npm-registry-client@8.3.0

PR-URL: https://github.com/npm/npm-registry-client/pull/157
Credit: @zkat
Reviewed-By: @iarna
Reviewed-By: @soldair

9 files changed, 1156 insertions, 29 deletions

diff --git a/node_modules/npm-registry-client/index.js b/node_modules/npm-registry-client/index.js
index 8a9fb5035..07eab3f36 100644
--- a/node_modules/npm-registry-client/index.js
+++ b/node_modules/npm-registry-client/index.js
@@ -60,6 +60,7 @@ function RegClient (config) {
   client.get = require('./lib/get')
   client.initialize = require('./lib/initialize')
   client.logout = require('./lib/logout')
+  client.org = require('./lib/org')
   client.ping = require('./lib/ping')
   client.publish = require('./lib/publish')
   client.request = require('./lib/request')
diff --git a/node_modules/npm-registry-client/lib/org.js b/node_modules/npm-registry-client/lib/org.js
new file mode 100644
index 000000000..7c73caf7d
--- /dev/null
+++ b/node_modules/npm-registry-client/lib/org.js
@@ -0,0 +1,62 @@
+'use strict'
+
+module.exports = org
+
+var assert = require('assert')
+var url = require('url')
+
+var subcommands = {}
+
+function org (subcommand, uri, params, cb) {
+  orgAssertions(subcommand, uri, params, cb)
+  return subcommands[subcommand].call(this, uri, params, cb)
+}
+
+subcommands.set = subcommands.add = function (uri, params, cb) {
+  return this.request(apiUri(uri, 'org', params.org, 'user'), {
+    method: 'PUT',
+    auth: params.auth,
+    body: JSON.stringify({
+      user: params.user,
+      role: params.role
+    })
+  }, cb)
+}
+
+subcommands.rm = function (uri, params, cb) {
+  return this.request(apiUri(uri, 'org', params.org, 'user'), {
+    method: 'DELETE',
+    auth: params.auth,
+    body: JSON.stringify({
+      user: params.user
+    })
+  }, cb)
+}
+
+subcommands.ls = function (uri, params, cb) {
+  return this.request(apiUri(uri, 'org', params.org, 'user'), {
+    method: 'GET',
+    auth: params.auth
+  }, cb)
+}
+
+function apiUri (registryUri) {
+  var path = Array.prototype.slice.call(arguments, 1)
+    .map(encodeURIComponent)
+    .join('/')
+  return url.resolve(registryUri, '-/' + path)
+}
+
+function orgAssertions (subcommand, uri, params, cb) {
+  assert(subcommand, 'subcommand is required')
+  assert(subcommands.hasOwnProperty(subcommand),
+         'org subcommand must be one of ' + Object.keys(subcommands))
+  assert(typeof uri === 'string', 'registry URI is required')
+  assert(typeof params === 'object', 'params are required')
+  assert(typeof params.auth === 'object', 'auth is required')
+  assert(!cb || typeof cb === 'function', 'callback must be a function')
+  assert(typeof params.org === 'string', 'org name is required')
+  if (subcommand === 'rm' || subcommand === 'add' || subcommand === 'set') {
+    assert(typeof params.user === 'string', 'user is required')
+  }
+}
diff --git a/node_modules/npm-registry-client/lib/publish.js b/node_modules/npm-registry-client/lib/publish.js
index 9bf1c3066..ecf593a4a 100644
--- a/node_modules/npm-registry-client/lib/publish.js
+++ b/node_modules/npm-registry-client/lib/publish.js
@@ -2,11 +2,11 @@ module.exports = publish
 
 var url = require('url')
 var semver = require('semver')
-var crypto = require('crypto')
 var Stream = require('stream').Stream
 var assert = require('assert')
 var fixer = require('normalize-package-data').fixer
 var concat = require('concat-stream')
+var ssri = require('ssri')
 
 function escaped (name) {
   return name.replace('/', '%2f')
@@ -84,10 +84,16 @@ function putFirst (registry, data, tarbuffer, access, auth, cb) {
 
   var tbName = data.name + '-' + data.version + '.tgz'
   var tbURI = data.name + '/-/' + tbName
+  var integrity = ssri.fromData(tarbuffer, {
+    algorithms: ['sha1', 'sha512']
+  })
 
   data._id = data.name + '@' + data.version
   data.dist = data.dist || {}
-  data.dist.shasum = crypto.createHash('sha1').update(tarbuffer).digest('hex')
+  // Don't bother having sha1 in the actual integrity field
+  data.dist.integrity = integrity['sha512'][0].toString()
+  // Legacy shasum support
+  data.dist.shasum = integrity['sha1'][0].hexDigest()
   data.dist.tarball = url.resolve(registry, tbURI)
                          .replace(/^https:\/\//, 'http://')
 
diff --git a/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md b/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md
new file mode 100644
index 000000000..838a6fe69
--- /dev/null
+++ b/node_modules/npm-registry-client/node_modules/ssri/CHANGELOG.md
@@ -0,0 +1,135 @@
+# Change Log
+
+All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+<a name="4.1.2"></a>
+## [4.1.2](https://github.com/zkat/ssri/compare/v4.1.1...v4.1.2) (2017-04-18)
+
+
+### Bug Fixes
+
+* **stream:** _flush can be called multiple times. use on("end") ([b1c4805](https://github.com/zkat/ssri/commit/b1c4805))
+
+
+
+<a name="4.1.1"></a>
+## [4.1.1](https://github.com/zkat/ssri/compare/v4.1.0...v4.1.1) (2017-04-12)
+
+
+### Bug Fixes
+
+* **pickAlgorithm:** error if pickAlgorithm() is used in an empty Integrity ([fab470e](https://github.com/zkat/ssri/commit/fab470e))
+
+
+
+<a name="4.1.0"></a>
+# [4.1.0](https://github.com/zkat/ssri/compare/v4.0.0...v4.1.0) (2017-04-07)
+
+
+### Features
+
+* adding ssri.create for a crypto style interface (#2) ([96f52ad](https://github.com/zkat/ssri/commit/96f52ad))
+
+
+
+<a name="4.0.0"></a>
+# [4.0.0](https://github.com/zkat/ssri/compare/v3.0.2...v4.0.0) (2017-04-03)
+
+
+### Bug Fixes
+
+* **integrity:** should have changed the error code before. oops ([8381afa](https://github.com/zkat/ssri/commit/8381afa))
+
+
+### BREAKING CHANGES
+
+* **integrity:** EBADCHECKSUM -> EINTEGRITY for verification errors
+
+
+
+<a name="3.0.2"></a>
+## [3.0.2](https://github.com/zkat/ssri/compare/v3.0.1...v3.0.2) (2017-04-03)
+
+
+
+<a name="3.0.1"></a>
+## [3.0.1](https://github.com/zkat/ssri/compare/v3.0.0...v3.0.1) (2017-04-03)
+
+
+### Bug Fixes
+
+* **package.json:** really should have these in the keywords because search ([a6ac6d0](https://github.com/zkat/ssri/commit/a6ac6d0))
+
+
+
+<a name="3.0.0"></a>
+# [3.0.0](https://github.com/zkat/ssri/compare/v2.0.0...v3.0.0) (2017-04-03)
+
+
+### Bug Fixes
+
+* **hashes:** IntegrityMetadata -> Hash ([d04aa1f](https://github.com/zkat/ssri/commit/d04aa1f))
+
+
+### Features
+
+* **check:** return IntegrityMetadata on check success ([2301e74](https://github.com/zkat/ssri/commit/2301e74))
+* **fromHex:** ssri.fromHex to make it easier to generate them from hex valus ([049b89e](https://github.com/zkat/ssri/commit/049b89e))
+* **hex:** utility function for getting hex version of digest ([a9f021c](https://github.com/zkat/ssri/commit/a9f021c))
+* **hexDigest:** added hexDigest method to Integrity objects too ([85208ba](https://github.com/zkat/ssri/commit/85208ba))
+* **integrity:** add .isIntegrity and .isIntegrityMetadata ([1b29e6f](https://github.com/zkat/ssri/commit/1b29e6f))
+* **integrityStream:** new stream that can both generate and check streamed data ([fd23e1b](https://github.com/zkat/ssri/commit/fd23e1b))
+* **parse:** allow parsing straight into a single IntegrityMetadata object ([c8ddf48](https://github.com/zkat/ssri/commit/c8ddf48))
+* **pickAlgorithm:** Intergrity#pickAlgorithm() added ([b97a796](https://github.com/zkat/ssri/commit/b97a796))
+* **size:** calculate and update stream sizes ([02ed1ad](https://github.com/zkat/ssri/commit/02ed1ad))
+
+
+### BREAKING CHANGES
+
+* **hashes:** `.isIntegrityMetadata` is now `.isHash`. Also, any references to `IntegrityMetadata` now refer to `Hash`.
