fix(deps): update dependency npm to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
npm (source)	^3.10.9 -> ^6.14.6

GitHub Vulnerability Alerts

CVE-2019-16776

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.3 or later.

CVE-2019-16775

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on a user's system when the package is installed. It is only possible to affect files that the user running npm install has access to and it is not possible to over write files that already exist on disk.

This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.3 or later.

CVE-2019-16777

Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.

For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.4 or later.

CVE-2020-15095

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@&#8203;]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

CVE-2018-7408

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

---

Release Notes

npm/cli (npm)

v6.14.6

Compare Source

6.14.6 (2020-07-07)

BUG FIXES

• a9857b8f6 chore: remove auth info from logs (@​claudiahdz)
• b7ad77598 #​1416 fix: wrong npm doctor command result (@​vanishcode)

DEPENDENCIES

• 94eca6377 npm-registry-fetch@4.0.5 (@​claudiahdz)
• c49b6ae28 #​1418 spdx-license-ids@3.0.5 (@​kemitchell)

v6.14.5

Compare Source

6.14.5 (2020-05-04)

BUG FIXES

• 33ec41f18 #​758 fix: relativize file links when inflating shrinkwrap (@​jsnajdr)
• 94ed456df #​1162 fix: npm init help output (@​mum-never-proud)

DEPENDENCIES

• 5587ac01f npm-registry-fetch@4.0.4
  • fc5d94c39 fix: removed default timeout
• 07a4d8884 graceful-fs@4.2.4
• 8228d1f2e mkdirp@0.5.5
• e6d208317 nopt@4.0.3

v6.14.4

Compare Source

6.14.4 (2020-03-25)

DEPENDENCIES

• 136832dca mkdirp@0.5.4
• Bump minimist@1.2.5 transitive dep to resolve security issue
  • 9c554fd8c update-notifier@2.5.0
  • bump deep-extend@1.2.5
  • bump is-ci@1.2.1
  • bump is-retry-allowed@1.2.0
  • bump rc@1.2.8
  • bump registry-auth-token@3.4.0
  • bump widest-line@2.0.1
• 8bf99b2b5 #​1053 deps: updates term-size to use signed binary

v6.14.3

Compare Source

6.14.3 (2020-03-19)

DOCUMENTATION

• 4ad221487 #​1020 docs(teams): updated team docs to reflect MFA workflow (@​blkdm0n)
• 4a31a4ba2 #​1034 docs: cleanup (@​ruyadorno)
• 0eac801cd #​1013 docs: fix links to cli commands (@​alenros)
• 7d8e5b99c #​755 docs: correction to npm update -g behaviour (@​johnkennedy9147)

DEPENDENCIES

• e11167646 mkdirp@0.5.3
  • c5b97d17d fix: bump minimist dep to resolve security issue (@​isaacs)
• c50d679c6 rimraf@2.7.1
• a2de99ff9 npm-registry-mock@1.3.1
• 217debeb9 npm-registry-couchapp@2.7.4

v6.14.2

Compare Source

6.14.2 (2020-03-03)

DOCUMENTATION

• f9248c0be #​730 chore(docs): update unpublish docs & policy reference (@​nomadtechie, @​mikemimik)

DEPENDENCIES

• 909cc3918 hosted-git-info@2.8.8 (@​darcyclarke)
  • 5038b1891 fix: regression in old node versions w/ respect to url.URL implmentation
• 9204ffa58 npm-profile@4.0.4 (@​isaacs)
  • 6bcf0860a fix: treat non-http/https login urls as invalid
• 0365d39bd glob@7.1.6 (@​isaacs)
• dab030536 node-gyp@5.1.0 (@​rvagg)

v6.14.1

Compare Source

6.14.1 (2020-02-26)

• 303e5c11e hosted-git-info@2.8.7 Fixes a regression where scp-style git urls are passed to the WhatWG URL parser, which does not handle them properly. (@​isaacs)

v6.14.0

Compare Source

6.14.0 (2020-02-25)

