diff --git a/.github/label-pr-config.yml b/.github/label-pr-config.yml index 4ff8bee4c56d64..8b36066473f415 100644 --- a/.github/label-pr-config.yml +++ b/.github/label-pr-config.yml @@ -104,6 +104,7 @@ subSystemLabels: /^lib\/internal\/url\.js$/: whatwg-url /^lib\/internal\/modules\/esm/: esm /^lib\/internal\/modules/: module + /^lib\/internal\/source_map/: source maps /^lib\/internal\/webstreams/: web streams /^lib\/internal\/test_runner/: test_runner /^lib\/internal\/v8\//: v8 module @@ -128,6 +129,8 @@ exlusiveLabels: /^test\/report\//: test, report /^test\/fixtures\/es-module/: test, esm /^test\/es-module\//: test, esm + /^test\/fixtures\/source-map/: test, source maps + /^test\/fixtures\/test-426/: test, source maps /^test\/fixtures\/wpt\/streams\//: test, web streams /^test\/fixtures\/typescript/: test, strip-types /^test\/module-hooks\//: test, module, loaders @@ -214,6 +217,7 @@ allJsSubSystems: - url - util - v8 + - vfs - vm - wasi - worker diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5ff9daaa630d2a..01d7f37e38149e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,7 @@ permissions: jobs: analyze: + if: github.repository == 'nodejs/node' name: Analyze runs-on: ubuntu-slim permissions: diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml index 8f652a91782aea..75ace50d2a071f 100644 --- a/.github/workflows/commit-lint.yml +++ b/.github/workflows/commit-lint.yml @@ -4,7 +4,6 @@ on: pull_request: branches: - main - - v[0-9]+.x-staging env: NODE_VERSION: lts/* diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml index 80e7f8294d693f..0b82dd2aac04c7 100644 --- a/.github/workflows/daily.yml +++ b/.github/workflows/daily.yml @@ -13,6 +13,7 @@ permissions: jobs: build-lto: + if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b25d5f32ce785e..fbd12b76548854 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -20,6 +20,7 @@ permissions: read-all jobs: analysis: + if: github.repository == 'nodejs/node' || github.event_name == 'workflow_dispatch' name: Scorecard analysis # cannot use ubuntu-slim here because ossf/scorecard-action is dockerized # cannot use ubuntu-24.04-arm here because the docker image is x86 only diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml index a3265c46edccd4..6c01dc978d9380 100644 --- a/.github/workflows/test-internet.yml +++ b/.github/workflows/test-internet.yml @@ -43,7 +43,7 @@ permissions: jobs: test-internet: - if: github.event_name == 'schedule' && github.repository == 'nodejs/node' || github.event.pull_request.draft == false + if: (github.event_name == 'schedule' && github.repository == 'nodejs/node') || (github.event.pull_request && github.event.pull_request.draft == false) runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 638a0fc2142118..59c9d4bcd466e7 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -311,7 +311,7 @@ jobs: # no-op if the base branch is already up-to-date. with: token: ${{ secrets.GH_USER_TOKEN }} - branch: actions/tools-update-${{ matrix.id }} # Custom branch *just* for this Action. + branch: actions/${{ github.ref_name == 'main' || format('{0}/', github.ref_name) }}tools-update-${{ matrix.id }} # Custom branch *just* for this Action. delete-branch: true commit-message: ${{ env.COMMIT_MSG }} labels: ${{ matrix.label }} diff --git a/.gitignore b/.gitignore index 221e4f4062486a..74eb99c8158cd1 100644 --- a/.gitignore +++ b/.gitignore @@ -31,6 +31,7 @@ /tags /tags.* /doc/api.xml +/docs/ /node /node_g /gon-config.json @@ -158,6 +159,10 @@ cmake_install.cmake install_manifest.txt *.cbp +# === Rules for AI assistants === +CLAUDE.md +AGENTS.md + # === Global Rules === # Keep last to avoid being excluded *.pyc diff --git a/.mailmap b/.mailmap index 0422fba4472601..0860e8e0147889 100644 --- a/.mailmap +++ b/.mailmap @@ -350,7 +350,7 @@ Mathias Buus Mathias Pettersson Matt Lang Matt Reed -Matteo Collina +Matteo Collina Matthew Lye Matthew Turner Matthias Bastian diff --git a/BUILDING.md b/BUILDING.md index 23d047563a64a7..b54a167b0f8940 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -97,7 +97,7 @@ and libc version. The table below lists the support tier for each supported combination. A list of [supported compile toolchains](#supported-toolchains) is also supplied for tier 1 platforms. -**For production applications, run Node.js on supported platforms only.** +**For production applications, run Node.js on supported platforms only (Tier 1 or 2).** Node.js does not support a platform version if a vendor has expired support for it. In other words, Node.js does not support running on End-of-Life (EoL) @@ -214,12 +214,11 @@ If compiling without one of the above, use `configure` with the ### Previous versions of this document Supported platforms and toolchains change with each major version of Node.js. -This document is only valid for the current major version of Node.js. -Consult previous versions of this document for older versions of Node.js: +This document is only valid for the current version of Node.js, and is expected +to be valid for the entire lifetime of this release line. -* [Node.js 24](https://github.com/nodejs/node/blob/v24.x/BUILDING.md) -* [Node.js 22](https://github.com/nodejs/node/blob/v22.x/BUILDING.md) -* [Node.js 20](https://github.com/nodejs/node/blob/v20.x/BUILDING.md) +To consult the version of this document for another version, download its source +tarball and/or browse the git repository checked out at the relevant tag. ## Building Node.js on supported platforms @@ -666,7 +665,7 @@ Refs: To install it, select the following two optional components: * C++ Clang Compiler for Windows (Microsoft.VisualStudio.Component.VC.Llvm.Clang) * MSBuild support for LLVM (clang-cl) toolset (Microsoft.VisualStudio.Component.VC.Llvm.ClangToolset) -* As an alternative to Visual Studio 2026, download Visual Studio 2022 Current channel Version 17.4 from the +* As an alternative to Visual Studio 2026, download Visual Studio 2022 Current channel Version 17.14 from the [Evergreen bootstrappers](https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-history#evergreen-bootstrappers) table and install using the same workload and optional component selection as described above. * Basic Unix tools required for some tests, diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fc24eabe63c9d..ecac7dab539028 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,7 +40,8 @@ release. -24.17.0
+24.18.0
+24.17.0
24.16.0
24.15.0
24.14.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 54296234a304d8..e22f23543e5ccc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -46,6 +46,7 @@ dependencies, and tools contained in the `nodejs/node` repository. * [Setting up your local environment](./doc/contributing/pull-requests.md#setting-up-your-local-environment) * [The Process of Making Changes](./doc/contributing/pull-requests.md#the-process-of-making-changes) * [Reviewing Pull Requests](./doc/contributing/pull-requests.md#reviewing-pull-requests) +* [Large Pull Requests](./doc/contributing/large-pull-requests.md) * [Notes](./doc/contributing/pull-requests.md#notes) ## Automation and bots diff --git a/LICENSE b/LICENSE index 403ea3c5717087..2842efa1288eef 100644 --- a/LICENSE +++ b/LICENSE @@ -996,208 +996,208 @@ The externally maintained libraries used by Node.js are: - LIEF, located at deps/LIEF, is licensed as follows: """ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2017 - 2025 R. Thomas - Copyright 2017 - 2025 Quarkslab - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2017 - 2025 R. Thomas + Copyright 2017 - 2025 Quarkslab + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. """ - llhttp, located at deps/llhttp, is licensed as follows: diff --git a/Makefile b/Makefile index 1dbb9f95206aa6..61380c5b824ea0 100644 --- a/Makefile +++ b/Makefile @@ -570,7 +570,7 @@ test-all-suites: | clear-stalled test-build bench-addons-build doc-only ## Run a $(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) test/* JS_SUITES ?= default -NATIVE_SUITES ?= addons js-native-api node-api embedding +NATIVE_SUITES ?= addons ffi js-native-api node-api embedding # CI_* variables should be kept synchronized with the ones in vcbuild.bat CI_NATIVE_SUITES ?= $(NATIVE_SUITES) benchmark CI_JS_SUITES ?= $(JS_SUITES) pummel @@ -1384,7 +1384,7 @@ else LINT_MD_NEWER = -newer tools/.mdlintstamp endif -LINT_MD_TARGETS = doc src lib benchmark test tools/doc tools/icu $(wildcard *.md) +LINT_MD_TARGETS = doc src lib benchmark test tools/doc tools/icu $(filter-out CLAUDE.md AGENTS.md,$(wildcard *.md)) LINT_MD_FILES = $(shell $(FIND) $(LINT_MD_TARGETS) -type f \ ! -path '*node_modules*' ! -path 'test/fixtures/*' -name '*.md' \ $(LINT_MD_NEWER)) diff --git a/README.md b/README.md index c137f44f4b7a4e..c2012523eb199a 100644 --- a/README.md +++ b/README.md @@ -317,8 +317,6 @@ For information about the governance of the Node.js project, see **Daeyeon Jeong** <> (he/him) * [dario-piotrowicz](https://github.com/dario-piotrowicz) - **Dario Piotrowicz** <> (he/him) -* [debadree25](https://github.com/debadree25) - - **Debadree Chatterjee** <> (he/him) * [deokjinkim](https://github.com/deokjinkim) - **Deokjin Kim** <> (he/him) * [edsadr](https://github.com/edsadr) - @@ -365,8 +363,6 @@ For information about the governance of the Node.js project, see **James M Snell** <> (he/him) * [jazelly](https://github.com/jazelly) - **Jason Zhang** <> (he/him) -* [JonasBa](https://github.com/JonasBa) - - **Jonas Badalic** <> (he/him) * [joyeecheung](https://github.com/joyeecheung) - **Joyee Cheung** <> (she/her) * [juanarbol](https://github.com/juanarbol) - @@ -453,8 +449,6 @@ For information about the governance of the Node.js project, see **Vladimir Morozov** <> (he/him) * [watilde](https://github.com/watilde) - **Daijiro Wachi** <> (he/him) -* [zcbenz](https://github.com/zcbenz) - - **Cheng Zhao** <> (he/him) * [ZYSzys](https://github.com/ZYSzys) - **Yongsheng Zhang** <> (he/him) @@ -509,6 +503,8 @@ For information about the governance of the Node.js project, see **David Cai** <> (he/him) * [davisjam](https://github.com/davisjam) - **Jamie Davis** <> (he/him) +* [debadree25](https://github.com/debadree25) - + **Debadree Chatterjee** <> (he/him) * [devnexen](https://github.com/devnexen) - **David Carlier** <> * [devsnek](https://github.com/devsnek) - @@ -573,6 +569,8 @@ For information about the governance of the Node.js project, see **João Reis** <> * [joesepi](https://github.com/joesepi) - **Joe Sepi** <> (he/him) +* [JonasBa](https://github.com/JonasBa) - + **Jonas Badalic** <> (he/him) * [joshgav](https://github.com/joshgav) - **Josh Gavant** <> * [julianduque](https://github.com/julianduque) - @@ -733,6 +731,8 @@ For information about the governance of the Node.js project, see **Yorkie Liu** <> * [yosuke-furukawa](https://github.com/yosuke-furukawa) - **Yosuke Furukawa** <> +* [zcbenz](https://github.com/zcbenz) - + **Cheng Zhao** <> (he/him) @@ -745,38 +745,24 @@ maintaining the Node.js project. * [1ilsang](https://github.com/1ilsang) - **Sangchul Lee** <<1ilsang.dev@gmail.com>> (he/him) -* [atlowChemi](https://github.com/atlowChemi) - - **Chemi Atlow** <> (he/him) * [bjohansebas](https://github.com/bjohansebas) - **Sebastian Beltran** <> * [bmuenzenmeyer](https://github.com/bmuenzenmeyer) - **Brian Muenzenmeyer** <> (he/him) -* [CanadaHonk](https://github.com/CanadaHonk) - - **Oliver Medhurst** <> (they/them) -* [daeyeon](https://github.com/daeyeon) - - **Daeyeon Jeong** <> (he/him) * [efekrskl](https://github.com/efekrskl) - **Efe Karasakal** <> (he/him) * [gireeshpunathil](https://github.com/gireeshpunathil) - **Gireesh Punathil** <> (he/him) -* [gurgunday](https://github.com/gurgunday) - - **Gürgün Dayıoğlu** <> * [haramj](https://github.com/haramj) - **Haram Jeong** <> * [HBSPS](https://github.com/HBSPS) - **Wiyeong Seo** <> * [iam-frankqiu](https://github.com/iam-frankqiu) - **Frank Qiu** <> (he/him) -* [KevinEady](https://github.com/KevinEady) - - **Kevin Eady** <> (he/him) -* [marsonya](https://github.com/marsonya) - - **Akhil Marsonya** <> (he/him) * [milesguicent](https://github.com/milesguicent) - **Miles Guicent** <> (he/him) * [preveen-stack](https://github.com/preveen-stack) - **Preveen Padmanabhan** <> (he/him) -* [RaisinTen](https://github.com/RaisinTen) - - **Darshan Sen** <> (he/him) Triagers follow the [Triage Guide](./doc/contributing/issues.md#triaging-a-bug-report) when responding to new issues. diff --git a/SECURITY.md b/SECURITY.md index 540ab0f9dee80d..022edce4f88a88 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -85,6 +85,7 @@ When reporting security vulnerabilities, reporters must adhere to the following 4. **Report Quality** * Provide clear, detailed steps to reproduce the vulnerability. + * Include reproducible code written in JavaScript. * Include only the minimum proof of concept required to demonstrate the issue. * Remove any malicious payloads or components that could cause harm. @@ -376,7 +377,7 @@ the community they pose. #### Permission Model Boundaries (`--permission`) The Node.js [Permission Model](https://nodejs.org/api/permissions.html) -(`--experimental-permission`) is an opt-in mechanism that limits which +(`--permission`) is an opt-in mechanism that limits which resources a Node.js process may access. It is designed to reduce the blast radius of mistakes in trusted application code, **not** to act as a security boundary against intentional misuse or a compromised process. diff --git a/benchmark/streams/compose.js b/benchmark/streams/compose.js index b98596ffbd1411..283ad8b7e30b32 100644 --- a/benchmark/streams/compose.js +++ b/benchmark/streams/compose.js @@ -9,16 +9,35 @@ const { } = require('node:stream'); const bench = common.createBenchmark(main, { - n: [1e3], + type: ['creation', 'throughput'], + n: [1, 1e3], + streams: [100], + chunks: [1e4], +}, { + combinationFilter({ type, n }) { + return type === 'creation' ? n === 1e3 : n === 1; + }, + test: { + n: [1, 1e3], + type: ['creation', 'throughput'], + }, }); -function main({ n }) { +function main({ type, n, streams, chunks }) { + switch (type) { + case 'creation': + return benchCreation(n, streams); + case 'throughput': + return benchThroughput(n, streams, chunks); + } +} + +function benchCreation(n, numberOfPassThroughs) { const cachedPassThroughs = []; const cachedReadables = []; const cachedWritables = []; for (let i = 0; i < n; i++) { - const numberOfPassThroughs = 100; const passThroughs = []; for (let i = 0; i < numberOfPassThroughs; i++) { @@ -40,3 +59,41 @@ function main({ n }) { } bench.end(n); } + +function benchThroughput(n, numberOfPassThroughs, chunks) { + const chunk = Buffer.alloc(1024); + + let i = 0; + bench.start(); + + function run() { + if (i++ === n) { + bench.end(n * chunks); + return; + } + + const passThroughs = []; + for (let i = 0; i < numberOfPassThroughs; i++) { + passThroughs.push(new PassThrough()); + } + + let remaining = chunks; + const composed = compose(...passThroughs); + composed.on('data', () => {}); + composed.on('end', run); + + write(); + + function write() { + while (remaining-- > 0) { + if (!composed.write(chunk)) { + composed.once('drain', write); + return; + } + } + composed.end(); + } + } + + run(); +} diff --git a/benchmark/util/style-text.js b/benchmark/util/style-text.js index f04a26646e052d..c50a225fd39331 100644 --- a/benchmark/util/style-text.js +++ b/benchmark/util/style-text.js @@ -5,9 +5,22 @@ const common = require('../common.js'); const { styleText } = require('node:util'); const assert = require('node:assert'); +// 1000 distinct hex colors to exercise the cache under high-miss conditions. +// Spread evenly across hue space so colors are valid and maximally varied. +const kHexColorCount = 1000; +const toHex = (n) => n.toString(16).padStart(2, '0'); +const hexColors = Array.from({ length: kHexColorCount }, (_, i) => { + const r = (i * 37) & 0xff; + const g = (i * 73) & 0xff; + const b = (i * 137) & 0xff; + return `#${toHex(r)}${toHex(g)}${toHex(b)}`; +}); + const bench = common.createBenchmark(main, { messageType: ['string', 'number', 'boolean', 'invalid'], - format: ['red', 'italic', 'invalid', '#ff0000'], + // '#rotating' cycles through kHexColorCount distinct colors to simulate + // the high-miss-rate / large-cache scenario (e.g. user-randomised colors). + format: ['red', 'italic', 'invalid', '#ff0000', '#rotating'], validateStream: [1, 0], n: [1e3], }); @@ -31,9 +44,10 @@ function main({ messageType, format, validateStream, n }) { bench.start(); for (let i = 0; i < n; i++) { + const fmt = format === '#rotating' ? hexColors[i % kHexColorCount] : format; let colored = ''; try { - colored = styleText(format, str, { validateStream }); + colored = styleText(fmt, str, { validateStream }); assert.ok(colored); // Attempt to avoid dead-code elimination } catch { // eslint-disable no-empty diff --git a/benchmark/util/text-decoder.js b/benchmark/util/text-decoder.js index 1aa60f2dd0bcd6..ecfba045c52fab 100644 --- a/benchmark/util/text-decoder.js +++ b/benchmark/util/text-decoder.js @@ -6,26 +6,42 @@ const bench = common.createBenchmark(main, { encoding: ['utf-8', 'windows-1252', 'iso-8859-3'], ignoreBOM: [0, 1], fatal: [0, 1], + type: ['SharedArrayBuffer', 'ArrayBuffer', 'Buffer'], + content: ['ascii', 'one-byte-string', 'two-byte-string'], len: [256, 1024 * 16, 1024 * 128], n: [1e3], - type: ['SharedArrayBuffer', 'ArrayBuffer', 'Buffer'], }); -function main({ encoding, len, n, ignoreBOM, type, fatal }) { +function buildContent(content, len) { + let base; + switch (content) { + case 'ascii': base = 'a'; break; + case 'one-byte-string': base = '\xff'; break; + case 'two-byte-string': base = 'ğ'; break; + } + const unitBytes = Buffer.byteLength(base, 'utf8'); + const copies = Math.max(1, Math.floor(len / unitBytes)); + return Buffer.from(base.repeat(copies)); +} + +function main({ encoding, len, n, ignoreBOM, type, fatal, content }) { const decoder = new TextDecoder(encoding, { ignoreBOM, fatal }); + const seed = buildContent(content, len); let buf; switch (type) { case 'SharedArrayBuffer': { - buf = new SharedArrayBuffer(len); + buf = new SharedArrayBuffer(seed.length); + new Uint8Array(buf).set(seed); break; } case 'ArrayBuffer': { - buf = new ArrayBuffer(len); + buf = new ArrayBuffer(seed.length); + new Uint8Array(buf).set(seed); break; } case 'Buffer': { - buf = Buffer.allocUnsafe(len); + buf = seed; break; } } diff --git a/common.gypi b/common.gypi index 6dd4674aa3aeba..c9ff09b4dc04ca 100644 --- a/common.gypi +++ b/common.gypi @@ -12,9 +12,11 @@ 'msvs_multi_core_compile': '0', # we do enable multicore compiles, but not using the V8 way 'enable_pgo_generate%': '0', 'enable_pgo_use%': '0', + 'clang_profile_lib%': '', 'python%': 'python', 'node_shared%': 'false', + 'node_enable_experimentals%': 'false', 'force_dynamic_crt%': 0, 'node_use_v8_platform%': 'true', 'node_use_bundled_v8%': 'true', @@ -38,7 +40,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.49', + 'v8_embedder_string': '-node.50', ##### V8 defaults for Node.js ##### @@ -245,6 +247,65 @@ },], ], },], + ['OS=="win"', { + 'conditions': [ + ['enable_lto=="true"', { + 'msvs_settings': { + 'VCCLCompilerTool': { + 'AdditionalOptions': ['-flto=full'], + }, + 'VCLibrarianTool': { + 'AdditionalOptions': ['-flto=full'], + }, + 'VCLinkerTool': { + 'AdditionalOptions': ['-flto=full'], + }, + }, + },], + ['enable_thin_lto=="true"', { + 'msvs_settings': { + 'VCCLCompilerTool': { + 'AdditionalOptions': ['-flto=thin'], + }, + 'VCLibrarianTool': { + 'AdditionalOptions': ['-flto=thin'], + }, + 'VCLinkerTool': { + 'AdditionalOptions': ['-flto=thin'], + }, + }, + },], + ], + 'target_conditions': [ + ['_toolset=="target"', { + 'conditions': [ + ['enable_pgo_generate=="true"', { + 'msvs_settings': { + 'VCCLCompilerTool': { + 'AdditionalOptions': ['-fprofile-generate'], + }, + 'VCLinkerTool': { + 'AdditionalOptions': [ + '/NODEFAULTLIB:clang_rt.profile.lib', + '"<(clang_profile_lib)"', + ], + }, + }, + },], + ['enable_pgo_use=="true"', { + 'msvs_settings': { + 'VCCLCompilerTool': { + 'AdditionalOptions': ['-fprofile-use=$(SolutionDir)node.profdata'], + }, + 'VCLinkerTool': { + 'AdditionalOptions': ['-fprofile-use=$(SolutionDir)node.profdata'], + }, + }, + },], + ], + },], + ], + },], ['OS == "android"', { 'cflags': [ '-fPIC', '-I<(android_ndk_path)/sources/android/cpufeatures' ], 'ldflags': [ '-fPIC' ] @@ -440,6 +501,9 @@ }], # The defines bellow must include all things from the external_v8_defines # list in v8/BUILD.gn. + ['node_enable_experimentals == "true"', { + 'defines': ['EXPERIMENTALS_DEFAULT_VALUE=true'], + }], ['v8_enable_v8_checks == 1', { 'defines': ['V8_ENABLE_CHECKS'], }], diff --git a/configure.py b/configure.py index e05c1161105237..9c426b3f8f9cbf 100755 --- a/configure.py +++ b/configure.py @@ -202,14 +202,14 @@ dest="enable_pgo_generate", default=None, help="Enable profiling with pgo of a binary. This feature is only available " - "on linux with gcc and g++ 5.4.1 or newer.") + "on linux with gcc and g++ 5.4.1 or newer and on windows.") parser.add_argument("--enable-pgo-use", action="store_true", dest="enable_pgo_use", default=None, help="Enable use of the profile generated with --enable-pgo-generate. This " - "feature is only available on linux with gcc and g++ 5.4.1 or newer.") + "feature is only available on linux with gcc and g++ 5.4.1 or newer and on windows.") parser.add_argument("--enable-lto", action="store_true", @@ -218,6 +218,13 @@ help="Enable compiling with lto of a binary. This feature is only available " "with gcc 5.4.1+ or clang 3.9.1+.") +parser.add_argument("--enable-thin-lto", + action="store_true", + dest="enable_thin_lto", + default=None, + help="Enable compiling with thin lto of a binary. This feature is only available " + "on windows.") + parser.add_argument("--link-module", action="append", dest="linked_module", @@ -731,6 +738,12 @@ default=None, help='Enable the --trace-maps flag in V8 (use at your own risk)') +parser.add_argument('--enable-all-experimentals', + action='store_true', + dest='enable_all_experimentals', + default=None, + help='Enable all experimental features by default') + parser.add_argument('--experimental-enable-pointer-compression', action='store_true', dest='enable_pointer_compression', @@ -853,7 +866,8 @@ action='store_true', dest='with_ltcg', default=None, - help='Use Link Time Code Generation. This feature is only available on Windows.') + help='Use Thin LTO scoped to node.exe and libnode only. ' + 'This feature is only available on Windows.') parser.add_argument('--write-snapshot-as-array-literals', action='store_true', @@ -1608,6 +1622,7 @@ def configure_node_cctest_sources(o): def configure_node(o): if options.dest_os == 'android': o['variables']['OS'] = 'android' + o['variables']['node_enable_experimentals'] = b(options.enable_all_experimentals) o['variables']['node_prefix'] = options.prefix o['variables']['node_install_npm'] = b(not options.without_npm) o['variables']['node_install_corepack'] = b(not options.without_corepack) @@ -1705,9 +1720,9 @@ def configure_node(o): else: o['variables']['node_enable_v8_vtunejit'] = 'false' - if flavor != 'linux' and (options.enable_pgo_generate or options.enable_pgo_use): + if (flavor != 'linux' and flavor != 'win') and (options.enable_pgo_generate or options.enable_pgo_use): raise Exception( - 'The pgo option is supported only on linux.') + 'The pgo option is supported only on linux and windows.') if flavor == 'linux': if options.enable_pgo_generate or options.enable_pgo_use: @@ -1718,21 +1733,55 @@ def configure_node(o): 'The options --enable-pgo-generate and --enable-pgo-use ' f'are supported for gcc and gxx {version_checked_str} or newer only.') - if options.enable_pgo_generate and options.enable_pgo_use: - raise Exception( - 'Only one of the --enable-pgo-generate or --enable-pgo-use options ' - 'can be specified at a time. You would like to use ' - '--enable-pgo-generate first, profile node, and then recompile ' - 'with --enable-pgo-use') + if options.enable_pgo_generate and options.enable_pgo_use: + raise Exception( + 'Only one of the --enable-pgo-generate or --enable-pgo-use options ' + 'can be specified at a time. You would like to use ' + '--enable-pgo-generate first, profile node, and then recompile ' + 'with --enable-pgo-use') o['variables']['enable_pgo_generate'] = b(options.enable_pgo_generate) o['variables']['enable_pgo_use'] = b(options.enable_pgo_use) - if flavor == 'win' and (options.enable_lto): + if flavor == 'win' and (options.enable_pgo_generate or options.enable_pgo_use): + lib_suffix = 'aarch64' if target_arch == 'arm64' else 'x86_64' + lib_name = f'clang_rt.profile-{lib_suffix}.lib' + msvc_dir = target_arch # 'x64' or 'arm64' + + vc_tools_dir = os.environ.get('VCToolsInstallDir', '') + if vc_tools_dir: + clang_profile_lib = os.path.join(vc_tools_dir, 'lib', msvc_dir, lib_name) + if os.path.isfile(clang_profile_lib): + o['variables']['clang_profile_lib'] = clang_profile_lib + else: + raise Exception( + f'PGO profile runtime library not found at {clang_profile_lib}. ' + 'Ensure the ClangCL toolset is installed.') + else: + raise Exception( + 'VCToolsInstallDir not set. Run from a Visual Studio command prompt.') + + if flavor != 'win' and options.enable_thin_lto: raise Exception( - 'Use Link Time Code Generation instead.') + 'Use --enable-lto instead.') + + # LTO mutual exclusion + if flavor == 'win': + lto_options = [] + if options.enable_lto: + lto_options.append('--enable-lto') + if options.enable_thin_lto: + lto_options.append('--enable-thin-lto') + if options.with_ltcg: + lto_options.append('--with-ltcg') + if len(lto_options) > 1: + raise Exception( + f'Only one LTO option can be specified at a time: {", ".join(lto_options)}. ' + 'Use --enable-lto for Full LTO (global), ' + '--enable-thin-lto for Thin LTO (global), ' + 'or --with-ltcg for Thin LTO (scoped to node.exe and libnode).') - if options.enable_lto: + if options.enable_lto and flavor != 'win': gcc_version_checked = (5, 4, 1) clang_version_checked = (3, 9, 1) if not gcc_version_ge(gcc_version_checked) and not clang_version_ge(clang_version_checked): @@ -1743,6 +1792,7 @@ def configure_node(o): f'or clang {clang_version_checked_str}+ only.') o['variables']['enable_lto'] = b(options.enable_lto) + o['variables']['enable_thin_lto'] = b(options.enable_thin_lto) if options.node_use_large_pages or options.node_use_large_pages_script_lld: warn('''The `--use-largepages` and `--use-largepages-script-lld` options diff --git a/deps/npm/docs/content/commands/npm-approve-scripts.md b/deps/npm/docs/content/commands/npm-approve-scripts.md new file mode 100644 index 00000000000000..e3445447c79052 --- /dev/null +++ b/deps/npm/docs/content/commands/npm-approve-scripts.md @@ -0,0 +1,125 @@ +--- +title: npm-approve-scripts +section: 1 +description: Approve install scripts for specific dependencies +--- + +### Synopsis + +```bash +npm approve-scripts [ ...] +npm approve-scripts --all +npm approve-scripts --allow-scripts-pending +``` + +Note: This command is unaware of workspaces. + +### Description + +Manages the `allowScripts` field in your project's `package.json`, which +records which of your dependencies are permitted to run install scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +sources). This command is the recommended way to maintain that field. + +In the current release, this field is advisory: install scripts still run +by default, but installs print a list of packages whose scripts have not +been reviewed. A future release will block unreviewed install scripts. + +There are three modes: + +```bash +npm approve-scripts [ ...] +npm approve-scripts --all +npm approve-scripts --allow-scripts-pending +``` + +`` matches every installed version of that package. By default the +command writes pinned entries (`pkg@1.2.3`), which keep their approval +narrowed to the specific version you reviewed. Pass `--no-allow-scripts-pin` to write +name-only entries that allow any future version. + +`--all` approves every package with unreviewed install scripts in one go. + +`--allow-scripts-pending` is read-only: it lists every package whose install scripts +are not yet covered by `allowScripts`, without modifying `package.json`. + +`approve-scripts` honours the asymmetric pin rule: if you re-approve a +package whose installed version has changed, the existing pin is rewritten +to track the new installed version. Multi-version statements +(`pkg@1 || 2`) are left alone, since they likely capture intent that +the command cannot infer. Existing `false` entries always win; +`approve-scripts` will not silently re-allow a package you previously +denied. + +### Examples + +```bash +# Approve all currently-installed install scripts after reviewing them +npm approve-scripts --all + +# Approve specific packages, pinned to their installed version +npm approve-scripts canvas sharp + +# Approve name-only (any version of this package is allowed) +npm approve-scripts --no-allow-scripts-pin canvas + +# Preview which packages still need review +npm approve-scripts --allow-scripts-pending +``` + +### Configuration + +#### `all` + +* Default: false +* Type: Boolean + +When running `npm outdated` and `npm ls`, setting `--all` will show all +outdated or installed packages, rather than only those directly depended +upon by the current project. + + + +#### `allow-scripts-pending` + +* Default: false +* Type: Boolean + +List packages with install scripts that are not yet covered by the +`allowScripts` policy, without modifying `package.json`. Only meaningful for +`npm approve-scripts`. + + + +#### `allow-scripts-pin` + +* Default: true +* Type: Boolean + +Write pinned (`pkg@version`) entries when approving install scripts. Set to +`false` to write name-only entries that allow any version. Has no effect on +`npm deny-scripts`, which always writes name-only entries regardless of this +setting. + + + +#### `json` + +* Default: false +* Type: Boolean + +Whether or not to output JSON data, rather than the normal output. + +* In `npm pkg set` it enables parsing set values with JSON.parse() before + saving them to your `package.json`. + +Not supported by all npm commands. + + + +### See Also + +* [npm deny-scripts](/commands/npm-deny-scripts) +* [npm install](/commands/npm-install) +* [npm rebuild](/commands/npm-rebuild) +* [package.json](/configuring-npm/package-json) diff --git a/deps/npm/docs/content/commands/npm-ci.md b/deps/npm/docs/content/commands/npm-ci.md index 45162af8d61d57..bc460070459604 100644 --- a/deps/npm/docs/content/commands/npm-ci.md +++ b/deps/npm/docs/content/commands/npm-ci.md @@ -189,6 +189,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -197,16 +233,85 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `audit` * Default: true diff --git a/deps/npm/docs/content/commands/npm-dedupe.md b/deps/npm/docs/content/commands/npm-dedupe.md index e7fd142d00c07c..8186ee2c1f31c7 100644 --- a/deps/npm/docs/content/commands/npm-dedupe.md +++ b/deps/npm/docs/content/commands/npm-dedupe.md @@ -184,6 +184,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -192,12 +228,31 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` diff --git a/deps/npm/docs/content/commands/npm-deny-scripts.md b/deps/npm/docs/content/commands/npm-deny-scripts.md new file mode 100644 index 00000000000000..51915b09fe1dfc --- /dev/null +++ b/deps/npm/docs/content/commands/npm-deny-scripts.md @@ -0,0 +1,109 @@ +--- +title: npm-deny-scripts +section: 1 +description: Deny install scripts for specific dependencies +--- + +### Synopsis + +```bash +npm deny-scripts [ ...] +npm deny-scripts --all +``` + +Note: This command is unaware of workspaces. + +### Description + +The companion command to [`npm approve-scripts`](/commands/npm-approve-scripts). +Writes `false` entries into the `allowScripts` field of your project's +`package.json`, recording that a dependency must not run install scripts +even if a future version would otherwise be eligible. + +In the current release, install scripts still run by default, so `deny-scripts` +only affects how installs of denied packages are reported. A future release +will block unreviewed install scripts and respect deny entries at install +time. + +```bash +npm deny-scripts [ ...] +npm deny-scripts --all +``` + +`` matches every installed version of that package. Denies are always +written name-only (`"pkg": false`), regardless of `--allow-scripts-pin`. Pinning a deny +to a specific version would silently re-allow scripts for any other version +of the same package, which defeats the purpose; the command picks the +safer default for you. + +`--all` denies every package with unreviewed install scripts. + +If a `true` (pinned or name-only) entry exists for a package and you then +deny it, the existing allow entries are removed so the name-only deny is +unambiguous. + +### Examples + +```bash +# Deny a specific package outright +npm deny-scripts telemetry-pkg + +# Deny everything that has install scripts and isn't already approved +npm deny-scripts --all +``` + +### Configuration + +#### `all` + +* Default: false +* Type: Boolean + +When running `npm outdated` and `npm ls`, setting `--all` will show all +outdated or installed packages, rather than only those directly depended +upon by the current project. + + + +#### `allow-scripts-pending` + +* Default: false +* Type: Boolean + +List packages with install scripts that are not yet covered by the +`allowScripts` policy, without modifying `package.json`. Only meaningful for +`npm approve-scripts`. + + + +#### `allow-scripts-pin` + +* Default: true +* Type: Boolean + +Write pinned (`pkg@version`) entries when approving install scripts. Set to +`false` to write name-only entries that allow any version. Has no effect on +`npm deny-scripts`, which always writes name-only entries regardless of this +setting. + + + +#### `json` + +* Default: false +* Type: Boolean + +Whether or not to output JSON data, rather than the normal output. + +* In `npm pkg set` it enables parsing set values with JSON.parse() before + saving them to your `package.json`. + +Not supported by all npm commands. + + + +### See Also + +* [npm approve-scripts](/commands/npm-approve-scripts) +* [npm install](/commands/npm-install) +* [package.json](/configuring-npm/package-json) diff --git a/deps/npm/docs/content/commands/npm-exec.md b/deps/npm/docs/content/commands/npm-exec.md index 72c63163be4d2f..13a0939209a5ea 100644 --- a/deps/npm/docs/content/commands/npm-exec.md +++ b/deps/npm/docs/content/commands/npm-exec.md @@ -158,6 +158,56 @@ the specified workspaces, and not on the root project. This value is not exported to the environment for child processes. +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + ### Examples Run the version of `tap` in the local dependencies, with the provided arguments: diff --git a/deps/npm/docs/content/commands/npm-install-ci-test.md b/deps/npm/docs/content/commands/npm-install-ci-test.md index 6b9681d202c991..4528f63dfe28e8 100644 --- a/deps/npm/docs/content/commands/npm-install-ci-test.md +++ b/deps/npm/docs/content/commands/npm-install-ci-test.md @@ -142,6 +142,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -150,16 +186,85 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `audit` * Default: true diff --git a/deps/npm/docs/content/commands/npm-install-test.md b/deps/npm/docs/content/commands/npm-install-test.md index 8291409edfb835..5a2f33a84ca96d 100644 --- a/deps/npm/docs/content/commands/npm-install-test.md +++ b/deps/npm/docs/content/commands/npm-install-test.md @@ -219,6 +219,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -227,16 +263,85 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `audit` * Default: true @@ -264,7 +369,13 @@ If the requested version is a `dist-tag` and the given tag does not pass the will be used. For example, `foo@latest` might install `foo@1.2` even though `latest` is `2.0`. -This config cannot be used with: `min-release-age` +If `before` and `min-release-age` are both set in the same source, `before` +wins (an explicit absolute date overrides a relative window). Across +sources, the standard precedence applies (cli > env > project > user > +global), so a higher-priority source can always relax or override a +lower-priority one. + + #### `min-release-age` @@ -277,9 +388,11 @@ are no versions available for the current set of dependencies, the command will error. This flag is a complement to `before`, which accepts an exact date instead -of a relative number of days. - -This config cannot be used with: `before` +of a relative number of days. The two may coexist (e.g. `min-release-age` in +your `.npmrc` is preserved when npm internally spawns a sub-process with +`--before` while preparing a `git:` or `github:` dependency); when both +apply, `before` wins within a single source and across sources the standard +precedence rules apply. This value is not exported to the environment for child processes. diff --git a/deps/npm/docs/content/commands/npm-install.md b/deps/npm/docs/content/commands/npm-install.md index 77a34667725c3f..7bc00701e7bf2d 100644 --- a/deps/npm/docs/content/commands/npm-install.md +++ b/deps/npm/docs/content/commands/npm-install.md @@ -561,6 +561,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -569,16 +605,85 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `audit` * Default: true @@ -606,7 +711,13 @@ If the requested version is a `dist-tag` and the given tag does not pass the will be used. For example, `foo@latest` might install `foo@1.2` even though `latest` is `2.0`. -This config cannot be used with: `min-release-age` +If `before` and `min-release-age` are both set in the same source, `before` +wins (an explicit absolute date overrides a relative window). Across +sources, the standard precedence applies (cli > env > project > user > +global), so a higher-priority source can always relax or override a +lower-priority one. + + #### `min-release-age` @@ -619,9 +730,11 @@ are no versions available for the current set of dependencies, the command will error. This flag is a complement to `before`, which accepts an exact date instead -of a relative number of days. - -This config cannot be used with: `before` +of a relative number of days. The two may coexist (e.g. `min-release-age` in +your `.npmrc` is preserved when npm internally spawns a sub-process with +`--before` while preparing a `git:` or `github:` dependency); when both +apply, `before` wins within a single source and across sources the standard +precedence rules apply. This value is not exported to the environment for child processes. diff --git a/deps/npm/docs/content/commands/npm-link.md b/deps/npm/docs/content/commands/npm-link.md index 31af87bfa3006d..37efda66408fbd 100644 --- a/deps/npm/docs/content/commands/npm-link.md +++ b/deps/npm/docs/content/commands/npm-link.md @@ -248,6 +248,42 @@ run any pre- or post-scripts. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -256,12 +292,31 @@ run any pre- or post-scripts. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` diff --git a/deps/npm/docs/content/commands/npm-ls.md b/deps/npm/docs/content/commands/npm-ls.md index 556e77976c1a8f..c0a341e46fd10b 100644 --- a/deps/npm/docs/content/commands/npm-ls.md +++ b/deps/npm/docs/content/commands/npm-ls.md @@ -23,7 +23,7 @@ Note that nested packages will *also* show the paths to the specified packages. For example, running `npm ls promzard` in npm's source tree will show: ```bash -npm@11.13.0 /path/to/npm +npm@11.16.0 /path/to/npm └─┬ init-package-json@0.0.4 └── promzard@0.1.5 ``` diff --git a/deps/npm/docs/content/commands/npm-outdated.md b/deps/npm/docs/content/commands/npm-outdated.md index f635cb90565d2f..92e15e9602013d 100644 --- a/deps/npm/docs/content/commands/npm-outdated.md +++ b/deps/npm/docs/content/commands/npm-outdated.md @@ -165,7 +165,13 @@ If the requested version is a `dist-tag` and the given tag does not pass the will be used. For example, `foo@latest` might install `foo@1.2` even though `latest` is `2.0`. -This config cannot be used with: `min-release-age` +If `before` and `min-release-age` are both set in the same source, `before` +wins (an explicit absolute date overrides a relative window). Across +sources, the standard precedence applies (cli > env > project > user > +global), so a higher-priority source can always relax or override a +lower-priority one. + + #### `min-release-age` @@ -178,9 +184,11 @@ are no versions available for the current set of dependencies, the command will error. This flag is a complement to `before`, which accepts an exact date instead -of a relative number of days. - -This config cannot be used with: `before` +of a relative number of days. The two may coexist (e.g. `min-release-age` in +your `.npmrc` is preserved when npm internally spawns a sub-process with +`--before` while preparing a `git:` or `github:` dependency); when both +apply, `before` wins within a single source and across sources the standard +precedence rules apply. This value is not exported to the environment for child processes. diff --git a/deps/npm/docs/content/commands/npm-publish.md b/deps/npm/docs/content/commands/npm-publish.md index c69e187429eabb..04c020b3563f7d 100644 --- a/deps/npm/docs/content/commands/npm-publish.md +++ b/deps/npm/docs/content/commands/npm-publish.md @@ -117,7 +117,7 @@ the package submitted to the registry. * Default: 'public' for new packages, existing packages it will not change the current level -* Type: null, "restricted", or "public" +* Type: null, "restricted", "public", or "private" If you do not want your scoped package to be publicly viewable (and installable) set `--access=restricted`. @@ -129,6 +129,8 @@ packages. Specifying a value of `restricted` or `public` during publish will change the access for an existing package the same way that `npm access set status` would. +The value `private` is an alias for `restricted`. + #### `dry-run` diff --git a/deps/npm/docs/content/commands/npm-rebuild.md b/deps/npm/docs/content/commands/npm-rebuild.md index 9fb43567ac2eb4..18b1d37c779956 100644 --- a/deps/npm/docs/content/commands/npm-rebuild.md +++ b/deps/npm/docs/content/commands/npm-rebuild.md @@ -100,6 +100,56 @@ run any pre- or post-scripts. +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `workspace` * Default: diff --git a/deps/npm/docs/content/commands/npm-stage.md b/deps/npm/docs/content/commands/npm-stage.md new file mode 100644 index 00000000000000..cda1b493f9ac4f --- /dev/null +++ b/deps/npm/docs/content/commands/npm-stage.md @@ -0,0 +1,253 @@ +--- +title: npm-stage +section: 1 +description: Stage packages for publishing +--- + +### Synopsis + +```bash +npm stage +``` + +Note: This command is unaware of workspaces. + +### Description + +Staged publishing allows package maintainers to require proof-of-presence +for all publishes. Proof-of-presence is where a human is involved, +interjects, and provides authentication (2FA) during an action — in this +case, publishing an npm package. + +Typically when maintainers use automated workflows to publish, +proof-of-presence is lacking as there's no convenient way to interject the +process and provide 2FA, as is the case for publishing with a granular +access token with bypass and the trusted publishing flow. Staged publishing +allows users to have their automated workflows stage a package without a 2FA +prompt, deferring the act of 2FA, allowing the maintainer to approve the +staged package and publish at a later point. + +The `npm stage publish` command packs the current working directory and +places that version of the package into the registry in a state where it's +not available for public access, allowing maintainers to approve the package +at a later point in time. The act of staging does not prompt for 2FA and can be done with any token +type, the act of approving will. + +Key behaviors: + +* Staged packages share the same semver version unique index as published + packages — you cannot publish a version that already exists as a staged + version for that package. +* You can still publish packages normally while you have staged packages + pending. +* You can stage multiple versions of the same package. +* `npm stage publish` has parity with `npm publish` and will respect + `"private": true` in `package.json`, refusing to stage the package. + +### Prerequisites + +Before using `npm stage` commands, ensure the following requirements are met: + +* **Write permissions on the package:** You must have write access to the + package you're configuring. +* **Package must exist:** The package you're configuring must already exist + on the npm registry. +* **2FA enabled on your account:** Commands that require 2FA will prompt you + to authenticate. If you don't already have 2FA enabled on your account, + you must enable it before using these commands. + +### Subcommands + +* `npm stage publish []` - Stage a package for publishing +* `npm stage list []` - List all staged package versions +* `npm stage view ` - View details of a specific staged package +* `npm stage approve ` - Approve a staged package for publishing +* `npm stage reject ` - Reject a staged package +* `npm stage download ` - Download the tarball for inspection + +### 2FA Requirements by Subcommand + +| Command | Requires 2FA | Notes | +| --- | --- | --- | +| `npm stage publish` | No | Designed for automated workflows; defers 2FA to approval | +| `npm stage list` | No | View staged packages | +| `npm stage view` | No | View staged package details | +| `npm stage approve` | Yes | Prompts for 2FA to publish the staged package | +| `npm stage reject` | Yes | Prompts for 2FA to permanently remove the staged package | +| `npm stage download` | No | Downloads the tarball for local inspection | + +### Tag Behavior + +The `--tag` flag follows the same logic as `npm publish`. If no tag is +provided, the `latest` tag is used by default. For pre-release versions +(e.g., `1.0.0-beta.1`) and non-latest semver versions, the tag must be +explicitly provided — otherwise the CLI will error, just as `npm publish` +would. + +The tag is an immutable property of the staged package. Once a package is +staged with a given tag, the tag cannot be changed. If you need to stage the +same version with a different tag, you must first reject the existing staged +package using `npm stage reject` and then re-stage it with the desired tag. + +### Token Behavior + +The key difference with staged publishing is that `npm stage publish` never +requires a 2FA prompt, regardless of token type. This is what makes it +suitable for automated workflows. The goal of `npm stage publish` is +deferring proof-of-presence to a later point in time. + +| Token Type | `npm stage publish` | `npm publish` | +| --- | --- | --- | +| GAT with bypass | Can stage | Can publish (if allowed by package publishing access) | +| GAT without bypass | Can stage | 2FA prompt (if allowed by package publishing access) | +| Session token | Can stage | 2FA prompt | +| Trust token (OIDC) | Can stage (if allowed) | Can publish (if allowed) | + +### Trust Relationship Permissions + +With staged publishing, trust relationships now support granular command +permissions. Shortlived tokens issued through trust relationships can only be +used with `npm stage publish` and `npm publish`. Shortlived tokens cannot run +`npm stage` subcommands. + +`npm trust ` supports `--allow-publish` and `--allow-stage-publish` +to control which commands are available through each trust relationship. + +### Best Practices + +**Note:** The addition of staged publishing does not make your account or org +more secure. Maintainers must still use the best practices listed below. + +1. **Delete Granular Access Tokens (GAT) with bypass 2FA enabled.** + Now with staged publishing, we've eliminated the need for a GAT token + that can bypass 2FA. We encourage you to delete all your tokens with + bypass enabled and switch to using a trust relationship in your automated + workflows, or create a GAT without bypass and use `npm stage publish`. + +2. **Disallow tokens from publishing at the package level.** + All packages have their own access controls under "package access" + allowing packages to be published with bypass tokens, which is no longer + a necessity. We encourage you to select "Require two-factor + authentication and disallow tokens (recommended)" for all your packages + on the package access page. + +3. **Configure trust relationship permissions to prevent `npm publish`.** + We encourage you to only enable `npm stage publish` on your trust + relationships and disable `npm publish`. + +### Configuration + +### `npm stage publish` + +Stage a package for publishing, deferring proof-of-presence (2FA) to a later point in time + +#### Synopsis + +```bash +npm stage publish +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--tag` | "latest" | String | If you ask npm to install a package and don't tell it a specific version, then it will install the specified tag. It is the tag added to the package@version specified in the `npm dist-tag add` command, if no explicit tag is given. When used by the `npm diff` command, this is the tag used to fetch the tarball that will be compared with the local files by default. If used in the `npm publish` command, this is the tag that will be added to the package submitted to the registry. | +| `--access` | 'public' for new packages, existing packages it will not change the current level | null, "restricted", "public", or "private" | If you do not want your scoped package to be publicly viewable (and installable) set `--access=restricted`. Unscoped packages cannot be set to `restricted`. Note: This defaults to not changing the current access level for existing packages. Specifying a value of `restricted` or `public` during publish will change the access for an existing package the same way that `npm access set status` would. The value `private` is an alias for `restricted`. | +| `--dry-run` | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, `install`, `update`, `dedupe`, `uninstall`, as well as `pack` and `publish`. Note: This is NOT honored by other network related commands, eg `dist-tags`, `owner`, etc. | +| `--otp` | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with `npm access`. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | +| `--workspace`, `-w` | | String (can be set multiple times) | Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option. Valid values for the `workspace` config are either: * Workspace names * Path to a workspace directory * Path to a parent workspace directory (will result in selecting all workspaces within that folder) When set for the `npm init` command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project. | +| `--workspaces` | null | null or Boolean | Set to true to run the command in the context of **all** configured workspaces. Explicitly setting this to false will cause commands like `install` to ignore workspaces altogether. When not set explicitly: - Commands that operate on the `node_modules` tree (install, update, etc.) will link workspaces into the `node_modules` folder. - Commands that do other things (test, exec, publish, etc.) will operate on the root project, _unless_ one or more workspaces are specified in the `workspace` config. | +| `--include-workspace-root` | false | Boolean | Include the workspace root when workspaces are enabled for a command. When false, specifying individual workspaces via the `workspace` config, or all workspaces via the `workspaces` flag, will cause npm to operate only on the specified workspaces, and not on the root project. | +| `--provenance` | false | Boolean | When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and published from. | + +### `npm stage list` + +List all staged package versions + +#### Synopsis + +```bash +npm stage list [] +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | +| `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | + +### `npm stage view` + +View details of a specific staged package + +#### Synopsis + +```bash +npm stage view +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | +| `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | + +### `npm stage approve` + +Approve a staged package, publishing it to the npm registry + +#### Synopsis + +```bash +npm stage approve +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--otp` | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with `npm access`. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | +| `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | + +### `npm stage reject` + +Reject a staged package, removing it from the registry + +#### Synopsis + +```bash +npm stage reject +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--otp` | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with `npm access`. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | +| `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | + +### `npm stage download` + +Download the tarball of a staged package for inspection + +#### Synopsis + +```bash +npm stage download +``` + +#### Flags + +| Flag | Default | Type | Description | +| --- | --- | --- | --- | +| `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | +| `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | + + +### See Also + +* [npm publish](/commands/npm-publish) +* [npm unpublish](/commands/npm-unpublish) +* [npm trust](/commands/npm-trust) diff --git a/deps/npm/docs/content/commands/npm-trust.md b/deps/npm/docs/content/commands/npm-trust.md index e780330db878de..5aac2035b38644 100644 --- a/deps/npm/docs/content/commands/npm-trust.md +++ b/deps/npm/docs/content/commands/npm-trust.md @@ -28,6 +28,17 @@ The `[package]` argument specifies the package name. If omitted, npm will use th Each trust relationship has its own set of configuration options and flags based on the OIDC claims provided by that provider. OIDC claims come from the CI/CD provider and include information such as repository name, workflow file, or environment. Since each provider's claims differ, the available flags and configuration keys are not universal—npm matches the claims supported by each provider's OIDC configuration. For specific details on which claims and flags are supported for a given provider, use `npm trust --help`. +### Permissions + +When creating a trust relationship, you must specify at least one permission flag to indicate which operations the trusted publisher is allowed to perform: + +* `--allow-publish`: Allows the trusted publisher to run `npm publish` for the package. +* `--allow-stage-publish`: Allows the trusted publisher to run `npm stage` for the package. The alias `--allow-staged-publish` is also accepted. + +At least one of these flags is required when creating a trust configuration. You can specify both to grant both permissions. + +### Provider Options + The required options depend on the CI/CD provider you're configuring. Detailed information about each option is available in the [managing trusted publisher configurations](https://docs.npmjs.com/trusted-publishers#managing-trusted-publisher-configurations) section of the npm documentation. If a provider is repository-based and the option is not provided, npm will use the `repository.url` field from your `package.json`, if available. Currently, the registry only supports one configuration per package. If you attempt to create a new trust relationship when one already exists, it will result in an error. To replace an existing configuration: @@ -53,7 +64,7 @@ Create a trusted relationship between a package and GitHub Actions #### Synopsis ```bash -npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes] +npm trust github [package] --file [--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes] ``` #### Flags @@ -63,6 +74,8 @@ npm trust github [package] --file [--repo|--repository] [--env|--environment] [- | `--file` | null | String (required) | Name of workflow file within a repositories .GitHub folder (must end in yaml, yml) | | `--repository`, `--repo` | null | String | Name of the repository in the format owner/repo | | `--environment`, `--env` | null | String | CI environment name | +| `--allow-publish` | false | Boolean | Allow npm publish for this trusted publisher configuration | +| `--allow-stage-publish`, `--allow-staged-publish` | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | `--dry-run` | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, `install`, `update`, `dedupe`, `uninstall`, as well as `pack` and `publish`. Note: This is NOT honored by other network related commands, eg `dist-tags`, `owner`, etc. | | `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | | `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | @@ -75,7 +88,7 @@ Create a trusted relationship between a package and GitLab CI/CD #### Synopsis ```bash -npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes] +npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes] ``` #### Flags @@ -85,6 +98,8 @@ npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--envir | `--file` | null | String (required) | Name of pipeline file (e.g., .gitlab-ci.yml) | | `--project` | null | String | Name of the project in the format group/project or group/subgroup/project | | `--environment`, `--env` | null | String | CI environment name | +| `--allow-publish` | false | Boolean | Allow npm publish for this trusted publisher configuration | +| `--allow-stage-publish`, `--allow-staged-publish` | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | `--dry-run` | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, `install`, `update`, `dedupe`, `uninstall`, as well as `pack` and `publish`. Note: This is NOT honored by other network related commands, eg `dist-tags`, `owner`, etc. | | `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | | `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | @@ -97,7 +112,7 @@ Create a trusted relationship between a package and CircleCI #### Synopsis ```bash -npm trust circleci [package] --org-id --project-id --pipeline-definition-id --vcs-origin [--context-id ...] [-y|--yes] +npm trust circleci [package] --org-id --project-id --pipeline-definition-id --vcs-origin [--context-id ...] [--allow-publish] [--allow-stage-publish] [-y|--yes] ``` #### Flags @@ -109,6 +124,8 @@ npm trust circleci [package] --org-id --project-id --pipeline-defi | `--pipeline-definition-id` | null | String (required) | CircleCI pipeline definition UUID | | `--vcs-origin` | null | String (required) | CircleCI repository origin in format 'provider/owner/repo' | | `--context-id` | null | null or String (can be set multiple times) | CircleCI context UUID to match | +| `--allow-publish` | false | Boolean | Allow npm publish for this trusted publisher configuration | +| `--allow-stage-publish`, `--allow-staged-publish` | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | `--dry-run` | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, `install`, `update`, `dedupe`, `uninstall`, as well as `pack` and `publish`. Note: This is NOT honored by other network related commands, eg `dist-tags`, `owner`, etc. | | `--json` | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In `npm pkg set` it enables parsing set values with JSON.parse() before saving them to your `package.json`. Not supported by all npm commands. | | `--registry` | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | diff --git a/deps/npm/docs/content/commands/npm-update.md b/deps/npm/docs/content/commands/npm-update.md index 979f1c1de333d9..86b54eed070924 100644 --- a/deps/npm/docs/content/commands/npm-update.md +++ b/deps/npm/docs/content/commands/npm-update.md @@ -303,6 +303,56 @@ run any pre- or post-scripts. +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `audit` * Default: true @@ -330,7 +380,13 @@ If the requested version is a `dist-tag` and the given tag does not pass the will be used. For example, `foo@latest` might install `foo@1.2` even though `latest` is `2.0`. -This config cannot be used with: `min-release-age` +If `before` and `min-release-age` are both set in the same source, `before` +wins (an explicit absolute date overrides a relative window). Across +sources, the standard precedence applies (cli > env > project > user > +global), so a higher-priority source can always relax or override a +lower-priority one. + + #### `min-release-age` @@ -343,9 +399,11 @@ are no versions available for the current set of dependencies, the command will error. This flag is a complement to `before`, which accepts an exact date instead -of a relative number of days. - -This config cannot be used with: `before` +of a relative number of days. The two may coexist (e.g. `min-release-age` in +your `.npmrc` is preserved when npm internally spawns a sub-process with +`--before` while preparing a `git:` or `github:` dependency); when both +apply, `before` wins within a single source and across sources the standard +precedence rules apply. This value is not exported to the environment for child processes. diff --git a/deps/npm/docs/content/commands/npm-version.md b/deps/npm/docs/content/commands/npm-version.md index cd504b37b7f5eb..9016c8071f7593 100644 --- a/deps/npm/docs/content/commands/npm-version.md +++ b/deps/npm/docs/content/commands/npm-version.md @@ -229,6 +229,8 @@ The exact order of execution is as follows: 6. Run the `postversion` script. Use it to clean up the file system or automatically push the commit and/or tag. +For the `preversion`, `version` and `postversion` scripts, npm also sets the [environment variables](/using-npm/scripts#environment) `npm_old_version` and `npm_new_version`. + Take the following example: ```json diff --git a/deps/npm/docs/content/commands/npm.md b/deps/npm/docs/content/commands/npm.md index 242c61509bc1c7..ba1890149fcdd0 100644 --- a/deps/npm/docs/content/commands/npm.md +++ b/deps/npm/docs/content/commands/npm.md @@ -14,7 +14,7 @@ Note: This command is unaware of workspaces. ### Version -11.13.0 +11.16.0 ### Description diff --git a/deps/npm/docs/content/using-npm/config.md b/deps/npm/docs/content/using-npm/config.md index 96df0ae0058c69..d1167e0d14880b 100644 --- a/deps/npm/docs/content/using-npm/config.md +++ b/deps/npm/docs/content/using-npm/config.md @@ -140,7 +140,7 @@ safer to use a registry-provided authentication bearer token stored in the * Default: 'public' for new packages, existing packages it will not change the current level -* Type: null, "restricted", or "public" +* Type: null, "restricted", "public", or "private" If you do not want your scoped package to be publicly viewable (and installable) set `--access=restricted`. @@ -152,6 +152,8 @@ packages. Specifying a value of `restricted` or `public` during publish will change the access for an existing package the same way that `npm access set status` would. +The value `private` is an alias for `restricted`. + #### `all` @@ -165,6 +167,42 @@ upon by the current project. +#### `allow-directory` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any directories to be installed. `none` prevents any +directories from being installed. `root` only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like `npm view` + + + +#### `allow-file` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed. + +`all` allows any tarball file to be installed. `none` prevents any tarball +file from being installed. `root` only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like `npm view` + + + #### `allow-git` * Default: "all" @@ -173,12 +211,31 @@ upon by the current project. Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed. +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. `all` allows any git dependencies to be fetched and installed. `none` prevents any git dependencies from being fetched and installed. `root` only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like `npm view` + + + +#### `allow-remote` + +* Default: "all" +* Type: "all", "none", or "root" + +Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed. + +`all` allows any url to be installed. `none` prevents any url from being +installed. `root` only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like `npm view` @@ -193,6 +250,51 @@ to the same value as the current version. +#### `allow-scripts` + +* Default: "" +* Type: String (can be set multiple times) + +Comma-separated list of packages whose install-time lifecycle scripts +(`preinstall`, `install`, `postinstall`, and `prepare` for non-registry +dependencies) are allowed to run. + +This setting is intended for one-off and global contexts: `npm exec`, `npx`, +and `npm install -g`, where no project `package.json` is involved. For +team-wide policy in a project, use the `allowScripts` field in +`package.json` (which also supports explicit denials), or configure it in +`.npmrc`. Passing `--allow-scripts` on the command line during a +project-scoped `npm install`, `ci`, `update`, or `rebuild` is an error. + +Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. `--ignore-scripts` and +`--dangerously-allow-all-scripts` both override this setting. + + + +#### `allow-scripts-pending` + +* Default: false +* Type: Boolean + +List packages with install scripts that are not yet covered by the +`allowScripts` policy, without modifying `package.json`. Only meaningful for +`npm approve-scripts`. + + + +#### `allow-scripts-pin` + +* Default: true +* Type: Boolean + +Write pinned (`pkg@version`) entries when approving install scripts. Set to +`false` to write name-only entries that allow any version. Has no effect on +`npm deny-scripts`, which always writes name-only entries regardless of this +setting. + + + #### `audit` * Default: true @@ -240,7 +342,13 @@ If the requested version is a `dist-tag` and the given tag does not pass the will be used. For example, `foo@latest` might install `foo@1.2` even though `latest` is `2.0`. -This config cannot be used with: `min-release-age` +If `before` and `min-release-age` are both set in the same source, `before` +wins (an explicit absolute date overrides a relative window). Across +sources, the standard precedence applies (cli > env > project > user > +global), so a higher-priority source can always relax or override a +lower-priority one. + + #### `bin-links` @@ -382,6 +490,18 @@ are same as `cpu` field of package.json, which comes from `process.arch`. +#### `dangerously-allow-all-scripts` + +* Default: false +* Type: Boolean + +If `true`, bypass the `allowScripts` policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +`--ignore-scripts` still takes precedence over this setting. + + + #### `depth` * Default: `Infinity` if `--all` is set; otherwise, `0` @@ -1094,9 +1214,11 @@ are no versions available for the current set of dependencies, the command will error. This flag is a complement to `before`, which accepts an exact date instead -of a relative number of days. - -This config cannot be used with: `before` +of a relative number of days. The two may coexist (e.g. `min-release-age` in +your `.npmrc` is preserved when npm internally spawns a sub-process with +`--before` while preparing a `git:` or `github:` dependency); when both +apply, `before` wins within a single source and across sources the standard +precedence rules apply. This value is not exported to the environment for child processes. @@ -1706,6 +1828,22 @@ this to work properly. +#### `strict-allow-scripts` + +* Default: false +* Type: Boolean + +If `true`, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by `allowScripts` will fail +the install instead of running with a notice. + +Dependencies explicitly denied with `false` in `allowScripts` are always +silently skipped; this setting only affects unreviewed entries. +`--ignore-scripts` and `--dangerously-allow-all-scripts` both override this +setting. + + + #### `strict-peer-deps` * Default: false diff --git a/deps/npm/docs/content/using-npm/scripts.md b/deps/npm/docs/content/using-npm/scripts.md index 91de8f22d47f0a..dcae0c66da0e3f 100644 --- a/deps/npm/docs/content/using-npm/scripts.md +++ b/deps/npm/docs/content/using-npm/scripts.md @@ -290,6 +290,13 @@ For example, if you had `{"name":"foo", "version":"1.2.5"}` in your package.json See [`package.json`](/configuring-npm/package-json) for more on package configs. +#### versioning variables + +For versioning scripts (`preversion`, `version`, `postversion`), npm sets these environment variables: + +* `npm_old_version` - The version before being bumped +* `npm_new_version` – The version after being bumped + #### current lifecycle event Lastly, the `npm_lifecycle_event` environment variable is set to whichever stage of the cycle is being executed. diff --git a/deps/npm/docs/lib/index.js b/deps/npm/docs/lib/index.js index d7a5e83ccf5062..9779d546572930 100644 --- a/deps/npm/docs/lib/index.js +++ b/deps/npm/docs/lib/index.js @@ -151,10 +151,12 @@ const generateFlagsTable = (definitionPool) => { if (!defaultVal) { defaultVal = String(def.default) } + defaultVal = defaultVal.replace(/\n/g, ' ').trim() let typeVal = def.typeDescription || String(def.type) if (def.required) { typeVal = `${typeVal} (required)` } + typeVal = typeVal.replace(/\n/g, ' ').trim() const desc = (def.description || '').replace(/\n/g, ' ').trim() return `| ${flagsStr} | ${defaultVal} | ${typeVal} | ${desc} |` }) diff --git a/deps/npm/docs/output/commands/npm-access.html b/deps/npm/docs/output/commands/npm-access.html index 329fad79ba9d15..983b44e86a639d 100644 --- a/deps/npm/docs/output/commands/npm-access.html +++ b/deps/npm/docs/output/commands/npm-access.html @@ -186,9 +186,9 @@
-

+

npm-access - @11.13.0 + @11.16.0

Set access level on published packages
diff --git a/deps/npm/docs/output/commands/npm-adduser.html b/deps/npm/docs/output/commands/npm-adduser.html index 52fc19c7942228..8945c6ef6cb33b 100644 --- a/deps/npm/docs/output/commands/npm-adduser.html +++ b/deps/npm/docs/output/commands/npm-adduser.html @@ -186,9 +186,9 @@
-

+

npm-adduser - @11.13.0 + @11.16.0

Add a registry user account
diff --git a/deps/npm/docs/output/commands/npm-approve-scripts.html b/deps/npm/docs/output/commands/npm-approve-scripts.html new file mode 100644 index 00000000000000..1849ae8c5011c4 --- /dev/null +++ b/deps/npm/docs/output/commands/npm-approve-scripts.html @@ -0,0 +1,304 @@ + + +npm-approve-scripts + + + + + +
+
+

+ npm-approve-scripts + @11.16.0 +

+Approve install scripts for specific dependencies +
+ +
+

Table of contents

+
+
+ +

Synopsis

+
npm approve-scripts <pkg> [<pkg> ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+
+

Note: This command is unaware of workspaces.

+

Description

+

Manages the allowScripts field in your project's package.json, which +records which of your dependencies are permitted to run install scripts +(preinstall, install, postinstall, and prepare for non-registry +sources). This command is the recommended way to maintain that field.

+

In the current release, this field is advisory: install scripts still run +by default, but installs print a list of packages whose scripts have not +been reviewed. A future release will block unreviewed install scripts.

+

There are three modes:

+
npm approve-scripts <pkg> [<pkg> ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+
+

<pkg> matches every installed version of that package. By default the +command writes pinned entries (pkg@1.2.3), which keep their approval +narrowed to the specific version you reviewed. Pass --no-allow-scripts-pin to write +name-only entries that allow any future version.

+

--all approves every package with unreviewed install scripts in one go.

+

--allow-scripts-pending is read-only: it lists every package whose install scripts +are not yet covered by allowScripts, without modifying package.json.

+

approve-scripts honours the asymmetric pin rule: if you re-approve a +package whose installed version has changed, the existing pin is rewritten +to track the new installed version. Multi-version statements +(pkg@1 || 2) are left alone, since they likely capture intent that +the command cannot infer. Existing false entries always win; +approve-scripts will not silently re-allow a package you previously +denied.

+

Examples

+
# Approve all currently-installed install scripts after reviewing them
+npm approve-scripts --all
+
+# Approve specific packages, pinned to their installed version
+npm approve-scripts canvas sharp
+
+# Approve name-only (any version of this package is allowed)
+npm approve-scripts --no-allow-scripts-pin canvas
+
+# Preview which packages still need review
+npm approve-scripts --allow-scripts-pending
+
+

Configuration

+

all

+
    +
  • Default: false
    • +
  • Type: Boolean
    • +
+

When running npm outdated and npm ls, setting --all will show all +outdated or installed packages, rather than only those directly depended +upon by the current project.

+

allow-scripts-pending

+
    +
  • Default: false
    • +
  • Type: Boolean
    • +
+

List packages with install scripts that are not yet covered by the +allowScripts policy, without modifying package.json. Only meaningful for +npm approve-scripts.

+

allow-scripts-pin

+
    +
  • Default: true
    • +
  • Type: Boolean
    • +
+

Write pinned (pkg@version) entries when approving install scripts. Set to +false to write name-only entries that allow any version. Has no effect on +npm deny-scripts, which always writes name-only entries regardless of this +setting.

+

json

+
    +
  • Default: false
    • +
  • Type: Boolean
    • +
+

Whether or not to output JSON data, rather than the normal output.

+
    +
  • In npm pkg set it enables parsing set values with JSON.parse() before +saving them to your package.json.
    • +
+

Not supported by all npm commands.

+

See Also

+
+ + +
+ + + + \ No newline at end of file diff --git a/deps/npm/docs/output/commands/npm-audit.html b/deps/npm/docs/output/commands/npm-audit.html index e935f919dfd483..f018a7ae7f1c57 100644 --- a/deps/npm/docs/output/commands/npm-audit.html +++ b/deps/npm/docs/output/commands/npm-audit.html @@ -186,9 +186,9 @@
-

+

npm-audit - @11.13.0 + @11.16.0

Run a security audit
diff --git a/deps/npm/docs/output/commands/npm-bugs.html b/deps/npm/docs/output/commands/npm-bugs.html index f6eb47691c1842..45ca5bec8ef537 100644 --- a/deps/npm/docs/output/commands/npm-bugs.html +++ b/deps/npm/docs/output/commands/npm-bugs.html @@ -186,9 +186,9 @@
-

+

npm-bugs - @11.13.0 + @11.16.0

Report bugs for a package in a web browser
diff --git a/deps/npm/docs/output/commands/npm-cache.html b/deps/npm/docs/output/commands/npm-cache.html index 761f44801dcd58..0e561b39dabdaa 100644 --- a/deps/npm/docs/output/commands/npm-cache.html +++ b/deps/npm/docs/output/commands/npm-cache.html @@ -186,9 +186,9 @@
-

+

npm-cache - @11.13.0 + @11.16.0

Manipulates packages cache
diff --git a/deps/npm/docs/output/commands/npm-ci.html b/deps/npm/docs/output/commands/npm-ci.html index 8762c8463177d5..745a22ea53c966 100644 --- a/deps/npm/docs/output/commands/npm-ci.html +++ b/deps/npm/docs/output/commands/npm-ci.html @@ -186,16 +186,16 @@
-

+

npm-ci - @11.13.0 + @11.16.0

Clean install a project

Table of contents

-
+

Synopsis

@@ -333,6 +333,34 @@

ignore-scripts

npm start, npm stop, npm restart, npm test, and npm run will still run their intended script if ignore-scripts is set, but they will not run any pre- or post-scripts.

+

allow-directory

+
    +
  • Default: "all"
    • +
  • Type: "all", "none", or "root"
    • +
+

Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

+

all allows any directories to be installed. none prevents any +directories from being installed. root only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like npm view

+

allow-file

+
    +
  • Default: "all"
    • +
  • Type: "all", "none", or "root"
    • +
+

Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed.

+

all allows any tarball file to be installed. none prevents any tarball +file from being installed. root only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like npm view

allow-git

  • Default: "all"
    • @@ -341,12 +369,65 @@

    allow-git

    Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed.

    +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

    all allows any git dependencies to be fetched and installed. none prevents any git dependencies from being fetched and installed. root only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like npm view

    +

    allow-remote

    +
      +
    • Default: "all"
      • +
    • Type: "all", "none", or "root"
      • +
    +

    Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

    +

    all allows any url to be installed. none prevents any url from being +installed. root only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like npm view

    +

    allow-scripts

    +
      +
    • Default: ""
      • +
    • Type: String (can be set multiple times)
      • +
    +

    Comma-separated list of packages whose install-time lifecycle scripts +(preinstall, install, postinstall, and prepare for non-registry +dependencies) are allowed to run.

    +

    This setting is intended for one-off and global contexts: npm exec, npx, +and npm install -g, where no project package.json is involved. For +team-wide policy in a project, use the allowScripts field in +package.json (which also supports explicit denials), or configure it in +.npmrc. Passing --allow-scripts on the command line during a +project-scoped npm install, ci, update, or rebuild is an error.

    +

    Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. --ignore-scripts and +--dangerously-allow-all-scripts both override this setting.

    +

    strict-allow-scripts

    +
      +
    • Default: false
      • +
    • Type: Boolean
      • +
    +

    If true, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by allowScripts will fail +the install instead of running with a notice.

    +

    Dependencies explicitly denied with false in allowScripts are always +silently skipped; this setting only affects unreviewed entries. +--ignore-scripts and --dangerously-allow-all-scripts both override this +setting.

    +

    dangerously-allow-all-scripts

    +
      +
    • Default: false
      • +
    • Type: Boolean
      • +
    +

    If true, bypass the allowScripts policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +--ignore-scripts still takes precedence over this setting.

    audit

    • Default: true
      • diff --git a/deps/npm/docs/output/commands/npm-completion.html b/deps/npm/docs/output/commands/npm-completion.html index 8d92430c9b6822..866085f42351f5 100644 --- a/deps/npm/docs/output/commands/npm-completion.html +++ b/deps/npm/docs/output/commands/npm-completion.html @@ -186,9 +186,9 @@
      -

      +

      npm-completion - @11.13.0 + @11.16.0

      Tab Completion for npm
      diff --git a/deps/npm/docs/output/commands/npm-config.html b/deps/npm/docs/output/commands/npm-config.html index 9f23af17c2ba2a..3f9be6dedfb64a 100644 --- a/deps/npm/docs/output/commands/npm-config.html +++ b/deps/npm/docs/output/commands/npm-config.html @@ -186,9 +186,9 @@
      -

      +

      npm-config - @11.13.0 + @11.16.0

      Manage the npm configuration files
      diff --git a/deps/npm/docs/output/commands/npm-dedupe.html b/deps/npm/docs/output/commands/npm-dedupe.html index c4ded5d1e93e0e..e15165a5d00e44 100644 --- a/deps/npm/docs/output/commands/npm-dedupe.html +++ b/deps/npm/docs/output/commands/npm-dedupe.html @@ -186,16 +186,16 @@
      -

      +

      npm-dedupe - @11.13.0 + @11.16.0

      Reduce duplication in the package tree

      Table of contents

      -
      +

      Synopsis

      @@ -323,6 +323,34 @@

      ignore-scripts

      npm start, npm stop, npm restart, npm test, and npm run will still run their intended script if ignore-scripts is set, but they will not run any pre- or post-scripts.

      +

      allow-directory

      +
        +
      • Default: "all"
        • +
      • Type: "all", "none", or "root"
        • +
      +

      Limits the ability for npm to install dependencies from directories. That +is, dependencies that point to a directory instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

      +

      all allows any directories to be installed. none prevents any +directories from being installed. root only allows directories defined in +your project's package.json to be installed. Also allows directory +dependencies to be used for other commands like npm view

      +

      allow-file

      +
        +
      • Default: "all"
        • +
      • Type: "all", "none", or "root"
        • +
      +

      Limits the ability for npm to install dependencies from tarball files. That +is, dependencies that point to a local tarball file instead of a version or +semver range. Please note that this could leave your tree incomplete and +some packages may not function as intended or designed. Changing this +setting will not remove dependencies that are already installed.

      +

      all allows any tarball file to be installed. none prevents any tarball +file from being installed. root only allows tarball files defined in your +project's package.json to be installed. Also allows tarball file +dependencies to be used for other commands like npm view

      allow-git

      • Default: "all"
        • @@ -331,11 +359,26 @@

        allow-git

        Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some -packages may not function as intended or designed.

        +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

        all allows any git dependencies to be fetched and installed. none prevents any git dependencies from being fetched and installed. root only allows git dependencies defined in your project's package.json to be fetched -installed. Also allows git dependencies to be fetched for other commands +and installed. Also allows git dependencies to be fetched for other commands +like npm view

        +

        allow-remote

        +
          +
        • Default: "all"
          • +
        • Type: "all", "none", or "root"
          • +
        +

        Limits the ability for npm to fetch dependencies from urls. That is, +dependencies that point to a tarball url instead of a version or semver +range. Please note that this could leave your tree incomplete and some +packages may not function as intended or designed. Changing this setting +will not remove dependencies that are already installed.

        +

        all allows any url to be installed. none prevents any url from being +installed. root only allows urls defined in your project's package.json to +be installed. Also allows url dependencies to be used for other commands like npm view

        audit

          diff --git a/deps/npm/docs/output/commands/npm-deny-scripts.html b/deps/npm/docs/output/commands/npm-deny-scripts.html new file mode 100644 index 00000000000000..e9b18afb88b2a2 --- /dev/null +++ b/deps/npm/docs/output/commands/npm-deny-scripts.html @@ -0,0 +1,290 @@ + + +npm-deny-scripts + + + + + +
          +
          +

          + npm-deny-scripts + @11.16.0 +

          +Deny install scripts for specific dependencies +
          + +
          +

          Table of contents

          +
          +
          + +

          Synopsis

          +
          npm deny-scripts <pkg> [<pkg> ...]
+npm deny-scripts --all
+
          +

          Note: This command is unaware of workspaces.

          +

          Description

          +

          The companion command to npm approve-scripts. +Writes false entries into the allowScripts field of your project's +package.json, recording that a dependency must not run install scripts +even if a future version would otherwise be eligible.

          +

          In the current release, install scripts still run by default, so deny-scripts +only affects how installs of denied packages are reported. A future release +will block unreviewed install scripts and respect deny entries at install +time.

          +
          npm deny-scripts <pkg> [<pkg> ...]
+npm deny-scripts --all
+
          +

          <pkg> matches every installed version of that package. Denies are always +written name-only ("pkg": false), regardless of --allow-scripts-pin. Pinning a deny +to a specific version would silently re-allow scripts for any other version +of the same package, which defeats the purpose; the command picks the +safer default for you.

          +

          --all denies every package with unreviewed install scripts.

          +

          If a true (pinned or name-only) entry exists for a package and you then +deny it, the existing allow entries are removed so the name-only deny is +unambiguous.

          +

          Examples

          +
          # Deny a specific package outright
+npm deny-scripts telemetry-pkg
+
+# Deny everything that has install scripts and isn't already approved
+npm deny-scripts --all
+
          +

          Configuration

          +

          all

          +
            +
          • Default: false
            • +
          • Type: Boolean
            • +
          +

          When running npm outdated and npm ls, setting --all will show all +outdated or installed packages, rather than only those directly depended +upon by the current project.

          +

          allow-scripts-pending

          +
            +
          • Default: false
            • +
          • Type: Boolean
            • +
          +

          List packages with install scripts that are not yet covered by the +allowScripts policy, without modifying package.json. Only meaningful for +npm approve-scripts.

          +

          allow-scripts-pin

          +
            +
          • Default: true
            • +
          • Type: Boolean
            • +
          +

          Write pinned (pkg@version) entries when approving install scripts. Set to +false to write name-only entries that allow any version. Has no effect on +npm deny-scripts, which always writes name-only entries regardless of this +setting.

          +

          json

          +
            +
          • Default: false
            • +
          • Type: Boolean
            • +
          +

          Whether or not to output JSON data, rather than the normal output.

          +
            +
          • In npm pkg set it enables parsing set values with JSON.parse() before +saving them to your package.json.
            • +
          +

          Not supported by all npm commands.

          +

          See Also

          +
          + + +
          + + + + \ No newline at end of file diff --git a/deps/npm/docs/output/commands/npm-deprecate.html b/deps/npm/docs/output/commands/npm-deprecate.html index 5bc588535e092e..9bda62f1a891ca 100644 --- a/deps/npm/docs/output/commands/npm-deprecate.html +++ b/deps/npm/docs/output/commands/npm-deprecate.html @@ -186,9 +186,9 @@
          -

          +

          npm-deprecate - @11.13.0 + @11.16.0

          Deprecate a version of a package
          diff --git a/deps/npm/docs/output/commands/npm-diff.html b/deps/npm/docs/output/commands/npm-diff.html index a65a7c15e9dfd8..7b72340cb35e86 100644 --- a/deps/npm/docs/output/commands/npm-diff.html +++ b/deps/npm/docs/output/commands/npm-diff.html @@ -186,9 +186,9 @@
          -

          +

          npm-diff - @11.13.0 + @11.16.0

          The registry diff command
          diff --git a/deps/npm/docs/output/commands/npm-dist-tag.html b/deps/npm/docs/output/commands/npm-dist-tag.html index 374fcd8ceaa270..3b95fe2e3ebc7e 100644 --- a/deps/npm/docs/output/commands/npm-dist-tag.html +++ b/deps/npm/docs/output/commands/npm-dist-tag.html @@ -186,9 +186,9 @@
          -

          +

          npm-dist-tag - @11.13.0 + @11.16.0

          Modify package distribution tags
          diff --git a/deps/npm/docs/output/commands/npm-docs.html b/deps/npm/docs/output/commands/npm-docs.html index 1f445117b93cab..a12dd65697c1df 100644 --- a/deps/npm/docs/output/commands/npm-docs.html +++ b/deps/npm/docs/output/commands/npm-docs.html @@ -186,9 +186,9 @@
          -

          +

          npm-docs - @11.13.0 + @11.16.0

          Open documentation for a package in a web browser
          diff --git a/deps/npm/docs/output/commands/npm-doctor.html b/deps/npm/docs/output/commands/npm-doctor.html index b16a27077ccfd7..d9094606fa2a14 100644 --- a/deps/npm/docs/output/commands/npm-doctor.html +++ b/deps/npm/docs/output/commands/npm-doctor.html @@ -186,9 +186,9 @@
          -

          +

          npm-doctor - @11.13.0 + @11.16.0

          Check the health of your npm environment
          diff --git a/deps/npm/docs/output/commands/npm-edit.html b/deps/npm/docs/output/commands/npm-edit.html index 3660272c77fc56..a5f7d958498c21 100644 --- a/deps/npm/docs/output/commands/npm-edit.html +++ b/deps/npm/docs/output/commands/npm-edit.html @@ -186,9 +186,9 @@
          -

          +

          npm-edit - @11.13.0 + @11.16.0

          Edit an installed package
          diff --git a/deps/npm/docs/output/commands/npm-exec.html b/deps/npm/docs/output/commands/npm-exec.html index eaab3d41205b80..333fd7312a6140 100644 --- a/deps/npm/docs/output/commands/npm-exec.html +++ b/deps/npm/docs/output/commands/npm-exec.html @@ -186,16 +186,16 @@
          -

          +

          npm-exec - @11.13.0 + @11.16.0

          Run a command from a local or remote npm package

          Table of contents

          -
          +

          Synopsis

          @@ -307,6 +307,44 @@

          include-workspace-root

          all workspaces via the workspaces flag, will cause npm to operate only on the specified workspaces, and not on the root project.

          This value is not exported to the environment for child processes.

          +

          allow-scripts

          +
            +
          • Default: ""
            • +
          • Type: String (can be set multiple times)
            • +
          +

          Comma-separated list of packages whose install-time lifecycle scripts +(preinstall, install, postinstall, and prepare for non-registry +dependencies) are allowed to run.

          +

          This setting is intended for one-off and global contexts: npm exec, npx, +and npm install -g, where no project package.json is involved. For +team-wide policy in a project, use the allowScripts field in +package.json (which also supports explicit denials), or configure it in +.npmrc. Passing --allow-scripts on the command line during a +project-scoped npm install, ci, update, or rebuild is an error.

          +

          Each name is matched against a dependency's resolved identity, not against +the package's self-reported name. --ignore-scripts and +--dangerously-allow-all-scripts both override this setting.

          +

          strict-allow-scripts

          +
            +
          • Default: false
            • +
          • Type: Boolean
            • +
          +

          If true, turn the install-script policy from a warning into a hard error: +any dependency with install scripts not covered by allowScripts will fail +the install instead of running with a notice.

          +

          Dependencies explicitly denied with false in allowScripts are always +silently skipped; this setting only affects unreviewed entries. +--ignore-scripts and --dangerously-allow-all-scripts both override this +setting.

          +

          dangerously-allow-all-scripts

          +
            +
          • Default: false
            • +
          • Type: Boolean
            • +
          +

          If true, bypass the allowScripts policy entirely and run every +dependency install script regardless of whether it was approved or denied. +Intended as a migration escape hatch only; its use is strongly discouraged. +--ignore-scripts still takes precedence over this setting.

          Examples

          Run the version of tap in the local dependencies, with the provided arguments:

          $ npm exec -- tap --bail test/foo.js
diff --git a/deps/npm/docs/output/commands/npm-explain.html b/deps/npm/docs/output/commands/npm-explain.html
index bd64b49a29f4b5..feef6d1cf95315 100644
--- a/deps/npm/docs/output/commands/npm-explain.html
+++ b/deps/npm/docs/output/commands/npm-explain.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-explain
-    @11.13.0
+    @11.16.0
 
          
 Explain installed packages
 
          
diff --git a/deps/npm/docs/output/commands/npm-explore.html b/deps/npm/docs/output/commands/npm-explore.html
index aed39e77a6c4dd..0985c9bb2e8a19 100644
--- a/deps/npm/docs/output/commands/npm-explore.html
+++ b/deps/npm/docs/output/commands/npm-explore.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-explore
-    @11.13.0
+    @11.16.0
 
          
 Browse an installed package
 
          
diff --git a/deps/npm/docs/output/commands/npm-find-dupes.html b/deps/npm/docs/output/commands/npm-find-dupes.html
index bbe3222494c0b7..c013dd0db414bf 100644
--- a/deps/npm/docs/output/commands/npm-find-dupes.html
+++ b/deps/npm/docs/output/commands/npm-find-dupes.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-find-dupes
-    @11.13.0
+    @11.16.0
 
          
 Find duplication in the package tree
 
          
diff --git a/deps/npm/docs/output/commands/npm-fund.html b/deps/npm/docs/output/commands/npm-fund.html
index 85b66955b516b3..927ce09fa8cde9 100644
--- a/deps/npm/docs/output/commands/npm-fund.html
+++ b/deps/npm/docs/output/commands/npm-fund.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-fund
-    @11.13.0
+    @11.16.0
 
          
 Retrieve funding information
 
          
diff --git a/deps/npm/docs/output/commands/npm-get.html b/deps/npm/docs/output/commands/npm-get.html
index eb4bde934ce801..675a4fcecb9855 100644
--- a/deps/npm/docs/output/commands/npm-get.html
+++ b/deps/npm/docs/output/commands/npm-get.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-get
-    @11.13.0
+    @11.16.0
 
          
 Get a value from the npm configuration
 
          
diff --git a/deps/npm/docs/output/commands/npm-help-search.html b/deps/npm/docs/output/commands/npm-help-search.html
index cad8a79a483727..ba77fc89ae508a 100644
--- a/deps/npm/docs/output/commands/npm-help-search.html
+++ b/deps/npm/docs/output/commands/npm-help-search.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-help-search
-    @11.13.0
+    @11.16.0
 
          
 Search npm help documentation
 
          
diff --git a/deps/npm/docs/output/commands/npm-help.html b/deps/npm/docs/output/commands/npm-help.html
index 519fde8cf07841..5c83c72e328208 100644
--- a/deps/npm/docs/output/commands/npm-help.html
+++ b/deps/npm/docs/output/commands/npm-help.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-help
-    @11.13.0
+    @11.16.0
 
          
 Get help on npm
 
          
diff --git a/deps/npm/docs/output/commands/npm-init.html b/deps/npm/docs/output/commands/npm-init.html
index a26b848890dffd..321a462a5f0162 100644
--- a/deps/npm/docs/output/commands/npm-init.html
+++ b/deps/npm/docs/output/commands/npm-init.html
@@ -186,9 +186,9 @@
 
 
          
 
          
-
          
+
          
     npm-init
-    @11.13.0
+    @11.16.0
 
          
 Create a package.json file
 
          
diff --git a/deps/npm/docs/output/commands/npm-install-ci-test.html b/deps/npm/docs/output/commands/npm-install-ci-test.html
index bb65682760d46e..2658ecedd0efb2 100644
--- a/deps/npm/docs/output/commands/npm-install-ci-test.html
+++ b/deps/npm/docs/output/commands/npm-install-ci-test.html
@@ -186,16 +186,16 @@
 
 
          
 
          
-
          
+
          
     npm-install-ci-test
-    @11.13.0
+    @11.16.0
 
          
 Install a project with a clean slate and run tests
 
          
 
 
          
 
          Table of contents
          
-
          
+
          
 
          
 
 
          Synopsis
          
@@ -297,6 +297,34 @@ 
          ignore-scripts
          
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
          
+
          allow-directory
          
+
            
+
          • Default: "all"
            • 
+
          • Type: "all", "none", or "root"
            • 
+
          
+
          Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
          
+
          all allows any directories to be installed. none prevents any
+directories from being installed. root only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like npm view
          
+
          allow-file
          
+
            
+
          • Default: "all"
            • 
+
          • Type: "all", "none", or "root"
            • 
+
          
+
          Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
          
+
          all allows any tarball file to be installed. none prevents any tarball
+file from being installed. root only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like npm view
          
 
          allow-git
          
 
            
 
          • Default: "all"
            • 
@@ -305,12 +333,65 @@ 
            allow-git
            
 
            Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
            
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
            
 
            all allows any git dependencies to be fetched and installed. none
 prevents any git dependencies from being fetched and installed. root only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like npm view
            
+
            allow-remote
            
+
              
+
            • Default: "all"
              • 
+
            • Type: "all", "none", or "root"
              • 
+
            
+
            Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
            
+
            all allows any url to be installed. none prevents any url from being
+installed. root only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like npm view
            
+
            allow-scripts
            
+
              
+
            • Default: ""
              • 
+
            • Type: String (can be set multiple times)
              • 
+
            
+
            Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
            
+
            This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
            
+
            Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
            
+
            strict-allow-scripts
            
+
              
+
            • Default: false
              • 
+
            • Type: Boolean
              • 
+
            
+
            If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
            
+
            Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
            
+
            dangerously-allow-all-scripts
            
+
              
+
            • Default: false
              • 
+
            • Type: Boolean
              • 
+
            
+
            If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
            
 
            audit
            
 
              
 
            • Default: true
              • 
diff --git a/deps/npm/docs/output/commands/npm-install-test.html b/deps/npm/docs/output/commands/npm-install-test.html
index dff8ea97a81ae3..cda0bf383f0fe5 100644
--- a/deps/npm/docs/output/commands/npm-install-test.html
+++ b/deps/npm/docs/output/commands/npm-install-test.html
@@ -186,16 +186,16 @@
 
 
              
 
              
-
              
+
              
     npm-install-test
-    @11.13.0
+    @11.16.0
 
              
 Install package(s) and run tests
 
              
 
 
              
 
              Table of contents
              
-
              
+
              
 
              
 
 
              Synopsis
              
@@ -353,6 +353,34 @@ 
              ignore-scripts
              
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
              
+
              allow-directory
              
+
                
+
              • Default: "all"
                • 
+
              • Type: "all", "none", or "root"
                • 
+
              
+
              Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
              
+
              all allows any directories to be installed. none prevents any
+directories from being installed. root only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like npm view
              
+
              allow-file
              
+
                
+
              • Default: "all"
                • 
+
              • Type: "all", "none", or "root"
                • 
+
              
+
              Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
              
+
              all allows any tarball file to be installed. none prevents any tarball
+file from being installed. root only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like npm view
              
 
              allow-git
              
 
                
 
              • Default: "all"
                • 
@@ -361,12 +389,65 @@ 
                allow-git
                
 
                Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
                
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                
 
                all allows any git dependencies to be fetched and installed. none
 prevents any git dependencies from being fetched and installed. root only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like npm view
                
+
                allow-remote
                
+
                  
+
                • Default: "all"
                  • 
+
                • Type: "all", "none", or "root"
                  • 
+
                
+
                Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                
+
                all allows any url to be installed. none prevents any url from being
+installed. root only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like npm view
                
+
                allow-scripts
                
+
                  
+
                • Default: ""
                  • 
+
                • Type: String (can be set multiple times)
                  • 
+
                
+
                Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
                
+
                This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
                
+
                Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
                
+
                strict-allow-scripts
                
+
                  
+
                • Default: false
                  • 
+
                • Type: Boolean
                  • 
+
                
+
                If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
                
+
                Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
                
+
                dangerously-allow-all-scripts
                
+
                  
+
                • Default: false
                  • 
+
                • Type: Boolean
                  • 
+
                
+
                If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
                
 
                audit
                
 
                  
 
                • Default: true
                  • 
@@ -389,7 +470,11 @@ 
                  before
                  
 --before filter, the most recent version less than or equal to that tag
 will be used. For example, foo@latest might install foo@1.2 even though
 latest is 2.0.
                  
-
                  This config cannot be used with: min-release-age
                  
+
                  If before and min-release-age are both set in the same source, before
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
                  
 
                  min-release-age
                  
 
                    
 
                  • Default: null
                    • 
@@ -400,8 +485,11 @@ 
                    min-release-age
                    
 are no versions available for the current set of dependencies, the command
 will error.
                    
 
                    This flag is a complement to before, which accepts an exact date instead
-of a relative number of days.
                    
-
                    This config cannot be used with: before
                    
+of a relative number of days. The two may coexist (e.g. min-release-age in
+your .npmrc is preserved when npm internally spawns a sub-process with
+--before while preparing a git: or github: dependency); when both
+apply, before wins within a single source and across sources the standard
+precedence rules apply.
                    
 
                    This value is not exported to the environment for child processes.
                    
 
 
                      
diff --git a/deps/npm/docs/output/commands/npm-install.html b/deps/npm/docs/output/commands/npm-install.html
index 69d2207db9df91..c9ae37e393238c 100644
--- a/deps/npm/docs/output/commands/npm-install.html
+++ b/deps/npm/docs/output/commands/npm-install.html
@@ -186,16 +186,16 @@
 
 
                      
 
                      
-
                      
+
                      
     npm-install
-    @11.13.0
+    @11.16.0
 
                      
 Install a package
 
                      
 
 
                      
 
                      Table of contents
                      
-
                      
+
                      
 
                      
 
 
                      Synopsis
                      
@@ -628,6 +628,34 @@ 
                      ignore-scripts
                      
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
                      
+
                      allow-directory
                      
+
                        
+
                      • Default: "all"
                        • 
+
                      • Type: "all", "none", or "root"
                        • 
+
                      
+
                      Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                      
+
                      all allows any directories to be installed. none prevents any
+directories from being installed. root only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like npm view
                      
+
                      allow-file
                      
+
                        
+
                      • Default: "all"
                        • 
+
                      • Type: "all", "none", or "root"
                        • 
+
                      
+
                      Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
                      
+
                      all allows any tarball file to be installed. none prevents any tarball
+file from being installed. root only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like npm view
                      
 
                      allow-git
                      
 
                        
 
                      • Default: "all"
                        • 
@@ -636,12 +664,65 @@ 
                        allow-git
                        
 
                        Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
                        
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                        
 
                        all allows any git dependencies to be fetched and installed. none
 prevents any git dependencies from being fetched and installed. root only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like npm view
                        
+
                        allow-remote
                        
+
                          
+
                        • Default: "all"
                          • 
+
                        • Type: "all", "none", or "root"
                          • 
+
                        
+
                        Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                        
+
                        all allows any url to be installed. none prevents any url from being
+installed. root only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like npm view
                        
+
                        allow-scripts
                        
+
                          
+
                        • Default: ""
                          • 
+
                        • Type: String (can be set multiple times)
                          • 
+
                        
+
                        Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
                        
+
                        This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
                        
+
                        Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
                        
+
                        strict-allow-scripts
                        
+
                          
+
                        • Default: false
                          • 
+
                        • Type: Boolean
                          • 
+
                        
+
                        If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
                        
+
                        Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
                        
+
                        dangerously-allow-all-scripts
                        
+
                          
+
                        • Default: false
                          • 
+
                        • Type: Boolean
                          • 
+
                        
+
                        If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
                        
 
                        audit
                        
 
                          
 
                        • Default: true
                          • 
@@ -664,7 +745,11 @@ 
                          before
                          
 --before filter, the most recent version less than or equal to that tag
 will be used. For example, foo@latest might install foo@1.2 even though
 latest is 2.0.
                          
-
                          This config cannot be used with: min-release-age
                          
+
                          If before and min-release-age are both set in the same source, before
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
                          
 
                          min-release-age
                          
 
                            
 
                          • Default: null
                            • 
@@ -675,8 +760,11 @@ 
                            min-release-age
                            
 are no versions available for the current set of dependencies, the command
 will error.
                            
 
                            This flag is a complement to before, which accepts an exact date instead
-of a relative number of days.
                            
-
                            This config cannot be used with: before
                            
+of a relative number of days. The two may coexist (e.g. min-release-age in
+your .npmrc is preserved when npm internally spawns a sub-process with
+--before while preparing a git: or github: dependency); when both
+apply, before wins within a single source and across sources the standard
+precedence rules apply.
                            
 
                            This value is not exported to the environment for child processes.
                            
 
 
                              
diff --git a/deps/npm/docs/output/commands/npm-link.html b/deps/npm/docs/output/commands/npm-link.html
index aed7d7f511bfad..dcc559329dfc51 100644
--- a/deps/npm/docs/output/commands/npm-link.html
+++ b/deps/npm/docs/output/commands/npm-link.html
@@ -186,16 +186,16 @@
 
 
                              
 
                              
-
                              
+
                              
     npm-link
-    @11.13.0
+    @11.16.0
 
                              
 Symlink a package folder
 
                              
 
 
                              
 
                              Table of contents
                              
-
                              
+
                              
 
                              
 
 
                              Synopsis
                              
@@ -366,6 +366,34 @@ 
                              ignore-scripts
                              
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
                              
+
                              allow-directory
                              
+
                                
+
                              • Default: "all"
                                • 
+
                              • Type: "all", "none", or "root"
                                • 
+
                              
+
                              Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                              
+
                              all allows any directories to be installed. none prevents any
+directories from being installed. root only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like npm view
                              
+
                              allow-file
                              
+
                                
+
                              • Default: "all"
                                • 
+
                              • Type: "all", "none", or "root"
                                • 
+
                              
+
                              Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
                              
+
                              all allows any tarball file to be installed. none prevents any tarball
+file from being installed. root only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like npm view
                              
 
                              allow-git
                              
 
                                
 
                              • Default: "all"
                                • 
@@ -374,11 +402,26 @@ 
                                allow-git
                                
 
                                Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
                                
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                                
 
                                all allows any git dependencies to be fetched and installed. none
 prevents any git dependencies from being fetched and installed. root only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like npm view
                                
+
                                allow-remote
                                
+
                                  
+
                                • Default: "all"
                                  • 
+
                                • Type: "all", "none", or "root"
                                  • 
+
                                
+
                                Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                                
+
                                all allows any url to be installed. none prevents any url from being
+installed. root only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like npm view
                                
 
                                audit
                                
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-ll.html b/deps/npm/docs/output/commands/npm-ll.html
index ce891f5976b960..52f363b8b17d68 100644
--- a/deps/npm/docs/output/commands/npm-ll.html
+++ b/deps/npm/docs/output/commands/npm-ll.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-ll
-    @11.13.0
+    @11.16.0
 
                                  
 List installed packages
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-login.html b/deps/npm/docs/output/commands/npm-login.html
index a442b2e7e76669..eac37fc5a66665 100644
--- a/deps/npm/docs/output/commands/npm-login.html
+++ b/deps/npm/docs/output/commands/npm-login.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-login
-    @11.13.0
+    @11.16.0
 
                                  
 Login to a registry user account
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-logout.html b/deps/npm/docs/output/commands/npm-logout.html
index 28482bfd2a53f1..0930332b862b4d 100644
--- a/deps/npm/docs/output/commands/npm-logout.html
+++ b/deps/npm/docs/output/commands/npm-logout.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-logout
-    @11.13.0
+    @11.16.0
 
                                  
 Log out of the registry
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-ls.html b/deps/npm/docs/output/commands/npm-ls.html
index 2f5dd885004c16..cbf7f4e8208c93 100644
--- a/deps/npm/docs/output/commands/npm-ls.html
+++ b/deps/npm/docs/output/commands/npm-ls.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-ls
-    @11.13.0
+    @11.16.0
 
                                  
 List installed packages
 
                                  
@@ -209,7 +209,7 @@ 
                                  Description
                                  
 
                                  Positional arguments are name@version-range identifiers, which will limit the results to only the paths to the packages named.
 Note that nested packages will also show the paths to the specified packages.
 For example, running npm ls promzard in npm's source tree will show:
                                  
-
                                  npm@11.13.0 /path/to/npm
+
                                  npm@11.16.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-org.html b/deps/npm/docs/output/commands/npm-org.html
index 02bd129659dc32..99e8c472dc5f74 100644
--- a/deps/npm/docs/output/commands/npm-org.html
+++ b/deps/npm/docs/output/commands/npm-org.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-org
-    @11.13.0
+    @11.16.0
 
                                  
 Manage orgs
 
                                  
diff --git a/deps/npm/docs/output/commands/npm-outdated.html b/deps/npm/docs/output/commands/npm-outdated.html
index 2b4702dc5eefdd..cb154b4a234c7e 100644
--- a/deps/npm/docs/output/commands/npm-outdated.html
+++ b/deps/npm/docs/output/commands/npm-outdated.html
@@ -186,9 +186,9 @@
 
 
                                  
 
                                  
-
                                  
+
                                  
     npm-outdated
-    @11.13.0
+    @11.16.0
 
                                  
 Check for outdated packages
 
                                  
@@ -328,7 +328,11 @@ 
                                  before
                                  
 --before filter, the most recent version less than or equal to that tag
 will be used. For example, foo@latest might install foo@1.2 even though
 latest is 2.0.
                                  
-
                                  This config cannot be used with: min-release-age
                                  
+
                                  If before and min-release-age are both set in the same source, before
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
                                  
 
                                  min-release-age
                                  
 
                                    
 
                                  • Default: null
                                    • 
@@ -339,8 +343,11 @@ 
                                    min-release-age
                                    
 are no versions available for the current set of dependencies, the command
 will error.
                                    
 
                                    This flag is a complement to before, which accepts an exact date instead
-of a relative number of days.
                                    
-
                                    This config cannot be used with: before
                                    
+of a relative number of days. The two may coexist (e.g. min-release-age in
+your .npmrc is preserved when npm internally spawns a sub-process with
+--before while preparing a git: or github: dependency); when both
+apply, before wins within a single source and across sources the standard
+precedence rules apply.
                                    
 
                                    This value is not exported to the environment for child processes.
                                    
