npm-registry-client@5.0.0

BREAKING CHANGE:

* npm star now works with token-based auth

otherwise:

* npm whoami has been moved out from under the package namespace
* ensure that Keep-Alive requests keep working properly with Node 0.11 /
  io.js 1.0.1
* use If-Modified-Since headers in addition to etags

10 files changed, 175 insertions, 74 deletions

diff --git a/node_modules/npm-registry-client/README.md b/node_modules/npm-registry-client/README.md
index 182552aeb..a35c48311 100644
--- a/node_modules/npm-registry-client/README.md
+++ b/node_modules/npm-registry-client/README.md
@@ -93,7 +93,7 @@ Deprecate a version of a package in the registry.
 * `cb` {Function}
 
 Fetches data from the registry via a GET request, saving it in the cache folder
-with the ETag.
+with the ETag or the "Last Modified" timestamp.
 
 ### client.publish(uri, params, cb)
 
@@ -182,6 +182,7 @@ caching logic directly.
     that are not Buffers or Streams are encoded as JSON. Optional – body
     only used for write operations.
   * `etag` {String} The cached ETag. Optional.
+  * `lastModified` {String} The cached Last-Modified timestamp. Optional.
   * `follow` {Boolean} Follow 302/301 responses. Optional (default: true).
   * `auth` {Credentials} Optional.
 * `cb` {Function}
diff --git a/node_modules/npm-registry-client/lib/initialize.js b/node_modules/npm-registry-client/lib/initialize.js
index 727625e74..bd5a4caae 100644
--- a/node_modules/npm-registry-client/lib/initialize.js
+++ b/node_modules/npm-registry-client/lib/initialize.js
@@ -1,7 +1,12 @@
 var crypto = require("crypto")
+var HttpAgent = require("http").Agent
+var HttpsAgent = require("https").Agent
 
 var pkg = require("../package.json")
 
+var httpAgent = new HttpAgent({ keepAlive : true })
+var httpsAgent = new HttpsAgent({ keepAlive : true })
+
 module.exports = initialize
 
 function initialize (uri, method, accept, headers) {
@@ -24,11 +29,13 @@ function initialize (uri, method, accept, headers) {
   // request will not pay attention to the NOPROXY environment variable if a
   // config value named proxy is passed in, even if it's set to null.
   var proxy
-  if (uri.protocol === "https") {
+  if (uri.protocol === "https:") {
     proxy = this.config.proxy.https
+    opts.agent = httpsAgent
   }
   else {
     proxy = this.config.proxy.http
+    opts.agent = httpAgent
   }
   if (typeof proxy === "string") opts.proxy = proxy
 
diff --git a/node_modules/npm-registry-client/lib/request.js b/node_modules/npm-registry-client/lib/request.js
index ec39cc25d..fa969ac22 100644
--- a/node_modules/npm-registry-client/lib/request.js
+++ b/node_modules/npm-registry-client/lib/request.js
@@ -121,6 +121,11 @@ function makeRequest (uri, params, cb_) {
     headers[params.method === "GET" ? "if-none-match" : "if-match"] = params.etag
   }
 
+  if (params.lastModified && params.method === "GET") {
+    this.log.verbose("lastModified", params.lastModified)
+    headers["if-modified-since"] = params.lastModified;
+  }
+
   // figure out wth body is
   if (params.body) {
     if (Buffer.isBuffer(params.body)) {
@@ -139,6 +144,7 @@ function makeRequest (uri, params, cb_) {
     }
     else {
       delete params.body._etag
+      delete params.body._lastModified
       opts.json = params.body
     }
   }
@@ -220,6 +226,10 @@ function requestDone (method, where, cb) {
       parsed._etag = response.headers.etag
     }
 
