deps: upgrade npm to 5.0.0

PR-URL: https://github.com/nodejs/node/pull/13276
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

deps/npm/TODO.org

@@ -1,4 +1,18 @@
 * Finished
+  * [COMPLETED] npm: remove packageIntegrity
+  * [COMPLETED] npm: fix lifecycle stuff
+    * pack:
+      * pre-: immediately before tarball contents are packed. Need to re-read package.json immediately after
+      * pack: No pack lifecycle
+      * post-: immediately after tarball reaches its final destination (not immediately after packaging)
+    * prepare: `npm install`, immediately before `postinstall`, and immediately before `prepack`, never if `--prod`, after prepublish, before prepublishOnly
+    * prepublish: alias for `prepare`
+    * prepublishOnly: ONLY on `npm publish` (never on `npm pack`), runs before prepack (which takes care of re-reading package.json), re-reads package.json immediately after
+  * [COMPLETED] pacote: fix always-auth bug
+  * [COMPLETED] pacote: figure out why cache is being written as root
+  * [COMPLETED] npm: make `npm update` save files as the right type
+  * [COMPLETED] npm: update docs with npm5 changes
+  * [COMPLETED] npm: don't write "problems" into package-lock
   * [COMPLETED] npm: add `created-with`, `shrinkwrap-version`, and `package-integrity`
   * [COMPLETED] npm: warn on incompatible package-lock version
   * [COMPLETED] npm: warn if both shrinkwrap and package-lock are there
@@ -46,6 +60,12 @@
   * [COMPLETED] npm: fix bundle replacement issues (see: npm i nyc warning spam)
     * need fromBundle attribute on shrinkwrap and pass it through. the sw.version && sw.integrity-based fake node needs to have this there.
 * Backlog
+  * [TODO] make-fetch-happen: integrity failures are being thrown
+  * [TODO] write-file-atomic: review https://github.com/npm/write-file-atomic/pull/22
+  * [TODO] pacote: write tests for git handlers
+    * https://github.com/zkat/pacote/issues/70
+  * [TODO] pacote: offline feature support for git deps
+  * [TODO] npm: get logging working during the recalculateMetadata spam
   * [TODO] pacote: opts.extraHeaders
     * https://github.com/zkat/pacote/issues/79
   * [TODO] pacote: ECONNRESET recovery
@@ -59,14 +79,8 @@
     * https://github.com/zkat/make-fetch-happen/issues/16
   * [TODO] make-fetch-happen: retry notification
     * https://github.com/zkat/make-fetch-happen/issues/21
-  * [TODO] npm: move addBundled call from inflate-shrinkwrap to extract
-    * fix the fucking bundling thing while at it
+  * [TODO] npm: more informative logging when building git deps
 * Needed for npm@5
-  * [TODO] pacote: write tests for git handlers
-    * https://github.com/zkat/pacote/issues/70
-  * [TODO] pacote: offline feature support for git deps
-  * [TODO] npm: get logging working during the recalculateMetadata spam
-  * [TODO] write-file-atomic: review https://github.com/npm/write-file-atomic/pull/22
 * Active
-  * [TODO] npm: make `npm update` save files as the right type
-  * [TODO] node: track down lifecycle signal failure
+  * [TODO] npm: figure out https://github.com/npm/npm/issues/16665
+  * [TODO] npm: first-run notice about npm5 still having known issues

deps/npm/appveyor.yml

@@ -15,7 +15,6 @@ install:
   - ps: Install-Product node $env:nodejs_version $env:platform
   - npm config set spin false
   - npm rebuild
-  - npm i -g "npm/npm#release-beta-5"
   - node . install -g .
   - set "PATH=%APPDATA%\npm;C:\Program Files\Git\mingw64\libexec;%PATH%"
   - npm install --loglevel=http

deps/npm/doc/cli/npm-cache.md

@@ -8,11 +8,11 @@ npm-cache(1) -- Manipulates packages cache
     npm cache add <tarball url>
     npm cache add <name>@<version>
 
-    npm cache ls [<path>]
-
     npm cache clean [<path>]
     aliases: npm cache clear, npm cache rm
 
+    npm cache verify
+
 ## DESCRIPTION
 
 Used to add, list, or clean the npm cache folder.
@@ -22,35 +22,45 @@ Used to add, list, or clean the npm cache folder.
   intended to be used internally by npm, but it can provide a way to
   add data to the local installation cache explicitly.
 
-* ls:
-  Show the data in the cache.  Argument is a path to show in the cache
-  folder.  Works a bit like the `find` program, but limited by the
-  `depth` config.
-
 * clean:
-  Delete data out of the cache folder.  If an argument is provided, then
-  it specifies a subpath to delete.  If no argument is provided, then
-  the entire cache is deleted.
+  Delete all data out of the cache folder.
+
+* verify:
+  Verify the contents of the cache folder, garbage collecting any unneeded data,
+  and verifying the integrity of the cache index and all cached data.
 
 ## DETAILS
 
-npm stores cache data in the directory specified in `npm config get cache`.
-For each package that is added to the cache, three pieces of information are
-stored in `{cache}/{name}/{version}`:
+npm stores cache data in an opaque directory within the configured `cache`,
+named `_cacache`. This directory is a `cacache`-based content-addressable cache
+that stores all http request data as well as other package-related data. This
+directory is primarily accessed through `pacote`, the library responsible for
+all package fetching as of npm@5.
+
+All data that passes through the cache is fully verified for integrity on both
+insertion and extraction. Cache corruption will either trigger an error, or
+signal to `pacote` that the data must be refetched, which it will do
+automatically. For this reason, it should never be necessary to clear the cache
+for any reason other than reclaiming disk space, thus why `clean` now requires
+`--force` to run.
+
+There is currently no method exposed through npm to inspect or directly manage
+the contents of this cache. In order to access it, `cacache` must be used
+directly.
+
+npm will not remove data by itself: the cache will grow as new packages are
+installed.
 
-* .../package/package.json:
-  The package.json file, as npm sees it.
-* .../package.tgz:
-  The tarball for that version.
+## A NOTE ABOUT THE CACHE'S DESIGN
 
-Additionally, whenever a registry request is made, a `.cache.json` file
-is placed at the corresponding URI, to store the ETag and the requested
-data.  This is stored in `{cache}/{hostname}/{path}/.cache.json`.
+The npm cache is strictly a cache: it should not be relied upon as a persistent
+and reliable data store for package data. npm makes no guarantee that a
+previously-cached piece of data will be available later, and will automatically
+delete corrupted contents. The primary guarantee that the cache makes is that,
+if it does return data, that data will be exactly the data that was inserted.
 
-Commands that make non-essential registry requests (such as `search` and
-`view`, or the completion scripts) generally specify a minimum timeout.
-If the `.cache.json` file is younger than the specified timeout, then
-they do not make an HTTP request to the registry.
+To run an offline verification of existing cache contents, use `npm cache
+verify`.
 
 ## CONFIGURATION
 
@@ -69,3 +79,5 @@ The root cache folder.
 * npm-install(1)
 * npm-publish(1)
 * npm-pack(1)
+* https://npm.im/cacache
+* https://npm.im/pacote

deps/npm/doc/cli/npm-install.md

@@ -8,18 +8,21 @@ npm-install(1) -- Install a package
     npm install [<@scope>/]<name>@<tag>
     npm install [<@scope>/]<name>@<version>
     npm install [<@scope>/]<name>@<version range>
+    npm install <git-host>:<git-user>/<repo-name>
+    npm install <git repo url>
     npm install <tarball file>
     npm install <tarball url>
     npm install <folder>
 
     alias: npm i
-    common options: [-S|--save|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--dry-run]
+    common options: [-P|--save-prod|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--no-save] [--dry-run]
 
 ## DESCRIPTION
 
 This command installs a package, and any packages that it depends on. If the
-package has a shrinkwrap file, the installation of dependencies will be driven
-by that. See npm-shrinkwrap(1).
+package has a package-lock or shrinkwrap file, the installation of dependencies
+will be driven by that, with an `npm-shrinkwrap.json` taking precedence if both
+files exist. See package-lock.json(5) and npm-shrinkwrap(1).
 
 A `package` is:
 
@@ -54,13 +57,17 @@ after packing it up into a tarball (b).
 
 * `npm install <folder>`:
 
-    Install a package that is sitting in a folder on the filesystem.
+    Install the package in the directory as a symlink in the current project.
+    Its dependencies will be installed before it's linked. If `<folder>` sits
+    inside the root of your project, its dependencies may be hoisted to the
+    toplevel `node_modules` as they would for other types of dependencies.
 
 * `npm install <tarball file>`:
 
     Install a package that is sitting on the filesystem.  Note: if you just want
     to link a dev directory into your npm root, you can do this more easily by
-    using `npm link`.
+    using `npm link`. The filename *must* use `.tar`, `.tar.gz`, or `.tgz` as
+    the extension.
 
     Example:
 
@@ -75,27 +82,31 @@ after packing it up into a tarball (b).
 
           npm install https://github.com/indexzero/forever/tarball/v0.5.6
 
-* `npm install [<@scope>/]<name> [-S|--save|-D|--save-dev|-O|--save-optional]`:
+* `npm install [<@scope>/]<name>`:
 
     Do a `<name>@<tag>` install, where `<tag>` is the "tag" config. (See
     `npm-config(7)`. The config's default value is `latest`.)
 
-    In most cases, this will install the latest version
-    of the module published on npm.
+    In most cases, this will install the version of the modules tagged as
+    `latest` on the npm registry.
 
     Example:
 
           npm install sax
 
-    `npm install` takes 3 exclusive, optional flags which save or update
-    the package version in your main package.json:
+    `npm install` saves any specified packages into `dependencies` by default.
+    Additionally, you can control where and how they get saved with some
+    additional flags:
 
-    * `-S, --save`: Package will appear in your `dependencies`.
+    * `-P, --save-prod`: Package will appear in your `dependencies`. This is the
+                         default unless `-D` or `-O` are present.
 
     * `-D, --save-dev`: Package will appear in your `devDependencies`.
 
     * `-O, --save-optional`: Package will appear in your `optionalDependencies`.
 
+    * `--no-save`: Prevents saving to `dependencies`.
+
     When using any of the above options to save dependencies to your
     package.json, there are two additional, optional flags:
 
@@ -105,8 +116,8 @@ after packing it up into a tarball (b).
 
     * `-B, --save-bundle`: Saved dependencies will also be added to your `bundleDependencies` list.
 
-    Further, if you have an `npm-shrinkwrap.json` then it will be updated as
-    well.
+    Further, if you have an `npm-shrinkwrap.json` or `package-lock.json` then it
+    will be updated as well.
 
     `<scope>` is optional. The package will be downloaded from the registry
     associated with the specified scope. If no registry is associated with
@@ -118,13 +129,13 @@ after packing it up into a tarball (b).
 
     Examples:
 
-          npm install sax --save
+          npm install sax
           npm install githubname/reponame
           npm install @myorg/privatepackage
           npm install node-tap --save-dev
           npm install dtrace-provider --save-optional
-          npm install readable-stream --save --save-exact
-          npm install ansi-regex --save --save-bundle
+          npm install readable-stream --save-exact
+          npm install ansi-regex --save-bundle
 
 
     **Note**: If there is a file or folder named `<name>` in the current
@@ -167,20 +178,30 @@ after packing it up into a tarball (b).
 
 * `npm install <git remote url>`:
 
-    Installs the package from the hosted git provider, cloning it with
-    `git`. First it tries via the https (git with github) and if that fails, via ssh.
+    Installs the package from the hosted git provider, cloning it with `git`.
+    For a full git remote url, only that URL will be attempted.
+
+          <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish> | #semver:<semver>]
+
+    `<protocol>` is one of `git`, `git+ssh`, `git+http`, `git+https`, or
+    `git+file`.
 
-          <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>[#<commit-ish>]
+    If `#<commit-ish>` is provided, it will be used to clone exactly that
+    commit. If the commit-ish has the format `#semver:<semver>`, `<semver>` can
+    be any valid semver range or exact version, and npm will look for any tags
+    or refs matching that range in the remote repository, much as it would for a
+    registry dependency. If neither `#<commit-ish>` or `#semver:<semver>` is
+    specified, then `master` is used.
 
-    `<protocol>` is one of `git`, `git+ssh`, `git+http`, `git+https`,
-    or `git+file`.
-    If no `<commit-ish>` is specified, then `master` is used.
+    If the repository makes use of submodules, those submodules will be cloned
+    as well.
 
-    If the repository makes use of submodules, those submodules will
-    be cloned as well.
+    If the package being installed contains a `prepare` script, its
+    `dependencies` and `devDependencies` will be installed, and the prepare
+    script will be run, before the package is packaged and installed.
 
-    The following git environment variables are recognized by npm and will be added
-    to the environment when running git:
+    The following git environment variables are recognized by npm and will be
+    added to the environment when running git:
 
     * `GIT_ASKPASS`
     * `GIT_EXEC_PATH`
@@ -195,6 +216,7 @@ after packing it up into a tarball (b).
     Examples:
 
           npm install git+ssh://git@github.com:npm/npm.git#v1.0.27
+          npm install git+ssh://git@github.com:npm/npm#semver:^5.0
           npm install git+https://isaacs@github.com/npm/npm.git
           npm install git://github.com/npm/npm.git#v1.0.27
           GIT_SSH_COMMAND='ssh -i ~/.ssh/custom_ident' npm install git+ssh://git@github.com:npm/npm.git
@@ -205,20 +227,31 @@ after packing it up into a tarball (b).
     Install the package at `https://github.com/githubname/githubrepo` by
     attempting to clone it using `git`.
 
-    If you don't specify a *commit-ish* then `master` will be used.
+    If `#<commit-ish>` is provided, it will be used to clone exactly that
+    commit. If the commit-ish has the format `#semver:<semver>`, `<semver>` can
+    be any valid semver range or exact version, and npm will look for any tags
+    or refs matching that range in the remote repository, much as it would for a
+    registry dependency. If neither `#<commit-ish>` or `#semver:<semver>` is
+    specified, then `master` is used.
+
+    As with regular git dependencies, `dependencies` and `devDependencies` will
+    be installed if the package has a `prepare` script, before the package is
+    done installing.
 
     Examples:
 
           npm install mygithubuser/myproject
           npm install github:mygithubuser/myproject
 
-* `npm install gist:[<githubname>/]<gistID>[#<commit-ish>]`:
+* `npm install gist:[<githubname>/]<gistID>[#<commit-ish>|#semver:<semver>]`:
 
     Install the package at `https://gist.github.com/gistID` by attempting to
     clone it using `git`. The GitHub username associated with the gist is
-    optional and will not be saved in `package.json` if `-S` or `--save` is used.
+    optional and will not be saved in `package.json`.
 
-    If you don't specify a *commit-ish* then `master` will be used.
+    As with regular git dependencies, `dependencies` and `devDependencies` will
+    be installed if the package has a `prepare` script, before the package is
+    done installing.
 
     Example:
 
@@ -229,7 +262,16 @@ after packing it up into a tarball (b).
     Install the package at `https://bitbucket.org/bitbucketname/bitbucketrepo`
     by attempting to clone it using `git`.
 
-    If you don't specify a *commit-ish* then `master` will be used.
+    If `#<commit-ish>` is provided, it will be used to clone exactly that
+    commit. If the commit-ish has the format `#semver:<semver>`, `<semver>` can
+    be any valid semver range or exact version, and npm will look for any tags
+    or refs matching that range in the remote repository, much as it would for a
+    registry dependency. If neither `#<commit-ish>` or `#semver:<semver>` is
+    specified, then `master` is used.
+
+    As with regular git dependencies, `dependencies` and `devDependencies` will
+    be installed if the package has a `prepare` script, before the package is
+    done installing.
 
     Example:
 
@@ -240,11 +282,21 @@ after packing it up into a tarball (b).
     Install the package at `https://gitlab.com/gitlabname/gitlabrepo`
     by attempting to clone it using `git`.
 
-    If you don't specify a *commit-ish* then `master` will be used.
+    If `#<commit-ish>` is provided, it will be used to clone exactly that
+    commit. If the commit-ish has the format `#semver:<semver>`, `<semver>` can
+    be any valid semver range or exact version, and npm will look for any tags
+    or refs matching that range in the remote repository, much as it would for a
+    registry dependency. If neither `#<commit-ish>` or `#semver:<semver>` is
+    specified, then `master` is used.
+
+    As with regular git dependencies, `dependencies` and `devDependencies` will
+    be installed if the package has a `prepare` script, before the package is
+    done installing.
 
     Example:
 
           npm install gitlab:mygitlabuser/myproject
+          npm install gitlab:myusr/myproj#semver:^5.0
 
 You may combine multiple arguments, and even multiple types of arguments.
 For example:
@@ -272,7 +324,7 @@ global `node_modules` folder. Only your direct dependencies will show in
 `node_modules` and everything they depend on will be flattened in their
 `node_modules` folders. This obviously will eliminate some deduping.
 
-The `--ignore-scripts` argument will cause npm to not execute any 
+The `--ignore-scripts` argument will cause npm to not execute any
 scripts defined in the package.json. See `npm-scripts(7)`.
 
 The `--legacy-bundling` argument will cause npm to install the package such
@@ -289,7 +341,7 @@ The `--no-optional` argument will prevent optional dependencies from
 being installed.
 
 The `--no-shrinkwrap` argument, which will ignore an available
-shrinkwrap file and use the package.json instead.
+package lock or shrinkwrap file and use the package.json instead.
 
 The `--nodedir=/path/to/node/source` argument will allow npm to find the
 node source code so that npm can compile native modules.
@@ -336,7 +388,9 @@ For `A{B,C}, B{C,D@1}, C{D@2}`, this algorithm produces:
     +-- D@1
 
 Because B's D@1 will be installed in the top level, C now has to install D@2
-privately for itself.
+privately for itself. This algorithm is deterministic, but different trees may
+be produced if two dependencies are requested for installation in a different
+order.
 
 See npm-folders(5) for a more detailed description of the specific
 folder structures that npm creates.

deps/npm/doc/cli/npm-publish.md

@@ -48,6 +48,10 @@ Once a package is published with a given name and version, that
 specific name and version combination can never be used again, even if
 it is removed with npm-unpublish(1).
 