 
                                    See Also
                                    
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-owner.html b/deps/npm/docs/output/commands/npm-owner.html
index 7519b7eafa17bd..fa568741602212 100644
--- a/deps/npm/docs/output/commands/npm-owner.html
+++ b/deps/npm/docs/output/commands/npm-owner.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-owner
-    @11.13.0
+    @11.16.0
 
                                      
 Manage package owners
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-pack.html b/deps/npm/docs/output/commands/npm-pack.html
index 3290b6a50cb74f..a99ae2dba99c61 100644
--- a/deps/npm/docs/output/commands/npm-pack.html
+++ b/deps/npm/docs/output/commands/npm-pack.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-pack
-    @11.13.0
+    @11.16.0
 
                                      
 Create a tarball from a package
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-ping.html b/deps/npm/docs/output/commands/npm-ping.html
index 4fe67beb9b00a9..bd867fbd3ef12b 100644
--- a/deps/npm/docs/output/commands/npm-ping.html
+++ b/deps/npm/docs/output/commands/npm-ping.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-ping
-    @11.13.0
+    @11.16.0
 
                                      
 Ping npm registry
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-pkg.html b/deps/npm/docs/output/commands/npm-pkg.html
index 82928d2a503eae..145b47fde4e069 100644
--- a/deps/npm/docs/output/commands/npm-pkg.html
+++ b/deps/npm/docs/output/commands/npm-pkg.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-pkg
-    @11.13.0
+    @11.16.0
 
                                      
 Manages your package.json
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-prefix.html b/deps/npm/docs/output/commands/npm-prefix.html
index 6bbab9ec8b6baa..2bccd93bb26aae 100644
--- a/deps/npm/docs/output/commands/npm-prefix.html
+++ b/deps/npm/docs/output/commands/npm-prefix.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-prefix
-    @11.13.0
+    @11.16.0
 
                                      
 Display prefix
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-profile.html b/deps/npm/docs/output/commands/npm-profile.html
index a201918112143a..9e3d975aa3c2ca 100644
--- a/deps/npm/docs/output/commands/npm-profile.html
+++ b/deps/npm/docs/output/commands/npm-profile.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-profile
-    @11.13.0
+    @11.16.0
 
                                      
 Change settings on your registry profile
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-prune.html b/deps/npm/docs/output/commands/npm-prune.html
index 485ad8c114bca1..f6a356f53cc238 100644
--- a/deps/npm/docs/output/commands/npm-prune.html
+++ b/deps/npm/docs/output/commands/npm-prune.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-prune
-    @11.13.0
+    @11.16.0
 
                                      
 Remove extraneous packages
 
                                      
diff --git a/deps/npm/docs/output/commands/npm-publish.html b/deps/npm/docs/output/commands/npm-publish.html
index 9f16f9a0732631..b9c7824c8456d7 100644
--- a/deps/npm/docs/output/commands/npm-publish.html
+++ b/deps/npm/docs/output/commands/npm-publish.html
@@ -186,9 +186,9 @@
 
 
                                      
 
                                      
-
                                      
+
                                      
     npm-publish
-    @11.13.0
+    @11.16.0
 
                                      
 Publish a package
 
                                      
@@ -279,7 +279,7 @@ 
                                      access
                                      
 
                                        
 
                                      • Default: 'public' for new packages, existing packages it will not change the
 current level
                                        • 
-
                                      • Type: null, "restricted", or "public"
                                        • 
+
                                      • Type: null, "restricted", "public", or "private"
                                        • 
 
                                      
 
                                      If you do not want your scoped package to be publicly viewable (and
 installable) set --access=restricted.
                                      
@@ -287,6 +287,7 @@ 
                                      access
                                      
 
                                      Note: This defaults to not changing the current access level for existing
 packages. Specifying a value of restricted or public during publish will
 change the access for an existing package the same way that npm access set status would.
                                      
+
                                      The value private is an alias for restricted.
                                      
 
                                      dry-run
                                      
 
                                        
 
                                      • Default: false
                                        • 
diff --git a/deps/npm/docs/output/commands/npm-query.html b/deps/npm/docs/output/commands/npm-query.html
index caadf8dffcf929..efa6bd81f130f8 100644
--- a/deps/npm/docs/output/commands/npm-query.html
+++ b/deps/npm/docs/output/commands/npm-query.html
@@ -186,9 +186,9 @@
 
 
                                        
 
                                        
-
                                        
+
                                        
     npm-query
-    @11.13.0
+    @11.16.0
 
                                        
 Dependency selector query
 
                                        
diff --git a/deps/npm/docs/output/commands/npm-rebuild.html b/deps/npm/docs/output/commands/npm-rebuild.html
index 51386d3290beab..0aff44579c5075 100644
--- a/deps/npm/docs/output/commands/npm-rebuild.html
+++ b/deps/npm/docs/output/commands/npm-rebuild.html
@@ -186,16 +186,16 @@
 
 
                                        
 
                                        
-
                                        
+
                                        
     npm-rebuild
-    @11.13.0
+    @11.16.0
 
                                        
 Rebuild a package
 
                                        
 
 
                                        
 
                                        Table of contents
                                        
-
                                        
+
                                        
 
                                        
 
 
                                        Synopsis
                                        
@@ -269,6 +269,44 @@ 
                                        ignore-scripts
                                        
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
                                        
+
                                        allow-scripts
                                        
+
                                          
+
                                        • Default: ""
                                          • 
+
                                        • Type: String (can be set multiple times)
                                          • 
+
                                        
+
                                        Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
                                        
+
                                        This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
                                        
+
                                        Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
                                        
+
                                        strict-allow-scripts
                                        
+
                                          
+
                                        • Default: false
                                          • 
+
                                        • Type: Boolean
                                          • 
+
                                        
+
                                        If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
                                        
+
                                        Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
                                        
+
                                        dangerously-allow-all-scripts
                                        
+
                                          
+
                                        • Default: false
                                          • 
+
                                        • Type: Boolean
                                          • 
+
                                        
+
                                        If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
                                        
 
                                        workspace
                                        
 
                                          
 
                                        • Default:
                                          • 
diff --git a/deps/npm/docs/output/commands/npm-repo.html b/deps/npm/docs/output/commands/npm-repo.html
index 1b4db65a41f8a1..0efe01e32391d1 100644
--- a/deps/npm/docs/output/commands/npm-repo.html
+++ b/deps/npm/docs/output/commands/npm-repo.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-repo
-    @11.13.0
+    @11.16.0
 
                                          
 Open package repository page in the browser
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-restart.html b/deps/npm/docs/output/commands/npm-restart.html
index 3bfb26e5b83c35..d58d9d362a03a9 100644
--- a/deps/npm/docs/output/commands/npm-restart.html
+++ b/deps/npm/docs/output/commands/npm-restart.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-restart
-    @11.13.0
+    @11.16.0
 
                                          
 Restart a package
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-root.html b/deps/npm/docs/output/commands/npm-root.html
index f224de42549133..8f1a7319765932 100644
--- a/deps/npm/docs/output/commands/npm-root.html
+++ b/deps/npm/docs/output/commands/npm-root.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-root
-    @11.13.0
+    @11.16.0
 
                                          
 Display npm root
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-run.html b/deps/npm/docs/output/commands/npm-run.html
index c61048f31cf8e2..c234db61b936de 100644
--- a/deps/npm/docs/output/commands/npm-run.html
+++ b/deps/npm/docs/output/commands/npm-run.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-run
-    @11.13.0
+    @11.16.0
 
                                          
 Run arbitrary package scripts
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-sbom.html b/deps/npm/docs/output/commands/npm-sbom.html
index ddee5f40af3896..df30ae75770012 100644
--- a/deps/npm/docs/output/commands/npm-sbom.html
+++ b/deps/npm/docs/output/commands/npm-sbom.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-sbom
-    @11.13.0
+    @11.16.0
 
                                          
 Generate a Software Bill of Materials (SBOM)
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-search.html b/deps/npm/docs/output/commands/npm-search.html
index 5c01a0fd8bfe66..63efdaad281e8b 100644
--- a/deps/npm/docs/output/commands/npm-search.html
+++ b/deps/npm/docs/output/commands/npm-search.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-search
-    @11.13.0
+    @11.16.0
 
                                          
 Search for packages
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-set.html b/deps/npm/docs/output/commands/npm-set.html
index b5bd610f6d999a..988c341f8fee77 100644
--- a/deps/npm/docs/output/commands/npm-set.html
+++ b/deps/npm/docs/output/commands/npm-set.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-set
-    @11.13.0
+    @11.16.0
 
                                          
 Set a value in the npm configuration
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-shrinkwrap.html b/deps/npm/docs/output/commands/npm-shrinkwrap.html
index ac415a958f178d..46c96bdef91111 100644
--- a/deps/npm/docs/output/commands/npm-shrinkwrap.html
+++ b/deps/npm/docs/output/commands/npm-shrinkwrap.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-shrinkwrap
-    @11.13.0
+    @11.16.0
 
                                          
 Lock down dependency versions for publication
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-stage.html b/deps/npm/docs/output/commands/npm-stage.html
new file mode 100644
index 00000000000000..e98b5e5aca18a7
--- /dev/null
+++ b/deps/npm/docs/output/commands/npm-stage.html
@@ -0,0 +1,609 @@
+
+
+npm-stage
+
+
+
+
+
+
                                          
+
                                          
+
                                          
+    npm-stage
+    @11.16.0
+
                                          
+Stage packages for publishing
+
                                          
+
+
                                          
+
                                          Table of contents
                                          
+
                                          
+
                                          
+
+
                                          Synopsis
                                          
+
                                          npm stage
+
                                          
+
                                          Note: This command is unaware of workspaces.
                                          
+
                                          Description
                                          
+
                                          Staged publishing allows package maintainers to require proof-of-presence
+for all publishes. Proof-of-presence is where a human is involved,
+interjects, and provides authentication (2FA) during an action — in this
+case, publishing an npm package.
                                          
+
                                          Typically when maintainers use automated workflows to publish,
+proof-of-presence is lacking as there's no convenient way to interject the
+process and provide 2FA, as is the case for publishing with a granular
+access token with bypass and the trusted publishing flow. Staged publishing
+allows users to have their automated workflows stage a package without a 2FA
+prompt, deferring the act of 2FA, allowing the maintainer to approve the
+staged package and publish at a later point.
                                          
+
                                          The npm stage publish command packs the current working directory and
+places that version of the package into the registry in a state where it's
+not available for public access, allowing maintainers to approve the package
+at a later point in time. The act of staging does not prompt for 2FA and can be done with any token
+type, the act of approving will.
                                          
+
                                          Key behaviors:
                                          
+
                                            
+
                                          • Staged packages share the same semver version unique index as published
+packages — you cannot publish a version that already exists as a staged
+version for that package.
                                            • 
+
                                          • You can still publish packages normally while you have staged packages
+pending.
                                            • 
+
                                          • You can stage multiple versions of the same package.
                                            • 
+
                                          • npm stage publish has parity with npm publish and will respect
+"private": true in package.json, refusing to stage the package.
                                            • 
+
                                          
+
                                          Prerequisites
                                          
+
                                          Before using npm stage commands, ensure the following requirements are met:
                                          
+
                                            
+
                                          • Write permissions on the package: You must have write access to the
+package you're configuring.
                                            • 
+
                                          • Package must exist: The package you're configuring must already exist
+on the npm registry.
                                            • 
+
                                          • 2FA enabled on your account: Commands that require 2FA will prompt you
+to authenticate. If you don't already have 2FA enabled on your account,
+you must enable it before using these commands.
                                            • 
+
                                          
+
                                          Subcommands
                                          
+
                                            
+
                                          • npm stage publish [<package-spec>] - Stage a package for publishing
                                            • 
+
                                          • npm stage list [<package-spec>] - List all staged package versions
                                            • 
+
                                          • npm stage view <stage-id> - View details of a specific staged package
                                            • 
+
                                          • npm stage approve <stage-id> - Approve a staged package for publishing
                                            • 
+
                                          • npm stage reject <stage-id> - Reject a staged package
                                            • 
+
                                          • npm stage download <stage-id> - Download the tarball for inspection
                                            • 
+
                                          
+
                                          2FA Requirements by Subcommand
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          CommandRequires 2FANotes
                                          npm stage publishNoDesigned for automated workflows; defers 2FA to approval
                                          npm stage listNoView staged packages
                                          npm stage viewNoView staged package details
                                          npm stage approveYesPrompts for 2FA to publish the staged package
                                          npm stage rejectYesPrompts for 2FA to permanently remove the staged package
                                          npm stage downloadNoDownloads the tarball for local inspection
                                          
+
                                          Tag Behavior
                                          
+
                                          The --tag flag follows the same logic as npm publish. If no tag is
+provided, the latest tag is used by default. For pre-release versions
+(e.g., 1.0.0-beta.1) and non-latest semver versions, the tag must be
+explicitly provided — otherwise the CLI will error, just as npm publish
+would.
                                          
+
                                          The tag is an immutable property of the staged package. Once a package is
+staged with a given tag, the tag cannot be changed. If you need to stage the
+same version with a different tag, you must first reject the existing staged
+package using npm stage reject and then re-stage it with the desired tag.
                                          
+
                                          Token Behavior
                                          
+
                                          The key difference with staged publishing is that npm stage publish never
+requires a 2FA prompt, regardless of token type. This is what makes it
+suitable for automated workflows. The goal of npm stage publish is
+deferring proof-of-presence to a later point in time.
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          Token Typenpm stage publishnpm publish
                                          GAT with bypassCan stageCan publish (if allowed by package publishing access)
                                          GAT without bypassCan stage2FA prompt (if allowed by package publishing access)
                                          Session tokenCan stage2FA prompt
                                          Trust token (OIDC)Can stage (if allowed)Can publish (if allowed)
                                          
+
                                          Trust Relationship Permissions
                                          
+
                                          With staged publishing, trust relationships now support granular command
+permissions. Shortlived tokens issued through trust relationships can only be
+used with npm stage publish and npm publish. Shortlived tokens cannot run
+npm stage subcommands.
                                          
+
                                          npm trust <provider> supports --allow-publish and --allow-stage-publish
+to control which commands are available through each trust relationship.
                                          
+
                                          Best Practices
                                          
+
                                          Note: The addition of staged publishing does not make your account or org
+more secure. Maintainers must still use the best practices listed below.
                                          
+
                                            
+
                                          1. 
+
                                            Delete Granular Access Tokens (GAT) with bypass 2FA enabled.
+Now with staged publishing, we've eliminated the need for a GAT token
+that can bypass 2FA. We encourage you to delete all your tokens with
+bypass enabled and switch to using a trust relationship in your automated
+workflows, or create a GAT without bypass and use npm stage publish.
                                            
+
                                            2. 
+
                                          2. 
+
                                            Disallow tokens from publishing at the package level.
+All packages have their own access controls under "package access"
+allowing packages to be published with bypass tokens, which is no longer
+a necessity. We encourage you to select "Require two-factor
+authentication and disallow tokens (recommended)" for all your packages
+on the package access page.
                                            
+
                                            3. 
+
                                          3. 
+
                                            Configure trust relationship permissions to prevent npm publish.
+We encourage you to only enable npm stage publish on your trust
+relationships and disable npm publish.
                                            
+
                                            4. 
+
                                          
+
                                          Configuration
                                          
+
                                          npm stage publish
                                          
+
                                          Stage a package for publishing, deferring proof-of-presence (2FA) to a later point in time
                                          
+
                                          Synopsis
                                          
+
                                          npm stage publish <package-spec>
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --tag"latest"StringIf you ask npm to install a package and don't tell it a specific version,       then it will install the specified tag.        It is the tag added to the package@version specified in the        npm dist-tag add command, if no explicit tag is given.        When used by the npm diff command, this is the tag used to fetch the       tarball that will be compared with the local files by default.              If used in the npm publish command, this is the tag that will be        added to the package submitted to the registry.
                                          --access'public' for new packages, existing packages it will not change the current levelnull, "restricted", "public", or "private"If you do not want your scoped package to be publicly viewable (and     installable) set --access=restricted.      Unscoped packages cannot be set to restricted.      Note: This defaults to not changing the current access level for existing     packages.  Specifying a value of restricted or public during     publish will change the access for an existing package the same way that     npm access set status would.      The value private is an alias for restricted.
                                          --dry-runfalseBooleanIndicates that you don't want npm to make any changes and that it should       only report what it would have done.  This can be passed into any of the       commands that modify your local installation, eg, install,       update, dedupe, uninstall, as well as pack and       publish.        Note: This is NOT honored by other network related commands, eg       dist-tags, owner, etc.
                                          --otpnullnull or StringThis is a one-time password from a two-factor authenticator.  It's needed       when publishing or changing package permissions with npm access.        If not set, and a registry response fails with a challenge for a one-time       password, npm will prompt on the command line for one.
                                          --workspace, -wString (can be set multiple times)Enable running a command in the context of the configured workspaces of the       current project while filtering by running only the workspaces defined by       this configuration option.        Valid values for the workspace config are either:        * Workspace names       * Path to a workspace directory       * Path to a parent workspace directory (will result in selecting all         workspaces within that folder)        When set for the npm init command, this may be set to the folder of       a workspace which does not yet exist, to create the folder and set it       up as a brand new workspace within the project.
                                          --workspacesnullnull or BooleanSet to true to run the command in the context of all configured       workspaces.        Explicitly setting this to false will cause commands like install to       ignore workspaces altogether.       When not set explicitly:        - Commands that operate on the node_modules tree (install, update,         etc.) will link workspaces into the node_modules folder.       - Commands that do other things (test, exec, publish, etc.) will operate         on the root project, unless one or more workspaces are specified in         the workspace config.
                                          --include-workspace-rootfalseBooleanInclude the workspace root when workspaces are enabled for a command.        When false, specifying individual workspaces via the workspace config,       or all workspaces via the workspaces flag, will cause npm to operate only       on the specified workspaces, and not on the root project.
                                          --provenancefalseBooleanWhen publishing from a supported cloud CI/CD system, the package will be       publicly linked to where it was built and published from.
                                          
+
                                          npm stage list
                                          
+
                                          List all staged package versions
                                          
+
                                          Synopsis
                                          
+
                                          npm stage list [<package-spec>]
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --jsonfalseBooleanWhether or not to output JSON data, rather than the normal output.        * In npm pkg set it enables parsing set values with JSON.parse()       before saving them to your package.json.        Not supported by all npm commands.
                                          --registry"https://registry.npmjs.org/"URLThe base URL of the npm registry.
                                          
+
                                          npm stage view
                                          
+
                                          View details of a specific staged package
                                          
+
                                          Synopsis
                                          
+
                                          npm stage view <stage-id>
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --jsonfalseBooleanWhether or not to output JSON data, rather than the normal output.        * In npm pkg set it enables parsing set values with JSON.parse()       before saving them to your package.json.        Not supported by all npm commands.
                                          --registry"https://registry.npmjs.org/"URLThe base URL of the npm registry.
                                          
+
                                          npm stage approve
                                          
+
                                          Approve a staged package, publishing it to the npm registry
                                          
+
                                          Synopsis
                                          
+
                                          npm stage approve <stage-id>
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --otpnullnull or StringThis is a one-time password from a two-factor authenticator.  It's needed       when publishing or changing package permissions with npm access.        If not set, and a registry response fails with a challenge for a one-time       password, npm will prompt on the command line for one.
                                          --registry"https://registry.npmjs.org/"URLThe base URL of the npm registry.
                                          
+
                                          npm stage reject
                                          
+
                                          Reject a staged package, removing it from the registry
                                          
+
                                          Synopsis
                                          
+
                                          npm stage reject <stage-id>
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --otpnullnull or StringThis is a one-time password from a two-factor authenticator.  It's needed       when publishing or changing package permissions with npm access.        If not set, and a registry response fails with a challenge for a one-time       password, npm will prompt on the command line for one.
                                          --registry"https://registry.npmjs.org/"URLThe base URL of the npm registry.
                                          
+
                                          npm stage download
                                          
+
                                          Download the tarball of a staged package for inspection
                                          
+
                                          Synopsis
                                          
+
                                          npm stage download <stage-id>
+
                                          
+
                                          Flags
                                          
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
                                          FlagDefaultTypeDescription
                                          --jsonfalseBooleanWhether or not to output JSON data, rather than the normal output.        * In npm pkg set it enables parsing set values with JSON.parse()       before saving them to your package.json.        Not supported by all npm commands.
                                          --registry"https://registry.npmjs.org/"URLThe base URL of the npm registry.
                                          
+
                                          See Also
                                          
+
                                          
+
+
+
                                          
+
+
+
+
\ No newline at end of file
diff --git a/deps/npm/docs/output/commands/npm-star.html b/deps/npm/docs/output/commands/npm-star.html
index 977756cc679403..5ecd1df01d01d2 100644
--- a/deps/npm/docs/output/commands/npm-star.html
+++ b/deps/npm/docs/output/commands/npm-star.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-star
-    @11.13.0
+    @11.16.0
 
                                          
 Mark your favorite packages
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-stars.html b/deps/npm/docs/output/commands/npm-stars.html
index 66164fa7780b94..d4e8bb1ae9764d 100644
--- a/deps/npm/docs/output/commands/npm-stars.html
+++ b/deps/npm/docs/output/commands/npm-stars.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-stars
-    @11.13.0
+    @11.16.0
 
                                          
 View packages marked as favorites
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-start.html b/deps/npm/docs/output/commands/npm-start.html
index c5079ac37a31da..bcc5463e6ddfe3 100644
--- a/deps/npm/docs/output/commands/npm-start.html
+++ b/deps/npm/docs/output/commands/npm-start.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-start
-    @11.13.0
+    @11.16.0
 
                                          
 Start a package
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-stop.html b/deps/npm/docs/output/commands/npm-stop.html
index 92500df777600a..abbb05aa873c1d 100644
--- a/deps/npm/docs/output/commands/npm-stop.html
+++ b/deps/npm/docs/output/commands/npm-stop.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-stop
-    @11.13.0
+    @11.16.0
 
                                          
 Stop a package
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-team.html b/deps/npm/docs/output/commands/npm-team.html
index f83bbe0ee6bbe3..a1d0941e2e541b 100644
--- a/deps/npm/docs/output/commands/npm-team.html
+++ b/deps/npm/docs/output/commands/npm-team.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-team
-    @11.13.0
+    @11.16.0
 
                                          
 Manage organization teams and team memberships
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-test.html b/deps/npm/docs/output/commands/npm-test.html
index 9466dd432374db..d5fb0a1ded18a7 100644
--- a/deps/npm/docs/output/commands/npm-test.html
+++ b/deps/npm/docs/output/commands/npm-test.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-test
-    @11.13.0
+    @11.16.0
 
                                          
 Test a package
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-token.html b/deps/npm/docs/output/commands/npm-token.html
index 7b956c64d1d11e..10163668153233 100644
--- a/deps/npm/docs/output/commands/npm-token.html
+++ b/deps/npm/docs/output/commands/npm-token.html
@@ -186,9 +186,9 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-token
-    @11.13.0
+    @11.16.0
 
                                          
 Manage your authentication tokens
 
                                          
diff --git a/deps/npm/docs/output/commands/npm-trust.html b/deps/npm/docs/output/commands/npm-trust.html
index d2f7cfb44c024a..e269490efdff39 100644
--- a/deps/npm/docs/output/commands/npm-trust.html
+++ b/deps/npm/docs/output/commands/npm-trust.html
@@ -186,16 +186,16 @@
 
 
                                          
 
                                          
-
                                          
+
                                          
     npm-trust
-    @11.13.0
+    @11.16.0
 
                                          
 Manage trusted publishing relationships between packages and CI/CD providers
 
                                          
 
 
                                          
 
                                          Table of contents
                                          
-
                                          
+
                                          
 
                                          
 
 
                                          Synopsis
                                          
@@ -214,6 +214,14 @@ 
                                          Description
                                          
 
                                          For a comprehensive overview of trusted publishing, see the npm trusted publishers documentation.
                                          
 
                                          The [package] argument specifies the package name. If omitted, npm will use the name from the package.json in the current directory.
                                          
 
                                          Each trust relationship has its own set of configuration options and flags based on the OIDC claims provided by that provider. OIDC claims come from the CI/CD provider and include information such as repository name, workflow file, or environment. Since each provider's claims differ, the available flags and configuration keys are not universal—npm matches the claims supported by each provider's OIDC configuration. For specific details on which claims and flags are supported for a given provider, use npm trust <provider> --help.
                                          
+
                                          Permissions
                                          
+
                                          When creating a trust relationship, you must specify at least one permission flag to indicate which operations the trusted publisher is allowed to perform:
                                          
+
                                            
+
                                          • --allow-publish: Allows the trusted publisher to run npm publish for the package.
                                            • 
+
                                          • --allow-stage-publish: Allows the trusted publisher to run npm stage for the package. The alias --allow-staged-publish is also accepted.
                                            • 
+
                                          
+
                                          At least one of these flags is required when creating a trust configuration. You can specify both to grant both permissions.
                                          
+
                                          Provider Options
                                          
 
                                          The required options depend on the CI/CD provider you're configuring. Detailed information about each option is available in the managing trusted publisher configurations section of the npm documentation. If a provider is repository-based and the option is not provided, npm will use the repository.url field from your package.json, if available.
                                          
 
                                          Currently, the registry only supports one configuration per package. If you attempt to create a new trust relationship when one already exists, it will result in an error. To replace an existing configuration:
                                          
 
                                            
@@ -229,7 +237,7 @@ 
                                            Configuration
                                            
 
                                            npm trust github
                                            
 
                                            Create a trusted relationship between a package and GitHub Actions
                                            
 
                                            Synopsis
                                            
-
                                            npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes]
+
                                            npm trust github [package] --file [--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]
 
                                            
 
                                            Flags
                                            
 
@@ -261,6 +269,18 @@ 
                                            Flags
                                            
+
+
+
+
+
+
+
+
+
+
+
+
@@ -289,7 +309,7 @@ 
                                            Flags
                                            npm trust gitlab
                                            Create a trusted relationship between a package and GitLab CI/CD
                                            Synopsis
                                            
-
                                            npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes]
+
                                            npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]
 
                                            
 
                                            Flags
                                            
 
                                            
 
                                            CI environment name
 
                                            
 
                                            --allow-publishfalseBooleanAllow npm publish for this trusted publisher configuration
                                            --allow-stage-publish, --allow-staged-publishfalseBooleanAllow npm stage publish for this trusted publisher configuration
                                            
 --dry-run
 false
 Boolean
 
 
 
                                            
@@ -321,6 +341,18 @@ 
                                            Flags
                                            
                                             
+
+
+
+
+
+
+
+
+
+
+
+
@@ -349,7 +381,7 @@ 
                                            Flags
                                            
 
                                            npm trust circleci
                                            
 
                                            Create a trusted relationship between a package and CircleCI
                                            
 
                                            Synopsis
                                            
-
                                            npm trust circleci [package] --org-id <uuid> --project-id <uuid> --pipeline-definition-id <uuid> --vcs-origin <origin> [--context-id <uuid>...] [-y|--yes]
+
                                            npm trust circleci [package] --org-id <uuid> --project-id <uuid> --pipeline-definition-id <uuid> --vcs-origin <origin> [--context-id <uuid>...] [--allow-publish] [--allow-stage-publish] [-y|--yes]
 
                                            
 
                                            Flags
                                            
 
                                            CI environment name
 
                                            
 
                                            --allow-publishfalseBooleanAllow npm publish for this trusted publisher configuration
                                            --allow-stage-publish, --allow-staged-publishfalseBooleanAllow npm stage publish for this trusted publisher configuration
                                            
 --dry-run
 false
 Boolean
                                            
@@ -393,6 +425,18 @@ 
                                            Flags
                                            
                                             
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/deps/npm/docs/output/commands/npm-undeprecate.html b/deps/npm/docs/output/commands/npm-undeprecate.html
index f4a4530423d3f2..45fcb65deed0ac 100644
--- a/deps/npm/docs/output/commands/npm-undeprecate.html
+++ b/deps/npm/docs/output/commands/npm-undeprecate.html
@@ -186,9 +186,9 @@
 
 
                                            
 
                                            
-
                                            
+
                                            
     npm-undeprecate
-    @11.13.0
+    @11.16.0
 
                                            
 Undeprecate a version of a package
 
                                            
diff --git a/deps/npm/docs/output/commands/npm-uninstall.html b/deps/npm/docs/output/commands/npm-uninstall.html
index dbad4b89328bfa..bdeb05ee1b30f8 100644
--- a/deps/npm/docs/output/commands/npm-uninstall.html
+++ b/deps/npm/docs/output/commands/npm-uninstall.html
@@ -186,9 +186,9 @@
 
 
                                            
 
                                            
-
                                            
+
                                            
     npm-uninstall
-    @11.13.0
+    @11.16.0
 
                                            
 Remove a package
 
                                            
diff --git a/deps/npm/docs/output/commands/npm-unpublish.html b/deps/npm/docs/output/commands/npm-unpublish.html
index 2437c08a3d38b1..eec4aee8c603e7 100644
--- a/deps/npm/docs/output/commands/npm-unpublish.html
+++ b/deps/npm/docs/output/commands/npm-unpublish.html
@@ -186,9 +186,9 @@
 
 
                                            
 
                                            
-
                                            
+
                                            
     npm-unpublish
-    @11.13.0
+    @11.16.0
 
                                            
 Remove a package from the registry
 
                                            
diff --git a/deps/npm/docs/output/commands/npm-unstar.html b/deps/npm/docs/output/commands/npm-unstar.html
index 78b27c53c751dc..7d3d40d29928a3 100644
--- a/deps/npm/docs/output/commands/npm-unstar.html
+++ b/deps/npm/docs/output/commands/npm-unstar.html
@@ -186,9 +186,9 @@
 
 
                                            
 
                                            
-
                                            
+
                                            
     npm-unstar
-    @11.13.0
+    @11.16.0
 
                                            
 Remove an item from your favorite packages
 
                                            
diff --git a/deps/npm/docs/output/commands/npm-update.html b/deps/npm/docs/output/commands/npm-update.html
index 9396c8a6834ed1..1558e84ce06729 100644
--- a/deps/npm/docs/output/commands/npm-update.html
+++ b/deps/npm/docs/output/commands/npm-update.html
@@ -186,16 +186,16 @@
 
 
                                            
 
                                            
-
                                            
+
                                            
     npm-update
-    @11.13.0
+    @11.16.0
 
                                            
 Update packages
 
                                            
 
 
                                            
 
                                            Table of contents
                                            
-
                                            
+
                                            
 
                                            
 
 
                                            Synopsis
                                            
@@ -407,6 +407,44 @@ 
                                            ignore-scripts
                                            
 npm start, npm stop, npm restart, npm test, and npm run will still
 run their intended script if ignore-scripts is set, but they will not
 run any pre- or post-scripts.
                                            
+
                                            allow-scripts
                                            
+
                                              
+
                                            • Default: ""
                                              • 
+
                                            • Type: String (can be set multiple times)
                                              • 
+
                                            
+
                                            Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
                                            
+
                                            This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
                                            
+
                                            Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
                                            
+
                                            strict-allow-scripts
                                            
+
                                              
+
                                            • Default: false
                                              • 
+
                                            • Type: Boolean
                                              • 
+
                                            
+
                                            If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
                                            
+
                                            Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
                                            
+
                                            dangerously-allow-all-scripts
                                            
+
                                              
+
                                            • Default: false
                                              • 
+
                                            • Type: Boolean
                                              • 
+
                                            
+
                                            If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
                                            
 
                                            audit
                                            
 
                                              
 
                                            • Default: true
                                              • 
@@ -429,7 +467,11 @@ 
                                              before
                                              
 --before filter, the most recent version less than or equal to that tag
 will be used. For example, foo@latest might install foo@1.2 even though
 latest is 2.0.
                                              
-
                                              This config cannot be used with: min-release-age
                                              
+
                                              If before and min-release-age are both set in the same source, before
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
                                              
 
                                              min-release-age
                                              
 
                                                
 
                                              • Default: null
                                                • 
@@ -440,8 +482,11 @@ 
                                                min-release-age
                                                
 are no versions available for the current set of dependencies, the command
 will error.
                                                
 
                                                This flag is a complement to before, which accepts an exact date instead
-of a relative number of days.
                                                
-
                                                This config cannot be used with: before
                                                
+of a relative number of days. The two may coexist (e.g. min-release-age in
+your .npmrc is preserved when npm internally spawns a sub-process with
+--before while preparing a git: or github: dependency); when both
+apply, before wins within a single source and across sources the standard
+precedence rules apply.
                                                
 
                                                This value is not exported to the environment for child processes.
                                                
 
 
                                                  
diff --git a/deps/npm/docs/output/commands/npm-version.html b/deps/npm/docs/output/commands/npm-version.html
index f80e5161e98b82..4deac0758f8d5d 100644
--- a/deps/npm/docs/output/commands/npm-version.html
+++ b/deps/npm/docs/output/commands/npm-version.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npm-version
-    @11.13.0
+    @11.16.0
 
                                                  
 Bump a package version
 
                                                  
@@ -367,6 +367,7 @@ 
                                                  Description
                                                  
 
                                                • Run the postversion script.
 Use it to clean up the file system or automatically push the commit and/or tag.
                                                  • 
 
+
                                                  For the preversion, version and postversion scripts, npm also sets the environment variables npm_old_version and npm_new_version.
                                                  
 
                                                  Take the following example:
                                                  
 
                                                  {
   "scripts": {
diff --git a/deps/npm/docs/output/commands/npm-view.html b/deps/npm/docs/output/commands/npm-view.html
index 2636be46817ead..71fac734e58daa 100644
--- a/deps/npm/docs/output/commands/npm-view.html
+++ b/deps/npm/docs/output/commands/npm-view.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npm-view
-    @11.13.0
+    @11.16.0
 
                                                  
 View registry info
 
                                                  
diff --git a/deps/npm/docs/output/commands/npm-whoami.html b/deps/npm/docs/output/commands/npm-whoami.html
index 2b456c4450622d..f92bd67d1f5d55 100644
--- a/deps/npm/docs/output/commands/npm-whoami.html
+++ b/deps/npm/docs/output/commands/npm-whoami.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npm-whoami
-    @11.13.0
+    @11.16.0
 
                                                  
 Display npm username
 
                                                  
diff --git a/deps/npm/docs/output/commands/npm.html b/deps/npm/docs/output/commands/npm.html
index d9807c608a8289..52befd0760479b 100644
--- a/deps/npm/docs/output/commands/npm.html
+++ b/deps/npm/docs/output/commands/npm.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npm
-    @11.13.0
+    @11.16.0
 
                                                  
 javascript package manager
 
                                                  
@@ -203,7 +203,7 @@ 
                                                  Table of contents
                                                  
 
                                                  
 
                                                  Note: This command is unaware of workspaces.
                                                  
 
                                                  Version
                                                  
-
                                                  11.13.0
                                                  
+
                                                  11.16.0
                                                  
 
                                                  Description
                                                  
 
                                                  npm is the package manager for the Node JavaScript platform.
 It puts modules in place so that node can find them, and manages dependency conflicts intelligently.
                                                  
diff --git a/deps/npm/docs/output/commands/npx.html b/deps/npm/docs/output/commands/npx.html
index ce14ad68a0a9a9..5786f4332f3b6f 100644
--- a/deps/npm/docs/output/commands/npx.html
+++ b/deps/npm/docs/output/commands/npx.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npx
-    @11.13.0
+    @11.16.0
 
                                                  
 Run a command from a local or remote npm package
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/folders.html b/deps/npm/docs/output/configuring-npm/folders.html
index 2ebf3eb7ee4ea0..c88270a3799930 100644
--- a/deps/npm/docs/output/configuring-npm/folders.html
+++ b/deps/npm/docs/output/configuring-npm/folders.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     Folders
-    @11.13.0
+    @11.16.0
 
                                                  
 Folder structures used by npm
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/install.html b/deps/npm/docs/output/configuring-npm/install.html
index 1c928d1e45ad9b..cb308af4d962a9 100644
--- a/deps/npm/docs/output/configuring-npm/install.html
+++ b/deps/npm/docs/output/configuring-npm/install.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     Install
-    @11.13.0
+    @11.16.0
 
                                                  
 Download and install node and npm
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/npm-global.html b/deps/npm/docs/output/configuring-npm/npm-global.html
index 2ebf3eb7ee4ea0..c88270a3799930 100644
--- a/deps/npm/docs/output/configuring-npm/npm-global.html
+++ b/deps/npm/docs/output/configuring-npm/npm-global.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     Folders
-    @11.13.0
+    @11.16.0
 
                                                  
 Folder structures used by npm
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/npm-json.html b/deps/npm/docs/output/configuring-npm/npm-json.html
index b7b4f7545043b0..057c119042240f 100644
--- a/deps/npm/docs/output/configuring-npm/npm-json.html
+++ b/deps/npm/docs/output/configuring-npm/npm-json.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     package.json
-    @11.13.0
+    @11.16.0
 
                                                  
 Specifics of npm's package.json handling
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html b/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
index 5205dd37e7dbae..2c585ff171c2c7 100644
--- a/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
+++ b/deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     npm-shrinkwrap.json
-    @11.13.0
+    @11.16.0
 
                                                  
 A publishable lockfile
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/npmrc.html b/deps/npm/docs/output/configuring-npm/npmrc.html
index 0980887d978241..c90a8b19c6be09 100644
--- a/deps/npm/docs/output/configuring-npm/npmrc.html
+++ b/deps/npm/docs/output/configuring-npm/npmrc.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     .npmrc
-    @11.13.0
+    @11.16.0
 
                                                  
 The npm config files
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/package-json.html b/deps/npm/docs/output/configuring-npm/package-json.html
index b7b4f7545043b0..057c119042240f 100644
--- a/deps/npm/docs/output/configuring-npm/package-json.html
+++ b/deps/npm/docs/output/configuring-npm/package-json.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     package.json
-    @11.13.0
+    @11.16.0
 
                                                  
 Specifics of npm's package.json handling
 
                                                  
diff --git a/deps/npm/docs/output/configuring-npm/package-lock-json.html b/deps/npm/docs/output/configuring-npm/package-lock-json.html
index 9cefaff6c908e1..64a2dbb13601d2 100644
--- a/deps/npm/docs/output/configuring-npm/package-lock-json.html
+++ b/deps/npm/docs/output/configuring-npm/package-lock-json.html
@@ -186,9 +186,9 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     package-lock.json
-    @11.13.0
+    @11.16.0
 
                                                  
 A manifestation of the manifest
 
                                                  
diff --git a/deps/npm/docs/output/using-npm/config.html b/deps/npm/docs/output/using-npm/config.html
index 83655e009e7117..687d077639eda6 100644
--- a/deps/npm/docs/output/using-npm/config.html
+++ b/deps/npm/docs/output/using-npm/config.html
@@ -186,16 +186,16 @@
 
 
                                                  
 
                                                  
-
                                                  
+
                                                  
     Config
-    @11.13.0
+    @11.16.0
 
                                                  
 About npm configuration
 
                                                  
 
 
                                                  
 
                                                  Table of contents
                                                  
-
                                                  
+
                                                  
 
                                                  
 
 
                                                  Description
                                                  
@@ -307,7 +307,7 @@ 
                                                  access
                                                  
 
                                                    
 
                                                  • Default: 'public' for new packages, existing packages it will not change the
 current level
                                                    • 
-
                                                  • Type: null, "restricted", or "public"
                                                    • 
+
                                                  • Type: null, "restricted", "public", or "private"
                                                    • 
 
                                                  
 
                                                  If you do not want your scoped package to be publicly viewable (and
 installable) set --access=restricted.
                                                  
@@ -315,6 +315,7 @@ 
                                                  access
                                                  
 
                                                  Note: This defaults to not changing the current access level for existing
 packages. Specifying a value of restricted or public during publish will
 change the access for an existing package the same way that npm access set status would.
                                                  
+
                                                  The value private is an alias for restricted.
                                                  
 
                                                  all
                                                  
 
                                                    
 
                                                  • Default: false
                                                    • 
@@ -323,6 +324,34 @@ 
                                                    all
                                                    
 
                                                    When running npm outdated and npm ls, setting --all will show all
 outdated or installed packages, rather than only those directly depended
 upon by the current project.
                                                    
+
                                                    allow-directory
                                                    
+
                                                      
+
                                                    • Default: "all"
                                                      • 
+
                                                    • Type: "all", "none", or "root"
                                                      • 
+
                                                    
+
                                                    Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                                                    
+
                                                    all allows any directories to be installed. none prevents any
+directories from being installed. root only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like npm view
                                                    
+
                                                    allow-file
                                                    
+
                                                      
+
                                                    • Default: "all"
                                                      • 
+
                                                    • Type: "all", "none", or "root"
                                                      • 
+
                                                    
+
                                                    Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
                                                    
+
                                                    all allows any tarball file to be installed. none prevents any tarball
+file from being installed. root only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like npm view
                                                    
 
                                                    allow-git
                                                    
 
                                                      
 
                                                    • Default: "all"
                                                      • 
@@ -331,11 +360,26 @@ 
                                                      allow-git
                                                      
 
                                                      Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
                                                      
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                                                      
 
                                                      all allows any git dependencies to be fetched and installed. none
 prevents any git dependencies from being fetched and installed. root only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like npm view
                                                      
+
                                                      allow-remote
                                                      
+
                                                        
+
                                                      • Default: "all"
                                                        • 
+
                                                      • Type: "all", "none", or "root"
                                                        • 
+
                                                      
+
                                                      Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
                                                      
+
                                                      all allows any url to be installed. none prevents any url from being
+installed. root only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like npm view
                                                      
 
                                                      allow-same-version
                                                      
 
                                                        
@@ -344,6 +388,40 @@ 
                                                        allow-same-version
                                                        
 
                                                      
 
                                                      Prevents throwing an error when npm version is used to set the new version
 to the same value as the current version.
                                                      
+
                                                      allow-scripts
                                                      
+
                                                        
+
                                                      • Default: ""
                                                        • 
+
                                                      • Type: String (can be set multiple times)
                                                        • 
+
                                                      
+
                                                      Comma-separated list of packages whose install-time lifecycle scripts
+(preinstall, install, postinstall, and prepare for non-registry
+dependencies) are allowed to run.
                                                      
+
                                                      This setting is intended for one-off and global contexts: npm exec, npx,
+and npm install -g, where no project package.json is involved. For
+team-wide policy in a project, use the allowScripts field in
+package.json (which also supports explicit denials), or configure it in
+.npmrc. Passing --allow-scripts on the command line during a
+project-scoped npm install, ci, update, or rebuild is an error.
                                                      
+
                                                      Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. --ignore-scripts and
+--dangerously-allow-all-scripts both override this setting.
                                                      
+
                                                      allow-scripts-pending
                                                      
+
                                                        
+
                                                      • Default: false
                                                        • 
+
                                                      • Type: Boolean
                                                        • 
+
                                                      
+
                                                      List packages with install scripts that are not yet covered by the
+allowScripts policy, without modifying package.json. Only meaningful for
+npm approve-scripts.
                                                      
+
                                                      allow-scripts-pin
                                                      
+
                                                        
+
                                                      • Default: true
                                                        • 
+
                                                      • Type: Boolean
                                                        • 
+
                                                      
+
                                                      Write pinned (pkg@version) entries when approving install scripts. Set to
+false to write name-only entries that allow any version. Has no effect on
+npm deny-scripts, which always writes name-only entries regardless of this
+setting.
                                                      
 
                                                      audit
                                                      
 
                                                        
 
                                                      • Default: true
                                                        • 
@@ -380,7 +458,11 @@ 
                                                        before
                                                        
 --before filter, the most recent version less than or equal to that tag
 will be used. For example, foo@latest might install foo@1.2 even though
 latest is 2.0.
                                                        
-
                                                        This config cannot be used with: min-release-age
                                                        
+
                                                        If before and min-release-age are both set in the same source, before
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
                                                        
 
 
                                                          
 
                                                        • Default: true
                                                          • 
@@ -476,6 +558,15 @@ 
                                                          cpu
                                                          
 
                                                        
 
                                                        Override CPU architecture of native modules to install. Acceptable values
 are same as cpu field of package.json, which comes from process.arch.
                                                        
+
                                                        dangerously-allow-all-scripts
                                                        
+
                                                          
+
                                                        • Default: false
                                                          • 
+
                                                        • Type: Boolean
                                                          • 
+
                                                        
+
                                                        If true, bypass the allowScripts policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+--ignore-scripts still takes precedence over this setting.
                                                        
 
                                                        depth
                                                        
 
                                                          
 
                                                        • Default: Infinity if --all is set; otherwise, 0
                                                          • 
@@ -990,8 +1081,11 @@ 
                                                          min-release-age
                                                          
 are no versions available for the current set of dependencies, the command
 will error.
                                                          
 
                                                          This flag is a complement to before, which accepts an exact date instead
-of a relative number of days.
                                                          
-
                                                          This config cannot be used with: before
                                                          
+of a relative number of days. The two may coexist (e.g. min-release-age in
+your .npmrc is preserved when npm internally spawns a sub-process with
+--before while preparing a git: or github: dependency); when both
+apply, before wins within a single source and across sources the standard
+precedence rules apply.
                                                          
 
                                                          This value is not exported to the environment for child processes.
                                                          
 
                                                          name
                                                          
 
                                                            
@@ -1419,6 +1513,18 @@ 
                                                            sign-git-tag
                                                            
 -s to add a signature.
                                                            
 
                                                            Note that git requires you to have set up GPG keys in your git configs for
 this to work properly.
                                                            
+
                                                            strict-allow-scripts
                                                            
+
                                                              
+
                                                            • Default: false
                                                              • 
+
                                                            • Type: Boolean
                                                              • 
+
                                                            
+
                                                            If true, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by allowScripts will fail
+the install instead of running with a notice.
                                                            
+
                                                            Dependencies explicitly denied with false in allowScripts are always
+silently skipped; this setting only affects unreviewed entries.
+--ignore-scripts and --dangerously-allow-all-scripts both override this
+setting.
                                                            
 
                                                            strict-peer-deps
                                                            
 
                                                              
 
                                                            • Default: false
                                                              • 
diff --git a/deps/npm/docs/output/using-npm/dependency-selectors.html b/deps/npm/docs/output/using-npm/dependency-selectors.html
index 35ad12b72bacd2..da260de09888ec 100644
--- a/deps/npm/docs/output/using-npm/dependency-selectors.html
+++ b/deps/npm/docs/output/using-npm/dependency-selectors.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Dependency Selectors
-    @11.13.0
+    @11.16.0
 
                                                              
 Dependency Selector Syntax & Querying
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/developers.html b/deps/npm/docs/output/using-npm/developers.html
index 45ef5924245796..9f8825dccd2dda 100644
--- a/deps/npm/docs/output/using-npm/developers.html
+++ b/deps/npm/docs/output/using-npm/developers.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Developers
-    @11.13.0
+    @11.16.0
 
                                                              
 Developer guide
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/logging.html b/deps/npm/docs/output/using-npm/logging.html
index c34d3d7c8f32fd..675c116ed70c64 100644
--- a/deps/npm/docs/output/using-npm/logging.html
+++ b/deps/npm/docs/output/using-npm/logging.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Logging
-    @11.13.0
+    @11.16.0
 
                                                              
 Why, What & How we Log
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/orgs.html b/deps/npm/docs/output/using-npm/orgs.html
index 7beb2e2cd5e0c2..4da8761b61ffca 100644
--- a/deps/npm/docs/output/using-npm/orgs.html
+++ b/deps/npm/docs/output/using-npm/orgs.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Organizations
-    @11.13.0
+    @11.16.0
 
                                                              
 Working with teams & organizations
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/package-spec.html b/deps/npm/docs/output/using-npm/package-spec.html
index e75963512474ca..b682f1889687a2 100644
--- a/deps/npm/docs/output/using-npm/package-spec.html
+++ b/deps/npm/docs/output/using-npm/package-spec.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Package spec
-    @11.13.0
+    @11.16.0
 
                                                              
 Package name specifier
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/registry.html b/deps/npm/docs/output/using-npm/registry.html
index 54d3618031c5c3..e6efaed669f708 100644
--- a/deps/npm/docs/output/using-npm/registry.html
+++ b/deps/npm/docs/output/using-npm/registry.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Registry
-    @11.13.0
+    @11.16.0
 
                                                              
 The JavaScript Package Registry
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/removal.html b/deps/npm/docs/output/using-npm/removal.html
index 068f758e2e872f..0d58d278fa6f8f 100644
--- a/deps/npm/docs/output/using-npm/removal.html
+++ b/deps/npm/docs/output/using-npm/removal.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Removal
-    @11.13.0
+    @11.16.0
 
                                                              
 Cleaning the slate
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/scope.html b/deps/npm/docs/output/using-npm/scope.html
index 26a0718f94a470..4004c513323c3b 100644
--- a/deps/npm/docs/output/using-npm/scope.html
+++ b/deps/npm/docs/output/using-npm/scope.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Scope
-    @11.13.0
+    @11.16.0
 
                                                              
 Scoped packages
 
                                                              
diff --git a/deps/npm/docs/output/using-npm/scripts.html b/deps/npm/docs/output/using-npm/scripts.html
index dc8aed1c724c2c..15ca8072c3450f 100644
--- a/deps/npm/docs/output/using-npm/scripts.html
+++ b/deps/npm/docs/output/using-npm/scripts.html
@@ -186,16 +186,16 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Scripts
-    @11.13.0
+    @11.16.0
 
                                                              
 How npm handles the "scripts" field
 
                                                              
 
 
                                                              
 
                                                              Table of contents
                                                              
-
                                                              
+
                                                              
 
                                                              
 
 
                                                              Description
                                                              
@@ -459,6 +459,12 @@ 
                                                              package.json vars
                                                              
 
                                                              For example, if you had {"name":"foo", "version":"1.2.5"} in your package.json file, then your package scripts would have the npm_package_name environment variable set to "foo", and the npm_package_version set to "1.2.5". You can access these variables in your code with process.env.npm_package_name and process.env.npm_package_version.
                                                              
 
                                                              Note: In npm 7 and later, most package.json fields are no longer provided as environment variables. Scripts that need access to other package.json fields should read the package.json file directly. The npm_package_json environment variable provides the path to the file for this purpose.
                                                              
 
                                                              See package.json for more on package configs.
                                                              
+
                                                              versioning variables
                                                              
+
                                                              For versioning scripts (preversion, version, postversion), npm sets these environment variables:
                                                              
+
                                                                
+
                                                              • npm_old_version - The version before being bumped
                                                                • 
+
                                                              • npm_new_version – The version after being bumped
                                                                • 
+
                                                              
 
                                                              current lifecycle event
                                                              
 
                                                              Lastly, the npm_lifecycle_event environment variable is set to whichever stage of the cycle is being executed.
 So, you could have a single script used for different parts of the process which switches based on what's currently happening.
                                                              
diff --git a/deps/npm/docs/output/using-npm/workspaces.html b/deps/npm/docs/output/using-npm/workspaces.html
index af84abf262b3db..a544b68ce46c23 100644
--- a/deps/npm/docs/output/using-npm/workspaces.html
+++ b/deps/npm/docs/output/using-npm/workspaces.html
@@ -186,9 +186,9 @@
 
 
                                                              
 
                                                              
-
                                                              
+
                                                              
     Workspaces
-    @11.13.0
+    @11.16.0
 
                                                              
 Working with workspaces
 
                                                              
diff --git a/deps/npm/lib/commands/approve-scripts.js b/deps/npm/lib/commands/approve-scripts.js
new file mode 100644
index 00000000000000..929c692112f16c
--- /dev/null
+++ b/deps/npm/lib/commands/approve-scripts.js
@@ -0,0 +1,10 @@
+const AllowScriptsCmd = require('../utils/allow-scripts-cmd.js')
+
+class ApproveScripts extends AllowScriptsCmd {
+  static description = 'Approve install scripts for specific dependencies'
+  static name = 'approve-scripts'
+  static usage = [' [ ...]', '--all', '--allow-scripts-pending']
+  static verb = 'approve'
+}
+
+module.exports = ApproveScripts
diff --git a/deps/npm/lib/commands/ci.js b/deps/npm/lib/commands/ci.js
index f6c97aea30f70a..e82438543295a1 100644
--- a/deps/npm/lib/commands/ci.js
+++ b/deps/npm/lib/commands/ci.js
@@ -1,4 +1,6 @@
 const reifyFinish = require('../utils/reify-finish.js')
+const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
+const strictAllowScriptsPreflight = require('../utils/strict-allow-scripts-preflight.js')
 const runScript = require('@npmcli/run-script')
 const fs = require('node:fs/promises')
 const path = require('node:path')
@@ -21,7 +23,13 @@ class CI extends ArboristWorkspaceCmd {
     'strict-peer-deps',
     'foreground-scripts',
     'ignore-scripts',
+    'allow-directory',
+    'allow-file',
     'allow-git',
+    'allow-remote',
+    'allow-scripts',
+    'strict-allow-scripts',
+    'dangerously-allow-all-scripts',
     'audit',
     'bin-links',
     'fund',
@@ -40,12 +48,14 @@ class CI extends ArboristWorkspaceCmd {
     const ignoreScripts = this.npm.config.get('ignore-scripts')
     const where = this.npm.prefix
     const Arborist = require('@npmcli/arborist')
+    const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
     const opts = {
       ...this.npm.flatOptions,
       packageLock: true, // npm ci should never skip lock files
       path: where,
       save: false, // npm ci should never modify the lockfile or package.json
       workspaces: this.workspaceNames,
+      allowScripts: allowScriptsPolicy,
     }
 
     // generate an inventory from the virtual tree in the lockfile
@@ -66,6 +76,7 @@ class CI extends ArboristWorkspaceCmd {
     // We need a new one because the virtual tree fromt the lockfile can have extraneous dependencies in it that won't install on this platform
     const arb = new Arborist(opts)
     await arb.buildIdealTree()
+    await strictAllowScriptsPreflight({ arb, npm: this.npm, idealTreeOpts: opts })
 
     // Verifies that the packages from the ideal tree will match the same versions that are present in the virtual tree (lock file).
     const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
diff --git a/deps/npm/lib/commands/config.js b/deps/npm/lib/commands/config.js
index 015850c48304a6..0a8b84aba2666d 100644
--- a/deps/npm/lib/commands/config.js
+++ b/deps/npm/lib/commands/config.js
@@ -5,7 +5,7 @@ const { EOL } = require('node:os')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const pkgJson = require('@npmcli/package-json')
 const { defaults, definitions, nerfDarts, proxyEnv } = require('@npmcli/config/lib/definitions')
-const { log, output } = require('proc-log')
+const { log, output, input } = require('proc-log')
 const BaseCommand = require('../base-cmd.js')
 const { redact } = require('@npmcli/redact')
 
@@ -266,7 +266,7 @@ ${defData}
 `.split('\n').join(EOL)
     await mkdir(dirname(file), { recursive: true })
     await writeFile(file, tmpData, 'utf8')
-    await new Promise((res, rej) => {
+    await input.start(() => new Promise((res, rej) => {
       const [bin, ...args] = e.split(/\s+/)
       const editor = spawn(bin, [...args, file], { stdio: 'inherit' })
       editor.on('exit', (code) => {
@@ -275,7 +275,7 @@ ${defData}
         }
         return res()
       })
-    })
+    }))
   }
 
   async fix () {
diff --git a/deps/npm/lib/commands/dedupe.js b/deps/npm/lib/commands/dedupe.js
index a931cabd646043..347031b60a78a6 100644
--- a/deps/npm/lib/commands/dedupe.js
+++ b/deps/npm/lib/commands/dedupe.js
@@ -14,7 +14,10 @@ class Dedupe extends ArboristWorkspaceCmd {
     'omit',
     'include',
     'ignore-scripts',
+    'allow-directory',
+    'allow-file',
     'allow-git',
+    'allow-remote',
     'audit',
     'bin-links',
     'fund',
diff --git a/deps/npm/lib/commands/deny-scripts.js b/deps/npm/lib/commands/deny-scripts.js
new file mode 100644
index 00000000000000..53b0cdd3cc50a6
--- /dev/null
+++ b/deps/npm/lib/commands/deny-scripts.js
@@ -0,0 +1,10 @@
+const AllowScriptsCmd = require('../utils/allow-scripts-cmd.js')
+
+class DenyScripts extends AllowScriptsCmd {
+  static description = 'Deny install scripts for specific dependencies'
+  static name = 'deny-scripts'
+  static usage = [' [ ...]', '--all']
+  static verb = 'deny'
+}
+
+module.exports = DenyScripts
diff --git a/deps/npm/lib/commands/edit.js b/deps/npm/lib/commands/edit.js
index 1140c59efa3e40..0b1a200264d982 100644
--- a/deps/npm/lib/commands/edit.js
+++ b/deps/npm/lib/commands/edit.js
@@ -1,6 +1,7 @@
 const { resolve } = require('node:path')
 const { lstat } = require('node:fs/promises')
 const cp = require('node:child_process')
+const { input } = require('proc-log')
 const completion = require('../utils/installed-shallow.js')
 const BaseCommand = require('../base-cmd.js')
 
@@ -46,16 +47,17 @@ class Edit extends BaseCommand {
     const dir = resolve(this.npm.dir, path)
 
     await lstat(dir)
-    await new Promise((res, rej) => {
+    await input.start(() => new Promise((res, rej) => {
       const [bin, ...spawnArgs] = this.npm.config.get('editor').split(/\s+/)
       const editor = cp.spawn(bin, [...spawnArgs, dir], { stdio: 'inherit' })
-      editor.on('exit', async (code) => {
+      editor.on('exit', (code) => {
         if (code) {
           return rej(new Error(`editor process exited with code: ${code}`))
         }
-        await this.npm.exec('rebuild', [dir]).then(res).catch(rej)
+        res()
       })
-    })
+    }))
+    await this.npm.exec('rebuild', [dir])
   }
 }
 
diff --git a/deps/npm/lib/commands/exec.js b/deps/npm/lib/commands/exec.js
index 5b1d117889a1ee..23c47a0cc1ad77 100644
--- a/deps/npm/lib/commands/exec.js
+++ b/deps/npm/lib/commands/exec.js
@@ -1,5 +1,6 @@
 const { resolve } = require('node:path')
 const libexec = require('libnpmexec')
+const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
 const BaseCommand = require('../base-cmd.js')
 
 class Exec extends BaseCommand {
@@ -10,6 +11,9 @@ class Exec extends BaseCommand {
     'workspace',
     'workspaces',
     'include-workspace-root',
+    'allow-scripts',
+    'strict-allow-scripts',
+    'dangerously-allow-all-scripts',
   ]
 
   static name = 'exec'
@@ -74,8 +78,16 @@ class Exec extends BaseCommand {
       throw this.usageError()
     }
 
+    // Resolve the install-script policy from the user/global .npmrc layer
+    // only. The RFC requires exec/npx to ignore any project
+    // package.json#allowScripts; CLI flags still apply.
+    const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm, {
+      skipProjectConfig: true,
+    })
+
     return libexec({
       ...flatOptions,
+      allowScripts: allowScriptsPolicy,
       // we explicitly set packageLockOnly to false because if it's true when we try to install a missing package, we won't actually install it
       packageLockOnly: false,
       // what the user asked to run args[0] is run by default
diff --git a/deps/npm/lib/commands/install.js b/deps/npm/lib/commands/install.js
index 5970fddfdfe4fa..0bc3591d4af731 100644
--- a/deps/npm/lib/commands/install.js
+++ b/deps/npm/lib/commands/install.js
@@ -5,6 +5,8 @@ const runScript = require('@npmcli/run-script')
 const pacote = require('pacote')
 const checks = require('npm-install-checks')
 const reifyFinish = require('../utils/reify-finish.js')
+const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
+const strictAllowScriptsPreflight = require('../utils/strict-allow-scripts-preflight.js')
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
 
 class Install extends ArboristWorkspaceCmd {
@@ -27,7 +29,13 @@ class Install extends ArboristWorkspaceCmd {
     'package-lock-only',
     'foreground-scripts',
     'ignore-scripts',
+    'allow-directory',
+    'allow-file',
     'allow-git',
+    'allow-remote',
+    'allow-scripts',
+    'strict-allow-scripts',
+    'dangerously-allow-all-scripts',
     'audit',
     'before',
     'min-release-age',
@@ -135,14 +143,17 @@ class Install extends ArboristWorkspaceCmd {
     }
 
     const Arborist = require('@npmcli/arborist')
+    const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
     const opts = {
       ...this.npm.flatOptions,
       auditLevel: null,
       path: where,
       add: args,
       workspaces: this.workspaceNames,
+      allowScripts: allowScriptsPolicy,
     }
     const arb = new Arborist(opts)
+    await strictAllowScriptsPreflight({ arb, npm: this.npm, idealTreeOpts: opts })
     await arb.reify(opts)
 
     if (!args.length && !isGlobalInstall && !ignoreScripts) {
diff --git a/deps/npm/lib/commands/link.js b/deps/npm/lib/commands/link.js
index e166a0051299a7..ca656ad18f5ca0 100644
--- a/deps/npm/lib/commands/link.js
+++ b/deps/npm/lib/commands/link.js
@@ -25,7 +25,10 @@ class Link extends ArboristWorkspaceCmd {
     'omit',
     'include',
     'ignore-scripts',
+    'allow-directory',
+    'allow-file',
     'allow-git',
+    'allow-remote',
     'audit',
     'bin-links',
     'fund',
diff --git a/deps/npm/lib/commands/outdated.js b/deps/npm/lib/commands/outdated.js
index 9140cdbc9fea51..882ad2cc9d28a2 100644
--- a/deps/npm/lib/commands/outdated.js
+++ b/deps/npm/lib/commands/outdated.js
@@ -31,6 +31,7 @@ class Outdated extends ArboristWorkspaceCmd {
     'global',
     'workspace',
     'before',
+    'min-release-age',
   ]
 
   #tree
diff --git a/deps/npm/lib/commands/publish.js b/deps/npm/lib/commands/publish.js
index 98478ae1e95f1d..450c51858ba017 100644
--- a/deps/npm/lib/commands/publish.js
+++ b/deps/npm/lib/commands/publish.js
@@ -1,4 +1,4 @@
-const { log, output } = require('proc-log')
+const { log, output, META } = require('proc-log')
 const semver = require('semver')
 const pack = require('libnpmpack')
 const libpub = require('libnpmpublish').publish
@@ -14,11 +14,17 @@ const { getContents, logTar } = require('../utils/tar.js')
 const { flatten } = require('@npmcli/config/lib/definitions')
 const pkgJson = require('@npmcli/package-json')
 const BaseCommand = require('../base-cmd.js')
-const { oidc } = require('../../lib/utils/oidc.js')
+const { oidc } = require('../utils/oidc.js')
 
 class Publish extends BaseCommand {
   static description = 'Publish a package'
   static name = 'publish'
+  static stage = false
+
+  get isStage () {
+    return this.constructor.stage
+  }
+
   static params = [
     'tag',
     'access',
@@ -60,13 +66,17 @@ class Publish extends BaseCommand {
         if (err.code !== 'EPRIVATE') {
           throw err
         }
-        log.warn('publish', `Skipping workspace ${this.npm.chalk.cyan(name)}, marked as ${this.npm.chalk.bold('private')}`)
+        log.warn(this.#command, `Skipping workspace ${this.npm.chalk.cyan(name)}, marked as ${this.npm.chalk.bold('private')}`)
       }
     }
   }
 
+  get #command () {
+    return this.isStage ? 'stage' : 'publish'
+  }
+
   async #publish (args, { workspace } = {}) {
-    log.verbose('publish', replaceInfo(args))
+    log.verbose(this.#command, replaceInfo(args))
 
     const unicode = this.npm.config.get('unicode')
     const dryRun = this.npm.config.get('dry-run')
@@ -138,7 +148,6 @@ class Publish extends BaseCommand {
     const noCreds = !(creds.token || creds.username || creds.certfile && creds.keyfile)
     const outputRegistry = replaceInfo(registry)
 
-    // if a workspace package is marked private then we skip it
     if (workspace && manifest.private) {
       throw Object.assign(
         new Error(`This package has been marked as private
@@ -150,7 +159,7 @@ class Publish extends BaseCommand {
     if (noCreds) {
       const msg = `This command requires you to be logged in to ${outputRegistry}`
       if (dryRun) {
-        log.warn('', `${msg} (dry-run)`)
+        log.warn(this.#command, `${msg} (dry-run)`)
       } else {
         throw Object.assign(new Error(msg), { code: 'ENEEDAUTH' })
       }
@@ -171,20 +180,36 @@ class Publish extends BaseCommand {
     }
 
     const access = opts.access === null ? 'default' : opts.access
-    let msg = `Publishing to ${outputRegistry} with tag ${defaultTag} and ${access} access`
+    const verb = this.isStage ? 'Staging' : 'Publishing'
+    let msg = `${verb} to ${outputRegistry} with tag ${defaultTag} and ${access} access`
     if (dryRun) {
       msg = `${msg} (dry-run)`
     }
 
     log.notice('', msg)
 
+    let stageId
     if (!dryRun) {
-      await otplease(this.npm, opts, o => libpub(manifest, tarballData, o))
+      if (this.isStage) {
+        // Stage intentionally bypasses otplease — 2FA is deferred to approve/reject
+        const res = await libpub(manifest, tarballData, {
+          ...opts,
+          command: this.#command,
+          stage: true,
+        })
+        stageId = res.stageId
+      } else {
+        await otplease(this.npm, opts, o => libpub(manifest, tarballData, o))
+      }
     }
 
     // In json mode we don't log until the publish has completed as this will add it to the output only if completes successfully
     if (json) {
-      logPkg()
+      if (stageId) {
+        pkgContents.stageId = stageId
+      }
+      logTar(pkgContents, {
+        unicode, json, key: pkgContents.name, redact: stageId ? false : undefined })
     }
 
     if (spec.type === 'directory' && !ignoreScripts) {
@@ -204,7 +229,15 @@ class Publish extends BaseCommand {
     }
 
     if (!json && !silent) {
-      output.standard(`+ ${pkgContents.id}`)
+      if (this.isStage) {
+        const stagedMsg = stageId
+          ? `+ ${pkgContents.id} (staged with id ${stageId})`
+          : `+ ${pkgContents.id} (staged)`
+        output.standard(stagedMsg, { [META]: true, redact: false })
+        log.notice(this.#command, `package ${pkgContents.id} has been staged with tag ${defaultTag}`)
+      } else {
+        output.standard(`+ ${pkgContents.id}`)
+      }
     }
   }
 
@@ -245,8 +278,8 @@ class Publish extends BaseCommand {
       const changes = []
       const pkg = await pkgJson.fix(spec.fetchSpec, { changes })
       if (changes.length && logWarnings) {
-        log.warn('publish', 'npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.')
-        log.warn('publish', `errors corrected:\n${changes.join('\n')}`)
+        log.warn(this.#command, 'npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.')
+        log.warn(this.#command, `errors corrected:\n${changes.join('\n')}`)
       }
       // Prepare is the special function for publishing, different than normalize
       const { content } = await pkg.prepare()
@@ -254,7 +287,7 @@ class Publish extends BaseCommand {
     } else {
       manifest = await pacote.manifest(spec, {
         ...opts,
-        fullmetadata: true,
+        fullMetadata: true,
         fullReadJson: true,
       })
     }
diff --git a/deps/npm/lib/commands/rebuild.js b/deps/npm/lib/commands/rebuild.js
index a23df39f1560be..333a879026cbc1 100644
--- a/deps/npm/lib/commands/rebuild.js
+++ b/deps/npm/lib/commands/rebuild.js
@@ -1,8 +1,11 @@
 const { resolve } = require('node:path')
-const { output } = require('proc-log')
+const { log, output } = require('proc-log')
 const npa = require('npm-package-arg')
 const semver = require('semver')
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
+const checkAllowScripts = require('../utils/check-allow-scripts.js')
+const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
+const strictAllowScriptsPreflight = require('../utils/strict-allow-scripts-preflight.js')
 
 class Rebuild extends ArboristWorkspaceCmd {
   static description = 'Rebuild a package'
@@ -12,6 +15,9 @@ class Rebuild extends ArboristWorkspaceCmd {
     'bin-links',
     'foreground-scripts',
     'ignore-scripts',
+    'allow-scripts',
+    'strict-allow-scripts',
+    'dangerously-allow-all-scripts',
     ...super.params,
   ]
 
@@ -26,9 +32,11 @@ class Rebuild extends ArboristWorkspaceCmd {
     const globalTop = resolve(this.npm.globalDir, '..')
     const where = this.npm.global ? globalTop : this.npm.prefix
     const Arborist = require('@npmcli/arborist')
+    const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
     const arb = new Arborist({
       ...this.npm.flatOptions,
       path: where,
+      allowScripts: allowScriptsPolicy,
       // TODO when extending ReifyCmd
       // workspaces: this.workspaceNames,
     })
@@ -50,11 +58,28 @@ class Rebuild extends ArboristWorkspaceCmd {
       })
       const nodes = tree.inventory.filter(node => this.isNode(specs, node))
 
+      await strictAllowScriptsPreflight({ arb, npm: this.npm })
       await arb.rebuild({ nodes })
     } else {
+      await arb.loadActual()
+      await strictAllowScriptsPreflight({ arb, npm: this.npm })
       await arb.rebuild()
     }
 
+    // Phase 1 advisory: list any packages whose install scripts ran (or
+    // would have run) and are not yet covered by allowScripts. Rebuild
+    // doesn't go through reifyFinish, so the walker is invoked here.
+    const unreviewed = await checkAllowScripts({ arb, npm: this.npm })
+    if (unreviewed.length > 0) {
+      const count = unreviewed.length
+      const noun = count === 1 ? 'package has' : 'packages have'
+      log.warn(
+        'rebuild',
+        `${count} ${noun} install scripts not yet covered by allowScripts. ` +
+        'Run `npm approve-scripts --allow-scripts-pending` to review.'
+      )
+    }
+
     output.standard('rebuilt dependencies successfully')
   }
 
diff --git a/deps/npm/lib/commands/stage/approve.js b/deps/npm/lib/commands/stage/approve.js
new file mode 100644
index 00000000000000..619015d0c8a55e
--- /dev/null
+++ b/deps/npm/lib/commands/stage/approve.js
@@ -0,0 +1,35 @@
+const { log, output, META } = require('proc-log')
+const npmFetch = require('npm-registry-fetch')
+const { otplease } = require('../../utils/auth.js')
+const { validateUUID } = require('../../utils/validate-uuid.js')
+const BaseCommand = require('../../base-cmd.js')
+
+class StageApprove extends BaseCommand {
+  static description = 'Approve a staged package, publishing it to the npm registry'
+  static name = 'approve'
+  static usage = ['']
+  static params = ['otp', 'registry']
+  static positionals = 1
+
+  async exec (args) {
+    if (!args[0]) {
+      throw this.usageError('Missing required ')
+    }
+    const stageId = args[0]
+    validateUUID(stageId, 'stage-id')
+    const opts = { ...this.npm.flatOptions }
+
+    log.notice('', `Approving staged package ${stageId}`)
+
+    await otplease(this.npm, opts, o =>
+      npmFetch.json(`/-/stage/${stageId}/approve`, {
+        ...o,
+        method: 'POST',
+      })
+    )
+
+    output.standard(`Staged package ${stageId} approved and published successfully.`, { [META]: true, redact: false })
+  }
+}
+
+module.exports = StageApprove
diff --git a/deps/npm/lib/commands/stage/download.js b/deps/npm/lib/commands/stage/download.js
new file mode 100644
index 00000000000000..e5b7711aee54d3
--- /dev/null
+++ b/deps/npm/lib/commands/stage/download.js
@@ -0,0 +1,70 @@
+const { log, output, META } = require('proc-log')
+const { writeFile } = require('node:fs/promises')
+const { resolve } = require('node:path')
+const tar = require('tar')
+const npmFetch = require('npm-registry-fetch')
+const { getContents, logTar } = require('../../utils/tar.js')
+const { validateUUID } = require('../../utils/validate-uuid.js')
+const BaseCommand = require('../../base-cmd.js')
+
+class StageDownload extends BaseCommand {
+  static description = 'Download the tarball of a staged package for inspection'
+  static name = 'download'
+  static usage = ['']
+  static params = ['json', 'registry']
+  static positionals = 1
+
+  async exec (args) {
+    if (!args[0]) {
+      throw this.usageError('Missing required ')
+    }
+    const stageId = args[0]
+    validateUUID(stageId, 'stage-id')
+    const opts = { ...this.npm.flatOptions }
+    const unicode = this.npm.config.get('unicode')
+    const json = this.npm.config.get('json')
+
+    log.notice('', `Downloading staged package ${stageId}`)
+
+    const res = await npmFetch(`/-/stage/${stageId}/tarball`, opts)
+    const data = Buffer.from(await res.arrayBuffer())
+
+    const manifest = await this.#readManifestFromTarball(data)
+    const pkgContents = await getContents(manifest, data)
+    logTar(pkgContents, { unicode, json, key: pkgContents.name })
+
+    const safeName = pkgContents.name.replace('@', '').replace('/', '-')
+    const filename = `${safeName}-${pkgContents.version}-${stageId}.tgz`
+    const dest = resolve(process.cwd(), filename)
+
+    await writeFile(dest, data)
+    if (!json) {
+      output.standard(filename, { [META]: true, redact: false })
+    }
+  }
+
+  async #readManifestFromTarball (tarballData) {
+    let manifestJson
+    const stream = tar.t({
+      onentry (entry) {
+        if (entry.path === 'package/package.json') {
+          const chunks = []
+          entry.on('data', c => chunks.push(c))
+          entry.on('end', () => {
+            manifestJson = JSON.parse(Buffer.concat(chunks).toString())
+          })
+        } else {
+          entry.resume()
+        }
+      },
+    })
+    // node-tar uses Minipass which processes synchronously on .end()
+    stream.end(tarballData)
+    if (!manifestJson) {
+      throw new Error('Could not read package.json from tarball')
+    }
+    return manifestJson
+  }
+}
+
+module.exports = StageDownload
diff --git a/deps/npm/lib/commands/stage/index.js b/deps/npm/lib/commands/stage/index.js
new file mode 100644
index 00000000000000..51b41b4f0249d9
--- /dev/null
+++ b/deps/npm/lib/commands/stage/index.js
@@ -0,0 +1,25 @@
+const BaseCommand = require('../../base-cmd.js')
+
+class Stage extends BaseCommand {
+  static description = 'Stage packages for publishing, deferring proof-of-presence (2FA) to a later point in time'
+  static name = 'stage'
+
+  static subcommands = {
+    publish: require('./publish.js'),
+    list: require('./list.js'),
+    view: require('./view.js'),
+    approve: require('./approve.js'),
+    reject: require('./reject.js'),
+    download: require('./download.js'),
+  }
+
+  static async completion (opts) {
+    const argv = opts.conf.argv.remain
+    if (argv.length === 2) {
+      return Object.keys(Stage.subcommands)
+    }
+    return []
+  }
+}
+
+module.exports = Stage
diff --git a/deps/npm/lib/commands/stage/list.js b/deps/npm/lib/commands/stage/list.js
new file mode 100644
index 00000000000000..bcfb45affb00b0
--- /dev/null
+++ b/deps/npm/lib/commands/stage/list.js
@@ -0,0 +1,72 @@
+const { output, META } = require('proc-log')
+const npa = require('npm-package-arg')
+const npmFetch = require('npm-registry-fetch')
+const { logStageItem } = require('../../utils/key-values.js')
+const BaseCommand = require('../../base-cmd.js')
+
+class StageList extends BaseCommand {
+  static description = 'List all staged package versions'
+  static name = 'list'
+  static usage = ['[]']
+  static params = ['json', 'registry']
+
+  async exec (args) {
+    let packageFilter = null
+    if (args[0]) {
+      const spec = npa(args[0])
+      if (spec.rawSpec !== '*') {
+        throw this.usageError('Version specifiers are not supported for listing staged packages')
+      }
+      packageFilter = spec.name
+    }
+    const opts = { ...this.npm.flatOptions }
+    const json = this.npm.config.get('json')
+
+    const allItems = await this.#fetchAllPages(opts, packageFilter)
+
+    if (json) {
+      output.standard(JSON.stringify(allItems, null, 2), { [META]: true, redact: false })
+      return
+    }
+
+    if (allItems.length === 0) {
+      if (packageFilter) {
+        output.standard(`No staged versions of package name "${packageFilter}".`)
+      } else {
+        output.standard('No staged packages found.')
+      }
+      return
+    }
+
+    for (let i = 0; i < allItems.length; i++) {
+      if (i > 0) {
+        output.standard('')
+      }
+      logStageItem(allItems[i], { chalk: this.npm.chalk })
+    }
+  }
+
+  async #fetchAllPages (opts, packageFilter) {
+    const items = []
+    let page = 0
+    const perPage = 100
+    while (true) {
+      const query = { page, perPage }
+      if (packageFilter) {
+        query.package = packageFilter
+      }
+      const res = await npmFetch.json('/-/stage', {
+        ...opts,
+        query,
+      })
+      items.push(...res.items)
+      if (items.length >= res.total || res.items.length < perPage) {
+        break
+      }
+      page++
+    }
+    return items
+  }
+}
+
+module.exports = StageList
diff --git a/deps/npm/lib/commands/stage/publish.js b/deps/npm/lib/commands/stage/publish.js
new file mode 100644
index 00000000000000..ff3fa3ad2b9ca3
--- /dev/null
+++ b/deps/npm/lib/commands/stage/publish.js
@@ -0,0 +1,13 @@
+const Publish = require('../publish.js')
+
+class StagePublish extends Publish {
+  static description = 'Stage a package for publishing, deferring proof-of-presence (2FA) to a later point in time'
+  static name = 'publish'
+  static stage = true
+  static params = Publish.params
+  static usage = Publish.usage
+  static workspaces = true
+  static ignoreImplicitWorkspace = false
+}
+
+module.exports = StagePublish
diff --git a/deps/npm/lib/commands/stage/reject.js b/deps/npm/lib/commands/stage/reject.js
new file mode 100644
index 00000000000000..2f29a95ea4e964
--- /dev/null
+++ b/deps/npm/lib/commands/stage/reject.js
@@ -0,0 +1,37 @@
+const { log, output, META } = require('proc-log')
+const npmFetch = require('npm-registry-fetch')
+const { otplease } = require('../../utils/auth.js')
+const { validateUUID } = require('../../utils/validate-uuid.js')
+const BaseCommand = require('../../base-cmd.js')
+
+class StageReject extends BaseCommand {
+  static description = 'Reject a staged package, removing it from the registry'
+  static name = 'reject'
+  static usage = ['']
+  static params = ['otp', 'registry']
+  static positionals = 1
+
+  async exec (args) {
+    if (!args[0]) {
+      throw this.usageError('Missing required ')
+    }
+    const stageId = args[0]
+    validateUUID(stageId, 'stage-id')
+    const opts = { ...this.npm.flatOptions }
+
+    log.notice('', `Rejecting staged package ${stageId}`)
+    log.warn('', 'Rejecting will permanently delete this staged publish record and tarball from the registry.')
+
+    await otplease(this.npm, opts, o =>
+      npmFetch(`/-/stage/${stageId}`, {
+        ...o,
+        method: 'DELETE',
+        ignoreBody: true,
+      })
+    )
+
+    output.standard(`Staged package ${stageId} has been rejected.`, { [META]: true, redact: false })
+  }
+}
+
+module.exports = StageReject
diff --git a/deps/npm/lib/commands/stage/view.js b/deps/npm/lib/commands/stage/view.js
new file mode 100644
index 00000000000000..7f7f6634568704
--- /dev/null
+++ b/deps/npm/lib/commands/stage/view.js
@@ -0,0 +1,34 @@
+const { output, META } = require('proc-log')
+const npmFetch = require('npm-registry-fetch')
+const { logStageItem } = require('../../utils/key-values.js')
+const { validateUUID } = require('../../utils/validate-uuid.js')
+const BaseCommand = require('../../base-cmd.js')
+
+class StageView extends BaseCommand {
+  static description = 'View details of a specific staged package'
+  static name = 'view'
+  static usage = ['']
+  static params = ['json', 'registry']
+  static positionals = 1
+
+  async exec (args) {
+    if (!args[0]) {
+      throw this.usageError('Missing required ')
+    }
+    const stageId = args[0]
+    validateUUID(stageId, 'stage-id')
+    const opts = { ...this.npm.flatOptions }
+    const json = this.npm.config.get('json')
+
+    const item = await npmFetch.json(`/-/stage/${stageId}`, opts)
+
+    if (json) {
+      output.standard(JSON.stringify(item, null, 2), { [META]: true, redact: false })
+      return
+    }
+
+    logStageItem(item, { chalk: this.npm.chalk })
+  }
+}
+
+module.exports = StageView
diff --git a/deps/npm/lib/commands/trust/circleci.js b/deps/npm/lib/commands/trust/circleci.js
index 34d25b80182688..5444ccd09ce6e8 100644
--- a/deps/npm/lib/commands/trust/circleci.js
+++ b/deps/npm/lib/commands/trust/circleci.js
@@ -1,9 +1,8 @@
 const Definition = require('@npmcli/config/lib/definitions/definition.js')
 const globalDefinitions = require('@npmcli/config/lib/definitions/definitions.js')
 const TrustCommand = require('../../trust-cmd.js')
-
-// UUID validation regex
-const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+const { trustDefinitions } = require('../../trust-cmd.js')
+const { validateUUID } = require('../../utils/validate-uuid.js')
 
 class TrustCircleCI extends TrustCommand {
   static description = 'Create a trusted relationship between a package and CircleCI'
@@ -13,7 +12,7 @@ class TrustCircleCI extends TrustCommand {
   static providerEntity = 'CircleCI pipeline'
 
   static usage = [
-    '[package] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  [--context-id ...] [-y|--yes]',
+    '[package] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  [--context-id ...] [--allow-publish] [--allow-stage-publish] [-y|--yes]',
   ]
 
   static definitions = [
@@ -46,6 +45,8 @@ class TrustCircleCI extends TrustCommand {
       type: [null, String, Array],
       description: 'CircleCI context UUID to match',
     }),
+    trustDefinitions['allow-publish'],
+    trustDefinitions['allow-stage-publish'],
     // globals are alphabetical
     globalDefinitions['dry-run'],
     globalDefinitions.json,
@@ -54,9 +55,7 @@ class TrustCircleCI extends TrustCommand {
   ]
 
   validateUuid (value, fieldName) {
-    if (!UUID_REGEX.test(value)) {
-      throw new Error(`${fieldName} must be a valid UUID`)
-    }
+    validateUUID(value, fieldName)
   }
 
   validateVcsOrigin (value) {
diff --git a/deps/npm/lib/commands/trust/github.js b/deps/npm/lib/commands/trust/github.js
index 870314b717a759..c3434fe40770eb 100644
--- a/deps/npm/lib/commands/trust/github.js
+++ b/deps/npm/lib/commands/trust/github.js
@@ -1,6 +1,7 @@
 const Definition = require('@npmcli/config/lib/definitions/definition.js')
 const globalDefinitions = require('@npmcli/config/lib/definitions/definitions.js')
 const TrustCommand = require('../../trust-cmd.js')
+const { trustDefinitions } = require('../../trust-cmd.js')
 const path = require('node:path')
 
 class TrustGitHub extends TrustCommand {
@@ -16,7 +17,7 @@ class TrustGitHub extends TrustCommand {
   static entityKey = 'repository'
 
   static usage = [
-    '[package] --file [--repo|--repository] [--env|--environment] [-y|--yes]',
+    '[package] --file [--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]',
   ]
 
   static definitions = [
@@ -38,6 +39,8 @@ class TrustGitHub extends TrustCommand {
       description: 'CI environment name',
       alias: ['env'],
     }),
+    trustDefinitions['allow-publish'],
+    trustDefinitions['allow-stage-publish'],
     // globals are alphabetical
     globalDefinitions['dry-run'],
     globalDefinitions.json,
diff --git a/deps/npm/lib/commands/trust/gitlab.js b/deps/npm/lib/commands/trust/gitlab.js
index e6456244ea1850..809e05ed200201 100644
--- a/deps/npm/lib/commands/trust/gitlab.js
+++ b/deps/npm/lib/commands/trust/gitlab.js
@@ -1,6 +1,7 @@
 const Definition = require('@npmcli/config/lib/definitions/definition.js')
 const globalDefinitions = require('@npmcli/config/lib/definitions/definitions.js')
 const TrustCommand = require('../../trust-cmd.js')
+const { trustDefinitions } = require('../../trust-cmd.js')
 const path = require('node:path')
 
 class TrustGitLab extends TrustCommand {
@@ -16,7 +17,7 @@ class TrustGitLab extends TrustCommand {
   static entityKey = 'project'
 
   static usage = [
-    '[package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes]',
+    '[package] --file [--project|--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]',
   ]
 
   static definitions = [
@@ -37,6 +38,8 @@ class TrustGitLab extends TrustCommand {
       description: 'CI environment name',
       alias: ['env'],
     }),
+    trustDefinitions['allow-publish'],
+    trustDefinitions['allow-stage-publish'],
     // globals are alphabetical
     globalDefinitions['dry-run'],
     globalDefinitions.json,
diff --git a/deps/npm/lib/commands/update.js b/deps/npm/lib/commands/update.js
index ed1416d70c13e2..22f77390b25a31 100644
--- a/deps/npm/lib/commands/update.js
+++ b/deps/npm/lib/commands/update.js
@@ -1,6 +1,8 @@
 const path = require('node:path')
 const { log } = require('proc-log')
 const reifyFinish = require('../utils/reify-finish.js')
+const resolveAllowScripts = require('../utils/resolve-allow-scripts.js')
+const strictAllowScriptsPreflight = require('../utils/strict-allow-scripts-preflight.js')
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
 
 class Update extends ArboristWorkspaceCmd {
@@ -19,8 +21,12 @@ class Update extends ArboristWorkspaceCmd {
     'package-lock',
     'foreground-scripts',
     'ignore-scripts',
+    'allow-scripts',
+    'strict-allow-scripts',
+    'dangerously-allow-all-scripts',
     'audit',
     'before',
+    'min-release-age',
     'bin-links',
     'fund',
     'dry-run',
@@ -50,15 +56,19 @@ class Update extends ArboristWorkspaceCmd {
     }
 
     const Arborist = require('@npmcli/arborist')
+    const { policy: allowScriptsPolicy } = await resolveAllowScripts(this.npm)
     const opts = {
       ...this.npm.flatOptions,
       path: where,
       save,
       workspaces: this.workspaceNames,
+      allowScripts: allowScriptsPolicy,
     }
     const arb = new Arborist(opts)
 
-    await arb.reify({ ...opts, update })
+    const reifyOpts = { ...opts, update }
+    await strictAllowScriptsPreflight({ arb, npm: this.npm, idealTreeOpts: reifyOpts })
+    await arb.reify(reifyOpts)
     await reifyFinish(this.npm, arb)
   }
 }
diff --git a/deps/npm/lib/trust-cmd.js b/deps/npm/lib/trust-cmd.js
index 5fab8df1d21aa2..7fabe3e421aa6a 100644
--- a/deps/npm/lib/trust-cmd.js
+++ b/deps/npm/lib/trust-cmd.js
@@ -6,9 +6,29 @@ const { read: _read } = require('read')
 const { input, output, log, META } = require('proc-log')
 const gitinfo = require('hosted-git-info')
 const pkgJson = require('@npmcli/package-json')
+const Definition = require('@npmcli/config/lib/definitions/definition.js')
 
 const NPM_FRONTEND = 'https://www.npmjs.com'
 
+const PERMISSIONS = {
+  CREATE_PACKAGE: 'createPackage',
+  CREATE_STAGED_PACKAGE: 'createStagedPackage',
+}
+
+const trustDefinitions = {
+  'allow-publish': new Definition('allow-publish', {
+    default: false,
+    type: Boolean,
+    description: 'Allow npm publish for this trusted publisher configuration',
+  }),
+  'allow-stage-publish': new Definition('allow-stage-publish', {
+    default: false,
+    type: Boolean,
+    description: 'Allow npm stage publish for this trusted publisher configuration',
+    alias: ['allow-staged-publish'],
+  }),
+}
+
 class TrustCommand extends BaseCommand {
   // Helper to format template strings with color
   // Blue text with reset color for interpolated values
@@ -45,8 +65,22 @@ class TrustCommand extends BaseCommand {
     }))
   }
 
+  static permissionLabels = {
+    [PERMISSIONS.CREATE_PACKAGE]: 'publish',
+    [PERMISSIONS.CREATE_STAGED_PACKAGE]: 'stage publish',
+  }
+
+  static formatPermissions (permissions) {
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      return null
+    }
+    return permissions
+      .map(p => TrustCommand.permissionLabels[p] || p)
+      .join(', ')
+  }
+
   logOptions (options, pad = true) {
-    const { values, warnings, fromPackageJson, urls } = { warnings: [], ...options }
+    const { values, warnings, fromPackageJson, urls, permissions } = { warnings: [], ...options }
     if (warnings && warnings.length > 0) {
       for (const warningMsg of warnings) {
         log.warn('trust', warningMsg)
@@ -55,8 +89,12 @@ class TrustCommand extends BaseCommand {
 
     const json = this.config.get('json')
     if (json) {
+      const jsonValues = { ...options.values }
+      if (permissions) {
+        jsonValues.permissions = permissions
+      }
       // Disable redaction: trust config values (e.g. CircleCI UUIDs) are not secrets
-      output.standard(JSON.stringify(options.values, null, 2), { [META]: true, redact: false })
+      output.standard(JSON.stringify(jsonValues, null, 2), { [META]: true, redact: false })
       return
     }
 
@@ -82,6 +120,10 @@ class TrustCommand extends BaseCommand {
           lines.push(parts.join(' '))
         }
       }
+      const formattedPermissions = TrustCommand.formatPermissions(permissions)
+      if (formattedPermissions) {
+        lines.push(`${chalk.reset('permissions')}: ${chalk.green(formattedPermissions)}`)
+      }
       if (pad) {
         output.standard()
       }
@@ -165,6 +207,22 @@ class TrustCommand extends BaseCommand {
     const { providerName, providerEntity, providerHostname } = this.constructor
     const dryRun = this.config.get('dry-run')
     const yes = this.config.get('yes') // deep-lore this allows for --no-yes
+
+    const allowPublish = flags['allow-publish']
+    const allowStagePublish = flags['allow-stage-publish']
+
+    if (!allowPublish && !allowStagePublish) {
+      throw new Error('At least one permission flag is required (--allow-publish, --allow-stage-publish)')
+    }
+
+    const permissions = []
+    if (allowPublish) {
+      permissions.push(PERMISSIONS.CREATE_PACKAGE)
+    }
+    if (allowStagePublish) {
+      permissions.push(PERMISSIONS.CREATE_STAGED_PACKAGE)
+    }
+
     const options = await this.flagsToOptions({ positionalArgs, flags, providerHostname })
     this.dialogue`Establishing trust between ${options.values.package} package and ${providerName}`
     this.dialogue`Anyone with ${providerEntity} write access can publish to ${options.values.package}`
@@ -172,12 +230,13 @@ class TrustCommand extends BaseCommand {
     if (!this.registryIsDefault) {
       this.warn`Registry ${this.npm.config.get('registry')} may not support trusted publishing`
     }
-    this.logOptions(options)
+    this.logOptions({ ...options, permissions })
     if (dryRun) {
       return
     }
     await this.confirmOperation(yes)
     const trustConfig = this.constructor.optionsToBody(options.values)
+    trustConfig.permissions = permissions
     const response = await this.createConfig(options.values.package, [trustConfig])
     const body = await response.json()
     this.dialogue`Trust configuration created successfully for ${options.values.package} with the following settings:`
@@ -273,8 +332,9 @@ class TrustCommand extends BaseCommand {
     const items = Array.isArray(body) ? body : [body]
     for (const config of items) {
       const values = this.constructor.bodyToOptions(config)
+      const permissions = config.permissions
       output.standard()
-      this.logOptions({ values }, false)
+      this.logOptions({ values, permissions }, false)
     }
     output.standard()
   }
@@ -282,3 +342,4 @@ class TrustCommand extends BaseCommand {
 
 module.exports = TrustCommand
 module.exports.NPM_FRONTEND = NPM_FRONTEND
+module.exports.trustDefinitions = trustDefinitions
diff --git a/deps/npm/lib/utils/allow-scripts-cmd.js b/deps/npm/lib/utils/allow-scripts-cmd.js
new file mode 100644
index 00000000000000..c1ff242abeaa82
--- /dev/null
+++ b/deps/npm/lib/utils/allow-scripts-cmd.js
@@ -0,0 +1,245 @@
+const { log, output } = require('proc-log')
+const pkgJson = require('@npmcli/package-json')
+const { trustedDisplay } = require('@npmcli/arborist/lib/script-allowed.js')
+const checkAllowScripts = require('./check-allow-scripts.js')
+const resolveAllowScripts = require('./resolve-allow-scripts.js')
+const {
+  applyApprovalForPackage,
+  applyDenyForPackage,
+  nameKeyFor,
+} = require('./allow-scripts-writer.js')
+const BaseCommand = require('../base-cmd.js')
+
+// Shared implementation for `npm approve-scripts` and `npm deny-scripts`.
+// Subclasses set `verb` to `'approve'` or `'deny'`.
+//
+// Extends `BaseCommand` rather than `ArboristCmd` on purpose. Per RFC,
+// `allowScripts` is read from the workspace root's `package.json` only;
+// individual workspaces don't have their own `allowScripts` field, and
+// running approve/deny inside a sub-workspace is identical to running
+// it at the root. There's no per-workspace targeting to do, so the
+// `--workspace` / `--workspaces` / `--include-workspace-root` params
+// from `ArboristCmd` would be misleading no-ops.
+class AllowScriptsCmd extends BaseCommand {
+  static params = ['all', 'allow-scripts-pending', 'allow-scripts-pin', 'json']
+  static ignoreImplicitWorkspace = false
+
+  // Subclasses set `static verb = 'approve' | 'deny'`.
+  get verb () {
+    /* istanbul ignore next: every concrete subclass declares static verb */
+    return this.constructor.verb
+  }
+
+  async exec (args) {
+    if (this.npm.global) {
+      throw Object.assign(
+        new Error(`\`npm ${this.constructor.name}\` does not work for global installs`),
+        { code: 'EGLOBAL' }
+      )
+    }
+
+    const pending = !!this.npm.config.get('allow-scripts-pending')
+    const all = !!this.npm.config.get('all')
+
+    if (pending && (args.length > 0 || all)) {
+      throw this.usageError(
+        '`--allow-scripts-pending` cannot be combined with positional arguments or `--all`.'
+      )
+    }
+    if (!pending && !all && args.length === 0) {
+      throw this.usageError()
+    }
+    if (this.verb === 'deny' && pending) {
+      throw this.usageError('`npm deny-scripts --allow-scripts-pending` is not supported.')
+    }
+
+    const Arborist = require('@npmcli/arborist')
+    const { policy } = await resolveAllowScripts(this.npm)
+    const arb = new Arborist({
+      ...this.npm.flatOptions,
+      path: this.npm.prefix,
+      allowScripts: policy,
+    })
+    await arb.loadActual()
+
+    const unreviewed = await checkAllowScripts({ arb, npm: this.npm })
+
+    if (pending) {
+      return this.runPending(unreviewed)
+    }
+
+    if (all) {
+      return this.runAll(unreviewed)
+    }
+
+    return this.runPositional(args, arb)
+  }
+
+  runPending (unreviewed) {
+    if (unreviewed.length === 0) {
+      output.standard('No packages with unreviewed install scripts.')
+      return
+    }
+    const count = unreviewed.length
+    const has = count === 1 ? 'has' : 'have'
+    const pkg = count === 1 ? 'package' : 'packages'
+    output.standard(
+      `${count} ${pkg} ${has} install scripts not yet covered by allowScripts:`
+    )
+    for (const { node, scripts } of unreviewed) {
+      const { name, version } = trustedDisplay(node)
+      /* istanbul ignore next: every test node has a name */
+      const display = name || ''
+      const ver = version ? `@${version}` : ''
+      const events = Object.entries(scripts)
+        .map(([event, cmd]) => `${event}: ${cmd}`)
+        .join('; ')
+      output.standard(`  ${display}${ver} (${events})`)
+    }
+    output.standard('')
+    output.standard(
+      'Run `npm approve-scripts ` to allow, or `npm deny-scripts ` to deny.'
+    )
+  }
+
+  async runAll (unreviewed) {
+    if (unreviewed.length === 0) {
+      output.standard('No packages with unreviewed install scripts.')
+      return
+    }
+    // Bundled dependencies cannot be allowlisted in Phase 1 (RFC defers
+    // this to a follow-up because matching by name@version from the
+    // bundled tarball would reintroduce manifest confusion). Exclude
+    // them from `--all` so we don't silently write a policy entry under
+    // attacker-controlled identity.
+    const candidates = unreviewed.filter(({ node }) => !node.inBundle)
+    const skipped = unreviewed.length - candidates.length
+    if (skipped > 0) {
+      /* istanbul ignore next: plural variant covered separately */
+      const noun = skipped === 1 ? 'dependency' : 'dependencies'
+      log.warn(
+        this.logTitle,
+        `Skipping ${skipped} bundled ${noun}; bundled deps with install ` +
+        'scripts cannot be allowlisted in this release.'
+      )
+    }
+    if (candidates.length === 0) {
+      output.standard('No packages eligible for approval.')
+      return
+    }
+    const groups = this.groupByPackage(candidates.map(({ node }) => node))
+    await this.writePolicyChanges(groups)
+  }
+
+  async runPositional (args, arb) {
+    const matched = this.findNodesForArgs(args, arb)
+    const groups = this.groupByPackage(matched)
+    if (Object.keys(groups).length === 0) {
+      throw Object.assign(
+        new Error(`No installed packages match: ${args.join(', ')}`),
+        { code: 'ENOMATCH' }
+      )
+    }
+    await this.writePolicyChanges(groups)
+  }
+
+  findNodesForArgs (args, arb) {
+    // Match positional args against each node's trusted name. Registry
+    // deps use the URL-derived name; non-registry deps fall back to the
+    // dependency edge name. Bundled deps are excluded for the same reason
+    // as --all.
+    const wanted = new Set(args)
+    const matched = []
+    for (const node of arb.actualTree.inventory.values()) {
+      if (node.isProjectRoot || node.isWorkspace || node.inBundle) {
+        continue
+      }
+      const { name } = trustedDisplay(node)
+      if (name && wanted.has(name)) {
+        matched.push(node)
+      }
+    }
+    return matched
+  }
+
+  get logTitle () {
+    return this.constructor.name.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase()
+  }
+
+  groupByPackage (nodes) {
+    const groups = {}
+    for (const node of nodes) {
+      const key = nameKeyFor(node)
+      /* istanbul ignore if: callers prefilter via inBundle and trustedDisplay so untrusted nodes don't reach here */
+      if (!key) {
+        log.warn(
+          this.logTitle,
+          `skipping ${node.name || ''}: no trusted identity for policy key`
+        )
+        continue
+      }
+      if (!groups[key]) {
+        groups[key] = []
+      }
+      groups[key].push(node)
+    }
+    return groups
+  }
+
+  async writePolicyChanges (groups) {
+    const pin = this.npm.config.get('allow-scripts-pin') !== false
+
+    const pkg = await pkgJson.load(this.npm.prefix)
+    const content = pkg.content
+    const existing = content.allowScripts && typeof content.allowScripts === 'object'
+      ? content.allowScripts
+      : {}
+
+    let updated = existing
+    const summary = []
+
+    for (const [name, nodes] of Object.entries(groups)) {
+      const result = this.verb === 'approve'
+        ? applyApprovalForPackage(updated, nodes, { pin })
+        : applyDenyForPackage(updated, nodes)
+
+      if (result.warning) {
+        log.warn(this.logTitle, result.warning)
+      }
+      updated = result.allowScripts
+      summary.push({ name, changes: result.changes })
+    }
+
+    /* istanbul ignore else: writePolicyChanges only called when changes are expected */
+    if (updated !== existing) {
+      pkg.update({ allowScripts: updated })
+      await pkg.save()
+    }
+
+    this.printSummary(summary)
+  }
+
+  printSummary (summary) {
+    if (this.npm.flatOptions.json) {
+      output.buffer({ allowScripts: summary })
+      return
+    }
+    const verb = this.verb === 'approve' ? 'Approved' : 'Denied'
+    let touched = 0
+    for (const { name, changes } of summary) {
+      if (changes.length === 0) {
+        continue
+      }
+      touched++
+      output.standard(`${verb} ${name}:`)
+      for (const { key, change } of changes) {
+        output.standard(`  ${change} ${key}`)
+      }
+    }
+    if (touched === 0) {
+      output.standard(`Nothing to ${this.verb}; allowScripts unchanged.`)
+    }
+  }
+}
+
+module.exports = AllowScriptsCmd
diff --git a/deps/npm/lib/utils/allow-scripts-writer.js b/deps/npm/lib/utils/allow-scripts-writer.js
new file mode 100644
index 00000000000000..5f43bbebeedefa
--- /dev/null
+++ b/deps/npm/lib/utils/allow-scripts-writer.js
@@ -0,0 +1,323 @@
+const npa = require('npm-package-arg')
+const { log } = require('proc-log')
+const { getTrustedRegistryIdentity } = require('@npmcli/arborist/lib/script-allowed.js')
+
+// Pure helpers that implement the RFC's pin-mismatch table for
+// `npm approve-scripts` and `npm deny-scripts`.
+//
+// Approving writes either `"": true` or `"": true` to the
+// project's `allowScripts` field, depending on `--allow-scripts-pin` and the currently
+// installed versions.
+//
+// Denying always writes `"": false`, regardless of `--allow-scripts-pin`, per the
+// RFC's asymmetric-pin rule.
+
+// Convert an arborist Node into the spec string used for a versioned policy
+// entry. Returns `null` if the node cannot be represented as a versioned key
+// derived from trusted sources (lockfile URL for registry, hosted shortcut
+// for git, the resolved file path for local installs). Never falls back to
+// `node.packageName` / `node.version`, which are tarball-controlled.
+const versionedKeyFor = (node) => {
+  if (!node) {
+    return null
+  }
+  /* istanbul ignore next: callers guarantee a string resolved */
+  const resolved = typeof node.resolved === 'string' ? node.resolved : ''
+  if (resolved.startsWith('git')) {
+    try {
+      const parsed = npa(resolved)
+      if (parsed.hosted) {
+        const committish = parsed.gitCommittish || parsed.hosted.committish
+        const base = parsed.hosted.shortcut({ noCommittish: true })
+        return committish ? `${base}#${committish}` : base
+      }
+    } catch {
+      /* istanbul ignore next: npa already parsed this string in keyTargetsNode */
+      return null
+    }
+    return null
+  }
+  if (/^https?:\/\//.test(resolved)) {
+    const trusted = getTrustedRegistryIdentity(node)
+    if (trusted && trusted.version) {
+      return `${trusted.name}@${trusted.version}`
+    }
+    // Registry node with a resolved URL that versionFromTgz couldn't
+    // parse (private-registry mirror, alternate CDN URL shape). Leave a
+    // breadcrumb so users notice when policy keys are silently pruned.
+    log.silly(
+      'allow-scripts',
+      `unable to derive trusted versioned key for ${node.path || node.name || ''} ` +
+      `(resolved: ${resolved}); key will be pruned on next save`
+    )
+    return null
+  }
+  /* istanbul ignore next: 'file:' and '/' branches are each covered separately */
+  if (resolved.startsWith('file:') || resolved.startsWith('/')) {
+    return resolved
+  }
+  // No trusted source. Refuse to compose a key from attacker-controlled
+  // `node.packageName` / `node.version`.
+  /* istanbul ignore next: callers filter out non-registry/non-file nodes before reaching this fallback */
+  return null
+}
+
+// Convert an arborist Node into the spec string used for a name-only policy
+// entry. Same trust rules as versionedKeyFor — returns `null` rather than
+// falling back to tarball-controlled fields.
+const nameKeyFor = (node) => {
+  if (!node) {
+    return null
+  }
+  /* istanbul ignore next: callers guarantee a string resolved */
+  const resolved = typeof node.resolved === 'string' ? node.resolved : ''
+  if (resolved.startsWith('git')) {
+    try {
+      const parsed = npa(resolved)
+      if (parsed.hosted) {
+        return parsed.hosted.shortcut({ noCommittish: true })
+      }
+    } catch {
+      /* istanbul ignore next: npa already parsed this string in keyTargetsNode */
+      return null
+    }
+    return null
+  }
+  if (resolved.startsWith('file:') || resolved.startsWith('/')) {
+    return resolved
+  }
+  // Registry deps: only the URL-derived (or edges-derived, in the
+  // omit-lockfile case) trusted name is acceptable.
+  const trusted = getTrustedRegistryIdentity(node)
+  return trusted ? trusted.name : null
+}
+
+const isSingleVersionPin = (key) => {
+  try {
+    const parsed = npa(key)
+    return parsed.type === 'version'
+  } catch {
+    return false
+  }
+}
+
+// Build the warning string emitted when an existing deny entry blocks
+// an approval. Per RFC, a name-only deny ("pkg": false) is widest and
+// the only remediation is to remove the entry. A versioned deny
+// ("pkg@1.2.3": false or a disjunction) blocks only specific versions;
+// the user can either widen it via `npm deny-scripts ` or remove
+// it to approve the currently-installed version only.
+const denyWarning = (key, subject, name) => {
+  if (isNameOnlyKey(key)) {
+    return `${key} is denied; remove the entry from allowScripts to approve ${subject}.`
+  }
+  /* istanbul ignore next: name fallback is defensive; callers pass nameKeyFor(sample) */
+  const widenTarget = name || 'this package'
+  return `${key} is a versioned deny; run \`npm deny-scripts ${widenTarget}\` ` +
+    `to widen the deny to all versions of ${widenTarget}, or remove the entry ` +
+    `to approve ${subject}.`
+}
+
+const isNameOnlyKey = (key) => {
+  try {
+    const parsed = npa(key)
+    if (parsed.type === 'tag') {
+      return true
+    }
+    if (parsed.type === 'range') {
+      return parsed.fetchSpec === '*'
+        || parsed.rawSpec === ''
+        || parsed.rawSpec === '*'
+    }
+    return false
+  } catch {
+    /* istanbul ignore next: keys reaching this helper have already parsed via keyTargetsNode */
+    return false
+  }
+}
+
+// Does this policy key target this node by identity (ignoring the
+// allow/deny value)?
+//
+// Registry keys (`tag`, `range`, `version`) require a trusted identity on
+// the node. If the node has no `getTrustedRegistryIdentity` result, the
+// key does not match — never fall back to `node.name`, which is the
+// install-directory name and is forgeable through aliases / manifest
+// confusion.
+const keyTargetsNode = (key, node) => {
+  let parsed
+  try {
+    parsed = npa(key)
+  } catch {
+    return false
+  }
+  switch (parsed.type) {
+    case 'tag':
+    case 'range':
+    case 'version': {
+      const trusted = getTrustedRegistryIdentity(node)
+      if (!trusted) {
+        return false
+      }
+      return trusted.name === parsed.name
+    }
+    case 'git': {
+      let resolvedParsed
+      try {
+        resolvedParsed = node.resolved ? npa(node.resolved) : null
+      } catch {
+        /* istanbul ignore next */
+        return false
+      }
+      const keyHost = parsed.hosted?.ssh({ noCommittish: true })
+      const nodeHost = resolvedParsed?.hosted?.ssh({ noCommittish: true })
+      return !!(keyHost && nodeHost && keyHost === nodeHost)
+    }
+    case 'file':
+    case 'directory':
+    case 'remote':
+      return node.resolved === parsed.saveSpec || node.resolved === parsed.fetchSpec
+    default:
+      return false
+  }
+}
+
+// Apply approvals for all currently-installed versions of a single package.
+//
+// `nodes` must all share an identity (same package name for registry deps,
+// or same hosted shortcut for git deps, etc.). The caller is responsible
+// for grouping nodes correctly.
+//
+// Returns `{ allowScripts, changes, warning }` where:
+//   - `allowScripts` is the new object (the input is never mutated)
+//   - `changes` is a list of `{ key, change }` entries describing edits
+//   - `warning` is an optional message to surface to the user
+const applyApprovalForPackage = (existing, nodes, { pin = true } = {}) => {
+  const allowScripts = { ...existing }
+  const changes = []
+
+  if (!Array.isArray(nodes) || nodes.length === 0) {
+    return { allowScripts, changes }
+  }
+
+  const sample = nodes[0]
+  const name = nameKeyFor(sample)
+
+  // Deny-wins: any existing false that targets any installed version aborts.
+  for (const node of nodes) {
+    for (const [key, value] of Object.entries(allowScripts)) {
+      if (value === false && keyTargetsNode(key, node)) {
+        /* istanbul ignore next: name fallback covers the empty-name edge case */
+        const subject = name || 'this package'
+        return {
+          allowScripts,
+          changes,
+          warning: denyWarning(key, subject, name),
+        }
+      }
+    }
+  }
+
+  if (!pin) {
+    // Name-only mode: collapse any single-version pins for this package
+    // into a single name-only entry.
+    for (const key of Object.keys(allowScripts)) {
+      if (
+        keyTargetsNode(key, sample) &&
+        key !== name &&
+        isSingleVersionPin(key) &&
+        allowScripts[key] === true
+      ) {
+        delete allowScripts[key]
+      }
+    }
+
+    /* istanbul ignore else: name === null is the no-identity path tested separately */
+    if (name && allowScripts[name] !== true) {
+      allowScripts[name] = true
+      changes.push({ key: name, change: 'added' })
+    }
+    return { allowScripts, changes }
+  }
+
+  // Pin mode. For each currently installed version, write a single-version
+  // pin if one is not already in place. Stale single-version pins for this
+  // package are removed. Per the RFC's pin-mismatch table, an existing
+  // name-only entry (`pkg: true`) is replaced by `pkg@x.y.z: true` once
+  // every installed version has a pin.
+  const installedKeys = new Set(nodes.map(versionedKeyFor).filter(Boolean))
+
+  for (const key of Object.keys(allowScripts)) {
+    if (
+      keyTargetsNode(key, sample) &&
+      isSingleVersionPin(key) &&
+      allowScripts[key] === true &&
+      !installedKeys.has(key)
+    ) {
+      delete allowScripts[key]
+      changes.push({ key, change: 'removed-stale' })
+    }
+  }
+
+  for (const key of installedKeys) {
+    if (allowScripts[key] !== true) {
+      allowScripts[key] = true
+      changes.push({ key, change: 'added' })
+    }
+  }
+
+  // Upgrade: drop the name-only entry once every installed version has a
+  // pin. The operation is convergent: running the command twice produces
+  // the same shape regardless of the starting state.
+  if (
+    installedKeys.size > 0 &&
+    name &&
+    !installedKeys.has(name) &&
+    allowScripts[name] === true
+  ) {
+    delete allowScripts[name]
+    changes.push({ key: name, change: 'replaced-by-pin' })
+  }
+
+  return { allowScripts, changes }
+}
+
+// Apply a deny for a single package. Always name-only; ignores `--allow-scripts-pin`.
+const applyDenyForPackage = (existing, nodes) => {
+  const allowScripts = { ...existing }
+  const changes = []
+
+  if (!Array.isArray(nodes) || nodes.length === 0) {
+    return { allowScripts, changes }
+  }
+
+  const sample = nodes[0]
+  const name = nameKeyFor(sample)
+  if (!name) {
+    return { allowScripts, changes }
+  }
+
+  // Drop any pinned allow entries for this package: the name-only deny
+  // overrides them anyway, and leaving them in place is confusing.
+  for (const key of Object.keys(allowScripts)) {
+    if (keyTargetsNode(key, sample) && key !== name) {
+      delete allowScripts[key]
+      changes.push({ key, change: 'removed-pinned-allow' })
+    }
+  }
+
+  if (allowScripts[name] !== false) {
+    allowScripts[name] = false
+    changes.push({ key: name, change: 'added' })
+  }
+  return { allowScripts, changes }
+}
+
+module.exports = {
+  applyApprovalForPackage,
+  applyDenyForPackage,
+  versionedKeyFor,
+  nameKeyFor,
+  keyTargetsNode,
+  isSingleVersionPin,
+}
diff --git a/deps/npm/lib/utils/check-allow-scripts.js b/deps/npm/lib/utils/check-allow-scripts.js
new file mode 100644
index 00000000000000..5ef2bfb74cf153
--- /dev/null
+++ b/deps/npm/lib/utils/check-allow-scripts.js
@@ -0,0 +1,54 @@
+const isScriptAllowed = require('@npmcli/arborist/lib/script-allowed.js')
+const getInstallScripts = require('@npmcli/arborist/lib/install-scripts.js')
+
+// Walks arb.actualTree.inventory and returns the list of dep nodes that
+// have install-relevant lifecycle scripts and are not yet covered (or
+// explicitly denied) by the allowScripts policy.
+//
+// Returns an array of `{ node, scripts }` entries. `scripts` is an object
+// describing the relevant lifecycle scripts that would run.
+
+const checkAllowScripts = async ({ arb, npm, tree }) => {
+  const ignoreScripts = !!arb.options?.ignoreScripts
+  const dangerouslyAllowAll = !!npm?.flatOptions?.dangerouslyAllowAllScripts
+
+  if (ignoreScripts || dangerouslyAllowAll) {
+    return []
+  }
+
+  // Defaults to actualTree (post-reify) but accepts an explicit tree so
+  // callers can pre-flight against the idealTree before scripts run.
+  const targetTree = tree || arb.actualTree
+  if (!targetTree?.inventory) {
+    return []
+  }
+
+  const policy = arb.options?.allowScripts || null
+
+  const unreviewed = []
+  for (const node of targetTree.inventory.values()) {
+    if (node.isProjectRoot || node.isWorkspace) {
+      continue
+    }
+    if (node.isLink) {
+      // Linked workspace dependencies are managed by the workspace owner.
+      continue
+    }
+
+    const verdict = isScriptAllowed(node, policy)
+    if (verdict === true || verdict === false) {
+      continue
+    }
+
+    const scripts = await getInstallScripts(node)
+    if (Object.keys(scripts).length === 0) {
+      continue
+    }
+
+    unreviewed.push({ node, scripts })
+  }
+
+  return unreviewed
+}
+
+module.exports = checkAllowScripts
diff --git a/deps/npm/lib/utils/cmd-list.js b/deps/npm/lib/utils/cmd-list.js
index 9cd2346f0ff98f..1909df0d045469 100644
--- a/deps/npm/lib/utils/cmd-list.js
+++ b/deps/npm/lib/utils/cmd-list.js
@@ -5,6 +5,7 @@ const abbrev = require('abbrev')
 const commands = [
   'access',
   'adduser',
+  'approve-scripts',
   'audit',
   'bugs',
   'cache',
@@ -12,6 +13,7 @@ const commands = [
   'completion',
   'config',
   'dedupe',
+  'deny-scripts',
   'deprecate',
   'diff',
   'dist-tag',
@@ -55,6 +57,7 @@ const commands = [
   'search',
   'set',
   'shrinkwrap',
+  'stage',
   'star',
   'stars',
   'start',
diff --git a/deps/npm/lib/utils/display.js b/deps/npm/lib/utils/display.js
index 122a7f6e8c577a..72e76bd36731b0 100644
--- a/deps/npm/lib/utils/display.js
+++ b/deps/npm/lib/utils/display.js
@@ -1,6 +1,7 @@
 const { log, output, input, META } = require('proc-log')
 const { explain } = require('./explain-eresolve.js')
 const { formatWithOptions } = require('./format')
+const { redactLog } = require('@npmcli/redact')
 
