deps: update npm to 5.5.1

Closes: #16280

PR-URL: #16509
Fixes: #14161
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>

Author: MylesBorins

deps/npm/CHANGELOG.md

@@ -1,3 +1,118 @@
+## v5.5.1 (2017-10-04):
+
+A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.
+
+* [`e628e058b`](https://github.com/npm/npm/commit/e628e058b)
+  Fix login to properly recognize OTP request and store bearer tokens.
+  ([@Rebecca Turner](https://github.com/Rebecca Turner))
+
+## v5.5.0 (2017-10-04):
+
+Hey y'all, this is a big new feature release!  We've got some security
+related goodies plus a some quality-of-life improvements for anyone who uses
+the public registry (so, virtually everyone).
+
+The changes largely came together in one piece, so I'm just gonna leave the commit line here:
+
+* [`f6ebf5e8b`](https://github.com/npm/npm/commit/f6ebf5e8bd6a212c7661e248c62c423f2b54d978)
+  [`f97ad6a38`](https://github.com/npm/npm/commit/f97ad6a38412581d059108ea29be470acb4fa510)
+  [`f644018e6`](https://github.com/npm/npm/commit/f644018e6ef1ff7523c6ec60ae55a24e87a9d9ae)
+  [`8af91528c`](https://github.com/npm/npm/commit/8af91528ce6277cd3a8c7ca8c8102671baf10d2f)
+  [`346a34260`](https://github.com/npm/npm/commit/346a34260b5fba7de62717135f3e083cc4820853)
+  Two factor authentication, profile editing and token management.
+  ([@iarna](https://github.com/iarna))
+
+### TWO FACTOR AUTHENTICATION
+
+You can now enable two-factor authentication for your npm account.  You can
+even do it from the CLI.  In fact, you have to, for the time being:
+
+```
+npm profile enable-tfa
+```
+
+With the default two-factor authentication mode you'll be prompted to enter
+a one-time password when logging in, when publishing and when modifying access rights to
+your modules.
+
+### TOKEN MANAGEMENT
+
+You can now create, list and delete authentication tokens from the comfort
+of the command line.  Authentication tokens created this way can have NEW
+restrictions placed on them.  For instance, you can create a `read-only`
+token to give to your CI.  It will be able to download your private modules
+but it won't be able to publish or modify modules.  You can also create
+tokens that can only be used from certain network addresses.  This way you
+can lock down access to your corporate VPN or other trusted machines.
+
+Deleting tokens isn't new, you could [do it via the
+website](https://www.npmjs.com/settings/tokens) but now you can do it via
+the CLI as well.
+
+### CHANGE YOUR PASSWORD, SET YOUR EMAIL
+
+You can finally change your password from the CLI with `npm profile set
+password`!  You can also update your email address with `npm profile set
+email <address>`. If you change your email address we'll send you a new
+verification email so you verify that its yours.
+
+### AND EVERYTHING ELSE ON YOUR PROFILE
+
+You can also update all of the other attributes of your profile that
+previously you could only update via the website: `fullname`, `homepage`,
+`freenode`, `twitter` and `github`.
+
+### AVAILABLE STAND ALONE
+
+All of these features were implemented in a stand alone library, so if you
+have use for them in your own project you can find them in
+[npm-profile](https://www.npmjs.com/package/npm-profile) on the registry.
+There's also a little mini-cli written just for it at
+[npm-profile-cli](https://www.npmjs.com/package/npm-profile-cli).  You might
+also be interested in the [API
+documentation](https://github.com/npm/registry/tree/master/docs) for these
+new features: [user profile editing](https://github.com/npm/registry/blob/master/docs/user/profile.md) and
+[authentication](https://github.com/npm/registry/blob/master/docs/user/authentication.md).
+
+### BUG FIXES
+
+* [`5ee55dc71`](https://github.com/npm/npm/commit/5ee55dc71b8b74b8418c3d5ec17483a07b3b6777)
+  install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on
+  any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying
+  to upgrade using `curl | http://npmjs.com/install.sh`.
+  ([@iarna](https://github.com/iarna))
+* [`5cad1699a`](https://github.com/npm/npm/commit/5cad1699a7a0fc85ac7f77a95087a9647f75e344)
+  `npm-lifecycle@1.0.3` Fix a bug where when more than one lifecycle script
+  got queued to run, npm would crash.
+  ([@zkat](https://github.com/zkat))
+* [`cd256cbb2`](https://github.com/npm/npm/commit/cd256cbb2f97fcbcb82237e94b66eac80e493626)
+  `npm-packlist@1.1.9` Fix a bug where test directories would always be
+  excluded from published modules.
+  ([@isaacs](https://github.com/isaacs))
+* [`2a11f0215`](https://github.com/npm/npm/commit/2a11f021561acb1eb1ad4ad45ad955793b1eb4af)
+  Fix formatting of unsupported version warning
+  ([@iarna](https://github.com/iarna))
+
+### DEPENDENCY UPDATES
+
+* [`6d2a285a5`](https://github.com/npm/npm/commit/6d2a285a58655f10834f64d38449eb1f3c8b6c47)
+  `npm-registry-client@8.5.0`
+* [`69e64e27b`](https://github.com/npm/npm/commit/69e64e27bf58efd0b76b3cf6e8182c77f8cc452f)
+  `request@2.83.0`
+* [`34e0f4209`](https://github.com/npm/npm/commit/34e0f42090f6153eb5462f742e402813e4da56c8)
+  `abbrev@1.1.1`
+* [`10d31739d`](https://github.com/npm/npm/commit/10d31739d39765f1f0249f688bd934ffad92f872)
+  `aproba@1.2.0`
+* [`2b02e86c0`](https://github.com/npm/npm/commit/2b02e86c06cf2a5fe7146404f5bfd27f190ee4f4)
+  `meant@1.0.1`
+* [`b81fff808`](https://github.com/npm/npm/commit/b81fff808ee269361d3dcf38c1b6019f1708ae02)
+  `rimraf@2.6.2`:
+  Fixes a long standing bug in rimraf's attempts to work around Windows limitations
+  where it owns a file and can change its perms but can't remove it without
+  first changing its perms. This _may_ be an improvement for Windows users of npm under
+  some circumstances.
+  ([@isaacs](https://github.com/isaacs))
+
 ## v5.4.2 (2017-09-14):
 
