v22.12.0

node/node_modules/.bin/npm

@@ -1,12 +0,0 @@
-#!/bin/sh
-basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
-
-case `uname` in
-    *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;;
-esac
-
-if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../npm/bin/npm-cli.js" "$@"
-else 
-  exec node  "$basedir/../npm/bin/npm-cli.js" "$@"
-fi

node/node_modules/.bin/npm.cmd

@@ -1,17 +0,0 @@
-@ECHO off
-GOTO start
-:find_dp0
-SET dp0=%~dp0
-EXIT /b
-:start
-SETLOCAL
-CALL :find_dp0
-
-IF EXIST "%dp0%\node.exe" (
-  SET "_prog=%dp0%\node.exe"
-) ELSE (
-  SET "_prog=node"
-  SET PATHEXT=%PATHEXT:;.JS;=;%
-)
-
-endLocal & goto #_undefined_# 2>NUL || title %COMSPEC% & "%_prog%"  "%dp0%\..\npm\bin\npm-cli.js" %*

node/node_modules/.bin/npm.ps1

@@ -1,28 +0,0 @@
-#!/usr/bin/env pwsh
-$basedir=Split-Path $MyInvocation.MyCommand.Definition -Parent
-
-$exe=""
-if ($PSVersionTable.PSVersion -lt "6.0" -or $IsWindows) {
-  # Fix case when both the Windows and Linux builds of Node
-  # are installed in the same directory
-  $exe=".exe"
-}
-$ret=0
-if (Test-Path "$basedir/node$exe") {
-  # Support pipeline input
-  if ($MyInvocation.ExpectingInput) {
-    $input | & "$basedir/node$exe"  "$basedir/../npm/bin/npm-cli.js" $args
-  } else {
-    & "$basedir/node$exe"  "$basedir/../npm/bin/npm-cli.js" $args
-  }
-  $ret=$LASTEXITCODE
-} else {
-  # Support pipeline input
-  if ($MyInvocation.ExpectingInput) {
-    $input | & "node$exe"  "$basedir/../npm/bin/npm-cli.js" $args
-  } else {
-    & "node$exe"  "$basedir/../npm/bin/npm-cli.js" $args
-  }
-  $ret=$LASTEXITCODE
-}
-exit $ret

node/node_modules/.bin/npx

@@ -1,12 +0,0 @@
-#!/bin/sh
-basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")
-
-case `uname` in
-    *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;;
-esac
-
-if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../npm/bin/npx-cli.js" "$@"
-else 
-  exec node  "$basedir/../npm/bin/npx-cli.js" "$@"
-fi

node/node_modules/.bin/npx.cmd

@@ -1,17 +0,0 @@
-@ECHO off
-GOTO start
-:find_dp0
-SET dp0=%~dp0
-EXIT /b
-:start
-SETLOCAL
-CALL :find_dp0
-
-IF EXIST "%dp0%\node.exe" (
-  SET "_prog=%dp0%\node.exe"
-) ELSE (
-  SET "_prog=node"
-  SET PATHEXT=%PATHEXT:;.JS;=;%
-)
-
-endLocal & goto #_undefined_# 2>NUL || title %COMSPEC% & "%_prog%"  "%dp0%\..\npm\bin\npx-cli.js" %*

node/node_modules/.bin/npx.ps1

@@ -1,28 +0,0 @@
-#!/usr/bin/env pwsh
-$basedir=Split-Path $MyInvocation.MyCommand.Definition -Parent
-
-$exe=""
-if ($PSVersionTable.PSVersion -lt "6.0" -or $IsWindows) {
-  # Fix case when both the Windows and Linux builds of Node
-  # are installed in the same directory
-  $exe=".exe"
-}
-$ret=0
-if (Test-Path "$basedir/node$exe") {
-  # Support pipeline input
-  if ($MyInvocation.ExpectingInput) {
-    $input | & "$basedir/node$exe"  "$basedir/../npm/bin/npx-cli.js" $args
-  } else {
-    & "$basedir/node$exe"  "$basedir/../npm/bin/npx-cli.js" $args
-  }
-  $ret=$LASTEXITCODE
-} else {
-  # Support pipeline input
-  if ($MyInvocation.ExpectingInput) {
-    $input | & "node$exe"  "$basedir/../npm/bin/npx-cli.js" $args
-  } else {
-    & "node$exe"  "$basedir/../npm/bin/npx-cli.js" $args
-  }
-  $ret=$LASTEXITCODE
-}
-exit $ret

node/node_modules/npm-js-interface/.gitattributes

@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto

node/node_modules/npm-js-interface/README.md

@@ -1,20 +0,0 @@
-# npm-js-interface
-
-> Run NPM commmand directly in JS !
-
-Thanks for [npm/cli: the package manager for JavaScript (github.com)](https://github.com/npm/cli)
-
-## Usage
-
-1. Run `npm install npm-js-interface` to install
-
-2. ```javascript
-   let npm = require('npm-js-interface');
-   ```
-
-3. ```javascript
-   npm("npm help");
-   npm("npm list");
-   npm("npm install hello-world");
-   //...
-   ```

