This lets you run *any* npm command on the bundle, by doing `npm bundle <cmd>`, so you can use it to list bundled packages, remove them, put things in the bundle cache, etc.
This way, timing issues and such are easier to detect. In node, stderr is generally blocking anyway. Additionally, this seems to avoid the repeated kernel panics on Mac OS X when doing a lot of log calls and stdout writing mixed together.
Don't install stuff that's already bundled, because that's silly and pointless.
This adds two things:

1. When creating a tarball in the cache at .npm/.cache/name/version/package.tgz, also calculate a shasum of the data, and add it to the cached data. This is what is used when publishing, so that's what ends up in the registry, and is based on the actual tarball which is uploaded.
2. When downloading a tarball from the registry, and saving it to a temporary location, validate that the temporary tarball file's shasum matches what is stored in the registry.

It is possible to make this much more efficient, simpler, and more secure, in the following ways:

1. Whenever unpacking a tarball in the unpackTar function, the bytes are being passed from the FileReadStream into a gzip child process. Those bytes could be forked to the sha1 Hash at that time.
2. When a package is uploaded, the bytes are pumped to an http request. They could be hashed at that time, and then added to the published json data right before the second write.
3. When a tarball is downloaded, the bytes are pumped from the http request to a (manual) FileWriteStream. They could be hashed there and tested at the end of the download.

Ideally, there should be some checksumming pump function that npm used internally that would capture the state of every pump action, and provide the shasum to the callback. Then, it would even be possible to shasum the gzipped tarball, as well as the tar file itself, and eventually perhaps even all of the files within.