github.com/paulirish))
+* [`f0e6db3`](https://github.com/npm/npm/commit/f0e6db32827d88680ef2320e60c0863754a4fbc5)
+  [#12063](https://github.com/npm/npm/pull/12063)
+  Various minor fixes to the html docs homepage.
+  ([@watilde](https://github.com/watilde))
+
+#### DEPS
+
+* [`e2660de`](https://github.com/npm/npm/commit/e2660de1c08ed68a1c6fc4ee75d10376595979be)
+  `npmlog@2.0.3`
+  ([@iarna](https://github.com/iarna))
+
 ### v2.15.2 (2016-03-24):
 
 It's always nice to see new contributors. 💚
@@ -44,9 +163,62 @@ we'll link to that in the (near?) future, when it's ready to roll out.
 
 ### v2.15.1 (2016-03-17):
 
-It's another one of those releases again! Docs and tests, it turns out, have a
-pretty easy time getting into LTS releases, and boring is exactly how LTS should
-be. 💁
+#### SECURITY ADVISORY: BEARER TOKEN DISCLOSURE
+
+This release includes [the fix for a
+vulnerability](https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401)
+that could cause the unintentional leakage of bearer tokens.
+
+Here are details on this vulnerability and how it affects you.
+
+##### DETAILS
+
+Since 2014, npm’s registry has used HTTP bearer tokens to authenticate requests
+from the npm’s command-line interface. A design flaw meant that the CLI was
+sending these bearer tokens with _every_ request made by logged-in users,
+regardless of the destination of their request. (The bearers only should have
+been included for requests made against a registry or registries used for the
+current install.)
+
+An attacker could exploit this flaw by setting up an HTTP server that could
+collect authentication information, then use this authentication information to
+impersonate the users whose tokens they collected. This impersonation would
+allow them to do anything the compromised users could do, including publishing
+new versions of packages.
+
+With the fixes we’ve released, the CLI will only send bearer tokens with
+requests made against a registry.
+
+##### THINK YOU'RE AT RISK? REGENERATE YOUR TOKENS
+
+If you believe that your bearer token may have been leaked, [invalidate your
+current npm bearer tokens](https://www.npmjs.com/settings/tokens) and rerun
+`npm login` to generate new tokens. Keep in mind that this may cause continuous
+integration builds in services like Travis to break, in which case you’ll need
+to update the tokens in your CI server’s configuration.
+
+##### WILL THIS BREAK MY CURRENT SETUP?
+
+Maybe.
+
+npm’s CLI team believes that the fix won’t break any existing registry setups.
+Due to the large number of registry software suites out in the wild, though,
+it’s possible our change will be breaking in some cases.
+
+If so, please [file an issue](https://github.com/npm/npm/issues/new) describing
+the software you’re using and how it broke. Our team will work with you to
+mitigate the breakage.
+
+##### CREDIT & THANKS
+
+Thanks to Mitar, Will White & the team at Mapbox, Max Motovilov, and James
+Taylor for reporting this vulnerability to npm.
+
+### BACK TO YOUR REGULARLY SCHEDULED PROGRAMMING
+
+Aside from that, it's another one of those releases again! Docs and tests, it
+turns out, have a pretty easy time getting into LTS releases, and boring is
+exactly how LTS should be. 💁
 
 #### DOCS
 

deps/npm/Makefile

@@ -176,7 +176,7 @@ test: doc
 tag:
 	npm tag npm@$(PUBLISHTAG) latest
 
-publish: link doc
+publish: link doc-clean doc
 	@git push origin :v$(shell npm -v) 2>&1 || true
 	git clean -fd &&\
 	git push origin $(BRANCH) &&\