node/node_modules/npm/bin/npm-prefix.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+// This is a single-use bin to help windows discover the proper prefix for npm
+// without having to load all of npm first
+// It does not accept argv params
+
+const path = require('node:path')
+const Config = require('@npmcli/config')
+const { definitions, flatten, shorthands } = require('@npmcli/config/lib/definitions')
+const config = new Config({
+  npmPath: path.dirname(__dirname),
+  // argv is explicitly not looked at since prefix is not something that can be changed via argv
+  argv: [],
+  definitions,
+  flatten,
+  shorthands,
+  excludeNpmCwd: false,
+})
+
+async function main () {
+  try {
+    await config.load()
+    // eslint-disable-next-line no-console
+    console.log(config.globalPrefix)
+  } catch (err) {
+    // eslint-disable-next-line no-console
+    console.error(err)
+    process.exit(1)
+  }
+}
+main()

node/node_modules/npm/bin/npm.ps1

@@ -0,0 +1,32 @@
+#!/usr/bin/env pwsh
+
+$NODE_EXE="$PSScriptRoot/node.exe"
+if (-not (Test-Path $NODE_EXE)) {
+  $NODE_EXE="$PSScriptRoot/node"
+}
+if (-not (Test-Path $NODE_EXE)) {
+  $NODE_EXE="node"
+}
+
+$NPM_PREFIX_JS="$PSScriptRoot/node_modules/npm/bin/npm-prefix.js"
+$NPM_CLI_JS="$PSScriptRoot/node_modules/npm/bin/npm-cli.js"
+$NPM_PREFIX=(& $NODE_EXE $NPM_PREFIX_JS)
+
+if ($LASTEXITCODE -ne 0) {
+  Write-Host "Could not determine Node.js install directory"
+  exit 1
+}
+
+$NPM_PREFIX_NPM_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npm-cli.js"
+if (Test-Path $NPM_PREFIX_NPM_CLI_JS) {
+  $NPM_CLI_JS=$NPM_PREFIX_NPM_CLI_JS
+}
+
+# Support pipeline input
+if ($MyInvocation.ExpectingInput) {
+  $input | & $NODE_EXE $NPM_CLI_JS $args
+} else {
+  & $NODE_EXE $NPM_CLI_JS $args
+}
+
+exit $LASTEXITCODE

node/node_modules/npm/bin/npx.ps1

@@ -0,0 +1,32 @@
+#!/usr/bin/env pwsh
+
+$NODE_EXE="$PSScriptRoot/node.exe"
+if (-not (Test-Path $NODE_EXE)) {
+  $NODE_EXE="$PSScriptRoot/node"
+}
+if (-not (Test-Path $NODE_EXE)) {
+  $NODE_EXE="node"
+}
+
+$NPM_PREFIX_JS="$PSScriptRoot/node_modules/npm/bin/npm-prefix.js"
+$NPX_CLI_JS="$PSScriptRoot/node_modules/npm/bin/npx-cli.js"
+$NPM_PREFIX=(& $NODE_EXE $NPM_PREFIX_JS)
+
+if ($LASTEXITCODE -ne 0) {
+  Write-Host "Could not determine Node.js install directory"
+  exit 1
+}
+
+$NPM_PREFIX_NPX_CLI_JS="$NPM_PREFIX/node_modules/npm/bin/npx-cli.js"
+if (Test-Path $NPM_PREFIX_NPX_CLI_JS) {
+  $NPX_CLI_JS=$NPM_PREFIX_NPX_CLI_JS
+}
+
+# Support pipeline input
+if ($MyInvocation.ExpectingInput) {
+  $input | & $NODE_EXE $NPX_CLI_JS $args
+} else {
+  & $NODE_EXE $NPX_CLI_JS $args
+}
+
+exit $LASTEXITCODE

node/node_modules/npm/docs/content/commands/npm-bin.md

@@ -1,58 +0,0 @@
----
-title: npm-bin
-section: 1
-description: Display npm bin folder
----
-
-### Synopsis
-
-<!-- AUTOGENERATED USAGE DESCRIPTIONS START -->
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/commands/bin.js -->
-
-```bash
-npm bin
-```
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/commands/bin.js -->
-
-<!-- AUTOGENERATED USAGE DESCRIPTIONS END -->
-
-Note: This command is unaware of workspaces.
-
-### Description
-
-Print the folder where npm will install executables.
-
-### Configuration
-
-<!-- AUTOGENERATED CONFIG DESCRIPTIONS START -->
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-#### `global`
-
-* Default: false
-* Type: Boolean
-
-Operates in "global" mode, so that packages are installed into the `prefix`
-folder instead of the current working directory. See
-[folders](/configuring-npm/folders) for more on the differences in behavior.
-
-* packages are installed into the `{prefix}/lib/node_modules` folder, instead
-  of the current working directory.
-* bin files are linked to `{prefix}/bin`
-* man pages are linked to `{prefix}/share/man`
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-
-<!-- AUTOGENERATED CONFIG DESCRIPTIONS END -->
-
-### See Also
-
-* [npm prefix](/commands/npm-prefix)
-* [npm root](/commands/npm-root)
-* [npm folders](/configuring-npm/folders)
-* [npm config](/commands/npm-config)
-* [npmrc](/configuring-npm/npmrc)