+    if (parsed && response.headers['last-modified']) {
+      parsed._lastModified = response.headers['last-modified']
+    }
+
     // for the search endpoint, the "error" property can be an object
     if (parsed && parsed.error && typeof parsed.error !== "object" ||
         response.statusCode >= 400) {
diff --git a/node_modules/npm-registry-client/lib/star.js b/node_modules/npm-registry-client/lib/star.js
index aa707e159..87c5b67c4 100644
--- a/node_modules/npm-registry-client/lib/star.js
+++ b/node_modules/npm-registry-client/lib/star.js
@@ -11,38 +11,42 @@ function star (uri, params, cb) {
 
   var auth = params.auth
   assert(auth && typeof auth === "object", "must pass auth to star")
-  if (auth.token) {
-    return cb(new Error("This operation is unsupported for token-based auth"))
-  }
-  else if (!(auth.username && auth.password)) {
-    return cb(new Error("Must be logged in to star/unstar packages"))
+  if (!(auth.token || (auth.password && auth.username && auth.email))) {
+    var er = new Error("Must be logged in to star/unstar packages")
+    er.code = "ENEEDAUTH"
+    return cb(er)
   }
 
   var client = this
   this.request(uri+"?write=true", { auth : auth }, function (er, fullData) {
     if (er) return cb(er)
 
-    fullData = {
-      _id   : fullData._id,
-      _rev  : fullData._rev,
-      users : fullData.users || {}
-    }
-
-    if (starred) {
-      client.log.info("starring", fullData._id)
-      fullData.users[auth.username] = true
-      client.log.verbose("starring", fullData)
-    } else {
-      delete fullData.users[auth.username]
-      client.log.info("unstarring", fullData._id)
-      client.log.verbose("unstarring", fullData)
-    }
-
-    var options = {
-      method : "PUT",
-      body : fullData,
-      auth : auth
-    }
-    return client.request(uri, options, cb)
+    client.whoami(uri, params, function (er, username) {
+      if (er) return cb(er)
+
+      var data = {
+        _id : fullData._id,
+        _rev : fullData._rev,
+        users : fullData.users || {}
+      }
+
+      if (starred) {
+        client.log.info("starring", data._id)
+        data.users[username] = true
+        client.log.verbose("starring", data)
+      }
+      else {
+        delete data.users[username]
+        client.log.info("unstarring", data._id)
+        client.log.verbose("unstarring", data)
+      }
+
+      var options = {
+        method : "PUT",
+        body : data,
+        auth : auth
+      }
+      return client.request(uri, options, cb)
+    })
   })
 }
diff --git a/node_modules/npm-registry-client/lib/whoami.js b/node_modules/npm-registry-client/lib/whoami.js
index 684ce7bfb..4c099ebec 100644
--- a/node_modules/npm-registry-client/lib/whoami.js
+++ b/node_modules/npm-registry-client/lib/whoami.js
@@ -11,7 +11,9 @@ function whoami (uri, params, cb) {
   var auth = params.auth
   assert(auth && typeof auth === "object", "must pass auth to whoami")
 
-  this.request(url.resolve(uri, "whoami"), { auth : auth }, function (er, userdata) {
+  if (auth.username) return process.nextTick(cb.bind(this, null, auth.username))
+
+  this.request(url.resolve(uri, "-/whoami"), { auth : auth }, function (er, userdata) {
     if (er) return cb(er)
 
