deps: upgrade npm to 10.2.2

deps/npm/bin/node-gyp-bin/node-gyp

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+if [ "x$npm_config_node_gyp" = "x" ]; then
+  node "`dirname "$0"`/../../node_modules/node-gyp/bin/node-gyp.js" "$@"
+else
+  "$npm_config_node_gyp" "$@"
+fi

deps/npm/bin/node-gyp-bin/node-gyp.cmd

@@ -0,0 +1,5 @@
+if not defined npm_config_node_gyp (
+  node "%~dp0\..\..\node_modules\node-gyp\bin\node-gyp.js" %*
+) else (
+  node "%npm_config_node_gyp%" %*
+)

deps/npm/docs/content/commands/npm-audit.md

@@ -83,13 +83,13 @@ The `sig` is generated using the following template: `${package.name}@${package.
 
 Keys response:
 
-- `expires`: null or a simplified extended <a href="https://en.wikipedia.org/wiki/ISO_8601" target="_blank">ISO 8601 format</a>: `YYYY-MM-DDTHH:mm:ss.sssZ`
+- `expires`: null or a simplified extended [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601"): `YYYY-MM-DDTHH:mm:ss.sssZ`
 - `keydid`: sha256 fingerprint of the public key
 - `keytype`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
 - `scheme`: only `ecdsa-sha2-nistp256` is currently supported by the npm CLI
 - `key`: base64 encoded public key
 
-See this <a href="https://registry.npmjs.org/-/npm/v1/keys" target="_blank">example key's response from the public npm registry</a>.
+See this [example key's response from the public npm registry](https://registry.npmjs.org/-/npm/v1/keys").
 
 ### Audit Endpoints
 

deps/npm/docs/content/commands/npm-ls.md

@@ -27,7 +27,7 @@ packages will *also* show the paths to the specified packages.  For
 example, running `npm ls promzard` in npm's source tree will show:
 
 ```bash
-npm@10.2.0 /path/to/npm
+npm@10.2.2 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 ```

deps/npm/docs/content/commands/npm-rebuild.md

@@ -14,14 +14,29 @@ alias: rb
 
 ### Description
 
-This command runs the `npm build` command on the matched folders.  This is
-useful when you install a new version of node, and must recompile all your
-C++ addons with the new binary.  It is also useful when installing with
-`--ignore-scripts` and `--no-bin-links`, to explicitly choose which
-packages to build and/or link bins.
-
-If one or more package specs are provided, then only packages with a
-name and version matching one of the specifiers will be rebuilt.
+This command does the following:
+
+1. Execute lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`)
+2. Links bins depending on whether bin links are enabled
+
+This command is particularly useful in scenarios including but not limited to:
+
+1. Installing a new version of **node.js**, where you need to recompile all your C++ add-ons with the updated binary.
+2. Installing with `--ignore-scripts` and `--no-bin-links`, to explicitly choose which packages to build and/or link bins.
+
+If one or more package specs are provided, then only packages with a name and version matching one of the specifiers will be rebuilt.
+
+Usually, you should not need to run `npm rebuild` as it is already done for you as part of npm install (unless you suppressed these steps with `--ignore-scripts` or `--no-bin-links`).
+
+If there is a `binding.gyp` file in the root of your package, then npm will use a default install hook:
+
+```
+"scripts": {
+    "install": "node-gyp rebuild"
+}
+```
+
+This default behavior is suppressed if the `package.json` has its own `install` or `preinstall` scripts. It is also suppressed if the package specifies `"gypfile": false`
 
 ### Configuration
 

deps/npm/docs/content/commands/npm-team.md

@@ -33,7 +33,7 @@ on your `authtype`.
 
 * create / destroy:
   Create a new team, or destroy an existing one. Note: You cannot remove the
-  `developers` team, <a href="https://docs.npmjs.com/about-developers-team" target="_blank">learn more.</a>
+  `developers` team, [learn more.](https://docs.npmjs.com/about-developers-team)
 
   Here's how to create a new team `newteam` under the `org` org:
 

deps/npm/docs/content/commands/npm-unpublish.md

@@ -10,9 +10,8 @@ description: Remove a package from the registry
 npm unpublish [<package-spec>]
 ```
 
-To learn more about how the npm registry treats unpublish, see our <a
-href="https://docs.npmjs.com/policies/unpublish" target="_blank"
-rel="noopener noreferrer"> unpublish policies</a>
+To learn more about how the npm registry treats unpublish, see our
+[unpublish policies](https://docs.npmjs.com/policies/unpublish).
 