node/node_modules/npm/docs/content/commands/npm-login.md

@@ -0,0 +1,93 @@
+---
+title: npm-login
+section: 1
+description: Login to a registry user account
+---
+
+### Synopsis
+
+```bash
+npm login
+```
+
+Note: This command is unaware of workspaces.
+
+### Description
+
+Verify a user in the specified registry, and save the credentials to the
+`.npmrc` file. If no registry is specified, the default registry will be
+used (see [`config`](/using-npm/config)).
+
+When using `legacy` for your `auth-type`, the username and password, are
+read in from prompts.
+
+To reset your password, go to <https://www.npmjs.com/forgot>
+
+To change your email address, go to <https://www.npmjs.com/email-edit>
+
+You may use this command multiple times with the same user account to
+authorize on a new machine.  When authenticating on a new machine,
+the username, password and email address must all match with
+your existing record.
+
+### Configuration
+
+#### `registry`
+
+* Default: "https://registry.npmjs.org/"
+* Type: URL
+
+The base URL of the npm registry.
+
+
+
+#### `scope`
+
+* Default: the scope of the current project, if any, or ""
+* Type: String
+
+Associate an operation with a scope for a scoped registry.
+
+Useful when logging in to or out of a private registry:
+
+```
+# log in, linking the scope to the custom registry
+npm login --scope=@mycorp --registry=https://registry.mycorp.com
+
+# log out, removing the link and the auth token
+npm logout --scope=@mycorp
+```
+
+This will cause `@mycorp` to be mapped to the registry for future
+installation of packages specified according to the pattern
+`@mycorp/package`.
+
+This will also cause `npm init` to create a scoped package.
+
+```
+# accept all defaults, and create a package named "@foo/whatever",
+# instead of just named "whatever"
+npm init --scope=@foo --yes
+```
+
+
+
+#### `auth-type`
+
+* Default: "web"
+* Type: "legacy" or "web"
+
+What authentication strategy to use with `login`. Note that if an `otp`
+config is given, this value will always be set to `legacy`.
+
+
+
+### See Also
+
+* [npm registry](/using-npm/registry)
+* [npm config](/commands/npm-config)
+* [npmrc](/configuring-npm/npmrc)
+* [npm owner](/commands/npm-owner)
+* [npm whoami](/commands/npm-whoami)
+* [npm token](/commands/npm-token)
+* [npm profile](/commands/npm-profile)

