deps: upgrade npm to 10.5.1

PR-URL: #52351
Reviewed-By: Luke Karrys <luke@lukekarrys.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Author: npm-cli-bot

deps/npm/bin/npm

@@ -41,8 +41,9 @@ if [ $? -ne 0 ]; then
   fi
   no_node_dir
 fi
+NPM_PREFIX_JS="$CLI_BASEDIR/node_modules/npm/bin/npm-prefix.js"
 NPM_CLI_JS="$CLI_BASEDIR/node_modules/npm/bin/npm-cli.js"
-NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`
+NPM_PREFIX=`"$NODE_EXE" "$NPM_PREFIX_JS"`
 if [ $? -ne 0 ]; then
   no_node_dir
 fi

deps/npm/bin/npm-prefix.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+// This is a single-use bin to help windows discover the proper prefix for npm
+// without having to load all of npm first
+// It does not accept argv params
+
+const path = require('path')
+const Config = require('@npmcli/config')
+const { definitions, flatten, shorthands } = require('@npmcli/config/lib/definitions')
+const config = new Config({
+  npmPath: path.dirname(__dirname),
+  // argv is explicitly not looked at since prefix is not something that can be changed via argv
+  argv: [],
+  definitions,
+  flatten,
+  shorthands,
+  excludeNpmCwd: false,
+})
+
+async function main () {
+  try {
+    await config.load()
+    // eslint-disable-next-line no-console
+    console.log(config.globalPrefix)
+  } catch (err) {
+    // eslint-disable-next-line no-console
+    console.error(err)
+    process.exit(1)
+  }
+}
+main()

deps/npm/bin/npm.cmd

@@ -8,8 +8,9 @@ IF NOT EXIST "%NODE_EXE%" (
   SET "NODE_EXE=node"
 )
 
+SET "NPM_PREFIX_JS=%~dp0\node_modules\npm\bin\npm-prefix.js"
 SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"
-FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (
+FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_PREFIX_JS%"') DO (
   SET "NPM_PREFIX_NPM_CLI_JS=%%F\node_modules\npm\bin\npm-cli.js"
 )
 IF EXIST "%NPM_PREFIX_NPM_CLI_JS%" (

deps/npm/bin/npm.ps1

@@ -17,8 +17,8 @@ if ($nodebin -eq $null) {
 }
 $nodedir = $(New-Object -ComObject Scripting.FileSystemObject).GetFile("$nodebin").ParentFolder.Path
 
-$npmclijs="$nodedir/node_modules/npm/bin/npm-cli.js"
-$npmprefix=(& $nodeexe $npmclijs prefix -g)
+$npmprefixjs="$nodedir/node_modules/npm/bin/npm-prefix.js"
+$npmprefix=(& $nodeexe $npmprefixjs)
 if ($LASTEXITCODE -ne 0) {
   Write-Host "Could not determine Node.js install directory"
   exit 1

deps/npm/bin/npx

@@ -41,9 +41,9 @@ if [ $? -ne 0 ]; then
   fi
   no_node_dir
 fi
-NPM_CLI_JS="$CLI_BASEDIR/node_modules/npm/bin/npm-cli.js"
+NPM_PREFIX_JS="$CLI_BASEDIR/node_modules/npm/bin/npm-prefix.js"
 NPX_CLI_JS="$CLI_BASEDIR/node_modules/npm/bin/npx-cli.js"
-NPM_PREFIX=`"$NODE_EXE" "$NPM_CLI_JS" prefix -g`
+NPM_PREFIX=`"$NODE_EXE" "$NPM_PREFIX_JS"`
 if [ $? -ne 0 ]; then
   no_node_dir
 fi

deps/npm/bin/npx.cmd

@@ -8,9 +8,9 @@ IF NOT EXIST "%NODE_EXE%" (
   SET "NODE_EXE=node"
 )
 
-SET "NPM_CLI_JS=%~dp0\node_modules\npm\bin\npm-cli.js"
+SET "NPM_PREFIX_JS=%~dp0\node_modules\npm\bin\npm-prefix.js"
 SET "NPX_CLI_JS=%~dp0\node_modules\npm\bin\npx-cli.js"
-FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_CLI_JS%" prefix -g') DO (
+FOR /F "delims=" %%F IN ('CALL "%NODE_EXE%" "%NPM_PREFIX_JS%"') DO (
   SET "NPM_PREFIX_NPX_CLI_JS=%%F\node_modules\npm\bin\npx-cli.js"
 )
 IF EXIST "%NPM_PREFIX_NPX_CLI_JS%" (

deps/npm/bin/npx.ps1

@@ -17,8 +17,8 @@ if ($nodebin -eq $null) {
 }
 $nodedir = $(New-Object -ComObject Scripting.FileSystemObject).GetFile("$nodebin").ParentFolder.Path
 