+* **integrityStream:** createCheckerStream has been removed and replaced with a general-purpose integrityStream.
+
+To convert existing createCheckerStream code, move the `sri` argument into `opts.integrity` in integrityStream. All other options should be the same.
+* **check:** `checkData`, `checkStream`, and `createCheckerStream` now yield a whole IntegrityMetadata instance representing the first successful hash match.
+
+
+
+<a name="2.0.0"></a>
+# [2.0.0](https://github.com/zkat/ssri/compare/v1.0.0...v2.0.0) (2017-03-24)
+
+
+### Bug Fixes
+
+* **strict-mode:** make regexes more rigid ([122a32c](https://github.com/zkat/ssri/commit/122a32c))
+
+
+### Features
+
+* **api:** added serialize alias for unparse ([999b421](https://github.com/zkat/ssri/commit/999b421))
+* **concat:** add Integrity#concat() ([cae12c7](https://github.com/zkat/ssri/commit/cae12c7))
+* **pickAlgo:** pick the strongest algorithm provided, by default ([58c18f7](https://github.com/zkat/ssri/commit/58c18f7))
+* **strict-mode:** strict SRI support ([3f0b64c](https://github.com/zkat/ssri/commit/3f0b64c))
+* **stringify:** replaced unparse/serialize with stringify ([4acad30](https://github.com/zkat/ssri/commit/4acad30))
+* **verification:** add opts.pickAlgorithm ([f72e658](https://github.com/zkat/ssri/commit/f72e658))
+
+
+### BREAKING CHANGES
+
+* **pickAlgo:** ssri will prioritize specific hashes now
+* **stringify:** serialize and unparse have been removed. Use ssri.stringify instead.
+* **strict-mode:** functions that accepted an optional `sep` argument now expect `opts.sep`.
+
+
+
+<a name="1.0.0"></a>
+# 1.0.0 (2017-03-23)
+
+
+### Features
+
+* **api:** implemented initial api ([4fbb16b](https://github.com/zkat/ssri/commit/4fbb16b))
+
+
+### BREAKING CHANGES
+
+* **api:** Initial API established.
diff --git a/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md b/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md
new file mode 100644
index 000000000..c05cb0958
--- /dev/null
+++ b/node_modules/npm-registry-client/node_modules/ssri/LICENSE.md
@@ -0,0 +1,3 @@
+To the extent possible under law, maintainers for this project have waived all copyright and related or neighboring rights to this project.
+
+For more information on this waiver, see: https://creativecommons.org/publicdomain/zero/1.0/
diff --git a/node_modules/npm-registry-client/node_modules/ssri/README.md b/node_modules/npm-registry-client/node_modules/ssri/README.md
new file mode 100644
index 000000000..f2fc035da
--- /dev/null
+++ b/node_modules/npm-registry-client/node_modules/ssri/README.md
@@ -0,0 +1,462 @@
+# ssri [![npm version](https://img.shields.io/npm/v/ssri.svg)](https://npm.im/ssri) [![license](https://img.shields.io/npm/l/ssri.svg)](https://npm.im/ssri) [![Travis](https://img.shields.io/travis/zkat/ssri.svg)](https://travis-ci.org/zkat/ssri) [![AppVeyor](https://ci.appveyor.com/api/projects/status/github/zkat/ssri?svg=true)](https://ci.appveyor.com/project/zkat/ssri) [![Coverage Status](https://coveralls.io/repos/github/zkat/ssri/badge.svg?branch=latest)](https://coveralls.io/github/zkat/ssri?branch=latest)
+
+[`ssri`](https://github.com/zkat/ssri), short for Standard Subresource
+Integrity, is a Node.js utility for parsing, manipulating, serializing,
+generating, and verifying [Subresource
+Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes.
+
+## Install
+
+`$ npm install --save ssri`
+
+## Table of Contents
+
+* [Example](#example)
+* [Features](#features)
+* [Contributing](#contributing)
+* [API](#api)
+  * Parsing & Serializing
+    * [`parse`](#parse)
+    * [`stringify`](#stringify)
+    * [`Integrity#concat`](#integrity-concat)
+    * [`Integrity#toString`](#integrity-to-string)
+    * [`Integrity#toJSON`](#integrity-to-json)
+    * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm)
+    * [`Integrity#hexDigest`](#integrity-hex-digest)
+  * Integrity Generation
+    * [`fromHex`](#from-hex)
+    * [`fromData`](#from-data)
+    * [`fromStream`](#from-stream)
+    * [`create`](#create)
+  * Integrity Verification
+    * [`checkData`](#check-data)
+    * [`checkStream`](#check-stream)
+    * [`integrityStream`](#integrity-stream)
+
+### Example
+
+```javascript
+const ssri = require('ssri')
+
+const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
+
+// Parsing and serializing
+const parsed = ssri.parse(integrity)
+ssri.stringify(parsed) // === integrity (works on non-Integrity objects)
+parsed.toString() // === integrity
+
+// Async stream functions
+ssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...)
+ssri.fromStream(fs.createReadStream('./my-file')).then(sri => {
+  sri.toString() === integrity
+})
+fs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri))
+
+// Sync data functions
+ssri.fromData(fs.readFileSync('./my-file')) // === parsed
+ssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512'
+```
+
+### Features
+
+* Parses and stringifies SRI strings.
+* Generates SRI strings from raw data or Streams.
+* Strict standard compliance.
+* `?foo` metadata option support.
+* Multiple entries for the same algorithm.
+* Object-based integrity hash manipulation.
+* Small footprint: no dependencies, concise implementation.
+* Full test coverage.
+* Customizable algorithm picker.
+
+### Contributing
+
+The ssri team enthusiastically welcomes contributions and project participation!
+There's a bunch of things you can do if you want to contribute! The [Contributor
+Guide](CONTRIBUTING.md) has all the information you need for everything from
+reporting bugs to contributing entire new features. Please don't hesitate to
+jump in if you'd like to, or even ask us questions if something isn't clear.
+
+### API
+
+#### <a name="parse"></a> `> ssri.parse(sri, [opts]) -> Integrity`
+
+Parses `sri` into an `Integrity` data structure. `sri` can be an integrity
+string, an `Hash`-like with `digest` and `algorithm` fields and an optional
+`options` field, or an `Integrity`-like object. The resulting object will be an
+`Integrity` instance that has this shape:
+
+```javascript
+{
+  'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}],
+  'sha512': [
+    {algorithm: 'sha512', digest: 'c0ffee', options: []},
+    {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']}
+  ],
+}
+```
+
+If `opts.single` is truthy, a single `Hash` object will be returned. That is, a
+single object that looks like `{algorithm, digest, options}`, as opposed to a
+larger object with multiple of these.
+
+If `opts.strict` is truthy, the resulting object will be filtered such that
+it strictly follows the Subresource Integrity spec, throwing away any entries
+with any invalid components. This also means a restricted set of algorithms
+will be used -- the spec limits them to `sha256`, `sha384`, and `sha512`.
+
+Strict mode is recommended if the integrity strings are intended for use in
+browsers, or in other situations where strict adherence to the spec is needed.
+
+##### Example
+
+```javascript
+ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object
+```
+
+#### <a name="stringify"></a> `> ssri.stringify(sri, [opts]) -> String`
+
+This function is identical to [`Integrity#toString()`](#integrity-to-string),
+except it can be used on _any_ object that [`parse`](#parse) can handle -- that
+is, a string, an `Hash`-like, or an `Integrity`-like.
+
+The `opts.sep` option defines the string to use when joining multiple entries
+together. To be spec-compliant, this _must_ be whitespace. The default is a
+single space (`' '`).
