.github/dependabot.yml

@@ -4,9 +4,10 @@ version: 2
 
 updates:
   - package-ecosystem: npm
-    directory: "/"
+    directory: /
     schedule:
       interval: daily
+    target-branch: "main"
     allow:
       - dependency-type: direct
     versioning-strategy: increase-if-necessary

.github/matchers/tap.json

@@ -0,0 +1,32 @@
+{
+  "//@npmcli/template-oss": "This file is automatically added by @npmcli/template-oss. Do not edit.",
+  "problemMatcher": [
+    {
+      "owner": "tap",
+      "pattern": [
+        {
+          "regexp": "^\\s*not ok \\d+ - (.*)",
+          "message": 1
+        },
+        {
+          "regexp": "^\\s*---"
+        },
+        {
+          "regexp": "^\\s*at:"
+        },
+        {
+          "regexp": "^\\s*line:\\s*(\\d+)",
+          "line": 1
+        },
+        {
+          "regexp": "^\\s*column:\\s*(\\d+)",
+          "column": 1
+        },
+        {
+          "regexp": "^\\s*file:\\s*(.*)",
+          "file": 1
+        }
+      ]
+    }
+  ]
+}

.github/settings.yml

@@ -1,2 +1,27 @@
----
-_extends: '.github:npm-cli/settings.yml'
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+repository:
+  allow_merge_commit: false
+  allow_rebase_merge: true
+  allow_squash_merge: true
+  squash_merge_commit_title: PR_TITLE
+  squash_merge_commit_message: PR_BODY
+  delete_branch_on_merge: true
+  enable_automated_security_fixes: true
+  enable_vulnerability_alerts: true
+
+branches:
+  - name: main
+    protection:
+      required_status_checks: null
+      enforce_admins: true
+      block_creations: true
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        require_code_owner_reviews: true
+        require_last_push_approval: true
+        dismiss_stale_reviews: true
+      restrictions:
+        apps: []
+        users: []
+        teams: [ "cli-team" ]

.github/workflows/audit.yml

@@ -5,23 +5,79 @@ name: Audit
 on:
   workflow_dispatch:
   schedule:
-    # "At 01:00 on Monday" https://crontab.guru/#0_1_*_*_1
-    - cron: "0 1 * * 1"
+    # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
+    - cron: "0 8 * * 1"
 
 jobs:
   audit:
+    name: Audit Dependencies
+    if: github.repository_owner == 'npm'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 20.x
+          check-latest: contains('20.x', '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
-      - run: npm audit
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+      - name: Run Production Audit
+        run: npm audit --omit=dev
+      - name: Run Full Audit
+        run: npm audit --audit-level=none

.github/workflows/ci-release.yml

@@ -0,0 +1,289 @@
+# This file is automatically added by @npmcli/template-oss. Do not edit.
+
+name: CI - Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        required: true
+        type: string
+        default: main
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+      check-sha:
+        required: true
+        type: string
+
+jobs:
+  lint-all:
+    name: Lint All
+    if: github.repository_owner == 'npm'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Get Workflow Job
+        uses: actions/github-script@v6
+        if: inputs.check-sha
+        id: check-output
+        env:
+          JOB_NAME: "Lint All"
+          MATRIX_NAME: ""
+        with:
+          script: |
+            const { owner, repo } = context.repo
+
+            const { data } = await github.rest.actions.listJobsForWorkflowRun({
+              owner,
+              repo,
+              run_id: context.runId,
+              per_page: 100
+            })
+
+            const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME
+            const job = data.jobs.find(j => j.name.endsWith(jobName))
+            const jobUrl = job?.html_url
+
+            const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}`
+
+            let summary = `This check is assosciated with ${shaUrl}\n\n`
+
+            if (jobUrl) {
+              summary += `For run logs, click here: ${jobUrl}`
+            } else {
+              summary += `Run logs could not be found for a job with name: "${jobName}"`
+            }
+
+            return { summary }
+      - name: Create Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        id: check
+        if: inputs.check-sha
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          status: in_progress
+          name: Lint All
+          sha: ${{ inputs.check-sha }}
+          output: ${{ steps.check-output.outputs.result }}
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Setup Git User
+        run: |
+          git config --global user.email "npm-cli+bot@github.com"
+          git config --global user.name "npm CLI robot"
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
+        with:
+          node-version: 20.x
+          check-latest: contains('20.x', '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
+        run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Lint
+        run: npm run lint --ignore-scripts
+      - name: Post Lint
+        run: npm run postlint --ignore-scripts
+      - name: Conclude Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        if: steps.check.outputs.check_id && always()
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          conclusion: ${{ job.status }}
+          check_id: ${{ steps.check.outputs.check_id }}
+
+  test-all:
+    name: Test All - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
+    if: github.repository_owner == 'npm'
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - name: Linux
+            os: ubuntu-latest
+            shell: bash
+          - name: macOS
+            os: macos-latest
+            shell: bash
+          - name: Windows
+            os: windows-latest
+            shell: cmd
+        node-version:
+          - 16.14.0
+          - 16.x
+          - 18.0.0
+          - 18.x
+          - 20.x
+    runs-on: ${{ matrix.platform.os }}
+    defaults:
+      run:
+        shell: ${{ matrix.platform.shell }}
+    steps:
+      - name: Get Workflow Job
+        uses: actions/github-script@v6
+        if: inputs.check-sha
+        id: check-output
+        env:
+          JOB_NAME: "Test All"
+          MATRIX_NAME: " - ${{ matrix.platform.name }} - ${{ matrix.node-version }}"
+        with:
+          script: |
+            const { owner, repo } = context.repo
+
+            const { data } = await github.rest.actions.listJobsForWorkflowRun({
+              owner,
+              repo,
+              run_id: context.runId,
+              per_page: 100
+            })
+
+            const jobName = process.env.JOB_NAME + process.env.MATRIX_NAME
+            const job = data.jobs.find(j => j.name.endsWith(jobName))
+            const jobUrl = job?.html_url
+
+            const shaUrl = `${context.serverUrl}/${owner}/${repo}/commit/${{ inputs.check-sha }}`
+
+            let summary = `This check is assosciated with ${shaUrl}\n\n`
+
+            if (jobUrl) {
+              summary += `For run logs, click here: ${jobUrl}`
+            } else {
+              summary += `Run logs could not be found for a job with name: "${jobName}"`
+            }
+
+            return { summary }
+      - name: Create Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        id: check
+        if: inputs.check-sha
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          status: in_progress
+          name: Test All - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
+          sha: ${{ inputs.check-sha }}
+          output: ${{ steps.check-output.outputs.result }}
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Setup Git User
+        run: |
+          git config --global user.email "npm-cli+bot@github.com"
+          git config --global user.name "npm CLI robot"
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
+        with:
+          node-version: ${{ matrix.node-version }}
+          check-latest: contains(matrix.node-version, '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
+        run: npm i --prefer-online --no-fund --no-audit -g npm@latest
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Add Problem Matcher
+        run: echo "::add-matcher::.github/matchers/tap.json"
+      - name: Test
+        run: npm test --ignore-scripts
+      - name: Conclude Check
+        uses: LouisBrunner/checks-action@v1.6.0
+        if: steps.check.outputs.check_id && always()
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          conclusion: ${{ job.status }}
+          check_id: ${{ steps.check.outputs.check_id }}