     cb(null, userdata.username)
diff --git a/node_modules/npm-registry-client/package.json b/node_modules/npm-registry-client/package.json
index e98b732f7..9d4178c57 100644
--- a/node_modules/npm-registry-client/package.json
+++ b/node_modules/npm-registry-client/package.json
@@ -6,7 +6,7 @@
   },
   "name": "npm-registry-client",
   "description": "Client for the npm registry",
-  "version": "4.0.5",
+  "version": "5.0.0",
   "repository": {
     "url": "git://github.com/isaacs/npm-registry-client"
   },
@@ -30,20 +30,21 @@
   },
   "devDependencies": {
     "negotiator": "^0.4.9",
+    "nock": "^0.56.0",
     "tap": ""
   },
   "optionalDependencies": {
     "npmlog": ""
   },
   "license": "ISC",
-  "readme": "# npm-registry-client\n\nThe code that npm uses to talk to the registry.\n\nIt handles all the caching and HTTP calls.\n\n## Usage\n\n```javascript\nvar RegClient = require('npm-registry-client')\nvar client = new RegClient(config)\nvar uri = \"npm://registry.npmjs.org/npm\"\nvar params = {timeout: 1000}\n\nclient.get(uri, params, function (error, data, raw, res) {\n  // error is an error if there was a problem.\n  // data is the parsed data object\n  // raw is the json string\n  // res is the response from couch\n})\n```\n\n# Registry URLs\n\nThe registry calls take either a full URL pointing to a resource in the\nregistry, or a base URL for the registry as a whole (including the registry\npath – but be sure to terminate the path with `/`). `http` and `https` URLs are\nthe only ones supported.\n\n## Using the client\n\nEvery call to the client follows the same pattern:\n\n* `uri` {String} The *fully-qualified* URI of the registry API method being\n  invoked.\n* `params` {Object} Per-request parameters.\n* `callback` {Function} Callback to be invoked when the call is complete.\n\n### Credentials\n\nMany requests to the registry can by authenticated, and require credentials\nfor authorization. These credentials always look the same:\n\n* `username` {String}\n* `password` {String}\n* `email` {String}\n* `alwaysAuth` {Boolean} Whether calls to the target registry are always\n  authed.\n\n**or**\n\n* `token` {String}\n* `alwaysAuth` {Boolean} Whether calls to the target registry are always\n  authed.\n\n## API\n\n### client.adduser(uri, params, cb)\n\n* `uri` {String} Base registry URL.\n* `params` {Object} Object containing per-request properties.\n  * `auth` {Credentials}\n* `cb` {Function}\n  * `error` {Error | null}\n  * `data` {Object} the parsed data object\n  * `raw` {String} the json\n  * `res` {Response Object} response from couch\n\nAdd a user account to the registry, or verify the credentials.\n\n### client.deprecate(uri, params, cb)\n\n* `uri` {String} Full registry URI for the deprecated package.\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} Semver version range.\n  * `message` {String} The message to use as a deprecation warning.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nDeprecate a version of a package in the registry.\n\n### client.get(uri, params, cb)\n\n* `uri` {String} The complete registry URI to fetch\n* `params` {Object} Object containing per-request properties.\n  * `timeout` {Number} Duration before the request times out. Optional\n    (default: never).\n  * `follow` {Boolean} Follow 302/301 responses. Optional (default: true).\n  * `staleOk` {Boolean} If there's cached data available, then return that to\n    the callback quickly, and update the cache the background. Optional\n    (default: false).\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n\nFetches data from the registry via a GET request, saving it in the cache folder\nwith the ETag.\n\n### client.publish(uri, params, cb)\n\n* `uri` {String} The registry URI for the package to publish.\n* `params` {Object} Object containing per-request properties.\n  * `metadata` {Object} Package metadata.\n  * `body` {Stream} Stream of the package body / tarball.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nPublish a package to the registry.\n\nNote that this does not create the tarball from a folder.\n\n### client.star(uri, params, cb)\n\n* `uri` {String} The complete registry URI for the package to star.\n* `params` {Object} Object containing per-request properties.\n  * `starred` {Boolean} True to star the package, false to unstar it. Optional\n    (default: false).\n  * `auth` {Credentials}\n* `cb` {Function}\n\nStar or unstar a package.\n\nNote that the user does not have to be the package owner to star or unstar a\npackage, though other writes do require that the user be the package owner.\n\n### client.stars(uri, params, cb)\n\n* `uri` {String} The base URL for the registry.\n* `params` {Object} Object containing per-request properties.