.commitlintrc.js

@@ -0,0 +1,10 @@
+/* This file is automatically added by @npmcli/template-oss. Do not edit. */
+
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    'type-enum': [2, 'always', ['feat', 'fix', 'docs', 'deps', 'chore']],
+    'header-max-length': [2, 'always', 80],
+    'subject-case': [0, 'always', ['lower-case', 'sentence-case', 'start-case']],
+  },
+}

.eslintrc.js

@@ -1,3 +1,7 @@
+/* This file is automatically added by @npmcli/template-oss. Do not edit. */
+
+'use strict'
+
 const { readdirSync: readdir } = require('fs')
 
 const localConfigs = readdir(__dirname)
@@ -6,6 +10,13 @@ const localConfigs = readdir(__dirname)
 
 module.exports = {
   root: true,
+  ignorePatterns: [
+    'docs/**',
+    'smoke-tests/**',
+    'mock-globals/**',
+    'mock-registry/**',
+    'workspaces/**',
+  ],
   extends: [
     '@npmcli',
     ...localConfigs,

.eslintrc.local.js

@@ -0,0 +1,37 @@
+const { resolve, relative } = require('path')
+
+// Create an override to lockdown a file to es6 syntax only
+// and only allow it to require an allowlist of files
+const rel = (p) => relative(__dirname, resolve(__dirname, p))
+const braces = (a) => a.length > 1 ? `{${a.map(rel).join(',')}}` : a[0]
+
+const es6Files = (e) => Object.entries(e).map(([file, allow]) => ({
+  files: `./${rel(file)}`,
+  parserOptions: {
+    ecmaVersion: 6,
+  },
+  rules: Array.isArray(allow) ? {
+    'node/no-restricted-require': ['error', [{
+      name: ['/**', `!${__dirname}/${braces(allow)}`],
+      message: `This file can only require: ${allow.join(',')}`,
+    }]],
+  } : {},
+}))
+
+module.exports = {
+  rules: {
+    'no-console': 'error',
+  },
+  overrides: es6Files({
+    'index.js': ['lib/cli.js'],
+    'bin/npm-cli.js': ['lib/cli.js'],
+    'lib/cli.js': ['lib/es6/validate-engines.js'],
+    'lib/es6/validate-engines.js': ['package.json'],
+    // TODO: This file should also have its requires restricted as well since it
+    // is an entry point but it currently pulls in config definitions which have
+    // a large require graph, so that is not currently feasible. A future config
+    // refactor should keep that in mind and see if only config definitions can
+    // be exported in a way that is compatible with ES6.
+    'bin/npx-cli.js': null,
+  }),
+}

.gitattributes

@@ -1,2 +1,27 @@
-/node_modules/**    linguist-generated=false
-/package-lock.json  linguist-generated=false
+# normalize all line endings by default
+* text=auto
+
+# our shell/bin scripts always need to be LF
+/bin/* text eol=lf
+/workspaces/arborist/bin/index.js text eol=lf
+/configure text eol=lf
+
+# our cmd scripts always need to be CRLF
+/bin/*.cmd text eol=crlf
+
+# ignore all line endings in node_modules since we dont control that
+/node_modules/** -text
+
+# the files we write should be LF so they can be generated cross platform
+/node_modules/.gitignore text eol=lf
+/workspaces/arborist/test/fixtures/.gitignore text eol=lf
+/DEPENDENCIES.md text eol=lf
+/AUTHORS text eol=lf
+
+# fixture tarballs should be treated as binary
+/workspaces/*/test/fixtures/**/*.tgz binary
+
+# these hint to GitHub to show these files as not generated so they default to
+# showing the full diff in pull requests
+/node_modules/** linguist-generated=false
+/package-lock.json linguist-generated=false

.github/CODEOWNERS

@@ -1 +1,3 @@
-*	@npm/cli-team
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+* @npm/cli-team

.github/ISSUE_TEMPLATE/bug_9.yml

@@ -0,0 +1,63 @@
+name: 🐞 Bug v9
+description: File a bug/issue against v9.x
+title: "[BUG] <title>"
+labels: [Bug, Needs Triage, Release 9.x]
+body:
+- type: checkboxes
+  attributes:
+    label: Is there an existing issue for this?
+    description: Please [search here](https://github.com/npm/cli/issues) to see if an issue already exists for your problem.
+    options:
+    - label: I have searched the existing issues
+      required: true
+- type: checkboxes
+  attributes:
+    label: This issue exists in the latest npm version
+    description: Please make sure you have installed the latest npm and verified it is still an issue.
+    options:
+    - label: I am using the latest npm
+      required: true
+- type: textarea
+  attributes:
+    label: Current Behavior
+    description: A clear & concise description of what you're experiencing.
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Expected Behavior
+    description: A clear & concise description of what you expected to happen.
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Steps To Reproduce
+    description: Steps to reproduce the behavior.
+    value: |
+      1. In this environment...
+      2. With this config...
+      3. Run '...'
+      4. See error...
+  validations:
+    required: false
+- type: textarea
+  attributes:
+    label: Environment
+    description: |
+      examples:
+        - **`npm -v`**: **npm**: 7.6.3
+        - **`node -v`**: **Node.js**: 13.14.0
+        - **OS Name**: Ubuntu 20.04
+        - **System Model Name**: Macbook Pro
+        - **`npm config ls`**: `; "user" config from ...`
+    value: |
+        - npm:
+        - Node.js:
+        - OS Name:
+        - System Model Name:
+        - npm config:
+        ```ini
+        ; copy and paste output from `npm config ls` here
+        ```
+  validations:
+    required: false