+As of `npm@5`, both a sha1sum and an integrity field with a sha512sum of the
+tarball will be submitted to the registry during publication. Subsequent
+installs will use the strongest supported algorithm to verify downloads.
+
 For a "dry run" that does everything except actually publishing to the
 registry, see `npm-pack(1)`, which figures out the files to be included and
 packs them into a tarball to be uploaded to the registry.

deps/npm/doc/cli/npm-shrinkwrap.md

@@ -1,4 +1,4 @@
-npm-shrinkwrap(1) -- Lock down dependency versions
+npm-shrinkwrap(1) -- Lock down dependency versions for publication
 =====================================================
 
 ## SYNOPSIS
@@ -7,181 +7,11 @@ npm-shrinkwrap(1) -- Lock down dependency versions
 
 ## DESCRIPTION
 
-This command locks down the versions of a package's dependencies so
-that you can control exactly which versions of each dependency will be
-used when your package is installed. The `package.json` file is still
-required if you want to use `npm install`.
-
-By default, `npm install` recursively installs the target's
-dependencies (as specified in `package.json`), choosing the latest
-available version that satisfies the dependency's semver pattern. In
-some situations, particularly when shipping software where each change
-is tightly managed, it's desirable to fully specify each version of
-each dependency recursively so that subsequent builds and deploys do
-not inadvertently pick up newer versions of a dependency that satisfy
-the semver pattern. Specifying specific semver patterns in each
-dependency's `package.json` would facilitate this, but that's not always
-possible or desirable, as when another author owns the npm package.
-It's also possible to check dependencies directly into source control,
-but that may be undesirable for other reasons.
-
-As an example, consider package A:
-
-    {
-      "name": "A",
-      "version": "0.1.0",
-      "dependencies": {
-        "B": "<0.1.0"
-      }
-    }
-
-package B:
-
-    {
-      "name": "B",
-      "version": "0.0.1",
-      "dependencies": {
-        "C": "<0.1.0"
-      }
-    }
-
-and package C:
-
-    {
-      "name": "C",
-      "version": "0.0.1"
-    }
-
-If these are the only versions of A, B, and C available in the
-registry, then a normal `npm install A` will install:
-
-    A@0.1.0
-    `-- B@0.0.1
-        `-- C@0.0.1
-
-However, if B@0.0.2 is published, then a fresh `npm install A` will
-install:
-
-    A@0.1.0
-    `-- B@0.0.2
-        `-- C@0.0.1
-
-assuming the new version did not modify B's dependencies. Of course,
-the new version of B could include a new version of C and any number
-of new dependencies. If such changes are undesirable, the author of A
-could specify a dependency on B@0.0.1. However, if A's author and B's
-author are not the same person, there's no way for A's author to say
-that he or she does not want to pull in newly published versions of C
-when B hasn't changed at all.
-
-In this case, A's author can run
-
-    npm shrinkwrap
-
-This generates `npm-shrinkwrap.json`, which will look something like this:
-
-    {
-      "name": "A",
-      "version": "0.1.0",
-      "dependencies": {
-        "B": {
-          "version": "0.0.1",
-          "from": "B@^0.0.1",
-          "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
-          "dependencies": {
-            "C": {
-              "version": "0.0.1",
-              "from": "org/C#v0.0.1",
-              "resolved": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
-            }
-          }
-        }
-      }
-    }
-
-The shrinkwrap command has locked down the dependencies based on what's
-currently installed in `node_modules`.  The installation behavior is changed to:
-
-1. The module tree described by the shrinkwrap is reproduced. This means
-reproducing the structure described in the file, using the specific files
-referenced in "resolved" if available, falling back to normal package
-resolution using "version" if one isn't.
-
-2. The tree is walked and any missing dependencies are installed in the usual fashion.
-
-If `preshrinkwrap`, `shrinkwrap` or `postshrinkwrap` are in the `scripts` property of the
-`package.json`, they will be executed by running `npm shrinkwrap`.
-`preshrinkwrap` and `shrinkwrap` are executed before the shrinkwrap, `postshrinkwrap` is
-executed afterwards. For example to run some postprocessing on the generated file:
-
-    "scripts": { "postshrinkwrap": "node fix-shrinkwrap.js" }
-
-
-### Using shrinkwrapped packages
-
-Using a shrinkwrapped package is no different than using any other
-package: you can `npm install` it by hand, or add a dependency to your
-`package.json` file and `npm install` it.
-
-### Building shrinkwrapped packages
-
-To shrinkwrap an existing package:
-
-1. Run `npm install` in the package root to install the current
-   versions of all dependencies.
-2. Validate that the package works as expected with these versions.
-3. Run `npm shrinkwrap`, add `npm-shrinkwrap.json` to git, and publish
-   your package.
-
-To add or update a dependency in a shrinkwrapped package:
-
-1. Run `npm install` in the package root to install the current
-   versions of all dependencies.
-2. Add or update dependencies. `npm install --save` or `npm install --save-dev`
-   each new or updated package individually to update the `package.json` and
-   the shrinkwrap. Note that they must be explicitly named in order to be
-   installed: running `npm install` with no arguments will merely reproduce
-   the existing shrinkwrap.
-3. Validate that the package works as expected with the new
-   dependencies.
-4. Commit the new `npm-shrinkwrap.json`, and publish your package.
-
-You can use npm-outdated(1) to view dependencies with newer versions
-available.
-
-### Other Notes
-
-A shrinkwrap file must be consistent with the package's `package.json`
-file. `npm shrinkwrap` will fail if required dependencies are not
-already installed, since that would result in a shrinkwrap that
-wouldn't actually work. Similarly, the command will fail if there are
-extraneous packages (not referenced by `package.json`), since that would
-indicate that `package.json` is not correct.
-
-Starting with npm v4.0.1, `devDependencies` are included when you run
-`npm shrinkwrap` and follow the usual rules as to when they're installed.
-As of npm v3.10.8, if you run `npm install --only=production` or
-`npm install --production` with a shrinkwrap including your development
-dependencies they won't be installed. Similarly, if the environment
-variable `NODE_ENV` is `production` then they won't be installed. If you
-need compatibility with versions of npm prior to v3.10.8 or otherwise
-don't want them in your shrinkwrap you can exclude development
-dependencies with:
-`npm shrinkwrap --only=prod` or `npm shrinkwrap --production`.
-
-If shrinkwrapped package A depends on shrinkwrapped package B, B's
-shrinkwrap will not be used as part of the installation of A. However,
-because A's shrinkwrap is constructed from a valid installation of B
-and recursively specifies all dependencies, the contents of B's
-shrinkwrap will implicitly be included in A's shrinkwrap.
-
-### Caveats
-
-If you wish to lock down the specific bytes included in a package, for
-example to have 100% confidence in being able to reproduce a
-deployment or build, then you ought to check your dependencies into
-source control, or pursue some other mechanism that can verify
-contents rather than versions.
+This command repurposes `package-lock.json` into a publishable
+`npm-shrinkwrap.json` or simply creates a new one. The file created and updated
+by this command will then take precedence over any other existing or future
+`package-lock.json` files. For a detailed explanation of the design and purpose
+of package locks in npm, see npm-package-locks(5).
 
 ## SEE ALSO
 
@@ -189,4 +19,7 @@ contents rather than versions.
 * npm-run-script(1)
 * npm-scripts(7)
 * package.json(5)
+* npm-package-locks(5)
+* package-lock.json(5)
+* npm-shrinkwrap.json(5)
 * npm-ls(1)

deps/npm/doc/files/npm-package-locks.md

@@ -0,0 +1,145 @@
+npm-package-locks(5) -- An explanation of npm lockfiles
+=====================================================
+
+## DESCRIPTION
+
+Conceptually, the "input" to npm-install(1) is a package.json(5), while its
+"output" is a fully-formed `node_modules` tree: a representation of the
+dependencies you declared. In an ideal world, npm would work like a pure
+function: the same `package.json` should produce the exact same `node_modules`
+tree, any time. In some cases, this is indeed true. But in many others, npm is
+unable to do this. There are multiple reasons for this:
+
+* different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms.
+
+* a new version of a direct semver-range package may have been published since the last time your packages were installed, and thus a newer version will be used.
+
+* A dependency of one of your dependencies may have published a new version, which will update even if you used pinned dependency specifiers (`1.2.3` instead of `^1.2.3`)
+
+* The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different version of a package exists under the same version number now.
+
+As an example, consider package A:
+
+    {
+      "name": "A",
+      "version": "0.1.0",
+      "dependencies": {
+        "B": "<0.1.0"
+      }
+    }
+
+package B:
+
+    {
+      "name": "B",
+      "version": "0.0.1",
+      "dependencies": {
+        "C": "<0.1.0"
+      }
+    }
+
+and package C:
+
+    {
+      "name": "C",
+      "version": "0.0.1"
+    }
+
+If these are the only versions of A, B, and C available in the
+registry, then a normal `npm install A` will install:
+
+    A@0.1.0
+    `-- B@0.0.1
+        `-- C@0.0.1
+
+However, if B@0.0.2 is published, then a fresh `npm install A` will
+install:
+
+    A@0.1.0
+    `-- B@0.0.2
+        `-- C@0.0.1
+
+assuming the new version did not modify B's dependencies. Of course,
+the new version of B could include a new version of C and any number
+of new dependencies. If such changes are undesirable, the author of A
+could specify a dependency on B@0.0.1. However, if A's author and B's
+author are not the same person, there's no way for A's author to say
+that he or she does not want to pull in newly published versions of C
+when B hasn't changed at all.
+
+To prevent this potential issue, npm uses package-lock.json(5) or, if present,
+npm-shrinkwrap.json(5). These files are called package locks, or lockfiles.
+
+Whenever you run `npm install`, npm generates or updates your package lock,
+which will look something like this:
+
+    {
+      "name": "A",
+      "version": "0.1.0",
+      ...metadata fields...
+      "dependencies": {
+        "B": {
+          "version": "0.0.1",
+          "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
+          "integrity": "sha512-DeAdb33F+"
+          "dependencies": {
+            "C": {
+              "version": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
+            }
+          }
+        }
+      }
+    }
+
+This file describes an *exact*, and more importantly *reproducible*
+`node_modules` tree. Once it's present, and future installation will base its
+work off this file, instead of recalculating dependency versions off
+package.json(5).
+
+The presence of a package lock changes the installation behavior such that:
+
+1. The module tree described by the package lock is reproduced. This means
+reproducing the structure described in the file, using the specific files
+referenced in "resolved" if available, falling back to normal package resolution
+using "version" if one isn't.
+
+2. The tree is walked and any missing dependencies are installed in the usual
+fashion.
+
+If `preshrinkwrap`, `shrinkwrap` or `postshrinkwrap` are in the `scripts`
+property of the `package.json`, they will be executed in order. `preshrinkwrap`
+and `shrinkwrap` are executed before the shrinkwrap, `postshrinkwrap` is
+executed afterwards. These scripts run for both `package-lock.json` and
+`npm-shrinkwrap.json`. For example to run some postprocessing on the generated
+file:
+
+    "scripts": {
+      "postshrinkwrap": "json -I -e \"this.myMetadata = $MY_APP_METADATA\""
+    }
+
+
+### Using locked packages
+
+Using a locked package is no different than using any package without a package
+lock: any commands that update `node_modules` and/or `package.json`'s
+dependencies will automatically sync the existing lockfile. This includes `npm
+install`, `npm rm`, `npm update`, etc. To prevent this update from happening,
+you can use the `--no-save` option to prevent saving altogether, or
+`--no-shrinkwrap` to allow `package.json` to be updated while leaving
+`package-lock.json` or `npm-shrinkwrap.json` intact.
+
+It is highly recommended you commit the generated package lock to source
+control: this will allow anyone else on your team, your deployments, your
+CI/continuous integration, and anyone else who runs `npm install` in your
+package source to get the exact same dependency tree that you were developing
+on. Additionally, the diffs from these changes are human-readable and will
+inform you of any changes npm has made to your `node_modules`, so you can notice
+if any transitive dependencies were updated, hoisted, etc.
+
+## SEE ALSO
+
+* https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527
+* package.json(5)
+* package-lock.json(5)
+* npm-shrinkwrap.json(5)
+* npm-shrinkwrap(1)

deps/npm/doc/files/npm-shrinkwrap.json.md

@@ -0,0 +1,27 @@
+npm-shrinkwrap.json(5) -- A publishable lockfile
+=====================================================
+
+## DESCRIPTION
+
+`npm-shrinkwrap.json` is a file created by npm-shrinkwrap(1). It is identical to
+`package-lock.json`, with one major caveat: Unlike `package-lock.json`,
+`npm-shrinwkrap.json` may be included when publishing a package.
+
+The recommended use-case for `npm-shrinkwrap.json` is applications deployed
+through the publishing process on the registry: for example, daemons and
+command-line tools intended as global installs or `devDependencies`. It's
+strongly discouraged for library authors to publish this file, since that would
+prevent end users from having control over transitive dependency updates.
+
+Additionally, if both `package-lock.json` and `npm-shrinwkrap.json` are present
+in a package root, `package-lock.json` will be ignored in favor of this file.
+
+For full details and description of the `npm-shrinkwrap.json` file format, refer
+to the manual page for package-lock.json(5).
+
+## SEE ALSO
+
+* npm-shrinkwrap(1)
+* package-lock.json(5)
+* package.json(5)
+* npm-install(1)

deps/npm/doc/files/package-lock.json.md

@@ -0,0 +1,132 @@
+package-lock.json(5) -- A manifestation of the manifest
+=====================================================
+
+## DESCRIPTION
+
+`package-lock.json` is automatically generated for any operations where npm
+modifies either the `node_modules` tree, or `package.json`. It describes the
+exact tree that was generated, such that subsequent installs are able to
+generate identical trees, regardless of intermediate dependency updates.
+
+This file is intended to be committed into source repositories, and serves
+various purposes:
+
+* Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
+
+* Provide a facility for users to "time-travel" to previous states of `node_modules` without having to commit the directory itself.
+
+* To facilitate greater visibility of tree changes through readable source control diffs.
+
+* And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
+
+One key detail about `package-lock.json` is that it cannot be published, and it
+will be ignored if found in any place other than the toplevel package. It shares
+a format with npm-shrinkwrap.json(5), which is essentially the same file, but
+allows publication. This is not recommended unless deploying a CLI tool or
+otherwise using the publication process for producing production packages.
+
+If both `package-lock.json` and `npm-shrinkwrap.json` are present in the root of
+a package, `package-lock.json` will be completely ignored.
+
+
+## FILE FORMAT
+
+### name
+
+The name of the package this is a package-lock for. This must match what's in
+`package.json`.
+
+### version
+
+The version of the package this is a package-lock for. This must match what's in
+`package.json`.
+
+### lockfileVersion
+
+An integer version, starting at `1` with the version number of this document
+whose semantics were used when generating this `package-lock.json`.
+
+### packageIntegrity
+
+This is a [subresource
+integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) value
+created from the `pacakge.json`. No preprocessing of the `package.json` should
+be done. Subresource integrity strings can be produced by modules like
+[`ssri`](https://www.npmjs.com/package/ssri).
+
+### preserveSymlinks
+
+Indicates that the install was done with the environment variable
+`NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of
+this property match that environment variable.
+
+### dependencies
+
+A mapping of package name to dependency object.  Dependency objects have the
+following properties:
+
+#### version
+
+This is a specifier that uniquely identifies this package and should be
+usable in fetching a new copy of it.
+
+* bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
+* registry sources: This is a version number. (eg, `1.2.3`)
+* git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`)
+* http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`)
+* local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`)
+* local link sources: This is the file URL of the link. (eg `file:libs/our-module`)
+
+#### integrity
+
+This is a [Standard Subresource
+Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for this
+resource.
+
+* For bundled dependencies this is not included, regardless of source.
+* For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`.
+* For git sources this is the specific commit hash we cloned from.
+* For remote tarball sources this is an integrity based on a SHA512 of
+  the file.
+* For local tarball sources: This is an integrity field based on the SHA512 of the file.
+
+#### resolved
+
+* For bundled dependencies this is not included, regardless of source.
+* For registry sources this is path of the tarball relative to the registry
+  URL.  If the tarball URL isn't on the same server as the registry URL then
+  this is a complete URL.
+
+#### bundled
+
+If true, this is the bundled dependency and will be installed by the parent
+module.  When installing, this module will be extracted from the parent
+module during the extract phase, not installed as a separate dependency.
+
+#### dev
+
+If true then this dependency is either a development dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both a development dependency of the top level and a
+transitive dependency of a non-development dependency of the top level.
+
+#### optional
+
+If true then this dependency is either an optional dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both an optional dependency of the top level and a
+transitive dependency of a non-optional dependency of the top level.
+
+All optional dependencies should be included even if they're uninstallable
+on the current platform.
+
+#### dependencies
+
+The dependencies of this dependency, exactly as at the top level.
+
+## SEE ALSO
+
+* npm-shrinkwrap(1)
+* package-lock.json(5)
+* package.json(5)
+* npm-install(1)

deps/npm/doc/misc/npm-config.md

@@ -63,6 +63,7 @@ The following shorthands are parsed on the command-line:
 * `-f`: `--force`
 * `-desc`: `--description`
 * `-S`: `--save`
+* `-P`: `--save-prod`
 * `-D`: `--save-dev`
 * `-O`: `--save-optional`
 * `-B`: `--save-bundle`
@@ -682,6 +683,16 @@ Attempt to install packages in the `optionalDependencies` object.  Note
 that if these packages fail to install, the overall installation
 process is not aborted.
 
+### package-lock
+
+* Default: true
+* Type: Boolean
+
+If set to false, then ignore `package-lock.json` files when installing. This
+will also prevent _writing_ `package-lock.json` if `save` is true.
+
+This option is an alias for `--shrinkwrap`.
+
 ### parseable
 
 * Default: false
@@ -803,6 +814,17 @@ If a package would be saved at install time by the use of `--save`,
 When used with the `npm rm` command, it removes it from the
 bundledDependencies list.
 
+### save-prod
+
+* Default: false
+* Type: Boolean
+
+Makes sure that a package will be saved into `dependencies` specifically. This
+is useful if a package already exists in `devDependencies` or
+`optionalDependencies`, but you want to move it to be a production dep. This is
+also the default behavior if `--save` is true, and neither `--save-dev` or
+`--save-optional` are true.
+
 ### save-dev
 
 * Default: false
@@ -934,8 +956,10 @@ The shell to run for the `npm explore` command.
 * Default: true
 * Type: Boolean
 
-If set to false, then ignore `npm-shrinkwrap.json` files when
-installing.
+If set to false, then ignore `npm-shrinkwrap.json` files when installing. This
+will also prevent _writing_ `npm-shrinkwrap.json` if `save` is true.
+
+This option is an alias for `--package-lock`.
 