 ### Warning
 

deps/npm/docs/content/commands/npm.md

@@ -14,7 +14,7 @@ Note: This command is unaware of workspaces.
 
 ### Version
 
-10.2.0
+10.2.2
 
 ### Description
 

deps/npm/docs/content/configuring-npm/package-lock-json.md

@@ -114,7 +114,7 @@ the npm registry.  Lockfiles generated by npm v7 will contain
 * `1`: The lockfile version used by npm v5 and v6.
 * `2`: The lockfile version used by npm v7 and v8. Backwards compatible to v1
   lockfiles.
-* `3`: The lockfile version used by npm v9. Backwards compatible to npm v7.
+* `3`: The lockfile version used by npm v9 and above. Backwards compatible to npm v7.
 
 npm will always attempt to get whatever data it can out of a lockfile, even
 if it is not a version that it was designed to support.

deps/npm/docs/content/using-npm/scripts.md

@@ -159,8 +159,6 @@ These are run from the scripts of `<pkg-name>`
 * `publish`
 * `postpublish`
 
-`prepare` will not run during `--dry-run`
-
 #### [`npm rebuild`](/commands/npm-rebuild)
 
 * `preinstall`

deps/npm/docs/output/commands/npm-audit.html

@@ -203,13 +203,13 @@ <h3 id="audit-signatures">Audit Signatures</h3>
 </code></pre>
 <p>Keys response:</p>
 <ul>
-<li><code>expires</code>: null or a simplified extended ISO 8601 format: <code>YYYY-MM-DDTHH:mm:ss.sssZ</code></li>
+<li><code>expires</code>: null or a simplified extended <a href="https://en.wikipedia.org/wiki/ISO_8601%22">ISO 8601 format</a>: <code>YYYY-MM-DDTHH:mm:ss.sssZ</code></li>
 <li><code>keydid</code>: sha256 fingerprint of the public key</li>
 <li><code>keytype</code>: only <code>ecdsa-sha2-nistp256</code> is currently supported by the npm CLI</li>
 <li><code>scheme</code>: only <code>ecdsa-sha2-nistp256</code> is currently supported by the npm CLI</li>
 <li><code>key</code>: base64 encoded public key</li>
 </ul>
-<p>See this example key's response from the public npm registry.</p>
+<p>See this <a href="https://registry.npmjs.org/-/npm/v1/keys%22">example key's response from the public npm registry</a>.</p>
 <h3 id="audit-endpoints">Audit Endpoints</h3>
 <p>There are two audit endpoints that npm may use to fetch vulnerability
 information: the <code>Bulk Advisory</code> endpoint and the <code>Quick Audit</code> endpoint.</p>

deps/npm/docs/output/commands/npm-ls.html

@@ -160,7 +160,7 @@ <h3 id="description">Description</h3>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre><code class="language-bash">npm@10.2.0 /path/to/npm
+<pre><code class="language-bash">npm@10.2.2 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>