 // This is the general approach to color:
 // Eventually this will be exposed somewhere we can refer to these by name.
@@ -98,14 +99,16 @@ const getArrayOrObject = (items) => {
   return Object.assign({}, ...items.filter(o => isPlainObject(o)))
 }
 
+const redactValue = (obj) => JSON.parse(redactLog(JSON.stringify(obj)))
+
 const getJsonBuffer = ({ [JSON_ERROR_KEY]: metaError }, buffer) => {
   const items = []
   // meta also contains the meta object passed to flush
   const errors = metaError ? [metaError] : []
   // index 1 is the meta, 2 is the logged argument
-  for (const [, { [JSON_ERROR_KEY]: error }, obj] of buffer) {
+  for (const [, { [JSON_ERROR_KEY]: error, redact = true }, obj] of buffer) {
     if (obj) {
-      items.push(obj)
+      items.push(redact ? redactValue(obj) : obj)
     }
     if (error) {
       errors.push(error)
@@ -291,7 +294,9 @@ class Display {
         if (this.#json) {
           const json = getJsonBuffer(meta, this.#outputState.buffer)
           if (json) {
-            this.#writeOutput(output.KEYS.standard, meta, JSON.stringify(json, null, 2))
+            // Per-item redaction already applied in getJsonBuffer, skip string-level redaction
+            const jsonMeta = { ...meta, redact: false }
+            this.#writeOutput(output.KEYS.standard, jsonMeta, JSON.stringify(json, null, 2))
           }
         } else {
           this.#outputState.buffer.forEach((item) => this.#writeOutput(...item))
diff --git a/deps/npm/lib/utils/key-values.js b/deps/npm/lib/utils/key-values.js
new file mode 100644
index 00000000000000..cf54304da6b4b2
--- /dev/null
+++ b/deps/npm/lib/utils/key-values.js
@@ -0,0 +1,42 @@
+const { output, META } = require('proc-log')
+
+const defaultPredicate = (key, value, chalk) => {
+  if (value === null || value === undefined) {
+    return null
+  }
+  return chalk.green(value)
+}
+
+function logObject (values, { chalk, json, predicate = defaultPredicate }) {
+  if (json) {
+    output.standard(JSON.stringify(values, null, 2), { [META]: true, redact: false })
+    return
+  }
+
+  const lines = []
+  for (const [key, value] of Object.entries(values)) {
+    const formatted = predicate(key, value, chalk)
+    if (formatted !== null) {
+      lines.push(`${chalk.cyan(key)}: ${formatted}`)
+    }
+  }
+  if (lines.length) {
+    output.standard(lines.join('\n'), { [META]: true, redact: false })
+  }
+}
+
+function logStageItem (item, { chalk }) {
+  const { id, packageName, version, tag, createdAt, actor, actorType, shasum, ...rest } = item
+  logObject({
+    id,
+    'package name': packageName,
+    version,
+    tag,
+    'date staged': createdAt,
+    'staged by': actorType ? `${actor} (${actorType})` : actor,
+    shasum,
+    ...rest,
+  }, { chalk })
+}
+
+module.exports = { logObject, logStageItem, defaultPredicate }
diff --git a/deps/npm/lib/utils/reify-finish.js b/deps/npm/lib/utils/reify-finish.js
index 5e1330f4937bbd..1041c53fdb9357 100644
--- a/deps/npm/lib/utils/reify-finish.js
+++ b/deps/npm/lib/utils/reify-finish.js
@@ -1,4 +1,6 @@
 const reifyOutput = require('./reify-output.js')
+const checkAllowScripts = require('./check-allow-scripts.js')
+const warnWorkspaceAllowScripts = require('./warn-workspace-allow-scripts.js')
 const ini = require('ini')
 const { writeFile } = require('node:fs/promises')
 const { resolve } = require('node:path')
@@ -15,7 +17,9 @@ const reifyFinish = async (npm, arb) => {
       }
     }
   }
-  reifyOutput(npm, arb)
+  warnWorkspaceAllowScripts(arb.actualTree)
+  const unreviewedScripts = await checkAllowScripts({ arb, npm })
+  reifyOutput(npm, arb, { unreviewedScripts })
 }
 
 module.exports = reifyFinish
diff --git a/deps/npm/lib/utils/reify-output.js b/deps/npm/lib/utils/reify-output.js
index 99427faaf66488..b1e1ffbcddd175 100644
--- a/deps/npm/lib/utils/reify-output.js
+++ b/deps/npm/lib/utils/reify-output.js
@@ -14,11 +14,12 @@ const { depth } = require('treeverse')
 const ms = require('ms')
 const npmAuditReport = require('npm-audit-report')
 const { readTree: getFundingInfo } = require('libnpmfund')
+const { trustedDisplay } = require('@npmcli/arborist/lib/script-allowed.js')
 const auditError = require('./audit-error.js')
 
-// TODO: output JSON if flatOptions.json is true
-const reifyOutput = (npm, arb) => {
+const reifyOutput = (npm, arb, extras = {}) => {
   const { diff, actualTree } = arb
+  const unreviewedScripts = extras.unreviewedScripts || []
 
   // note: fails and crashes if we're running audit fix and there was an error which is a good thing, because there's no point printing all this other stuff in that case!
   const auditReport = auditError(npm, arb.auditReport) ? null : arb.auditReport
@@ -113,11 +114,23 @@ const reifyOutput = (npm, arb) => {
       summary.audit = npm.command === 'audit' ? auditReport
         : auditReport.toJSON().metadata
     }
+    if (unreviewedScripts.length) {
+      summary.unreviewedScripts = unreviewedScripts.map(({ node, scripts }) => {
+        const { name, version } = trustedDisplay(node)
+        return {
+          name,
+          version,
+          path: node.path,
+          scripts,
+        }
+      })
+    }
     output.buffer(summary)
   } else {
     packagesChangedMessage(npm, summary)
     packagesFundingMessage(npm, summary)
     printAuditReport(npm, auditReport)
+    unreviewedScriptsMessage(npm, unreviewedScripts)
   }
 }
 
@@ -217,4 +230,39 @@ const packagesFundingMessage = (npm, { funding }) => {
   output.standard('  run `npm fund` for details')
 }
 
+const unreviewedScriptsMessage = (npm, unreviewedScripts) => {
+  if (!unreviewedScripts.length) {
+    return
+  }
+
+  // Goes through log.warn so it respects --loglevel / --silent and lands
+  // on stderr like every other "FYI, here's something to know" message.
+  // stdout is reserved for things the user explicitly asked to see
+  // (npm ls, npm view).
+  const count = unreviewedScripts.length
+  const pkg = count === 1 ? 'package has' : 'packages have'
+  const header = `${count} ${pkg} install scripts not yet covered by allowScripts:`
+
+  const lines = unreviewedScripts.map(({ node, scripts }) => {
+    const { name, version } = trustedDisplay(node)
+    /* istanbul ignore next: every test node has a name */
+    const display = name || ''
+    const ver = version ? `@${version}` : ''
+    const events = Object.entries(scripts)
+      .map(([event, cmd]) => `${event}: ${cmd}`)
+      .join('; ')
+    return `  ${display}${ver} (${events})`
+  })
+
+  log.warn(
+    'allow-scripts',
+    [
+      header,
+      ...lines,
+      '',
+      'Run `npm approve-scripts --allow-scripts-pending` to review, or `npm approve-scripts ` to allow.',
+    ].join('\n')
+  )
+}
+
 module.exports = reifyOutput
diff --git a/deps/npm/lib/utils/resolve-allow-scripts.js b/deps/npm/lib/utils/resolve-allow-scripts.js
new file mode 100644
index 00000000000000..b658e1a68ad0cf
--- /dev/null
+++ b/deps/npm/lib/utils/resolve-allow-scripts.js
@@ -0,0 +1,181 @@
+const { log } = require('proc-log')
+const npa = require('npm-package-arg')
+const pkgJson = require('@npmcli/package-json')
+const { isExactVersionDisjunction } = require('@npmcli/arborist/lib/script-allowed.js')
+const parseAllowScriptsList = require('@npmcli/config/lib/parse-allow-scripts-list.js')
+
+const buildPolicyFromNames = (names) => {
+  /* istanbul ignore if: callers only pass non-empty arrays */
+  if (!names.length) {
+    return null
+  }
+  const policy = {}
+  for (const name of names) {
+    policy[name] = true
+  }
+  return policy
+}
+
+// Read the `allow-scripts` value from one or more named config sources and
+// build a policy object. Returns `null` if none of the sources has a value.
+const policyFromSources = (npm, sources) => {
+  for (const where of sources) {
+    const value = npm.config.get?.('allow-scripts', where)
+    if (value === undefined) {
+      continue
+    }
+    const names = parseAllowScriptsList(value)
+    /* istanbul ignore else: parseAllowScriptsList returns non-empty when value is set */
+    if (names.length) {
+      return buildPolicyFromNames(names)
+    }
+  }
+  return null
+}
+
+const validatePolicy = (policy, sourceLabel) => {
+  // Drop and warn about keys with forbidden semver ranges (^, ~, >=, <, *).
+  // The RFC only permits exact versions joined by `||`. Bare names like
+  // `canvas` and explicit name-only wildcards (`canvas@*`) are allowed.
+  if (!policy) {
+    return policy
+  }
+  const cleaned = {}
+  for (const [key, value] of Object.entries(policy)) {
+    let parsed
+    try {
+      parsed = npa(key)
+    } catch {
+      log.warn('allow-scripts', `${sourceLabel}: ignoring unparseable entry "${key}"`)
+      continue
+    }
+    if (parsed.type === 'tag') {
+      // `pkg@latest`, `pkg@next`, etc. look like a pin but behave name-
+      // only — the matcher has no way to verify what the tag points at
+      // when scripts run. Reject for the same reason as semver ranges.
+      log.warn(
+        'allow-scripts',
+        `${sourceLabel}: ignoring "${key}" — dist-tag specs (@latest, @next, ...) are not allowed; ` +
+        'use exact versions joined by "||", or the bare package name, instead'
+      )
+      continue
+    }
+    if (parsed.type === 'range') {
+      const isNameOnly = parsed.fetchSpec === '*'
+        || parsed.rawSpec === ''
+        || parsed.rawSpec === '*'
+      if (!isNameOnly && !isExactVersionDisjunction(parsed.fetchSpec)) {
+        log.warn(
+          'allow-scripts',
+          `${sourceLabel}: ignoring "${key}" — semver ranges (^, ~, >=, <) are not allowed; ` +
+          'use exact versions joined by "||" instead'
+        )
+        continue
+      }
+    }
+    cleaned[key] = value
+  }
+  return Object.keys(cleaned).length > 0 ? cleaned : null
+}
+
+// Resolve the effective allowScripts policy from the layered sources.
+// Returns `{ policy, source }` where:
+//   - `policy` is an object map of `package-spec` -> boolean, or `null` if
+//     no layer has any configuration
+//   - `source` is one of `'cli'`, `'package.json'`, `'.npmrc'`, or `null`
+//
+// Precedence order (highest to lowest), per RFC npm/rfcs#868:
+//   1. CLI flags (--allow-scripts) and env vars
+//   2. Root `package.json#allowScripts`
+//   3. `.npmrc` cascade (project, user, global)
+//
+// The project `package.json` layer is skipped when:
+//   - `npm.global` is true (no project context exists for global installs)
+//   - `skipProjectConfig` is true (e.g. npm exec / npx, which per the RFC
+//     consult only user/global .npmrc)
+//
+// In both skipped cases, the CLI and .npmrc layers are still consulted;
+// only the project package.json layer is skipped.
+//
+// The first source with any configuration wins for the entire install;
+// lower layers are ignored. A `log.warn` is emitted whenever a setting is
+// being suppressed by a higher-priority source.
+//
+// Reads `package.json` from `npm.prefix` (not `npm.localPrefix`) so an
+// install run from a workspace sub-directory still picks up the project
+// root's policy.
+const resolveAllowScripts = async (npm, { skipProjectConfig = false } = {}) => {
+  // Independently probe each RFC layer.
+  const cliPolicy = policyFromSources(npm, ['cli', 'env'])
+  const npmrcPolicy = policyFromSources(npm, ['project', 'user', 'global', 'builtin'])
+
+  // The --allow-scripts CLI flag is intended for one-off and global
+  // contexts (npm exec, npx, npm install -g). In a project-scoped install,
+  // team policy belongs in package.json or .npmrc, so reject the flag
+  // outright to avoid the "works on my machine" footgun.
+  if (cliPolicy && !npm.global && !skipProjectConfig) {
+    throw Object.assign(
+      new Error(
+        '--allow-scripts is not allowed in project-scoped installs. ' +
+        'Add the entries to the "allowScripts" field in package.json, ' +
+        'or to .npmrc, instead.'
+      ),
+      { code: 'EALLOWSCRIPTS' }
+    )
+  }
+
+  // Project package.json is consulted only when the caller is operating
+  // inside a real project (not -g, not npx).
+  let pkgPolicy = null
+  if (!npm.global && !skipProjectConfig) {
+    try {
+      const { content } = await pkgJson.normalize(npm.prefix)
+      if (content?.allowScripts && typeof content.allowScripts === 'object') {
+        const entries = Object.entries(content.allowScripts)
+        if (entries.length > 0) {
+          pkgPolicy = Object.fromEntries(entries)
+        }
+      }
+    } catch (err) {
+      log.silly('allow-scripts', 'no package.json at prefix', err.message)
+    }
+  }
+
+  // Validate each candidate layer: drop forbidden ranges, warn the user.
+  const cli = validatePolicy(cliPolicy, 'CLI flag')
+  const pkg = validatePolicy(pkgPolicy, 'package.json')
+  const rc = validatePolicy(npmrcPolicy, '.npmrc')
+
+  // Apply RFC precedence.
+  if (cli) {
+    // Note: `pkg` is never set alongside `cli` here. Project package.json is
+    // only read when `!npm.global && !skipProjectConfig`, but in that same
+    // case a CLI policy throws above. With `npm.global` or skipProjectConfig
+    // set, package.json is never consulted.
+    if (rc) {
+      log.warn(
+        'allow-scripts',
+        '.npmrc allow-scripts setting is being ignored because --allow-scripts was passed on the command line'
+      )
+    }
+    return { policy: cli, source: 'cli' }
+  }
+
+  if (pkg) {
+    if (rc) {
+      log.warn(
+        'allow-scripts',
+        '.npmrc allow-scripts setting is being ignored because package.json declares its own allowScripts field'
+      )
+    }
+    return { policy: pkg, source: 'package.json' }
+  }
+
+  if (rc) {
+    return { policy: rc, source: '.npmrc' }
+  }
+
+  return { policy: null, source: null }
+}
+
+module.exports = resolveAllowScripts
diff --git a/deps/npm/lib/utils/sbom-cyclonedx.js b/deps/npm/lib/utils/sbom-cyclonedx.js
index f8283397989d5b..fe368e968baaa7 100644
--- a/deps/npm/lib/utils/sbom-cyclonedx.js
+++ b/deps/npm/lib/utils/sbom-cyclonedx.js
@@ -170,13 +170,20 @@ const toCyclonedxItem = (node, { packageType }) => {
 }
 
 const toCyclonedxDependency = (node, nodes) => {
-  return {
-    ref: toCyclonedxID(node),
-    dependsOn: [...node.edgesOut.values()]
+  // A node can have multiple outgoing edges resolving to the same
+  // `name@version` (e.g. via npm aliases like `foo: npm:bar@1` alongside a
+  // direct `bar: ^1` dep), which would produce duplicate entries in
+  // `dependsOn`. CycloneDX 1.5 requires unique items, so dedupe by ref.
+  const dependsOn = [...new Set(
+    [...node.edgesOut.values()]
       // Filter out edges that are linking to nodes not in the list
       .filter(edge => nodes.find(n => n === edge.to))
       .map(edge => toCyclonedxID(edge.to))
-      .filter(id => id),
+      .filter(id => id)
+  )]
+  return {
+    ref: toCyclonedxID(node),
+    dependsOn,
   }
 }
 
diff --git a/deps/npm/lib/utils/sbom-spdx.js b/deps/npm/lib/utils/sbom-spdx.js
index 38824f263681d0..8ea75c688bc862 100644
--- a/deps/npm/lib/utils/sbom-spdx.js
+++ b/deps/npm/lib/utils/sbom-spdx.js
@@ -48,11 +48,23 @@ const spdxOutput = ({ npm, nodes, packageType }) => {
     }
     seen.add(node)
 
+    // A node can have multiple outgoing edges resolving to the same
+    // `name@version` of the same edge type (e.g. via npm aliases), which
+    // would produce identical relationship triples. Dedupe per source node.
+    const seenRels = new Set()
     const rels = [...node.edgesOut.values()]
       // Filter out edges that are linking to nodes not in the list
       .filter(edge => nodes.find(n => n === edge.to))
       .map(edge => toSpdxRelationship(node, edge))
       .filter(rel => rel)
+      .filter(rel => {
+        const key = `${rel.spdxElementId}|${rel.relatedSpdxElement}|${rel.relationshipType}`
+        if (seenRels.has(key)) {
+          return false
+        }
+        seenRels.add(key)
+        return true
+      })
 
     relationships.push(...rels)
   }
diff --git a/deps/npm/lib/utils/strict-allow-scripts-preflight.js b/deps/npm/lib/utils/strict-allow-scripts-preflight.js
new file mode 100644
index 00000000000000..a3f83ea4b662bc
--- /dev/null
+++ b/deps/npm/lib/utils/strict-allow-scripts-preflight.js
@@ -0,0 +1,61 @@
+const checkAllowScripts = require('./check-allow-scripts.js')
+
+// Pre-flight check for `--strict-allow-scripts`. Call after arborist has
+// been constructed but before `arb.reify()` runs, so that install scripts
+// never execute when strict mode would block them.
+//
+// Behaviour:
+//   - No-op unless `npm.flatOptions.strictAllowScripts` is set.
+//   - Bypassed by `--dangerously-allow-all-scripts` and `--ignore-scripts`
+//     (the per-flag short-circuits already live in checkAllowScripts).
+//   - Builds the ideal tree (idempotent — subsequent reify reuses it),
+//     walks it for nodes whose install scripts have not been covered by
+//     the `allowScripts` policy, and throws if any are found.
+const strictAllowScriptsPreflight = async ({ arb, npm, idealTreeOpts }) => {
+  if (!npm?.flatOptions?.strictAllowScripts) {
+    return
+  }
+
+  // Prefer the idealTree when reify is about to run; fall back to
+  // actualTree for npm rebuild (which never builds an ideal tree).
+  let tree
+  if (idealTreeOpts !== undefined) {
+    // `npm ci` builds the ideal tree before calling the preflight, so
+    // skip the rebuild when one already exists. `npm install` calls the
+    // preflight before reify and needs us to build.
+    if (!arb.idealTree) {
+      await arb.buildIdealTree(idealTreeOpts)
+    }
+    tree = arb.idealTree
+  } else {
+    tree = arb.actualTree
+  }
+
+  const unreviewed = await checkAllowScripts({ arb, npm, tree })
+  if (unreviewed.length === 0) {
+    return
+  }
+
+  const lines = unreviewed.map(({ node, scripts }) => {
+    const events = Object.entries(scripts)
+      .map(([event, body]) => `${event}: ${body}`)
+      .join('; ')
+    const name = node.package?.name || node.name
+    const version = node.package?.version || ''
+    const label = version ? `${name}@${version}` : name
+    return `  ${label} (${events})`
+  }).join('\n')
+
+  throw Object.assign(
+    new Error(
+      `--strict-allow-scripts: ${unreviewed.length} package(s) have install ` +
+      `scripts not covered by allowScripts:\n${lines}\n` +
+      'Approve them with `npm approve-scripts`, deny them with ' +
+      '`npm deny-scripts`, or bypass this check with ' +
+      '`--dangerously-allow-all-scripts`.'
+    ),
+    { code: 'ESTRICTALLOWSCRIPTS' }
+  )
+}
+
+module.exports = strictAllowScriptsPreflight
diff --git a/deps/npm/lib/utils/tar.js b/deps/npm/lib/utils/tar.js
index a744dca3132578..6b6870678c0973 100644
--- a/deps/npm/lib/utils/tar.js
+++ b/deps/npm/lib/utils/tar.js
@@ -1,15 +1,16 @@
 const tar = require('tar')
 const ssri = require('ssri')
-const { log, output } = require('proc-log')
+const { log, output, META } = require('proc-log')
 const formatBytes = require('./format-bytes.js')
 const localeCompare = require('@isaacs/string-locale-compare')('en', {
   sensitivity: 'case',
   numeric: true,
 })
 
-const logTar = (tarball, { unicode = false, json, key } = {}) => {
+const logTar = (tarball, { unicode = false, json, key, redact } = {}) => {
   if (json) {
-    output.buffer(key == null ? tarball : { [key]: tarball })
+    const meta = redact === false ? { [META]: true, redact: false } : undefined
+    output.buffer(key == null ? tarball : { [key]: tarball }, meta)
     return
   }
   log.notice('')
diff --git a/deps/npm/lib/utils/validate-uuid.js b/deps/npm/lib/utils/validate-uuid.js
new file mode 100644
index 00000000000000..d5842429303f60
--- /dev/null
+++ b/deps/npm/lib/utils/validate-uuid.js
@@ -0,0 +1,10 @@
+// UUID validation regex
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+
+const validateUUID = (value, fieldName) => {
+  if (!UUID_REGEX.test(value)) {
+    throw new Error(`${fieldName} must be a valid UUID`)
+  }
+}
+
+module.exports = { UUID_REGEX, validateUUID }
diff --git a/deps/npm/lib/utils/warn-workspace-allow-scripts.js b/deps/npm/lib/utils/warn-workspace-allow-scripts.js
new file mode 100644
index 00000000000000..e46e6cf4d2a10b
--- /dev/null
+++ b/deps/npm/lib/utils/warn-workspace-allow-scripts.js
@@ -0,0 +1,40 @@
+const { log } = require('proc-log')
+
+// The allowScripts policy MUST live at the project root (RFC npm/rfcs#868).
+// A non-root workspace declaring its own allowScripts is almost always a
+// mistake: that policy would be silently ignored at install time.
+//
+// `findWorkspaceAllowScripts` returns the list of offending workspace nodes.
+// `warnWorkspaceAllowScripts` is the side-effecting variant that emits one
+// install-time `log.warn` per offender.
+
+const findWorkspaceAllowScripts = (tree) => {
+  const offenders = []
+  if (!tree?.inventory) {
+    return offenders
+  }
+  for (const node of tree.inventory.values()) {
+    if (!node.isWorkspace || node.isProjectRoot) {
+      continue
+    }
+    if (node.package?.allowScripts !== undefined) {
+      offenders.push(node)
+    }
+  }
+  return offenders
+}
+
+const warnWorkspaceAllowScripts = (tree) => {
+  for (const node of findWorkspaceAllowScripts(tree)) {
+    const name = node.packageName || node.name
+    log.warn(
+      'allow-scripts',
+      `allowScripts in workspace ${name} (${node.path}) is ignored. ` +
+      'Move the field to the project root package.json.'
+    )
+  }
+}
+
+module.exports = warnWorkspaceAllowScripts
+module.exports.warnWorkspaceAllowScripts = warnWorkspaceAllowScripts
+module.exports.findWorkspaceAllowScripts = findWorkspaceAllowScripts
diff --git a/deps/npm/man/man1/npm-access.1 b/deps/npm/man/man1/npm-access.1
index 13c9af41efc167..1137b4d5fbee07 100644
--- a/deps/npm/man/man1/npm-access.1
+++ b/deps/npm/man/man1/npm-access.1
@@ -1,4 +1,4 @@
-.TH "NPM-ACCESS" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-ACCESS" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-access\fR - Set access level on published packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-adduser.1 b/deps/npm/man/man1/npm-adduser.1
index a9ce18423f7286..b52bf3ed7f980e 100644
--- a/deps/npm/man/man1/npm-adduser.1
+++ b/deps/npm/man/man1/npm-adduser.1
@@ -1,4 +1,4 @@
-.TH "NPM-ADDUSER" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-ADDUSER" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-adduser\fR - Add a registry user account
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-approve-scripts.1 b/deps/npm/man/man1/npm-approve-scripts.1
new file mode 100644
index 00000000000000..b6ac279a025584
--- /dev/null
+++ b/deps/npm/man/man1/npm-approve-scripts.1
@@ -0,0 +1,113 @@
+.TH "NPM-APPROVE-SCRIPTS" "1" "May 2026" "NPM@11.16.0" ""
+.SH "NAME"
+\fBnpm-approve-scripts\fR - Approve install scripts for specific dependencies
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm approve-scripts  \[lB] ...\[rB]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+.fi
+.RE
+.P
+Note: This command is unaware of workspaces.
+.SS "Description"
+.P
+Manages the \fBallowScripts\fR field in your project's \fBpackage.json\fR, which records which of your dependencies are permitted to run install scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry sources). This command is the recommended way to maintain that field.
+.P
+In the current release, this field is advisory: install scripts still run by default, but installs print a list of packages whose scripts have not been reviewed. A future release will block unreviewed install scripts.
+.P
+There are three modes:
+.P
+.RS 2
+.nf
+npm approve-scripts  \[lB] ...\[rB]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+.fi
+.RE
+.P
+\fB\fR matches every installed version of that package. By default the command writes pinned entries (\fBpkg@1.2.3\fR), which keep their approval narrowed to the specific version you reviewed. Pass \fB--no-allow-scripts-pin\fR to write name-only entries that allow any future version.
+.P
+\fB--all\fR approves every package with unreviewed install scripts in one go.
+.P
+\fB--allow-scripts-pending\fR is read-only: it lists every package whose install scripts are not yet covered by \fBallowScripts\fR, without modifying \fBpackage.json\fR.
+.P
+\fBapprove-scripts\fR honours the asymmetric pin rule: if you re-approve a package whose installed version has changed, the existing pin is rewritten to track the new installed version. Multi-version statements (\fBpkg@1 || 2\fR) are left alone, since they likely capture intent that the command cannot infer. Existing \fBfalse\fR entries always win; \fBapprove-scripts\fR will not silently re-allow a package you previously denied.
+.SS "Examples"
+.P
+.RS 2
+.nf
+# Approve all currently-installed install scripts after reviewing them
+npm approve-scripts --all
+
+# Approve specific packages, pinned to their installed version
+npm approve-scripts canvas sharp
+
+# Approve name-only (any version of this package is allowed)
+npm approve-scripts --no-allow-scripts-pin canvas
+
+# Preview which packages still need review
+npm approve-scripts --allow-scripts-pending
+.fi
+.RE
+.SS "Configuration"
+.SS "\fBall\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+When running \fBnpm outdated\fR and \fBnpm ls\fR, setting \fB--all\fR will show all outdated or installed packages, rather than only those directly depended upon by the current project.
+.SS "\fBallow-scripts-pending\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+List packages with install scripts that are not yet covered by the \fBallowScripts\fR policy, without modifying \fBpackage.json\fR. Only meaningful for \fBnpm approve-scripts\fR.
+.SS "\fBallow-scripts-pin\fR"
+.RS 0
+.IP \(bu 4
+Default: true
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Write pinned (\fBpkg@version\fR) entries when approving install scripts. Set to \fBfalse\fR to write name-only entries that allow any version. Has no effect on \fBnpm deny-scripts\fR, which always writes name-only entries regardless of this setting.
+.SS "\fBjson\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Whether or not to output JSON data, rather than the normal output.
+.RS 0
+.IP \(bu 4
+In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR.
+.RE 0
+
+.P
+Not supported by all npm commands.
+.SS "See Also"
+.RS 0
+.IP \(bu 4
+npm help deny-scripts
+.IP \(bu 4
+npm help install
+.IP \(bu 4
+npm help rebuild
+.IP \(bu 4
+\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR
+.RE 0
diff --git a/deps/npm/man/man1/npm-audit.1 b/deps/npm/man/man1/npm-audit.1
index 6760fe1e954125..f066529a8b8530 100644
--- a/deps/npm/man/man1/npm-audit.1
+++ b/deps/npm/man/man1/npm-audit.1
@@ -1,4 +1,4 @@
-.TH "NPM-AUDIT" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-AUDIT" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-audit\fR - Run a security audit
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-bugs.1 b/deps/npm/man/man1/npm-bugs.1
index 474b08f5d76a26..6c9d745c20f3f2 100644
--- a/deps/npm/man/man1/npm-bugs.1
+++ b/deps/npm/man/man1/npm-bugs.1
@@ -1,4 +1,4 @@
-.TH "NPM-BUGS" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-BUGS" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-bugs\fR - Report bugs for a package in a web browser
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-cache.1 b/deps/npm/man/man1/npm-cache.1
index e20349de377056..17e38319e16223 100644
--- a/deps/npm/man/man1/npm-cache.1
+++ b/deps/npm/man/man1/npm-cache.1
@@ -1,4 +1,4 @@
-.TH "NPM-CACHE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-CACHE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-cache\fR - Manipulates packages cache
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ci.1 b/deps/npm/man/man1/npm-ci.1
index 21f461e0fdd1db..467929979eda6c 100644
--- a/deps/npm/man/man1/npm-ci.1
+++ b/deps/npm/man/man1/npm-ci.1
@@ -1,4 +1,4 @@
-.TH "NPM-CI" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-CI" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-ci\fR - Clean install a project
 .SS "Synopsis"
@@ -168,6 +168,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -177,9 +201,57 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-completion.1 b/deps/npm/man/man1/npm-completion.1
index ad07723f8e19dd..c6a82af87d93fa 100644
--- a/deps/npm/man/man1/npm-completion.1
+++ b/deps/npm/man/man1/npm-completion.1
@@ -1,4 +1,4 @@
-.TH "NPM-COMPLETION" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-COMPLETION" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-completion\fR - Tab Completion for npm
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-config.1 b/deps/npm/man/man1/npm-config.1
index cb4f7c4a21f478..28ae9ed07de461 100644
--- a/deps/npm/man/man1/npm-config.1
+++ b/deps/npm/man/man1/npm-config.1
@@ -1,4 +1,4 @@
-.TH "NPM-CONFIG" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-CONFIG" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-config\fR - Manage the npm configuration files
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-dedupe.1 b/deps/npm/man/man1/npm-dedupe.1
index 97eb2af71fde23..c62112ff7f9a8c 100644
--- a/deps/npm/man/man1/npm-dedupe.1
+++ b/deps/npm/man/man1/npm-dedupe.1
@@ -1,4 +1,4 @@
-.TH "NPM-DEDUPE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DEDUPE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-dedupe\fR - Reduce duplication in the package tree
 .SS "Synopsis"
@@ -165,6 +165,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -174,9 +198,21 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-deny-scripts.1 b/deps/npm/man/man1/npm-deny-scripts.1
new file mode 100644
index 00000000000000..a466da7a30dc8f
--- /dev/null
+++ b/deps/npm/man/man1/npm-deny-scripts.1
@@ -0,0 +1,99 @@
+.TH "NPM-DENY-SCRIPTS" "1" "May 2026" "NPM@11.16.0" ""
+.SH "NAME"
+\fBnpm-deny-scripts\fR - Deny install scripts for specific dependencies
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm deny-scripts  \[lB] ...\[rB]
+npm deny-scripts --all
+.fi
+.RE
+.P
+Note: This command is unaware of workspaces.
+.SS "Description"
+.P
+The companion command to npm help approve-scripts. Writes \fBfalse\fR entries into the \fBallowScripts\fR field of your project's \fBpackage.json\fR, recording that a dependency must not run install scripts even if a future version would otherwise be eligible.
+.P
+In the current release, install scripts still run by default, so \fBdeny-scripts\fR only affects how installs of denied packages are reported. A future release will block unreviewed install scripts and respect deny entries at install time.
+.P
+.RS 2
+.nf
+npm deny-scripts  \[lB] ...\[rB]
+npm deny-scripts --all
+.fi
+.RE
+.P
+\fB\fR matches every installed version of that package. Denies are always written name-only (\fB"pkg": false\fR), regardless of \fB--allow-scripts-pin\fR. Pinning a deny to a specific version would silently re-allow scripts for any other version of the same package, which defeats the purpose; the command picks the safer default for you.
+.P
+\fB--all\fR denies every package with unreviewed install scripts.
+.P
+If a \fBtrue\fR (pinned or name-only) entry exists for a package and you then deny it, the existing allow entries are removed so the name-only deny is unambiguous.
+.SS "Examples"
+.P
+.RS 2
+.nf
+# Deny a specific package outright
+npm deny-scripts telemetry-pkg
+
+# Deny everything that has install scripts and isn't already approved
+npm deny-scripts --all
+.fi
+.RE
+.SS "Configuration"
+.SS "\fBall\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+When running \fBnpm outdated\fR and \fBnpm ls\fR, setting \fB--all\fR will show all outdated or installed packages, rather than only those directly depended upon by the current project.
+.SS "\fBallow-scripts-pending\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+List packages with install scripts that are not yet covered by the \fBallowScripts\fR policy, without modifying \fBpackage.json\fR. Only meaningful for \fBnpm approve-scripts\fR.
+.SS "\fBallow-scripts-pin\fR"
+.RS 0
+.IP \(bu 4
+Default: true
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Write pinned (\fBpkg@version\fR) entries when approving install scripts. Set to \fBfalse\fR to write name-only entries that allow any version. Has no effect on \fBnpm deny-scripts\fR, which always writes name-only entries regardless of this setting.
+.SS "\fBjson\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Whether or not to output JSON data, rather than the normal output.
+.RS 0
+.IP \(bu 4
+In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR.
+.RE 0
+
+.P
+Not supported by all npm commands.
+.SS "See Also"
+.RS 0
+.IP \(bu 4
+npm help approve-scripts
+.IP \(bu 4
+npm help install
+.IP \(bu 4
+\fBpackage.json\fR \fI\(la/configuring-npm/package-json\(ra\fR
+.RE 0
diff --git a/deps/npm/man/man1/npm-deprecate.1 b/deps/npm/man/man1/npm-deprecate.1
index 8c44f55a1a52b0..0e67565fba394c 100644
--- a/deps/npm/man/man1/npm-deprecate.1
+++ b/deps/npm/man/man1/npm-deprecate.1
@@ -1,4 +1,4 @@
-.TH "NPM-DEPRECATE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DEPRECATE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-deprecate\fR - Deprecate a version of a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-diff.1 b/deps/npm/man/man1/npm-diff.1
index 5b4ab2fcebcb1d..1051276045fc84 100644
--- a/deps/npm/man/man1/npm-diff.1
+++ b/deps/npm/man/man1/npm-diff.1
@@ -1,4 +1,4 @@
-.TH "NPM-DIFF" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DIFF" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-diff\fR - The registry diff command
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-dist-tag.1 b/deps/npm/man/man1/npm-dist-tag.1
index 768fe6d575ea48..a2a7e0ea36a018 100644
--- a/deps/npm/man/man1/npm-dist-tag.1
+++ b/deps/npm/man/man1/npm-dist-tag.1
@@ -1,4 +1,4 @@
-.TH "NPM-DIST-TAG" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DIST-TAG" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-dist-tag\fR - Modify package distribution tags
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-docs.1 b/deps/npm/man/man1/npm-docs.1
index ed9f35f00bebea..943c26eb53fbe3 100644
--- a/deps/npm/man/man1/npm-docs.1
+++ b/deps/npm/man/man1/npm-docs.1
@@ -1,4 +1,4 @@
-.TH "NPM-DOCS" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DOCS" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-docs\fR - Open documentation for a package in a web browser
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-doctor.1 b/deps/npm/man/man1/npm-doctor.1
index d7f5ef43edf1f4..0d40b9b45b14d2 100644
--- a/deps/npm/man/man1/npm-doctor.1
+++ b/deps/npm/man/man1/npm-doctor.1
@@ -1,4 +1,4 @@
-.TH "NPM-DOCTOR" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-DOCTOR" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-doctor\fR - Check the health of your npm environment
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-edit.1 b/deps/npm/man/man1/npm-edit.1
index 83753a5fc423ab..d57bdc0ce6f910 100644
--- a/deps/npm/man/man1/npm-edit.1
+++ b/deps/npm/man/man1/npm-edit.1
@@ -1,4 +1,4 @@
-.TH "NPM-EDIT" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-EDIT" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-edit\fR - Edit an installed package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-exec.1 b/deps/npm/man/man1/npm-exec.1
index d6f20fe3b587b6..8987175e5d8410 100644
--- a/deps/npm/man/man1/npm-exec.1
+++ b/deps/npm/man/man1/npm-exec.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXEC" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-EXEC" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-exec\fR - Run a command from a local or remote npm package
 .SS "Synopsis"
@@ -167,6 +167,42 @@ Include the workspace root when workspaces are enabled for a command.
 When false, specifying individual workspaces via the \fBworkspace\fR config, or all workspaces via the \fBworkspaces\fR flag, will cause npm to operate only on the specified workspaces, and not on the root project.
 .P
 This value is not exported to the environment for child processes.
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "Examples"
 .P
 Run the version of \fBtap\fR in the local dependencies, with the provided arguments:
diff --git a/deps/npm/man/man1/npm-explain.1 b/deps/npm/man/man1/npm-explain.1
index 3f981b60850469..ec315300c2f1ba 100644
--- a/deps/npm/man/man1/npm-explain.1
+++ b/deps/npm/man/man1/npm-explain.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXPLAIN" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-EXPLAIN" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-explain\fR - Explain installed packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-explore.1 b/deps/npm/man/man1/npm-explore.1
index f8fad8822edd5b..fbc61b1de01014 100644
--- a/deps/npm/man/man1/npm-explore.1
+++ b/deps/npm/man/man1/npm-explore.1
@@ -1,4 +1,4 @@
-.TH "NPM-EXPLORE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-EXPLORE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-explore\fR - Browse an installed package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-find-dupes.1 b/deps/npm/man/man1/npm-find-dupes.1
index 5ea1a5e19df5b9..57daa9d322595e 100644
--- a/deps/npm/man/man1/npm-find-dupes.1
+++ b/deps/npm/man/man1/npm-find-dupes.1
@@ -1,4 +1,4 @@
-.TH "NPM-FIND-DUPES" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-FIND-DUPES" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-find-dupes\fR - Find duplication in the package tree
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-fund.1 b/deps/npm/man/man1/npm-fund.1
index fc0e31efb0f96e..05a0177501955f 100644
--- a/deps/npm/man/man1/npm-fund.1
+++ b/deps/npm/man/man1/npm-fund.1
@@ -1,4 +1,4 @@
-.TH "NPM-FUND" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-FUND" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-fund\fR - Retrieve funding information
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-get.1 b/deps/npm/man/man1/npm-get.1
index e05435badd204c..bbcfcae3a21158 100644
--- a/deps/npm/man/man1/npm-get.1
+++ b/deps/npm/man/man1/npm-get.1
@@ -1,4 +1,4 @@
-.TH "NPM-GET" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-GET" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-get\fR - Get a value from the npm configuration
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-help-search.1 b/deps/npm/man/man1/npm-help-search.1
index ed23a840be992b..b50eb9a9ac9c5b 100644
--- a/deps/npm/man/man1/npm-help-search.1
+++ b/deps/npm/man/man1/npm-help-search.1
@@ -1,4 +1,4 @@
-.TH "NPM-HELP-SEARCH" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-HELP-SEARCH" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-help-search\fR - Search npm help documentation
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-help.1 b/deps/npm/man/man1/npm-help.1
index 191480d5c3fe4e..eb4353fbd7c0ea 100644
--- a/deps/npm/man/man1/npm-help.1
+++ b/deps/npm/man/man1/npm-help.1
@@ -1,4 +1,4 @@
-.TH "NPM-HELP" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-HELP" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-help\fR - Get help on npm
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-init.1 b/deps/npm/man/man1/npm-init.1
index 6c7f7af97d5a0e..a55bf5cf7e42d3 100644
--- a/deps/npm/man/man1/npm-init.1
+++ b/deps/npm/man/man1/npm-init.1
@@ -1,4 +1,4 @@
-.TH "NPM-INIT" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-INIT" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-init\fR - Create a package.json file
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-install-ci-test.1 b/deps/npm/man/man1/npm-install-ci-test.1
index c1855691bfbc14..4d0d125aac3a57 100644
--- a/deps/npm/man/man1/npm-install-ci-test.1
+++ b/deps/npm/man/man1/npm-install-ci-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL-CI-TEST" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-INSTALL-CI-TEST" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-install-ci-test\fR - Install a project with a clean slate and run tests
 .SS "Synopsis"
@@ -116,6 +116,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -125,9 +149,57 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-install-test.1 b/deps/npm/man/man1/npm-install-test.1
index ce4172bf42b0ad..dd238cbf6c613b 100644
--- a/deps/npm/man/man1/npm-install-test.1
+++ b/deps/npm/man/man1/npm-install-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL-TEST" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-INSTALL-TEST" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-install-test\fR - Install package(s) and run tests
 .SS "Synopsis"
@@ -193,6 +193,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -202,9 +226,57 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
@@ -228,7 +300,7 @@ If passed to \fBnpm install\fR, will rebuild the npm tree such that only version
 .P
 If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
 .P
-This config cannot be used with: \fBmin-release-age\fR
+If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
 .SS "\fBmin-release-age\fR"
 .RS 0
 .IP \(bu 4
@@ -240,9 +312,7 @@ Type: null or Number
 .P
 If set, npm will build the npm tree such that only versions that were available more than the given number of days ago will be installed. If there are no versions available for the current set of dependencies, the command will error.
 .P
-This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days.
-.P
-This config cannot be used with: \fBbefore\fR
+This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
 .P
 This value is not exported to the environment for child processes.
 .SS "\fBbin-links\fR"
diff --git a/deps/npm/man/man1/npm-install.1 b/deps/npm/man/man1/npm-install.1
index 92df99f6437c96..b51006e58e26d1 100644
--- a/deps/npm/man/man1/npm-install.1
+++ b/deps/npm/man/man1/npm-install.1
@@ -1,4 +1,4 @@
-.TH "NPM-INSTALL" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-INSTALL" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-install\fR - Install a package
 .SS "Synopsis"
@@ -583,6 +583,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -592,9 +616,57 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
@@ -618,7 +690,7 @@ If passed to \fBnpm install\fR, will rebuild the npm tree such that only version
 .P
 If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
 .P
-This config cannot be used with: \fBmin-release-age\fR
+If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
 .SS "\fBmin-release-age\fR"
 .RS 0
 .IP \(bu 4
@@ -630,9 +702,7 @@ Type: null or Number
 .P
 If set, npm will build the npm tree such that only versions that were available more than the given number of days ago will be installed. If there are no versions available for the current set of dependencies, the command will error.
 .P
-This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days.
-.P
-This config cannot be used with: \fBbefore\fR
+This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
 .P
 This value is not exported to the environment for child processes.
 .SS "\fBbin-links\fR"
diff --git a/deps/npm/man/man1/npm-link.1 b/deps/npm/man/man1/npm-link.1
index 749145e10948f0..5fc0057bfe9b6b 100644
--- a/deps/npm/man/man1/npm-link.1
+++ b/deps/npm/man/man1/npm-link.1
@@ -1,4 +1,4 @@
-.TH "NPM-LINK" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-LINK" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-link\fR - Symlink a package folder
 .SS "Synopsis"
@@ -224,6 +224,30 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -233,9 +257,21 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-ll.1 b/deps/npm/man/man1/npm-ll.1
index d7eb6abb2be468..860cb296e86a60 100644
--- a/deps/npm/man/man1/npm-ll.1
+++ b/deps/npm/man/man1/npm-ll.1
@@ -1,4 +1,4 @@
-.TH "NPM-LL" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-LL" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-ll\fR - List installed packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-login.1 b/deps/npm/man/man1/npm-login.1
index 159897bd393f39..037be1840a4f1a 100644
--- a/deps/npm/man/man1/npm-login.1
+++ b/deps/npm/man/man1/npm-login.1
@@ -1,4 +1,4 @@
-.TH "NPM-LOGIN" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-LOGIN" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-login\fR - Login to a registry user account
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-logout.1 b/deps/npm/man/man1/npm-logout.1
index 2f8be327eb1816..d3fdd55251f4ab 100644
--- a/deps/npm/man/man1/npm-logout.1
+++ b/deps/npm/man/man1/npm-logout.1
@@ -1,4 +1,4 @@
-.TH "NPM-LOGOUT" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-LOGOUT" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-logout\fR - Log out of the registry
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ls.1 b/deps/npm/man/man1/npm-ls.1
index 0a6f9a49df3c5d..ac695c5c633c55 100644
--- a/deps/npm/man/man1/npm-ls.1
+++ b/deps/npm/man/man1/npm-ls.1
@@ -1,4 +1,4 @@
-.TH "NPM-LS" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-LS" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-ls\fR - List installed packages
 .SS "Synopsis"
@@ -20,7 +20,7 @@ Positional arguments are \fBname@version-range\fR identifiers, which will limit
 .P
 .RS 2
 .nf
-npm@11.13.0 /path/to/npm
+npm@11.16.0 /path/to/npm
 └─┬ init-package-json@0.0.4
   └── promzard@0.1.5
 .fi
diff --git a/deps/npm/man/man1/npm-org.1 b/deps/npm/man/man1/npm-org.1
index 4afed2e97b2cc5..25f1ca4680cd27 100644
--- a/deps/npm/man/man1/npm-org.1
+++ b/deps/npm/man/man1/npm-org.1
@@ -1,4 +1,4 @@
-.TH "NPM-ORG" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-ORG" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-org\fR - Manage orgs
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-outdated.1 b/deps/npm/man/man1/npm-outdated.1
index 59a87bd862c9c7..462141f446fa46 100644
--- a/deps/npm/man/man1/npm-outdated.1
+++ b/deps/npm/man/man1/npm-outdated.1
@@ -1,4 +1,4 @@
-.TH "NPM-OUTDATED" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-OUTDATED" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-outdated\fR - Check for outdated packages
 .SS "Synopsis"
@@ -180,7 +180,7 @@ If passed to \fBnpm install\fR, will rebuild the npm tree such that only version
 .P
 If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
 .P
-This config cannot be used with: \fBmin-release-age\fR
+If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
 .SS "\fBmin-release-age\fR"
 .RS 0
 .IP \(bu 4
@@ -192,9 +192,7 @@ Type: null or Number
 .P
 If set, npm will build the npm tree such that only versions that were available more than the given number of days ago will be installed. If there are no versions available for the current set of dependencies, the command will error.
 .P
-This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days.
-.P
-This config cannot be used with: \fBbefore\fR
+This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
 .P
 This value is not exported to the environment for child processes.
 .SS "See Also"
diff --git a/deps/npm/man/man1/npm-owner.1 b/deps/npm/man/man1/npm-owner.1
index 9be1dad02c0ca6..7a90c8e0c28856 100644
--- a/deps/npm/man/man1/npm-owner.1
+++ b/deps/npm/man/man1/npm-owner.1
@@ -1,4 +1,4 @@
-.TH "NPM-OWNER" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-OWNER" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-owner\fR - Manage package owners
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-pack.1 b/deps/npm/man/man1/npm-pack.1
index 7491a4154ec658..945b3f42e3c910 100644
--- a/deps/npm/man/man1/npm-pack.1
+++ b/deps/npm/man/man1/npm-pack.1
@@ -1,4 +1,4 @@
-.TH "NPM-PACK" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PACK" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-pack\fR - Create a tarball from a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-ping.1 b/deps/npm/man/man1/npm-ping.1
index cf20722885fa78..0c9f579acb2cd5 100644
--- a/deps/npm/man/man1/npm-ping.1
+++ b/deps/npm/man/man1/npm-ping.1
@@ -1,4 +1,4 @@
-.TH "NPM-PING" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PING" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-ping\fR - Ping npm registry
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-pkg.1 b/deps/npm/man/man1/npm-pkg.1
index 8622f1fe5aaba7..525cc2fa92f67d 100644
--- a/deps/npm/man/man1/npm-pkg.1
+++ b/deps/npm/man/man1/npm-pkg.1
@@ -1,4 +1,4 @@
-.TH "NPM-PKG" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PKG" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-pkg\fR - Manages your package.json
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-prefix.1 b/deps/npm/man/man1/npm-prefix.1
index 83b8d8cc0df771..0ad1dced9b9fca 100644
--- a/deps/npm/man/man1/npm-prefix.1
+++ b/deps/npm/man/man1/npm-prefix.1
@@ -1,4 +1,4 @@
-.TH "NPM-PREFIX" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PREFIX" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-prefix\fR - Display prefix
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-profile.1 b/deps/npm/man/man1/npm-profile.1
index 703f320dc298c3..ca1cdd366d80e1 100644
--- a/deps/npm/man/man1/npm-profile.1
+++ b/deps/npm/man/man1/npm-profile.1
@@ -1,4 +1,4 @@
-.TH "NPM-PROFILE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PROFILE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-profile\fR - Change settings on your registry profile
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-prune.1 b/deps/npm/man/man1/npm-prune.1
index 7f3d08ca5633d2..b7dc1e212c4c89 100644
--- a/deps/npm/man/man1/npm-prune.1
+++ b/deps/npm/man/man1/npm-prune.1
@@ -1,4 +1,4 @@
-.TH "NPM-PRUNE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PRUNE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-prune\fR - Remove extraneous packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-publish.1 b/deps/npm/man/man1/npm-publish.1
index f527741ac1963a..3bbb7139839af8 100644
--- a/deps/npm/man/man1/npm-publish.1
+++ b/deps/npm/man/man1/npm-publish.1
@@ -1,4 +1,4 @@
-.TH "NPM-PUBLISH" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-PUBLISH" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-publish\fR - Publish a package
 .SS "Synopsis"
@@ -120,7 +120,7 @@ If used in the \fBnpm publish\fR command, this is the tag that will be added to
 .IP \(bu 4
 Default: 'public' for new packages, existing packages it will not change the current level
 .IP \(bu 4
-Type: null, "restricted", or "public"
+Type: null, "restricted", "public", or "private"
 .RE 0
 
 .P
@@ -130,6 +130,8 @@ Unscoped packages cannot be set to \fBrestricted\fR.
 .P
 Note: This defaults to not changing the current access level for existing packages. Specifying a value of \fBrestricted\fR or \fBpublic\fR during publish will change the access for an existing package the same way that \fBnpm access set
 status\fR would.
+.P
+The value \fBprivate\fR is an alias for \fBrestricted\fR.
 .SS "\fBdry-run\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-query.1 b/deps/npm/man/man1/npm-query.1
index d8e792f3d0be1f..cc73ad1e92470f 100644
--- a/deps/npm/man/man1/npm-query.1
+++ b/deps/npm/man/man1/npm-query.1
@@ -1,4 +1,4 @@
-.TH "NPM-QUERY" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-QUERY" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-query\fR - Dependency selector query
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-rebuild.1 b/deps/npm/man/man1/npm-rebuild.1
index c19b76fe7597ec..af0562603369e6 100644
--- a/deps/npm/man/man1/npm-rebuild.1
+++ b/deps/npm/man/man1/npm-rebuild.1
@@ -1,4 +1,4 @@
-.TH "NPM-REBUILD" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-REBUILD" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-rebuild\fR - Rebuild a package
 .SS "Synopsis"
@@ -101,6 +101,42 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBworkspace\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man1/npm-repo.1 b/deps/npm/man/man1/npm-repo.1
index 71c912c1f672b6..00b1754b495937 100644
--- a/deps/npm/man/man1/npm-repo.1
+++ b/deps/npm/man/man1/npm-repo.1
@@ -1,4 +1,4 @@
-.TH "NPM-REPO" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-REPO" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-repo\fR - Open package repository page in the browser
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-restart.1 b/deps/npm/man/man1/npm-restart.1
index 75f8758112eb29..5fb602be957ba2 100644
--- a/deps/npm/man/man1/npm-restart.1
+++ b/deps/npm/man/man1/npm-restart.1
@@ -1,4 +1,4 @@
-.TH "NPM-RESTART" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-RESTART" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-restart\fR - Restart a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-root.1 b/deps/npm/man/man1/npm-root.1
index b8b6f31b2d979c..79ab7c6debcb3e 100644
--- a/deps/npm/man/man1/npm-root.1
+++ b/deps/npm/man/man1/npm-root.1
@@ -1,4 +1,4 @@
-.TH "NPM-ROOT" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-ROOT" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-root\fR - Display npm root
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-run.1 b/deps/npm/man/man1/npm-run.1
index c6c0bf5325f5d9..f20c43ab6a7113 100644
--- a/deps/npm/man/man1/npm-run.1
+++ b/deps/npm/man/man1/npm-run.1
@@ -1,4 +1,4 @@
-.TH "NPM-RUN" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-RUN" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-run\fR - Run arbitrary package scripts
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-sbom.1 b/deps/npm/man/man1/npm-sbom.1
index 34d5972e568556..e04ac0e689169a 100644
--- a/deps/npm/man/man1/npm-sbom.1
+++ b/deps/npm/man/man1/npm-sbom.1
@@ -1,4 +1,4 @@
-.TH "NPM-SBOM" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-SBOM" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-sbom\fR - Generate a Software Bill of Materials (SBOM)
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-search.1 b/deps/npm/man/man1/npm-search.1
index b901d6872d770c..51c9a99e58aefe 100644
--- a/deps/npm/man/man1/npm-search.1
+++ b/deps/npm/man/man1/npm-search.1
@@ -1,4 +1,4 @@
-.TH "NPM-SEARCH" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-SEARCH" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-search\fR - Search for packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-set.1 b/deps/npm/man/man1/npm-set.1
index a9a1506e540526..280d610a6e32c4 100644
--- a/deps/npm/man/man1/npm-set.1
+++ b/deps/npm/man/man1/npm-set.1
@@ -1,4 +1,4 @@
-.TH "NPM-SET" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-SET" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-set\fR - Set a value in the npm configuration
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-shrinkwrap.1 b/deps/npm/man/man1/npm-shrinkwrap.1
index 2c872c9723d832..0f7214bda3fd09 100644
--- a/deps/npm/man/man1/npm-shrinkwrap.1
+++ b/deps/npm/man/man1/npm-shrinkwrap.1
@@ -1,4 +1,4 @@
-.TH "NPM-SHRINKWRAP" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-SHRINKWRAP" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-shrinkwrap\fR - Lock down dependency versions for publication
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stage.1 b/deps/npm/man/man1/npm-stage.1
new file mode 100644
index 00000000000000..0fe39e8ff8cffe
--- /dev/null
+++ b/deps/npm/man/man1/npm-stage.1
@@ -0,0 +1,178 @@
+.TH "NPM-STAGE" "1" "May 2026" "NPM@11.16.0" ""
+.SH "NAME"
+\fBnpm-stage\fR - Stage packages for publishing
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage
+.fi
+.RE
+.P
+Note: This command is unaware of workspaces.
+.SS "Description"
+.P
+Staged publishing allows package maintainers to require proof-of-presence for all publishes. Proof-of-presence is where a human is involved, interjects, and provides authentication (2FA) during an action \[em] in this case, publishing an npm package.
+.P
+Typically when maintainers use automated workflows to publish, proof-of-presence is lacking as there's no convenient way to interject the process and provide 2FA, as is the case for publishing with a granular access token with bypass and the trusted publishing flow. Staged publishing allows users to have their automated workflows stage a package without a 2FA prompt, deferring the act of 2FA, allowing the maintainer to approve the staged package and publish at a later point.
+.P
+The \fBnpm stage publish\fR command packs the current working directory and places that version of the package into the registry in a state where it's not available for public access, allowing maintainers to approve the package at a later point in time. The act of staging does not prompt for 2FA and can be done with any token type, the act of approving will.
+.P
+Key behaviors:
+.RS 0
+.IP \(bu 4
+Staged packages share the same semver version unique index as published packages \[em] you cannot publish a version that already exists as a staged version for that package.
+.IP \(bu 4
+You can still publish packages normally while you have staged packages pending.
+.IP \(bu 4
+You can stage multiple versions of the same package.
+.IP \(bu 4
+\fBnpm stage publish\fR has parity with \fBnpm publish\fR and will respect \fB"private": true\fR in \fBpackage.json\fR, refusing to stage the package.
+.RE 0
+
+.SS "Prerequisites"
+.P
+Before using \fBnpm stage\fR commands, ensure the following requirements are met:
+.RS 0
+.IP \(bu 4
+\fBWrite permissions on the package:\fR You must have write access to the package you're configuring.
+.IP \(bu 4
+\fBPackage must exist:\fR The package you're configuring must already exist on the npm registry.
+.IP \(bu 4
+\fB2FA enabled on your account:\fR Commands that require 2FA will prompt you to authenticate. If you don't already have 2FA enabled on your account, you must enable it before using these commands.
+.RE 0
+
+.SS "Subcommands"
+.RS 0
+.IP \(bu 4
+\fBnpm stage publish \[lB]\[rB]\fR - Stage a package for publishing
+.IP \(bu 4
+\fBnpm stage list \[lB]\[rB]\fR - List all staged package versions
+.IP \(bu 4
+\fBnpm stage view \fR - View details of a specific staged package
+.IP \(bu 4
+\fBnpm stage approve \fR - Approve a staged package for publishing
+.IP \(bu 4
+\fBnpm stage reject \fR - Reject a staged package
+.IP \(bu 4
+\fBnpm stage download \fR - Download the tarball for inspection
+.RE 0
+
+.SS "2FA Requirements by Subcommand"
+.P
+| Command | Requires 2FA | Notes | | --- | --- | --- | | \fBnpm stage publish\fR | No | Designed for automated workflows; defers 2FA to approval | | \fBnpm stage list\fR | No | View staged packages | | \fBnpm stage view\fR | No | View staged package details | | \fBnpm stage approve\fR | Yes | Prompts for 2FA to publish the staged package | | \fBnpm stage reject\fR | Yes | Prompts for 2FA to permanently remove the staged package | | \fBnpm stage download\fR | No | Downloads the tarball for local inspection |
+.SS "Tag Behavior"
+.P
+The \fB--tag\fR flag follows the same logic as \fBnpm publish\fR. If no tag is provided, the \fBlatest\fR tag is used by default. For pre-release versions (e.g., \fB1.0.0-beta.1\fR) and non-latest semver versions, the tag must be explicitly provided \[em] otherwise the CLI will error, just as \fBnpm publish\fR would.
+.P
+The tag is an immutable property of the staged package. Once a package is staged with a given tag, the tag cannot be changed. If you need to stage the same version with a different tag, you must first reject the existing staged package using \fBnpm stage reject\fR and then re-stage it with the desired tag.
+.SS "Token Behavior"
+.P
+The key difference with staged publishing is that \fBnpm stage publish\fR never requires a 2FA prompt, regardless of token type. This is what makes it suitable for automated workflows. The goal of \fBnpm stage publish\fR is deferring proof-of-presence to a later point in time.
+.P
+| Token Type | \fBnpm stage publish\fR | \fBnpm publish\fR | | --- | --- | --- | | GAT with bypass | Can stage | Can publish (if allowed by package publishing access) | | GAT without bypass | Can stage | 2FA prompt (if allowed by package publishing access) | | Session token | Can stage | 2FA prompt | | Trust token (OIDC) | Can stage (if allowed) | Can publish (if allowed) |
+.SS "Trust Relationship Permissions"
+.P
+With staged publishing, trust relationships now support granular command permissions. Shortlived tokens issued through trust relationships can only be used with \fBnpm stage publish\fR and \fBnpm publish\fR. Shortlived tokens cannot run \fBnpm stage\fR subcommands.
+.P
+\fBnpm trust \fR supports \fB--allow-publish\fR and \fB--allow-stage-publish\fR to control which commands are available through each trust relationship.
+.SS "Best Practices"
+.P
+\fBNote:\fR The addition of staged publishing does not make your account or org more secure. Maintainers must still use the best practices listed below.
+.RS 0
+.IP 1. 4
+\fBDelete Granular Access Tokens (GAT) with bypass 2FA enabled.\fR Now with staged publishing, we've eliminated the need for a GAT token that can bypass 2FA. We encourage you to delete all your tokens with bypass enabled and switch to using a trust relationship in your automated workflows, or create a GAT without bypass and use \fBnpm stage publish\fR.
+.IP 2. 4
+\fBDisallow tokens from publishing at the package level.\fR All packages have their own access controls under "package access" allowing packages to be published with bypass tokens, which is no longer a necessity. We encourage you to select "Require two-factor authentication and disallow tokens (recommended)" for all your packages on the package access page.
+.IP 3. 4
+\fBConfigure trust relationship permissions to prevent \fBnpm publish\fB.\fR We encourage you to only enable \fBnpm stage publish\fR on your trust relationships and disable \fBnpm publish\fR.
+.RE 0
+
+.SS "Configuration"
+.SS "\fBnpm stage publish\fR"
+.P
+Stage a package for publishing, deferring proof-of-presence (2FA) to a later point in time
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage publish 
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--tag\fR | "latest" | String | If you ask npm to install a package and don't tell it a specific version, then it will install the specified tag. It is the tag added to the package@version specified in the \fBnpm dist-tag add\fR command, if no explicit tag is given. When used by the \fBnpm diff\fR command, this is the tag used to fetch the tarball that will be compared with the local files by default. If used in the \fBnpm publish\fR command, this is the tag that will be added to the package submitted to the registry. | | \fB--access\fR | 'public' for new packages, existing packages it will not change the current level | null, "restricted", "public", or "private" | If you do not want your scoped package to be publicly viewable (and installable) set \fB--access=restricted\fR. Unscoped packages cannot be set to \fBrestricted\fR. Note: This defaults to not changing the current access level for existing packages. Specifying a value of \fBrestricted\fR or \fBpublic\fR during publish will change the access for an existing package the same way that \fBnpm access set status\fR would. The value \fBprivate\fR is an alias for \fBrestricted\fR. | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--otp\fR | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with \fBnpm access\fR. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | | \fB--workspace\fR, \fB-w\fR | | String (can be set multiple times) | Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option. Valid values for the \fBworkspace\fR config are either: * Workspace names * Path to a workspace directory * Path to a parent workspace directory (will result in selecting all workspaces within that folder) When set for the \fBnpm init\fR command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project. | | \fB--workspaces\fR | null | null or Boolean | Set to true to run the command in the context of \fBall\fR configured workspaces. Explicitly setting this to false will cause commands like \fBinstall\fR to ignore workspaces altogether. When not set explicitly: - Commands that operate on the \fBnode_modules\fR tree (install, update, etc.) will link workspaces into the \fBnode_modules\fR folder. - Commands that do other things (test, exec, publish, etc.) will operate on the root project, \fIunless\fR one or more workspaces are specified in the \fBworkspace\fR config. | | \fB--include-workspace-root\fR | false | Boolean | Include the workspace root when workspaces are enabled for a command. When false, specifying individual workspaces via the \fBworkspace\fR config, or all workspaces via the \fBworkspaces\fR flag, will cause npm to operate only on the specified workspaces, and not on the root project. | | \fB--provenance\fR | false | Boolean | When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and published from. |
+.SS "\fBnpm stage list\fR"
+.P
+List all staged package versions
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage list \[lB]\[rB]
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
+.SS "\fBnpm stage view\fR"
+.P
+View details of a specific staged package
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage view 
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
+.SS "\fBnpm stage approve\fR"
+.P
+Approve a staged package, publishing it to the npm registry
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage approve 
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--otp\fR | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with \fBnpm access\fR. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
+.SS "\fBnpm stage reject\fR"
+.P
+Reject a staged package, removing it from the registry
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage reject 
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--otp\fR | null | null or String | This is a one-time password from a two-factor authenticator. It's needed when publishing or changing package permissions with \fBnpm access\fR. If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
+.SS "\fBnpm stage download\fR"
+.P
+Download the tarball of a staged package for inspection
+.SS "Synopsis"
+.P
+.RS 2
+.nf
+npm stage download 
+.fi
+.RE
+.SS "Flags"
+.P
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
+.SS "See Also"
+.RS 0
+.IP \(bu 4
+npm help publish
+.IP \(bu 4
+npm help unpublish
+.IP \(bu 4
+npm help trust
+.RE 0
diff --git a/deps/npm/man/man1/npm-star.1 b/deps/npm/man/man1/npm-star.1
index ffc44d6728e6c4..385d6e8a23249e 100644
--- a/deps/npm/man/man1/npm-star.1
+++ b/deps/npm/man/man1/npm-star.1
@@ -1,4 +1,4 @@
-.TH "NPM-STAR" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-STAR" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-star\fR - Mark your favorite packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stars.1 b/deps/npm/man/man1/npm-stars.1
index 40e1fac243e72e..f028349ba81f8c 100644
--- a/deps/npm/man/man1/npm-stars.1
+++ b/deps/npm/man/man1/npm-stars.1
@@ -1,4 +1,4 @@
-.TH "NPM-STARS" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-STARS" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-stars\fR - View packages marked as favorites
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-start.1 b/deps/npm/man/man1/npm-start.1
index e5d324c7a459c5..de0605d2fa8fa2 100644
--- a/deps/npm/man/man1/npm-start.1
+++ b/deps/npm/man/man1/npm-start.1
@@ -1,4 +1,4 @@
-.TH "NPM-START" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-START" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-start\fR - Start a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-stop.1 b/deps/npm/man/man1/npm-stop.1
index 4f3f31a8111ddb..57cadfb2fa80bd 100644
--- a/deps/npm/man/man1/npm-stop.1
+++ b/deps/npm/man/man1/npm-stop.1
@@ -1,4 +1,4 @@
-.TH "NPM-STOP" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-STOP" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-stop\fR - Stop a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-team.1 b/deps/npm/man/man1/npm-team.1
index a3a69befb065d4..06d7b94acb7f24 100644
--- a/deps/npm/man/man1/npm-team.1
+++ b/deps/npm/man/man1/npm-team.1
@@ -1,4 +1,4 @@
-.TH "NPM-TEAM" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-TEAM" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-team\fR - Manage organization teams and team memberships
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-test.1 b/deps/npm/man/man1/npm-test.1
index 50a813a18c1f08..6c1108360e5789 100644
--- a/deps/npm/man/man1/npm-test.1
+++ b/deps/npm/man/man1/npm-test.1
@@ -1,4 +1,4 @@
-.TH "NPM-TEST" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-TEST" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-test\fR - Test a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-token.1 b/deps/npm/man/man1/npm-token.1
index 396df16d27d5c2..41a69ed9d9c355 100644
--- a/deps/npm/man/man1/npm-token.1
+++ b/deps/npm/man/man1/npm-token.1
@@ -1,4 +1,4 @@
-.TH "NPM-TOKEN" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-TOKEN" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-token\fR - Manage your authentication tokens
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-trust.1 b/deps/npm/man/man1/npm-trust.1
index 91744a56b13b4d..7b3c4d7990a8c9 100644
--- a/deps/npm/man/man1/npm-trust.1
+++ b/deps/npm/man/man1/npm-trust.1
@@ -1,4 +1,4 @@
-.TH "NPM-TRUST" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-TRUST" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-trust\fR - Manage trusted publishing relationships between packages and CI/CD providers
 .SS "Synopsis"
@@ -29,6 +29,19 @@ For a comprehensive overview of trusted publishing, see the \fBnpm trusted publi
 The \fB\[lB]package\[rB]\fR argument specifies the package name. If omitted, npm will use the name from the \fBpackage.json\fR in the current directory.
 .P
 Each trust relationship has its own set of configuration options and flags based on the OIDC claims provided by that provider. OIDC claims come from the CI/CD provider and include information such as repository name, workflow file, or environment. Since each provider's claims differ, the available flags and configuration keys are not universal\[em]npm matches the claims supported by each provider's OIDC configuration. For specific details on which claims and flags are supported for a given provider, use \fBnpm trust  --help\fR.
+.SS "Permissions"
+.P
+When creating a trust relationship, you must specify at least one permission flag to indicate which operations the trusted publisher is allowed to perform:
+.RS 0
+.IP \(bu 4
+\fB--allow-publish\fR: Allows the trusted publisher to run \fBnpm publish\fR for the package.
+.IP \(bu 4
+\fB--allow-stage-publish\fR: Allows the trusted publisher to run \fBnpm stage\fR for the package. The alias \fB--allow-staged-publish\fR is also accepted.
+.RE 0
+
+.P
+At least one of these flags is required when creating a trust configuration. You can specify both to grant both permissions.
+.SS "Provider Options"
 .P
 The required options depend on the CI/CD provider you're configuring. Detailed information about each option is available in the \fBmanaging trusted publisher configurations\fR \fI\(lahttps://docs.npmjs.com/trusted-publishers#managing-trusted-publisher-configurations\(ra\fR section of the npm documentation. If a provider is repository-based and the option is not provided, npm will use the \fBrepository.url\fR field from your \fBpackage.json\fR, if available.
 .P
@@ -57,12 +70,12 @@ Create a trusted relationship between a package and GitHub Actions
 .P
 .RS 2
 .nf
-npm trust github \[lB]package\[rB] --file \[lB]--repo|--repository\[rB] \[lB]--env|--environment\[rB] \[lB]-y|--yes\[rB]
+npm trust github \[lB]package\[rB] --file \[lB]--repo|--repository\[rB] \[lB]--env|--environment\[rB] \[lB]--allow-publish\[rB] \[lB]--allow-stage-publish\[rB] \[lB]-y|--yes\[rB]
 .fi
 .RE
 .SS "Flags"
 .P
-| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--file\fR | null | String (required) | Name of workflow file within a repositories .GitHub folder (must end in yaml, yml) | | \fB--repository\fR, \fB--repo\fR | null | String | Name of the repository in the format owner/repo | | \fB--environment\fR, \fB--env\fR | null | String | CI environment name | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--file\fR | null | String (required) | Name of workflow file within a repositories .GitHub folder (must end in yaml, yml) | | \fB--repository\fR, \fB--repo\fR | null | String | Name of the repository in the format owner/repo | | \fB--environment\fR, \fB--env\fR | null | String | CI environment name | | \fB--allow-publish\fR | false | Boolean | Allow npm publish for this trusted publisher configuration | | \fB--allow-stage-publish\fR, \fB--allow-staged-publish\fR | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
 .SS "\fBnpm trust gitlab\fR"
 .P
 Create a trusted relationship between a package and GitLab CI/CD
@@ -70,12 +83,12 @@ Create a trusted relationship between a package and GitLab CI/CD
 .P
 .RS 2
 .nf
-npm trust gitlab \[lB]package\[rB] --file \[lB]--project|--repo|--repository\[rB] \[lB]--env|--environment\[rB] \[lB]-y|--yes\[rB]
+npm trust gitlab \[lB]package\[rB] --file \[lB]--project|--repo|--repository\[rB] \[lB]--env|--environment\[rB] \[lB]--allow-publish\[rB] \[lB]--allow-stage-publish\[rB] \[lB]-y|--yes\[rB]
 .fi
 .RE
 .SS "Flags"
 .P
-| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--file\fR | null | String (required) | Name of pipeline file (e.g., .gitlab-ci.yml) | | \fB--project\fR | null | String | Name of the project in the format group/project or group/subgroup/project | | \fB--environment\fR, \fB--env\fR | null | String | CI environment name | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--file\fR | null | String (required) | Name of pipeline file (e.g., .gitlab-ci.yml) | | \fB--project\fR | null | String | Name of the project in the format group/project or group/subgroup/project | | \fB--environment\fR, \fB--env\fR | null | String | CI environment name | | \fB--allow-publish\fR | false | Boolean | Allow npm publish for this trusted publisher configuration | | \fB--allow-stage-publish\fR, \fB--allow-staged-publish\fR | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
 .SS "\fBnpm trust circleci\fR"
 .P
 Create a trusted relationship between a package and CircleCI
@@ -83,12 +96,12 @@ Create a trusted relationship between a package and CircleCI
 .P
 .RS 2
 .nf
-npm trust circleci \[lB]package\[rB] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  \[lB]--context-id ...\[rB] \[lB]-y|--yes\[rB]
+npm trust circleci \[lB]package\[rB] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  \[lB]--context-id ...\[rB] \[lB]--allow-publish\[rB] \[lB]--allow-stage-publish\[rB] \[lB]-y|--yes\[rB]
 .fi
 .RE
 .SS "Flags"
 .P
-| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--org-id\fR | null | String (required) | CircleCI organization UUID | | \fB--project-id\fR | null | String (required) | CircleCI project UUID | | \fB--pipeline-definition-id\fR | null | String (required) | CircleCI pipeline definition UUID | | \fB--vcs-origin\fR | null | String (required) | CircleCI repository origin in format 'provider/owner/repo' | | \fB--context-id\fR | null | null or String (can be set multiple times) | CircleCI context UUID to match | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
+| Flag | Default | Type | Description | | --- | --- | --- | --- | | \fB--org-id\fR | null | String (required) | CircleCI organization UUID | | \fB--project-id\fR | null | String (required) | CircleCI project UUID | | \fB--pipeline-definition-id\fR | null | String (required) | CircleCI pipeline definition UUID | | \fB--vcs-origin\fR | null | String (required) | CircleCI repository origin in format 'provider/owner/repo' | | \fB--context-id\fR | null | null or String (can be set multiple times) | CircleCI context UUID to match | | \fB--allow-publish\fR | false | Boolean | Allow npm publish for this trusted publisher configuration | | \fB--allow-stage-publish\fR, \fB--allow-staged-publish\fR | false | Boolean | Allow npm stage publish for this trusted publisher configuration | | \fB--dry-run\fR | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, eg, \fBinstall\fR, \fBupdate\fR, \fBdedupe\fR, \fBuninstall\fR, as well as \fBpack\fR and \fBpublish\fR. Note: This is NOT honored by other network related commands, eg \fBdist-tags\fR, \fBowner\fR, etc. | | \fB--json\fR | false | Boolean | Whether or not to output JSON data, rather than the normal output. * In \fBnpm pkg set\fR it enables parsing set values with JSON.parse() before saving them to your \fBpackage.json\fR. Not supported by all npm commands. | | \fB--registry\fR | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. | | \fB--yes\fR, \fB-y\fR | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
 .SS "\fBnpm trust list\fR"
 .P
 List trusted relationships for a package
diff --git a/deps/npm/man/man1/npm-undeprecate.1 b/deps/npm/man/man1/npm-undeprecate.1
index 86b6ed7fc73ae7..8bb2936691c5c4 100644
--- a/deps/npm/man/man1/npm-undeprecate.1
+++ b/deps/npm/man/man1/npm-undeprecate.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNDEPRECATE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-UNDEPRECATE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-undeprecate\fR - Undeprecate a version of a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-uninstall.1 b/deps/npm/man/man1/npm-uninstall.1
index 0d89545bc3d13a..10845d76cb050f 100644
--- a/deps/npm/man/man1/npm-uninstall.1
+++ b/deps/npm/man/man1/npm-uninstall.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNINSTALL" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-UNINSTALL" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-uninstall\fR - Remove a package
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-unpublish.1 b/deps/npm/man/man1/npm-unpublish.1
index 465ee175b738e8..1386bb85ce279d 100644
--- a/deps/npm/man/man1/npm-unpublish.1
+++ b/deps/npm/man/man1/npm-unpublish.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNPUBLISH" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-UNPUBLISH" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-unpublish\fR - Remove a package from the registry
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-unstar.1 b/deps/npm/man/man1/npm-unstar.1
index 60a6e600a49ddc..4fabb116f4242f 100644
--- a/deps/npm/man/man1/npm-unstar.1
+++ b/deps/npm/man/man1/npm-unstar.1
@@ -1,4 +1,4 @@
-.TH "NPM-UNSTAR" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-UNSTAR" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-unstar\fR - Remove an item from your favorite packages
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-update.1 b/deps/npm/man/man1/npm-update.1
index 0eacbf369b37d5..e157c16d8a30ee 100644
--- a/deps/npm/man/man1/npm-update.1
+++ b/deps/npm/man/man1/npm-update.1
@@ -1,4 +1,4 @@
-.TH "NPM-UPDATE" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-UPDATE" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-update\fR - Update packages
 .SS "Synopsis"
@@ -277,6 +277,42 @@ Type: Boolean
 If true, npm does not run scripts specified in package.json files.
 .P
 Note that commands explicitly intended to run a particular script, such as \fBnpm start\fR, \fBnpm stop\fR, \fBnpm restart\fR, \fBnpm test\fR, and \fBnpm run\fR will still run their intended script if \fBignore-scripts\fR is set, but they will \fInot\fR run any pre- or post-scripts.
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
@@ -300,7 +336,7 @@ If passed to \fBnpm install\fR, will rebuild the npm tree such that only version
 .P
 If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
 .P
-This config cannot be used with: \fBmin-release-age\fR
+If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
 .SS "\fBmin-release-age\fR"
 .RS 0
 .IP \(bu 4
@@ -312,9 +348,7 @@ Type: null or Number
 .P
 If set, npm will build the npm tree such that only versions that were available more than the given number of days ago will be installed. If there are no versions available for the current set of dependencies, the command will error.
 .P
-This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days.
-.P
-This config cannot be used with: \fBbefore\fR
+This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
 .P
 This value is not exported to the environment for child processes.
 .SS "\fBbin-links\fR"
diff --git a/deps/npm/man/man1/npm-version.1 b/deps/npm/man/man1/npm-version.1
index 70feae9fc4509b..78612356235a44 100644
--- a/deps/npm/man/man1/npm-version.1
+++ b/deps/npm/man/man1/npm-version.1
@@ -1,4 +1,4 @@
-.TH "NPM-VERSION" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-VERSION" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-version\fR - Bump a package version
 .SS "Synopsis"
@@ -226,6 +226,8 @@ Commit and tag.
 Run the \fBpostversion\fR script. Use it to clean up the file system or automatically push the commit and/or tag.
 .RE 0
 
+.P
+For the \fBpreversion\fR, \fBversion\fR and \fBpostversion\fR scripts, npm also sets the \fBenvironment variables\fR \fI\(la/using-npm/scripts#environment\(ra\fR \fBnpm_old_version\fR and \fBnpm_new_version\fR.
 .P
 Take the following example:
 .P
diff --git a/deps/npm/man/man1/npm-view.1 b/deps/npm/man/man1/npm-view.1
index e587954fc4be25..5ac8d354fbb51d 100644
--- a/deps/npm/man/man1/npm-view.1
+++ b/deps/npm/man/man1/npm-view.1
@@ -1,4 +1,4 @@
-.TH "NPM-VIEW" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-VIEW" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-view\fR - View registry info
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm-whoami.1 b/deps/npm/man/man1/npm-whoami.1
index a944920ca2e7c5..a0c1956514c26e 100644
--- a/deps/npm/man/man1/npm-whoami.1
+++ b/deps/npm/man/man1/npm-whoami.1
@@ -1,4 +1,4 @@
-.TH "NPM-WHOAMI" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-WHOAMI" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-whoami\fR - Display npm username
 .SS "Synopsis"
diff --git a/deps/npm/man/man1/npm.1 b/deps/npm/man/man1/npm.1
index a32d7b13b182e9..68369b132c9168 100644
--- a/deps/npm/man/man1/npm.1
+++ b/deps/npm/man/man1/npm.1
@@ -1,4 +1,4 @@
-.TH "NPM" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPM" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm\fR - javascript package manager
 .SS "Synopsis"
@@ -12,7 +12,7 @@ npm
 Note: This command is unaware of workspaces.
 .SS "Version"
 .P
-11.13.0
+11.16.0
 .SS "Description"
 .P
 npm is the package manager for the Node JavaScript platform. It puts modules in place so that node can find them, and manages dependency conflicts intelligently.
diff --git a/deps/npm/man/man1/npx.1 b/deps/npm/man/man1/npx.1
index 8878334eb8a297..23671ac8cfb611 100644
--- a/deps/npm/man/man1/npx.1
+++ b/deps/npm/man/man1/npx.1
@@ -1,4 +1,4 @@
-.TH "NPX" "1" "April 2026" "NPM@11.13.0" ""
+.TH "NPX" "1" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpx\fR - Run a command from a local or remote npm package
 .SS "Synopsis"
diff --git a/deps/npm/man/man5/folders.5 b/deps/npm/man/man5/folders.5
index c9d7a23cfd2916..b0a8c9b4825ccb 100644
--- a/deps/npm/man/man5/folders.5
+++ b/deps/npm/man/man5/folders.5
@@ -1,4 +1,4 @@
-.TH "FOLDERS" "5" "April 2026" "NPM@11.13.0" ""
+.TH "FOLDERS" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBFolders\fR - Folder structures used by npm
 .SS "Description"
diff --git a/deps/npm/man/man5/install.5 b/deps/npm/man/man5/install.5
index c43ef43f621d5d..e70fd2ed7b602e 100644
--- a/deps/npm/man/man5/install.5
+++ b/deps/npm/man/man5/install.5
@@ -1,4 +1,4 @@
-.TH "INSTALL" "5" "April 2026" "NPM@11.13.0" ""
+.TH "INSTALL" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBInstall\fR - Download and install node and npm
 .SS "Description"
diff --git a/deps/npm/man/man5/npm-global.5 b/deps/npm/man/man5/npm-global.5
index c9d7a23cfd2916..b0a8c9b4825ccb 100644
--- a/deps/npm/man/man5/npm-global.5
+++ b/deps/npm/man/man5/npm-global.5
@@ -1,4 +1,4 @@
-.TH "FOLDERS" "5" "April 2026" "NPM@11.13.0" ""
+.TH "FOLDERS" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBFolders\fR - Folder structures used by npm
 .SS "Description"
diff --git a/deps/npm/man/man5/npm-json.5 b/deps/npm/man/man5/npm-json.5
index f26a307d85a111..3d0c548f7042fa 100644
--- a/deps/npm/man/man5/npm-json.5
+++ b/deps/npm/man/man5/npm-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE.JSON" "5" "April 2026" "NPM@11.13.0" ""
+.TH "PACKAGE.JSON" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBpackage.json\fR - Specifics of npm's package.json handling
 .SS "Description"
diff --git a/deps/npm/man/man5/npm-shrinkwrap-json.5 b/deps/npm/man/man5/npm-shrinkwrap-json.5
index dff972eeacec67..104ac0703d7710 100644
--- a/deps/npm/man/man5/npm-shrinkwrap-json.5
+++ b/deps/npm/man/man5/npm-shrinkwrap-json.5
@@ -1,4 +1,4 @@
-.TH "NPM-SHRINKWRAP.JSON" "5" "April 2026" "NPM@11.13.0" ""
+.TH "NPM-SHRINKWRAP.JSON" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBnpm-shrinkwrap.json\fR - A publishable lockfile
 .SS "Description"
diff --git a/deps/npm/man/man5/npmrc.5 b/deps/npm/man/man5/npmrc.5
index ff767b87c10dcb..7c5273d6344a25 100644
--- a/deps/npm/man/man5/npmrc.5
+++ b/deps/npm/man/man5/npmrc.5
@@ -1,4 +1,4 @@
-.TH ".NPMRC" "5" "April 2026" "NPM@11.13.0" ""
+.TH ".NPMRC" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fB.npmrc\fR - The npm config files
 .SS "Description"
diff --git a/deps/npm/man/man5/package-json.5 b/deps/npm/man/man5/package-json.5
index f26a307d85a111..3d0c548f7042fa 100644
--- a/deps/npm/man/man5/package-json.5
+++ b/deps/npm/man/man5/package-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE.JSON" "5" "April 2026" "NPM@11.13.0" ""
+.TH "PACKAGE.JSON" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBpackage.json\fR - Specifics of npm's package.json handling
 .SS "Description"
diff --git a/deps/npm/man/man5/package-lock-json.5 b/deps/npm/man/man5/package-lock-json.5
index f66b38335b28ff..40742966252fa4 100644
--- a/deps/npm/man/man5/package-lock-json.5
+++ b/deps/npm/man/man5/package-lock-json.5
@@ -1,4 +1,4 @@
-.TH "PACKAGE-LOCK.JSON" "5" "April 2026" "NPM@11.13.0" ""
+.TH "PACKAGE-LOCK.JSON" "5" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBpackage-lock.json\fR - A manifestation of the manifest
 .SS "Description"
diff --git a/deps/npm/man/man7/config.7 b/deps/npm/man/man7/config.7
index 1b93498c84818e..d4b0b124d3f142 100644
--- a/deps/npm/man/man7/config.7
+++ b/deps/npm/man/man7/config.7
@@ -1,4 +1,4 @@
-.TH "CONFIG" "7" "April 2026" "NPM@11.13.0" ""
+.TH "CONFIG" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBConfig\fR - About npm configuration
 .SS "Description"
@@ -174,7 +174,7 @@ Warning: This should generally not be set via a command-line option. It is safer
 .IP \(bu 4
 Default: 'public' for new packages, existing packages it will not change the current level
 .IP \(bu 4
-Type: null, "restricted", or "public"
+Type: null, "restricted", "public", or "private"
 .RE 0
 
 .P
@@ -184,6 +184,8 @@ Unscoped packages cannot be set to \fBrestricted\fR.
 .P
 Note: This defaults to not changing the current access level for existing packages. Specifying a value of \fBrestricted\fR or \fBpublic\fR during publish will change the access for an existing package the same way that \fBnpm access set
 status\fR would.
+.P
+The value \fBprivate\fR is an alias for \fBrestricted\fR.
 .SS "\fBall\fR"
 .RS 0
 .IP \(bu 4
@@ -194,6 +196,30 @@ Type: Boolean
 
 .P
 When running \fBnpm outdated\fR and \fBnpm ls\fR, setting \fB--all\fR will show all outdated or installed packages, rather than only those directly depended upon by the current project.
+.SS "\fBallow-directory\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from directories. That is, dependencies that point to a directory instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any directories to be installed. \fBnone\fR prevents any directories from being installed. \fBroot\fR only allows directories defined in your project's package.json to be installed. Also allows directory dependencies to be used for other commands like \fBnpm view\fR
+.SS "\fBallow-file\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to install dependencies from tarball files. That is, dependencies that point to a local tarball file instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any tarball file to be installed. \fBnone\fR prevents any tarball file from being installed. \fBroot\fR only allows tarball files defined in your project's package.json to be installed. Also allows tarball file dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-git\fR"
 .RS 0
 .IP \(bu 4
@@ -203,9 +229,21 @@ Type: "all", "none", or "root"
 .RE 0
 
 .P
-Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+Limits the ability for npm to fetch dependencies from git references. That is, dependencies that point to a git repo instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
+.P
+\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched and installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+.SS "\fBallow-remote\fR"
+.RS 0
+.IP \(bu 4
+Default: "all"
+.IP \(bu 4
+Type: "all", "none", or "root"
+.RE 0
+
+.P
+Limits the ability for npm to fetch dependencies from urls. That is, dependencies that point to a tarball url instead of a version or semver range. Please note that this could leave your tree incomplete and some packages may not function as intended or designed. Changing this setting will not remove dependencies that are already installed.
 .P
-\fBall\fR allows any git dependencies to be fetched and installed. \fBnone\fR prevents any git dependencies from being fetched and installed. \fBroot\fR only allows git dependencies defined in your project's package.json to be fetched installed. Also allows git dependencies to be fetched for other commands like \fBnpm view\fR
+\fBall\fR allows any url to be installed. \fBnone\fR prevents any url from being installed. \fBroot\fR only allows urls defined in your project's package.json to be installed. Also allows url dependencies to be used for other commands like \fBnpm view\fR
 .SS "\fBallow-same-version\fR"
 .RS 0
 .IP \(bu 4
@@ -216,6 +254,40 @@ Type: Boolean
 
 .P
 Prevents throwing an error when \fBnpm version\fR is used to set the new version to the same value as the current version.
+.SS "\fBallow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: ""
+.IP \(bu 4
+Type: String (can be set multiple times)
+.RE 0
+
+.P
+Comma-separated list of packages whose install-time lifecycle scripts (\fBpreinstall\fR, \fBinstall\fR, \fBpostinstall\fR, and \fBprepare\fR for non-registry dependencies) are allowed to run.
+.P
+This setting is intended for one-off and global contexts: \fBnpm exec\fR, \fBnpx\fR, and \fBnpm install -g\fR, where no project \fBpackage.json\fR is involved. For team-wide policy in a project, use the \fBallowScripts\fR field in \fBpackage.json\fR (which also supports explicit denials), or configure it in \fB.npmrc\fR. Passing \fB--allow-scripts\fR on the command line during a project-scoped \fBnpm install\fR, \fBci\fR, \fBupdate\fR, or \fBrebuild\fR is an error.
+.P
+Each name is matched against a dependency's resolved identity, not against the package's self-reported name. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
+.SS "\fBallow-scripts-pending\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+List packages with install scripts that are not yet covered by the \fBallowScripts\fR policy, without modifying \fBpackage.json\fR. Only meaningful for \fBnpm approve-scripts\fR.
+.SS "\fBallow-scripts-pin\fR"
+.RS 0
+.IP \(bu 4
+Default: true
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+Write pinned (\fBpkg@version\fR) entries when approving install scripts. Set to \fBfalse\fR to write name-only entries that allow any version. Has no effect on \fBnpm deny-scripts\fR, which always writes name-only entries regardless of this setting.
 .SS "\fBaudit\fR"
 .RS 0
 .IP \(bu 4
@@ -259,7 +331,7 @@ If passed to \fBnpm install\fR, will rebuild the npm tree such that only version
 .P
 If the requested version is a \fBdist-tag\fR and the given tag does not pass the \fB--before\fR filter, the most recent version less than or equal to that tag will be used. For example, \fBfoo@latest\fR might install \fBfoo@1.2\fR even though \fBlatest\fR is \fB2.0\fR.
 .P
-This config cannot be used with: \fBmin-release-age\fR
+If \fBbefore\fR and \fBmin-release-age\fR are both set in the same source, \fBbefore\fR wins (an explicit absolute date overrides a relative window). Across sources, the standard precedence applies (cli > env > project > user > global), so a higher-priority source can always relax or override a lower-priority one.
 .SS "\fBbin-links\fR"
 .RS 0
 .IP \(bu 4
@@ -401,6 +473,16 @@ Type: null or String
 
 .P
 Override CPU architecture of native modules to install. Acceptable values are same as \fBcpu\fR field of package.json, which comes from \fBprocess.arch\fR.
+.SS "\fBdangerously-allow-all-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, bypass the \fBallowScripts\fR policy entirely and run every dependency install script regardless of whether it was approved or denied. Intended as a migration escape hatch only; its use is strongly discouraged. \fB--ignore-scripts\fR still takes precedence over this setting.
 .SS "\fBdepth\fR"
 .RS 0
 .IP \(bu 4
@@ -1116,9 +1198,7 @@ Type: null or Number
 .P
 If set, npm will build the npm tree such that only versions that were available more than the given number of days ago will be installed. If there are no versions available for the current set of dependencies, the command will error.
 .P
-This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days.
-.P
-This config cannot be used with: \fBbefore\fR
+This flag is a complement to \fBbefore\fR, which accepts an exact date instead of a relative number of days. The two may coexist (e.g. \fBmin-release-age\fR in your \fB.npmrc\fR is preserved when npm internally spawns a sub-process with \fB--before\fR while preparing a \fBgit:\fR or \fBgithub:\fR dependency); when both apply, \fBbefore\fR wins within a single source and across sources the standard precedence rules apply.
 .P
 This value is not exported to the environment for child processes.
 .SS "\fBname\fR"
@@ -1725,6 +1805,18 @@ Type: Boolean
 If set to true, then the \fBnpm version\fR command will tag the version using \fB-s\fR to add a signature.
 .P
 Note that git requires you to have set up GPG keys in your git configs for this to work properly.
+.SS "\fBstrict-allow-scripts\fR"
+.RS 0
+.IP \(bu 4
+Default: false
+.IP \(bu 4
+Type: Boolean
+.RE 0
+
+.P
+If \fBtrue\fR, turn the install-script policy from a warning into a hard error: any dependency with install scripts not covered by \fBallowScripts\fR will fail the install instead of running with a notice.
+.P
+Dependencies explicitly denied with \fBfalse\fR in \fBallowScripts\fR are always silently skipped; this setting only affects unreviewed entries. \fB--ignore-scripts\fR and \fB--dangerously-allow-all-scripts\fR both override this setting.
 .SS "\fBstrict-peer-deps\fR"
 .RS 0
 .IP \(bu 4
diff --git a/deps/npm/man/man7/dependency-selectors.7 b/deps/npm/man/man7/dependency-selectors.7
index 3b5e9f8faa2333..4b67c2a3be5892 100644
--- a/deps/npm/man/man7/dependency-selectors.7
+++ b/deps/npm/man/man7/dependency-selectors.7
@@ -1,4 +1,4 @@
-.TH "SELECTORS" "7" "April 2026" "NPM@11.13.0" ""
+.TH "SELECTORS" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBSelectors\fR - Dependency Selector Syntax & Querying
 .SS "Description"
diff --git a/deps/npm/man/man7/developers.7 b/deps/npm/man/man7/developers.7
index 6ed01ced244362..5b41ed26374205 100644
--- a/deps/npm/man/man7/developers.7
+++ b/deps/npm/man/man7/developers.7
@@ -1,4 +1,4 @@
-.TH "DEVELOPERS" "7" "April 2026" "NPM@11.13.0" ""
+.TH "DEVELOPERS" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBDevelopers\fR - Developer guide
 .SS "Description"
diff --git a/deps/npm/man/man7/logging.7 b/deps/npm/man/man7/logging.7
index 0a114670022595..474becd6ff6431 100644
--- a/deps/npm/man/man7/logging.7
+++ b/deps/npm/man/man7/logging.7
@@ -1,4 +1,4 @@
-.TH "LOGGING" "7" "April 2026" "NPM@11.13.0" ""
+.TH "LOGGING" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBLogging\fR - Why, What & How we Log
 .SS "Description"
diff --git a/deps/npm/man/man7/orgs.7 b/deps/npm/man/man7/orgs.7
index 502ef7d6f9b521..e0666bdf0f3389 100644
--- a/deps/npm/man/man7/orgs.7
+++ b/deps/npm/man/man7/orgs.7
@@ -1,4 +1,4 @@
-.TH "ORGANIZATIONS" "7" "April 2026" "NPM@11.13.0" ""
+.TH "ORGANIZATIONS" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBOrganizations\fR - Working with teams & organizations
 .SS "Description"
diff --git a/deps/npm/man/man7/package-spec.7 b/deps/npm/man/man7/package-spec.7
index 3644ebecde9732..76d07709632b0c 100644
--- a/deps/npm/man/man7/package-spec.7
+++ b/deps/npm/man/man7/package-spec.7
@@ -1,4 +1,4 @@
-.TH "SPEC" "7" "April 2026" "NPM@11.13.0" ""
+.TH "SPEC" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBspec\fR - Package name specifier
 .SS "Description"
diff --git a/deps/npm/man/man7/registry.7 b/deps/npm/man/man7/registry.7
index 62edddcc6d591b..cbfca0c6f42d3c 100644
--- a/deps/npm/man/man7/registry.7
+++ b/deps/npm/man/man7/registry.7
@@ -1,4 +1,4 @@
-.TH "REGISTRY" "7" "April 2026" "NPM@11.13.0" ""
+.TH "REGISTRY" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBRegistry\fR - The JavaScript Package Registry
 .SS "Description"
diff --git a/deps/npm/man/man7/removal.7 b/deps/npm/man/man7/removal.7
index 3758202663fa2e..fa44b56539a008 100644
--- a/deps/npm/man/man7/removal.7
+++ b/deps/npm/man/man7/removal.7
@@ -1,4 +1,4 @@
-.TH "REMOVAL" "7" "April 2026" "NPM@11.13.0" ""
+.TH "REMOVAL" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBRemoval\fR - Cleaning the slate
 .SS "Synopsis"
diff --git a/deps/npm/man/man7/scope.7 b/deps/npm/man/man7/scope.7
index fec92c73e43eab..7857ede645fa92 100644
--- a/deps/npm/man/man7/scope.7
+++ b/deps/npm/man/man7/scope.7
@@ -1,4 +1,4 @@
-.TH "SCOPE" "7" "April 2026" "NPM@11.13.0" ""
+.TH "SCOPE" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBScope\fR - Scoped packages
 .SS "Description"
diff --git a/deps/npm/man/man7/scripts.7 b/deps/npm/man/man7/scripts.7
index f6d85659db5872..5cfab1d64cd2e9 100644
--- a/deps/npm/man/man7/scripts.7
+++ b/deps/npm/man/man7/scripts.7
@@ -1,4 +1,4 @@
-.TH "SCRIPTS" "7" "April 2026" "NPM@11.13.0" ""
+.TH "SCRIPTS" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBScripts\fR - How npm handles the "scripts" field
 .SS "Description"
@@ -382,6 +382,16 @@ For example, if you had \fB{"name":"foo", "version":"1.2.5"}\fR in your package.
 \fBNote:\fR In npm 7 and later, most package.json fields are no longer provided as environment variables. Scripts that need access to other package.json fields should read the package.json file directly. The \fBnpm_package_json\fR environment variable provides the path to the file for this purpose.
 .P
 See \fB\[rs]fBpackage.json\[rs]fR\fR \fI\(la/configuring-npm/package-json\(ra\fR for more on package configs.
+.SS "versioning variables"
+.P
+For versioning scripts (\fBpreversion\fR, \fBversion\fR, \fBpostversion\fR), npm sets these environment variables:
+.RS 0
+.IP \(bu 4
+\fBnpm_old_version\fR - The version before being bumped
+.IP \(bu 4
+\fBnpm_new_version\fR \[en] The version after being bumped
+.RE 0
+
 .SS "current lifecycle event"
 .P
 Lastly, the \fBnpm_lifecycle_event\fR environment variable is set to whichever stage of the cycle is being executed. So, you could have a single script used for different parts of the process which switches based on what's currently happening.
diff --git a/deps/npm/man/man7/workspaces.7 b/deps/npm/man/man7/workspaces.7
index e32fbf3c9b124f..be7a22047d9971 100644
--- a/deps/npm/man/man7/workspaces.7
+++ b/deps/npm/man/man7/workspaces.7
@@ -1,4 +1,4 @@
-.TH "WORKSPACES" "7" "April 2026" "NPM@11.13.0" ""
+.TH "WORKSPACES" "7" "May 2026" "NPM@11.16.0" ""
 .SH "NAME"
 \fBWorkspaces\fR - Working with workspaces
 .SS "Description"
diff --git a/deps/npm/node_modules/@npmcli/agent/lib/agents.js b/deps/npm/node_modules/@npmcli/agent/lib/agents.js
index c541b93001517e..e9624dfeb90090 100644
--- a/deps/npm/node_modules/@npmcli/agent/lib/agents.js
+++ b/deps/npm/node_modules/@npmcli/agent/lib/agents.js
@@ -203,4 +203,56 @@ module.exports = class Agent extends AgentBase {
 
     return super.addRequest(request, options)
   }
+
+  // When connect() rejects, agent-base removes only its placeholder socket, so Node never drains this.requests[name] and requests queued past maxSockets hang forever.
+  // On a failure we dispatch the next queued request ourselves.
+  // See npm/cli#9386 and TooTallNate/proxy-agents#427.
+  createSocket (req, options, cb) {
+    super.createSocket(req, options, (err, socket) => {
+      if (err) {
+        this.#drainPendingRequests(req, options)
+      }
+      cb(err, socket)
+    })
+  }
+
+  // Dispatch the next request queued behind maxSockets, reusing the slot the failed connection freed.
+  #drainPendingRequests (failedReq, options) {
+    const name = this.getName(options)
+    const queue = this.requests[name]
+    if (!queue || queue.length === 0) {
+      return
+    }
+
+    // Node's removeSocket() picks a queued request without shifting it off, so drop the failed one to avoid dispatching it twice.
+    const failedIndex = queue.indexOf(failedReq)
+    if (failedIndex !== -1) {
+      queue.splice(failedIndex, 1)
+    }
+    if (queue.length === 0) {
+      delete this.requests[name]
+      return
+    }
+
+    // Safety belt: only dispatch if a socket slot is genuinely free.
+    const socketCount = this.sockets[name] ? this.sockets[name].length : 0
+    if (socketCount >= this.maxSockets || this.totalSocketCount >= this.maxTotalSockets) {
+      return
+    }
+
+    const nextReq = queue.shift()
+    if (queue.length === 0) {
+      delete this.requests[name]
+    }
+
+    // All queued requests share this origin, so the failed request's options suit the next one.
+    // createSocket() recurses here if this connection also fails, draining the whole queue.
+    this.createSocket(nextReq, options, (err, socket) => {
+      if (err) {
+        nextReq.onSocket(null, err)
+      } else {
+        nextReq.onSocket(socket)
+      }
+    })
+  }
 }
diff --git a/deps/npm/node_modules/@npmcli/agent/lib/options.js b/deps/npm/node_modules/@npmcli/agent/lib/options.js
index 0bf53f725f0846..a6ae490a89c3b3 100644
--- a/deps/npm/node_modules/@npmcli/agent/lib/options.js
+++ b/deps/npm/node_modules/@npmcli/agent/lib/options.js
@@ -37,6 +37,10 @@ const normalizeOptions = (opts) => {
   // remove timeout since we already used it to set our own idle timeout
   delete normalized.timeout
 
+  // since opts is often passed when initiating requests, it may contain
+  // headers, which should not be saved in an agent
+  delete normalized.headers
+
   return normalized
 }
 
diff --git a/deps/npm/node_modules/@npmcli/agent/package.json b/deps/npm/node_modules/@npmcli/agent/package.json
index 67670a0c1c484e..8c0d358b02a717 100644
--- a/deps/npm/node_modules/@npmcli/agent/package.json
+++ b/deps/npm/node_modules/@npmcli/agent/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/agent",
-  "version": "4.0.0",
+  "version": "4.0.2",
   "description": "the http/https agent used by the npm cli",
   "main": "lib/index.js",
   "scripts": {
@@ -29,8 +29,10 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.25.0",
-    "publish": "true"
+    "version": "4.30.0",
+    "publish": "true",
+    "updateNpm": false,
+    "latestCiVersion": 24
   },
   "dependencies": {
     "agent-base": "^7.1.0",
@@ -40,11 +42,11 @@
     "socks-proxy-agent": "^8.0.3"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.25.0",
-    "minipass-fetch": "^4.0.1",
+    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/template-oss": "4.30.0",
+    "ip-address": "^10.1.0",
+    "minipass-fetch": "^5.0.0",
     "nock": "^14.0.3",
-    "socksv5": "^0.0.6",
     "tap": "^16.3.0"
   },
   "repository": {
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
index fdbbd4679bd80a..f16844ea73d7d1 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
@@ -13,7 +13,6 @@ const { lstat, readlink } = require('node:fs/promises')
 const { depth } = require('treeverse')
 const { log, time } = require('proc-log')
 const { redact } = require('@npmcli/redact')
-const semver = require('semver')
 
 const {
   OK,
@@ -29,6 +28,15 @@ const Shrinkwrap = require('../shrinkwrap.js')
 const { defaultLockfileVersion } = Shrinkwrap
 const Node = require('../node.js')
 const Link = require('../link.js')
+
+// Maps a parsed spec.type to the corresponding allow-* arborist option name.
+// Hoisted to module scope so #checkAllow doesn't re-allocate it per call.
+const ALLOW_OPTION_FOR_TYPE = {
+  git: 'allowGit',
+  remote: 'allowRemote',
+  file: 'allowFile',
+  directory: 'allowDirectory',
+}
 const addRmPkgDeps = require('../add-rm-pkg-deps.js')
 const optionalSet = require('../optional-set.js')
 const { checkEngine, checkPlatform } = require('npm-install-checks')
@@ -294,10 +302,6 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           }).then(meta => Object.assign(root, { meta }))
         } else {
           return this.loadVirtual({ root })
-            .then(tree => {
-              this.#applyRootOverridesToWorkspaces(tree)
-              return tree
-            })
         }
       })
 
@@ -406,6 +410,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
         global: this.options.global,
         installLinks: this.installLinks,
         legacyPeerDeps: this.legacyPeerDeps,
+        loadOverrides: true,
         root,
       })
     }
@@ -450,6 +455,11 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       const paths = await readdirScoped(nm).catch(() => [])
       for (const p of paths) {
         const name = p.replace(/\\/g, '/')
+        // Match loadActual behavior: hidden entries and retired scoped package
+        // folders are not installed global packages.
+        if (/^(@[^/]+\/)?\./.test(name)) {
+          continue
+        }
         const updateName = this[_updateNames].includes(name)
         if (this[_updateAll] || updateName) {
           if (updateName) {
@@ -648,6 +658,45 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     return vuln.range
   }
 
+  // Enforces the allow-git / allow-file / allow-directory / allow-remote configs at the arborist resolution layer, before any branching into the symlink (Link) path or the manifest-fetch path.
+  // Pacote also enforces these inside FetcherBase.get() as defense-in-depth, but the symlink branch never reaches pacote, and the manifest cache here would bypass pacote on a cached hit.
+  // Throws the same { code: EALLOW${TYPE} } shape pacote uses, so callers and downstream consumers stay consistent.
+  #checkAllow (spec, edge) {
+    const optName = ALLOW_OPTION_FOR_TYPE[spec.type]
+    if (!optName) {
+      return
+    }
+    const allow = this.options[optName] ?? 'all'
+    if (allow === 'all') {
+      return
+    }
+    const isRoot = !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace)
+    if (allow !== 'none' && isRoot) {
+      return
+    }
+    throw Object.assign(
+      new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${spec.type}" have been disabled`),
+      {
+        code: `EALLOW${spec.type.toUpperCase()}`,
+        package: spec.toString(),
+      }
+    )
+  }
+
+  // Builds a Node representing a spec we failed to load (allow-* gate, network failure, ENOTARGET, etc.) and records it in #loadFailures so #pruneFailedOptional can later decide whether the failure is fatal or silently dropped for optional deps.
+  #failureNode (name, parent, error, edge) {
+    error.requiredBy = edge?.from?.location || '.'
+    const n = new Node({
+      name,
+      parent,
+      error,
+      installLinks: this.installLinks,
+      legacyPeerDeps: this.legacyPeerDeps,
+    })
+    this.#loadFailures.add(n)
+    return n
+  }
+
   #queueNamedUpdates () {
     // ignore top nodes, since they are not loaded the same way, and
     // probably have their own project associated with them.
@@ -913,8 +962,21 @@ This is a one-time fix-up, please be patient...
       // be forced to agree on a version of z.
       const required = new Set([edge.from])
       const parent = edge.peer ? virtualRoot : null
-      const dep = vrDep && vrDep.satisfies(edge) ? vrDep
-        : await this.#nodeFromEdge(edge, parent, null, required)
+      let dep = vrDep && vrDep.satisfies(edge) ? vrDep : null
+
+      // A peerOptional conflict can be resolved by finding an existing node in the tree that satisfies the edge, avoiding a registry fetch that may introduce an extraneous package. See npm/cli#9249.
+      // Skip the shortcut when the user has signaled an explicit re-fetch intent (npm update by name, explicit request, or audit fix), so we honor those signals rather than silently keeping the existing node.
+      const skipExistingShortcut = this[_updateNames].includes(edge.name)
+        || this.#explicitRequests.has(edge)
+        || (edge.to && this.auditReport?.isVulnerable(edge.to))
+      if (!dep && edge.type === 'peerOptional' && !skipExistingShortcut) {
+        dep = this.#findHoistableNode(
+          /* istanbul ignore next - resolveParent is always set for non-root nodes */
+          edge.from.resolveParent || edge.from, edge)
+      }
+      if (!dep) {
+        dep = await this.#nodeFromEdge(edge, parent, null, required)
+      }
 
       /* istanbul ignore next */
       debug(() => {
@@ -1026,7 +1088,7 @@ This is a one-time fix-up, please be patient...
             // This can't be changed or removed till we figure out why
             // The test is named "tarball deps with transitive tarball deps"
             promises.push(() =>
-              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent)
+              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent, e)
                 .catch(() => null)
             )
           }
@@ -1044,6 +1106,24 @@ This is a one-time fix-up, please be patient...
     return this.#buildDepStep()
   }
 
+  // BFS descendants of `root` for a node satisfying `edge`.
+  // Prefers nodes closer to root.  Skips bundled nodes.
+  #findHoistableNode (root, edge) {
+    const queue = [...root.children.values()]
+    while (queue.length) {
+      const node = queue.shift()
+      if (node.name === edge.name
+        && !node.inDepBundle
+        && node.satisfies(edge)) {
+        return node
+      }
+      for (const child of node.children.values()) {
+        queue.push(child)
+      }
+    }
+    return null
+  }
+
   // loads a node from an edge, and then loads its peer deps (and their peer deps, on down the line) into a virtual root parent.
   async #nodeFromEdge (edge, parent_, secondEdge, required) {
     // create a virtual root node with the same deps as the node that is requesting this one, so that we can get all the peer deps in a context where they're likely to be resolvable.
@@ -1199,12 +1279,14 @@ This is a one-time fix-up, please be patient...
     return problems
   }
 
-  async #fetchManifest (spec, parent) {
+  async #fetchManifest (spec, parent, edge) {
+    // Enforce allow-* gates before consulting the manifest cache so a cached entry from a different edge cannot bypass the policy.
+    this.#checkAllow(spec, edge)
     const options = {
       ...this.options,
       avoid: this.#avoidRange(spec.name),
       fullMetadata: true,
-      _isRoot: parent?.isProjectRoot || parent?.isWorkspace,
+      _isRoot: !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace),
     }
     // get the intended spec and stored metadata from yarn.lock file,
     // if available and valid.
@@ -1221,6 +1303,14 @@ This is a one-time fix-up, please be patient...
   }
 
   async #nodeFromSpec (name, spec, parent, edge) {
+    // Enforce allow-git / allow-file / allow-directory / allow-remote before any branching, so the symlink (Link) path is enforced as well as the manifest-fetch path.
+    // Route the failure through #loadFailures so optional-dep semantics apply (e.g. a transitive optionalDependencies entry that resolves to a disallowed git URL is silently dropped rather than failing the install).
+    try {
+      this.#checkAllow(spec, edge)
+    } catch (error) {
+      return this.#failureNode(name, parent, error, edge)
+    }
+
     // pacote will slap integrity on its options, so we have to clone the object so it doesn't get mutated.
     // Don't bother to load the manifest for link deps, because the target might be within another package that doesn't exist yet.
     const { installLinks, legacyPeerDeps } = this
@@ -1275,23 +1365,26 @@ This is a one-time fix-up, please be patient...
 