node/node_modules/npm/docs/content/commands/npm-query.md

@@ -0,0 +1,272 @@
+---
+title: npm-query
+section: 1
+description: Dependency selector query
+---
+
+### Synopsis
+
+```bash
+npm query <selector>
+```
+
+### Description
+
+The `npm query` command allows for usage of css selectors in order to retrieve
+an array of dependency objects.
+
+### Piping npm query to other commands
+
+```bash
+# find all dependencies with postinstall scripts & uninstall them
+npm query ":attr(scripts, [postinstall])" | jq 'map(.name)|join("\n")' -r | xargs -I {} npm uninstall {}
+
+# find all git dependencies & explain who requires them
+npm query ":type(git)" | jq 'map(.name)' | xargs -I {} npm why {}
+```
+
+### Extended Use Cases & Queries
+
+```stylus
+// all deps
+*
+
+// all direct deps
+:root > *
+
+// direct production deps
+:root > .prod
+
+// direct development deps
+:root > .dev
+
+// any peer dep of a direct deps
+:root > * > .peer
+
+// any workspace dep
+.workspace
+
+// all workspaces that depend on another workspace
+.workspace > .workspace
+
+// all workspaces that have peer deps
+.workspace:has(.peer)
+
+// any dep named "lodash"
+// equivalent to [name="lodash"]
+#lodash
+
+// any deps named "lodash" & within semver range ^"1.2.3"
+#lodash@^1.2.3
+// equivalent to...
+[name="lodash"]:semver(^1.2.3)
+
+// get the hoisted node for a given semver range
+#lodash@^1.2.3:not(:deduped)
+
+// querying deps with a specific version
+#lodash@2.1.5
+// equivalent to...
+[name="lodash"][version="2.1.5"]
+
+// has any deps
+:has(*)
+
+// deps with no other deps (ie. "leaf" nodes)
+:empty
+
+// manually querying git dependencies
+[repository^=github:],
+[repository^=git:],
+[repository^=https://github.com],
+[repository^=http://github.com],
+[repository^=https://github.com],
+[repository^=+git:...]
+
+// querying for all git dependencies
+:type(git)
+
+// get production dependencies that aren't also dev deps
+.prod:not(.dev)
+
+// get dependencies with specific licenses
+[license=MIT], [license=ISC]
+
+// find all packages that have @ruyadorno as a contributor
+:attr(contributors, [email=ruyadorno@github.com])
+```
+
+### Example Response Output
+
+- an array of dependency objects is returned which can contain multiple copies of the same package which may or may not have been linked or deduped
+
+```json
+[
+  {
+    "name": "",
+    "version": "",
+    "description": "",
+    "homepage": "",
+    "bugs": {},
+    "author": {},
+    "license": {},
+    "funding": {},
+    "files": [],
+    "main": "",
+    "browser": "",
+    "bin": {},
+    "man": [],
+    "directories": {},
+    "repository": {},
+    "scripts": {},
+    "config": {},
+    "dependencies": {},
+    "devDependencies": {},
+    "optionalDependencies": {},
+    "bundledDependencies": {},
+    "peerDependencies": {},
+    "peerDependenciesMeta": {},
+    "engines": {},
+    "os": [],
+    "cpu": [],
+    "workspaces": {},
+    "keywords": [],
+    ...
+  },
+  ...
+```
+
+### Expecting a certain number of results
+
+One common use of `npm query` is to make sure there is only one version of
+a certain dependency in your tree.  This is especially common for
+ecosystems like that rely on `typescript` where having state split
+across two different but identically-named packages causes bugs.  You
+can use the `--expect-results` or `--expect-result-count` in your setup
+to ensure that npm will exit with an exit code if your tree doesn't look
+like you want it to.
+
+
+```sh
+$ npm query '#react' --expect-result-count=1
+```
+
+Perhaps you want to quickly check if there are any production
+dependencies that could be updated:
+
+```sh
+$ npm query ':root>:outdated(in-range).prod' --no-expect-results
+```
+
+### Package lock only mode
+
+If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded.  This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).
+
+### Configuration
+
+#### `global`
+
+* Default: false
+* Type: Boolean
+
+Operates in "global" mode, so that packages are installed into the `prefix`
+folder instead of the current working directory. See
+[folders](/configuring-npm/folders) for more on the differences in behavior.
+
+* packages are installed into the `{prefix}/lib/node_modules` folder, instead
+  of the current working directory.
+* bin files are linked to `{prefix}/bin`
+* man pages are linked to `{prefix}/share/man`
+
+
+
+#### `workspace`
+
+* Default:
+* Type: String (can be set multiple times)
+
+Enable running a command in the context of the configured workspaces of the
+current project while filtering by running only the workspaces defined by
+this configuration option.
+
+Valid values for the `workspace` config are either:
+
+* Workspace names
+* Path to a workspace directory
+* Path to a parent workspace directory (will result in selecting all
+  workspaces within that folder)
+
+When set for the `npm init` command, this may be set to the folder of a
+workspace which does not yet exist, to create the folder and set it up as a
+brand new workspace within the project.
+
+This value is not exported to the environment for child processes.
+
+#### `workspaces`
+
+* Default: null
+* Type: null or Boolean
+
+Set to true to run the command in the context of **all** configured
+workspaces.
+
+Explicitly setting this to false will cause commands like `install` to
+ignore workspaces altogether. When not set explicitly:
+
+- Commands that operate on the `node_modules` tree (install, update, etc.)
+will link workspaces into the `node_modules` folder. - Commands that do
+other things (test, exec, publish, etc.) will operate on the root project,
+_unless_ one or more workspaces are specified in the `workspace` config.
+
+This value is not exported to the environment for child processes.
+
+#### `include-workspace-root`
+
+* Default: false
+* Type: Boolean
+
+Include the workspace root when workspaces are enabled for a command.
+
+When false, specifying individual workspaces via the `workspace` config, or
+all workspaces via the `workspaces` flag, will cause npm to operate only on
+the specified workspaces, and not on the root project.
+
+This value is not exported to the environment for child processes.
+
+#### `package-lock-only`
+
+* Default: false
+* Type: Boolean
+
+If set to true, the current operation will only use the `package-lock.json`,
+ignoring `node_modules`.
+
+For `update` this means only the `package-lock.json` will be updated,
+instead of checking `node_modules` and downloading dependencies.
+
+For `list` this means the output will be based on the tree described by the
+`package-lock.json`, rather than the contents of `node_modules`.
+
+
+
+#### `expect-results`
+
+* Default: null
+* Type: null or Boolean
+
+Tells npm whether or not to expect results from the command. Can be either
+true (expect some results) or false (expect no results).
+
+This config can not be used with: `expect-result-count`
+
+#### `expect-result-count`
+
+* Default: null
+* Type: null or Number
+
+Tells to expect a specific number of results from the command.
+
+This config can not be used with: `expect-results`
+## See Also
+
+* [dependency selectors](/using-npm/dependency-selectors)