.github/workflows/ci.yml

@@ -5,82 +5,175 @@ name: CI
 on:
   workflow_dispatch:
   pull_request:
-    branches:
-      - '*'
   push:
     branches:
       - main
-      - latest
   schedule:
-    # "At 02:00 on Monday" https://crontab.guru/#0_2_*_*_1
-    - cron: "0 2 * * 1"
+    # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
+    - cron: "0 9 * * 1"
 
 jobs:
   lint:
+    name: Lint
+    if: github.repository_owner == 'npm'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 20.x
+          check-latest: contains('20.x', '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund
-      - run: npm run lint
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Lint
+        run: npm run lint --ignore-scripts
+      - name: Post Lint
+        run: npm run postlint --ignore-scripts
 
   test:
+    name: Test - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
+    if: github.repository_owner == 'npm'
     strategy:
       fail-fast: false
       matrix:
-        node-version:
-          - 12.13.0
-          - 12.x
-          - 14.15.0
-          - 14.x
-          - 16.0.0
-          - 16.x
         platform:
-          - os: ubuntu-latest
+          - name: Linux
+            os: ubuntu-latest
             shell: bash
-          - os: macos-latest
+          - name: macOS
+            os: macos-latest
             shell: bash
-          - os: windows-latest
+          - name: Windows
+            os: windows-latest
             shell: cmd
+        node-version:
+          - 16.14.0
+          - 16.x
+          - 18.0.0
+          - 18.x
+          - 20.x
     runs-on: ${{ matrix.platform.os }}
     defaults:
       run:
         shell: ${{ matrix.platform.shell }}
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Update to workable npm (windows)
-        # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows
-        if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.'))
+          check-latest: contains(matrix.node-version, '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
         run: |
           curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
           tar xf npm-7.5.4.tgz
           cd package
           node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
           cd ..
           rmdir /s /q package
-      - name: Update npm to 7
-        # If we do test on npm 10 it needs npm7
-        if: startsWith(matrix.node-version, '10.')
-        run: npm i --prefer-online --no-fund --no-audit -g npm@7
-      - name: Update npm to latest
-        if: ${{ !startsWith(matrix.node-version, '10.') }}
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - run: npm i --ignore-scripts --no-audit --no-fund
-      - run: npm test --ignore-scripts
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Add Problem Matcher
+        run: echo "::add-matcher::.github/matchers/tap.json"
+      - name: Test
+        run: npm test --ignore-scripts

.github/workflows/codeql-analysis.yml

@@ -1,20 +1,17 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
     branches:
       - main
-      - latest
   pull_request:
-    # The branches below must be a subset of the branches above
     branches:
       - main
-      - latest
   schedule:
-    # "At 03:00 on Monday" https://crontab.guru/#0_3_*_*_1
-    - cron: "0 3 * * 1"
+    # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
+    - cron: "0 10 * * 1"
 
 jobs:
   analyze:
@@ -24,21 +21,16 @@ jobs:
       actions: read
       contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ javascript ]
-
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
-          languages: ${{ matrix.language }}
+          languages: javascript
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2

.github/workflows/post-dependabot.yml

@@ -1,43 +1,165 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-name: Post Dependabot Actions
+name: Post Dependabot
 
 on: pull_request
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: write
 
 jobs:
-  template-oss-apply:
+  template-oss:
+    name: template-oss
+    if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: Setup git user
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 20.x
+          check-latest: contains('20.x', '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - name: Dependabot metadata
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Fetch Dependabot Metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
+        uses: dependabot/fetch-metadata@v1
         with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: npm install and commit
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Dependabot can update multiple directories so we output which directory
+      # it is acting on so we can run the command for the correct root or workspace
+      - name: Get Dependabot Directory
         if: contains(steps.metadata.outputs.dependency-names, '@npmcli/template-oss')
+        id: flags
+        run: |
+          dependabot_dir="${{ steps.metadata.outputs.directory }}"
+          if [[ "$dependabot_dir" == "/" ]]; then
+            echo "workspace=-iwr" >> $GITHUB_OUTPUT
+          else
+            # strip leading slash from directory so it works as a
+            # a path to the workspace flag
+            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Apply Changes
+        if: steps.flags.outputs.workspace
+        id: apply
+        run: |
+          npm run template-oss-apply ${{ steps.flags.outputs.workspace }}
+          if [[ `git status --porcelain` ]]; then
+            echo "changes=true" >> $GITHUB_OUTPUT
+          fi
+          # This only sets the conventional commit prefix. This workflow can't reliably determine
+          # what the breaking change is though. If a BREAKING CHANGE message is required then
+          # this PR check will fail and the commit will be amended with stafftools
+          if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then
+            prefix='feat!'
+          else
+            prefix='chore'
+          fi
+          echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT
+
+      # This step will fail if template-oss has made any workflow updates. It is impossible
+      # for a workflow to update other workflows. In the case it does fail, we continue
+      # and then try to apply only a portion of the changes in the next step
+      - name: Push All Changes
+        if: steps.apply.outputs.changes
+        id: push
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git commit -am "${{ steps.apply.outputs.message }}"
+          git push
+
+      # If the previous step failed, then reset the commit and remove any workflow changes
+      # and attempt to commit and push again. This is helpful because we will have a commit
+      # with the correct prefix that we can then --amend with @npmcli/stafftools later.
+      - name: Push All Changes Except Workflows
+        if: steps.apply.outputs.changes && steps.push.outcome == 'failure'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh pr checkout ${{ github.event.pull_request.number }}
-          npm install --ignore-scripts --no-audit --no-fund
-          npm run template-oss-apply
-          git add .
-          git commit -am "chore: postinstall for dependabot template-oss PR"
+          git reset HEAD~
+          git checkout HEAD -- .github/workflows/
+          git clean -fd .github/workflows/
+          git commit -am "${{ steps.apply.outputs.message }}"
           git push
-          npm run lint
+
+      # Check if all the necessary template-oss changes were applied. Since we continued
+      # on errors in one of the previous steps, this check will fail if our follow up
+      # only applied a portion of the changes and we need to followup manually.
+      #
+      # Note that this used to run `lint` and `postlint` but that will fail this action
+      # if we've also shipped any linting changes separate from template-oss. We do
+      # linting in another action, so we want to fail this one only if there are
+      # template-oss changes that could not be applied.
+      - name: Check Changes
+        if: steps.apply.outputs.changes
+        run: |
+          npm exec --offline ${{ steps.flags.outputs.workspace }} -- template-oss-check
+
+      - name: Fail on Breaking Change
+        if: steps.apply.outputs.changes && startsWith(steps.apply.outputs.message, 'feat!')
+        run: |
+          echo "This PR has a breaking change. Run 'npx -p @npmcli/stafftools gh template-oss-fix'"
+          echo "for more information on how to fix this with a BREAKING CHANGE footer."
+          exit 1