\n  * `username` {String} Name of user to fetch starred packages for. Optional\n    (default: user in `auth`).\n  * `auth` {Credentials} Optional (required if `username` is omitted).\n* `cb` {Function}\n\nView your own or another user's starred packages.\n\n### client.tag(uri, params, cb)\n\n* `uri` {String} The complete registry URI to tag\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} Version to tag.\n  * `tag` {String} Tag name to apply.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nMark a version in the `dist-tags` hash, so that `pkg@tag` will fetch the\nspecified version.\n\n### client.unpublish(uri, params, cb)\n\n* `uri` {String} The complete registry URI of the package to unpublish.\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} version to unpublish. Optional – omit to unpublish all\n    versions.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nRemove a version of a package (or all versions) from the registry.  When the\nlast version us unpublished, the entire document is removed from the database.\n\n### client.whoami(uri, params, cb)\n\n* `uri` {String} The base registry for the URI.\n* `params` {Object} Object containing per-request properties.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nSimple call to see who the registry thinks you are. Especially useful with\ntoken-based auth.\n\n\n## PLUMBING\n\nThe below are primarily intended for use by the rest of the API, or by the npm\ncaching logic directly.\n\n### client.request(uri, params, cb)\n\n* `uri` {String} URI pointing to the resource to request.\n* `params` {Object} Object containing per-request properties.\n  * `method` {String} HTTP method. Optional (default: \"GET\").\n  * `body` {Stream | Buffer | String | Object} The request body.  Objects\n    that are not Buffers or Streams are encoded as JSON. Optional – body\n    only used for write operations.\n  * `etag` {String} The cached ETag. Optional.\n  * `follow` {Boolean} Follow 302/301 responses. Optional (default: true).\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n  * `error` {Error | null}\n  * `data` {Object} the parsed data object\n  * `raw` {String} the json\n  * `res` {Response Object} response from couch\n\nMake a generic request to the registry. All the other methods are wrappers\naround `client.request`.\n\n### client.fetch(uri, params, cb)\n\n* `uri` {String} The complete registry URI to upload to\n* `params` {Object} Object containing per-request properties.\n  * `headers` {Stream} HTTP headers to be included with the request. Optional.\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n\nFetch a package from a URL, with auth set appropriately if included. Used to\ncache remote tarballs as well as request package tarballs from the registry.\n\n# Configuration\n\nThe client uses its own configuration, which is just passed in as a simple\nnested object. The following are the supported values (with their defaults, if\nany):\n\n* `proxy.http` {URL} The URL to proxy HTTP requests through.\n* `proxy.https` {URL} The URL to proxy HTTPS requests through. Defaults to be\n  the same as `proxy.http` if unset.\n* `proxy.localAddress` {IP} The local address to use on multi-homed systems.\n* `ssl.ca` {String} Cerficate signing authority certificates to trust.\n* `ssl.certificate` {String} Client certificate (PEM encoded). Enable access\n  to servers that require client certificates.\n* `ssl.key` {String} Private key (PEM encoded) for client certificate.\n* `ssl.strict` {Boolean} Whether or not to be strict with SSL certificates.\n  Default = `true`\n* `retry.count` {Number} Number of times to retry on GET failures. Default = 2.\n* `retry.factor` {Number} `factor` setting for `node-retry`. Default = 10.\n* `retry.minTimeout` {Number} `minTimeout` setting for `node-retry`.\n  Default = 10000 (10 seconds)\n* `retry.maxTimeout` {Number} `maxTimeout` setting for `node-retry`.\n  Default = 60000 (60 seconds)\n* `userAgent` {String} User agent header to send. Default =\n  `\"node/{process.version}\"`\n* `log` {Object} The logger to use.  Defaults to `require(\"npmlog\")` if\n  that works, otherwise logs are disabled.\n* `defaultTag` {String} The default tag to use when publishing new packages.\n  Default = `\"latest\"`\n* `couchToken` {Object} A token for use with\n  [couch-login](https://npmjs.org/package/couch-login).\n* `sessionToken` {string} A random identifier for this set of client requests.\n  Default = 8 random hexadecimal bytes.\n",