     // spec isn't a directory, and either isn't a workspace or the workspace we have
     // doesn't satisfy the edge. try to fetch a manifest and build a node from that.
-    return this.#fetchManifest(spec, parent)
-      .then(pkg => new Node({ name, pkg, parent, installLinks, legacyPeerDeps }), error => {
-        error.requiredBy = edge.from.location || '.'
-
-        // failed to load the spec, either because of enotarget or
-        // fetch failure of some other sort.  save it so we can verify
-        // later that it's optional; otherwise, the error is fatal.
-        const n = new Node({
-          name,
-          parent,
-          error,
-          installLinks,
-          legacyPeerDeps,
-        })
-        this.#loadFailures.add(n)
-        return n
-      })
+    return this.#fetchManifest(spec, parent, edge)
+      .then(
+        pkg => {
+          // When a proxy/upstream registry returns an incomplete manifest
+          // (e.g. missing version field for platform-specific packages it
+          // hasn't cached), treat it as a load failure so that optional deps
+          // are properly pruned instead of written to the lockfile without
+          // version metadata.  Only apply to registry specs — file: deps
+          // legitimately omit version.
+          if (!pkg.version && spec.registry) {
+            const error = Object.assign(
+              new Error(`incomplete manifest for ${name}, missing version`),
+              { code: 'EINCOMPLETEMANIFEST' }
+            )
+            return this.#failureNode(name, parent, error, edge)
+          }
+          return new Node({ name, pkg, parent, installLinks, legacyPeerDeps })
+        },
+        error => this.#failureNode(name, parent, error, edge)
+      )
   }
 
   // load all peer deps and meta-peer deps into the node's parent
@@ -1507,32 +1600,6 @@ This is a one-time fix-up, please be patient...
     timeEnd()
   }
 
-  #applyRootOverridesToWorkspaces (tree) {
-    const rootOverrides = tree.root.package.overrides || {}
-
-    for (const node of tree.root.inventory.values()) {
-      if (!node.isWorkspace) {
-        continue
-      }
-
-      for (const depName of Object.keys(rootOverrides)) {
-        const edge = node.edgesOut.get(depName)
-        const rootNode = tree.root.children.get(depName)
-
-        // safely skip if either edge or rootNode doesn't exist yet
-        if (!edge || !rootNode) {
-          continue
-        }
-
-        const resolvedRootVersion = rootNode.package.version
-        if (!semver.satisfies(resolvedRootVersion, edge.spec)) {
-          edge.detach()
-          node.children.delete(depName)
-        }
-      }
-    }
-  }
-
   #idealTreePrune () {
     for (const node of this.idealTree.inventory.values()) {
       if (node.extraneous) {
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/index.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/index.js
index 4c1faffa786f35..11581cb4fd9400 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/index.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/index.js
@@ -100,8 +100,10 @@ class Arborist extends Base {
       nodeVersion: process.version,
       ...options,
       Arborist: this.constructor,
+      allowScripts: options.allowScripts ?? null,
       binLinks: 'binLinks' in options ? !!options.binLinks : true,
       cache: options.cache || `${homedir()}/.npm/_cacache`,
+      dangerouslyAllowAllScripts: !!options.dangerouslyAllowAllScripts,
       dryRun: !!options.dryRun,
       formatPackageLock: 'formatPackageLock' in options ? !!options.formatPackageLock : true,
       force: !!options.force,
@@ -288,6 +290,16 @@ class Arborist extends Base {
     return ret
   }
 
+  // Build an ideal tree (or reuse an already-built one) and return the
+  // resulting lockfile contents as a string, without writing to disk.
+  // Useful for callers that want to inspect, diff, or store a lockfile
+  // somewhere other than the project's `package-lock.json`.
+  async lockfileString (options = {}) {
+    await this.buildIdealTree(options)
+
+    return this.idealTree.meta.toString(options)
+  }
+
   async dedupe (options = {}) {
     // allow the user to set options on the ctor as well.
     // XXX: deprecate separate method options objects.
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
index 1f086e97b3cd59..14f432ca977459 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/isolated-reifier.js
@@ -97,7 +97,9 @@ module.exports = cls => class IsolatedReifier extends cls {
     }
     this.counter = 0
 
-    this.idealGraph.workspaces = await Promise.all(Array.from(idealTree.fsChildren.values(), w => this.#workspaceProxy(w)))
+    // Skip extraneous fsChildren: workspaces removed from the root manifest can linger in fsChildren via the lockfile, and re-materializing them here would re-create a directory the user just deleted.
+    const fsChildren = Array.from(idealTree.fsChildren.values()).filter(w => !w.extraneous)
+    this.idealGraph.workspaces = await Promise.all(fsChildren.map(w => this.#workspaceProxy(w)))
     const processed = new Set()
     const queue = [idealTree, ...idealTree.fsChildren]
     while (queue.length !== 0) {
@@ -333,7 +335,8 @@ module.exports = cls => class IsolatedReifier extends cls {
       root.inventory.set(workspace.location, workspace)
       root.workspaces.set(wsName, workspace.path)
 
-      // Create workspace Link. For root declared deps, link at root node_modules/. For undeclared deps, link at the workspace's own node_modules/ (self-link).
+      // Declared workspaces are symlinked at root node_modules/.
+      // Undeclared workspaces get a tree-only Link kept for diff/filter participation but not materialized on disk.
       const isDeclared = this.#rootDeclaredDeps.has(wsName)
       const wsLink = new IsolatedLink({
         location: isDeclared ? join('node_modules', wsName) : join(c.localLocation, 'node_modules', wsName),
@@ -346,7 +349,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         target: workspace,
       })
       if (!isDeclared) {
-        workspace.children.set(wsName, wsLink)
+        wsLink.isUndeclaredWorkspaceLink = true
       }
       root.children.set(wsName, wsLink)
       root.inventory.set(wsLink.location, wsLink)
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
index d4cce1ac02776c..e70a2186c29713 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/rebuild.js
@@ -12,6 +12,7 @@ const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp'
 const { promiseRetry } = require('@gar/promise-retry')
 const { log, time } = require('proc-log')
 const { resolve } = require('node:path')
+const { isScriptAllowed } = require('../script-allowed.js')
 
 const boolEnv = b => b ? '1' : ''
 const sortNodes = (a, b) => (a.depth - b.depth) || localeCompare(a.path, b.path)
@@ -225,6 +226,18 @@ module.exports = cls => class Builder extends cls {
       return
     }
 
+    // Phase 1 allowScripts gate: a `false` verdict from the policy matcher
+    // means the user explicitly denied install scripts for this node, so skip
+    // it. `true` and `null` (unreviewed) both fall through to the existing
+    // detection logic — unreviewed nodes still run their scripts in Phase 1
+    // and are surfaced via the post-reify advisory warning. The global
+    // --ignore-scripts kill switch in #build() still takes precedence, and
+    // --dangerously-allow-all-scripts bypasses this gate entirely.
+    if (!this.options.dangerouslyAllowAllScripts &&
+        isScriptAllowed(node, this.options.allowScripts) === false) {
+      return
+    }
+
     if (this.#oldMeta === null) {
       const { root: { meta } } = node
       this.#oldMeta = meta && meta.loadedFromDisk &&
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
index 26ad0016be3a95..38fb4e37589255 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/arborist/reify.js
@@ -4,6 +4,7 @@ const hgi = require('hosted-git-info')
 const npa = require('npm-package-arg')
 const packageContents = require('@npmcli/installed-package-contents')
 const pacote = require('pacote')
+const { pickRegistry } = require('npm-registry-fetch')
 const promiseAllRejectLate = require('promise-all-reject-late')
 const runScript = require('@npmcli/run-script')
 const { callLimit: promiseCallLimit } = require('promise-call-limit')
@@ -11,7 +12,7 @@ const { depth: dfwalk } = require('treeverse')
 const { dirname, resolve, relative, join, sep } = require('node:path')
 const { log, time } = require('proc-log')
 const { existsSync } = require('node:fs')
-const { lstat, mkdir, readdir, rm, symlink } = require('node:fs/promises')
+const { lstat, mkdir, readdir, readlink, rm, symlink } = require('node:fs/promises')
 const { moveFile } = require('@npmcli/fs')
 const { subset, intersects } = require('semver')
 const { walkUp } = require('walk-up-path')
@@ -126,7 +127,11 @@ module.exports = cls => class Reifier extends cls {
     await this[_diffTrees]()
     await this.#reifyPackages()
     if (linked) {
-      await this.#cleanOrphanedStoreEntries()
+      // The sweep mutates node_modules on disk, so skip it for dry runs and lockfile-only installs (those modes also short-circuit #reifyPackages).
+      // The sweep itself scopes to in-filter workspaces when a filter is active, so it's safe to run for filtered installs too.
+      if (!this.options.dryRun && !this.options.packageLockOnly) {
+        await this.#cleanOrphanedStoreEntries()
+      }
       // swap back in the idealTree
       // so that the lockfile is preserved
       this.idealTree = oldTree
@@ -234,7 +239,7 @@ module.exports = cls => class Reifier extends cls {
     this.actualTree = this.idealTree
     this.idealTree = null
 
-    if (!this.options.global) {
+    if (!this.options.global && !this.options.dryRun) {
       await this.actualTree.meta.save()
       const ignoreScripts = !!this.options.ignoreScripts
       // if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep
@@ -737,7 +742,14 @@ module.exports = cls => class Reifier extends cls {
         ...this.options,
         resolved: node.resolved,
         integrity: node.integrity,
-        _isRoot: node.parent?.isProjectRoot || node.parent?.isWorkspace,
+        // A node counts as "root" for allow-* enforcement if it satisfies at least one valid dependency edge declared by the project root or a workspace.
+        // node.parent is unsafe here: after hoisting, transitive packages can have the project root as their tree parent.
+        _isRoot: [...node.edgesIn].some(e =>
+          e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
+        ),
+        // pacote's npa re-parses our `name@URL` spec as type=remote, so allowRemote would mis-fire on registry tarballs.
+        // Override only when we can prove the URL is registry-mediated; see #isRegistryResolvedTarball.
+        ...(this.#isRegistryResolvedTarball(node) ? { allowRemote: 'all' } : {}),
       })
       // store nodes don't use Node class so node.package doesn't get updated
       if (node.isInStore) {
@@ -748,6 +760,12 @@ module.exports = cls => class Reifier extends cls {
     }
 
     // node.isLink
+
+    // Tree-only Link: present in the tree for diff/filter participation, never materialized on disk.
+    if (node.isUndeclaredWorkspaceLink) {
+      return
+    }
+
     await rm(node.path, { recursive: true, force: true })
 
     // symlink
@@ -861,6 +879,24 @@ module.exports = cls => class Reifier extends cls {
     return wrapper
   }
 
+  // When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
+  // pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
+  // Returns true only when we are confident this is a registry-mediated install: the node's inbound edges must all be registry-typed (no exotic spec smuggled the URL in) AND the resolved URL's host must match the registry npm-registry-fetch selected for this spec, so a tampered lockfile pointing at an attacker host still hits the gate.
+  #isRegistryResolvedTarball (node) {
+    if (!node.resolved || !node.isRegistryDependency) {
+      return false
+    }
+    try {
+      // Hostnames are case-insensitive; lowercase both sides for safety even though WHATWG URL already normalizes.
+      const resolvedHost = new URL(node.resolved).hostname.toLowerCase()
+      // pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
+      const registryHost = new URL(pickRegistry(npa(node.name), this.options)).hostname.toLowerCase()
+      return resolvedHost === registryHost
+    } catch {
+      return false
+    }
+  }
+
   #registryResolved (resolved) {
     // the default registry url is a magic value meaning "the currently
     // configured registry".
@@ -1321,35 +1357,179 @@ module.exports = cls => class Reifier extends cls {
 
   // After a linked install, scan node_modules/.store/ and remove any directories that are not referenced by the current ideal tree.
   // Store entries become orphaned when dependencies are updated or removed, because the diff never sees the old store keys.
+  // Then sweep the top-level node_modules/ for orphaned symlinks (e.g. an uninstalled dep whose store entry was just removed) so we don't leave dangling links.
   async #cleanOrphanedStoreEntries () {
-    const storeDir = resolve(this.path, 'node_modules', '.store')
+    const nmDir = resolve(this.path, 'node_modules')
+    const storeDir = resolve(nmDir, '.store')
+
     let entries
     try {
       entries = await readdir(storeDir)
     } catch {
-      return
+      entries = null
     }
 
-    // Collect valid store keys from the isolated ideal tree (location: node_modules/.store/{key}/node_modules/{pkg})
+    // Collect valid store keys and valid top-level links per node_modules directory.
+    // Store entries have location node_modules/.store/{key}/node_modules/{pkg}.
+    // Top-level links have location {prefix}/node_modules/{pkg} or {prefix}/node_modules/@scope/{pkg}, where {prefix} is empty for the root project and the workspace's localLocation for workspace deps.
+    // Locations are normalized to forward slashes here because IsolatedNode/IsolatedLink locations are built with path.join, which uses backslashes on Windows.
     const validKeys = new Set()
+    const nmDirs = new Map()
+    const NM_PREFIX = 'node_modules/'
+    const STORE_MARKER = '/.store/'
     for (const child of this.idealTree.children.values()) {
+      const loc = child.location.replace(/\\/g, '/')
       if (child.isInStore) {
-        const key = child.location.split(sep)[2]
+        const key = loc.split('/')[2]
         validKeys.add(key)
+        continue
+      }
+      if (!child.isLink) {
+        continue
+      }
+      // Tree-only Links never exist on disk; skipping them lets the sweep remove any stale self-link left by an older npm version.
+      if (child.isUndeclaredWorkspaceLink) {
+        continue
+      }
+      const nmIdx = loc.lastIndexOf(NM_PREFIX)
+      if (nmIdx === -1 || loc.includes(STORE_MARKER)) {
+        continue
+      }
+      const prefix = loc.slice(0, nmIdx)
+      const dir = resolve(this.path, prefix, 'node_modules')
+      const rest = loc.slice(nmIdx + NM_PREFIX.length)
+      let entry
+      if (rest.startsWith('@')) {
+        const [scope, name] = rest.split('/')
+        entry = `${scope}${sep}${name}`
+      } else {
+        entry = rest.split('/')[0]
+      }
+      let set = nmDirs.get(dir)
+      if (!set) {
+        set = new Set()
+        nmDirs.set(dir, set)
+      }
+      set.add(entry)
+    }
+
+    // Determine which node_modules directories to sweep.
+    // For an unfiltered install, sweep the project root and every workspace's node_modules even if no top-level links remain (e.g. last dep was just uninstalled).
+    // For a filtered install (npm install -w ), restrict the sweep to the in-scope workspaces so out-of-scope workspaces are left untouched, mirroring what the diff would do.
+    // When --include-workspace-root is set, the filter scope pulls in root deps too, so the root node_modules is included in the sweep.
+    const filteredNames = this.options.workspaces
+    const isFiltered = Array.isArray(filteredNames) && filteredNames.length > 0
+    if (isFiltered) {
+      const allowedDirs = new Set()
+      for (const ws of this.idealTree.fsChildren) {
+        if (filteredNames.includes(ws.packageName) || filteredNames.includes(ws.name)) {
+          allowedDirs.add(resolve(ws.path, 'node_modules'))
+        }
+      }
+      if (this.options.includeWorkspaceRoot) {
+        allowedDirs.add(nmDir)
+      }
+      for (const dir of [...nmDirs.keys()]) {
+        if (!allowedDirs.has(dir)) {
+          nmDirs.delete(dir)
+        }
+      }
+      for (const dir of allowedDirs) {
+        if (!nmDirs.has(dir)) {
+          nmDirs.set(dir, new Set())
+        }
+      }
+    } else {
+      if (!nmDirs.has(nmDir)) {
+        nmDirs.set(nmDir, new Set())
+      }
+      for (const ws of this.idealTree.fsChildren) {
+        const wsNmDir = resolve(ws.path, 'node_modules')
+        if (!nmDirs.has(wsNmDir)) {
+          nmDirs.set(wsNmDir, new Set())
+        }
+      }
+    }
+
+    if (entries) {
+      const orphaned = entries.filter(e => !validKeys.has(e))
+      if (orphaned.length) {
+        log.silly('reify', 'cleaning orphaned store entries', orphaned)
+        await promiseAllRejectLate(
+          orphaned.map(e =>
+            rm(resolve(storeDir, e), { recursive: true, force: true })
+              .catch(/* istanbul ignore next -- rm with force rarely fails */
+                er => log.warn('cleanup', `Failed to remove orphaned store entry ${e}`, er))
+          )
+        )
+      }
+    }
+
+    for (const [dir, valid] of nmDirs) {
+      await this.#cleanOrphanedTopLevelLinks(dir, valid)
+    }
+  }
+
+  // Remove node_modules/ entries that aren't represented in the ideal tree.
+  // Run for the project root and each workspace's node_modules.
+  // The linked diff path can't see these because #buildLinkedActualForDiff derives the actual tree from the ideal, so removed deps are never compared.
+  // Only symlinks whose target resolves inside the project root are removed — that covers store links (node_modules/.store/...) and workspace self-links (e.g. node_modules/ -> ../packages/) that npm itself created.
+  // Symlinks pointing outside the project (e.g. `npm link foo` without --save targeting the global prefix, or hand-made `ln -s` to an external path) and real directories are preserved.
+  async #cleanOrphanedTopLevelLinks (nmDir, validTopLevel) {
+    const projectPrefix = resolve(this.path) + sep
+    let dirents
+    try {
+      dirents = await readdir(nmDir, { withFileTypes: true })
+    } catch {
+      return
+    }
+
+    const isOurOrphan = async (linkPath) => {
+      let target
+      try {
+        target = await readlink(linkPath)
+      } catch {
+        /* istanbul ignore next -- readlink of an entry we just listed as a symlink should not fail */
+        return false
+      }
+      return resolve(dirname(linkPath), target).startsWith(projectPrefix)
+    }
+
+    const orphaned = []
+    for (const ent of dirents) {
+      // skip npm-managed entries (.bin, .store, .package-lock.json, etc)
+      if (ent.name.startsWith('.')) {
+        continue
+      }
+      if (ent.name.startsWith('@')) {
+        let scoped
+        try {
+          scoped = await readdir(resolve(nmDir, ent.name), { withFileTypes: true })
+        } catch {
+          /* istanbul ignore next -- readdir of an entry we just listed should not fail */
+          continue
+        }
+        for (const pkgEnt of scoped) {
+          const key = `${ent.name}${sep}${pkgEnt.name}`
+          if (!validTopLevel.has(key) && pkgEnt.isSymbolicLink() && await isOurOrphan(resolve(nmDir, key))) {
+            orphaned.push(key)
+          }
+        }
+      } else if (!validTopLevel.has(ent.name) && ent.isSymbolicLink() && await isOurOrphan(resolve(nmDir, ent.name))) {
+        orphaned.push(ent.name)
       }
     }
 
-    const orphaned = entries.filter(e => !validKeys.has(e))
     if (!orphaned.length) {
       return
     }
 
-    log.silly('reify', 'cleaning orphaned store entries', orphaned)
+    log.silly('reify', 'cleaning orphaned top-level links', orphaned)
     await promiseAllRejectLate(
-      orphaned.map(e =>
-        rm(resolve(storeDir, e), { recursive: true, force: true })
+      orphaned.map(name =>
+        rm(resolve(nmDir, name), { recursive: true, force: true })
           .catch(/* istanbul ignore next -- rm with force rarely fails */
-            er => log.warn('cleanup', `Failed to remove orphaned store entry ${e}`, er))
+            er => log.warn('cleanup', `Failed to remove orphaned link ${name}`, er))
       )
     )
   }
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/install-scripts.js b/deps/npm/node_modules/@npmcli/arborist/lib/install-scripts.js
new file mode 100644
index 00000000000000..47a7f982c04ef1
--- /dev/null
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/install-scripts.js
@@ -0,0 +1,88 @@
+const { isNodeGypPackage } = require('@npmcli/node-gyp')
+
+// Returns the install-relevant lifecycle scripts that would run for a
+// given arborist Node, or `{}` if there are none.
+//
+// Includes:
+//   - explicit preinstall/install/postinstall
+//   - prepare, but only for non-registry sources (git, file, link, remote)
+//   - synthetic `node-gyp rebuild`, when `binding.gyp` is present on disk
+//     and the package does not opt out via `gypfile: false` or define its
+//     own install / preinstall script
+
+// Lifecycle-script enumeration boundary.
+//
+// IMPORTANT: this helper decides whether `prepare` should be included
+// in the enumerated install scripts (true for non-registry sources only).
+// It is NOT a policy-matching predicate. The policy matcher in
+// script-allowed.js uses `isRegistryNode`, which is strictly tied to
+// versionFromTgz(node.resolved). The two helpers exist separately on
+// purpose:
+//
+//   - `hasNonRegistryShape` (here): "should we consider running prepare
+//     on this node?" — a yes/no for what to enumerate.
+//   - `isRegistryNode` (script-allowed.js): "do we trust this node's
+//     identity enough to apply a policy entry?" — a security check.
+//
+// The looser fallback here (treating unknown-resolved nodes as registry,
+// thus skipping `prepare`) is the safer default for enumeration: we'd
+// rather omit a script we should have run than synthesise one for a
+// non-registry source we couldn't confirm. The policy matcher's stricter
+// behaviour is correct for its boundary; the two helpers must not be
+// merged.
+const hasNonRegistryShape = (node) => {
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return !node.isRegistryDependency
+  }
+  if (!node.resolved) {
+    return false
+  }
+  return !/^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+const getInstallScripts = async (node) => {
+  /* istanbul ignore next: arborist Nodes always carry a `package` object;
+     defensive fallbacks for non-arborist callers. */
+  const pkg = node.package || {}
+  /* istanbul ignore next */
+  const scripts = pkg.scripts || {}
+  const collected = {}
+
+  if (scripts.preinstall) {
+    collected.preinstall = scripts.preinstall
+  }
+  if (scripts.install) {
+    collected.install = scripts.install
+  }
+  if (scripts.postinstall) {
+    collected.postinstall = scripts.postinstall
+  }
+  if (scripts.prepare && hasNonRegistryShape(node)) {
+    collected.prepare = scripts.prepare
+  }
+
+  const hasExplicitGypGate = !!(collected.preinstall || collected.install)
+  if (
+    !hasExplicitGypGate &&
+    pkg.gypfile !== false &&
+    await isNodeGypPackage(node.path).catch(() => false)
+  ) {
+    collected.install = 'node-gyp rebuild'
+  }
+
+  // Lockfile-only nodes (e.g. `npm ci` before reify) carry
+  // `hasInstallScript: true` but no enumerated scripts: the lockfile
+  // records the presence flag but never the script bodies. Without this
+  // fallback the strict-allow-scripts preflight would miss them entirely
+  // and let postinstall run. We can't recover the real script body
+  // without fetching the manifest, so emit a sentinel describing that
+  // install scripts are present.
+  if (Object.keys(collected).length === 0 && node.hasInstallScript === true) {
+    collected.install = '(install scripts present)'
+  }
+
+  return collected
+}
+
+module.exports = getInstallScripts
+module.exports.getInstallScripts = getInstallScripts
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/link.js b/deps/npm/node_modules/@npmcli/arborist/lib/link.js
index 42bc1faf488609..3824dc81ffb3cb 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/link.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/link.js
@@ -109,6 +109,26 @@ class Link extends Node {
   // so this is a no-op
   [_loadDeps] () {}
 
+  // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut — but only when the OverrideSet has at least one rule that names a dep the target actually depends on.
+  // Without this scope, the link forwards a generic ancestor OverrideSet that has no real effect on the target's edges, but still flips the target to "has overrides", which changes downstream `canReplaceWith` / placement decisions and causes `npm ci` to re-resolve lockfile-pinned edges from the registry.
+  // See npm/cli#9357.
+  recalculateOutEdgesOverrides () {
+    if (!this.target || !this.overrides) {
+      return
+    }
+    let hasMatchingRule = false
+    for (const rule of this.overrides.ruleset.values()) {
+      if (this.target.edgesOut.has(rule.name)) {
+        hasMatchingRule = true
+        break
+      }
+    }
+    if (!hasMatchingRule) {
+      return
+    }
+    this.target.updateOverridesEdgeInAdded(this.overrides)
+  }
+
   // links can't have children, only their targets can
   // fix it to an empty list so that we can still call
   // things that iterate over them, just as a no-op
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js b/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js
new file mode 100644
index 00000000000000..91734fa38c1034
--- /dev/null
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/script-allowed.js
@@ -0,0 +1,340 @@
+const npa = require('npm-package-arg')
+const semver = require('semver')
+const versionFromTgz = require('./version-from-tgz.js')
+
+// Identity matcher for the allowScripts policy.
+//
+// Returns:
+//   - true: at least one allow entry matches and no deny entry matches
+//   - false: at least one deny entry matches (deny wins on conflict)
+//   - null: no entry matches (unreviewed)
+//
+// `policy` is a flat object of `spec-key -> boolean`, where spec-key is
+// anything `npm-package-arg` can parse. `node` is an arborist Node.
+//
+// Identity rules (see RFC npm/rfcs#868):
+//   - registry deps match by the name+version parsed from the lockfile's
+//     resolved URL, NOT by `node.packageName` / `node.version`. Those two
+//     getters return `node.package.name` / `node.package.version`, which
+//     come from the tarball's own package.json and are therefore
+//     attacker-controlled. A package can publish a tarball claiming any
+//     name; the only trusted name is the one baked into the registry URL.
+//   - tarball / file / link / remote: exact match on node.resolved
+//   - git: match on hosted.ssh() plus a short-SHA prefix of the
+//     resolved committish
+
+const isScriptAllowed = (node, policy) => {
+  // Bundled dependencies cannot be allowlisted in Phase 1. The RFC defers
+  // allowlisting them to a follow-up RFC because matching by name@version
+  // from the bundled tarball would reintroduce manifest confusion (a
+  // bundled tarball can claim any name and version). Returning null here
+  // marks bundled deps as unreviewed regardless of any policy entries, so
+  // their install scripts surface in the Phase 1 advisory warning and
+  // (eventually) get blocked at the install-time gate.
+  if (node.inBundle) {
+    return null
+  }
+
+  if (!policy || typeof policy !== 'object') {
+    return null
+  }
+
+  let anyAllow = false
+  let anyDeny = false
+
+  for (const [key, value] of Object.entries(policy)) {
+    if (!matches(node, key)) {
+      continue
+    }
+    if (value === false) {
+      anyDeny = true
+      continue
+    }
+    /* istanbul ignore else: policy values are strictly true/false;
+       defensive guard against unexpected coercions. */
+    if (value === true) {
+      anyAllow = true
+    }
+  }
+
+  if (anyDeny) {
+    return false
+  }
+  if (anyAllow) {
+    return true
+  }
+  return null
+}
+
+const matches = (node, key) => {
+  let parsed
+  try {
+    parsed = npa(key)
+  } catch {
+    return false
+  }
+
+  switch (parsed.type) {
+    case 'tag':
+    case 'range':
+    case 'version':
+      return matchRegistry(node, parsed)
+    case 'git':
+      return matchGit(node, parsed)
+    case 'file':
+    case 'directory':
+      return matchFileOrDir(node, parsed)
+    case 'remote':
+      return matchRemote(node, parsed)
+    case 'alias':
+      // Disallowed: aliases as policy keys do not match anything.
+      // The user has to address the real package name.
+      return false
+    /* istanbul ignore next: switch above covers every npa type we expect;
+       defensive fallback for future npa types. */
+    default:
+      return false
+  }
+}
+
+const matchRegistry = (node, parsed) => {
+  // If this node is not a registry dep, refuse the match. A registry-style
+  // key (`pkg`, `pkg@1`, `pkg@1 || 2`) must not match a tarball or git node
+  // even if their names happen to coincide.
+  if (!isRegistryNode(node)) {
+    return false
+  }
+
+  // Derive the trusted name+version from the lockfile's resolved URL.
+  // Never use `node.packageName` / `node.version` here: those read from
+  // the tarball's own package.json and can be forged by a malicious
+  // publisher to bypass an allowScripts entry.
+  const trusted = getTrustedRegistryIdentity(node)
+  if (!trusted || trusted.name !== parsed.name) {
+    return false
+  }
+
+  // `tag` covers `pkg@latest`. Rejected up front by validatePolicy in
+  // resolve-allow-scripts.js because tags look like a pin but can't be
+  // verified at install time. Defense-in-depth: if one slips through
+  // (e.g. arborist invoked directly without the resolver), don't match.
+  if (parsed.type === 'tag') {
+    /* istanbul ignore next: validatePolicy filters this; defensive */
+    return false
+  }
+
+  // `range` includes `pkg@^1`, `pkg@1 || 2`, `pkg@*`, `pkg@>=0`, and bare
+  // names like `pkg` (npa parses these as range with fetchSpec='*'). The
+  // RFC permits bare names (name-only allow) and exact versions joined by
+  // `||`; ranges like ^/~/>=/< are rejected because they would silently
+  // allow versions the user has never reviewed.
+  if (parsed.type === 'range') {
+    // Bare name or `pkg@*`: treat as name-only allow.
+    if (parsed.fetchSpec === '*' || parsed.rawSpec === '' || parsed.rawSpec === '*') {
+      return true
+    }
+    if (!trusted.version || !isExactVersionDisjunction(parsed.fetchSpec)) {
+      return false
+    }
+    return semver.satisfies(trusted.version, parsed.fetchSpec, { loose: true })
+  }
+
+  // `version` is an exact pin like `pkg@1.2.3`.
+  /* istanbul ignore else: parsed.type at this point is always 'version';
+     the istanbul-ignored fallback below handles the impossible case. */
+  if (parsed.type === 'version') {
+    return trusted.version === parsed.fetchSpec
+  }
+
+  /* istanbul ignore next: parsed.type is constrained to tag/range/version
+     by the caller; this final fallback is defensive. */
+  return false
+}
+
+// Derive a registry node's trusted name+version.
+//
+// Preferred source: the lockfile's resolved URL parsed via
+// versionFromTgz. arborist records the URL when it first adds the dep,
+// before any tarball is unpacked, so the URL cannot be forged by the
+// package's own package.json.
+//
+// Fallback for lockfiles produced with omit-lockfile-registry-resolved
+// (where the URL is absent): take the dep name from an incoming
+// dependency edge. The edge's spec was written by the consumer (or by an
+// upstream package.json), not by the installed tarball. For aliases like
+// `"trusted": "npm:naughty@1.0.0"`, the underlying registered package
+// name is parsed out of the alias `subSpec`. The install location
+// (`node_modules/trusted`) is deliberately not consulted because for
+// aliases it carries only the alias name, which would let a malicious
+// publisher bypass an allowScripts entry written for the real package.
+//
+// Version is left null in the fallback case because the only remaining
+// source for it (`node.version`) reads from the tarball.
+//
+// Returns `{ name, version }` or `null` if no trusted identity exists.
+const getTrustedRegistryIdentity = (node) => {
+  if (node.resolved && typeof node.resolved === 'string') {
+    const parsed = versionFromTgz('', node.resolved)
+    /* istanbul ignore else: versionFromTgz returns either a complete
+       { name, version } or null; partial objects are not produced. */
+    if (parsed && parsed.name && parsed.version) {
+      return parsed
+    }
+  }
+  const name = nameFromEdges(node)
+  if (name) {
+    return { name, version: null }
+  }
+  return null
+}
+
+const nameFromEdges = (node) => {
+  if (!node.edgesIn || typeof node.edgesIn[Symbol.iterator] !== 'function') {
+    return null
+  }
+  for (const edge of node.edgesIn) {
+    let parsed
+    try {
+      parsed = npa.resolve(edge.name, edge.spec)
+    } catch {
+      continue
+    }
+    // Aliases: trust the underlying registered package, not the alias.
+    if (parsed.type === 'alias' && parsed.subSpec && parsed.subSpec.registry) {
+      return parsed.subSpec.name
+    }
+    // Non-aliased registry edge: the edge name is the package name as
+    // written by the consumer / upstream, which is trusted (it is not
+    // read from the installed tarball).
+    if (parsed.registry) {
+      return parsed.name
+    }
+  }
+  return null
+}
+
+// True if `rangeSpec` is one or more exact versions joined by `||`. Anything
+// containing comparator operators (^, ~, >=, <, *) returns false.
+const isExactVersionDisjunction = (rangeSpec) => {
+  /* istanbul ignore next: caller always passes parsed.fetchSpec, which
+     npa guarantees to be a non-empty string for range specs. */
+  if (typeof rangeSpec !== 'string' || rangeSpec.trim() === '') {
+    return false
+  }
+  const parts = rangeSpec.split('||').map(p => p.trim())
+  /* istanbul ignore next: String.prototype.split always returns at least
+     one element; defensive guard only. */
+  if (parts.length === 0) {
+    return false
+  }
+  return parts.every(p => p !== '' && semver.valid(p) !== null)
+}
+
+const matchGit = (node, parsed) => {
+  if (!node.resolved || !node.resolved.startsWith('git')) {
+    return false
+  }
+
+  let nodeParsed
+  try {
+    nodeParsed = npa(node.resolved)
+  } catch {
+    /* istanbul ignore next: npa parsing a git URL we already validated
+       starts with `git` should not throw; defensive guard only. */
+    return false
+  }
+
+  // Compare the host/repo. Both sides should resolve to the same canonical
+  // ssh URL.
+  const noCommittish = { noCommittish: true }
+  const keyHost = parsed.hosted?.ssh(noCommittish)
+  const nodeHost = nodeParsed.hosted?.ssh(noCommittish)
+  if (keyHost && nodeHost) {
+    if (keyHost !== nodeHost) {
+      return false
+    }
+  } else if (parsed.fetchSpec && nodeParsed.fetchSpec) {
+    // Non-hosted git URLs: fall back to fetch spec.
+    if (parsed.fetchSpec !== nodeParsed.fetchSpec) {
+      return false
+    }
+  } else {
+    return false
+  }
+
+  // If the policy key has no committish, name-only match.
+  const keyCommittish = parsed.gitCommittish || parsed.hosted?.committish
+  if (!keyCommittish) {
+    return true
+  }
+
+  // Match the resolved full SHA against the key's committish. Users
+  // typically write short SHAs in the policy; the lockfile stores 40-char
+  // SHAs. Direction matters: the lockfile's full SHA must START WITH the
+  // key's short SHA, never the reverse. A longer key matching a shorter
+  // resolved committish would let a malformed lockfile or a divergent
+  // resolver allow scripts the user never approved.
+  const nodeCommittish = nodeParsed.gitCommittish || nodeParsed.hosted?.committish || ''
+  if (!nodeCommittish) {
+    return false
+  }
+  return nodeCommittish.startsWith(keyCommittish)
+}
+
+const matchFileOrDir = (node, parsed) => {
+  if (!node.resolved) {
+    return false
+  }
+  return node.resolved === parsed.saveSpec || node.resolved === parsed.fetchSpec
+}
+
+const matchRemote = (node, parsed) => {
+  if (!node.resolved) {
+    return false
+  }
+  return node.resolved === parsed.fetchSpec || node.resolved === parsed.saveSpec
+}
+
+const isRegistryNode = (node) => {
+  // Prefer arborist's edge-based check when available (real Node objects).
+  // It inspects the incoming edges' specs and only returns true if every
+  // edge resolves to a registry spec, which is much harder to spoof than
+  // the URL.
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return node.isRegistryDependency
+  }
+  // Fall back to URL parsing for nodes without the arborist getter
+  // (e.g. test fixtures, lockfiles with omit-lockfile-registry-resolved).
+  // Treat the node as a registry dep when:
+  //   - resolved is missing entirely (omitLockfileRegistryResolved),
+  //   - resolved is an https/http URL pointing at a registry tarball, or
+  //   - resolved is undefined and the node has a version (defensive).
+  if (!node.resolved) {
+    return !!node.version
+  }
+  // Registry tarballs live at `//-/-.tgz`.
+  // Require a path segment before `/-/` so an attacker can't lift a
+  // registry-style allow entry to a hostile URL like
+  // `https://evil.com/-/trusted-1.0.0.tgz`.
+  return /^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+// Trusted display identity for human-facing output (`npm install`
+// advisory, `npm approve-scripts --allow-scripts-pending`). Same idea as
+// getTrustedRegistryIdentity, but for DISPLAY only — version falls back
+// to node.version when the URL doesn't carry one. Must never be used
+// for policy matching.
+const trustedDisplay = (node) => {
+  const trusted = getTrustedRegistryIdentity(node)
+  /* istanbul ignore next: defensive fallbacks for nodes without name/version */
+  return {
+    name: (trusted && trusted.name) || node.name || null,
+    version: (trusted && trusted.version) || node.version || null,
+  }
+}
+
+module.exports = isScriptAllowed
+module.exports.isScriptAllowed = isScriptAllowed
+module.exports.isExactVersionDisjunction = isExactVersionDisjunction
+module.exports.getTrustedRegistryIdentity = getTrustedRegistryIdentity
+module.exports.trustedDisplay = trustedDisplay
diff --git a/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js b/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
index 751c549fed63bc..6af902cdf8a48e 100644
--- a/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
+++ b/deps/npm/node_modules/@npmcli/arborist/lib/shrinkwrap.js
@@ -929,10 +929,24 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        this.data.packages[loc] = Shrinkwrap.metaFromNode(
+        // Drop lockfile entries for extraneous nodes outside node_modules. These are stale workspace entries: the workspace was removed from package.json or its directory was deleted, so it should not be tracked in package-lock.json.
+        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules') {
+          continue
+        }
+        const meta = Shrinkwrap.metaFromNode(
           node,
           this.path,
           this.resolveOptions)
+        // Skip inert nodes — these are optional deps that failed to load
+        // (e.g. 404 from a proxy registry that hasn't cached the package,
+        // or incomplete manifest missing version field).
+        // #pruneFailedOptional marks them inert so they won't be reified;
+        // writing them to the lockfile produces invalid entries like
+        // {"optional": true} that cause "Invalid Version:" errors.
+        if (node.inert && !node.package.version) {
+          continue
+        }
+        this.data.packages[loc] = meta
       }
     } else if (this.#awaitingUpdate.size > 0) {
       for (const loc of this.#awaitingUpdate.keys()) {
diff --git a/deps/npm/node_modules/@npmcli/arborist/package.json b/deps/npm/node_modules/@npmcli/arborist/package.json
index d0f823e61d3481..712151e63a1c65 100644
--- a/deps/npm/node_modules/@npmcli/arborist/package.json
+++ b/deps/npm/node_modules/@npmcli/arborist/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.4.3",
+  "version": "9.7.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
diff --git a/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js b/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
index c3e5cd2b430189..2cb03709d73b5e 100644
--- a/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
+++ b/deps/npm/node_modules/@npmcli/config/lib/definitions/definitions.js
@@ -1,4 +1,5 @@
 const Definition = require('./definition.js')
+const parseAllowScriptsList = require('../parse-allow-scripts-list.js')
 
 const ciInfo = require('ci-info')
 const querystring = require('node:querystring')
@@ -153,7 +154,7 @@ const definitions = {
     defaultDescription: `
     'public' for new packages, existing packages it will not change the current level
   `,
-    type: [null, 'restricted', 'public'],
+    type: [null, 'restricted', 'public', 'private'],
     description: `
     If you do not want your scoped package to be publicly viewable (and
     installable) set \`--access=restricted\`.
@@ -164,8 +165,13 @@ const definitions = {
     packages.  Specifying a value of \`restricted\` or \`public\` during
     publish will change the access for an existing package the same way that
     \`npm access set status\` would.
+
+    The value \`private\` is an alias for \`restricted\`.
   `,
-    flatten,
+    flatten (key, obj, flatOptions) {
+      const value = obj[key]
+      flatOptions.access = value === 'private' ? 'restricted' : value
+    },
   }),
   all: new Definition('all', {
     default: false,
@@ -187,6 +193,36 @@ const definitions = {
   `,
     flatten,
   }),
+  'allow-directory': new Definition('allow-directory', {
+    default: 'all',
+    type: ['all', 'none', 'root'],
+    description: `
+      Limits the ability for npm to install dependencies from directories.
+      That is, dependencies that point to a directory instead of a version or semver range.
+      Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+      Changing this setting will not remove dependencies that are already installed.
+
+      \`all\` allows any directories to be installed.
+      \`none\` prevents any directories from being installed.
+      \`root\` only allows directories defined in your project's package.json to be installed.  Also allows directory dependencies to be used for other commands like \`npm view\`
+  `,
+    flatten,
+  }),
+  'allow-file': new Definition('allow-file', {
+    default: 'all',
+    type: ['all', 'none', 'root'],
+    description: `
+      Limits the ability for npm to install dependencies from tarball files.
+      That is, dependencies that point to a local tarball file instead of a version or semver range.
+      Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+      Changing this setting will not remove dependencies that are already installed.
+
+      \`all\` allows any tarball file to be installed.
+      \`none\` prevents any tarball file from being installed.
+      \`root\` only allows tarball files defined in your project's package.json to be installed.  Also allows tarball file dependencies to be used for other commands like \`npm view\`
+  `,
+    flatten,
+  }),
   'allow-git': new Definition('allow-git', {
     default: 'all',
     type: ['all', 'none', 'root'],
@@ -194,13 +230,54 @@ const definitions = {
       Limits the ability for npm to fetch dependencies from git references.
       That is, dependencies that point to a git repo instead of a version or semver range.
       Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+      Changing this setting will not remove dependencies that are already installed.
 
       \`all\` allows any git dependencies to be fetched and installed.
       \`none\` prevents any git dependencies from being fetched and installed.
-      \`root\` only allows git dependencies defined in your project's package.json to be fetched installed.  Also allows git dependencies to be fetched for other commands like \`npm view\`
+      \`root\` only allows git dependencies defined in your project's package.json to be fetched and installed.  Also allows git dependencies to be fetched for other commands like \`npm view\`
   `,
     flatten,
   }),
+  'allow-remote': new Definition('allow-remote', {
+    default: 'all',
+    type: ['all', 'none', 'root'],
+    description: `
+      Limits the ability for npm to fetch dependencies from urls.
+      That is, dependencies that point to a tarball url instead of a version or semver range.
+      Please note that this could leave your tree incomplete and some packages may not function as intended or designed.
+      Changing this setting will not remove dependencies that are already installed.
+
+      \`all\` allows any url to be installed.
+      \`none\` prevents any url from being installed.
+      \`root\` only allows urls defined in your project's package.json to be installed.  Also allows url dependencies to be used for other commands like \`npm view\`
+  `,
+    flatten,
+  }),
+  'allow-scripts': new Definition('allow-scripts', {
+    default: '',
+    type: [String, Array],
+    hint: '',
+    description: `
+      Comma-separated list of packages whose install-time lifecycle scripts
+      (\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for
+      non-registry dependencies) are allowed to run.
+
+      This setting is intended for one-off and global contexts: \`npm exec\`,
+      \`npx\`, and \`npm install -g\`, where no project \`package.json\` is
+      involved. For team-wide policy in a project, use the \`allowScripts\`
+      field in \`package.json\` (which also supports explicit denials), or
+      configure it in \`.npmrc\`. Passing \`--allow-scripts\` on the command
+      line during a project-scoped \`npm install\`, \`ci\`, \`update\`, or
+      \`rebuild\` is an error.
+
+      Each name is matched against a dependency's resolved identity, not
+      against the package's self-reported name. \`--ignore-scripts\` and
+      \`--dangerously-allow-all-scripts\` both override this setting.
+  `,
+    flatten (key, obj, flatOptions) {
+      flatOptions.allowScripts = parseAllowScriptsList(obj[key])
+    },
+  }),
   also: new Definition('also', {
     default: null,
     type: [null, 'dev', 'development'],
@@ -246,7 +323,6 @@ const definitions = {
     default: null,
     hint: '',
     type: [null, Date],
-    exclusive: ['min-release-age'],
     description: `
       If passed to \`npm install\`, will rebuild the npm tree such that only
       versions that were available **on or before** the given date are
@@ -257,6 +333,12 @@ const definitions = {
       pass the \`--before\` filter, the most recent version less than or equal
       to that tag will be used. For example, \`foo@latest\` might install
       \`foo@1.2\` even though \`latest\` is \`2.0\`.
+
+      If \`before\` and \`min-release-age\` are both set in the same source,
+      \`before\` wins (an explicit absolute date overrides a relative window).
+      Across sources, the standard precedence applies (cli > env > project >
+      user > global), so a higher-priority source can always relax or
+      override a lower-priority one.
     `,
     flatten,
   }),
@@ -484,6 +566,18 @@ const definitions = {
     `,
     flatten,
   }),
+  'dangerously-allow-all-scripts': new Definition('dangerously-allow-all-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+      dependency install script regardless of whether it was approved or
+      denied. Intended as a migration escape hatch only; its use is strongly
+      discouraged. \`--ignore-scripts\` still takes precedence over this
+      setting.
+    `,
+    flatten,
+  }),
   depth: new Definition('depth', {
     default: null,
     defaultDescription: `
@@ -1363,7 +1457,6 @@ const definitions = {
     default: null,
     hint: '',
     type: [null, Number],
-    exclusive: ['before'],
     envExport: false,
     description: `
        If set, npm will build the npm tree such that only versions that were
@@ -1372,13 +1465,18 @@ const definitions = {
        command will error.
 
        This flag is a complement to \`before\`, which accepts an exact date
-       instead of a relative number of days.
+       instead of a relative number of days. The two may coexist (e.g.
+       \`min-release-age\` in your \`.npmrc\` is preserved when npm internally
+       spawns a sub-process with \`--before\` while preparing a \`git:\` or
+       \`github:\` dependency); when both apply, \`before\` wins within a
+       single source and across sources the standard precedence rules apply.
     `,
     flatten: (key, obj, flatOptions) => {
-      if (obj['min-release-age'] !== null) {
-        flatOptions.before = new Date(Date.now() - (86400000 * obj['min-release-age']))
-        obj.before = flatOptions.before
-        delete obj['min-release-age']
+      const age = obj['min-release-age']
+      // `hasOwn` so a `before` inherited via ConfigData's prototype chain (lib/index.js) from a lower-priority source doesn't silently win.
+      // The `: null` clear depends on `Config#flat` iterating sources low → high.
+      if (age != null && !Object.hasOwn(obj, 'before')) {
+        flatOptions.before = age ? new Date(Date.now() - (86400000 * age)) : null
       }
     },
   }),
@@ -1612,6 +1710,27 @@ const definitions = {
     `,
     flatten,
   }),
+  'allow-scripts-pending': new Definition('allow-scripts-pending', {
+    default: false,
+    type: Boolean,
+    description: `
+      List packages with install scripts that are not yet covered by the
+      \`allowScripts\` policy, without modifying \`package.json\`. Only
+      meaningful for \`npm approve-scripts\`.
+    `,
+    flatten,
+  }),
+  'allow-scripts-pin': new Definition('allow-scripts-pin', {
+    default: true,
+    type: Boolean,
+    description: `
+      Write pinned (\`pkg@version\`) entries when approving install scripts.
+      Set to \`false\` to write name-only entries that allow any version.
+      Has no effect on \`npm deny-scripts\`, which always writes name-only
+      entries regardless of this setting.
+    `,
+    flatten,
+  }),
   'prefer-dedupe': new Definition('prefer-dedupe', {
     default: false,
     type: Boolean,
@@ -2183,6 +2302,22 @@ const definitions = {
     `,
     flatten,
   }),
+  'strict-allow-scripts': new Definition('strict-allow-scripts', {
+    default: false,
+    type: Boolean,
+    description: `
+      If \`true\`, turn the install-script policy from a warning into a hard
+      error: any dependency with install scripts not covered by
+      \`allowScripts\` will fail the install instead of running with a
+      notice.
+
+      Dependencies explicitly denied with \`false\` in \`allowScripts\` are
+      always silently skipped; this setting only affects unreviewed entries.
+      \`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both
+      override this setting.
+    `,
+    flatten,
+  }),
   'strict-ssl': new Definition('strict-ssl', {
     default: true,
     type: Boolean,
diff --git a/deps/npm/node_modules/@npmcli/config/lib/parse-allow-scripts-list.js b/deps/npm/node_modules/@npmcli/config/lib/parse-allow-scripts-list.js
new file mode 100644
index 00000000000000..0f13d4a75b6349
--- /dev/null
+++ b/deps/npm/node_modules/@npmcli/config/lib/parse-allow-scripts-list.js
@@ -0,0 +1,23 @@
+// Parse an `allow-scripts` raw config value (string or array of strings)
+// into a flat array of trimmed package-spec entries. Shared between the
+// CLI/env layer (via the `allow-scripts` definition's `flatten`) and the
+// package.json / .npmrc layer (in lib/utils/resolve-allow-scripts.js) so
+// both paths agree on quoting, whitespace, and duplicate handling.
+const parseAllowScriptsList = (raw) => {
+  const parts = []
+  const entries = Array.isArray(raw) ? raw : (typeof raw === 'string' ? [raw] : [])
+  for (const entry of entries) {
+    if (typeof entry !== 'string') {
+      continue
+    }
+    for (const part of entry.split(',')) {
+      const trimmed = part.trim()
+      if (trimmed) {
+        parts.push(trimmed)
+      }
+    }
+  }
+  return parts
+}
+
+module.exports = parseAllowScriptsList
diff --git a/deps/npm/node_modules/@npmcli/config/package.json b/deps/npm/node_modules/@npmcli/config/package.json
index 5da16efc6cc4c3..295855d76df3e0 100644
--- a/deps/npm/node_modules/@npmcli/config/package.json
+++ b/deps/npm/node_modules/@npmcli/config/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/config",
-  "version": "10.8.1",
+  "version": "10.10.0",
   "files": [
     "bin/",
     "lib/"
diff --git a/deps/npm/node_modules/@sigstore/core/dist/dsse.js b/deps/npm/node_modules/@sigstore/core/dist/dsse.js
index ca7b63630e2ba9..9dcc2649198c19 100644
--- a/deps/npm/node_modules/@sigstore/core/dist/dsse.js
+++ b/deps/npm/node_modules/@sigstore/core/dist/dsse.js
@@ -19,12 +19,11 @@ limitations under the License.
 const PAE_PREFIX = 'DSSEv1';
 // DSSE Pre-Authentication Encoding
 function preAuthEncoding(payloadType, payload) {
-    const prefix = [
-        PAE_PREFIX,
-        payloadType.length,
-        payloadType,
-        payload.length,
-        '',
-    ].join(' ');
-    return Buffer.concat([Buffer.from(prefix, 'ascii'), payload]);
+    const typeBytes = Buffer.from(payloadType, 'utf-8');
+    return Buffer.concat([
+        Buffer.from(`${PAE_PREFIX} ${typeBytes.length} `, 'ascii'),
+        typeBytes,
+        Buffer.from(` ${payload.length} `, 'ascii'),
+        payload,
+    ]);
 }
diff --git a/deps/npm/node_modules/@sigstore/core/package.json b/deps/npm/node_modules/@sigstore/core/package.json
index 0564a373c6fa31..82cab44654a1c9 100644
--- a/deps/npm/node_modules/@sigstore/core/package.json
+++ b/deps/npm/node_modules/@sigstore/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/core",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Base library for Sigstore",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
diff --git a/deps/npm/node_modules/@sigstore/verify/dist/key/index.js b/deps/npm/node_modules/@sigstore/verify/dist/key/index.js
index c966ccb1e925ef..880ad04bd235d7 100644
--- a/deps/npm/node_modules/@sigstore/verify/dist/key/index.js
+++ b/deps/npm/node_modules/@sigstore/verify/dist/key/index.js
@@ -56,9 +56,17 @@ function getSigner(cert) {
     else {
         issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
     }
+    const oids = cert.extensions.map((ext) => {
+        const oid = ext.subs[0].toOID();
+        return {
+            oid: { id: oid.split('.').map(Number) },
+            value: ext.subs[ext.subs.length - 1].value,
+        };
+    });
     const identity = {
         extensions: { issuer },
         subjectAlternativeName: cert.subjectAltName,
+        oids,
     };
     return {
         key: core_1.crypto.createPublicKey(cert.publicKey),
diff --git a/deps/npm/node_modules/@sigstore/verify/dist/policy.js b/deps/npm/node_modules/@sigstore/verify/dist/policy.js
index f5960cf047b84b..b08d083a296fb8 100644
--- a/deps/npm/node_modules/@sigstore/verify/dist/policy.js
+++ b/deps/npm/node_modules/@sigstore/verify/dist/policy.js
@@ -2,7 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
 exports.verifyExtensions = verifyExtensions;
+exports.verifyOIDs = verifyOIDs;
 const error_1 = require("./error");
+// Verifies that the signer's SAN matches the policy identity. The
+// policyIdentity is treated as a JavaScript regular expression pattern and
+// tested against the full signerIdentity string. For exact matching, use
+// anchored patterns (e.g. '^user@example\\.com$').
 function verifySubjectAlternativeName(policyIdentity, signerIdentity) {
     if (signerIdentity === undefined || !signerIdentity.match(policyIdentity)) {
         throw new error_1.PolicyError({
@@ -22,3 +27,24 @@ function verifyExtensions(policyExtensions, signerExtensions = {}) {
         }
     }
 }
+function verifyOIDs(policyOIDs, signerOIDs = []) {
+    for (const policyOID of policyOIDs) {
+        const match = signerOIDs.find((signerOID) => oidEquals(policyOID.oid?.id, signerOID.oid?.id) &&
+            policyOID.value.equals(signerOID.value));
+        if (!match) {
+            /* istanbul ignore next */
+            const oid = policyOID.oid?.id.join('.') ?? '';
+            throw new error_1.PolicyError({
+                code: 'UNTRUSTED_SIGNER_ERROR',
+                message: `invalid certificate extension - missing OID ${oid}`,
+            });
+        }
+    }
+}
+function oidEquals(a, b) {
+    /* istanbul ignore if */
+    if (a === undefined || b === undefined) {
+        return false;
+    }
+    return a.length === b.length && a.every((v, i) => v === b[i]);
+}
diff --git a/deps/npm/node_modules/@sigstore/verify/dist/timestamp/index.js b/deps/npm/node_modules/@sigstore/verify/dist/timestamp/index.js
index 03a51083e10827..603e559831a9d8 100644
--- a/deps/npm/node_modules/@sigstore/verify/dist/timestamp/index.js
+++ b/deps/npm/node_modules/@sigstore/verify/dist/timestamp/index.js
@@ -12,6 +12,10 @@ function getTSATimestamp(timestamp, data, timestampAuthorities) {
     };
 }
 function getTLogTimestamp(entry) {
+    // Only entries with an inclusion promise provide a verifiable timestamp
+    if (!entry.inclusionPromise) {
+        return undefined;
+    }
     return {
         type: 'transparency-log',
         logID: entry.logId.keyId,
diff --git a/deps/npm/node_modules/@sigstore/verify/dist/verifier.js b/deps/npm/node_modules/@sigstore/verify/dist/verifier.js
index 5751087ff178d2..eeba4128fabe34 100644
--- a/deps/npm/node_modules/@sigstore/verify/dist/verifier.js
+++ b/deps/npm/node_modules/@sigstore/verify/dist/verifier.js
@@ -46,17 +46,22 @@ class Verifier {
     }
     // Checks that all of the timestamps in the entity are valid and returns them
     verifyTimestamps(entity) {
-        let timestampCount = 0;
-        const timestamps = entity.timestamps.map((timestamp) => {
+        const timestamps = [];
+        for (const timestamp of entity.timestamps) {
             switch (timestamp.$case) {
                 case 'timestamp-authority':
-                    timestampCount++;
-                    return (0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities);
-                case 'transparency-log':
-                    timestampCount++;
-                    return (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
+                    timestamps.push((0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities));
+                    break;
+                case 'transparency-log': {
+                    const result = (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
+                    /* istanbul ignore else */
+                    if (result) {
+                        timestamps.push(result);
+                    }
+                    break;
+                }
             }
-        });
+        }
         // Check for duplicate timestamps
         if (containsDupes(timestamps)) {
             throw new error_1.VerificationError({
@@ -64,10 +69,10 @@ class Verifier {
                 message: 'duplicate timestamp',
             });
         }
-        if (timestampCount < this.options.timestampThreshold) {
+        if (timestamps.length < this.options.timestampThreshold) {
             throw new error_1.VerificationError({
                 code: 'TIMESTAMP_ERROR',
-                message: `expected ${this.options.timestampThreshold} timestamps, got ${timestampCount}`,
+                message: `expected ${this.options.timestampThreshold} timestamps, got ${timestamps.length}`,
             });
         }
         return timestamps.map((t) => t.timestamp);
@@ -133,6 +138,11 @@ class Verifier {
         if (policy.extensions) {
             (0, policy_1.verifyExtensions)(policy.extensions, identity.extensions);
         }
+        // Check that the OIDs of the signer match the policy
+        /* istanbul ignore if */
+        if (policy.oids) {
+            (0, policy_1.verifyOIDs)(policy.oids, identity.oids);
+        }
     }
 }
 exports.Verifier = Verifier;
diff --git a/deps/npm/node_modules/@sigstore/verify/package.json b/deps/npm/node_modules/@sigstore/verify/package.json
index 79826a80bddebf..9c4e5dc7a727a7 100644
--- a/deps/npm/node_modules/@sigstore/verify/package.json
+++ b/deps/npm/node_modules/@sigstore/verify/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/verify",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "Verification of Sigstore signatures",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -28,7 +28,7 @@
   "dependencies": {
     "@sigstore/protobuf-specs": "^0.5.0",
     "@sigstore/bundle": "^4.0.0",
-    "@sigstore/core": "^3.1.0"
+    "@sigstore/core": "^3.2.1"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"
diff --git a/deps/npm/node_modules/bin-links/lib/check-bin.js b/deps/npm/node_modules/bin-links/lib/check-bin.js
index c5b997bb96355c..a7fc8d51b415e2 100644
--- a/deps/npm/node_modules/bin-links/lib/check-bin.js
+++ b/deps/npm/node_modules/bin-links/lib/check-bin.js
@@ -2,7 +2,7 @@
 // either rejects or resolves to nothing.  return value not relevant.
 const isWindows = require('./is-windows.js')
 const binTarget = require('./bin-target.js')
-const { resolve, dirname } = require('path')
+const { resolve, dirname, sep } = require('path')
 const readCmdShim = require('read-cmd-shim')
 const { readlink } = require('fs/promises')
 
@@ -34,7 +34,9 @@ const checkLink = async ({ target, path }) => {
 
   const resolved = resolve(dirname(target), current)
 
-  if (resolved.toLowerCase().indexOf(path.toLowerCase()) !== 0) {
+  const resolvedLower = resolved.toLowerCase()
+  const pathLower = path.toLowerCase()
+  if (resolvedLower !== pathLower && !resolvedLower.startsWith(pathLower + sep)) {
     return failEEXIST({ target })
   }
 }
@@ -65,7 +67,9 @@ const checkShim = async ({ target, path }) => {
 
     const resolved = resolve(dirname(shim), current.replace(/\\/g, '/'))
 
-    if (resolved.toLowerCase().indexOf(path.toLowerCase()) !== 0) {
+    const resolvedLower = resolved.toLowerCase()
+    const pathLower = path.toLowerCase()
+    if (resolvedLower !== pathLower && !resolvedLower.startsWith(pathLower + sep)) {
       return failEEXIST({ target: shim })
     }
   }))
diff --git a/deps/npm/node_modules/bin-links/lib/link-gently.js b/deps/npm/node_modules/bin-links/lib/link-gently.js
index a39d3bced57b13..c4a38f7f54b951 100644
--- a/deps/npm/node_modules/bin-links/lib/link-gently.js
+++ b/deps/npm/node_modules/bin-links/lib/link-gently.js
@@ -4,7 +4,7 @@
 // if there's a symlink already, pointing into our pkg, remove it first
 // then create the symlink
 
-const { resolve, dirname } = require('path')
+const { resolve, dirname, sep } = require('path')
 const { lstat, mkdir, readlink, rm, symlink } = require('fs/promises')
 const { log } = require('proc-log')
 const throwSignificant = er => {
@@ -63,7 +63,7 @@ const linkGently = async ({ path, to, from, absFrom, force }) => {
         } // skip it, already set up like we want it.
 
