Release/v8.3.0

.github/workflows/benchmark-comment.yml

@@ -17,15 +17,12 @@ jobs:
           DISPATCH_REPO: "benchmarks"
           DISPATCH_OWNER: "npm"
           EVENT_NAME: ${{ github.event_name }}
-          EVENT_ACTION: ${{ github.event.action }}
           OWNER: ${{ github.event.repository.owner.login }}
           REPO: ${{ github.event.repository.name }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
-          COMMENT_BODY: ${{ github.event.comment.body }}
-          COMMENT_ID: ${{ github.event.comment.id }}
           COMMENT_NODE_ID: ${{ github.event.comment.node_id }}
           COMMENT_ACTIONABLE: ${{ startsWith(github.event.comment.body, 'test this please ✅') }}
-          AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_USER_PAT }}
+          AUTH_TOKEN: ${{ secrets.NPM_BENCHMARKS_TOKEN }}
         run: |
           # Comment Handler
 
@@ -46,24 +43,22 @@ jobs:
               PR_DATA=$(curl -s "${IS_PR}")
               PR_OWNER=$(echo "${PR_DATA}" | jq '.head.repo.owner.login')
               PR_REPO=$(echo "${PR_DATA}" | jq '.head.repo.name')
-              PR_COMMIT_SHA=$(curl -s "${IS_PR}/commits" | jq -r '.[0].sha')
 
               # dispatch request for benchmarks
               echo "Dispatching request..."
               curl \
                 -s \
                 -X POST https://api.github.com/repos/${DISPATCH_OWNER}/${DISPATCH_REPO}/dispatches \
-                -H "Accept: application/vnd.github.everest-preview+json" \
+                -H "Accept: application/vnd.github.v3+json" \
                 -H "Authorization: token ${AUTH_TOKEN}" \
                 -d \
                 '
                 {
-                  "event_type": "'"${EVENT_NAME}"'",
+                  "event_type": "'"${EVENT_NAME} ${PR_OWNER}/${PR_REPO}#${ISSUE_NUMBER}"'",
                   "client_payload": {
                     "pr_id": "'"${ISSUE_NUMBER}"'",
                     "repo": "'"${PR_REPO}"'",
-                    "owner": "'"${PR_OWNER}"'",
-                    "commit_sha": "'"${PR_COMMIT_SHA}"'"
+                    "owner": "'"${PR_OWNER}"'"
                   }
                 }'
 

.github/workflows/benchmark.yml

@@ -2,9 +2,6 @@
 name: Benchmark Suite
 
 on:
-  push:
-    branches:
-      - "latest"
   pull_request:
     branches:
       - "**"
@@ -21,48 +18,35 @@ jobs:
           DISPATCH_REPO: "benchmarks"
           DISPATCH_OWNER: "npm"
           EVENT_NAME: ${{ github.event_name }}
-          EVENT_ACTION: ${{ github.event.action }}
           REPO: ${{ github.event.repository.name }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
-          PR_COMMITS_URL: ${{ github.event.pull_request.commits_url }}
-          PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-          AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_USER_PAT }}
+          AUTH_TOKEN: ${{ secrets.NPM_BENCHMARKS_TOKEN }}
         run: |
           # Dispatch Handler
 
           dispatch_request () {
             echo "Dispatching request..."
-            REF_SHA=$1
             curl \
               -s \
               -X POST https://api.github.com/repos/${DISPATCH_OWNER}/${DISPATCH_REPO}/dispatches \
-              -H "Accept: application/vnd.github.everest-preview+json" \
+              -H "Accept: application/vnd.github.v3+json" \
               -H "Authorization: token ${AUTH_TOKEN}" \
               -d \
               '
               {
-                "event_type": "'"${EVENT_NAME}"'",
+                "event_type": "'"${EVENT_NAME} ${PR_OWNER}/${REPO}#${PR_NUMBER}"'",
                 "client_payload": {
                   "pr_id": "'"${PR_NUMBER}"'",
                   "repo": "'"${REPO}"'",
-                  "owner": "'"${PR_OWNER}"'",
-                  "commit_sha": "'"${REF_SHA}"'"
+                  "owner": "'"${PR_OWNER}"'"
                 }
               }'
           }
 
           if [ "${AUTH_TOKEN}" != "" ]; then
-            if [ "${EVENT_ACTION}" == "opened" ]; then
-              # Fetch the head commit sha, since it doesn't exist in the body of this event
-              COMMIT_SHA=$(curl -s "${PR_COMMITS_URL}" | jq -r '.[0].sha')
-
-              # Dispatch request for benchmarks
-              dispatch_request "${COMMIT_SHA}"
-            else
-              # Dispatch request for benchmarks
-              dispatch_request "${PR_COMMIT_SHA}"
-            fi
+            # Dispatch request for benchmarks
+            dispatch_request
           else
             echo "NO AUTH - FORK PULL REQUEST"
           fi