+  "readme": "# npm-registry-client\n\nThe code that npm uses to talk to the registry.\n\nIt handles all the caching and HTTP calls.\n\n## Usage\n\n```javascript\nvar RegClient = require('npm-registry-client')\nvar client = new RegClient(config)\nvar uri = \"npm://registry.npmjs.org/npm\"\nvar params = {timeout: 1000}\n\nclient.get(uri, params, function (error, data, raw, res) {\n  // error is an error if there was a problem.\n  // data is the parsed data object\n  // raw is the json string\n  // res is the response from couch\n})\n```\n\n# Registry URLs\n\nThe registry calls take either a full URL pointing to a resource in the\nregistry, or a base URL for the registry as a whole (including the registry\npath – but be sure to terminate the path with `/`). `http` and `https` URLs are\nthe only ones supported.\n\n## Using the client\n\nEvery call to the client follows the same pattern:\n\n* `uri` {String} The *fully-qualified* URI of the registry API method being\n  invoked.\n* `params` {Object} Per-request parameters.\n* `callback` {Function} Callback to be invoked when the call is complete.\n\n### Credentials\n\nMany requests to the registry can by authenticated, and require credentials\nfor authorization. These credentials always look the same:\n\n* `username` {String}\n* `password` {String}\n* `email` {String}\n* `alwaysAuth` {Boolean} Whether calls to the target registry are always\n  authed.\n\n**or**\n\n* `token` {String}\n* `alwaysAuth` {Boolean} Whether calls to the target registry are always\n  authed.\n\n## API\n\n### client.adduser(uri, params, cb)\n\n* `uri` {String} Base registry URL.\n* `params` {Object} Object containing per-request properties.\n  * `auth` {Credentials}\n* `cb` {Function}\n  * `error` {Error | null}\n  * `data` {Object} the parsed data object\n  * `raw` {String} the json\n  * `res` {Response Object} response from couch\n\nAdd a user account to the registry, or verify the credentials.\n\n### client.deprecate(uri, params, cb)\n\n* `uri` {String} Full registry URI for the deprecated package.\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} Semver version range.\n  * `message` {String} The message to use as a deprecation warning.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nDeprecate a version of a package in the registry.\n\n### client.get(uri, params, cb)\n\n* `uri` {String} The complete registry URI to fetch\n* `params` {Object} Object containing per-request properties.\n  * `timeout` {Number} Duration before the request times out. Optional\n    (default: never).\n  * `follow` {Boolean} Follow 302/301 responses. Optional (default: true).\n  * `staleOk` {Boolean} If there's cached data available, then return that to\n    the callback quickly, and update the cache the background. Optional\n    (default: false).\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n\nFetches data from the registry via a GET request, saving it in the cache folder\nwith the ETag or the \"Last Modified\" timestamp.\n\n### client.publish(uri, params, cb)\n\n* `uri` {String} The registry URI for the package to publish.\n* `params` {Object} Object containing per-request properties.\n  * `metadata` {Object} Package metadata.\n  * `body` {Stream} Stream of the package body / tarball.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nPublish a package to the registry.\n\nNote that this does not create the tarball from a folder.\n\n### client.star(uri, params, cb)\n\n* `uri` {String} The complete registry URI for the package to star.\n* `params` {Object} Object containing per-request properties.\n  * `starred` {Boolean} True to star the package, false to unstar it. Optional\n    (default: false).\n  * `auth` {Credentials}\n* `cb` {Function}\n\nStar or unstar a package.\n\nNote that the user does not have to be the package owner to star or unstar a\npackage, though other writes do require that the user be the package owner.\n\n### client.stars(uri, params, cb)\n\n* `uri` {String} The base URL for the registry.\n* `params` {Object} Object containing per-request properties.\n  * `username` {String} Name of user to fetch starred packages for. Optional\n    (default: user in `auth`).\n  * `auth` {Credentials} Optional (required if `username` is omitted).\n* `cb` {Function}\n\nView your own or another user's starred packages.\n\n### client.tag(uri, params, cb)\n\n* `uri` {String} The complete registry URI to tag\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} Version to tag.\n  * `tag` {String} Tag name to apply.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nMark a version in the `dist-tags` hash, so that `pkg@tag` will fetch the\nspecified version.\n\n### client.unpublish(uri, params, cb)\n\n* `uri` {String} The complete registry URI of the package to unpublish.\n* `params` {Object} Object containing per-request properties.\n  * `version` {String} version to unpublish. Optional – omit to unpublish all\n    versions.