chore(deps): update npm to v6

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	References
npm	engines	major	>=5.0.0 -> >=6.4.1	homepage, source

---

Release Notes

npm/cli

v6.4.1

Compare Source

BUGFIXES

• 4bd40f543
  #​42
  Prevent blowing up on malformed responses from the npm audit endpoint, such
  as with third-party registries.
  (@​framp)
• 0e576f0aa
  #​46
  Fix NO_PROXY support by renaming npm-side config to --noproxy. The
  environment variable should still work.
  (@​SneakyFish5)
• d8e811d6a
  #​33
  Disable update-notifier checks when a CI environment is detected.
  (@​Sibiraj-S)
• 1bc5b8cea
  #​47
  Fix issue where postpack scripts would break if pack was used with
  --dry-run.
  (@​larsgw)

DEPENDENCY BUMPS

• 4c57316d5
figgy-pudding@3.4.1
  (@​zkat)
• 85f4d7905
cacache@11.2.0
  (@​zkat)
• d20ac242a
npm-packlist@1.1.11:
  No real changes in npm-packlist, but npm-bundled included a
  circular dependency fix, as well as adding a proper LICENSE file.
  (@​isaacs)
• e8d5f4418
  npm.community#​632
  libcipm@2.0.2:
  Fixes issue where npm ci wasn't running the prepare lifecycle script when
  installing git dependencies
  (@​edahlseng)
• a5e6f78e9
JSONStream@1.3.4:
  Fixes memory leak problem when streaming large files (like legacy npm search).
  (@​daern91)
• 3b940331d
  npm.community#​1042
  npm-lifecycle@2.1.0:
  Fixes issue for Windows user where multiple Path/PATH variables were being
  added to the environment and breaking things in all sorts of fun and
  interesting ways.
  (@​JimiC)
• d612d2ce8
npm-registry-client@8.6.0
  (@​iarna)
• 1f6ba1cb1
opener@1.5.0
  (@​domenic)
• 37b8f405f
request@2.88.0
  (@​mikeal)
• bb91a2a14
tacks@1.2.7
  (@​iarna)
• 30bc9900a
ci-info@1.4.0:
  Adds support for two more CI services
  (@​watson)
• 1d2fa4ddd
marked@0.5.0
  (@​joshbruce)

DOCUMENTATION

• 08ecde292
  #​54
  Mention registry terms of use in manpage and registry docs and update language
  in README for it.
  (@​kemitchell)
• de956405d
  #​41
  Add documentation for --dry-run in install and pack docs.
  (@​reconbot)
• 95031b90c
  #​48
  Update republish time and lightly reorganize republish info.
  (@​neverett)
• 767699b68
  #​53
  Correct npm@6.4.0 release date in changelog.
  (@​charmander)
• 3fea3166e
  #​55
  Align command descriptions in help text.
  (@​erik)

v6.4.0

Compare Source

NEW FEATURES

• 6e9f04b0b
  npm/cli#​8
  Search for authentication token defined by environment variables by preventing
  the translation layer from env variable to npm option from breaking
  :_authToken.
  (@​mkhl)
• 84bfd23e7
  npm/cli#​35
  Stop filtering out non-IPv4 addresses from local-addrs, making npm actually
  use IPv6 addresses when it must.
  (@​valentin2105)
• 792c8c709
  npm/cli#​31
  configurable audit level for non-zero exit
  npm audit currently exits with exit code 1 if any vulnerabilities are found of any level.
  Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found.
  Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected.
  (@​lennym)

BUGFIXES

• d81146181
  npm/cli#​32
  Don't check for updates to npm when we are updating npm itself.
  (@​olore)

DEPENDENCY UPDATES

A very special dependency update event! Since the release of
node-gyp@3.8.0, an awkward
version conflict that was preventing request from begin flattened was
resolved. This means two things:

1. We've cut down the npm tarball size by another 200kb, to 4.6MB
2. npm audit now shows no vulnerabilities for npm itself!

Thanks, @​rvagg!