 ### sign-git-tag
 

deps/npm/doc/misc/npm-index.md

@@ -163,7 +163,7 @@ Search for packages
 
 ### npm-shrinkwrap(1)
 
-Lock down dependency versions
+Lock down dependency versions for publication
 
 ### npm-star(1)
 
@@ -225,10 +225,22 @@ File system structures npm uses
 
 Folder Structures Used by npm
 
+### npm-package-locks(5)
+
+An explanation of npm lockfiles
+
+### npm-shrinkwrap.json(5)
+
+A publishable lockfile
+
 ### npmrc(5)
 
 The npm config files
 
+### package-lock.json(5)
+
+A manifestation of the manifest
+
 ### package.json(5)
 
 Specifics of npm's package.json handling

deps/npm/doc/misc/npm-scripts.md

@@ -7,14 +7,20 @@ npm supports the "scripts" property of the package.json script, for the
 following scripts:
 
 * prepublish:
-  Run BEFORE the package is published.  (Also run on local `npm
-  install` without any arguments. See below.)
+  Run BEFORE the package is packed and published, as well as on local `npm
+  install` without any arguments. (See below)
 * prepare:
-  Run both BEFORE the package is published, and on local `npm
-  install` without any arguments. (See below.) This is run
+  Run both BEFORE the package is packed and published, and on local `npm
+  install` without any arguments (See below). This is run
   AFTER `prepublish`, but BEFORE `prepublishOnly`.
 * prepublishOnly:
-  Run BEFORE the package is published. (See below.)
+  Run BEFORE the package is prepared and packed, ONLY on `npm publish`. (See
+  below.)
+* prepack:
+  run BEFORE a tarball is packed (on `npm pack`, `npm publish`, and when
+  installing git dependencies)
+* postpack:
+  Run AFTER the tarball has been generated and moved to its final destination.
 * publish, postpublish:
   Run AFTER the package is published.
 * preinstall:

deps/npm/html/doc/README.html

@@ -126,5 +126,5 @@ will no doubt tell you to put the output in a gist or email.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.0.0-beta.56</p>
+<p id="footer"><a href="../doc/README.html">README</a> &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-access.html

@@ -84,5 +84,5 @@ with an HTTP 402 status code (logically enough), unless you use
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-access &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-access &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-adduser.html

@@ -81,5 +81,5 @@ username/password entry in legacy npm.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-adduser &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-adduser &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-bin.html

@@ -35,5 +35,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-bin &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-bin &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-bugs.html

@@ -55,5 +55,5 @@ a <code>package.json</code> in the current folder and use the <code>name</code>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-bugs &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-bugs &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-build.html

@@ -40,5 +40,5 @@ directly, run:</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-build &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-build &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-bundle.html

@@ -31,5 +31,5 @@ install packages into the local space.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-bundle &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-bundle &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-cache.html

@@ -16,10 +16,10 @@ npm cache add <folder>
 npm cache add <tarball url>
 npm cache add <name>@<version>
 
-npm cache ls [<path>]
-
 npm cache clean [<path>]
 aliases: npm cache clear, npm cache rm
+
+npm cache verify
 </code></pre><h2 id="description">DESCRIPTION</h2>
 <p>Used to add, list, or clean the npm cache folder.</p>
 <ul>
@@ -28,34 +28,39 @@ Add the specified package to the local cache.  This command is primarily
 intended to be used internally by npm, but it can provide a way to
 add data to the local installation cache explicitly.</p>
 </li>
-<li><p>ls:
-Show the data in the cache.  Argument is a path to show in the cache
-folder.  Works a bit like the <code>find</code> program, but limited by the
-<code>depth</code> config.</p>
-</li>
 <li><p>clean:
-Delete data out of the cache folder.  If an argument is provided, then
-it specifies a subpath to delete.  If no argument is provided, then
-the entire cache is deleted.</p>
+Delete all data out of the cache folder.</p>
+</li>
+<li><p>verify:
+Verify the contents of the cache folder, garbage collecting any unneeded data,
+and verifying the integrity of the cache index and all cached data.</p>
 </li>
 </ul>
 <h2 id="details">DETAILS</h2>
-<p>npm stores cache data in the directory specified in <code>npm config get cache</code>.
-For each package that is added to the cache, three pieces of information are
-stored in <code>{cache}/{name}/{version}</code>:</p>
-<ul>
-<li>.../package/package.json:
-The package.json file, as npm sees it.</li>
-<li>.../package.tgz:
-The tarball for that version.</li>
-</ul>
-<p>Additionally, whenever a registry request is made, a <code>.cache.json</code> file
-is placed at the corresponding URI, to store the ETag and the requested
-data.  This is stored in <code>{cache}/{hostname}/{path}/.cache.json</code>.</p>
-<p>Commands that make non-essential registry requests (such as <code>search</code> and
-<code>view</code>, or the completion scripts) generally specify a minimum timeout.
-If the <code>.cache.json</code> file is younger than the specified timeout, then
-they do not make an HTTP request to the registry.</p>
+<p>npm stores cache data in an opaque directory within the configured <code>cache</code>,
+named <code>_cacache</code>. This directory is a <code>cacache</code>-based content-addressable cache
+that stores all http request data as well as other package-related data. This
+directory is primarily accessed through <code>pacote</code>, the library responsible for
+all package fetching as of npm@5.</p>
+<p>All data that passes through the cache is fully verified for integrity on both
+insertion and extraction. Cache corruption will either trigger an error, or
+signal to <code>pacote</code> that the data must be refetched, which it will do
+automatically. For this reason, it should never be necessary to clear the cache
+for any reason other than reclaiming disk space, thus why <code>clean</code> now requires
+<code>--force</code> to run.</p>
+<p>There is currently no method exposed through npm to inspect or directly manage
+the contents of this cache. In order to access it, <code>cacache</code> must be used
+directly.</p>
+<p>npm will not remove data by itself: the cache will grow as new packages are
+installed.</p>
+<h2 id="a-note-about-the-cache-s-design">A NOTE ABOUT THE CACHE&#39;S DESIGN</h2>
+<p>The npm cache is strictly a cache: it should not be relied upon as a persistent
+and reliable data store for package data. npm makes no guarantee that a
+previously-cached piece of data will be available later, and will automatically
+delete corrupted contents. The primary guarantee that the cache makes is that,
+if it does return data, that data will be exactly the data that was inserted.</p>
+<p>To run an offline verification of existing cache contents, use <code>npm cache
+verify</code>.</p>
 <h2 id="configuration">CONFIGURATION</h2>
 <h3 id="cache">cache</h3>
 <p>Default: <code>~/.npm</code> on Posix, or <code>%AppData%/npm-cache</code> on Windows.</p>
@@ -69,6 +74,8 @@ they do not make an HTTP request to the registry.</p>
 <li><a href="../cli/npm-install.html">npm-install(1)</a></li>
 <li><a href="../cli/npm-publish.html">npm-publish(1)</a></li>
 <li><a href="../cli/npm-pack.html">npm-pack(1)</a></li>
+<li><a href="https://npm.im/cacache">https://npm.im/cacache</a></li>
+<li><a href="https://npm.im/pacote">https://npm.im/pacote</a></li>
 </ul>
 
 </div>
@@ -82,5 +89,5 @@ they do not make an HTTP request to the registry.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-cache &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-cache &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-completion.html

@@ -43,5 +43,5 @@ completions based on the arguments.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-completion &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-completion &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-config.html

@@ -67,5 +67,5 @@ global config.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-config &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-config &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-dedupe.html

@@ -61,5 +61,5 @@ result in new modules being installed.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-dedupe &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-dedupe &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-deprecate.html

@@ -38,5 +38,5 @@ something like this:</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-deprecate &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-deprecate &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-dist-tag.html

@@ -86,5 +86,5 @@ begin with a number or the letter <code>v</code>.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-dist-tag &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-dist-tag &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-docs.html

@@ -56,5 +56,5 @@ the current folder and use the <code>name</code> property.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-docs &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-docs &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-doctor.html

@@ -103,4 +103,4 @@ cache, you should probably run <code>npm cache clean</code> and reset the cache.
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-doctor &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-doctor &mdash; npm@5.0.0</p>

deps/npm/html/doc/cli/npm-edit.html

@@ -49,5 +49,5 @@ or <code>&quot;notepad&quot;</code> on Windows.</li>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-edit &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-edit &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-explore.html

@@ -49,5 +49,5 @@ Windows</li>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-explore &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-explore &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-help-search.html

@@ -45,5 +45,5 @@ where the terms were found in the documentation.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-help-search &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-help-search &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-help.html

@@ -50,5 +50,5 @@ matches are equivalent to specifying a topic name.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-help &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-help &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-init.html

@@ -48,5 +48,5 @@ defaults and not prompt you for any options.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-init &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-init &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-install-test.html

@@ -42,5 +42,5 @@ takes exactly the same arguments as <code>npm install</code>.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-install-test &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-install-test &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-install.html

@@ -16,16 +16,19 @@ npm install [<@scope>/]<name>
 npm install [<@scope>/]<name>@<tag>
 npm install [<@scope>/]<name>@<version>
 npm install [<@scope>/]<name>@<version range>
+npm install <git-host>:<git-user>/<repo-name>
+npm install <git repo url>
 npm install <tarball file>
 npm install <tarball url>
 npm install <folder>
 
 alias: npm i
-common options: [-S|--save|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--dry-run]
+common options: [-P|--save-prod|-D|--save-dev|-O|--save-optional] [-E|--save-exact] [-B|--save-bundle] [--no-save] [--dry-run]
 </code></pre><h2 id="description">DESCRIPTION</h2>
 <p>This command installs a package, and any packages that it depends on. If the
-package has a shrinkwrap file, the installation of dependencies will be driven
-by that. See <a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a>.</p>
+package has a package-lock or shrinkwrap file, the installation of dependencies
+will be driven by that, with an <code>npm-shrinkwrap.json</code> taking precedence if both
+files exist. See <a href="../files/package-lock.json.html">package-lock.json(5)</a> and <a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a>.</p>
 <p>A <code>package</code> is:</p>
 <ul>
 <li>a) a folder containing a program described by a <code><a href="../files/package.json.html">package.json(5)</a></code> file</li>
@@ -53,12 +56,16 @@ after packing it up into a tarball (b).</p>
   <code>devDependencies</code>.</p>
 </li>
 <li><p><code>npm install &lt;folder&gt;</code>:</p>
-<p>  Install a package that is sitting in a folder on the filesystem.</p>
+<p>  Install the package in the directory as a symlink in the current project.
+  Its dependencies will be installed before it&#39;s linked. If <code>&lt;folder&gt;</code> sits
+  inside the root of your project, its dependencies may be hoisted to the
+  toplevel <code>node_modules</code> as they would for other types of dependencies.</p>
 </li>
 <li><p><code>npm install &lt;tarball file&gt;</code>:</p>
 <p>  Install a package that is sitting on the filesystem.  Note: if you just want
   to link a dev directory into your npm root, you can do this more easily by
-  using <code>npm link</code>.</p>
+  using <code>npm link</code>. The filename <em>must</em> use <code>.tar</code>, <code>.tar.gz</code>, or <code>.tgz</code> as
+  the extension.</p>
 <p>  Example:</p>
 <pre><code>    npm install ./package.tgz
 </code></pre></li>
@@ -68,21 +75,25 @@ after packing it up into a tarball (b).</p>
 <p>  Example:</p>
 <pre><code>    npm install https://github.com/indexzero/forever/tarball/v0.5.6
 </code></pre></li>
-<li><p><code>npm install [&lt;@scope&gt;/]&lt;name&gt; [-S|--save|-D|--save-dev|-O|--save-optional]</code>:</p>
+<li><p><code>npm install [&lt;@scope&gt;/]&lt;name&gt;</code>:</p>
 <p>  Do a <code>&lt;name&gt;@&lt;tag&gt;</code> install, where <code>&lt;tag&gt;</code> is the &quot;tag&quot; config. (See
   <code><a href="../misc/npm-config.html">npm-config(7)</a></code>. The config&#39;s default value is <code>latest</code>.)</p>
-<p>  In most cases, this will install the latest version
-  of the module published on npm.</p>
+<p>  In most cases, this will install the version of the modules tagged as
+  <code>latest</code> on the npm registry.</p>
 <p>  Example:</p>
 <pre><code>    npm install sax
-</code></pre><p>  <code>npm install</code> takes 3 exclusive, optional flags which save or update
-  the package version in your main package.json:</p>
+</code></pre><p>  <code>npm install</code> saves any specified packages into <code>dependencies</code> by default.
+  Additionally, you can control where and how they get saved with some
+  additional flags:</p>
 <ul>
-<li><p><code>-S, --save</code>: Package will appear in your <code>dependencies</code>.</p>
-</li>
+<li><p><code>-P, --save-prod</code>: Package will appear in your <code>dependencies</code>. This is the</p>
+<pre><code>               default unless `-D` or `-O` are present.
+</code></pre></li>
 <li><p><code>-D, --save-dev</code>: Package will appear in your <code>devDependencies</code>.</p>
 </li>
 <li><p><code>-O, --save-optional</code>: Package will appear in your <code>optionalDependencies</code>.</p>
+</li>
+<li><p><code>--no-save</code>: Prevents saving to <code>dependencies</code>.</p>
 <p>When using any of the above options to save dependencies to your
 package.json, there are two additional, optional flags:</p>
 </li>
@@ -91,8 +102,8 @@ exact version rather than using npm&#39;s default semver range
 operator.</p>
 </li>
 <li><p><code>-B, --save-bundle</code>: Saved dependencies will also be added to your <code>bundleDependencies</code> list.</p>
-<p>Further, if you have an <code>npm-shrinkwrap.json</code> then it will be updated as
-well.</p>
+<p>Further, if you have an <code>npm-shrinkwrap.json</code> or <code>package-lock.json</code> then it
+will be updated as well.</p>
 <p><code>&lt;scope&gt;</code> is optional. The package will be downloaded from the registry
 associated with the specified scope. If no registry is associated with
 the given scope the default registry is assumed. See <code><a href="../misc/npm-scope.html">npm-scope(7)</a></code>.</p>
@@ -100,13 +111,13 @@ the given scope the default registry is assumed. See <code><a href="../misc/npm-
 interpret this as a GitHub repository instead, see below. Scopes names
 must also be followed by a slash.</p>
 <p>Examples:</p>
-<pre><code>npm install sax --save
+<pre><code>npm install sax
 npm install githubname/reponame
 npm install @myorg/privatepackage
 npm install node-tap --save-dev
 npm install dtrace-provider --save-optional
-npm install readable-stream --save --save-exact
-npm install ansi-regex --save --save-bundle
+npm install readable-stream --save-exact
+npm install ansi-regex --save-bundle
 </code></pre></li>
 </ul>
 </li>
@@ -140,16 +151,24 @@ fetch the package by name if it is not valid.
     npm install @myorg/privatepackage@&quot;&gt;=0.1.0 &lt;0.2.0&quot;
 </code></pre></li>
 <li><p><code>npm install &lt;git remote url&gt;</code>:</p>
-<p>  Installs the package from the hosted git provider, cloning it with
-  <code>git</code>. First it tries via the https (git with github) and if that fails, via ssh.</p>
-<pre><code>    &lt;protocol&gt;://[&lt;user&gt;[:&lt;password&gt;]@]&lt;hostname&gt;[:&lt;port&gt;][:][/]&lt;path&gt;[#&lt;commit-ish&gt;]
-</code></pre><p>  <code>&lt;protocol&gt;</code> is one of <code>git</code>, <code>git+ssh</code>, <code>git+http</code>, <code>git+https</code>,
-  or <code>git+file</code>.
-  If no <code>&lt;commit-ish&gt;</code> is specified, then <code>master</code> is used.</p>
-<p>  If the repository makes use of submodules, those submodules will
-  be cloned as well.</p>
-<p>  The following git environment variables are recognized by npm and will be added
-  to the environment when running git:</p>
+<p>  Installs the package from the hosted git provider, cloning it with <code>git</code>.
+  For a full git remote url, only that URL will be attempted.</p>
+<pre><code>    &lt;protocol&gt;://[&lt;user&gt;[:&lt;password&gt;]@]&lt;hostname&gt;[:&lt;port&gt;][:][/]&lt;path&gt;[#&lt;commit-ish&gt; | #semver:&lt;semver&gt;]
+</code></pre><p>  <code>&lt;protocol&gt;</code> is one of <code>git</code>, <code>git+ssh</code>, <code>git+http</code>, <code>git+https</code>, or
+  <code>git+file</code>.</p>
+<p>  If <code>#&lt;commit-ish&gt;</code> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format <code>#semver:&lt;semver&gt;</code>, <code>&lt;semver&gt;</code> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither <code>#&lt;commit-ish&gt;</code> or <code>#semver:&lt;semver&gt;</code> is
+  specified, then <code>master</code> is used.</p>
+<p>  If the repository makes use of submodules, those submodules will be cloned
+  as well.</p>
+<p>  If the package being installed contains a <code>prepare</code> script, its
+  <code>dependencies</code> and <code>devDependencies</code> will be installed, and the prepare
+  script will be run, before the package is packaged and installed.</p>
+<p>  The following git environment variables are recognized by npm and will be
+  added to the environment when running git:</p>
 <ul>
 <li><code>GIT_ASKPASS</code></li>
 <li><code>GIT_EXEC_PATH</code></li>
@@ -161,6 +180,7 @@ fetch the package by name if it is not valid.
 <p>See the git man page for details.</p>
 <p>Examples:</p>
 <pre><code>npm install git+ssh://git@github.com:npm/npm.git#v1.0.27
+npm install git+ssh://git@github.com:npm/npm#semver:^5.0
 npm install git+https://isaacs@github.com/npm/npm.git
 npm install git://github.com/npm/npm.git#v1.0.27
 GIT_SSH_COMMAND=&#39;ssh -i ~/.ssh/custom_ident&#39; npm install git+ssh://git@github.com:npm/npm.git
@@ -172,32 +192,59 @@ GIT_SSH_COMMAND=&#39;ssh -i ~/.ssh/custom_ident&#39; npm install git+ssh://git@g
 <li><p><code>npm install github:&lt;githubname&gt;/&lt;githubrepo&gt;[#&lt;commit-ish&gt;]</code>:</p>
 <p>  Install the package at <code>https://github.com/githubname/githubrepo</code> by
   attempting to clone it using <code>git</code>.</p>
-<p>  If you don&#39;t specify a <em>commit-ish</em> then <code>master</code> will be used.</p>
+<p>  If <code>#&lt;commit-ish&gt;</code> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format <code>#semver:&lt;semver&gt;</code>, <code>&lt;semver&gt;</code> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither <code>#&lt;commit-ish&gt;</code> or <code>#semver:&lt;semver&gt;</code> is
+  specified, then <code>master</code> is used.</p>
+<p>  As with regular git dependencies, <code>dependencies</code> and <code>devDependencies</code> will
+  be installed if the package has a <code>prepare</code> script, before the package is
+  done installing.</p>
 <p>  Examples:</p>
 <pre><code>    npm install mygithubuser/myproject
     npm install github:mygithubuser/myproject
 </code></pre></li>
-<li><p><code>npm install gist:[&lt;githubname&gt;/]&lt;gistID&gt;[#&lt;commit-ish&gt;]</code>:</p>
+<li><p><code>npm install gist:[&lt;githubname&gt;/]&lt;gistID&gt;[#&lt;commit-ish&gt;|#semver:&lt;semver&gt;]</code>:</p>
 <p>  Install the package at <code>https://gist.github.com/gistID</code> by attempting to
   clone it using <code>git</code>. The GitHub username associated with the gist is
-  optional and will not be saved in <code>package.json</code> if <code>-S</code> or <code>--save</code> is used.</p>
-<p>  If you don&#39;t specify a <em>commit-ish</em> then <code>master</code> will be used.</p>
+  optional and will not be saved in <code>package.json</code>.</p>
+<p>  As with regular git dependencies, <code>dependencies</code> and <code>devDependencies</code> will
+  be installed if the package has a <code>prepare</code> script, before the package is
+  done installing.</p>
 <p>  Example:</p>
 <pre><code>    npm install gist:101a11beef
 </code></pre></li>
 <li><p><code>npm install bitbucket:&lt;bitbucketname&gt;/&lt;bitbucketrepo&gt;[#&lt;commit-ish&gt;]</code>:</p>
 <p>  Install the package at <code>https://bitbucket.org/bitbucketname/bitbucketrepo</code>
   by attempting to clone it using <code>git</code>.</p>
-<p>  If you don&#39;t specify a <em>commit-ish</em> then <code>master</code> will be used.</p>
+<p>  If <code>#&lt;commit-ish&gt;</code> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format <code>#semver:&lt;semver&gt;</code>, <code>&lt;semver&gt;</code> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither <code>#&lt;commit-ish&gt;</code> or <code>#semver:&lt;semver&gt;</code> is
+  specified, then <code>master</code> is used.</p>
+<p>  As with regular git dependencies, <code>dependencies</code> and <code>devDependencies</code> will
+  be installed if the package has a <code>prepare</code> script, before the package is
+  done installing.</p>
 <p>  Example:</p>
 <pre><code>    npm install bitbucket:mybitbucketuser/myproject
 </code></pre></li>
 <li><p><code>npm install gitlab:&lt;gitlabname&gt;/&lt;gitlabrepo&gt;[#&lt;commit-ish&gt;]</code>:</p>
 <p>  Install the package at <code>https://gitlab.com/gitlabname/gitlabrepo</code>
   by attempting to clone it using <code>git</code>.</p>
-<p>  If you don&#39;t specify a <em>commit-ish</em> then <code>master</code> will be used.</p>
+<p>  If <code>#&lt;commit-ish&gt;</code> is provided, it will be used to clone exactly that
+  commit. If the commit-ish has the format <code>#semver:&lt;semver&gt;</code>, <code>&lt;semver&gt;</code> can
+  be any valid semver range or exact version, and npm will look for any tags
+  or refs matching that range in the remote repository, much as it would for a
+  registry dependency. If neither <code>#&lt;commit-ish&gt;</code> or <code>#semver:&lt;semver&gt;</code> is
+  specified, then <code>master</code> is used.</p>
+<p>  As with regular git dependencies, <code>dependencies</code> and <code>devDependencies</code> will
+  be installed if the package has a <code>prepare</code> script, before the package is
+  done installing.</p>
 <p>  Example:</p>
 <pre><code>    npm install gitlab:mygitlabuser/myproject
+    npm install gitlab:myusr/myproj#semver:^5.0
 </code></pre></li>
 </ul>
 <p>You may combine multiple arguments, and even multiple types of arguments.
@@ -218,7 +265,7 @@ your local <code>node_modules</code> folder with the same layout it uses with th
 global <code>node_modules</code> folder. Only your direct dependencies will show in
 <code>node_modules</code> and everything they depend on will be flattened in their
 <code>node_modules</code> folders. This obviously will eliminate some deduping.</p>
-<p>The <code>--ignore-scripts</code> argument will cause npm to not execute any 
+<p>The <code>--ignore-scripts</code> argument will cause npm to not execute any
 scripts defined in the package.json. See <code><a href="../misc/npm-scripts.html">npm-scripts(7)</a></code>.</p>
 <p>The <code>--legacy-bundling</code> argument will cause npm to install the package such
 that versions of npm prior to 1.4, such as the one included with node 0.8,
@@ -230,7 +277,7 @@ any binaries the package might contain.</p>
 <p>The <code>--no-optional</code> argument will prevent optional dependencies from
 being installed.</p>
 <p>The <code>--no-shrinkwrap</code> argument, which will ignore an available
-shrinkwrap file and use the package.json instead.</p>
+package lock or shrinkwrap file and use the package.json instead.</p>
 <p>The <code>--nodedir=/path/to/node/source</code> argument will allow npm to find the
 node source code so that npm can compile native modules.</p>
 <p>The <code>--only={prod[uction]|dev[elopment]}</code> argument will cause either only
@@ -265,7 +312,9 @@ at the top level because nothing conflicts with it.</p>
    `-- D@2
 +-- D@1
 </code></pre><p>Because B&#39;s D@1 will be installed in the top level, C now has to install D@2
-privately for itself.</p>
+privately for itself. This algorithm is deterministic, but different trees may
+be produced if two dependencies are requested for installation in a different
+order.</p>
 <p>See <a href="../files/npm-folders.html">npm-folders(5)</a> for a more detailed description of the specific
 folder structures that npm creates.</p>
 <h3 id="limitations-of-npm-s-install-algorithm">Limitations of npm&#39;s Install Algorithm</h3>
@@ -316,5 +365,5 @@ affects a real use-case, it will be investigated.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-install &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-install &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-link.html