deps/npm/bin/node-gyp-bin/node-gyp.cmd

@@ -1,5 +1,5 @@
-if not defined npm_config_node_gyp (
-  node "%~dp0\..\..\node_modules\node-gyp\bin\node-gyp.js" %*
-) else (
-  node "%npm_config_node_gyp%" %*
-)
+if not defined npm_config_node_gyp (
+  node "%~dp0\..\..\node_modules\node-gyp\bin\node-gyp.js" %*
+) else (
+  node "%npm_config_node_gyp%" %*
+)

deps/npm/bin/npm.cmd

@@ -1,19 +1,19 @@
-:: Created by npm, please don't edit manually.
-@ECHO OFF
-
-SETLOCAL
-
-SET "NODE_EXE=%~dp0\node.exe"
-IF NOT EXIST "%NODE_EXE%" (
-  SET "NODE_EXE=node"
-)
-
-SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"
-FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (
-  SET "NPM_PREFIX_NPM_CLI_JS=%%F\node_modules\npm\bin\npm-cli.js"
-)
-IF EXIST "%NPM_PREFIX_NPM_CLI_JS%" (
-  SET "NPM_CLI_JS=%NPM_PREFIX_NPM_CLI_JS%"
-)
-
-"%NODE_EXE%" "%NPM_CLI_JS%" %*
+:: Created by npm, please don't edit manually.
+@ECHO OFF
+
+SETLOCAL
+
+SET "NODE_EXE=%~dp0\node.exe"
+IF NOT EXIST "%NODE_EXE%" (
+  SET "NODE_EXE=node"
+)
+
+SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"
+FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (
+  SET "NPM_PREFIX_NPM_CLI_JS=%%F\node_modules\npm\bin\npm-cli.js"
+)
+IF EXIST "%NPM_PREFIX_NPM_CLI_JS%" (
+  SET "NPM_CLI_JS=%NPM_PREFIX_NPM_CLI_JS%"
+)
+
+"%NODE_EXE%" "%NPM_CLI_JS%" %*

deps/npm/doc/cli/npm-install.md

@@ -250,6 +250,9 @@ local copy exists on disk.
 The `--global` argument will cause npm to install the package globally
 rather than locally.  See `npm-folders(5)`.
 
+The `--ignore-scripts` argument will cause npm to not execute any
+scripts defined in the package.json. See `npm-scripts(7)`.
+
 The `--link` argument will cause npm to link global installs into the
 local space in some cases.
 

deps/npm/doc/cli/npm-version.md

@@ -16,7 +16,7 @@ valid second argument to semver.inc (one of `patch`, `minor`, `major`,
 the existing version will be incremented by 1 in the specified field.
 
 If run in a git repo, it will also create a version commit and tag.
-This behavior is controlled by `git-tag-version` (see below), and can
+This behavior is controlled by `git-tag-version` (see below), and can 
 be disabled on the command line by running `npm --no-git-tag-version version`.
 It will fail if the working directory is not clean, unless the `--force`
 flag is set.
@@ -51,12 +51,12 @@ The exact order of execution is as follows:
   2. Run the `preversion` script. These scripts have access to the old `version` in package.json.
      A typical use would be running your full test suite before deploying.
      Any files you want added to the commit should be explicitly added using `git add`.
-  3. Bump `version` in `package.json` as requested (`patch`, `minor`, `major`, etc).
+  3. Bump `version` in `package.json` as requested (`patch`, `minor`, `major`, etc). 
   4. Run the `version` script. These scripts have access to the new `version` in package.json
-     (so they can incorporate it into file headers in generated files for example).
+     (so they can incorporate it into file headers in generated files for example). 
      Again, scripts should explicitly add generated files to the commit using `git add`.
   5. Commit and tag.
-  6. Run the `postversion` script. Use it to clean up the file system or automatically push
+  6. Run the `postversion` script. Use it to clean up the file system or automatically push 
      the commit and/or tag.
 