node/node_modules/npm/docs/content/commands/npm-sbom.md

@@ -0,0 +1,318 @@
+---
+title: npm-sbom
+section: 1
+description: Generate a Software Bill of Materials (SBOM)
+---
+
+### Synopsis
+
+```bash
+npm sbom
+```
+
+### Description
+
+The `npm sbom` command generates a Software Bill of Materials (SBOM) listing the
+dependencies for the current project. SBOMs can be generated in either
+[SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) format.
+
+### Example CycloneDX SBOM
+
+```json
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2023-09-01T00:00:00.001Z",
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "tools": [
+      {
+        "vendor": "npm",
+        "name": "cli",
+        "version": "10.1.0"
+      }
+    ],
+    "component": {
+      "bom-ref": "simple@1.0.0",
+      "type": "library",
+      "name": "simple",
+      "version": "1.0.0",
+      "scope": "required",
+      "author": "John Doe",
+      "description": "simple react app",
+      "purl": "pkg:npm/simple@1.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        }
+      ],
+      "externalReferences": [],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "lodash@4.17.21",
+      "type": "library",
+      "name": "lodash",
+      "version": "4.17.21",
+      "scope": "required",
+      "author": "John-David Dalton",
+      "description": "Lodash modular utilities.",
+      "purl": "pkg:npm/lodash@4.17.21",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/lodash"
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+        },
+        {
+          "type": "vcs",
+          "url": "git+https://github.com/lodash/lodash.git"
+        },
+        {
+          "type": "website",
+          "url": "https://lodash.com/"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/lodash/lodash/issues"
+        }
+      ],
+      "hashes": [
+        {
+          "alg": "SHA-512",
+          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "simple@1.0.0",
+      "dependsOn": [
+        "lodash@4.17.21"
+      ]
+    },
+    {
+      "ref": "lodash@4.17.21",
+      "dependsOn": []
+    }
+  ]
+}
+```
+
+### Example SPDX SBOM
+
+```json
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "simple@1.0.0",
+  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
+  "creationInfo": {
+    "created": "2023-09-01T00:00:00.001Z",
+    "creators": [
+      "Tool: npm/cli-10.1.0"
+    ]
+  },
+  "documentDescribes": [
+    "SPDXRef-Package-simple-1.0.0"
+  ],
+  "packages": [
+    {
+      "name": "simple",
+      "SPDXID": "SPDXRef-Package-simple-1.0.0",
+      "versionInfo": "1.0.0",
+      "packageFileName": "",
+      "description": "simple react app",
+      "primaryPackagePurpose": "LIBRARY",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/simple@1.0.0"
+        }
+      ]
+    },
+    {
+      "name": "lodash",
+      "SPDXID": "SPDXRef-Package-lodash-4.17.21",
+      "versionInfo": "4.17.21",
+      "packageFileName": "node_modules/lodash",
+      "description": "Lodash modular utilities.",
+      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "filesAnalyzed": false,
+      "homepage": "https://lodash.com/",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/lodash@4.17.21"
+        }
+      ],
+      "checksums": [
+        {
+          "algorithm": "SHA512",
+          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
+        }
+      ]
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-simple-1.0.0",
+      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
+      "relationshipType": "DEPENDS_ON"
+    }
+  ]
+}
+```
+
+### Package lock only mode
+
+If package-lock-only is enabled, only the information in the package
+lock (or shrinkwrap) is loaded.  This means that information from the
+package.json files of your dependencies will not be included in the
+result set (e.g. description, homepage, engines).
+
+### Configuration
+
+#### `omit`
+
+* Default: 'dev' if the `NODE_ENV` environment variable is set to
+  'production', otherwise empty.
+* Type: "dev", "optional", or "peer" (can be set multiple times)
+
+Dependency types to omit from the installation tree on disk.
+
+Note that these dependencies _are_ still resolved and added to the
+`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
+physically installed on disk.
+
+If a package type appears in both the `--include` and `--omit` lists, then
+it will be included.
+
+If the resulting omit list includes `'dev'`, then the `NODE_ENV` environment
+variable will be set to `'production'` for all lifecycle scripts.
+
+
+
+#### `package-lock-only`
+
+* Default: false
+* Type: Boolean
+
+If set to true, the current operation will only use the `package-lock.json`,
+ignoring `node_modules`.
+
+For `update` this means only the `package-lock.json` will be updated,
+instead of checking `node_modules` and downloading dependencies.
+
+For `list` this means the output will be based on the tree described by the
+`package-lock.json`, rather than the contents of `node_modules`.
+
+
+
+#### `sbom-format`
+
+* Default: null
+* Type: "cyclonedx" or "spdx"
+
+SBOM format to use when generating SBOMs.
+
+
+
+#### `sbom-type`
+
+* Default: "library"
+* Type: "library", "application", or "framework"
+
+The type of package described by the generated SBOM. For SPDX, this is the
+value for the `primaryPackagePurpose` field. For CycloneDX, this is the
+value for the `type` field.
+
+
+
+#### `workspace`
+
+* Default:
+* Type: String (can be set multiple times)
+
+Enable running a command in the context of the configured workspaces of the
+current project while filtering by running only the workspaces defined by
+this configuration option.
+
+Valid values for the `workspace` config are either:
+
+* Workspace names
+* Path to a workspace directory
+* Path to a parent workspace directory (will result in selecting all
+  workspaces within that folder)
+
+When set for the `npm init` command, this may be set to the folder of a
+workspace which does not yet exist, to create the folder and set it up as a
+brand new workspace within the project.
+
+This value is not exported to the environment for child processes.
+
+#### `workspaces`
+
+* Default: null
+* Type: null or Boolean
+
+Set to true to run the command in the context of **all** configured
+workspaces.
+
+Explicitly setting this to false will cause commands like `install` to
+ignore workspaces altogether. When not set explicitly:
+
+- Commands that operate on the `node_modules` tree (install, update, etc.)
+will link workspaces into the `node_modules` folder. - Commands that do
+other things (test, exec, publish, etc.) will operate on the root project,
+_unless_ one or more workspaces are specified in the `workspace` config.
+
+This value is not exported to the environment for child processes.
+## See Also
+
+* [package spec](/using-npm/package-spec)
+* [dependency selectors](/using-npm/dependency-selectors)
+* [package.json](/configuring-npm/package-json)
+* [workspaces](/using-npm/workspaces)

