npm: Upgrade to v1.2.15

Author: isaacs

deps/npm/doc/cli/disputes.md

@@ -15,9 +15,9 @@ There sometimes arise cases where a user publishes a module, and then
 later, some other user wants to use that name.  Here are some common
 ways that happens (each of these is based on actual events.)
 
-1. Bob writes a JavaScript module `foo`, which is not node-specific.
-   Bob doesn't use node at all.  Joe wants to use `foo` in node, so he
-   wraps it in an npm module.  Some time later, Bob starts using node,
+1. Joe writes a JavaScript module `foo`, which is not node-specific.
+   Joe doesn't use node at all.  Bob   wants to use `foo` in node, so he
+   wraps it in an npm module.  Some time later, Joe starts using node,
    and wants to take over management of his program.
 2. Bob writes an npm module `foo`, and publishes it.  Perhaps much
    later, Joe finds a bug in `foo`, and fixes it.  He sends a pull
@@ -49,7 +49,8 @@ Joe's appropriate course of action in each case is the same.
    the `foo` package.
 3. After a reasonable amount of time, if Bob has not responded, or if
    Bob and Joe can't come to any sort of resolution, email isaacs
-   <i@izs.me> and we'll sort it out.
+   <i@izs.me> and we'll sort it out.  ("Reasonable" is usually about 4
+   weeks, but extra time is allowed around common holidays.)
 
 ## REASONING
 
@@ -71,17 +72,23 @@ Some things are not allowed, and will be removed without discussion if
 they are brought to the attention of the npm registry admins, including
 but not limited to:
 
-1. Malware (that is, a module designed to exploit or harm the machine on
-   which it is installed)
+1. Malware (that is, a package designed to exploit or harm the machine on
+   which it is installed).
 2. Violations of copyright or licenses (for example, cloning an
    MIT-licensed program, and then removing or changing the copyright and
-   license statement)
+   license statement).
 3. Illegal content.
 4. "Squatting" on a package name that you *plan* to use, but aren't
    actually using.  Sorry, I don't care how great the name is, or how
    perfect a fit it is for the thing that someday might happen.  If
    someone wants to use it today, and you're just taking up space with
    an empty tarball, you're going to be evicted.
+5. Putting empty packages in the registry.  Packages must have SOME
+   functionality.  It can be silly, but it can't be *nothing*.  (See
+   also: squatting.)
+6. Doing weird things with the registry, like using it as your own
+   personal application database or otherwise putting non-packagey
+   things into it.
 
 If you see bad behavior like this, please report it right away.
 

deps/npm/html/doc/disputes.html

@@ -20,9 +20,9 @@ <h2 id="DESCRIPTION">DESCRIPTION</h2>
 later, some other user wants to use that name.  Here are some common
 ways that happens (each of these is based on actual events.)</p>
 
-<ol><li>Bob writes a JavaScript module <code>foo</code>, which is not node-specific.
-Bob doesn&#39;t use node at all.  Joe wants to use <code>foo</code> in node, so he
-wraps it in an npm module.  Some time later, Bob starts using node,
+<ol><li>Joe writes a JavaScript module <code>foo</code>, which is not node-specific.
+Joe doesn&#39;t use node at all.  Bob   wants to use <code>foo</code> in node, so he
+wraps it in an npm module.  Some time later, Joe starts using node,
 and wants to take over management of his program.</li><li>Bob writes an npm module <code>foo</code>, and publishes it.  Perhaps much
 later, Joe finds a bug in <code>foo</code>, and fixes it.  He sends a pull
 request to Bob, but Bob doesn&#39;t have the time to deal with it,
@@ -49,7 +49,8 @@ <h2 id="DESCRIPTION">DESCRIPTION</h2>
 that Bob can run <code>npm owner add joe foo</code> to add Joe as an owner of
 the <code>foo</code> package.</li><li>After a reasonable amount of time, if Bob has not responded, or if
 Bob and Joe can&#39;t come to any sort of resolution, email isaacs
-<a href="mailto:i@izs.me">i@izs.me</a> and we&#39;ll sort it out.</li></ol>
+<a href="mailto:i@izs.me">i@izs.me</a> and we&#39;ll sort it out.  (&quot;Reasonable&quot; is usually about 4
+weeks, but extra time is allowed around common holidays.)</li></ol>
 
 <h2 id="REASONING">REASONING</h2>
 
@@ -71,14 +72,18 @@ <h2 id="EXCEPTIONS">EXCEPTIONS</h2>
 they are brought to the attention of the npm registry admins, including
 but not limited to:</p>
 
