deps: upgrade npm to 12.0.0-pre.1

deps/npm/docs/content/commands/npm-approve-scripts.md

@@ -21,9 +21,10 @@ records which of your dependencies are permitted to run install scripts
 (`preinstall`, `install`, `postinstall`, and `prepare` for non-registry
 sources). This command is the recommended way to maintain that field.
 
-In the current release, this field is advisory: install scripts still run
-by default, but installs print a list of packages whose scripts have not
-been reviewed. A future release will block unreviewed install scripts.
+Dependency install scripts are blocked by default. Install commands
+silently skip lifecycle scripts for any dependency that does not have a
+matching entry in `allowScripts`, and end with a list of the packages
+whose scripts were skipped so you can review them with this command.
 
 This command only works inside a project that has a `package.json`. Running
 it with `--global` (`-g`) fails with an `EGLOBAL` error, since global

deps/npm/docs/content/commands/npm-audit.md

@@ -27,7 +27,7 @@ This option does not filter the report output, it simply changes the command's f
 
 ### Package lock
 
-By default npm requires a package-lock or shrinkwrap in order to run the audit.
+By default npm requires a package-lock in order to run the audit.
 You can bypass the package lock with `--no-package-lock` but be aware the results may be different with every run, since npm will re-build the dependency tree each time.
 
 ### Audit Signatures
@@ -313,8 +313,7 @@ will also prevent _writing_ `package-lock.json` if `save` is true.
 Dependency types to omit from the installation tree on disk.
 
 Note that these dependencies _are_ still resolved and added to the
-`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
-physically installed on disk.
+`package-lock.json` file. They are just not physically installed on disk.
 
 If a package type appears in both the `--include` and `--omit` lists, then
 it will be included.

deps/npm/docs/content/commands/npm-ci.md

@@ -18,13 +18,12 @@ This command is similar to [`npm install`](/commands/npm-install), except it's m
 
 The main differences between using `npm install` and `npm ci` are:
 
-* The project **must** have an existing `package-lock.json` or
-  `npm-shrinkwrap.json`.
+* The project **must** have an existing `package-lock.json`.
 * If dependencies in the package lock do not match those in `package.json`,
   `npm ci` will exit with an error, instead of updating the package lock.
 * `npm ci` can only install entire projects at a time: individual dependencies cannot be added with this command.
 * If a `node_modules` is already present, it will be automatically removed before `npm ci` begins its install.
-* It will never write to `package.json` or any of the package-locks:
+* It will never write to `package.json` or `package-lock.json`:
   installs are essentially frozen.
 
 NOTE: If you create your `package-lock.json` file by running `npm install` with flags that can affect the shape of your dependency tree, such as
@@ -114,8 +113,7 @@ on deeper dependencies. Sets `--install-strategy=shallow`.
 Dependency types to omit from the installation tree on disk.
 
 Note that these dependencies _are_ still resolved and added to the
-`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
-physically installed on disk.
+`package-lock.json` file. They are just not physically installed on disk.
 
 If a package type appears in both the `--include` and `--omit` lists, then
 it will be included.
@@ -227,7 +225,7 @@ dependencies to be used for other commands like `npm view`
 
 #### `allow-git`
 
-* Default: "all"
+* Default: "none"
 * Type: "all", "none", or "root"
 
 Limits the ability for npm to fetch dependencies from git references. That
@@ -236,6 +234,11 @@ range. Please note that this could leave your tree incomplete and some
 packages may not function as intended or designed. Changing this setting
 will not remove dependencies that are already installed.
 
+As of npm 12 the default is `none`. Git dependencies run `git` against a
+remote repo and may install configuration the project does not control. Opt
+in explicitly per project (in `.npmrc`) or per command (on the CLI) when you
+need git deps.
+
 `all` allows any git dependencies to be fetched and installed. `none`
 prevents any git dependencies from being fetched and installed. `root` only
 allows git dependencies defined in your project's package.json to be fetched
@@ -246,7 +249,7 @@ like `npm view`
 
 #### `allow-remote`
 
-* Default: "all"
+* Default: "none"
 * Type: "all", "none", or "root"
 
 Limits the ability for npm to fetch dependencies from urls. That is,
@@ -255,6 +258,13 @@ range. Please note that this could leave your tree incomplete and some
 packages may not function as intended or designed. Changing this setting
 will not remove dependencies that are already installed.
 
+As of npm 12 the default is `none`. Tarballs that share a hostname with the
+configured registry (the typical case for the npm registry, GitHub Packages,
+and most private registries) are still installed normally. If your registry
+serves tarballs from a different host, set `replace-registry-host` or
+override this setting. Opt in explicitly per project (in `.npmrc`) or per
+command (on the CLI) when you intentionally install from a URL.
+
 `all` allows any url to be installed. `none` prevents any url from being
 installed. `root` only allows urls defined in your project's package.json to
 be installed. Also allows url dependencies to be used for other commands
@@ -290,11 +300,12 @@ the package's self-reported name. `--ignore-scripts` and
 * Type: Boolean
 
 If `true`, turn the install-script policy from a warning into a hard error:
-any dependency with install scripts not covered by `allowScripts` will fail
-the install instead of running with a notice.
+any dependency with install scripts that is not covered by `allowScripts`
+will fail the install instead of being blocked with a warning.
 
 Dependencies explicitly denied with `false` in `allowScripts` are always
-silently skipped; this setting only affects unreviewed entries.
+silently skipped; this setting only affects unreviewed entries (packages
+with install scripts that are neither approved nor denied).
 `--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
 setting.
 

deps/npm/docs/content/commands/npm-dedupe.md

@@ -145,8 +145,7 @@ will also prevent _writing_ `package-lock.json` if `save` is true.
 Dependency types to omit from the installation tree on disk.
 