node/node_modules/npm/docs/content/commands/npm-set-script.md

@@ -1,114 +0,0 @@
----
-title: npm-set-script
-section: 1
-description: Set tasks in the scripts section of package.json
----
-
-### Synopsis
-An npm command that lets you create a task in the `scripts` section of the `package.json`.
-
-Deprecated.
-
-<!-- AUTOGENERATED USAGE DESCRIPTIONS START -->
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/commands/set-script.js -->
-
-```bash
-npm set-script [<script>] [<command>]
-```
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/commands/set-script.js -->
-
-<!-- AUTOGENERATED USAGE DESCRIPTIONS END -->
-
-
-**Example:**
-
-* `npm set-script start "http-server ."`
-
-```json
-{
-  "name": "my-project",
-  "scripts": {
-    "start": "http-server .",
-    "test": "some existing value"
-  }
-}
-```
-
-### Configuration
-
-<!-- AUTOGENERATED CONFIG DESCRIPTIONS START -->
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-#### `workspace`
-
-* Default:
-* Type: String (can be set multiple times)
-
-Enable running a command in the context of the configured workspaces of the
-current project while filtering by running only the workspaces defined by
-this configuration option.
-
-Valid values for the `workspace` config are either:
-
-* Workspace names
-* Path to a workspace directory
-* Path to a parent workspace directory (will result in selecting all
-  workspaces within that folder)
-
-When set for the `npm init` command, this may be set to the folder of a
-workspace which does not yet exist, to create the folder and set it up as a
-brand new workspace within the project.
-
-This value is not exported to the environment for child processes.
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-
-#### `workspaces`
-
-* Default: null
-* Type: null or Boolean
-
-Set to true to run the command in the context of **all** configured
-workspaces.
-
-Explicitly setting this to false will cause commands like `install` to
-ignore workspaces altogether. When not set explicitly:
-
-- Commands that operate on the `node_modules` tree (install, update, etc.)
-will link workspaces into the `node_modules` folder. - Commands that do
-other things (test, exec, publish, etc.) will operate on the root project,
-_unless_ one or more workspaces are specified in the `workspace` config.
-
-This value is not exported to the environment for child processes.
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-
-#### `include-workspace-root`
-
-* Default: false
-* Type: Boolean
-
-Include the workspace root when workspaces are enabled for a command.
-
-When false, specifying individual workspaces via the `workspace` config, or
-all workspaces via the `workspaces` flag, will cause npm to operate only on
-the specified workspaces, and not on the root project.
-
-This value is not exported to the environment for child processes.
-
-<!-- automatically generated, do not edit manually -->
-<!-- see lib/utils/config/definitions.js -->
-
-<!-- AUTOGENERATED CONFIG DESCRIPTIONS END -->
-
-### See Also
-
-* [npm run-script](/commands/npm-run-script)
-* [npm install](/commands/npm-install)
-* [npm test](/commands/npm-test)
-* [npm start](/commands/npm-start)