.github/workflows/ci.yml

@@ -62,7 +62,7 @@ jobs:
         run: |
           node ./bin/npm-cli.js install --ignore-scripts --no-audit
           node ./bin/npm-cli.js rebuild
-      - name: Run linting
+      - name: Validate licenses
         run: node ./bin/npm-cli.js run licenses
 
   smoke-tests:

AUTHORS

@@ -812,3 +812,4 @@ Yucel Okcu <yucel.n.okcu@gmail.com>
 Takuya Fukuju <chalkygames123@gmail.com>
 Jan T. Sott <jan@motim.co>
 yotamselementor <83912471+yotamselementor@users.noreply.github.com>
+Felipe Plets <fsplets@gmail.com>

CHANGELOG.md

@@ -1,3 +1,55 @@
+## v8.3.0 (2021-12-09)
+
+### Features
+
+* [`4b0c29a7c`](https://github.com/npm/cli/commit/4b0c29a7c5860410c7b453bec389c54cb21dbde3)
+  [#4116](https://github.com/npm/cli/issues/4116)
+  feat: `@npmcli/arborist@4.1.0`
+  * introduces overrides
+  ([@nlf](https://github.com/nlf))
+* [`166d9e144`](https://github.com/npm/cli/commit/166d9e144b38087ee5e7d8aaf6ec7d602cf2957c)
+  [npm/statusboard#416](https://github.com/npm/statusboard/issues/416)
+  [#4143](https://github.com/npm/cli/issues/4143)
+  feat: output configured registry during publish
+  ([@lukekarrys](https://github.com/lukekarrys))
+* [`71777be17`](https://github.com/npm/cli/commit/71777be17e57179d203cb9162664ecd0c36ca633)
+  [npm/statusboard#417](https://github.com/npm/statusboard/issues/417)
+  [#4146](https://github.com/npm/cli/issues/4146)
+  feat: display `publishConfig` during `config list`
+  ([@lukekarrys](https://github.com/lukekarrys))
+
+### Bug Fixes
+
+* [`08c663931`](https://github.com/npm/cli/commit/08c663931ec1f56d777ffdb38f94926b9eac13ef)
+  [#4128](https://github.com/npm/cli/issues/4128)
+  [#4134](https://github.com/npm/cli/issues/4134)
+  fix: dont warn on error cleaning individual log files
+  ([@lukekarrys](https://github.com/lukekarrys))
+* [`e605b128c`](https://github.com/npm/cli/commit/e605b128c87620aae843cdbd8f35cc614da3f8a2)
+  [#4142](https://github.com/npm/cli/issues/4142)
+  fix: redact all private keys from config output
+  ([@lukekarrys](https://github.com/lukekarrys))
+
+### Documentation
+
+* [`db1885d7f`](https://github.com/npm/cli/commit/db1885d7fec012f018093c76dec5a9c01a0ca2b0)
+  [#4092](https://github.com/npm/cli/issues/4092)
+  chore(docs): document overrides
+  ([@nlf](https://github.com/nlf))
+
+### Dependencies
+
+* [`e1da1fa4b`](https://github.com/npm/cli/commit/e1da1fa4ba7d95616928d2192b5b9db09b3120bc)
+  [#4141](https://github.com/npm/cli/issues/4141)
+  deps: `@npmcli/arborist@4.1.1`: `parse-conflict-json@2.0.1`
+  * Fixes object property assignment bug in resolving package-locks with
+  conflicts
+* [`1d8bec566`](https://github.com/npm/cli/commit/1d8bec566cb08ff5ff220f53083323fa8c3fb72e)
+  [#4144](https://github.com/npm/cli/issues/4144)
+  [#3884](https://github.com/npm/cli/issues/3884)
+  deps: `minipass@3.1.6`
+  * fixes some TAR_ENTRY_INVALID and Z_DATA_ERROR errors
+
 ## v8.2.0 (2021-12-02)
 
 ### Features

docs/content/configuring-npm/package-json.md

@@ -871,6 +871,109 @@ if (foo) {
 Entries in `optionalDependencies` will override entries of the same name in
 `dependencies`, so it's usually best to only put in one place.
 