         target = resolve(dirname(to), target)
-        if (target.indexOf(path) === 0 || force) {
+        if (target === path || target.startsWith(path + sep) || force) {
           return rm(to, rmOpts).then(() => CLOBBER)
         }
         // neither skip nor clobber
diff --git a/deps/npm/node_modules/bin-links/lib/shim-bin.js b/deps/npm/node_modules/bin-links/lib/shim-bin.js
index 67e2702702f0a8..91a6fcc94153bc 100644
--- a/deps/npm/node_modules/bin-links/lib/shim-bin.js
+++ b/deps/npm/node_modules/bin-links/lib/shim-bin.js
@@ -1,4 +1,4 @@
-const { resolve, dirname } = require('path')
+const { resolve, dirname, sep } = require('path')
 const { lstat } = require('fs/promises')
 const throwNonEnoent = er => {
   if (er.code !== 'ENOENT') {
@@ -64,7 +64,8 @@ const shimBin = ({ path, to, from, absFrom, force }) => {
       return readCmdShim(s)
         .then(target => {
           target = resolve(dirname(to), target)
-          if (target.indexOf(resolve(path)) !== 0) {
+          const base = resolve(path)
+          if (target !== base && !target.startsWith(base + sep)) {
             return failEEXIST({ from, to, path })
           }
           return false
diff --git a/deps/npm/node_modules/bin-links/package.json b/deps/npm/node_modules/bin-links/package.json
index 23f52cfc96ec46..80a63323e884b1 100644
--- a/deps/npm/node_modules/bin-links/package.json
+++ b/deps/npm/node_modules/bin-links/package.json
@@ -1,6 +1,6 @@
 {
   "name": "bin-links",
-  "version": "6.0.0",
+  "version": "6.0.2",
   "description": "JavaScript package binary linker",
   "main": "./lib/index.js",
   "scripts": {
@@ -32,7 +32,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.27.1",
+    "@npmcli/template-oss": "4.30.0",
     "require-inject": "^1.4.4",
     "tap": "^16.0.1"
   },
@@ -55,7 +55,9 @@
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
     "windowsCI": false,
-    "version": "4.27.1",
-    "publish": true
+    "version": "4.30.0",
+    "publish": true,
+    "updateNpm": false,
+    "latestCiVersion": 24
   }
 }
diff --git a/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js b/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
index b9f3c6fdf6dfc7..33063dd3552cd6 100644
--- a/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
+++ b/deps/npm/node_modules/brace-expansion/dist/commonjs/index.js
@@ -155,7 +155,7 @@ function expand_(str, max, isTop) {
             }
             const pad = n.some(isPadded);
             N = [];
-            for (let i = x; test(i, y); i += incr) {
+            for (let i = x; test(i, y) && N.length < max; i += incr) {
                 let c;
                 if (isAlphaSequence) {
                     c = String.fromCharCode(i);
diff --git a/deps/npm/node_modules/brace-expansion/dist/esm/index.js b/deps/npm/node_modules/brace-expansion/dist/esm/index.js
index 855e22cd71e824..32399e7b2f5cf1 100644
--- a/deps/npm/node_modules/brace-expansion/dist/esm/index.js
+++ b/deps/npm/node_modules/brace-expansion/dist/esm/index.js
@@ -151,7 +151,7 @@ function expand_(str, max, isTop) {
             }
             const pad = n.some(isPadded);
             N = [];
-            for (let i = x; test(i, y); i += incr) {
+            for (let i = x; test(i, y) && N.length < max; i += incr) {
                 let c;
                 if (isAlphaSequence) {
                     c = String.fromCharCode(i);
diff --git a/deps/npm/node_modules/brace-expansion/package.json b/deps/npm/node_modules/brace-expansion/package.json
index 83a8289641532c..81524809e58612 100644
--- a/deps/npm/node_modules/brace-expansion/package.json
+++ b/deps/npm/node_modules/brace-expansion/package.json
@@ -1,7 +1,7 @@
 {
   "name": "brace-expansion",
   "description": "Brace expansion as known from sh/bash",
-  "version": "5.0.5",
+  "version": "5.0.6",
   "files": [
     "dist"
   ],
diff --git a/deps/npm/node_modules/cidr-regex/package.json b/deps/npm/node_modules/cidr-regex/package.json
index 1c2db1a6e28b30..c15a446e7e2136 100644
--- a/deps/npm/node_modules/cidr-regex/package.json
+++ b/deps/npm/node_modules/cidr-regex/package.json
@@ -1,12 +1,25 @@
 {
   "name": "cidr-regex",
-  "version": "5.0.4",
+  "version": "5.0.5",
   "description": "Regular expression for matching IP addresses in CIDR notation",
   "author": "silverwind ",
   "contributors": [
     "Felipe Apostol  (http://flipjs.io/)"
   ],
   "repository": "silverwind/cidr-regex",
+  "keywords": [
+    "cidr",
+    "regex",
+    "regexp",
+    "ip",
+    "ipv4",
+    "ipv6",
+    "address",
+    "subnet",
+    "network",
+    "notation",
+    "match"
+  ],
   "license": "BSD-2-Clause",
   "type": "module",
   "sideEffects": false,
@@ -21,18 +34,18 @@
   },
   "devDependencies": {
     "@types/node": "25.6.0",
-    "@typescript/native-preview": "7.0.0-dev.20260420.1",
+    "@typescript/native-preview": "7.0.0-dev.20260427.1",
     "eslint": "10.2.1",
-    "eslint-config-silverwind": "131.0.5",
+    "eslint-config-silverwind": "132.0.0",
     "jest-extended": "7.0.0",
-    "tsdown": "0.21.9",
-    "tsdown-config-silverwind": "2.1.0",
+    "tsdown": "0.21.10",
+    "tsdown-config-silverwind": "2.1.1",
     "typescript": "6.0.3",
     "typescript-config-silverwind": "18.0.0",
-    "updates": "17.15.5",
-    "updates-config-silverwind": "2.1.0",
-    "versions": "15.0.0",
-    "vitest": "4.1.4",
-    "vitest-config-silverwind": "11.3.0"
+    "updates": "17.16.4",
+    "updates-config-silverwind": "2.1.1",
+    "versions": "15.0.1",
+    "vitest": "4.1.5",
+    "vitest-config-silverwind": "11.3.1"
   }
 }
\ No newline at end of file
diff --git a/deps/npm/node_modules/hosted-git-info/lib/hosts.js b/deps/npm/node_modules/hosted-git-info/lib/hosts.js
index 6e7c123dbff8b4..a1635d3c898fed 100644
--- a/deps/npm/node_modules/hosted-git-info/lib/hosts.js
+++ b/deps/npm/node_modules/hosted-git-info/lib/hosts.js
@@ -110,7 +110,7 @@ hosts.gitlab = {
   blobpath: 'tree',
   editpath: '-/edit',
   tarballtemplate: ({ domain, user, project, committish }) =>
-    `https://${domain}/${user}/${project}/repository/archive.tar.gz?ref=${maybeEncode(committish || 'HEAD')}`,
+    `https://${domain}/api/v4/projects/${maybeEncode(user + '/' + project)}/repository/archive.tar.gz?sha=${maybeEncode(committish || 'HEAD')}`,
   extract: (url) => {
     const path = url.pathname.slice(1)
     if (path.includes('/-/') || path.includes('/archive.tar.gz')) {
@@ -198,7 +198,7 @@ hosts.sourcehut = {
   filetemplate: ({ domain, user, project, committish, path }) =>
     `https://${domain}/${user}/${project}/blob/${maybeEncode(committish) || 'HEAD'}/${path}`,
   httpstemplate: ({ domain, user, project, committish }) =>
-    `https://${domain}/${user}/${project}.git${maybeJoin('#', committish)}`,
+    `https://${domain}/${user}/${project}${maybeJoin('#', committish)}`,
   tarballtemplate: ({ domain, user, project, committish }) =>
     `https://${domain}/${user}/${project}/archive/${maybeEncode(committish) || 'HEAD'}.tar.gz`,
   bugstemplate: () => null,
diff --git a/deps/npm/node_modules/hosted-git-info/package.json b/deps/npm/node_modules/hosted-git-info/package.json
index 1e74eda1656d78..f21e546a64bfa5 100644
--- a/deps/npm/node_modules/hosted-git-info/package.json
+++ b/deps/npm/node_modules/hosted-git-info/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hosted-git-info",
-  "version": "9.0.2",
+  "version": "9.0.3",
   "description": "Provides metadata and conversions from repository urls for GitHub, Bitbucket and GitLab",
   "main": "./lib/index.js",
   "repository": {
@@ -21,22 +21,23 @@
   "homepage": "https://github.com/npm/hosted-git-info",
   "scripts": {
     "posttest": "npm run lint",
-    "snap": "tap",
-    "test": "tap",
+    "snap": "node --test --test-update-snapshots './test/**/*.js'",
+    "test": "node --test './test/**/*.js'",
     "test:coverage": "tap --coverage-report=html",
     "lint": "npm run eslint",
     "postlint": "template-oss-check",
     "lintfix": "npm run eslint -- --fix",
     "template-oss-apply": "template-oss-apply --force",
-    "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\""
+    "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
+    "test:node20": "node --test test",
+    "test:cover": "node --test --experimental-test-coverage --test-timeout=3000 --test-coverage-lines=100 --test-coverage-functions=100 --test-coverage-branches=100 './test/**/*.js'"
   },
   "dependencies": {
     "lru-cache": "^11.1.0"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.25.1",
-    "tap": "^16.0.1"
+    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/template-oss": "4.30.0"
   },
   "files": [
     "bin/",
@@ -45,17 +46,12 @@
   "engines": {
     "node": "^20.17.0 || >=22.9.0"
   },
-  "tap": {
-    "color": 1,
-    "coverage": true,
-    "nyc-arg": [
-      "--exclude",
-      "tap-snapshots/**"
-    ]
-  },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.25.1",
-    "publish": "true"
+    "version": "4.30.0",
+    "publish": "true",
+    "testRunner": "node:test",
+    "latestCiVersion": 24,
+    "updateNpm": false
   }
 }
diff --git a/deps/npm/node_modules/ip-address/dist/common.js b/deps/npm/node_modules/ip-address/dist/common.js
index 273a01e28e317d..6b76e051b44e41 100644
--- a/deps/npm/node_modules/ip-address/dist/common.js
+++ b/deps/npm/node_modules/ip-address/dist/common.js
@@ -2,9 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isInSubnet = isInSubnet;
 exports.isCorrect = isCorrect;
+exports.prefixLengthFromMask = prefixLengthFromMask;
 exports.numberToPaddedHex = numberToPaddedHex;
 exports.stringToPaddedHex = stringToPaddedHex;
 exports.testBit = testBit;
+const address_error_1 = require("./address-error");
 function isInSubnet(address) {
     if (this.subnetMask < address.subnetMask) {
         return false;
@@ -25,6 +27,25 @@ function isCorrect(defaultBits) {
         return this.parsedSubnet === String(this.subnetMask);
     };
 }
+/**
+ * Returns the prefix length (number of leading 1 bits) of a contiguous
+ * subnet mask. Throws `AddressError` if the mask is non-contiguous (e.g.
+ * `255.0.255.0`).
+ */
+function prefixLengthFromMask(value, totalBits) {
+    const binary = value.toString(2).padStart(totalBits, '0');
+    if (binary.length > totalBits) {
+        throw new address_error_1.AddressError('Invalid subnet mask.');
+    }
+    const firstZero = binary.indexOf('0');
+    if (firstZero === -1) {
+        return totalBits;
+    }
+    if (binary.slice(firstZero).includes('1')) {
+        throw new address_error_1.AddressError('Invalid subnet mask.');
+    }
+    return firstZero;
+}
 function numberToPaddedHex(number) {
     return number.toString(16).padStart(2, '0');
 }
diff --git a/deps/npm/node_modules/ip-address/dist/ipv4.js b/deps/npm/node_modules/ip-address/dist/ipv4.js
index 311c89c6965cb8..2c0fd182086d2d 100644
--- a/deps/npm/node_modules/ip-address/dist/ipv4.js
+++ b/deps/npm/node_modules/ip-address/dist/ipv4.js
@@ -28,9 +28,9 @@ exports.Address4 = void 0;
 const common = __importStar(require("./common"));
 const constants = __importStar(require("./v4/constants"));
 const address_error_1 = require("./address-error");
+const isCorrect4 = common.isCorrect(constants.BITS);
 /**
  * Represents an IPv4 address
- * @class Address4
  * @param {string} address - An IPv4 address string
  */
 class Address4 {
@@ -43,15 +43,11 @@ class Address4 {
         this.v4 = true;
         /**
          * Returns true if the address is correct, false otherwise
-         * @memberof Address4
-         * @instance
          * @returns {Boolean}
          */
-        this.isCorrect = common.isCorrect(constants.BITS);
+        this.isCorrect = isCorrect4;
         /**
          * Returns true if the given address is in the subnet of the current address
-         * @memberof Address4
-         * @instance
          * @returns {boolean}
          */
         this.isInSubnet = common.isInSubnet;
@@ -69,6 +65,13 @@ class Address4 {
         this.addressMinusSuffix = address;
         this.parsedAddress = this.parse(address);
     }
+    /**
+     * Returns true if the given string is a valid IPv4 address (with optional
+     * CIDR subnet), false otherwise. Host bits in the subnet portion are
+     * allowed (e.g. `192.168.1.5/24` is valid); for strict network-address
+     * validation compare `correctForm()` to `startAddress().correctForm()`,
+     * or use `networkForm()`.
+     */
     static isValid(address) {
         try {
             // eslint-disable-next-line no-new
@@ -79,8 +82,11 @@ class Address4 {
             return false;
         }
     }
-    /*
-     * Parses a v4 address
+    /**
+     * Parses an IPv4 address string into its four octet groups and stores the
+     * result on `this.parsedAddress`. Called automatically by the constructor;
+     * you typically don't need to call it directly. Throws `AddressError` if
+     * the input is not a valid IPv4 address.
      */
     parse(address) {
         const groups = address.split('.');
@@ -90,45 +96,110 @@ class Address4 {
         return groups;
     }
     /**
-     * Returns the correct form of an address
-     * @memberof Address4
-     * @instance
-     * @returns {String}
+     * Returns the address in correct form: octets joined with `.` and any
+     * leading zeros stripped (e.g. `192.168.1.1`). For IPv4 this matches the
+     * canonical dotted-decimal representation.
      */
     correctForm() {
         return this.parsedAddress.map((part) => parseInt(part, 10)).join('.');
     }
     /**
-     * Converts a hex string to an IPv4 address object
-     * @memberof Address4
-     * @static
+     * Construct an `Address4` from an address and a dotted-decimal subnet
+     * mask given as separate strings (e.g. as returned by Node's
+     * `os.networkInterfaces()`). Throws `AddressError` if the mask is
+     * non-contiguous (e.g. `255.0.255.0`).
+     * @example
+     * var address = Address4.fromAddressAndMask('192.168.1.1', '255.255.255.0');
+     * address.subnetMask; // 24
+     */
+    static fromAddressAndMask(address, mask) {
+        const bits = common.prefixLengthFromMask(new Address4(mask).bigInt(), constants.BITS);
+        return new Address4(`${address}/${bits}`);
+    }
+    /**
+     * Construct an `Address4` from an address and a Cisco-style wildcard mask
+     * given as separate strings (e.g. `0.0.0.255` for a `/24`). The wildcard
+     * mask is the bitwise inverse of the subnet mask. Throws `AddressError`
+     * if the mask is non-contiguous (e.g. `0.255.0.255`).
+     * @example
+     * var address = Address4.fromAddressAndWildcardMask('10.0.0.1', '0.0.0.255');
+     * address.subnetMask; // 24
+     */
+    static fromAddressAndWildcardMask(address, wildcardMask) {
+        const wildcard = new Address4(wildcardMask).bigInt();
+        const allOnes = (BigInt(1) << BigInt(constants.BITS)) - BigInt(1);
+        // eslint-disable-next-line no-bitwise
+        const mask = wildcard ^ allOnes;
+        const bits = common.prefixLengthFromMask(mask, constants.BITS);
+        return new Address4(`${address}/${bits}`);
+    }
+    /**
+     * Construct an `Address4` from a wildcard pattern with trailing `*`
+     * octets. The number of trailing wildcards determines the prefix
+     * length: each `*` represents 8 bits.
+     *
+     * Only trailing whole-octet wildcards are supported. Partial-octet
+     * wildcards (e.g. `192.168.0.1*`) and interior wildcards (e.g.
+     * `192.*.0.1`) throw `AddressError`.
+     * @example
+     * Address4.fromWildcard('192.168.0.*').subnet;   // '/24'
+     * Address4.fromWildcard('192.168.*.*').subnet;   // '/16'
+     * Address4.fromWildcard('*.*.*.*').subnet;       // '/0'
+     */
+    static fromWildcard(input) {
+        const groups = input.split('.');
+        if (groups.length !== constants.GROUPS) {
+            throw new address_error_1.AddressError('Wildcard pattern must have 4 octets');
+        }
+        let firstWildcard = -1;
+        for (let i = 0; i < groups.length; i++) {
+            if (groups[i] === '*') {
+                if (firstWildcard === -1) {
+                    firstWildcard = i;
+                }
+            }
+            else if (firstWildcard !== -1) {
+                throw new address_error_1.AddressError('Wildcard `*` must only appear in trailing octets (e.g. `192.168.0.*`)');
+            }
+        }
+        const trailing = firstWildcard === -1 ? 0 : groups.length - firstWildcard;
+        const replaced = groups.map((g) => (g === '*' ? '0' : g));
+        const subnetBits = constants.BITS - trailing * 8;
+        return new Address4(`${replaced.join('.')}/${subnetBits}`);
+    }
+    /**
+     * Converts a hex string to an IPv4 address object. Accepts 8 hex digits
+     * with optional `:` separators (e.g. `'7f000001'` or `'7f:00:00:01'`).
+     * Throws `AddressError` for any other length or for non-hex characters.
      * @param {string} hex - a hex string to convert
      * @returns {Address4}
      */
     static fromHex(hex) {
-        const padded = hex.replace(/:/g, '').padStart(8, '0');
+        const stripped = hex.replace(/:/g, '');
+        if (!/^[0-9a-fA-F]{8}$/.test(stripped)) {
+            throw new address_error_1.AddressError('IPv4 hex must be exactly 8 hex digits');
+        }
         const groups = [];
-        let i;
-        for (i = 0; i < 8; i += 2) {
-            const h = padded.slice(i, i + 2);
-            groups.push(parseInt(h, 16));
+        for (let i = 0; i < 8; i += 2) {
+            groups.push(parseInt(stripped.slice(i, i + 2), 16));
         }
         return new Address4(groups.join('.'));
     }
     /**
-     * Converts an integer into a IPv4 address object
-     * @memberof Address4
-     * @static
+     * Converts an integer into a IPv4 address object. The integer must be a
+     * non-negative safe integer in the range `[0, 2**32 - 1]`; otherwise
+     * `AddressError` is thrown.
      * @param {integer} integer - a number to convert
      * @returns {Address4}
      */
     static fromInteger(integer) {
-        return Address4.fromHex(integer.toString(16));
+        if (!Number.isInteger(integer) || integer < 0 || integer > 0xffffffff) {
+            throw new address_error_1.AddressError('IPv4 integer must be in the range 0 to 2**32 - 1');
+        }
+        return Address4.fromHex(integer.toString(16).padStart(8, '0'));
     }
     /**
      * Return an address from in-addr.arpa form
-     * @memberof Address4
-     * @static
      * @param {string} arpaFormAddress - an 'in-addr.arpa' form ipv4 address
      * @returns {Adress4}
      * @example
@@ -143,17 +214,15 @@ class Address4 {
     }
     /**
      * Converts an IPv4 address object to a hex string
-     * @memberof Address4
-     * @instance
      * @returns {String}
      */
     toHex() {
         return this.parsedAddress.map((part) => common.stringToPaddedHex(part)).join(':');
     }
     /**
-     * Converts an IPv4 address object to an array of bytes
-     * @memberof Address4
-     * @instance
+     * Converts an IPv4 address object to an array of bytes.
+     *
+     * To get a Node.js `Buffer`, wrap the result: `Buffer.from(address.toArray())`.
      * @returns {Array}
      */
     toArray() {
@@ -161,8 +230,6 @@ class Address4 {
     }
     /**
      * Converts an IPv4 address object to an IPv6 address group
-     * @memberof Address4
-     * @instance
      * @returns {String}
      */
     toGroup6() {
@@ -175,8 +242,6 @@ class Address4 {
     }
     /**
      * Returns the address as a `bigint`
-     * @memberof Address4
-     * @instance
      * @returns {bigint}
      */
     bigInt() {
@@ -184,8 +249,6 @@ class Address4 {
     }
     /**
      * Helper function getting start address.
-     * @memberof Address4
-     * @instance
      * @returns {bigint}
      */
     _startAddress() {
@@ -194,8 +257,6 @@ class Address4 {
     /**
      * The first address in the range given by this address' subnet.
      * Often referred to as the Network Address.
-     * @memberof Address4
-     * @instance
      * @returns {Address4}
      */
     startAddress() {
@@ -204,8 +265,6 @@ class Address4 {
     /**
      * The first host address in the range given by this address's subnet ie
      * the first address after the Network Address
-     * @memberof Address4
-     * @instance
      * @returns {Address4}
      */
     startAddressExclusive() {
@@ -214,8 +273,6 @@ class Address4 {
     }
     /**
      * Helper function getting end address.
-     * @memberof Address4
-     * @instance
      * @returns {bigint}
      */
     _endAddress() {
@@ -224,8 +281,6 @@ class Address4 {
     /**
      * The last address in the range given by this address' subnet
      * Often referred to as the Broadcast
-     * @memberof Address4
-     * @instance
      * @returns {Address4}
      */
     endAddress() {
@@ -234,8 +289,6 @@ class Address4 {
     /**
      * The last host address in the range given by this address's subnet ie
      * the last address prior to the Broadcast Address
-     * @memberof Address4
-     * @instance
      * @returns {Address4}
      */
     endAddressExclusive() {
@@ -243,19 +296,47 @@ class Address4 {
         return Address4.fromBigInt(this._endAddress() - adjust);
     }
     /**
-     * Converts a BigInt to a v4 address object
-     * @memberof Address4
-     * @static
+     * The dotted-decimal form of the subnet mask, e.g. `255.255.240.0` for
+     * a `/20`. Returns an `Address4`; call `.correctForm()` for the string.
+     * @returns {Address4}
+     */
+    subnetMaskAddress() {
+        return Address4.fromBigInt(BigInt(`0b${'1'.repeat(this.subnetMask)}${'0'.repeat(constants.BITS - this.subnetMask)}`));
+    }
+    /**
+     * The Cisco-style wildcard mask, e.g. `0.0.0.255` for a `/24`. This is
+     * the bitwise inverse of `subnetMaskAddress()`. Returns an `Address4`;
+     * call `.correctForm()` for the string.
+     * @returns {Address4}
+     */
+    wildcardMask() {
+        return Address4.fromBigInt(BigInt(`0b${'0'.repeat(this.subnetMask)}${'1'.repeat(constants.BITS - this.subnetMask)}`));
+    }
+    /**
+     * The network address in CIDR string form, e.g. `192.168.1.0/24` for
+     * `192.168.1.5/24`. For an address with no explicit subnet the prefix is
+     * `/32`, e.g. `networkForm()` on `192.168.1.5` returns `192.168.1.5/32`.
+     * @returns {string}
+     */
+    networkForm() {
+        return `${this.startAddress().correctForm()}/${this.subnetMask}`;
+    }
+    /**
+     * Converts a BigInt to a v4 address object. The value must be in the
+     * range `[0, 2**32 - 1]`; otherwise `AddressError` is thrown.
      * @param {bigint} bigInt - a BigInt to convert
      * @returns {Address4}
      */
     static fromBigInt(bigInt) {
-        return Address4.fromHex(bigInt.toString(16));
+        if (bigInt < 0n || bigInt > 0xffffffffn) {
+            throw new address_error_1.AddressError('IPv4 BigInt must be in the range 0 to 2**32 - 1');
+        }
+        return Address4.fromHex(bigInt.toString(16).padStart(8, '0'));
     }
     /**
-     * Convert a byte array to an Address4 object
-     * @memberof Address4
-     * @static
+     * Convert a byte array to an Address4 object.
+     *
+     * To convert from a Node.js `Buffer`, spread it: `Address4.fromByteArray([...buf])`.
      * @param {Array} bytes - an array of 4 bytes (0-255)
      * @returns {Address4}
      */
@@ -273,8 +354,6 @@ class Address4 {
     }
     /**
      * Convert an unsigned byte array to an Address4 object
-     * @memberof Address4
-     * @static
      * @param {Array} bytes - an array of 4 unsigned bytes (0-255)
      * @returns {Address4}
      */
@@ -288,8 +367,6 @@ class Address4 {
     /**
      * Returns the first n bits of the address, defaulting to the
      * subnet mask
-     * @memberof Address4
-     * @instance
      * @returns {String}
      */
     mask(mask) {
@@ -300,8 +377,6 @@ class Address4 {
     }
     /**
      * Returns the bits in the given range as a base-2 string
-     * @memberof Address4
-     * @instance
      * @returns {string}
      */
     getBitsBase2(start, end) {
@@ -309,10 +384,8 @@ class Address4 {
     }
     /**
      * Return the reversed ip6.arpa form of the address
-     * @memberof Address4
      * @param {Object} options
      * @param {boolean} options.omitSuffix - omit the "in-addr.arpa" suffix
-     * @instance
      * @returns {String}
      */
     reverseForm(options) {
@@ -327,21 +400,62 @@ class Address4 {
     }
     /**
      * Returns true if the given address is a multicast address
-     * @memberof Address4
-     * @instance
      * @returns {boolean}
      */
     isMulticast() {
-        return this.isInSubnet(new Address4('224.0.0.0/4'));
+        return this.isInSubnet(MULTICAST_V4);
+    }
+    /**
+     * Returns true if the address is in one of the [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) private address ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`).
+     * @returns {boolean}
+     */
+    isPrivate() {
+        return PRIVATE_V4.some((subnet) => this.isInSubnet(subnet));
+    }
+    /**
+     * Returns true if the address is in the loopback range `127.0.0.0/8` ([RFC 1122](https://datatracker.ietf.org/doc/html/rfc1122)).
+     * @returns {boolean}
+     */
+    isLoopback() {
+        return this.isInSubnet(LOOPBACK_V4);
+    }
+    /**
+     * Returns true if the address is in the link-local range `169.254.0.0/16` ([RFC 3927](https://datatracker.ietf.org/doc/html/rfc3927)).
+     * @returns {boolean}
+     */
+    isLinkLocal() {
+        return this.isInSubnet(LINK_LOCAL_V4);
+    }
+    /**
+     * Returns true if the address is the unspecified address `0.0.0.0`.
+     * @returns {boolean}
+     */
+    isUnspecified() {
+        return this.isInSubnet(UNSPECIFIED_V4);
+    }
+    /**
+     * Returns true if the address is the limited broadcast address `255.255.255.255` ([RFC 919](https://datatracker.ietf.org/doc/html/rfc919)).
+     * @returns {boolean}
+     */
+    isBroadcast() {
+        return this.isInSubnet(BROADCAST_V4);
+    }
+    /**
+     * Returns true if the address is in the carrier-grade NAT range `100.64.0.0/10` ([RFC 6598](https://datatracker.ietf.org/doc/html/rfc6598)).
+     * @returns {boolean}
+     */
+    isCGNAT() {
+        return this.isInSubnet(CGNAT_V4);
     }
     /**
      * Returns a zero-padded base-2 string representation of the address
-     * @memberof Address4
-     * @instance
      * @returns {string}
      */
     binaryZeroPad() {
-        return this.bigInt().toString(2).padStart(constants.BITS, '0');
+        if (this._binaryZeroPad === undefined) {
+            this._binaryZeroPad = this.bigInt().toString(2).padStart(constants.BITS, '0');
+        }
+        return this._binaryZeroPad;
     }
     /**
      * Groups an IPv4 address for inclusion at the end of an IPv6 address
@@ -357,4 +471,15 @@ class Address4 {
     }
 }
 exports.Address4 = Address4;
+const MULTICAST_V4 = new Address4('224.0.0.0/4');
+const PRIVATE_V4 = [
+    new Address4('10.0.0.0/8'),
+    new Address4('172.16.0.0/12'),
+    new Address4('192.168.0.0/16'),
+];
+const LOOPBACK_V4 = new Address4('127.0.0.0/8');
+const LINK_LOCAL_V4 = new Address4('169.254.0.0/16');
+const UNSPECIFIED_V4 = new Address4('0.0.0.0/32');
+const BROADCAST_V4 = new Address4('255.255.255.255/32');
+const CGNAT_V4 = new Address4('100.64.0.0/10');
 //# sourceMappingURL=ipv4.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/dist/ipv6.js b/deps/npm/node_modules/ip-address/dist/ipv6.js
index 5f88ab63a56eb8..a78020ee7886ff 100644
--- a/deps/npm/node_modules/ip-address/dist/ipv6.js
+++ b/deps/npm/node_modules/ip-address/dist/ipv6.js
@@ -34,6 +34,7 @@ const ipv4_1 = require("./ipv4");
 const regular_expressions_1 = require("./v6/regular-expressions");
 const address_error_1 = require("./address-error");
 const common_1 = require("./common");
+const isCorrect6 = common.isCorrect(constants6.BITS);
 function assert(condition) {
     if (!condition) {
         throw new Error('Assertion failed.');
@@ -77,7 +78,6 @@ function unsignByte(b) {
 }
 /**
  * Represents an IPv6 address
- * @class Address6
  * @param {string} address - An IPv6 address string
  * @param {number} [groups=8] - How many octets to parse
  * @example
@@ -94,18 +94,14 @@ class Address6 {
         // #region Attributes
         /**
          * Returns true if the given address is in the subnet of the current address
-         * @memberof Address6
-         * @instance
          * @returns {boolean}
          */
         this.isInSubnet = common.isInSubnet;
         /**
          * Returns true if the address is correct, false otherwise
-         * @memberof Address6
-         * @instance
          * @returns {boolean}
          */
-        this.isCorrect = common.isCorrect(constants6.BITS);
+        this.isCorrect = isCorrect6;
         if (optionalGroups === undefined) {
             this.groups = constants6.GROUPS;
         }
@@ -136,6 +132,13 @@ class Address6 {
         this.addressMinusSuffix = address;
         this.parsedAddress = this.parse(this.addressMinusSuffix);
     }
+    /**
+     * Returns true if the given string is a valid IPv6 address (with optional
+     * CIDR subnet and zone identifier), false otherwise. Host bits in the
+     * subnet portion are allowed (e.g. `2001:db8::1/32` is valid); for strict
+     * network-address validation compare `correctForm()` to
+     * `startAddress().correctForm()`, or use `networkForm()`.
+     */
     static isValid(address) {
         try {
             // eslint-disable-next-line no-new
@@ -147,9 +150,8 @@ class Address6 {
         }
     }
     /**
-     * Convert a BigInt to a v6 address object
-     * @memberof Address6
-     * @static
+     * Convert a BigInt to a v6 address object. The value must be in the
+     * range `[0, 2**128 - 1]`; otherwise `AddressError` is thrown.
      * @param {bigint} bigInt - a BigInt to convert
      * @returns {Address6}
      * @example
@@ -158,19 +160,21 @@ class Address6 {
      * address.correctForm(); // '::e8:d4a5:1000'
      */
     static fromBigInt(bigInt) {
+        if (bigInt < 0n || bigInt > (1n << BigInt(constants6.BITS)) - 1n) {
+            throw new address_error_1.AddressError('IPv6 BigInt must be in the range 0 to 2**128 - 1');
+        }
         const hex = bigInt.toString(16).padStart(32, '0');
         const groups = [];
-        let i;
-        for (i = 0; i < constants6.GROUPS; i++) {
+        for (let i = 0; i < constants6.GROUPS; i++) {
             groups.push(hex.slice(i * 4, (i + 1) * 4));
         }
         return new Address6(groups.join(':'));
     }
     /**
-     * Convert a URL (with optional port number) to an address object
-     * @memberof Address6
-     * @static
-     * @param {string} url - a URL with optional port number
+     * Parse a URL (with optional bracketed host and port) into an address and
+     * port. Returns either `{ address, port }` on success or
+     * `{ error, address: null, port: null }` if the URL could not be parsed.
+     * Ports are returned as numbers (or `null` if absent or out of range).
      * @example
      * var addressAndPort = Address6.fromURL('http://[ffff::]:8080/foo/');
      * addressAndPort.address.correctForm(); // 'ffff::'
@@ -229,10 +233,92 @@ class Address6 {
             port,
         };
     }
+    /**
+     * Construct an `Address6` from an address and a hex subnet mask given as
+     * separate strings (e.g. as returned by Node's `os.networkInterfaces()`).
+     * Throws `AddressError` if the mask is non-contiguous (e.g.
+     * `ffff::ffff`).
+     * @example
+     * var address = Address6.fromAddressAndMask('fe80::1', 'ffff:ffff:ffff:ffff::');
+     * address.subnetMask; // 64
+     */
+    static fromAddressAndMask(address, mask) {
+        const bits = common.prefixLengthFromMask(new Address6(mask).bigInt(), constants6.BITS);
+        return new Address6(`${address}/${bits}`);
+    }
+    /**
+     * Construct an `Address6` from an address and a Cisco-style wildcard mask
+     * given as separate strings (e.g. `::ffff:ffff:ffff:ffff` for a `/64`).
+     * The wildcard mask is the bitwise inverse of the subnet mask. Throws
+     * `AddressError` if the mask is non-contiguous.
+     * @example
+     * var address = Address6.fromAddressAndWildcardMask('fe80::1', '::ffff:ffff:ffff:ffff');
+     * address.subnetMask; // 64
+     */
+    static fromAddressAndWildcardMask(address, wildcardMask) {
+        const wildcard = new Address6(wildcardMask).bigInt();
+        const allOnes = (BigInt(1) << BigInt(constants6.BITS)) - BigInt(1);
+        // eslint-disable-next-line no-bitwise
+        const mask = wildcard ^ allOnes;
+        const bits = common.prefixLengthFromMask(mask, constants6.BITS);
+        return new Address6(`${address}/${bits}`);
+    }
+    /**
+     * Construct an `Address6` from a wildcard pattern with trailing `*`
+     * groups. The number of trailing wildcards determines the prefix
+     * length: each `*` represents 16 bits. `::` is expanded to zero groups
+     * (not wildcards) before evaluating trailing wildcards.
+     *
+     * Only trailing whole-group wildcards are supported. Partial-group
+     * wildcards (e.g. `2001:db8::0*`) and interior wildcards (e.g.
+     * `*::1`) throw `AddressError`.
+     * @example
+     * Address6.fromWildcard('2001:db8:*:*:*:*:*:*').subnet;  // '/32'
+     * Address6.fromWildcard('2001:db8::*').subnet;           // '/112'
+     * Address6.fromWildcard('*:*:*:*:*:*:*:*').subnet;       // '/0'
+     */
+    static fromWildcard(input) {
+        if (input.includes('%') || input.includes('/')) {
+            throw new address_error_1.AddressError('Wildcard pattern must not include a zone or CIDR suffix');
+        }
+        const halves = input.split('::');
+        if (halves.length > 2) {
+            throw new address_error_1.AddressError("Wildcard pattern cannot contain more than one '::'");
+        }
+        let groups;
+        if (halves.length === 2) {
+            const left = halves[0] === '' ? [] : halves[0].split(':');
+            const right = halves[1] === '' ? [] : halves[1].split(':');
+            const remaining = constants6.GROUPS - left.length - right.length;
+            if (remaining < 1) {
+                throw new address_error_1.AddressError("Wildcard pattern with '::' has too many groups");
+            }
+            groups = [...left, ...new Array(remaining).fill('0'), ...right];
+        }
+        else {
+            groups = input.split(':');
+        }
+        if (groups.length !== constants6.GROUPS) {
+            throw new address_error_1.AddressError('Wildcard pattern must have 8 groups');
+        }
+        let firstWildcard = -1;
+        for (let i = 0; i < groups.length; i++) {
+            if (groups[i] === '*') {
+                if (firstWildcard === -1) {
+                    firstWildcard = i;
+                }
+            }
+            else if (firstWildcard !== -1) {
+                throw new address_error_1.AddressError('Wildcard `*` must only appear in trailing groups (e.g. `2001:db8:*:*:*:*:*:*`)');
+            }
+        }
+        const trailing = firstWildcard === -1 ? 0 : groups.length - firstWildcard;
+        const replaced = groups.map((g) => (g === '*' ? '0' : g));
+        const subnetBits = constants6.BITS - trailing * 16;
+        return new Address6(`${replaced.join(':')}/${subnetBits}`);
+    }
     /**
      * Create an IPv6-mapped address given an IPv4 address
-     * @memberof Address6
-     * @static
      * @param {string} address - An IPv4 address string
      * @returns {Address6}
      * @example
@@ -247,8 +333,6 @@ class Address6 {
     }
     /**
      * Return an address from ip6.arpa form
-     * @memberof Address6
-     * @static
      * @param {string} arpaFormAddress - an 'ip6.arpa' form address
      * @returns {Adress6}
      * @example
@@ -273,8 +357,6 @@ class Address6 {
     }
     /**
      * Return the Microsoft UNC transcription of the address
-     * @memberof Address6
-     * @instance
      * @returns {String} the Microsoft UNC transcription of the address
      */
     microsoftTranscription() {
@@ -282,8 +364,6 @@ class Address6 {
     }
     /**
      * Return the first n bits of the address, defaulting to the subnet mask
-     * @memberof Address6
-     * @instance
      * @param {number} [mask=subnet] - the number of bits to mask
      * @returns {String} the first n bits of the address as a string
      */
@@ -292,8 +372,6 @@ class Address6 {
     }
     /**
      * Return the number of possible subnets of a given size in the address
-     * @memberof Address6
-     * @instance
      * @param {number} [subnetSize=128] - the subnet size
      * @returns {String}
      */
@@ -309,8 +387,6 @@ class Address6 {
     }
     /**
      * Helper function getting start address.
-     * @memberof Address6
-     * @instance
      * @returns {bigint}
      */
     _startAddress() {
@@ -319,8 +395,6 @@ class Address6 {
     /**
      * The first address in the range given by this address' subnet
      * Often referred to as the Network Address.
-     * @memberof Address6
-     * @instance
      * @returns {Address6}
      */
     startAddress() {
@@ -329,8 +403,6 @@ class Address6 {
     /**
      * The first host address in the range given by this address's subnet ie
      * the first address after the Network Address
-     * @memberof Address6
-     * @instance
      * @returns {Address6}
      */
     startAddressExclusive() {
@@ -339,8 +411,6 @@ class Address6 {
     }
     /**
      * Helper function getting end address.
-     * @memberof Address6
-     * @instance
      * @returns {bigint}
      */
     _endAddress() {
@@ -349,8 +419,6 @@ class Address6 {
     /**
      * The last address in the range given by this address' subnet
      * Often referred to as the Broadcast
-     * @memberof Address6
-     * @instance
      * @returns {Address6}
      */
     endAddress() {
@@ -359,8 +427,6 @@ class Address6 {
     /**
      * The last host address in the range given by this address's subnet ie
      * the last address prior to the Broadcast Address
-     * @memberof Address6
-     * @instance
      * @returns {Address6}
      */
     endAddressExclusive() {
@@ -368,36 +434,73 @@ class Address6 {
         return Address6.fromBigInt(this._endAddress() - adjust);
     }
     /**
-     * Return the scope of the address
-     * @memberof Address6
-     * @instance
+     * The hex form of the subnet mask, e.g. `ffff:ffff:ffff:ffff::` for a
+     * `/64`. Returns an `Address6`; call `.correctForm()` for the string.
+     * @returns {Address6}
+     */
+    subnetMaskAddress() {
+        return Address6.fromBigInt(BigInt(`0b${'1'.repeat(this.subnetMask)}${'0'.repeat(constants6.BITS - this.subnetMask)}`));
+    }
+    /**
+     * The Cisco-style wildcard mask, e.g. `::ffff:ffff:ffff:ffff` for a
+     * `/64`. This is the bitwise inverse of `subnetMaskAddress()`. Returns
+     * an `Address6`; call `.correctForm()` for the string.
+     * @returns {Address6}
+     */
+    wildcardMask() {
+        return Address6.fromBigInt(BigInt(`0b${'0'.repeat(this.subnetMask)}${'1'.repeat(constants6.BITS - this.subnetMask)}`));
+    }
+    /**
+     * The network address in CIDR string form, e.g. `2001:db8::/32` for
+     * `2001:db8::1/32`. For an address with no explicit subnet the prefix
+     * is `/128`, e.g. `networkForm()` on `2001:db8::1` returns
+     * `2001:db8::1/128`.
+     * @returns {string}
+     */
+    networkForm() {
+        return `${this.startAddress().correctForm()}/${this.subnetMask}`;
+    }
+    /**
+     * Return the scope of the address. The 4-bit scope field
+     * ([RFC 4291 §2.7](https://datatracker.ietf.org/doc/html/rfc4291#section-2.7))
+     * is only defined for multicast addresses; for unicast addresses the scope
+     * is derived from the address type per
+     * [RFC 4007 §6](https://datatracker.ietf.org/doc/html/rfc4007#section-6).
      * @returns {String}
      */
     getScope() {
-        let scope = constants6.SCOPES[parseInt(this.getBits(12, 16).toString(10), 10)];
-        if (this.getType() === 'Global unicast' && scope !== 'Link local') {
-            scope = 'Global';
+        const type = this.getType();
+        if (type === 'Multicast' || type.startsWith('Multicast ')) {
+            const scope = constants6.SCOPES[parseInt(this.getBits(12, 16).toString(10), 10)];
+            return scope || 'Unknown';
+        }
+        // RFC 4291 §2.5.3: the loopback address is treated as having Link-Local
+        // scope. (Multicast scope 1, "Interface-Local", is a different concept
+        // used only for loopback transmission of multicast.)
+        if (type === 'Link-local unicast' || type === 'Loopback') {
+            return 'Link local';
+        }
+        // RFC 4007 §6: the unspecified address has no scope.
+        if (type === 'Unspecified') {
+            return 'Unknown';
         }
-        return scope || 'Unknown';
+        return 'Global';
     }
     /**
      * Return the type of the address
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     getType() {
-        for (const subnet of Object.keys(constants6.TYPES)) {
-            if (this.isInSubnet(new Address6(subnet))) {
-                return constants6.TYPES[subnet];
+        for (let i = 0; i < TYPE_SUBNETS.length; i++) {
+            const entry = TYPE_SUBNETS[i];
+            if (this.isInSubnet(entry[0])) {
+                return entry[1];
             }
         }
         return 'Global unicast';
     }
     /**
      * Return the bits in the given range as a BigInt
-     * @memberof Address6
-     * @instance
      * @returns {bigint}
      */
     getBits(start, end) {
@@ -405,8 +508,6 @@ class Address6 {
     }
     /**
      * Return the bits in the given range as a base-2 string
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     getBitsBase2(start, end) {
@@ -414,8 +515,6 @@ class Address6 {
     }
     /**
      * Return the bits in the given range as a base-16 string
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     getBitsBase16(start, end) {
@@ -429,8 +528,6 @@ class Address6 {
     }
     /**
      * Return the bits that are set past the subnet mask length
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     getBitsPastSubnet() {
@@ -438,10 +535,8 @@ class Address6 {
     }
     /**
      * Return the reversed ip6.arpa form of the address
-     * @memberof Address6
      * @param {Object} options
      * @param {boolean} options.omitSuffix - omit the "ip6.arpa" suffix
-     * @instance
      * @returns {String}
      */
     reverseForm(options) {
@@ -467,10 +562,10 @@ class Address6 {
         return 'ip6.arpa.';
     }
     /**
-     * Return the correct form of the address
-     * @memberof Address6
-     * @instance
-     * @returns {String}
+     * Returns the address in correct form, per
+     * [RFC 5952](https://datatracker.ietf.org/doc/html/rfc5952): leading zeros
+     * stripped, the longest run of zero groups collapsed to `::`, and hex digits
+     * lowercased (e.g. `2001:db8::1`). This is the recommended form for display.
      */
     correctForm() {
         let i;
@@ -514,8 +609,6 @@ class Address6 {
     }
     /**
      * Return a zero-padded base-2 string representation of the address
-     * @memberof Address6
-     * @instance
      * @returns {String}
      * @example
      * var address = new Address6('2001:4860:4001:803::1011');
@@ -524,10 +617,22 @@ class Address6 {
      * //  0000000000000000000000000000000000000000000000000001000000010001'
      */
     binaryZeroPad() {
-        return this.bigInt().toString(2).padStart(constants6.BITS, '0');
+        if (this._binaryZeroPad === undefined) {
+            this._binaryZeroPad = this.bigInt().toString(2).padStart(constants6.BITS, '0');
+        }
+        return this._binaryZeroPad;
     }
+    /**
+     * Parses a v4-in-v6 string (e.g. `::ffff:192.168.0.1`) by extracting the
+     * trailing IPv4 address into `this.address4` / `this.parsedAddress4` and
+     * returning the address with the v4 portion converted to two v6 groups.
+     * Used internally by `parse()`.
+     */
     // TODO: Improve the semantics of this helper function
     parse4in6(address) {
+        if (address.indexOf('.') === -1) {
+            return address;
+        }
         const groups = address.split(':');
         const lastGroup = groups.slice(-1)[0];
         const address4 = lastGroup.match(constants4.RE_ADDRESS);
@@ -536,7 +641,12 @@ class Address6 {
             this.address4 = new ipv4_1.Address4(this.parsedAddress4);
             for (let i = 0; i < this.address4.groups; i++) {
                 if (/^0[0-9]+/.test(this.address4.parsedAddress[i])) {
-                    throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", address.replace(constants4.RE_ADDRESS, this.address4.parsedAddress.map(spanLeadingZeroes4).join('.')));
+                    // The prefix groups haven't been through the bad-character check
+                    // yet, so escape them before including in the error HTML.
+                    const highlighted = this.address4.parsedAddress.map(spanLeadingZeroes4).join('.');
+                    const prefix = groups.slice(0, -1).map(helpers.escapeHtml).join(':');
+                    const separator = groups.length > 1 ? ':' : '';
+                    throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", `${prefix}${separator}${highlighted}`);
                 }
             }
             this.v4 = true;
@@ -545,6 +655,13 @@ class Address6 {
         }
         return address;
     }
+    /**
+     * Parses an IPv6 address string into its 8 hexadecimal groups (expanding
+     * any `::` elision and any trailing v4-in-v6 portion) and stores the result
+     * on `this.parsedAddress`. Called automatically by the constructor; you
+     * typically don't need to call it directly. Throws `AddressError` if the
+     * input is malformed.
+     */
     // TODO: Make private?
     parse(address) {
         address = this.parse4in6(address);
@@ -594,18 +711,16 @@ class Address6 {
         return groups;
     }
     /**
-     * Return the canonical form of the address
-     * @memberof Address6
-     * @instance
-     * @returns {String}
+     * Returns the canonical (fully expanded) form of the address: all 8 groups,
+     * each padded to 4 hex digits, with no `::` collapsing
+     * (e.g. `2001:0db8:0000:0000:0000:0000:0000:0001`). Useful for sorting and
+     * byte-exact comparison.
      */
     canonicalForm() {
         return this.parsedAddress.map(paddedHex).join(':');
     }
     /**
      * Return the decimal form of the address
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     decimal() {
@@ -613,8 +728,6 @@ class Address6 {
     }
     /**
      * Return the address as a BigInt
-     * @memberof Address6
-     * @instance
      * @returns {bigint}
      */
     bigInt() {
@@ -622,8 +735,6 @@ class Address6 {
     }
     /**
      * Return the last two groups of this address as an IPv4 address string
-     * @memberof Address6
-     * @instance
      * @returns {Address4}
      * @example
      * var address = new Address6('2001:4860:4001::1825:bf11');
@@ -631,12 +742,10 @@ class Address6 {
      */
     to4() {
         const binary = this.binaryZeroPad().split('');
-        return ipv4_1.Address4.fromHex(BigInt(`0b${binary.slice(96, 128).join('')}`).toString(16));
+        return ipv4_1.Address4.fromHex(BigInt(`0b${binary.slice(96, 128).join('')}`).toString(16).padStart(8, '0'));
     }
     /**
      * Return the v4-in-v6 form of the address
-     * @memberof Address6
-     * @instance
      * @returns {String}
      */
     to4in6() {
@@ -650,10 +759,10 @@ class Address6 {
         return correct + infix + address4.address;
     }
     /**
-     * Return an object containing the Teredo properties of the address
-     * @memberof Address6
-     * @instance
-     * @returns {Object}
+     * Decodes the Teredo tunneling fields embedded in this address. Returns the
+     * Teredo prefix, server IPv4, client IPv4, raw flag bits, cone-NAT flag,
+     * UDP port, and Microsoft-format flag breakdown (reserved, universal/local,
+     * group/individual, nonce). Only meaningful for addresses in `2001::/32`.
      */
     inspectTeredo() {
         /*
@@ -684,7 +793,7 @@ class Address6 {
         const server4 = ipv4_1.Address4.fromHex(this.getBitsBase16(32, 64));
         const bitsForClient4 = this.getBits(96, 128);
         // eslint-disable-next-line no-bitwise
-        const client4 = ipv4_1.Address4.fromHex((bitsForClient4 ^ BigInt('0xffffffff')).toString(16));
+        const client4 = ipv4_1.Address4.fromHex((bitsForClient4 ^ BigInt('0xffffffff')).toString(16).padStart(8, '0'));
         const flagsBase2 = this.getBitsBase2(64, 80);
         const coneNat = (0, common_1.testBit)(flagsBase2, 15);
         const reserved = (0, common_1.testBit)(flagsBase2, 14);
@@ -707,10 +816,9 @@ class Address6 {
         };
     }
     /**
-     * Return an object containing the 6to4 properties of the address
-     * @memberof Address6
-     * @instance
-     * @returns {Object}
+     * Decodes the 6to4 tunneling fields embedded in this address. Returns the
+     * 6to4 prefix and the embedded IPv4 gateway address. Only meaningful for
+     * addresses in `2002::/16`.
      */
     inspect6to4() {
         /*
@@ -726,8 +834,6 @@ class Address6 {
     }
     /**
      * Return a v6 6to4 address from a v6 v4inv6 address
-     * @memberof Address6
-     * @instance
      * @returns {Address6}
      */
     to6to4() {
@@ -744,9 +850,80 @@ class Address6 {
         return new Address6(addr6to4);
     }
     /**
-     * Return a byte array
-     * @memberof Address6
-     * @instance
+     * Embed an IPv4 address into a NAT64 IPv6 address using the encoding
+     * defined by [RFC 6052](https://datatracker.ietf.org/doc/html/rfc6052).
+     * The default prefix is the well-known prefix `64:ff9b::/96`. The prefix
+     * length must be one of 32, 40, 48, 56, 64, or 96; for prefixes shorter
+     * than /64 the IPv4 octets are split around the reserved bits 64–71.
+     * @example
+     * Address6.fromAddress4Nat64('192.0.2.33').correctForm(); // '64:ff9b::c000:221'
+     * Address6.fromAddress4Nat64('192.0.2.33', '2001:db8::/32').correctForm(); // '2001:db8:c000:221::'
+     */
+    static fromAddress4Nat64(address, prefix = '64:ff9b::/96') {
+        const v4 = new ipv4_1.Address4(address);
+        const prefix6 = new Address6(prefix);
+        const pl = prefix6.subnetMask;
+        if (pl !== 32 && pl !== 40 && pl !== 48 && pl !== 56 && pl !== 64 && pl !== 96) {
+            throw new address_error_1.AddressError('NAT64 prefix length must be 32, 40, 48, 56, 64, or 96');
+        }
+        const prefixBits = prefix6.binaryZeroPad();
+        const v4Bits = v4.binaryZeroPad();
+        let bits;
+        if (pl === 96) {
+            bits = prefixBits.slice(0, 96) + v4Bits;
+        }
+        else {
+            const beforeU = 64 - pl;
+            bits =
+                prefixBits.slice(0, pl) +
+                    v4Bits.slice(0, beforeU) +
+                    '00000000' +
+                    v4Bits.slice(beforeU) +
+                    '0'.repeat(128 - 72 - (32 - beforeU));
+        }
+        const hex = BigInt(`0b${bits}`).toString(16).padStart(32, '0');
+        const groups = [];
+        for (let i = 0; i < 8; i++) {
+            groups.push(hex.slice(i * 4, (i + 1) * 4));
+        }
+        return new Address6(groups.join(':'));
+    }
+    /**
+     * Extract the embedded IPv4 address from a NAT64 IPv6 address using the
+     * encoding defined by [RFC 6052](https://datatracker.ietf.org/doc/html/rfc6052).
+     * The default prefix is the well-known prefix `64:ff9b::/96`. Returns
+     * `null` if this address is not contained within the given prefix.
+     * @example
+     * new Address6('64:ff9b::c000:221').toAddress4Nat64()!.correctForm(); // '192.0.2.33'
+     */
+    toAddress4Nat64(prefix = '64:ff9b::/96') {
+        const prefix6 = new Address6(prefix);
+        const pl = prefix6.subnetMask;
+        if (pl !== 32 && pl !== 40 && pl !== 48 && pl !== 56 && pl !== 64 && pl !== 96) {
+            throw new address_error_1.AddressError('NAT64 prefix length must be 32, 40, 48, 56, 64, or 96');
+        }
+        if (!this.isInSubnet(prefix6)) {
+            return null;
+        }
+        const bits = this.binaryZeroPad();
+        let v4Bits;
+        if (pl === 96) {
+            v4Bits = bits.slice(96, 128);
+        }
+        else {
+            const beforeU = 64 - pl;
+            v4Bits = bits.slice(pl, pl + beforeU) + bits.slice(72, 72 + (32 - beforeU));
+        }
+        const octets = [];
+        for (let i = 0; i < 4; i++) {
+            octets.push(parseInt(v4Bits.slice(i * 8, (i + 1) * 8), 2).toString());
+        }
+        return new ipv4_1.Address4(octets.join('.'));
+    }
+    /**
+     * Return a byte array.
+     *
+     * To get a Node.js `Buffer`, wrap the result: `Buffer.from(address.toByteArray())`.
      * @returns {Array}
      */
     toByteArray() {
@@ -760,27 +937,27 @@ class Address6 {
         return bytes;
     }
     /**
-     * Return an unsigned byte array
-     * @memberof Address6
-     * @instance
+     * Return an unsigned byte array.
+     *
+     * To get a Node.js `Buffer`, wrap the result: `Buffer.from(address.toUnsignedByteArray())`.
      * @returns {Array}
      */
     toUnsignedByteArray() {
         return this.toByteArray().map(unsignByte);
     }
     /**
-     * Convert a byte array to an Address6 object
-     * @memberof Address6
-     * @static
+     * Convert a byte array to an Address6 object.
+     *
+     * To convert from a Node.js `Buffer`, spread it: `Address6.fromByteArray([...buf])`.
      * @returns {Address6}
      */
     static fromByteArray(bytes) {
         return this.fromUnsignedByteArray(bytes.map(unsignByte));
     }
     /**
-     * Convert an unsigned byte array to an Address6 object
-     * @memberof Address6
-     * @static
+     * Convert an unsigned byte array to an Address6 object.
+     *
+     * To convert from a Node.js `Buffer`, spread it: `Address6.fromUnsignedByteArray([...buf])`.
      * @returns {Address6}
      */
     static fromUnsignedByteArray(bytes) {
@@ -795,8 +972,6 @@ class Address6 {
     }
     /**
      * Returns true if the address is in the canonical form, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     isCanonical() {
@@ -804,8 +979,6 @@ class Address6 {
     }
     /**
      * Returns true if the address is a link local address, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     isLinkLocal() {
@@ -818,53 +991,81 @@ class Address6 {
     }
     /**
      * Returns true if the address is a multicast address, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     isMulticast() {
-        return this.getType() === 'Multicast';
+        const type = this.getType();
+        return type === 'Multicast' || type.startsWith('Multicast ');
     }
     /**
-     * Returns true if the address is a v4-in-v6 address, false otherwise
-     * @memberof Address6
-     * @instance
+     * Returns true if the address was written in v4-in-v6 dotted-quad notation
+     * (e.g. `::ffff:127.0.0.1`), false otherwise. This is a notation-level flag
+     * and does not reflect whether the address bits lie in the IPv4-mapped
+     * (`::ffff:0:0/96`) subnet — for that, see {@link isMapped4}.
      * @returns {boolean}
      */
     is4() {
         return this.v4;
     }
+    /**
+     * Returns true if the address is an IPv4-mapped IPv6 address in
+     * `::ffff:0:0/96` ([RFC 4291 §2.5.5.2](https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.5.2)),
+     * false otherwise. Unlike {@link is4}, this checks the underlying address
+     * bits rather than the textual notation, so `::ffff:127.0.0.1` and
+     * `::ffff:7f00:1` both return true.
+     * @returns {boolean}
+     */
+    isMapped4() {
+        return this.isInSubnet(IPV4_MAPPED_SUBNET);
+    }
     /**
      * Returns true if the address is a Teredo address, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     isTeredo() {
-        return this.isInSubnet(new Address6('2001::/32'));
+        return this.isInSubnet(TEREDO_SUBNET);
     }
     /**
      * Returns true if the address is a 6to4 address, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     is6to4() {
-        return this.isInSubnet(new Address6('2002::/16'));
+        return this.isInSubnet(SIX_TO_FOUR_SUBNET);
     }
     /**
      * Returns true if the address is a loopback address, false otherwise
-     * @memberof Address6
-     * @instance
      * @returns {boolean}
      */
     isLoopback() {
         return this.getType() === 'Loopback';
     }
+    /**
+     * Returns true if the address is a Unique Local Address in `fc00::/7` ([RFC 4193](https://datatracker.ietf.org/doc/html/rfc4193)). ULAs are the IPv6 equivalent of IPv4 [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) private addresses.
+     * @returns {boolean}
+     */
+    isULA() {
+        return this.isInSubnet(ULA_SUBNET);
+    }
+    /**
+     * Returns true if the address is the unspecified address `::`.
+     * @returns {boolean}
+     */
+    isUnspecified() {
+        return this.getType() === 'Unspecified';
+    }
+    /**
+     * Returns true if the address is in the documentation prefix `2001:db8::/32` ([RFC 3849](https://datatracker.ietf.org/doc/html/rfc3849)).
+     * @returns {boolean}
+     */
+    isDocumentation() {
+        return this.isInSubnet(DOCUMENTATION_SUBNET);
+    }
     // #endregion
     // #region HTML
     /**
-     * @returns {String} the address in link form with a default port of 80
+     * Returns the address as an HTTP URL with the host bracketed, e.g.
+     * `http://[2001:db8::1]/`. If `optionalPort` is provided it is appended,
+     * e.g. `http://[2001:db8::1]:8080/`.
      */
     href(optionalPort) {
         if (optionalPort === undefined) {
@@ -876,7 +1077,12 @@ class Address6 {
         return `http://[${this.correctForm()}]${optionalPort}/`;
     }
     /**
-     * @returns {String} a link suitable for conveying the address via a URL hash
+     * Returns an HTML `` element whose `href` encodes the address in a URL
+     * hash fragment (default prefix `/#address=`). Useful for linking between
+     * pages of an address-inspector UI.
+     * @param options.className - CSS class for the rendered `` element
+     * @param options.prefix - hash prefix prepended to the address (default `/#address=`)
+     * @param options.v4 - when true, render the address in v4-in-v6 form
      */
     link(options) {
         if (!options) {
@@ -896,10 +1102,13 @@ class Address6 {
             formFunction = this.to4in6;
         }
         const form = formFunction.call(this);
+        const safeHref = helpers.escapeHtml(`${options.prefix}${form}`);
+        const safeForm = helpers.escapeHtml(form);
         if (options.className) {
-            return `${form}`;
+            const safeClass = helpers.escapeHtml(options.className);
+            return `${safeForm}`;
         }
-        return `${form}`;
+        return `${safeForm}`;
     }
     /**
      * Groups an address
@@ -908,13 +1117,13 @@ class Address6 {
     group() {
         if (this.elidedGroups === 0) {
             // The simple case
-            return helpers.simpleGroup(this.address).join(':');
+            return helpers.simpleGroup(this.addressMinusSuffix).join(':');
         }
         assert(typeof this.elidedGroups === 'number');
         assert(typeof this.elisionBegin === 'number');
         // The elided case
         const output = [];
-        const [left, right] = this.address.split('::');
+        const [left, right] = this.addressMinusSuffix.split('::');
         if (left.length) {
             output.push(...helpers.simpleGroup(left));
         }
@@ -944,8 +1153,6 @@ class Address6 {
     /**
      * Generate a regular expression string that can be used to find or validate
      * all variations of this address
-     * @memberof Address6
-     * @instance
      * @param {boolean} substringSearch
      * @returns {string}
      */
@@ -990,8 +1197,6 @@ class Address6 {
     /**
      * Generate a regular expression that can be used to find or validate all
      * variations of this address.
-     * @memberof Address6
-     * @instance
      * @param {boolean} substringSearch
      * @returns {RegExp}
      */
@@ -1000,4 +1205,13 @@ class Address6 {
     }
 }
 exports.Address6 = Address6;
+const TYPE_SUBNETS = Object.keys(constants6.TYPES).map((subnet) => [
+    new Address6(subnet),
+    constants6.TYPES[subnet],
+]);
+const TEREDO_SUBNET = new Address6('2001::/32');
+const SIX_TO_FOUR_SUBNET = new Address6('2002::/16');
+const ULA_SUBNET = new Address6('fc00::/7');
+const DOCUMENTATION_SUBNET = new Address6('2001:db8::/32');
+const IPV4_MAPPED_SUBNET = new Address6('::ffff:0:0/96');
 //# sourceMappingURL=ipv6.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/dist/v6/constants.js b/deps/npm/node_modules/ip-address/dist/v6/constants.js
index 0abc423e0a91ab..1a8cd1dd616e86 100644
--- a/deps/npm/node_modules/ip-address/dist/v6/constants.js
+++ b/deps/npm/node_modules/ip-address/dist/v6/constants.js
@@ -46,6 +46,11 @@ exports.TYPES = {
     '::1/128': 'Loopback',
     'ff00::/8': 'Multicast',
     'fe80::/10': 'Link-local unicast',
+    'fc00::/7': 'Unique local',
+    '2002::/16': '6to4',
+    '2001:db8::/32': 'Documentation',
+    '64:ff9b::/96': 'NAT64 (well-known)',
+    '64:ff9b:1::/48': 'NAT64 (local-use)',
 };
 /**
  * A regular expression that matches bad characters in an IPv6 address
diff --git a/deps/npm/node_modules/ip-address/dist/v6/helpers.js b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
index fafca0c2712ddc..e6bae04698a66a 100644
--- a/deps/npm/node_modules/ip-address/dist/v6/helpers.js
+++ b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
@@ -1,14 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.escapeHtml = escapeHtml;
 exports.spanAllZeroes = spanAllZeroes;
 exports.spanAll = spanAll;
 exports.spanLeadingZeroes = spanLeadingZeroes;
 exports.simpleGroup = simpleGroup;
+function escapeHtml(s) {
+    return s
+        .replace(/&/g, '&')
+        .replace(//g, '>')
+        .replace(/"/g, '"')
+        .replace(/'/g, ''');
+}
 /**
  * @returns {String} the string with all zeroes contained in a 
  */
 function spanAllZeroes(s) {
-    return s.replace(/(0+)/g, '$1');
+    return escapeHtml(s).replace(/(0+)/g, '$1');
 }
 /**
  * @returns {String} the string with each character contained in a 
@@ -16,11 +25,11 @@ function spanAllZeroes(s) {
 function spanAll(s, offset = 0) {
     const letters = s.split('');
     return letters
-        .map((n, i) => `${spanAllZeroes(n)}`)
+        .map((n, i) => `${spanAllZeroes(n)}`)
         .join('');
 }
 function spanLeadingZeroesSimple(group) {
-    return group.replace(/^(0+)/, '$1');
+    return escapeHtml(group).replace(/^(0+)/, '$1');
 }
 /**
  * @returns {String} the string with leading zeroes contained in a 
diff --git a/deps/npm/node_modules/ip-address/package.json b/deps/npm/node_modules/ip-address/package.json
index 5cf811e8c563af..47d109ec6f34da 100644
--- a/deps/npm/node_modules/ip-address/package.json
+++ b/deps/npm/node_modules/ip-address/package.json
@@ -2,77 +2,87 @@
   "name": "ip-address",
   "description": "A library for parsing IPv4 and IPv6 IP addresses in node and the browser.",
   "keywords": [
-    "ipv6",
+    "ip",
     "ipv4",
-    "browser",
-    "validation"
+    "ipv6",
+    "address",
+    "cidr",
+    "subnet",
+    "netmask",
+    "validate",
+    "validation",
+    "parse",
+    "arpa",
+    "bigint",
+    "browser"
   ],
-  "version": "10.1.0",
+  "version": "10.2.0",
   "author": "Beau Gunderson  (https://beaugunderson.com/)",
   "license": "MIT",
   "main": "dist/ip-address.js",
   "types": "dist/ip-address.d.ts",
   "scripts": {
-    "docs": "documentation build --github --output docs --format html ./ip-address.js",
+    "docs": "tsx scripts/build-readme.ts",
     "build": "rm -rf dist; mkdir dist; tsc",
-    "prepack": "npm run build",
-    "release": "release-it",
-    "test-ci": "nyc mocha",
+    "prepack": "npm run docs && npm run build",
+    "test-ci": "c8 --experimental-monocart mocha",
     "test": "mocha",
     "watch": "mocha --watch"
   },
-  "nyc": {
-    "extension": [
-      ".ts"
+  "c8": {
+    "include": [
+      "src/**/*.ts"
     ],
     "exclude": [
       "**/*.d.ts",
-      ".eslintrc.js",
-      "coverage/",
-      "dist/",
-      "test/",
-      "tmp/"
+      "src/ip-address.ts",
+      "src/v4/constants.ts",
+      "src/v6/constants.ts"
     ],
     "reporter": [
       "html",
       "lcov",
       "text"
-    ],
-    "all": true
+    ]
   },
   "engines": {
     "node": ">= 12"
   },
+  "sideEffects": false,
   "files": [
-    "src",
     "dist"
   ],
   "repository": {
     "type": "git",
     "url": "git://github.com/beaugunderson/ip-address.git"
   },
+  "overrides": {
+    "diff": "^8.0.3",
+    "serialize-javascript": "^7.0.5",
+    "@eslint/plugin-kit": "^0.7.1"
+  },
   "devDependencies": {
-    "@types/chai": "^5.0.0",
-    "@types/mocha": "^10.0.8",
-    "@typescript-eslint/eslint-plugin": "^8.8.0",
-    "@typescript-eslint/parser": "^8.8.0",
-    "chai": "^5.1.1",
-    "documentation": "^14.0.3",
-    "eslint": "^8.50.0",
+    "@types/chai": "^5.2.3",
+    "@types/mocha": "^10.0.10",
+    "@typescript-eslint/eslint-plugin": "^8.59.1",
+    "@typescript-eslint/parser": "^8.59.1",
+    "c8": "^11.0.0",
+    "chai": "^6.2.2",
+    "eslint": "^8.57.1",
     "eslint_d": "^14.0.4",
     "eslint-config-airbnb": "^19.0.4",
-    "eslint-config-prettier": "^9.1.0",
+    "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-filenames": "^1.3.2",
-    "eslint-plugin-import": "^2.30.0",
-    "eslint-plugin-jsx-a11y": "^6.10.0",
-    "eslint-plugin-prettier": "^5.2.1",
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-jsx-a11y": "^6.10.2",
+    "eslint-plugin-prettier": "^5.5.5",
     "eslint-plugin-sort-imports-es6-autofix": "^0.6.0",
-    "mocha": "^10.7.3",
-    "nyc": "^17.1.0",
-    "prettier": "^3.3.3",
-    "release-it": "^17.6.0",
+    "mocha": "^11.7.5",
+    "monocart-coverage-reports": "^2.12.11",
+    "prettier": "^3.8.3",
     "source-map-support": "^0.5.21",
-    "tsx": "^4.19.1",
+    "tsx": "^4.21.0",
+    "typedoc": "^0.28.19",
     "typescript": "<5.6.0"
   }
 }
diff --git a/deps/npm/node_modules/libnpmdiff/package.json b/deps/npm/node_modules/libnpmdiff/package.json
index a59017ff3d9731..08783e3ecb13e8 100644
--- a/deps/npm/node_modules/libnpmdiff/package.json
+++ b/deps/npm/node_modules/libnpmdiff/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmdiff",
-  "version": "8.1.6",
+  "version": "8.1.9",
   "description": "The registry diff",
   "repository": {
     "type": "git",
@@ -47,7 +47,7 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.4.3",
+    "@npmcli/arborist": "^9.7.0",
     "@npmcli/installed-package-contents": "^4.0.0",
     "binary-extensions": "^3.0.0",
     "diff": "^8.0.2",
diff --git a/deps/npm/node_modules/libnpmexec/lib/index.js b/deps/npm/node_modules/libnpmexec/lib/index.js
index 3681653d8217d6..3add22cd2edca5 100644
--- a/deps/npm/node_modules/libnpmexec/lib/index.js
+++ b/deps/npm/node_modules/libnpmexec/lib/index.js
@@ -87,8 +87,10 @@ const missingFromTree = async ({ spec, tree, flatOptions, isNpxTree, shallow })
 }
 
 // see if the package.json at `path` has an entry that matches `cmd`
+// the path is a known-local directory, not a user-supplied dep, so
+// allow-directory must not gate this introspection
 const hasPkgBin = (path, cmd, flatOptions) =>
-  pacote.manifest(path, flatOptions)
+  pacote.manifest(path, { ...flatOptions, allowDirectory: 'all' })
     .then(manifest => manifest?.bin?.[cmd]).catch(() => null)
 
 const exec = async (opts) => {
@@ -147,6 +149,8 @@ const exec = async (opts) => {
         // we have to install the local package into the npx cache so that its
         // bin links get set up
         flatOptions.installLinks = false
+        // self-execution of a local bin, not a directory dep install
+        flatOptions.allowDirectory = 'all'
         // args[0] will exist when the package is installed
         packages.push(p)
         yes = true
diff --git a/deps/npm/node_modules/libnpmexec/package.json b/deps/npm/node_modules/libnpmexec/package.json
index 078c5618a4cd33..b672050048bd3f 100644
--- a/deps/npm/node_modules/libnpmexec/package.json
+++ b/deps/npm/node_modules/libnpmexec/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmexec",
-  "version": "10.2.6",
+  "version": "10.2.9",
   "files": [
     "bin/",
     "lib/"
@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",
-    "@npmcli/arborist": "^9.4.3",
+    "@npmcli/arborist": "^9.7.0",
     "@npmcli/package-json": "^7.0.0",
     "@npmcli/run-script": "^10.0.0",
     "ci-info": "^4.0.0",
diff --git a/deps/npm/node_modules/libnpmfund/package.json b/deps/npm/node_modules/libnpmfund/package.json
index 62e73f5ef6436b..ab5b5a86d98339 100644
--- a/deps/npm/node_modules/libnpmfund/package.json
+++ b/deps/npm/node_modules/libnpmfund/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmfund",
-  "version": "7.0.20",
+  "version": "7.0.23",
   "main": "lib/index.js",
   "files": [
     "bin/",
@@ -46,7 +46,7 @@
     "tap": "^16.3.8"
   },
   "dependencies": {
-    "@npmcli/arborist": "^9.4.3"
+    "@npmcli/arborist": "^9.7.0"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"
diff --git a/deps/npm/node_modules/libnpmpack/package.json b/deps/npm/node_modules/libnpmpack/package.json
index befca6090e66b8..58ff8edc24d844 100644
--- a/deps/npm/node_modules/libnpmpack/package.json
+++ b/deps/npm/node_modules/libnpmpack/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmpack",
-  "version": "9.1.6",
+  "version": "9.1.9",
   "description": "Programmatic API for the bits behind npm pack",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
@@ -37,7 +37,7 @@
   "bugs": "https://github.com/npm/libnpmpack/issues",
   "homepage": "https://npmjs.com/package/libnpmpack",
   "dependencies": {
-    "@npmcli/arborist": "^9.4.3",
+    "@npmcli/arborist": "^9.7.0",
     "@npmcli/run-script": "^10.0.0",
     "npm-package-arg": "^13.0.0",
     "pacote": "^21.0.2"
diff --git a/deps/npm/node_modules/libnpmpublish/README.md b/deps/npm/node_modules/libnpmpublish/README.md
index 90b1f7c68ab4f2..4daac34feaad10 100644
--- a/deps/npm/node_modules/libnpmpublish/README.md
+++ b/deps/npm/node_modules/libnpmpublish/README.md
@@ -62,6 +62,13 @@ A couple of options of note:
   containing a [DSSE](https://github.com/secure-systems-lab/dsse)-packaged
   provenance statement.
 
+* `opts.stage` - when `true`, publishes the package to a staging area instead
+  of making it immediately available. The registry response will include a
+  `stageId` (UUID) that can be used to approve or reject the staged version
+  later. Changes the request method to `POST` and the endpoint to
+  `/-/stage/package/`. The returned Response object will have a
+  `stageId` property.
+
 ####  `> libpub.publish(manifest, tarData, [opts]) -> Promise`
 
 Sends the package represented by the `manifest` and `tarData` to the
diff --git a/deps/npm/node_modules/libnpmpublish/lib/publish.js b/deps/npm/node_modules/libnpmpublish/lib/publish.js
index 933e142422b6c4..cfe85d2d29f57b 100644
--- a/deps/npm/node_modules/libnpmpublish/lib/publish.js
+++ b/deps/npm/node_modules/libnpmpublish/lib/publish.js
@@ -50,15 +50,20 @@ Remove the 'private' field from the package.json to publish it.`),
     opts
   )
 
-  const res = await npmFetch(spec.escapedName, {
+  const stageRoute = `/-/stage/package/${spec.escapedName}`
+  const res = await npmFetch(opts.stage ? stageRoute : spec.escapedName, {
     ...opts,
-    method: 'PUT',
+    method: opts.stage ? 'POST' : 'PUT',
     body: metadata,
-    ignoreBody: true,
+    ignoreBody: !opts.stage,
   })
   if (transparencyLogUrl) {
     res.transparencyLogUrl = transparencyLogUrl
   }
+  if (opts.stage) {
+    const json = await res.json()
+    res.stageId = json.stageId
+  }
   return res
 }
 
@@ -86,7 +91,7 @@ const patchManifest = async (_manifest, opts) => {
 }
 
 const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
-  const { access, defaultTag, algorithms, provenance, provenanceFile } = opts
+  const { access, defaultTag, algorithms, provenance, provenanceFile, command = 'publish' } = opts
   const root = {
     _id: manifest.name,
     name: manifest.name,
@@ -141,14 +146,14 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
       provenanceBundle = await generateProvenance([subject], opts)
 
       /* eslint-disable-next-line max-len */
-      log.notice('publish', `Signed provenance statement with source and build information from ${ciInfo.name}`)
+      log.notice(command, `Signed provenance statement with source and build information from ${ciInfo.name}`)
 
       const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0]
       /* istanbul ignore else */
       if (tlogEntry) {
         transparencyLogUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
         log.notice(
-          'publish',
+          command,
           `Provenance statement published to transparency log: ${transparencyLogUrl}`
         )
       }
diff --git a/deps/npm/node_modules/libnpmpublish/package.json b/deps/npm/node_modules/libnpmpublish/package.json
index f90a6bf4506ecd..5b4ae66e57284c 100644
--- a/deps/npm/node_modules/libnpmpublish/package.json
+++ b/deps/npm/node_modules/libnpmpublish/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmpublish",
-  "version": "11.1.3",
+  "version": "11.2.0",
   "description": "Programmatic API for the bits behind npm publish and unpublish",
   "author": "GitHub Inc.",
   "main": "lib/index.js",
diff --git a/deps/npm/node_modules/libnpmversion/README.md b/deps/npm/node_modules/libnpmversion/README.md
index b81a231d05ce04..d60a144bcc1bf1 100644
--- a/deps/npm/node_modules/libnpmversion/README.md
+++ b/deps/npm/node_modules/libnpmversion/README.md
@@ -86,6 +86,9 @@ The exact order of execution is as follows:
 6. Run the `postversion` script. Use it to clean up the file system or
    automatically push the commit and/or tag.
 