-$npmclijs="$nodedir/node_modules/npm/bin/npm-cli.js"
-$npmprefix=(& $nodeexe $npmclijs prefix -g)
+$npmprefixjs="$nodedir/node_modules/npm/bin/npm-prefix.js"
+$npmprefix=(& $nodeexe $npmprefixjs)
 if ($LASTEXITCODE -ne 0) {
   Write-Host "Could not determine Node.js install directory"
   exit 1

deps/npm/docs/content/commands/npm-audit.md

@@ -49,6 +49,13 @@ Registry signatures can be verified using the following `audit` command:
 $ npm audit signatures
 ```
 
+The `audit signatures` command will also verify the provenance attestations of
+downloaded packages. Because provenance attestations are such a new feature,
+security features may be added to (or changed in) the attestation format over
+time. To ensure that you're always able to verify attestation signatures check
+that you're running the latest version of the npm CLI. Please note this often
+means updating npm beyond the version that ships with Node.js.
+
 The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:
 
 1. Signatures are provided in the package's `packument` in each published version within the `dist` object:
@@ -89,7 +96,7 @@ Keys response:
 - `scheme`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
 - `key`: base64 encoded public key
 
-See this [example key's response from the public npm registry](https://registry.npmjs.org/-/npm/v1/keys").
+See this [example key's response from the public npm registry](https://registry.npmjs.org/-/npm/v1/keys).
 
 ### Audit Endpoints
 

deps/npm/docs/content/commands/npm-ls.md

@@ -27,7 +27,7 @@ packages will *also* show the paths to the specified packages.  For
 example, running `npm ls promzard` in npm's source tree will show:
 
 ```bash
-npm@10.5.0 /path/to/npm
+npm@10.5.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 ```

deps/npm/docs/content/commands/npm-search.md

@@ -91,6 +91,16 @@ Show the description in `npm search`
 
 
 
+#### `searchlimit`
+
+* Default: 20
+* Type: Number
+
+Number of items to limit search results to. Will not apply at all to legacy
+searches.
+
+
+
 #### `searchopts`
 
 * Default: ""

deps/npm/docs/content/commands/npm.md

@@ -14,7 +14,7 @@ Note: This command is unaware of workspaces.
 
 ### Version
 
-10.5.0
+10.5.1
 
 ### Description
 

deps/npm/docs/content/configuring-npm/package-json.md

@@ -40,7 +40,7 @@ Some tips:
 * Don't use the same name as a core Node module.
 * Don't put "js" or "node" in the name.  It's assumed that it's js, since
   you're writing a package.json file, and you can specify the engine using
-  the "engines" field.  (See below.)
+  the "[engines](#engines)" field.  (See below.)
 * The name will probably be passed as an argument to require(), so it
   should be something short, but also reasonably descriptive.
 * You may want to check the npm registry to see if there's something by
@@ -75,7 +75,7 @@ your package as it's listed in `npm search`.
 
 ### homepage
 
-The url to the project homepage.
+The URL to the project homepage.
 
 Example:
 
@@ -85,7 +85,7 @@ Example:
 
 ### bugs
 
-The url to your project's issue tracker and / or the email address to which
+The URL to your project's issue tracker and / or the email address to which
 issues should be reported. These are helpful for people who encounter
 issues with your package.
 
@@ -101,10 +101,10 @@ It should look like this:
 ```
 
 You can specify either one or both values. If you want to provide only a
-url, you can specify the value for "bugs" as a simple string instead of an
+URL, you can specify the value for "bugs" as a simple string instead of an
 object.
 
-If a url is provided, it will be used by the `npm bugs` command.
+If a URL is provided, it will be used by the `npm bugs` command.
 
 ### license
 
@@ -511,9 +511,9 @@ Do it like this:
 }
 ```
 
-The URL should be a publicly available (perhaps read-only) url that can be
+The URL should be a publicly available (perhaps read-only) URL that can be
 handed directly to a VCS program without any modification.  It should not
-be a url to an html project page that you put in your browser.  It's for
+be a URL to an html project page that you put in your browser.  It's for
 computers.
 
 For GitHub, GitHub gist, Bitbucket, or GitLab repositories you can use the
@@ -636,7 +636,7 @@ install time.
 
