[pull] main from nodejs:main

SECURITY.md

@@ -114,7 +114,8 @@ does not trust is considered a vulnerability:
   * The API doesn't have a warning against its usage in a production environment.
   * The API is public and documented.
   * The API is on stable (2.0) status.
-  * The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing).
+  * The memory leak is significant enough to cause a denial of service quickly
+    or in a context not controlled by the user (for example, HTTP parsing).
   * The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
   * The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
   * The leak occurs deterministically under normal usage patterns rather than edge cases.
@@ -140,7 +141,7 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 * The data received from the remote end of outbound network connections
   that are created through the use of Node.js APIs and
   which is transformed/validated by Node.js before being passed
-  to the application EXCEPT with respect to payload length. Node.js trusts
+  to the application **except** with respect to payload length. Node.js trusts
   that applications make connections/requests which will avoid payload
   sizes that will result in a Denial of Service.
   * HTTP APIs (all flavors) client APIs.
@@ -161,9 +162,9 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
 
 **Node.js trusts everything else**. Examples include:
 
-* The developers and infrastructure that runs it.
+* The developers and infrastructure that run it.
 * The operating system that Node.js is running under and its configuration,
-  along with anything under control of the operating system.
+  along with anything under the control of the operating system.
 * The code it is asked to run, including JavaScript, WASM and native code, even
   if said code is dynamically loaded, e.g., all dependencies installed from the
   npm registry.
@@ -199,12 +200,12 @@ the community they pose.
 
 * Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
   in certificates used to connect to a TLS/SSL endpoint. If certificates can be
-  crafted which result in incorrect validation by the Node.js APIs that is
+  crafted that result in incorrect validation by the Node.js APIs that is
   considered a vulnerability.
 
 #### Inconsistent Interpretation of HTTP Requests (CWE-444)
 
-* Node.js provides APIs to accept http connections. Those APIs parse the
+* Node.js provides APIs to accept HTTP connections. Those APIs parse the
   headers received for a connection and pass them on to the application.
   Bugs in parsing those headers which can result in request smuggling are
   considered vulnerabilities.
@@ -217,9 +218,9 @@ the community they pose.
 
 #### External Control of System or Configuration Setting (CWE-15)
 
-* If Node.js automatically loads a configuration file which is not documented
+* If Node.js automatically loads a configuration file that is not documented
   and modification of that configuration can affect the confidentiality of
-  data protected using the Node.js APIs this is considered a vulnerability.
+  data protected using the Node.js APIs, then this is considered a vulnerability.
 
 ### Examples of non-vulnerabilities
 
@@ -242,7 +243,7 @@ the community they pose.
 
 #### External Control of System or Configuration Setting (CWE-15)
 
-* If Node.js automatically loads a configuration file which is documented
+* If Node.js automatically loads a configuration file that is documented,
   no scenario that requires modification of that configuration file is
   considered a vulnerability.
 
@@ -262,9 +263,9 @@ the community they pose.
 
 ## Assessing experimental features reports
 
-Experimental features are eligible to reports as any other stable feature of
-Node.js. They will also be susceptible to receiving the same severity score
-as any other stable feature.
+Experimental features are eligible for security reports just like any other
+stable feature of Node.js. They may also receive the same severity score that a
+stable feature would.
 
 ## Receiving security updates
 

deps/npm/docs/content/commands/npm-bugs.md

@@ -24,7 +24,7 @@ folder and use the `name` property.
 
 #### `browser`
 
-* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Default: macOS: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
 * Type: null, Boolean, or String
 
 The browser that is called by npm commands to open websites.

deps/npm/docs/content/commands/npm-docs.md

@@ -24,7 +24,7 @@ package names at once. If no package name is provided, it will search for a
 
 #### `browser`
 
-* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Default: macOS: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
 * Type: null, Boolean, or String
 
 The browser that is called by npm commands to open websites.

deps/npm/docs/content/commands/npm-fund.md

@@ -81,7 +81,7 @@ Not supported by all npm commands.
 
 #### `browser`
 
-* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Default: macOS: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
 * Type: null, Boolean, or String
 
 The browser that is called by npm commands to open websites.

deps/npm/docs/content/commands/npm-install-test.md

@@ -231,6 +231,23 @@ submitted.
 