+
+If `opts.strict` is true, the integrity string will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+// Useful for cleaning up input SRI strings:
+ssri.stringify('\n\rsha512-foo\n\t\tsha384-bar')
+// -> 'sha512-foo sha384-bar'
+
+// Hash-like: only a single entry.
+ssri.stringify({
+  algorithm: 'sha512',
+  digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
+  options: ['foo']
+})
+// ->
+// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
+
+// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse`
+ssri.stringify({
+  'sha512': [
+    {
+      algorithm: 'sha512',
+      digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
+      options: ['foo']
+    }
+  ]
+})
+// ->
+// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
+```
+
+#### <a name="integrity-concat"></a> `> Integrity#concat(otherIntegrity, [opts]) -> Integrity`
+
+Concatenates an `Integrity` object with another IntegrityLike, or an integrity
+string.
+
+This is functionally equivalent to concatenating the string format of both
+integrity arguments, and calling [`ssri.parse`](#ssri-parse) on the new string.
+
+If `opts.strict` is true, the new `Integrity` will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+// This will combine the integrity checks for two different versions of
+// your index.js file so you can use a single integrity string and serve
+// either of these to clients, from a single `<script>` tag.
+const desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js'))
+const mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js'))
+
+// Note that browsers (and ssri) will succeed as long as ONE of the entries
+// for the *prioritized* algorithm succeeds. That is, in order for this fallback
+// to work, both desktop and mobile *must* use the same `algorithm` values.
+desktopIntegrity.concat(mobileIntegrity)
+```
+
+#### <a name="integrity-to-string"></a> `> Integrity#toString([opts]) -> String`
+
+Returns the string representation of an `Integrity` object. All hash entries
+will be concatenated in the string by `opts.sep`, which defaults to `' '`.
+
+If you want to serialize an object that didn't from from an `ssri` function,
+use [`ssri.stringify()`](#stringify).
+
+If `opts.strict` is true, the integrity string will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
+
+ssri.parse(integrity).toString() === integrity
+```
+
+#### <a name="integrity-to-json"></a> `> Integrity#toJSON() -> String`
+
+Returns the string representation of an `Integrity` object. All hash entries
+will be concatenated in the string by `' '`.
+
+This is a convenience method so you can pass an `Integrity` object directly to `JSON.stringify`.
+For more info check out [toJSON() behavior on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#toJSON%28%29_behavior).
+
+##### Example
+
+```javascript
+const integrity = '"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo"'
+
+JSON.stringify(ssri.parse(integrity)) === integrity
+```
+
+#### <a name="integrity-pick-algorithm"></a> `> Integrity#pickAlgorithm([opts]) -> String`
+
+Returns the "best" algorithm from those available in the integrity object.
+
+If `opts.pickAlgorithm` is provided, it will be passed two algorithms as
+arguments. ssri will prioritize whichever of the two algorithms is returned by
+this function. Note that the function may be called multiple times, and it
+**must** return one of the two algorithms provided. By default, ssri will make
+a best-effort to pick the strongest/most reliable of the given algorithms. It
+may intentionally deprioritize algorithms with known vulnerabilities.
+
+##### Example
+
+```javascript
+ssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512
+```
+
+#### <a name="integrity-hex-digest"></a> `> Integrity#hexDigest() -> String`
+
+`Integrity` is assumed to be either a single-hash `Integrity` instance, or a
+`Hash` instance. Returns its `digest`, converted to a hex representation of the
+base64 data.
+
+##### Example
+
+```javascript
+ssri.parse('sha1-deadbeef').hexDigest() // '75e69d6de79f'
+```
+
+#### <a name="from-hex"></a> `> ssri.fromHex(hexDigest, algorithm, [opts]) -> Integrity`
+
+Creates an `Integrity` object with a single entry, based on a hex-formatted
+hash. This is a utility function to help convert existing shasums to the
+Integrity format, and is roughly equivalent to something like:
+
+```javascript
+algorithm + '-' + Buffer.from(hexDigest, 'hex').toString('base64')
+```
+
+`opts.options` may optionally be passed in: it must be an array of option
+strings that will be added to all generated integrity hashes generated by
+`fromData`. This is a loosely-specified feature of SRIs, and currently has no
+specified semantics besides being `?`-separated. Use at your own risk, and
+probably avoid if your integrity strings are meant to be used with browsers.
+
+If `opts.strict` is true, the integrity object will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+If `opts.single` is true, a single `Hash` object will be returned.
+
+##### Example
+
+```javascript
+ssri.fromHex('75e69d6de79f', 'sha1').toString() // 'sha1-deadbeef'
+```
+
+#### <a name="from-data"></a> `> ssri.fromData(data, [opts]) -> Integrity`
+
+Creates an `Integrity` object from either string or `Buffer` data, calculating
+all the requested hashes and adding any specified options to the object.
+
+`opts.algorithms` determines which algorithms to generate hashes for. All
+results will be included in a single `Integrity` object. The default value for
+`opts.algorithms` is `['sha512']`. All algorithm strings must be hashes listed
+in `crypto.getHashes()` for the host Node.js platform.
+
+`opts.options` may optionally be passed in: it must be an array of option
+strings that will be added to all generated integrity hashes generated by
+`fromData`. This is a loosely-specified feature of SRIs, and currently has no
+specified semantics besides being `?`-separated. Use at your own risk, and
+probably avoid if your integrity strings are meant to be used with browsers.
+
+If `opts.strict` is true, the integrity object will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+const integrityObj = ssri.fromData('foobarbaz', {
+  algorithms: ['sha256', 'sha384', 'sha512']
+})
+integrity.toString('\n')
+// ->
+// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0=
+// sha384-irnCxQ0CfQhYGlVAUdwTPC9bF3+YWLxlaDGM4xbYminxpbXEq+D+2GCEBTxcjES9
+// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg==
+```
+
+#### <a name="from-stream"></a> `> ssri.fromStream(stream, [opts]) -> Promise<Integrity>`
+
+Returns a Promise of an Integrity object calculated by reading data from
+a given `stream`.
+
+It accepts both `opts.algorithms` and `opts.options`, which are documented as
+part of [`ssri.fromData`](#from-data).
+
+Additionally, `opts.Promise` may be passed in to inject a Promise library of
+choice. By default, ssri will use Node's built-in Promises.
+
+If `opts.strict` is true, the integrity object will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+ssri.fromStream(fs.createReadStream('index.js'), {
+  algorithms: ['sha1', 'sha512']
+}).then(integrity => {
+  return ssri.checkStream(fs.createReadStream('index.js'), integrity)
+}) // succeeds
+```
+
+#### <a name="create"></a> `> ssri.create([opts]) -> <Hash>`
+
+Returns a Hash object with `update(<Buffer or string>[,enc])` and `digest()` methods.
+
+
+The Hash object provides the same methods as [crypto class Hash](https://nodejs.org/dist/latest-v6.x/docs/api/crypto.html#crypto_class_hash).
+`digest()` accepts no arguments and returns an Integrity object calculated by reading data from
+calls to update.
+
+It accepts both `opts.algorithms` and `opts.options`, which are documented as
+part of [`ssri.fromData`](#from-data).
+
+If `opts.strict` is true, the integrity object will be created using strict
+parsing rules. See [`ssri.parse`](#parse).
+
+##### Example
+
+```javascript
+const integrity = ssri.create().update('foobarbaz').digest()
+integrity.toString()
+// ->
+// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg==
+```
+
+#### <a name="check-data"></a> `> ssri.checkData(data, sri, [opts]) -> Hash|false`
+
+Verifies `data` integrity against an `sri` argument. `data` may be either a
+`String` or a `Buffer`, and `sri` can be any subresource integrity
+representation that [`ssri.parse`](#parse) can handle.
+
+If verification succeeds, `checkData` will return the name of the algorithm that
+was used for verification (a truthy value). Otherwise, it will return `false`.
+
+If `opts.pickAlgorithm` is provided, it will be used by
+[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of
+the available digests to match against.
+
+##### Example
+
+```javascript
+const data = fs.readFileSync('index.js')
+ssri.checkData(data, ssri.fromData(data)) // -> 'sha512'
+ssri.checkData(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0')
+ssri.checkData(data, 'sha1-BaDDigEST') // -> false
+```
+
+#### <a name="check-stream"></a> `> ssri.checkStream(stream, sri, [opts]) -> Promise<Hash>`
+
+Verifies the contents of `stream` against an `sri` argument. `stream` will be
+consumed in its entirety by this process. `sri` can be any subresource integrity
+representation that [`ssri.parse`](#parse) can handle.