+For the `preversion`, `version` and `postversion` scripts, npm also sets the
+environment variables `npm_old_version` and `npm_new_version`.
+
 Take the following example:
 
 ```json
diff --git a/deps/npm/node_modules/libnpmversion/package.json b/deps/npm/node_modules/libnpmversion/package.json
index cac11cc36bd385..f8be6d8fdb3af7 100644
--- a/deps/npm/node_modules/libnpmversion/package.json
+++ b/deps/npm/node_modules/libnpmversion/package.json
@@ -1,6 +1,6 @@
 {
   "name": "libnpmversion",
-  "version": "8.0.3",
+  "version": "8.0.4",
   "main": "lib/index.js",
   "files": [
     "bin/",
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/browser/diagnostics-channel.js b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/diagnostics-channel.js
new file mode 100644
index 00000000000000..8f6a8f12edb399
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/diagnostics-channel.js
@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tracing = exports.metrics = void 0;
+const dummy = { hasSubscribers: false };
+exports.metrics = dummy;
+exports.tracing = dummy;
+//# sourceMappingURL=diagnostics-channel-browser.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.js b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.js
new file mode 100644
index 00000000000000..6b8268b0ea9123
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.js
@@ -0,0 +1,1726 @@
+"use strict";
+/**
+ * @module LRUCache
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LRUCache = void 0;
+const diagnostics_channel_js_1 = require("./diagnostics-channel.js");
+const perf_js_1 = require("./perf.js");
+const hasSubscribers = () => diagnostics_channel_js_1.metrics.hasSubscribers || diagnostics_channel_js_1.tracing.hasSubscribers;
+const warned = new Set();
+/* c8 ignore start */
+const PROCESS = (typeof process === 'object' && !!process ?
+    process
+    : {});
+/* c8 ignore stop */
+const emitWarning = (msg, type, code, fn) => {
+    if (typeof PROCESS.emitWarning === 'function') {
+        PROCESS.emitWarning(msg, type, code, fn);
+    }
+    else {
+        //oxlint-disable-next-line no-console
+        console.error(`[${code}] ${type}: ${msg}`);
+    }
+};
+const shouldWarn = (code) => !warned.has(code);
+const TYPE = Symbol('type');
+const isPosInt = (n) => !!n && n === Math.floor(n) && n > 0 && isFinite(n);
+// This is a little bit ridiculous, tbh.
+// The maximum array length is 2^32-1 or thereabouts on most JS impls.
+// And well before that point, you're caching the entire world, I mean,
+// that's ~32GB of just integers for the next/prev links, plus whatever
+// else to hold that many keys and values.  Just filling the memory with
+// zeroes at init time is brutal when you get that big.
+// But why not be complete?
+// Maybe in the future, these limits will have expanded.
+/* c8 ignore start */
+const getUintArray = (max) => !isPosInt(max) ? null
+    : max <= Math.pow(2, 8) ? Uint8Array
+        : max <= Math.pow(2, 16) ? Uint16Array
+            : max <= Math.pow(2, 32) ? Uint32Array
+                : max <= Number.MAX_SAFE_INTEGER ? ZeroArray
+                    : null;
+/* c8 ignore stop */
+class ZeroArray extends Array {
+    constructor(size) {
+        super(size);
+        this.fill(0);
+    }
+}
+class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
+    heap;
+    /* c8 ignore stop */
+    length;
+    // private constructor
+    static #constructing = false;
+    static create(max) {
+        const HeapCls = getUintArray(max);
+        if (!HeapCls)
+            return [];
+        Stack.#constructing = true;
+        const s = new Stack(max, HeapCls);
+        Stack.#constructing = false;
+        return s;
+    }
+    constructor(max, HeapCls) {
+        /* c8 ignore start */
+        if (!Stack.#constructing) {
+            throw new TypeError('instantiate Stack using Stack.create(n)');
+        }
+        /* c8 ignore stop */
+        this.heap = new HeapCls(max);
+        this.length = 0;
+    }
+    push(n) {
+        this.heap[this.length++] = n;
+    }
+    pop() {
+        return this.heap[--this.length];
+    }
+}
+/**
+ * Default export, the thing you're using this module to get.
+ *
+ * The `K` and `V` types define the key and value types, respectively. The
+ * optional `FC` type defines the type of the `context` object passed to
+ * `cache.fetch()` and `cache.memo()`.
+ *
+ * Keys and values **must not** be `null` or `undefined`.
+ *
+ * All properties from the options object (with the exception of `max`,
+ * `maxSize`, `fetchMethod`, `memoMethod`, `dispose` and `disposeAfter`) are
+ * added as normal public members. (The listed options are read-only getters.)
+ *
+ * Changing any of these will alter the defaults for subsequent method calls.
+ */
+class LRUCache {
+    // options that cannot be changed without disaster
+    #max;
+    #maxSize;
+    #dispose;
+    #onInsert;
+    #disposeAfter;
+    #fetchMethod;
+    #memoMethod;
+    #perf;
+    /**
+     * {@link LRUCache.OptionsBase.perf}
+     */
+    get perf() {
+        return this.#perf;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.ttl}
+     */
+    ttl;
+    /**
+     * {@link LRUCache.OptionsBase.ttlResolution}
+     */
+    ttlResolution;
+    /**
+     * {@link LRUCache.OptionsBase.ttlAutopurge}
+     */
+    ttlAutopurge;
+    /**
+     * {@link LRUCache.OptionsBase.updateAgeOnGet}
+     */
+    updateAgeOnGet;
+    /**
+     * {@link LRUCache.OptionsBase.updateAgeOnHas}
+     */
+    updateAgeOnHas;
+    /**
+     * {@link LRUCache.OptionsBase.allowStale}
+     */
+    allowStale;
+    /**
+     * {@link LRUCache.OptionsBase.noDisposeOnSet}
+     */
+    noDisposeOnSet;
+    /**
+     * {@link LRUCache.OptionsBase.noUpdateTTL}
+     */
+    noUpdateTTL;
+    /**
+     * {@link LRUCache.OptionsBase.maxEntrySize}
+     */
+    maxEntrySize;
+    /**
+     * {@link LRUCache.OptionsBase.sizeCalculation}
+     */
+    sizeCalculation;
+    /**
+     * {@link LRUCache.OptionsBase.noDeleteOnFetchRejection}
+     */
+    noDeleteOnFetchRejection;
+    /**
+     * {@link LRUCache.OptionsBase.noDeleteOnStaleGet}
+     */
+    noDeleteOnStaleGet;
+    /**
+     * {@link LRUCache.OptionsBase.allowStaleOnFetchAbort}
+     */
+    allowStaleOnFetchAbort;
+    /**
+     * {@link LRUCache.OptionsBase.allowStaleOnFetchRejection}
+     */
+    allowStaleOnFetchRejection;
+    /**
+     * {@link LRUCache.OptionsBase.ignoreFetchAbort}
+     */
+    ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
+    // computed properties
+    #size;
+    #calculatedSize;
+    #keyMap;
+    #keyList;
+    #valList;
+    #next;
+    #prev;
+    #head;
+    #tail;
+    #free;
+    #disposed;
+    #sizes;
+    #starts;
+    #ttls;
+    #autopurgeTimers;
+    #hasDispose;
+    #hasFetchMethod;
+    #hasDisposeAfter;
+    #hasOnInsert;
+    /**
+     * Do not call this method unless you need to inspect the
+     * inner workings of the cache.  If anything returned by this
+     * object is modified in any way, strange breakage may occur.
+     *
+     * These fields are private for a reason!
+     *
+     * @internal
+     */
+    static unsafeExposeInternals(c) {
+        return {
+            // properties
+            starts: c.#starts,
+            ttls: c.#ttls,
+            autopurgeTimers: c.#autopurgeTimers,
+            sizes: c.#sizes,
+            keyMap: c.#keyMap,
+            keyList: c.#keyList,
+            valList: c.#valList,
+            next: c.#next,
+            prev: c.#prev,
+            get head() {
+                return c.#head;
+            },
+            get tail() {
+                return c.#tail;
+            },
+            free: c.#free,
+            // methods
+            isBackgroundFetch: (p) => c.#isBackgroundFetch(p),
+            backgroundFetch: (k, index, options, context) => c.#backgroundFetch(k, index, options, context),
+            moveToTail: (index) => c.#moveToTail(index),
+            indexes: (options) => c.#indexes(options),
+            rindexes: (options) => c.#rindexes(options),
+            isStale: (index) => c.#isStale(index),
+        };
+    }
+    // Protected read-only members
+    /**
+     * {@link LRUCache.OptionsBase.max} (read-only)
+     */
+    get max() {
+        return this.#max;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.maxSize} (read-only)
+     */
+    get maxSize() {
+        return this.#maxSize;
+    }
+    /**
+     * The total computed size of items in the cache (read-only)
+     */
+    get calculatedSize() {
+        return this.#calculatedSize;
+    }
+    /**
+     * The number of items stored in the cache (read-only)
+     */
+    get size() {
+        return this.#size;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.fetchMethod} (read-only)
+     */
+    get fetchMethod() {
+        return this.#fetchMethod;
+    }
+    get memoMethod() {
+        return this.#memoMethod;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.dispose} (read-only)
+     */
+    get dispose() {
+        return this.#dispose;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.onInsert} (read-only)
+     */
+    get onInsert() {
+        return this.#onInsert;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.disposeAfter} (read-only)
+     */
+    get disposeAfter() {
+        return this.#disposeAfter;
+    }
+    constructor(options) {
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
+        if (perf !== undefined) {
+            if (typeof perf?.now !== 'function') {
+                throw new TypeError('perf option must have a now() method if specified');
+            }
+        }
+        this.#perf = perf ?? perf_js_1.defaultPerf;
+        if (max !== 0 && !isPosInt(max)) {
+            throw new TypeError('max option must be a nonnegative integer');
+        }
+        const UintArray = max ? getUintArray(max) : Array;
+        if (!UintArray) {
+            throw new Error('invalid max value: ' + max);
+        }
+        this.#max = max;
+        this.#maxSize = maxSize;
+        this.maxEntrySize = maxEntrySize || this.#maxSize;
+        this.sizeCalculation = sizeCalculation;
+        if (this.sizeCalculation) {
+            if (!this.#maxSize && !this.maxEntrySize) {
+                throw new TypeError('cannot set sizeCalculation without setting maxSize or maxEntrySize');
+            }
+            if (typeof this.sizeCalculation !== 'function') {
+                throw new TypeError('sizeCalculation set to non-function');
+            }
+        }
+        if (memoMethod !== undefined && typeof memoMethod !== 'function') {
+            throw new TypeError('memoMethod must be a function if defined');
+        }
+        this.#memoMethod = memoMethod;
+        if (fetchMethod !== undefined && typeof fetchMethod !== 'function') {
+            throw new TypeError('fetchMethod must be a function if specified');
+        }
+        this.#fetchMethod = fetchMethod;
+        this.#hasFetchMethod = !!fetchMethod;
+        this.#keyMap = new Map();
+        this.#keyList = Array.from({ length: max }).fill(undefined);
+        this.#valList = Array.from({ length: max }).fill(undefined);
+        this.#next = new UintArray(max);
+        this.#prev = new UintArray(max);
+        this.#head = 0;
+        this.#tail = 0;
+        this.#free = Stack.create(max);
+        this.#size = 0;
+        this.#calculatedSize = 0;
+        if (typeof dispose === 'function') {
+            this.#dispose = dispose;
+        }
+        if (typeof onInsert === 'function') {
+            this.#onInsert = onInsert;
+        }
+        if (typeof disposeAfter === 'function') {
+            this.#disposeAfter = disposeAfter;
+            this.#disposed = [];
+        }
+        else {
+            this.#disposeAfter = undefined;
+            this.#disposed = undefined;
+        }
+        this.#hasDispose = !!this.#dispose;
+        this.#hasOnInsert = !!this.#onInsert;
+        this.#hasDisposeAfter = !!this.#disposeAfter;
+        this.noDisposeOnSet = !!noDisposeOnSet;
+        this.noUpdateTTL = !!noUpdateTTL;
+        this.noDeleteOnFetchRejection = !!noDeleteOnFetchRejection;
+        this.allowStaleOnFetchRejection = !!allowStaleOnFetchRejection;
+        this.allowStaleOnFetchAbort = !!allowStaleOnFetchAbort;
+        this.ignoreFetchAbort = !!ignoreFetchAbort;
+        // NB: maxEntrySize is set to maxSize if it's set
+        if (this.maxEntrySize !== 0) {
+            if (this.#maxSize !== 0) {
+                if (!isPosInt(this.#maxSize)) {
+                    throw new TypeError('maxSize must be a positive integer if specified');
+                }
+            }
+            if (!isPosInt(this.maxEntrySize)) {
+                throw new TypeError('maxEntrySize must be a positive integer if specified');
+            }
+            this.#initializeSizeTracking();
+        }
+        this.allowStale = !!allowStale;
+        this.noDeleteOnStaleGet = !!noDeleteOnStaleGet;
+        this.updateAgeOnGet = !!updateAgeOnGet;
+        this.updateAgeOnHas = !!updateAgeOnHas;
+        this.ttlResolution =
+            isPosInt(ttlResolution) || ttlResolution === 0 ? ttlResolution : 1;
+        this.ttlAutopurge = !!ttlAutopurge;
+        this.ttl = ttl || 0;
+        if (this.ttl) {
+            if (!isPosInt(this.ttl)) {
+                throw new TypeError('ttl must be a positive integer if specified');
+            }
+            this.#initializeTTLTracking();
+        }
+        // do not allow completely unbounded caches
+        if (this.#max === 0 && this.ttl === 0 && this.#maxSize === 0) {
+            throw new TypeError('At least one of max, maxSize, or ttl is required');
+        }
+        if (!this.ttlAutopurge && !this.#max && !this.#maxSize) {
+            const code = 'LRU_CACHE_UNBOUNDED';
+            if (shouldWarn(code)) {
+                warned.add(code);
+                const msg = 'TTL caching without ttlAutopurge, max, or maxSize can ' +
+                    'result in unbounded memory consumption.';
+                emitWarning(msg, 'UnboundedCacheWarning', code, LRUCache);
+            }
+        }
+    }
+    /**
+     * Return the number of ms left in the item's TTL. If item is not in cache,
+     * returns `0`. Returns `Infinity` if item is in cache without a defined TTL.
+     */
+    getRemainingTTL(key) {
+        return this.#keyMap.has(key) ? Infinity : 0;
+    }
+    #initializeTTLTracking() {
+        const ttls = new ZeroArray(this.#max);
+        const starts = new ZeroArray(this.#max);
+        this.#ttls = ttls;
+        this.#starts = starts;
+        const purgeTimers = this.ttlAutopurge ?
+            Array.from({
+                length: this.#max,
+            })
+            : undefined;
+        this.#autopurgeTimers = purgeTimers;
+        this.#setItemTTL = (index, ttl, start = this.#perf.now()) => {
+            starts[index] = ttl !== 0 ? start : 0;
+            ttls[index] = ttl;
+            setPurgetTimer(index, ttl);
+        };
+        this.#updateItemAge = index => {
+            starts[index] = ttls[index] !== 0 ? this.#perf.now() : 0;
+            setPurgetTimer(index, ttls[index]);
+        };
+        // clear out the purge timer if we're setting TTL to 0, and
+        // previously had a ttl purge timer running, so it doesn't
+        // fire unnecessarily. Don't need to do this if we're not doing
+        // autopurge.
+        const setPurgetTimer = !this.ttlAutopurge ?
+            () => { }
+            : (index, ttl) => {
+                if (purgeTimers?.[index]) {
+                    clearTimeout(purgeTimers[index]);
+                    purgeTimers[index] = undefined;
+                }
+                if (ttl && ttl !== 0 && purgeTimers) {
+                    const t = setTimeout(() => {
+                        if (this.#isStale(index)) {
+                            this.#delete(this.#keyList[index], 'expire');
+                        }
+                    }, ttl + 1);
+                    // unref() not supported on all platforms
+                    /* c8 ignore start */
+                    if (t.unref) {
+                        t.unref();
+                    }
+                    /* c8 ignore stop */
+                    purgeTimers[index] = t;
+                }
+            };
+        this.#statusTTL = (status, index) => {
+            if (ttls[index]) {
+                const ttl = ttls[index];
+                const start = starts[index];
+                /* c8 ignore start */
+                if (!ttl || !start) {
+                    return;
+                }
+                /* c8 ignore stop */
+                status.ttl = ttl;
+                status.start = start;
+                status.now = cachedNow || getNow();
+                const age = status.now - start;
+                status.remainingTTL = ttl - age;
+            }
+        };
+        // debounce calls to perf.now() to 1s so we're not hitting
+        // that costly call repeatedly.
+        let cachedNow = 0;
+        const getNow = () => {
+            const n = this.#perf.now();
+            if (this.ttlResolution > 0) {
+                cachedNow = n;
+                const t = setTimeout(() => (cachedNow = 0), this.ttlResolution);
+                // not available on all platforms
+                /* c8 ignore start */
+                if (t.unref) {
+                    t.unref();
+                }
+                /* c8 ignore stop */
+            }
+            return n;
+        };
+        this.getRemainingTTL = key => {
+            const index = this.#keyMap.get(key);
+            if (index === undefined) {
+                return 0;
+            }
+            const ttl = ttls[index];
+            const start = starts[index];
+            if (!ttl || !start) {
+                return Infinity;
+            }
+            const age = (cachedNow || getNow()) - start;
+            return ttl - age;
+        };
+        this.#isStale = index => {
+            const s = starts[index];
+            const t = ttls[index];
+            return !!t && !!s && (cachedNow || getNow()) - s > t;
+        };
+    }
+    // conditionally set private methods related to TTL
+    #updateItemAge = () => { };
+    #statusTTL = () => { };
+    #setItemTTL = () => { };
+    /* c8 ignore stop */
+    #isStale = () => false;
+    #initializeSizeTracking() {
+        const sizes = new ZeroArray(this.#max);
+        this.#calculatedSize = 0;
+        this.#sizes = sizes;
+        this.#removeItemSize = index => {
+            this.#calculatedSize -= sizes[index];
+            sizes[index] = 0;
+        };
+        this.#requireSize = (k, v, size, sizeCalculation) => {
+            if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
+                if (sizeCalculation) {
+                    if (typeof sizeCalculation !== 'function') {
+                        throw new TypeError('sizeCalculation must be a function');
+                    }
+                    size = sizeCalculation(v, k);
+                    if (!isPosInt(size)) {
+                        throw new TypeError('sizeCalculation return invalid (expect positive integer)');
+                    }
+                }
+                else {
+                    throw new TypeError('invalid size value (must be positive integer). ' +
+                        'When maxSize or maxEntrySize is used, sizeCalculation ' +
+                        'or size must be set.');
+                }
+            }
+            return size;
+        };
+        this.#addItemSize = (index, size, status) => {
+            sizes[index] = size;
+            if (this.#maxSize) {
+                const maxSize = this.#maxSize - sizes[index];
+                while (this.#calculatedSize > maxSize) {
+                    this.#evict(true);
+                }
+            }
+            this.#calculatedSize += sizes[index];
+            if (status) {
+                status.entrySize = size;
+                status.totalCalculatedSize = this.#calculatedSize;
+            }
+        };
+    }
+    #removeItemSize = _i => { };
+    #addItemSize = (_i, _s, _st) => { };
+    #requireSize = (_k, _v, size, sizeCalculation) => {
+        if (size || sizeCalculation) {
+            throw new TypeError('cannot set size without setting maxSize or maxEntrySize on cache');
+        }
+        return 0;
+    };
+    *#indexes({ allowStale = this.allowStale } = {}) {
+        if (this.#size) {
+            for (let i = this.#tail; this.#isValidIndex(i);) {
+                if (allowStale || !this.#isStale(i)) {
+                    yield i;
+                }
+                if (i === this.#head) {
+                    break;
+                }
+                else {
+                    i = this.#prev[i];
+                }
+            }
+        }
+    }
+    *#rindexes({ allowStale = this.allowStale } = {}) {
+        if (this.#size) {
+            for (let i = this.#head; this.#isValidIndex(i);) {
+                if (allowStale || !this.#isStale(i)) {
+                    yield i;
+                }
+                if (i === this.#tail) {
+                    break;
+                }
+                else {
+                    i = this.#next[i];
+                }
+            }
+        }
+    }
+    #isValidIndex(index) {
+        return (index !== undefined &&
+            this.#keyMap.get(this.#keyList[index]) === index);
+    }
+    /**
+     * Return a generator yielding `[key, value]` pairs,
+     * in order from most recently used to least recently used.
+     */
+    *entries() {
+        for (const i of this.#indexes()) {
+            if (this.#valList[i] !== undefined &&
+                this.#keyList[i] !== undefined &&
+                !this.#isBackgroundFetch(this.#valList[i])) {
+                yield [this.#keyList[i], this.#valList[i]];
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.entries}
+     *
+     * Return a generator yielding `[key, value]` pairs,
+     * in order from least recently used to most recently used.
+     */
+    *rentries() {
+        for (const i of this.#rindexes()) {
+            if (this.#valList[i] !== undefined &&
+                this.#keyList[i] !== undefined &&
+                !this.#isBackgroundFetch(this.#valList[i])) {
+                yield [this.#keyList[i], this.#valList[i]];
+            }
+        }
+    }
+    /**
+     * Return a generator yielding the keys in the cache,
+     * in order from most recently used to least recently used.
+     */
+    *keys() {
+        for (const i of this.#indexes()) {
+            const k = this.#keyList[i];
+            if (k !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield k;
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.keys}
+     *
+     * Return a generator yielding the keys in the cache,
+     * in order from least recently used to most recently used.
+     */
+    *rkeys() {
+        for (const i of this.#rindexes()) {
+            const k = this.#keyList[i];
+            if (k !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield k;
+            }
+        }
+    }
+    /**
+     * Return a generator yielding the values in the cache,
+     * in order from most recently used to least recently used.
+     */
+    *values() {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            if (v !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield this.#valList[i];
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.values}
+     *
+     * Return a generator yielding the values in the cache,
+     * in order from least recently used to most recently used.
+     */
+    *rvalues() {
+        for (const i of this.#rindexes()) {
+            const v = this.#valList[i];
+            if (v !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield this.#valList[i];
+            }
+        }
+    }
+    /**
+     * Iterating over the cache itself yields the same results as
+     * {@link LRUCache.entries}
+     */
+    [Symbol.iterator]() {
+        return this.entries();
+    }
+    /**
+     * A String value that is used in the creation of the default string
+     * description of an object. Called by the built-in method
+     * `Object.prototype.toString`.
+     */
+    [Symbol.toStringTag] = 'LRUCache';
+    /**
+     * Find a value for which the supplied fn method returns a truthy value,
+     * similar to `Array.find()`. fn is called as `fn(value, key, cache)`.
+     */
+    find(fn, getOptions = {}) {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            if (fn(value, this.#keyList[i], this)) {
+                return this.#get(this.#keyList[i], getOptions);
+            }
+        }
+    }
+    /**
+     * Call the supplied function on each item in the cache, in order from most
+     * recently used to least recently used.
+     *
+     * `fn` is called as `fn(value, key, cache)`.
+     *
+     * If `thisp` is provided, function will be called in the `this`-context of
+     * the provided object, or the cache if no `thisp` object is provided.
+     *
+     * Does not update age or recenty of use, or iterate over stale values.
+     */
+    forEach(fn, thisp = this) {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            fn.call(thisp, value, this.#keyList[i], this);
+        }
+    }
+    /**
+     * The same as {@link LRUCache.forEach} but items are iterated over in
+     * reverse order.  (ie, less recently used items are iterated over first.)
+     */
+    rforEach(fn, thisp = this) {
+        for (const i of this.#rindexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            fn.call(thisp, value, this.#keyList[i], this);
+        }
+    }
+    /**
+     * Delete any stale entries. Returns true if anything was removed,
+     * false otherwise.
+     */
+    purgeStale() {
+        let deleted = false;
+        for (const i of this.#rindexes({ allowStale: true })) {
+            if (this.#isStale(i)) {
+                this.#delete(this.#keyList[i], 'expire');
+                deleted = true;
+            }
+        }
+        return deleted;
+    }
+    /**
+     * Get the extended info about a given entry, to get its value, size, and
+     * TTL info simultaneously. Returns `undefined` if the key is not present.
+     *
+     * Unlike {@link LRUCache#dump}, which is designed to be portable and survive
+     * serialization, the `start` value is always the current timestamp, and the
+     * `ttl` is a calculated remaining time to live (negative if expired).
+     *
+     * Always returns stale values, if their info is found in the cache, so be
+     * sure to check for expirations (ie, a negative {@link LRUCache.Entry#ttl})
+     * if relevant.
+     */
+    info(key) {
+        const i = this.#keyMap.get(key);
+        if (i === undefined)
+            return undefined;
+        const v = this.#valList[i];
+        /* c8 ignore start - this isn't tested for the info function,
+         * but it's the same logic as found in other places. */
+        const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+        if (value === undefined)
+            return undefined;
+        /* c8 ignore stop */
+        const entry = { value };
+        if (this.#ttls && this.#starts) {
+            const ttl = this.#ttls[i];
+            const start = this.#starts[i];
+            if (ttl && start) {
+                const remain = ttl - (this.#perf.now() - start);
+                entry.ttl = remain;
+                entry.start = Date.now();
+            }
+        }
+        if (this.#sizes) {
+            entry.size = this.#sizes[i];
+        }
+        return entry;
+    }
+    /**
+     * Return an array of [key, {@link LRUCache.Entry}] tuples which can be
+     * passed to {@link LRUCache#load}.
+     *
+     * The `start` fields are calculated relative to a portable `Date.now()`
+     * timestamp, even if `performance.now()` is available.
+     *
+     * Stale entries are always included in the `dump`, even if
+     * {@link LRUCache.OptionsBase.allowStale} is false.
+     *
+     * Note: this returns an actual array, not a generator, so it can be more
+     * easily passed around.
+     */
+    dump() {
+        const arr = [];
+        for (const i of this.#indexes({ allowStale: true })) {
+            const key = this.#keyList[i];
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined || key === undefined)
+                continue;
+            const entry = { value };
+            if (this.#ttls && this.#starts) {
+                entry.ttl = this.#ttls[i];
+                // always dump the start relative to a portable timestamp
+                // it's ok for this to be a bit slow, it's a rare operation.
+                const age = this.#perf.now() - this.#starts[i];
+                entry.start = Math.floor(Date.now() - age);
+            }
+            if (this.#sizes) {
+                entry.size = this.#sizes[i];
+            }
+            arr.unshift([key, entry]);
+        }
+        return arr;
+    }
+    /**
+     * Reset the cache and load in the items in entries in the order listed.
+     *
+     * The shape of the resulting cache may be different if the same options are
+     * not used in both caches.
+     *
+     * The `start` fields are assumed to be calculated relative to a portable
+     * `Date.now()` timestamp, even if `performance.now()` is available.
+     */
+    load(arr) {
+        this.clear();
+        for (const [key, entry] of arr) {
+            if (entry.start) {
+                // entry.start is a portable timestamp, but we may be using
+                // node's performance.now(), so calculate the offset, so that
+                // we get the intended remaining TTL, no matter how long it's
+                // been on ice.
+                //
+                // it's ok for this to be a bit slow, it's a rare operation.
+                const age = Date.now() - entry.start;
+                entry.start = this.#perf.now() - age;
+            }
+            this.#set(key, entry.value, entry);
+        }
+    }
+    /**
+     * Add a value to the cache.
+     *
+     * Note: if `undefined` is specified as a value, this is an alias for
+     * {@link LRUCache#delete}
+     *
+     * Fields on the {@link LRUCache.SetOptions} options param will override
+     * their corresponding values in the constructor options for the scope
+     * of this single `set()` operation.
+     *
+     * If `start` is provided, then that will set the effective start
+     * time for the TTL calculation. Note that this must be a previous
+     * value of `performance.now()` if supported, or a previous value of
+     * `Date.now()` if not.
+     *
+     * Options object may also include `size`, which will prevent
+     * calling the `sizeCalculation` function and just use the specified
+     * number if it is a positive integer, and `noDisposeOnSet` which
+     * will prevent calling a `dispose` function in the case of
+     * overwrites.
+     *
+     * If the `size` (or return value of `sizeCalculation`) for a given
+     * entry is greater than `maxEntrySize`, then the item will not be
+     * added to the cache.
+     *
+     * Will update the recency of the entry.
+     *
+     * If the value is `undefined`, then this is an alias for
+     * `cache.delete(key)`. `undefined` is never stored in the cache.
+     */
+    set(k, v, setOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = setOptions;
+        setOptions.status = status;
+        if (status) {
+            status.op = 'set';
+            status.key = k;
+            if (v !== undefined)
+                status.value = v;
+            status.cache = this;
+        }
+        const result = this.#set(k, v, setOptions);
+        if (status && diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #set(k, v, setOptions, bf) {
+        const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
+        if (v === undefined) {
+            if (status)
+                status.set = 'deleted';
+            this.delete(k);
+            return this;
+        }
+        let { noUpdateTTL = this.noUpdateTTL } = setOptions;
+        if (status && !isBF)
+            status.value = v;
+        const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
+        // if the item doesn't fit, don't do anything
+        // NB: maxEntrySize set to maxSize by default
+        if (this.maxEntrySize && size > this.maxEntrySize) {
+            // have to delete, in case something is there already.
+            this.#delete(k, 'set');
+            if (status) {
+                status.set = 'miss';
+                status.maxEntrySizeExceeded = true;
+            }
+            return this;
+        }
+        let index = this.#size === 0 ? undefined : this.#keyMap.get(k);
+        if (index === undefined) {
+            // addition
+            index = (this.#size === 0 ? this.#tail
+                : this.#free.length !== 0 ? this.#free.pop()
+                    : this.#size === this.#max ? this.#evict(false)
+                        : this.#size);
+            this.#keyList[index] = k;
+            this.#valList[index] = v;
+            this.#keyMap.set(k, index);
+            this.#next[this.#tail] = index;
+            this.#prev[index] = this.#tail;
+            this.#tail = index;
+            this.#size++;
+            this.#addItemSize(index, size, status);
+            if (status)
+                status.set = 'add';
+            noUpdateTTL = false;
+            if (this.#hasOnInsert && !isBF) {
+                this.#onInsert?.(v, k, 'add');
+            }
+        }
+        else {
+            // update
+            // might be updating a background fetch!
+            this.#moveToTail(index);
+            const oldVal = this.#valList[index];
+            if (v !== oldVal) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
+                        if (this.#hasDispose) {
+                            this.#dispose?.(oldVal, k, 'set');
+                        }
+                        if (this.#hasDisposeAfter) {
+                            this.#disposed?.push([oldVal, k, 'set']);
+                        }
+                    }
+                }
+                this.#removeItemSize(index);
+                this.#addItemSize(index, size, status);
+                this.#valList[index] = v;
+                if (!isBF) {
+                    const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
+                        oldVal.__staleWhileFetching
+                        : oldVal;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
+                }
+            }
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
+            }
+        }
+        if (ttl !== 0 && !this.#ttls) {
+            this.#initializeTTLTracking();
+        }
+        if (this.#ttls) {
+            if (!noUpdateTTL) {
+                this.#setItemTTL(index, ttl, start);
+            }
+            if (status)
+                this.#statusTTL(status, index);
+        }
+        if (!noDisposeOnSet && this.#hasDisposeAfter && this.#disposed) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+        return this;
+    }
+    /**
+     * Evict the least recently used item, returning its value or
+     * `undefined` if cache is empty.
+     */
+    pop() {
+        try {
+            while (this.#size) {
+                const val = this.#valList[this.#head];
+                this.#evict(true);
+                if (this.#isBackgroundFetch(val)) {
+                    if (val.__staleWhileFetching) {
+                        return val.__staleWhileFetching;
+                    }
+                }
+                else if (val !== undefined) {
+                    return val;
+                }
+            }
+        }
+        finally {
+            if (this.#hasDisposeAfter && this.#disposed) {
+                const dt = this.#disposed;
+                let task;
+                while ((task = dt?.shift())) {
+                    this.#disposeAfter?.(...task);
+                }
+            }
+        }
+    }
+    #evict(free) {
+        const head = this.#head;
+        const k = this.#keyList[head];
+        const v = this.#valList[head];
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
+            v.__abortController.abort(new Error('evicted'));
+        }
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
+            if (this.#hasDispose) {
+                this.#dispose?.(oldValue, k, 'evict');
+            }
+            if (this.#hasDisposeAfter) {
+                this.#disposed?.push([oldValue, k, 'evict']);
+            }
+        }
+        this.#removeItemSize(head);
+        if (this.#autopurgeTimers?.[head]) {
+            clearTimeout(this.#autopurgeTimers[head]);
+            this.#autopurgeTimers[head] = undefined;
+        }
+        // if we aren't about to use the index, then null these out
+        if (free) {
+            this.#keyList[head] = undefined;
+            this.#valList[head] = undefined;
+            this.#free.push(head);
+        }
+        if (this.#size === 1) {
+            this.#head = this.#tail = 0;
+            this.#free.length = 0;
+        }
+        else {
+            this.#head = this.#next[head];
+        }
+        this.#keyMap.delete(k);
+        this.#size--;
+        return head;
+    }
+    /**
+     * Check if a key is in the cache, without updating the recency of use.
+     * Will return false if the item is stale, even though it is technically
+     * in the cache.
+     *
+     * Check if a key is in the cache, without updating the recency of
+     * use. Age is updated if {@link LRUCache.OptionsBase.updateAgeOnHas} is set
+     * to `true` in either the options or the constructor.
+     *
+     * Will return `false` if the item is stale, even though it is technically in
+     * the cache. The difference can be determined (if it matters) by using a
+     * `status` argument, and inspecting the `has` field.
+     *
+     * Will not update item age unless
+     * {@link LRUCache.OptionsBase.updateAgeOnHas} is set.
+     */
+    has(k, hasOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = hasOptions;
+        hasOptions.status = status;
+        if (status) {
+            status.op = 'has';
+            status.key = k;
+            status.cache = this;
+        }
+        const result = this.#has(k, hasOptions);
+        if (diagnostics_channel_js_1.metrics.hasSubscribers)
+            diagnostics_channel_js_1.metrics.publish(status);
+        return result;
+    }
+    #has(k, hasOptions = {}) {
+        const { updateAgeOnHas = this.updateAgeOnHas, status } = hasOptions;
+        const index = this.#keyMap.get(k);
+        if (index !== undefined) {
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v) &&
+                v.__staleWhileFetching === undefined) {
+                return false;
+            }
+            if (!this.#isStale(index)) {
+                if (updateAgeOnHas) {
+                    this.#updateItemAge(index);
+                }
+                if (status) {
+                    status.has = 'hit';
+                    this.#statusTTL(status, index);
+                }
+                return true;
+            }
+            else if (status) {
+                status.has = 'stale';
+                this.#statusTTL(status, index);
+            }
+        }
+        else if (status) {
+            status.has = 'miss';
+        }
+        return false;
+    }
+    /**
+     * Like {@link LRUCache#get} but doesn't update recency or delete stale
+     * items.
+     *
+     * Returns `undefined` if the item is stale, unless
+     * {@link LRUCache.OptionsBase.allowStale} is set.
+     */
+    peek(k, peekOptions = {}) {
+        const { status = hasSubscribers() ? {} : undefined } = peekOptions;
+        if (status) {
+            status.op = 'peek';
+            status.key = k;
+            status.cache = this;
+        }
+        peekOptions.status = status;
+        const result = this.#peek(k, peekOptions);
+        if (diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #peek(k, peekOptions) {
+        const { status, allowStale = this.allowStale } = peekOptions;
+        const index = this.#keyMap.get(k);
+        if (index === undefined || (!allowStale && this.#isStale(index))) {
+            if (status)
+                status.peek = index === undefined ? 'miss' : 'stale';
+            return undefined;
+        }
+        const v = this.#valList[index];
+        const val = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+        if (status) {
+            if (val !== undefined) {
+                status.peek = 'hit';
+                status.value = val;
+            }
+            else {
+                status.peek = 'miss';
+            }
+        }
+        return val;
+    }
+    #backgroundFetch(k, index, options, context) {
+        const v = index === undefined ? undefined : this.#valList[index];
+        if (this.#isBackgroundFetch(v)) {
+            return v;
+        }
+        const ac = new AbortController();
+        const { signal } = options;
+        // when/if our AC signals, then stop listening to theirs.
+        signal?.addEventListener('abort', () => ac.abort(signal.reason), {
+            signal: ac.signal,
+        });
+        const fetchOpts = {
+            signal: ac.signal,
+            options,
+            context,
+        };
+        const cb = (v, updateCache = false) => {
+            const { aborted } = ac.signal;
+            const ignoreAbort = options.ignoreFetchAbort && v !== undefined;
+            const proceed = options.ignoreFetchAbort ||
+                !!(options.allowStaleOnFetchAbort && v !== undefined);
+            if (options.status) {
+                if (aborted && !updateCache) {
+                    options.status.fetchAborted = true;
+                    options.status.fetchError = ac.signal.reason;
+                    if (ignoreAbort)
+                        options.status.fetchAbortIgnored = true;
+                }
+                else {
+                    options.status.fetchResolved = true;
+                }
+            }
+            if (aborted && !ignoreAbort && !updateCache) {
+                return fetchFail(ac.signal.reason, proceed);
+            }
+            // either we didn't abort, and are still here, or we did, and ignored
+            const bf = p;
+            // if nothing else has been written there but we're set to update the
+            // cache and ignore the abort, or if it's still pending on this specific
+            // background request, then write it to the cache.
+            const vl = this.#valList[index];
+            if (vl === p || (vl === undefined && ignoreAbort && updateCache)) {
+                if (v === undefined) {
+                    if (bf.__staleWhileFetching !== undefined) {
+                        this.#valList[index] = bf.__staleWhileFetching;
+                    }
+                    else {
+                        this.#delete(k, 'fetch');
+                    }
+                }
+                else {
+                    if (options.status)
+                        options.status.fetchUpdated = true;
+                    this.#set(k, v, fetchOpts.options, bf);
+                }
+            }
+            return v;
+        };
+        const eb = (er) => {
+            if (options.status) {
+                options.status.fetchRejected = true;
+                options.status.fetchError = er;
+            }
+            // do not pass go, do not collect $200
+            return fetchFail(er, false);
+        };
+        const fetchFail = (er, proceed) => {
+            const { aborted } = ac.signal;
+            const allowStaleAborted = aborted && options.allowStaleOnFetchAbort;
+            const allowStale = allowStaleAborted || options.allowStaleOnFetchRejection;
+            const noDelete = allowStale || options.noDeleteOnFetchRejection;
+            const bf = p;
+            if (this.#valList[index] === p) {
+                // if we allow stale on fetch rejections, then we need to ensure that
+                // the stale value is not removed from the cache when the fetch fails.
+                const del = !noDelete || (!proceed && bf.__staleWhileFetching === undefined);
+                if (del) {
+                    this.#delete(k, 'fetch');
+                }
+                else if (!allowStaleAborted) {
+                    // still replace the *promise* with the stale value,
+                    // since we are done with the promise at this point.
+                    // leave it untouched if we're still waiting for an
+                    // aborted background fetch that hasn't yet returned.
+                    this.#valList[index] = bf.__staleWhileFetching;
+                }
+            }
+            if (allowStale) {
+                if (options.status && bf.__staleWhileFetching !== undefined) {
+                    options.status.returnedStale = true;
+                }
+                return bf.__staleWhileFetching;
+            }
+            else if (bf.__returned === bf) {
+                throw er;
+            }
+        };
+        const pcall = (res, rej) => {
+            const fmp = this.#fetchMethod?.(k, v, fetchOpts);
+            // ignored, we go until we finish, regardless.
+            // defer check until we are actually aborting,
+            // so fetchMethod can override.
+            ac.signal.addEventListener('abort', () => {
+                if (!options.ignoreFetchAbort || options.allowStaleOnFetchAbort) {
+                    res(undefined);
+                    // when it eventually resolves, update the cache.
+                    if (options.allowStaleOnFetchAbort) {
+                        res = v => cb(v, true);
+                    }
+                }
+            });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
+        };
+        if (options.status)
+            options.status.fetchDispatched = true;
+        const p = new Promise(pcall).then(cb, eb);
+        const bf = Object.assign(p, {
+            __abortController: ac,
+            __staleWhileFetching: v,
+            __returned: undefined,
+        });
+        if (index === undefined) {
+            // internal, don't expose status.
+            this.#set(k, bf, { ...fetchOpts.options, status: undefined });
+            index = this.#keyMap.get(k);
+        }
+        else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
+            this.#valList[index] = bf;
+        }
+        return bf;
+    }
+    #isBackgroundFetch(p) {
+        if (!this.#hasFetchMethod)
+            return false;
+        const b = p;
+        return (!!b &&
+            b instanceof Promise &&
+            b.hasOwnProperty('__staleWhileFetching') &&
+            b.__abortController instanceof AbortController);
+    }
+    fetch(k, fetchOptions = {}) {
+        const ths = diagnostics_channel_js_1.tracing.hasSubscribers;
+        const { status = hasSubscribers() ? {} : undefined } = fetchOptions;
+        fetchOptions.status = status;
+        if (status && fetchOptions.context) {
+            status.context = fetchOptions.context;
+        }
+        const p = this.#fetch(k, fetchOptions);
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
+        }
+        return p;
+    }
+    async #fetch(k, fetchOptions = {}) {
+        const {
+        // get options
+        allowStale = this.allowStale, updateAgeOnGet = this.updateAgeOnGet, noDeleteOnStaleGet = this.noDeleteOnStaleGet,
+        // set options
+        ttl = this.ttl, noDisposeOnSet = this.noDisposeOnSet, size = 0, sizeCalculation = this.sizeCalculation, noUpdateTTL = this.noUpdateTTL,
+        // fetch exclusive options
+        noDeleteOnFetchRejection = this.noDeleteOnFetchRejection, allowStaleOnFetchRejection = this.allowStaleOnFetchRejection, ignoreFetchAbort = this.ignoreFetchAbort, allowStaleOnFetchAbort = this.allowStaleOnFetchAbort, context, forceRefresh = false, status, signal, } = fetchOptions;
+        if (status) {
+            status.op = 'fetch';
+            status.key = k;
+            if (forceRefresh)
+                status.forceRefresh = true;
+            status.cache = this;
+        }
+        if (!this.#hasFetchMethod) {
+            if (status)
+                status.fetch = 'get';
+            return this.#get(k, {
+                allowStale,
+                updateAgeOnGet,
+                noDeleteOnStaleGet,
+                status,
+            });
+        }
+        const options = {
+            allowStale,
+            updateAgeOnGet,
+            noDeleteOnStaleGet,
+            ttl,
+            noDisposeOnSet,
+            size,
+            sizeCalculation,
+            noUpdateTTL,
+            noDeleteOnFetchRejection,
+            allowStaleOnFetchRejection,
+            allowStaleOnFetchAbort,
+            ignoreFetchAbort,
+            status,
+            signal,
+        };
+        let index = this.#keyMap.get(k);
+        if (index === undefined) {
+            if (status)
+                status.fetch = 'miss';
+            const p = this.#backgroundFetch(k, index, options, context);
+            return (p.__returned = p);
+        }
+        else {
+            // in cache, maybe already fetching
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v)) {
+                const stale = allowStale && v.__staleWhileFetching !== undefined;
+                if (status) {
+                    status.fetch = 'inflight';
+                    if (stale)
+                        status.returnedStale = true;
+                }
+                return stale ? v.__staleWhileFetching : (v.__returned = v);
+            }
+            // if we force a refresh, that means do NOT serve the cached value,
+            // unless we are already in the process of refreshing the cache.
+            const isStale = this.#isStale(index);
+            if (!forceRefresh && !isStale) {
+                if (status)
+                    status.fetch = 'hit';
+                this.#moveToTail(index);
+                if (updateAgeOnGet) {
+                    this.#updateItemAge(index);
+                }
+                if (status)
+                    this.#statusTTL(status, index);
+                return v;
+            }
+            // ok, it is stale or a forced refresh, and not already fetching.
+            // refresh the cache.
+            const p = this.#backgroundFetch(k, index, options, context);
+            const hasStale = p.__staleWhileFetching !== undefined;
+            const staleVal = hasStale && allowStale;
+            if (status) {
+                status.fetch = isStale ? 'stale' : 'refresh';
+                if (staleVal && isStale)
+                    status.returnedStale = true;
+            }
+            return staleVal ? p.__staleWhileFetching : (p.__returned = p);
+        }
+    }
+    forceFetch(k, fetchOptions = {}) {
+        const ths = diagnostics_channel_js_1.tracing.hasSubscribers;
+        const { status = hasSubscribers() ? {} : undefined } = fetchOptions;
+        fetchOptions.status = status;
+        if (status && fetchOptions.context) {
+            status.context = fetchOptions.context;
+        }
+        const p = this.#forceFetch(k, fetchOptions);
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
+        }
+        return p;
+    }
+    async #forceFetch(k, fetchOptions = {}) {
+        const v = await this.#fetch(k, fetchOptions);
+        if (v === undefined)
+            throw new Error('fetch() returned undefined');
+        return v;
+    }
+    memo(k, memoOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = memoOptions;
+        memoOptions.status = status;
+        if (status) {
+            status.op = 'memo';
+            status.key = k;
+            if (memoOptions.context) {
+                status.context = memoOptions.context;
+            }
+            status.cache = this;
+        }
+        const result = this.#memo(k, memoOptions);
+        if (status)
+            status.value = result;
+        if (diagnostics_channel_js_1.metrics.hasSubscribers)
+            diagnostics_channel_js_1.metrics.publish(status);
+        return result;
+    }
+    #memo(k, memoOptions = {}) {
+        const memoMethod = this.#memoMethod;
+        if (!memoMethod) {
+            throw new Error('no memoMethod provided to constructor');
+        }
+        const { context, status, forceRefresh, ...options } = memoOptions;
+        if (status && forceRefresh)
+            status.forceRefresh = true;
+        const v = this.#get(k, options);
+        const refresh = forceRefresh || v === undefined;
+        if (status) {
+            status.memo = refresh ? 'miss' : 'hit';
+            if (!refresh)
+                status.value = v;
+        }
+        if (!refresh)
+            return v;
+        const vv = memoMethod(k, v, {
+            options,
+            context,
+        });
+        if (status)
+            status.value = vv;
+        this.#set(k, vv, options);
+        return vv;
+    }
+    /**
+     * Return a value from the cache. Will update the recency of the cache
+     * entry found.
+     *
+     * If the key is not found, get() will return `undefined`.
+     */
+    get(k, getOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = getOptions;
+        getOptions.status = status;
+        if (status) {
+            status.op = 'get';
+            status.key = k;
+            status.cache = this;
+        }
+        const result = this.#get(k, getOptions);
+        if (status) {
+            if (result !== undefined)
+                status.value = result;
+            if (diagnostics_channel_js_1.metrics.hasSubscribers)
+                diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #get(k, getOptions = {}) {
+        const { allowStale = this.allowStale, updateAgeOnGet = this.updateAgeOnGet, noDeleteOnStaleGet = this.noDeleteOnStaleGet, status, } = getOptions;
+        const index = this.#keyMap.get(k);
+        if (index === undefined) {
+            if (status)
+                status.get = 'miss';
+            return undefined;
+        }
+        const value = this.#valList[index];
+        const fetching = this.#isBackgroundFetch(value);
+        if (status)
+            this.#statusTTL(status, index);
+        if (this.#isStale(index)) {
+            // delete only if not an in-flight background fetch
+            if (!fetching) {
+                if (!noDeleteOnStaleGet) {
+                    this.#delete(k, 'expire');
+                }
+                if (status)
+                    status.get = 'stale';
+                if (allowStale) {
+                    if (status)
+                        status.returnedStale = true;
+                    return value;
+                }
+                return undefined;
+            }
+            if (status)
+                status.get = 'stale-fetching';
+            if (allowStale && value.__staleWhileFetching !== undefined) {
+                if (status)
+                    status.returnedStale = true;
+                return value.__staleWhileFetching;
+            }
+            return undefined;
+        }
+        // not stale
+        if (status)
+            status.get = fetching ? 'fetching' : 'hit';
+        // if we're currently fetching it, we don't actually have it yet
+        // it's not stale, which means this isn't a staleWhileRefetching.
+        // If it's not stale, and fetching, AND has a __staleWhileFetching
+        // value, then that means the user fetched with {forceRefresh:true},
+        // so it's safe to return that value.
+        this.#moveToTail(index);
+        if (updateAgeOnGet) {
+            this.#updateItemAge(index);
+        }
+        return fetching ? value.__staleWhileFetching : value;
+    }
+    #connect(p, n) {
+        this.#prev[n] = p;
+        this.#next[p] = n;
+    }
+    #moveToTail(index) {
+        // if tail already, nothing to do
+        // if head, move head to next[index]
+        // else
+        //   move next[prev[index]] to next[index] (head has no prev)
+        //   move prev[next[index]] to prev[index]
+        // prev[index] = tail
+        // next[tail] = index
+        // tail = index
+        if (index !== this.#tail) {
+            if (index === this.#head) {
+                this.#head = this.#next[index];
+            }
+            else {
+                this.#connect(this.#prev[index], this.#next[index]);
+            }
+            this.#connect(this.#tail, index);
+            this.#tail = index;
+        }
+    }
+    /**
+     * Deletes a key out of the cache.
+     *
+     * Returns true if the key was deleted, false otherwise.
+     */
+    delete(k) {
+        return this.#delete(k, 'delete');
+    }
+    #delete(k, reason) {
+        if (diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish({
+                op: 'delete',
+                delete: reason,
+                key: k,
+                cache: this,
+            });
+        }
+        let deleted = false;
+        if (this.#size !== 0) {
+            const index = this.#keyMap.get(k);
+            if (index !== undefined) {
+                if (this.#autopurgeTimers?.[index]) {
+                    clearTimeout(this.#autopurgeTimers?.[index]);
+                    this.#autopurgeTimers[index] = undefined;
+                }
+                deleted = true;
+                if (this.#size === 1) {
+                    this.#clear(reason);
+                }
+                else {
+                    this.#removeItemSize(index);
+                    const v = this.#valList[index];
+                    if (this.#isBackgroundFetch(v)) {
+                        v.__abortController.abort(new Error('deleted'));
+                    }
+                    else if (this.#hasDispose || this.#hasDisposeAfter) {
+                        if (this.#hasDispose) {
+                            this.#dispose?.(v, k, reason);
+                        }
+                        if (this.#hasDisposeAfter) {
+                            this.#disposed?.push([v, k, reason]);
+                        }
+                    }
+                    this.#keyMap.delete(k);
+                    this.#keyList[index] = undefined;
+                    this.#valList[index] = undefined;
+                    if (index === this.#tail) {
+                        this.#tail = this.#prev[index];
+                    }
+                    else if (index === this.#head) {
+                        this.#head = this.#next[index];
+                    }
+                    else {
+                        const pi = this.#prev[index];
+                        this.#next[pi] = this.#next[index];
+                        const ni = this.#next[index];
+                        this.#prev[ni] = this.#prev[index];
+                    }
+                    this.#size--;
+                    this.#free.push(index);
+                }
+            }
+        }
+        if (this.#hasDisposeAfter && this.#disposed?.length) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+        return deleted;
+    }
+    /**
+     * Clear the cache entirely, throwing away all values.
+     */
+    clear() {
+        return this.#clear('delete');
+    }
+    #clear(reason) {
+        for (const index of this.#rindexes({ allowStale: true })) {
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v)) {
+                v.__abortController.abort(new Error('deleted'));
+            }
+            else {
+                const k = this.#keyList[index];
+                if (this.#hasDispose) {
+                    this.#dispose?.(v, k, reason);
+                }
+                if (this.#hasDisposeAfter) {
+                    this.#disposed?.push([v, k, reason]);
+                }
+            }
+        }
+        this.#keyMap.clear();
+        void this.#valList.fill(undefined);
+        this.#keyList.fill(undefined);
+        if (this.#ttls && this.#starts) {
+            this.#ttls.fill(0);
+            this.#starts.fill(0);
+            for (const t of this.#autopurgeTimers ?? []) {
+                if (t !== undefined)
+                    clearTimeout(t);
+            }
+            this.#autopurgeTimers?.fill(undefined);
+        }
+        if (this.#sizes) {
+            this.#sizes.fill(0);
+        }
+        this.#head = 0;
+        this.#tail = 0;
+        this.#free.length = 0;
+        this.#calculatedSize = 0;
+        this.#size = 0;
+        if (this.#hasDisposeAfter && this.#disposed) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+    }
+}
+exports.LRUCache = LRUCache;
+//# sourceMappingURL=index.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.min.js b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.min.js
new file mode 100644
index 00000000000000..8e42461074475a
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/index.min.js
@@ -0,0 +1,2 @@
+"use strict";var j=(c,t)=>()=>(t||c((t={exports:{}}).exports,t),t.exports);var I=j(O=>{"use strict";Object.defineProperty(O,"__esModule",{value:!0});O.tracing=O.metrics=void 0;var U={hasSubscribers:!1};O.metrics=U;O.tracing=U});var P=j(D=>{"use strict";Object.defineProperty(D,"__esModule",{value:!0});D.defaultPerf=void 0;D.defaultPerf=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date});Object.defineProperty(exports,"__esModule",{value:!0});exports.LRUCache=void 0;var g=I(),N=P(),x=()=>g.metrics.hasSubscribers||g.tracing.hasSubscribers,k=new Set,G=typeof process=="object"&&process?process:{},V=(c,t,e,i)=>{typeof G.emitWarning=="function"?G.emitWarning(c,t,e,i):console.error(`[${e}] ${t}: ${c}`)},B=c=>!k.has(c);var T=c=>!!c&&c===Math.floor(c)&&c>0&&isFinite(c),H=c=>T(c)?c<=Math.pow(2,8)?Uint8Array:c<=Math.pow(2,16)?Uint16Array:c<=Math.pow(2,32)?Uint32Array:c<=Number.MAX_SAFE_INTEGER?W:null:null,W=class extends Array{constructor(t){super(t),this.fill(0)}},C=class c{heap;length;static#o=!1;static create(t){let e=H(t);if(!e)return[];c.#o=!0;let i=new c(t,e);return c.#o=!1,i}constructor(t,e){if(!c.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new e(t),this.length=0}push(t){this.heap[this.length++]=t}pop(){return this.heap[--this.length]}},L=class c{#o;#c;#m;#W;#S;#M;#j;#w;get perf(){return this.#w}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#U;#f;#D;static unsafeExposeInternals(t){return{starts:t.#F,ttls:t.#d,autopurgeTimers:t.#g,sizes:t.#_,keyMap:t.#s,keyList:t.#i,valList:t.#t,next:t.#l,prev:t.#u,get head(){return t.#a},get tail(){return t.#h},free:t.#y,isBackgroundFetch:e=>t.#e(e),backgroundFetch:(e,i,s,n)=>t.#G(e,i,s,n),moveToTail:e=>t.#L(e),indexes:e=>t.#A(e),rindexes:e=>t.#z(e),isStale:e=>t.#p(e)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#j}get dispose(){return this.#m}get onInsert(){return this.#W}get disposeAfter(){return this.#S}constructor(t){let{max:e=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:y,noDisposeOnSet:_,noUpdateTTL:u,maxSize:p=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:S,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:w,allowStaleOnFetchRejection:m,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,backgroundFetchSize:M=1,perf:v}=t;if(this.backgroundFetchSize=M,v!==void 0&&typeof v?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#w=v??N.defaultPerf,e!==0&&!T(e))throw new TypeError("max option must be a nonnegative integer");let E=e?H(e):Array;if(!E)throw new Error("invalid max value: "+e);if(this.#o=e,this.#c=p,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(S!==void 0&&typeof S!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#j=S,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:e}).fill(void 0),this.#t=Array.from({length:e}).fill(void 0),this.#l=new E(e),this.#u=new E(e),this.#a=0,this.#h=0,this.#y=C.create(e),this.#n=0,this.#b=0,typeof o=="function"&&(this.#m=o),typeof d=="function"&&(this.#W=d),typeof y=="function"?(this.#S=y,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#m,this.#D=!!this.#W,this.#f=!!this.#S,this.noDisposeOnSet=!!_,this.noUpdateTTL=!!u,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!m,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!w,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let R="LRU_CACHE_UNBOUNDED";B(R)&&(k.add(R),V("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",R,c))}}getRemainingTTL(t){return this.#s.has(t)?1/0:0}#k(){let t=new W(this.#o),e=new W(this.#o);this.#d=t,this.#F=e;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#w.now())=>{e[h]=a!==0?o:0,t[h]=a,s(h,a)},this.#R=h=>{e[h]=t[h]!==0?this.#w.now():0,s(h,t[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#v(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#E=(h,a)=>{if(t[a]){let o=t[a],d=e[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let y=h.now-d;h.remainingTTL=o-y}};let n=0,r=()=>{let h=this.#w.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=t[a],d=e[a];if(!o||!d)return 1/0;let y=(n||r())-d;return o-y},this.#p=h=>{let a=e[h],o=t[h];return!!o&&!!a&&(n||r())-a>o}}#R=()=>{};#E=()=>{};#H=()=>{};#p=()=>!1;#X(){let t=new W(this.#o);this.#b=0,this.#_=t,this.#x=e=>{this.#b-=t[e],t[e]=0},this.#N=(e,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,e),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#I=(e,i,s)=>{if(t[e]=i,this.#c){let n=this.#c-t[e];for(;this.#b>n;)this.#P(!0)}this.#b+=t[e],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#x=t=>{};#I=(t,e,i)=>{};#N=(t,e,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#h;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#a);)e=this.#u[e]}*#z({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#a;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#h);)e=this.#l[e]}#V(t){return t!==void 0&&this.#s.get(this.#i[t])===t}*entries(){for(let t of this.#A())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*rentries(){for(let t of this.#z())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*keys(){for(let t of this.#A()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*rkeys(){for(let t of this.#z()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*values(){for(let t of this.#A())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}*rvalues(){for(let t of this.#z())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(t,e={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&t(n,this.#i[i],this))return this.#C(this.#i[i],e)}}forEach(t,e=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}rforEach(t,e=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}purgeStale(){let t=!1;for(let e of this.#z({allowStale:!0}))this.#p(e)&&(this.#v(this.#i[e],"expire"),t=!0);return t}info(t){let e=this.#s.get(t);if(e===void 0)return;let i=this.#t[e],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[e],h=this.#F[e];if(r&&h){let a=r-(this.#w.now()-h);n.ttl=a,n.start=Date.now()}}return this.#_&&(n.size=this.#_[e]),n}dump(){let t=[];for(let e of this.#A({allowStale:!0})){let i=this.#i[e],s=this.#t[e],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[e];let h=this.#w.now()-this.#F[e];r.start=Math.floor(Date.now()-h)}this.#_&&(r.size=this.#_[e]),t.unshift([i,r])}return t}load(t){this.clear();for(let[e,i]of t){if(i.start){let s=Date.now()-i.start;i.start=this.#w.now()-s}this.#O(e,i.value,i)}}set(t,e,i={}){let{status:s=g.metrics.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=t,e!==void 0&&(s.value=e),s.cache=this);let n=this.#O(t,e,i);return s&&g.metrics.hasSubscribers&&g.metrics.publish(s),n}#O(t,e,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(e);if(e===void 0)return o&&(o.set="deleted"),this.delete(t),this;let{noUpdateTTL:y=this.noUpdateTTL}=i;o&&!d&&(o.value=e);let _=this.#N(t,e,i.size||0,a,o);if(this.maxEntrySize&&_>this.maxEntrySize)return this.#v(t,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let u=this.#n===0?void 0:this.#s.get(t);if(u===void 0)u=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#P(!1):this.#n,this.#i[u]=t,this.#t[u]=e,this.#s.set(t,u),this.#l[this.#h]=u,this.#u[u]=this.#h,this.#h=u,this.#n++,this.#I(u,_,o),o&&(o.set="add"),y=!1,this.#D&&!d&&this.#W?.(e,t,"add");else{this.#L(u);let p=this.#t[u];if(e!==p){if(!h)if(this.#e(p)){p!==s&&p.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=p;f!==void 0&&f!==e&&(this.#T&&this.#m?.(f,t,"set"),this.#f&&this.#r?.push([f,t,"set"]))}else this.#T&&this.#m?.(p,t,"set"),this.#f&&this.#r?.push([p,t,"set"]);if(this.#x(u),this.#I(u,_,o),this.#t[u]=e,!d){let f=p&&this.#e(p)?p.__staleWhileFetching:p,b=f===void 0?"add":e!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#D&&this.onInsert?.(e,t,b)}}else d||(o&&(o.set="update"),this.#D&&this.onInsert?.(e,t,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(y||this.#H(u,n,r),o&&this.#E(o,u)),!h&&this.#f&&this.#r){let p=this.#r,f;for(;f=p?.shift();)this.#S?.(...f)}return this}pop(){try{for(;this.#n;){let t=this.#t[this.#a];if(this.#P(!0),this.#e(t)){if(t.__staleWhileFetching)return t.__staleWhileFetching}else if(t!==void 0)return t}}finally{if(this.#f&&this.#r){let t=this.#r,e;for(;e=t?.shift();)this.#S?.(...e)}}}#P(t){let e=this.#a,i=this.#i[e],s=this.#t[e],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#m?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#x(e),this.#g?.[e]&&(clearTimeout(this.#g[e]),this.#g[e]=void 0),t&&(this.#i[e]=void 0,this.#t[e]=void 0,this.#y.push(e)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[e],this.#s.delete(i),this.#n--,e}has(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="has",i.key=t,i.cache=this);let s=this.#Y(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Y(t,e={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=e,n=this.#s.get(t);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#R(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(t,e={}){let{status:i=x()?{}:void 0}=e;i&&(i.op="peek",i.key=t,i.cache=this),e.status=i;let s=this.#J(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#J(t,e){let{status:i,allowStale:s=this.allowStale}=e,n=this.#s.get(t);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#G(t,e,i,s){let n=e===void 0?void 0:this.#t[e];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,S=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,S&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!S&&!b)return y(r.signal.reason,F);let w=u,m=this.#t[e];return(m===u||m===void 0&&S&&b)&&(f===void 0?w.__staleWhileFetching!==void 0?this.#t[e]=w.__staleWhileFetching:this.#v(t,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(t,f,a.options,w))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),y(f,!1)),y=(f,b)=>{let{aborted:l}=r.signal,S=l&&i.allowStaleOnFetchAbort,F=S||i.allowStaleOnFetchRejection,w=F||i.noDeleteOnFetchRejection,m=u;if(this.#t[e]===u&&(!w||!b&&m.__staleWhileFetching===void 0?this.#v(t,"fetch"):S||(this.#t[e]=m.__staleWhileFetching)),F)return i.status&&m.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),m.__staleWhileFetching;if(m.__returned===m)throw f},_=(f,b)=>{let l=this.#M?.(t,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=S=>o(S,!0)))}),l&&l instanceof Promise?l.then(S=>f(S===void 0?void 0:S),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let u=new Promise(_).then(o,d),p=Object.assign(u,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return e===void 0?(this.#O(t,p,{...a.options,status:void 0}),e=this.#s.get(t)):this.#t[e]=p,p}#e(t){if(!this.#U)return!1;let e=t;return!!e&&e instanceof Promise&&e.hasOwnProperty("__staleWhileFetching")&&e.__abortController instanceof AbortController}fetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=x()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#B(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#B(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:y=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:_=this.allowStaleOnFetchRejection,ignoreFetchAbort:u=this.ignoreFetchAbort,allowStaleOnFetchAbort:p=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:S}=e;if(l&&(l.op="fetch",l.key=t,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#C(t,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:y,allowStaleOnFetchRejection:_,allowStaleOnFetchAbort:p,ignoreFetchAbort:u,status:l,signal:S},w=this.#s.get(t);if(w===void 0){l&&(l.fetch="miss");let m=this.#G(t,w,F,f);return m.__returned=m}else{let m=this.#t[w];if(this.#e(m)){let E=i&&m.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",E&&(l.returnedStale=!0)),E?m.__staleWhileFetching:m.__returned=m}let A=this.#p(w);if(!b&&!A)return l&&(l.fetch="hit"),this.#L(w),s&&this.#R(w),l&&this.#E(l,w),m;let z=this.#G(t,w,F,f),v=z.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",v&&A&&(l.returnedStale=!0)),v?z.__staleWhileFetching:z.__returned=z}}forceFetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=x()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#K(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#K(t,e={}){let i=await this.#B(t,e);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="memo",i.key=t,e.context&&(i.context=e.context),i.cache=this);let s=this.#Q(t,e);return i&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Q(t,e={}){let i=this.#j;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=e;n&&r&&(n.forceRefresh=!0);let a=this.#C(t,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(t,a,{options:h,context:s});return n&&(n.value=d),this.#O(t,d,h),d}get(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="get",i.key=t,i.cache=this);let s=this.#C(t,e);return i&&(s!==void 0&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i)),s}#C(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=e,h=this.#s.get(t);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#E(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#v(t,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#R(h),o?a.__staleWhileFetching:a)}#q(t,e){this.#u[e]=t,this.#l[t]=e}#L(t){t!==this.#h&&(t===this.#a?this.#a=this.#l[t]:this.#q(this.#u[t],this.#l[t]),this.#q(this.#h,t),this.#h=t)}delete(t){return this.#v(t,"delete")}#v(t,e){g.metrics.hasSubscribers&&g.metrics.publish({op:"delete",delete:e,key:t,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(t);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#$(e);else{this.#x(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#m?.(n,t,e),this.#f&&this.#r?.push([n,t,e])),this.#s.delete(t),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#$("delete")}#$(t){for(let e of this.#z({allowStale:!0})){let i=this.#t[e];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[e];this.#T&&this.#m?.(i,s,t),this.#f&&this.#r?.push([i,s,t])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let e of this.#g??[])e!==void 0&&clearTimeout(e);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let e=this.#r,i;for(;i=e?.shift();)this.#S?.(...i)}}};exports.LRUCache=L;
+//# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/browser/perf.js b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/perf.js
new file mode 100644
index 00000000000000..bd4c80f461d6c1
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/browser/perf.js
@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultPerf = void 0;
+exports.defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/diagnostics-channel.js b/deps/npm/node_modules/lru-cache/dist/commonjs/diagnostics-channel.js
index 3a3c4e1be38b28..bdd4f41f903666 100644
--- a/deps/npm/node_modules/lru-cache/dist/commonjs/diagnostics-channel.js
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/diagnostics-channel.js
@@ -1,10 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.tracing = exports.metrics = void 0;
-// simple node version that imports from node builtin
-// this gets compiled to a require() commonjs-style override,
-// not using top level await on a conditional dynamic import
-const node_diagnostics_channel_1 = require("node:diagnostics_channel");
-exports.metrics = (0, node_diagnostics_channel_1.channel)('lru-cache:metrics');
-exports.tracing = (0, node_diagnostics_channel_1.tracingChannel)('lru-cache');
-//# sourceMappingURL=diagnostics-channel.js.map
\ No newline at end of file
+const dummy = { hasSubscribers: false };
+exports.metrics = dummy;
+exports.tracing = dummy;
+//# sourceMappingURL=diagnostics-channel-cjs.cjs.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/index.js b/deps/npm/node_modules/lru-cache/dist/commonjs/index.js
index bb8256253be5f8..6b8268b0ea9123 100644
--- a/deps/npm/node_modules/lru-cache/dist/commonjs/index.js
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/index.js
@@ -5,12 +5,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LRUCache = void 0;
 const diagnostics_channel_js_1 = require("./diagnostics-channel.js");
+const perf_js_1 = require("./perf.js");
 const hasSubscribers = () => diagnostics_channel_js_1.metrics.hasSubscribers || diagnostics_channel_js_1.tracing.hasSubscribers;
-const defaultPerf = (typeof performance === 'object' &&
-    performance &&
-    typeof performance.now === 'function') ?
-    performance
-    : Date;
 const warned = new Set();
 /* c8 ignore start */
 const PROCESS = (typeof process === 'object' && !!process ?
@@ -52,7 +48,9 @@ class ZeroArray extends Array {
     }
 }
 class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
     heap;
+    /* c8 ignore stop */
     length;
     // private constructor
     static #constructing = false;
@@ -172,6 +170,8 @@ class LRUCache {
      * {@link LRUCache.OptionsBase.ignoreFetchAbort}
      */
     ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
     // computed properties
     #size;
     #calculatedSize;
@@ -282,13 +282,14 @@ class LRUCache {
         return this.#disposeAfter;
     }
     constructor(options) {
-        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, perf, } = options;
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
         if (perf !== undefined) {
             if (typeof perf?.now !== 'function') {
                 throw new TypeError('perf option must have a now() method if specified');
             }
         }
-        this.#perf = perf ?? defaultPerf;
+        this.#perf = perf ?? perf_js_1.defaultPerf;
         if (max !== 0 && !isPosInt(max)) {
             throw new TypeError('max option must be a nonnegative integer');
         }
@@ -510,12 +511,15 @@ class LRUCache {
             sizes[index] = 0;
         };
         this.#requireSize = (k, v, size, sizeCalculation) => {
-            // provisionally accept background fetches.
-            // actual value size will be checked when they return.
-            if (this.#isBackgroundFetch(v)) {
-                return 0;
-            }
             if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
                 if (sizeCalculation) {
                     if (typeof sizeCalculation !== 'function') {
                         throw new TypeError('sizeCalculation must be a function');
@@ -882,6 +886,7 @@ class LRUCache {
             status.key = k;
             if (v !== undefined)
                 status.value = v;
+            status.cache = this;
         }
         const result = this.#set(k, v, setOptions);
         if (status && diagnostics_channel_js_1.metrics.hasSubscribers) {
@@ -889,8 +894,9 @@ class LRUCache {
         }
         return result;
     }
-    #set(k, v, setOptions = {}) {
+    #set(k, v, setOptions, bf) {
         const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
         if (v === undefined) {
             if (status)
                 status.set = 'deleted';
@@ -898,7 +904,7 @@ class LRUCache {
             return this;
         }
         let { noUpdateTTL = this.noUpdateTTL } = setOptions;
-        if (status && !this.#isBackgroundFetch(v))
+        if (status && !isBF)
             status.value = v;
         const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
         // if the item doesn't fit, don't do anything
@@ -930,52 +936,68 @@ class LRUCache {
             if (status)
                 status.set = 'add';
             noUpdateTTL = false;
-            if (this.#hasOnInsert) {
+            if (this.#hasOnInsert && !isBF) {
                 this.#onInsert?.(v, k, 'add');
             }
         }
         else {
             // update
+            // might be updating a background fetch!
             this.#moveToTail(index);
             const oldVal = this.#valList[index];
             if (v !== oldVal) {
-                if (this.#hasFetchMethod && this.#isBackgroundFetch(oldVal)) {
-                    oldVal.__abortController.abort(new Error('replaced'));
-                    const { __staleWhileFetching: s } = oldVal;
-                    if (s !== undefined && !noDisposeOnSet) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
                         if (this.#hasDispose) {
-                            this.#dispose?.(s, k, 'set');
+                            this.#dispose?.(oldVal, k, 'set');
                         }
                         if (this.#hasDisposeAfter) {
-                            this.#disposed?.push([s, k, 'set']);
+                            this.#disposed?.push([oldVal, k, 'set']);
                         }
                     }
                 }
-                else if (!noDisposeOnSet) {
-                    if (this.#hasDispose) {
-                        this.#dispose?.(oldVal, k, 'set');
-                    }
-                    if (this.#hasDisposeAfter) {
-                        this.#disposed?.push([oldVal, k, 'set']);
-                    }
-                }
                 this.#removeItemSize(index);
                 this.#addItemSize(index, size, status);
                 this.#valList[index] = v;
-                if (status) {
-                    status.set = 'replace';
+                if (!isBF) {
                     const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
                         oldVal.__staleWhileFetching
                         : oldVal;
-                    if (oldValue !== undefined)
-                        status.oldValue = oldValue;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
                 }
             }
-            else if (status) {
-                status.set = 'update';
-            }
-            if (this.#hasOnInsert) {
-                this.onInsert?.(v, k, v === oldVal ? 'update' : 'replace');
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
             }
         }
         if (ttl !== 0 && !this.#ttls) {
@@ -1030,15 +1052,18 @@ class LRUCache {
         const head = this.#head;
         const k = this.#keyList[head];
         const v = this.#valList[head];
-        if (this.#hasFetchMethod && this.#isBackgroundFetch(v)) {
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
             v.__abortController.abort(new Error('evicted'));
         }
-        else if (this.#hasDispose || this.#hasDisposeAfter) {
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
             if (this.#hasDispose) {
-                this.#dispose?.(v, k, 'evict');
+                this.#dispose?.(oldValue, k, 'evict');
             }
             if (this.#hasDisposeAfter) {
-                this.#disposed?.push([v, k, 'evict']);
+                this.#disposed?.push([oldValue, k, 'evict']);
             }
         }
         this.#removeItemSize(head);
@@ -1085,6 +1110,7 @@ class LRUCache {
         if (status) {
             status.op = 'has';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#has(k, hasOptions);
         if (diagnostics_channel_js_1.metrics.hasSubscribers)
@@ -1132,6 +1158,7 @@ class LRUCache {
         if (status) {
             status.op = 'peek';
             status.key = k;
+            status.cache = this;
         }
         peekOptions.status = status;
         const result = this.#peek(k, peekOptions);
@@ -1214,7 +1241,7 @@ class LRUCache {
                 else {
                     if (options.status)
                         options.status.fetchUpdated = true;
-                    this.#set(k, v, fetchOpts.options);
+                    this.#set(k, v, fetchOpts.options, bf);
                 }
             }
             return v;
@@ -1260,9 +1287,6 @@ class LRUCache {
         };
         const pcall = (res, rej) => {
             const fmp = this.#fetchMethod?.(k, v, fetchOpts);
-            if (fmp && fmp instanceof Promise) {
-                fmp.then(v => res(v === undefined ? undefined : v), rej);
-            }
             // ignored, we go until we finish, regardless.
             // defer check until we are actually aborting,
             // so fetchMethod can override.
@@ -1275,6 +1299,12 @@ class LRUCache {
                     }
                 }
             });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
         };
         if (options.status)
             options.status.fetchDispatched = true;
@@ -1290,6 +1320,10 @@ class LRUCache {
             index = this.#keyMap.get(k);
         }
         else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
             this.#valList[index] = bf;
         }
         return bf;
@@ -1311,11 +1345,9 @@ class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#fetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1332,6 +1364,7 @@ class LRUCache {
             status.key = k;
             if (forceRefresh)
                 status.forceRefresh = true;
+            status.cache = this;
         }
         if (!this.#hasFetchMethod) {
             if (status)
@@ -1413,11 +1446,9 @@ class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#forceFetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1436,6 +1467,7 @@ class LRUCache {
             if (memoOptions.context) {
                 status.context = memoOptions.context;
             }
+            status.cache = this;
         }
         const result = this.#memo(k, memoOptions);
         if (status)
@@ -1482,6 +1514,7 @@ class LRUCache {
         if (status) {
             status.op = 'get';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#get(k, getOptions);
         if (status) {
@@ -1580,6 +1613,7 @@ class LRUCache {
                 op: 'delete',
                 delete: reason,
                 key: k,
+                cache: this,
             });
         }
         let deleted = false;
@@ -1660,7 +1694,7 @@ class LRUCache {
             }
         }
         this.#keyMap.clear();
-        this.#valList.fill(undefined);
+        void this.#valList.fill(undefined);
         this.#keyList.fill(undefined);
         if (this.#ttls && this.#starts) {
             this.#ttls.fill(0);
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/index.min.js b/deps/npm/node_modules/lru-cache/dist/commonjs/index.min.js
index 383a09d043d362..8e42461074475a 100644
--- a/deps/npm/node_modules/lru-cache/dist/commonjs/index.min.js
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/index.min.js
@@ -1,2 +1,2 @@
-"use strict";var G=(c,t)=>()=>(t||c((t={exports:{}}).exports,t),t.exports);var M=G(O=>{"use strict";Object.defineProperty(O,"__esModule",{value:!0});O.tracing=O.metrics=void 0;var L=require("node:diagnostics_channel");O.metrics=(0,L.channel)("lru-cache:metrics");O.tracing=(0,L.tracingChannel)("lru-cache")});Object.defineProperty(exports,"__esModule",{value:!0});exports.LRUCache=void 0;var u=M(),D=()=>u.metrics.hasSubscribers||u.tracing.hasSubscribers,P=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date,U=new Set,j=typeof process=="object"&&process?process:{},H=(c,t,e,i)=>{typeof j.emitWarning=="function"?j.emitWarning(c,t,e,i):console.error(`[${e}] ${t}: ${c}`)},N=c=>!U.has(c),B=Symbol("type"),F=c=>!!c&&c===Math.floor(c)&&c>0&&isFinite(c),I=c=>F(c)?c<=Math.pow(2,8)?Uint8Array:c<=Math.pow(2,16)?Uint16Array:c<=Math.pow(2,32)?Uint32Array:c<=Number.MAX_SAFE_INTEGER?W:null:null,W=class extends Array{constructor(t){super(t),this.fill(0)}},C=class c{heap;length;static#o=!1;static create(t){let e=I(t);if(!e)return[];c.#o=!0;let i=new c(t,e);return c.#o=!1,i}constructor(t,e){if(!c.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new e(t),this.length=0}push(t){this.heap[this.length++]=t}pop(){return this.heap[--this.length]}},x=class c{#o;#c;#m;#D;#w;#M;#j;#S;get perf(){return this.#S}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#O;#f;#U;static unsafeExposeInternals(t){return{starts:t.#F,ttls:t.#d,autopurgeTimers:t.#g,sizes:t.#_,keyMap:t.#s,keyList:t.#i,valList:t.#t,next:t.#l,prev:t.#u,get head(){return t.#a},get tail(){return t.#h},free:t.#y,isBackgroundFetch:e=>t.#e(e),backgroundFetch:(e,i,s,n)=>t.#P(e,i,s,n),moveToTail:e=>t.#L(e),indexes:e=>t.#A(e),rindexes:e=>t.#v(e),isStale:e=>t.#p(e)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#j}get dispose(){return this.#m}get onInsert(){return this.#D}get disposeAfter(){return this.#w}constructor(t){let{max:e=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:o,updateAgeOnHas:r,allowStale:h,dispose:a,onInsert:d,disposeAfter:f,noDisposeOnSet:p,noUpdateTTL:m,maxSize:T=0,maxEntrySize:w=0,sizeCalculation:y,fetchMethod:l,memoMethod:S,noDeleteOnFetchRejection:_,noDeleteOnStaleGet:b,allowStaleOnFetchRejection:g,allowStaleOnFetchAbort:A,ignoreFetchAbort:v,perf:R}=t;if(R!==void 0&&typeof R?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#S=R??P,e!==0&&!F(e))throw new TypeError("max option must be a nonnegative integer");let z=e?I(e):Array;if(!z)throw new Error("invalid max value: "+e);if(this.#o=e,this.#c=T,this.maxEntrySize=w||this.#c,this.sizeCalculation=y,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(S!==void 0&&typeof S!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#j=S,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#O=!!l,this.#s=new Map,this.#i=Array.from({length:e}).fill(void 0),this.#t=Array.from({length:e}).fill(void 0),this.#l=new z(e),this.#u=new z(e),this.#a=0,this.#h=0,this.#y=C.create(e),this.#n=0,this.#b=0,typeof a=="function"&&(this.#m=a),typeof d=="function"&&(this.#D=d),typeof f=="function"?(this.#w=f,this.#r=[]):(this.#w=void 0,this.#r=void 0),this.#T=!!this.#m,this.#U=!!this.#D,this.#f=!!this.#w,this.noDisposeOnSet=!!p,this.noUpdateTTL=!!m,this.noDeleteOnFetchRejection=!!_,this.allowStaleOnFetchRejection=!!g,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!v,this.maxEntrySize!==0){if(this.#c!==0&&!F(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!F(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!h,this.noDeleteOnStaleGet=!!b,this.updateAgeOnGet=!!o,this.updateAgeOnHas=!!r,this.ttlResolution=F(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!F(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#H()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let E="LRU_CACHE_UNBOUNDED";N(E)&&(U.add(E),H("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",E,c))}}getRemainingTTL(t){return this.#s.has(t)?1/0:0}#H(){let t=new W(this.#o),e=new W(this.#o);this.#d=t,this.#F=e;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#N=(r,h,a=this.#S.now())=>{e[r]=h!==0?a:0,t[r]=h,s(r,h)},this.#R=r=>{e[r]=t[r]!==0?this.#S.now():0,s(r,t[r])};let s=this.ttlAutopurge?(r,h)=>{if(i?.[r]&&(clearTimeout(i[r]),i[r]=void 0),h&&h!==0&&i){let a=setTimeout(()=>{this.#p(r)&&this.#z(this.#i[r],"expire")},h+1);a.unref&&a.unref(),i[r]=a}}:()=>{};this.#E=(r,h)=>{if(t[h]){let a=t[h],d=e[h];if(!a||!d)return;r.ttl=a,r.start=d,r.now=n||o();let f=r.now-d;r.remainingTTL=a-f}};let n=0,o=()=>{let r=this.#S.now();if(this.ttlResolution>0){n=r;let h=setTimeout(()=>n=0,this.ttlResolution);h.unref&&h.unref()}return r};this.getRemainingTTL=r=>{let h=this.#s.get(r);if(h===void 0)return 0;let a=t[h],d=e[h];if(!a||!d)return 1/0;let f=(n||o())-d;return a-f},this.#p=r=>{let h=e[r],a=t[r];return!!a&&!!h&&(n||o())-h>a}}#R=()=>{};#E=()=>{};#N=()=>{};#p=()=>!1;#X(){let t=new W(this.#o);this.#b=0,this.#_=t,this.#C=e=>{this.#b-=t[e],t[e]=0},this.#k=(e,i,s,n)=>{if(this.#e(i))return 0;if(!F(s))if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,e),!F(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.");return s},this.#I=(e,i,s)=>{if(t[e]=i,this.#c){let n=this.#c-t[e];for(;this.#b>n;)this.#G(!0)}this.#b+=t[e],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#C=t=>{};#I=(t,e,i)=>{};#k=(t,e,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#h;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#a);)e=this.#u[e]}*#v({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#a;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#h);)e=this.#l[e]}#V(t){return t!==void 0&&this.#s.get(this.#i[t])===t}*entries(){for(let t of this.#A())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*rentries(){for(let t of this.#v())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*keys(){for(let t of this.#A()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*rkeys(){for(let t of this.#v()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*values(){for(let t of this.#A())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}*rvalues(){for(let t of this.#v())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(t,e={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&t(n,this.#i[i],this))return this.#x(this.#i[i],e)}}forEach(t,e=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}rforEach(t,e=this){for(let i of this.#v()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}purgeStale(){let t=!1;for(let e of this.#v({allowStale:!0}))this.#p(e)&&(this.#z(this.#i[e],"expire"),t=!0);return t}info(t){let e=this.#s.get(t);if(e===void 0)return;let i=this.#t[e],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let o=this.#d[e],r=this.#F[e];if(o&&r){let h=o-(this.#S.now()-r);n.ttl=h,n.start=Date.now()}}return this.#_&&(n.size=this.#_[e]),n}dump(){let t=[];for(let e of this.#A({allowStale:!0})){let i=this.#i[e],s=this.#t[e],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let o={value:n};if(this.#d&&this.#F){o.ttl=this.#d[e];let r=this.#S.now()-this.#F[e];o.start=Math.floor(Date.now()-r)}this.#_&&(o.size=this.#_[e]),t.unshift([i,o])}return t}load(t){this.clear();for(let[e,i]of t){if(i.start){let s=Date.now()-i.start;i.start=this.#S.now()-s}this.#W(e,i.value,i)}}set(t,e,i={}){let{status:s=u.metrics.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=t,e!==void 0&&(s.value=e));let n=this.#W(t,e,i);return s&&u.metrics.hasSubscribers&&u.metrics.publish(s),n}#W(t,e,i={}){let{ttl:s=this.ttl,start:n,noDisposeOnSet:o=this.noDisposeOnSet,sizeCalculation:r=this.sizeCalculation,status:h}=i;if(e===void 0)return h&&(h.set="deleted"),this.delete(t),this;let{noUpdateTTL:a=this.noUpdateTTL}=i;h&&!this.#e(e)&&(h.value=e);let d=this.#k(t,e,i.size||0,r,h);if(this.maxEntrySize&&d>this.maxEntrySize)return this.#z(t,"set"),h&&(h.set="miss",h.maxEntrySizeExceeded=!0),this;let f=this.#n===0?void 0:this.#s.get(t);if(f===void 0)f=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[f]=t,this.#t[f]=e,this.#s.set(t,f),this.#l[this.#h]=f,this.#u[f]=this.#h,this.#h=f,this.#n++,this.#I(f,d,h),h&&(h.set="add"),a=!1,this.#U&&this.#D?.(e,t,"add");else{this.#L(f);let p=this.#t[f];if(e!==p){if(this.#O&&this.#e(p)){p.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:m}=p;m!==void 0&&!o&&(this.#T&&this.#m?.(m,t,"set"),this.#f&&this.#r?.push([m,t,"set"]))}else o||(this.#T&&this.#m?.(p,t,"set"),this.#f&&this.#r?.push([p,t,"set"]));if(this.#C(f),this.#I(f,d,h),this.#t[f]=e,h){h.set="replace";let m=p&&this.#e(p)?p.__staleWhileFetching:p;m!==void 0&&(h.oldValue=m)}}else h&&(h.set="update");this.#U&&this.onInsert?.(e,t,e===p?"update":"replace")}if(s!==0&&!this.#d&&this.#H(),this.#d&&(a||this.#N(f,s,n),h&&this.#E(h,f)),!o&&this.#f&&this.#r){let p=this.#r,m;for(;m=p?.shift();)this.#w?.(...m)}return this}pop(){try{for(;this.#n;){let t=this.#t[this.#a];if(this.#G(!0),this.#e(t)){if(t.__staleWhileFetching)return t.__staleWhileFetching}else if(t!==void 0)return t}}finally{if(this.#f&&this.#r){let t=this.#r,e;for(;e=t?.shift();)this.#w?.(...e)}}}#G(t){let e=this.#a,i=this.#i[e],s=this.#t[e];return this.#O&&this.#e(s)?s.__abortController.abort(new Error("evicted")):(this.#T||this.#f)&&(this.#T&&this.#m?.(s,i,"evict"),this.#f&&this.#r?.push([s,i,"evict"])),this.#C(e),this.#g?.[e]&&(clearTimeout(this.#g[e]),this.#g[e]=void 0),t&&(this.#i[e]=void 0,this.#t[e]=void 0,this.#y.push(e)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[e],this.#s.delete(i),this.#n--,e}has(t,e={}){let{status:i=u.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="has",i.key=t);let s=this.#Y(t,e);return u.metrics.hasSubscribers&&u.metrics.publish(i),s}#Y(t,e={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=e,n=this.#s.get(t);if(n!==void 0){let o=this.#t[n];if(this.#e(o)&&o.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#R(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(t,e={}){let{status:i=D()?{}:void 0}=e;i&&(i.op="peek",i.key=t),e.status=i;let s=this.#J(t,e);return u.metrics.hasSubscribers&&u.metrics.publish(i),s}#J(t,e){let{status:i,allowStale:s=this.allowStale}=e,n=this.#s.get(t);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let o=this.#t[n],r=this.#e(o)?o.__staleWhileFetching:o;return i&&(r!==void 0?(i.peek="hit",i.value=r):i.peek="miss"),r}#P(t,e,i,s){let n=e===void 0?void 0:this.#t[e];if(this.#e(n))return n;let o=new AbortController,{signal:r}=i;r?.addEventListener("abort",()=>o.abort(r.reason),{signal:o.signal});let h={signal:o.signal,options:i,context:s},a=(w,y=!1)=>{let{aborted:l}=o.signal,S=i.ignoreFetchAbort&&w!==void 0,_=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&w!==void 0);if(i.status&&(l&&!y?(i.status.fetchAborted=!0,i.status.fetchError=o.signal.reason,S&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!S&&!y)return f(o.signal.reason,_);let b=m,g=this.#t[e];return(g===m||g===void 0&&S&&y)&&(w===void 0?b.__staleWhileFetching!==void 0?this.#t[e]=b.__staleWhileFetching:this.#z(t,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#W(t,w,h.options))),w},d=w=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=w),f(w,!1)),f=(w,y)=>{let{aborted:l}=o.signal,S=l&&i.allowStaleOnFetchAbort,_=S||i.allowStaleOnFetchRejection,b=_||i.noDeleteOnFetchRejection,g=m;if(this.#t[e]===m&&(!b||!y&&g.__staleWhileFetching===void 0?this.#z(t,"fetch"):S||(this.#t[e]=g.__staleWhileFetching)),_)return i.status&&g.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),g.__staleWhileFetching;if(g.__returned===g)throw w},p=(w,y)=>{let l=this.#M?.(t,n,h);l&&l instanceof Promise&&l.then(S=>w(S===void 0?void 0:S),y),o.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(w(void 0),i.allowStaleOnFetchAbort&&(w=S=>a(S,!0)))})};i.status&&(i.status.fetchDispatched=!0);let m=new Promise(p).then(a,d),T=Object.assign(m,{__abortController:o,__staleWhileFetching:n,__returned:void 0});return e===void 0?(this.#W(t,T,{...h.options,status:void 0}),e=this.#s.get(t)):this.#t[e]=T,T}#e(t){if(!this.#O)return!1;let e=t;return!!e&&e instanceof Promise&&e.hasOwnProperty("__staleWhileFetching")&&e.__abortController instanceof AbortController}fetch(t,e={}){let i=u.tracing.hasSubscribers,{status:s=D()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#q(t,e);return s&&D()&&i&&(s.trace=!0,u.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#q(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:o=this.ttl,noDisposeOnSet:r=this.noDisposeOnSet,size:h=0,sizeCalculation:a=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:f=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:p=this.allowStaleOnFetchRejection,ignoreFetchAbort:m=this.ignoreFetchAbort,allowStaleOnFetchAbort:T=this.allowStaleOnFetchAbort,context:w,forceRefresh:y=!1,status:l,signal:S}=e;if(l&&(l.op="fetch",l.key=t,y&&(l.forceRefresh=!0)),!this.#O)return l&&(l.fetch="get"),this.#x(t,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let _={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:o,noDisposeOnSet:r,size:h,sizeCalculation:a,noUpdateTTL:d,noDeleteOnFetchRejection:f,allowStaleOnFetchRejection:p,allowStaleOnFetchAbort:T,ignoreFetchAbort:m,status:l,signal:S},b=this.#s.get(t);if(b===void 0){l&&(l.fetch="miss");let g=this.#P(t,b,_,w);return g.__returned=g}else{let g=this.#t[b];if(this.#e(g)){let E=i&&g.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",E&&(l.returnedStale=!0)),E?g.__staleWhileFetching:g.__returned=g}let A=this.#p(b);if(!y&&!A)return l&&(l.fetch="hit"),this.#L(b),s&&this.#R(b),l&&this.#E(l,b),g;let v=this.#P(t,b,_,w),z=v.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",z&&A&&(l.returnedStale=!0)),z?v.__staleWhileFetching:v.__returned=v}}forceFetch(t,e={}){let i=u.tracing.hasSubscribers,{status:s=D()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#K(t,e);return s&&D()&&i&&(s.trace=!0,u.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#K(t,e={}){let i=await this.#q(t,e);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(t,e={}){let{status:i=u.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="memo",i.key=t,e.context&&(i.context=e.context));let s=this.#Q(t,e);return i&&(i.value=s),u.metrics.hasSubscribers&&u.metrics.publish(i),s}#Q(t,e={}){let i=this.#j;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:o,...r}=e;n&&o&&(n.forceRefresh=!0);let h=this.#x(t,r),a=o||h===void 0;if(n&&(n.memo=a?"miss":"hit",a||(n.value=h)),!a)return h;let d=i(t,h,{options:r,context:s});return n&&(n.value=d),this.#W(t,d,r),d}get(t,e={}){let{status:i=u.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="get",i.key=t);let s=this.#x(t,e);return i&&(s!==void 0&&(i.value=s),u.metrics.hasSubscribers&&u.metrics.publish(i)),s}#x(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:o}=e,r=this.#s.get(t);if(r===void 0){o&&(o.get="miss");return}let h=this.#t[r],a=this.#e(h);return o&&this.#E(o,r),this.#p(r)?a?(o&&(o.get="stale-fetching"),i&&h.__staleWhileFetching!==void 0?(o&&(o.returnedStale=!0),h.__staleWhileFetching):void 0):(n||this.#z(t,"expire"),o&&(o.get="stale"),i?(o&&(o.returnedStale=!0),h):void 0):(o&&(o.get=a?"fetching":"hit"),this.#L(r),s&&this.#R(r),a?h.__staleWhileFetching:h)}#B(t,e){this.#u[e]=t,this.#l[t]=e}#L(t){t!==this.#h&&(t===this.#a?this.#a=this.#l[t]:this.#B(this.#u[t],this.#l[t]),this.#B(this.#h,t),this.#h=t)}delete(t){return this.#z(t,"delete")}#z(t,e){u.metrics.hasSubscribers&&u.metrics.publish({op:"delete",delete:e,key:t});let i=!1;if(this.#n!==0){let s=this.#s.get(t);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#$(e);else{this.#C(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#m?.(n,t,e),this.#f&&this.#r?.push([n,t,e])),this.#s.delete(t),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let o=this.#u[s];this.#l[o]=this.#l[s];let r=this.#l[s];this.#u[r]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#w?.(...n)}return i}clear(){return this.#$("delete")}#$(t){for(let e of this.#v({allowStale:!0})){let i=this.#t[e];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[e];this.#T&&this.#m?.(i,s,t),this.#f&&this.#r?.push([i,s,t])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let e of this.#g??[])e!==void 0&&clearTimeout(e);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let e=this.#r,i;for(;i=e?.shift();)this.#w?.(...i)}}};exports.LRUCache=x;
+"use strict";var j=(c,t)=>()=>(t||c((t={exports:{}}).exports,t),t.exports);var I=j(O=>{"use strict";Object.defineProperty(O,"__esModule",{value:!0});O.tracing=O.metrics=void 0;var U={hasSubscribers:!1};O.metrics=U;O.tracing=U});var P=j(D=>{"use strict";Object.defineProperty(D,"__esModule",{value:!0});D.defaultPerf=void 0;D.defaultPerf=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date});Object.defineProperty(exports,"__esModule",{value:!0});exports.LRUCache=void 0;var g=I(),N=P(),x=()=>g.metrics.hasSubscribers||g.tracing.hasSubscribers,k=new Set,G=typeof process=="object"&&process?process:{},V=(c,t,e,i)=>{typeof G.emitWarning=="function"?G.emitWarning(c,t,e,i):console.error(`[${e}] ${t}: ${c}`)},B=c=>!k.has(c);var T=c=>!!c&&c===Math.floor(c)&&c>0&&isFinite(c),H=c=>T(c)?c<=Math.pow(2,8)?Uint8Array:c<=Math.pow(2,16)?Uint16Array:c<=Math.pow(2,32)?Uint32Array:c<=Number.MAX_SAFE_INTEGER?W:null:null,W=class extends Array{constructor(t){super(t),this.fill(0)}},C=class c{heap;length;static#o=!1;static create(t){let e=H(t);if(!e)return[];c.#o=!0;let i=new c(t,e);return c.#o=!1,i}constructor(t,e){if(!c.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new e(t),this.length=0}push(t){this.heap[this.length++]=t}pop(){return this.heap[--this.length]}},L=class c{#o;#c;#m;#W;#S;#M;#j;#w;get perf(){return this.#w}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#U;#f;#D;static unsafeExposeInternals(t){return{starts:t.#F,ttls:t.#d,autopurgeTimers:t.#g,sizes:t.#_,keyMap:t.#s,keyList:t.#i,valList:t.#t,next:t.#l,prev:t.#u,get head(){return t.#a},get tail(){return t.#h},free:t.#y,isBackgroundFetch:e=>t.#e(e),backgroundFetch:(e,i,s,n)=>t.#G(e,i,s,n),moveToTail:e=>t.#L(e),indexes:e=>t.#A(e),rindexes:e=>t.#z(e),isStale:e=>t.#p(e)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#j}get dispose(){return this.#m}get onInsert(){return this.#W}get disposeAfter(){return this.#S}constructor(t){let{max:e=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:y,noDisposeOnSet:_,noUpdateTTL:u,maxSize:p=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:S,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:w,allowStaleOnFetchRejection:m,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,backgroundFetchSize:M=1,perf:v}=t;if(this.backgroundFetchSize=M,v!==void 0&&typeof v?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#w=v??N.defaultPerf,e!==0&&!T(e))throw new TypeError("max option must be a nonnegative integer");let E=e?H(e):Array;if(!E)throw new Error("invalid max value: "+e);if(this.#o=e,this.#c=p,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(S!==void 0&&typeof S!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#j=S,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:e}).fill(void 0),this.#t=Array.from({length:e}).fill(void 0),this.#l=new E(e),this.#u=new E(e),this.#a=0,this.#h=0,this.#y=C.create(e),this.#n=0,this.#b=0,typeof o=="function"&&(this.#m=o),typeof d=="function"&&(this.#W=d),typeof y=="function"?(this.#S=y,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#m,this.#D=!!this.#W,this.#f=!!this.#S,this.noDisposeOnSet=!!_,this.noUpdateTTL=!!u,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!m,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!w,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let R="LRU_CACHE_UNBOUNDED";B(R)&&(k.add(R),V("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",R,c))}}getRemainingTTL(t){return this.#s.has(t)?1/0:0}#k(){let t=new W(this.#o),e=new W(this.#o);this.#d=t,this.#F=e;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#w.now())=>{e[h]=a!==0?o:0,t[h]=a,s(h,a)},this.#R=h=>{e[h]=t[h]!==0?this.#w.now():0,s(h,t[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#v(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#E=(h,a)=>{if(t[a]){let o=t[a],d=e[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let y=h.now-d;h.remainingTTL=o-y}};let n=0,r=()=>{let h=this.#w.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=t[a],d=e[a];if(!o||!d)return 1/0;let y=(n||r())-d;return o-y},this.#p=h=>{let a=e[h],o=t[h];return!!o&&!!a&&(n||r())-a>o}}#R=()=>{};#E=()=>{};#H=()=>{};#p=()=>!1;#X(){let t=new W(this.#o);this.#b=0,this.#_=t,this.#x=e=>{this.#b-=t[e],t[e]=0},this.#N=(e,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,e),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#I=(e,i,s)=>{if(t[e]=i,this.#c){let n=this.#c-t[e];for(;this.#b>n;)this.#P(!0)}this.#b+=t[e],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#x=t=>{};#I=(t,e,i)=>{};#N=(t,e,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#h;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#a);)e=this.#u[e]}*#z({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#a;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#h);)e=this.#l[e]}#V(t){return t!==void 0&&this.#s.get(this.#i[t])===t}*entries(){for(let t of this.#A())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*rentries(){for(let t of this.#z())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*keys(){for(let t of this.#A()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*rkeys(){for(let t of this.#z()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*values(){for(let t of this.#A())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}*rvalues(){for(let t of this.#z())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(t,e={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&t(n,this.#i[i],this))return this.#C(this.#i[i],e)}}forEach(t,e=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}rforEach(t,e=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}purgeStale(){let t=!1;for(let e of this.#z({allowStale:!0}))this.#p(e)&&(this.#v(this.#i[e],"expire"),t=!0);return t}info(t){let e=this.#s.get(t);if(e===void 0)return;let i=this.#t[e],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[e],h=this.#F[e];if(r&&h){let a=r-(this.#w.now()-h);n.ttl=a,n.start=Date.now()}}return this.#_&&(n.size=this.#_[e]),n}dump(){let t=[];for(let e of this.#A({allowStale:!0})){let i=this.#i[e],s=this.#t[e],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[e];let h=this.#w.now()-this.#F[e];r.start=Math.floor(Date.now()-h)}this.#_&&(r.size=this.#_[e]),t.unshift([i,r])}return t}load(t){this.clear();for(let[e,i]of t){if(i.start){let s=Date.now()-i.start;i.start=this.#w.now()-s}this.#O(e,i.value,i)}}set(t,e,i={}){let{status:s=g.metrics.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=t,e!==void 0&&(s.value=e),s.cache=this);let n=this.#O(t,e,i);return s&&g.metrics.hasSubscribers&&g.metrics.publish(s),n}#O(t,e,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(e);if(e===void 0)return o&&(o.set="deleted"),this.delete(t),this;let{noUpdateTTL:y=this.noUpdateTTL}=i;o&&!d&&(o.value=e);let _=this.#N(t,e,i.size||0,a,o);if(this.maxEntrySize&&_>this.maxEntrySize)return this.#v(t,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let u=this.#n===0?void 0:this.#s.get(t);if(u===void 0)u=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#P(!1):this.#n,this.#i[u]=t,this.#t[u]=e,this.#s.set(t,u),this.#l[this.#h]=u,this.#u[u]=this.#h,this.#h=u,this.#n++,this.#I(u,_,o),o&&(o.set="add"),y=!1,this.#D&&!d&&this.#W?.(e,t,"add");else{this.#L(u);let p=this.#t[u];if(e!==p){if(!h)if(this.#e(p)){p!==s&&p.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=p;f!==void 0&&f!==e&&(this.#T&&this.#m?.(f,t,"set"),this.#f&&this.#r?.push([f,t,"set"]))}else this.#T&&this.#m?.(p,t,"set"),this.#f&&this.#r?.push([p,t,"set"]);if(this.#x(u),this.#I(u,_,o),this.#t[u]=e,!d){let f=p&&this.#e(p)?p.__staleWhileFetching:p,b=f===void 0?"add":e!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#D&&this.onInsert?.(e,t,b)}}else d||(o&&(o.set="update"),this.#D&&this.onInsert?.(e,t,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(y||this.#H(u,n,r),o&&this.#E(o,u)),!h&&this.#f&&this.#r){let p=this.#r,f;for(;f=p?.shift();)this.#S?.(...f)}return this}pop(){try{for(;this.#n;){let t=this.#t[this.#a];if(this.#P(!0),this.#e(t)){if(t.__staleWhileFetching)return t.__staleWhileFetching}else if(t!==void 0)return t}}finally{if(this.#f&&this.#r){let t=this.#r,e;for(;e=t?.shift();)this.#S?.(...e)}}}#P(t){let e=this.#a,i=this.#i[e],s=this.#t[e],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#m?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#x(e),this.#g?.[e]&&(clearTimeout(this.#g[e]),this.#g[e]=void 0),t&&(this.#i[e]=void 0,this.#t[e]=void 0,this.#y.push(e)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[e],this.#s.delete(i),this.#n--,e}has(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="has",i.key=t,i.cache=this);let s=this.#Y(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Y(t,e={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=e,n=this.#s.get(t);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#R(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(t,e={}){let{status:i=x()?{}:void 0}=e;i&&(i.op="peek",i.key=t,i.cache=this),e.status=i;let s=this.#J(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#J(t,e){let{status:i,allowStale:s=this.allowStale}=e,n=this.#s.get(t);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#G(t,e,i,s){let n=e===void 0?void 0:this.#t[e];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,S=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,S&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!S&&!b)return y(r.signal.reason,F);let w=u,m=this.#t[e];return(m===u||m===void 0&&S&&b)&&(f===void 0?w.__staleWhileFetching!==void 0?this.#t[e]=w.__staleWhileFetching:this.#v(t,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(t,f,a.options,w))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),y(f,!1)),y=(f,b)=>{let{aborted:l}=r.signal,S=l&&i.allowStaleOnFetchAbort,F=S||i.allowStaleOnFetchRejection,w=F||i.noDeleteOnFetchRejection,m=u;if(this.#t[e]===u&&(!w||!b&&m.__staleWhileFetching===void 0?this.#v(t,"fetch"):S||(this.#t[e]=m.__staleWhileFetching)),F)return i.status&&m.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),m.__staleWhileFetching;if(m.__returned===m)throw f},_=(f,b)=>{let l=this.#M?.(t,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=S=>o(S,!0)))}),l&&l instanceof Promise?l.then(S=>f(S===void 0?void 0:S),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let u=new Promise(_).then(o,d),p=Object.assign(u,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return e===void 0?(this.#O(t,p,{...a.options,status:void 0}),e=this.#s.get(t)):this.#t[e]=p,p}#e(t){if(!this.#U)return!1;let e=t;return!!e&&e instanceof Promise&&e.hasOwnProperty("__staleWhileFetching")&&e.__abortController instanceof AbortController}fetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=x()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#B(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#B(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:y=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:_=this.allowStaleOnFetchRejection,ignoreFetchAbort:u=this.ignoreFetchAbort,allowStaleOnFetchAbort:p=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:S}=e;if(l&&(l.op="fetch",l.key=t,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#C(t,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:y,allowStaleOnFetchRejection:_,allowStaleOnFetchAbort:p,ignoreFetchAbort:u,status:l,signal:S},w=this.#s.get(t);if(w===void 0){l&&(l.fetch="miss");let m=this.#G(t,w,F,f);return m.__returned=m}else{let m=this.#t[w];if(this.#e(m)){let E=i&&m.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",E&&(l.returnedStale=!0)),E?m.__staleWhileFetching:m.__returned=m}let A=this.#p(w);if(!b&&!A)return l&&(l.fetch="hit"),this.#L(w),s&&this.#R(w),l&&this.#E(l,w),m;let z=this.#G(t,w,F,f),v=z.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",v&&A&&(l.returnedStale=!0)),v?z.__staleWhileFetching:z.__returned=z}}forceFetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=x()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#K(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#K(t,e={}){let i=await this.#B(t,e);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="memo",i.key=t,e.context&&(i.context=e.context),i.cache=this);let s=this.#Q(t,e);return i&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Q(t,e={}){let i=this.#j;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=e;n&&r&&(n.forceRefresh=!0);let a=this.#C(t,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(t,a,{options:h,context:s});return n&&(n.value=d),this.#O(t,d,h),d}get(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="get",i.key=t,i.cache=this);let s=this.#C(t,e);return i&&(s!==void 0&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i)),s}#C(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=e,h=this.#s.get(t);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#E(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#v(t,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#R(h),o?a.__staleWhileFetching:a)}#q(t,e){this.#u[e]=t,this.#l[t]=e}#L(t){t!==this.#h&&(t===this.#a?this.#a=this.#l[t]:this.#q(this.#u[t],this.#l[t]),this.#q(this.#h,t),this.#h=t)}delete(t){return this.#v(t,"delete")}#v(t,e){g.metrics.hasSubscribers&&g.metrics.publish({op:"delete",delete:e,key:t,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(t);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#$(e);else{this.#x(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#m?.(n,t,e),this.#f&&this.#r?.push([n,t,e])),this.#s.delete(t),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#$("delete")}#$(t){for(let e of this.#z({allowStale:!0})){let i=this.#t[e];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[e];this.#T&&this.#m?.(i,s,t),this.#f&&this.#r?.push([i,s,t])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let e of this.#g??[])e!==void 0&&clearTimeout(e);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let e=this.#r,i;for(;i=e?.shift();)this.#S?.(...i)}}};exports.LRUCache=L;
 //# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/node/diagnostics-channel.js b/deps/npm/node_modules/lru-cache/dist/commonjs/node/diagnostics-channel.js
new file mode 100644
index 00000000000000..30f39a05a5630c
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/node/diagnostics-channel.js
@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tracing = exports.metrics = void 0;
+// simple node version that imports from node builtin
+// this is built to both ESM and CommonJS on the 'node' import path
+const node_diagnostics_channel_1 = require("node:diagnostics_channel");
+exports.metrics = (0, node_diagnostics_channel_1.channel)('lru-cache:metrics');
+exports.tracing = (0, node_diagnostics_channel_1.tracingChannel)('lru-cache');
+//# sourceMappingURL=diagnostics-channel-node.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.js b/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.js
new file mode 100644
index 00000000000000..6b8268b0ea9123
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.js
@@ -0,0 +1,1726 @@
+"use strict";
+/**
+ * @module LRUCache
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LRUCache = void 0;
+const diagnostics_channel_js_1 = require("./diagnostics-channel.js");
+const perf_js_1 = require("./perf.js");
+const hasSubscribers = () => diagnostics_channel_js_1.metrics.hasSubscribers || diagnostics_channel_js_1.tracing.hasSubscribers;
+const warned = new Set();
+/* c8 ignore start */
+const PROCESS = (typeof process === 'object' && !!process ?
+    process
+    : {});
+/* c8 ignore stop */
+const emitWarning = (msg, type, code, fn) => {
+    if (typeof PROCESS.emitWarning === 'function') {
+        PROCESS.emitWarning(msg, type, code, fn);
+    }
+    else {
+        //oxlint-disable-next-line no-console
+        console.error(`[${code}] ${type}: ${msg}`);
+    }
+};
+const shouldWarn = (code) => !warned.has(code);
+const TYPE = Symbol('type');
+const isPosInt = (n) => !!n && n === Math.floor(n) && n > 0 && isFinite(n);
+// This is a little bit ridiculous, tbh.
+// The maximum array length is 2^32-1 or thereabouts on most JS impls.
+// And well before that point, you're caching the entire world, I mean,
+// that's ~32GB of just integers for the next/prev links, plus whatever
+// else to hold that many keys and values.  Just filling the memory with
+// zeroes at init time is brutal when you get that big.
+// But why not be complete?
+// Maybe in the future, these limits will have expanded.
+/* c8 ignore start */
+const getUintArray = (max) => !isPosInt(max) ? null
+    : max <= Math.pow(2, 8) ? Uint8Array
+        : max <= Math.pow(2, 16) ? Uint16Array
+            : max <= Math.pow(2, 32) ? Uint32Array
+                : max <= Number.MAX_SAFE_INTEGER ? ZeroArray
+                    : null;
+/* c8 ignore stop */
+class ZeroArray extends Array {
+    constructor(size) {
+        super(size);
+        this.fill(0);
+    }
+}
+class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
+    heap;
+    /* c8 ignore stop */
+    length;
+    // private constructor
+    static #constructing = false;
+    static create(max) {
+        const HeapCls = getUintArray(max);
+        if (!HeapCls)
+            return [];
+        Stack.#constructing = true;
+        const s = new Stack(max, HeapCls);
+        Stack.#constructing = false;
+        return s;
+    }
+    constructor(max, HeapCls) {
+        /* c8 ignore start */
+        if (!Stack.#constructing) {
+            throw new TypeError('instantiate Stack using Stack.create(n)');
+        }
+        /* c8 ignore stop */
+        this.heap = new HeapCls(max);
+        this.length = 0;
+    }
+    push(n) {
+        this.heap[this.length++] = n;
+    }
+    pop() {
+        return this.heap[--this.length];
+    }
+}
+/**
+ * Default export, the thing you're using this module to get.
+ *
+ * The `K` and `V` types define the key and value types, respectively. The
+ * optional `FC` type defines the type of the `context` object passed to
+ * `cache.fetch()` and `cache.memo()`.
+ *
+ * Keys and values **must not** be `null` or `undefined`.
+ *
+ * All properties from the options object (with the exception of `max`,
+ * `maxSize`, `fetchMethod`, `memoMethod`, `dispose` and `disposeAfter`) are
+ * added as normal public members. (The listed options are read-only getters.)
+ *
+ * Changing any of these will alter the defaults for subsequent method calls.
+ */
+class LRUCache {
+    // options that cannot be changed without disaster
+    #max;
+    #maxSize;
+    #dispose;
+    #onInsert;
+    #disposeAfter;
+    #fetchMethod;
+    #memoMethod;
+    #perf;
+    /**
+     * {@link LRUCache.OptionsBase.perf}
+     */
+    get perf() {
+        return this.#perf;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.ttl}
+     */
+    ttl;
+    /**
+     * {@link LRUCache.OptionsBase.ttlResolution}
+     */
+    ttlResolution;
+    /**
+     * {@link LRUCache.OptionsBase.ttlAutopurge}
+     */
+    ttlAutopurge;
+    /**
+     * {@link LRUCache.OptionsBase.updateAgeOnGet}
+     */
+    updateAgeOnGet;
+    /**
+     * {@link LRUCache.OptionsBase.updateAgeOnHas}
+     */
+    updateAgeOnHas;
+    /**
+     * {@link LRUCache.OptionsBase.allowStale}
+     */
+    allowStale;
+    /**
+     * {@link LRUCache.OptionsBase.noDisposeOnSet}
+     */
+    noDisposeOnSet;
+    /**
+     * {@link LRUCache.OptionsBase.noUpdateTTL}
+     */
+    noUpdateTTL;
+    /**
+     * {@link LRUCache.OptionsBase.maxEntrySize}
+     */
+    maxEntrySize;
+    /**
+     * {@link LRUCache.OptionsBase.sizeCalculation}
+     */
+    sizeCalculation;
+    /**
+     * {@link LRUCache.OptionsBase.noDeleteOnFetchRejection}
+     */
+    noDeleteOnFetchRejection;
+    /**
+     * {@link LRUCache.OptionsBase.noDeleteOnStaleGet}
+     */
+    noDeleteOnStaleGet;
+    /**
+     * {@link LRUCache.OptionsBase.allowStaleOnFetchAbort}
+     */
+    allowStaleOnFetchAbort;
+    /**
+     * {@link LRUCache.OptionsBase.allowStaleOnFetchRejection}
+     */
+    allowStaleOnFetchRejection;
+    /**
+     * {@link LRUCache.OptionsBase.ignoreFetchAbort}
+     */
+    ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
+    // computed properties
+    #size;
+    #calculatedSize;
+    #keyMap;
+    #keyList;
+    #valList;
+    #next;
+    #prev;
+    #head;
+    #tail;
+    #free;
+    #disposed;
+    #sizes;
+    #starts;
+    #ttls;
+    #autopurgeTimers;
+    #hasDispose;
+    #hasFetchMethod;
+    #hasDisposeAfter;
+    #hasOnInsert;
+    /**
+     * Do not call this method unless you need to inspect the
+     * inner workings of the cache.  If anything returned by this
+     * object is modified in any way, strange breakage may occur.
+     *
+     * These fields are private for a reason!
+     *
+     * @internal
+     */
+    static unsafeExposeInternals(c) {
+        return {
+            // properties
+            starts: c.#starts,
+            ttls: c.#ttls,
+            autopurgeTimers: c.#autopurgeTimers,
+            sizes: c.#sizes,
+            keyMap: c.#keyMap,
+            keyList: c.#keyList,
+            valList: c.#valList,
+            next: c.#next,
+            prev: c.#prev,
+            get head() {
+                return c.#head;
+            },
+            get tail() {
+                return c.#tail;
+            },
+            free: c.#free,
+            // methods
+            isBackgroundFetch: (p) => c.#isBackgroundFetch(p),
+            backgroundFetch: (k, index, options, context) => c.#backgroundFetch(k, index, options, context),
+            moveToTail: (index) => c.#moveToTail(index),
+            indexes: (options) => c.#indexes(options),
+            rindexes: (options) => c.#rindexes(options),
+            isStale: (index) => c.#isStale(index),
+        };
+    }
+    // Protected read-only members
+    /**
+     * {@link LRUCache.OptionsBase.max} (read-only)
+     */
+    get max() {
+        return this.#max;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.maxSize} (read-only)
+     */
+    get maxSize() {
+        return this.#maxSize;
+    }
+    /**
+     * The total computed size of items in the cache (read-only)
+     */
+    get calculatedSize() {
+        return this.#calculatedSize;
+    }
+    /**
+     * The number of items stored in the cache (read-only)
+     */
+    get size() {
+        return this.#size;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.fetchMethod} (read-only)
+     */
+    get fetchMethod() {
+        return this.#fetchMethod;
+    }
+    get memoMethod() {
+        return this.#memoMethod;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.dispose} (read-only)
+     */
+    get dispose() {
+        return this.#dispose;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.onInsert} (read-only)
+     */
+    get onInsert() {
+        return this.#onInsert;
+    }
+    /**
+     * {@link LRUCache.OptionsBase.disposeAfter} (read-only)
+     */
+    get disposeAfter() {
+        return this.#disposeAfter;
+    }
+    constructor(options) {
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
+        if (perf !== undefined) {
+            if (typeof perf?.now !== 'function') {
+                throw new TypeError('perf option must have a now() method if specified');
+            }
+        }
+        this.#perf = perf ?? perf_js_1.defaultPerf;
+        if (max !== 0 && !isPosInt(max)) {
+            throw new TypeError('max option must be a nonnegative integer');
+        }
+        const UintArray = max ? getUintArray(max) : Array;
+        if (!UintArray) {
+            throw new Error('invalid max value: ' + max);
+        }
+        this.#max = max;
+        this.#maxSize = maxSize;
+        this.maxEntrySize = maxEntrySize || this.#maxSize;
+        this.sizeCalculation = sizeCalculation;
+        if (this.sizeCalculation) {
+            if (!this.#maxSize && !this.maxEntrySize) {
+                throw new TypeError('cannot set sizeCalculation without setting maxSize or maxEntrySize');
+            }
+            if (typeof this.sizeCalculation !== 'function') {
+                throw new TypeError('sizeCalculation set to non-function');
+            }
+        }
+        if (memoMethod !== undefined && typeof memoMethod !== 'function') {
+            throw new TypeError('memoMethod must be a function if defined');
+        }
+        this.#memoMethod = memoMethod;
+        if (fetchMethod !== undefined && typeof fetchMethod !== 'function') {
+            throw new TypeError('fetchMethod must be a function if specified');
+        }
+        this.#fetchMethod = fetchMethod;
+        this.#hasFetchMethod = !!fetchMethod;
+        this.#keyMap = new Map();
+        this.#keyList = Array.from({ length: max }).fill(undefined);
+        this.#valList = Array.from({ length: max }).fill(undefined);
+        this.#next = new UintArray(max);
+        this.#prev = new UintArray(max);
+        this.#head = 0;
+        this.#tail = 0;
+        this.#free = Stack.create(max);
+        this.#size = 0;
+        this.#calculatedSize = 0;
+        if (typeof dispose === 'function') {
+            this.#dispose = dispose;
+        }
+        if (typeof onInsert === 'function') {
+            this.#onInsert = onInsert;
+        }
+        if (typeof disposeAfter === 'function') {
+            this.#disposeAfter = disposeAfter;
+            this.#disposed = [];
+        }
+        else {
+            this.#disposeAfter = undefined;
+            this.#disposed = undefined;
+        }
+        this.#hasDispose = !!this.#dispose;
+        this.#hasOnInsert = !!this.#onInsert;
+        this.#hasDisposeAfter = !!this.#disposeAfter;
+        this.noDisposeOnSet = !!noDisposeOnSet;
+        this.noUpdateTTL = !!noUpdateTTL;
+        this.noDeleteOnFetchRejection = !!noDeleteOnFetchRejection;
+        this.allowStaleOnFetchRejection = !!allowStaleOnFetchRejection;
+        this.allowStaleOnFetchAbort = !!allowStaleOnFetchAbort;
+        this.ignoreFetchAbort = !!ignoreFetchAbort;
+        // NB: maxEntrySize is set to maxSize if it's set
+        if (this.maxEntrySize !== 0) {
+            if (this.#maxSize !== 0) {
+                if (!isPosInt(this.#maxSize)) {
+                    throw new TypeError('maxSize must be a positive integer if specified');
+                }
+            }
+            if (!isPosInt(this.maxEntrySize)) {
+                throw new TypeError('maxEntrySize must be a positive integer if specified');
+            }
+            this.#initializeSizeTracking();
+        }
+        this.allowStale = !!allowStale;
+        this.noDeleteOnStaleGet = !!noDeleteOnStaleGet;
+        this.updateAgeOnGet = !!updateAgeOnGet;
+        this.updateAgeOnHas = !!updateAgeOnHas;
+        this.ttlResolution =
+            isPosInt(ttlResolution) || ttlResolution === 0 ? ttlResolution : 1;
+        this.ttlAutopurge = !!ttlAutopurge;
+        this.ttl = ttl || 0;
+        if (this.ttl) {
+            if (!isPosInt(this.ttl)) {
+                throw new TypeError('ttl must be a positive integer if specified');
+            }
+            this.#initializeTTLTracking();
+        }
+        // do not allow completely unbounded caches
+        if (this.#max === 0 && this.ttl === 0 && this.#maxSize === 0) {
+            throw new TypeError('At least one of max, maxSize, or ttl is required');
+        }
+        if (!this.ttlAutopurge && !this.#max && !this.#maxSize) {
+            const code = 'LRU_CACHE_UNBOUNDED';
+            if (shouldWarn(code)) {
+                warned.add(code);
+                const msg = 'TTL caching without ttlAutopurge, max, or maxSize can ' +
+                    'result in unbounded memory consumption.';
+                emitWarning(msg, 'UnboundedCacheWarning', code, LRUCache);
+            }
+        }
+    }
+    /**
+     * Return the number of ms left in the item's TTL. If item is not in cache,
+     * returns `0`. Returns `Infinity` if item is in cache without a defined TTL.
+     */
+    getRemainingTTL(key) {
+        return this.#keyMap.has(key) ? Infinity : 0;
+    }
+    #initializeTTLTracking() {
+        const ttls = new ZeroArray(this.#max);
+        const starts = new ZeroArray(this.#max);
+        this.#ttls = ttls;
+        this.#starts = starts;
+        const purgeTimers = this.ttlAutopurge ?
+            Array.from({
+                length: this.#max,
+            })
+            : undefined;
+        this.#autopurgeTimers = purgeTimers;
+        this.#setItemTTL = (index, ttl, start = this.#perf.now()) => {
+            starts[index] = ttl !== 0 ? start : 0;
+            ttls[index] = ttl;
+            setPurgetTimer(index, ttl);
+        };
+        this.#updateItemAge = index => {
+            starts[index] = ttls[index] !== 0 ? this.#perf.now() : 0;
+            setPurgetTimer(index, ttls[index]);
+        };
+        // clear out the purge timer if we're setting TTL to 0, and
+        // previously had a ttl purge timer running, so it doesn't
+        // fire unnecessarily. Don't need to do this if we're not doing
+        // autopurge.
+        const setPurgetTimer = !this.ttlAutopurge ?
+            () => { }
+            : (index, ttl) => {
+                if (purgeTimers?.[index]) {
+                    clearTimeout(purgeTimers[index]);
+                    purgeTimers[index] = undefined;
+                }
+                if (ttl && ttl !== 0 && purgeTimers) {
+                    const t = setTimeout(() => {
+                        if (this.#isStale(index)) {
+                            this.#delete(this.#keyList[index], 'expire');
+                        }
+                    }, ttl + 1);
+                    // unref() not supported on all platforms
+                    /* c8 ignore start */
+                    if (t.unref) {
+                        t.unref();
+                    }
+                    /* c8 ignore stop */
+                    purgeTimers[index] = t;
+                }
+            };
+        this.#statusTTL = (status, index) => {
+            if (ttls[index]) {
+                const ttl = ttls[index];
+                const start = starts[index];
+                /* c8 ignore start */
+                if (!ttl || !start) {
+                    return;
+                }
+                /* c8 ignore stop */
+                status.ttl = ttl;
+                status.start = start;
+                status.now = cachedNow || getNow();
+                const age = status.now - start;
+                status.remainingTTL = ttl - age;
+            }
+        };
+        // debounce calls to perf.now() to 1s so we're not hitting
+        // that costly call repeatedly.
+        let cachedNow = 0;
+        const getNow = () => {
+            const n = this.#perf.now();
+            if (this.ttlResolution > 0) {
+                cachedNow = n;
+                const t = setTimeout(() => (cachedNow = 0), this.ttlResolution);
+                // not available on all platforms
+                /* c8 ignore start */
+                if (t.unref) {
+                    t.unref();
+                }
+                /* c8 ignore stop */
+            }
+            return n;
+        };
+        this.getRemainingTTL = key => {
+            const index = this.#keyMap.get(key);
+            if (index === undefined) {
+                return 0;
+            }
+            const ttl = ttls[index];
+            const start = starts[index];
+            if (!ttl || !start) {
+                return Infinity;
+            }
+            const age = (cachedNow || getNow()) - start;
+            return ttl - age;
+        };
+        this.#isStale = index => {
+            const s = starts[index];
+            const t = ttls[index];
+            return !!t && !!s && (cachedNow || getNow()) - s > t;
+        };
+    }
+    // conditionally set private methods related to TTL
+    #updateItemAge = () => { };
+    #statusTTL = () => { };
+    #setItemTTL = () => { };
+    /* c8 ignore stop */
+    #isStale = () => false;
+    #initializeSizeTracking() {
+        const sizes = new ZeroArray(this.#max);
+        this.#calculatedSize = 0;
+        this.#sizes = sizes;
+        this.#removeItemSize = index => {
+            this.#calculatedSize -= sizes[index];
+            sizes[index] = 0;
+        };
+        this.#requireSize = (k, v, size, sizeCalculation) => {
+            if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
+                if (sizeCalculation) {
+                    if (typeof sizeCalculation !== 'function') {
+                        throw new TypeError('sizeCalculation must be a function');
+                    }
+                    size = sizeCalculation(v, k);
+                    if (!isPosInt(size)) {
+                        throw new TypeError('sizeCalculation return invalid (expect positive integer)');
+                    }
+                }
+                else {
+                    throw new TypeError('invalid size value (must be positive integer). ' +
+                        'When maxSize or maxEntrySize is used, sizeCalculation ' +
+                        'or size must be set.');
+                }
+            }
+            return size;
+        };
+        this.#addItemSize = (index, size, status) => {
+            sizes[index] = size;
+            if (this.#maxSize) {
+                const maxSize = this.#maxSize - sizes[index];
+                while (this.#calculatedSize > maxSize) {
+                    this.#evict(true);
+                }
+            }
+            this.#calculatedSize += sizes[index];
+            if (status) {
+                status.entrySize = size;
+                status.totalCalculatedSize = this.#calculatedSize;
+            }
+        };
+    }
+    #removeItemSize = _i => { };
+    #addItemSize = (_i, _s, _st) => { };
+    #requireSize = (_k, _v, size, sizeCalculation) => {
+        if (size || sizeCalculation) {
+            throw new TypeError('cannot set size without setting maxSize or maxEntrySize on cache');
+        }
+        return 0;
+    };
+    *#indexes({ allowStale = this.allowStale } = {}) {
+        if (this.#size) {
+            for (let i = this.#tail; this.#isValidIndex(i);) {
+                if (allowStale || !this.#isStale(i)) {
+                    yield i;
+                }
+                if (i === this.#head) {
+                    break;
+                }
+                else {
+                    i = this.#prev[i];
+                }
+            }
+        }
+    }
+    *#rindexes({ allowStale = this.allowStale } = {}) {
+        if (this.#size) {
+            for (let i = this.#head; this.#isValidIndex(i);) {
+                if (allowStale || !this.#isStale(i)) {
+                    yield i;
+                }
+                if (i === this.#tail) {
+                    break;
+                }
+                else {
+                    i = this.#next[i];
+                }
+            }
+        }
+    }
+    #isValidIndex(index) {
+        return (index !== undefined &&
+            this.#keyMap.get(this.#keyList[index]) === index);
+    }
+    /**
+     * Return a generator yielding `[key, value]` pairs,
+     * in order from most recently used to least recently used.
+     */
+    *entries() {
+        for (const i of this.#indexes()) {
+            if (this.#valList[i] !== undefined &&
+                this.#keyList[i] !== undefined &&
+                !this.#isBackgroundFetch(this.#valList[i])) {
+                yield [this.#keyList[i], this.#valList[i]];
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.entries}
+     *
+     * Return a generator yielding `[key, value]` pairs,
+     * in order from least recently used to most recently used.
+     */
+    *rentries() {
+        for (const i of this.#rindexes()) {
+            if (this.#valList[i] !== undefined &&
+                this.#keyList[i] !== undefined &&
+                !this.#isBackgroundFetch(this.#valList[i])) {
+                yield [this.#keyList[i], this.#valList[i]];
+            }
+        }
+    }
+    /**
+     * Return a generator yielding the keys in the cache,
+     * in order from most recently used to least recently used.
+     */
+    *keys() {
+        for (const i of this.#indexes()) {
+            const k = this.#keyList[i];
+            if (k !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield k;
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.keys}
+     *
+     * Return a generator yielding the keys in the cache,
+     * in order from least recently used to most recently used.
+     */
+    *rkeys() {
+        for (const i of this.#rindexes()) {
+            const k = this.#keyList[i];
+            if (k !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield k;
+            }
+        }
+    }
+    /**
+     * Return a generator yielding the values in the cache,
+     * in order from most recently used to least recently used.
+     */
+    *values() {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            if (v !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield this.#valList[i];
+            }
+        }
+    }
+    /**
+     * Inverse order version of {@link LRUCache.values}
+     *
+     * Return a generator yielding the values in the cache,
+     * in order from least recently used to most recently used.
+     */
+    *rvalues() {
+        for (const i of this.#rindexes()) {
+            const v = this.#valList[i];
+            if (v !== undefined && !this.#isBackgroundFetch(this.#valList[i])) {
+                yield this.#valList[i];
+            }
+        }
+    }
+    /**
+     * Iterating over the cache itself yields the same results as
+     * {@link LRUCache.entries}
+     */
+    [Symbol.iterator]() {
+        return this.entries();
+    }
+    /**
+     * A String value that is used in the creation of the default string
+     * description of an object. Called by the built-in method
+     * `Object.prototype.toString`.
+     */
+    [Symbol.toStringTag] = 'LRUCache';
+    /**
+     * Find a value for which the supplied fn method returns a truthy value,
+     * similar to `Array.find()`. fn is called as `fn(value, key, cache)`.
+     */
+    find(fn, getOptions = {}) {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            if (fn(value, this.#keyList[i], this)) {
+                return this.#get(this.#keyList[i], getOptions);
+            }
+        }
+    }
+    /**
+     * Call the supplied function on each item in the cache, in order from most
+     * recently used to least recently used.
+     *
+     * `fn` is called as `fn(value, key, cache)`.
+     *
+     * If `thisp` is provided, function will be called in the `this`-context of
+     * the provided object, or the cache if no `thisp` object is provided.
+     *
+     * Does not update age or recenty of use, or iterate over stale values.
+     */
+    forEach(fn, thisp = this) {
+        for (const i of this.#indexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            fn.call(thisp, value, this.#keyList[i], this);
+        }
+    }
+    /**
+     * The same as {@link LRUCache.forEach} but items are iterated over in
+     * reverse order.  (ie, less recently used items are iterated over first.)
+     */
+    rforEach(fn, thisp = this) {
+        for (const i of this.#rindexes()) {
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined)
+                continue;
+            fn.call(thisp, value, this.#keyList[i], this);
+        }
+    }
+    /**
+     * Delete any stale entries. Returns true if anything was removed,
+     * false otherwise.
+     */
+    purgeStale() {
+        let deleted = false;
+        for (const i of this.#rindexes({ allowStale: true })) {
+            if (this.#isStale(i)) {
+                this.#delete(this.#keyList[i], 'expire');
+                deleted = true;
+            }
+        }
+        return deleted;
+    }
+    /**
+     * Get the extended info about a given entry, to get its value, size, and
+     * TTL info simultaneously. Returns `undefined` if the key is not present.
+     *
+     * Unlike {@link LRUCache#dump}, which is designed to be portable and survive
+     * serialization, the `start` value is always the current timestamp, and the
+     * `ttl` is a calculated remaining time to live (negative if expired).
+     *
+     * Always returns stale values, if their info is found in the cache, so be
+     * sure to check for expirations (ie, a negative {@link LRUCache.Entry#ttl})
+     * if relevant.
+     */
+    info(key) {
+        const i = this.#keyMap.get(key);
+        if (i === undefined)
+            return undefined;
+        const v = this.#valList[i];
+        /* c8 ignore start - this isn't tested for the info function,
+         * but it's the same logic as found in other places. */
+        const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+        if (value === undefined)
+            return undefined;
+        /* c8 ignore stop */
+        const entry = { value };
+        if (this.#ttls && this.#starts) {
+            const ttl = this.#ttls[i];
+            const start = this.#starts[i];
+            if (ttl && start) {
+                const remain = ttl - (this.#perf.now() - start);
+                entry.ttl = remain;
+                entry.start = Date.now();
+            }
+        }
+        if (this.#sizes) {
+            entry.size = this.#sizes[i];
+        }
+        return entry;
+    }
+    /**
+     * Return an array of [key, {@link LRUCache.Entry}] tuples which can be
+     * passed to {@link LRUCache#load}.
+     *
+     * The `start` fields are calculated relative to a portable `Date.now()`
+     * timestamp, even if `performance.now()` is available.
+     *
+     * Stale entries are always included in the `dump`, even if
+     * {@link LRUCache.OptionsBase.allowStale} is false.
+     *
+     * Note: this returns an actual array, not a generator, so it can be more
+     * easily passed around.
+     */
+    dump() {
+        const arr = [];
+        for (const i of this.#indexes({ allowStale: true })) {
+            const key = this.#keyList[i];
+            const v = this.#valList[i];
+            const value = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+            if (value === undefined || key === undefined)
+                continue;
+            const entry = { value };
+            if (this.#ttls && this.#starts) {
+                entry.ttl = this.#ttls[i];
+                // always dump the start relative to a portable timestamp
+                // it's ok for this to be a bit slow, it's a rare operation.
+                const age = this.#perf.now() - this.#starts[i];
+                entry.start = Math.floor(Date.now() - age);
+            }
+            if (this.#sizes) {
+                entry.size = this.#sizes[i];
+            }
+            arr.unshift([key, entry]);
+        }
+        return arr;
+    }
+    /**
+     * Reset the cache and load in the items in entries in the order listed.
+     *
+     * The shape of the resulting cache may be different if the same options are
+     * not used in both caches.
+     *
+     * The `start` fields are assumed to be calculated relative to a portable
+     * `Date.now()` timestamp, even if `performance.now()` is available.
+     */
+    load(arr) {
+        this.clear();
+        for (const [key, entry] of arr) {
+            if (entry.start) {
+                // entry.start is a portable timestamp, but we may be using
+                // node's performance.now(), so calculate the offset, so that
+                // we get the intended remaining TTL, no matter how long it's
+                // been on ice.
+                //
+                // it's ok for this to be a bit slow, it's a rare operation.
+                const age = Date.now() - entry.start;
+                entry.start = this.#perf.now() - age;
+            }
+            this.#set(key, entry.value, entry);
+        }
+    }
+    /**
+     * Add a value to the cache.
+     *
+     * Note: if `undefined` is specified as a value, this is an alias for
+     * {@link LRUCache#delete}
+     *
+     * Fields on the {@link LRUCache.SetOptions} options param will override
+     * their corresponding values in the constructor options for the scope
+     * of this single `set()` operation.
+     *
+     * If `start` is provided, then that will set the effective start
+     * time for the TTL calculation. Note that this must be a previous
+     * value of `performance.now()` if supported, or a previous value of
+     * `Date.now()` if not.
+     *
+     * Options object may also include `size`, which will prevent
+     * calling the `sizeCalculation` function and just use the specified
+     * number if it is a positive integer, and `noDisposeOnSet` which
+     * will prevent calling a `dispose` function in the case of
+     * overwrites.
+     *
+     * If the `size` (or return value of `sizeCalculation`) for a given
+     * entry is greater than `maxEntrySize`, then the item will not be
+     * added to the cache.
+     *
+     * Will update the recency of the entry.
+     *
+     * If the value is `undefined`, then this is an alias for
+     * `cache.delete(key)`. `undefined` is never stored in the cache.
+     */
+    set(k, v, setOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = setOptions;
+        setOptions.status = status;
+        if (status) {
+            status.op = 'set';
+            status.key = k;
+            if (v !== undefined)
+                status.value = v;
+            status.cache = this;
+        }
+        const result = this.#set(k, v, setOptions);
+        if (status && diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #set(k, v, setOptions, bf) {
+        const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
+        if (v === undefined) {
+            if (status)
+                status.set = 'deleted';
+            this.delete(k);
+            return this;
+        }
+        let { noUpdateTTL = this.noUpdateTTL } = setOptions;
+        if (status && !isBF)
+            status.value = v;
+        const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
+        // if the item doesn't fit, don't do anything
+        // NB: maxEntrySize set to maxSize by default
+        if (this.maxEntrySize && size > this.maxEntrySize) {
+            // have to delete, in case something is there already.
+            this.#delete(k, 'set');
+            if (status) {
+                status.set = 'miss';
+                status.maxEntrySizeExceeded = true;
+            }
+            return this;
+        }
+        let index = this.#size === 0 ? undefined : this.#keyMap.get(k);
+        if (index === undefined) {
+            // addition
+            index = (this.#size === 0 ? this.#tail
+                : this.#free.length !== 0 ? this.#free.pop()
+                    : this.#size === this.#max ? this.#evict(false)
+                        : this.#size);
+            this.#keyList[index] = k;
+            this.#valList[index] = v;
+            this.#keyMap.set(k, index);
+            this.#next[this.#tail] = index;
+            this.#prev[index] = this.#tail;
+            this.#tail = index;
+            this.#size++;
+            this.#addItemSize(index, size, status);
+            if (status)
+                status.set = 'add';
+            noUpdateTTL = false;
+            if (this.#hasOnInsert && !isBF) {
+                this.#onInsert?.(v, k, 'add');
+            }
+        }
+        else {
+            // update
+            // might be updating a background fetch!
+            this.#moveToTail(index);
+            const oldVal = this.#valList[index];
+            if (v !== oldVal) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
+                        if (this.#hasDispose) {
+                            this.#dispose?.(oldVal, k, 'set');
+                        }
+                        if (this.#hasDisposeAfter) {
+                            this.#disposed?.push([oldVal, k, 'set']);
+                        }
+                    }
+                }
+                this.#removeItemSize(index);
+                this.#addItemSize(index, size, status);
+                this.#valList[index] = v;
+                if (!isBF) {
+                    const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
+                        oldVal.__staleWhileFetching
+                        : oldVal;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
+                }
+            }
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
+            }
+        }
+        if (ttl !== 0 && !this.#ttls) {
+            this.#initializeTTLTracking();
+        }
+        if (this.#ttls) {
+            if (!noUpdateTTL) {
+                this.#setItemTTL(index, ttl, start);
+            }
+            if (status)
+                this.#statusTTL(status, index);
+        }
+        if (!noDisposeOnSet && this.#hasDisposeAfter && this.#disposed) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+        return this;
+    }
+    /**
+     * Evict the least recently used item, returning its value or
+     * `undefined` if cache is empty.
+     */
+    pop() {
+        try {
+            while (this.#size) {
+                const val = this.#valList[this.#head];
+                this.#evict(true);
+                if (this.#isBackgroundFetch(val)) {
+                    if (val.__staleWhileFetching) {
+                        return val.__staleWhileFetching;
+                    }
+                }
+                else if (val !== undefined) {
+                    return val;
+                }
+            }
+        }
+        finally {
+            if (this.#hasDisposeAfter && this.#disposed) {
+                const dt = this.#disposed;
+                let task;
+                while ((task = dt?.shift())) {
+                    this.#disposeAfter?.(...task);
+                }
+            }
+        }
+    }
+    #evict(free) {
+        const head = this.#head;
+        const k = this.#keyList[head];
+        const v = this.#valList[head];
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
+            v.__abortController.abort(new Error('evicted'));
+        }
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
+            if (this.#hasDispose) {
+                this.#dispose?.(oldValue, k, 'evict');
+            }
+            if (this.#hasDisposeAfter) {
+                this.#disposed?.push([oldValue, k, 'evict']);
+            }
+        }
+        this.#removeItemSize(head);
+        if (this.#autopurgeTimers?.[head]) {
+            clearTimeout(this.#autopurgeTimers[head]);
+            this.#autopurgeTimers[head] = undefined;
+        }
+        // if we aren't about to use the index, then null these out
+        if (free) {
+            this.#keyList[head] = undefined;
+            this.#valList[head] = undefined;
+            this.#free.push(head);
+        }
+        if (this.#size === 1) {
+            this.#head = this.#tail = 0;
+            this.#free.length = 0;
+        }
+        else {
+            this.#head = this.#next[head];
+        }
+        this.#keyMap.delete(k);
+        this.#size--;
+        return head;
+    }
+    /**
+     * Check if a key is in the cache, without updating the recency of use.
+     * Will return false if the item is stale, even though it is technically
+     * in the cache.
+     *
+     * Check if a key is in the cache, without updating the recency of
+     * use. Age is updated if {@link LRUCache.OptionsBase.updateAgeOnHas} is set
+     * to `true` in either the options or the constructor.
+     *
+     * Will return `false` if the item is stale, even though it is technically in
