9 files changed, 127 insertions, 79 deletions

diff --git a/deps/npm/lib/cache/add-remote-git.js b/deps/npm/lib/cache/add-remote-git.js
index 1ad925eec3..c829a4fe6d 100644
--- a/deps/npm/lib/cache/add-remote-git.js
+++ b/deps/npm/lib/cache/add-remote-git.js
@@ -14,6 +14,7 @@ var mkdir = require("mkdirp")
   , addLocal = require("./add-local.js")
   , realizePackageSpecifier = require("realize-package-specifier")
   , normalizeGitUrl = require("normalize-git-url")
+  , randomBytes = require("crypto").pseudoRandomBytes // only need uniqueness
 
 var remotes = path.resolve(npm.config.get("cache"), "_git-remotes")
 var templates = path.join(remotes, "_templates")
@@ -211,11 +212,23 @@ function resolveHead (p, u, co, origUrl, cb) {
  * this has to be two steps.
  */
 function cache (p, u, treeish, resolved, cb) {
-  var tmp = path.join(npm.tmp, Date.now()+"-"+Math.random(), treeish)
-  git.whichAndExec(
-    [ "clone", p, tmp ],
-    { cwd : p, env : gitEnv() },
-    function (er, stdout, stderr) {
+  // generate a unique filename
+  randomBytes(6, function (er, random) {
+    if (er) return cb(er)
+
+    var tmp = path.join(
+      npm.tmp,
+      "git-cache-"+random.toString("hex"),
+      treeish
+    )
+
+    mkdir(tmp, function (er) {
+      if (er) return cb(er)
+
+      git.whichAndExec(["clone", p, tmp], { cwd : p, env : gitEnv() }, clone)
+    })
+
+    function clone (er, stdout, stderr) {
       stdout = (stdout + "\n" + stderr).trim()
       if (er) {
         log.error("Failed to clone "+resolved+" from "+u, stderr)
@@ -224,34 +237,32 @@ function cache (p, u, treeish, resolved, cb) {
       log.verbose("git clone", "from", p)
       log.verbose("git clone", stdout)
 
-      git.whichAndExec(
-        [ "checkout", treeish ],
-        { cwd : tmp, env : gitEnv() },
-        function (er, stdout, stderr) {
-          stdout = (stdout + "\n" + stderr).trim()
-          if (er) {
-            log.error("Failed to check out "+treeish, stderr)
-            return cb(er)
-          }
-          log.verbose("git checkout", stdout)
+      git.whichAndExec(["checkout", treeish], { cwd : tmp, env : gitEnv() }, checkout)
+    }
 
-          realizePackageSpecifier(tmp, function (er, spec) {
-            if (er) {
-              log.error("Failed to map", tmp, "to a package specifier")
-              return cb(er)
-            }
+    function checkout (er, stdout, stderr) {
+      stdout = (stdout + "\n" + stderr).trim()
+      if (er) {
+        log.error("Failed to check out "+treeish, stderr)
+        return cb(er)
+      }
+      log.verbose("git checkout", stdout)
 
-            // https://github.com/npm/npm/issues/6400
-            // ensure pack logic is applied
-            addLocal(spec, null, function (er, data) {
-              if (data) data._resolved = resolved
-              cb(er, data)
-            })
-          })
+      realizePackageSpecifier(tmp, function (er, spec) {
+        if (er) {
+          log.error("Failed to map", tmp, "to a package specifier")
+          return cb(er)
         }
-      )
+
+        // https://github.com/npm/npm/issues/6400
+        // ensure pack logic is applied
+        addLocal(spec, null, function (er, data) {
+          if (data) data._resolved = resolved
+          cb(er, data)
+        })
+      })
     }
-  )
+  })
 }
 
 var gitEnv_
diff --git a/deps/npm/lib/cache/caching-client.js b/deps/npm/lib/cache/caching-client.js
index d81e6f53d6..459a236f55 100644
--- a/deps/npm/lib/cache/caching-client.js
+++ b/deps/npm/lib/cache/caching-client.js
@@ -37,9 +37,9 @@ CachingRegistryClient.prototype._invalidatingRequest = function (uri, params, cb
       var invalidated = client._mapToCache(uri)
       // invalidate cache
       //
-      // This is irrelevant for commands that do etag caching, but ls and
-      // view also have a timed cache, so this keeps the user from thinking
-      // that it didn't work when it did.
+      // This is irrelevant for commands that do etag / last-modified caching,
+      // but ls and view also have a timed cache, so this keeps the user from
+      // thinking that it didn't work when it did.
       // Note that failure is an acceptable option here, since the only
       // result will be a stale cache for some helper commands.
       client.log.verbose("request", "invalidating", invalidated, "on", method)
@@ -99,6 +99,7 @@ function get_ (uri, cachePath, params, cb) {
     , data    = params.data
     , stat    = params.stat
     , etag
+    , lastModified
 
