23 files changed, 125 insertions, 64 deletions
diff --git a/deps/npm/lib/ci.js b/deps/npm/lib/ci.js
index 1fbb28b570..309ad2f784 100644
--- a/deps/npm/lib/ci.js
+++ b/deps/npm/lib/ci.js
@@ -1,8 +1,9 @@
 'use strict'
 
+const npm = require('./npm.js')
 const Installer = require('libcipm')
-const npmConfig = require('./config/figgy-config.js')
-const npmlog = require('npmlog')
+const log = require('npmlog')
+const path = require('path')
 
 ci.usage = 'npm ci'
 
@@ -10,8 +11,33 @@ ci.completion = (cb) => cb(null, [])
 
 module.exports = ci
 function ci (args, cb) {
-  return new Installer(npmConfig({ log: npmlog })).run().then(details => {
-    npmlog.disableProgress()
+  const opts = {
+    // Add some non-npm-config opts by hand.
+    cache: path.join(npm.config.get('cache'), '_cacache'),
+    // NOTE: npm has some magic logic around color distinct from the config
+    // value, so we have to override it here
+    color: !!npm.color,
+    hashAlgorithm: 'sha1',
+    includeDeprecated: false,
+    log,
+    'npm-session': npm.session,
+    'project-scope': npm.projectScope,
+    refer: npm.referer,
+    dmode: npm.modes.exec,
+    fmode: npm.modes.file,
+    umask: npm.modes.umask,
+    npmVersion: npm.version,
+    tmp: npm.tmp
+  }
+
+  for (const key in npm.config.list[0]) {
+    if (key !== 'log') {
+      opts[key] = npm.config.list[0][key]
+    }
+  }
+
+  return new Installer(opts).run().then(details => {
+    log.disableProgress()
     console.log(`added ${details.pkgCount} packages in ${
       details.runTime / 1000
     }s`)
diff --git a/deps/npm/lib/config.js b/deps/npm/lib/config.js
index 0d4161d3b5..5f9819879b 100644
--- a/deps/npm/lib/config.js
+++ b/deps/npm/lib/config.js
@@ -11,7 +11,7 @@ var ini = require('ini')
 var editor = require('editor')
 var os = require('os')
 var path = require('path')
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 var umask = require('./utils/umask')
 var usage = require('./utils/usage')
 var output = require('./utils/output')
diff --git a/deps/npm/lib/config/core.js b/deps/npm/lib/config/core.js
index b9851f98d0..36420b3450 100644
--- a/deps/npm/lib/config/core.js
+++ b/deps/npm/lib/config/core.js
@@ -8,7 +8,7 @@ var path = require('path')
 var nopt = require('nopt')
 var ini = require('ini')
 var Umask = configDefs.Umask
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 var umask = require('../utils/umask')
 var isWindows = require('../utils/is-windows.js')
 
@@ -31,10 +31,8 @@ enumerable: true })
 
 exports.validate = validate
 
-var myUid = process.env.SUDO_UID !== undefined
-  ? process.env.SUDO_UID : (process.getuid && process.getuid())
-var myGid = process.env.SUDO_GID !== undefined
-  ? process.env.SUDO_GID : (process.getgid && process.getgid())
+var myUid = process.getuid && process.getuid()
+var myGid = process.getgid && process.getgid()
 
 var loading = false
 var loadCbs = []
@@ -218,7 +216,6 @@ function Conf (base) {
 
 Conf.prototype.loadPrefix = require('./load-prefix.js')
 Conf.prototype.loadCAFile = require('./load-cafile.js')
-Conf.prototype.loadUid = require('./load-uid.js')
 Conf.prototype.setUser = require('./set-user.js')
 Conf.prototype.getCredentialsByURI = require('./get-credentials-by-uri.js')
 Conf.prototype.setCredentialsByURI = require('./set-credentials-by-uri.js')
@@ -227,11 +224,8 @@ Conf.prototype.clearCredentialsByURI = require('./clear-credentials-by-uri.js')
 Conf.prototype.loadExtras = function (cb) {
   this.setUser(function (er) {
     if (er) return cb(er)
-    this.loadUid(function (er) {
-      if (er) return cb(er)
-      // Without prefix, nothing will ever work
-      mkdirp(this.prefix, cb)
-    }.bind(this))
+    // Without prefix, nothing will ever work
+    mkdirp(this.prefix, cb)
   }.bind(this))
 }
 