FEATURES

• 30f170877 #​731 add support for multiple funding sources (@​ljharb & @​ruyadorno)

BUG FIXES

• 55916b130 #​508 fix: check npm.config before accessing its members (@​kaiyoma)
• 7d0cd65b2 #​733 fix: access grant with unscoped packages (@​netanelgilad)
• 28c3d40d6, 0769c5b20 #​945, #​697 fix: allow new major versions of node to be automatically considered "supported" (@​isaacs, @​ljharb)

DEPENDENCIES

• 6f39e93 hosted-git-info@2.8.6 (@​darcyclarke)
  • fix: passwords & usernames are escaped properly in git deps (@​stevenhilder)
• f14b594ee chownr@1.1.4 (@​isaacs)
• 77044150b npm-packlist@1.4.8 (@​isaacs)
• 1d112461a npm-registry-fetch@4.0.3 (@​isaacs)
  • ba8b4fe fix: always bypass cache when ?write=true
• a47fed760 readable-stream@3.6.0
  • 3bbf2d6 fix: babel's "loose mode" class transform enbrittles BufferList (@​ljharb)

DOCUMENTATION

• 284c1c055, fbb5f0e50 #​729 update lifecycle hooks docs
  (@​seanhealy, @​mikemimik)
• 1c272832d #​787 fix: trademarks typo (@​dnicolson)
• f6ff41776 #​936 fix: postinstall example (@​ajaymathur)
• 373224b16 #​939 fix: bad links in publish docs (@​vit100)

MISCELLANEOUS

• 85c79636d #​736 add script to update dist-tags (@​mikemimik)

v6.13.7

Compare Source

6.13.7 (2020-01-28)

BUG FIXES

• 7dbb91438 #​655 Update CI detection cases (@​isaacs)

DEPENDENCIES

• 0fb1296c7 libnpx@10.2.2 (@​mikemimik)
• c9b69d569 node-gyp@5.0.7 (@​mikemimik)
• e8dbaf452 bin-links@1.1.7 (@​mikemimik)
  • #​613 Fixes bin entry for package

v6.13.6

Compare Source

6.13.6 (2020-01-09)

DEPENDENCIES

• 6dba897a1 pacote@9.5.12:
  • d2f4176 fix(git): Do not drop uid/gid when executing in root-owned directory (@​isaacs)

v6.13.5

Compare Source

6.13.5 (2020-01-09)

BUG FIXES

• fd0a802ec #​550 Fix cache location for npm ci (@​zhenyavinogradov)
• 4b30f3cca #​648 fix(version): using 'allow-same-version', git commit --allow-empty and git tag -f (@​rhengles)

TESTING

• e16f68d30 test(ci): add failing cache config test (@​ruyadorno)
• 3f009fbf2 #​659 test: fix bin-overwriting test on Windows (@​isaacs)
• 43ae0791f #​601 ci: Allow builds to run even if one fails (@​XhmikosR)
• 4a669bee4 #​603 Remove the unused appveyor.yml (@​XhmikosR)
• 9295046ac #​600 ci: switch to actions/checkout@v2 (@​XhmikosR)

DOCUMENTATION

• f2d770ac7 #​569 fix netlify publish path config (@​claudiahdz)
• 462cf0983 #​627 update gatsby dependencies (@​felixonmars)
• 6fb5dbb72 #​532 docs: clarify usage of global prefix (@​jgehrcke)

v6.13.4

Compare Source

6.13.4 (2019-12-11)

BUGFIXES

• 320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@​isaacs)

DEPENDENCIES

• 52fd21061 gentle-fs@2.3.0 (@​isaacs)
• d06f5c0b0 bin-links@1.1.6 (@​isaacs)

v6.13.3

Compare Source

6.13.3 (2019-12-09)