@@ -74,5 +74,5 @@ include that scope, e.g.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-link &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-link &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-logout.html

@@ -51,5 +51,5 @@ it takes precedence.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-logout &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-logout &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-ls.html

@@ -21,7 +21,7 @@ installed, as well as their dependencies, in a tree-structure.</p>
 limit the results to only the paths to the packages named.  Note that
 nested packages will <em>also</em> show the paths to the specified packages.
 For example, running <code>npm ls promzard</code> in npm&#39;s source tree will show:</p>
-<pre><code>npm@5.0.0-beta.56 /path/to/npm
+<pre><code>npm@5.0.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre><p>It will print out extraneous, missing, and invalid packages.</p>
@@ -104,5 +104,5 @@ project.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-ls &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-ls &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-outdated.html

@@ -116,5 +116,5 @@ project.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-outdated &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-outdated &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-owner.html

@@ -51,5 +51,5 @@ that is not implemented at this time.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-owner &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-owner &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-pack.html

@@ -41,5 +41,5 @@ overwritten the second time.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-pack &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-pack &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-ping.html

@@ -32,5 +32,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-ping &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-ping &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-prefix.html

@@ -38,5 +38,5 @@ to contain a package.json file unless <code>-g</code> is also specified.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-prefix &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-prefix &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-prune.html

@@ -40,5 +40,5 @@ negate <code>NODE_ENV</code> being set to <code>production</code>.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-prune &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-prune &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-publish.html

@@ -51,6 +51,9 @@ the specified registry.</p>
 <p>Once a package is published with a given name and version, that
 specific name and version combination can never be used again, even if
 it is removed with <a href="../cli/npm-unpublish.html">npm-unpublish(1)</a>.</p>
+<p>As of <code>npm@5</code>, both a sha1sum and an integrity field with a sha512sum of the
+tarball will be submitted to the registry during publication. Subsequent
+installs will use the strongest supported algorithm to verify downloads.</p>
 <p>For a &quot;dry run&quot; that does everything except actually publishing to the
 registry, see <code><a href="../cli/npm-pack.html">npm-pack(1)</a></code>, which figures out the files to be included and
 packs them into a tarball to be uploaded to the registry.</p>
@@ -76,5 +79,5 @@ packs them into a tarball to be uploaded to the registry.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-publish &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-publish &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-rebuild.html

@@ -35,5 +35,5 @@ the new binary.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-rebuild &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-rebuild &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-repo.html

@@ -41,5 +41,5 @@ a <code>package.json</code> in the current folder and use the <code>name</code>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-repo &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-repo &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-restart.html

@@ -53,5 +53,5 @@ behavior will be accompanied by an increase in major version number</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-restart &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-restart &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-root.html

@@ -35,5 +35,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-root &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-root &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-run-script.html

@@ -66,5 +66,5 @@ you will be given a warning to run <code>npm install</code>, just in case you&#3
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-run-script &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-run-script &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-search.html

@@ -109,5 +109,5 @@ setting.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-search &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-search &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-shrinkwrap.html

@@ -9,163 +9,24 @@
   <body>
     <div id="wrapper">
 
-<h1><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap</a></h1> <p>Lock down dependency versions</p>
+<h1><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap</a></h1> <p>Lock down dependency versions for publication</p>
 <h2 id="synopsis">SYNOPSIS</h2>
 <pre><code>npm shrinkwrap
 </code></pre><h2 id="description">DESCRIPTION</h2>
-<p>This command locks down the versions of a package&#39;s dependencies so
-that you can control exactly which versions of each dependency will be
-used when your package is installed. The <code>package.json</code> file is still
-required if you want to use <code>npm install</code>.</p>
-<p>By default, <code>npm install</code> recursively installs the target&#39;s
-dependencies (as specified in <code>package.json</code>), choosing the latest
-available version that satisfies the dependency&#39;s semver pattern. In
-some situations, particularly when shipping software where each change
-is tightly managed, it&#39;s desirable to fully specify each version of
-each dependency recursively so that subsequent builds and deploys do
-not inadvertently pick up newer versions of a dependency that satisfy
-the semver pattern. Specifying specific semver patterns in each
-dependency&#39;s <code>package.json</code> would facilitate this, but that&#39;s not always
-possible or desirable, as when another author owns the npm package.
-It&#39;s also possible to check dependencies directly into source control,
-but that may be undesirable for other reasons.</p>
-<p>As an example, consider package A:</p>
-<pre><code>{
-  &quot;name&quot;: &quot;A&quot;,
-  &quot;version&quot;: &quot;0.1.0&quot;,
-  &quot;dependencies&quot;: {
-    &quot;B&quot;: &quot;&lt;0.1.0&quot;
-  }
-}
-</code></pre><p>package B:</p>
-<pre><code>{
-  &quot;name&quot;: &quot;B&quot;,
-  &quot;version&quot;: &quot;0.0.1&quot;,
-  &quot;dependencies&quot;: {
-    &quot;C&quot;: &quot;&lt;0.1.0&quot;
-  }
-}
-</code></pre><p>and package C:</p>
-<pre><code>{
-  &quot;name&quot;: &quot;C&quot;,
-  &quot;version&quot;: &quot;0.0.1&quot;
-}
-</code></pre><p>If these are the only versions of A, B, and C available in the
-registry, then a normal <code>npm install A</code> will install:</p>
-<pre><code>A@0.1.0
-`-- B@0.0.1
-    `-- C@0.0.1
-</code></pre><p>However, if B@0.0.2 is published, then a fresh <code>npm install A</code> will
-install:</p>
-<pre><code>A@0.1.0
-`-- B@0.0.2
-    `-- C@0.0.1
-</code></pre><p>assuming the new version did not modify B&#39;s dependencies. Of course,
-the new version of B could include a new version of C and any number
-of new dependencies. If such changes are undesirable, the author of A
-could specify a dependency on B@0.0.1. However, if A&#39;s author and B&#39;s
-author are not the same person, there&#39;s no way for A&#39;s author to say
-that he or she does not want to pull in newly published versions of C
-when B hasn&#39;t changed at all.</p>
-<p>In this case, A&#39;s author can run</p>
-<pre><code>npm shrinkwrap
-</code></pre><p>This generates <code>npm-shrinkwrap.json</code>, which will look something like this:</p>
-<pre><code>{
-  &quot;name&quot;: &quot;A&quot;,
-  &quot;version&quot;: &quot;0.1.0&quot;,
-  &quot;dependencies&quot;: {
-    &quot;B&quot;: {
-      &quot;version&quot;: &quot;0.0.1&quot;,
-      &quot;from&quot;: &quot;B@^0.0.1&quot;,
-      &quot;resolved&quot;: &quot;https://registry.npmjs.org/B/-/B-0.0.1.tgz&quot;,
-      &quot;dependencies&quot;: {
-        &quot;C&quot;: {
-          &quot;version&quot;: &quot;0.0.1&quot;,
-          &quot;from&quot;: &quot;org/C#v0.0.1&quot;,
-          &quot;resolved&quot;: &quot;git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4&quot;
-        }
-      }
-    }
-  }
-}
-</code></pre><p>The shrinkwrap command has locked down the dependencies based on what&#39;s
-currently installed in <code>node_modules</code>.  The installation behavior is changed to:</p>
-<ol>
-<li><p>The module tree described by the shrinkwrap is reproduced. This means
-reproducing the structure described in the file, using the specific files
-referenced in &quot;resolved&quot; if available, falling back to normal package
-resolution using &quot;version&quot; if one isn&#39;t.</p>
-</li>
-<li><p>The tree is walked and any missing dependencies are installed in the usual fashion.</p>
-</li>
-</ol>
-<p>If <code>preshrinkwrap</code>, <code>shrinkwrap</code> or <code>postshrinkwrap</code> are in the <code>scripts</code> property of the
-<code>package.json</code>, they will be executed by running <code>npm shrinkwrap</code>.
-<code>preshrinkwrap</code> and <code>shrinkwrap</code> are executed before the shrinkwrap, <code>postshrinkwrap</code> is
-executed afterwards. For example to run some postprocessing on the generated file:</p>
-<pre><code>&quot;scripts&quot;: { &quot;postshrinkwrap&quot;: &quot;node fix-shrinkwrap.js&quot; }
-</code></pre><h3 id="using-shrinkwrapped-packages">Using shrinkwrapped packages</h3>
-<p>Using a shrinkwrapped package is no different than using any other
-package: you can <code>npm install</code> it by hand, or add a dependency to your
-<code>package.json</code> file and <code>npm install</code> it.</p>
-<h3 id="building-shrinkwrapped-packages">Building shrinkwrapped packages</h3>
-<p>To shrinkwrap an existing package:</p>
-<ol>
-<li>Run <code>npm install</code> in the package root to install the current
-versions of all dependencies.</li>
-<li>Validate that the package works as expected with these versions.</li>
-<li>Run <code>npm shrinkwrap</code>, add <code>npm-shrinkwrap.json</code> to git, and publish
-your package.</li>
-</ol>
-<p>To add or update a dependency in a shrinkwrapped package:</p>
-<ol>
-<li>Run <code>npm install</code> in the package root to install the current
-versions of all dependencies.</li>
-<li>Add or update dependencies. <code>npm install --save</code> or <code>npm install --save-dev</code>
-each new or updated package individually to update the <code>package.json</code> and
-the shrinkwrap. Note that they must be explicitly named in order to be
-installed: running <code>npm install</code> with no arguments will merely reproduce
-the existing shrinkwrap.</li>
-<li>Validate that the package works as expected with the new
-dependencies.</li>
-<li>Commit the new <code>npm-shrinkwrap.json</code>, and publish your package.</li>
-</ol>
-<p>You can use <a href="../cli/npm-outdated.html">npm-outdated(1)</a> to view dependencies with newer versions
-available.</p>
-<h3 id="other-notes">Other Notes</h3>
-<p>A shrinkwrap file must be consistent with the package&#39;s <code>package.json</code>
-file. <code>npm shrinkwrap</code> will fail if required dependencies are not
-already installed, since that would result in a shrinkwrap that
-wouldn&#39;t actually work. Similarly, the command will fail if there are
-extraneous packages (not referenced by <code>package.json</code>), since that would
-indicate that <code>package.json</code> is not correct.</p>
-<p>Starting with npm v4.0.1, <code>devDependencies</code> are included when you run
-<code>npm shrinkwrap</code> and follow the usual rules as to when they&#39;re installed.
-As of npm v3.10.8, if you run <code>npm install --only=production</code> or
-<code>npm install --production</code> with a shrinkwrap including your development
-dependencies they won&#39;t be installed. Similarly, if the environment
-variable <code>NODE_ENV</code> is <code>production</code> then they won&#39;t be installed. If you
-need compatibility with versions of npm prior to v3.10.8 or otherwise
-don&#39;t want them in your shrinkwrap you can exclude development
-dependencies with:
-<code>npm shrinkwrap --only=prod</code> or <code>npm shrinkwrap --production</code>.</p>
-<p>If shrinkwrapped package A depends on shrinkwrapped package B, B&#39;s
-shrinkwrap will not be used as part of the installation of A. However,
-because A&#39;s shrinkwrap is constructed from a valid installation of B
-and recursively specifies all dependencies, the contents of B&#39;s
-shrinkwrap will implicitly be included in A&#39;s shrinkwrap.</p>
-<h3 id="caveats">Caveats</h3>
-<p>If you wish to lock down the specific bytes included in a package, for
-example to have 100% confidence in being able to reproduce a
-deployment or build, then you ought to check your dependencies into
-source control, or pursue some other mechanism that can verify
-contents rather than versions.</p>
+<p>This command repurposes <code>package-lock.json</code> into a publishable
+<code>npm-shrinkwrap.json</code> or simply creates a new one. The file created and updated
+by this command will then take precedence over any other existing or future
+<code>package-lock.json</code> files. For a detailed explanation of the design and purpose
+of package locks in npm, see <a href="../files/npm-package-locks.html">npm-package-locks(5)</a>.</p>
 <h2 id="see-also">SEE ALSO</h2>
 <ul>
 <li><a href="../cli/npm-install.html">npm-install(1)</a></li>
 <li><a href="../cli/npm-run-script.html">npm-run-script(1)</a></li>
 <li><a href="../misc/npm-scripts.html">npm-scripts(7)</a></li>
 <li><a href="../files/package.json.html">package.json(5)</a></li>
+<li><a href="../files/npm-package-locks.html">npm-package-locks(5)</a></li>
+<li><a href="../files/package-lock.json.html">package-lock.json(5)</a></li>
+<li><a href="../files/npm-shrinkwrap.json.html">npm-shrinkwrap.json(5)</a></li>
 <li><a href="../cli/npm-ls.html">npm-ls(1)</a></li>
 </ul>
 