   timeout = Math.min(timeout, npm.config.get("cache-max") || 0)
   timeout = Math.max(timeout, npm.config.get("cache-min") || -Infinity)
@@ -110,17 +111,20 @@ function get_ (uri, cachePath, params, cb) {
 
   if (data) {
     if (data._etag) etag = data._etag
+    if (data._lastModified) lastModified = data._lastModified
 
     if (stat && timeout && timeout > 0) {
       if ((Date.now() - stat.mtime.getTime())/1000 < timeout) {
         log.verbose("get", uri, "not expired, no request")
         delete data._etag
+        delete data._lastModified
         return cb(null, data, JSON.stringify(data), { statusCode : 304 })
       }
 
       if (staleOk) {
         log.verbose("get", uri, "staleOk, background update")
         delete data._etag
+        delete data._lastModified
         process.nextTick(
           cb.bind(null, null, data, JSON.stringify(data), { statusCode : 304 } )
         )
@@ -130,9 +134,10 @@ function get_ (uri, cachePath, params, cb) {
   }
 
   var options = {
-    etag   : etag,
-    follow : params.follow,
-    auth   : params.auth
+    etag         : etag,
+    lastModified : lastModified,
+    follow       : params.follow,
+    auth         : params.auth
   }
   this.request(uri, options, function (er, remoteData, raw, response) {
     // if we get an error talking to the registry, but we have it
@@ -144,9 +149,9 @@ function get_ (uri, cachePath, params, cb) {
 
     if (response) {
       log.silly("get", "cb", [response.statusCode, response.headers])
-      if (response.statusCode === 304 && etag) {
+      if (response.statusCode === 304 && (etag || lastModified)) {
         remoteData = data
-        log.verbose("etag", uri+" from cache")
+        log.verbose(etag ? "etag" : "lastModified", uri+" from cache")
       }
     }
 
@@ -160,6 +165,7 @@ function get_ (uri, cachePath, params, cb) {
     // just give the write the old college try.  if it fails, whatever.
     function saved () {
       delete data._etag
+      delete data._lastModified
       cb(er, data, raw, response)
     }
 
@@ -169,7 +175,7 @@ function get_ (uri, cachePath, params, cb) {
           if (er) return saved()
 
           writeFile(cachePath, JSON.stringify(data), function (er) {
-            if (er || st.uid === null || st.gid === null) return saved()
+            if (er) return saved()
 
             chownr(made || cachePath, st.uid, st.gid, saved)
           })
diff --git a/deps/npm/lib/cache/get-stat.js b/deps/npm/lib/cache/get-stat.js
index 45b60ce793..98f95ad6ae 100644
--- a/deps/npm/lib/cache/get-stat.js
+++ b/deps/npm/lib/cache/get-stat.js
@@ -22,11 +22,18 @@ module.exports = function getCacheStat (cb) {
 
 function makeCacheDir (cb) {
   cb = inflight("makeCacheDir", cb)
-  if (!cb) return log.verbose("getCacheStat", "cache creation already in flight; waiting")
+  if (!cb) {
+    return log.verbose(
+      "getCacheStat",
+      "cache creation already in flight; waiting"
+    )
+  }
   log.verbose("getCacheStat", "cache creation not in flight; initializing")
 
   if (!process.getuid) return mkdir(npm.cache, function (er) {
-    return cb(er, {})
+    log.verbose("makeCacheDir", "UID & GID are irrelevant on", process.platform)
+    cacheStat = { uid : 0, gid : 0 }
+    return cb(er, cacheStat)
   })
 
   var uid = +process.getuid()
@@ -36,8 +43,9 @@ function makeCacheDir (cb) {
     if (process.env.SUDO_UID) uid = +process.env.SUDO_UID
     if (process.env.SUDO_GID) gid = +process.env.SUDO_GID
   }
+
   if (uid !== 0 || !process.env.HOME) {
-    cacheStat = {uid: uid, gid: gid}
+    cacheStat = { uid : uid, gid : gid }
     return mkdir(npm.cache, afterMkdir)
   }
 
diff --git a/deps/npm/lib/config.js b/deps/npm/lib/config.js
index d2a6a89f69..c79cdc5b8b 100644
--- a/deps/npm/lib/config.js
+++ b/deps/npm/lib/config.js
@@ -18,6 +18,7 @@ var log = require("npmlog")
   , ini = require("ini")
   , editor = require("editor")
   , os = require("os")
+  , umask = require("./utils/umask")
 