DEPENDENCIES

• 19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
• 59c836aae npm-packlist@1.4.7
• fb4ecd7d2 pacote@9.5.11
  • 5f33040 #​476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @​darcyclarke)
  • 6f229f7 sanitize and normalize package bin field (isaacs)
• 1743cb339 read-package-json@2.1.1

v6.13.2

Compare Source

6.13.2 (2019-12-03)

BUG FIXES

• 4429645b3 #​546 fix docs target typo (@​richardlau)
• 867642942 #​142 fix(packageRelativePath): fix 'where' for file deps (@​larsgw)
• d480f2c17 #​527 Revert "windows: Add preliminary WSL support for npm and npx" (@​craigloewen-msft)
• e4b97962e #​504 remove unnecessary package.json read when reading shrinkwrap (@​Lighting-Jack)
• 1c65d26ac #​501 fix(fund): open url for string shorthand (@​ruyadorno)
• ae7afe565 #​263 Don't log error message if git tagging is disabled (@​woppa684)
• 4c1b16f6a #​182 Warn the user that it is uninstalling npm-install (@​Hoidberg)

v6.13.1

Compare Source

6.13.1 (2019-11-18)

BUG FIXES

• 938d6124d #​472 fix(fund): support funding string shorthand (@​ruyadorno)
• b49c5535b #​471 should not publish tap-snapshot folder (@​ruyadorno)
• 3471d5200 #​253 Add preliminary WSL support for npm and npx (@​infinnie)
• 3ef295f23 #​486 print quick audit report for human output (@​isaacs)

TESTING

• dbbf977ac #​278 added workflow to trigger and run benchmarks (@​mikemimik)
• b4f5e3825 #​457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@​nomadtechie)
• 454c7dd60 #​456 fix git configs for git 2.23 and above (@​isaacs)

DOCUMENTATION

• b8c1576a4 30b013ae8 26c1b2ef6 9f943a765 c0346b158 8e09d5ad6 4a2f551ee 87d67258c 5c3b32722 b150eaeff 7555a743c b89423e2f #​463 #​285 #​268 #​232 #​485 #​453 docs cleanup: typos, styling and content (@​claudiahdz) (@​XhmikosR) (@​mugli) (@​brettz9) (@​mkotsollaris)

DEPENDENCIES

• 661d86cd2 make-fetch-happen@5.0.2 (@​claudiahdz)

v6.13.0

Compare Source

6.13.0 (2019-11-05)

NEW FEATURES

• 4414b06d9 #​273 add fund command (@​ruyadorno)

DOCUMENTATION

• ae4c74d04 #​274 migrate existing docs to gatsby (@​claudiahdz)
• 4ff1bb180 #​277 updated documentation copy (@​oletizi)

BUG FIXES

• e4455409f #​281 delete ps1 files on package removal (@​NoDocCat)
• cd14d4701 #​279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@​ljharb)

DEPENDENCIES

• a37296b20 pacote@9.5.9
• d3cb3abe8 read-cmd-shim@1.0.5

TESTING

• 688cd97be #​272 use github actions for CI (@​JasonEtco)
• 9a2d8af84 #​240 Clean up some flakiness and inconsistency (@​isaacs)

v6.12.1

Compare Source

6.12.1 (2019-10-29)

BUG FIXES

• 6508e833d #​269 add node v13 as a supported version (@​ljharb)
• b6588a8f7 #​265 Fix regression in lockfile repair for sub-deps (@​feelepxyz)
• d5dfe57a1 #​266 resolve circular dependency in pack.js (@​addaleax)

DEPENDENCIES

• 73678bb59 chownr@1.1.3
• 4b76926e2 graceful-fs@4.2.3
• c691f36a9 libcipm@4.0.7
• 5e1a14975 npm-packlist@1.4.6
• c194482d6 npm-registry-fetch@4.0.2
• bc6a8e0ec tar@4.4.1
• 4dcca3cbb uuid@3.3.3

v6.12.0

Compare Source

6.12.0 (2019-10-08):

Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.

