deps: upgrade npm to 8.13.2

PR-URL: https://github.com/nodejs/node/pull/43622
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Ruy Adorno <ruyadorno@github.com>

18 files changed, 74 insertions, 24 deletions

diff --git a/deps/npm/docs/content/commands/npm-run-script.md b/deps/npm/docs/content/commands/npm-run-script.md
index d94040f1a2..f606ec6bf5 100644
--- a/deps/npm/docs/content/commands/npm-run-script.md
+++ b/deps/npm/docs/content/commands/npm-run-script.md
@@ -240,6 +240,21 @@ will *not* run any pre- or post-scripts.
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
 
+#### `foreground-scripts`
+
+* Default: false
+* Type: Boolean
+
+Run all build scripts (ie, `preinstall`, `install`, and `postinstall`)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process.
+
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging.
+
+<!-- automatically generated, do not edit manually -->
+<!-- see lib/utils/config/definitions.js -->
+
 #### `script-shell`
 
 * Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows
diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html
index 4363442ef3..07deb2d490 100644
--- a/deps/npm/docs/output/commands/npm-ls.html
+++ b/deps/npm/docs/output/commands/npm-ls.html
@@ -166,7 +166,7 @@ tree at all, use <a href="../commands/npm-explain.html"><code>npm explain</code>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.13.1 /path/to/npm
+<pre lang="bash"><code>npm@8.13.2 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>
diff --git a/deps/npm/docs/output/commands/npm-run-script.html b/deps/npm/docs/output/commands/npm-run-script.html
index d74acb0564..5b1150cf4b 100644
--- a/deps/npm/docs/output/commands/npm-run-script.html
+++ b/deps/npm/docs/output/commands/npm-run-script.html
@@ -142,7 +142,7 @@ npm command-line interface
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#workspaces-support">Workspaces support</a></li><ul><li><a href="#filtering-workspaces">Filtering workspaces</a></li></ul><li><a href="#configuration">Configuration</a></li><ul><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#if-present"><code>if-present</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#script-shell"><code>script-shell</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#synopsis">Synopsis</a></li><li><a href="#description">Description</a></li><li><a href="#workspaces-support">Workspaces support</a></li><ul><li><a href="#filtering-workspaces">Filtering workspaces</a></li></ul><li><a href="#configuration">Configuration</a></li><ul><li><a href="#workspace"><code>workspace</code></a></li><li><a href="#workspaces"><code>workspaces</code></a></li><li><a href="#include-workspace-root"><code>include-workspace-root</code></a></li><li><a href="#if-present"><code>if-present</code></a></li><li><a href="#ignore-scripts"><code>ignore-scripts</code></a></li><li><a href="#foreground-scripts"><code>foreground-scripts</code></a></li><li><a href="#script-shell"><code>script-shell</code></a></li></ul><li><a href="#see-also">See Also</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="synopsis">Synopsis</h3>
@@ -319,6 +319,18 @@ will still run their intended script if <code>ignore-scripts</code> is set, but
 will <em>not</em> run any pre- or post-scripts.</p>
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
+<h4 id="foreground-scripts"><code>foreground-scripts</code></h4>
+<ul>
+<li>Default: false</li>
+<li>Type: Boolean</li>
+</ul>
+<p>Run all build scripts (ie, <code>preinstall</code>, <code>install</code>, and <code>postinstall</code>)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process.</p>
+<p>Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging.</p>
+<!-- raw HTML omitted -->
+<!-- raw HTML omitted -->
 <h4 id="script-shell"><code>script-shell</code></h4>
 <ul>
 <li>Default: '/bin/sh' on POSIX systems, 'cmd.exe' on Windows</li>
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index c7b7dd5dc7..9a0446af63 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -149,7 +149,7 @@ npm command-line interface
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h3 id="version">Version</h3>
-<p>8.13.1</p>
+<p>8.13.2</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency
diff --git a/deps/npm/lib/commands/run-script.js b/deps/npm/lib/commands/run-script.js
index a1591c7900..8507dbe79a 100644
--- a/deps/npm/lib/commands/run-script.js
+++ b/deps/npm/lib/commands/run-script.js
@@ -35,6 +35,7 @@ class RunScript extends BaseCommand {
     'include-workspace-root',
     'if-present',
     'ignore-scripts',
+    'foreground-scripts',
     'script-shell',
   ]
 