+
+`checkStream` will return a Promise that either resolves to the
+`Hash` that succeeded verification, or, if the verification fails
+or an error happens with `stream`, the Promise will be rejected.
+
+If the Promise is rejected because verification failed, the returned error will
+have `err.code` as `EINTEGRITY`.
+
+If `opts.size` is given, it will be matched against the stream size. An error
+with `err.code` `EBADSIZE` will be returned by a rejection if the expected size
+and actual size fail to match.
+
+If `opts.pickAlgorithm` is provided, it will be used by
+[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of
+the available digests to match against.
+
+##### Example
+
+```javascript
+const integrity = ssri.fromData(fs.readFileSync('index.js'))
+
+ssri.checkStream(
+  fs.createReadStream('index.js'),
+  integrity
+)
+// ->
+// Promise<{
+//   algorithm: 'sha512',
+//   digest: 'sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1'
+// }>
+
+ssri.checkStream(
+  fs.createReadStream('index.js'),
+  'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0'
+) // -> Promise<Hash>
+
+ssri.checkStream(
+  fs.createReadStream('index.js'),
+  'sha1-BaDDigEST'
+) // -> Promise<Error<{code: 'EINTEGRITY'}>>
+```
+
+#### <a name="integrity-stream"></a> `> integrityStream(sri, [opts]) -> IntegrityStream`
+
+Returns a `Transform` stream that data can be piped through in order to generate
+and optionally check data integrity for piped data. When the stream completes
+successfully, it emits `size` and `integrity` events, containing the total
+number of bytes processed and a calculated `Integrity` instance based on stream
+data, respectively.
+
+If `opts.algorithms` is passed in, the listed algorithms will be calculated when
+generating the final `Integrity` instance. The default is `['sha512']`.
+
+If `opts.single` is passed in, a single `Hash` instance will be returned.
+
+If `opts.integrity` is passed in, it should be an `integrity` value understood
+by [`parse`](#parse) that the stream will check the data against. If
+verification succeeds, the integrity stream will emit a `verified` event whose
+value is a single `Hash` object that is the one that succeeded verification. If
+verification fails, the stream will error with an `EINTEGRITY` error code.
+
+If `opts.size` is given, it will be matched against the stream size. An error
+with `err.code` `EBADSIZE` will be emitted by the stream if the expected size
+and actual size fail to match.
+
+If `opts.pickAlgorithm` is provided, it will be passed two algorithms as
+arguments. ssri will prioritize whichever of the two algorithms is returned by
+this function. Note that the function may be called multiple times, and it
+**must** return one of the two algorithms provided. By default, ssri will make
+a best-effort to pick the strongest/most reliable of the given algorithms. It
+may intentionally deprioritize algorithms with known vulnerabilities.
+
+##### Example
+
+```javascript
+const integrity = ssri.fromData(fs.readFileSync('index.js'))
+fs.createReadStream('index.js')
+.pipe(ssri.checkStream(integrity))
+```
diff --git a/node_modules/npm-registry-client/node_modules/ssri/index.js b/node_modules/npm-registry-client/node_modules/ssri/index.js
new file mode 100644
index 000000000..9c84dbc21
--- /dev/null
+++ b/node_modules/npm-registry-client/node_modules/ssri/index.js
@@ -0,0 +1,333 @@
+'use strict'
+
+const crypto = require('crypto')
+const Transform = require('stream').Transform
+
+const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512']
+
+const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i
+const SRI_REGEX = /^([^-]+)-([^?]+)([?\S*]*)$/
+const STRICT_SRI_REGEX = /^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/
+const VCHAR_REGEX = /^[\x21-\x7E]+$/
+
+class Hash {
+  get isHash () { return true }
+  constructor (hash, opts) {
+    const strict = !!(opts && opts.strict)
+    this.source = hash.trim()
+    // 3.1. Integrity metadata (called "Hash" by ssri)
+    // https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description
+    const match = this.source.match(
+      strict
+      ? STRICT_SRI_REGEX
+      : SRI_REGEX
+    )
+    if (!match) { return }
+    if (strict && !SPEC_ALGORITHMS.some(a => a === match[1])) { return }
+    this.algorithm = match[1]
+    this.digest = match[2]
+
+    const rawOpts = match[3]
+    this.options = rawOpts ? rawOpts.slice(1).split('?') : []
+  }
+  hexDigest () {
+    return this.digest && bufFrom(this.digest, 'base64').toString('hex')
+  }
+  toJSON () {
+    return this.toString()
+  }
+  toString (opts) {
+    if (opts && opts.strict) {
+      // Strict mode enforces the standard as close to the foot of the
+      // letter as it can.
+      if (!(
+        // The spec has very restricted productions for algorithms.
+        // https://www.w3.org/TR/CSP2/#source-list-syntax
+        SPEC_ALGORITHMS.some(x => x === this.algorithm) &&
+        // Usually, if someone insists on using a "different" base64, we
+        // leave it as-is, since there's multiple standards, and the
+        // specified is not a URL-safe variant.
+        // https://www.w3.org/TR/CSP2/#base64_value
+        this.digest.match(BASE64_REGEX) &&
+        // Option syntax is strictly visual chars.
+        // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression
+        // https://tools.ietf.org/html/rfc5234#appendix-B.1
+        (this.options || []).every(opt => opt.match(VCHAR_REGEX))
+      )) {
+        return ''
+      }
+    }
+    const options = this.options && this.options.length
+    ? `?${this.options.join('?')}`
+    : ''
+    return `${this.algorithm}-${this.digest}${options}`
+  }
+}
+
+class Integrity {
+  get isIntegrity () { return true }
+  toJSON () {
+    return this.toString()
+  }
+  toString (opts) {
+    opts = opts || {}
+    let sep = opts.sep || ' '
+    if (opts.strict) {
+      // Entries must be separated by whitespace, according to spec.