deps/npm/docs/output/commands/npm-rebuild.html

@@ -151,13 +151,24 @@ <h2 id="table-of-contents">Table of contents</h2>
 alias: rb
 </code></pre>
 <h3 id="description">Description</h3>
-<p>This command runs the <code>npm build</code> command on the matched folders.  This is
-useful when you install a new version of node, and must recompile all your
-C++ addons with the new binary.  It is also useful when installing with
-<code>--ignore-scripts</code> and <code>--no-bin-links</code>, to explicitly choose which
-packages to build and/or link bins.</p>
-<p>If one or more package specs are provided, then only packages with a
-name and version matching one of the specifiers will be rebuilt.</p>
+<p>This command does the following:</p>
+<ol>
+<li>Execute lifecycle scripts (<code>preinstall</code>, <code>install</code>, <code>postinstall</code>, <code>prepare</code>)</li>
+<li>Links bins depending on whether bin links are enabled</li>
+</ol>
+<p>This command is particularly useful in scenarios including but not limited to:</p>
+<ol>
+<li>Installing a new version of <strong>node.js</strong>, where you need to recompile all your C++ add-ons with the updated binary.</li>
+<li>Installing with <code>--ignore-scripts</code> and <code>--no-bin-links</code>, to explicitly choose which packages to build and/or link bins.</li>
+</ol>
+<p>If one or more package specs are provided, then only packages with a name and version matching one of the specifiers will be rebuilt.</p>
+<p>Usually, you should not need to run <code>npm rebuild</code> as it is already done for you as part of npm install (unless you suppressed these steps with <code>--ignore-scripts</code> or <code>--no-bin-links</code>).</p>
+<p>If there is a <code>binding.gyp</code> file in the root of your package, then npm will use a default install hook:</p>
+<pre><code>"scripts": {
+    "install": "node-gyp rebuild"
+}
+</code></pre>
+<p>This default behavior is suppressed if the <code>package.json</code> has its own <code>install</code> or <code>preinstall</code> scripts. It is also suppressed if the package specifies <code>"gypfile": false</code></p>
 <h3 id="configuration">Configuration</h3>
 <h4 id="global"><code>global</code></h4>
 <ul>

deps/npm/docs/output/commands/npm-team.html

@@ -168,7 +168,7 @@ <h3 id="description">Description</h3>
 <li>
 <p>create / destroy:
 Create a new team, or destroy an existing one. Note: You cannot remove the
-<code>developers</code> team, learn more.</p>
+<code>developers</code> team, <a href="https://docs.npmjs.com/about-developers-team">learn more.</a></p>
 <p>Here's how to create a new team <code>newteam</code> under the <code>org</code> org:</p>
 <pre><code class="language-bash">npm team create @org:newteam
 </code></pre>

deps/npm/docs/output/commands/npm-unpublish.html

@@ -148,7 +148,8 @@ <h2 id="table-of-contents">Table of contents</h2>
 <div id="_content"><h3 id="synopsis">Synopsis</h3>
 <pre><code class="language-bash">npm unpublish [&lt;package-spec&gt;]
 </code></pre>
-<p>To learn more about how the npm registry treats unpublish, see our  unpublish policies</p>
+<p>To learn more about how the npm registry treats unpublish, see our
+<a href="https://docs.npmjs.com/policies/unpublish">unpublish policies</a>.</p>
 <h3 id="warning">Warning</h3>
 <p>Consider using the <a href="../commands/npm-deprecate.html"><code>deprecate</code></a> command instead,
 if your intent is to encourage users to upgrade, or if you no longer

deps/npm/docs/output/commands/npm.html

@@ -150,7 +150,7 @@ <h2 id="table-of-contents">Table of contents</h2>
 </code></pre>
 <p>Note: This command is unaware of workspaces.</p>
 <h3 id="version">Version</h3>
-<p>10.2.0</p>
+<p>10.2.2</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency

deps/npm/docs/output/configuring-npm/package-lock-json.html

@@ -241,7 +241,7 @@ <h4 id="lockfileversion"><code>lockfileVersion</code></h4>
 <li><code>1</code>: The lockfile version used by npm v5 and v6.</li>
 <li><code>2</code>: The lockfile version used by npm v7 and v8. Backwards compatible to v1
 lockfiles.</li>
-<li><code>3</code>: The lockfile version used by npm v9. Backwards compatible to npm v7.</li>
+<li><code>3</code>: The lockfile version used by npm v9 and above. Backwards compatible to npm v7.</li>
 </ul>
 <p>npm will always attempt to get whatever data it can out of a lockfile, even
 if it is not a version that it was designed to support.</p>

deps/npm/docs/output/using-npm/scripts.html

@@ -293,7 +293,6 @@ <h4 id="npm-publish"><a href="../commands/npm-publish.html"><code>npm publish</c
 <li><code>publish</code></li>
 <li><code>postpublish</code></li>
 </ul>
-<p><code>prepare</code> will not run during <code>--dry-run</code></p>
 <h4 id="npm-rebuild"><a href="../commands/npm-rebuild.html"><code>npm rebuild</code></a></h4>
 <ul>
 <li><code>preinstall</code></li>

