Canary

AUTHORS

@@ -591,3 +591,8 @@ Darryl Pogue <dvpdiner2@gmail.com>
 Rick Schubert <rickschubert@gmx.de>
 Daniel W <dwilches@gmail.com>
 XhmikosR <xhmikosr@gmail.com>
+Martin Kühl <mkhl@users.noreply.github.com>
+Valentin Ouvrard <valentin210594@gmail.com>
+Noah Benham <noahbenham@users.noreply.github.com>
+Brian Olore <brian@olore.net>
+Mat Warger <mwarger@gmail.com>

CHANGELOG.md

@@ -1,3 +1,92 @@
+## v6.4.0 (2018-09-08):
+
+### NEW FEATURES
+
+* [`6e9f04b0b`](https://github.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7)
+  [npm/cli#8](https://github.com/npm/cli/pull/8)
+  Search for authentication token defined by environment variables by preventing
+  the translation layer from env variable to npm option from breaking
+  `:_authToken`.
+  ([@mkhl](https://github.com/mkhl))
+* [`84bfd23e7`](https://github.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022)
+  [npm/cli#35](https://github.com/npm/cli/pull/35)
+  Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually
+  use IPv6 addresses when it must.
+  ([@valentin2105](https://github.com/valentin2105))
+* [`792c8c709`](https://github.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd)
+  [npm/cli#31](https://github.com/npm/cli/pull/31)
+  configurable audit level for non-zero exit
+  `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level.
+  Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found.
+  Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected.
+  ([@lennym](https://github.com/lennym))
+
+### BUGFIXES
+
+* [`d81146181`](https://github.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c)
+  [npm/cli#32](https://github.com/npm/cli/pull/32)
+  Don't check for updates to npm when we are updating npm itself.
+  ([@olore](https://github.com/olore))
+
+### DEPENDENCY UPDATES
+
+A very special dependency update event! Since the [release of
+`node-gyp@3.8.0`](https://github.com/nodejs/node-gyp/pull/1521), an awkward
+version conflict that was preventing `request` from begin flattened was
+resolved. This means two things:
+
+1. We've cut down the npm tarball size by another 200kb, to 4.6MB
+2. `npm audit` now shows no vulnerabilities for npm itself!
+
+Thanks, [@rvagg](https://github.com/rvagg)!
+
+* [`866d776c2`](https://github.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6)
+  `request@2.87.0`
+  ([@simov](https://github.com/simov))
+* [`f861c2b57`](https://github.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f)
+  `node-gyp@3.8.0`
+  ([@rvagg](https://github.com/rvagg))
+* [`32e6947c6`](https://github.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9)
+  [npm/cli#39](https://github.com/npm/cli/pull/39)
+  `colors@1.1.2`:
+  REVERT REVERT, newer versions of this library are broken and print ansi
+  codes even when disabled.
+  ([@iarna](https://github.com/iarna))
+* [`beb96b92c`](https://github.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335)
+  `libcipm@2.0.1`
+  ([@zkat](https://github.com/zkat))
+* [`348fc91ad`](https://github.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1)
+  `validate-npm-package-license@3.0.4`: Fixes errors with empty or string-only
+  license fields.
+  ([@Gudahtt](https://github.com/Gudahtt))
+* [`e57d34575`](https://github.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550)
+  `iferr@1.0.2`
+  ([@shesek](https://github.com/shesek))
+* [`46f1c6ad4`](https://github.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c)
+  `tar@4.4.6`
+  ([@isaacs](https://github.com/isaacs))
+* [`50df1bf69`](https://github.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561)
+  `hosted-git-info@2.7.1`
+  ([@iarna](https://github.com/iarna))
+  ([@Erveon](https://github.com/Erveon))
+  ([@huochunpeng](https://github.com/huochunpeng))
+
+### DOCUMENTATION
+
+* [`af98e76ed`](https://github.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a)
+  [npm/cli#34](https://github.com/npm/cli/pull/34)
+  Remove `npm publish` from list of commands not affected by `--dry-run`.
+  ([@joebowbeer](https://github.com/joebowbeer))
+* [`e2b0f0921`](https://github.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce)
+  [npm/cli#36](https://github.com/npm/cli/pull/36)
+  Tweak formatting in repository field examples.
+  ([@noahbenham](https://github.com/noahbenham))
+* [`e2346e770`](https://github.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a)
+  [npm/cli#14](https://github.com/npm/cli/pull/14)
+  Used `process.env` examples to make accessing certain `npm run-scripts`
+  environment variables more clear.
+  ([@mwarger](https://github.com/mwarger))
+
 ## v6.3.0 (2018-08-01):
 
 This is basically the same as the prerelease, but two dependencies have been

README.md

@@ -3,6 +3,14 @@ npm(1) -- a JavaScript package manager
 
 [![Build Status](https://img.shields.io/travis/npm/cli/latest.svg)](https://travis-ci.org/npm/cli)
 