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nRemove a version of a package (or all versions) from the registry.  When the\nlast version us unpublished, the entire document is removed from the database.\n\n### client.whoami(uri, params, cb)\n\n* `uri` {String} The base registry for the URI.\n* `params` {Object} Object containing per-request properties.\n  * `auth` {Credentials}\n* `cb` {Function}\n\nSimple call to see who the registry thinks you are. Especially useful with\ntoken-based auth.\n\n\n## PLUMBING\n\nThe below are primarily intended for use by the rest of the API, or by the npm\ncaching logic directly.\n\n### client.request(uri, params, cb)\n\n* `uri` {String} URI pointing to the resource to request.\n* `params` {Object} Object containing per-request properties.\n  * `method` {String} HTTP method. Optional (default: \"GET\").\n  * `body` {Stream | Buffer | String | Object} The request body.  Objects\n    that are not Buffers or Streams are encoded as JSON. Optional – body\n    only used for write operations.\n  * `etag` {String} The cached ETag. Optional.\n  * `lastModified` {String} The cached Last-Modified timestamp. Optional.\n  * `follow` {Boolean} Follow 302/301 responses. Optional (default: true).\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n  * `error` {Error | null}\n  * `data` {Object} the parsed data object\n  * `raw` {String} the json\n  * `res` {Response Object} response from couch\n\nMake a generic request to the registry. All the other methods are wrappers\naround `client.request`.\n\n### client.fetch(uri, params, cb)\n\n* `uri` {String} The complete registry URI to upload to\n* `params` {Object} Object containing per-request properties.\n  * `headers` {Stream} HTTP headers to be included with the request. Optional.\n  * `auth` {Credentials} Optional.\n* `cb` {Function}\n\nFetch a package from a URL, with auth set appropriately if included. Used to\ncache remote tarballs as well as request package tarballs from the registry.\n\n# Configuration\n\nThe client uses its own configuration, which is just passed in as a simple\nnested object. The following are the supported values (with their defaults, if\nany):\n\n* `proxy.http` {URL} The URL to proxy HTTP requests through.\n* `proxy.https` {URL} The URL to proxy HTTPS requests through. Defaults to be\n  the same as `proxy.http` if unset.\n* `proxy.localAddress` {IP} The local address to use on multi-homed systems.\n* `ssl.ca` {String} Cerficate signing authority certificates to trust.\n* `ssl.certificate` {String} Client certificate (PEM encoded). Enable access\n  to servers that require client certificates.\n* `ssl.key` {String} Private key (PEM encoded) for client certificate.\n* `ssl.strict` {Boolean} Whether or not to be strict with SSL certificates.\n  Default = `true`\n* `retry.count` {Number} Number of times to retry on GET failures. Default = 2.\n* `retry.factor` {Number} `factor` setting for `node-retry`. Default = 10.\n* `retry.minTimeout` {Number} `minTimeout` setting for `node-retry`.\n  Default = 10000 (10 seconds)\n* `retry.maxTimeout` {Number} `maxTimeout` setting for `node-retry`.\n  Default = 60000 (60 seconds)\n* `userAgent` {String} User agent header to send. Default =\n  `\"node/{process.version}\"`\n* `log` {Object} The logger to use.  Defaults to `require(\"npmlog\")` if\n  that works, otherwise logs are disabled.\n* `defaultTag` {String} The default tag to use when publishing new packages.\n  Default = `\"latest\"`\n* `couchToken` {Object} A token for use with\n  [couch-login](https://npmjs.org/package/couch-login).\n* `sessionToken` {string} A random identifier for this set of client requests.\n  Default = 8 random hexadecimal bytes.\n",
   "readmeFilename": "README.md",
-  "gitHead": "33bd08aa65bb26ba1b956d2f119b5e952f4d3141",
+  "gitHead": "b22f38992087e57f263c269dcd52ff290565d401",
   "bugs": {
     "url": "https://github.com/isaacs/npm-registry-client/issues"
   },
   "homepage": "https://github.com/isaacs/npm-registry-client",
-  "_id": "npm-registry-client@4.0.5",
-  "_shasum": "27d37ca0c7bbd5df14f4ae35223a4d588dd4fea6",
-  "_from": "npm-registry-client@>=4.0.5 <4.1.0"
+  "_id": "npm-registry-client@5.0.0",
+  "_shasum": "0425db2fc3dcd322e74fe95029d2c49a41e4b6cf",
+  "_from": "npm-registry-client@>=5.0.0 <5.1.0"
 }
diff --git a/node_modules/npm-registry-client/test/lib/server.js b/node_modules/npm-registry-client/test/lib/server.js
index 37cfae041..775f7548c 100644
--- a/node_modules/npm-registry-client/test/lib/server.js
+++ b/node_modules/npm-registry-client/test/lib/server.js
@@ -27,7 +27,7 @@ function handler (req, res) {
   if (!k) throw Error('unexpected request: ' + req.method + ' ' + req.url)
 