 Take the following example:

deps/npm/doc/files/npm-folders.md

@@ -20,9 +20,9 @@ This document will tell you what it puts where.
 ### prefix Configuration
 
 The `prefix` config defaults to the location where node is installed.
-On most systems, this is `/usr/local`. On windows, this is the exact
-location of the node.exe binary.  On Unix systems, it's one level up,
-since node is typically installed at `{prefix}/bin/node` rather than
+On most systems, this is `/usr/local`. On windows, this is the exact 
+location of the node.exe binary.  On Unix systems, it's one level up, 
+since node is typically installed at `{prefix}/bin/node` rather than 
 `{prefix}/node.exe`.
 
 When the `global` flag is set, npm installs things into this prefix.

deps/npm/doc/files/package.json.md

@@ -204,6 +204,7 @@ Conversely, some files are always ignored:
 * `._*`
 * `npm-debug.log`
 * `.npmrc`
+* `node_modules`
 
 ## main
 
@@ -644,8 +645,8 @@ are capable of properly installing your program.  For example:
 
     { "engines" : { "npm" : "~1.0.20" } }
 
-Note that, unless the user has set the `engine-strict` config flag, this
-field is advisory only.
+Unless the user has set the `engine-strict` config flag, this
+field is advisory only will produce warnings when your package is installed as a dependency.
 
 ## engineStrict
 

deps/npm/doc/misc/npm-config.md

@@ -228,7 +228,12 @@ explicitly used, and that only GET requests use the cache.
 * Default: `null`
 * Type: String
 
-A client certificate to pass when accessing the registry.
+A client certificate to pass when accessing the registry.  Values should be in
+PEM format with newlines replaced by the string "\n". For example:
+
+    cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
+
+It is _not_ the path to a certificate file (and there is no "certfile" option).
 
 ### color
 
@@ -470,7 +475,12 @@ change.  Only the output from `npm ls --json` is currently valid.
 * Default: `null`
 * Type: String
 
-A client key to pass when accessing the registry.
+A client key to pass when accessing the registry.  Values should be in PEM
+format with newlines replaced by the string "\n". For example:
+
+    key="-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----"
+
+It is _not_ the path to a key file (and there is no "keyfile" option).
 
 ### link
 

deps/npm/doc/misc/npm-orgs.md

@@ -7,7 +7,7 @@ There are three levels of org users:
 
 1. Super admin, controls billing & adding people to the org.
 2. Team admin, manages team membership & package access.
-3. Developer, works on packages they are given access to.
+3. Developer, works on packages they are given access to.  
 
 The super admin is the only person who can add users to the org because it impacts the monthly bill. The super admin will use the website to manage membership. Every org has a `developers` team that all users are automatically added to.
 
@@ -51,7 +51,7 @@ npm init --scope=<org>
 ```
 to scope it for your org & publish as usual
 
-* Grant access:
+* Grant access:  
 
 ```
 npm access grant <read-only|read-write> <org:team> [<package>]

deps/npm/doc/misc/npm-registry.md

@@ -31,7 +31,7 @@ similar) design doc to implement the APIs.
 If you set up continuous replication from the official CouchDB, and then
 set your internal CouchDB as the registry config, then you'll be able
 to read any published packages, in addition to your private ones, and by
-default will only publish internally.
+default will only publish internally. 
 
 If you then want to publish a package for the whole world to see, you can
 simply override the `--registry` option for that `publish` command.

deps/npm/html/doc/README.html

@@ -127,5 +127,5 @@ <h2 id="see-also">SEE ALSO</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@2.15.2</p>
+<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@2.15.4</p>
 

deps/npm/html/doc/api/npm-bin.html

@@ -28,5 +28,5 @@ <h2 id="synopsis">SYNOPSIS</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-bin &mdash; npm@2.15.2</p>
+<p id="footer">npm-bin &mdash; npm@2.15.4</p>
 

deps/npm/html/doc/api/npm-bugs.html

@@ -33,5 +33,5 @@ <h2 id="synopsis">SYNOPSIS</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-bugs &mdash; npm@2.15.2</p>
+<p id="footer">npm-bugs &mdash; npm@2.15.4</p>