.github/workflows/pull-request.yml

@@ -1,6 +1,6 @@
 # This file is automatically added by @npmcli/template-oss. Do not edit.
 
-name: Pull Request Linting
+name: Pull Request
 
 on:
   pull_request:
@@ -11,28 +11,84 @@ on:
       - synchronize
 
 jobs:
-  check:
-    name: Check PR Title or Commits
+  commitlint:
+    name: Lint Commits
+    if: github.repository_owner == 'npm'
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Setup git user
+      - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
           git config --global user.name "npm CLI robot"
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        id: node
         with:
-          node-version: 16.x
-      - name: Update npm to latest
+          node-version: 20.x
+          check-latest: contains('20.x', '.x')
+
+      # node 10/12/14 ship with npm@6, which is known to fail when updating itself in windows
+      - name: Update Windows npm
+        if: |
+          matrix.platform.os == 'windows-latest' && (
+            startsWith(steps.node.outputs.node-version, 'v10.') || startsWith(steps.node.outputs.node-version, 'v12.') || startsWith(steps.node.outputs.node-version, 'v14.')
+          )
+        run: |
+          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
+          tar xf npm-7.5.4.tgz
+          cd package
+          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
+          cd ..
+          rmdir /s /q package
+
+      # Start on Node 10 because we dont test on anything lower
+      - name: Install npm@7 on Node 10
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v10.')
+        id: npm-7
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@7
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@8 on Node 12
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v12.')
+        id: npm-8
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@8
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@9 on Node 14/16/18.0
+        shell: bash
+        if: startsWith(steps.node.outputs.node-version, 'v14.') || startsWith(steps.node.outputs.node-version, 'v16.') || startsWith(steps.node.outputs.node-version, 'v18.0.')
+        id: npm-9
+        run: |
+          npm i --prefer-online --no-fund --no-audit -g npm@9
+          echo "updated=true" >> "$GITHUB_OUTPUT"
+
+      - name: Install npm@latest on Node
+        if: ${{ !(steps.npm-7.outputs.updated || steps.npm-8.outputs.updated || steps.npm-9.outputs.updated) }}
         run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - run: npm -v
-      - name: Install deps
-        run: npm i -D @commitlint/cli @commitlint/config-conventional
-      - name: Check commits OR PR title
+
+      - name: npm Version
+        run: npm -v
+      - name: Install Dependencies
+        run: npm i --ignore-scripts --no-audit --no-fund
+      - name: Run Commitlint on Commits
+        id: commit
+        continue-on-error: true
+        run: |
+          npx --offline commitlint -V --from 'origin/${{ github.base_ref }}' --to ${{ github.event.pull_request.head.sha }}
+      - name: Run Commitlint on PR Title
+        if: steps.commit.outcome == 'failure'
         env:
           PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
-          npx --offline commitlint -V --from origin/main --to ${{ github.event.pull_request.head.sha }} \
-            || echo $PR_TITLE | npx --offline commitlint -V
+          echo "$PR_TITLE" | npx --offline commitlint -V

.gitignore

@@ -4,23 +4,26 @@
 /*
 
 # keep these
-!/.eslintrc.local.*
 !**/.gitignore
-!/docs/
-!/tap-snapshots/
-!/test/
-!/map.js
-!/scripts/
-!/README*
-!/LICENSE*
-!/CHANGELOG*
 !/.commitlintrc.js
 !/.eslintrc.js
+!/.eslintrc.local.*
 !/.github/
 !/.gitignore
 !/.npmrc
-!/CODE_OF_CONDUCT.md
-!/SECURITY.md
+!/.release-please-manifest.json
 !/bin/
+!/CHANGELOG*
+!/CODE_OF_CONDUCT.md
+!/CONTRIBUTING.md
+!/docs/
 !/lib/
+!/LICENSE*
+!/map.js
 !/package.json
+!/README*
+!/release-please-config.json
+!/scripts/
+!/SECURITY.md
+!/tap-snapshots/
+!/test/