BUG FIXES

• 890b245dc #​252 ci: add dirPacker to options (@​claudiahdz)
• f3299acd0 #​257 npm.community#4792 warn message on engine mismatch (@​ruyadorno)
• bbc92fb8f #​259 npm.community#10288 Fix figgyPudding error in npm token (@​benblank)
• 70f54dcb5 #​241 doctor: Make OK more consistent (@​gemal)

FEATURES

• ed993a29c #​249 Add CI environment variables to user-agent (@​isaacs)
• f6b0459a4 #​248 Add option to save package-lock without formatting Adds a new config --format-package-lock, which defaults to true. (@​bl00mber)

DEPENDENCIES

• 0ca063c5d npm-lifecycle@3.1.4:
  • fix: filter functions and undefined out of makeEnv (@​isaacs)
• 5df6b0ea2 libcipm@4.0.4:
  • fix: pack git directories properly (@​claudiahdz)
  • respect no-optional argument (@​cruzdanilo)
• 7e04f728c tar@4.4.12
• 5c380e5a3 stringify-package@1.0.1 (@​isaacs)
• 62f2ca692 node-gyp@5.0.5 (@​isaacs)
• 0ff0ea47a npm-install-checks@3.0.2 (@​isaacs)
• f46edae94 hosted-git-info@2.8.5 (@​isaacs)

TESTING

• 44a2b036b #​262 fix root-ownership race conditions in meta-test (@​isaacs)

v6.11.3

Compare Source

6.11.3 (2019-09-03):

Fix npm ci regressions and npm outdated depth.

BUG FIXES

• 235ed1d28#​239 Don't override user specified depth in outdated. Restores ability to update packages using --depth as suggested by npm audit. (@​G-Rath)
• 1fafb5151#​242 npm.community#9586 Revert "install: do not descend into directory deps' child modules" (@​isaacs)
• cebf542e6#​243 npm.community#9720 ci: pass appropriate configs for file/dir modes (@​isaacs)

DEPENDENCIES

• e5fbb7ed1 read-cmd-shim@1.0.4 (@​claudiahdz)
• 23ce65616 npm-pick-manifest@3.0.2 (@​claudiahdz)

v6.11.2

Compare Source

6.11.2 (2019-08-22):

Fix a recent Windows regression, and two long-standing Windows bugs. Also, get CI running on Windows, so these things are less likely in the future.

DEPENDENCIES

• 9778a1b87 cmd-shim@3.0.3: Fix regression where shims fail to preserve exit code (@​isaacs)
• bf93e91d8 npm-package-arg@6.1.1: Properly handle git+file: urls on Windows when a drive letter is included. (@​isaacs)

BUGFIXES

• 6cc4cc66f escape args properly on Windows Bash Despite being bash, Node.js running on windows git mingw bash still executes child processes using cmd.exe. As a result, arguments in this environment need to be escaped in the style of cmd.exe, not bash. (@​isaacs)

TESTS

• 291aba7b8 make tests pass on Windows (@​isaacs)
• fea3a023a travis: run tests on Windows as well (@​isaacs)

v6.11.1

Compare Source

6.11.1 (2019-08-20):

Fix a regression for windows command shim syntax.

• 37db29647 cmd-shim@3.0.2 (@​isaacs)

v6.11.0

Compare Source

v6.11.0 (2019-08-20):

A few meaty bugfixes, and introducing peerDependenciesMeta.

