deps: upgrade npm to 8.14.0

PR-URL: #43826
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>

Author: npm-cli-bot

deps/npm/docs/content/commands/npm-adduser.md

@@ -93,13 +93,12 @@ npm init --scope=@foo --yes
 #### `auth-type`
 
 * Default: "legacy"
-* Type: "legacy", "webauthn", "sso", "saml", or "oauth"
-* DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
-  a future version of npm in favor of web-based login.
+* Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
 
-What authentication strategy to use with `adduser`/`login`.
+NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
+removed in a future version.
 
-Pass `webauthn` to use a web-based login.
+What authentication strategy to use with `login`.
 
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->

deps/npm/docs/content/commands/npm-audit.md

@@ -11,7 +11,7 @@ description: Run a security audit
 <!-- see lib/commands/audit.js -->
 
 ```bash
-npm audit [fix]
+npm audit [fix|signatures]
 ```
 
 <!-- automatically generated, do not edit manually -->
@@ -41,6 +41,17 @@ vulnerability is found. It may be useful in CI environments to include the
 will cause the command to fail. This option does not filter the report
 output, it simply changes the command's failure threshold.
 
+### Audit Signatures
+
+This command can also audit the integrity values of the packages in your
+tree against any signatures present in the registry they were downloaded
+from.  npm will attempt to download the keys from `/-/npm/v1/keys` on
+each the registry used to download any given package.  It will then
+check the `dist.signatures` object in the package itself, and verify the
+`sig` present there using the `keyid` there, matching it with a key
+returned from the registry.  The command for this is `npm audit
+signatures`
+
 ### Audit Endpoints
 
 There are two audit endpoints that npm may use to fetch vulnerability

deps/npm/docs/content/commands/npm.md

@@ -102,7 +102,7 @@ following help topics:
   done via [`npm install`](/commands/npm-install)
 * adduser:
   Create an account or log in.  When you do this, npm will store
-  credentials in the user config file config file.
+  credentials in the user config file.
 * publish:
   Use the [`npm publish`](/commands/npm-publish) command to upload your
   code to the registry.

deps/npm/docs/content/configuring-npm/package-json.md

@@ -124,7 +124,7 @@ IDs](https://spdx.org/licenses/).  Ideally you should pick one that is
 
 If your package is licensed under multiple common licenses, use an [SPDX
 license expression syntax version 2.0
-string](https://www.npmjs.com/package/spdx), like this:
+string](https://spdx.dev/specifications/), like this:
 
 ```json
 {

deps/npm/docs/content/using-npm/config.md

@@ -215,6 +215,19 @@ exit code.
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
 
+#### `auth-type`
+
+* Default: "legacy"
+* Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"
+
+NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
+removed in a future version.
+
+What authentication strategy to use with `login`.
+
+<!-- automatically generated, do not edit manually -->
+<!-- see lib/utils/config/definitions.js -->
+
 #### `before`
 
 * Default: null
@@ -1905,20 +1918,6 @@ When set to `dev` or `development`, this is an alias for `--include=dev`.
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
 
-#### `auth-type`
-
-* Default: "legacy"
-* Type: "legacy", "webauthn", "sso", "saml", or "oauth"
-* DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
-  a future version of npm in favor of web-based login.
-
-What authentication strategy to use with `adduser`/`login`.
-
-Pass `webauthn` to use a web-based login.
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-
 #### `cache-max`
 
 * Default: Infinity

deps/npm/docs/content/using-npm/scripts.md

@@ -39,7 +39,7 @@ There are some special life cycle scripts that happen only in certain
 situations. These scripts happen in addition to the `pre<event>`, `post<event>`, and
 `<event>` scripts.
 
-* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`
+* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`, `dependencies`
 
 **prepare** (since `[email protected]`)
 * Runs any time before the package is packed, i.e. during `npm publish`
@@ -71,6 +71,10 @@ situations. These scripts happen in addition to the `pre<event>`, `post<event>`,
 **postpack**
 * Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)
 
+**dependencies**
+* Runs AFTER any operations that modify the `node_modules` directory IF changes occurred.
+* Does NOT run in global mode
+
 #### Prepare and Prepublish
 
 **Deprecation Note: prepublish**
@@ -96,6 +100,10 @@ The advantage of doing these things at `prepublish` time is that they can be don
 * You don't need to rely on your users having `curl` or `wget` or
   other system tools on the target machines.
 
+#### Dependencies
+
+The `dependencies` script is run any time an `npm` command causes changes to the `node_modules` directory. It is run AFTER the changes have been applied and the `package.json` and `package-lock.json` files have been updated.
+
 ### Life Cycle Operation Order
 
 #### [`npm cache add`](/commands/npm-cache)

deps/npm/docs/content/using-npm/workspaces.md

@@ -57,7 +57,7 @@ structure of files and folders:
 ```
 .
 +-- node_modules
-|  `-- packages/a -> ../packages/a
+|  `-- a -> ../packages/a
 +-- package-lock.json
 +-- package.json
 `-- packages
@@ -112,15 +112,15 @@ respect the provided `workspace` configuration.
 
