Fix#5658
Note that this doesn't actually *ignore* the files specified by the
.gitignore and/or .npmignore files. That would likely require removing
them after the fact, as well as all the same logic that exists in
fstream-npm, since tar does not give us a directory listing, and
tarballs may have their files in any random order.
In addition to starting with the string `package/`, they may also start
with a `pax_global_header`, and this is almost certainly an indication
that we are dealing with a tar file. For example, git adds a global
header with the commit sha when producing archive files.
The primary purpose is so that everything doing network requests
includes auth, if so required. Sends bearer token by default, will send
HTTP Basic auth with `always-auth` set in the config.
Checks to ensure that it's only reoving files managed by npm, and
uses fs-vacuum to ensure that empty directories are cleand up as it
goes. Maybe slightly overdone.
It causes all npm commands to no longer run package.json scripts. Most notably,
`npm install --ignore-scripts` will not run preinstall and prepublish scripts.
This way, if an `npm test` script (or any other lifecycle process) ends
up exiting because of a signal like a SIGSEGV, then npm will exit the same
way (since the `code` will be null when a signal is present), and not
obscure the signal the occurred.
For example, given this `package.json` file:
``` json
{
"name": "sigsegv",
"version": "0.0.0",
"scripts": {
"test": "node -e 'process.kill(process.pid, \"SIGSEGV\")'"
}
}
```
Before this patch, npm would obscure the seg fault exit status:
```
$ npm test
> sigsegv@0.0.0 test /Users/nrajlich/t
> node -e 'process.kill(process.pid, "SIGSEGV")'
$ echo $?
0
```
After this patch, the proper signal is relayed to npm, and thus the shell:
```
$ node ../npm/bin/npm-cli.js test
> sigsegv@0.0.0 test /Users/nrajlich/t
> node -e 'process.kill(process.pid, "SIGSEGV")'
Segmentation fault: 11
$ echo $?
139
```
If a project specifies git urls for dependencies these are shown
in parentheses after the name@version to make it easier for
users to recognize potential forks of a project.
Fixes#3570