node/node_modules/npm/docs/content/using-npm/dependency-selectors.md

@@ -0,0 +1,223 @@
+---
+title: Dependency Selector Syntax & Querying
+section: 7
+description: Dependency Selector Syntax & Querying
+---
+
+### Description
+
+The [`npm query`](/commands/npm-query) command exposes a new dependency selector syntax (informed by & respecting many aspects of the [CSS Selectors 4 Spec](https://dev.w3.org/csswg/selectors4/#relational)) which:
+
+- Standardizes the shape of, & querying of, dependency graphs with a robust object model, metadata & selector syntax
+- Leverages existing, known language syntax & operators from CSS to make disparate package information broadly accessible
+- Unlocks the ability to answer complex, multi-faceted questions about dependencies, their relationships & associative metadata
+- Consolidates redundant logic of similar query commands in `npm` (ex. `npm fund`, `npm ls`, `npm outdated`, `npm audit` ...)
+
+### Dependency Selector Syntax
+
+#### Overview:
+
+- there is no "type" or "tag" selectors (ex. `div, h1, a`) as a dependency/target is the only type of `Node` that can be queried
+- the term "dependencies" is in reference to any `Node` found in a `tree` returned by `Arborist`
+
+#### Combinators
+
+- `>` direct descendant/child
+- ` ` any descendant/child
+- `~` sibling
+
+#### Selectors
+
+- `*` universal selector
+- `#<name>` dependency selector (equivalent to `[name="..."]`)
+- `#<name>@<version>` (equivalent to `[name=<name>]:semver(<version>)`)
+- `,` selector list delimiter
+- `.` dependency type selector
+- `:` pseudo selector
+
+#### Dependency Type Selectors
+
+- `.prod` dependency found in the `dependencies` section of `package.json`, or is a child of said dependency
+- `.dev` dependency found in the `devDependencies` section of `package.json`, or is a child of said dependency
+- `.optional` dependency found in the `optionalDependencies` section of `package.json`, or has `"optional": true` set in its entry in the `peerDependenciesMeta` section of `package.json`, or a child of said dependency
+- `.peer` dependency found in the `peerDependencies` section of `package.json`
+- `.workspace` dependency found in the [`workspaces`](https://docs.npmjs.com/cli/v8/using-npm/workspaces) section of `package.json`
+- `.bundled` dependency found in the `bundleDependencies` section of `package.json`, or is a child of said dependency
+
+#### Pseudo Selectors
+- [`:not(<selector>)`](https://developer.mozilla.org/en-US/docs/Web/CSS/:not)
+- [`:has(<selector>)`](https://developer.mozilla.org/en-US/docs/Web/CSS/:has)
+- [`:is(<selector list>)`](https://developer.mozilla.org/en-US/docs/Web/CSS/:is)
+- [`:root`](https://developer.mozilla.org/en-US/docs/Web/CSS/:root) matches the root node/dependency
+- [`:scope`](https://developer.mozilla.org/en-US/docs/Web/CSS/:scope) matches node/dependency it was queried against
+- [`:empty`](https://developer.mozilla.org/en-US/docs/Web/CSS/:empty) when a dependency has no dependencies
+- [`:private`](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#private) when a dependency is private
+- `:link` when a dependency is linked (for instance, workspaces or packages manually [`linked`](https://docs.npmjs.com/cli/v8/commands/npm-link)
+- `:deduped` when a dependency has been deduped (note that this does *not* always mean the dependency has been hoisted to the root of node_modules)
+- `:overridden` when a dependency has been overridden
+- `:extraneous` when a dependency exists but is not defined as a dependency of any node
+- `:invalid` when a dependency version is out of its ancestors specified range
+- `:missing` when a dependency is not found on disk
+- `:semver(<spec>, [selector], [function])` match a valid [`node-semver`](https://github.com/npm/node-semver) version or range to a selector
+- `:path(<path>)` [glob](https://www.npmjs.com/package/glob) matching based on dependencies path relative to the project
+- `:type(<type>)` [based on currently recognized types](https://github.com/npm/npm-package-arg#result-object)
+- `:outdated(<type>)` when a dependency is outdated
+- `:vuln(<selector>)` when a dependency has a known vulnerability
+
+##### `:semver(<spec>, [selector], [function])`
+
+The `:semver()` pseudo selector allows comparing fields from each node's `package.json` using [semver](https://github.com/npm/node-semver#readme) methods. It accepts up to 3 parameters, all but the first of which are optional.
+
+- `spec` a semver version or range
+- `selector` an attribute selector for each node (default `[version]`)
+- `function` a semver method to apply, one of: `satisfies`, `intersects`, `subset`, `gt`, `gte`, `gtr`, `lt`, `lte`, `ltr`, `eq`, `neq` or the special function `infer` (default `infer`)
+
+When the special `infer` function is used the `spec` and the actual value from the node are compared. If both are versions, according to `semver.valid()`, `eq` is used. If both values are ranges, according to `!semver.valid()`, `intersects` is used. If the values are mixed types `satisfies` is used.
+
+Some examples:
+
+- `:semver(^1.0.0)` returns every node that has a `version` satisfied by the provided range `^1.0.0`
+- `:semver(16.0.0, :attr(engines, [node]))` returns every node which has an `engines.node` property satisfying the version `16.0.0`
+- `:semver(1.0.0, [version], lt)` every node with a `version` less than `1.0.0`
+
+##### `:outdated(<type>)`
+
+The `:outdated` pseudo selector retrieves data from the registry and returns information about which of your dependencies are outdated. The type parameter may be one of the following:
+
+- `any` (default) a version exists that is greater than the current one
+- `in-range` a version exists that is greater than the current one, and satisfies at least one if its parent's dependencies
+- `out-of-range` a version exists that is greater than the current one, does not satisfy at least one of its parent's dependencies
+- `major` a version exists that is a semver major greater than the current one
+- `minor` a version exists that is a semver minor greater than the current one
+- `patch` a version exists that is a semver patch greater than the current one
+