deps/npm/lib/commands/audit.js

@@ -55,7 +55,7 @@ class VerifySignatures {
     // Didn't find any dependencies that could be verified, e.g. only local
     // deps, missing version, not on a registry etc.
     if (!this.auditedWithKeysCount) {
-      throw new Error('found no dependencies to audit that where installed from ' +
+      throw new Error('found no dependencies to audit that were installed from ' +
                       'a supported registry')
     }
 

deps/npm/lib/commands/link.js

@@ -109,13 +109,13 @@ class Link extends ArboristWorkspaceCmd {
     // using any of --save-dev or other types
     const save =
       Boolean(
-        this.npm.config.find('save') !== 'default' ||
+        (this.npm.config.find('save') !== 'default' &&
+        this.npm.config.get('save')) ||
         this.npm.config.get('save-optional') ||
         this.npm.config.get('save-peer') ||
         this.npm.config.get('save-dev') ||
         this.npm.config.get('save-prod')
       )
-
     // create a new arborist instance for the local prefix and
     // reify all the pending names as symlinks there
     const localArb = new Arborist({

deps/npm/lib/commands/logout.js

@@ -1,5 +1,5 @@
-const getAuth = require('npm-registry-fetch/lib/auth.js')
 const npmFetch = require('npm-registry-fetch')
+const { getAuth } = npmFetch
 const log = require('../utils/log-shim')
 const BaseCommand = require('../base-command.js')
 
@@ -19,10 +19,14 @@ class Logout extends BaseCommand {
 
     const auth = getAuth(reg, this.npm.flatOptions)
 
+    const level = this.npm.config.find(`${auth.regKey}:${auth.authKey}`)
+
+    // find the config level and only delete from there
     if (auth.token) {
       log.verbose('logout', `clearing token for ${reg}`)
       await npmFetch(`/-/user/token/${encodeURIComponent(auth.token)}`, {
         ...this.npm.flatOptions,
+        registry: reg,
         method: 'DELETE',
         ignoreBody: true,
       })
@@ -34,12 +38,12 @@ class Logout extends BaseCommand {
     }
 
     if (scope) {
-      this.npm.config.delete(regRef, 'user')
+      this.npm.config.delete(regRef, level)
     }
 
-    this.npm.config.clearCredentialsByURI(reg)
+    this.npm.config.clearCredentialsByURI(reg, level)
 
-    await this.npm.config.save('user')
+    await this.npm.config.save(level)
   }
 }
 module.exports = Logout

deps/npm/lib/utils/error-message.js

@@ -182,7 +182,7 @@ const errorMessage = (er, npm) => {
           ])
           detail.push([
             '',
-            ['To correct this please trying logging in again with:', '    npm login'].join('\n'),
+            ['To correct this please try logging in again with:', '    npm login'].join('\n'),
           ])
         } else if (auth.includes('Basic')) {
           short.push(['', 'Incorrect or missing password.'])

deps/npm/lib/utils/queryable.js

@@ -111,13 +111,9 @@ const getter = ({ data, key }) => {
       }, {})
       return _data
     } else {
-      // if can't find any more values, it means it's just over
-      // and there's nothing to return
-      if (!_data[k]) {
+      if (!Object.hasOwn(_data, k)) {
         return undefined
       }
-
-      // otherwise sets the next value
       _data = _data[k]
     }
 

deps/npm/man/man1/npm-audit.1

@@ -78,7 +78,7 @@ Public signing keys are provided at \fBregistry-host.tld/-/npm/v1/keys\fR in the
 Keys response:
 .RS 0
 .IP \(bu 4
-\fBexpires\fR: null or a simplified extended ISO 8601 format: \fBYYYY-MM-DDTHH:mm:ss.sssZ\fR
+\fBexpires\fR: null or a simplified extended \fBISO 8601 format\fR \fI\(lahttps://en.wikipedia.org/wiki/ISO_8601"\(ra\fR: \fBYYYY-MM-DDTHH:mm:ss.sssZ\fR
 .IP \(bu 4
 \fBkeydid\fR: sha256 fingerprint of the public key
 .IP \(bu 4
@@ -90,7 +90,7 @@ Keys response:
 .RE 0
 