@@ -287,15 +281,21 @@ Conf.prototype.save = function (where, cb) {
       done(null)
     })
   } else {
-    mkdirp(path.dirname(target.path), function (er) {
+    // we don't have to use inferOwner here, because gentle-fs will
+    // mkdir with the correctly inferred ownership.  Just preserve it.
+    const dir = path.dirname(target.path)
+    mkdirp(dir, function (er) {
       if (er) return then(er)
-      fs.writeFile(target.path, data, 'utf8', function (er) {
+      fs.stat(dir, (er, st) => {
         if (er) return then(er)
-        if (where === 'user' && myUid && myGid) {
-          fs.chown(target.path, +myUid, +myGid, then)
-        } else {
-          then()
-        }
+        fs.writeFile(target.path, data, 'utf8', function (er) {
+          if (er) return then(er)
+          if (myUid === 0 && (myUid !== st.uid || myGid !== st.gid)) {
+            fs.chown(target.path, st.uid, st.gid, then)
+          } else {
+            then()
+          }
+        })
       })
     })
   }
diff --git a/deps/npm/lib/config/figgy-config.js b/deps/npm/lib/config/figgy-config.js
index 9e9ca0ba56..d704d1502c 100644
--- a/deps/npm/lib/config/figgy-config.js
+++ b/deps/npm/lib/config/figgy-config.js
@@ -9,7 +9,7 @@ const npm = require('../npm.js')
 const pack = require('../pack.js')
 const path = require('path')
 
-const npmSession = crypto.randomBytes(8).toString('hex')
+const npmSession = npm.session = crypto.randomBytes(8).toString('hex')
 log.verbose('npm-session', npmSession)
 
 const SCOPE_REGISTRY_REGEX = /@.*:registry$/gi
diff --git a/deps/npm/lib/config/load-uid.js b/deps/npm/lib/config/load-uid.js
deleted file mode 100644
index 859eac7494..0000000000
--- a/deps/npm/lib/config/load-uid.js
+++ /dev/null
@@ -1,15 +0,0 @@
-module.exports = loadUid
-
-var getUid = require('uid-number')
-
-// Call in the context of a npmconf object
-
-function loadUid (cb) {
-  // if we're not in unsafe-perm mode, then figure out who
-  // to run stuff as.  Do this first, to support `npm update npm -g`
-  if (!this.get('unsafe-perm')) {
-    getUid(this.get('user'), this.get('group'), cb)
-  } else {
-    process.nextTick(cb)
-  }
-}
diff --git a/deps/npm/lib/config/set-user.js b/deps/npm/lib/config/set-user.js
index 14cc21d2eb..570a1f54e2 100644
--- a/deps/npm/lib/config/set-user.js
+++ b/deps/npm/lib/config/set-user.js
@@ -3,7 +3,7 @@ module.exports = setUser
 var assert = require('assert')
 var path = require('path')
 var fs = require('fs')
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 
 function setUser (cb) {
   var defaultConf = this.root
diff --git a/deps/npm/lib/dist-tag.js b/deps/npm/lib/dist-tag.js
index 176e61221e..64bb97b61a 100644
--- a/deps/npm/lib/dist-tag.js
+++ b/deps/npm/lib/dist-tag.js
@@ -119,7 +119,8 @@ function remove (spec, tag, opts) {
     delete tags[tag]
     const url = `/-/package/${spec.escapedName}/dist-tags/${encodeURIComponent(tag)}`
     const reqOpts = opts.concat({
-      method: 'DELETE'
+      method: 'DELETE',
+      spec
     })
     return otplease(reqOpts, reqOpts => regFetch(url, reqOpts)).then(() => {
       output(`-${tag}: ${spec.name}@${version}`)
diff --git a/deps/npm/lib/explore.js b/deps/npm/lib/explore.js
index 826a527fa7..0c9930f8e4 100644
--- a/deps/npm/lib/explore.js
+++ b/deps/npm/lib/explore.js
@@ -9,10 +9,11 @@ var npm = require('./npm.js')
 var spawn = require('./utils/spawn')
 var path = require('path')
 var fs = require('graceful-fs')
-var isWindowsShell = require('./utils/is-windows-shell.js')
+var isWindows = require('./utils/is-windows.js')
 var escapeExecPath = require('./utils/escape-exec-path.js')
 var escapeArg = require('./utils/escape-arg.js')
 var output = require('./utils/output.js')
+var log = require('npmlog')
 