+     * the cache. The difference can be determined (if it matters) by using a
+     * `status` argument, and inspecting the `has` field.
+     *
+     * Will not update item age unless
+     * {@link LRUCache.OptionsBase.updateAgeOnHas} is set.
+     */
+    has(k, hasOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = hasOptions;
+        hasOptions.status = status;
+        if (status) {
+            status.op = 'has';
+            status.key = k;
+            status.cache = this;
+        }
+        const result = this.#has(k, hasOptions);
+        if (diagnostics_channel_js_1.metrics.hasSubscribers)
+            diagnostics_channel_js_1.metrics.publish(status);
+        return result;
+    }
+    #has(k, hasOptions = {}) {
+        const { updateAgeOnHas = this.updateAgeOnHas, status } = hasOptions;
+        const index = this.#keyMap.get(k);
+        if (index !== undefined) {
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v) &&
+                v.__staleWhileFetching === undefined) {
+                return false;
+            }
+            if (!this.#isStale(index)) {
+                if (updateAgeOnHas) {
+                    this.#updateItemAge(index);
+                }
+                if (status) {
+                    status.has = 'hit';
+                    this.#statusTTL(status, index);
+                }
+                return true;
+            }
+            else if (status) {
+                status.has = 'stale';
+                this.#statusTTL(status, index);
+            }
+        }
+        else if (status) {
+            status.has = 'miss';
+        }
+        return false;
+    }
+    /**
+     * Like {@link LRUCache#get} but doesn't update recency or delete stale
+     * items.
+     *
+     * Returns `undefined` if the item is stale, unless
+     * {@link LRUCache.OptionsBase.allowStale} is set.
+     */
+    peek(k, peekOptions = {}) {
+        const { status = hasSubscribers() ? {} : undefined } = peekOptions;
+        if (status) {
+            status.op = 'peek';
+            status.key = k;
+            status.cache = this;
+        }
+        peekOptions.status = status;
+        const result = this.#peek(k, peekOptions);
+        if (diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #peek(k, peekOptions) {
+        const { status, allowStale = this.allowStale } = peekOptions;
+        const index = this.#keyMap.get(k);
+        if (index === undefined || (!allowStale && this.#isStale(index))) {
+            if (status)
+                status.peek = index === undefined ? 'miss' : 'stale';
+            return undefined;
+        }
+        const v = this.#valList[index];
+        const val = this.#isBackgroundFetch(v) ? v.__staleWhileFetching : v;
+        if (status) {
+            if (val !== undefined) {
+                status.peek = 'hit';
+                status.value = val;
+            }
+            else {
+                status.peek = 'miss';
+            }
+        }
+        return val;
+    }
+    #backgroundFetch(k, index, options, context) {
+        const v = index === undefined ? undefined : this.#valList[index];
+        if (this.#isBackgroundFetch(v)) {
+            return v;
+        }
+        const ac = new AbortController();
+        const { signal } = options;
+        // when/if our AC signals, then stop listening to theirs.
+        signal?.addEventListener('abort', () => ac.abort(signal.reason), {
+            signal: ac.signal,
+        });
+        const fetchOpts = {
+            signal: ac.signal,
+            options,
+            context,
+        };
+        const cb = (v, updateCache = false) => {
+            const { aborted } = ac.signal;
+            const ignoreAbort = options.ignoreFetchAbort && v !== undefined;
+            const proceed = options.ignoreFetchAbort ||
+                !!(options.allowStaleOnFetchAbort && v !== undefined);
+            if (options.status) {
+                if (aborted && !updateCache) {
+                    options.status.fetchAborted = true;
+                    options.status.fetchError = ac.signal.reason;
+                    if (ignoreAbort)
+                        options.status.fetchAbortIgnored = true;
+                }
+                else {
+                    options.status.fetchResolved = true;
+                }
+            }
+            if (aborted && !ignoreAbort && !updateCache) {
+                return fetchFail(ac.signal.reason, proceed);
+            }
+            // either we didn't abort, and are still here, or we did, and ignored
+            const bf = p;
+            // if nothing else has been written there but we're set to update the
+            // cache and ignore the abort, or if it's still pending on this specific
+            // background request, then write it to the cache.
+            const vl = this.#valList[index];
+            if (vl === p || (vl === undefined && ignoreAbort && updateCache)) {
+                if (v === undefined) {
+                    if (bf.__staleWhileFetching !== undefined) {
+                        this.#valList[index] = bf.__staleWhileFetching;
+                    }
+                    else {
+                        this.#delete(k, 'fetch');
+                    }
+                }
+                else {
+                    if (options.status)
+                        options.status.fetchUpdated = true;
+                    this.#set(k, v, fetchOpts.options, bf);
+                }
+            }
+            return v;
+        };
+        const eb = (er) => {
+            if (options.status) {
+                options.status.fetchRejected = true;
+                options.status.fetchError = er;
+            }
+            // do not pass go, do not collect $200
+            return fetchFail(er, false);
+        };
+        const fetchFail = (er, proceed) => {
+            const { aborted } = ac.signal;
+            const allowStaleAborted = aborted && options.allowStaleOnFetchAbort;
+            const allowStale = allowStaleAborted || options.allowStaleOnFetchRejection;
+            const noDelete = allowStale || options.noDeleteOnFetchRejection;
+            const bf = p;
+            if (this.#valList[index] === p) {
+                // if we allow stale on fetch rejections, then we need to ensure that
+                // the stale value is not removed from the cache when the fetch fails.
+                const del = !noDelete || (!proceed && bf.__staleWhileFetching === undefined);
+                if (del) {
+                    this.#delete(k, 'fetch');
+                }
+                else if (!allowStaleAborted) {
+                    // still replace the *promise* with the stale value,
+                    // since we are done with the promise at this point.
+                    // leave it untouched if we're still waiting for an
+                    // aborted background fetch that hasn't yet returned.
+                    this.#valList[index] = bf.__staleWhileFetching;
+                }
+            }
+            if (allowStale) {
+                if (options.status && bf.__staleWhileFetching !== undefined) {
+                    options.status.returnedStale = true;
+                }
+                return bf.__staleWhileFetching;
+            }
+            else if (bf.__returned === bf) {
+                throw er;
+            }
+        };
+        const pcall = (res, rej) => {
+            const fmp = this.#fetchMethod?.(k, v, fetchOpts);
+            // ignored, we go until we finish, regardless.
+            // defer check until we are actually aborting,
+            // so fetchMethod can override.
+            ac.signal.addEventListener('abort', () => {
+                if (!options.ignoreFetchAbort || options.allowStaleOnFetchAbort) {
+                    res(undefined);
+                    // when it eventually resolves, update the cache.
+                    if (options.allowStaleOnFetchAbort) {
+                        res = v => cb(v, true);
+                    }
+                }
+            });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
+        };
+        if (options.status)
+            options.status.fetchDispatched = true;
+        const p = new Promise(pcall).then(cb, eb);
+        const bf = Object.assign(p, {
+            __abortController: ac,
+            __staleWhileFetching: v,
+            __returned: undefined,
+        });
+        if (index === undefined) {
+            // internal, don't expose status.
+            this.#set(k, bf, { ...fetchOpts.options, status: undefined });
+            index = this.#keyMap.get(k);
+        }
+        else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
+            this.#valList[index] = bf;
+        }
+        return bf;
+    }
+    #isBackgroundFetch(p) {
+        if (!this.#hasFetchMethod)
+            return false;
+        const b = p;
+        return (!!b &&
+            b instanceof Promise &&
+            b.hasOwnProperty('__staleWhileFetching') &&
+            b.__abortController instanceof AbortController);
+    }
+    fetch(k, fetchOptions = {}) {
+        const ths = diagnostics_channel_js_1.tracing.hasSubscribers;
+        const { status = hasSubscribers() ? {} : undefined } = fetchOptions;
+        fetchOptions.status = status;
+        if (status && fetchOptions.context) {
+            status.context = fetchOptions.context;
+        }
+        const p = this.#fetch(k, fetchOptions);
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
+        }
+        return p;
+    }
+    async #fetch(k, fetchOptions = {}) {
+        const {
+        // get options
+        allowStale = this.allowStale, updateAgeOnGet = this.updateAgeOnGet, noDeleteOnStaleGet = this.noDeleteOnStaleGet,
+        // set options
+        ttl = this.ttl, noDisposeOnSet = this.noDisposeOnSet, size = 0, sizeCalculation = this.sizeCalculation, noUpdateTTL = this.noUpdateTTL,
+        // fetch exclusive options
+        noDeleteOnFetchRejection = this.noDeleteOnFetchRejection, allowStaleOnFetchRejection = this.allowStaleOnFetchRejection, ignoreFetchAbort = this.ignoreFetchAbort, allowStaleOnFetchAbort = this.allowStaleOnFetchAbort, context, forceRefresh = false, status, signal, } = fetchOptions;
+        if (status) {
+            status.op = 'fetch';
+            status.key = k;
+            if (forceRefresh)
+                status.forceRefresh = true;
+            status.cache = this;
+        }
+        if (!this.#hasFetchMethod) {
+            if (status)
+                status.fetch = 'get';
+            return this.#get(k, {
+                allowStale,
+                updateAgeOnGet,
+                noDeleteOnStaleGet,
+                status,
+            });
+        }
+        const options = {
+            allowStale,
+            updateAgeOnGet,
+            noDeleteOnStaleGet,
+            ttl,
+            noDisposeOnSet,
+            size,
+            sizeCalculation,
+            noUpdateTTL,
+            noDeleteOnFetchRejection,
+            allowStaleOnFetchRejection,
+            allowStaleOnFetchAbort,
+            ignoreFetchAbort,
+            status,
+            signal,
+        };
+        let index = this.#keyMap.get(k);
+        if (index === undefined) {
+            if (status)
+                status.fetch = 'miss';
+            const p = this.#backgroundFetch(k, index, options, context);
+            return (p.__returned = p);
+        }
+        else {
+            // in cache, maybe already fetching
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v)) {
+                const stale = allowStale && v.__staleWhileFetching !== undefined;
+                if (status) {
+                    status.fetch = 'inflight';
+                    if (stale)
+                        status.returnedStale = true;
+                }
+                return stale ? v.__staleWhileFetching : (v.__returned = v);
+            }
+            // if we force a refresh, that means do NOT serve the cached value,
+            // unless we are already in the process of refreshing the cache.
+            const isStale = this.#isStale(index);
+            if (!forceRefresh && !isStale) {
+                if (status)
+                    status.fetch = 'hit';
+                this.#moveToTail(index);
+                if (updateAgeOnGet) {
+                    this.#updateItemAge(index);
+                }
+                if (status)
+                    this.#statusTTL(status, index);
+                return v;
+            }
+            // ok, it is stale or a forced refresh, and not already fetching.
+            // refresh the cache.
+            const p = this.#backgroundFetch(k, index, options, context);
+            const hasStale = p.__staleWhileFetching !== undefined;
+            const staleVal = hasStale && allowStale;
+            if (status) {
+                status.fetch = isStale ? 'stale' : 'refresh';
+                if (staleVal && isStale)
+                    status.returnedStale = true;
+            }
+            return staleVal ? p.__staleWhileFetching : (p.__returned = p);
+        }
+    }
+    forceFetch(k, fetchOptions = {}) {
+        const ths = diagnostics_channel_js_1.tracing.hasSubscribers;
+        const { status = hasSubscribers() ? {} : undefined } = fetchOptions;
+        fetchOptions.status = status;
+        if (status && fetchOptions.context) {
+            status.context = fetchOptions.context;
+        }
+        const p = this.#forceFetch(k, fetchOptions);
+        if (status && ths) {
+            status.trace = true;
+            diagnostics_channel_js_1.tracing.tracePromise(() => p, status).catch(() => { });
+        }
+        return p;
+    }
+    async #forceFetch(k, fetchOptions = {}) {
+        const v = await this.#fetch(k, fetchOptions);
+        if (v === undefined)
+            throw new Error('fetch() returned undefined');
+        return v;
+    }
+    memo(k, memoOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = memoOptions;
+        memoOptions.status = status;
+        if (status) {
+            status.op = 'memo';
+            status.key = k;
+            if (memoOptions.context) {
+                status.context = memoOptions.context;
+            }
+            status.cache = this;
+        }
+        const result = this.#memo(k, memoOptions);
+        if (status)
+            status.value = result;
+        if (diagnostics_channel_js_1.metrics.hasSubscribers)
+            diagnostics_channel_js_1.metrics.publish(status);
+        return result;
+    }
+    #memo(k, memoOptions = {}) {
+        const memoMethod = this.#memoMethod;
+        if (!memoMethod) {
+            throw new Error('no memoMethod provided to constructor');
+        }
+        const { context, status, forceRefresh, ...options } = memoOptions;
+        if (status && forceRefresh)
+            status.forceRefresh = true;
+        const v = this.#get(k, options);
+        const refresh = forceRefresh || v === undefined;
+        if (status) {
+            status.memo = refresh ? 'miss' : 'hit';
+            if (!refresh)
+                status.value = v;
+        }
+        if (!refresh)
+            return v;
+        const vv = memoMethod(k, v, {
+            options,
+            context,
+        });
+        if (status)
+            status.value = vv;
+        this.#set(k, vv, options);
+        return vv;
+    }
+    /**
+     * Return a value from the cache. Will update the recency of the cache
+     * entry found.
+     *
+     * If the key is not found, get() will return `undefined`.
+     */
+    get(k, getOptions = {}) {
+        const { status = diagnostics_channel_js_1.metrics.hasSubscribers ? {} : undefined } = getOptions;
+        getOptions.status = status;
+        if (status) {
+            status.op = 'get';
+            status.key = k;
+            status.cache = this;
+        }
+        const result = this.#get(k, getOptions);
+        if (status) {
+            if (result !== undefined)
+                status.value = result;
+            if (diagnostics_channel_js_1.metrics.hasSubscribers)
+                diagnostics_channel_js_1.metrics.publish(status);
+        }
+        return result;
+    }
+    #get(k, getOptions = {}) {
+        const { allowStale = this.allowStale, updateAgeOnGet = this.updateAgeOnGet, noDeleteOnStaleGet = this.noDeleteOnStaleGet, status, } = getOptions;
+        const index = this.#keyMap.get(k);
+        if (index === undefined) {
+            if (status)
+                status.get = 'miss';
+            return undefined;
+        }
+        const value = this.#valList[index];
+        const fetching = this.#isBackgroundFetch(value);
+        if (status)
+            this.#statusTTL(status, index);
+        if (this.#isStale(index)) {
+            // delete only if not an in-flight background fetch
+            if (!fetching) {
+                if (!noDeleteOnStaleGet) {
+                    this.#delete(k, 'expire');
+                }
+                if (status)
+                    status.get = 'stale';
+                if (allowStale) {
+                    if (status)
+                        status.returnedStale = true;
+                    return value;
+                }
+                return undefined;
+            }
+            if (status)
+                status.get = 'stale-fetching';
+            if (allowStale && value.__staleWhileFetching !== undefined) {
+                if (status)
+                    status.returnedStale = true;
+                return value.__staleWhileFetching;
+            }
+            return undefined;
+        }
+        // not stale
+        if (status)
+            status.get = fetching ? 'fetching' : 'hit';
+        // if we're currently fetching it, we don't actually have it yet
+        // it's not stale, which means this isn't a staleWhileRefetching.
+        // If it's not stale, and fetching, AND has a __staleWhileFetching
+        // value, then that means the user fetched with {forceRefresh:true},
+        // so it's safe to return that value.
+        this.#moveToTail(index);
+        if (updateAgeOnGet) {
+            this.#updateItemAge(index);
+        }
+        return fetching ? value.__staleWhileFetching : value;
+    }
+    #connect(p, n) {
+        this.#prev[n] = p;
+        this.#next[p] = n;
+    }
+    #moveToTail(index) {
+        // if tail already, nothing to do
+        // if head, move head to next[index]
+        // else
+        //   move next[prev[index]] to next[index] (head has no prev)
+        //   move prev[next[index]] to prev[index]
+        // prev[index] = tail
+        // next[tail] = index
+        // tail = index
+        if (index !== this.#tail) {
+            if (index === this.#head) {
+                this.#head = this.#next[index];
+            }
+            else {
+                this.#connect(this.#prev[index], this.#next[index]);
+            }
+            this.#connect(this.#tail, index);
+            this.#tail = index;
+        }
+    }
+    /**
+     * Deletes a key out of the cache.
+     *
+     * Returns true if the key was deleted, false otherwise.
+     */
+    delete(k) {
+        return this.#delete(k, 'delete');
+    }
+    #delete(k, reason) {
+        if (diagnostics_channel_js_1.metrics.hasSubscribers) {
+            diagnostics_channel_js_1.metrics.publish({
+                op: 'delete',
+                delete: reason,
+                key: k,
+                cache: this,
+            });
+        }
+        let deleted = false;
+        if (this.#size !== 0) {
+            const index = this.#keyMap.get(k);
+            if (index !== undefined) {
+                if (this.#autopurgeTimers?.[index]) {
+                    clearTimeout(this.#autopurgeTimers?.[index]);
+                    this.#autopurgeTimers[index] = undefined;
+                }
+                deleted = true;
+                if (this.#size === 1) {
+                    this.#clear(reason);
+                }
+                else {
+                    this.#removeItemSize(index);
+                    const v = this.#valList[index];
+                    if (this.#isBackgroundFetch(v)) {
+                        v.__abortController.abort(new Error('deleted'));
+                    }
+                    else if (this.#hasDispose || this.#hasDisposeAfter) {
+                        if (this.#hasDispose) {
+                            this.#dispose?.(v, k, reason);
+                        }
+                        if (this.#hasDisposeAfter) {
+                            this.#disposed?.push([v, k, reason]);
+                        }
+                    }
+                    this.#keyMap.delete(k);
+                    this.#keyList[index] = undefined;
+                    this.#valList[index] = undefined;
+                    if (index === this.#tail) {
+                        this.#tail = this.#prev[index];
+                    }
+                    else if (index === this.#head) {
+                        this.#head = this.#next[index];
+                    }
+                    else {
+                        const pi = this.#prev[index];
+                        this.#next[pi] = this.#next[index];
+                        const ni = this.#next[index];
+                        this.#prev[ni] = this.#prev[index];
+                    }
+                    this.#size--;
+                    this.#free.push(index);
+                }
+            }
+        }
+        if (this.#hasDisposeAfter && this.#disposed?.length) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+        return deleted;
+    }
+    /**
+     * Clear the cache entirely, throwing away all values.
+     */
+    clear() {
+        return this.#clear('delete');
+    }
+    #clear(reason) {
+        for (const index of this.#rindexes({ allowStale: true })) {
+            const v = this.#valList[index];
+            if (this.#isBackgroundFetch(v)) {
+                v.__abortController.abort(new Error('deleted'));
+            }
+            else {
+                const k = this.#keyList[index];
+                if (this.#hasDispose) {
+                    this.#dispose?.(v, k, reason);
+                }
+                if (this.#hasDisposeAfter) {
+                    this.#disposed?.push([v, k, reason]);
+                }
+            }
+        }
+        this.#keyMap.clear();
+        void this.#valList.fill(undefined);
+        this.#keyList.fill(undefined);
+        if (this.#ttls && this.#starts) {
+            this.#ttls.fill(0);
+            this.#starts.fill(0);
+            for (const t of this.#autopurgeTimers ?? []) {
+                if (t !== undefined)
+                    clearTimeout(t);
+            }
+            this.#autopurgeTimers?.fill(undefined);
+        }
+        if (this.#sizes) {
+            this.#sizes.fill(0);
+        }
+        this.#head = 0;
+        this.#tail = 0;
+        this.#free.length = 0;
+        this.#calculatedSize = 0;
+        this.#size = 0;
+        if (this.#hasDisposeAfter && this.#disposed) {
+            const dt = this.#disposed;
+            let task;
+            while ((task = dt?.shift())) {
+                this.#disposeAfter?.(...task);
+            }
+        }
+    }
+}
+exports.LRUCache = LRUCache;
+//# sourceMappingURL=index.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.min.js b/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.min.js
new file mode 100644
index 00000000000000..a03fc771913873
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/node/index.min.js
@@ -0,0 +1,2 @@
+"use strict";var j=(c,t)=>()=>(t||c((t={exports:{}}).exports,t),t.exports);var I=j(O=>{"use strict";Object.defineProperty(O,"__esModule",{value:!0});O.tracing=O.metrics=void 0;var U=require("node:diagnostics_channel");O.metrics=(0,U.channel)("lru-cache:metrics");O.tracing=(0,U.tracingChannel)("lru-cache")});var P=j(D=>{"use strict";Object.defineProperty(D,"__esModule",{value:!0});D.defaultPerf=void 0;D.defaultPerf=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date});Object.defineProperty(exports,"__esModule",{value:!0});exports.LRUCache=void 0;var g=I(),N=P(),C=()=>g.metrics.hasSubscribers||g.tracing.hasSubscribers,k=new Set,G=typeof process=="object"&&process?process:{},V=(c,t,e,i)=>{typeof G.emitWarning=="function"?G.emitWarning(c,t,e,i):console.error(`[${e}] ${t}: ${c}`)},q=c=>!k.has(c);var T=c=>!!c&&c===Math.floor(c)&&c>0&&isFinite(c),H=c=>T(c)?c<=Math.pow(2,8)?Uint8Array:c<=Math.pow(2,16)?Uint16Array:c<=Math.pow(2,32)?Uint32Array:c<=Number.MAX_SAFE_INTEGER?W:null:null,W=class extends Array{constructor(t){super(t),this.fill(0)}},x=class c{heap;length;static#o=!1;static create(t){let e=H(t);if(!e)return[];c.#o=!0;let i=new c(t,e);return c.#o=!1,i}constructor(t,e){if(!c.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new e(t),this.length=0}push(t){this.heap[this.length++]=t}pop(){return this.heap[--this.length]}},L=class c{#o;#c;#m;#W;#S;#M;#j;#w;get perf(){return this.#w}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#_;#r;#y;#F;#d;#g;#T;#U;#f;#D;static unsafeExposeInternals(t){return{starts:t.#F,ttls:t.#d,autopurgeTimers:t.#g,sizes:t.#y,keyMap:t.#s,keyList:t.#i,valList:t.#t,next:t.#l,prev:t.#u,get head(){return t.#a},get tail(){return t.#h},free:t.#_,isBackgroundFetch:e=>t.#e(e),backgroundFetch:(e,i,s,n)=>t.#G(e,i,s,n),moveToTail:e=>t.#L(e),indexes:e=>t.#A(e),rindexes:e=>t.#z(e),isStale:e=>t.#p(e)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#j}get dispose(){return this.#m}get onInsert(){return this.#W}get disposeAfter(){return this.#S}constructor(t){let{max:e=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:_,noDisposeOnSet:y,noUpdateTTL:u,maxSize:p=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:S,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:w,allowStaleOnFetchRejection:m,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,backgroundFetchSize:M=1,perf:v}=t;if(this.backgroundFetchSize=M,v!==void 0&&typeof v?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#w=v??N.defaultPerf,e!==0&&!T(e))throw new TypeError("max option must be a nonnegative integer");let E=e?H(e):Array;if(!E)throw new Error("invalid max value: "+e);if(this.#o=e,this.#c=p,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(S!==void 0&&typeof S!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#j=S,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:e}).fill(void 0),this.#t=Array.from({length:e}).fill(void 0),this.#l=new E(e),this.#u=new E(e),this.#a=0,this.#h=0,this.#_=x.create(e),this.#n=0,this.#b=0,typeof o=="function"&&(this.#m=o),typeof d=="function"&&(this.#W=d),typeof _=="function"?(this.#S=_,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#m,this.#D=!!this.#W,this.#f=!!this.#S,this.noDisposeOnSet=!!y,this.noUpdateTTL=!!u,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!m,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!w,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let R="LRU_CACHE_UNBOUNDED";q(R)&&(k.add(R),V("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",R,c))}}getRemainingTTL(t){return this.#s.has(t)?1/0:0}#k(){let t=new W(this.#o),e=new W(this.#o);this.#d=t,this.#F=e;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#w.now())=>{e[h]=a!==0?o:0,t[h]=a,s(h,a)},this.#R=h=>{e[h]=t[h]!==0?this.#w.now():0,s(h,t[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#v(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#E=(h,a)=>{if(t[a]){let o=t[a],d=e[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let _=h.now-d;h.remainingTTL=o-_}};let n=0,r=()=>{let h=this.#w.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=t[a],d=e[a];if(!o||!d)return 1/0;let _=(n||r())-d;return o-_},this.#p=h=>{let a=e[h],o=t[h];return!!o&&!!a&&(n||r())-a>o}}#R=()=>{};#E=()=>{};#H=()=>{};#p=()=>!1;#X(){let t=new W(this.#o);this.#b=0,this.#y=t,this.#C=e=>{this.#b-=t[e],t[e]=0},this.#N=(e,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,e),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#I=(e,i,s)=>{if(t[e]=i,this.#c){let n=this.#c-t[e];for(;this.#b>n;)this.#P(!0)}this.#b+=t[e],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#C=t=>{};#I=(t,e,i)=>{};#N=(t,e,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#h;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#a);)e=this.#u[e]}*#z({allowStale:t=this.allowStale}={}){if(this.#n)for(let e=this.#a;this.#V(e)&&((t||!this.#p(e))&&(yield e),e!==this.#h);)e=this.#l[e]}#V(t){return t!==void 0&&this.#s.get(this.#i[t])===t}*entries(){for(let t of this.#A())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*rentries(){for(let t of this.#z())this.#t[t]!==void 0&&this.#i[t]!==void 0&&!this.#e(this.#t[t])&&(yield[this.#i[t],this.#t[t]])}*keys(){for(let t of this.#A()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*rkeys(){for(let t of this.#z()){let e=this.#i[t];e!==void 0&&!this.#e(this.#t[t])&&(yield e)}}*values(){for(let t of this.#A())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}*rvalues(){for(let t of this.#z())this.#t[t]!==void 0&&!this.#e(this.#t[t])&&(yield this.#t[t])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(t,e={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&t(n,this.#i[i],this))return this.#x(this.#i[i],e)}}forEach(t,e=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}rforEach(t,e=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&t.call(e,n,this.#i[i],this)}}purgeStale(){let t=!1;for(let e of this.#z({allowStale:!0}))this.#p(e)&&(this.#v(this.#i[e],"expire"),t=!0);return t}info(t){let e=this.#s.get(t);if(e===void 0)return;let i=this.#t[e],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[e],h=this.#F[e];if(r&&h){let a=r-(this.#w.now()-h);n.ttl=a,n.start=Date.now()}}return this.#y&&(n.size=this.#y[e]),n}dump(){let t=[];for(let e of this.#A({allowStale:!0})){let i=this.#i[e],s=this.#t[e],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[e];let h=this.#w.now()-this.#F[e];r.start=Math.floor(Date.now()-h)}this.#y&&(r.size=this.#y[e]),t.unshift([i,r])}return t}load(t){this.clear();for(let[e,i]of t){if(i.start){let s=Date.now()-i.start;i.start=this.#w.now()-s}this.#O(e,i.value,i)}}set(t,e,i={}){let{status:s=g.metrics.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=t,e!==void 0&&(s.value=e),s.cache=this);let n=this.#O(t,e,i);return s&&g.metrics.hasSubscribers&&g.metrics.publish(s),n}#O(t,e,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(e);if(e===void 0)return o&&(o.set="deleted"),this.delete(t),this;let{noUpdateTTL:_=this.noUpdateTTL}=i;o&&!d&&(o.value=e);let y=this.#N(t,e,i.size||0,a,o);if(this.maxEntrySize&&y>this.maxEntrySize)return this.#v(t,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let u=this.#n===0?void 0:this.#s.get(t);if(u===void 0)u=this.#n===0?this.#h:this.#_.length!==0?this.#_.pop():this.#n===this.#o?this.#P(!1):this.#n,this.#i[u]=t,this.#t[u]=e,this.#s.set(t,u),this.#l[this.#h]=u,this.#u[u]=this.#h,this.#h=u,this.#n++,this.#I(u,y,o),o&&(o.set="add"),_=!1,this.#D&&!d&&this.#W?.(e,t,"add");else{this.#L(u);let p=this.#t[u];if(e!==p){if(!h)if(this.#e(p)){p!==s&&p.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=p;f!==void 0&&f!==e&&(this.#T&&this.#m?.(f,t,"set"),this.#f&&this.#r?.push([f,t,"set"]))}else this.#T&&this.#m?.(p,t,"set"),this.#f&&this.#r?.push([p,t,"set"]);if(this.#C(u),this.#I(u,y,o),this.#t[u]=e,!d){let f=p&&this.#e(p)?p.__staleWhileFetching:p,b=f===void 0?"add":e!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#D&&this.onInsert?.(e,t,b)}}else d||(o&&(o.set="update"),this.#D&&this.onInsert?.(e,t,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(_||this.#H(u,n,r),o&&this.#E(o,u)),!h&&this.#f&&this.#r){let p=this.#r,f;for(;f=p?.shift();)this.#S?.(...f)}return this}pop(){try{for(;this.#n;){let t=this.#t[this.#a];if(this.#P(!0),this.#e(t)){if(t.__staleWhileFetching)return t.__staleWhileFetching}else if(t!==void 0)return t}}finally{if(this.#f&&this.#r){let t=this.#r,e;for(;e=t?.shift();)this.#S?.(...e)}}}#P(t){let e=this.#a,i=this.#i[e],s=this.#t[e],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#m?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#C(e),this.#g?.[e]&&(clearTimeout(this.#g[e]),this.#g[e]=void 0),t&&(this.#i[e]=void 0,this.#t[e]=void 0,this.#_.push(e)),this.#n===1?(this.#a=this.#h=0,this.#_.length=0):this.#a=this.#l[e],this.#s.delete(i),this.#n--,e}has(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="has",i.key=t,i.cache=this);let s=this.#Y(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Y(t,e={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=e,n=this.#s.get(t);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#R(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(t,e={}){let{status:i=C()?{}:void 0}=e;i&&(i.op="peek",i.key=t,i.cache=this),e.status=i;let s=this.#J(t,e);return g.metrics.hasSubscribers&&g.metrics.publish(i),s}#J(t,e){let{status:i,allowStale:s=this.allowStale}=e,n=this.#s.get(t);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#G(t,e,i,s){let n=e===void 0?void 0:this.#t[e];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,S=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,S&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!S&&!b)return _(r.signal.reason,F);let w=u,m=this.#t[e];return(m===u||m===void 0&&S&&b)&&(f===void 0?w.__staleWhileFetching!==void 0?this.#t[e]=w.__staleWhileFetching:this.#v(t,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(t,f,a.options,w))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),_(f,!1)),_=(f,b)=>{let{aborted:l}=r.signal,S=l&&i.allowStaleOnFetchAbort,F=S||i.allowStaleOnFetchRejection,w=F||i.noDeleteOnFetchRejection,m=u;if(this.#t[e]===u&&(!w||!b&&m.__staleWhileFetching===void 0?this.#v(t,"fetch"):S||(this.#t[e]=m.__staleWhileFetching)),F)return i.status&&m.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),m.__staleWhileFetching;if(m.__returned===m)throw f},y=(f,b)=>{let l=this.#M?.(t,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=S=>o(S,!0)))}),l&&l instanceof Promise?l.then(S=>f(S===void 0?void 0:S),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let u=new Promise(y).then(o,d),p=Object.assign(u,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return e===void 0?(this.#O(t,p,{...a.options,status:void 0}),e=this.#s.get(t)):this.#t[e]=p,p}#e(t){if(!this.#U)return!1;let e=t;return!!e&&e instanceof Promise&&e.hasOwnProperty("__staleWhileFetching")&&e.__abortController instanceof AbortController}fetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=C()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#q(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#q(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:_=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:y=this.allowStaleOnFetchRejection,ignoreFetchAbort:u=this.ignoreFetchAbort,allowStaleOnFetchAbort:p=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:S}=e;if(l&&(l.op="fetch",l.key=t,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#x(t,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:_,allowStaleOnFetchRejection:y,allowStaleOnFetchAbort:p,ignoreFetchAbort:u,status:l,signal:S},w=this.#s.get(t);if(w===void 0){l&&(l.fetch="miss");let m=this.#G(t,w,F,f);return m.__returned=m}else{let m=this.#t[w];if(this.#e(m)){let E=i&&m.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",E&&(l.returnedStale=!0)),E?m.__staleWhileFetching:m.__returned=m}let A=this.#p(w);if(!b&&!A)return l&&(l.fetch="hit"),this.#L(w),s&&this.#R(w),l&&this.#E(l,w),m;let z=this.#G(t,w,F,f),v=z.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",v&&A&&(l.returnedStale=!0)),v?z.__staleWhileFetching:z.__returned=z}}forceFetch(t,e={}){let i=g.tracing.hasSubscribers,{status:s=C()?{}:void 0}=e;e.status=s,s&&e.context&&(s.context=e.context);let n=this.#K(t,e);return s&&i&&(s.trace=!0,g.tracing.tracePromise(()=>n,s).catch(()=>{})),n}async#K(t,e={}){let i=await this.#q(t,e);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="memo",i.key=t,e.context&&(i.context=e.context),i.cache=this);let s=this.#Q(t,e);return i&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i),s}#Q(t,e={}){let i=this.#j;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=e;n&&r&&(n.forceRefresh=!0);let a=this.#x(t,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(t,a,{options:h,context:s});return n&&(n.value=d),this.#O(t,d,h),d}get(t,e={}){let{status:i=g.metrics.hasSubscribers?{}:void 0}=e;e.status=i,i&&(i.op="get",i.key=t,i.cache=this);let s=this.#x(t,e);return i&&(s!==void 0&&(i.value=s),g.metrics.hasSubscribers&&g.metrics.publish(i)),s}#x(t,e={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=e,h=this.#s.get(t);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#E(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#v(t,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#R(h),o?a.__staleWhileFetching:a)}#B(t,e){this.#u[e]=t,this.#l[t]=e}#L(t){t!==this.#h&&(t===this.#a?this.#a=this.#l[t]:this.#B(this.#u[t],this.#l[t]),this.#B(this.#h,t),this.#h=t)}delete(t){return this.#v(t,"delete")}#v(t,e){g.metrics.hasSubscribers&&g.metrics.publish({op:"delete",delete:e,key:t,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(t);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#$(e);else{this.#C(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#m?.(n,t,e),this.#f&&this.#r?.push([n,t,e])),this.#s.delete(t),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#_.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#$("delete")}#$(t){for(let e of this.#z({allowStale:!0})){let i=this.#t[e];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[e];this.#T&&this.#m?.(i,s,t),this.#f&&this.#r?.push([i,s,t])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let e of this.#g??[])e!==void 0&&clearTimeout(e);this.#g?.fill(void 0)}if(this.#y&&this.#y.fill(0),this.#a=0,this.#h=0,this.#_.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let e=this.#r,i;for(;i=e?.shift();)this.#S?.(...i)}}};exports.LRUCache=L;
+//# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/node/perf.js b/deps/npm/node_modules/lru-cache/dist/commonjs/node/perf.js
new file mode 100644
index 00000000000000..bd4c80f461d6c1
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/node/perf.js
@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultPerf = void 0;
+exports.defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/commonjs/perf.js b/deps/npm/node_modules/lru-cache/dist/commonjs/perf.js
new file mode 100644
index 00000000000000..bd4c80f461d6c1
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/commonjs/perf.js
@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultPerf = void 0;
+exports.defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/browser/diagnostics-channel.js b/deps/npm/node_modules/lru-cache/dist/esm/browser/diagnostics-channel.js
index 08ec4d4d484b44..37524f355f050c 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/browser/diagnostics-channel.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/browser/diagnostics-channel.js
@@ -1,4 +1,4 @@
 const dummy = { hasSubscribers: false };
 export const metrics = dummy;
 export const tracing = dummy;
-//# sourceMappingURL=diagnostics-channel-browser.mjs.map
\ No newline at end of file
+//# sourceMappingURL=diagnostics-channel-browser.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/browser/index.js b/deps/npm/node_modules/lru-cache/dist/esm/browser/index.js
index 11c8cd8dfbf5cf..114a4e9908390f 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/browser/index.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/browser/index.js
@@ -2,12 +2,8 @@
  * @module LRUCache
  */
 import { metrics, tracing } from './diagnostics-channel.js';
+import { defaultPerf } from './perf.js';
 const hasSubscribers = () => metrics.hasSubscribers || tracing.hasSubscribers;
-const defaultPerf = (typeof performance === 'object' &&
-    performance &&
-    typeof performance.now === 'function') ?
-    performance
-    : Date;
 const warned = new Set();
 /* c8 ignore start */
 const PROCESS = (typeof process === 'object' && !!process ?
@@ -49,7 +45,9 @@ class ZeroArray extends Array {
     }
 }
 class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
     heap;
+    /* c8 ignore stop */
     length;
     // private constructor
     static #constructing = false;
@@ -169,6 +167,8 @@ export class LRUCache {
      * {@link LRUCache.OptionsBase.ignoreFetchAbort}
      */
     ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
     // computed properties
     #size;
     #calculatedSize;
@@ -279,7 +279,8 @@ export class LRUCache {
         return this.#disposeAfter;
     }
     constructor(options) {
-        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, perf, } = options;
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
         if (perf !== undefined) {
             if (typeof perf?.now !== 'function') {
                 throw new TypeError('perf option must have a now() method if specified');
@@ -507,12 +508,15 @@ export class LRUCache {
             sizes[index] = 0;
         };
         this.#requireSize = (k, v, size, sizeCalculation) => {
-            // provisionally accept background fetches.
-            // actual value size will be checked when they return.
-            if (this.#isBackgroundFetch(v)) {
-                return 0;
-            }
             if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
                 if (sizeCalculation) {
                     if (typeof sizeCalculation !== 'function') {
                         throw new TypeError('sizeCalculation must be a function');
@@ -879,6 +883,7 @@ export class LRUCache {
             status.key = k;
             if (v !== undefined)
                 status.value = v;
+            status.cache = this;
         }
         const result = this.#set(k, v, setOptions);
         if (status && metrics.hasSubscribers) {
@@ -886,8 +891,9 @@ export class LRUCache {
         }
         return result;
     }
-    #set(k, v, setOptions = {}) {
+    #set(k, v, setOptions, bf) {
         const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
         if (v === undefined) {
             if (status)
                 status.set = 'deleted';
@@ -895,7 +901,7 @@ export class LRUCache {
             return this;
         }
         let { noUpdateTTL = this.noUpdateTTL } = setOptions;
-        if (status && !this.#isBackgroundFetch(v))
+        if (status && !isBF)
             status.value = v;
         const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
         // if the item doesn't fit, don't do anything
@@ -927,52 +933,68 @@ export class LRUCache {
             if (status)
                 status.set = 'add';
             noUpdateTTL = false;
-            if (this.#hasOnInsert) {
+            if (this.#hasOnInsert && !isBF) {
                 this.#onInsert?.(v, k, 'add');
             }
         }
         else {
             // update
+            // might be updating a background fetch!
             this.#moveToTail(index);
             const oldVal = this.#valList[index];
             if (v !== oldVal) {
-                if (this.#hasFetchMethod && this.#isBackgroundFetch(oldVal)) {
-                    oldVal.__abortController.abort(new Error('replaced'));
-                    const { __staleWhileFetching: s } = oldVal;
-                    if (s !== undefined && !noDisposeOnSet) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
                         if (this.#hasDispose) {
-                            this.#dispose?.(s, k, 'set');
+                            this.#dispose?.(oldVal, k, 'set');
                         }
                         if (this.#hasDisposeAfter) {
-                            this.#disposed?.push([s, k, 'set']);
+                            this.#disposed?.push([oldVal, k, 'set']);
                         }
                     }
                 }
-                else if (!noDisposeOnSet) {
-                    if (this.#hasDispose) {
-                        this.#dispose?.(oldVal, k, 'set');
-                    }
-                    if (this.#hasDisposeAfter) {
-                        this.#disposed?.push([oldVal, k, 'set']);
-                    }
-                }
                 this.#removeItemSize(index);
                 this.#addItemSize(index, size, status);
                 this.#valList[index] = v;
-                if (status) {
-                    status.set = 'replace';
+                if (!isBF) {
                     const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
                         oldVal.__staleWhileFetching
                         : oldVal;
-                    if (oldValue !== undefined)
-                        status.oldValue = oldValue;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
                 }
             }
-            else if (status) {
-                status.set = 'update';
-            }
-            if (this.#hasOnInsert) {
-                this.onInsert?.(v, k, v === oldVal ? 'update' : 'replace');
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
             }
         }
         if (ttl !== 0 && !this.#ttls) {
@@ -1027,15 +1049,18 @@ export class LRUCache {
         const head = this.#head;
         const k = this.#keyList[head];
         const v = this.#valList[head];
-        if (this.#hasFetchMethod && this.#isBackgroundFetch(v)) {
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
             v.__abortController.abort(new Error('evicted'));
         }
-        else if (this.#hasDispose || this.#hasDisposeAfter) {
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
             if (this.#hasDispose) {
-                this.#dispose?.(v, k, 'evict');
+                this.#dispose?.(oldValue, k, 'evict');
             }
             if (this.#hasDisposeAfter) {
-                this.#disposed?.push([v, k, 'evict']);
+                this.#disposed?.push([oldValue, k, 'evict']);
             }
         }
         this.#removeItemSize(head);
@@ -1082,6 +1107,7 @@ export class LRUCache {
         if (status) {
             status.op = 'has';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#has(k, hasOptions);
         if (metrics.hasSubscribers)
@@ -1129,6 +1155,7 @@ export class LRUCache {
         if (status) {
             status.op = 'peek';
             status.key = k;
+            status.cache = this;
         }
         peekOptions.status = status;
         const result = this.#peek(k, peekOptions);
@@ -1211,7 +1238,7 @@ export class LRUCache {
                 else {
                     if (options.status)
                         options.status.fetchUpdated = true;
-                    this.#set(k, v, fetchOpts.options);
+                    this.#set(k, v, fetchOpts.options, bf);
                 }
             }
             return v;
@@ -1257,9 +1284,6 @@ export class LRUCache {
         };
         const pcall = (res, rej) => {
             const fmp = this.#fetchMethod?.(k, v, fetchOpts);
-            if (fmp && fmp instanceof Promise) {
-                fmp.then(v => res(v === undefined ? undefined : v), rej);
-            }
             // ignored, we go until we finish, regardless.
             // defer check until we are actually aborting,
             // so fetchMethod can override.
@@ -1272,6 +1296,12 @@ export class LRUCache {
                     }
                 }
             });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
         };
         if (options.status)
             options.status.fetchDispatched = true;
@@ -1287,6 +1317,10 @@ export class LRUCache {
             index = this.#keyMap.get(k);
         }
         else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
             this.#valList[index] = bf;
         }
         return bf;
@@ -1308,11 +1342,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#fetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1329,6 +1361,7 @@ export class LRUCache {
             status.key = k;
             if (forceRefresh)
                 status.forceRefresh = true;
+            status.cache = this;
         }
         if (!this.#hasFetchMethod) {
             if (status)
@@ -1410,11 +1443,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#forceFetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1433,6 +1464,7 @@ export class LRUCache {
             if (memoOptions.context) {
                 status.context = memoOptions.context;
             }
+            status.cache = this;
         }
         const result = this.#memo(k, memoOptions);
         if (status)
@@ -1479,6 +1511,7 @@ export class LRUCache {
         if (status) {
             status.op = 'get';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#get(k, getOptions);
         if (status) {
@@ -1577,6 +1610,7 @@ export class LRUCache {
                 op: 'delete',
                 delete: reason,
                 key: k,
+                cache: this,
             });
         }
         let deleted = false;
@@ -1657,7 +1691,7 @@ export class LRUCache {
             }
         }
         this.#keyMap.clear();
-        this.#valList.fill(undefined);
+        void this.#valList.fill(undefined);
         this.#keyList.fill(undefined);
         if (this.#ttls && this.#starts) {
             this.#ttls.fill(0);
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/browser/index.min.js b/deps/npm/node_modules/lru-cache/dist/esm/browser/index.min.js
index 50dd21a570e15f..86618ad212c13e 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/browser/index.min.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/browser/index.min.js
@@ -1,2 +1,2 @@
-var C={hasSubscribers:!1},S=C,W=C;var D=()=>S.hasSubscribers||W.hasSubscribers,I=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date,U=new Set,L=typeof process=="object"&&process?process:{},G=(u,e,t,i)=>{typeof L.emitWarning=="function"?L.emitWarning(u,e,t,i):console.error(`[${t}] ${e}: ${u}`)},P=u=>!U.has(u),V=Symbol("type"),F=u=>!!u&&u===Math.floor(u)&&u>0&&isFinite(u),j=u=>F(u)?u<=Math.pow(2,8)?Uint8Array:u<=Math.pow(2,16)?Uint16Array:u<=Math.pow(2,32)?Uint32Array:u<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class u{heap;length;static#o=!1;static create(e){let t=j(e);if(!t)return[];u.#o=!0;let i=new u(e,t);return u.#o=!1,i}constructor(e,t){if(!u.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},M=class u{#o;#u;#w;#D;#S;#M;#U;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;#n;#b;#s;#i;#t;#a;#c;#l;#h;#y;#r;#_;#F;#d;#g;#T;#W;#f;#j;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#a,prev:e.#c,get head(){return e.#l},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#u}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#U}get dispose(){return this.#w}get onInsert(){return this.#D}get disposeAfter(){return this.#S}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:o,updateAgeOnHas:r,allowStale:h,dispose:l,onInsert:c,disposeAfter:f,noDisposeOnSet:g,noUpdateTTL:p,maxSize:T=0,maxEntrySize:w=0,sizeCalculation:y,fetchMethod:a,memoMethod:m,noDeleteOnFetchRejection:_,noDeleteOnStaleGet:b,allowStaleOnFetchRejection:d,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,perf:x}=e;if(x!==void 0&&typeof x?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=x??I,t!==0&&!F(t))throw new TypeError("max option must be a nonnegative integer");let v=t?j(t):Array;if(!v)throw new Error("invalid max value: "+t);if(this.#o=t,this.#u=T,this.maxEntrySize=w||this.#u,this.sizeCalculation=y,this.sizeCalculation){if(!this.#u&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(m!==void 0&&typeof m!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#U=m,a!==void 0&&typeof a!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=a,this.#W=!!a,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#a=new v(t),this.#c=new v(t),this.#l=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof l=="function"&&(this.#w=l),typeof c=="function"&&(this.#D=c),typeof f=="function"?(this.#S=f,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#w,this.#j=!!this.#D,this.#f=!!this.#S,this.noDisposeOnSet=!!g,this.noUpdateTTL=!!p,this.noDeleteOnFetchRejection=!!_,this.allowStaleOnFetchRejection=!!d,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#u!==0&&!F(this.#u))throw new TypeError("maxSize must be a positive integer if specified");if(!F(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!h,this.noDeleteOnStaleGet=!!b,this.updateAgeOnGet=!!o,this.updateAgeOnHas=!!r,this.ttlResolution=F(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!F(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#H()}if(this.#o===0&&this.ttl===0&&this.#u===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#u){let E="LRU_CACHE_UNBOUNDED";P(E)&&(U.add(E),G("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",E,u))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#H(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#N=(r,h,l=this.#m.now())=>{t[r]=h!==0?l:0,e[r]=h,s(r,h)},this.#x=r=>{t[r]=e[r]!==0?this.#m.now():0,s(r,e[r])};let s=this.ttlAutopurge?(r,h)=>{if(i?.[r]&&(clearTimeout(i[r]),i[r]=void 0),h&&h!==0&&i){let l=setTimeout(()=>{this.#p(r)&&this.#v(this.#i[r],"expire")},h+1);l.unref&&l.unref(),i[r]=l}}:()=>{};this.#E=(r,h)=>{if(e[h]){let l=e[h],c=t[h];if(!l||!c)return;r.ttl=l,r.start=c,r.now=n||o();let f=r.now-c;r.remainingTTL=l-f}};let n=0,o=()=>{let r=this.#m.now();if(this.ttlResolution>0){n=r;let h=setTimeout(()=>n=0,this.ttlResolution);h.unref&&h.unref()}return r};this.getRemainingTTL=r=>{let h=this.#s.get(r);if(h===void 0)return 0;let l=e[h],c=t[h];if(!l||!c)return 1/0;let f=(n||o())-c;return l-f},this.#p=r=>{let h=t[r],l=e[r];return!!l&&!!h&&(n||o())-h>l}}#x=()=>{};#E=()=>{};#N=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#k=(t,i,s,n)=>{if(this.#e(i))return 0;if(!F(s))if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!F(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.");return s},this.#I=(t,i,s)=>{if(e[t]=i,this.#u){let n=this.#u-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#I=(e,t,i)=>{};#k=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#l);)t=this.#c[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#l;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#a[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#v(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let o=this.#d[t],r=this.#F[t];if(o&&r){let h=o-(this.#m.now()-r);n.ttl=h,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let o={value:n};if(this.#d&&this.#F){o.ttl=this.#d[t];let r=this.#m.now()-this.#F[t];o.start=Math.floor(Date.now()-r)}this.#_&&(o.size=this.#_[t]),e.unshift([i,o])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#O(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t));let n=this.#O(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#O(e,t,i={}){let{ttl:s=this.ttl,start:n,noDisposeOnSet:o=this.noDisposeOnSet,sizeCalculation:r=this.sizeCalculation,status:h}=i;if(t===void 0)return h&&(h.set="deleted"),this.delete(e),this;let{noUpdateTTL:l=this.noUpdateTTL}=i;h&&!this.#e(t)&&(h.value=t);let c=this.#k(e,t,i.size||0,r,h);if(this.maxEntrySize&&c>this.maxEntrySize)return this.#v(e,"set"),h&&(h.set="miss",h.maxEntrySizeExceeded=!0),this;let f=this.#n===0?void 0:this.#s.get(e);if(f===void 0)f=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[f]=e,this.#t[f]=t,this.#s.set(e,f),this.#a[this.#h]=f,this.#c[f]=this.#h,this.#h=f,this.#n++,this.#I(f,c,h),h&&(h.set="add"),l=!1,this.#j&&this.#D?.(t,e,"add");else{this.#L(f);let g=this.#t[f];if(t!==g){if(this.#W&&this.#e(g)){g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:p}=g;p!==void 0&&!o&&(this.#T&&this.#w?.(p,e,"set"),this.#f&&this.#r?.push([p,e,"set"]))}else o||(this.#T&&this.#w?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]));if(this.#R(f),this.#I(f,c,h),this.#t[f]=t,h){h.set="replace";let p=g&&this.#e(g)?g.__staleWhileFetching:g;p!==void 0&&(h.oldValue=p)}}else h&&(h.set="update");this.#j&&this.onInsert?.(t,e,t===g?"update":"replace")}if(s!==0&&!this.#d&&this.#H(),this.#d&&(l||this.#N(f,s,n),h&&this.#E(h,f)),!o&&this.#f&&this.#r){let g=this.#r,p;for(;p=g?.shift();)this.#S?.(...p)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#l];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#S?.(...t)}}}#G(e){let t=this.#l,i=this.#i[t],s=this.#t[t];return this.#W&&this.#e(s)?s.__abortController.abort(new Error("evicted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(s,i,"evict"),this.#f&&this.#r?.push([s,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#l=this.#h=0,this.#y.length=0):this.#l=this.#a[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let o=this.#t[n];if(this.#e(o)&&o.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#x(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let o=this.#t[n],r=this.#e(o)?o.__staleWhileFetching:o;return i&&(r!==void 0?(i.peek="hit",i.value=r):i.peek="miss"),r}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let o=new AbortController,{signal:r}=i;r?.addEventListener("abort",()=>o.abort(r.reason),{signal:o.signal});let h={signal:o.signal,options:i,context:s},l=(w,y=!1)=>{let{aborted:a}=o.signal,m=i.ignoreFetchAbort&&w!==void 0,_=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&w!==void 0);if(i.status&&(a&&!y?(i.status.fetchAborted=!0,i.status.fetchError=o.signal.reason,m&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),a&&!m&&!y)return f(o.signal.reason,_);let b=p,d=this.#t[t];return(d===p||d===void 0&&m&&y)&&(w===void 0?b.__staleWhileFetching!==void 0?this.#t[t]=b.__staleWhileFetching:this.#v(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(e,w,h.options))),w},c=w=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=w),f(w,!1)),f=(w,y)=>{let{aborted:a}=o.signal,m=a&&i.allowStaleOnFetchAbort,_=m||i.allowStaleOnFetchRejection,b=_||i.noDeleteOnFetchRejection,d=p;if(this.#t[t]===p&&(!b||!y&&d.__staleWhileFetching===void 0?this.#v(e,"fetch"):m||(this.#t[t]=d.__staleWhileFetching)),_)return i.status&&d.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),d.__staleWhileFetching;if(d.__returned===d)throw w},g=(w,y)=>{let a=this.#M?.(e,n,h);a&&a instanceof Promise&&a.then(m=>w(m===void 0?void 0:m),y),o.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(w(void 0),i.allowStaleOnFetchAbort&&(w=m=>l(m,!0)))})};i.status&&(i.status.fetchDispatched=!0);let p=new Promise(g).then(l,c),T=Object.assign(p,{__abortController:o,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#O(e,T,{...h.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=T,T}#e(e){if(!this.#W)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&D()&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:o=this.ttl,noDisposeOnSet:r=this.noDisposeOnSet,size:h=0,sizeCalculation:l=this.sizeCalculation,noUpdateTTL:c=this.noUpdateTTL,noDeleteOnFetchRejection:f=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:g=this.allowStaleOnFetchRejection,ignoreFetchAbort:p=this.ignoreFetchAbort,allowStaleOnFetchAbort:T=this.allowStaleOnFetchAbort,context:w,forceRefresh:y=!1,status:a,signal:m}=t;if(a&&(a.op="fetch",a.key=e,y&&(a.forceRefresh=!0)),!this.#W)return a&&(a.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:a});let _={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:o,noDisposeOnSet:r,size:h,sizeCalculation:l,noUpdateTTL:c,noDeleteOnFetchRejection:f,allowStaleOnFetchRejection:g,allowStaleOnFetchAbort:T,ignoreFetchAbort:p,status:a,signal:m},b=this.#s.get(e);if(b===void 0){a&&(a.fetch="miss");let d=this.#P(e,b,_,w);return d.__returned=d}else{let d=this.#t[b];if(this.#e(d)){let E=i&&d.__staleWhileFetching!==void 0;return a&&(a.fetch="inflight",E&&(a.returnedStale=!0)),E?d.__staleWhileFetching:d.__returned=d}let A=this.#p(b);if(!y&&!A)return a&&(a.fetch="hit"),this.#L(b),s&&this.#x(b),a&&this.#E(a,b),d;let z=this.#P(e,b,_,w),v=z.__staleWhileFetching!==void 0&&i;return a&&(a.fetch=A?"stale":"refresh",v&&A&&(a.returnedStale=!0)),v?z.__staleWhileFetching:z.__returned=z}}forceFetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&D()&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context));let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#U;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:o,...r}=t;n&&o&&(n.forceRefresh=!0);let h=this.#C(e,r),l=o||h===void 0;if(n&&(n.memo=l?"miss":"hit",l||(n.value=h)),!l)return h;let c=i(e,h,{options:r,context:s});return n&&(n.value=c),this.#O(e,c,r),c}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:o}=t,r=this.#s.get(e);if(r===void 0){o&&(o.get="miss");return}let h=this.#t[r],l=this.#e(h);return o&&this.#E(o,r),this.#p(r)?l?(o&&(o.get="stale-fetching"),i&&h.__staleWhileFetching!==void 0?(o&&(o.returnedStale=!0),h.__staleWhileFetching):void 0):(n||this.#v(e,"expire"),o&&(o.get="stale"),i?(o&&(o.returnedStale=!0),h):void 0):(o&&(o.get=l?"fetching":"hit"),this.#L(r),s&&this.#x(r),l?h.__staleWhileFetching:h)}#$(e,t){this.#c[t]=e,this.#a[e]=t}#L(e){e!==this.#h&&(e===this.#l?this.#l=this.#a[e]:this.#$(this.#c[e],this.#a[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#v(e,"delete")}#v(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#c[s];else if(s===this.#l)this.#l=this.#a[s];else{let o=this.#c[s];this.#a[o]=this.#a[s];let r=this.#a[s];this.#c[r]=this.#c[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#w?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#l=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#S?.(...i)}}};export{M as LRUCache};
+var L={hasSubscribers:!1},S=L,W=L;var M=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date;var D=()=>S.hasSubscribers||W.hasSubscribers,j=new Set,I=typeof process=="object"&&process?process:{},P=(u,e,t,i)=>{typeof I.emitWarning=="function"?I.emitWarning(u,e,t,i):console.error(`[${t}] ${e}: ${u}`)},k=u=>!j.has(u);var T=u=>!!u&&u===Math.floor(u)&&u>0&&isFinite(u),G=u=>T(u)?u<=Math.pow(2,8)?Uint8Array:u<=Math.pow(2,16)?Uint16Array:u<=Math.pow(2,32)?Uint32Array:u<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class u{heap;length;static#o=!1;static create(e){let t=G(e);if(!t)return[];u.#o=!0;let i=new u(e,t);return u.#o=!1,i}constructor(e,t){if(!u.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},U=class u{#o;#c;#S;#O;#w;#M;#I;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#U;#f;#x;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#l,prev:e.#u,get head(){return e.#a},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#I}get dispose(){return this.#S}get onInsert(){return this.#O}get disposeAfter(){return this.#w}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:y,noDisposeOnSet:_,noUpdateTTL:c,maxSize:g=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:w,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:m,allowStaleOnFetchRejection:p,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,backgroundFetchSize:C=1,perf:E}=e;if(this.backgroundFetchSize=C,E!==void 0&&typeof E?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=E??M,t!==0&&!T(t))throw new TypeError("max option must be a nonnegative integer");let v=t?G(t):Array;if(!v)throw new Error("invalid max value: "+t);if(this.#o=t,this.#c=g,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(w!==void 0&&typeof w!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#I=w,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#l=new v(t),this.#u=new v(t),this.#a=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof o=="function"&&(this.#S=o),typeof d=="function"&&(this.#O=d),typeof y=="function"?(this.#w=y,this.#r=[]):(this.#w=void 0,this.#r=void 0),this.#T=!!this.#S,this.#x=!!this.#O,this.#f=!!this.#w,this.noDisposeOnSet=!!_,this.noUpdateTTL=!!c,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!p,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!m,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let x="LRU_CACHE_UNBOUNDED";k(x)&&(j.add(x),P("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",x,u))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#k(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#m.now())=>{t[h]=a!==0?o:0,e[h]=a,s(h,a)},this.#D=h=>{t[h]=e[h]!==0?this.#m.now():0,s(h,e[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#E(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#v=(h,a)=>{if(e[a]){let o=e[a],d=t[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let y=h.now-d;h.remainingTTL=o-y}};let n=0,r=()=>{let h=this.#m.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=e[a],d=t[a];if(!o||!d)return 1/0;let y=(n||r())-d;return o-y},this.#p=h=>{let a=t[h],o=e[h];return!!o&&!!a&&(n||r())-a>o}}#D=()=>{};#v=()=>{};#H=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#N=(t,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#j=(t,i,s)=>{if(e[t]=i,this.#c){let n=this.#c-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#j=(e,t,i)=>{};#N=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#a);)t=this.#u[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#a;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#l[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#E(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[t],h=this.#F[t];if(r&&h){let a=r-(this.#m.now()-h);n.ttl=a,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[t];let h=this.#m.now()-this.#F[t];r.start=Math.floor(Date.now()-h)}this.#_&&(r.size=this.#_[t]),e.unshift([i,r])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#W(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t),s.cache=this);let n=this.#W(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#W(e,t,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(t);if(t===void 0)return o&&(o.set="deleted"),this.delete(e),this;let{noUpdateTTL:y=this.noUpdateTTL}=i;o&&!d&&(o.value=t);let _=this.#N(e,t,i.size||0,a,o);if(this.maxEntrySize&&_>this.maxEntrySize)return this.#E(e,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let c=this.#n===0?void 0:this.#s.get(e);if(c===void 0)c=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[c]=e,this.#t[c]=t,this.#s.set(e,c),this.#l[this.#h]=c,this.#u[c]=this.#h,this.#h=c,this.#n++,this.#j(c,_,o),o&&(o.set="add"),y=!1,this.#x&&!d&&this.#O?.(t,e,"add");else{this.#L(c);let g=this.#t[c];if(t!==g){if(!h)if(this.#e(g)){g!==s&&g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=g;f!==void 0&&f!==t&&(this.#T&&this.#S?.(f,e,"set"),this.#f&&this.#r?.push([f,e,"set"]))}else this.#T&&this.#S?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]);if(this.#R(c),this.#j(c,_,o),this.#t[c]=t,!d){let f=g&&this.#e(g)?g.__staleWhileFetching:g,b=f===void 0?"add":t!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#x&&this.onInsert?.(t,e,b)}}else d||(o&&(o.set="update"),this.#x&&this.onInsert?.(t,e,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(y||this.#H(c,n,r),o&&this.#v(o,c)),!h&&this.#f&&this.#r){let g=this.#r,f;for(;f=g?.shift();)this.#w?.(...f)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#a];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#w?.(...t)}}}#G(e){let t=this.#a,i=this.#i[t],s=this.#t[t],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#S?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e,i.cache=this);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#v(s,n));else return i&&this.#D(n),s&&(s.has="hit",this.#v(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e,i.cache=this),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,w=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,w&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!w&&!b)return y(r.signal.reason,F);let m=c,p=this.#t[t];return(p===c||p===void 0&&w&&b)&&(f===void 0?m.__staleWhileFetching!==void 0?this.#t[t]=m.__staleWhileFetching:this.#E(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#W(e,f,a.options,m))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),y(f,!1)),y=(f,b)=>{let{aborted:l}=r.signal,w=l&&i.allowStaleOnFetchAbort,F=w||i.allowStaleOnFetchRejection,m=F||i.noDeleteOnFetchRejection,p=c;if(this.#t[t]===c&&(!m||!b&&p.__staleWhileFetching===void 0?this.#E(e,"fetch"):w||(this.#t[t]=p.__staleWhileFetching)),F)return i.status&&p.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),p.__staleWhileFetching;if(p.__returned===p)throw f},_=(f,b)=>{let l=this.#M?.(e,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=w=>o(w,!0)))}),l&&l instanceof Promise?l.then(w=>f(w===void 0?void 0:w),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let c=new Promise(_).then(o,d),g=Object.assign(c,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#W(e,g,{...a.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=g,g}#e(e){if(!this.#U)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:y=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:_=this.allowStaleOnFetchRejection,ignoreFetchAbort:c=this.ignoreFetchAbort,allowStaleOnFetchAbort:g=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:w}=t;if(l&&(l.op="fetch",l.key=e,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:y,allowStaleOnFetchRejection:_,allowStaleOnFetchAbort:g,ignoreFetchAbort:c,status:l,signal:w},m=this.#s.get(e);if(m===void 0){l&&(l.fetch="miss");let p=this.#P(e,m,F,f);return p.__returned=p}else{let p=this.#t[m];if(this.#e(p)){let v=i&&p.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",v&&(l.returnedStale=!0)),v?p.__staleWhileFetching:p.__returned=p}let A=this.#p(m);if(!b&&!A)return l&&(l.fetch="hit"),this.#L(m),s&&this.#D(m),l&&this.#v(l,m),p;let z=this.#P(e,m,F,f),E=z.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",E&&A&&(l.returnedStale=!0)),E?z.__staleWhileFetching:z.__returned=z}}forceFetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context),i.cache=this);let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#I;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=t;n&&r&&(n.forceRefresh=!0);let a=this.#C(e,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(e,a,{options:h,context:s});return n&&(n.value=d),this.#W(e,d,h),d}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e,i.cache=this);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=t,h=this.#s.get(e);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#v(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#E(e,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#D(h),o?a.__staleWhileFetching:a)}#$(e,t){this.#u[t]=e,this.#l[e]=t}#L(e){e!==this.#h&&(e===this.#a?this.#a=this.#l[e]:this.#$(this.#u[e],this.#l[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#E(e,"delete")}#E(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#S?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#w?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#S?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#w?.(...i)}}};export{U as LRUCache};
 //# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/browser/perf.js b/deps/npm/node_modules/lru-cache/dist/esm/browser/perf.js
new file mode 100644
index 00000000000000..f21cd88c8692d7
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/esm/browser/perf.js
@@ -0,0 +1,7 @@
+export const defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/index.js b/deps/npm/node_modules/lru-cache/dist/esm/index.js
index 11c8cd8dfbf5cf..114a4e9908390f 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/index.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/index.js
@@ -2,12 +2,8 @@
  * @module LRUCache
  */
 import { metrics, tracing } from './diagnostics-channel.js';
+import { defaultPerf } from './perf.js';
 const hasSubscribers = () => metrics.hasSubscribers || tracing.hasSubscribers;
-const defaultPerf = (typeof performance === 'object' &&
-    performance &&
-    typeof performance.now === 'function') ?
-    performance
-    : Date;
 const warned = new Set();
 /* c8 ignore start */
 const PROCESS = (typeof process === 'object' && !!process ?
@@ -49,7 +45,9 @@ class ZeroArray extends Array {
     }
 }
 class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
     heap;
+    /* c8 ignore stop */
     length;
     // private constructor
     static #constructing = false;
@@ -169,6 +167,8 @@ export class LRUCache {
      * {@link LRUCache.OptionsBase.ignoreFetchAbort}
      */
     ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
     // computed properties
     #size;
     #calculatedSize;
@@ -279,7 +279,8 @@ export class LRUCache {
         return this.#disposeAfter;
     }
     constructor(options) {
-        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, perf, } = options;
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
         if (perf !== undefined) {
             if (typeof perf?.now !== 'function') {
                 throw new TypeError('perf option must have a now() method if specified');
@@ -507,12 +508,15 @@ export class LRUCache {
             sizes[index] = 0;
         };
         this.#requireSize = (k, v, size, sizeCalculation) => {
-            // provisionally accept background fetches.
-            // actual value size will be checked when they return.
-            if (this.#isBackgroundFetch(v)) {
-                return 0;
-            }
             if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
                 if (sizeCalculation) {
                     if (typeof sizeCalculation !== 'function') {
                         throw new TypeError('sizeCalculation must be a function');
@@ -879,6 +883,7 @@ export class LRUCache {
             status.key = k;
             if (v !== undefined)
                 status.value = v;
+            status.cache = this;
         }
         const result = this.#set(k, v, setOptions);
         if (status && metrics.hasSubscribers) {
@@ -886,8 +891,9 @@ export class LRUCache {
         }
         return result;
     }
-    #set(k, v, setOptions = {}) {
+    #set(k, v, setOptions, bf) {
         const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
         if (v === undefined) {
             if (status)
                 status.set = 'deleted';
@@ -895,7 +901,7 @@ export class LRUCache {
             return this;
         }
         let { noUpdateTTL = this.noUpdateTTL } = setOptions;
-        if (status && !this.#isBackgroundFetch(v))
+        if (status && !isBF)
             status.value = v;
         const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
         // if the item doesn't fit, don't do anything
@@ -927,52 +933,68 @@ export class LRUCache {
             if (status)
                 status.set = 'add';
             noUpdateTTL = false;
-            if (this.#hasOnInsert) {
+            if (this.#hasOnInsert && !isBF) {
                 this.#onInsert?.(v, k, 'add');
             }
         }
         else {
             // update
+            // might be updating a background fetch!
             this.#moveToTail(index);
             const oldVal = this.#valList[index];
             if (v !== oldVal) {
-                if (this.#hasFetchMethod && this.#isBackgroundFetch(oldVal)) {
-                    oldVal.__abortController.abort(new Error('replaced'));
-                    const { __staleWhileFetching: s } = oldVal;
-                    if (s !== undefined && !noDisposeOnSet) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
                         if (this.#hasDispose) {
-                            this.#dispose?.(s, k, 'set');
+                            this.#dispose?.(oldVal, k, 'set');
                         }
                         if (this.#hasDisposeAfter) {
-                            this.#disposed?.push([s, k, 'set']);
+                            this.#disposed?.push([oldVal, k, 'set']);
                         }
                     }
                 }
-                else if (!noDisposeOnSet) {
-                    if (this.#hasDispose) {
-                        this.#dispose?.(oldVal, k, 'set');
-                    }
-                    if (this.#hasDisposeAfter) {
-                        this.#disposed?.push([oldVal, k, 'set']);
-                    }
-                }
                 this.#removeItemSize(index);
                 this.#addItemSize(index, size, status);
                 this.#valList[index] = v;
-                if (status) {
-                    status.set = 'replace';
+                if (!isBF) {
                     const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
                         oldVal.__staleWhileFetching
                         : oldVal;
-                    if (oldValue !== undefined)
-                        status.oldValue = oldValue;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
                 }
             }
-            else if (status) {
-                status.set = 'update';
-            }
-            if (this.#hasOnInsert) {
-                this.onInsert?.(v, k, v === oldVal ? 'update' : 'replace');
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
             }
         }
         if (ttl !== 0 && !this.#ttls) {
@@ -1027,15 +1049,18 @@ export class LRUCache {
         const head = this.#head;
         const k = this.#keyList[head];
         const v = this.#valList[head];
-        if (this.#hasFetchMethod && this.#isBackgroundFetch(v)) {
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
             v.__abortController.abort(new Error('evicted'));
         }
-        else if (this.#hasDispose || this.#hasDisposeAfter) {
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
             if (this.#hasDispose) {
-                this.#dispose?.(v, k, 'evict');
+                this.#dispose?.(oldValue, k, 'evict');
             }
             if (this.#hasDisposeAfter) {
-                this.#disposed?.push([v, k, 'evict']);
+                this.#disposed?.push([oldValue, k, 'evict']);
             }
         }
         this.#removeItemSize(head);
@@ -1082,6 +1107,7 @@ export class LRUCache {
         if (status) {
             status.op = 'has';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#has(k, hasOptions);
         if (metrics.hasSubscribers)
@@ -1129,6 +1155,7 @@ export class LRUCache {
         if (status) {
             status.op = 'peek';
             status.key = k;
+            status.cache = this;
         }
         peekOptions.status = status;
         const result = this.#peek(k, peekOptions);
@@ -1211,7 +1238,7 @@ export class LRUCache {
                 else {
                     if (options.status)
                         options.status.fetchUpdated = true;
-                    this.#set(k, v, fetchOpts.options);
+                    this.#set(k, v, fetchOpts.options, bf);
                 }
             }
             return v;
@@ -1257,9 +1284,6 @@ export class LRUCache {
         };
         const pcall = (res, rej) => {
             const fmp = this.#fetchMethod?.(k, v, fetchOpts);
-            if (fmp && fmp instanceof Promise) {
-                fmp.then(v => res(v === undefined ? undefined : v), rej);
-            }
             // ignored, we go until we finish, regardless.
             // defer check until we are actually aborting,
             // so fetchMethod can override.
@@ -1272,6 +1296,12 @@ export class LRUCache {
                     }
                 }
             });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
         };
         if (options.status)
             options.status.fetchDispatched = true;
@@ -1287,6 +1317,10 @@ export class LRUCache {
             index = this.#keyMap.get(k);
         }
         else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
             this.#valList[index] = bf;
         }
         return bf;
@@ -1308,11 +1342,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#fetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1329,6 +1361,7 @@ export class LRUCache {
             status.key = k;
             if (forceRefresh)
                 status.forceRefresh = true;
+            status.cache = this;
         }
         if (!this.#hasFetchMethod) {
             if (status)
@@ -1410,11 +1443,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#forceFetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1433,6 +1464,7 @@ export class LRUCache {
             if (memoOptions.context) {
                 status.context = memoOptions.context;
             }
+            status.cache = this;
         }
         const result = this.#memo(k, memoOptions);
         if (status)
@@ -1479,6 +1511,7 @@ export class LRUCache {
         if (status) {
             status.op = 'get';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#get(k, getOptions);
         if (status) {
@@ -1577,6 +1610,7 @@ export class LRUCache {
                 op: 'delete',
                 delete: reason,
                 key: k,
+                cache: this,
             });
         }
         let deleted = false;
@@ -1657,7 +1691,7 @@ export class LRUCache {
             }
         }
         this.#keyMap.clear();
-        this.#valList.fill(undefined);
+        void this.#valList.fill(undefined);
         this.#keyList.fill(undefined);
         if (this.#ttls && this.#starts) {
             this.#ttls.fill(0);
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/index.min.js b/deps/npm/node_modules/lru-cache/dist/esm/index.min.js
index fab73dbf022822..5715ef55079b71 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/index.min.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/index.min.js
@@ -1,2 +1,2 @@
-var C={hasSubscribers:!1},S=C,A=C;import("node:diagnostics_channel").then(u=>{S=u.channel("lru-cache:metrics"),A=u.tracingChannel("lru-cache")}).catch(()=>{});var D=()=>S.hasSubscribers||A.hasSubscribers,I=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date,U=new Set,L=typeof process=="object"&&process?process:{},G=(u,e,t,i)=>{typeof L.emitWarning=="function"?L.emitWarning(u,e,t,i):console.error(`[${t}] ${e}: ${u}`)},P=u=>!U.has(u),V=Symbol("type"),F=u=>!!u&&u===Math.floor(u)&&u>0&&isFinite(u),j=u=>F(u)?u<=Math.pow(2,8)?Uint8Array:u<=Math.pow(2,16)?Uint16Array:u<=Math.pow(2,32)?Uint32Array:u<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class u{heap;length;static#o=!1;static create(e){let t=j(e);if(!t)return[];u.#o=!0;let i=new u(e,t);return u.#o=!1,i}constructor(e,t){if(!u.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},M=class u{#o;#u;#w;#D;#S;#M;#U;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;#n;#b;#s;#i;#t;#a;#c;#l;#h;#y;#r;#_;#F;#d;#g;#T;#W;#f;#j;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#a,prev:e.#c,get head(){return e.#l},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#u}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#U}get dispose(){return this.#w}get onInsert(){return this.#D}get disposeAfter(){return this.#S}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:o,updateAgeOnHas:r,allowStale:h,dispose:l,onInsert:c,disposeAfter:f,noDisposeOnSet:g,noUpdateTTL:p,maxSize:T=0,maxEntrySize:w=0,sizeCalculation:y,fetchMethod:a,memoMethod:m,noDeleteOnFetchRejection:_,noDeleteOnStaleGet:b,allowStaleOnFetchRejection:d,allowStaleOnFetchAbort:z,ignoreFetchAbort:v,perf:x}=e;if(x!==void 0&&typeof x?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=x??I,t!==0&&!F(t))throw new TypeError("max option must be a nonnegative integer");let E=t?j(t):Array;if(!E)throw new Error("invalid max value: "+t);if(this.#o=t,this.#u=T,this.maxEntrySize=w||this.#u,this.sizeCalculation=y,this.sizeCalculation){if(!this.#u&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(m!==void 0&&typeof m!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#U=m,a!==void 0&&typeof a!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=a,this.#W=!!a,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#a=new E(t),this.#c=new E(t),this.#l=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof l=="function"&&(this.#w=l),typeof c=="function"&&(this.#D=c),typeof f=="function"?(this.#S=f,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#w,this.#j=!!this.#D,this.#f=!!this.#S,this.noDisposeOnSet=!!g,this.noUpdateTTL=!!p,this.noDeleteOnFetchRejection=!!_,this.allowStaleOnFetchRejection=!!d,this.allowStaleOnFetchAbort=!!z,this.ignoreFetchAbort=!!v,this.maxEntrySize!==0){if(this.#u!==0&&!F(this.#u))throw new TypeError("maxSize must be a positive integer if specified");if(!F(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!h,this.noDeleteOnStaleGet=!!b,this.updateAgeOnGet=!!o,this.updateAgeOnHas=!!r,this.ttlResolution=F(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!F(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#H()}if(this.#o===0&&this.ttl===0&&this.#u===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#u){let W="LRU_CACHE_UNBOUNDED";P(W)&&(U.add(W),G("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",W,u))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#H(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#N=(r,h,l=this.#m.now())=>{t[r]=h!==0?l:0,e[r]=h,s(r,h)},this.#x=r=>{t[r]=e[r]!==0?this.#m.now():0,s(r,e[r])};let s=this.ttlAutopurge?(r,h)=>{if(i?.[r]&&(clearTimeout(i[r]),i[r]=void 0),h&&h!==0&&i){let l=setTimeout(()=>{this.#p(r)&&this.#v(this.#i[r],"expire")},h+1);l.unref&&l.unref(),i[r]=l}}:()=>{};this.#E=(r,h)=>{if(e[h]){let l=e[h],c=t[h];if(!l||!c)return;r.ttl=l,r.start=c,r.now=n||o();let f=r.now-c;r.remainingTTL=l-f}};let n=0,o=()=>{let r=this.#m.now();if(this.ttlResolution>0){n=r;let h=setTimeout(()=>n=0,this.ttlResolution);h.unref&&h.unref()}return r};this.getRemainingTTL=r=>{let h=this.#s.get(r);if(h===void 0)return 0;let l=e[h],c=t[h];if(!l||!c)return 1/0;let f=(n||o())-c;return l-f},this.#p=r=>{let h=t[r],l=e[r];return!!l&&!!h&&(n||o())-h>l}}#x=()=>{};#E=()=>{};#N=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#k=(t,i,s,n)=>{if(this.#e(i))return 0;if(!F(s))if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!F(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.");return s},this.#I=(t,i,s)=>{if(e[t]=i,this.#u){let n=this.#u-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#I=(e,t,i)=>{};#k=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#l);)t=this.#c[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#l;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#a[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#v(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let o=this.#d[t],r=this.#F[t];if(o&&r){let h=o-(this.#m.now()-r);n.ttl=h,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let o={value:n};if(this.#d&&this.#F){o.ttl=this.#d[t];let r=this.#m.now()-this.#F[t];o.start=Math.floor(Date.now()-r)}this.#_&&(o.size=this.#_[t]),e.unshift([i,o])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#O(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t));let n=this.#O(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#O(e,t,i={}){let{ttl:s=this.ttl,start:n,noDisposeOnSet:o=this.noDisposeOnSet,sizeCalculation:r=this.sizeCalculation,status:h}=i;if(t===void 0)return h&&(h.set="deleted"),this.delete(e),this;let{noUpdateTTL:l=this.noUpdateTTL}=i;h&&!this.#e(t)&&(h.value=t);let c=this.#k(e,t,i.size||0,r,h);if(this.maxEntrySize&&c>this.maxEntrySize)return this.#v(e,"set"),h&&(h.set="miss",h.maxEntrySizeExceeded=!0),this;let f=this.#n===0?void 0:this.#s.get(e);if(f===void 0)f=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[f]=e,this.#t[f]=t,this.#s.set(e,f),this.#a[this.#h]=f,this.#c[f]=this.#h,this.#h=f,this.#n++,this.#I(f,c,h),h&&(h.set="add"),l=!1,this.#j&&this.#D?.(t,e,"add");else{this.#L(f);let g=this.#t[f];if(t!==g){if(this.#W&&this.#e(g)){g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:p}=g;p!==void 0&&!o&&(this.#T&&this.#w?.(p,e,"set"),this.#f&&this.#r?.push([p,e,"set"]))}else o||(this.#T&&this.#w?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]));if(this.#R(f),this.#I(f,c,h),this.#t[f]=t,h){h.set="replace";let p=g&&this.#e(g)?g.__staleWhileFetching:g;p!==void 0&&(h.oldValue=p)}}else h&&(h.set="update");this.#j&&this.onInsert?.(t,e,t===g?"update":"replace")}if(s!==0&&!this.#d&&this.#H(),this.#d&&(l||this.#N(f,s,n),h&&this.#E(h,f)),!o&&this.#f&&this.#r){let g=this.#r,p;for(;p=g?.shift();)this.#S?.(...p)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#l];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#S?.(...t)}}}#G(e){let t=this.#l,i=this.#i[t],s=this.#t[t];return this.#W&&this.#e(s)?s.__abortController.abort(new Error("evicted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(s,i,"evict"),this.#f&&this.#r?.push([s,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#l=this.#h=0,this.#y.length=0):this.#l=this.#a[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let o=this.#t[n];if(this.#e(o)&&o.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#x(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let o=this.#t[n],r=this.#e(o)?o.__staleWhileFetching:o;return i&&(r!==void 0?(i.peek="hit",i.value=r):i.peek="miss"),r}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let o=new AbortController,{signal:r}=i;r?.addEventListener("abort",()=>o.abort(r.reason),{signal:o.signal});let h={signal:o.signal,options:i,context:s},l=(w,y=!1)=>{let{aborted:a}=o.signal,m=i.ignoreFetchAbort&&w!==void 0,_=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&w!==void 0);if(i.status&&(a&&!y?(i.status.fetchAborted=!0,i.status.fetchError=o.signal.reason,m&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),a&&!m&&!y)return f(o.signal.reason,_);let b=p,d=this.#t[t];return(d===p||d===void 0&&m&&y)&&(w===void 0?b.__staleWhileFetching!==void 0?this.#t[t]=b.__staleWhileFetching:this.#v(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(e,w,h.options))),w},c=w=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=w),f(w,!1)),f=(w,y)=>{let{aborted:a}=o.signal,m=a&&i.allowStaleOnFetchAbort,_=m||i.allowStaleOnFetchRejection,b=_||i.noDeleteOnFetchRejection,d=p;if(this.#t[t]===p&&(!b||!y&&d.__staleWhileFetching===void 0?this.#v(e,"fetch"):m||(this.#t[t]=d.__staleWhileFetching)),_)return i.status&&d.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),d.__staleWhileFetching;if(d.__returned===d)throw w},g=(w,y)=>{let a=this.#M?.(e,n,h);a&&a instanceof Promise&&a.then(m=>w(m===void 0?void 0:m),y),o.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(w(void 0),i.allowStaleOnFetchAbort&&(w=m=>l(m,!0)))})};i.status&&(i.status.fetchDispatched=!0);let p=new Promise(g).then(l,c),T=Object.assign(p,{__abortController:o,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#O(e,T,{...h.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=T,T}#e(e){if(!this.#W)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=A.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&D()&&i&&(s.trace=!0,A.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:o=this.ttl,noDisposeOnSet:r=this.noDisposeOnSet,size:h=0,sizeCalculation:l=this.sizeCalculation,noUpdateTTL:c=this.noUpdateTTL,noDeleteOnFetchRejection:f=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:g=this.allowStaleOnFetchRejection,ignoreFetchAbort:p=this.ignoreFetchAbort,allowStaleOnFetchAbort:T=this.allowStaleOnFetchAbort,context:w,forceRefresh:y=!1,status:a,signal:m}=t;if(a&&(a.op="fetch",a.key=e,y&&(a.forceRefresh=!0)),!this.#W)return a&&(a.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:a});let _={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:o,noDisposeOnSet:r,size:h,sizeCalculation:l,noUpdateTTL:c,noDeleteOnFetchRejection:f,allowStaleOnFetchRejection:g,allowStaleOnFetchAbort:T,ignoreFetchAbort:p,status:a,signal:m},b=this.#s.get(e);if(b===void 0){a&&(a.fetch="miss");let d=this.#P(e,b,_,w);return d.__returned=d}else{let d=this.#t[b];if(this.#e(d)){let W=i&&d.__staleWhileFetching!==void 0;return a&&(a.fetch="inflight",W&&(a.returnedStale=!0)),W?d.__staleWhileFetching:d.__returned=d}let z=this.#p(b);if(!y&&!z)return a&&(a.fetch="hit"),this.#L(b),s&&this.#x(b),a&&this.#E(a,b),d;let v=this.#P(e,b,_,w),E=v.__staleWhileFetching!==void 0&&i;return a&&(a.fetch=z?"stale":"refresh",E&&z&&(a.returnedStale=!0)),E?v.__staleWhileFetching:v.__returned=v}}forceFetch(e,t={}){let i=A.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&D()&&i&&(s.trace=!0,A.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context));let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#U;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:o,...r}=t;n&&o&&(n.forceRefresh=!0);let h=this.#C(e,r),l=o||h===void 0;if(n&&(n.memo=l?"miss":"hit",l||(n.value=h)),!l)return h;let c=i(e,h,{options:r,context:s});return n&&(n.value=c),this.#O(e,c,r),c}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:o}=t,r=this.#s.get(e);if(r===void 0){o&&(o.get="miss");return}let h=this.#t[r],l=this.#e(h);return o&&this.#E(o,r),this.#p(r)?l?(o&&(o.get="stale-fetching"),i&&h.__staleWhileFetching!==void 0?(o&&(o.returnedStale=!0),h.__staleWhileFetching):void 0):(n||this.#v(e,"expire"),o&&(o.get="stale"),i?(o&&(o.returnedStale=!0),h):void 0):(o&&(o.get=l?"fetching":"hit"),this.#L(r),s&&this.#x(r),l?h.__staleWhileFetching:h)}#$(e,t){this.#c[t]=e,this.#a[e]=t}#L(e){e!==this.#h&&(e===this.#l?this.#l=this.#a[e]:this.#$(this.#c[e],this.#a[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#v(e,"delete")}#v(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#c[s];else if(s===this.#l)this.#l=this.#a[s];else{let o=this.#c[s];this.#a[o]=this.#a[s];let r=this.#a[s];this.#c[r]=this.#c[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#w?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#l=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#S?.(...i)}}};export{M as LRUCache};
+var L={hasSubscribers:!1},S=L,A=L;import("node:diagnostics_channel").then(c=>{S=c.channel("lru-cache:metrics"),A=c.tracingChannel("lru-cache")}).catch(()=>{});var M=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date;var D=()=>S.hasSubscribers||A.hasSubscribers,j=new Set,I=typeof process=="object"&&process?process:{},P=(c,e,t,i)=>{typeof I.emitWarning=="function"?I.emitWarning(c,e,t,i):console.error(`[${t}] ${e}: ${c}`)},k=c=>!j.has(c);var T=c=>!!c&&c===Math.floor(c)&&c>0&&isFinite(c),G=c=>T(c)?c<=Math.pow(2,8)?Uint8Array:c<=Math.pow(2,16)?Uint16Array:c<=Math.pow(2,32)?Uint32Array:c<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class c{heap;length;static#o=!1;static create(e){let t=G(e);if(!t)return[];c.#o=!0;let i=new c(e,t);return c.#o=!1,i}constructor(e,t){if(!c.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},U=class c{#o;#c;#S;#O;#w;#M;#I;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#U;#f;#x;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#l,prev:e.#u,get head(){return e.#a},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#I}get dispose(){return this.#S}get onInsert(){return this.#O}get disposeAfter(){return this.#w}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:y,noDisposeOnSet:_,noUpdateTTL:u,maxSize:g=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:w,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:m,allowStaleOnFetchRejection:p,allowStaleOnFetchAbort:z,ignoreFetchAbort:E,backgroundFetchSize:C=1,perf:v}=e;if(this.backgroundFetchSize=C,v!==void 0&&typeof v?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=v??M,t!==0&&!T(t))throw new TypeError("max option must be a nonnegative integer");let W=t?G(t):Array;if(!W)throw new Error("invalid max value: "+t);if(this.#o=t,this.#c=g,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(w!==void 0&&typeof w!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#I=w,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#l=new W(t),this.#u=new W(t),this.#a=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof o=="function"&&(this.#S=o),typeof d=="function"&&(this.#O=d),typeof y=="function"?(this.#w=y,this.#r=[]):(this.#w=void 0,this.#r=void 0),this.#T=!!this.#S,this.#x=!!this.#O,this.#f=!!this.#w,this.noDisposeOnSet=!!_,this.noUpdateTTL=!!u,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!p,this.allowStaleOnFetchAbort=!!z,this.ignoreFetchAbort=!!E,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!m,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let x="LRU_CACHE_UNBOUNDED";k(x)&&(j.add(x),P("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",x,c))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#k(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#m.now())=>{t[h]=a!==0?o:0,e[h]=a,s(h,a)},this.#D=h=>{t[h]=e[h]!==0?this.#m.now():0,s(h,e[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#E(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#v=(h,a)=>{if(e[a]){let o=e[a],d=t[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let y=h.now-d;h.remainingTTL=o-y}};let n=0,r=()=>{let h=this.#m.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=e[a],d=t[a];if(!o||!d)return 1/0;let y=(n||r())-d;return o-y},this.#p=h=>{let a=t[h],o=e[h];return!!o&&!!a&&(n||r())-a>o}}#D=()=>{};#v=()=>{};#H=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#N=(t,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#j=(t,i,s)=>{if(e[t]=i,this.#c){let n=this.#c-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#j=(e,t,i)=>{};#N=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#a);)t=this.#u[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#a;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#l[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#E(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[t],h=this.#F[t];if(r&&h){let a=r-(this.#m.now()-h);n.ttl=a,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[t];let h=this.#m.now()-this.#F[t];r.start=Math.floor(Date.now()-h)}this.#_&&(r.size=this.#_[t]),e.unshift([i,r])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#W(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t),s.cache=this);let n=this.#W(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#W(e,t,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(t);if(t===void 0)return o&&(o.set="deleted"),this.delete(e),this;let{noUpdateTTL:y=this.noUpdateTTL}=i;o&&!d&&(o.value=t);let _=this.#N(e,t,i.size||0,a,o);if(this.maxEntrySize&&_>this.maxEntrySize)return this.#E(e,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let u=this.#n===0?void 0:this.#s.get(e);if(u===void 0)u=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[u]=e,this.#t[u]=t,this.#s.set(e,u),this.#l[this.#h]=u,this.#u[u]=this.#h,this.#h=u,this.#n++,this.#j(u,_,o),o&&(o.set="add"),y=!1,this.#x&&!d&&this.#O?.(t,e,"add");else{this.#L(u);let g=this.#t[u];if(t!==g){if(!h)if(this.#e(g)){g!==s&&g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=g;f!==void 0&&f!==t&&(this.#T&&this.#S?.(f,e,"set"),this.#f&&this.#r?.push([f,e,"set"]))}else this.#T&&this.#S?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]);if(this.#R(u),this.#j(u,_,o),this.#t[u]=t,!d){let f=g&&this.#e(g)?g.__staleWhileFetching:g,b=f===void 0?"add":t!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#x&&this.onInsert?.(t,e,b)}}else d||(o&&(o.set="update"),this.#x&&this.onInsert?.(t,e,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(y||this.#H(u,n,r),o&&this.#v(o,u)),!h&&this.#f&&this.#r){let g=this.#r,f;for(;f=g?.shift();)this.#w?.(...f)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#a];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#w?.(...t)}}}#G(e){let t=this.#a,i=this.#i[t],s=this.#t[t],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#S?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e,i.cache=this);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#v(s,n));else return i&&this.#D(n),s&&(s.has="hit",this.#v(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e,i.cache=this),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,w=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,w&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!w&&!b)return y(r.signal.reason,F);let m=u,p=this.#t[t];return(p===u||p===void 0&&w&&b)&&(f===void 0?m.__staleWhileFetching!==void 0?this.#t[t]=m.__staleWhileFetching:this.#E(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#W(e,f,a.options,m))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),y(f,!1)),y=(f,b)=>{let{aborted:l}=r.signal,w=l&&i.allowStaleOnFetchAbort,F=w||i.allowStaleOnFetchRejection,m=F||i.noDeleteOnFetchRejection,p=u;if(this.#t[t]===u&&(!m||!b&&p.__staleWhileFetching===void 0?this.#E(e,"fetch"):w||(this.#t[t]=p.__staleWhileFetching)),F)return i.status&&p.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),p.__staleWhileFetching;if(p.__returned===p)throw f},_=(f,b)=>{let l=this.#M?.(e,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=w=>o(w,!0)))}),l&&l instanceof Promise?l.then(w=>f(w===void 0?void 0:w),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let u=new Promise(_).then(o,d),g=Object.assign(u,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#W(e,g,{...a.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=g,g}#e(e){if(!this.#U)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=A.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&i&&(s.trace=!0,A.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:y=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:_=this.allowStaleOnFetchRejection,ignoreFetchAbort:u=this.ignoreFetchAbort,allowStaleOnFetchAbort:g=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:w}=t;if(l&&(l.op="fetch",l.key=e,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:y,allowStaleOnFetchRejection:_,allowStaleOnFetchAbort:g,ignoreFetchAbort:u,status:l,signal:w},m=this.#s.get(e);if(m===void 0){l&&(l.fetch="miss");let p=this.#P(e,m,F,f);return p.__returned=p}else{let p=this.#t[m];if(this.#e(p)){let W=i&&p.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",W&&(l.returnedStale=!0)),W?p.__staleWhileFetching:p.__returned=p}let z=this.#p(m);if(!b&&!z)return l&&(l.fetch="hit"),this.#L(m),s&&this.#D(m),l&&this.#v(l,m),p;let E=this.#P(e,m,F,f),v=E.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=z?"stale":"refresh",v&&z&&(l.returnedStale=!0)),v?E.__staleWhileFetching:E.__returned=E}}forceFetch(e,t={}){let i=A.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&i&&(s.trace=!0,A.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context),i.cache=this);let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#I;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=t;n&&r&&(n.forceRefresh=!0);let a=this.#C(e,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(e,a,{options:h,context:s});return n&&(n.value=d),this.#W(e,d,h),d}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e,i.cache=this);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=t,h=this.#s.get(e);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#v(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#E(e,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#D(h),o?a.__staleWhileFetching:a)}#$(e,t){this.#u[t]=e,this.#l[e]=t}#L(e){e!==this.#h&&(e===this.#a?this.#a=this.#l[e]:this.#$(this.#u[e],this.#l[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#E(e,"delete")}#E(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#S?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#w?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#S?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#w?.(...i)}}};export{U as LRUCache};
 //# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/node/diagnostics-channel.js b/deps/npm/node_modules/lru-cache/dist/esm/node/diagnostics-channel.js
index d6d8c48f2be7db..f37e0baac5977d 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/node/diagnostics-channel.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/node/diagnostics-channel.js
@@ -1,7 +1,6 @@
 // simple node version that imports from node builtin
-// this gets compiled to a require() commonjs-style override,
-// not using top level await on a conditional dynamic import
+// this is built to both ESM and CommonJS on the 'node' import path
 import { tracingChannel, channel } from 'node:diagnostics_channel';
 export const metrics = channel('lru-cache:metrics');
 export const tracing = tracingChannel('lru-cache');
-//# sourceMappingURL=diagnostics-channel-node.mjs.map
\ No newline at end of file
+//# sourceMappingURL=diagnostics-channel-node.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/node/index.js b/deps/npm/node_modules/lru-cache/dist/esm/node/index.js
index 11c8cd8dfbf5cf..114a4e9908390f 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/node/index.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/node/index.js
@@ -2,12 +2,8 @@
  * @module LRUCache
  */
 import { metrics, tracing } from './diagnostics-channel.js';
+import { defaultPerf } from './perf.js';
 const hasSubscribers = () => metrics.hasSubscribers || tracing.hasSubscribers;
-const defaultPerf = (typeof performance === 'object' &&
-    performance &&
-    typeof performance.now === 'function') ?
-    performance
-    : Date;
 const warned = new Set();
 /* c8 ignore start */
 const PROCESS = (typeof process === 'object' && !!process ?
@@ -49,7 +45,9 @@ class ZeroArray extends Array {
     }
 }
 class Stack {
+    /* c8 ignore start - not sure why this is showing up uncovered?? */
     heap;
+    /* c8 ignore stop */
     length;
     // private constructor
     static #constructing = false;
@@ -169,6 +167,8 @@ export class LRUCache {
      * {@link LRUCache.OptionsBase.ignoreFetchAbort}
      */
     ignoreFetchAbort;
+    /** {@link LRUCache.OptionsBase.backgroundFetchSize} */
+    backgroundFetchSize;
     // computed properties
     #size;
     #calculatedSize;
@@ -279,7 +279,8 @@ export class LRUCache {
         return this.#disposeAfter;
     }
     constructor(options) {
-        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, perf, } = options;
+        const { max = 0, ttl, ttlResolution = 1, ttlAutopurge, updateAgeOnGet, updateAgeOnHas, allowStale, dispose, onInsert, disposeAfter, noDisposeOnSet, noUpdateTTL, maxSize = 0, maxEntrySize = 0, sizeCalculation, fetchMethod, memoMethod, noDeleteOnFetchRejection, noDeleteOnStaleGet, allowStaleOnFetchRejection, allowStaleOnFetchAbort, ignoreFetchAbort, backgroundFetchSize = 1, perf, } = options;
+        this.backgroundFetchSize = backgroundFetchSize;
         if (perf !== undefined) {
             if (typeof perf?.now !== 'function') {
                 throw new TypeError('perf option must have a now() method if specified');
@@ -507,12 +508,15 @@ export class LRUCache {
             sizes[index] = 0;
         };
         this.#requireSize = (k, v, size, sizeCalculation) => {
-            // provisionally accept background fetches.
-            // actual value size will be checked when they return.
-            if (this.#isBackgroundFetch(v)) {
-                return 0;
-            }
             if (!isPosInt(size)) {
+                // provisionally accept background fetches.
+                // actual value size will be checked when they return.
+                if (this.#isBackgroundFetch(v)) {
+                    // NB: this cannot occur if v.__staleWhileFetching is set,
+                    // because in that case, it would take on the size of the
+                    // existing entry that it temporarily replaces.
+                    return this.backgroundFetchSize;
+                }
                 if (sizeCalculation) {
                     if (typeof sizeCalculation !== 'function') {
                         throw new TypeError('sizeCalculation must be a function');
@@ -879,6 +883,7 @@ export class LRUCache {
             status.key = k;
             if (v !== undefined)
                 status.value = v;
+            status.cache = this;
         }
         const result = this.#set(k, v, setOptions);
         if (status && metrics.hasSubscribers) {
@@ -886,8 +891,9 @@ export class LRUCache {
         }
         return result;
     }
-    #set(k, v, setOptions = {}) {
+    #set(k, v, setOptions, bf) {
         const { ttl = this.ttl, start, noDisposeOnSet = this.noDisposeOnSet, sizeCalculation = this.sizeCalculation, status, } = setOptions;
+        const isBF = this.#isBackgroundFetch(v);
         if (v === undefined) {
             if (status)
                 status.set = 'deleted';
@@ -895,7 +901,7 @@ export class LRUCache {
             return this;
         }
         let { noUpdateTTL = this.noUpdateTTL } = setOptions;
-        if (status && !this.#isBackgroundFetch(v))
+        if (status && !isBF)
             status.value = v;
         const size = this.#requireSize(k, v, setOptions.size || 0, sizeCalculation, status);
         // if the item doesn't fit, don't do anything
@@ -927,52 +933,68 @@ export class LRUCache {
             if (status)
                 status.set = 'add';
             noUpdateTTL = false;
-            if (this.#hasOnInsert) {
+            if (this.#hasOnInsert && !isBF) {
                 this.#onInsert?.(v, k, 'add');
             }
         }
         else {
             // update
+            // might be updating a background fetch!
             this.#moveToTail(index);
             const oldVal = this.#valList[index];
             if (v !== oldVal) {
-                if (this.#hasFetchMethod && this.#isBackgroundFetch(oldVal)) {
-                    oldVal.__abortController.abort(new Error('replaced'));
-                    const { __staleWhileFetching: s } = oldVal;
-                    if (s !== undefined && !noDisposeOnSet) {
+                if (!noDisposeOnSet) {
+                    if (this.#isBackgroundFetch(oldVal)) {
+                        if (oldVal !== bf) {
+                            // setting over a background fetch, not merely resolving it.
+                            oldVal.__abortController.abort(new Error('replaced'));
+                        }
+                        const { __staleWhileFetching: s } = oldVal;
+                        if (s !== undefined && s !== v) {
+                            if (this.#hasDispose) {
+                                this.#dispose?.(s, k, 'set');
+                            }
+                            if (this.#hasDisposeAfter) {
+                                this.#disposed?.push([s, k, 'set']);
+                            }
+                        }
+                    }
+                    else {
                         if (this.#hasDispose) {
-                            this.#dispose?.(s, k, 'set');
+                            this.#dispose?.(oldVal, k, 'set');
                         }
                         if (this.#hasDisposeAfter) {
-                            this.#disposed?.push([s, k, 'set']);
+                            this.#disposed?.push([oldVal, k, 'set']);
                         }
                     }
                 }
-                else if (!noDisposeOnSet) {
-                    if (this.#hasDispose) {
-                        this.#dispose?.(oldVal, k, 'set');
-                    }
-                    if (this.#hasDisposeAfter) {
-                        this.#disposed?.push([oldVal, k, 'set']);
-                    }
-                }
                 this.#removeItemSize(index);
                 this.#addItemSize(index, size, status);
                 this.#valList[index] = v;
-                if (status) {
-                    status.set = 'replace';
+                if (!isBF) {
                     const oldValue = oldVal && this.#isBackgroundFetch(oldVal) ?
                         oldVal.__staleWhileFetching
                         : oldVal;
-                    if (oldValue !== undefined)
-                        status.oldValue = oldValue;
+                    const setType = oldValue === undefined ? 'add'
+                        : v !== oldValue ? 'replace'
+                            : 'update';
+                    if (status) {
+                        status.set = setType;
+                        if (oldValue !== undefined)
+                            status.oldValue = oldValue;
+                    }
+                    if (this.#hasOnInsert) {
+                        this.onInsert?.(v, k, setType);
+                    }
                 }
             }
-            else if (status) {
-                status.set = 'update';
-            }
-            if (this.#hasOnInsert) {
-                this.onInsert?.(v, k, v === oldVal ? 'update' : 'replace');
+            else if (!isBF) {
+                if (status) {
+                    status.set = 'update';
+                }
+                if (this.#hasOnInsert) {
+                    this.onInsert?.(v, k, 'update');
+                }
             }
         }
         if (ttl !== 0 && !this.#ttls) {
@@ -1027,15 +1049,18 @@ export class LRUCache {
         const head = this.#head;
         const k = this.#keyList[head];
         const v = this.#valList[head];
-        if (this.#hasFetchMethod && this.#isBackgroundFetch(v)) {
+        const isBF = this.#isBackgroundFetch(v);
+        if (isBF) {
             v.__abortController.abort(new Error('evicted'));
         }
-        else if (this.#hasDispose || this.#hasDisposeAfter) {
+        const oldValue = isBF ? v.__staleWhileFetching : v;
+        if ((this.#hasDispose || this.#hasDisposeAfter) &&
+            oldValue !== undefined) {
             if (this.#hasDispose) {
-                this.#dispose?.(v, k, 'evict');
+                this.#dispose?.(oldValue, k, 'evict');
             }
             if (this.#hasDisposeAfter) {
-                this.#disposed?.push([v, k, 'evict']);
+                this.#disposed?.push([oldValue, k, 'evict']);
             }
         }
         this.#removeItemSize(head);
@@ -1082,6 +1107,7 @@ export class LRUCache {
         if (status) {
             status.op = 'has';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#has(k, hasOptions);
         if (metrics.hasSubscribers)
@@ -1129,6 +1155,7 @@ export class LRUCache {
         if (status) {
             status.op = 'peek';
             status.key = k;
+            status.cache = this;
         }
         peekOptions.status = status;
         const result = this.#peek(k, peekOptions);
@@ -1211,7 +1238,7 @@ export class LRUCache {
                 else {
                     if (options.status)
                         options.status.fetchUpdated = true;
-                    this.#set(k, v, fetchOpts.options);
+                    this.#set(k, v, fetchOpts.options, bf);
                 }
             }
             return v;
@@ -1257,9 +1284,6 @@ export class LRUCache {
         };
         const pcall = (res, rej) => {
             const fmp = this.#fetchMethod?.(k, v, fetchOpts);
-            if (fmp && fmp instanceof Promise) {
-                fmp.then(v => res(v === undefined ? undefined : v), rej);
-            }
             // ignored, we go until we finish, regardless.
             // defer check until we are actually aborting,
             // so fetchMethod can override.
@@ -1272,6 +1296,12 @@ export class LRUCache {
                     }
                 }
             });
+            if (fmp && fmp instanceof Promise) {
+                fmp.then(v => res(v === undefined ? undefined : v), rej);
+            }
+            else if (fmp !== undefined) {
+                res(fmp);
+            }
         };
         if (options.status)
             options.status.fetchDispatched = true;
@@ -1287,6 +1317,10 @@ export class LRUCache {
             index = this.#keyMap.get(k);
         }
         else {
+            // do not call #set, because we do not want to adjust its place
+            // in the lru queue, as it has not yet been "used". Also, we don't
+            // need to worry about evicting for size, because a background fetch
+            // over a stale value is treated as the same size as its stale value.
             this.#valList[index] = bf;
         }
         return bf;
@@ -1308,11 +1342,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#fetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1329,6 +1361,7 @@ export class LRUCache {
             status.key = k;
             if (forceRefresh)
                 status.forceRefresh = true;
+            status.cache = this;
         }
         if (!this.#hasFetchMethod) {
             if (status)
@@ -1410,11 +1443,9 @@ export class LRUCache {
             status.context = fetchOptions.context;
         }
         const p = this.#forceFetch(k, fetchOptions);
-        if (status && hasSubscribers()) {
-            if (ths) {
-                status.trace = true;
-                tracing.tracePromise(() => p, status).catch(() => { });
-            }
+        if (status && ths) {
+            status.trace = true;
+            tracing.tracePromise(() => p, status).catch(() => { });
         }
         return p;
     }
@@ -1433,6 +1464,7 @@ export class LRUCache {
             if (memoOptions.context) {
                 status.context = memoOptions.context;
             }
+            status.cache = this;
         }
         const result = this.#memo(k, memoOptions);
         if (status)
@@ -1479,6 +1511,7 @@ export class LRUCache {
         if (status) {
             status.op = 'get';
             status.key = k;
+            status.cache = this;
         }
         const result = this.#get(k, getOptions);
         if (status) {
@@ -1577,6 +1610,7 @@ export class LRUCache {
                 op: 'delete',
                 delete: reason,
                 key: k,
+                cache: this,
             });
         }
         let deleted = false;
@@ -1657,7 +1691,7 @@ export class LRUCache {
             }
         }
         this.#keyMap.clear();
-        this.#valList.fill(undefined);
+        void this.#valList.fill(undefined);
         this.#keyList.fill(undefined);
         if (this.#ttls && this.#starts) {
             this.#ttls.fill(0);
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/node/index.min.js b/deps/npm/node_modules/lru-cache/dist/esm/node/index.min.js
index bd92365ef37894..84c4c3ec14ffa3 100644
--- a/deps/npm/node_modules/lru-cache/dist/esm/node/index.min.js
+++ b/deps/npm/node_modules/lru-cache/dist/esm/node/index.min.js
@@ -1,2 +1,2 @@
-import{tracingChannel as j,channel as I}from"node:diagnostics_channel";var S=I("lru-cache:metrics"),W=j("lru-cache");var D=()=>S.hasSubscribers||W.hasSubscribers,G=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date,M=new Set,C=typeof process=="object"&&process?process:{},P=(u,e,t,i)=>{typeof C.emitWarning=="function"?C.emitWarning(u,e,t,i):console.error(`[${t}] ${e}: ${u}`)},H=u=>!M.has(u),$=Symbol("type"),F=u=>!!u&&u===Math.floor(u)&&u>0&&isFinite(u),U=u=>F(u)?u<=Math.pow(2,8)?Uint8Array:u<=Math.pow(2,16)?Uint16Array:u<=Math.pow(2,32)?Uint32Array:u<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class u{heap;length;static#o=!1;static create(e){let t=U(e);if(!t)return[];u.#o=!0;let i=new u(e,t);return u.#o=!1,i}constructor(e,t){if(!u.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},L=class u{#o;#u;#w;#D;#S;#M;#U;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;#n;#b;#s;#i;#t;#a;#c;#l;#h;#y;#r;#_;#F;#d;#g;#T;#W;#f;#j;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#a,prev:e.#c,get head(){return e.#l},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#u}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#U}get dispose(){return this.#w}get onInsert(){return this.#D}get disposeAfter(){return this.#S}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:o,updateAgeOnHas:r,allowStale:h,dispose:l,onInsert:c,disposeAfter:f,noDisposeOnSet:g,noUpdateTTL:p,maxSize:T=0,maxEntrySize:w=0,sizeCalculation:y,fetchMethod:a,memoMethod:m,noDeleteOnFetchRejection:_,noDeleteOnStaleGet:b,allowStaleOnFetchRejection:d,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,perf:x}=e;if(x!==void 0&&typeof x?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=x??G,t!==0&&!F(t))throw new TypeError("max option must be a nonnegative integer");let v=t?U(t):Array;if(!v)throw new Error("invalid max value: "+t);if(this.#o=t,this.#u=T,this.maxEntrySize=w||this.#u,this.sizeCalculation=y,this.sizeCalculation){if(!this.#u&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(m!==void 0&&typeof m!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#U=m,a!==void 0&&typeof a!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=a,this.#W=!!a,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#a=new v(t),this.#c=new v(t),this.#l=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof l=="function"&&(this.#w=l),typeof c=="function"&&(this.#D=c),typeof f=="function"?(this.#S=f,this.#r=[]):(this.#S=void 0,this.#r=void 0),this.#T=!!this.#w,this.#j=!!this.#D,this.#f=!!this.#S,this.noDisposeOnSet=!!g,this.noUpdateTTL=!!p,this.noDeleteOnFetchRejection=!!_,this.allowStaleOnFetchRejection=!!d,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#u!==0&&!F(this.#u))throw new TypeError("maxSize must be a positive integer if specified");if(!F(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!h,this.noDeleteOnStaleGet=!!b,this.updateAgeOnGet=!!o,this.updateAgeOnHas=!!r,this.ttlResolution=F(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!F(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#H()}if(this.#o===0&&this.ttl===0&&this.#u===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#u){let E="LRU_CACHE_UNBOUNDED";H(E)&&(M.add(E),P("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",E,u))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#H(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#N=(r,h,l=this.#m.now())=>{t[r]=h!==0?l:0,e[r]=h,s(r,h)},this.#x=r=>{t[r]=e[r]!==0?this.#m.now():0,s(r,e[r])};let s=this.ttlAutopurge?(r,h)=>{if(i?.[r]&&(clearTimeout(i[r]),i[r]=void 0),h&&h!==0&&i){let l=setTimeout(()=>{this.#p(r)&&this.#v(this.#i[r],"expire")},h+1);l.unref&&l.unref(),i[r]=l}}:()=>{};this.#E=(r,h)=>{if(e[h]){let l=e[h],c=t[h];if(!l||!c)return;r.ttl=l,r.start=c,r.now=n||o();let f=r.now-c;r.remainingTTL=l-f}};let n=0,o=()=>{let r=this.#m.now();if(this.ttlResolution>0){n=r;let h=setTimeout(()=>n=0,this.ttlResolution);h.unref&&h.unref()}return r};this.getRemainingTTL=r=>{let h=this.#s.get(r);if(h===void 0)return 0;let l=e[h],c=t[h];if(!l||!c)return 1/0;let f=(n||o())-c;return l-f},this.#p=r=>{let h=t[r],l=e[r];return!!l&&!!h&&(n||o())-h>l}}#x=()=>{};#E=()=>{};#N=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#k=(t,i,s,n)=>{if(this.#e(i))return 0;if(!F(s))if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!F(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.");return s},this.#I=(t,i,s)=>{if(e[t]=i,this.#u){let n=this.#u-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#I=(e,t,i)=>{};#k=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#l);)t=this.#c[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#l;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#a[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#v(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let o=this.#d[t],r=this.#F[t];if(o&&r){let h=o-(this.#m.now()-r);n.ttl=h,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let o={value:n};if(this.#d&&this.#F){o.ttl=this.#d[t];let r=this.#m.now()-this.#F[t];o.start=Math.floor(Date.now()-r)}this.#_&&(o.size=this.#_[t]),e.unshift([i,o])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#O(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t));let n=this.#O(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#O(e,t,i={}){let{ttl:s=this.ttl,start:n,noDisposeOnSet:o=this.noDisposeOnSet,sizeCalculation:r=this.sizeCalculation,status:h}=i;if(t===void 0)return h&&(h.set="deleted"),this.delete(e),this;let{noUpdateTTL:l=this.noUpdateTTL}=i;h&&!this.#e(t)&&(h.value=t);let c=this.#k(e,t,i.size||0,r,h);if(this.maxEntrySize&&c>this.maxEntrySize)return this.#v(e,"set"),h&&(h.set="miss",h.maxEntrySizeExceeded=!0),this;let f=this.#n===0?void 0:this.#s.get(e);if(f===void 0)f=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[f]=e,this.#t[f]=t,this.#s.set(e,f),this.#a[this.#h]=f,this.#c[f]=this.#h,this.#h=f,this.#n++,this.#I(f,c,h),h&&(h.set="add"),l=!1,this.#j&&this.#D?.(t,e,"add");else{this.#L(f);let g=this.#t[f];if(t!==g){if(this.#W&&this.#e(g)){g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:p}=g;p!==void 0&&!o&&(this.#T&&this.#w?.(p,e,"set"),this.#f&&this.#r?.push([p,e,"set"]))}else o||(this.#T&&this.#w?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]));if(this.#R(f),this.#I(f,c,h),this.#t[f]=t,h){h.set="replace";let p=g&&this.#e(g)?g.__staleWhileFetching:g;p!==void 0&&(h.oldValue=p)}}else h&&(h.set="update");this.#j&&this.onInsert?.(t,e,t===g?"update":"replace")}if(s!==0&&!this.#d&&this.#H(),this.#d&&(l||this.#N(f,s,n),h&&this.#E(h,f)),!o&&this.#f&&this.#r){let g=this.#r,p;for(;p=g?.shift();)this.#S?.(...p)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#l];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#S?.(...t)}}}#G(e){let t=this.#l,i=this.#i[t],s=this.#t[t];return this.#W&&this.#e(s)?s.__abortController.abort(new Error("evicted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(s,i,"evict"),this.#f&&this.#r?.push([s,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#l=this.#h=0,this.#y.length=0):this.#l=this.#a[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let o=this.#t[n];if(this.#e(o)&&o.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#E(s,n));else return i&&this.#x(n),s&&(s.has="hit",this.#E(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let o=this.#t[n],r=this.#e(o)?o.__staleWhileFetching:o;return i&&(r!==void 0?(i.peek="hit",i.value=r):i.peek="miss"),r}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let o=new AbortController,{signal:r}=i;r?.addEventListener("abort",()=>o.abort(r.reason),{signal:o.signal});let h={signal:o.signal,options:i,context:s},l=(w,y=!1)=>{let{aborted:a}=o.signal,m=i.ignoreFetchAbort&&w!==void 0,_=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&w!==void 0);if(i.status&&(a&&!y?(i.status.fetchAborted=!0,i.status.fetchError=o.signal.reason,m&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),a&&!m&&!y)return f(o.signal.reason,_);let b=p,d=this.#t[t];return(d===p||d===void 0&&m&&y)&&(w===void 0?b.__staleWhileFetching!==void 0?this.#t[t]=b.__staleWhileFetching:this.#v(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#O(e,w,h.options))),w},c=w=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=w),f(w,!1)),f=(w,y)=>{let{aborted:a}=o.signal,m=a&&i.allowStaleOnFetchAbort,_=m||i.allowStaleOnFetchRejection,b=_||i.noDeleteOnFetchRejection,d=p;if(this.#t[t]===p&&(!b||!y&&d.__staleWhileFetching===void 0?this.#v(e,"fetch"):m||(this.#t[t]=d.__staleWhileFetching)),_)return i.status&&d.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),d.__staleWhileFetching;if(d.__returned===d)throw w},g=(w,y)=>{let a=this.#M?.(e,n,h);a&&a instanceof Promise&&a.then(m=>w(m===void 0?void 0:m),y),o.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(w(void 0),i.allowStaleOnFetchAbort&&(w=m=>l(m,!0)))})};i.status&&(i.status.fetchDispatched=!0);let p=new Promise(g).then(l,c),T=Object.assign(p,{__abortController:o,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#O(e,T,{...h.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=T,T}#e(e){if(!this.#W)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&D()&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:o=this.ttl,noDisposeOnSet:r=this.noDisposeOnSet,size:h=0,sizeCalculation:l=this.sizeCalculation,noUpdateTTL:c=this.noUpdateTTL,noDeleteOnFetchRejection:f=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:g=this.allowStaleOnFetchRejection,ignoreFetchAbort:p=this.ignoreFetchAbort,allowStaleOnFetchAbort:T=this.allowStaleOnFetchAbort,context:w,forceRefresh:y=!1,status:a,signal:m}=t;if(a&&(a.op="fetch",a.key=e,y&&(a.forceRefresh=!0)),!this.#W)return a&&(a.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:a});let _={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:o,noDisposeOnSet:r,size:h,sizeCalculation:l,noUpdateTTL:c,noDeleteOnFetchRejection:f,allowStaleOnFetchRejection:g,allowStaleOnFetchAbort:T,ignoreFetchAbort:p,status:a,signal:m},b=this.#s.get(e);if(b===void 0){a&&(a.fetch="miss");let d=this.#P(e,b,_,w);return d.__returned=d}else{let d=this.#t[b];if(this.#e(d)){let E=i&&d.__staleWhileFetching!==void 0;return a&&(a.fetch="inflight",E&&(a.returnedStale=!0)),E?d.__staleWhileFetching:d.__returned=d}let A=this.#p(b);if(!y&&!A)return a&&(a.fetch="hit"),this.#L(b),s&&this.#x(b),a&&this.#E(a,b),d;let z=this.#P(e,b,_,w),v=z.__staleWhileFetching!==void 0&&i;return a&&(a.fetch=A?"stale":"refresh",v&&A&&(a.returnedStale=!0)),v?z.__staleWhileFetching:z.__returned=z}}forceFetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&D()&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context));let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#U;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:o,...r}=t;n&&o&&(n.forceRefresh=!0);let h=this.#C(e,r),l=o||h===void 0;if(n&&(n.memo=l?"miss":"hit",l||(n.value=h)),!l)return h;let c=i(e,h,{options:r,context:s});return n&&(n.value=c),this.#O(e,c,r),c}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:o}=t,r=this.#s.get(e);if(r===void 0){o&&(o.get="miss");return}let h=this.#t[r],l=this.#e(h);return o&&this.#E(o,r),this.#p(r)?l?(o&&(o.get="stale-fetching"),i&&h.__staleWhileFetching!==void 0?(o&&(o.returnedStale=!0),h.__staleWhileFetching):void 0):(n||this.#v(e,"expire"),o&&(o.get="stale"),i?(o&&(o.returnedStale=!0),h):void 0):(o&&(o.get=l?"fetching":"hit"),this.#L(r),s&&this.#x(r),l?h.__staleWhileFetching:h)}#$(e,t){this.#c[t]=e,this.#a[e]=t}#L(e){e!==this.#h&&(e===this.#l?this.#l=this.#a[e]:this.#$(this.#c[e],this.#a[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#v(e,"delete")}#v(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#w?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#c[s];else if(s===this.#l)this.#l=this.#a[s];else{let o=this.#c[s];this.#a[o]=this.#a[s];let r=this.#a[s];this.#c[r]=this.#c[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#S?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#w?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#l=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#S?.(...i)}}};export{L as LRUCache};
+import{tracingChannel as G,channel as P}from"node:diagnostics_channel";var S=P("lru-cache:metrics"),W=G("lru-cache");var L=typeof performance=="object"&&performance&&typeof performance.now=="function"?performance:Date;var D=()=>S.hasSubscribers||W.hasSubscribers,U=new Set,M=typeof process=="object"&&process?process:{},k=(u,e,t,i)=>{typeof M.emitWarning=="function"?M.emitWarning(u,e,t,i):console.error(`[${t}] ${e}: ${u}`)},H=u=>!U.has(u);var T=u=>!!u&&u===Math.floor(u)&&u>0&&isFinite(u),j=u=>T(u)?u<=Math.pow(2,8)?Uint8Array:u<=Math.pow(2,16)?Uint16Array:u<=Math.pow(2,32)?Uint32Array:u<=Number.MAX_SAFE_INTEGER?O:null:null,O=class extends Array{constructor(e){super(e),this.fill(0)}},R=class u{heap;length;static#o=!1;static create(e){let t=j(e);if(!t)return[];u.#o=!0;let i=new u(e,t);return u.#o=!1,i}constructor(e,t){if(!u.#o)throw new TypeError("instantiate Stack using Stack.create(n)");this.heap=new t(e),this.length=0}push(e){this.heap[this.length++]=e}pop(){return this.heap[--this.length]}},I=class u{#o;#c;#S;#O;#w;#M;#I;#m;get perf(){return this.#m}ttl;ttlResolution;ttlAutopurge;updateAgeOnGet;updateAgeOnHas;allowStale;noDisposeOnSet;noUpdateTTL;maxEntrySize;sizeCalculation;noDeleteOnFetchRejection;noDeleteOnStaleGet;allowStaleOnFetchAbort;allowStaleOnFetchRejection;ignoreFetchAbort;backgroundFetchSize;#n;#b;#s;#i;#t;#l;#u;#a;#h;#y;#r;#_;#F;#d;#g;#T;#U;#f;#x;static unsafeExposeInternals(e){return{starts:e.#F,ttls:e.#d,autopurgeTimers:e.#g,sizes:e.#_,keyMap:e.#s,keyList:e.#i,valList:e.#t,next:e.#l,prev:e.#u,get head(){return e.#a},get tail(){return e.#h},free:e.#y,isBackgroundFetch:t=>e.#e(t),backgroundFetch:(t,i,s,n)=>e.#P(t,i,s,n),moveToTail:t=>e.#L(t),indexes:t=>e.#A(t),rindexes:t=>e.#z(t),isStale:t=>e.#p(t)}}get max(){return this.#o}get maxSize(){return this.#c}get calculatedSize(){return this.#b}get size(){return this.#n}get fetchMethod(){return this.#M}get memoMethod(){return this.#I}get dispose(){return this.#S}get onInsert(){return this.#O}get disposeAfter(){return this.#w}constructor(e){let{max:t=0,ttl:i,ttlResolution:s=1,ttlAutopurge:n,updateAgeOnGet:r,updateAgeOnHas:h,allowStale:a,dispose:o,onInsert:d,disposeAfter:y,noDisposeOnSet:_,noUpdateTTL:c,maxSize:g=0,maxEntrySize:f=0,sizeCalculation:b,fetchMethod:l,memoMethod:w,noDeleteOnFetchRejection:F,noDeleteOnStaleGet:m,allowStaleOnFetchRejection:p,allowStaleOnFetchAbort:A,ignoreFetchAbort:z,backgroundFetchSize:C=1,perf:E}=e;if(this.backgroundFetchSize=C,E!==void 0&&typeof E?.now!="function")throw new TypeError("perf option must have a now() method if specified");if(this.#m=E??L,t!==0&&!T(t))throw new TypeError("max option must be a nonnegative integer");let v=t?j(t):Array;if(!v)throw new Error("invalid max value: "+t);if(this.#o=t,this.#c=g,this.maxEntrySize=f||this.#c,this.sizeCalculation=b,this.sizeCalculation){if(!this.#c&&!this.maxEntrySize)throw new TypeError("cannot set sizeCalculation without setting maxSize or maxEntrySize");if(typeof this.sizeCalculation!="function")throw new TypeError("sizeCalculation set to non-function")}if(w!==void 0&&typeof w!="function")throw new TypeError("memoMethod must be a function if defined");if(this.#I=w,l!==void 0&&typeof l!="function")throw new TypeError("fetchMethod must be a function if specified");if(this.#M=l,this.#U=!!l,this.#s=new Map,this.#i=Array.from({length:t}).fill(void 0),this.#t=Array.from({length:t}).fill(void 0),this.#l=new v(t),this.#u=new v(t),this.#a=0,this.#h=0,this.#y=R.create(t),this.#n=0,this.#b=0,typeof o=="function"&&(this.#S=o),typeof d=="function"&&(this.#O=d),typeof y=="function"?(this.#w=y,this.#r=[]):(this.#w=void 0,this.#r=void 0),this.#T=!!this.#S,this.#x=!!this.#O,this.#f=!!this.#w,this.noDisposeOnSet=!!_,this.noUpdateTTL=!!c,this.noDeleteOnFetchRejection=!!F,this.allowStaleOnFetchRejection=!!p,this.allowStaleOnFetchAbort=!!A,this.ignoreFetchAbort=!!z,this.maxEntrySize!==0){if(this.#c!==0&&!T(this.#c))throw new TypeError("maxSize must be a positive integer if specified");if(!T(this.maxEntrySize))throw new TypeError("maxEntrySize must be a positive integer if specified");this.#X()}if(this.allowStale=!!a,this.noDeleteOnStaleGet=!!m,this.updateAgeOnGet=!!r,this.updateAgeOnHas=!!h,this.ttlResolution=T(s)||s===0?s:1,this.ttlAutopurge=!!n,this.ttl=i||0,this.ttl){if(!T(this.ttl))throw new TypeError("ttl must be a positive integer if specified");this.#k()}if(this.#o===0&&this.ttl===0&&this.#c===0)throw new TypeError("At least one of max, maxSize, or ttl is required");if(!this.ttlAutopurge&&!this.#o&&!this.#c){let x="LRU_CACHE_UNBOUNDED";H(x)&&(U.add(x),k("TTL caching without ttlAutopurge, max, or maxSize can result in unbounded memory consumption.","UnboundedCacheWarning",x,u))}}getRemainingTTL(e){return this.#s.has(e)?1/0:0}#k(){let e=new O(this.#o),t=new O(this.#o);this.#d=e,this.#F=t;let i=this.ttlAutopurge?Array.from({length:this.#o}):void 0;this.#g=i,this.#H=(h,a,o=this.#m.now())=>{t[h]=a!==0?o:0,e[h]=a,s(h,a)},this.#D=h=>{t[h]=e[h]!==0?this.#m.now():0,s(h,e[h])};let s=this.ttlAutopurge?(h,a)=>{if(i?.[h]&&(clearTimeout(i[h]),i[h]=void 0),a&&a!==0&&i){let o=setTimeout(()=>{this.#p(h)&&this.#E(this.#i[h],"expire")},a+1);o.unref&&o.unref(),i[h]=o}}:()=>{};this.#v=(h,a)=>{if(e[a]){let o=e[a],d=t[a];if(!o||!d)return;h.ttl=o,h.start=d,h.now=n||r();let y=h.now-d;h.remainingTTL=o-y}};let n=0,r=()=>{let h=this.#m.now();if(this.ttlResolution>0){n=h;let a=setTimeout(()=>n=0,this.ttlResolution);a.unref&&a.unref()}return h};this.getRemainingTTL=h=>{let a=this.#s.get(h);if(a===void 0)return 0;let o=e[a],d=t[a];if(!o||!d)return 1/0;let y=(n||r())-d;return o-y},this.#p=h=>{let a=t[h],o=e[h];return!!o&&!!a&&(n||r())-a>o}}#D=()=>{};#v=()=>{};#H=()=>{};#p=()=>!1;#X(){let e=new O(this.#o);this.#b=0,this.#_=e,this.#R=t=>{this.#b-=e[t],e[t]=0},this.#N=(t,i,s,n)=>{if(!T(s)){if(this.#e(i))return this.backgroundFetchSize;if(n){if(typeof n!="function")throw new TypeError("sizeCalculation must be a function");if(s=n(i,t),!T(s))throw new TypeError("sizeCalculation return invalid (expect positive integer)")}else throw new TypeError("invalid size value (must be positive integer). When maxSize or maxEntrySize is used, sizeCalculation or size must be set.")}return s},this.#j=(t,i,s)=>{if(e[t]=i,this.#c){let n=this.#c-e[t];for(;this.#b>n;)this.#G(!0)}this.#b+=e[t],s&&(s.entrySize=i,s.totalCalculatedSize=this.#b)}}#R=e=>{};#j=(e,t,i)=>{};#N=(e,t,i,s)=>{if(i||s)throw new TypeError("cannot set size without setting maxSize or maxEntrySize on cache");return 0};*#A({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#h;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#a);)t=this.#u[t]}*#z({allowStale:e=this.allowStale}={}){if(this.#n)for(let t=this.#a;this.#V(t)&&((e||!this.#p(t))&&(yield t),t!==this.#h);)t=this.#l[t]}#V(e){return e!==void 0&&this.#s.get(this.#i[e])===e}*entries(){for(let e of this.#A())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*rentries(){for(let e of this.#z())this.#t[e]!==void 0&&this.#i[e]!==void 0&&!this.#e(this.#t[e])&&(yield[this.#i[e],this.#t[e]])}*keys(){for(let e of this.#A()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*rkeys(){for(let e of this.#z()){let t=this.#i[e];t!==void 0&&!this.#e(this.#t[e])&&(yield t)}}*values(){for(let e of this.#A())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}*rvalues(){for(let e of this.#z())this.#t[e]!==void 0&&!this.#e(this.#t[e])&&(yield this.#t[e])}[Symbol.iterator](){return this.entries()}[Symbol.toStringTag]="LRUCache";find(e,t={}){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;if(n!==void 0&&e(n,this.#i[i],this))return this.#C(this.#i[i],t)}}forEach(e,t=this){for(let i of this.#A()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}rforEach(e,t=this){for(let i of this.#z()){let s=this.#t[i],n=this.#e(s)?s.__staleWhileFetching:s;n!==void 0&&e.call(t,n,this.#i[i],this)}}purgeStale(){let e=!1;for(let t of this.#z({allowStale:!0}))this.#p(t)&&(this.#E(this.#i[t],"expire"),e=!0);return e}info(e){let t=this.#s.get(e);if(t===void 0)return;let i=this.#t[t],s=this.#e(i)?i.__staleWhileFetching:i;if(s===void 0)return;let n={value:s};if(this.#d&&this.#F){let r=this.#d[t],h=this.#F[t];if(r&&h){let a=r-(this.#m.now()-h);n.ttl=a,n.start=Date.now()}}return this.#_&&(n.size=this.#_[t]),n}dump(){let e=[];for(let t of this.#A({allowStale:!0})){let i=this.#i[t],s=this.#t[t],n=this.#e(s)?s.__staleWhileFetching:s;if(n===void 0||i===void 0)continue;let r={value:n};if(this.#d&&this.#F){r.ttl=this.#d[t];let h=this.#m.now()-this.#F[t];r.start=Math.floor(Date.now()-h)}this.#_&&(r.size=this.#_[t]),e.unshift([i,r])}return e}load(e){this.clear();for(let[t,i]of e){if(i.start){let s=Date.now()-i.start;i.start=this.#m.now()-s}this.#W(t,i.value,i)}}set(e,t,i={}){let{status:s=S.hasSubscribers?{}:void 0}=i;i.status=s,s&&(s.op="set",s.key=e,t!==void 0&&(s.value=t),s.cache=this);let n=this.#W(e,t,i);return s&&S.hasSubscribers&&S.publish(s),n}#W(e,t,i,s){let{ttl:n=this.ttl,start:r,noDisposeOnSet:h=this.noDisposeOnSet,sizeCalculation:a=this.sizeCalculation,status:o}=i,d=this.#e(t);if(t===void 0)return o&&(o.set="deleted"),this.delete(e),this;let{noUpdateTTL:y=this.noUpdateTTL}=i;o&&!d&&(o.value=t);let _=this.#N(e,t,i.size||0,a,o);if(this.maxEntrySize&&_>this.maxEntrySize)return this.#E(e,"set"),o&&(o.set="miss",o.maxEntrySizeExceeded=!0),this;let c=this.#n===0?void 0:this.#s.get(e);if(c===void 0)c=this.#n===0?this.#h:this.#y.length!==0?this.#y.pop():this.#n===this.#o?this.#G(!1):this.#n,this.#i[c]=e,this.#t[c]=t,this.#s.set(e,c),this.#l[this.#h]=c,this.#u[c]=this.#h,this.#h=c,this.#n++,this.#j(c,_,o),o&&(o.set="add"),y=!1,this.#x&&!d&&this.#O?.(t,e,"add");else{this.#L(c);let g=this.#t[c];if(t!==g){if(!h)if(this.#e(g)){g!==s&&g.__abortController.abort(new Error("replaced"));let{__staleWhileFetching:f}=g;f!==void 0&&f!==t&&(this.#T&&this.#S?.(f,e,"set"),this.#f&&this.#r?.push([f,e,"set"]))}else this.#T&&this.#S?.(g,e,"set"),this.#f&&this.#r?.push([g,e,"set"]);if(this.#R(c),this.#j(c,_,o),this.#t[c]=t,!d){let f=g&&this.#e(g)?g.__staleWhileFetching:g,b=f===void 0?"add":t!==f?"replace":"update";o&&(o.set=b,f!==void 0&&(o.oldValue=f)),this.#x&&this.onInsert?.(t,e,b)}}else d||(o&&(o.set="update"),this.#x&&this.onInsert?.(t,e,"update"))}if(n!==0&&!this.#d&&this.#k(),this.#d&&(y||this.#H(c,n,r),o&&this.#v(o,c)),!h&&this.#f&&this.#r){let g=this.#r,f;for(;f=g?.shift();)this.#w?.(...f)}return this}pop(){try{for(;this.#n;){let e=this.#t[this.#a];if(this.#G(!0),this.#e(e)){if(e.__staleWhileFetching)return e.__staleWhileFetching}else if(e!==void 0)return e}}finally{if(this.#f&&this.#r){let e=this.#r,t;for(;t=e?.shift();)this.#w?.(...t)}}}#G(e){let t=this.#a,i=this.#i[t],s=this.#t[t],n=this.#e(s);n&&s.__abortController.abort(new Error("evicted"));let r=n?s.__staleWhileFetching:s;return(this.#T||this.#f)&&r!==void 0&&(this.#T&&this.#S?.(r,i,"evict"),this.#f&&this.#r?.push([r,i,"evict"])),this.#R(t),this.#g?.[t]&&(clearTimeout(this.#g[t]),this.#g[t]=void 0),e&&(this.#i[t]=void 0,this.#t[t]=void 0,this.#y.push(t)),this.#n===1?(this.#a=this.#h=0,this.#y.length=0):this.#a=this.#l[t],this.#s.delete(i),this.#n--,t}has(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="has",i.key=e,i.cache=this);let s=this.#Y(e,t);return S.hasSubscribers&&S.publish(i),s}#Y(e,t={}){let{updateAgeOnHas:i=this.updateAgeOnHas,status:s}=t,n=this.#s.get(e);if(n!==void 0){let r=this.#t[n];if(this.#e(r)&&r.__staleWhileFetching===void 0)return!1;if(this.#p(n))s&&(s.has="stale",this.#v(s,n));else return i&&this.#D(n),s&&(s.has="hit",this.#v(s,n)),!0}else s&&(s.has="miss");return!1}peek(e,t={}){let{status:i=D()?{}:void 0}=t;i&&(i.op="peek",i.key=e,i.cache=this),t.status=i;let s=this.#J(e,t);return S.hasSubscribers&&S.publish(i),s}#J(e,t){let{status:i,allowStale:s=this.allowStale}=t,n=this.#s.get(e);if(n===void 0||!s&&this.#p(n)){i&&(i.peek=n===void 0?"miss":"stale");return}let r=this.#t[n],h=this.#e(r)?r.__staleWhileFetching:r;return i&&(h!==void 0?(i.peek="hit",i.value=h):i.peek="miss"),h}#P(e,t,i,s){let n=t===void 0?void 0:this.#t[t];if(this.#e(n))return n;let r=new AbortController,{signal:h}=i;h?.addEventListener("abort",()=>r.abort(h.reason),{signal:r.signal});let a={signal:r.signal,options:i,context:s},o=(f,b=!1)=>{let{aborted:l}=r.signal,w=i.ignoreFetchAbort&&f!==void 0,F=i.ignoreFetchAbort||!!(i.allowStaleOnFetchAbort&&f!==void 0);if(i.status&&(l&&!b?(i.status.fetchAborted=!0,i.status.fetchError=r.signal.reason,w&&(i.status.fetchAbortIgnored=!0)):i.status.fetchResolved=!0),l&&!w&&!b)return y(r.signal.reason,F);let m=c,p=this.#t[t];return(p===c||p===void 0&&w&&b)&&(f===void 0?m.__staleWhileFetching!==void 0?this.#t[t]=m.__staleWhileFetching:this.#E(e,"fetch"):(i.status&&(i.status.fetchUpdated=!0),this.#W(e,f,a.options,m))),f},d=f=>(i.status&&(i.status.fetchRejected=!0,i.status.fetchError=f),y(f,!1)),y=(f,b)=>{let{aborted:l}=r.signal,w=l&&i.allowStaleOnFetchAbort,F=w||i.allowStaleOnFetchRejection,m=F||i.noDeleteOnFetchRejection,p=c;if(this.#t[t]===c&&(!m||!b&&p.__staleWhileFetching===void 0?this.#E(e,"fetch"):w||(this.#t[t]=p.__staleWhileFetching)),F)return i.status&&p.__staleWhileFetching!==void 0&&(i.status.returnedStale=!0),p.__staleWhileFetching;if(p.__returned===p)throw f},_=(f,b)=>{let l=this.#M?.(e,n,a);r.signal.addEventListener("abort",()=>{(!i.ignoreFetchAbort||i.allowStaleOnFetchAbort)&&(f(void 0),i.allowStaleOnFetchAbort&&(f=w=>o(w,!0)))}),l&&l instanceof Promise?l.then(w=>f(w===void 0?void 0:w),b):l!==void 0&&f(l)};i.status&&(i.status.fetchDispatched=!0);let c=new Promise(_).then(o,d),g=Object.assign(c,{__abortController:r,__staleWhileFetching:n,__returned:void 0});return t===void 0?(this.#W(e,g,{...a.options,status:void 0}),t=this.#s.get(e)):this.#t[t]=g,g}#e(e){if(!this.#U)return!1;let t=e;return!!t&&t instanceof Promise&&t.hasOwnProperty("__staleWhileFetching")&&t.__abortController instanceof AbortController}fetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#B(e,t);return s&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#B(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,ttl:r=this.ttl,noDisposeOnSet:h=this.noDisposeOnSet,size:a=0,sizeCalculation:o=this.sizeCalculation,noUpdateTTL:d=this.noUpdateTTL,noDeleteOnFetchRejection:y=this.noDeleteOnFetchRejection,allowStaleOnFetchRejection:_=this.allowStaleOnFetchRejection,ignoreFetchAbort:c=this.ignoreFetchAbort,allowStaleOnFetchAbort:g=this.allowStaleOnFetchAbort,context:f,forceRefresh:b=!1,status:l,signal:w}=t;if(l&&(l.op="fetch",l.key=e,b&&(l.forceRefresh=!0),l.cache=this),!this.#U)return l&&(l.fetch="get"),this.#C(e,{allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,status:l});let F={allowStale:i,updateAgeOnGet:s,noDeleteOnStaleGet:n,ttl:r,noDisposeOnSet:h,size:a,sizeCalculation:o,noUpdateTTL:d,noDeleteOnFetchRejection:y,allowStaleOnFetchRejection:_,allowStaleOnFetchAbort:g,ignoreFetchAbort:c,status:l,signal:w},m=this.#s.get(e);if(m===void 0){l&&(l.fetch="miss");let p=this.#P(e,m,F,f);return p.__returned=p}else{let p=this.#t[m];if(this.#e(p)){let v=i&&p.__staleWhileFetching!==void 0;return l&&(l.fetch="inflight",v&&(l.returnedStale=!0)),v?p.__staleWhileFetching:p.__returned=p}let A=this.#p(m);if(!b&&!A)return l&&(l.fetch="hit"),this.#L(m),s&&this.#D(m),l&&this.#v(l,m),p;let z=this.#P(e,m,F,f),E=z.__staleWhileFetching!==void 0&&i;return l&&(l.fetch=A?"stale":"refresh",E&&A&&(l.returnedStale=!0)),E?z.__staleWhileFetching:z.__returned=z}}forceFetch(e,t={}){let i=W.hasSubscribers,{status:s=D()?{}:void 0}=t;t.status=s,s&&t.context&&(s.context=t.context);let n=this.#K(e,t);return s&&i&&(s.trace=!0,W.tracePromise(()=>n,s).catch(()=>{})),n}async#K(e,t={}){let i=await this.#B(e,t);if(i===void 0)throw new Error("fetch() returned undefined");return i}memo(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="memo",i.key=e,t.context&&(i.context=t.context),i.cache=this);let s=this.#Q(e,t);return i&&(i.value=s),S.hasSubscribers&&S.publish(i),s}#Q(e,t={}){let i=this.#I;if(!i)throw new Error("no memoMethod provided to constructor");let{context:s,status:n,forceRefresh:r,...h}=t;n&&r&&(n.forceRefresh=!0);let a=this.#C(e,h),o=r||a===void 0;if(n&&(n.memo=o?"miss":"hit",o||(n.value=a)),!o)return a;let d=i(e,a,{options:h,context:s});return n&&(n.value=d),this.#W(e,d,h),d}get(e,t={}){let{status:i=S.hasSubscribers?{}:void 0}=t;t.status=i,i&&(i.op="get",i.key=e,i.cache=this);let s=this.#C(e,t);return i&&(s!==void 0&&(i.value=s),S.hasSubscribers&&S.publish(i)),s}#C(e,t={}){let{allowStale:i=this.allowStale,updateAgeOnGet:s=this.updateAgeOnGet,noDeleteOnStaleGet:n=this.noDeleteOnStaleGet,status:r}=t,h=this.#s.get(e);if(h===void 0){r&&(r.get="miss");return}let a=this.#t[h],o=this.#e(a);return r&&this.#v(r,h),this.#p(h)?o?(r&&(r.get="stale-fetching"),i&&a.__staleWhileFetching!==void 0?(r&&(r.returnedStale=!0),a.__staleWhileFetching):void 0):(n||this.#E(e,"expire"),r&&(r.get="stale"),i?(r&&(r.returnedStale=!0),a):void 0):(r&&(r.get=o?"fetching":"hit"),this.#L(h),s&&this.#D(h),o?a.__staleWhileFetching:a)}#$(e,t){this.#u[t]=e,this.#l[e]=t}#L(e){e!==this.#h&&(e===this.#a?this.#a=this.#l[e]:this.#$(this.#u[e],this.#l[e]),this.#$(this.#h,e),this.#h=e)}delete(e){return this.#E(e,"delete")}#E(e,t){S.hasSubscribers&&S.publish({op:"delete",delete:t,key:e,cache:this});let i=!1;if(this.#n!==0){let s=this.#s.get(e);if(s!==void 0)if(this.#g?.[s]&&(clearTimeout(this.#g?.[s]),this.#g[s]=void 0),i=!0,this.#n===1)this.#q(t);else{this.#R(s);let n=this.#t[s];if(this.#e(n)?n.__abortController.abort(new Error("deleted")):(this.#T||this.#f)&&(this.#T&&this.#S?.(n,e,t),this.#f&&this.#r?.push([n,e,t])),this.#s.delete(e),this.#i[s]=void 0,this.#t[s]=void 0,s===this.#h)this.#h=this.#u[s];else if(s===this.#a)this.#a=this.#l[s];else{let r=this.#u[s];this.#l[r]=this.#l[s];let h=this.#l[s];this.#u[h]=this.#u[s]}this.#n--,this.#y.push(s)}}if(this.#f&&this.#r?.length){let s=this.#r,n;for(;n=s?.shift();)this.#w?.(...n)}return i}clear(){return this.#q("delete")}#q(e){for(let t of this.#z({allowStale:!0})){let i=this.#t[t];if(this.#e(i))i.__abortController.abort(new Error("deleted"));else{let s=this.#i[t];this.#T&&this.#S?.(i,s,e),this.#f&&this.#r?.push([i,s,e])}}if(this.#s.clear(),this.#t.fill(void 0),this.#i.fill(void 0),this.#d&&this.#F){this.#d.fill(0),this.#F.fill(0);for(let t of this.#g??[])t!==void 0&&clearTimeout(t);this.#g?.fill(void 0)}if(this.#_&&this.#_.fill(0),this.#a=0,this.#h=0,this.#y.length=0,this.#b=0,this.#n=0,this.#f&&this.#r){let t=this.#r,i;for(;i=t?.shift();)this.#w?.(...i)}}};export{I as LRUCache};
 //# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/node/perf.js b/deps/npm/node_modules/lru-cache/dist/esm/node/perf.js
new file mode 100644
index 00000000000000..f21cd88c8692d7
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/esm/node/perf.js
@@ -0,0 +1,7 @@
+export const defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/dist/esm/perf.js b/deps/npm/node_modules/lru-cache/dist/esm/perf.js
new file mode 100644
index 00000000000000..f21cd88c8692d7
--- /dev/null
+++ b/deps/npm/node_modules/lru-cache/dist/esm/perf.js
@@ -0,0 +1,7 @@
+export const defaultPerf = (typeof performance === 'object' &&
+    performance &&
+    typeof performance.now === 'function') ?
+    /* c8 ignore start - this gets covered, but c8 gets confused */
+    performance
+    : /* c8 ignore stop */ Date;
+//# sourceMappingURL=perf.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/lru-cache/package.json b/deps/npm/node_modules/lru-cache/package.json
index b571016553e727..6ada2c211f2d6c 100644
--- a/deps/npm/node_modules/lru-cache/package.json
+++ b/deps/npm/node_modules/lru-cache/package.json
@@ -1,7 +1,7 @@
 {
   "name": "lru-cache",
   "description": "A cache object that deletes the least-recently-used items.",
-  "version": "11.3.5",
+  "version": "11.5.1",
   "author": "Isaac Z. Schlueter ",
   "keywords": [
     "mru",
@@ -34,25 +34,37 @@
   "types": "./dist/commonjs/index.d.ts",
   "tshy": {
     "esmDialects": [
-      "node",
-      "browser"
+      "browser",
+      "node"
+    ],
+    "commonjsDialects": [
+      "browser",
+      "node"
     ],
     "exports": {
       "./raw": "./src/index.ts",
       ".": {
         "import": {
-          "node": {
-            "types": "./dist/esm/node/index.d.ts",
-            "default": "./dist/esm/node/index.min.js"
-          },
           "browser": {
             "types": "./dist/esm/browser/index.d.ts",
             "default": "./dist/esm/browser/index.min.js"
           },
+          "node": {
+            "types": "./dist/esm/node/index.d.ts",
+            "default": "./dist/esm/node/index.min.js"
+          },
           "types": "./dist/esm/index.d.ts",
           "default": "./dist/esm/index.min.js"
         },
         "require": {
+          "browser": {
+            "types": "./dist/commonjs/browser/index.d.ts",
+            "default": "./dist/commonjs/browser/index.min.js"
+          },
+          "node": {
+            "types": "./dist/commonjs/node/index.d.ts",
+            "default": "./dist/commonjs/node/index.min.js"
+          },
           "types": "./dist/commonjs/index.d.ts",
           "default": "./dist/commonjs/index.min.js"
         }
@@ -66,15 +78,15 @@
   },
   "devDependencies": {
     "benchmark": "^2.1.4",
-    "esbuild": "^0.25.9",
+    "esbuild": "^0.28.0",
     "marked": "^4.2.12",
     "mkdirp": "^3.0.1",
-    "oxlint": "^1.58.0",
-    "oxlint-tsgolint": "^0.19.0",
-    "prettier": "^3.8.1",
-    "tap": "^21.6.3",
-    "tshy": "^4.1.1",
-    "typedoc": "^0.28.18"
+    "oxlint": "^1.65.0",
+    "oxlint-tsgolint": "^0.22.1",
+    "prettier": "^3.8.3",
+    "tap": "^21.7.4",
+    "tshy": "^4.1.2",
+    "typedoc": "^0.28.19"
   },
   "license": "BlueOak-1.0.0",
   "files": [
@@ -86,36 +98,52 @@
   "exports": {
     "./raw": {
       "import": {
-        "node": {
-          "types": "./dist/esm/node/index.d.ts",
-          "default": "./dist/esm/node/index.js"
-        },
         "browser": {
           "types": "./dist/esm/browser/index.d.ts",
           "default": "./dist/esm/browser/index.js"
         },
+        "node": {
+          "types": "./dist/esm/node/index.d.ts",
+          "default": "./dist/esm/node/index.js"
+        },
         "types": "./dist/esm/index.d.ts",
         "default": "./dist/esm/index.js"
       },
       "require": {
+        "browser": {
+          "types": "./dist/commonjs/browser/index.d.ts",
+          "default": "./dist/commonjs/browser/index.js"
+        },
+        "node": {
+          "types": "./dist/commonjs/node/index.d.ts",
+          "default": "./dist/commonjs/node/index.js"
+        },
         "types": "./dist/commonjs/index.d.ts",
         "default": "./dist/commonjs/index.js"
       }
     },
     ".": {
       "import": {
-        "node": {
-          "types": "./dist/esm/node/index.d.ts",
-          "default": "./dist/esm/node/index.min.js"
-        },
         "browser": {
           "types": "./dist/esm/browser/index.d.ts",
           "default": "./dist/esm/browser/index.min.js"
         },
+        "node": {
+          "types": "./dist/esm/node/index.d.ts",
+          "default": "./dist/esm/node/index.min.js"
+        },
         "types": "./dist/esm/index.d.ts",
         "default": "./dist/esm/index.min.js"
       },
       "require": {
+        "browser": {
+          "types": "./dist/commonjs/browser/index.d.ts",
+          "default": "./dist/commonjs/browser/index.min.js"
+        },
+        "node": {
+          "types": "./dist/commonjs/node/index.d.ts",
+          "default": "./dist/commonjs/node/index.min.js"
+        },
         "types": "./dist/commonjs/index.d.ts",
         "default": "./dist/commonjs/index.min.js"
       }
diff --git a/deps/npm/node_modules/make-fetch-happen/package.json b/deps/npm/node_modules/make-fetch-happen/package.json
index 1d06ac4889c3e3..92c48b45871586 100644
--- a/deps/npm/node_modules/make-fetch-happen/package.json
+++ b/deps/npm/node_modules/make-fetch-happen/package.json
@@ -1,6 +1,6 @@
 {
   "name": "make-fetch-happen",
-  "version": "15.0.5",
+  "version": "15.0.6",
   "description": "Opinionated, caching, retrying fetch client",
   "main": "lib/index.js",
   "files": [
diff --git a/deps/npm/node_modules/semver/README.md b/deps/npm/node_modules/semver/README.md
index f6503bfefd4640..c307e82d46ae44 100644
--- a/deps/npm/node_modules/semver/README.md
+++ b/deps/npm/node_modules/semver/README.md
@@ -56,6 +56,7 @@ const semverCompareLoose = require('semver/functions/compare-loose')
 const semverCompareBuild = require('semver/functions/compare-build')
 const semverSort = require('semver/functions/sort')
 const semverRsort = require('semver/functions/rsort')
+const semverTruncate = require('semver/functions/truncate')
 
 // low-level comparators between versions
 const semverGt = require('semver/functions/gt')
@@ -399,12 +400,19 @@ nr         ::= '0' | ['1'-'9'] ( ['0'-'9'] ) *
 tilde      ::= '~' partial
 caret      ::= '^' partial
 qualifier  ::= ( '-' pre )? ( '+' build )?
-pre        ::= parts
-build      ::= parts
-parts      ::= part ( '.' part ) *
-part       ::= nr | [-0-9A-Za-z]+
+pre        ::= prepart ( '.' prepart ) *
+prepart    ::= nr | alphanumid
+build      ::= buildid ( '.' buildid ) *
+alphanumid ::= ( ['0'-'9'] ) * [-A-Za-z] [-0-9A-Za-z] *
+buildid    ::= [-0-9A-Za-z]+
 ```
 