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "7.0.2"
+}

CHANGELOG.md

@@ -1,5 +1,110 @@
 # Changelog
 
+## [7.0.2](https://github.com/npm/run-script/compare/v7.0.1...v7.0.2) (2023-10-29)
+
+### Dependencies
+
+* [`30623cf`](https://github.com/npm/run-script/commit/30623cf3b6f119a765a9a869623715f69643ec25) [#177](https://github.com/npm/run-script/pull/177) bump node-gyp from 9.4.1 to 10.0.0
+
+## [7.0.1](https://github.com/npm/run-script/compare/v7.0.0...v7.0.1) (2023-08-30)
+
+### Dependencies
+
+* [`f61fd84`](https://github.com/npm/run-script/commit/f61fd84cd799ba22351e97f7983684d9f8b1319e) [#159](https://github.com/npm/run-script/pull/159) bump @npmcli/promise-spawn from 6.0.2 to 7.0.0
+
+## [7.0.0](https://github.com/npm/run-script/compare/v6.0.2...v7.0.0) (2023-08-30)
+
+### ⚠️ BREAKING CHANGES
+
+* support for node 14 has been removed
+
+### Bug Fixes
+
+* [`e1b1a3c`](https://github.com/npm/run-script/commit/e1b1a3c49370f60783879de9b228cbb2c0faeb2a) [#157](https://github.com/npm/run-script/pull/157) drop node14 support (@wraithgar)
+
+### Dependencies
+
+* [`a8045a9`](https://github.com/npm/run-script/commit/a8045a9d08a5a8440f7f2b3406a3c5142fcad5d1) [#157](https://github.com/npm/run-script/pull/157) bump which from 3.0.1 to 4.0.0
+
+## [6.0.2](https://github.com/npm/run-script/compare/v6.0.1...v6.0.2) (2023-05-08)
+
+### Bug Fixes
+
+* [`545f3be`](https://github.com/npm/run-script/commit/545f3be94d412941537ad0011717933d48cb58cf) [#142](https://github.com/npm/run-script/pull/142) handle signals more correctly (#142) (@nlf)
+
+### Documentation
+
+* [`581be58`](https://github.com/npm/run-script/commit/581be58e689930cc1b832f510b971a111e27ff6a) [#141](https://github.com/npm/run-script/pull/141) fix syntax in example (#141) (@kas-elvirov)
+
+## [6.0.1](https://github.com/npm/run-script/compare/v6.0.0...v6.0.1) (2023-04-27)
+
+### Bug Fixes
+
+* [`3a8f085`](https://github.com/npm/run-script/commit/3a8f0854bff739653ca704d2d8cfd4e4682dcc4e) [#147](https://github.com/npm/run-script/pull/147) remove unused dependency on minipass (#147) (@nlf)
+
+## [6.0.0](https://github.com/npm/run-script/compare/v5.1.1...v6.0.0) (2022-11-02)
+
+### ⚠️ BREAKING CHANGES
+
+* `stdioString` is no longer set to `false` by default. Instead it is not set and passed directory to `@npmcli/promise-spawn` which defaults it to `true`.
+
+### Features
+
+* [`34ecf46`](https://github.com/npm/run-script/commit/34ecf46524fb8585223795ff7bb37a89f995762d) [#134](https://github.com/npm/run-script/pull/134) dont set a default for `stdioString` (@lukekarrys)
+
+## [5.1.1](https://github.com/npm/run-script/compare/v5.1.0...v5.1.1) (2022-11-01)
+
+### Dependencies
+
+* [`40706eb`](https://github.com/npm/run-script/commit/40706eb573f969aaa65e4ab45a21edeab39130ca) [#132](https://github.com/npm/run-script/pull/132) `which@3.0.0` (#132)
+
+## [5.1.0](https://github.com/npm/run-script/compare/v5.0.1...v5.1.0) (2022-11-01)
+
+### Features
+
+* [`45f2301`](https://github.com/npm/run-script/commit/45f2301931ba7686fa0a4b1a1d69ecc1892fdf85) let @npmcli/promise-spawn do the escaping (@nlf)
+
+### Dependencies
+
+* [`71c20af`](https://github.com/npm/run-script/commit/71c20af2e414691733ef7592baff6f11a14d8b32) [#130](https://github.com/npm/run-script/pull/130) `@npmcli/promise-spawn@6.0.0`
+
+## [5.0.1](https://github.com/npm/run-script/compare/v5.0.0...v5.0.1) (2022-10-26)
+
+### Dependencies
+
+* [`1bfadcb`](https://github.com/npm/run-script/commit/1bfadcb1abadf316f229f4cad5a3bb8a623fd21a) [#127](https://github.com/npm/run-script/pull/127) bump @npmcli/promise-spawn from 4.0.0 to 5.0.0 (#127)
+
+## [5.0.0](https://github.com/npm/run-script/compare/v4.2.1...v5.0.0) (2022-10-14)
+
+### ⚠️ BREAKING CHANGES
+
+* `@npmcli/run-script` is now compatible with the following semver range for node: `^14.17.0 || ^16.13.0 || >=18.0.0`
+
+### Features
+
+* [`891cb2a`](https://github.com/npm/run-script/commit/891cb2af4b65d23db28acfae62d028faaef6bddd) [#113](https://github.com/npm/run-script/pull/113) postinstall for dependabot template-oss PR (@lukekarrys)
+
+### Dependencies
+
+* [`d41405e`](https://github.com/npm/run-script/commit/d41405ea56350581f11378160e4b03a42ab0c393) [#121](https://github.com/npm/run-script/pull/121) bump @npmcli/node-gyp from 2.0.0 to 3.0.0 (#121)
+* [`5fc0e27`](https://github.com/npm/run-script/commit/5fc0e2737ee92a1983a251dd4c8aa1d8768f3226) [#123](https://github.com/npm/run-script/pull/123) bump @npmcli/promise-spawn from 3.0.0 to 4.0.0
+* [`132b84b`](https://github.com/npm/run-script/commit/132b84bbfd617d156118cb3469fa5cb3c9d7c958) [#120](https://github.com/npm/run-script/pull/120) bump read-package-json-fast from 2.0.3 to 3.0.0
+
+## [4.2.1](https://github.com/npm/run-script/compare/v4.2.0...v4.2.1) (2022-08-09)
+
+
+### Bug Fixes
+
+* add arguments back to the logged banner ([#102](https://github.com/npm/run-script/issues/102)) ([8e08311](https://github.com/npm/run-script/commit/8e08311358a9f7c361e191b728eaada53eba607b))
+* remove the temp file entirely ([#98](https://github.com/npm/run-script/issues/98)) ([82ef491](https://github.com/npm/run-script/commit/82ef49184eb494175582f2f4d6f359519b09edfb))
+
+## [4.2.0](https://github.com/npm/run-script/compare/v4.1.7...v4.2.0) (2022-08-01)
+
+
+### Features
+
+* add binPaths param ([#99](https://github.com/npm/run-script/issues/99)) ([27cc108](https://github.com/npm/run-script/commit/27cc108d1553170f4a274da608b44c8ad550037c))
+
 ## [4.1.7](https://github.com/npm/run-script/compare/v4.1.6...v4.1.7) (2022-07-12)
 
 