 function explore (args, cb) {
   if (args.length < 1 || !args[0]) return cb(explore.usage)
@@ -23,7 +24,7 @@ function explore (args, cb) {
 
   var shellArgs = []
   if (args) {
-    if (isWindowsShell) {
+    if (isWindows) {
       var execCmd = escapeExecPath(args.shift())
       var execArgs = [execCmd].concat(args.map(escapeArg))
       opts.windowsVerbatimArguments = true
@@ -49,6 +50,7 @@ function explore (args, cb) {
       )
     }
 
+    log.silly('explore', {sh, shellArgs, opts})
     var shell = spawn(sh, shellArgs, opts)
     shell.on('close', function (er) {
       // only fail if non-interactive.
diff --git a/deps/npm/lib/install.js b/deps/npm/lib/install.js
index d2f705e1d1..8cc6d16bdd 100644
--- a/deps/npm/lib/install.js
+++ b/deps/npm/lib/install.js
@@ -104,7 +104,7 @@ var readPackageJson = require('read-package-json')
 var chain = require('slide').chain
 var asyncMap = require('slide').asyncMap
 var archy = require('archy')
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 var rimraf = require('rimraf')
 var iferr = require('iferr')
 var validate = require('aproba')
diff --git a/deps/npm/lib/install/action/extract.js b/deps/npm/lib/install/action/extract.js
index 32a4f4e004..585580edd2 100644
--- a/deps/npm/lib/install/action/extract.js
+++ b/deps/npm/lib/install/action/extract.js
@@ -5,7 +5,7 @@ const BB = require('bluebird')
 const figgyPudding = require('figgy-pudding')
 const stat = BB.promisify(require('graceful-fs').stat)
 const gentlyRm = BB.promisify(require('../../utils/gently-rm.js'))
-const mkdirp = BB.promisify(require('mkdirp'))
+const mkdirp = BB.promisify(require('gentle-fs').mkdir)
 const moduleName = require('../../utils/module-name.js')
 const moduleStagingPath = require('../module-staging-path.js')
 const move = require('../../utils/move.js')
diff --git a/deps/npm/lib/install/action/finalize.js b/deps/npm/lib/install/action/finalize.js
index e46f1b9d83..1e53c189d2 100644
--- a/deps/npm/lib/install/action/finalize.js
+++ b/deps/npm/lib/install/action/finalize.js
@@ -3,7 +3,7 @@ const path = require('path')
 const fs = require('graceful-fs')
 const Bluebird = require('bluebird')
 const rimraf = Bluebird.promisify(require('rimraf'))
-const mkdirp = Bluebird.promisify(require('mkdirp'))
+const mkdirp = Bluebird.promisify(require('gentle-fs').mkdir)
 const lstat = Bluebird.promisify(fs.lstat)
 const readdir = Bluebird.promisify(fs.readdir)
 const symlink = Bluebird.promisify(fs.symlink)
diff --git a/deps/npm/lib/install/action/move.js b/deps/npm/lib/install/action/move.js
index 00d58a1592..8a956f59d6 100644
--- a/deps/npm/lib/install/action/move.js
+++ b/deps/npm/lib/install/action/move.js
@@ -4,7 +4,7 @@ var path = require('path')
 var chain = require('slide').chain
 var iferr = require('iferr')
 var rimraf = require('rimraf')
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 var rmStuff = require('../../unbuild.js').rmStuff
 var lifecycle = require('../../utils/lifecycle.js')
 var move = require('../../utils/move.js')
diff --git a/deps/npm/lib/install/action/remove.js b/deps/npm/lib/install/action/remove.js
index a852d10c5f..f7182d596b 100644
--- a/deps/npm/lib/install/action/remove.js
+++ b/deps/npm/lib/install/action/remove.js
@@ -3,7 +3,7 @@ var path = require('path')
 var fs = require('graceful-fs')
 var rimraf = require('rimraf')
 var asyncMap = require('slide').asyncMap
-var mkdirp = require('mkdirp')
+var mkdirp = require('gentle-fs').mkdir
 var npm = require('../../npm.js')
 var andIgnoreErrors = require('../and-ignore-errors.js')
 var move = require('../../utils/move.js')
diff --git a/deps/npm/lib/install/deps.js b/deps/npm/lib/install/deps.js
index 3fe370140a..bfc94ae504 100644
--- a/deps/npm/lib/install/deps.js
+++ b/deps/npm/lib/install/deps.js
@@ -711,6 +711,12 @@ function resolveWithNewModule (pkg, tree, log, next) {
   })
 }
 