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index a24c524909..5a78c46a6e 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -26,7 +26,7 @@ example, running \fBnpm ls promzard\fP in npm's source tree will show:
 .P
 .RS 2
 .nf
-npm@8\.13\.1 /path/to/npm
+npm@8\.13\.2 /path/to/npm
 └─┬ init\-package\-json@0\.0\.4
   └── promzard@0\.1\.5
 .fi
diff --git a/deps/npm/man/man1/npm-run-script.1 b/deps/npm/man/man1/npm-run-script.1
index c9dc22f4eb..c9c2925ff1 100644
--- a/deps/npm/man/man1/npm-run-script.1
+++ b/deps/npm/man/man1/npm-run-script.1
@@ -246,6 +246,21 @@ Note that commands explicitly intended to run a particular script, such as
 \fBnpm start\fP, \fBnpm stop\fP, \fBnpm restart\fP, \fBnpm test\fP, and \fBnpm run\-script\fP
 will still run their intended script if \fBignore\-scripts\fP is set, but they
 will \fInot\fR run any pre\- or post\-scripts\.
+.SS \fBforeground\-scripts\fP
+.RS 0
+.IP \(bu 2
+Default: false
+.IP \(bu 2
+Type: Boolean
+
+.RE
+.P
+Run all build scripts (ie, \fBpreinstall\fP, \fBinstall\fP, and \fBpostinstall\fP)
+scripts for installed packages in the foreground process, sharing standard
+input, output, and error with the main npm process\.
+.P
+Note that this will generally make installs run slower, and be much noisier,
+but can be useful for debugging\.
 .SS \fBscript\-shell\fP
 .RS 0
 .IP \(bu 2
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index a26c713a11..1e2c15ebae 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -4,7 +4,7 @@
 .SS Synopsis
 .SS Version
 .P
-8\.13\.1
+8\.13\.2
 .SS Description
 .P
 npm is the package manager for the Node JavaScript platform\.  It puts
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index d30838e738..1f479a90dd 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -166,8 +166,8 @@ class Advisory {
     // we can try to be a *little* smarter up front by doing x-y for all
     // contiguous version sets in the list
     const ranges = []
-    this.versions = semver.sort(this.versions)
-    this.vulnerableVersions = semver.sort(this.vulnerableVersions)
+    this.versions = semver.sort(this.versions, semverOpt)
+    this.vulnerableVersions = semver.sort(this.vulnerableVersions, semverOpt)
     for (let v = 0, vulnVer = 0; v < this.versions.length; v++) {
       // figure out the vulnerable subrange
       const vr = [this.versions[v]]
diff --git a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
index 2c04e0fd42..2e7209ffc7 100644
--- a/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
+++ b/deps/npm/node_modules/@npmcli/metavuln-calculator/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/metavuln-calculator",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -33,7 +33,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.2.0",
+    "@npmcli/template-oss": "3.5.0",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
   },
@@ -48,6 +48,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.2.0"
+    "version": "3.5.0"
   }
 }
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
index 5254be24bf..3c574371bc 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/escape.js
@@ -65,7 +65,13 @@ const sh = (input) => {
   return result
 }
 
+// disabling the no-control-regex rule for this line as we very specifically _do_ want to
+// replace those characters if they somehow exist at this point, which is highly unlikely
+// eslint-disable-next-line no-control-regex
+const filename = (input) => input.replace(/[<>:"/\\|?*\x00-\x31]/g, '')
+
 module.exports = {
   cmd,
   sh,
+  filename,
 }
diff --git a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
index 660588e3ee..47f7346301 100644
--- a/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
+++ b/deps/npm/node_modules/@npmcli/run-script/lib/make-spawn-args.js
@@ -30,6 +30,7 @@ const makeSpawnArgs = options => {
     npm_config_node_gyp,
   })
 
+  const fileName = escape.filename(`${event}-${Date.now()}`)
   let scriptFile
   let script = ''
 
@@ -61,7 +62,7 @@ const makeSpawnArgs = options => {
 
     const doubleEscape = pathToInitial.endsWith('.cmd') || pathToInitial.endsWith('.bat')
 