+In addition to the filtering performed by the pseudo selector, some extra data is added to the resulting objects. The following data can be found under the `queryContext` property of each node.
+
+- `versions` an array of every available version of the given node
+- `outdated.inRange` an array of objects, each with a `from` and `versions`, where `from` is the on-disk location of the node that depends on the current node and `versions` is an array of all available versions that satisfies that dependency. This is only populated if `:outdated(in-range)` is used.
+- `outdated.outOfRange` an array of objects, identical in shape to `inRange`, but where the `versions` array is every available version that does not satisfy the dependency. This is only populated if `:outdated(out-of-range)` is used.
+
+Some examples:
+
+- `:root > :outdated(major)` returns every direct dependency that has a new semver major release
+- `.prod:outdated(in-range)` returns production dependencies that have a new release that satisfies at least one of its parent's dependencies
+
+##### `:vuln`
+
+The `:vuln` pseudo selector retrieves data from the registry and returns information about which if your dependencies has a known vulnerability.  Only dependencies whose current version matches a vulnerability will be returned.  For example if you have `semver@7.6.0` in your tree, a vulnerability for `semver` which affects versions `<=6.3.1` will not match.
+
+You can also filter results by certain attributes in advisories.  Currently that includes `severity` and `cwe`.  Note that severity filtering is done per severity, it does not include severities "higher" or "lower" than the one specified.
+
+In addition to the filtering performed by the pseudo selector, info about each relevant advisory will be added to the `queryContext` attribute of each node under the `advisories` attribute.
+
+Some examples:
+
+- `:root > .prod:vuln` returns direct production dependencies with any known vulnerability
+- `:vuln([severity=high])` returns only dependencies with a vulnerability with a `high` severity.
+- `:vuln([severity=high],[severity=moderate])` returns only dependencies with a vulnerability with a `high`  or `moderate` severity.
+- `:vuln([cwe=1333])` returns only dependencies with a vulnerability that includes CWE-1333 (ReDoS)
+
+#### [Attribute Selectors](https://developer.mozilla.org/en-US/docs/Web/CSS/Attribute_selectors)
+
+The attribute selector evaluates the key/value pairs in `package.json` if they are `String`s.
+
+- `[]` attribute selector (ie. existence of attribute)
+- `[attribute=value]` attribute value is equivalent...
+- `[attribute~=value]` attribute value contains word...
+- `[attribute*=value]` attribute value contains string...
+- `[attribute|=value]` attribute value is equal to or starts with...
+- `[attribute^=value]` attribute value starts with...
+- `[attribute$=value]` attribute value ends with...
+
+#### `Array` & `Object` Attribute Selectors
+
+The generic `:attr()` pseudo selector standardizes a pattern which can be used for attribute selection of `Object`s, `Array`s or `Arrays` of `Object`s accessible via `Arborist`'s `Node.package` metadata. This allows for iterative attribute selection beyond top-level `String` evaluation. The last argument passed to `:attr()` must be an `attribute` selector or a nested `:attr()`. See examples below:
+
+#### `Objects`
+
+```css
+/* return dependencies that have a `scripts.test` containing `"tap"` */
+*:attr(scripts, [test~=tap])
+```
+
+#### Nested `Objects`
+
+Nested objects are expressed as sequential arguments to `:attr()`.
+
+```css
+/* return dependencies that have a testling config for opera browsers */
+*:attr(testling, browsers, [~=opera])
+```
+
+#### `Arrays`
+
+`Array`s specifically uses a special/reserved `.` character in place of a typical attribute name. `Arrays` also support exact `value` matching when a `String` is passed to the selector.
+
+##### Example of an `Array` Attribute Selection:
+```css
+/* removes the distinction between properties & arrays */
+/* ie. we'd have to check the property & iterate to match selection */
+*:attr([keywords^=react])
+*:attr(contributors, :attr([name~=Jordan]))
+```
+
+##### Example of an `Array` matching directly to a value:
+```css
+/* return dependencies that have the exact keyword "react" */
+/* this is equivalent to `*:keywords([value="react"])` */
+*:attr([keywords=react])
+```
+
+##### Example of an `Array` of `Object`s:
+```css
+/* returns */
+*:attr(contributors, [email=ruyadorno@github.com])
+```
+
+### Groups
+
+Dependency groups are defined by the package relationships to their ancestors (ie. the dependency types that are defined in `package.json`). This approach is user-centric as the ecosystem has been taught to think about dependencies in these groups first-and-foremost. Dependencies are allowed to be included in multiple groups (ex. a `prod` dependency may also be a `dev` dependency (in that it's also required by another `dev` dependency) & may also be `bundled` - a selector for that type of dependency would look like: `*.prod.dev.bundled`).
+
+- `.prod`
+- `.dev`
+- `.optional`
+- `.peer`
+- `.bundled`
+- `.workspace`
+
+Please note that currently `workspace` deps are always `prod` dependencies.  Additionally the `.root` dependency is also considered a `prod` dependency.
+
+### Programmatic Usage
+
+- `Arborist`'s `Node` Class has a `.querySelectorAll()` method
+  - this method will return a filtered, flattened dependency Arborist `Node` list based on a valid query selector
+
+```js
+const Arborist = require('@npmcli/arborist')
+const arb = new Arborist({})
+```
+
+```js
+// root-level
+arb.loadActual().then(async (tree) => {
+  // query all production dependencies
+  const results = await tree.querySelectorAll('.prod')
+  console.log(results)
+})
+```
+
+```js
+// iterative
+arb.loadActual().then(async (tree) => {
+  // query for the deduped version of react
+  const results = await tree.querySelectorAll('#react:not(:deduped)')
+  // query the deduped react for git deps
+  const deps = await results[0].querySelectorAll(':type(git)')
+  console.log(deps)
+})
+```
+
+## See Also
+
+* [npm query](/commands/npm-query)
+* [@npmcli/arborist](https://npm.im/@npmcli/arborist)