• 866d776c2
request@2.87.0
  (@​simov)
• f861c2b57
node-gyp@3.8.0
  (@​rvagg)
• 32e6947c6
  npm/cli#​39
  colors@1.1.2:
  REVERT REVERT, newer versions of this library are broken and print ansi
  codes even when disabled.
  (@​iarna)
• beb96b92c
libcipm@2.0.1
  (@​zkat)
• 348fc91ad
validate-npm-package-license@3.0.4: Fixes errors with empty or string-only
  license fields.
  (@​Gudahtt)
• e57d34575
iferr@1.0.2
  (@​shesek)
• 46f1c6ad4
tar@4.4.6
  (@​isaacs)
• 50df1bf69
hosted-git-info@2.7.1
  (@​iarna)
  (@​Erveon)
  (@​huochunpeng)

DOCUMENTATION

• af98e76ed
  npm/cli#​34
  Remove npm publish from list of commands not affected by --dry-run.
  (@​joebowbeer)
• e2b0f0921
  npm/cli#​36
  Tweak formatting in repository field examples.
  (@​noahbenham)
• e2346e770
  npm/cli#​14
  Used process.env examples to make accessing certain npm run-scripts
  environment variables more clear.
  (@​mwarger)

v6.3.0

Compare Source

This is basically the same as the prerelease, but two dependencies have been
bumped due to bugs that had been around for a while.

• 0a22be42e
figgy-pudding@3.2.0
  (@​zkat)
• 0096f6997
cacache@11.1.0
  (@​zkat)

v6.2.0

Compare Source

In case you missed it, we
moved!. We
look forward to seeing future PRs landing in
npm/cli in the future, and we'll be chatting with
you all in npm.community. Go check it out!

This final release of npm@6.2.0 includes a couple of features that weren't
quite ready on time but that we'd still like to include. Enjoy!

FEATURES

• 244b18380
  #​20554
  Add support for tab-separated output for npm audit data with the
  --parseable flag.
  (@​luislobo)
• 7984206e2
  #​12697
  Add new sign-git-commit config to control whether the git commit itself gets
  signed, or just the tag (which is the default).
  (@​tribou)

FIXES

• 4c32413a5
  #​19418
  Do not use SET to fetch the env in git-bash or Cygwin.
  (@​gucong3000)

DEPENDENCY BUMPS

• d9b2712a6
request@2.81.0: Downgraded to allow better deduplication. This does
  introduce a bunch of hoek-related audit reports, but they don't affect npm
  itself so we consider it safe. We'll upgrade request again once node-gyp
  unpins it.
  (@​simov)
• 2ac48f863
node-gyp@3.7.0
  (@​MylesBorins)
• 8dc6d7640
cli-table3@​0.5.0: cli-table2 is unmaintained and required lodash. With
  this dependency bump, we've removed lodash from our tree, which cut back
  tarball size by another 300kb.
  (@​Turbo87)
• 90c759fee
npm-audit-report@1.3.1
  (@​zkat)
• 4231a0a1e
  Add cli-table3 to bundleDeps.
  (@​iarna)
• 322d9c2f1
  Make standard happy.
  (@​iarna)

DOCS

• 5724983ea
  #​21165
  Fix some markdown formatting in npm-disputes.md.
  (@​hchiam)
• 738178315
  #​20920
  Explicitly state that republishing an unpublished package requires a 72h
  waiting period.
  (@​gmattie)
• f0a372b07
  Replace references to the old repo or issue tracker. We're at npm/cli now!
  (@​zkat)

v6.1.0

Compare Source

FIX WRITE AFTER END ERROR

First introduced in 5.8.0, this finally puts to bed errors where you would
occasionally see Error: write after end at MiniPass.write.

• 171f3182f
  node-tar#​180
  npm.community#​35
  pacote@8.1.5: Fix write-after-end errors.
  (@​zkat)

DETECT CHANGES IN GIT SPECIFIERS

• 0e1726c03
  We can now determine if the commitid of a git dependency in the lockfile is derived
  from the specifier in the package.json and if it isn't we now trigger an update for it.
  (@​iarna)

OTHER BUGS

• 442d2484f
2f0c88351
631d30a34
  When requesting the update of a direct dependency that was also a
  transitive dependency to a version incompatible with the transitive
  requirement and you had a lock-file but did not have a node_modules
  folder then npm would fail to provide a new copy of the transitive
  dependency, resulting in an invalid lock-file that could not self heal.
  (@​iarna)
• be5dd0f49
  #​20715
  Cleanup output of npm ci summary report.
  (@​legodude17)
• 98ffe4adb
  Node.js now has a test that scans for things that look like conflict
  markers in source code. This was triggering false positives on a fixture in a test
  of npm's ability to heal lockfiles with conflicts in them.
  (@​iarna)

DEPENDENCY UPDATES

• 3f2e306b8
  Using npm audit fix, replace some transitive dependencies with security
  issues with versions that don't have any.
  (@​iarna)
• 1d07134e0
tar@4.4.1:
  Dropping to 4.4.1 from 4.4.2 due to npm/node-tar#​183
  (@​zkat)

v6.0.1

Compare Source

AUDIT SHOULDN'T WAIT FOREVER

This will likely be reduced further with the goal that the audit process
shouldn't noticibly slow down your builds regardless of your network
situation.