 #### Git URLs as Dependencies
 
-Git urls are of the form:
+Git URLs are of the form:
 
 ```bash
 <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish> | #semver:<semver>]
@@ -683,7 +683,7 @@ will be rebuilt for every installation.
 
 #### GitHub URLs
 
-As of version 1.1.65, you can refer to GitHub urls as just "foo":
+As of version 1.1.65, you can refer to GitHub URLs as just "foo":
 "user/foo-project".  Just as with git URLs, a `commit-ish` suffix can be
 included.  For example:
 
@@ -889,7 +889,7 @@ none.
 If a dependency can be used, but you would like npm to proceed if it cannot
 be found or fails to install, then you may put it in the
 `optionalDependencies` object.  This is a map of package name to version or
-url, just like the `dependencies` object.  The difference is that build
+URL, just like the `dependencies` object.  The difference is that build
 failures do not cause installation to fail.  Running `npm install
 --omit=optional` will prevent these dependencies from being installed.
 

deps/npm/docs/output/commands/npm-audit.html

@@ -174,6 +174,12 @@ <h3 id="audit-signatures">Audit Signatures</h3>
 <p>Registry signatures can be verified using the following <code>audit</code> command:</p>
 <pre><code class="language-bash">$ npm audit signatures
 </code></pre>
+<p>The <code>audit signatures</code> command will also verify the provenance attestations of
+downloaded packages. Because provenance attestations are such a new feature,
+security features may be added to (or changed in) the attestation format over
+time. To ensure that you're always able to verify attestation signatures check
+that you're running the latest version of the npm CLI. Please note this often
+means updating npm beyond the version that ships with Node.js.</p>
 <p>The npm CLI supports registry signatures and signing keys provided by any registry if the following conventions are followed:</p>
 <ol>
 <li>Signatures are provided in the package's <code>packument</code> in each published version within the <code>dist</code> object:</li>
@@ -209,7 +215,7 @@ <h3 id="audit-signatures">Audit Signatures</h3>
 <li><code>scheme</code>: only <code>ecdsa-sha2-nistp256</code> is currently supported by the npm CLI</li>
 <li><code>key</code>: base64 encoded public key</li>
 </ul>
-<p>See this <a href="https://registry.npmjs.org/-/npm/v1/keys%22">example key's response from the public npm registry</a>.</p>
+<p>See this <a href="https://registry.npmjs.org/-/npm/v1/keys">example key's response from the public npm registry</a>.</p>
 <h3 id="audit-endpoints">Audit Endpoints</h3>
 <p>There are two audit endpoints that npm may use to fetch vulnerability
 information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>

deps/npm/docs/output/commands/npm-ls.html

@@ -160,7 +160,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre><code class="language-bash">npm@10.5.0 /path/to/npm
+<pre><code class="language-bash">npm@10.5.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

deps/npm/docs/output/commands/npm-search.html

@@ -142,7 +142,7 @@ <h1 id="npm-search">npm-search</h1>
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#long"><code>long</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#color"><code>color</code></a></li><li><a href="#parseable"><code>parseable</code></a></li><li><a href="#description2"><code>description</code></a></li><li><a href="#searchopts"><code>searchopts</code></a></li><li><a href="#searchexclude"><code>searchexclude</code></a></li><li><a href="#registry"><code>registry</code></a></li><li><a href="#prefer-online"><code>prefer-online</code></a></li><li><a href="#prefer-offline"><code>prefer-offline</code></a></li><li><a href="#offline"><code>offline</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#long"><code>long</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#color"><code>color</code></a></li><li><a href="#parseable"><code>parseable</code></a></li><li><a href="#description2"><code>description</code></a></li><li><a href="#searchlimit"><code>searchlimit</code></a></li><li><a href="#searchopts"><code>searchopts</code></a></li><li><a href="#searchexclude"><code>searchexclude</code></a></li><li><a href="#registry"><code>registry</code></a></li><li><a href="#prefer-online"><code>prefer-online</code></a></li><li><a href="#prefer-offline"><code>prefer-offline</code></a></li><li><a href="#offline"><code>offline</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="synopsis">Synopsis</h3>
@@ -207,6 +207,13 @@ <h4 id="description2"><code>description</code></h4>
 <li>Type: Boolean</li>
 </ul>
 <p>Show the description in <code>npm search</code></p>
+<h4 id="searchlimit"><code>searchlimit</code></h4>
+<ul>
+<li>Default: 20</li>
+<li>Type: Number</li>
+</ul>
+<p>Number of items to limit search results to. Will not apply at all to legacy
+searches.</p>
 <h4 id="searchopts"><code>searchopts</code></h4>
 <ul>
 <li>Default: ""</li>

deps/npm/docs/output/commands/npm.html

@@ -150,7 +150,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 </code></pre>