-<ol><li>Malware (that is, a module designed to exploit or harm the machine on
-which it is installed)</li><li>Violations of copyright or licenses (for example, cloning an
+<ol><li>Malware (that is, a package designed to exploit or harm the machine on
+which it is installed).</li><li>Violations of copyright or licenses (for example, cloning an
 MIT-licensed program, and then removing or changing the copyright and
-license statement)</li><li>Illegal content.</li><li>&quot;Squatting&quot; on a package name that you <em>plan</em> to use, but aren&#39;t
+license statement).</li><li>Illegal content.</li><li>&quot;Squatting&quot; on a package name that you <em>plan</em> to use, but aren&#39;t
 actually using.  Sorry, I don&#39;t care how great the name is, or how
 perfect a fit it is for the thing that someday might happen.  If
 someone wants to use it today, and you&#39;re just taking up space with
-an empty tarball, you&#39;re going to be evicted.</li></ol>
+an empty tarball, you&#39;re going to be evicted.</li><li>Putting empty packages in the registry.  Packages must have SOME
+functionality.  It can be silly, but it can&#39;t be <em>nothing</em>.  (See
+also: squatting.)</li><li>Doing weird things with the registry, like using it as your own
+personal application database or otherwise putting non-packagey
+things into it.</li></ol>
 
 <p>If you see bad behavior like this, please report it right away.</p>
 

deps/npm/lib/cache.js

@@ -140,6 +140,7 @@ function read (name, ver, forceBypass, cb) {
   }
 
   readJson(jsonFile, function (er, data) {
+    er = needName(er, data)
     er = needVersion(er, data)
     if (er && er.code !== "ENOENT" && er.code !== "ENOTDIR") return cb(er)
     if (er) return addNamed(name, ver, c)
@@ -722,6 +723,7 @@ function addNameVersion (name, ver, data, cb) {
       if (!er) readJson( path.join( npm.cache, name, ver
                                   , "package", "package.json" )
                        , function (er, data) {
+          er = needName(er, data)
           er = needVersion(er, data)
           if (er && er.code !== "ENOENT" && er.code !== "ENOTDIR") return cb(er)
           if (er) return fetchit()
@@ -1011,6 +1013,7 @@ function addPlacedTarball_ (p, name, uid, gid, resolvedSum, cb) {
           return cb(er)
         }
         readJson(path.join(folder, "package.json"), function (er, data) {
+          er = needName(er, data)
           er = needVersion(er, data)
           if (er) {
             log.error("addPlacedTarball", "Couldn't read json in %j"
@@ -1057,6 +1060,7 @@ function addLocalDirectory (p, name, shasum, cb) {
   if (p.indexOf(npm.cache) === 0) return cb(new Error(
     "Adding a cache directory to the cache will make the world implode."))
   readJson(path.join(p, "package.json"), function (er, data) {
+    er = needName(er, data)
     er = needVersion(er, data)
     if (er) return cb(er)
     deprCheck(data)
@@ -1183,6 +1187,12 @@ function unlock (u, cb) {
   lockFile.unlock(lockFileName(u), cb)
 }
 
+function needName(er, data) {
+  return er ? er
+       : (data && !data.name) ? new Error("No name provided")
+       : null
+}
+
 function needVersion(er, data) {
   return er ? er
        : (data && !data.version) ? new Error("No version provided")

deps/npm/man/man1/disputes.1

@@ -28,9 +28,9 @@ later, some other user wants to use that name\.  Here are some common
 ways that happens (each of these is based on actual events\.)
 .
 .IP "1" 4
-Bob writes a JavaScript module \fBfoo\fR, which is not node\-specific\.
-Bob doesn\'t use node at all\.  Joe wants to use \fBfoo\fR in node, so he
-wraps it in an npm module\.  Some time later, Bob starts using node,
+Joe writes a JavaScript module \fBfoo\fR, which is not node\-specific\.
+Joe doesn\'t use node at all\.  Bob   wants to use \fBfoo\fR in node, so he
+wraps it in an npm module\.  Some time later, Joe starts using node,
 and wants to take over management of his program\.
 .
 .IP "2" 4
@@ -75,7 +75,8 @@ the \fBfoo\fR package\.
 .
 .IP "3" 4
 After a reasonable amount of time, if Bob has not responded, or if
-Bob and Joe can\'t come to any sort of resolution, email isaacs \fIi@izs\.me\fR and we\'ll sort it out\.
+Bob and Joe can\'t come to any sort of resolution, email isaacs \fIi@izs\.me\fR and we\'ll sort it out\.  ("Reasonable" is usually about 4
+weeks, but extra time is allowed around common holidays\.)
 .
 .IP "" 0
 .
@@ -99,13 +100,13 @@ they are brought to the attention of the npm registry admins, including
 but not limited to:
 .
 .IP "1" 4
-Malware (that is, a module designed to exploit or harm the machine on
-which it is installed)
+Malware (that is, a package designed to exploit or harm the machine on
+which it is installed)\.
 .
 .IP "2" 4
 Violations of copyright or licenses (for example, cloning an
 MIT\-licensed program, and then removing or changing the copyright and
-license statement)
+license statement)\.
 .
 .IP "3" 4
 Illegal content\.
@@ -117,6 +118,16 @@ perfect a fit it is for the thing that someday might happen\.  If
 someone wants to use it today, and you\'re just taking up space with
 an empty tarball, you\'re going to be evicted\.
 .
+.IP "5" 4
+Putting empty packages in the registry\.  Packages must have SOME
+functionality\.  It can be silly, but it can\'t be \fInothing\fR\|\.  (See
+also: squatting\.)
+.
+.IP "6" 4
+Doing weird things with the registry, like using it as your own
+personal application database or otherwise putting non\-packagey
+things into it\.
+.
 .IP "" 0
 .
 .P