+      sep = sep.replace(/\S+/g, ' ')
+    }
+    return Object.keys(this).map(k => {
+      return this[k].map(hash => {
+        return Hash.prototype.toString.call(hash, opts)
+      }).filter(x => x.length).join(sep)
+    }).filter(x => x.length).join(sep)
+  }
+  concat (integrity, opts) {
+    const other = typeof integrity === 'string'
+    ? integrity
+    : stringify(integrity, opts)
+    return parse(`${this.toString(opts)} ${other}`, opts)
+  }
+  hexDigest () {
+    return parse(this, {single: true}).hexDigest()
+  }
+  pickAlgorithm (opts) {
+    const pickAlgorithm = (opts && opts.pickAlgorithm) || getPrioritizedHash
+    const keys = Object.keys(this)
+    if (!keys.length) {
+      throw new Error(`No algorithms available for ${this}`)
+    }
+    return keys.reduce((acc, algo) => {
+      return pickAlgorithm(acc, algo) || acc
+    })
+  }
+}
+
+module.exports.parse = parse
+function parse (sri, opts) {
+  opts = opts || {}
+  if (typeof sri === 'string') {
+    return _parse(sri, opts)
+  } else if (sri.algorithm && sri.digest) {
+    const fullSri = new Integrity()
+    fullSri[sri.algorithm] = [sri]
+    return _parse(stringify(fullSri, opts), opts)
+  } else {
+    return _parse(stringify(sri, opts), opts)
+  }
+}
+
+function _parse (integrity, opts) {
+  // 3.4.3. Parse metadata
+  // https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata
+  if (opts.single) {
+    return new Hash(integrity, opts)
+  }
+  return integrity.trim().split(/\s+/).reduce((acc, string) => {
+    const hash = new Hash(string, opts)
+    if (hash.algorithm && hash.digest) {
+      const algo = hash.algorithm
+      if (!acc[algo]) { acc[algo] = [] }
+      acc[algo].push(hash)
+    }
+    return acc
+  }, new Integrity())
+}
+
+module.exports.stringify = stringify
+function stringify (obj, opts) {
+  if (obj.algorithm && obj.digest) {
+    return Hash.prototype.toString.call(obj, opts)
+  } else if (typeof obj === 'string') {
+    return stringify(parse(obj, opts), opts)
+  } else {
+    return Integrity.prototype.toString.call(obj, opts)
+  }
+}
+
+module.exports.fromHex = fromHex
+function fromHex (hexDigest, algorithm, opts) {
+  const optString = (opts && opts.options && opts.options.length)
+  ? `?${opts.options.join('?')}`
+  : ''
+  return parse(
+    `${algorithm}-${
+      bufFrom(hexDigest, 'hex').toString('base64')
+    }${optString}`, opts
+  )
+}
+
+module.exports.fromData = fromData
+function fromData (data, opts) {
+  opts = opts || {}
+  const algorithms = opts.algorithms || ['sha512']
+  const optString = opts.options && opts.options.length
+  ? `?${opts.options.join('?')}`
+  : ''
+  return algorithms.reduce((acc, algo) => {
+    const digest = crypto.createHash(algo).update(data).digest('base64')
+    const hash = new Hash(
+      `${algo}-${digest}${optString}`,
+       opts
+    )
+    if (hash.algorithm && hash.digest) {
+      const algo = hash.algorithm
+      if (!acc[algo]) { acc[algo] = [] }
+      acc[algo].push(hash)
+    }
+    return acc
+  }, new Integrity())
+}
+
+module.exports.fromStream = fromStream
+function fromStream (stream, opts) {
+  opts = opts || {}
+  const P = opts.Promise || Promise
+  const istream = integrityStream(opts)
+  return new P((resolve, reject) => {
+    stream.pipe(istream)
+    stream.on('error', reject)
+    istream.on('error', reject)
+    let sri
+    istream.on('integrity', s => { sri = s })
+    istream.on('end', () => resolve(sri))
+    istream.on('data', () => {})
+  })
+}
+
+module.exports.checkData = checkData
+function checkData (data, sri, opts) {
+  opts = opts || {}
+  sri = parse(sri, opts)
+  const algorithm = sri.pickAlgorithm(opts)
+  const digests = sri[algorithm]
+  const digest = crypto.createHash(algorithm).update(data).digest('base64')
+  return digests.find(hash => hash.digest === digest) || false
+}
+
+module.exports.checkStream = checkStream
+function checkStream (stream, sri, opts) {
+  opts = opts || {}
+  const P = opts.Promise || Promise
+  const checker = integrityStream({
+    integrity: sri,
+    size: opts.size,
+    strict: opts.strict,
+    pickAlgorithm: opts.pickAlgorithm
+  })
+  return new P((resolve, reject) => {
+    stream.pipe(checker)
+    stream.on('error', reject)
+    checker.on('error', reject)
+    let sri
+    checker.on('verified', s => { sri = s })
+    checker.on('end', () => resolve(sri))
+    checker.on('data', () => {})
+  })
+}
+
+module.exports.integrityStream = integrityStream
+function integrityStream (opts) {
+  opts = opts || {}
+  // For verification
+  const sri = opts.integrity && parse(opts.integrity, opts)
+  const algorithm = sri && sri.pickAlgorithm(opts)
+  const digests = sri && sri[algorithm]
+  // Calculating stream
+  const algorithms = opts.algorithms || [algorithm || 'sha512']
+  const hashes = algorithms.map(crypto.createHash)
+  let streamSize = 0
+  const stream = new Transform({
+    transform (chunk, enc, cb) {
+      streamSize += chunk.length
+      hashes.forEach(h => h.update(chunk, enc))
+      cb(null, chunk, enc)
+    }
+  }).on('end', () => {
+    const optString = (opts.options && opts.options.length)
+    ? `?${opts.options.join('?')}`
+    : ''
+    const newSri = parse(hashes.map((h, i) => {
+      return `${algorithms[i]}-${h.digest('base64')}${optString}`
+    }).join(' '), opts)
+    const match = (
+      // Integrity verification mode
+      opts.integrity &&
+      digests.find(hash => {
+        return newSri[algorithm].find(newhash => {
+          return hash.digest === newhash.digest
+        })
+      })
+    )
+    if (typeof opts.size === 'number' && streamSize !== opts.size) {
+      const err = new Error(`stream size mismatch when checking ${sri}.\n  Wanted: ${opts.size}\n  Found: ${streamSize}`)
+      err.code = 'EBADSIZE'
+      err.found = streamSize
+      err.expected = opts.size
+      err.sri = sri
+      stream.emit('error', err)
+    } else if (opts.integrity && !match) {
+      const err = new Error(`${sri} integrity checksum failed when using ${algorithm}: wanted ${digests} but got ${newSri}. (${streamSize} bytes)`)
+      err.code = 'EINTEGRITY'
+      err.found = newSri
+      err.expected = digests
+      err.algorithm = algorithm
+      err.sri = sri
+      stream.emit('error', err)
+    } else {
+      stream.emit('size', streamSize)
+      stream.emit('integrity', newSri)
+      match && stream.emit('verified', match)
+    }
+  })
+  return stream
+}
+
+module.exports.create = createIntegrity
+function createIntegrity (opts) {
+  opts = opts || {}
+  const algorithms = opts.algorithms || ['sha512']
+  const optString = opts.options && opts.options.length
+  ? `?${opts.options.join('?')}`
+  : ''
+
+  const hashes = algorithms.map(crypto.createHash)
+
+  return {
+    update: function (chunk, enc) {
+      hashes.forEach(h => h.update(chunk, enc))
+      return this
+    },
+    digest: function (enc) {
+      const integrity = algorithms.reduce((acc, algo) => {
+        const digest = hashes.shift().digest('base64')
+        const hash = new Hash(
+          `${algo}-${digest}${optString}`,
+          opts
+        )
+        if (hash.algorithm && hash.digest) {
+          const algo = hash.algorithm
+          if (!acc[algo]) { acc[algo] = [] }
+          acc[algo].push(hash)
+        }
+        return acc
+      }, new Integrity())
+
+      return integrity
+    }
+  }
+}
+
+// This is a Best Effort™ at a reasonable priority for hash algos
+const DEFAULT_PRIORITY = [
+  'md5', 'whirlpool', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'
+]
+function getPrioritizedHash (algo1, algo2) {
+  return DEFAULT_PRIORITY.indexOf(algo1.toLowerCase()) >= DEFAULT_PRIORITY.indexOf(algo2.toLowerCase())
+  ? algo1
+  : algo2
+}
+
+function bufFrom (data, enc) {
+  return Buffer.from ? Buffer.from(data, enc) : new Buffer(data, enc)
+}
diff --git a/node_modules/npm-registry-client/node_modules/ssri/package.json b/node_modules/npm-registry-client/node_modules/ssri/package.json
new file mode 100644
index 000000000..bb22fc707
--- /dev/null
+++ b/node_modules/npm-registry-client/node_modules/ssri/package.json
@@ -0,0 +1,123 @@
+{
+  "_args": [
+    [