 
 
+#### `before`
+
+* Default: null
+* Type: null or Date
+
+If passed to `npm install`, will rebuild the npm tree such that only
+versions that were available **on or before** the given date are installed.
+If there are no versions available for the current set of dependencies, the
+command will error.
+
+If the requested version is a `dist-tag` and the given tag does not pass the
+`--before` filter, the most recent version less than or equal to that tag
+will be used. For example, `foo@latest` might install `foo@1.2` even though
+`latest` is `2.0`.
+
+
+
 #### `bin-links`
 
 * Default: true

deps/npm/docs/content/commands/npm-install.md

@@ -619,6 +619,23 @@ submitted.
 
 
 
+#### `before`
+
+* Default: null
+* Type: null or Date
+
+If passed to `npm install`, will rebuild the npm tree such that only
+versions that were available **on or before** the given date are installed.
+If there are no versions available for the current set of dependencies, the
+command will error.
+
+If the requested version is a `dist-tag` and the given tag does not pass the
+`--before` filter, the most recent version less than or equal to that tag
+will be used. For example, `foo@latest` might install `foo@1.2` even though
+`latest` is `2.0`.
+
+
+
 #### `bin-links`
 
 * Default: true

deps/npm/docs/content/commands/npm-ls.md

@@ -27,7 +27,7 @@ packages will *also* show the paths to the specified packages.  For
 example, running `npm ls promzard` in npm's source tree will show:
 
 ```bash
-npm@11.4.2 /path/to/npm
+npm@11.5.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 ```

deps/npm/docs/content/commands/npm-outdated.md

@@ -169,6 +169,23 @@ brand new workspace within the project.
 
 This value is not exported to the environment for child processes.
 
+#### `before`
+
+* Default: null
+* Type: null or Date
+
+If passed to `npm install`, will rebuild the npm tree such that only
+versions that were available **on or before** the given date are installed.
+If there are no versions available for the current set of dependencies, the
+command will error.
+
+If the requested version is a `dist-tag` and the given tag does not pass the
+`--before` filter, the most recent version less than or equal to that tag
+will be used. For example, `foo@latest` might install `foo@1.2` even though
+`latest` is `2.0`.
+
+
+
 ### See Also
 
 * [package spec](/using-npm/package-spec)

deps/npm/docs/content/commands/npm-repo.md

@@ -22,7 +22,7 @@ provided, it will search for a `package.json` in the current folder and use the
 
 #### `browser`
 
-* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Default: macOS: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
 * Type: null, Boolean, or String
 
 The browser that is called by npm commands to open websites.

deps/npm/docs/content/commands/npm-update.md

@@ -332,6 +332,23 @@ submitted.
 
 
 
+#### `before`
+
+* Default: null
+* Type: null or Date
+
+If passed to `npm install`, will rebuild the npm tree such that only
+versions that were available **on or before** the given date are installed.
+If there are no versions available for the current set of dependencies, the
+command will error.
+
+If the requested version is a `dist-tag` and the given tag does not pass the
+`--before` filter, the most recent version less than or equal to that tag
+will be used. For example, `foo@latest` might install `foo@1.2` even though
+`latest` is `2.0`.
+
+
+
 #### `bin-links`
 
 * Default: true

deps/npm/docs/content/commands/npm.md

@@ -14,7 +14,7 @@ Note: This command is unaware of workspaces.
 
 ### Version
 
-11.4.2
+11.5.1
 
 ### Description
 

deps/npm/docs/content/configuring-npm/install.md

@@ -50,9 +50,9 @@ installer to install both Node.js and npm on your system.
 * [NodeSource installer](https://github.com/nodesource/distributions). If
   you use Linux, we recommend that you use a NodeSource installer.
 
-#### OS X or Windows Node installers
+#### macOS or Windows Node installers
 
-If you're using OS X or Windows, use one of the installers from the
+If you're using macOS or Windows, use one of the installers from the
 [Node.js download page](https://nodejs.org/en/download/). Be sure to
 install the version labeled **LTS**. Other versions have not yet been
 tested with npm.
@@ -69,10 +69,3 @@ installers:
 
 Or see [this page](https://nodejs.org/en/download/package-manager/) to
 install npm for Linux in the way many Linux developers prefer.
-
-#### Less-common operating systems
-
-For more information on installing Node.js on a variety of operating
-systems, see [this page][pkg-mgr].
-
-[pkg-mgr]: https://nodejs.org/en/download/package-manager/

deps/npm/docs/content/using-npm/config.md