+var isOptionalPeerDep = exports.isOptionalPeerDep = function (tree, pkgname) {
+  if (!tree.package.peerDependenciesMeta) return
+  if (!tree.package.peerDependenciesMeta[pkgname]) return
+  return !!tree.package.peerDependenciesMeta[pkgname].optional
+}
+
 var validatePeerDeps = exports.validatePeerDeps = function (tree, onInvalid) {
   if (!tree.package.peerDependencies) return
   Object.keys(tree.package.peerDependencies).forEach(function (pkgname) {
@@ -719,7 +725,7 @@ var validatePeerDeps = exports.validatePeerDeps = function (tree, onInvalid) {
       var spec = npa.resolve(pkgname, version)
     } catch (e) {}
     var match = spec && findRequirement(tree.parent || tree, pkgname, spec)
-    if (!match) onInvalid(tree, pkgname, version)
+    if (!match && !isOptionalPeerDep(tree, pkgname)) onInvalid(tree, pkgname, version)
   })
 }
 
diff --git a/deps/npm/lib/install/inflate-shrinkwrap.js b/deps/npm/lib/install/inflate-shrinkwrap.js
index 5da9418bbd..b0b71ef6b1 100644
--- a/deps/npm/lib/install/inflate-shrinkwrap.js
+++ b/deps/npm/lib/install/inflate-shrinkwrap.js
@@ -167,7 +167,7 @@ function makeFakeChild (name, topPath, tree, sw, requested) {
   }
   const child = createChild({
     package: pkg,
-    loaded: false,
+    loaded: true,
     parent: tree,
     children: [],
     fromShrinkwrap: requested,
diff --git a/deps/npm/lib/outdated.js b/deps/npm/lib/outdated.js
index bb4c346f9a..5b84ae3558 100644
--- a/deps/npm/lib/outdated.js
+++ b/deps/npm/lib/outdated.js
@@ -91,7 +91,7 @@ function outdated (args, silent, cb) {
   var dir = path.resolve(npm.dir, '..')
 