CONTRIBUTING.md

@@ -0,0 +1,50 @@
+<!-- This file is automatically added by @npmcli/template-oss. Do not edit. -->
+
+# Contributing
+
+## Code of Conduct
+
+All interactions in the **npm** organization on GitHub are considered to be covered by our standard [Code of Conduct](https://docs.npmjs.com/policies/conduct).
+
+## Reporting Bugs
+
+Before submitting a new bug report please search for an existing or similar report.
+
+Use one of our existing issue templates if you believe you've come across a unique problem.
+
+Duplicate issues, or issues that don't use one of our templates may get closed without a response.
+
+## Pull Request Conventions
+
+### Commits
+
+We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).
+
+When opening a pull request please be sure that either the pull request title, or each commit in the pull request, has one of the following prefixes:
+
+ - `feat`: For when introducing a new feature.  The result will be a new semver minor version of the package when it is next published.
+ - `fix`: For bug fixes. The result will be a new semver patch version of the package when it is next published.
+ - `docs`: For documentation updates.  The result will be a new semver patch version of the package when it is next published.
+ - `chore`: For changes that do not affect the published module.  Often these are changes to tests.  The result will be *no* change to the version of the package when it is next published (as the commit does not affect the published version).
+
+### Test Coverage
+
+Pull requests made against this repo will run `npm test` automatically.  Please make sure tests pass locally before submitting a PR.
+
+Every new feature or bug fix should come with a corresponding test or tests that validate the solutions. Testing also reports on code coverage and will fail if code coverage drops.
+
+### Linting
+
+Linting is also done automatically once tests pass.  `npm run lintfix` will fix most linting errors automatically.
+
+Please make sure linting passes before submitting a PR.
+
+## What _not_ to contribute?
+
+### Dependencies
+
+It should be noted that our team does not accept third-party dependency updates/PRs.  If you submit a PR trying to update our dependencies we will close it with or without a reference to these contribution guidelines.
+
+### Tools/Automation
+
+Our core team is responsible for the maintenance of the tooling/automation in this project and we ask contributors to not make changes to these when contributing (e.g. `.github/*`, `.eslintrc.json`, `.licensee.json`).  Most of those files also have a header at the top to remind folks they are automatically generated.  Pull requests that alter these will not be accepted.

README.md

@@ -17,12 +17,22 @@ runScript({
   // required, the folder where the package lives
   path: '/path/to/package/folder',
 
+  // optional, these paths will be put at the beginning of `$PATH`, even
+  // after run-script adds the node_modules/.bin folder(s) from
+  // `process.cwd()`. This is for commands like `npm init`, `npm exec`,
+  // and `npx` to make sure manually installed  packages come before
+  // anything that happens to be in the tree in `process.cwd()`.
+  binPaths: [
+    '/path/to/npx/node_modules/.bin',
+    '/path/to/npm/prefix/node_modules/.bin',
+  ],
+
   // optional, defaults to /bin/sh on unix, or cmd.exe on windows
   scriptShell: '/bin/bash',
 
-  // optional, defaults to false
+  // optional, passed directly to `@npmcli/promise-spawn` which defaults it to true
   // return stdout and stderr as strings rather than buffers
-  stdioString: true,
+  stdioString: false,
 
   // optional, additional environment variables to add
   // note that process.env IS inherited by default
@@ -111,8 +121,9 @@ terminal, then it is up to the user to end it, of course.
   the result/error object.
 - `cmd` Optional.  Override the script from the `package.json` with
   something else, which will be run in an otherwise matching environment.
-- `stdioString` Optional, defaults to `false`.  Return string values for
-  `stderr` and `stdout` rather than Buffers.
+- `stdioString` Optional, passed directly to `@npmcli/promise-spawn` which
+  defaults it to `true`.  Return string values for `stderr` and `stdout` rather
+  than Buffers.
 - `banner` Optional, defaults to `true`.  If the `stdio` option is set to
   `'inherit'`, then print a banner with the package name and version, event
   name, and script command to be run.  Set explicitly to `false` to disable

SECURITY.md

@@ -1,3 +1,13 @@
 <!-- This file is automatically added by @npmcli/template-oss. Do not edit. -->
 
-Please send vulnerability reports through [hackerone](https://hackerone.com/github).
+GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
+
+If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. 
+
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com).
+
+If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Thanks for helping make GitHub safe for everyone.

lib/make-spawn-args.js

@@ -1,33 +1,22 @@
 /* eslint camelcase: "off" */
-const isWindows = require('./is-windows.js')
 const setPATH = require('./set-path.js')
-const { unlinkSync: unlink, writeFileSync: writeFile } = require('fs')
-const { tmpdir } = require('os')
 const { resolve } = require('path')
-const which = require('which')
 const npm_config_node_gyp = require.resolve('node-gyp/bin/node-gyp.js')
-const escape = require('./escape.js')
-const { randomBytes } = require('crypto')
-
-const translateWinPathToPosix = (path) => {
-  return path
-    .replace(/^([A-z]):/, '/$1')
-    .replace(/\\/g, '/')
-}
 
 const makeSpawnArgs = options => {
   const {
     event,
     path,
-    scriptShell = isWindows ? process.env.ComSpec || 'cmd' : 'sh',
+    scriptShell = true,
+    binPaths,
     env = {},
     stdio,
     cmd,
     args = [],
-    stdioString = false,
+    stdioString,
   } = options
 
-  const spawnEnv = setPATH(path, {
+  const spawnEnv = setPATH(path, binPaths, {
     // we need to at least save the PATH environment var
     ...process.env,
     ...env,
@@ -37,73 +26,15 @@ const makeSpawnArgs = options => {
     npm_config_node_gyp,
   })
 
-  const fileName = escape.filename(`${event}-${randomBytes(4).toString('hex')}`)
-  let scriptFile
-  let script = ''
-
-  const isCmd = /(?:^|\\)cmd(?:\.exe)?$/i.test(scriptShell)
-  if (isCmd) {
-    let initialCmd = ''
-    let insideQuotes = false
-    for (let i = 0; i < cmd.length; ++i) {
-      const char = cmd.charAt(i)
-      if (char === ' ' && !insideQuotes) {
-        break
-      }
-
-      initialCmd += char
-      if (char === '"' || char === "'") {
-        insideQuotes = !insideQuotes
-      }
-    }
-
-    let pathToInitial
-    try {
-      pathToInitial = which.sync(initialCmd, {
-        path: spawnEnv.path,
-        pathext: spawnEnv.pathext,
-      }).toLowerCase()
-    } catch (err) {
-      pathToInitial = initialCmd.toLowerCase()
-    }
-
-    const doubleEscape = pathToInitial.endsWith('.cmd') || pathToInitial.endsWith('.bat')
-
-    scriptFile = resolve(tmpdir(), `${fileName}.cmd`)
-    script += '@echo off\n'
-    script += cmd
-    if (args.length) {
-      script += ` ${args.map((arg) => escape.cmd(arg, doubleEscape)).join(' ')}`
-    }
-  } else {
-    scriptFile = resolve(tmpdir(), `${fileName}.sh`)
-    script = cmd
-    if (args.length) {
-      script += ` ${args.map((arg) => escape.sh(arg)).join(' ')}`
-    }
-  }
-
-  writeFile(scriptFile, script)
-  const spawnArgs = isCmd
-    ? ['/d', '/s', '/c', escape.cmd(scriptFile)]
-    : [isWindows ? translateWinPathToPosix(scriptFile) : scriptFile]
-
   const spawnOpts = {
     env: spawnEnv,
     stdioString,
     stdio,
     cwd: path,
-    ...(isCmd ? { windowsVerbatimArguments: true } : {}),
-  }
-
-  const cleanup = () => {
-    // delete the script, this is just a best effort
-    try {
-      unlink(scriptFile)
-    } catch (err) {}
+    shell: scriptShell,
   }
 