 config.completion = function (opts, cb) {
   var argv = opts.conf.argv.remain
@@ -132,6 +133,7 @@ function set (key, val, cb) {
   val = val.trim()
   log.info("config", "set %j %j", key, val)
   var where = npm.config.get("global") ? "global" : "user"
+  if (key.match(/umask/)) val = umask.fromString(val)
   npm.config.set(key, val, where)
   npm.config.save(where, cb)
 }
@@ -141,7 +143,9 @@ function get (key, cb) {
   if (!public(key)) {
     return cb(new Error("---sekretz---"))
   }
-  console.log(npm.config.get(key))
+  var val = npm.config.get(key)
+  if (key.match(/umask/)) val = umask.toString(val)
+  console.log(val)
   cb()
 }
 
diff --git a/deps/npm/lib/config/core.js b/deps/npm/lib/config/core.js
index 6c6112532f..59f7cf5568 100644
--- a/deps/npm/lib/config/core.js
+++ b/deps/npm/lib/config/core.js
@@ -8,8 +8,9 @@ var fs = require("fs")
 var path = require("path")
 var nopt = require("nopt")
 var ini = require("ini")
-var Octal = configDefs.Octal
+var Umask = configDefs.Umask
 var mkdirp = require("mkdirp")
+var umask = require("../utils/umask")
 
 exports.load = load
 exports.Conf = Conf
@@ -362,8 +363,8 @@ function parseField (f, k) {
   var isPath = -1 !== typeList.indexOf(path)
   var isBool = -1 !== typeList.indexOf(Boolean)
   var isString = -1 !== typeList.indexOf(String)
-  var isOctal = -1 !== typeList.indexOf(Octal)
-  var isNumber = isOctal || (-1 !== typeList.indexOf(Number))
+  var isUmask = -1 !== typeList.indexOf(Umask)
+  var isNumber = -1 !== typeList.indexOf(Number)
 
   f = (""+f).trim()
 
@@ -396,8 +397,11 @@ function parseField (f, k) {
     f = path.resolve(f)
   }
 
+  if (isUmask)
+    f = umask.fromString(f)
+
   if (isNumber && !isNaN(f))
-    f = isOctal ? parseInt(f, 8) : +f
+    f = +f
 
   return f
 }
diff --git a/deps/npm/lib/config/defaults.js b/deps/npm/lib/config/defaults.js
index febd1049ed..3d99ab86fa 100644
--- a/deps/npm/lib/config/defaults.js
+++ b/deps/npm/lib/config/defaults.js
@@ -9,6 +9,7 @@ var path = require("path")
   , nopt = require("nopt")
   , os = require("os")
   , osenv = require("osenv")
+  , umask = require("../utils/umask")
 
 var log
 try {
@@ -20,19 +21,10 @@ try {
   } }
 }
 
-exports.Octal = Octal
-function Octal () {}
-function validateOctal (data, k, val) {
-  // must be either an integer or an octal string.
-  if (typeof val === "number") {
-    data[k] = val
-    return true
-  }
-
-  if (typeof val === "string") {
-    if (val.charAt(0) !== "0" || isNaN(val)) return false
-    data[k] = parseInt(val, 8).toString(8)
-  }
+exports.Umask = Umask
+function Umask () {}
+function validateUmask (data, k, val) {
+  return umask.validate (data, k, val)
 }
 
 function validateSemver (data, k, val) {
@@ -52,8 +44,8 @@ function validateStream (data, k, val) {
 }
 
 nopt.typeDefs.semver = { type: semver, validate: validateSemver }
-nopt.typeDefs.Octal = { type: Octal, validate: validateOctal }
 nopt.typeDefs.Stream = { type: Stream, validate: validateStream }
+nopt.typeDefs.Umask = { type: Umask, validate: validateUmask }
 