+# NOTE: This is a "Canary" version of npm itself!
+
+This version of npm is meant to be rapid-release and unstable, essentially
+tracking `release-next` on the main npm repository (but not necessarily).
+
+The code in this package might be experimental, unreviewed, or have specific
+errors while adding other features.
+
 ## SYNOPSIS
 
 This is just enough info to get you up and running.

bin/npm-cli.js

@@ -69,12 +69,15 @@
     npm.command = 'help'
   }
 
+  var isGlobalNpmUpdate = conf.global && ['install', 'update'].includes(npm.command) && npm.argv.includes('npm')
+
   // now actually fire up npm and run the command.
   // this is how to use npm programmatically:
   conf._exit = true
   npm.load(conf, function (er) {
     if (er) return errorHandler(er)
     if (
+      !isGlobalNpmUpdate &&
       npm.config.get('update-notifier') &&
       !unsupported.checkVersion(process.version).unsupported
     ) {

doc/cli/npm-archive.md

@@ -0,0 +1,85 @@
+npm-archive(1) -- Project-local dependency tarball archive
+===================================
+
+## SYNOPSIS
+
+    npm archive
+
+## EXAMPLE
+
+Make sure you have a package-lock and an up-to-date install:
+
+```
+$ cd ./my/npm/project
+$ npm install
+added 154 packages in 10s
+$ ls | grep package-lock
+```
+
+Run `npm archive` in that project
+
+```
+$ npm archive
+added 1964 packages in 4.103s
+```
+
+Commit the newly-created `archived-packages/` directory and the modified `package-lock.json`
+
+```
+$ git add package-lock.json archived-packages/
+$ git commit -m 'misc: committing dependency archive'
+```
+
+Add a dependency as usual -- its archive will be automatically managed.
+
+```
+$ npm i aubergine
+added 1 package from 1 contributor in 5s
+$ git status
+ M package-lock.json
+ M package.json
+?? archived-packages/aubergine-1.0.1-46c5742af.tar
+$ git add archived-packages package-lock.json package.json
+$ git commit -m 'deps: aubergine@1.0.1'
+```
+
+The inverse happens when a package is removed.
+
+You can then install normally using `npm-ci(1)` or `npm-install(1)`!
+
+```
+$ npm ci
+added 1965 packages in 10.5s
+```
+
+Finally, you can remove and disable the archive, restoring `package-lock.json` its normal state, by using `npm-unarchive(1)`.
+
+```
+$ npm unarchive
+
+```
+## DESCRIPTION
+
+This command generates a committable archive of your project's dependencies. There are several benefits to this:
+
+1. Offline installs without having to warm up npm's global cache
+2. No need for configuring credentials for dependency fetching
+3. Much faster installs vs standard CI configurations
+4. No need to have a `git` binary present in the system
+5. Reduced download duplication across teams
+
+`npm-archive` works by generating tarballs for your dependencies, unzipping them, and storing them in a directory called `archived-packages/`. It then rewrites your `package-lock.json` (or `npm-shrinkwrap.json`) such that the `resolved` field on those dependencies refers to the path in `archived-packages/`.
+
+npm will detect these `file:` URLs and extract package data directly from them instead of the registry, git repositories, etc.
+
+When installing or removing dependencies, npm will look for `archived-packages/` and switch to an "archive mode", which will automatically update archive files and information on every relevant npm operation. Remember to commit the directory, not just `package-lock.json`!
+
+As an added benefit, `npm-archive` will generate tarballs for all your git dependencies and pre-pack them, meaning npm will not need to invoke the git binary or go through other heavy processes git dependencies go to -- making git deps as fast as registry dependencies when reinstalling from an archive.
+
+If specific tarballs are removed from the archive, npm will fall back to standard behavior for fetching dependencies: first checking its global cache, then going out and fetching the dependency from its origin. To regenerate the tarball for a package after removing it, just reinstall the package while in archive mode.
+
+## SEE ALSO
+
+* npm-unarchive(1)
+* npm-package-locks(5)
+* npm-ci(1)

doc/cli/npm-unarchive.md

@@ -0,0 +1,25 @@
+npm-unarchive(1) -- Restore project to a non-archived state.
+===================================
+
+## SYNOPSIS
+
+    npm unarchive
+
+## EXAMPLE
+
+```
+$ npm unarchive
+archive information and tarballs removed
+```
+## DESCRIPTION
+
+This command undoes the work of `npm-archive(1)` by doing the following:
+
+1. Removes the `archived-packages/` directory.
+2. Restores the entires in `package-lock.json` to use non-`file:` resolved URLs and updates their `integrity` fields.
+3. Removes `node_modules/` to prevent archive-related changes from affecting future installs.
+
+## SEE ALSO
+
+* npm-archive(1)
+* npm-package-locks(5)

doc/files/package.json.md

@@ -366,15 +366,15 @@ command will be able to find you.
 