FEATURES

• a12341088 #​224 Implements peerDependenciesMeta (@​arcanis)
• 2f3b79bba #​234 add new forbidden 403 error code (@​claudiahdz)

BUGFIXES

• 24acc9fc8 and 45772af0d #​217 npm.community#8863 npm.community#9327 do not descend into directory deps' child modules, fix shrinkwrap files that inappropriately list child nodes of symlink packages (@​isaacs and @​salomvary)
• 50cfe113d #​229 fixed typo in semver doc (@​gall0ws)
• e8fb2a1bd #​231 Fix spelling mistakes in CHANGELOG-3.md (@​XhmikosR)
• 769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs. This addresses the issue when people fail to install binary packages on Docker and other environments where there is no 'nobody' user. (@​isaacs)
• 8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658 npm.community#6069 npm.community#9323 Fix the regression where random config values in a .npmrc file are not passed to lifecycle scripts, breaking build processes which rely on them. (@​isaacs)
• 8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID and SUDO_GID. (@​isaacs)
• b7f6e5f02 Infer ownership of shrinkwrap files (@​isaacs)
• 54b095d77 #​235 Add spec to dist-tag remove function (@​theberbie)

DEPENDENCIES

• dc8f9e52f pacote@9.5.7: Infer the ownership of all unpacked files in node_modules, so that we never have user-owned files in root-owned folders, or root-owned files in user-owned folders. (@​isaacs)
• bb33940c3 cmd-shim@3.0.0:
  • 9c93ac3 #​2 npm#3380 Handle environment variables properly (@​basbossink)
  • 2d277f8 #​25 #​36 #​35 Fix 'no shebang' case by always providing $basedir in shell script (@​igorklopov)
  • adaf20b #​26 Fix $* causing an error when arguments contain parentheses (@​satazor)
  • 49f0c13 #​30 Fix paths for MSYS/MINGW bash (@​dscho)
  • 51a8af3 #​34 Add proper support for PowerShell (@​ExE-Boss)
  • 4c37e04 #​10 Work around quoted batch file names (@​isaacs)
• a4e279544 npm-lifecycle@3.1.3 (@​isaacs):
  • fail properly if uid-number raises an error
• 7086a1809 libcipm@4.0.3 (@​isaacs)
• 8845141f9 read-package-json@2.1.0 (@​isaacs)
• 51c028215 bin-links@1.1.3 (@​isaacs)
• 534a5548c read-cmd-shim@1.0.3 (@​isaacs)
• 3038f2fd5 gentle-fs@2.2.1 (@​isaacs)
• a609a1648 graceful-fs@4.2.2 (@​isaacs)
• f0346f754 cacache@12.0.3 (@​isaacs)
• ca9c615c8 npm-pick-manifest@3.0.0 (@​isaacs)
• b417affbf pacote@9.5.8 (@​isaacs)

TESTS

• b6df0913c #​228 Proper handing of /usr/bin/node lifecycle-path test (@​olivr70)
• aaf98e88c npm-registry-mock@1.3.0 (@​isaacs)

v6.10.3

Compare Source

v6.10.3 (2019-08-06):

BUGFIXES

• 27cccfbda #​223 vulns → vulnerabilities in npm audit output (@​sapegin)
• d5e865eb7 #​222 #​226 install, doctor: don't crash if registry unset (@​dmitrydvorkin, @​isaacs)
• 5b3890226 #​227 npm.community#9167 Handle unhandledRejections, tell user what to do when encountering an EACCES error in the cache. (@​isaacs)

DEPENDENCIES

• 77516df6e licensee@7.0.3 (@​isaacs)
• ceb993590 query-string@6.8.2 (@​isaacs)
• 4050b9189 hosted-git-info@2.8.2
  • #​46 #​43 #​47 #​44 Add support for GitLab subgroups (@​mterrel, @​isaacs, @​ybiquitous)
  • 3b1d629 #​48 fix http protocol using sshurl by default (@​fengmk2)
  • 5d4a8d7 ignore noCommittish on tarball url generation (@​isaacs)
  • 1692435 use gist tarball url that works for anonymous gists (@​isaacs)
  • d5cf830 Do not allow invalid gist urls (@​isaacs)
  • e518222 Use LRU cache to prevent unbounded memory consumption (@​iarna)

v6.10.2

Compare Source

v6.10.2 (2019-07-23):

tl;dr - Fixes several issues with the cache when npm is run as sudo on Unix systems.