@@ -180,5 +41,5 @@ contents rather than versions.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-shrinkwrap &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-shrinkwrap &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-star.html

@@ -36,5 +36,5 @@ a vaguely positive way to show that you care.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-star &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-star &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-stars.html

@@ -36,5 +36,5 @@ you will most certainly enjoy this command.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-stars &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-stars &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-start.html

@@ -39,5 +39,5 @@ more details.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-start &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-start &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-stop.html

@@ -34,5 +34,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-stop &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-stop &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-team.html

@@ -67,5 +67,5 @@ use the <code>npm access</code> command to grant or revoke the appropriate permi
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-team &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-team &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-test.html

@@ -36,5 +36,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-test &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-test &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-uninstall.html

@@ -60,5 +60,5 @@ npm uninstall dtrace-provider --save-optional
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-uninstall &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-uninstall &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-unpublish.html

@@ -51,5 +51,5 @@ contact support@npmjs.com.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-unpublish &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-unpublish &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-update.html

@@ -118,5 +118,5 @@ be <em>downgraded</em>.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-update &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-update &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-version.html

@@ -114,5 +114,5 @@ to the same value as the current version.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-version &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-version &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-view.html

@@ -86,5 +86,5 @@ the field name.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-view &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-view &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm-whoami.html

@@ -33,5 +33,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-whoami &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-whoami &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/cli/npm.html

@@ -13,7 +13,7 @@
 <h2 id="synopsis">SYNOPSIS</h2>
 <pre><code>npm &lt;command&gt; [args]
 </code></pre><h2 id="version">VERSION</h2>
-<p>5.0.0-beta.56</p>
+<p>5.0.0</p>
 <h2 id="description">DESCRIPTION</h2>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency
@@ -126,7 +126,7 @@ will no doubt tell you to put the output in a gist or email.</p>
 <p><a href="http://blog.izs.me/">Isaac Z. Schlueter</a> ::
 <a href="https://github.com/isaacs/">isaacs</a> ::
 <a href="http://twitter.com/izs">@izs</a> ::
-<a href="&#x6d;&#x61;&#105;&#108;&#116;&#111;&#x3a;&#x69;&#64;&#105;&#x7a;&#115;&#46;&#109;&#101;">&#x69;&#64;&#105;&#x7a;&#115;&#46;&#109;&#101;</a></p>
+<a href="&#x6d;&#97;&#105;&#x6c;&#116;&#x6f;&#x3a;&#105;&#64;&#x69;&#122;&#x73;&#x2e;&#x6d;&#101;">&#105;&#64;&#x69;&#122;&#x73;&#x2e;&#x6d;&#101;</a></p>
 <h2 id="see-also">SEE ALSO</h2>
 <ul>
 <li><a href="../cli/npm-help.html">npm-help(1)</a></li>
@@ -150,5 +150,5 @@ will no doubt tell you to put the output in a gist or email.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/files/npm-folders.html

@@ -182,5 +182,5 @@ cannot be found elsewhere.  See <code><a href="../files/package.json.html">packa
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-folders &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-folders &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/files/npm-global.html

@@ -182,5 +182,5 @@ cannot be found elsewhere.  See <code><a href="../files/package.json.html">packa
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-folders &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-folders &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/files/npm-json.html

@@ -586,5 +586,5 @@ ignored.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">package.json &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">package.json &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/files/npm-package-locks.html

@@ -0,0 +1,148 @@
+<!doctype html>
+<html>
+  <title>npm-package-locks</title>
+  <meta charset="utf-8">
+  <link rel="stylesheet" type="text/css" href="../../static/style.css">
+  <link rel="canonical" href="https://www.npmjs.org/doc/files/npm-package-locks.html">
+  <script async=true src="../../static/toc.js"></script>
+
+  <body>
+    <div id="wrapper">
+
+<h1><a href="../files/npm-package-locks.html">npm-package-locks</a></h1> <p>An explanation of npm lockfiles</p>
+<h2 id="description">DESCRIPTION</h2>
+<p>Conceptually, the &quot;input&quot; to <a href="../cli/npm-install.html">npm-install(1)</a> is a <a href="../files/package.json.html">package.json(5)</a>, while its
+&quot;output&quot; is a fully-formed <code>node_modules</code> tree: a representation of the
+dependencies you declared. In an ideal world, npm would work like a pure
+function: the same <code>package.json</code> should produce the exact same <code>node_modules</code>
+tree, any time. In some cases, this is indeed true. But in many others, npm is
+unable to do this. There are multiple reasons for this:</p>
+<ul>
+<li><p>different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms.</p>
+</li>
+<li><p>a new version of a direct semver-range package may have been published since the last time your packages were installed, and thus a newer version will be used.</p>
+</li>
+<li><p>A dependency of one of your dependencies may have published a new version, which will update even if you used pinned dependency specifiers (<code>1.2.3</code> instead of <code>^1.2.3</code>)</p>
+</li>
+<li><p>The registry you installed from is no longer available, or allows mutation of versions (unlike the primary npm registry), and a different version of a package exists under the same version number now.</p>
+</li>
+</ul>
+<p>As an example, consider package A:</p>
+<pre><code>{
+  &quot;name&quot;: &quot;A&quot;,
+  &quot;version&quot;: &quot;0.1.0&quot;,
+  &quot;dependencies&quot;: {
+    &quot;B&quot;: &quot;&lt;0.1.0&quot;
+  }
+}
+</code></pre><p>package B:</p>
+<pre><code>{
+  &quot;name&quot;: &quot;B&quot;,
+  &quot;version&quot;: &quot;0.0.1&quot;,
+  &quot;dependencies&quot;: {
+    &quot;C&quot;: &quot;&lt;0.1.0&quot;
+  }
+}
+</code></pre><p>and package C:</p>
+<pre><code>{
+  &quot;name&quot;: &quot;C&quot;,
+  &quot;version&quot;: &quot;0.0.1&quot;
+}
+</code></pre><p>If these are the only versions of A, B, and C available in the
+registry, then a normal <code>npm install A</code> will install:</p>
+<pre><code>A@0.1.0
+`-- B@0.0.1
+    `-- C@0.0.1
+</code></pre><p>However, if B@0.0.2 is published, then a fresh <code>npm install A</code> will
+install:</p>
+<pre><code>A@0.1.0
+`-- B@0.0.2
+    `-- C@0.0.1
+</code></pre><p>assuming the new version did not modify B&#39;s dependencies. Of course,
+the new version of B could include a new version of C and any number
+of new dependencies. If such changes are undesirable, the author of A
+could specify a dependency on B@0.0.1. However, if A&#39;s author and B&#39;s
+author are not the same person, there&#39;s no way for A&#39;s author to say
+that he or she does not want to pull in newly published versions of C
+when B hasn&#39;t changed at all.</p>
+<p>To prevent this potential issue, npm uses <a href="../files/package-lock.json.html">package-lock.json(5)</a> or, if present,
+n<a href="../files/pm-shrinkwrap.json.html">pm-shrinkwrap.json(5)</a>. These files are called package locks, or lockfiles.</p>
+<p>Whenever you run <code>npm install</code>, npm generates or updates your package lock,
+which will look something like this:</p>
+<pre><code>{
+  &quot;name&quot;: &quot;A&quot;,
+  &quot;version&quot;: &quot;0.1.0&quot;,
+  ...metadata fields...
+  &quot;dependencies&quot;: {
+    &quot;B&quot;: {
+      &quot;version&quot;: &quot;0.0.1&quot;,
+      &quot;resolved&quot;: &quot;https://registry.npmjs.org/B/-/B-0.0.1.tgz&quot;,
+      &quot;integrity&quot;: &quot;sha512-DeAdb33F+&quot;
+      &quot;dependencies&quot;: {
+        &quot;C&quot;: {
+          &quot;version&quot;: &quot;git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4&quot;
+        }
+      }
+    }
+  }
+}
+</code></pre><p>This file describes an <em>exact</em>, and more importantly <em>reproducible</em>
+<code>node_modules</code> tree. Once it&#39;s present, and future installation will base its
+work off this file, instead of recalculating dependency versions off
+p<a href="../files/ackage.json.html">ackage.json(5)</a>.</p>
+<p>The presence of a package lock changes the installation behavior such that:</p>
+<ol>
+<li><p>The module tree described by the package lock is reproduced. This means
+reproducing the structure described in the file, using the specific files
+referenced in &quot;resolved&quot; if available, falling back to normal package resolution
+using &quot;version&quot; if one isn&#39;t.</p>
+</li>
+<li><p>The tree is walked and any missing dependencies are installed in the usual
+fashion.</p>
+</li>
+</ol>
+<p>If <code>preshrinkwrap</code>, <code>shrinkwrap</code> or <code>postshrinkwrap</code> are in the <code>scripts</code>
+property of the <code>package.json</code>, they will be executed in order. <code>preshrinkwrap</code>
+and <code>shrinkwrap</code> are executed before the shrinkwrap, <code>postshrinkwrap</code> is
+executed afterwards. These scripts run for both <code>package-lock.json</code> and
+<code>npm-shrinkwrap.json</code>. For example to run some postprocessing on the generated
+file:</p>
+<pre><code>&quot;scripts&quot;: {
+  &quot;postshrinkwrap&quot;: &quot;json -I -e \&quot;this.myMetadata = $MY_APP_METADATA\&quot;&quot;
+}
+</code></pre><h3 id="using-locked-packages">Using locked packages</h3>
+<p>Using a locked package is no different than using any package without a package
+lock: any commands that update <code>node_modules</code> and/or <code>package.json</code>&#39;s
+dependencies will automatically sync the existing lockfile. This includes <code>npm
+install</code>, <code>npm rm</code>, <code>npm update</code>, etc. To prevent this update from happening,
+you can use the <code>--no-save</code> option to prevent saving altogether, or
+<code>--no-shrinkwrap</code> to allow <code>package.json</code> to be updated while leaving
+<code>package-lock.json</code> or <code>npm-shrinkwrap.json</code> intact.</p>
+<p>It is highly recommended you commit the generated package lock to source
+control: this will allow anyone else on your team, your deployments, your
+CI/continuous integration, and anyone else who runs <code>npm install</code> in your
+package source to get the exact same dependency tree that you were developing
+on. Additionally, the diffs from these changes are human-readable and will
+inform you of any changes npm has made to your <code>node_modules</code>, so you can notice
+if any transitive dependencies were updated, hoisted, etc.</p>
+<h2 id="see-also">SEE ALSO</h2>
+<ul>
+<li><a href="https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527">https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527</a></li>
+<li><a href="../files/package.json.html">package.json(5)</a></li>
+<li><a href="../files/package-lock.json.html">package-lock.json(5)</a></li>
+<li><a href="../files/npm-shrinkwrap.json.html">npm-shrinkwrap.json(5)</a></li>
+<li><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a></li>
+</ul>
+
+</div>
+
+<table border=0 cellspacing=0 cellpadding=0 id=npmlogo>
+<tr><td style="width:180px;height:10px;background:rgb(237,127,127)" colspan=18>&nbsp;</td></tr>
+<tr><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td colspan=6 style="width:60px;height:10px;background:#fff">&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td></tr>
+<tr><td colspan=2 style="width:20px;height:30px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=4 colspan=2>&nbsp;</td><td style="width:10px;height:20px;background:rgb(237,127,127)" rowspan=2>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=3 colspan=2>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff" rowspan=2>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff">&nbsp;</td></tr>
+<tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
+<tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
+</table>
+<p id="footer">npm-package-locks &mdash; npm@5.0.0</p>

deps/npm/html/doc/files/npm-shrinkwrap.json.html

@@ -0,0 +1,45 @@
+<!doctype html>
+<html>
+  <title>npm-shrinkwrap.json</title>
+  <meta charset="utf-8">
+  <link rel="stylesheet" type="text/css" href="../../static/style.css">
+  <link rel="canonical" href="https://www.npmjs.org/doc/files/npm-shrinkwrap.json.html">
+  <script async=true src="../../static/toc.js"></script>
+
+  <body>
+    <div id="wrapper">
+
+<h1><a href="../files/npm-shrinkwrap.json.html">npm-shrinkwrap.json</a></h1> <p>A publishable lockfile</p>
+<h2 id="description">DESCRIPTION</h2>
+<p><code>npm-shrinkwrap.json</code> is a file created by <a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a>. It is identical to
+<code>package-lock.json</code>, with one major caveat: Unlike <code>package-lock.json</code>,
+<code>npm-shrinwkrap.json</code> may be included when publishing a package.</p>
+<p>The recommended use-case for <code>npm-shrinkwrap.json</code> is applications deployed
+through the publishing process on the registry: for example, daemons and
+command-line tools intended as global installs or <code>devDependencies</code>. It&#39;s
+strongly discouraged for library authors to publish this file, since that would
+prevent end users from having control over transitive dependency updates.</p>
+<p>Additionally, if both <code>package-lock.json</code> and <code>npm-shrinwkrap.json</code> are present
+in a package root, <code>package-lock.json</code> will be ignored in favor of this file.</p>
+<p>For full details and description of the <code>npm-shrinkwrap.json</code> file format, refer
+to the manual page for <a href="../files/package-lock.json.html">package-lock.json(5)</a>.</p>
+<h2 id="see-also">SEE ALSO</h2>
+<ul>
+<li><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a></li>
+<li><a href="../files/package-lock.json.html">package-lock.json(5)</a></li>
+<li><a href="../files/package.json.html">package.json(5)</a></li>
+<li><a href="../cli/npm-install.html">npm-install(1)</a></li>
+</ul>
+
+</div>
+
+<table border=0 cellspacing=0 cellpadding=0 id=npmlogo>
+<tr><td style="width:180px;height:10px;background:rgb(237,127,127)" colspan=18>&nbsp;</td></tr>
+<tr><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td colspan=6 style="width:60px;height:10px;background:#fff">&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td></tr>
+<tr><td colspan=2 style="width:20px;height:30px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=4 colspan=2>&nbsp;</td><td style="width:10px;height:20px;background:rgb(237,127,127)" rowspan=2>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=3 colspan=2>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff" rowspan=2>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff">&nbsp;</td></tr>
+<tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
+<tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
+</table>
+<p id="footer">npm-shrinkwrap.json &mdash; npm@5.0.0</p>

deps/npm/html/doc/files/npmrc.html

@@ -85,5 +85,5 @@ manner.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npmrc &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npmrc &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/files/package-lock.json.html

@@ -0,0 +1,127 @@
+<!doctype html>
+<html>
+  <title>package-lock.json</title>
+  <meta charset="utf-8">
+  <link rel="stylesheet" type="text/css" href="../../static/style.css">
+  <link rel="canonical" href="https://www.npmjs.org/doc/files/package-lock.json.html">
+  <script async=true src="../../static/toc.js"></script>
+
+  <body>
+    <div id="wrapper">
+
+<h1><a href="../files/package-lock.json.html">package-lock.json</a></h1> <p>A manifestation of the manifest</p>
+<h2 id="description">DESCRIPTION</h2>
+<p><code>package-lock.json</code> is automatically generated for any operations where npm
+modifies either the <code>node_modules</code> tree, or <code>package.json</code>. It describes the
+exact tree that was generated, such that subsequent installs are able to
+generate identical trees, regardless of intermediate dependency updates.</p>
+<p>This file is intended to be committed into source repositories, and serves
+various purposes:</p>
+<ul>
+<li><p>Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.</p>
+</li>
+<li><p>Provide a facility for users to &quot;time-travel&quot; to previous states of <code>node_modules</code> without having to commit the directory itself.</p>
+</li>
+<li><p>To facilitate greater visibility of tree changes through readable source control diffs.</p>
+</li>
+<li><p>And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.</p>
+</li>
+</ul>
+<p>One key detail about <code>package-lock.json</code> is that it cannot be published, and it
+will be ignored if found in any place other than the toplevel package. It shares
+a format with <a href="../files/npm-shrinkwrap.json.html">npm-shrinkwrap.json(5)</a>, which is essentially the same file, but
+allows publication. This is not recommended unless deploying a CLI tool or
+otherwise using the publication process for producing production packages.</p>
+<p>If both <code>package-lock.json</code> and <code>npm-shrinkwrap.json</code> are present in the root of
+a package, <code>package-lock.json</code> will be completely ignored.</p>
+<h2 id="file-format">FILE FORMAT</h2>
+<h3 id="name">name</h3>
+<p>The name of the package this is a package-lock for. This must match what&#39;s in
+<code>package.json</code>.</p>
+<h3 id="version">version</h3>
+<p>The version of the package this is a package-lock for. This must match what&#39;s in
+<code>package.json</code>.</p>
+<h3 id="lockfileversion">lockfileVersion</h3>
+<p>An integer version, starting at <code>1</code> with the version number of this document
+whose semantics were used when generating this <code>package-lock.json</code>.</p>
+<h3 id="packageintegrity">packageIntegrity</h3>
+<p>This is a <a href="https://w3c.github.io/webappsec/specs/subresourceintegrity/">subresource
+integrity</a> value
+created from the <code>pacakge.json</code>. No preprocessing of the <code>package.json</code> should
+be done. Subresource integrity strings can be produced by modules like
+<a href="https://www.npmjs.com/package/ssri"><code>ssri</code></a>.</p>
+<h3 id="preservesymlinks">preserveSymlinks</h3>
+<p>Indicates that the install was done with the environment variable
+<code>NODE_PRESERVE_SYMLINKS</code> enabled. The installer should insist that the value of
+this property match that environment variable.</p>
+<h3 id="dependencies">dependencies</h3>
+<p>A mapping of package name to dependency object.  Dependency objects have the
+following properties:</p>
+<h4 id="version">version</h4>
+<p>This is a specifier that uniquely identifies this package and should be
+usable in fetching a new copy of it.</p>
+<ul>
+<li>bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.</li>
+<li>registry sources: This is a version number. (eg, <code>1.2.3</code>)</li>
+<li>git sources: This is a git specifier with resolved committish. (eg, <code>git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e</code>)</li>
+<li>http tarball sources: This is the URL of the tarball. (eg, <code>https://example.com/example-1.3.0.tgz</code>)</li>
+<li>local tarball sources: This is the file URL of the tarball. (eg <code>file:///opt/storage/example-1.3.0.tgz</code>)</li>
+<li>local link sources: This is the file URL of the link. (eg <code>file:libs/our-module</code>)</li>
+</ul>
+<h4 id="integrity">integrity</h4>
+<p>This is a <a href="https://w3c.github.io/webappsec/specs/subresourceintegrity/">Standard Subresource
+Integrity</a> for this
+resource.</p>
+<ul>
+<li>For bundled dependencies this is not included, regardless of source.</li>
+<li>For registry sources, this is the <code>integrity</code> that the registry provided, or if one wasn&#39;t provided the SHA1 in <code>shasum</code>.</li>
+<li>For git sources this is the specific commit hash we cloned from.</li>
+<li>For remote tarball sources this is an integrity based on a SHA512 of
+the file.</li>
+<li>For local tarball sources: This is an integrity field based on the SHA512 of the file.</li>
+</ul>
+<h4 id="resolved">resolved</h4>
+<ul>
+<li>For bundled dependencies this is not included, regardless of source.</li>
+<li>For registry sources this is path of the tarball relative to the registry
+URL.  If the tarball URL isn&#39;t on the same server as the registry URL then
+this is a complete URL.</li>
+</ul>
+<h4 id="bundled">bundled</h4>
+<p>If true, this is the bundled dependency and will be installed by the parent
+module.  When installing, this module will be extracted from the parent
+module during the extract phase, not installed as a separate dependency.</p>
+<h4 id="dev">dev</h4>
+<p>If true then this dependency is either a development dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both a development dependency of the top level and a
+transitive dependency of a non-development dependency of the top level.</p>
+<h4 id="optional">optional</h4>
+<p>If true then this dependency is either an optional dependency ONLY of the
+top level module or a transitive dependency of one.  This is false for
+dependencies that are both an optional dependency of the top level and a
+transitive dependency of a non-optional dependency of the top level.</p>
+<p>All optional dependencies should be included even if they&#39;re uninstallable
+on the current platform.</p>
+<h4 id="dependencies">dependencies</h4>
+<p>The dependencies of this dependency, exactly as at the top level.</p>
+<h2 id="see-also">SEE ALSO</h2>
+<ul>
+<li><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a></li>
+<li><a href="../files/package-lock.json.html">package-lock.json(5)</a></li>
+<li><a href="../files/package.json.html">package.json(5)</a></li>
+<li><a href="../cli/npm-install.html">npm-install(1)</a></li>
+</ul>
+
+</div>
+
+<table border=0 cellspacing=0 cellpadding=0 id=npmlogo>
+<tr><td style="width:180px;height:10px;background:rgb(237,127,127)" colspan=18>&nbsp;</td></tr>
+<tr><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td><td style="width:40px;height:10px;background:#fff" colspan=4>&nbsp;</td><td rowspan=4 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td><td colspan=6 style="width:60px;height:10px;background:#fff">&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=4>&nbsp;</td></tr>
+<tr><td colspan=2 style="width:20px;height:30px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=4 colspan=2>&nbsp;</td><td style="width:10px;height:20px;background:rgb(237,127,127)" rowspan=2>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:20px;height:10px;background:#fff" rowspan=3 colspan=2>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:#fff" rowspan=3>&nbsp;</td><td style="width:10px;height:10px;background:rgb(237,127,127)" rowspan=3>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff" rowspan=2>&nbsp;</td></tr>
+<tr><td style="width:10px;height:10px;background:#fff">&nbsp;</td></tr>
+<tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
+<tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
+</table>
+<p id="footer">package-lock.json &mdash; npm@5.0.0</p>