 Do it like this:
 
-    "repository" :
-      { "type" : "git"
-      , "url" : "https://github.com/npm/cli.git"
-      }
+    "repository": {
+      "type" : "git",
+      "url" : "https://github.com/npm/cli.git"
+    }
 
-    "repository" :
-      { "type" : "svn"
-      , "url" : "https://v8.googlecode.com/svn/trunk/"
-      }
+    "repository": {
+      "type" : "svn",
+      "url" : "https://v8.googlecode.com/svn/trunk/"
+    }
 
 The URL should be a publicly available (perhaps read-only) url that can be handed
 directly to a VCS program without any modification.  It should not be a url to an

doc/misc/npm-config.md

@@ -164,6 +164,26 @@ When "true" submit audit reports alongside `npm install` runs to the default
 registry and all registries configured for scopes.  See the documentation
 for npm-audit(1) for details on what is submitted.
 
+### audit-level
+
+* Default: `"low"`
+* Type: `'low'`, `'moderate'`, `'high'`, `'critical'`
+
+The minimum level of vulnerability for `npm audit` to exit with
+a non-zero exit code.
+
+### archive
+
+* Default: true
+* Type: Boolean
+
+If false (with `--no-archive`), an existing `archived-packages/` directory
+will not be modified on save.
+
+This flag has no effect if the archive directory does not alredy exist.
+
+See also npm-archive(1).
+
 ### auth-type
 
 * Default: `'legacy'`
@@ -331,8 +351,8 @@ Install `dev-dependencies` along with packages.
 Indicates that you don't want npm to make any changes and that it should
 only report what it would have done.  This can be passed into any of the
 commands that modify your local installation, eg, `install`, `update`,
-`dedupe`, `uninstall`.  This is NOT currently honored by network related
-commands, eg `dist-tags`, `owner`, `publish`, etc.
+`dedupe`, `uninstall`.  This is NOT currently honored by some network related
+commands, eg `dist-tags`, `owner`, etc.
 
 ### editor
 

doc/misc/npm-scripts.md

@@ -143,7 +143,9 @@ The package.json fields are tacked onto the `npm_package_` prefix. So,
 for instance, if you had `{"name":"foo", "version":"1.2.5"}` in your
 package.json file, then your package scripts would have the
 `npm_package_name` environment variable set to "foo", and the
-`npm_package_version` set to "1.2.5"
+`npm_package_version` set to "1.2.5".  You can access these variables 
+in your code with `process.env.npm_package_name` and 
+`process.env.npm_package_version`, and so on for other fields.
 
 ### configuration
 

doc/spec/file-specifiers.md

@@ -55,9 +55,6 @@ note for the `npm-shrinkwrap.json` as it means the specifier there will
 be different then the original `package.json` (where it was relative to that
 `package.json`).
 
-# No, for `file:` type specifiers, we SHOULD shrinkwrap.  Other symlinks we
-# should not. Other symlinks w/o the link spec should be an error.
-
 When shrinkwrapping file specifiers, the contents of the destination
 package's `node_modules` WILL NOT be included in the shrinkwrap. If you want to lock
 down the destination package's `node_modules` you should create a shrinkwrap for it

lib/archive.js

@@ -0,0 +1,63 @@
+'use strict'
+
+const BB = require('bluebird')
+
+const MyPrecious = require('libprecious')
+const npm = require('./npm.js')
+const npmlog = require('npmlog')
+const pacoteOpts = require('./config/pacote.js')
+const path = require('path')
+
+const statAsync = BB.promisify(require('fs').stat)
+
+archive.usage = 'npm archive\nnpm archive restore'
+
+archive.completion = (cb) => cb(null, [])
+
+MyPrecious.PreciousConfig.impl(npm.config, {
+  get: npm.config.get,
+  set: npm.config.set,
+  toPacote (moreOpts) {
+    return pacoteOpts(moreOpts)
+  }
+})
+
+module.exports = archive
+function archive (args, cb) {
+  BB.resolve(_archive()).nodeify(cb)
+}
+
+function _archive (args) {
+  // TODO - is this the right path?...
+  return statAsync(path.join(npm.prefix, 'archived-packages'))
+  .catch((err) => { if (err.code !== 'ENOENT') { throw err } })
+  .then((stat) => {
+    const archiveExists = stat && stat.isDirectory()
+    return new MyPrecious({
+      config: npm.config,
+      log: npmlog
+    })
+    .run()
+    .then((details) => {
+      if (!archiveExists) {
+        npmlog.notice('archive', 'created new package archive as `archived-packages/`. Future installations will prioritize packages in this directory.')
+      }
+      const clauses = []
+      if (!details.pkgCount && !details.removed) {
+        clauses.push('done')
+      }
+      if (details.pkgCount) {
+        clauses.push(`archived ${details.pkgCount} package${
+          details.pkgCount === 1 ? '' : 's'
+        }`)
+      }
+      if (details.removed) {
+        clauses.push(`cleaned up ${details.pkgCount} archive${
+          details.removed === 1 ? '' : 's'
+        }`)
+      }
+      const time = details.runTime / 1000
+      console.error(`${clauses.join(' and ')} in ${time}s`)
+    })
+  })
+}