 This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.

deps/npm/doc/cli/npm-access.md

@@ -60,6 +60,9 @@ You must have privileges to set the access of a package:
 * You have been given read-write privileges for a package, either as a member
   of a team or directly as an owner.
 
+If you have two-factor authentication enabled then you'll have to pass in an
+otp with `--otp` when making access changes.
+
 If your account is not paid, then attempts to publish scoped packages will fail
 with an HTTP 402 status code (logically enough), unless you use
 `--access=public`.

deps/npm/doc/cli/npm-dist-tag.md

@@ -15,7 +15,9 @@ Add, remove, and enumerate distribution tags on a package:
 
 * add:
   Tags the specified version of the package with the specified tag, or the
-  `--tag` config if not specified.
+  `--tag` config if not specified. The tag you're adding is `latest` and you
+  have two-factor authentication on auth-and-writes then you'll need to include
+  an otp on the command line with `--otp`.
 
 * rm:
   Clear a tag that is no longer in use from the package.

deps/npm/doc/cli/npm-owner.md

@@ -27,6 +27,10 @@ Note that there is only one level of access.  Either you can modify a package,
 or you can't.  Future versions may contain more fine-grained access levels, but
 that is not implemented at this time.
 
+If you have two-factor authentication enabled with `auth-and-writes` then
+you'll need to include an otp on the command line when changing ownership
+with `--otp`.
+
 ## SEE ALSO
 
 * npm-publish(1)