+### overrides
+
+If you need to make specific changes to dependencies of your dependencies, for
+example replacing the version of a dependency with a known security issue,
+replacing an existing dependency with a fork, or making sure that the same
+version of a package is used everywhere, then you may add an override.
+
+Overrides provide a way to replace a package in your dependency tree with
+another version, or another package entirely. These changes can be scoped as
+specific or as vague as desired.
+
+To make sure the package `foo` is always installed as version `1.0.0` no matter
+what version your dependencies rely on:
+
+```json
+{
+  "overrides": {
+    "foo": "1.0.0"
+  }
+}
+```
+
+The above is a short hand notation, the full object form can be used to allow
+overriding a package itself as well as a child of the package. This will cause
+`foo` to always be `1.0.0` while also making `bar` at any depth beyond `foo`
+also `1.0.0`:
+
+```json
+{
+  "overrides": {
+    "foo": {
+      ".": "1.0.0",
+      "bar": "1.0.0"
+    }
+  }
+}
+```
+
+To only override `foo` to be `1.0.0` when it's a child (or grandchild, or great
+grandchild, etc) of the package `bar`:
+
+```json
+{
+  "overrides": {
+    "bar": {
+      "foo": "1.0.0"
+    }
+  }
+}
+```
+
+Keys can be nested to any arbitrary length. To override `foo` only when it's a
+child of `bar` and only when `bar` is a child of `baz`:
+
+```json
+{
+  "overrides": {
+    "baz": {
+      "bar": {
+        "foo": "1.0.0"
+      }
+    }
+  }
+}
+```
+
+The key of an override can also include a version, or range of versions.
+To override `foo` to `1.0.0`, but only when it's a child of `bar@2.0.0`:
+
+```json
+{
+  "overrides": {
+    "bar@2.0.0": {
+      "foo": "1.0.0"
+    }
+  }
+}
+```
+
+You may not set an override for a package that you directly depend on unless
+both the dependency and the override itself share the exact same spec. To make
+this limitation easier to deal with, overrides may also be defined as a
+reference to a spec for a direct dependency by prefixing the name of the
+package you wish the version to match with a `$`.
+
+```json
+{
+  "dependencies": {
+    "foo": "^1.0.0"
+  },
+  "overrides": {
+    // BAD, will throw an EOVERRIDE error
+    // "foo": "^2.0.0"
+    // GOOD, specs match so override is allowed
+    // "foo": "^1.0.0"
+    // BEST, the override is defined as a reference to the dependency
+    "foo": "$foo",
+    // the referenced package does not need to match the overridden one
+    "bar": "$foo"
+  }
+}
+```
+
 ### engines
 
 You can specify the version of node that your stuff works on:

lib/commands/config.js

@@ -2,7 +2,7 @@
 const configDefs = require('../utils/config/index.js')
 
 const mkdirp = require('mkdirp-infer-owner')
-const { dirname } = require('path')
+const { dirname, resolve } = require('path')
 const { promisify } = require('util')
 const fs = require('fs')
 const readFile = promisify(fs.readFile)
@@ -11,6 +11,7 @@ const { spawn } = require('child_process')
 const { EOL } = require('os')
 const ini = require('ini')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
+const rpj = require('read-package-json-fast')
 const log = require('../utils/log-shim.js')
 
 // take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
@@ -28,7 +29,17 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = k => !/^(\/\/[^:]+:)?_/.test(k)
+const publicVar = k => {
+  // _password
+  if (k.startsWith('_')) {
+    return false
+  }
+  // //localhost:8080/:_password
+  if (k.startsWith('//') && k.includes(':_')) {
+    return false
+  }
+  return true
+}
 
 const BaseCommand = require('../base-command.js')
 class Config extends BaseCommand {
@@ -147,7 +158,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       if (!publicVar(key)) {
-        throw `The ${key} option is protected, and cannot be retrieved in this way`
+        throw new Error(`The ${key} option is protected, and cannot be retrieved in this way`)
       }
 
       const pref = keys.length > 1 ? `${key}=` : ''
@@ -257,6 +268,23 @@ ${defData}
         `; HOME = ${process.env.HOME}`,
         '; Run `npm config ls -l` to show all defaults.'
       )
+      msg.push('')
+    }
+
+    if (!this.npm.config.get('global')) {
+      const pkgPath = resolve(this.npm.prefix, 'package.json')
+      const pkg = await rpj(pkgPath).catch(() => ({}))
+
+      if (pkg.publishConfig) {
+        msg.push(`; "publishConfig" from ${pkgPath}`)
+        msg.push('; This set of config values will be used at publish-time.', '')
+        const pkgKeys = Object.keys(pkg.publishConfig).sort(localeCompare)
+        for (const k of pkgKeys) {
+          const v = publicVar(k) ? JSON.stringify(pkg.publishConfig[k]) : '(protected)'
+          msg.push(`${k} = ${v}`)
+        }
+        msg.push('')
+      }
     }
 
     this.npm.output(msg.join('\n').trim())

lib/commands/publish.js

@@ -104,11 +104,15 @@ class Publish extends BaseCommand {
       const resolved = npa.resolve(manifest.name, manifest.version)
       const registry = npmFetch.pickRegistry(resolved, opts)
       const creds = this.npm.config.getCredentialsByURI(registry)
+      const outputRegistry = replaceInfo(registry)
       if (!creds.token && !creds.username) {
-        throw Object.assign(new Error('This command requires you to be logged in.'), {
-          code: 'ENEEDAUTH',
-        })
+        throw Object.assign(
+          new Error(`This command requires you to be logged in to ${outputRegistry}`), {
+            code: 'ENEEDAUTH',
+          }
+        )
       }
+      log.notice('', `Publishing to ${outputRegistry}`)
       await otplease(opts, opts => libpub(manifest, tarballData, opts))
     }
 

lib/utils/exit-handler.js

@@ -116,6 +116,7 @@ const exitHandler = err => {
       exitCode = err.code
       noLogMessage = true
     } else if (typeof err === 'string') {
+      // XXX: we should stop throwing strings
       log.error('', err)
       noLogMessage = true
     } else if (!(err instanceof Error)) {