-  return [scriptShell, spawnArgs, spawnOpts, cleanup]
+  return [cmd, args, spawnOpts]
 }
 
 module.exports = makeSpawnArgs

lib/run-script-pkg.js

@@ -6,19 +6,29 @@ const signalManager = require('./signal-manager.js')
 const isServerPackage = require('./is-server-package.js')
 
 // you wouldn't like me when I'm angry...
-const bruce = (id, event, cmd) =>
-  `\n> ${id ? id + ' ' : ''}${event}\n> ${cmd.trim().replace(/\n/g, '\n> ')}\n`
+const bruce = (id, event, cmd, args) => {
+  let banner = id
+    ? `\n> ${id} ${event}\n`
+    : `\n> ${event}\n`
+  banner += `> ${cmd.trim().replace(/\n/g, '\n> ')}`
+  if (args.length) {
+    banner += ` ${args.join(' ')}`
+  }
+  banner += '\n'
+  return banner
+}
 
 const runScriptPkg = async options => {
   const {
     event,
     path,
     scriptShell,
+    binPaths = false,
     env = {},
     stdio = 'pipe',
     pkg,
     args = [],
-    stdioString = false,
+    stdioString,
     // note: only used when stdio:inherit
     banner = true,
     // how long to wait for a process.kill signal
@@ -51,13 +61,14 @@ const runScriptPkg = async options => {
 
   if (stdio === 'inherit' && banner !== false) {
     // we're dumping to the parent's stdout, so print the banner
-    console.log(bruce(pkg._id, event, cmd))
+    console.log(bruce(pkg._id, event, cmd, args))
   }
 
-  const [spawnShell, spawnArgs, spawnOpts, cleanup] = makeSpawnArgs({
+  const [spawnShell, spawnArgs, spawnOpts] = makeSpawnArgs({
     event,
     path,
     scriptShell,
+    binPaths,
     env: packageEnvs(env, pkg),
     stdio,
     cmd,
@@ -83,15 +94,19 @@ const runScriptPkg = async options => {
   return p.catch(er => {
     const { signal } = er
     if (stdio === 'inherit' && signal) {
+      // by the time we reach here, the child has already exited. we send the
+      // signal back to ourselves again so that npm will exit with the same
+      // status as the child
       process.kill(process.pid, signal)
+
       // just in case we don't die, reject after 500ms
       // this also keeps the node process open long enough to actually
       // get the signal, rather than terminating gracefully.
       return new Promise((res, rej) => setTimeout(() => rej(er), signalTimeout))
     } else {
       throw er
     }
-  }).finally(cleanup)
+  })
 }
 
 module.exports = runScriptPkg

lib/set-path.js

@@ -1,24 +1,24 @@
-const { resolve, dirname } = require('path')
-const isWindows = require('./is-windows.js')
+const { resolve, dirname, delimiter } = require('path')
 // the path here is relative, even though it does not need to be
 // in order to make the posix tests pass in windows
 const nodeGypPath = resolve(__dirname, '../lib/node-gyp-bin')
 
 // Windows typically calls its PATH environ 'Path', but this is not
 // guaranteed, nor is it guaranteed to be the only one.  Merge them
 // all together in the order they appear in the object.
-const setPATH = (projectPath, env) => {
-  // not require('path').delimiter, because we fake this for testing
-  const delimiter = isWindows ? ';' : ':'
+const setPATH = (projectPath, binPaths, env) => {
   const PATH = Object.keys(env).filter(p => /^path$/i.test(p) && env[p])
     .map(p => env[p].split(delimiter))
     .reduce((set, p) => set.concat(p.filter(concatted => !set.includes(concatted))), [])
     .join(delimiter)
 
   const pathArr = []
+  if (binPaths) {
+    pathArr.push(...binPaths)
+  }
   // unshift the ./node_modules/.bin from every folder
   // walk up until dirname() does nothing, at the root
-  // XXX should we specify a cwd that we don't go above?
+  // XXX we should specify a cwd that we don't go above
   let p = projectPath
   let pp
   do {

lib/signal-manager.js

@@ -1,17 +1,19 @@
 const runningProcs = new Set()
 let handlersInstalled = false
 
+// NOTE: these signals aren't actually forwarded anywhere. they're trapped and
+// ignored until all child processes have exited. in our next breaking change
+// we should rename this
 const forwardedSignals = [
   'SIGINT',
   'SIGTERM',
 ]
 
-const handleSignal = signal => {
-  for (const proc of runningProcs) {
-    proc.kill(signal)
-  }
-}
-
+// no-op, this is so receiving the signal doesn't cause us to exit immediately
+// instead, we exit after all children have exited when we re-send the signal
+// to ourselves. see the catch handler at the bottom of run-script-pkg.js
+// istanbul ignore next - this function does nothing
+const handleSignal = () => {}
 const setupListeners = () => {
   for (const signal of forwardedSignals) {
     process.on(signal, handleSignal)