deps/npm/html/doc/files/package.json.html

@@ -586,5 +586,5 @@ ignored.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">package.json &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">package.json &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/index.html

@@ -91,7 +91,7 @@
 <h3 id="npm-search-1-"><a href="cli/npm-search.html">npm-search(1)</a></h3>
 <p>Search for packages</p>
 <h3 id="npm-shrinkwrap-1-"><a href="cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a></h3>
-<p>Lock down dependency versions</p>
+<p>Lock down dependency versions for publication</p>
 <h3 id="npm-star-1-"><a href="cli/npm-star.html">npm-star(1)</a></h3>
 <p>Mark your favorite packages</p>
 <h3 id="npm-stars-1-"><a href="cli/npm-stars.html">npm-stars(1)</a></h3>
@@ -122,8 +122,14 @@
 <p>File system structures npm uses</p>
 <h3 id="npm-folders-5-"><a href="files/npm-folders.html">npm-folders(5)</a></h3>
 <p>Folder Structures Used by npm</p>
+<h3 id="npm-package-locks-5-"><a href="files/npm-package-locks.html">npm-package-locks(5)</a></h3>
+<p>An explanation of npm lockfiles</p>
+<h3 id="npm-shrinkwrap-json-5-"><a href="files/npm-shrinkwrap.json.html">npm-shrinkwrap.json(5)</a></h3>
+<p>A publishable lockfile</p>
 <h3 id="npmrc-5-"><a href="files/npmrc.html">npmrc(5)</a></h3>
 <p>The npm config files</p>
+<h3 id="package-lock-json-5-"><a href="files/package-lock.json.html">package-lock.json(5)</a></h3>
+<p>A manifestation of the manifest</p>
 <h3 id="package-json-5-"><a href="files/package.json.html">package.json(5)</a></h3>
 <p>Specifics of npm&#39;s package.json handling</p>
 <h2 id="misc">Misc</h2>
@@ -162,5 +168,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-index &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-index &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-coding-style.html

@@ -153,5 +153,5 @@ set to anything.&quot;</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-coding-style &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-coding-style &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-config.html

@@ -61,6 +61,7 @@ internal to npm, and are defaults if nothing else is specified.</p>
 <li><code>-f</code>: <code>--force</code></li>
 <li><code>-desc</code>: <code>--description</code></li>
 <li><code>-S</code>: <code>--save</code></li>
+<li><code>-P</code>: <code>--save-prod</code></li>
 <li><code>-D</code>: <code>--save-dev</code></li>
 <li><code>-O</code>: <code>--save-optional</code></li>
 <li><code>-B</code>: <code>--save-bundle</code></li>
@@ -586,6 +587,14 @@ installed.</p>
 <p>Attempt to install packages in the <code>optionalDependencies</code> object.  Note
 that if these packages fail to install, the overall installation
 process is not aborted.</p>
+<h3 id="package-lock">package-lock</h3>
+<ul>
+<li>Default: true</li>
+<li>Type: Boolean</li>
+</ul>
+<p>If set to false, then ignore <code>package-lock.json</code> files when installing. This
+will also prevent <em>writing</em> <code>package-lock.json</code> if <code>save</code> is true.</p>
+<p>This option is an alias for <code>--shrinkwrap</code>.</p>
 <h3 id="parseable">parseable</h3>
 <ul>
 <li>Default: false</li>
@@ -689,6 +698,16 @@ object.</p>
 <code>bundleDependencies</code> list.</p>
 <p>When used with the <code>npm rm</code> command, it removes it from the
 bundledDependencies list.</p>
+<h3 id="save-prod">save-prod</h3>
+<ul>
+<li>Default: false</li>
+<li>Type: Boolean</li>
+</ul>
+<p>Makes sure that a package will be saved into <code>dependencies</code> specifically. This
+is useful if a package already exists in <code>devDependencies</code> or
+<code>optionalDependencies</code>, but you want to move it to be a production dep. This is
+also the default behavior if <code>--save</code> is true, and neither <code>--save-dev</code> or
+<code>--save-optional</code> are true.</p>
 <h3 id="save-dev">save-dev</h3>
 <ul>
 <li>Default: false</li>
@@ -800,8 +819,9 @@ Windows</li>
 <li>Default: true</li>
 <li>Type: Boolean</li>
 </ul>
-<p>If set to false, then ignore <code>npm-shrinkwrap.json</code> files when
-installing.</p>
+<p>If set to false, then ignore <code>npm-shrinkwrap.json</code> files when installing. This
+will also prevent <em>writing</em> <code>npm-shrinkwrap.json</code> if <code>save</code> is true.</p>
+<p>This option is an alias for <code>--package-lock</code>.</p>
 <h3 id="sign-git-tag">sign-git-tag</h3>
 <ul>
 <li>Default: false</li>
@@ -961,5 +981,5 @@ exit successfully.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-config &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-config &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-developers.html

@@ -194,5 +194,5 @@ from a fresh checkout.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-developers &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-developers &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-disputes.html

@@ -20,7 +20,7 @@ Conduct.</p>
 <h2 id="tl-dr">TL;DR</h2>
 <ol>
 <li>Get the author email with <code>npm owner ls &lt;pkgname&gt;</code></li>
-<li>Email the author, CC <a href="&#x6d;&#97;&#105;&#108;&#x74;&#111;&#58;&#115;&#x75;&#x70;&#x70;&#x6f;&#x72;&#x74;&#64;&#x6e;&#112;&#109;&#106;&#x73;&#46;&#99;&#111;&#x6d;">&#115;&#x75;&#x70;&#x70;&#x6f;&#x72;&#x74;&#64;&#x6e;&#112;&#109;&#106;&#x73;&#46;&#99;&#111;&#x6d;</a></li>
+<li>Email the author, CC <a href="&#x6d;&#x61;&#x69;&#x6c;&#116;&#111;&#x3a;&#x73;&#117;&#112;&#x70;&#111;&#114;&#x74;&#x40;&#110;&#112;&#109;&#x6a;&#x73;&#46;&#x63;&#111;&#x6d;">&#x73;&#117;&#112;&#x70;&#111;&#114;&#x74;&#x40;&#110;&#112;&#109;&#x6a;&#x73;&#46;&#x63;&#111;&#x6d;</a></li>
 <li>After a few weeks, if there&#39;s no resolution, we&#39;ll sort it out.</li>
 </ol>
 <p>Don&#39;t squat on package names.  Publish code or move out of the way.</p>
@@ -55,12 +55,12 @@ because Yusuf&#39;s <code>foo</code> is in the way.</p>
 </li>
 <li>Alice emails Yusuf, explaining the situation <strong>as respectfully as possible</strong>,
 and what she would like to do with the module name. She adds the npm support
-staff <a href="&#109;&#x61;&#105;&#x6c;&#x74;&#x6f;&#x3a;&#115;&#117;&#112;&#112;&#111;&#x72;&#x74;&#64;&#110;&#x70;&#109;&#106;&#115;&#46;&#x63;&#x6f;&#109;">&#115;&#117;&#112;&#112;&#111;&#x72;&#x74;&#64;&#110;&#x70;&#109;&#106;&#115;&#46;&#x63;&#x6f;&#109;</a> to the CC list of the email. Mention in the email
+staff <a href="&#109;&#97;&#x69;&#x6c;&#116;&#111;&#58;&#115;&#x75;&#x70;&#x70;&#x6f;&#x72;&#x74;&#x40;&#110;&#112;&#109;&#106;&#x73;&#46;&#99;&#111;&#x6d;">&#115;&#x75;&#x70;&#x70;&#x6f;&#x72;&#x74;&#x40;&#110;&#112;&#109;&#106;&#x73;&#46;&#99;&#111;&#x6d;</a> to the CC list of the email. Mention in the email
 that Yusuf can run npm owner <code>add alice foo</code> to add Alice as an owner of the
 foo package.</li>
 <li>After a reasonable amount of time, if Yusuf has not responded, or if Yusuf
 and Alice can&#39;t come to any sort of resolution, email support
-<a href="&#x6d;&#97;&#105;&#x6c;&#x74;&#x6f;&#58;&#x73;&#117;&#112;&#112;&#x6f;&#114;&#116;&#x40;&#x6e;&#112;&#109;&#106;&#x73;&#46;&#x63;&#x6f;&#x6d;">&#x73;&#117;&#112;&#112;&#x6f;&#114;&#116;&#x40;&#x6e;&#112;&#109;&#106;&#x73;&#46;&#x63;&#x6f;&#x6d;</a> and we&#39;ll sort it out. (&quot;Reasonable&quot; is usually at least
+<a href="&#x6d;&#x61;&#105;&#108;&#x74;&#111;&#x3a;&#115;&#x75;&#x70;&#x70;&#111;&#114;&#x74;&#64;&#110;&#112;&#x6d;&#106;&#115;&#x2e;&#x63;&#x6f;&#109;">&#115;&#x75;&#x70;&#x70;&#111;&#114;&#x74;&#64;&#110;&#112;&#x6d;&#106;&#115;&#x2e;&#x63;&#x6f;&#109;</a> and we&#39;ll sort it out. (&quot;Reasonable&quot; is usually at least
 4 weeks.)</li>
 </ol>
 <h2 id="reasoning">REASONING</h2>
@@ -96,12 +96,12 @@ application database or otherwise putting non-packagey things into it.</li>
 <a href="https://www.npmjs.com/policies/conduct">Code of Conduct</a> such as hateful
 language, pornographic content, or harassment.</li>
 </ol>
-<p>If you see bad behavior like this, please report it to <a href="&#109;&#97;&#x69;&#x6c;&#x74;&#111;&#x3a;&#x61;&#98;&#x75;&#x73;&#x65;&#64;&#x6e;&#x70;&#x6d;&#106;&#115;&#46;&#x63;&#111;&#109;">&#x61;&#98;&#x75;&#x73;&#x65;&#64;&#x6e;&#x70;&#x6d;&#106;&#115;&#46;&#x63;&#111;&#109;</a> right
+<p>If you see bad behavior like this, please report it to <a href="&#x6d;&#97;&#105;&#x6c;&#x74;&#111;&#x3a;&#x61;&#98;&#117;&#115;&#101;&#x40;&#x6e;&#112;&#x6d;&#x6a;&#x73;&#46;&#99;&#111;&#109;">&#x61;&#98;&#117;&#115;&#101;&#x40;&#x6e;&#112;&#x6d;&#x6a;&#x73;&#46;&#99;&#111;&#109;</a> right
 away. <strong>You are never expected to resolve abusive behavior on your own. We are
 here to help.</strong></p>
 <h2 id="trademarks">TRADEMARKS</h2>
 <p>If you think another npm publisher is infringing your trademark, such as by
-using a confusingly similar package name, email <a href="&#109;&#x61;&#x69;&#x6c;&#x74;&#x6f;&#58;&#97;&#x62;&#117;&#115;&#101;&#x40;&#x6e;&#112;&#109;&#x6a;&#115;&#46;&#99;&#x6f;&#109;">&#97;&#x62;&#117;&#115;&#101;&#x40;&#x6e;&#112;&#109;&#x6a;&#115;&#46;&#99;&#x6f;&#109;</a> with a link to
+using a confusingly similar package name, email <a href="&#x6d;&#x61;&#105;&#108;&#116;&#111;&#x3a;&#x61;&#x62;&#x75;&#115;&#101;&#x40;&#x6e;&#x70;&#109;&#x6a;&#x73;&#46;&#x63;&#x6f;&#109;">&#x61;&#x62;&#x75;&#115;&#101;&#x40;&#x6e;&#x70;&#109;&#x6a;&#x73;&#46;&#x63;&#x6f;&#109;</a> with a link to
 the package or user account on <a href="https://npmjs.com">https://npmjs.com</a>. Attach a
 copy of your trademark registration certificate.</p>
 <p>If we see that the package&#39;s publisher is intentionally misleading others by
@@ -134,5 +134,5 @@ License.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-disputes &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-disputes &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-index.html

@@ -91,7 +91,7 @@
 <h3 id="npm-search-1-"><a href="../cli/npm-search.html">npm-search(1)</a></h3>
 <p>Search for packages</p>
 <h3 id="npm-shrinkwrap-1-"><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap(1)</a></h3>
-<p>Lock down dependency versions</p>
+<p>Lock down dependency versions for publication</p>
 <h3 id="npm-star-1-"><a href="../cli/npm-star.html">npm-star(1)</a></h3>
 <p>Mark your favorite packages</p>
 <h3 id="npm-stars-1-"><a href="../cli/npm-stars.html">npm-stars(1)</a></h3>
@@ -122,8 +122,14 @@
 <p>File system structures npm uses</p>
 <h3 id="npm-folders-5-"><a href="../files/npm-folders.html">npm-folders(5)</a></h3>
 <p>Folder Structures Used by npm</p>
+<h3 id="npm-package-locks-5-"><a href="../files/npm-package-locks.html">npm-package-locks(5)</a></h3>
+<p>An explanation of npm lockfiles</p>
+<h3 id="npm-shrinkwrap-json-5-"><a href="../files/npm-shrinkwrap.json.html">npm-shrinkwrap.json(5)</a></h3>
+<p>A publishable lockfile</p>
 <h3 id="npmrc-5-"><a href="../files/npmrc.html">npmrc(5)</a></h3>
 <p>The npm config files</p>
+<h3 id="package-lock-json-5-"><a href="../files/package-lock.json.html">package-lock.json(5)</a></h3>
+<p>A manifestation of the manifest</p>
 <h3 id="package-json-5-"><a href="../files/package.json.html">package.json(5)</a></h3>
 <p>Specifics of npm&#39;s package.json handling</p>
 <h2 id="misc">Misc</h2>
@@ -162,5 +168,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-index &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-index &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-orgs.html

@@ -86,5 +86,5 @@
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-orgs &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-orgs &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-registry.html

@@ -90,5 +90,5 @@ effectively implement the entire CouchDB API anyway.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-registry &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-registry &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-scope.html

@@ -99,5 +99,5 @@ that registry instead.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-scope &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-scope &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/npm-scripts.html

@@ -15,14 +15,20 @@
 following scripts:</p>
 <ul>
 <li>prepublish:
-Run BEFORE the package is published.  (Also run on local <code>npm
-install</code> without any arguments. See below.)</li>
+Run BEFORE the package is packed and published, as well as on local <code>npm
+install</code> without any arguments. (See below)</li>
 <li>prepare:
-Run both BEFORE the package is published, and on local <code>npm
-install</code> without any arguments. (See below.) This is run
+Run both BEFORE the package is packed and published, and on local <code>npm
+install</code> without any arguments (See below). This is run
 AFTER <code>prepublish</code>, but BEFORE <code>prepublishOnly</code>.</li>
 <li>prepublishOnly:
-Run BEFORE the package is published. (See below.)</li>
+Run BEFORE the package is prepared and packed, ONLY on <code>npm publish</code>. (See
+below.)</li>
+<li>prepack:
+run BEFORE a tarball is packed (on <code>npm pack</code>, <code>npm publish</code>, and when
+installing git dependencies)</li>
+<li>postpack:
+Run AFTER the tarball has been generated and moved to its final destination.</li>
 <li>publish, postpublish:
 Run AFTER the package is published.</li>
 <li>preinstall:
@@ -237,5 +243,5 @@ scripts is for compilation which must be done on the target architecture.</li>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">npm-scripts &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">npm-scripts &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/removing-npm.html