+      {
+        "raw": "ssri@^4.1.2",
+        "scope": null,
+        "escapedName": "ssri",
+        "name": "ssri",
+        "rawSpec": "^4.1.2",
+        "spec": ">=4.1.2 <5.0.0",
+        "type": "range"
+      },
+      "/Users/zkat/Documents/code/npm5/node_modules/npm-registry-client"
+    ]
+  ],
+  "_from": "ssri@>=4.1.2 <5.0.0",
+  "_id": "ssri@4.1.2",
+  "_inCache": true,
+  "_location": "/npm-registry-client/ssri",
+  "_nodeVersion": "7.9.0",
+  "_npmOperationalInternal": {
+    "host": "packages-12-west.internal.npmjs.com",
+    "tmp": "tmp/ssri-4.1.2.tgz_1492509214466_0.5280678283888847"
+  },
+  "_npmUser": {
+    "name": "zkat",
+    "email": "kat@sykosomatic.org"
+  },
+  "_npmVersion": "5.0.0-beta.1",
+  "_phantomChildren": {},
+  "_requested": {
+    "raw": "ssri@^4.1.2",
+    "scope": null,
+    "escapedName": "ssri",
+    "name": "ssri",
+    "rawSpec": "^4.1.2",
+    "spec": ">=4.1.2 <5.0.0",
+    "type": "range"
+  },
+  "_requiredBy": [
+    "/npm-registry-client"
+  ],
+  "_resolved": "https://registry.npmjs.org/ssri/-/ssri-4.1.2.tgz",
+  "_shasum": "3d3c69b490d0b107772a9bf81881f38ae071f24b",
+  "_shrinkwrap": null,
+  "_spec": "ssri@^4.1.2",
+  "_where": "/Users/zkat/Documents/code/npm5/node_modules/npm-registry-client",
+  "author": {
+    "name": "Kat Marchán",
+    "email": "kzm@sykosomatic.org"
+  },
+  "bugs": {
+    "url": "https://github.com/zkat/ssri/issues"
+  },
+  "config": {
+    "nyc": {
+      "exclude": [
+        "node_modules/**",
+        "test/**"
+      ]
+    }
+  },
+  "dependencies": {},
+  "description": "Standard Subresource Integrity library --  parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
+  "devDependencies": {
+    "nyc": "^10.2.0",
+    "standard": "^9.0.2",
+    "standard-version": "^4.0.0",
+    "tap": "^10.3.2",
+    "weallbehave": "^1.0.0",
+    "weallcontribute": "^1.0.8"
+  },
+  "directories": {},
+  "dist": {
+    "shasum": "3d3c69b490d0b107772a9bf81881f38ae071f24b",
+    "tarball": "https://registry.npmjs.org/ssri/-/ssri-4.1.2.tgz"
+  },
+  "files": [
+    "*.js"
+  ],
+  "gitHead": "e0f1a5dccd1583773f98c3cdef088f3c948afab0",
+  "homepage": "https://github.com/zkat/ssri#readme",
+  "keywords": [
+    "w3c",
+    "web",
+    "security",
+    "integrity",
+    "checksum",
+    "hashing",
+    "subresource integrity",
+    "sri",
+    "sri hash",
+    "sri string",
+    "sri generator",
+    "html"
+  ],
+  "license": "CC0-1.0",
+  "main": "index.js",
+  "maintainers": [
+    {
+      "name": "zkat",
+      "email": "kat@sykosomatic.org"
+    }
+  ],
+  "name": "ssri",
+  "optionalDependencies": {},
+  "readme": "# ssri [![npm version](https://img.shields.io/npm/v/ssri.svg)](https://npm.im/ssri) [![license](https://img.shields.io/npm/l/ssri.svg)](https://npm.im/ssri) [![Travis](https://img.shields.io/travis/zkat/ssri.svg)](https://travis-ci.org/zkat/ssri) [![AppVeyor](https://ci.appveyor.com/api/projects/status/github/zkat/ssri?svg=true)](https://ci.appveyor.com/project/zkat/ssri) [![Coverage Status](https://coveralls.io/repos/github/zkat/ssri/badge.svg?branch=latest)](https://coveralls.io/github/zkat/ssri?branch=latest)\n\n[`ssri`](https://github.com/zkat/ssri), short for Standard Subresource\nIntegrity, is a Node.js utility for parsing, manipulating, serializing,\ngenerating, and verifying [Subresource\nIntegrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) hashes.\n\n## Install\n\n`$ npm install --save ssri`\n\n## Table of Contents\n\n* [Example](#example)\n* [Features](#features)\n* [Contributing](#contributing)\n* [API](#api)\n  * Parsing & Serializing\n    * [`parse`](#parse)\n    * [`stringify`](#stringify)\n    * [`Integrity#concat`](#integrity-concat)\n    * [`Integrity#toString`](#integrity-to-string)\n    * [`Integrity#toJSON`](#integrity-to-json)\n    * [`Integrity#pickAlgorithm`](#integrity-pick-algorithm)\n    * [`Integrity#hexDigest`](#integrity-hex-digest)\n  * Integrity Generation\n    * [`fromHex`](#from-hex)\n    * [`fromData`](#from-data)\n    * [`fromStream`](#from-stream)\n    * [`create`](#create)\n  * Integrity Verification\n    * [`checkData`](#check-data)\n    * [`checkStream`](#check-stream)\n    * [`integrityStream`](#integrity-stream)\n\n### Example\n\n```javascript\nconst ssri = require('ssri')\n\nconst integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'\n\n// Parsing and serializing\nconst parsed = ssri.parse(integrity)\nssri.stringify(parsed) // === integrity (works on non-Integrity objects)\nparsed.toString() // === integrity\n\n// Async stream functions\nssri.checkStream(fs.createReadStream('./my-file'), integrity).then(...)\nssri.fromStream(fs.createReadStream('./my-file')).then(sri => {\n  sri.toString() === integrity\n})\nfs.createReadStream('./my-file').pipe(ssri.createCheckerStream(sri))\n\n// Sync data functions\nssri.fromData(fs.readFileSync('./my-file')) // === parsed\nssri.checkData(fs.readFileSync('./my-file'), integrity) // => 'sha512'\n```\n\n### Features\n\n* Parses and stringifies SRI strings.\n* Generates SRI strings from raw data or Streams.\n* Strict standard compliance.\n* `?foo` metadata option support.\n* Multiple entries for the same algorithm.\n* Object-based integrity hash manipulation.\n* Small footprint: no dependencies, concise implementation.\n* Full test coverage.\n* Customizable algorithm picker.\n\n### Contributing\n\nThe ssri team enthusiastically welcomes contributions and project participation!\nThere's a bunch of things you can do if you want to contribute! The [Contributor\nGuide](CONTRIBUTING.md) has all the information you need for everything from\nreporting bugs to contributing entire new features. Please don't hesitate to\njump in if you'd like to, or even ask us questions if something isn't clear.\n\n### API\n\n#### <a name=\"parse\"></a> `> ssri.parse(sri, [opts]) -> Integrity`\n\nParses `sri` into an `Integrity` data structure. `sri` can be an integrity\nstring, an `Hash`-like with `digest` and `algorithm` fields and an optional\n`options` field, or an `Integrity`-like object. The resulting object will be an\n`Integrity` instance that has this shape:\n\n```javascript\n{\n  'sha1': [{algorithm: 'sha1', digest: 'deadbeef', options: []}],\n  'sha512': [\n    {algorithm: 'sha512', digest: 'c0ffee', options: []},\n    {algorithm: 'sha512', digest: 'bad1dea', options: ['foo']}\n  ],\n}\n```\n\nIf `opts.single` is truthy, a single `Hash` object will be returned. That is, a\nsingle object that looks like `{algorithm, digest, options}`, as opposed to a\nlarger object with multiple of these.\n\nIf `opts.strict` is truthy, the resulting object will be filtered such that\nit strictly follows the Subresource Integrity spec, throwing away any entries\nwith any invalid components. This also means a restricted set of algorithms\nwill be used -- the spec limits them to `sha256`, `sha384`, and `sha512`.\n\nStrict mode is recommended if the integrity strings are intended for use in\nbrowsers, or in other situations where strict adherence to the spec is needed.\n\n##### Example\n\n```javascript\nssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Integrity object\n```\n\n#### <a name=\"stringify\"></a> `> ssri.stringify(sri, [opts]) -> String`\n\nThis function is identical to [`Integrity#toString()`](#integrity-to-string),\nexcept it can be used on _any_ object that [`parse`](#parse) can handle -- that\nis, a string, an `Hash`-like, or an `Integrity`-like.\n\nThe `opts.sep` option defines the string to use when joining multiple entries\ntogether. To be spec-compliant, this _must_ be whitespace. The default is a\nsingle space (`' '`).\n\nIf `opts.strict` is true, the integrity string will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\n// Useful for cleaning up input SRI strings:\nssri.stringify('\\n\\rsha512-foo\\n\\t\\tsha384-bar')\n// -> 'sha512-foo sha384-bar'\n\n// Hash-like: only a single entry.