deps: upgrade npm to 8.19.1

PR-URL: https://github.com/nodejs/node/pull/44486
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>

10 files changed, 72 insertions, 23 deletions

diff --git a/deps/npm/docs/content/commands/npm-access.md b/deps/npm/docs/content/commands/npm-access.md
index 162e94f1fec..f7a98af6547 100644
--- a/deps/npm/docs/content/commands/npm-access.md
+++ b/deps/npm/docs/content/commands/npm-access.md
@@ -35,29 +35,28 @@ For all of the subcommands, `npm access` will perform actions on the packages
 in the current working directory if no package name is passed to the
 subcommand.
 
-* public / restricted:
+* public / restricted (deprecated):
   Set a package to be either publicly accessible or restricted.
 
-* grant / revoke:
+* grant / revoke (deprecated):
   Add or remove the ability of users and teams to have read-only or read-write
   access to a package.
 
-* 2fa-required / 2fa-not-required:
+* 2fa-required / 2fa-not-required (deprecated):
   Configure whether a package requires that anyone publishing it have two-factor
   authentication enabled on their account.
 
-* ls-packages:
+* ls-packages (deprecated):
   Show all of the packages a user or a team is able to access, along with the
   access level, except for read-only public packages (it won't print the whole
   registry listing)
 
-* ls-collaborators:
+* ls-collaborators (deprecated):
   Show all of the access privileges for a package. Will only show permissions
   for packages to which you have at least read access. If `<user>` is passed in,
   the list is filtered only to teams _that_ user happens to belong to.
 
-* edit:
-  Set the access privileges for a package at once using `$EDITOR`.
+* edit (not implemented)
 
 ### Details
 
diff --git a/deps/npm/docs/content/commands/npm-query.md b/deps/npm/docs/content/commands/npm-query.md
index 6166d5c0e71..3c35e9ab427 100644
--- a/deps/npm/docs/content/commands/npm-query.md
+++ b/deps/npm/docs/content/commands/npm-query.md
@@ -232,4 +232,4 @@ This value is not exported to the environment for child processes.
 <!-- AUTOGENERATED CONFIG DESCRIPTIONS END -->
 ## See Also
 
-* [dependency selector](/using-npm/dependency-selector)
+* [dependency selectors](/using-npm/dependency-selectors)
diff --git a/deps/npm/docs/content/configuring-npm/npmrc.md b/deps/npm/docs/content/configuring-npm/npmrc.md
index 83310ffa9c7..d252f09b81a 100644
--- a/deps/npm/docs/content/configuring-npm/npmrc.md
+++ b/deps/npm/docs/content/configuring-npm/npmrc.md
@@ -91,6 +91,34 @@ consistent across updates.  Set fields in here using the `./configure`
 script that comes with npm.  This is primarily for distribution maintainers
 to override default configs in a standard and consistent manner.
 
+### Auth related configuration
+
+The settings `_auth`, `_authToken`, `username` and `_password` must all be
+scoped to a specific registry. This ensures that `npm` will never send
+credentials to the wrong host.
+
+In order to scope these values, they must be prefixed by a URI fragment.
+If the credential is meant for any request to a registry on a single host,
+the scope may look like `//registry.npmjs.org/:`. If it must be scoped to a
+specific path on the host that path may also be provided, such as
+`//my-custom-registry.org/unique/path:`.
+
+```
+; bad config
+_authToken=MYTOKEN
+
+; good config
+@myorg:registry=https://somewhere-else.com/myorg
+@another:registry=https://somewhere-else.com/another
+//registry.npmjs.org/:_authToken=MYTOKEN
+; would apply to both @myorg and @another
+; //somewhere-else.com/:_authToken=MYTOKEN
+; would apply only to @myorg
+//somewhere-else.com/myorg/:_authToken=MYTOKEN1
+; would apply only to @another
+//somewhere-else.com/another/:_authToken=MYTOKEN2
+```
+
 ### See also
 