   var fn = server._expect[k].shift()
-  if (!fn) throw Error('unexpected request' + req.method + ' ' + req.url)
+  if (!fn) throw Error('unexpected request: ' + req.method + ' ' + req.url)
 
 
   var remain = (Object.keys(server._expect).reduce(function (s, k) {
diff --git a/node_modules/npm-registry-client/test/request-gzip-content.js b/node_modules/npm-registry-client/test/request-gzip-content.js
index 4463de9a7..497a6b8c0 100644
--- a/node_modules/npm-registry-client/test/request-gzip-content.js
+++ b/node_modules/npm-registry-client/test/request-gzip-content.js
@@ -11,12 +11,12 @@ var client = common.freshClient({
   }
 })
 
-var TEST_URL = "http://localhost:1337/some-package-gzip/1.2.3"
+var TEST_URL = common.registry+"/some-package-gzip/1.2.3"
 
 var pkg = {
-  _id: "some-package-gzip@1.2.3",
-  name: "some-package-gzip",
-  version: "1.2.3"
+  _id : "some-package-gzip@1.2.3",
+  name : "some-package-gzip",
+  version : "1.2.3"
 }
 
 zlib.gzip(JSON.stringify(pkg), function (err, pkgGzip) {
@@ -32,21 +32,24 @@ zlib.gzip(JSON.stringify(pkg), function (err, pkgGzip) {
 
     client.get(TEST_URL, {}, function (er, data) {
       if (er) throw er
-      t.deepEqual(data, pkg)
+      t.deepEqual(data, pkg, "some-package-gzip version 1.2.3")
       t.end()
     })
   })
 
   tap.test("request wrong gzip package content", function (t) {
-    server.expect("GET", "/some-package-gzip-error/1.2.3", function (req, res) {
-      res.statusCode = 200
-      res.setHeader("Content-Encoding", "gzip")
-      res.setHeader("Content-Type", "application/json")
-      res.end(new Buffer("wrong gzip content"))
-    })
+    // will retry 3 times
+    for (var i = 0; i < 3; i++) {
+      server.expect("GET", "/some-package-gzip-error/1.2.3", function (req, res) {
+        res.statusCode = 200
+        res.setHeader("Content-Encoding", "gzip")
+        res.setHeader("Content-Type", "application/json")
+        res.end(new Buffer("wrong gzip content"))
+      })
+    }
 
     client.get(TEST_URL, {}, function (er) {
-      t.ok(er)
+      t.ok(er, "ungzip error")
       t.end()
     })
   })
diff --git a/node_modules/npm-registry-client/test/request.js b/node_modules/npm-registry-client/test/request.js
index 799a626ea..cdc4b75f5 100644
--- a/node_modules/npm-registry-client/test/request.js
+++ b/node_modules/npm-registry-client/test/request.js
@@ -81,7 +81,7 @@ test("request call contract", function (t) {
 })
 
 test("run request through its paces", function (t) {
-  t.plan(24)
+  t.plan(27)
 
   server.expect("/request-defaults", function (req, res) {
     t.equal(req.method, "GET", "uses GET by default")
@@ -94,6 +94,14 @@ test("run request through its paces", function (t) {
     }))
   })
 
+  server.expect("/last-modified", function (req, res) {
+    t.equal(req.headers["if-modified-since"], "test-last-modified",
+      "got test if-modified-since")
+
+    res.statusCode = 200
+    res.json({ fetched : "last-modified" })
+  })
+
   server.expect("/etag", function (req, res) {
     t.equal(req.headers["if-none-match"], "test-etag", "got test etag")
 