package.json

@@ -1,14 +1,11 @@
 {
   "name": "@npmcli/run-script",
-  "version": "4.1.7",
+  "version": "7.0.2",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
   "author": "GitHub Inc.",
   "license": "ISC",
   "scripts": {
     "test": "tap",
-    "preversion": "npm test",
-    "postversion": "npm publish",
-    "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
     "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
@@ -18,18 +15,17 @@
     "template-oss-apply": "template-oss-apply --force"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.5.0",
-    "minipass": "^3.1.6",
+    "@npmcli/eslint-config": "^4.0.0",
+    "@npmcli/template-oss": "4.19.0",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
   },
   "dependencies": {
-    "@npmcli/node-gyp": "^2.0.0",
-    "@npmcli/promise-spawn": "^3.0.0",
-    "node-gyp": "^9.0.0",
-    "read-package-json-fast": "^2.0.3",
-    "which": "^2.0.2"
+    "@npmcli/node-gyp": "^3.0.0",
+    "@npmcli/promise-spawn": "^7.0.0",
+    "node-gyp": "^10.0.0",
+    "read-package-json-fast": "^3.0.0",
+    "which": "^4.0.0"
   },
   "files": [
     "bin/",
@@ -41,10 +37,17 @@
     "url": "https://github.com/npm/run-script.git"
   },
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+    "node": "^16.14.0 || >=18.0.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.5.0"
+    "version": "4.19.0",
+    "publish": "true"
+  },
+  "tap": {
+    "nyc-arg": [
+      "--exclude",
+      "tap-snapshots/**"
+    ]
   }
 }

release-please-config.json

@@ -0,0 +1,36 @@
+{
+  "exclude-packages-from-root": true,
+  "group-pull-request-title-pattern": "chore: release ${version}",
+  "pull-request-title-pattern": "chore: release${component} ${version}",
+  "changelog-sections": [
+    {
+      "type": "feat",
+      "section": "Features",
+      "hidden": false
+    },
+    {
+      "type": "fix",
+      "section": "Bug Fixes",
+      "hidden": false
+    },
+    {
+      "type": "docs",
+      "section": "Documentation",
+      "hidden": false
+    },
+    {
+      "type": "deps",
+      "section": "Dependencies",
+      "hidden": false
+    },
+    {
+      "type": "chore",
+      "hidden": true
+    }
+  ],
+  "packages": {
+    ".": {
+      "package-name": ""
+    }
+  }
+}

test/run-script-pkg.js

@@ -55,11 +55,12 @@ t.test('pkg has server.js, start not specified', async t => {
     },
   })
   t.strictSame(res, ['sh', ['-c', 'node server.js'], {
-    stdioString: false,
+    stdioString: undefined,
     event: 'start',
     path,
     scriptShell: 'sh',
     args: [],
+    binPaths: false,
     env: {
       environ: 'value',
     },
@@ -83,14 +84,15 @@ t.test('pkg has server.js, start not specified, with args', async t => {
       environ: 'value',
     },
     args: ['a', 'b', 'c'],
+    binPaths: false,
     stdio: 'pipe',
     pkg: {
       _id: 'foo@1.2.3',
       scripts: {},
     },
   })
   t.strictSame(res, ['sh', ['-c', 'node server.js'], {
-    stdioString: false,
+    stdioString: undefined,
     event: 'start',
     path,
     scriptShell: 'sh',
@@ -100,6 +102,7 @@ t.test('pkg has server.js, start not specified, with args', async t => {
     stdio: 'pipe',
     cmd: 'node server.js',
     args: ['a', 'b', 'c'],
+    binPaths: false,
   }, {
     event: 'start',
     script: 'node server.js',
@@ -127,11 +130,12 @@ t.test('pkg has no foo script, but custom cmd provided', t => runScriptPkg({
     scripts: {},
   },
 }).then(res => t.strictSame(res, ['sh', ['-c', 'bar'], {
-  stdioString: false,
+  stdioString: undefined,
   event: 'foo',
   path: 'path',
   scriptShell: 'sh',
   args: [],
+  binPaths: false,
   env: {
     environ: 'value',
   },
@@ -163,11 +167,12 @@ t.test('do the banner when stdio is inherited, handle line breaks', t => {
       scripts: {},
     },
   }).then(res => t.strictSame(res, ['sh', ['-c', 'bar\nbaz\n'], {
-    stdioString: false,
+    stdioString: undefined,
     event: 'foo',
     path: 'path',
     scriptShell: 'sh',
     args: [],
+    binPaths: false,
     env: {
       environ: 'value',
     },
@@ -201,11 +206,12 @@ t.test('do not show banner when stdio is inherited, if suppressed', t => {
     },
     banner: false,
   }).then(res => t.strictSame(res, ['sh', ['-c', 'bar'], {
-    stdioString: false,
+    stdioString: undefined,
     event: 'foo',
     path: 'path',
     scriptShell: 'sh',
     args: [],
+    binPaths: false,
     env: {
       environ: 'value',
     },
@@ -233,26 +239,28 @@ t.test('do the banner with no pkgid', t => {
     },
     stdio: 'inherit',
     cmd: 'bar',
+    args: ['baz', 'buzz'],
     pkg: {
       scripts: {},
     },
   }).then(res => t.strictSame(res, ['sh', ['-c', 'bar'], {
-    stdioString: false,
+    stdioString: undefined,
     event: 'foo',
     path: 'path',
     scriptShell: 'sh',
-    args: [],
+    binPaths: false,
     env: {
       environ: 'value',
     },
     stdio: 'inherit',
     cmd: 'bar',
+    args: ['baz', 'buzz'],
   }, {
     event: 'foo',
     script: 'bar',
     path: 'path',
     pkgid: undefined,
-  }])).then(() => t.strictSame(logs, [['\n> foo\n> bar\n']]))
+  }])).then(() => t.strictSame(logs, [['\n> foo\n> bar baz buzz\n']]))
 })
 
 t.test('pkg has foo script', t => runScriptPkg({
@@ -270,11 +278,12 @@ t.test('pkg has foo script', t => runScriptPkg({
     },
   },
 }).then(res => t.strictSame(res, ['sh', ['-c', 'bar'], {
-  stdioString: false,
+  stdioString: undefined,
   event: 'foo',
   path: 'path',
   scriptShell: 'sh',
   args: [],
+  binPaths: false,
   env: {
     environ: 'value',
   },
@@ -302,12 +311,14 @@ t.test('pkg has foo script, with args', t => runScriptPkg({
     },
   },
   args: ['a', 'b', 'c'],
+  binPaths: false,
 }).then(res => t.strictSame(res, ['sh', ['-c', 'bar'], {
-  stdioString: false,
+  stdioString: undefined,
   event: 'foo',
   path: 'path',
   scriptShell: 'sh',
   args: ['a', 'b', 'c'],
+  binPaths: false,
   env: {
     environ: 'value',
   },
@@ -346,10 +357,11 @@ t.test('pkg has no install or preinstall script, but node-gyp files are present'
       path: 'path',
       scriptShell: 'sh',
       args: [],
+      binPaths: false,
       env: { environ: 'value' },
       stdio: 'pipe',
       cmd: 'node-gyp rebuild',
-      stdioString: false,
+      stdioString: undefined,
     },
     {
       event: 'install',
@@ -410,7 +422,7 @@ t.test('end stdin if present', async t => {
     env: {},
     stdio: 'pipe',
     cmd: 'cat',
-    stdioString: false,
+    stdioString: undefined,
   }, {
     event: 'cat',
     script: 'cat',

test/set-path.js

@@ -1,69 +1,53 @@
 const t = require('tap')
-const requireInject = require('require-inject')
-const isWindows = require('../lib/is-windows.js')
+const { resolve, delimiter } = require('path').posix
 