-    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.cmd`)
+    scriptFile = resolve(tmpdir(), `${fileName}.cmd`)
     script += '@echo off\n'
     script += cmd
     if (args.length) {
@@ -71,7 +72,7 @@ const makeSpawnArgs = options => {
     const shebang = isAbsolute(scriptShell)
       ? `#!${scriptShell}`
       : `#!/usr/bin/env ${scriptShell}`
-    scriptFile = resolve(tmpdir(), `${event}-${Date.now()}.sh`)
+    scriptFile = resolve(tmpdir(), `${fileName}.sh`)
     script += `${shebang}\n`
     script += cmd
     if (args.length) {
diff --git a/deps/npm/node_modules/@npmcli/run-script/package.json b/deps/npm/node_modules/@npmcli/run-script/package.json
index ef8b43f772..1ce162dd8d 100644
--- a/deps/npm/node_modules/@npmcli/run-script/package.json
+++ b/deps/npm/node_modules/@npmcli/run-script/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/run-script",
-  "version": "4.1.3",
+  "version": "4.1.5",
   "description": "Run a lifecycle script for a package (descendant of npm-lifecycle)",
   "author": "GitHub Inc.",
   "license": "ISC",
@@ -17,10 +17,6 @@
     "posttest": "npm run lint",
     "template-oss-apply": "template-oss-apply --force"
   },
-  "tap": {
-    "check-coverage": true,
-    "coverage-map": "map.js"
-  },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
     "@npmcli/template-oss": "3.5.0",
@@ -32,7 +28,8 @@
     "@npmcli/node-gyp": "^2.0.0",
     "@npmcli/promise-spawn": "^3.0.0",
     "node-gyp": "^9.0.0",
-    "read-package-json-fast": "^2.0.3"
+    "read-package-json-fast": "^2.0.3",
+    "which": "^2.0.2"
   },
   "files": [
     "bin/",
diff --git a/deps/npm/node_modules/npm-packlist/lib/index.js b/deps/npm/node_modules/npm-packlist/lib/index.js
index e4a2e76c54..bd72329f02 100644
--- a/deps/npm/node_modules/npm-packlist/lib/index.js
+++ b/deps/npm/node_modules/npm-packlist/lib/index.js
@@ -34,10 +34,13 @@ const glob = require('glob')
 const globify = pattern => pattern.split('\\').join('/')
 
 const readOutOfTreeIgnoreFiles = (root, rel, result = '') => {
-  for (const file of ['.gitignore', '.npmignore']) {
+  for (const file of ['.npmignore', '.gitignore']) {
     try {
       const ignoreContent = fs.readFileSync(path.join(root, file), { encoding: 'utf8' })
       result += ignoreContent + '\n'
+      // break the loop immediately after concatting, this allows us to prioritize the
+      // .npmignore and discard the .gitignore if one exists
+      break
     } catch (err) {
       // we ignore ENOENT errors completely because we don't care if the file doesn't exist
       // but we throw everything else because failing to read a file that does exist is
diff --git a/deps/npm/node_modules/npm-packlist/package.json b/deps/npm/node_modules/npm-packlist/package.json
index dfa0188b4c..4c63caf21e 100644
--- a/deps/npm/node_modules/npm-packlist/package.json
+++ b/deps/npm/node_modules/npm-packlist/package.json
@@ -1,6 +1,6 @@
 {
   "name": "npm-packlist",
-  "version": "5.1.0",
+  "version": "5.1.1",
   "description": "Get a list of the files to add from a folder into an npm package",
   "directories": {
     "test": "test"
diff --git a/deps/npm/package.json b/deps/npm/package.json
index a9d84ab62c..95afa528fa 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
 {
-  "version": "8.13.1",
+  "version": "8.13.2",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -62,7 +62,7 @@
     "@npmcli/fs": "^2.1.0",
     "@npmcli/map-workspaces": "^2.0.3",
     "@npmcli/package-json": "^2.0.0",
-    "@npmcli/run-script": "^4.1.3",
+    "@npmcli/run-script": "^4.1.5",
     "abbrev": "~1.1.1",
     "archy": "~1.0.0",
     "cacache": "^16.1.1",
diff --git a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
index 13a3b06fe3..57dd612666 100644
--- a/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/load-all-commands.js.test.cjs
@@ -746,7 +746,7 @@ npm run-script <command> [-- <args>]
 Options:
 [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
 [-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
-[--script-shell <script-shell>]
+[--foreground-scripts] [--script-shell <script-shell>]
 
 aliases: run, rum, urn
 
diff --git a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
index c59252f9e8..5ae34e8687 100644
--- a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
@@ -790,7 +790,7 @@ All commands:
                     Options:
                     [-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
                     [-ws|--workspaces] [--include-workspace-root] [--if-present] [--ignore-scripts]
-                    [--script-shell <script-shell>]
+                    [--foreground-scripts] [--script-shell <script-shell>]
 
                     aliases: run, rum, urn