TESTING

• 2a78b96f8 check test cache for root-owned files (@​isaacs)
• 108646ebc run sudo tests on Travis-CI (@​isaacs)
• cf984e946 set --no-esm tap flag (@​isaacs)
• 8e0a3100d add script to run tests and leave fixtures for inspection and debugging (@​isaacs)

BUGFIXES

• 25f4f73f6 add a util for writing arbitrary files to cache This prevents metrics timing and debug logs from becoming root-owned. (@​isaacs)
• 2c61ce65d infer cache owner from parent dir in correct-mkdir util (@​isaacs)
• 235e5d6df ensure correct owner on cached all-packages metadata (@​isaacs)
• e2d377bb6 npm.community#8540 audit: report server error on failure (@​isaacs)
• 52576a39e #​216 npm.community#5385 npm.community#6076 Fix npm ci with file: dependencies. Partially reverts #​40/#​86, recording dependencies of linked deps in order for npm ci to work. (@​jfirebaugh)

DEPENDENCIES

• 0fefdee13 cacache@12.0.2 (@​isaacs)
  • infer uid/gid instead of accepting as options, preventing the overwhelming majority of cases where root-owned files end up in the cache folder. (ac84d14) (@​isaacs) (#​1)
  • i18n: add another error message (676cb32) (@​zkat)
• e1d87a392 pacote@9.5.4 (@​isaacs)
  • git: ensure stream failures are reported (7f07b5d) #​1 (@​lddubeau)
• 3f035bf09 infer-owner@1.0.4 (@​isaacs)
• ba3283112 npm-registry-fetch@4.0.0 (@​isaacs)
• ee90c334d libnpm@3.0.1 (@​isaacs)
• 1e480c384 libnpmaccess@3.0.2 (@​isaacs)
• 7662ee850 libnpmhook@5.0.3 (@​isaacs)
• 1357fadc6 libnpmorg@1.0.1 (@​isaacs)
• a621b5cb6 libnpmsearch@2.0.2 (@​isaacs)
• 560cd31dd libnpmteam@1.0.2 (@​isaacs)
• de7ae0867 npm-profile@4.0.2 (@​isaacs)
• e95da463c libnpm@3.0.1 (@​isaacs)
• 554b641d4 npm-registry-fetch@4.0.0 (@​isaacs)
• 06772f34a node-gyp@5.0.3 (@​isaacs)
• 85358db80 npm-lifecycle@3.1.2 (@​isaacs)
  • 051cf20 #​26 fix switches for alternative shells on Windows (@​gucong3000)
  • 3aaf954 #​25 set only one PATH env variable for child process on Windows (@​zkochan)
  • ea18ed2 #​36 #​11 #​18 remove procInterrupt listener on SIGINT in procError (@​mattshin)
  • 5523951 #​29 #​30 Use platform specific path casing if present (@​mattezell)

v6.10.1

Compare Source

BUGFIXES

• 3cbd57712 fix(git): strip GIT environs when running git (@​isaacs)
• a81a8c4c4 #​206 improve isOnly(Dev,Optional) (@​larsgw)
• 172f9aca6 #​179 fix-xmas-underline (@​raywu0123)
• f52673fc7 #​212 build: use /usr/bin/env to load bash (@​rsmarples)

DEPENDENCIES

• ef4445ad3 #​208 node-gyp@5.0.2 (@​irega)
• c0d611356 npm-lifecycle@3.0.0 (@​isaacs)
• 7716ba972 libcipm@4.0.0 (@​isaacs)
• 42d22e837 libnpm@3.0.0 (@​isaacs)
• a2ea7f9ff semver@5.7.0 (@​isaacs)
• 429226a5e lru-cache@5.1.1 ([@&#8203

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.