.github/matchers/tap.json

@@ -0,0 +1,32 @@
+{
+  "//@npmcli/template-oss": "This file is automatically added by @npmcli/template-oss. Do not edit.",
+  "problemMatcher": [
+    {
+      "owner": "tap",
+      "pattern": [
+        {
+          "regexp": "^\\s*not ok \\d+ - (.*)",
+          "message": 1
+        },
+        {
+          "regexp": "^\\s*---"
+        },
+        {
+          "regexp": "^\\s*at:"
+        },
+        {
+          "regexp": "^\\s*line:\\s*(\\d+)",
+          "line": 1
+        },
+        {
+          "regexp": "^\\s*column:\\s*(\\d+)",
+          "column": 1
+        },
+        {
+          "regexp": "^\\s*file:\\s*(.*)",
+          "file": 1
+        }
+      ]
+    }
+  ]
+}

.github/workflows/audit.yml

@@ -0,0 +1,39 @@
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+name: Audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
+    - cron: "0 8 * * 1"
+
+jobs:
+  audit:
+    name: Audit Dependencies
+    if: github.repository_owner == 'npm'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
+        run: |
+          git config --global user.email "npm-cli+bot@github.com"
+          git config --global user.name "npm CLI robot"
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+          cache: npm
+          check-latest: true
+      - name: Check Git Status
+        run: node scripts/git-dirty.js
+      - name: Reset Deps
+        run: node scripts/resetdeps.js --package-lock
+      - name: Run Production Audit
+        run: node . audit --omit=dev
+      - name: Run Full Audit
+        run: node . audit --audit-level=none

.github/workflows/benchmark.yml

@@ -12,7 +12,7 @@ on:
       - edited
 
 jobs:
-  pull-request:
+  trigger-benchmark:
     runs-on: ubuntu-latest
     steps:
       - name: Incoming Pull Request
@@ -21,33 +21,51 @@ jobs:
             github.event_name == 'issue_comment' &&
             github.event.issue.pull_request &&
             github.event.issue.state == 'open' &&
-            startsWith(github.event.comment.body, '@npm-robot benchmark this')
+            startsWith(github.event.comment.body, '@npm-cli-bot benchmark this')
           )
         env:
           # gh cli uses these env vars for owner/repo/token
           GH_REPO: "npm/benchmarks"
-          GITHUB_TOKEN: ${{ secrets.NPM_BENCHMARKS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.BENCHMARK_DISPATCH_TOKEN }}
         run: |
-          if [[ "$GITHUB_TOKEN" == "" ]]; then
-            echo "No auth - from fork pull request, exiting"
-            exit 0
-          fi
-
           EVENT_NAME="${{ github.event_name }}"
           OWNER="${{ github.event.repository.owner.login }}"
           REPO="${{ github.event.repository.name }}"
           PR=""
 
           if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            if [[ "$GITHUB_TOKEN" == "" ]]; then
+              echo "No auth - from fork pull request, exiting"
+              exit 0
+            fi
             PR="${{ github.event.pull_request.number }}"
           else
             PR="${{ github.event.issue.number }}"
-            SENDER="${{ github.event.issue.sender.login }}"
+            SENDER="${{ github.event.comment.user.login }}"
             ROLE=$(gh api repos/${OWNER}/${REPO}/collaborators/${SENDER}/permission -q '.permission')
-            if [[ "$ROLE" != "admin"]]; then
+
+            if [[ "$ROLE" != "admin" ]]; then
               echo "${SENDER} is ${ROLE}, not an admin, exiting"
               exit 0
             fi
+
+            # add emoji to comment if user is an admin to signal
+            # benchmark is running
+            COMMENT_NODE_ID="${{ github.event.comment.node_id }}"
+            QUERY='mutation ($inputData:AddReactionInput!) {
+              addReaction (input:$inputData) {
+                reaction { content }
+              }
+            }'
+            echo '{
+              "query": "'${QUERY}'",
+              "variables": {
+                "inputData": {
+                  "subjectId": "'"${COMMENT_NODE_ID}"'",
+                  "content": "ROCKET"
+                }
+              }
+            }' | gh api graphql --input -
           fi
 
           EVENT="${EVENT_NAME} ${OWNER}/${REPO}#${PR}"
@@ -59,42 +77,3 @@ jobs:
               "owner": "'"$OWNER"'"
             }
           }' | gh api repos/{owner}/{repo}/dispatches --input -
-
-  comment:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Incoming Comment
-        if: |
-          github.event_name == 'issue_comment' &&
-          github.event.issue.pull_request &&
-          github.event.issue.state == 'open' &&
-          startsWith(github.event.comment.body, '@npm-robot benchmark this')
-        env:
-          # gh cli uses this env var as the token
-          GITHUB_TOKEN: ${{ secrets.NPM_BENCHMARKS_TOKEN }}
-        run: |
-          OWNER="${{ github.event.repository.owner.login }}"
-          REPO="${{ github.event.repository.name }}"
-          SENDER="${{ github.event.issue.sender.login }}"
-          ROLE=$(gh api repos/${OWNER}/${REPO}/collaborators/${SENDER}/permission -q '.permission')
-          if [[ "$ROLE" != "admin"]]; then
-            echo "${SENDER} is ${ROLE}, not an admin, exiting"
-            exit 0
-          fi
-
-          COMMENT_NODE_ID="${{ github.event.comment.node_id }}"
-          QUERY='mutation ($inputData:AddReactionInput!) {
-            addReaction (input:$inputData) {
-              reaction { content }
-            }
-          }'
-          echo '{
-            "query": "'${QUERY}'",
-            "variables": {
-              "inputData": {
-                "subjectId": "'"${COMMENT_NODE_ID}"'",
-                "content": "ROCKET"
-              }
-            }
-          }' | gh api graphql --input -
-