 Note that these dependencies _are_ still resolved and added to the
-`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
-physically installed on disk.
+`package-lock.json` file. They are just not physically installed on disk.
 
 If a package type appears in both the `--include` and `--omit` lists, then
 it will be included.
@@ -222,7 +221,7 @@ dependencies to be used for other commands like `npm view`
 
 #### `allow-git`
 
-* Default: "all"
+* Default: "none"
 * Type: "all", "none", or "root"
 
 Limits the ability for npm to fetch dependencies from git references. That
@@ -231,6 +230,11 @@ range. Please note that this could leave your tree incomplete and some
 packages may not function as intended or designed. Changing this setting
 will not remove dependencies that are already installed.
 
+As of npm 12 the default is `none`. Git dependencies run `git` against a
+remote repo and may install configuration the project does not control. Opt
+in explicitly per project (in `.npmrc`) or per command (on the CLI) when you
+need git deps.
+
 `all` allows any git dependencies to be fetched and installed. `none`
 prevents any git dependencies from being fetched and installed. `root` only
 allows git dependencies defined in your project's package.json to be fetched
@@ -241,7 +245,7 @@ like `npm view`
 
 #### `allow-remote`
 
-* Default: "all"
+* Default: "none"
 * Type: "all", "none", or "root"
 
 Limits the ability for npm to fetch dependencies from urls. That is,
@@ -250,6 +254,13 @@ range. Please note that this could leave your tree incomplete and some
 packages may not function as intended or designed. Changing this setting
 will not remove dependencies that are already installed.
 
+As of npm 12 the default is `none`. Tarballs that share a hostname with the
+configured registry (the typical case for the npm registry, GitHub Packages,
+and most private registries) are still installed normally. If your registry
+serves tarballs from a different host, set `replace-registry-host` or
+override this setting. Opt in explicitly per project (in `.npmrc`) or per
+command (on the CLI) when you intentionally install from a URL.
+
 `all` allows any url to be installed. `none` prevents any url from being
 installed. `root` only allows urls defined in your project's package.json to
 be installed. Also allows url dependencies to be used for other commands

deps/npm/docs/content/commands/npm-deny-scripts.md

@@ -20,10 +20,10 @@ Writes `false` entries into the `allowScripts` field of your project's
 `package.json`, recording that a dependency must not run install scripts
 even if a future version would otherwise be eligible.
 
-In the current release, install scripts still run by default, so `deny-scripts`
-only affects how installs of denied packages are reported. A future release
-will block unreviewed install scripts and respect deny entries at install
-time.
+Dependency install scripts are blocked by default. Adding a `false`
+entry with `deny-scripts` makes the denial explicit (so it survives
+`npm approve-scripts --all`) and excludes the package from any future
+`--allow-scripts-pending` review prompts.
 
 ```bash
 npm deny-scripts <pkg> [<pkg> ...]

deps/npm/docs/content/commands/npm-deprecate.md

@@ -32,7 +32,7 @@ npm deprecate my-thing@1.x "1.x is no longer supported"
 In this case, a version `my-thing@1.0.0-beta.0` will also be deprecated.
 
 You must be the package owner to deprecate something.
-See the `owner` and `adduser` help topics.
+See the `owner` and `login` help topics.
 
 To un-deprecate a package, specify an empty string (`""`) for the `message` argument.
 Note that you must use double quotes with no space between them to format an empty string.
@@ -82,4 +82,4 @@ Note: This is NOT honored by other network related commands, eg `dist-tags`,
 * [npm publish](/commands/npm-publish)
 * [npm registry](/using-npm/registry)
 * [npm owner](/commands/npm-owner)
-* [npm adduser](/commands/npm-adduser)
+* [npm login](/commands/npm-login)

deps/npm/docs/content/commands/npm-exec.md

@@ -186,11 +186,12 @@ the package's self-reported name. `--ignore-scripts` and
 * Type: Boolean
 
 If `true`, turn the install-script policy from a warning into a hard error:
-any dependency with install scripts not covered by `allowScripts` will fail
-the install instead of running with a notice.
+any dependency with install scripts that is not covered by `allowScripts`
+will fail the install instead of being blocked with a warning.
 
 Dependencies explicitly denied with `false` in `allowScripts` are always
-silently skipped; this setting only affects unreviewed entries.
+silently skipped; this setting only affects unreviewed entries (packages
+with install scripts that are neither approved nor denied).
 `--ignore-scripts` and `--dangerously-allow-all-scripts` both override this
 setting.
 

deps/npm/docs/content/commands/npm-find-dupes.md

@@ -96,8 +96,7 @@ will also prevent _writing_ `package-lock.json` if `save` is true.
 Dependency types to omit from the installation tree on disk.
 
 Note that these dependencies _are_ still resolved and added to the
-`package-lock.json` or `npm-shrinkwrap.json` file. They are just not
-physically installed on disk.
+`package-lock.json` file. They are just not physically installed on disk.
 
 If a package type appears in both the `--include` and `--omit` lists, then
 it will be included.

deps/npm/docs/content/commands/npm-init.md

@@ -157,10 +157,11 @@ homepage.
 
 #### `init-license`
 
-* Default: "ISC"
+* Default: ""
 * Type: String
 
-The value `npm init` should use by default for the package license.
+The value `npm init` should use by default for the package license. If not
+set, the license field will be omitted from new packages.