   // default depth for `outdated` is 0 (cf. `ls`)
-  if (opts.depth) opts = opts.concat({depth: 0})
+  if (opts.depth === Infinity) opts = opts.concat({depth: 0})
 
   readPackageTree(dir, andComputeMetadata(function (er, tree) {
     if (!tree) return cb(er)
@@ -421,7 +421,7 @@ function shouldUpdate (args, tree, dep, has, req, depth, pkgpath, opts, cb, type
       var l = pickManifest(d, 'latest')
       var m = pickManifest(d, req)
     } catch (er) {
-      if (er.code === 'ETARGET') {
+      if (er.code === 'ETARGET' || er.code === 'E403') {
         return skip(er)
       } else {
         return skip()
diff --git a/deps/npm/lib/search/all-package-metadata.js b/deps/npm/lib/search/all-package-metadata.js
index a006dadadd..388b4f61f0 100644
--- a/deps/npm/lib/search/all-package-metadata.js
+++ b/deps/npm/lib/search/all-package-metadata.js
@@ -9,7 +9,7 @@ const figgyPudding = require('figgy-pudding')
 const fs = require('graceful-fs')
 const JSONStream = require('JSONStream')
 const log = require('npmlog')
-const mkdir = BB.promisify(require('mkdirp'))
+const mkdir = BB.promisify(require('gentle-fs').mkdir)
 const ms = require('mississippi')
 const npmFetch = require('libnpm/fetch')
 const path = require('path')
diff --git a/deps/npm/lib/shrinkwrap.js b/deps/npm/lib/shrinkwrap.js
index 35e063d447..0a3f53546c 100644
--- a/deps/npm/lib/shrinkwrap.js
+++ b/deps/npm/lib/shrinkwrap.js
@@ -25,6 +25,13 @@ const writeFileAtomic = require('write-file-atomic')
 const unixFormatPath = require('./utils/unix-format-path.js')
 const isRegistry = require('./utils/is-registry.js')
 
+const { chown } = require('fs')
+const inferOwner = require('infer-owner')
+const selfOwner = {
+  uid: process.getuid && process.getuid(),
+  gid: process.getgid && process.getgid()
+}
+
 const PKGLOCK = 'package-lock.json'
 const SHRINKWRAP = 'npm-shrinkwrap.json'
 const PKGLOCK_VERSION = npm.lockfileVersion
@@ -217,13 +224,19 @@ function save (dir, pkginfo, opts, cb) {
         log.verbose('shrinkwrap', `skipping write for ${path.basename(info.path)} because there were no changes.`)
         cb(null, pkginfo)
       } else {
-        writeFileAtomic(info.path, swdata, (err) => {
-          if (err) return cb(err)
-          if (opts.silent) return cb(null, pkginfo)
-          if (!shrinkwrap && !lockfile) {
-            log.notice('', `created a lockfile as ${path.basename(info.path)}. You should commit this file.`)
-          }
-          cb(null, pkginfo)
+        inferOwner(info.path).then(owner => {
+          writeFileAtomic(info.path, swdata, (err) => {
+            if (err) return cb(err)
+            if (opts.silent) return cb(null, pkginfo)
+            if (!shrinkwrap && !lockfile) {
+              log.notice('', `created a lockfile as ${path.basename(info.path)}. You should commit this file.`)
+            }
+            if (selfOwner.uid === 0 && (selfOwner.uid !== owner.uid || selfOwner.gid !== owner.gid)) {
+              chown(info.path, owner.uid, owner.gid, er => cb(er, pkginfo))
+            } else {
+              cb(null, pkginfo)
+            }
+          })
         })
       }
     }
diff --git a/deps/npm/lib/utils/cache-file.js b/deps/npm/lib/utils/cache-file.js
index 77df7d4e09..7b3136b2e2 100644
--- a/deps/npm/lib/utils/cache-file.js
+++ b/deps/npm/lib/utils/cache-file.js
@@ -1,3 +1,4 @@
+// XXX use infer-owner or gentle-fs.mkdir here
 const npm = require('../npm.js')
 const path = require('path')
 const chownr = require('chownr')
diff --git a/deps/npm/lib/utils/correct-mkdir.js b/deps/npm/lib/utils/correct-mkdir.js
index 2558de66f5..57368e946e 100644
--- a/deps/npm/lib/utils/correct-mkdir.js
+++ b/deps/npm/lib/utils/correct-mkdir.js
@@ -1,3 +1,4 @@
+// XXX this can probably be replaced with gentle-fs.mkdir everywhere it's used
 const chownr = require('chownr')
 const inflight = require('inflight')
 const log = require('npmlog')
diff --git a/deps/npm/lib/utils/error-message.js b/deps/npm/lib/utils/error-message.js
index ea8b05938c..5ddfb37682 100644
--- a/deps/npm/lib/utils/error-message.js
+++ b/deps/npm/lib/utils/error-message.js
@@ -72,6 +72,20 @@ function errorMessage (er) {
       }
       break
 