@@ -159,9 +167,20 @@ test("run request through its paces", function (t) {
   })
 
   var defaults = {}
-  client.request(common.registry+"/request-defaults", defaults, function (er, data) {
+  client.request(
+    common.registry+"/request-defaults",
+    defaults,
+    function (er, data, raw, response) {
+      t.ifError(er, "call worked")
+      t.deepEquals(data, { fetched : "defaults" }, "confirmed defaults work")
+      t.equal(response.headers.connection, "keep-alive", "keep-alive set")
+    }
+  )
+
+  var lastModified = { lastModified : "test-last-modified" }
+  client.request(common.registry+"/last-modified", lastModified, function (er, data) {
     t.ifError(er, "call worked")
-    t.deepEquals(data, { fetched : "defaults" }, "confirmed defaults work")
+    t.deepEquals(data, { fetched : "last-modified" }, "last-modified request sent")
   })
 
   var etagged = { etag : "test-etag" }
diff --git a/node_modules/npm-registry-client/test/star.js b/node_modules/npm-registry-client/test/star.js
index 1a8576f85..0d899ee50 100644
--- a/node_modules/npm-registry-client/test/star.js
+++ b/node_modules/npm-registry-client/test/star.js
@@ -1,9 +1,9 @@
 var test = require("tap").test
-
 var server = require("./lib/server.js")
 var common = require("./lib/common.js")
 var client = common.freshClient()
 var cache = require("./fixtures/underscore/cache.json")
+var nock = require("nock")
 
 function nop () {}
 
@@ -19,7 +19,7 @@ var AUTH     = {
 }
 var PARAMS  = {
   starred : STARRED,
-  auth    : AUTH
+  auth : AUTH
 }
 
 test("star call contract", function (t) {
@@ -58,22 +58,6 @@ test("star call contract", function (t) {
     "params must include auth"
   )
 
-  t.test("token auth disallowed in star", function (t) {
-    var params = {
-      auth : {
-        token : "lol"
-      }
-    }
-    client.star(URI, params, function (err) {
-      t.equal(
-        err && err.message,
-        "This operation is unsupported for token-based auth",
-        "star doesn't support token-based auth"
-      )
-      t.end()
-    })
-  })
-
   t.end()
 })
 
@@ -96,7 +80,7 @@ test("star a package", function (t) {
     req.on("end", function () {
       var updated = JSON.parse(b)
 
-      var already  = [
+      var already = [
         "vesln", "mvolkmann", "lancehunt", "mikl", "linus", "vasc", "bat",
         "dmalam", "mbrevoort", "danielr", "rsimoes", "thlorenz"
       ]
@@ -110,7 +94,7 @@ test("star a package", function (t) {
       t.ok(updated.users[USERNAME], "user is in the starred list")
 
       res.statusCode = 201
-      res.json({starred:true})
+      res.json({ starred : true })
     })
   })
 
@@ -118,10 +102,80 @@ test("star a package", function (t) {
     starred : STARRED,
     auth : AUTH
   }
-  client.star("http://localhost:1337/underscore", params, function (error, data) {
-    t.ifError(error, "no errors")
+
+  client.star("http://localhost:1337/underscore", params, function (er, data) {
+    t.ifError(er, "no errors")
     t.ok(data.starred, "was starred")
 
     t.end()
   })
 })
+
+test("if password auth, only sets authorization on put", function (t) {
+  var starGet = nock("http://localhost:1010")
+    .get("/underscore?write=true")
+    .reply(200, {})
+
+  var starPut = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Basic " + new Buffer(AUTH.username+":"+
+                                              AUTH.password).toString("base64")
+      }
+    })
+    .put("/underscore")
+    .reply(200)
+
+  var params = {
+    starred : STARRED,
+    auth : AUTH
+  }
+
+  client.star("http://localhost:1010/underscore", params, function (er) {
+    t.ifError(er, "starred without issues")
+    starGet.done()
+    starPut.done()
+    t.end()
+  })
+})
+
+test("if token auth, sets bearer on get and put", function (t) {
+  var starGet = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .get("/underscore?write=true")
+    .reply(200, {})
+
+  var getUser = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .get("/-/whoami")
+    .reply(200, {
+      username : "bcoe"
+    })
+
+  var starPut = nock("http://localhost:1010", {
+      reqheaders : {
+        authorization : "Bearer foo"
+      }
+    })
+    .put("/underscore")
+    .reply(200)
+
+  var params = {
+    starred : STARRED,
+    auth : {
+      token : "foo"
+    }
+  }
+  client.star("http://localhost:1010/underscore", params, function (er) {
+    t.ifError(er, "starred without error")
+    starGet.done()
+    starPut.done()
+    getUser.done()
+    t.end()
+  })
+})