• 3dcc240db
  Timeout audit requests eventually.
  (@​iarna)

Looking forward

We're still a way from having node@11, so now's a good time to ensure we
don't warn about being used with it.

• ed1aebf55
  Allow node@11, when it comes.
  (@​iarna)

v6.0.0

Compare Source

Hey y'all! Here's another npm@6 release -- with node@10 around the corner,
this might well be the last prerelease before we tag 6.0.0! There's two major
features included with this release, along with a few miscellaneous fixes and
changes.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @​jdalton of
lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an
npm package by running create-react-app and create-esm, respectively. This
also adds an npm create alias, to correspond to Yarn's yarn create feature,
which inspired this.

• 008a83642 ed81d1426 833046e45
  #​20303
  Add an npm init feature that calls out to npx when invoked with positional
  arguments. (@​jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security
audit of your project's dependency tree and notify you about any actions you may
need to take.

The registry-side services required for this command to work will be available
on the main npm registry in the coming weeks. Until then, you won't get much out
of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically
anonymized metadata about your dependency tree to your configured registry, to
allow notifying you about the existence of critical security flaws. For details
about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit
online. You
can disable this altogether by doing npm config set audit false, but will no
longer benefit from the service.

• f4bc648ea
  #​20389
  npm-registry-fetch@1.1.0
  (@​iarna)
• 594d16987
  #​20389
  npm-audit-report@1.0.5
  (@​iarna)
• 8c77dde74 1d8ac2492 552ff6d64 09c734803
  #​20389
  Add new npm audit command.
  (@​iarna)
• be393a290
  #​20389
  Temporarily suppress git metadata till there's an opt-in.
  (@​iarna)
• 8e713344f
  #​20389
  Document the new command.
  (@​iarna)
• #​20389
  Default audit to off when running the npm test suite itself.
  (@​iarna)

MORE package-lock.json FORMAT CHANGES?!

• 820f74ae2
  #​20384
  Add from field back into package-lock for git dependencies. This will give
  npm the information it needs to figure out whether git deps are valid,
  specially when running with legacy install metadata or in
  --package-lock-only mode when there's no node_modules. This should help
  remove a significant amount of git-related churn on the lock-file.
  (@​zkat)

BUGFIXES

• 9d5d0a18a
  #​20358
  npm install-test (aka npm it) will no longer generate package-lock.json
  when running with --no-package-lock or package-lock=false.
  (@​raymondfeng)
• e4ed976e2
2facb35fb
9c1eb945b
  #​20390
  Fix a scenario where a git dependency had a comittish associated with it
  that was not a complete commitid. npm would never consider that entry
  in the package.json as matching the entry in the package-lock.json and
  this resulted in inappropriate pruning or reinstallation of git
  dependencies. This has been addressed in two ways, first, the addition of the
  from field as described in #​20384 means
  we can exactly match the package.json. Second, when that's missing (when working with
  older package-lock.json files), we assume that the match is ok. (If
  it's not, we'll fix it up when a real installation is done.)
  (@​iarna)

DEPENDENCIES

• 1c1f89b73
libnpx@10.2.0
  (@​zkat)
• 242d8a647
pacote@8.1.0
  (@​zkat)

DOCS

• a1c77d614
  #​20331
  Fix broken link to 'private-modules' page. The redirect went away when the new
  npm website went up, but the new URL is better anyway.
  (@​vipranarayan14)
• ad7a5962d
  #​20279
  Document the --if-present option for npm run-script.
  (@​aleclarson)

v5.10.0

Compare Source

v5.8.0

Compare Source

v5.7.1

Compare Source

v5.7.0

Compare Source

v5.6.0

Compare Source

v5.5.1

Compare Source

v5.5.0

Compare Source

v5.4.2

Compare Source

v5.4.1

Compare Source

v5.4.0

Compare Source

v5.3.0

Compare Source

v5.2.0

Compare Source

v5.1.0

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

---

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by Renovate Bot. View repository job log here.

[renovate]

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 6.x releases. However, if you upgrade to 6.x manually then Renovate will then reenable updates for minor and patch updates automatically.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.