+    case 'EUIDLOOKUP':
+      short.push(['lifecycle', er.message])
+      detail.push([
+        '',
+        [
+          '',
+          'Failed to look up the user/group for running scripts.',
+          '',
+          'Try again with a different --user or --group settings, or',
+          'run with --unsafe-perm to execute scripts as root.'
+        ].join('\n')
+      ])
+      break
+
     case 'ELIFECYCLE':
       short.push(['', er.message])
       detail.push([
@@ -313,6 +327,18 @@ function errorMessage (er) {
       detail.push(['notarget', msg.join('\n')])
       break
 
+    case 'E403':
+      short.push(['403', er.message])
+      msg = [
+        'In most cases, you or one of your dependencies are requesting',
+        'a package version that is forbidden by your security policy.'
+      ]
+      if (er.parent) {
+        msg.push("\nIt was specified as a dependency of '" + er.parent + "'\n")
+      }
+      detail.push(['403', msg.join('\n')])
+      break
+
     case 'ENOTSUP':
       if (er.required) {
         short.push(['notsup', er.message])
diff --git a/deps/npm/lib/utils/escape-arg.js b/deps/npm/lib/utils/escape-arg.js
index d12ee5edf5..114abaadaa 100644
--- a/deps/npm/lib/utils/escape-arg.js
+++ b/deps/npm/lib/utils/escape-arg.js
@@ -1,6 +1,6 @@
 'use strict'
 var path = require('path')
-var isWindowsShell = require('./is-windows-shell.js')
+var isWindows = require('./is-windows.js')
 
 /*
 Escape the name of an executable suitable for passing to the system shell.
@@ -15,7 +15,7 @@ any single quotes in the filename.
 module.exports = escapify
 
 function escapify (str) {
-  if (isWindowsShell) {
+  if (isWindows) {
     return '"' + path.normalize(str) + '"'
   } else {
     if (/[^-_.~/\w]/.test(str)) {
diff --git a/deps/npm/lib/utils/escape-exec-path.js b/deps/npm/lib/utils/escape-exec-path.js
index bf94886efa..42b6493486 100644
--- a/deps/npm/lib/utils/escape-exec-path.js
+++ b/deps/npm/lib/utils/escape-exec-path.js
@@ -1,6 +1,6 @@
 'use strict'
 var path = require('path')
-var isWindowsShell = require('./is-windows-shell.js')
+var isWindows = require('./is-windows.js')
 
 /*
 Escape the name of an executable suitable for passing to the system shell.
@@ -20,7 +20,7 @@ function windowsQuotes (str) {
 }
 
 function escapify (str) {
-  if (isWindowsShell) {
+  if (isWindows) {
     return path.normalize(str).split(/\\/).map(windowsQuotes).join('\\')
   } else if (/[^-_.~/\w]/.test(str)) {
     return "'" + str.replace(/'/g, "'\"'\"'") + "'"