 .P
-See this example key's response from the public npm registry.
+See this \fBexample key's response from the public npm registry\fR \fI\(lahttps://registry.npmjs.org/-/npm/v1/keys"\(ra\fR.
 .SS "Audit Endpoints"
 .P
 There are two audit endpoints that npm may use to fetch vulnerability information: the \fBBulk Advisory\fR endpoint and the \fBQuick Audit\fR endpoint.

deps/npm/man/man1/npm-ls.1

@@ -20,7 +20,7 @@ Positional arguments are \fBname@version-range\fR identifiers, which will limit
 .P
 .RS 2
 .nf
-npm@10.2.0 /path/to/npm
+npm@10.2.2 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 .fi

deps/npm/man/man1/npm-rebuild.1

@@ -12,9 +12,39 @@ alias: rb
 .RE
 .SS "Description"
 .P
-This command runs the \fBnpm build\fR command on the matched folders. This is useful when you install a new version of node, and must recompile all your C++ addons with the new binary. It is also useful when installing with \fB--ignore-scripts\fR and \fB--no-bin-links\fR, to explicitly choose which packages to build and/or link bins.
+This command does the following:
+.RS 0
+.IP 1. 4
+Execute lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, \fBprepare\fR)
+.IP 2. 4
+Links bins depending on whether bin links are enabled
+.RE 0
+
+.P
+This command is particularly useful in scenarios including but not limited to:
+.RS 0
+.IP 1. 4
+Installing a new version of \fBnode.js\fR, where you need to recompile all your C++ add-ons with the updated binary.
+.IP 2. 4
+Installing with \fB--ignore-scripts\fR and \fB--no-bin-links\fR, to explicitly choose which packages to build and/or link bins.
+.RE 0
+
 .P
 If one or more package specs are provided, then only packages with a name and version matching one of the specifiers will be rebuilt.
+.P
+Usually, you should not need to run \fBnpm rebuild\fR as it is already done for you as part of npm install (unless you suppressed these steps with \fB--ignore-scripts\fR or \fB--no-bin-links\fR).
+.P
+If there is a \fBbinding.gyp\fR file in the root of your package, then npm will use a default install hook:
+.P
+.RS 2
+.nf
+"scripts": {
+    "install": "node-gyp rebuild"
+}
+.fi
+.RE
+.P
+This default behavior is suppressed if the \fBpackage.json\fR has its own \fBinstall\fR or \fBpreinstall\fR scripts. It is also suppressed if the package specifies \fB"gypfile": false\fR
 .SS "Configuration"
 .SS "\fBglobal\fR"
 .RS 0

deps/npm/man/man1/npm-team.1

@@ -23,7 +23,7 @@ Teams must always be fully qualified with the organization/scope they belong to
 If you have two-factor authentication enabled in \fBauth-and-writes\fR mode, then you can provide a code from your authenticator with \fB\[lB]--otp <otpcode>\[rB]\fR. If you don't include this then you will be taken through a second factor flow based on your \fBauthtype\fR.
 .RS 0
 .IP \(bu 4
-create / destroy: Create a new team, or destroy an existing one. Note: You cannot remove the \fBdevelopers\fR team, learn more.
+create / destroy: Create a new team, or destroy an existing one. Note: You cannot remove the \fBdevelopers\fR team, \fBlearn more.\fR \fI\(lahttps://docs.npmjs.com/about-developers-team\(ra\fR
 .P
 Here's how to create a new team \fBnewteam\fR under the \fBorg\fR org:
 .P

deps/npm/man/man1/npm-unpublish.1

@@ -9,7 +9,7 @@ npm unpublish \[lB]<package-spec>\[rB]
 .fi
 .RE
 .P
-To learn more about how the npm registry treats unpublish, see our  unpublish policies
+To learn more about how the npm registry treats unpublish, see our \fBunpublish policies\fR \fI\(lahttps://docs.npmjs.com/policies/unpublish\(ra\fR.
 .SS "Warning"
 .P
 Consider using the npm help deprecate command instead, if your intent is to encourage users to upgrade, or if you no longer want to maintain a package.