@@ -57,5 +57,5 @@ modules.  To track those down, you can do the following:</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">removing-npm &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">removing-npm &mdash; npm@5.0.0</p>
 

deps/npm/html/doc/misc/semver.html

@@ -325,5 +325,5 @@ range, use the <code>satisfies(version, range)</code> function.</p>
 <tr><td style="width:60px;height:10px;background:rgb(237,127,127)" colspan=6>&nbsp;</td><td colspan=10 style="width:10px;height:10px;background:rgb(237,127,127)">&nbsp;</td></tr>
 <tr><td colspan=5 style="width:50px;height:10px;background:#fff">&nbsp;</td><td style="width:40px;height:10px;background:rgb(237,127,127)" colspan=4>&nbsp;</td><td style="width:90px;height:10px;background:#fff" colspan=9>&nbsp;</td></tr>
 </table>
-<p id="footer">semver &mdash; npm@5.0.0-beta.56</p>
+<p id="footer">semver &mdash; npm@5.0.0</p>
 

deps/npm/lib/config/cmd-list.js

@@ -37,6 +37,7 @@ var affordances = {
   'info': 'view',
   'show': 'view',
   'find': 'search',
+  'add': 'install',
   'unlink': 'uninstall',
   'remove': 'uninstall',
   'rm': 'uninstall',

deps/npm/lib/config/defaults.js

@@ -178,6 +178,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'onload-script': false,
     only: null,
     optional: true,
+    'package-lock': true,
     parseable: false,
     'prefer-offline': false,
     'prefer-online': false,
@@ -200,6 +201,7 @@ Object.defineProperty(exports, 'defaults', {get: function () {
     'save-exact': false,
     'save-optional': false,
     'save-prefix': '^',
+    'save-prod': false,
     scope: '',
     'scripts-prepend-node-path': 'warn-only',
     searchopts: '',
@@ -304,6 +306,7 @@ exports.types = {
   'onload-script': [null, String],
   only: [null, 'dev', 'development', 'prod', 'production'],
   optional: Boolean,
+  'package-lock': Boolean,
   parseable: Boolean,
   'prefer-offline': Boolean,
   'prefer-online': Boolean,
@@ -321,6 +324,7 @@ exports.types = {
   'save-exact': Boolean,
   'save-optional': Boolean,
   'save-prefix': String,
+  'save-prod': Boolean,
   scope: String,
   'scripts-prepend-node-path': [false, true, 'auto', 'warn-only'],
   searchopts: String,
@@ -404,6 +408,7 @@ exports.shorthands = {
   D: ['--save-dev'],
   E: ['--save-exact'],
   O: ['--save-optional'],
+  P: ['--save-prod'],
   y: ['--yes'],
   n: ['--no-yes'],
   B: ['--save-bundle'],

deps/npm/lib/config/pacote.js

@@ -1,25 +1,24 @@
 'use strict'
 
-const BB = require('bluebird')
+const Buffer = require('safe-buffer').Buffer
 
-const cp = require('child_process')
 const npm = require('../npm')
 const log = require('npmlog')
-const packToStream = require('../utils/tar').packToStream
+let pack
 const path = require('path')
-const pipe = BB.promisify(require('mississippi').pipe)
-const readJson = BB.promisify(require('read-package-json'))
-const PassThrough = require('stream').PassThrough
 
 let effectiveOwner
 
 module.exports = pacoteOpts
 function pacoteOpts (moreOpts) {
+  if (!pack) {
+    pack = require('../pack.js')
+  }
   const ownerStats = calculateOwner()
   const opts = {
     cache: path.join(npm.config.get('cache'), '_cacache'),
     defaultTag: npm.config.get('tag'),
-    dirPacker: prepareAndPack,
+    dirPacker: pack.packGitDep,
     hashAlgorithm: 'sha1',
     localAddress: npm.config.get('local-address'),
     log: log,
@@ -44,17 +43,34 @@ function pacoteOpts (moreOpts) {
   }
 
   if (ownerStats.uid || ownerStats.gid) {
-    Object.assign(opts, ownerStats, {
-      cacheUid: ownerStats.uid,
-      cacheGid: ownerStats.gid
-    })
+    Object.assign(opts, ownerStats)
   }
 
   npm.config.keys.forEach(function (k) {
-    if (k[0] === '/' && k.match(/.*:_authToken$/)) {
+    const authMatch = k[0] === '/' && k.match(
+      /(.*):(_authToken|username|_password|password|email|always-auth)$/
+    )
+    if (authMatch) {
+      const nerfDart = authMatch[1]
+      const key = authMatch[2]
+      const val = npm.config.get(k)
       if (!opts.auth) { opts.auth = {} }
-      opts.auth[k.replace(/:_authToken$/, '')] = {
-        token: npm.config.get(k)
+      if (!opts.auth[nerfDart]) {
+        opts.auth[nerfDart] = {
+          alwaysAuth: !!npm.config.get('always-auth')
+        }
+      }
+      if (key === '_authToken') {
+        opts.auth[nerfDart].token = val
+      } else if (key.match(/password$/i)) {
+        opts.auth[nerfDart].password =
+        // the config file stores password auth already-encoded. pacote expects
+        // the actual username/password pair.
+        Buffer.from(val, 'base64').toString('utf8')
+      } else if (key === 'always-auth') {
+        opts.auth[nerfDart].alwaysAuth = val === 'false' ? false : !!val
+      } else {
+        opts.auth[nerfDart][key] = val
       }
     }
     if (k[0] === '@') {
@@ -90,86 +106,3 @@ function calculateOwner () {
 
   return effectiveOwner
 }
-
-const PASSTHROUGH_OPTS = [
-  'always-auth',
-  'auth-type',
-  'ca',
-  'cafile',
-  'cert',
-  'git',
-  'local-address',
-  'maxsockets',
-  'offline',
-  'prefer-offline',
-  'prefer-online',
-  'proxy',
-  'https-proxy',
-  'registry',
-  'send-metrics',
-  'sso-poll-frequency',
-  'sso-type',
-  'strict-ssl'
-]
-
-function prepareAndPack (manifest, dir) {
-  const stream = new PassThrough()
-  readJson(path.join(dir, 'package.json')).then((pkg) => {
-    if (pkg.scripts && pkg.scripts.prepare) {
-      log.verbose('prepareGitDep', `${manifest._spec}: installing devDeps and running prepare script.`)
-      const cliArgs = PASSTHROUGH_OPTS.reduce((acc, opt) => {
-        if (npm.config.get(opt, 'cli') != null) {
-          acc.push(`--${opt}=${npm.config.get(opt)}`)
-        }
-        return acc
-      }, [])
-      const child = cp.spawn(process.env.NODE || process.execPath, [
-        require.main.filename,
-        'install',
-        '--ignore-prepublish',
-        '--no-progress',
-        '--no-save'
-      ].concat(cliArgs), {
-        cwd: dir,
-        env: process.env
-      })
-      let errData = []
-      let errDataLen = 0
-      let outData = []
-      let outDataLen = 0
-      child.stdout.on('data', (data) => {
-        outData.push(data)
-        outDataLen += data.length
-        log.gauge.pulse('preparing git package')
-      })
-      child.stderr.on('data', (data) => {
-        errData.push(data)
-        errDataLen += data.length
-        log.gauge.pulse('preparing git package')
-      })
-      return BB.fromNode((cb) => {
-        child.on('error', cb)
-        child.on('exit', (code, signal) => {
-          if (code > 0) {
-            const err = new Error(`${signal}: npm exited with code ${code} while attempting to build ${manifest._requested}. Clone the repository manually and run 'npm install' in it for more information.`)
-            err.code = code
-            err.signal = signal
-            cb(err)
-          } else {
-            cb()
-          }
-        })
-      }).then(() => {
-        if (outDataLen > 0) log.silly('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
-        if (errDataLen > 0) log.silly('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
-      }, (err) => {
-        if (outDataLen > 0) log.error('prepareGitDep', '1>', Buffer.concat(outData, outDataLen).toString())
-        if (errDataLen > 0) log.error('prepareGitDep', '2>', Buffer.concat(errData, errDataLen).toString())
-        throw err
-      })
-    }
-  }).then(() => {
-    return pipe(packToStream(manifest, dir), stream)
-  }).catch((err) => stream.emit('error', err))
-  return stream
-}

deps/npm/lib/fetch-package-metadata.js

@@ -12,7 +12,7 @@ const npmlog = require('npmlog')
 const limit = require('call-limit')
 const tempFilename = require('./utils/temp-filename')
 const pacote = require('pacote')
-const pacoteOpts = require('./config/pacote')
+let pacoteOpts
 const isWindows = require('./utils/is-windows.js')
 
 function andLogAndFinish (spec, tracker, done) {
@@ -52,7 +52,9 @@ function fetchPackageMetadata (spec, where, opts, done) {
     err.code = 'EWINDOWSPATH'
     return logAndFinish(err)
   }
-
+  if (!pacoteOpts) {
+    pacoteOpts = require('./config/pacote')
+  }
   pacote.manifest(dep, pacoteOpts({
     annotate: true,
     fullMetadata: opts.fullMetadata,
@@ -83,6 +85,9 @@ function fetchPackageMetadata (spec, where, opts, done) {
 module.exports.addBundled = addBundled
 function addBundled (pkg, next) {
   validate('OF', arguments)
+  if (!pacoteOpts) {
+    pacoteOpts = require('./config/pacote')
+  }
   if (pkg._bundled !== undefined) return next(null, pkg)
 
   if (!pkg.bundleDependencies && pkg._requested.type !== 'directory') return next(null, pkg)

deps/npm/lib/install.js

@@ -29,7 +29,7 @@ install.usage = usage(
   '\nnpm install <tarball url>' +
   '\nnpm install <git:// url>' +
   '\nnpm install <github username>/<github project>',
-  '[--save|--save-dev|--save-optional] [--save-exact]'
+  '[--save-prod|--save-dev|--save-optional] [--save-exact] [--no-save]'
 )
 
 install.completion = function (opts, cb) {
@@ -98,6 +98,7 @@ var path = require('path')
 // dependencies
 var log = require('npmlog')
 var readPackageTree = require('read-package-tree')
+var readPackageJson = require('read-package-json')
 var chain = require('slide').chain
 var asyncMap = require('slide').asyncMap
 var archy = require('archy')
@@ -137,10 +138,11 @@ var doReverseSerialActions = require('./install/actions.js').doReverseSerial
 var doParallelActions = require('./install/actions.js').doParallel
 var doOneAction = require('./install/actions.js').doOne
 var removeObsoleteDep = require('./install/deps.js').removeObsoleteDep
+var removeExtraneous = require('./install/deps.js').removeExtraneous
+var computeVersionSpec = require('./install/deps.js').computeVersionSpec
 var packageId = require('./utils/package-id.js')
 var moduleName = require('./utils/module-name.js')
 var errorMessage = require('./utils/error-message.js')
-var removeDeps = require('./install/deps.js').removeDeps
 var isExtraneous = require('./install/is-extraneous.js')
 
 function unlockCB (lockPath, name, cb) {
@@ -202,6 +204,11 @@ function Installer (where, dryrun, args) {
   this.where = where
   this.dryrun = dryrun
   this.args = args
+  // fakechildren are children created from the lockfile and lack relationship data
+  // the only exist when the tree does not match the lockfile
+  // this is fine when doing full tree installs/updates but not ok when modifying only
+  // a few deps via `npm install` or `npm uninstall`.
+  this.fakeChildren = true
   this.currentTree = null
   this.idealTree = null
   this.differences = []
@@ -245,6 +252,11 @@ Installer.prototype.run = function (_cb) {
 
   var installSteps = []
   var postInstallSteps = []
+  if (!this.dryrun) {
+    installSteps.push(
+      [this.newTracker(log, 'runTopLevelLifecycles', 2)],
+      [this, this.runPreinstallTopLevelLifecycles])
+  }
   installSteps.push(
     [this.newTracker(log, 'loadCurrentTree', 4)],
     [this, this.loadCurrentTree],
@@ -265,9 +277,6 @@ Installer.prototype.run = function (_cb) {
     [this, this.debugActions, 'decomposeActions', 'todo'])
   if (!this.dryrun) {
     installSteps.push(
-      [this.newTracker(log, 'runTopLevelLifecycles', 2)],
-      [this, this.runPreinstallTopLevelLifecycles],
-
       [this.newTracker(log, 'executeActions', 8)],
       [this, this.executeActions],
       [this, this.finishTracker, 'executeActions'])
@@ -313,9 +322,9 @@ Installer.prototype.run = function (_cb) {
 }
 
 Installer.prototype.loadArgMetadata = function (next) {
-  var self = this
-  getAllMetadata(this.args, this.currentTree, process.cwd(), iferr(next, function (args) {
-    self.args = args
+  getAllMetadata(this.args, this.currentTree, process.cwd(), iferr(next, (args) => {
+    this.args = args
+    if (args.length) this.fakeChildren = false
     next()
   }))
 }
@@ -354,6 +363,14 @@ var flatNameFromTree = require('./install/flatten-tree.js').flatNameFromTree
 Installer.prototype.normalizeCurrentTree = function (cb) {
   this.currentTree.isTop = true
   normalizeTree(this.currentTree)
+  // If the user didn't have a package.json then fill in deps with what was on disk
+  if (this.currentTree.error) {
+    for (let child of this.currentTree.children) {
+      if (!child.fakeChild && isExtraneous(child)) {
+        this.currentTree.package.dependencies[child.package.name] = computeVersionSpec(this.currentTree, child)
+      }
+    }
+  }
   return cb()
 
   function normalizeTree (tree) {
@@ -386,9 +403,9 @@ Installer.prototype.loadIdealTree = function (cb) {
 
 Installer.prototype.pruneIdealTree = function (cb) {
   var toPrune = this.idealTree.children
-    .filter((n) => !n.fromShrinkwrap && isExtraneous(n))
+    .filter((n) => !n.fakeChild && isExtraneous(n))
     .map((n) => ({name: moduleName(n)}))
-  return removeDeps(toPrune, this.idealTree, null, log.newGroup('pruneDeps'), cb)
+  return removeExtraneous(toPrune, this.idealTree, cb)
 }
 
 Installer.prototype.loadAllDepsIntoIdealTree = function (cb) {
@@ -400,14 +417,14 @@ Installer.prototype.loadAllDepsIntoIdealTree = function (cb) {
   var installNewModules = !!this.args.length
   var steps = []
 
+  const depsToPreload = Object.assign({},
+    this.dev ? this.idealTree.package.devDependencies : {},
+    this.prod ? this.idealTree.package.dependencies : {}
+  )
   if (installNewModules) {
     steps.push([validateArgs, this.idealTree, this.args])
     steps.push([loadRequestedDeps, this.args, this.idealTree, saveDeps, cg.newGroup('loadRequestedDeps')])
   } else {
-    const depsToPreload = Object.assign({},
-      this.dev ? this.idealTree.package.devDependencies : {},
-      this.prod ? this.idealTree.package.dependencies : {}
-    )
     if (this.prod || this.dev) {
       steps.push(
         [prefetchDeps, this.idealTree, depsToPreload, cg.newGroup('prefetchDeps')])
@@ -549,13 +566,16 @@ Installer.prototype.runPreinstallTopLevelLifecycles = function (cb) {
   if (this.failing) return cb()
   if (!this.topLevelLifecycles) return cb()
   log.silly('install', 'runPreinstallTopLevelLifecycles')
-  var steps = []
-  var trackLifecycle = this.progress.runTopLevelLifecycles
 
-  steps.push(
-    [doOneAction, 'preinstall', this.idealTree.path, this.idealTree, trackLifecycle.newGroup('preinstall:.')]
-  )
-  chain(steps, cb)
+  readPackageJson(path.join(this.where, 'package.json'), log, false, (err, data) => {
+    if (err) return cb()
+    this.currentTree = createNode({
+      isTop: true,
+      package: data,
+      path: this.where
+    })
+    doOneAction('preinstall', this.where, this.currentTree, log.newGroup('preinstall:.'), cb)
+  })
 }
 
 Installer.prototype.runPostinstallTopLevelLifecycles = function (cb) {
@@ -581,7 +601,7 @@ Installer.prototype.saveToDependencies = function (cb) {
   validate('F', arguments)
   if (this.failing) return cb()
   log.silly('install', 'saveToDependencies')
-  saveRequested(this.args, this.idealTree, cb)
+  saveRequested(this.idealTree, cb)
 }
 
 Installer.prototype.readGlobalPackageData = function (cb) {
@@ -655,7 +675,7 @@ function isLink (child) {
 Installer.prototype.loadShrinkwrap = function (cb) {
   validate('F', arguments)
   log.silly('install', 'loadShrinkwrap')
-  readShrinkwrap.andInflate(this.idealTree, cb)
+  readShrinkwrap.andInflate(this.idealTree, {fakeChildren: this.fakeChildren}, cb)
 }
 
 Installer.prototype.getInstalledModules = function () {
@@ -693,21 +713,22 @@ Installer.prototype.printInstalled = function (cb) {
   validate('F', arguments)
   if (this.failing) return cb()
   log.silly('install', 'printInstalled')
+  const diffs = this.differences.concat((this.idealTree.removedChildren || []).map((r) => ['remove', r]))
   if (npm.config.get('json')) {
-    return this.printInstalledForJSON(cb)
+    return this.printInstalledForJSON(diffs, cb)
   } else if (npm.config.get('parseable')) {
-    return this.printInstalledForParseable(cb)
+    return this.printInstalledForParseable(diffs, cb)
   } else {
-    return this.printInstalledForHuman(cb)
+    return this.printInstalledForHuman(diffs, cb)
   }
 }
 
-Installer.prototype.printInstalledForHuman = function (cb) {
+Installer.prototype.printInstalledForHuman = function (diffs, cb) {
   var removed = 0
   var added = 0
   var updated = 0
   var moved = 0
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     if (mutation === 'remove') {
       ++removed
@@ -743,7 +764,7 @@ Installer.prototype.printInstalledForHuman = function (cb) {
   }
 }
 
-Installer.prototype.printInstalledForJSON = function (cb) {
+Installer.prototype.printInstalledForJSON = function (diffs, cb) {
   var result = {
     added: [],
     removed: [],
@@ -764,7 +785,7 @@ Installer.prototype.printInstalledForJSON = function (cb) {
     }
     result.warnings.push(message)
   })
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     var child = action[1]
     var record = recordAction(action)
@@ -805,9 +826,9 @@ Installer.prototype.printInstalledForJSON = function (cb) {
   }
 }
 