\nssri.stringify({\n  algorithm: 'sha512',\n  digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',\n  options: ['foo']\n})\n// ->\n// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'\n\n// Integrity-like: full multi-entry syntax. Similar to output of `ssri.parse`\nssri.stringify({\n  'sha512': [\n    {\n      algorithm: 'sha512',\n      digest:'9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',\n      options: ['foo']\n    }\n  ]\n})\n// ->\n// 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'\n```\n\n#### <a name=\"integrity-concat\"></a> `> Integrity#concat(otherIntegrity, [opts]) -> Integrity`\n\nConcatenates an `Integrity` object with another IntegrityLike, or an integrity\nstring.\n\nThis is functionally equivalent to concatenating the string format of both\nintegrity arguments, and calling [`ssri.parse`](#ssri-parse) on the new string.\n\nIf `opts.strict` is true, the new `Integrity` will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\n// This will combine the integrity checks for two different versions of\n// your index.js file so you can use a single integrity string and serve\n// either of these to clients, from a single `<script>` tag.\nconst desktopIntegrity = ssri.fromData(fs.readFileSync('./index.desktop.js'))\nconst mobileIntegrity = ssri.fromData(fs.readFileSync('./index.mobile.js'))\n\n// Note that browsers (and ssri) will succeed as long as ONE of the entries\n// for the *prioritized* algorithm succeeds. That is, in order for this fallback\n// to work, both desktop and mobile *must* use the same `algorithm` values.\ndesktopIntegrity.concat(mobileIntegrity)\n```\n\n#### <a name=\"integrity-to-string\"></a> `> Integrity#toString([opts]) -> String`\n\nReturns the string representation of an `Integrity` object. All hash entries\nwill be concatenated in the string by `opts.sep`, which defaults to `' '`.\n\nIf you want to serialize an object that didn't from from an `ssri` function,\nuse [`ssri.stringify()`](#stringify).\n\nIf `opts.strict` is true, the integrity string will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\nconst integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'\n\nssri.parse(integrity).toString() === integrity\n```\n\n#### <a name=\"integrity-to-json\"></a> `> Integrity#toJSON() -> String`\n\nReturns the string representation of an `Integrity` object. All hash entries\nwill be concatenated in the string by `' '`.\n\nThis is a convenience method so you can pass an `Integrity` object directly to `JSON.stringify`.\nFor more info check out [toJSON() behavior on mdn](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#toJSON%28%29_behavior).\n\n##### Example\n\n```javascript\nconst integrity = '\"sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo\"'\n\nJSON.stringify(ssri.parse(integrity)) === integrity\n```\n\n#### <a name=\"integrity-pick-algorithm\"></a> `> Integrity#pickAlgorithm([opts]) -> String`\n\nReturns the \"best\" algorithm from those available in the integrity object.\n\nIf `opts.pickAlgorithm` is provided, it will be passed two algorithms as\narguments. ssri will prioritize whichever of the two algorithms is returned by\nthis function. Note that the function may be called multiple times, and it\n**must** return one of the two algorithms provided. By default, ssri will make\na best-effort to pick the strongest/most reliable of the given algorithms. It\nmay intentionally deprioritize algorithms with known vulnerabilities.\n\n##### Example\n\n```javascript\nssri.parse('sha1-WEakDigEST sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1').pickAlgorithm() // sha512\n```\n\n#### <a name=\"integrity-hex-digest\"></a> `> Integrity#hexDigest() -> String`\n\n`Integrity` is assumed to be either a single-hash `Integrity` instance, or a\n`Hash` instance. Returns its `digest`, converted to a hex representation of the\nbase64 data.\n\n##### Example\n\n```javascript\nssri.parse('sha1-deadbeef').hexDigest() // '75e69d6de79f'\n```\n\n#### <a name=\"from-hex\"></a> `> ssri.fromHex(hexDigest, algorithm, [opts]) -> Integrity`\n\nCreates an `Integrity` object with a single entry, based on a hex-formatted\nhash. This is a utility function to help convert existing shasums to the\nIntegrity format, and is roughly equivalent to something like:\n\n```javascript\nalgorithm + '-' + Buffer.from(hexDigest, 'hex').toString('base64')\n```\n\n`opts.options` may optionally be passed in: it must be an array of option\nstrings that will be added to all generated integrity hashes generated by\n`fromData`. This is a loosely-specified feature of SRIs, and currently has no\nspecified semantics besides being `?`-separated. Use at your own risk, and\nprobably avoid if your integrity strings are meant to be used with browsers.\n\nIf `opts.strict` is true, the integrity object will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\nIf `opts.single` is true, a single `Hash` object will be returned.\n\n##### Example\n\n```javascript\nssri.fromHex('75e69d6de79f', 'sha1').toString() // 'sha1-deadbeef'\n```\n\n#### <a name=\"from-data\"></a> `> ssri.fromData(data, [opts]) -> Integrity`\n\nCreates an `Integrity` object from either string or `Buffer` data, calculating\nall the requested hashes and adding any specified options to the object.\n\n`opts.algorithms` determines which algorithms to generate hashes for. All\nresults will be included in a single `Integrity` object. The default value for\n`opts.algorithms` is `['sha512']`. All algorithm strings must be hashes listed\nin `crypto.getHashes()` for the host Node.js platform.\n\n`opts.options` may optionally be passed in: it must be an array of option\nstrings that will be added to all generated integrity hashes generated by\n`fromData`. This is a loosely-specified feature of SRIs, and currently has no\nspecified semantics besides being `?`-separated. Use at your own risk, and\nprobably avoid if your integrity strings are meant to be used with browsers.\n\nIf `opts.strict` is true, the integrity object will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\nconst integrityObj = ssri.fromData('foobarbaz', {\n  algorithms: ['sha256', 'sha384', 'sha512']\n})\nintegrity.toString('\\n')\n// ->\n// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0=\n// sha384-irnCxQ0CfQhYGlVAUdwTPC9bF3+YWLxlaDGM4xbYminxpbXEq+D+2GCEBTxcjES9\n// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg==\n```\n\n#### <a name=\"from-stream\"></a> `> ssri.fromStream(stream, [opts]) -> Promise<Integrity>`\n\nReturns a Promise of an Integrity object calculated by reading data from\na given `stream`.\n\nIt accepts both `opts.algorithms` and `opts.options`, which are documented as\npart of [`ssri.fromData`](#from-data).\n\nAdditionally, `opts.Promise` may be passed in to inject a Promise library of\nchoice. By default, ssri will use Node's built-in Promises.\n\nIf `opts.strict` is true, the integrity object will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\nssri.fromStream(fs.createReadStream('index.js'), {\n  algorithms: ['sha1', 'sha512']\n}).then(integrity => {\n  return ssri.checkStream(fs.createReadStream('index.js'), integrity)\n}) // succeeds\n```\n\n#### <a name=\"create\"></a> `> ssri.create([opts]) -> <Hash>`\n\nReturns a Hash object with `update(<Buffer or string>[,enc])` and `digest()` methods.\n\n\nThe Hash object provides the same methods as [crypto class Hash](https://nodejs.org/dist/latest-v6.x/docs/api/crypto.html#crypto_class_hash).\n`digest()` accepts no arguments and returns an Integrity object calculated by reading data from\ncalls to update.\n\nIt accepts both `opts.algorithms` and `opts.options`, which are documented as\npart of [`ssri.fromData`](#from-data).\n\nIf `opts.strict` is true, the integrity object will be created using strict\nparsing rules. See [`ssri.parse`](#parse).\n\n##### Example\n\n```javascript\nconst integrity = ssri.create().update('foobarbaz').digest()\nintegrity.toString()\n// ->\n// sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1+9vBnypkYWg==\n```\n\n#### <a name=\"check-data\"></a> `> ssri.checkData(data, sri, [opts]) -> Hash|false`\n\nVerifies `data` integrity against an `sri` argument. `data` may be either a\n`String` or a `Buffer`, and `sri` can be any subresource integrity\nrepresentation that [`ssri.parse`](#parse) can handle.\n\nIf verification succeeds, `checkData` will return the name of the algorithm that\nwas used for verification (a truthy value). Otherwise, it will return `false`.