@@ -218,9 +218,9 @@ config is given, this value will always be set to `legacy`.
 * Type: null or Date
 
 If passed to `npm install`, will rebuild the npm tree such that only
-versions that were available **on or before** the `--before` time get
-installed. If there's no versions available for the current set of direct
-dependencies, the command will error.
+versions that were available **on or before** the given date are installed.
+If there are no versions available for the current set of dependencies, the
+command will error.
 
 If the requested version is a `dist-tag` and the given tag does not pass the
 `--before` filter, the most recent version less than or equal to that tag
@@ -245,7 +245,7 @@ systems.
 
 #### `browser`
 
-* Default: OS X: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
+* Default: macOS: `"open"`, Windows: `"start"`, Others: `"xdg-open"`
 * Type: null, Boolean, or String
 
 The browser that is called by npm commands to open websites.
@@ -1245,7 +1245,8 @@ a semver. Like the `rc` in `1.2.0-rc.8`.
 
 #### `progress`
 
-* Default: `true` unless running in a known CI system
+* Default: `true` when not in CI and both stderr and stdout are TTYs and not
+  in a dumb terminal
 * Type: Boolean
 
 When set to `true`, npm will display a progress bar during time intensive

deps/npm/docs/content/using-npm/scripts.md

@@ -9,7 +9,7 @@ description: How npm handles the "scripts" field
 The `"scripts"` property of your `package.json` file supports a number
 of built-in scripts and their preset life cycle events as well as
 arbitrary scripts. These all can be executed by running
-`npm run <stage>` or `npm run <stage>` for short. *Pre* and *post*
+`npm run <stage>`. *Pre* and *post*
 commands with matching names will be run for those as well (e.g. `premyscript`,
 `myscript`, `postmyscript`). Scripts from dependencies can be run with
 `npm explore <pkg> -- npm run <stage>`.

deps/npm/docs/output/commands/npm-access.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-access----1142">
+<h1 id="----npm-access----1151">
     <span>npm-access</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Set access level on published packages</span>
 </header>

deps/npm/docs/output/commands/npm-adduser.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-adduser----1142">
+<h1 id="----npm-adduser----1151">
     <span>npm-adduser</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Add a registry user account</span>
 </header>

deps/npm/docs/output/commands/npm-audit.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-audit----1142">
+<h1 id="----npm-audit----1151">
     <span>npm-audit</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Run a security audit</span>
 </header>

deps/npm/docs/output/commands/npm-bugs.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-bugs----1142">
+<h1 id="----npm-bugs----1151">
     <span>npm-bugs</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Report bugs for a package in a web browser</span>
 </header>
@@ -167,7 +167,7 @@ <h3 id="description">Description</h3>
 <h3 id="configuration">Configuration</h3>
 <h4 id="browser"><code>browser</code></h4>
 <ul>
-<li>Default: OS X: <code>"open"</code>, Windows: <code>"start"</code>, Others: <code>"xdg-open"</code></li>
+<li>Default: macOS: <code>"open"</code>, Windows: <code>"start"</code>, Others: <code>"xdg-open"</code></li>
 <li>Type: null, Boolean, or String</li>
 </ul>
 <p>The browser that is called by npm commands to open websites.</p>

deps/npm/docs/output/commands/npm-cache.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-cache----1142">
+<h1 id="----npm-cache----1151">
     <span>npm-cache</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Manipulates packages cache</span>
 </header>

deps/npm/docs/output/commands/npm-ci.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-ci----1142">
+<h1 id="----npm-ci----1151">
     <span>npm-ci</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Clean install a project</span>
 </header>

deps/npm/docs/output/commands/npm-completion.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-completion----1142">
+<h1 id="----npm-completion----1151">
     <span>npm-completion</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Tab Completion for npm</span>
 </header>

deps/npm/docs/output/commands/npm-config.html

@@ -141,9 +141,9 @@
 
 <section id="content">
 <header class="title">
-<h1 id="----npm-config----1142">
+<h1 id="----npm-config----1151">
     <span>npm-config</span>
-    <span class="version">@11.4.2</span>
+    <span class="version">@11.5.1</span>
 </h1>
 <span class="description">Manage the npm configuration files</span>
 </header>