-Installer.prototype.printInstalledForParseable = function (cb) {
+Installer.prototype.printInstalledForParseable = function (diffs, cb) {
   var self = this
-  this.differences.forEach(function (action) {
+  diffs.forEach(function (action) {
     var mutation = action[0]
     var child = action[1]
     if (mutation === 'move') {
@@ -819,7 +840,7 @@ Installer.prototype.printInstalledForParseable = function (cb) {
       mutation + '\t' +
       moduleName(child) + '\t' +
       (child.package ? child.package.version : '') + '\t' +
-      path.relative(self.where, child.path) + '\t' +
+      (child.path ? path.relative(self.where, child.path) : '') + '\t' +
       (previousVersion || '') + '\t' +
       (previousPath || ''))
   })

deps/npm/lib/install/action/extract.js

@@ -10,22 +10,19 @@ const moduleName = require('../../utils/module-name.js')
 const moduleStagingPath = require('../module-staging-path.js')
 const move = BB.promisify(require('../../utils/move.js'))
 const npa = require('npm-package-arg')
-const npm = require('../../npm.js')
 const packageId = require('../../utils/package-id.js')
 const pacote = require('pacote')
-const pacoteOpts = require('../../config/pacote')
+let pacoteOpts
 const path = require('path')
 
 module.exports = extract
 function extract (staging, pkg, log) {
   log.silly('extract', packageId(pkg))
-  const up = npm.config.get('unsafe-perm')
-  const user = up ? null : npm.config.get('user')
-  const group = up ? null : npm.config.get('group')
   const extractTo = moduleStagingPath(staging, pkg)
+  if (!pacoteOpts) {
+    pacoteOpts = require('../../config/pacote')
+  }
   const opts = pacoteOpts({
-    uid: user,
-    gid: group,
     integrity: pkg.package._integrity
   })
   return pacote.extract(

deps/npm/lib/install/action/finalize.js

@@ -23,10 +23,11 @@ module.exports = function (staging, pkg, log) {
 
   const requested = pkg.package._requested || getRequested(pkg)
   if (requested.type === 'directory') {
+    const relative = path.relative(path.dirname(pkg.path), pkg.realpath)
     return makeParentPath(pkg.path)
-      .then(() => symlink(pkg.realpath, pkg.path, 'junction'))
+      .then(() => symlink(relative, pkg.path, 'junction'))
       .catch((ex) => {
-        return rimraf(pkg.path).then(() => symlink(pkg.realpath, pkg.path, 'junction'))
+        return rimraf(pkg.path).then(() => symlink(relative, pkg.path, 'junction'))
       })
   } else {
     return makeParentPath(pkg.realpath)

deps/npm/lib/install/action/preinstall.js

@@ -1,9 +1,8 @@
 'use strict'
 var lifecycle = require('../../utils/lifecycle.js')
 var packageId = require('../../utils/package-id.js')
-var moduleStagingPath = require('../module-staging-path.js')
 
 module.exports = function (staging, pkg, log, next) {
   log.silly('preinstall', packageId(pkg))
-  lifecycle(pkg.package, 'preinstall', moduleStagingPath(staging, pkg), false, false, next)
+  lifecycle(pkg.package, 'preinstall', pkg.path, false, false, next)
 }

deps/npm/lib/install/action/refresh-package-json.js

@@ -10,13 +10,13 @@ module.exports = function (staging, pkg, log) {
 
   return readJson(path.join(pkg.path, 'package.json'), false).then((metadata) => {
     Object.keys(pkg.package).forEach(function (key) {
-      if (key !== '_injectedFromShrinkwrap' && !isEmpty(pkg.package[key])) {
+      if (!isEmpty(pkg.package[key])) {
         metadata[key] = pkg.package[key]
-        if (key === '_resolved' && metadata[key] == null && pkg.package._injectedFromShrinkwrap) {
-          metadata[key] = pkg.package._injectedFromShrinkwrap.resolved
-        }
       }
     })
+    if (metadata._resolved == null && pkg.fakeChild) {
+      metadata._resolved = pkg.fakeChild.resolved
+    }
     // These two sneak in and it's awful
     delete metadata.readme
     delete metadata.readmeFilename

deps/npm/lib/install/deps.js

@@ -183,7 +183,9 @@ function packageRelativePath (tree) {
   if (!tree) return ''
   var requested = tree.package._requested || {}
   var isLocal = requested.type === 'directory' || requested.type === 'file'
-  return isLocal ? requested.fetchSpec : tree.path
+  return isLocal ? requested.fetchSpec
+       : (tree.isLink || tree.isInLink) && !preserveSymlinks() ? tree.realpath
+       : tree.path
 }
 
 function matchingDep (tree, name) {
@@ -227,14 +229,24 @@ exports.loadRequestedDeps = function (args, tree, saveToDependencies, log, next)
       }
       var childName = moduleName(child)
       child.saveSpec = computeVersionSpec(tree, child)
-      if (saveToDependencies) {
-        tree.package[getSaveType(tree, child)][childName] = child.saveSpec
-      }
-      if (getSaveType(tree, child) === 'optionalDependencies') {
-        tree.package.dependencies[childName] = child.saveSpec
-      }
       child.userRequired = true
-      child.save = saveToDependencies
+      child.save = getSaveType(tree, child)
+      const types = ['dependencies', 'devDependencies', 'optionalDependencies']
+      if (child.save) {
+        tree.package[child.save][childName] = child.saveSpec
+        // Astute readers might notice that this exact same code exists in
+        // save.js under a different guise. That code is responsible for deps
+        // being removed from the final written `package.json`. The removal in
+        // this function is specifically to prevent "installed as both X and Y"
+        // warnings when moving an existing dep between different dep fields.
+        //
+        // Or, try it by removing this loop, and do `npm i -P x && npm i -D x`
+        for (let saveType of types) {
+          if (child.save !== saveType) {
+            delete tree.package[saveType][childName]
+          }
+        }
+      }
 
       // For things the user asked to install, that aren't a dependency (or
       // won't be when we're done), flag it as "depending" on the user
@@ -246,9 +258,17 @@ exports.loadRequestedDeps = function (args, tree, saveToDependencies, log, next)
   }, andForEachChild(loadDeps, andFinishTracker(log, next)))
 }
 
+module.exports.computeVersionSpec = computeVersionSpec
 function computeVersionSpec (tree, child) {
   validate('OO', arguments)
-  var requested = child.package._requested
+  var requested
+  if (child.package._requested) {
+    requested = child.package._requested
+  } else if (child.package._from) {
+    requested = npa(child.package._from)
+  } else {
+    requested = npa.resolve(child.package.name, child.package.version)
+  }
   if (requested.registry) {
     var version = child.package.version
     var rangeDescriptor = ''
@@ -275,26 +295,38 @@ function noModuleNameMatches (name) {
 
 // while this implementation does not require async calling, doing so
 // gives this a consistent interface with loadDeps et al
-exports.removeDeps = function (args, tree, saveToDependencies, log, next) {
-  validate('AOOF', [args, tree, log, next])
-  args.forEach(function (pkg) {
+exports.removeDeps = function (args, tree, saveToDependencies, next) {
+  validate('AOSF|AOZF', [args, tree, saveToDependencies, next])
+  for (let pkg of args) {
     var pkgName = moduleName(pkg)
     var toRemove = tree.children.filter(moduleNameMatches(pkgName))
     var pkgToRemove = toRemove[0] || createChild({package: {name: pkgName}})
-    if (tree.isTop) {
-      if (saveToDependencies) {
-        pkgToRemove.save = getSaveType(tree, pkg)
-        delete tree.package[pkgToRemove.save][pkgName]
-        if (pkgToRemove.save === 'optionalDependencies') {
-          delete tree.package.dependencies[pkgName]
-        }
-        replaceModuleByPath(tree, 'removed', pkgToRemove)
+    var saveType = getSaveType(tree, pkg) || 'dependencies'
+    if (tree.isTop && saveToDependencies) {
+      pkgToRemove.save = saveType
+    }
+    if (tree.package[saveType][pkgName]) {
+      delete tree.package[saveType][pkgName]
+      if (saveType === 'optionalDependencies' && tree.package.dependencies[pkgName]) {
+        delete tree.package.dependencies[pkgName]
       }
-      pkgToRemove.requiredBy = pkgToRemove.requiredBy.filter((parent) => parent !== tree)
     }
-    if (pkgToRemove.requiredBy.length === 0) removeObsoleteDep(pkgToRemove)
-  })
-  log.finish()
+    replaceModuleByPath(tree, 'removedChildren', pkgToRemove)
+    for (let parent of pkgToRemove.requiredBy) {
+      parent.requires = parent.requires.filter((child) => child !== pkgToRemove)
+    }
+    pkgToRemove.requiredBy = pkgToRemove.requiredBy.filter((parent) => parent !== tree)
+  }
+  next()
+}
+exports.removeExtraneous = function (args, tree, next) {
+  for (let pkg of args) {
+    var pkgName = moduleName(pkg)
+    var toRemove = tree.children.filter(moduleNameMatches(pkgName))
+    if (toRemove.length) {
+      removeObsoleteDep(toRemove[0])
+    }
+  }
   next()
 }
 
@@ -639,6 +671,13 @@ var findRequirement = exports.findRequirement = function (tree, name, requested,
   return findRequirement(tree.parent, name, requested, requestor)
 }
 
+function preserveSymlinks () {
+  if (!('NODE_PRESERVE_SYMLINKS' in process.env)) return false
+  const value = process.env.NODE_PRESERVE_SYMLINKS
+  if (value == null || value === '' || value === 'false' || value === 'no' || value === '0') return false
+  return true
+}
+
 // Find the highest level in the tree that we can install this module in.
 // If the module isn't installed above us yet, that'd be the very top.
 // If it is, then it's the level below where its installed.
@@ -670,7 +709,7 @@ var earliestInstallable = exports.earliestInstallable = function (requiredBy, tr
 
   var devDeps = tree.package.devDependencies || {}
   if (tree.isTop && devDeps[pkg.name]) {
-    var requested = npa.resolve(pkg.name, devDeps[pkg.name], tree.path)
+    var requested = childDependencySpecifier(tree, pkg.name, devDeps[pkg.name])
     if (!doesChildVersionMatch({package: pkg}, requested, tree)) {
       return null
     }
@@ -684,7 +723,7 @@ var earliestInstallable = exports.earliestInstallable = function (requiredBy, tr
   if (npm.config.get('global-style') && tree.parent.isTop) return tree
   if (npm.config.get('legacy-bundling')) return tree
 
-  if (!process.env.NODE_PRESERVE_SYMLINKS && /^[.][.][\\/]/.test(path.relative(tree.parent.realpath, tree.realpath))) return tree
+  if (!preserveSymlinks() && /^[.][.][\\/]/.test(path.relative(tree.parent.realpath, tree.realpath))) return tree
 
   return (earliestInstallable(requiredBy, tree.parent, pkg) || tree)
 }

deps/npm/lib/install/inflate-shrinkwrap.js

@@ -2,10 +2,10 @@
 
 const BB = require('bluebird')
 
-const addBundled = BB.promisify(require('../fetch-package-metadata.js').addBundled)
+let addBundled
 const childPath = require('../utils/child-path.js')
 const createChild = require('./node.js').create
-const fetchPackageMetadata = BB.promisify(require('../fetch-package-metadata.js'))
+let fetchPackageMetadata
 const inflateBundled = require('./inflate-bundled.js')
 const moduleName = require('../utils/module-name.js')
 const normalizePackageData = require('normalize-package-data')
@@ -14,17 +14,28 @@ const realizeShrinkwrapSpecifier = require('./realize-shrinkwrap-specifier.js')
 const validate = require('aproba')
 const path = require('path')
 
-module.exports = function (tree, swdeps, finishInflating) {
-  if (!npm.config.get('shrinkwrap')) return finishInflating()
+module.exports = function (tree, swdeps, opts, finishInflating) {
+  if (!fetchPackageMetadata) {
+    fetchPackageMetadata = BB.promisify(require('../fetch-package-metadata.js'))
+    addBundled = BB.promisify(fetchPackageMetadata.addBundled)
+  }
+  if (!npm.config.get('shrinkwrap') || !npm.config.get('package-lock')) {
+    return finishInflating()
+  }
+  if (arguments.length === 3) {
+    finishInflating = opts
+    opts = {}
+  }
   tree.loaded = true
-  return inflateShrinkwrap(tree.path, tree, swdeps).then(
+  return inflateShrinkwrap(tree.path, tree, swdeps, opts).then(
     () => finishInflating(),
     finishInflating
   )
 }
 
-function inflateShrinkwrap (topPath, tree, swdeps) {
-  validate('SOO', arguments)
+function inflateShrinkwrap (topPath, tree, swdeps, opts) {
+  validate('SOO|SOOO', arguments)
+  if (!opts) opts = {}
   const onDisk = {}
   tree.children.forEach((child) => {
     onDisk[moduleName(child)] = child
@@ -43,7 +54,7 @@ function inflateShrinkwrap (topPath, tree, swdeps) {
     const dependencies = sw.dependencies || {}
     const requested = realizeShrinkwrapSpecifier(name, sw, topPath)
     return inflatableChild(
-      onDisk[name], name, topPath, tree, sw, requested
+      onDisk[name], name, topPath, tree, sw, requested, opts
     ).then((child) => {
       return inflateShrinkwrap(topPath, child, dependencies)
     })
@@ -58,8 +69,8 @@ function normalizePackageDataNoErrors (pkg) {
   }
 }
 
-function inflatableChild (onDiskChild, name, topPath, tree, sw, requested) {
-  validate('OSSOOO|ZSSOOO', arguments)
+function inflatableChild (onDiskChild, name, topPath, tree, sw, requested, opts) {
+  validate('OSSOOOO|ZSSOOOO', arguments)
   if (onDiskChild && childIsEquivalent(sw, requested, onDiskChild)) {
     // The version on disk matches the shrinkwrap entry.
     if (!onDiskChild.fromShrinkwrap) onDiskChild.fromShrinkwrap = true
@@ -77,7 +88,7 @@ function inflatableChild (onDiskChild, name, topPath, tree, sw, requested) {
     normalizePackageDataNoErrors(onDiskChild.package)
     tree.children.push(onDiskChild)
     return BB.resolve(onDiskChild)
-  } else if (sw.version && sw.integrity) {
+  } else if (opts.fakeChildren !== false && sw.version && sw.integrity) {
     // The shrinkwrap entry has an integrity field. We can fake a pkg to get
     // the installer to do a content-address fetch from the cache, if possible.
     return BB.resolve(makeFakeChild(name, topPath, tree, sw, requested))
@@ -101,8 +112,7 @@ function makeFakeChild (name, topPath, tree, sw, requested) {
     _from: from,
     _spec: requested.rawSpec,
     _where: topPath,
-    _args: [[requested.toString(), topPath]],
-    _injectedFromShrinkwrap: sw
+    _args: [[requested.toString(), topPath]]
   }
   let bundleAdded = BB.resolve()
   if (Object.keys(sw.dependencies || {}).some((d) => {
@@ -118,6 +128,7 @@ function makeFakeChild (name, topPath, tree, sw, requested) {
       parent: tree,
       children: pkg._bundled || [],
       fromShrinkwrap: true,
+      fakeChild: sw,
       fromBundle: sw.bundled ? tree.fromBundle || tree : null,
       path: childPath(tree.path, pkg),
       realpath: childPath(tree.realpath, pkg),

deps/npm/lib/install/is-extraneous.js

@@ -6,14 +6,6 @@ function isExtraneous (tree) {
   return result
 }
 
-function isNotRequired (tree) {
-  return tree.requiredBy && tree.requiredBy.length === 0
-}
-
-function parentHasNoPjson (tree) {
-  return tree.parent && tree.parent.isTop && tree.parent.error
-}
-
 function topHasNoPjson (tree) {
   var top = tree
   while (!top.isTop) top = top.parent
@@ -24,8 +16,6 @@ function isNotExtraneous (tree, isCycle) {
   if (!isCycle) isCycle = {}
   if (tree.isTop || tree.userRequired) {
     return true
-  } else if (isNotRequired(tree) && parentHasNoPjson(tree)) {
-    return true
   } else if (isCycle[tree.path]) {
     return topHasNoPjson(tree)
   } else {

deps/npm/lib/install/mutate-into-logical-tree.js

@@ -7,6 +7,7 @@ var isExtraneous = require('./is-extraneous.js')
 var validateAllPeerDeps = require('./deps.js').validateAllPeerDeps
 var packageId = require('../utils/package-id.js')
 var moduleName = require('../utils/module-name.js')
+var npm = require('../npm.js')
 
 // Return true if tree is a part of a cycle that:
 //   A) Never connects to the top of the tree
@@ -128,7 +129,7 @@ function translateTree_ (tree, seen) {
   pkg.path = tree.path
 
   pkg.error = tree.error
-  pkg.extraneous = isExtraneous(tree)
+  pkg.extraneous = !tree.isTop && (!tree.parent.isTop || !tree.parent.error) && !npm.config.get('global') && isExtraneous(tree)
   if (tree.target && tree.parent && !tree.parent.target) pkg.link = tree.realpath
   return pkg
 }

deps/npm/lib/install/read-shrinkwrap.js

@@ -9,7 +9,6 @@ const log = require('npmlog')
 const parseJSON = require('../utils/parse-json.js')
 const path = require('path')
 const PKGLOCK_VERSION = require('../npm.js').lockfileVersion
-const pkgSri = require('../utils/package-integrity.js')
 
 const readFileAsync = BB.promisify(fs.readFile)
 
@@ -34,14 +33,6 @@ function readShrinkwrap (child, next) {
           throw ex
         }
       }
-      if (
-        pkgJson &&
-        parsed &&
-        parsed.packageIntegrity &&
-        !pkgSri.check(JSON.parse(pkgJson), parsed.packageIntegrity)
-      ) {
-        log.info('read-shrinkwrap', `${name} will be updated because package.json does not match what it was generated against.`)
-      }
       if (parsed && parsed.lockfileVersion !== PKGLOCK_VERSION) {
         log.warn('read-shrinkwrap', `This version of npm is compatible with lockfileVersion@${PKGLOCK_VERSION}, but ${name} was generated for lockfileVersion@${parsed.lockfileVersion || 0}. I'll try to do my best with it!`)
       }
@@ -56,10 +47,14 @@ function maybeReadFile (name, child) {
   ).catch({code: 'ENOENT'}, () => null)
 }
 
-module.exports.andInflate = function (child, next) {
+module.exports.andInflate = function (child, opts, next) {
+  if (arguments.length === 2) {
+    next = opts
+    opts = {}
+  }
   readShrinkwrap(child, iferr(next, function () {
     if (child.package._shrinkwrap) {
-      return inflateShrinkwrap(child, child.package._shrinkwrap.dependencies || {}, next)
+      return inflateShrinkwrap(child, child.package._shrinkwrap.dependencies || {}, opts, next)
     } else {
       return next()
     }