 * [npm folders](/configuring-npm/folders)
diff --git a/deps/npm/docs/content/using-npm/dependency-selectors.md b/deps/npm/docs/content/using-npm/dependency-selectors.md
index c96057c798e..a9433a537f9 100644
--- a/deps/npm/docs/content/using-npm/dependency-selectors.md
+++ b/deps/npm/docs/content/using-npm/dependency-selectors.md
@@ -144,7 +144,7 @@ const arb = new Arborist({})
 
 ```js
 // root-level
-arb.loadActual((tree) => {
+arb.loadActual().then(async (tree) => {
   // query all production dependencies
   const results = await tree.querySelectorAll('.prod')
   console.log(results)
@@ -153,7 +153,7 @@ arb.loadActual((tree) => {
 
 ```js
 // iterative
-arb.loadActual((tree) => {
+arb.loadActual().then(async (tree) => {
   // query for the deduped version of react
   const results = await tree.querySelectorAll('#react:not(:deduped)')
   // query the deduped react for git deps
diff --git a/deps/npm/docs/output/commands/npm-access.html b/deps/npm/docs/output/commands/npm-access.html
index 71eed719dbb..57d17abbd8f 100644
--- a/deps/npm/docs/output/commands/npm-access.html
+++ b/deps/npm/docs/output/commands/npm-access.html
@@ -169,34 +169,33 @@ in the current working directory if no package name is passed to the
 subcommand.</p>
 <ul>
 <li>
-<p>public / restricted:
+<p>public / restricted (deprecated):
 Set a package to be either publicly accessible or restricted.</p>
 </li>
 <li>
-<p>grant / revoke:
+<p>grant / revoke (deprecated):
 Add or remove the ability of users and teams to have read-only or read-write
 access to a package.</p>
 </li>
 <li>
-<p>2fa-required / 2fa-not-required:
+<p>2fa-required / 2fa-not-required (deprecated):
 Configure whether a package requires that anyone publishing it have two-factor
 authentication enabled on their account.</p>
 </li>
 <li>
-<p>ls-packages:
+<p>ls-packages (deprecated):
 Show all of the packages a user or a team is able to access, along with the
 access level, except for read-only public packages (it won't print the whole
 registry listing)</p>
 </li>
 <li>
-<p>ls-collaborators:
+<p>ls-collaborators (deprecated):
 Show all of the access privileges for a package. Will only show permissions
 for packages to which you have at least read access. If <code>&lt;user&gt;</code> is passed in,
 the list is filtered only to teams <em>that</em> user happens to belong to.</p>
 </li>
 <li>
-<p>edit:
-Set the access privileges for a package at once using <code>$EDITOR</code>.</p>
+<p>edit (not implemented)</p>
 </li>
 </ul>
 <h3 id="details">Details</h3>
diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html
index f3fb8f05d85..ffe3861d165 100644
--- a/deps/npm/docs/output/commands/npm-ls.html
+++ b/deps/npm/docs/output/commands/npm-ls.html
@@ -166,7 +166,7 @@ tree at all, use <a href="../commands/npm-explain.html"><code>npm explain</code>
 the results to only the paths to the packages named.  Note that nested
 packages will <em>also</em> show the paths to the specified packages.  For
 example, running <code>npm ls promzard</code> in npm's source tree will show:</p>
-<pre lang="bash"><code>npm@8.18.0 /path/to/npm
+<pre lang="bash"><code>npm@8.19.1 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 </code></pre>
diff --git a/deps/npm/docs/output/commands/npm-query.html b/deps/npm/docs/output/commands/npm-query.html
index 1a11fb9e8cd..d567d2b8731 100644
--- a/deps/npm/docs/output/commands/npm-query.html
+++ b/deps/npm/docs/output/commands/npm-query.html
@@ -344,7 +344,7 @@ the specified workspaces, and not on the root project.</p>
 <!-- raw HTML omitted -->
 <h2 id="see-also">See Also</h2>
 <ul>
-<li><a href="../using-npm/dependency-selector.html">dependency selector</a></li>
+<li><a href="../using-npm/dependency-selectors.html">dependency selectors</a></li>
 </ul>
 </div>
 