deps/npm/doc/cli/npm-profile.md

@@ -0,0 +1,74 @@
+npm-profile(1) -- Change settings on your registry profile
+==========================================================
+
+## SYNOPSIS
+
+    npm profile get [--json|--parseable] [<property>]
+    npm profile set [--json|--parseable] <property> <value>
+    npm profile set password
+    npm profile enable-2fa [auth-and-writes|auth-only]
+    npm profile disable-2fa
+
+## DESCRIPTION
+
+Change your profile information on the registry.  This not be available if
+you're using a non-npmjs registry.
+
+* `npm profile get [<property>]`:
+  Display all of the properties of your profile, or one or more specific
+  properties.  It looks like:
+
+```
++-----------------+---------------------------+
+| name            | example                   |
++-----------------+---------------------------+
+| email           | me@example.com (verified) |
++-----------------+---------------------------+
+| two factor auth | auth-and-writes           |
++-----------------+---------------------------+
+| fullname        | Example User              |
++-----------------+---------------------------+
+| homepage        |                           |
++-----------------+---------------------------+
+| freenode        |                           |
++-----------------+---------------------------+
+| twitter         |                           |
++-----------------+---------------------------+
+| github          |                           |
++-----------------+---------------------------+
+| created         | 2015-02-26T01:38:35.892Z  |
++-----------------+---------------------------+
+| updated         | 2017-10-02T21:29:45.922Z  |
++-----------------+---------------------------+
+```
+
+* `npm profile set <property> <value>`:
+  Set the value of a profile property. You can set the following properties this way:
+    email, fullname, homepage, freenode, twitter, github
+
+* `npm profile set password`:
+  Change your password.  This is interactive, you'll be prompted for your
+  current password and a new password.  You'll also be prompted for an OTP
+  if you have two-factor authentication enabled.
+
+* `npm profile enable-2fa [auth-and-writes|auth-only]`:
+  Enables two-factor authentication. Defaults to `auth-and-writes` mode. Modes are:
+  * `auth-only`: Require an OTP when logging in or making changes to your
+    account's authentication.  The OTP will be required on both the website
+    and the command line.
+  * `auth-and-writes`: Requires an OTP at all the times `auth-only` does, and also requires one when
+    publishing a module, setting the `latest` dist-tag, or changing access
+    via `npm access` and `npm owner`.
+
+* `npm profile disable-2fa`:
+  Disables two-factor authentication.
+
+## DETAILS
+
+All of the `npm profile` subcommands accept `--json` and `--parseable` and
+will tailor their output based on those.  Some of these commands may not be
+available on non npmjs.com registries.
+
+## SEE ALSO
+
+* npm-config(7)

deps/npm/doc/cli/npm-publish.md

@@ -4,7 +4,7 @@ npm-publish(1) -- Publish a package
 
 ## SYNOPSIS
 
-    npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>]
+    npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>] [--otp otpcode]
 
     Publishes '.' if no argument supplied
     Sets tag 'latest' if no --tag specified
@@ -41,6 +41,11 @@ specifying a different default registry or using a `npm-scope(7)` in the name
   If you don't have a paid account, you must publish with `--access public`
   to publish scoped packages.
 
+* `[--otp <otpcode>]`
+  If you have two-factor authentication enabled in `auth-and-writes` mode
+  then you can provide a code from your authenticator with this. If you
+  don't include this and you're running from a TTY then you'll be prompted.
+
 Fails if the package name and version combination already exists in
 the specified registry.
 
@@ -65,3 +70,4 @@ packs them into a tarball to be uploaded to the registry.
 * npm-deprecate(1)
 * npm-dist-tag(1)
 * npm-pack(1)
+* npm-profile(1)