 <p>Note: This command is unaware of workspaces.</p>
 <h3 id="version">Version</h3>
-<p>10.5.0</p>
+<p>10.5.1</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/package-json.html

@@ -175,7 +175,7 @@ <h3 id="name">name</h3>
 <li>Don't use the same name as a core Node module.</li>
 <li>Don't put "js" or "node" in the name.  It's assumed that it's js, since
 you're writing a package.json file, and you can specify the engine using
-the "engines" field.  (See below.)</li>
+the "<a href="#engines">engines</a>" field.  (See below.)</li>
 <li>The name will probably be passed as an argument to require(), so it
 should be something short, but also reasonably descriptive.</li>
 <li>You may want to check the npm registry to see if there's something by
@@ -201,12 +201,12 @@ <h3 id="keywords">keywords</h3>
 <p>Put keywords in it.  It's an array of strings.  This helps people discover
 your package as it's listed in <code>npm search</code>.</p>
 <h3 id="homepage">homepage</h3>
-<p>The url to the project homepage.</p>
+<p>The URL to the project homepage.</p>
 <p>Example:</p>
 <pre><code class="language-json">"homepage": "https://github.com/owner/project#readme"
 </code></pre>
 <h3 id="bugs">bugs</h3>
-<p>The url to your project's issue tracker and / or the email address to which
+<p>The URL to your project's issue tracker and / or the email address to which
 issues should be reported. These are helpful for people who encounter
 issues with your package.</p>
 <p>It should look like this:</p>
@@ -218,9 +218,9 @@ <h3 id="bugs">bugs</h3>
 }
 </code></pre>
 <p>You can specify either one or both values. If you want to provide only a
-url, you can specify the value for "bugs" as a simple string instead of an
+URL, you can specify the value for "bugs" as a simple string instead of an
 object.</p>
-<p>If a url is provided, it will be used by the <code>npm bugs</code> command.</p>
+<p>If a URL is provided, it will be used by the <code>npm bugs</code> command.</p>
 <h3 id="license">license</h3>
 <p>You should specify a license for your package so that people know how they
 are permitted to use it, and any restrictions you're placing on it.</p>
@@ -531,9 +531,9 @@ <h3 id="repository">repository</h3>
   }
 }
 </code></pre>
-<p>The URL should be a publicly available (perhaps read-only) url that can be
+<p>The URL should be a publicly available (perhaps read-only) URL that can be
 handed directly to a VCS program without any modification.  It should not
-be a url to an html project page that you put in your browser.  It's for
+be a URL to an html project page that you put in your browser.  It's for
 computers.</p>
 <p>For GitHub, GitHub gist, Bitbucket, or GitLab repositories you can use the
 same shortcut syntax you use for <code>npm install</code>:</p>
@@ -630,7 +630,7 @@ <h4 id="urls-as-dependencies">URLs as Dependencies</h4>
 <p>This tarball will be downloaded and installed locally to your package at
 install time.</p>
 <h4 id="git-urls-as-dependencies">Git URLs as Dependencies</h4>
-<p>Git urls are of the form:</p>
+<p>Git URLs are of the form:</p>
 <pre><code class="language-bash">&lt;protocol&gt;://[&lt;user&gt;[:&lt;password&gt;]@]&lt;hostname&gt;[:&lt;port&gt;][:][/]&lt;path&gt;[#&lt;commit-ish&gt; | #semver:&lt;semver&gt;]
 </code></pre>
 <p><code>&lt;protocol&gt;</code> is one of <code>git</code>, <code>git+ssh</code>, <code>git+http</code>, <code>git+https</code>, or
@@ -666,7 +666,7 @@ <h4 id="git-urls-as-dependencies">Git URLs as Dependencies</h4>
 make sure that none of the above scripts are defined, or your dependency
 will be rebuilt for every installation.</p>
 <h4 id="github-urls">GitHub URLs</h4>
-<p>As of version 1.1.65, you can refer to GitHub urls as just "foo":
+<p>As of version 1.1.65, you can refer to GitHub URLs as just "foo":
 "user/foo-project".  Just as with git URLs, a <code>commit-ish</code> suffix can be
 included.  For example:</p>
 <pre><code class="language-json">{
@@ -820,7 +820,7 @@ <h3 id="optionaldependencies">optionalDependencies</h3>
 <p>If a dependency can be used, but you would like npm to proceed if it cannot
 be found or fails to install, then you may put it in the
 <code>optionalDependencies</code> object.  This is a map of package name to version or
-url, just like the <code>dependencies</code> object.  The difference is that build
+URL, just like the <code>dependencies</code> object.  The difference is that build
 failures do not cause installation to fail.  Running <code>npm install --omit=optional</code> will prevent these dependencies from being installed.</p>
 <p>It is still your program's responsibility to handle the lack of the
 dependency.  For example, something like this:</p>

deps/npm/lib/commands/adduser.js

@@ -1,5 +1,5 @@
 const log = require('../utils/log-shim.js')
-const replaceInfo = require('../utils/replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 const auth = require('../utils/auth.js')
 
 const BaseCommand = require('../base-command.js')