 Given the [specifities of how Node.js handles module resolution](https://nodejs.org/dist/latest-v14.x/docs/api/modules.html#modules_all_together) it's possible to consume any defined workspace
 by its declared `package.json` `name`. Continuing from the example defined
-above, let's also create a Node.js script that will require the `workspace-a`
+above, let's also create a Node.js script that will require the workspace `a`
 example module, e.g:
 
 ```
-// ./workspace-a/index.js
+// ./packages/a/index.js
 module.exports = 'a'
 
 // ./lib/index.js
-const moduleA = require('workspace-a')
+const moduleA = require('a')
 console.log(moduleA) // -> a
 ```
 

deps/npm/docs/output/commands/npm-adduser.html

@@ -207,12 +207,11 @@ <h4 id="scope"><code>scope</code></h4>
 <h4 id="auth-type"><code>auth-type</code></h4>
 <ul>
 <li>Default: "legacy"</li>
-<li>Type: "legacy", "webauthn", "sso", "saml", or "oauth"</li>
-<li>DEPRECATED: The SSO/SAML/OAuth methods are deprecated and will be removed in
-a future version of npm in favor of web-based login.</li>
+<li>Type: "legacy", "web", "sso", "saml", "oauth", or "webauthn"</li>
 </ul>
-<p>What authentication strategy to use with <code>adduser</code>/<code>login</code>.</p>
-<p>Pass <code>webauthn</code> to use a web-based login.</p>
+<p>NOTE: auth-type values "sso", "saml", "oauth", and "webauthn" will be
+removed in a future version.</p>
+<p>What authentication strategy to use with <code>login</code>.</p>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->

deps/npm/docs/output/commands/npm-audit.html

@@ -142,14 +142,14 @@ <h1 id="npm-audit">npm-audit</h1>
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#audit-endpoints">Audit Endpoints</a></li><ul><li><a href="#bulk-advisory-endpoint">Bulk Advisory Endpoint</a></li><li><a href="#quick-audit-endpoint">Quick Audit Endpoint</a></li><li><a href="#scrubbing">Scrubbing</a></li><li><a href="#calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</a></li></ul><li><a href="#exit-code">Exit Code</a></li><li><a href="#examples">Examples</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#audit-level"><code>audit-level</code></a></li><li><a href="#dry-run"><code>dry-run</code></a></li><li><a href="#force"><code>force</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#package-lock-only"><code>package-lock-only</code></a></li><li><a href="#omit"><code>omit</code></a></li><li><a href="#foreground-scripts"><code>foreground-scripts</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#install-links"><code>install-links</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#audit-signatures">Audit Signatures</a></li><li><a href="#audit-endpoints">Audit Endpoints</a></li><ul><li><a href="#bulk-advisory-endpoint">Bulk Advisory Endpoint</a></li><li><a href="#quick-audit-endpoint">Quick Audit Endpoint</a></li><li><a href="#scrubbing">Scrubbing</a></li><li><a href="#calculating-meta-vulnerabilities-and-remediations">Calculating Meta-Vulnerabilities and Remediations</a></li></ul><li><a href="#exit-code">Exit Code</a></li><li><a href="#examples">Examples</a></li><li><a href="#configuration">Configuration</a></li><ul><li><a href="#audit-level"><code>audit-level</code></a></li><li><a href="#dry-run"><code>dry-run</code></a></li><li><a href="#force"><code>force</code></a></li><li><a href="#json"><code>json</code></a></li><li><a href="#package-lock-only"><code>package-lock-only</code></a></li><li><a href="#omit"><code>omit</code></a></li><li><a href="#foreground-scripts"><code>foreground-scripts</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#install-links"><code>install-links</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="synopsis">Synopsis</h3>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
-<pre lang="bash"><code>npm audit [fix]
+<pre lang="bash"><code>npm audit [fix|signatures]
 </code></pre>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
@@ -170,6 +170,14 @@ <h3 id="description">Description</h3>
 <code>--audit-level</code> parameter to specify the minimum vulnerability level that
 will cause the command to fail. This option does not filter the report
 output, it simply changes the command's failure threshold.</p>
+<h3 id="audit-signatures">Audit Signatures</h3>
+<p>This command can also audit the integrity values of the packages in your
+tree against any signatures present in the registry they were downloaded
+from.  npm will attempt to download the keys from <code>/-/npm/v1/keys</code> on
+each the registry used to download any given package.  It will then
+check the <code>dist.signatures</code> object in the package itself, and verify the
+<code>sig</code> present there using the <code>keyid</code> there, matching it with a key
+returned from the registry.  The command for this is <code>npm audit signatures</code></p>
 <h3 id="audit-endpoints">Audit Endpoints</h3>
 <p>There are two audit endpoints that npm may use to fetch vulnerability
 information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>

deps/npm/docs/output/commands/npm-ls.html

@@ -166,7 +166,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.13.2 /path/to/npm
+<pre lang="bash"><code>npm@8.14.0 /path/to/npm
 └─┬ [email protected]
   └── [email protected]
 </code></pre>

deps/npm/docs/output/commands/npm.html

@@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h3 id="version">Version</h3>
-<p>8.13.2</p>
+<p>8.14.0</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency
@@ -219,7 +219,7 @@ <h3 id="developer-usage">Developer Usage</h3>
 done via <a href="../commands/npm-install.html"><code>npm install</code></a></li>
 <li>adduser:
 Create an account or log in.  When you do this, npm will store
-credentials in the user config file config file.</li>
+credentials in the user config file.</li>
 <li>publish:
 Use the <a href="../commands/npm-publish.html"><code>npm publish</code></a> command to upload your
 code to the registry.</li>

deps/npm/docs/output/configuring-npm/package-json.html

@@ -231,7 +231,7 @@ <h3 id="license">license</h3>
 <p>You can check <a href="https://spdx.org/licenses/">the full list of SPDX license
 IDs</a>.  Ideally you should pick one that is
 <a href="https://opensource.org/licenses/alphabetical">OSI</a> approved.</p>
-<p>If your package is licensed under multiple common licenses, use an <a href="https://www.npmjs.com/package/spdx">SPDX
+<p>If your package is licensed under multiple common licenses, use an <a href="https://spdx.dev/specifications/">SPDX
 license expression syntax version 2.0
 string</a>, like this:</p>
 <pre lang="json"><code>{