feat: implement new npm-packlist behavior

This also lands the latest `pacote` which now requires passing in an
`Arborist` constructor for use in loading the package tree that gets
passed to `npm-packlist`.

BREAKING CHANGE: `npm pack` now follows a strict order of operations
when applying ignore rules. If a files array is present in the
package.json, then rules in .gitignore and .npmignore files from the
root will be ignored.

DEPENDENCIES.md

@@ -25,6 +25,7 @@ graph LR;
   libnpmaccess-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmaccess-->npmcli-template-oss["@npmcli/template-oss"];
   libnpmdiff-->npm-package-arg;
+  libnpmdiff-->npmcli-arborist["@npmcli/arborist"];
   libnpmdiff-->npmcli-disparity-colors["@npmcli/disparity-colors"];
   libnpmdiff-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmdiff-->npmcli-installed-package-contents["@npmcli/installed-package-contents"];
@@ -54,6 +55,7 @@ graph LR;
   libnpmorg-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmorg-->npmcli-template-oss["@npmcli/template-oss"];
   libnpmpack-->npm-package-arg;
+  libnpmpack-->npmcli-arborist["@npmcli/arborist"];
   libnpmpack-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmpack-->npmcli-run-script["@npmcli/run-script"];
   libnpmpack-->npmcli-template-oss["@npmcli/template-oss"];
@@ -139,8 +141,6 @@ graph LR;
   npm-package-arg-->semver;
   npm-package-arg-->validate-npm-package-name;
   npm-packlist-->ignore-walk;
-  npm-packlist-->npm-bundled;
-  npm-packlist-->npm-normalize-package-bin;
   npm-profile-->npm-registry-fetch;
   npm-profile-->proc-log;
   npm-registry-fetch-->make-fetch-happen;
@@ -333,6 +333,7 @@ graph LR;
   libnpmdiff-->diff;
   libnpmdiff-->minimatch;
   libnpmdiff-->npm-package-arg;
+  libnpmdiff-->npmcli-arborist["@npmcli/arborist"];
   libnpmdiff-->npmcli-disparity-colors["@npmcli/disparity-colors"];
   libnpmdiff-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmdiff-->npmcli-installed-package-contents["@npmcli/installed-package-contents"];
@@ -379,6 +380,7 @@ graph LR;
   libnpmorg-->tap;
   libnpmpack-->nock;
   libnpmpack-->npm-package-arg;
+  libnpmpack-->npmcli-arborist["@npmcli/arborist"];
   libnpmpack-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmpack-->npmcli-run-script["@npmcli/run-script"];
   libnpmpack-->npmcli-template-oss["@npmcli/template-oss"];
@@ -554,10 +556,7 @@ graph LR;
   npm-package-arg-->proc-log;
   npm-package-arg-->semver;
   npm-package-arg-->validate-npm-package-name;
-  npm-packlist-->glob;
   npm-packlist-->ignore-walk;
-  npm-packlist-->npm-bundled;
-  npm-packlist-->npm-normalize-package-bin;
   npm-pick-manifest-->npm-install-checks;
   npm-pick-manifest-->npm-normalize-package-bin;
   npm-pick-manifest-->npm-package-arg;
@@ -756,12 +755,13 @@ Each group depends on packages lower down the chain, nothing depends on
 packages higher up the chain.
 
  - npm
- - libnpmexec, libnpmfund
- - @npmcli/arborist, libnpmpublish
- - @npmcli/metavuln-calculator, libnpmdiff, libnpmpack
+ - libnpmpublish
+ - libnpmdiff, libnpmexec, libnpmfund, libnpmpack
+ - @npmcli/arborist
+ - @npmcli/metavuln-calculator
  - pacote, libnpmaccess, libnpmhook, libnpmorg, libnpmsearch, libnpmteam, npm-profile
  - npm-registry-fetch
  - make-fetch-happen, libnpmversion, @npmcli/config, init-package-json
- - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, @npmcli/git, @npmcli/run-script, npm-packlist, read-package-json, @npmcli/query, readdir-scoped-modules, promzard
- - npm-bundled, read-package-json-fast, @npmcli/fs, unique-filename, @npmcli/promise-spawn, npm-package-arg, normalize-package-data, bin-links, nopt, npm-install-checks, npmlog, dezalgo, read
+ - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, @npmcli/git, @npmcli/run-script, read-package-json, @npmcli/query, readdir-scoped-modules, promzard
+ - npm-bundled, read-package-json-fast, @npmcli/fs, unique-filename, @npmcli/promise-spawn, npm-package-arg, npm-packlist, normalize-package-data, bin-links, nopt, npm-install-checks, npmlog, dezalgo, read
  - npm-normalize-package-bin, @npmcli/name-from-folder, semver, @npmcli/move-file, fs-minipass, infer-owner, ssri, unique-slug, proc-log, @npmcli/node-gyp, hosted-git-info, validate-npm-package-name, ignore-walk, minipass-fetch, @npmcli/package-json, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, are-we-there-yet, gauge, parse-conflict-json, wrappy, treeverse, @npmcli/eslint-config, @npmcli/template-oss, @npmcli/disparity-colors, @npmcli/ci-detect, mute-stream, ini, npm-audit-report, npm-user-validate

lib/commands/cache.js

@@ -1,4 +1,5 @@
 const cacache = require('cacache')
+const Arborist = require('@npmcli/arborist')
 const { promisify } = require('util')
 const pacote = require('pacote')
 const path = require('path')
@@ -164,7 +165,7 @@ class Cache extends BaseCommand {
       return pacote.tarball.stream(spec, stream => {
         stream.resume()
         return stream.promise()
-      }, this.npm.flatOptions)
+      }, { ...this.npm.flatOptions, Arborist })
     }))
   }
 

lib/package-url-cmd.js

@@ -2,6 +2,7 @@
 
 const pacote = require('pacote')
 const hostedGitInfo = require('hosted-git-info')
+const Arborist = require('@npmcli/arborist')
 
 const openUrl = require('./utils/open-url.js')
 const log = require('./utils/log-shim')
@@ -31,6 +32,7 @@ class PackageUrlCommand extends BaseCommand {
         ...this.npm.flatOptions,
         where: this.npm.localPrefix,
         fullMetadata: true,
+        Arborist,
       }
       const mani = await pacote.manifest(arg, opts)
       const url = this.getUrl(arg, mani)

node_modules/@npmcli/metavuln-calculator/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/metavuln-calculator",
-  "version": "3.1.1",
+  "version": "4.0.0-pre.0",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -18,9 +18,6 @@
     "posttest": "npm run lint",
     "snap": "tap",
     "postsnap": "npm run lint",
-    "preversion": "npm test",
-    "postversion": "npm publish",
-    "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
     "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
@@ -29,25 +26,29 @@
   },
   "tap": {
     "check-coverage": true,
-    "coverage-map": "map.js"
+    "coverage-map": "map.js",
+    "nyc-arg": [
+      "--exclude",
+      "tap-snapshots/**"
+    ]
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.5.0",
+    "@npmcli/template-oss": "4.4.2",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
   },
   "dependencies": {
     "cacache": "^16.0.0",
     "json-parse-even-better-errors": "^2.3.1",
-    "pacote": "^13.0.3",
+    "pacote": "^14.0.0 || ^14.0.0-pre.0",
     "semver": "^7.3.5"
   },
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.5.0"
+    "version": "4.4.2"
   }
 }