 // Don't let --tag=1.2.3 ever be a thing
 var tag = {}
@@ -71,8 +63,8 @@ nopt.invalidHandler = function (k, val, type) {
     case tag:
       log.warn("invalid config", "Tag must not be a SemVer range")
       break
-    case Octal:
-      log.warn("invalid config", "Must be octal number, starting with 0")
+    case Umask:
+      log.warn("invalid config", "Must be umask, octal number in range 0000..0777")
       break
     case url:
       log.warn("invalid config", "Must be a full url with 'http://'")
@@ -224,7 +216,7 @@ Object.defineProperty(exports, "defaults", {get: function () {
     , usage : false
     , user : process.platform === "win32" ? 0 : "nobody"
     , userconfig : path.resolve(home, ".npmrc")
-    , umask: process.umask ? process.umask() : parseInt("022", 8)
+    , umask: process.umask ? process.umask() : umask.fromString("022")
     , version : false
     , versions : false
     , viewer: process.platform === "win32" ? "browser" : "man"
@@ -322,7 +314,7 @@ exports.types =
   , usage : Boolean
   , user : [Number, String]
   , userconfig : path
-  , umask: Octal
+  , umask: Umask
   , version : Boolean
   , versions : Boolean
   , viewer: String
diff --git a/deps/npm/lib/utils/lifecycle.js b/deps/npm/lib/utils/lifecycle.js
index ccee756308..299fa56988 100644
--- a/deps/npm/lib/utils/lifecycle.js
+++ b/deps/npm/lib/utils/lifecycle.js
@@ -3,14 +3,15 @@ exports.cmd = cmd
 exports.makeEnv = makeEnv
 
 var log = require("npmlog")
-  , spawn = require("./spawn")
-  , npm = require("../npm.js")
-  , path = require("path")
-  , fs = require("graceful-fs")
-  , chain = require("slide").chain
-  , Stream = require("stream").Stream
-  , PATH = "PATH"
-  , uidNumber = require("uid-number")
+var spawn = require("./spawn")
+var npm = require("../npm.js")
+var path = require("path")
+var fs = require("graceful-fs")
+var chain = require("slide").chain
+var Stream = require("stream").Stream
+var PATH = "PATH"
+var uidNumber = require("uid-number")
+var umask = require("./umask")
 
 // windows calls it's path "Path" usually, but this is not guaranteed.
 if (process.platform === "win32") {
@@ -198,7 +199,7 @@ function runCmd_ (cmd, pkg, env, wd, stage, unsafe, uid, gid, cb_) {
   var shFlag = "-c"
 
   if (process.platform === "win32") {
-    sh = "cmd"
+    sh = process.env.comspec || "cmd"
     shFlag = "/c"
     conf.windowsVerbatimArguments = true
   }
@@ -316,6 +317,7 @@ function makeEnv (data, prefix, env) {
     }
     var value = npm.config.get(i)
     if (value instanceof Stream || Array.isArray(value)) return
+    if (i.match(/umask/)) value = umask.toString(value)
     if (!value) value = ""
     else if (typeof value === "number") value = "" + value
     else if (typeof value !== "string") value = JSON.stringify(value)
diff --git a/deps/npm/lib/utils/umask.js b/deps/npm/lib/utils/umask.js
new file mode 100644
index 0000000000..6ccb4a1194
--- /dev/null
+++ b/deps/npm/lib/utils/umask.js
@@ -0,0 +1,17 @@
+var umask = require("umask")
+var npmlog = require("npmlog")
+var _fromString = umask.fromString
+
+module.exports = umask
+
+// fromString with logging callback
+umask.fromString = function (val) {
+  _fromString(val, function (err, result) {
+    if (err) {
+      npmlog.warn("invalid umask", err.message)
+    }
+    val = result
+  })
+
+  return val
+}
diff --git a/deps/npm/lib/whoami.js b/deps/npm/lib/whoami.js
index 121c4336ae..42cede1b82 100644
--- a/deps/npm/lib/whoami.js
+++ b/deps/npm/lib/whoami.js
@@ -14,6 +14,14 @@ function whoami (args, silent, cb) {
   var registry = npm.config.get("registry")
   if (!registry) return cb(new Error("no default registry set"))
 
+  function noUser () {
+    // At this point, if they have a credentials object, it doesn't have a
+    // token or auth in it.  Probably just the default registry.
+    var msg = "Not authed.  Run 'npm adduser'"
+    if (!silent) console.log(msg)
+    cb(null, msg)
+  }
+
   var auth = npm.config.getCredentialsByURI(registry)
   if (auth) {
     if (auth.username) {
@@ -23,6 +31,7 @@ function whoami (args, silent, cb) {
     else if (auth.token) {
       return npm.registry.whoami(registry, { auth : auth }, function (er, username) {
         if (er) return cb(er)
+        if (!username) return noUser()
 
         if (!silent) console.log(username)
         cb(null, username)
@@ -30,10 +39,5 @@ function whoami (args, silent, cb) {
     }
   }
 
-  // At this point, if they have a credentials object, it doesn't
-  // have a token or auth in it.  Probably just the default
-  // registry.
-  var msg = "Not authed.  Run 'npm adduser'"
-  if (!silent) console.log(msg)
-  process.nextTick(cb.bind(this, null, msg))
+  process.nextTick(noUser)
 }