\n\nIf `opts.pickAlgorithm` is provided, it will be used by\n[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of\nthe available digests to match against.\n\n##### Example\n\n```javascript\nconst data = fs.readFileSync('index.js')\nssri.checkData(data, ssri.fromData(data)) // -> 'sha512'\nssri.checkData(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0')\nssri.checkData(data, 'sha1-BaDDigEST') // -> false\n```\n\n#### <a name=\"check-stream\"></a> `> ssri.checkStream(stream, sri, [opts]) -> Promise<Hash>`\n\nVerifies the contents of `stream` against an `sri` argument. `stream` will be\nconsumed in its entirety by this process. `sri` can be any subresource integrity\nrepresentation that [`ssri.parse`](#parse) can handle.\n\n`checkStream` will return a Promise that either resolves to the\n`Hash` that succeeded verification, or, if the verification fails\nor an error happens with `stream`, the Promise will be rejected.\n\nIf the Promise is rejected because verification failed, the returned error will\nhave `err.code` as `EINTEGRITY`.\n\nIf `opts.size` is given, it will be matched against the stream size. An error\nwith `err.code` `EBADSIZE` will be returned by a rejection if the expected size\nand actual size fail to match.\n\nIf `opts.pickAlgorithm` is provided, it will be used by\n[`Integrity#pickAlgorithm`](#integrity-pick-algorithm) when deciding which of\nthe available digests to match against.\n\n##### Example\n\n```javascript\nconst integrity = ssri.fromData(fs.readFileSync('index.js'))\n\nssri.checkStream(\n  fs.createReadStream('index.js'),\n  integrity\n)\n// ->\n// Promise<{\n//   algorithm: 'sha512',\n//   digest: 'sha512-yzd8ELD1piyANiWnmdnpCL5F52f10UfUdEkHywVZeqTt0ymgrxR63Qz0GB7TKPoeeZQmWCaz7T1'\n// }>\n\nssri.checkStream(\n  fs.createReadStream('index.js'),\n  'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0'\n) // -> Promise<Hash>\n\nssri.checkStream(\n  fs.createReadStream('index.js'),\n  'sha1-BaDDigEST'\n) // -> Promise<Error<{code: 'EINTEGRITY'}>>\n```\n\n#### <a name=\"integrity-stream\"></a> `> integrityStream(sri, [opts]) -> IntegrityStream`\n\nReturns a `Transform` stream that data can be piped through in order to generate\nand optionally check data integrity for piped data. When the stream completes\nsuccessfully, it emits `size` and `integrity` events, containing the total\nnumber of bytes processed and a calculated `Integrity` instance based on stream\ndata, respectively.\n\nIf `opts.algorithms` is passed in, the listed algorithms will be calculated when\ngenerating the final `Integrity` instance. The default is `['sha512']`.\n\nIf `opts.single` is passed in, a single `Hash` instance will be returned.\n\nIf `opts.integrity` is passed in, it should be an `integrity` value understood\nby [`parse`](#parse) that the stream will check the data against. If\nverification succeeds, the integrity stream will emit a `verified` event whose\nvalue is a single `Hash` object that is the one that succeeded verification. If\nverification fails, the stream will error with an `EINTEGRITY` error code.\n\nIf `opts.size` is given, it will be matched against the stream size. An error\nwith `err.code` `EBADSIZE` will be emitted by the stream if the expected size\nand actual size fail to match.\n\nIf `opts.pickAlgorithm` is provided, it will be passed two algorithms as\narguments. ssri will prioritize whichever of the two algorithms is returned by\nthis function. Note that the function may be called multiple times, and it\n**must** return one of the two algorithms provided. By default, ssri will make\na best-effort to pick the strongest/most reliable of the given algorithms. It\nmay intentionally deprioritize algorithms with known vulnerabilities.\n\n##### Example\n\n```javascript\nconst integrity = ssri.fromData(fs.readFileSync('index.js'))\nfs.createReadStream('index.js')\n.pipe(ssri.checkStream(integrity))\n```\n",
+  "readmeFilename": "README.md",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/zkat/ssri.git"
+  },
+  "scripts": {
+    "postrelease": "npm publish && git push --follow-tags",
+    "prerelease": "npm t",
+    "pretest": "standard",
+    "release": "standard-version -s",
+    "test": "tap -J --coverage test/*.js",
+    "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",
+    "update-contrib": "weallcontribute -o . && git add CONTRIBUTING.md && git commit -m 'docs(contributing): updated CONTRIBUTING.md'"
+  },
+  "version": "4.1.2"
+}
diff --git a/node_modules/npm-registry-client/package.json b/node_modules/npm-registry-client/package.json
index d2dbce4cd..d65ab3470 100644
--- a/node_modules/npm-registry-client/package.json
+++ b/node_modules/npm-registry-client/package.json
@@ -2,53 +2,53 @@
   "_args": [
     [
       {
-        "raw": "npm-registry-client@8.1.1",
+        "raw": "npm-registry-client@latest",
         "scope": null,
         "escapedName": "npm-registry-client",
         "name": "npm-registry-client",
-        "rawSpec": "8.1.1",
-        "spec": "8.1.1",
-        "type": "version"
+        "rawSpec": "latest",
+        "spec": "latest",
+        "type": "tag"
       },
-      "/Users/rebecca/code/npm"
+      "/Users/zkat/Documents/code/npm5"
     ]
   ],
-  "_from": "npm-registry-client@8.1.1",
-  "_id": "npm-registry-client@8.1.1",
+  "_from": "npm-registry-client@latest",
+  "_id": "npm-registry-client@8.3.0",
   "_inCache": true,
   "_location": "/npm-registry-client",
-  "_nodeVersion": "7.7.4",
+  "_nodeVersion": "7.9.0",
   "_npmOperationalInternal": {
-    "host": "packages-18-east.internal.npmjs.com",
-    "tmp": "tmp/npm-registry-client-8.1.1.tgz_1492135290715_0.17790596769191325"
+    "host": "packages-12-west.internal.npmjs.com",
+    "tmp": "tmp/npm-registry-client-8.3.0.tgz_1493330360670_0.4767299888189882"
   },
   "_npmUser": {
-    "name": "iarna",
-    "email": "me@re-becca.org"
+    "name": "zkat",
+    "email": "kat@sykosomatic.org"
   },
-  "_npmVersion": "4.5.0",
+  "_npmVersion": "5.0.0-beta.13",
   "_phantomChildren": {
     "inherits": "2.0.3",
-    "readable-stream": "2.2.6"
+    "readable-stream": "2.2.9"
   },
   "_requested": {
-    "raw": "npm-registry-client@8.1.1",
+    "raw": "npm-registry-client@latest",
     "scope": null,
     "escapedName": "npm-registry-client",
     "name": "npm-registry-client",
-    "rawSpec": "8.1.1",
-    "spec": "8.1.1",
-    "type": "version"
+    "rawSpec": "latest",
+    "spec": "latest",
+    "type": "tag"
   },
   "_requiredBy": [
     "#USER",
     "/"
   ],
-  "_resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.1.1.tgz",
-  "_shasum": "831476455423ca0a265c6ffdb6100fcc042b36cf",
+  "_resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.3.0.tgz",
+  "_shasum": "a86d5b1f97945de8df73c471d33602d5cd15130f",
   "_shrinkwrap": null,
-  "_spec": "npm-registry-client@8.1.1",
-  "_where": "/Users/rebecca/code/npm",
+  "_spec": "npm-registry-client@latest",
+  "_where": "/Users/zkat/Documents/code/npm5",
   "author": {
     "name": "Isaac Z. Schlueter",
     "email": "i@izs.me",
@@ -67,7 +67,8 @@
     "request": "^2.74.0",
     "retry": "^0.10.0",
     "semver": "2 >=2.2.1 || 3.x || 4 || 5",
-    "slide": "^1.1.3"
+    "slide": "^1.1.3",
+    "ssri": "^4.1.2"
   },
   "description": "Client for the npm registry",
   "devDependencies": {
@@ -81,14 +82,15 @@
   },
   "directories": {},
   "dist": {
-    "shasum": "831476455423ca0a265c6ffdb6100fcc042b36cf",
-    "tarball": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.1.1.tgz"
+    "integrity": "sha512-rBFLIisl55sq77Bf189ptxaFGEkTNcZpvR7UFZI7bmG/wYD2hY/2Ix1Ss26aOLSbyctwHuUPZ3tJRSYnkmMQkg==",
+    "shasum": "a86d5b1f97945de8df73c471d33602d5cd15130f",
+    "tarball": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-8.3.0.tgz"
   },
   "files": [
     "lib",
     "index.js"
   ],
-  "gitHead": "81afb2ce59d82c2a1179211d8c1bc789c9f6128c",
+  "gitHead": "20b0c8a723b3fbb56ace1bbbde99502b7d089ddb",
   "homepage": "https://github.com/npm/npm-registry-client#readme",
   "license": "ISC",
   "main": "index.js",
@@ -110,5 +112,5 @@
   "scripts": {
     "test": "standard && tap test/*.js"
   },
-  "version": "8.1.1"
+  "version": "8.3.0"
 }