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index 4c1f2a53eba..0abece728a1 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -149,7 +149,7 @@ npm command-line interface
 <!-- raw HTML omitted -->
 <!-- raw HTML omitted -->
 <h3 id="version">Version</h3>
-<p>8.18.0</p>
+<p>8.19.1</p>
 <h3 id="description">Description</h3>
 <p>npm is the package manager for the Node JavaScript platform.  It puts
 modules in place so that node can find them, and manages dependency
diff --git a/deps/npm/docs/output/configuring-npm/npmrc.html b/deps/npm/docs/output/configuring-npm/npmrc.html
index 1f158d8e081..be6d7a13c8c 100644
--- a/deps/npm/docs/output/configuring-npm/npmrc.html
+++ b/deps/npm/docs/output/configuring-npm/npmrc.html
@@ -142,7 +142,7 @@ npm command-line interface
 
 <section id="table_of_contents">
 <h2 id="table-of-contents">Table of contents</h2>
-<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#files">Files</a></li><ul><li><a href="#comments">Comments</a></li><li><a href="#per-project-config-file">Per-project config file</a></li><li><a href="#per-user-config-file">Per-user config file</a></li><li><a href="#global-config-file">Global config file</a></li><li><a href="#built-in-config-file">Built-in config file</a></li></ul><li><a href="#see-also">See also</a></li></ul></div>
+<div id="_table_of_contents"><ul><li><a href="#description">Description</a></li><li><a href="#files">Files</a></li><ul><li><a href="#comments">Comments</a></li><li><a href="#per-project-config-file">Per-project config file</a></li><li><a href="#per-user-config-file">Per-user config file</a></li><li><a href="#global-config-file">Global config file</a></li><li><a href="#built-in-config-file">Built-in config file</a></li></ul><li><a href="#auth-related-configuration">Auth related configuration</a></li><li><a href="#see-also">See also</a></li></ul></div>
 </section>
 
 <div id="_content"><h3 id="description">Description</h3>
@@ -204,6 +204,29 @@ variables can be replaced as above.</p>
 consistent across updates.  Set fields in here using the <code>./configure</code>
 script that comes with npm.  This is primarily for distribution maintainers
 to override default configs in a standard and consistent manner.</p>
+<h3 id="auth-related-configuration">Auth related configuration</h3>
+<p>The settings <code>_auth</code>, <code>_authToken</code>, <code>username</code> and <code>_password</code> must all be
+scoped to a specific registry. This ensures that <code>npm</code> will never send
+credentials to the wrong host.</p>
+<p>In order to scope these values, they must be prefixed by a URI fragment.
+If the credential is meant for any request to a registry on a single host,
+the scope may look like <code>//registry.npmjs.org/:</code>. If it must be scoped to a
+specific path on the host that path may also be provided, such as
+<code>//my-custom-registry.org/unique/path:</code>.</p>
+<pre><code>; bad config
+_authToken=MYTOKEN
+
+; good config
+@myorg:registry=https://somewhere-else.com/myorg
+@another:registry=https://somewhere-else.com/another
+//registry.npmjs.org/:_authToken=MYTOKEN
+; would apply to both @myorg and @another
+; //somewhere-else.com/:_authToken=MYTOKEN
+; would apply only to @myorg
+//somewhere-else.com/myorg/:_authToken=MYTOKEN1
+; would apply only to @another
+//somewhere-else.com/another/:_authToken=MYTOKEN2
+</code></pre>
 <h3 id="see-also">See also</h3>
 <ul>
 <li><a href="../configuring-npm/folders.html">npm folders</a></li>
diff --git a/deps/npm/docs/output/using-npm/dependency-selectors.html b/deps/npm/docs/output/using-npm/dependency-selectors.html
index e19499207da..31ab2bb5b7c 100644
--- a/deps/npm/docs/output/using-npm/dependency-selectors.html
+++ b/deps/npm/docs/output/using-npm/dependency-selectors.html
@@ -264,14 +264,14 @@ npm command-line interface
 const arb = new Arborist({})
 </code></pre>
 <pre lang="js"><code>// root-level
-arb.loadActual((tree) =&gt; {
+arb.loadActual().then(async (tree) =&gt; {
   // query all production dependencies
   const results = await tree.querySelectorAll('.prod')
   console.log(results)
 })
 </code></pre>
 <pre lang="js"><code>// iterative
-arb.loadActual((tree) =&gt; {
+arb.loadActual().then(async (tree) =&gt; {
   // query for the deduped version of react
   const results = await tree.querySelectorAll('#react:not(:deduped)')
   // query the deduped react for git deps