-if (!process.env.__FAKE_TESTING_PLATFORM__) {
-  const fake = isWindows ? 'posix' : 'win32'
-  t.spawn(process.execPath, [__filename, fake], { env: {
-    ...process.env,
-    __FAKE_TESTING_PLATFORM__: fake,
-  } })
-}
+const setPATH = t.mock('../lib/set-path.js', {
+  // Always use posix path functions so tests are consistent
+  path: require('path').posix,
+})
 
-if (isWindows) {
-  const setPATH = requireInject('../lib/set-path.js', {
-    path: require('path').win32,
-  })
-  const expect = [
-    'c:\\x\\y\\z\\node_modules\\a\\node_modules\\b\\node_modules\\.bin',
-    'c:\\x\\y\\z\\node_modules\\a\\node_modules\\node_modules\\.bin',
-    'c:\\x\\y\\z\\node_modules\\a\\node_modules\\.bin',
-    'c:\\x\\y\\z\\node_modules\\node_modules\\.bin',
-    'c:\\x\\y\\z\\node_modules\\.bin',
-    'c:\\x\\y\\node_modules\\.bin',
-    'c:\\x\\node_modules\\.bin',
-    'c:\\node_modules\\.bin',
-    require('path').win32.resolve(__dirname, '../lib/node-gyp-bin'),
-    'c:\\usr\\local\\bin',
-    'c:\\usr\\local\\sbin',
-    'c:\\usr\\bin',
-    'c:\\usr\\sbin',
-    'c:\\bin',
-    'c:\\sbin',
-  ].join(';')
-  t.strictSame(setPATH('c:\\x\\y\\z\\node_modules\\a\\node_modules\\b', {
+const paths = [
+  '/x/y/z/node_modules/a/node_modules/b/node_modules/.bin',
+  '/x/y/z/node_modules/a/node_modules/node_modules/.bin',
+  '/x/y/z/node_modules/a/node_modules/.bin',
+  '/x/y/z/node_modules/node_modules/.bin',
+  '/x/y/z/node_modules/.bin',
+  '/x/y/node_modules/.bin',
+  '/x/node_modules/.bin',
+  '/node_modules/.bin',
+  resolve(__dirname, '../lib/node-gyp-bin'),
+  '/usr/local/bin',
+  '/usr/local/sbin',
+  '/usr/bin',
+  '/usr/sbin',
+  '/bin',
+  '/sbin',
+]
+t.test('no binPaths', async t => {
+  const projectPath = '/x/y/z/node_modules/a/node_modules/b'
+  t.strictSame(setPATH(projectPath, false, {
     foo: 'bar',
-    PATH: 'c:\\usr\\local\\bin;c:\\usr\\local\\sbin',
-    Path: 'c:\\usr\\local\\bin;c:\\usr\\bin;c:\\usr\\sbin;c:\\bin;c:\\sbin',
+    PATH: '/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin',
   }), {
     foo: 'bar',
-    PATH: expect,
-    Path: expect,
+    PATH: paths.join(delimiter),
   })
-} else {
-  const setPATH = requireInject('../lib/set-path.js', {
-    path: require('path').posix,
-  })
-  t.strictSame(setPATH('/x/y/z/node_modules/a/node_modules/b', {
+})
+
+t.test('binPaths end up at beginning of PATH', async t => {
+  const projectPath = '/x/y/z/node_modules/a/node_modules/b'
+  const binPaths = [
+    '/q/r/s/node_modules/.bin',
+    '/t/u/v/node_modules/.bin',
+  ]
+  t.strictSame(setPATH(projectPath, binPaths, {
     foo: 'bar',
     PATH: '/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin',
   }), {
     foo: 'bar',
-    PATH:
-      '/x/y/z/node_modules/a/node_modules/b/node_modules/.bin:' +
-      '/x/y/z/node_modules/a/node_modules/node_modules/.bin:' +
-      '/x/y/z/node_modules/a/node_modules/.bin:' +
-      '/x/y/z/node_modules/node_modules/.bin:' +
-      '/x/y/z/node_modules/.bin:' +
-      '/x/y/node_modules/.bin:' +
-      '/x/node_modules/.bin:' +
-      '/node_modules/.bin:' +
-      require('path').posix.resolve(__dirname, '../lib/node-gyp-bin') + ':' +
-      '/usr/local/bin:' +
-      '/usr/local/sbin:' +
-      '/usr/bin:' +
-      '/usr/sbin:' +
-      '/bin:' +
-      '/sbin',
+    PATH: [
+      ...binPaths,
+      ...paths,
+    ].join(delimiter),
   })
-}
+})

test/signal-manager.js

@@ -44,24 +44,3 @@ test('adds only one handler for each signal, removes handlers when children have
 
   t.end()
 })
-
-test('forwards signals to child process', t => {
-  const proc = new EventEmitter()
-  proc.kill = (signal) => {
-    t.equal(signal, signalManager.forwardedSignals[0], 'child receives correct signal')
-    proc.emit('exit', 0)
-    for (const forwarded of signalManager.forwardedSignals) {
-      t.equal(
-        process.listeners(forwarded).includes(signalManager.handleSignal),
-        false, 'listener has been removed')
-    }
-    t.end()
-  }
-
-  signalManager.add(proc)
-  // passing the signal name here is necessary to fake the effects of actually
-  // receiving the signal per nodejs documentation signal handlers receive the
-  // name of the signal as their first parameter
-  // https://nodejs.org/api/process.html#process_signal_events
-  process.emit(signalManager.forwardedSignals[0], signalManager.forwardedSignals[0])
-})