deps/npm/doc/cli/npm-token.md

@@ -0,0 +1,59 @@
+npm-token(1) -- Manage your authentication tokens
+=================================================
+
+## SYNOPSIS
+
+    npm token list [--json|--parseable]
+    npm token create [--read-only] [--cidr=1.1.1.1/24,2.2.2.2/16]
+    npm token delete <id|token>
+
+## DESCRIPTION
+
+This list you list, create and delete authentication tokens.
+
+* `npm token list`:
+  Shows a table of all active authentication tokens. You can request this as
+  JSON with `--json` or tab-separated values with `--parseable`.
+```
++--------+---------+------------+----------+----------------+
+| id     | token   | created    | read-only | CIDR whitelist |
++--------+---------+------------+----------+----------------+
+| 7f3134 | 1fa9ba… | 2017-10-02 | yes      |                |
++--------+---------+------------+----------+----------------+
+| c03241 | af7aef… | 2017-10-02 | no       | 192.168.0.1/24 |
++--------+---------+------------+----------+----------------+
+| e0cf92 | 3a436a… | 2017-10-02 | no       |                |
++--------+---------+------------+----------+----------------+
+| 63eb9d | 74ef35… | 2017-09-28 | no       |                |
++--------+---------+------------+----------+----------------+
+| 2daaa8 | cbad5f… | 2017-09-26 | no       |                |
++--------+---------+------------+----------+----------------+
+| 68c2fe | 127e51… | 2017-09-23 | no       |                |
++--------+---------+------------+----------+----------------+
+| 6334e1 | 1dadd1… | 2017-09-23 | no       |                |
++--------+---------+------------+----------+----------------+
+```
+
+* `npm token create [--read-only] [--cidr=<cidr-ranges>]`:
+  Create a new authentication token. It can be `--read-only` or accept a list of
+  [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) ranges to
+  limit use of this token to. This will prompt you for your password, and, if you have
+  two-factor authentication enabled, an otp.
+
+```
++----------------+--------------------------------------+
+| token          | a73c9572-f1b9-8983-983d-ba3ac3cc913d |
++----------------+--------------------------------------+
+| cidr_whitelist |                                      |
++----------------+--------------------------------------+
+| readonly       | false                                |
++----------------+--------------------------------------+
+| created        | 2017-10-02T07:52:24.838Z             |
++----------------+--------------------------------------+
+```
+
+* `npm token delete <token|id>`:
+  This removes an authentication token, making it immediately unusable. This can accept
+  both complete tokens (as you get back from `npm token create` and will
+  find in your `.npmrc`) and ids as seen in the `npm token list` output.
+  This will NOT accept the truncated token found in `npm token list` output.

deps/npm/doc/misc/npm-config.md

@@ -269,6 +269,13 @@ PEM format (Windows calls it "Base-64 encoded X.509 (.CER)") with newlines repla
 
 It is _not_ the path to a certificate file (and there is no "certfile" option).
 
+### cidr
+
+* Default: `null`
+* Type: String, Array, null
+
+This is a list of CIDR address to be used when configuring limited access tokens with the `npm token create` command.
+
 ### color
 
 * Default: true
@@ -699,6 +706,14 @@ Attempt to install packages in the `optionalDependencies` object.  Note
 that if these packages fail to install, the overall installation
 process is not aborted.
 
+### otp
+
+* Default: null
+* Type: Number
+
+This is a one-time password from a two-factor authenticator.  It's needed
+when publishing or changing package permissions with `npm access`.
+
 ### package-lock
 
 * Default: true
@@ -773,6 +788,13 @@ A proxy to use for outgoing http requests. If the `HTTP_PROXY` or
 `http_proxy` environment variables are set, proxy settings will be
 honored by the underlying `request` library.
 
+### read-only
+
+* Default: false
+* Type: Boolean
+
+This is used to mark a token as unable to publish when configuring limited access tokens with the `npm token create` command.
+
 ### rebuild-bundle
 
 * Default: true

deps/npm/doc/misc/npm-index.md

@@ -129,6 +129,10 @@ Ping npm registry
 
 Display prefix
 
+### npm-profile(1)
+
+Change settings on your registry profile
+
 ### npm-prune(1)
 
 Remove extraneous packages
@@ -189,6 +193,10 @@ Manage organization teams and team memberships
 
 Test a package
 
+### npm-token(1)
+
+Manage your authentication tokens
+
 ### npm-uninstall(1)
 
 Remove a package

deps/npm/html/doc/README.html

@@ -127,5 +127,5 @@ <h2 id="see-also">SEE ALSO</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.4.2</p>
+<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.5.1</p>
 

deps/npm/html/doc/cli/npm-access.html

@@ -61,6 +61,8 @@ <h2 id="details">DETAILS</h2>
 <li>You have been given read-write privileges for a package, either as a member
 of a team or directly as an owner.</li>
 </ul>
+<p>If you have two-factor authentication enabled then you&#39;ll have to pass in an
+otp with <code>--otp</code> when making access changes.</p>
 <p>If your account is not paid, then attempts to publish scoped packages will fail
 with an HTTP 402 status code (logically enough), unless you use
 <code>--access=public</code>.</p>
@@ -84,5 +86,5 @@ <h2 id="see-also">SEE ALSO</h2>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-access &mdash; npm@5.4.2</p>
+<p id="footer">npm-access &mdash; npm@5.5.1</p>