deps: upgrade npm to 8.4.1

PR-URL: #41836
Reviewed-By: Ruy Adorno <ruyadorno@github.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>

Author: npm-robot

deps/npm/docs/content/configuring-npm/package-json.md

@@ -838,6 +838,10 @@ include any versions, as that information is specified in `dependencies`.
 
 If this is spelled `"bundleDependencies"`, then that is also honored.
 
+Alternatively, `"bundledDependencies"` can be defined as a boolean value. A
+value of `true` will bundle all dependencies, a value of `false` will bundle
+none.
+
 ### optionalDependencies
 
 If a dependency can be used, but you would like npm to proceed if it cannot

deps/npm/docs/content/using-npm/config.md

@@ -1190,6 +1190,8 @@ When package package-locks are disabled, automatic pruning of extraneous
 modules will also be disabled. To remove extraneous modules with
 package-locks disabled use `npm prune`.
 
+This configuration does not affect `npm ci`.
+
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
 

deps/npm/docs/output/commands/npm-ls.html

@@ -160,7 +160,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.3.2 /path/to/npm
+<pre lang="bash"><code>npm@8.4.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

deps/npm/docs/output/commands/npm.html

@@ -149,7 +149,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 <pre lang="bash"><code>npm &lt;command&gt; [args]
 </code></pre>
 <h3 id="version">Version</h3>
-<p>8.3.2</p>
+<p>8.4.1</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/package-json.html

@@ -774,6 +774,9 @@ <h3 id="bundleddependencies">bundledDependencies</h3>
 can be installed in a new project by executing <code>npm install awesome-web-framework-1.0.0.tgz</code>.  Note that the package names do not
 include any versions, as that information is specified in <code>dependencies</code>.</p>
 <p>If this is spelled <code>"bundleDependencies"</code>, then that is also honored.</p>
+<p>Alternatively, <code>"bundledDependencies"</code> can be defined as a boolean value. A
+value of <code>true</code> will bundle all dependencies, a value of <code>false</code> will bundle
+none.</p>
 <h3 id="optionaldependencies">optionalDependencies</h3>
 <p>If a dependency can be used, but you would like npm to proceed if it cannot
 be found or fails to install, then you may put it in the

deps/npm/docs/output/using-npm/config.html

@@ -1100,6 +1100,7 @@ <h4 id="package-lock"><code>package-lock</code></h4>
 <p>When package package-locks are disabled, automatic pruning of extraneous
 modules will also be disabled. To remove extraneous modules with
 package-locks disabled use <code>npm prune</code>.</p>
+<p>This configuration does not affect <code>npm ci</code>.</p>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h4 id="package-lock-only"><code>package-lock-only</code></h4>

deps/npm/lib/commands/access.js

@@ -3,6 +3,7 @@ const path = require('path')
 const libaccess = require('libnpmaccess')
 const readPackageJson = require('read-package-json-fast')
 
+const log = require('../utils/log-shim.js')
 const otplease = require('../utils/otplease.js')
 const getIdentity = require('../utils/get-identity.js')
 const BaseCommand = require('../base-command.js')
@@ -76,7 +77,10 @@ class Access extends BaseCommand {
       throw this.usageError(`${cmd} is not a recognized subcommand.`)
     }
 
-    return this[cmd](args, this.npm.flatOptions)
+    return this[cmd](args, {
+      ...this.npm.flatOptions,
+      log,
+    })
   }
 
   public ([pkg], opts) {

deps/npm/lib/commands/ci.js

@@ -6,6 +6,7 @@ const runScript = require('@npmcli/run-script')
 const fs = require('fs')
 const readdir = util.promisify(fs.readdir)
 const log = require('../utils/log-shim.js')
+const validateLockfile = require('../utils/validate-lockfile.js')
 
 const removeNodeModules = async where => {
   const rimrafOpts = { glob: false }
@@ -37,6 +38,7 @@ class CI extends ArboristWorkspaceCmd {
     const where = this.npm.prefix
     const opts = {
       ...this.npm.flatOptions,
+      packageLock: true, // npm ci should never skip lock files
       path: where,
       log,
       save: false, // npm ci should never modify the lockfile or package.json
@@ -55,6 +57,28 @@ class CI extends ArboristWorkspaceCmd {
       }),
       removeNodeModules(where),
     ])
+
+    // retrieves inventory of packages from loaded virtual tree (lock file)
+    const virtualInventory = new Map(arb.virtualTree.inventory)
+
+    // build ideal tree step needs to come right after retrieving the virtual
+    // inventory since it's going to erase the previous ref to virtualTree
+    await arb.buildIdealTree()
+
+    // verifies that the packages from the ideal tree will match
+    // the same versions that are present in the virtual tree (lock file)
+    // throws a validation error in case of mismatches
+    const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
+    if (errors.length) {
+      throw new Error(
+        '`npm ci` can only install packages when your package.json and ' +
+        'package-lock.json or npm-shrinkwrap.json are in sync. Please ' +
+        'update your lock file with `npm install` ' +
+        'before continuing.\n\n' +
+        errors.join('\n') + '\n'
+      )
+    }
+
     await arb.reify(opts)
 
     const ignoreScripts = this.npm.config.get('ignore-scripts')

deps/npm/lib/commands/deprecate.js

@@ -1,4 +1,5 @@
 const fetch = require('npm-registry-fetch')
+const log = require('../utils/log-shim.js')
 const otplease = require('../utils/otplease.js')
 const npa = require('npm-package-arg')
 const semver = require('semver')
@@ -50,6 +51,7 @@ class Deprecate extends BaseCommand {
       ...this.npm.flatOptions,
       spec: p,
       query: { write: true },
+      log,
     })
 
     Object.keys(packument.versions)
@@ -64,6 +66,7 @@ class Deprecate extends BaseCommand {
       method: 'PUT',
       body: packument,
       ignoreBody: true,
+      log,
     }))
   }
 }

deps/npm/lib/commands/diff.js

@@ -61,6 +61,7 @@ class Diff extends BaseCommand {
       ...this.npm.flatOptions,
       diffFiles: args,
       where: this.top,
+      log,
     })
     return this.npm.output(res)
   }
@@ -193,6 +194,7 @@ class Diff extends BaseCommand {
         const packument = await pacote.packument(spec, {
           ...this.npm.flatOptions,
           preferOnline: true,
+          log,
         })
         bSpec = pickManifest(
           packument,