+Note: Prerelease identifiers (`pre`) use `nr` for numeric parts, which
+disallows leading zeros (e.g., `1.2.3-00` is invalid). Build metadata
+identifiers (`build`) allow any alphanumeric string including leading
+zeros (e.g., `1.2.3+00` is valid). This matches the
+[SemVer 2.0.0 specification](https://semver.org/#spec-item-9).
+
 ## Functions
 
 All methods and classes take a final `options` object argument.  All
@@ -449,6 +457,12 @@ strings that they parse.
   or comparators intersect.
 * `parse(v)`: Attempt to parse a string as a semantic version, returning either
   a `SemVer` object or `null`.
+* `truncate(v, releaseType)`: Return the version with components _lower_
+  than `releaseType` dropped off, e.g.:
+  * `major` removes build & prerelease info and sets minor & patch to 0.
+  * `minor` removes build & prerelease info, and sets patch to 0
+  * `patch` removes build & prerelease info
+  * All prerelease types remove build info only
 
 ### Comparison
 
@@ -650,6 +664,7 @@ The following modules are available:
 * `require('semver/functions/rsort')`
 * `require('semver/functions/satisfies')`
 * `require('semver/functions/sort')`
+* `require('semver/functions/truncate')`
 * `require('semver/functions/valid')`
 * `require('semver/ranges/gtr')`
 * `require('semver/ranges/intersects')`
diff --git a/deps/npm/node_modules/semver/bin/semver.js b/deps/npm/node_modules/semver/bin/semver.js
index d62bfc0ecd5216..9ae8aadb95fbd9 100755
--- a/deps/npm/node_modules/semver/bin/semver.js
+++ b/deps/npm/node_modules/semver/bin/semver.js
@@ -46,6 +46,7 @@ const main = () => {
       a = a.slice(0, indexOfEqualSign)
       argv.unshift(value)
     }
+
     switch (a) {
       case '-rv': case '-rev': case '--rev': case '--reverse':
         reverse = true
@@ -60,15 +61,10 @@ const main = () => {
         versions.push(argv.shift())
         break
       case '-i': case '--inc': case '--increment':
-        switch (argv[0]) {
-          case 'major': case 'minor': case 'patch': case 'prerelease':
-          case 'premajor': case 'preminor': case 'prepatch':
-          case 'release':
-            inc = argv.shift()
-            break
-          default:
-            inc = 'patch'
-            break
+        if (semver.RELEASE_TYPES.includes(argv[0]) || (argv[0] === 'release')) {
+          inc = { value: argv.shift(), maybeErrantValue: null, option: a }
+        } else {
+          inc = { value: 'patch', maybeErrantValue: argv[0], option: a }
         }
         break
       case '--preid':
@@ -102,6 +98,14 @@ const main = () => {
 
   options = parseOptions({ loose, includePrerelease, rtl })
 
+  if (
+    inc &&
+    versions.includes(inc.maybeErrantValue) &&
+    !semver.valid(inc.maybeErrantValue, options)
+  ) {
+    console.warn(`Invalid value for ${inc.option}; defaulting to 'patch'. This may become a failure in future major versions.`)
+  }
+
   versions = versions.map((v) => {
     return coerce ? (semver.coerce(v, options) || { version: v }).version : v
   }).filter((v) => {
@@ -125,7 +129,7 @@ const main = () => {
   versions
     .sort((a, b) => semver[reverse ? 'rcompare' : 'compare'](a, b, options))
     .map(v => semver.clean(v, options))
-    .map(v => inc ? semver.inc(v, inc, options, identifier, identifierBase) : v)
+    .map(v => inc ? semver.inc(v, inc.value, options, identifier, identifierBase) : v)
     .forEach(v => console.log(v))
 }
 
diff --git a/deps/npm/node_modules/semver/classes/range.js b/deps/npm/node_modules/semver/classes/range.js
index 94629ce6f5df60..c2e605e5173601 100644
--- a/deps/npm/node_modules/semver/classes/range.js
+++ b/deps/npm/node_modules/semver/classes/range.js
@@ -98,6 +98,9 @@ class Range {
   }
 
   parseRange (range) {
+    // strip build metadata so it can't bleed into the version
+    range = range.replace(BUILDSTRIPRE, '')
+
     // memoize range parsing for performance.
     // this is a very hot path, and fully deterministic.
     const memoOpts =
@@ -223,6 +226,7 @@ const debug = require('../internal/debug')
 const SemVer = require('./semver')
 const {
   safeRe: re,
+  src,
   t,
   comparatorTrimReplace,
   tildeTrimReplace,
@@ -230,6 +234,9 @@ const {
 } = require('../internal/re')
 const { FLAG_INCLUDE_PRERELEASE, FLAG_LOOSE } = require('../internal/constants')
 
+// unbounded global build-metadata stripper used by parseRange
+const BUILDSTRIPRE = new RegExp(src[t.BUILD], 'g')
+
 const isNullSet = c => c.value === '<0.0.0-0'
 const isAny = c => c.value === ''
 
diff --git a/deps/npm/node_modules/semver/functions/truncate.js b/deps/npm/node_modules/semver/functions/truncate.js
new file mode 100644
index 00000000000000..8314e4e922a418
--- /dev/null
+++ b/deps/npm/node_modules/semver/functions/truncate.js
@@ -0,0 +1,48 @@
+'use strict'
+
+const parse = require('./parse')
+const constants = require('../internal/constants')
+const SemVer = require('../classes/semver')
+
+const truncate = (version, truncation, options) => {
+  if (!constants.RELEASE_TYPES.includes(truncation)) {
+    return null
+  }
+
+  const clonedVersion = cloneInputVersion(version, options)
+  return clonedVersion && doTruncation(clonedVersion, truncation)
+}
+
+const cloneInputVersion = (version, options) => {
+  const versionStringToParse = (
+    version instanceof SemVer ? version.version : version
+  )
+
+  return parse(versionStringToParse, options)
+}
+
+const doTruncation = (version, truncation) => {
+  if (isPrerelease(truncation)) {
+    return version.version
+  }
+
+  version.prerelease = []
+
+  switch (truncation) {
+    case 'major':
+      version.minor = 0
+      version.patch = 0
+      break
+    case 'minor':
+      version.patch = 0
+      break
+  }
+
+  return version.format()
+}
+
+const isPrerelease = (type) => {
+  return type.startsWith('pre')
+}
+
+module.exports = truncate
diff --git a/deps/npm/node_modules/semver/index.js b/deps/npm/node_modules/semver/index.js
index 285662acb32892..bc1f608ceaad3d 100644
--- a/deps/npm/node_modules/semver/index.js
+++ b/deps/npm/node_modules/semver/index.js
@@ -28,6 +28,7 @@ const gte = require('./functions/gte')
 const lte = require('./functions/lte')
 const cmp = require('./functions/cmp')
 const coerce = require('./functions/coerce')
+const truncate = require('./functions/truncate')
 const Comparator = require('./classes/comparator')
 const Range = require('./classes/range')
 const satisfies = require('./functions/satisfies')
@@ -66,6 +67,7 @@ module.exports = {
   lte,
   cmp,
   coerce,
+  truncate,
   Comparator,
   Range,
   satisfies,
diff --git a/deps/npm/node_modules/semver/internal/re.js b/deps/npm/node_modules/semver/internal/re.js
index 639fca89de8e63..2ec2c22c972d32 100644
--- a/deps/npm/node_modules/semver/internal/re.js
+++ b/deps/npm/node_modules/semver/internal/re.js
@@ -136,7 +136,7 @@ createToken('LOOSE', `^${src[t.LOOSEPLAIN]}$`)
 createToken('GTLT', '((?:<|>)?=?)')
 
 // Something like "2.*" or "1.2.x".
-// Note that "x.x" is a valid xRange identifer, meaning "any version"
+// Note that "x.x" is a valid xRange identifier, meaning "any version"
 // Only the first item is strictly required.
 createToken('XRANGEIDENTIFIERLOOSE', `${src[t.NUMERICIDENTIFIERLOOSE]}|x|X|\\*`)
 createToken('XRANGEIDENTIFIER', `${src[t.NUMERICIDENTIFIER]}|x|X|\\*`)
diff --git a/deps/npm/node_modules/semver/package.json b/deps/npm/node_modules/semver/package.json
index a84de916085998..6edb9ab49d9774 100644
--- a/deps/npm/node_modules/semver/package.json
+++ b/deps/npm/node_modules/semver/package.json
@@ -1,6 +1,6 @@
 {
   "name": "semver",
-  "version": "7.7.4",
+  "version": "7.8.1",
   "description": "The semantic version parser used by npm.",
   "main": "index.js",
   "scripts": {
@@ -15,7 +15,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^6.0.0",
-    "@npmcli/template-oss": "4.29.0",
+    "@npmcli/template-oss": "5.0.0",
     "benchmark": "^2.1.4",
     "tap": "^16.0.0"
   },
@@ -52,7 +52,7 @@
   "author": "GitHub Inc.",
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.29.0",
+    "version": "5.0.0",
     "engines": ">=10",
     "distPaths": [
       "classes/",
diff --git a/deps/npm/node_modules/semver/range.bnf b/deps/npm/node_modules/semver/range.bnf
index d4c6ae0d76c9ac..a7a4bc37831127 100644
--- a/deps/npm/node_modules/semver/range.bnf
+++ b/deps/npm/node_modules/semver/range.bnf
@@ -10,7 +10,8 @@ nr         ::= '0' | [1-9] ( [0-9] ) *
 tilde      ::= '~' partial
 caret      ::= '^' partial
 qualifier  ::= ( '-' pre )? ( '+' build )?
-pre        ::= parts
-build      ::= parts
-parts      ::= part ( '.' part ) *
-part       ::= nr | [-0-9A-Za-z]+
+pre        ::= prepart ( '.' prepart ) *
+prepart    ::= nr | alphanumid
+build      ::= buildid ( '.' buildid ) *
+alphanumid ::= ( [0-9] ) * [A-Za-z-] [-0-9A-Za-z] *
+buildid    ::= [-0-9A-Za-z]+
diff --git a/deps/npm/node_modules/semver/ranges/subset.js b/deps/npm/node_modules/semver/ranges/subset.js
index 99f43218075c86..a949832329003b 100644
--- a/deps/npm/node_modules/semver/ranges/subset.js
+++ b/deps/npm/node_modules/semver/ranges/subset.js
@@ -174,7 +174,7 @@ const simpleSubset = (sub, dom, options) => {
         if (higher === c && higher !== gt) {
           return false
         }
-      } else if (gt.operator === '>=' && !satisfies(gt.semver, String(c), options)) {
+      } else if (gt.operator === '>=' && !c.test(gt.semver)) {
         return false
       }
     }
@@ -192,7 +192,7 @@ const simpleSubset = (sub, dom, options) => {
         if (lower === c && lower !== lt) {
           return false
         }
-      } else if (lt.operator === '<=' && !satisfies(lt.semver, String(c), options)) {
+      } else if (lt.operator === '<=' && !c.test(lt.semver)) {
         return false
       }
     }
diff --git a/deps/npm/node_modules/sigstore/dist/config.js b/deps/npm/node_modules/sigstore/dist/config.js
index e8b2392f97f236..373149fe22fb75 100644
--- a/deps/npm/node_modules/sigstore/dist/config.js
+++ b/deps/npm/node_modules/sigstore/dist/config.js
@@ -65,6 +65,12 @@ function createVerificationPolicy(options) {
     if (options.certificateIssuer) {
         policy.extensions = { issuer: options.certificateIssuer };
     }
+    if (options.certificateOIDs) {
+        policy.oids = Object.entries(options.certificateOIDs).map(([oid, value]) => ({
+            oid: { id: oid.split('.').map(Number) },
+            value: Buffer.from(value),
+        }));
+    }
     return policy;
 }
 // Instantiate the FulcioSigner based on the supplied options.
diff --git a/deps/npm/node_modules/sigstore/package.json b/deps/npm/node_modules/sigstore/package.json
index 5965f0889ca7db..e0acea6d96287e 100644
--- a/deps/npm/node_modules/sigstore/package.json
+++ b/deps/npm/node_modules/sigstore/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sigstore",
-  "version": "4.1.0",
+  "version": "4.1.1",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,17 +29,17 @@
   "devDependencies": {
     "@sigstore/rekor-types": "^4.0.0",
     "@sigstore/jest": "^0.0.0",
-    "@sigstore/mock": "^0.11.0",
-    "@tufjs/repo-mock": "^4.0.0",
+    "@sigstore/mock": "^0.12.1",
+    "@tufjs/repo-mock": "^4.0.1",
     "@types/make-fetch-happen": "^10.0.4"
   },
   "dependencies": {
     "@sigstore/bundle": "^4.0.0",
-    "@sigstore/core": "^3.1.0",
+    "@sigstore/core": "^3.2.1",
     "@sigstore/protobuf-specs": "^0.5.0",
-    "@sigstore/sign": "^4.1.0",
-    "@sigstore/tuf": "^4.0.1",
-    "@sigstore/verify": "^3.1.0"
+    "@sigstore/sign": "^4.1.1",
+    "@sigstore/tuf": "^4.0.2",
+    "@sigstore/verify": "^3.1.1"
   },
   "engines": {
     "node": "^20.17.0 || >=22.9.0"
diff --git a/deps/npm/node_modules/socks/package.json b/deps/npm/node_modules/socks/package.json
index a7a2a20190ad3a..078e21216b782e 100644
--- a/deps/npm/node_modules/socks/package.json
+++ b/deps/npm/node_modules/socks/package.json
@@ -1,14 +1,14 @@
 {
   "name": "socks",
   "private": false,
-  "version": "2.8.7",
+  "version": "2.8.9",
   "description": "Fully featured SOCKS proxy client supporting SOCKSv4, SOCKSv4a, and SOCKSv5. Includes Bind and Associate functionality.",
   "main": "build/index.js",
   "typings": "typings/index.d.ts",
   "homepage": "https://github.com/JoshGlazebrook/socks/",
   "repository": {
     "type": "git",
-    "url": "https://github.com/JoshGlazebrook/socks.git"
+    "url": "git+https://github.com/JoshGlazebrook/socks.git"
   },
   "bugs": {
     "url": "https://github.com/JoshGlazebrook/socks/issues"
@@ -44,7 +44,7 @@
     "typescript": "^5.3.3"
   },
   "dependencies": {
-    "ip-address": "^10.0.1",
+    "ip-address": "^10.1.1",
     "smart-buffer": "^4.2.0"
   },
   "scripts": {
diff --git a/deps/npm/node_modules/tar/dist/commonjs/index.min.js b/deps/npm/node_modules/tar/dist/commonjs/index.min.js
index 6563e9e669054d..5bdc937545e805 100644
--- a/deps/npm/node_modules/tar/dist/commonjs/index.min.js
+++ b/deps/npm/node_modules/tar/dist/commonjs/index.min.js
@@ -1,4 +1,4 @@
-"use strict";var d=(s,e)=>()=>(e||s((e={exports:{}}).exports,e),e.exports);var We=d(F=>{"use strict";var Oo=F&&F.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(F,"__esModule",{value:!0});F.Minipass=F.isWritable=F.isReadable=F.isStream=void 0;var Cr=typeof process=="object"&&process?process:{stdout:null,stderr:null},ts=require("node:events"),jr=Oo(require("node:stream")),Ro=require("node:string_decoder"),vo=s=>!!s&&typeof s=="object"&&(s instanceof Ht||s instanceof jr.default||(0,F.isReadable)(s)||(0,F.isWritable)(s));F.isStream=vo;var To=s=>!!s&&typeof s=="object"&&s instanceof ts.EventEmitter&&typeof s.pipe=="function"&&s.pipe!==jr.default.Writable.prototype.pipe;F.isReadable=To;var Do=s=>!!s&&typeof s=="object"&&s instanceof ts.EventEmitter&&typeof s.write=="function"&&typeof s.end=="function";F.isWritable=Do;var le=Symbol("EOF"),ue=Symbol("maybeEmitEnd"),_e=Symbol("emittedEnd"),kt=Symbol("emittingEnd"),ft=Symbol("emittedError"),jt=Symbol("closed"),Br=Symbol("read"),xt=Symbol("flush"),zr=Symbol("flushChunk"),K=Symbol("encoding"),Ue=Symbol("decoder"),O=Symbol("flowing"),dt=Symbol("paused"),qe=Symbol("resume"),R=Symbol("buffer"),I=Symbol("pipes"),v=Symbol("bufferLength"),Vi=Symbol("bufferPush"),Ut=Symbol("bufferShift"),N=Symbol("objectMode"),y=Symbol("destroyed"),$i=Symbol("error"),Xi=Symbol("emitData"),kr=Symbol("emitEnd"),Qi=Symbol("emitEnd2"),J=Symbol("async"),Ji=Symbol("abort"),qt=Symbol("aborted"),mt=Symbol("signal"),Pe=Symbol("dataListeners"),k=Symbol("discarded"),pt=s=>Promise.resolve().then(s),Po=s=>s(),No=s=>s==="end"||s==="finish"||s==="prefinish",Mo=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Lo=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Wt=class{src;dest;opts;ondrain;constructor(e,t,i){this.src=e,this.dest=t,this.opts=i,this.ondrain=()=>e[qe](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(e){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},es=class extends Wt{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(e,t,i){super(e,t,i),this.proxyErrors=r=>this.dest.emit("error",r),e.on("error",this.proxyErrors)}},Ao=s=>!!s.objectMode,Io=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",Ht=class extends ts.EventEmitter{[O]=!1;[dt]=!1;[I]=[];[R]=[];[N];[K];[J];[Ue];[le]=!1;[_e]=!1;[kt]=!1;[jt]=!1;[ft]=null;[v]=0;[y]=!1;[mt];[qt]=!1;[Pe]=0;[k]=!1;writable=!0;readable=!0;constructor(...e){let t=e[0]||{};if(super(),t.objectMode&&typeof t.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Ao(t)?(this[N]=!0,this[K]=null):Io(t)?(this[K]=t.encoding,this[N]=!1):(this[N]=!1,this[K]=null),this[J]=!!t.async,this[Ue]=this[K]?new Ro.StringDecoder(this[K]):null,t&&t.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[R]}),t&&t.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[I]});let{signal:i}=t;i&&(this[mt]=i,i.aborted?this[Ji]():i.addEventListener("abort",()=>this[Ji]()))}get bufferLength(){return this[v]}get encoding(){return this[K]}set encoding(e){throw new Error("Encoding must be set at instantiation time")}setEncoding(e){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[N]}set objectMode(e){throw new Error("objectMode must be set at instantiation time")}get async(){return this[J]}set async(e){this[J]=this[J]||!!e}[Ji](){this[qt]=!0,this.emit("abort",this[mt]?.reason),this.destroy(this[mt]?.reason)}get aborted(){return this[qt]}set aborted(e){}write(e,t,i){if(this[qt])return!1;if(this[le])throw new Error("write after end");if(this[y])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof t=="function"&&(i=t,t="utf8"),t||(t="utf8");let r=this[J]?pt:Po;if(!this[N]&&!Buffer.isBuffer(e)){if(Lo(e))e=Buffer.from(e.buffer,e.byteOffset,e.byteLength);else if(Mo(e))e=Buffer.from(e);else if(typeof e!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[N]?(this[O]&&this[v]!==0&&this[xt](!0),this[O]?this.emit("data",e):this[Vi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):e.length?(typeof e=="string"&&!(t===this[K]&&!this[Ue]?.lastNeed)&&(e=Buffer.from(e,t)),Buffer.isBuffer(e)&&this[K]&&(e=this[Ue].write(e)),this[O]&&this[v]!==0&&this[xt](!0),this[O]?this.emit("data",e):this[Vi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):(this[v]!==0&&this.emit("readable"),i&&r(i),this[O])}read(e){if(this[y])return null;if(this[k]=!1,this[v]===0||e===0||e&&e>this[v])return this[ue](),null;this[N]&&(e=null),this[R].length>1&&!this[N]&&(this[R]=[this[K]?this[R].join(""):Buffer.concat(this[R],this[v])]);let t=this[Br](e||null,this[R][0]);return this[ue](),t}[Br](e,t){if(this[N])this[Ut]();else{let i=t;e===i.length||e===null?this[Ut]():typeof i=="string"?(this[R][0]=i.slice(e),t=i.slice(0,e),this[v]-=e):(this[R][0]=i.subarray(e),t=i.subarray(0,e),this[v]-=e)}return this.emit("data",t),!this[R].length&&!this[le]&&this.emit("drain"),t}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t="utf8"),e!==void 0&&this.write(e,t),i&&this.once("end",i),this[le]=!0,this.writable=!1,(this[O]||!this[dt])&&this[ue](),this}[qe](){this[y]||(!this[Pe]&&!this[I].length&&(this[k]=!0),this[dt]=!1,this[O]=!0,this.emit("resume"),this[R].length?this[xt]():this[le]?this[ue]():this.emit("drain"))}resume(){return this[qe]()}pause(){this[O]=!1,this[dt]=!0,this[k]=!1}get destroyed(){return this[y]}get flowing(){return this[O]}get paused(){return this[dt]}[Vi](e){this[N]?this[v]+=1:this[v]+=e.length,this[R].push(e)}[Ut](){return this[N]?this[v]-=1:this[v]-=this[R][0].length,this[R].shift()}[xt](e=!1){do;while(this[zr](this[Ut]())&&this[R].length);!e&&!this[R].length&&!this[le]&&this.emit("drain")}[zr](e){return this.emit("data",e),this[O]}pipe(e,t){if(this[y])return e;this[k]=!1;let i=this[_e];return t=t||{},e===Cr.stdout||e===Cr.stderr?t.end=!1:t.end=t.end!==!1,t.proxyErrors=!!t.proxyErrors,i?t.end&&e.end():(this[I].push(t.proxyErrors?new es(this,e,t):new Wt(this,e,t)),this[J]?pt(()=>this[qe]()):this[qe]()),e}unpipe(e){let t=this[I].find(i=>i.dest===e);t&&(this[I].length===1?(this[O]&&this[Pe]===0&&(this[O]=!1),this[I]=[]):this[I].splice(this[I].indexOf(t),1),t.unpipe())}addListener(e,t){return this.on(e,t)}on(e,t){let i=super.on(e,t);if(e==="data")this[k]=!1,this[Pe]++,!this[I].length&&!this[O]&&this[qe]();else if(e==="readable"&&this[v]!==0)super.emit("readable");else if(No(e)&&this[_e])super.emit(e),this.removeAllListeners(e);else if(e==="error"&&this[ft]){let r=t;this[J]?pt(()=>r.call(this,this[ft])):r.call(this,this[ft])}return i}removeListener(e,t){return this.off(e,t)}off(e,t){let i=super.off(e,t);return e==="data"&&(this[Pe]=this.listeners("data").length,this[Pe]===0&&!this[k]&&!this[I].length&&(this[O]=!1)),i}removeAllListeners(e){let t=super.removeAllListeners(e);return(e==="data"||e===void 0)&&(this[Pe]=0,!this[k]&&!this[I].length&&(this[O]=!1)),t}get emittedEnd(){return this[_e]}[ue](){!this[kt]&&!this[_e]&&!this[y]&&this[R].length===0&&this[le]&&(this[kt]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[jt]&&this.emit("close"),this[kt]=!1)}emit(e,...t){let i=t[0];if(e!=="error"&&e!=="close"&&e!==y&&this[y])return!1;if(e==="data")return!this[N]&&!i?!1:this[J]?(pt(()=>this[Xi](i)),!0):this[Xi](i);if(e==="end")return this[kr]();if(e==="close"){if(this[jt]=!0,!this[_e]&&!this[y])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(e==="error"){this[ft]=i,super.emit($i,i);let n=!this[mt]||this.listeners("error").length?super.emit("error",i):!1;return this[ue](),n}else if(e==="resume"){let n=super.emit("resume");return this[ue](),n}else if(e==="finish"||e==="prefinish"){let n=super.emit(e);return this.removeAllListeners(e),n}let r=super.emit(e,...t);return this[ue](),r}[Xi](e){for(let i of this[I])i.dest.write(e)===!1&&this.pause();let t=this[k]?!1:super.emit("data",e);return this[ue](),t}[kr](){return this[_e]?!1:(this[_e]=!0,this.readable=!1,this[J]?(pt(()=>this[Qi]()),!0):this[Qi]())}[Qi](){if(this[Ue]){let t=this[Ue].end();if(t){for(let i of this[I])i.dest.write(t);this[k]||super.emit("data",t)}}for(let t of this[I])t.end();let e=super.emit("end");return this.removeAllListeners("end"),e}async collect(){let e=Object.assign([],{dataLength:0});this[N]||(e.dataLength=0);let t=this.promise();return this.on("data",i=>{e.push(i),this[N]||(e.dataLength+=i.length)}),await t,e}async concat(){if(this[N])throw new Error("cannot concat in objectMode");let e=await this.collect();return this[K]?e.join(""):Buffer.concat(e,e.dataLength)}async promise(){return new Promise((e,t)=>{this.on(y,()=>t(new Error("stream destroyed"))),this.on("error",i=>t(i)),this.on("end",()=>e())})}[Symbol.asyncIterator](){this[k]=!1;let e=!1,t=async()=>(this.pause(),e=!0,{value:void 0,done:!0});return{next:()=>{if(e)return t();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[le])return t();let n,o,a=c=>{this.off("data",h),this.off("end",l),this.off(y,u),t(),o(c)},h=c=>{this.off("error",a),this.off("end",l),this.off(y,u),this.pause(),n({value:c,done:!!this[le]})},l=()=>{this.off("error",a),this.off("data",h),this.off(y,u),t(),n({done:!0,value:void 0})},u=()=>a(new Error("stream destroyed"));return new Promise((c,E)=>{o=E,n=c,this.once(y,u),this.once("error",a),this.once("end",l),this.once("data",h)})},throw:t,return:t,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[k]=!1;let e=!1,t=()=>(this.pause(),this.off($i,t),this.off(y,t),this.off("end",t),e=!0,{done:!0,value:void 0}),i=()=>{if(e)return t();let r=this.read();return r===null?t():{done:!1,value:r}};return this.once("end",t),this.once($i,t),this.once(y,t),{next:i,throw:t,return:t,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(e){if(this[y])return e?this.emit("error",e):this.emit(y),this;this[y]=!0,this[k]=!0,this[R].length=0,this[v]=0;let t=this;return typeof t.close=="function"&&!this[jt]&&t.close(),e?this.emit("error",e):this.emit(y),this}static get isStream(){return F.isStream}};F.Minipass=Ht});var Ke=d(W=>{"use strict";var xr=W&&W.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(W,"__esModule",{value:!0});W.WriteStreamSync=W.WriteStream=W.ReadStreamSync=W.ReadStream=void 0;var Fo=xr(require("events")),B=xr(require("fs")),Co=We(),Bo=B.default.writev,ye=Symbol("_autoClose"),$=Symbol("_close"),_t=Symbol("_ended"),p=Symbol("_fd"),is=Symbol("_finished"),fe=Symbol("_flags"),ss=Symbol("_flush"),as=Symbol("_handleChunk"),hs=Symbol("_makeBuf"),yt=Symbol("_mode"),Zt=Symbol("_needDrain"),Ge=Symbol("_onerror"),Ye=Symbol("_onopen"),rs=Symbol("_onread"),He=Symbol("_onwrite"),Ee=Symbol("_open"),V=Symbol("_path"),we=Symbol("_pos"),ee=Symbol("_queue"),Ze=Symbol("_read"),ns=Symbol("_readSize"),ce=Symbol("_reading"),wt=Symbol("_remain"),os=Symbol("_size"),Gt=Symbol("_write"),Ne=Symbol("_writing"),Yt=Symbol("_defaultFlag"),Me=Symbol("_errored"),Kt=class extends Co.Minipass{[Me]=!1;[p];[V];[ns];[ce]=!1;[os];[wt];[ye];constructor(e,t){if(t=t||{},super(t),this.readable=!0,this.writable=!1,typeof e!="string")throw new TypeError("path must be a string");this[Me]=!1,this[p]=typeof t.fd=="number"?t.fd:void 0,this[V]=e,this[ns]=t.readSize||16*1024*1024,this[ce]=!1,this[os]=typeof t.size=="number"?t.size:1/0,this[wt]=this[os],this[ye]=typeof t.autoClose=="boolean"?t.autoClose:!0,typeof this[p]=="number"?this[Ze]():this[Ee]()}get fd(){return this[p]}get path(){return this[V]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[Ee](){B.default.open(this[V],"r",(e,t)=>this[Ye](e,t))}[Ye](e,t){e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Ze]())}[hs](){return Buffer.allocUnsafe(Math.min(this[ns],this[wt]))}[Ze](){if(!this[ce]){this[ce]=!0;let e=this[hs]();if(e.length===0)return process.nextTick(()=>this[rs](null,0,e));B.default.read(this[p],e,0,e.length,null,(t,i,r)=>this[rs](t,i,r))}}[rs](e,t,i){this[ce]=!1,e?this[Ge](e):this[as](t,i)&&this[Ze]()}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}[Ge](e){this[ce]=!0,this[$](),this.emit("error",e)}[as](e,t){let i=!1;return this[wt]-=e,e>0&&(i=super.write(ethis[Ye](e,t))}[Ye](e,t){this[Yt]&&this[fe]==="r+"&&e&&e.code==="ENOENT"?(this[fe]="w",this[Ee]()):e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Ne]||this[ss]())}end(e,t){return e&&this.write(e,t),this[_t]=!0,!this[Ne]&&!this[ee].length&&typeof this[p]=="number"&&this[He](null,0),this}write(e,t){return typeof e=="string"&&(e=Buffer.from(e,t)),this[_t]?(this.emit("error",new Error("write() after end()")),!1):this[p]===void 0||this[Ne]||this[ee].length?(this[ee].push(e),this[Zt]=!0,!1):(this[Ne]=!0,this[Gt](e),!0)}[Gt](e){B.default.write(this[p],e,0,e.length,this[we],(t,i)=>this[He](t,i))}[He](e,t){e?this[Ge](e):(this[we]!==void 0&&typeof t=="number"&&(this[we]+=t),this[ee].length?this[ss]():(this[Ne]=!1,this[_t]&&!this[is]?(this[is]=!0,this[$](),this.emit("finish")):this[Zt]&&(this[Zt]=!1,this.emit("drain"))))}[ss](){if(this[ee].length===0)this[_t]&&this[He](null,0);else if(this[ee].length===1)this[Gt](this[ee].pop());else{let e=this[ee];this[ee]=[],Bo(this[p],e,this[we],(t,i)=>this[He](t,i))}}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}};W.WriteStream=Vt;var us=class extends Vt{[Ee](){let e;if(this[Yt]&&this[fe]==="r+")try{e=B.default.openSync(this[V],this[fe],this[yt])}catch(t){if(t?.code==="ENOENT")return this[fe]="w",this[Ee]();throw t}else e=B.default.openSync(this[V],this[fe],this[yt]);this[Ye](null,e)}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.closeSync(e),this.emit("close")}}[Gt](e){let t=!0;try{this[He](null,B.default.writeSync(this[p],e,0,e.length,this[we])),t=!1}finally{if(t)try{this[$]()}catch{}}}};W.WriteStreamSync=us});var $t=d(b=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});b.dealias=b.isNoFile=b.isFile=b.isAsync=b.isSync=b.isAsyncNoFile=b.isSyncNoFile=b.isAsyncFile=b.isSyncFile=void 0;var zo=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),ko=s=>!!s.sync&&!!s.file;b.isSyncFile=ko;var jo=s=>!s.sync&&!!s.file;b.isAsyncFile=jo;var xo=s=>!!s.sync&&!s.file;b.isSyncNoFile=xo;var Uo=s=>!s.sync&&!s.file;b.isAsyncNoFile=Uo;var qo=s=>!!s.sync;b.isSync=qo;var Wo=s=>!s.sync;b.isAsync=Wo;var Ho=s=>!!s.file;b.isFile=Ho;var Zo=s=>!s.file;b.isNoFile=Zo;var Go=s=>{let e=zo.get(s);return e||s},Yo=(s={})=>{if(!s)return{};let e={};for(let[t,i]of Object.entries(s)){let r=Go(t);e[r]=i}return e.chmod===void 0&&e.noChmod===!1&&(e.chmod=!0),delete e.noChmod,e};b.dealias=Yo});var Ve=d(Xt=>{"use strict";Object.defineProperty(Xt,"__esModule",{value:!0});Xt.makeCommand=void 0;var Et=$t(),Ko=(s,e,t,i,r)=>Object.assign((n=[],o,a)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(a=o,o=void 0),o=o?Array.from(o):[];let h=(0,Et.dealias)(n);if(r?.(h,o),(0,Et.isSyncFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return s(h,o)}else if((0,Et.isAsyncFile)(h)){let l=e(h,o);return a?l.then(()=>a(),a):l}else if((0,Et.isSyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return t(h,o)}else if((0,Et.isAsyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback only supported with file option");return i(h,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:e,syncNoFile:t,asyncNoFile:i,validate:r});Xt.makeCommand=Ko});var cs=d($e=>{"use strict";var Vo=$e&&$e.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty($e,"__esModule",{value:!0});$e.constants=void 0;var $o=Vo(require("zlib")),Xo=$o.default.constants||{ZLIB_VERNUM:4736};$e.constants=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},Xo))});var Ts=d(f=>{"use strict";var Qo=f&&f.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Jo=f&&f.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ea=f&&f.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;rs,fs=qr?.writable===!0||qr?.set!==void 0?s=>{Le.Buffer.concat=s?na:ra}:s=>{},Ae=Symbol("_superWrite"),Ie=class extends Error{code;errno;constructor(e,t){super("zlib: "+e.message,{cause:e}),this.code=e.code,this.errno=e.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+e.message,Error.captureStackTrace(this,t??this.constructor)}get name(){return"ZlibError"}};f.ZlibError=Ie;var ds=Symbol("flushFlag"),bt=class extends ia.Minipass{#e=!1;#i=!1;#s;#n;#r;#t;#o;get sawError(){return this.#e}get handle(){return this.#t}get flushFlag(){return this.#s}constructor(e,t){if(!e||typeof e!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(e),this.#s=e.flush??0,this.#n=e.finishFlush??0,this.#r=e.fullFlushFlag??0,typeof Ur[t]!="function")throw new TypeError("Compression method not supported: "+t);try{this.#t=new Ur[t](e)}catch(i){throw new Ie(i,this.constructor)}this.#o=i=>{this.#e||(this.#e=!0,this.close(),this.emit("error",i))},this.#t?.on("error",i=>this.#o(new Ie(i))),this.once("end",()=>this.close)}close(){this.#t&&(this.#t.close(),this.#t=void 0,this.emit("close"))}reset(){if(!this.#e)return(0,ms.default)(this.#t,"zlib binding closed"),this.#t.reset?.()}flush(e){this.ended||(typeof e!="number"&&(e=this.#r),this.write(Object.assign(Le.Buffer.alloc(0),{[ds]:e})))}end(e,t,i){return typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&(t?this.write(e,t):this.write(e)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Ae](e){return super.write(e)}write(e,t,i){if(typeof t=="function"&&(i=t,t="utf8"),typeof e=="string"&&(e=Le.Buffer.from(e,t)),this.#e)return;(0,ms.default)(this.#t,"zlib binding closed");let r=this.#t._handle,n=r.close;r.close=()=>{};let o=this.#t.close;this.#t.close=()=>{},fs(!0);let a;try{let l=typeof e[ds]=="number"?e[ds]:this.#s;a=this.#t._processChunk(e,l),fs(!1)}catch(l){fs(!1),this.#o(new Ie(l,this.write))}finally{this.#t&&(this.#t._handle=r,r.close=n,this.#t.close=o,this.#t.removeAllListeners("error"))}this.#t&&this.#t.on("error",l=>this.#o(new Ie(l,this.write)));let h;if(a)if(Array.isArray(a)&&a.length>0){let l=a[0];h=this[Ae](Le.Buffer.from(l));for(let u=1;u{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(e,t)}finally{this.handle.flush=i}this.handle&&(this.#e=e,this.#i=t)}}}};f.Zlib=ie;var ps=class extends ie{constructor(e){super(e,"Deflate")}};f.Deflate=ps;var _s=class extends ie{constructor(e){super(e,"Inflate")}};f.Inflate=_s;var ws=class extends ie{#e;constructor(e){super(e,"Gzip"),this.#e=e&&!!e.portable}[Ae](e){return this.#e?(this.#e=!1,e[9]=255,super[Ae](e)):super[Ae](e)}};f.Gzip=ws;var ys=class extends ie{constructor(e){super(e,"Gunzip")}};f.Gunzip=ys;var Es=class extends ie{constructor(e){super(e,"DeflateRaw")}};f.DeflateRaw=Es;var bs=class extends ie{constructor(e){super(e,"InflateRaw")}};f.InflateRaw=bs;var Ss=class extends ie{constructor(e){super(e,"Unzip")}};f.Unzip=Ss;var Qt=class extends bt{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.BROTLI_OPERATION_PROCESS,e.finishFlush=e.finishFlush||te.constants.BROTLI_OPERATION_FINISH,e.fullFlushFlag=te.constants.BROTLI_OPERATION_FLUSH,super(e,t)}},gs=class extends Qt{constructor(e){super(e,"BrotliCompress")}};f.BrotliCompress=gs;var Os=class extends Qt{constructor(e){super(e,"BrotliDecompress")}};f.BrotliDecompress=Os;var Jt=class extends bt{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.ZSTD_e_continue,e.finishFlush=e.finishFlush||te.constants.ZSTD_e_end,e.fullFlushFlag=te.constants.ZSTD_e_flush,super(e,t)}},Rs=class extends Jt{constructor(e){super(e,"ZstdCompress")}};f.ZstdCompress=Rs;var vs=class extends Jt{constructor(e){super(e,"ZstdDecompress")}};f.ZstdDecompress=vs});var Zr=d(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.parse=Xe.encode=void 0;var oa=(s,e)=>{if(Number.isSafeInteger(s))s<0?ha(s,e):aa(s,e);else throw Error("cannot encode number outside of javascript safe integer range");return e};Xe.encode=oa;var aa=(s,e)=>{e[0]=128;for(var t=e.length;t>1;t--)e[t-1]=s&255,s=Math.floor(s/256)},ha=(s,e)=>{e[0]=255;var t=!1;s=s*-1;for(var i=e.length;i>1;i--){var r=s&255;s=Math.floor(s/256),t?e[i-1]=Wr(r):r===0?e[i-1]=0:(t=!0,e[i-1]=Hr(r))}},la=s=>{let e=s[0],t=e===128?ca(s.subarray(1,s.length)):e===255?ua(s):null;if(t===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(t))throw Error("parsed number outside of javascript safe integer range");return t};Xe.parse=la;var ua=s=>{for(var e=s.length,t=0,i=!1,r=e-1;r>-1;r--){var n=Number(s[r]),o;i?o=Wr(n):n===0?o=n:(i=!0,o=Hr(n)),o!==0&&(t-=o*Math.pow(256,e-r-1))}return t},ca=s=>{for(var e=s.length,t=0,i=e-1;i>-1;i--){var r=Number(s[i]);r!==0&&(t+=r*Math.pow(256,e-i-1))}return t},Wr=s=>(255^s)&255,Hr=s=>(255^s)+1&255});var Ds=d(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.code=j.name=j.isName=j.isCode=void 0;var fa=s=>j.name.has(s);j.isCode=fa;var da=s=>j.code.has(s);j.isName=da;j.name=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]);j.code=new Map(Array.from(j.name).map(s=>[s[1],s[0]]))});var Je=d(se=>{"use strict";var ma=se&&se.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),pa=se&&se.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Gr=se&&se.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r=t+512))throw new Error("need 512 bytes for header");this.path=i?.path??Fe(e,t,100),this.mode=i?.mode??r?.mode??be(e,t+100,8),this.uid=i?.uid??r?.uid??be(e,t+108,8),this.gid=i?.gid??r?.gid??be(e,t+116,8),this.size=i?.size??r?.size??be(e,t+124,12),this.mtime=i?.mtime??r?.mtime??Ps(e,t+136,12),this.cksum=be(e,t+148,12),r&&this.#i(r,!0),i&&this.#i(i);let n=Fe(e,t+156,1);if(St.isCode(n)&&(this.#e=n||"0"),this.#e==="0"&&this.path.slice(-1)==="/"&&(this.#e="5"),this.#e==="5"&&(this.size=0),this.linkpath=Fe(e,t+157,100),e.subarray(t+257,t+265).toString()==="ustar\x0000")if(this.uname=i?.uname??r?.uname??Fe(e,t+265,32),this.gname=i?.gname??r?.gname??Fe(e,t+297,32),this.devmaj=i?.devmaj??r?.devmaj??be(e,t+329,8)??0,this.devmin=i?.devmin??r?.devmin??be(e,t+337,8)??0,e[t+475]!==0){let a=Fe(e,t+345,155);this.path=a+"/"+this.path}else{let a=Fe(e,t+345,130);a&&(this.path=a+"/"+this.path),this.atime=i?.atime??r?.atime??Ps(e,t+476,12),this.ctime=i?.ctime??r?.ctime??Ps(e,t+488,12)}let o=256;for(let a=t;a!(r==null||i==="path"&&t||i==="linkpath"&&t||i==="global"))))}encode(e,t=0){if(e||(e=this.block=Buffer.alloc(512)),this.#e==="Unsupported"&&(this.#e="0"),!(e.length>=t+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=_a(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Ce(e,t,100,n)||this.needPax,this.needPax=Se(e,t+100,8,this.mode)||this.needPax,this.needPax=Se(e,t+108,8,this.uid)||this.needPax,this.needPax=Se(e,t+116,8,this.gid)||this.needPax,this.needPax=Se(e,t+124,12,this.size)||this.needPax,this.needPax=Ns(e,t+136,12,this.mtime)||this.needPax,e[t+156]=Number(this.#e.codePointAt(0)),this.needPax=Ce(e,t+157,100,this.linkpath)||this.needPax,e.write("ustar\x0000",t+257,8),this.needPax=Ce(e,t+265,32,this.uname)||this.needPax,this.needPax=Ce(e,t+297,32,this.gname)||this.needPax,this.needPax=Se(e,t+329,8,this.devmaj)||this.needPax,this.needPax=Se(e,t+337,8,this.devmin)||this.needPax,this.needPax=Ce(e,t+345,i,o)||this.needPax,e[t+475]!==0?this.needPax=Ce(e,t+345,155,o)||this.needPax:(this.needPax=Ce(e,t+345,130,o)||this.needPax,this.needPax=Ns(e,t+476,12,this.atime)||this.needPax,this.needPax=Ns(e,t+488,12,this.ctime)||this.needPax);let a=256;for(let h=t;h{let i=s,r="",n,o=Qe.posix.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Qe.posix.dirname(i),i=Qe.posix.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=e?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=e?n=[i.slice(0,99),r,!0]:(i=Qe.posix.join(Qe.posix.basename(r),i),r=Qe.posix.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},Fe=(s,e,t)=>s.subarray(e,e+t).toString("utf8").replace(/\0.*/,""),Ps=(s,e,t)=>wa(be(s,e,t)),wa=s=>s===void 0?void 0:new Date(s*1e3),be=(s,e,t)=>Number(s[e])&128?Yr.parse(s.subarray(e,e+t)):Ea(s,e,t),ya=s=>isNaN(s)?void 0:s,Ea=(s,e,t)=>ya(parseInt(s.subarray(e,e+t).toString("utf8").replace(/\0.*$/,"").trim(),8)),ba={12:8589934591,8:2097151},Se=(s,e,t,i)=>i===void 0?!1:i>ba[t]||i<0?(Yr.encode(i,s.subarray(e,e+t)),!0):(Sa(s,e,t,i),!1),Sa=(s,e,t,i)=>s.write(ga(i,t),e,t,"ascii"),ga=(s,e)=>Oa(Math.floor(s).toString(8),e),Oa=(s,e)=>(s.length===e-1?s:new Array(e-s.length-1).join("0")+s+" ")+"\0",Ns=(s,e,t,i)=>i===void 0?!1:Se(s,e,t,i.getTime()/1e3),Ra=new Array(156).join("\0"),Ce=(s,e,t,i)=>i===void 0?!1:(s.write(i+Ra,e,t,"utf8"),i.length!==Buffer.byteLength(i)||i.length>t)});var ti=d(ei=>{"use strict";Object.defineProperty(ei,"__esModule",{value:!0});ei.Pax=void 0;var va=require("node:path"),Ta=Je(),Ls=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(e,t=!1){this.atime=e.atime,this.charset=e.charset,this.comment=e.comment,this.ctime=e.ctime,this.dev=e.dev,this.gid=e.gid,this.global=t,this.gname=e.gname,this.ino=e.ino,this.linkpath=e.linkpath,this.mtime=e.mtime,this.nlink=e.nlink,this.path=e.path,this.size=e.size,this.uid=e.uid,this.uname=e.uname}encode(){let e=this.encodeBody();if(e==="")return Buffer.allocUnsafe(0);let t=Buffer.byteLength(e),i=512*Math.ceil(1+t/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new Ta.Header({path:("PaxHeader/"+(0,va.basename)(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:t,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(e,512,t,"utf8");for(let n=t+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(e,t,i=!1){return new s(Da(Pa(e),t),i)}};ei.Pax=Ls;var Da=(s,e)=>e?Object.assign({},e,s):s,Pa=s=>s.replace(/\n$/,"").split(`
-`).reduce(Na,Object.create(null)),Na=(s,e)=>{let t=parseInt(e,10);if(t!==Buffer.byteLength(e)+1)return s;e=e.slice((t+" ").length);let i=e.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s}});var et=d(ii=>{"use strict";Object.defineProperty(ii,"__esModule",{value:!0});ii.normalizeWindowsPath=void 0;var Ma=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform;ii.normalizeWindowsPath=Ma!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/")});var ni=d(ri=>{"use strict";Object.defineProperty(ri,"__esModule",{value:!0});ri.ReadEntry=void 0;var La=We(),si=et(),As=class extends La.Minipass{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(e,t,i){switch(super({}),this.pause(),this.extended=t,this.globalExtended=i,this.header=e,this.remain=e.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=e.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!e.path)throw new Error("no path provided for tar.ReadEntry");this.path=(0,si.normalizeWindowsPath)(e.path),this.mode=e.mode,this.mode&&(this.mode=this.mode&4095),this.uid=e.uid,this.gid=e.gid,this.uname=e.uname,this.gname=e.gname,this.size=this.remain,this.mtime=e.mtime,this.atime=e.atime,this.ctime=e.ctime,this.linkpath=e.linkpath?(0,si.normalizeWindowsPath)(e.linkpath):void 0,this.uname=e.uname,this.gname=e.gname,t&&this.#e(t),i&&this.#e(i,!0)}write(e){let t=e.length;if(t>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-t),this.blockRemain=Math.max(0,r-t),this.ignore?!0:i>=t?super.write(e):super.write(e.subarray(0,i))}#e(e,t=!1){e.path&&(e.path=(0,si.normalizeWindowsPath)(e.path)),e.linkpath&&(e.linkpath=(0,si.normalizeWindowsPath)(e.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(e).filter(([i,r])=>!(r==null||i==="path"&&t))))}};ri.ReadEntry=As});var ai=d(oi=>{"use strict";Object.defineProperty(oi,"__esModule",{value:!0});oi.warnMethod=void 0;var Aa=(s,e,t,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=t instanceof Error&&t.code||e,i.tarCode=e,!s.strict&&i.recoverable!==!1?(t instanceof Error&&(i=Object.assign(t,i),t=t.message),s.emit("warn",e,t,i)):t instanceof Error?s.emit("error",Object.assign(t,i)):s.emit("error",Object.assign(new Error(`${e}: ${t}`),i))};oi.warnMethod=Aa});var pi=d(mi=>{"use strict";Object.defineProperty(mi,"__esModule",{value:!0});mi.Parser=void 0;var Ia=require("events"),Is=Ts(),Kr=Je(),Vr=ti(),Fa=ni(),Ca=ai(),Ba=1024*1024,ks=Buffer.from([31,139]),js=Buffer.from([40,181,47,253]),za=Math.max(ks.length,js.length),H=Symbol("state"),Be=Symbol("writeEntry"),de=Symbol("readEntry"),Fs=Symbol("nextEntry"),$r=Symbol("processEntry"),re=Symbol("extendedHeader"),gt=Symbol("globalExtendedHeader"),ge=Symbol("meta"),Xr=Symbol("emitMeta"),_=Symbol("buffer"),me=Symbol("queue"),Oe=Symbol("ended"),Cs=Symbol("emittedEnd"),ze=Symbol("emit"),S=Symbol("unzip"),hi=Symbol("consumeChunk"),li=Symbol("consumeChunkSub"),Bs=Symbol("consumeBody"),Qr=Symbol("consumeMeta"),Jr=Symbol("consumeHeader"),Ot=Symbol("consuming"),zs=Symbol("bufferConcat"),ui=Symbol("maybeEnd"),tt=Symbol("writing"),Re=Symbol("aborted"),ci=Symbol("onDone"),ke=Symbol("sawValidEntry"),fi=Symbol("sawNullBlock"),di=Symbol("sawEOF"),en=Symbol("closeStream"),ka=()=>!0,xs=class extends Ia.EventEmitter{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[me]=[];[_];[de];[Be];[H]="begin";[ge]="";[re];[gt];[Oe]=!1;[S];[Re]=!1;[ke];[fi]=!1;[di]=!1;[tt]=!1;[Ot]=!1;[Cs]=!1;constructor(e={}){super(),this.file=e.file||"",this.on(ci,()=>{(this[H]==="begin"||this[ke]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),e.ondone?this.on(ci,e.ondone):this.on(ci,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!e.strict,this.maxMetaEntrySize=e.maxMetaEntrySize||Ba,this.filter=typeof e.filter=="function"?e.filter:ka;let t=e.file&&(e.file.endsWith(".tar.br")||e.file.endsWith(".tbr"));this.brotli=!(e.gzip||e.zstd)&&e.brotli!==void 0?e.brotli:t?void 0:!1;let i=e.file&&(e.file.endsWith(".tar.zst")||e.file.endsWith(".tzst"));this.zstd=!(e.gzip||e.brotli)&&e.zstd!==void 0?e.zstd:i?!0:void 0,this.on("end",()=>this[en]()),typeof e.onwarn=="function"&&this.on("warn",e.onwarn),typeof e.onReadEntry=="function"&&this.on("entry",e.onReadEntry)}warn(e,t,i={}){(0,Ca.warnMethod)(this,e,t,i)}[Jr](e,t){this[ke]===void 0&&(this[ke]=!1);let i;try{i=new Kr.Header(e,t,this[re],this[gt])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[fi]?(this[di]=!0,this[H]==="begin"&&(this[H]="header"),this[ze]("eof")):(this[fi]=!0,this[ze]("nullBlock"));else if(this[fi]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[Be]=new Fa.ReadEntry(i,this[re],this[gt]);if(!this[ke])if(n.remain){let o=()=>{n.invalid||(this[ke]=!0)};n.on("end",o)}else this[ke]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[ze]("ignoredEntry",n),this[H]="ignore",n.resume()):n.size>0&&(this[ge]="",n.on("data",o=>this[ge]+=o),this[H]="meta"):(this[re]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[ze]("ignoredEntry",n),this[H]=n.remain?"ignore":"header",n.resume()):(n.remain?this[H]="body":(this[H]="header",n.end()),this[de]?this[me].push(n):(this[me].push(n),this[Fs]())))}}}[en](){queueMicrotask(()=>this.emit("close"))}[$r](e){let t=!0;if(!e)this[de]=void 0,t=!1;else if(Array.isArray(e)){let[i,...r]=e;this.emit(i,...r)}else this[de]=e,this.emit("entry",e),e.emittedEnd||(e.on("end",()=>this[Fs]()),t=!1);return t}[Fs](){do;while(this[$r](this[me].shift()));if(this[me].length===0){let e=this[de];!e||e.flowing||e.size===e.remain?this[tt]||this.emit("drain"):e.once("drain",()=>this.emit("drain"))}}[Bs](e,t){let i=this[Be];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=e.length&&t===0?e:e.subarray(t,t+r);return i.write(n),i.blockRemain||(this[H]="header",this[Be]=void 0,i.end()),n.length}[Qr](e,t){let i=this[Be],r=this[Bs](e,t);return!this[Be]&&i&&this[Xr](i),r}[ze](e,t,i){this[me].length===0&&!this[de]?this.emit(e,t,i):this[me].push([e,t,i])}[Xr](e){switch(this[ze]("meta",this[ge]),e.type){case"ExtendedHeader":case"OldExtendedHeader":this[re]=Vr.Pax.parse(this[ge],this[re],!1);break;case"GlobalExtendedHeader":this[gt]=Vr.Pax.parse(this[ge],this[gt],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let t=this[re]??Object.create(null);this[re]=t,t.path=this[ge].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let t=this[re]||Object.create(null);this[re]=t,t.linkpath=this[ge].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+e.type)}}abort(e){this[Re]=!0,this.emit("abort",e),this.warn("TAR_ABORT",e,{recoverable:!1})}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this[Re])return i?.(),!1;if((this[S]===void 0||this.brotli===void 0&&this[S]===!1)&&e){if(this[_]&&(e=Buffer.concat([this[_],e]),this[_]=void 0),e.lengththis[hi](u)),this[S].on("error",u=>this.abort(u)),this[S].on("end",()=>{this[Oe]=!0,this[hi]()}),this[tt]=!0;let l=!!this[S][h?"end":"write"](e);return this[tt]=!1,i?.(),l}}this[tt]=!0,this[S]?this[S].write(e):this[hi](e),this[tt]=!1;let n=this[me].length>0?!1:this[de]?this[de].flowing:!0;return!n&&this[me].length===0&&this[de]?.once("drain",()=>this.emit("drain")),i?.(),n}[zs](e){e&&!this[Re]&&(this[_]=this[_]?Buffer.concat([this[_],e]):e)}[ui](){if(this[Oe]&&!this[Cs]&&!this[Re]&&!this[Ot]){this[Cs]=!0;let e=this[Be];if(e&&e.blockRemain){let t=this[_]?this[_].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${e.blockRemain} more bytes, only ${t} available)`,{entry:e}),this[_]&&e.write(this[_]),e.end()}this[ze](ci)}}[hi](e){if(this[Ot]&&e)this[zs](e);else if(!e&&!this[_])this[ui]();else if(e){if(this[Ot]=!0,this[_]){this[zs](e);let t=this[_];this[_]=void 0,this[li](t)}else this[li](e);for(;this[_]&&this[_]?.length>=512&&!this[Re]&&!this[di];){let t=this[_];this[_]=void 0,this[li](t)}this[Ot]=!1}(!this[_]||this[Oe])&&this[ui]()}[li](e){let t=0,i=e.length;for(;t+512<=i&&!this[Re]&&!this[di];)switch(this[H]){case"begin":case"header":this[Jr](e,t),t+=512;break;case"ignore":case"body":t+=this[Bs](e,t);break;case"meta":t+=this[Qr](e,t);break;default:throw new Error("invalid state: "+this[H])}t{"use strict";Object.defineProperty(_i,"__esModule",{value:!0});_i.stripTrailingSlashes=void 0;var ja=s=>{let e=s.length-1,t=-1;for(;e>-1&&s.charAt(e)==="/";)t=e,e--;return t===-1?s:s.slice(0,t)};_i.stripTrailingSlashes=ja});var st=d(C=>{"use strict";var xa=C&&C.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Ua=C&&C.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),qa=C&&C.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=s.onReadEntry;s.onReadEntry=e?t=>{e(t),t.resume()}:t=>t.resume()},Ya=(s,e)=>{let t=new Map(e.map(n=>[(0,Us.stripTrailingSlashes)(n),!0])),i=s.filter,r=(n,o="")=>{let a=o||(0,tn.parse)(n).root||".",h;if(n===a)h=!1;else{let l=t.get(n);h=l!==void 0?l:r((0,tn.dirname)(n),a)}return t.set(n,h),h};s.filter=i?(n,o)=>i(n,o)&&r((0,Us.stripTrailingSlashes)(n)):n=>r((0,Us.stripTrailingSlashes)(n))};C.filesFilter=Ya;var Ka=s=>{let e=new yi.Parser(s),t=s.file,i;try{i=it.default.openSync(t,"r");let r=it.default.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let t=new yi.Parser(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("end",o),it.default.stat(r,(h,l)=>{if(h)a(h);else{let u=new Ha.ReadStream(r,{readSize:i,size:l.size});u.on("error",a),u.pipe(t)}})})};C.list=(0,Za.makeCommand)(Ka,Va,s=>new yi.Parser(s),s=>new yi.Parser(s),(s,e)=>{e?.length&&(0,C.filesFilter)(s,e),s.noResume||Ga(s)})});var sn=d(Ei=>{"use strict";Object.defineProperty(Ei,"__esModule",{value:!0});Ei.modeFix=void 0;var $a=(s,e,t)=>(s&=4095,t&&(s=(s|384)&-19),e&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);Ei.modeFix=$a});var qs=d(bi=>{"use strict";Object.defineProperty(bi,"__esModule",{value:!0});bi.stripAbsolutePath=void 0;var Xa=require("node:path"),{isAbsolute:Qa,parse:rn}=Xa.win32,Ja=s=>{let e="",t=rn(s);for(;Qa(s)||t.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":t.root;s=s.slice(i.length),e+=i,t=rn(s)}return[e,s]};bi.stripAbsolutePath=Ja});var Hs=d(rt=>{"use strict";Object.defineProperty(rt,"__esModule",{value:!0});rt.decode=rt.encode=void 0;var Si=["|","<",">","?",":"],Ws=Si.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),eh=new Map(Si.map((s,e)=>[s,Ws[e]])),th=new Map(Ws.map((s,e)=>[s,Si[e]])),ih=s=>Si.reduce((e,t)=>e.split(t).join(eh.get(t)),s);rt.encode=ih;var sh=s=>Ws.reduce((e,t)=>e.split(t).join(th.get(t)),s);rt.decode=sh});var tr=d(M=>{"use strict";var rh=M&&M.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),nh=M&&M.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),oh=M&&M.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;re?(s=(0,ne.normalizeWindowsPath)(s).replace(/^\.(\/|$)/,""),(0,ah.stripTrailingSlashes)(e)+"/"+s):(0,ne.normalizeWindowsPath)(s),lh=16*1024*1024,on=Symbol("process"),an=Symbol("file"),hn=Symbol("directory"),Gs=Symbol("symlink"),ln=Symbol("hardlink"),Rt=Symbol("header"),gi=Symbol("read"),Ys=Symbol("lstat"),Oi=Symbol("onlstat"),Ks=Symbol("onread"),Vs=Symbol("onreadlink"),$s=Symbol("openfile"),Xs=Symbol("onopenfile"),ve=Symbol("close"),Ri=Symbol("mode"),Qs=Symbol("awaitDrain"),Zs=Symbol("ondrain"),ae=Symbol("prefix"),vi=class extends cn.Minipass{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#e=!1;constructor(e,t={}){let i=(0,mn.dealias)(t);super(),this.path=(0,ne.normalizeWindowsPath)(e),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||lh,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=(0,ne.normalizeWindowsPath)(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?(0,ne.normalizeWindowsPath)(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,a]=(0,_n.stripAbsolutePath)(this.path);o&&typeof a=="string"&&(this.path=a,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=hh.decode(this.path.replaceAll(/\\/g,"/")),e=e.replaceAll(/\\/g,"/")),this.absolute=(0,ne.normalizeWindowsPath)(i.absolute||nn.default.resolve(this.cwd,e)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[Oi](n):this[Ys]()}warn(e,t,i={}){return(0,wn.warnMethod)(this,e,t,i)}emit(e,...t){return e==="error"&&(this.#e=!0),super.emit(e,...t)}[Ys](){oe.default.lstat(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Oi](t)})}[Oi](e){this.statCache.set(this.absolute,e),this.stat=e,e.isFile()||(e.size=0),this.type=uh(e),this.emit("stat",e),this[on]()}[on](){switch(this.type){case"File":return this[an]();case"Directory":return this[hn]();case"SymbolicLink":return this[Gs]();default:return this.end()}}[Ri](e){return(0,dn.modeFix)(e,this.type==="Directory",this.portable)}[ae](e){return yn(e,this.prefix)}[Rt](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new fn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this[Ri](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new pn.Pax({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let e=this.header?.block;if(!e)throw new Error("failed to encode header");super.write(e)}[hn](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[Rt](),this.end()}[Gs](){oe.default.readlink(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Vs](t)})}[Vs](e){this.linkpath=(0,ne.normalizeWindowsPath)(e),this[Rt](),this.end()}[ln](e){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=(0,ne.normalizeWindowsPath)(nn.default.relative(this.cwd,e)),this.stat.size=0,this[Rt](),this.end()}[an](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let e=`${this.stat.dev}:${this.stat.ino}`,t=this.linkCache.get(e);if(t?.indexOf(this.cwd)===0)return this[ln](t);this.linkCache.set(e,this.absolute)}if(this[Rt](),this.stat.size===0)return this.end();this[$s]()}[$s](){oe.default.open(this.absolute,"r",(e,t)=>{if(e)return this.emit("error",e);this[Xs](t)})}[Xs](e){if(this.fd=e,this.#e)return this[ve]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let t=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(t),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[gi]()}[gi](){let{fd:e,buf:t,offset:i,length:r,pos:n}=this;if(e===void 0||t===void 0)throw new Error("cannot read file without first opening");oe.default.read(e,t,i,r,n,(o,a)=>{if(o)return this[ve](()=>this.emit("error",o));this[Ks](a)})}[ve](e=()=>{}){this.fd!==void 0&&oe.default.close(this.fd,e)}[Ks](e){if(e<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(e>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(e===this.remain)for(let r=e;rthis[Zs]())}[Qs](e){this.once("drain",e)}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this.blockRemaine?this.emit("error",e):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[gi]()}};M.WriteEntry=vi;var Js=class extends vi{sync=!0;[Ys](){this[Oi](oe.default.lstatSync(this.absolute))}[Gs](){this[Vs](oe.default.readlinkSync(this.absolute))}[$s](){this[Xs](oe.default.openSync(this.absolute,"r"))}[gi](){let e=!0;try{let{fd:t,buf:i,offset:r,length:n,pos:o}=this;if(t===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let a=oe.default.readSync(t,i,r,n,o);this[Ks](a),e=!1}finally{if(e)try{this[ve](()=>{})}catch{}}}[Qs](e){e()}[ve](e=()=>{}){this.fd!==void 0&&oe.default.closeSync(this.fd),e()}};M.WriteEntrySync=Js;var er=class extends cn.Minipass{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(e,t,i={}){return(0,wn.warnMethod)(this,e,t,i)}constructor(e,t={}){let i=(0,mn.dealias)(t);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=e;let{type:r}=e;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=(0,ne.normalizeWindowsPath)(e.path),this.mode=e.mode!==void 0?this[Ri](e.mode):void 0,this.uid=this.portable?void 0:e.uid,this.gid=this.portable?void 0:e.gid,this.uname=this.portable?void 0:e.uname,this.gname=this.portable?void 0:e.gname,this.size=e.size,this.mtime=this.noMtime?void 0:i.mtime||e.mtime,this.atime=this.portable?void 0:e.atime,this.ctime=this.portable?void 0:e.ctime,this.linkpath=e.linkpath!==void 0?(0,ne.normalizeWindowsPath)(e.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[a,h]=(0,_n.stripAbsolutePath)(this.path);a&&typeof h=="string"&&(this.path=h,n=a)}this.remain=e.size,this.blockRemain=e.startBlockSize,this.onWriteEntry?.(this),this.header=new fn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new pn.Pax({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),e.pipe(this)}[ae](e){return yn(e,this.prefix)}[Ri](e){return(0,dn.modeFix)(e,this.type==="Directory",this.portable)}write(e,t,i){typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8"));let r=e.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(e,i)}end(e,t,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,t??"utf8")),i&&this.once("finish",i),e?super.end(e,i):super.end(i),this}};M.WriteEntryTar=er;var uh=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported"});var En=d(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.Node=ot.Yallist=void 0;var ir=class s{tail;head;length=0;static create(e=[]){return new s(e)}constructor(e=[]){for(let t of e)this.push(t)}*[Symbol.iterator](){for(let e=this.head;e;e=e.next)yield e.value}removeNode(e){if(e.list!==this)throw new Error("removing node which does not belong to this list");let t=e.next,i=e.prev;return t&&(t.prev=i),i&&(i.next=t),e===this.head&&(this.head=t),e===this.tail&&(this.tail=i),this.length--,e.next=void 0,e.prev=void 0,e.list=void 0,t}unshiftNode(e){if(e===this.head)return;e.list&&e.list.removeNode(e);let t=this.head;e.list=this,e.next=t,t&&(t.prev=e),this.head=e,this.tail||(this.tail=e),this.length++}pushNode(e){if(e===this.tail)return;e.list&&e.list.removeNode(e);let t=this.tail;e.list=this,e.prev=t,t&&(t.next=e),this.tail=e,this.head||(this.head=e),this.length++}push(...e){for(let t=0,i=e.length;t1)i=t;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=e(i,r.value,n),r=r.next;return i}reduceReverse(e,t){let i,r=this.tail;if(arguments.length>1)i=t;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=e(i,r.value,n),r=r.prev;return i}toArray(){let e=new Array(this.length);for(let t=0,i=this.head;i;t++)e[t]=i.value,i=i.next;return e}toArrayReverse(){let e=new Array(this.length);for(let t=0,i=this.tail;i;t++)e[t]=i.value,i=i.prev;return e}slice(e=0,t=this.length){t<0&&(t+=this.length),e<0&&(e+=this.length);let i=new s;if(tthis.length&&(t=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(t=this.length);let r=this.length,n=this.tail;for(;n&&r>t;r--)n=n.prev;for(;n&&r>e;r--,n=n.prev)i.push(n.value);return i}splice(e,t=0,...i){e>this.length&&(e=this.length-1),e<0&&(e=this.length+e);let r=this.head;for(let o=0;r&&o{"use strict";var mh=L&&L.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),ph=L&&L.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),_h=L&&L.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(e.gzip&&(typeof e.gzip!="object"&&(e.gzip={}),this.portable&&(e.gzip.portable=!0),this.zip=new sr.Gzip(e.gzip)),e.brotli&&(typeof e.brotli!="object"&&(e.brotli={}),this.zip=new sr.BrotliCompress(e.brotli)),e.zstd&&(typeof e.zstd!="object"&&(e.zstd={}),this.zip=new sr.ZstdCompress(e.zstd)),!this.zip)throw new Error("impossible");let t=this.zip;t.on("data",i=>super.write(i)),t.on("end",()=>super.end()),t.on("drain",()=>this[ar]()),this.on("resume",()=>t.resume())}else this.on("drain",this[ar]);this.noDirRecurse=!!e.noDirRecurse,this.follow=!!e.follow,this.noMtime=!!e.noMtime,e.mtime&&(this.mtime=e.mtime),this.filter=typeof e.filter=="function"?e.filter:()=>!0,this[X]=new yh.Yallist,this[Q]=0,this.jobs=Number(e.jobs)||4,this[Tt]=!1,this[vt]=!1}[vn](e){return super.write(e)}add(e){return this.write(e),this}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&this.add(e),this[vt]=!0,this[xe](),i&&i(),this}write(e){if(this[vt])throw new Error("write after end");return e instanceof Eh.ReadEntry?this[Sn](e):this[Di](e),this.flowing}[Sn](e){let t=(0,hr.normalizeWindowsPath)(On.default.resolve(this.cwd,e.path));if(!this.filter(e.path,e))e.resume();else{let i=new Dt(e.path,t);i.entry=new lr.WriteEntryTar(e,this[or](i)),i.entry.on("end",()=>this[nr](i)),this[Q]+=1,this[X].push(i)}this[xe]()}[Di](e){let t=(0,hr.normalizeWindowsPath)(On.default.resolve(this.cwd,e));this[X].push(new Dt(e,t)),this[xe]()}[ur](e){e.pending=!0,this[Q]+=1;let t=this.follow?"stat":"lstat";Li.default[t](e.absolute,(i,r)=>{e.pending=!1,this[Q]-=1,i?this.emit("error",i):this[Ti](e,r)})}[Ti](e,t){this.statCache.set(e.absolute,t),e.stat=t,this.filter(e.path,t)?t.isFile()&&t.nlink>1&&e===this[je]&&!this.linkCache.get(`${t.dev}:${t.ino}`)&&!this.sync&&this[rr](e):e.ignore=!0,this[xe]()}[cr](e){e.pending=!0,this[Q]+=1,Li.default.readdir(e.absolute,(t,i)=>{if(e.pending=!1,this[Q]-=1,t)return this.emit("error",t);this[Pi](e,i)})}[Pi](e,t){this.readdirCache.set(e.absolute,t),e.readdir=t,this[xe]()}[xe](){if(!this[Tt]){this[Tt]=!0;for(let e=this[X].head;e&&this[Q]this.warn(t,i,r),noPax:this.noPax,cwd:this.cwd,absolute:e.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[gn](e){this[Q]+=1;try{return new this[Mi](e.path,this[or](e)).on("end",()=>this[nr](e)).on("error",i=>this.emit("error",i))}catch(t){this.emit("error",t)}}[ar](){this[je]&&this[je].entry&&this[je].entry.resume()}[Ni](e){e.piped=!0,e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Di](o+r)});let t=e.entry,i=this.zip;if(!t)throw new Error("cannot pipe without source");i?t.on("data",r=>{i.write(r)||t.pause()}):t.on("data",r=>{super.write(r)||t.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(e,t,i={}){(0,bh.warnMethod)(this,e,t,i)}};L.Pack=Ai;var fr=class extends Ai{sync=!0;constructor(e){super(e),this[Mi]=lr.WriteEntrySync}pause(){}resume(){}[ur](e){let t=this.follow?"statSync":"lstatSync";this[Ti](e,Li.default[t](e.absolute))}[cr](e){this[Pi](e,Li.default.readdirSync(e.absolute))}[Ni](e){let t=e.entry,i=this.zip;if(e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Di](o+r)}),!t)throw new Error("Cannot pipe without source");i?t.on("data",r=>{i.write(r)}):t.on("data",r=>{super[vn](r)})}};L.PackSync=fr});var dr=d(at=>{"use strict";var Sh=at&&at.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(at,"__esModule",{value:!0});at.create=void 0;var Tn=Ke(),Dn=Sh(require("node:path")),Pn=st(),gh=Ve(),Fi=Ii(),Oh=(s,e)=>{let t=new Fi.PackSync(s),i=new Tn.WriteStreamSync(s.file,{mode:s.mode||438});t.pipe(i),Nn(t,e)},Rh=(s,e)=>{let t=new Fi.Pack(s),i=new Tn.WriteStream(s.file,{mode:s.mode||438});t.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),t.on("error",o)});return Mn(t,e).catch(n=>t.emit("error",n)),r},Nn=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,Pn.list)({file:Dn.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},Mn=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,Pn.list)({file:Dn.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(t);s.end()},vh=(s,e)=>{let t=new Fi.PackSync(s);return Nn(t,e),t},Th=(s,e)=>{let t=new Fi.Pack(s);return Mn(t,e).catch(i=>t.emit("error",i)),t};at.create=(0,gh.makeCommand)(Oh,Rh,vh,Th,(s,e)=>{if(!e?.length)throw new TypeError("no paths specified to add to archive")})});var jn=d(ht=>{"use strict";var Dh=ht&&ht.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ht,"__esModule",{value:!0});ht.getWriteFlag=void 0;var In=Dh(require("fs")),Ph=process.env.__FAKE_PLATFORM__||process.platform,Fn=Ph==="win32",{O_CREAT:Cn,O_NOFOLLOW:Ln,O_TRUNC:Bn,O_WRONLY:zn}=In.default.constants,kn=Number(process.env.__FAKE_FS_O_FILENAME__)||In.default.constants.UV_FS_O_FILEMAP||0,Nh=Fn&&!!kn,Mh=512*1024,Lh=kn|Bn|Cn|zn,An=!Fn&&typeof Ln=="number"?Ln|Bn|Cn|zn:null;ht.getWriteFlag=An!==null?()=>An:Nh?s=>s"w"});var Un=d(he=>{"use strict";var xn=he&&he.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(he,"__esModule",{value:!0});he.chownrSync=he.chownr=void 0;var Bi=xn(require("node:fs")),Pt=xn(require("node:path")),mr=(s,e,t)=>{try{return Bi.default.lchownSync(s,e,t)}catch(i){if(i?.code!=="ENOENT")throw i}},Ci=(s,e,t,i)=>{Bi.default.lchown(s,e,t,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},Ah=(s,e,t,i,r)=>{if(e.isDirectory())(0,he.chownr)(Pt.default.resolve(s,e.name),t,i,n=>{if(n)return r(n);let o=Pt.default.resolve(s,e.name);Ci(o,t,i,r)});else{let n=Pt.default.resolve(s,e.name);Ci(n,t,i,r)}},Ih=(s,e,t,i)=>{Bi.default.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return Ci(s,e,t,i);let o=n.length,a=null,h=l=>{if(!a){if(l)return i(a=l);if(--o===0)return Ci(s,e,t,i)}};for(let l of n)Ah(s,l,e,t,h)})};he.chownr=Ih;var Fh=(s,e,t,i)=>{e.isDirectory()&&(0,he.chownrSync)(Pt.default.resolve(s,e.name),t,i),mr(Pt.default.resolve(s,e.name),t,i)},Ch=(s,e,t)=>{let i;try{i=Bi.default.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return mr(s,e,t);throw n}for(let r of i)Fh(s,r,e,t);return mr(s,e,t)};he.chownrSync=Ch});var qn=d(zi=>{"use strict";Object.defineProperty(zi,"__esModule",{value:!0});zi.CwdError=void 0;var pr=class extends Error{path;code;syscall="chdir";constructor(e,t){super(`${t}: Cannot cd into '${e}'`),this.path=e,this.code=t}get name(){return"CwdError"}};zi.CwdError=pr});var wr=d(ki=>{"use strict";Object.defineProperty(ki,"__esModule",{value:!0});ki.SymlinkError=void 0;var _r=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(e,t){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=e,this.path=t}get name(){return"SymlinkError"}};ki.SymlinkError=_r});var Yn=d(Te=>{"use strict";var Er=Te&&Te.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(Te,"__esModule",{value:!0});Te.mkdirSync=Te.mkdir=void 0;var Wn=Un(),x=Er(require("node:fs")),Bh=Er(require("node:fs/promises")),ji=Er(require("node:path")),Hn=qn(),pe=et(),Zn=wr(),zh=(s,e)=>{x.default.stat(s,(t,i)=>{(t||!i.isDirectory())&&(t=new Hn.CwdError(s,t?.code||"ENOTDIR")),e(t)})},kh=(s,e,t)=>{s=(0,pe.normalizeWindowsPath)(s);let i=e.umask??18,r=e.mode|448,n=(r&i)!==0,o=e.uid,a=e.gid,h=typeof o=="number"&&typeof a=="number"&&(o!==e.processUid||a!==e.processGid),l=e.preserve,u=e.unlink,c=(0,pe.normalizeWindowsPath)(e.cwd),E=(w,P)=>{w?t(w):P&&h?(0,Wn.chownr)(P,o,a,zt=>E(zt)):n?x.default.chmod(s,r,t):t()};if(s===c)return zh(s,E);if(l)return Bh.default.mkdir(s,{mode:r,recursive:!0}).then(w=>E(null,w??void 0),E);let A=(0,pe.normalizeWindowsPath)(ji.default.relative(c,s)).split("/");yr(c,A,r,u,c,void 0,E)};Te.mkdir=kh;var yr=(s,e,t,i,r,n,o)=>{if(e.length===0)return o(null,n);let a=e.shift(),h=(0,pe.normalizeWindowsPath)(ji.default.resolve(s+"/"+a));x.default.mkdir(h,t,Gn(h,e,t,i,r,n,o))},Gn=(s,e,t,i,r,n,o)=>a=>{a?x.default.lstat(s,(h,l)=>{if(h)h.path=h.path&&(0,pe.normalizeWindowsPath)(h.path),o(h);else if(l.isDirectory())yr(s,e,t,i,r,n,o);else if(i)x.default.unlink(s,u=>{if(u)return o(u);x.default.mkdir(s,t,Gn(s,e,t,i,r,n,o))});else{if(l.isSymbolicLink())return o(new Zn.SymlinkError(s,s+"/"+e.join("/")));o(a)}}):(n=n||s,yr(s,e,t,i,r,n,o))},jh=s=>{let e=!1,t;try{e=x.default.statSync(s).isDirectory()}catch(i){t=i?.code}finally{if(!e)throw new Hn.CwdError(s,t??"ENOTDIR")}},xh=(s,e)=>{s=(0,pe.normalizeWindowsPath)(s);let t=e.umask??18,i=e.mode|448,r=(i&t)!==0,n=e.uid,o=e.gid,a=typeof n=="number"&&typeof o=="number"&&(n!==e.processUid||o!==e.processGid),h=e.preserve,l=e.unlink,u=(0,pe.normalizeWindowsPath)(e.cwd),c=w=>{w&&a&&(0,Wn.chownrSync)(w,n,o),r&&x.default.chmodSync(s,i)};if(s===u)return jh(u),c();if(h)return c(x.default.mkdirSync(s,{mode:i,recursive:!0})??void 0);let D=(0,pe.normalizeWindowsPath)(ji.default.relative(u,s)).split("/"),A;for(let w=D.shift(),P=u;w&&(P+="/"+w);w=D.shift()){P=(0,pe.normalizeWindowsPath)(ji.default.resolve(P));try{x.default.mkdirSync(P,i),A=A||P}catch{let zt=x.default.lstatSync(P);if(zt.isDirectory())continue;if(l){x.default.unlinkSync(P),x.default.mkdirSync(P,i),A=A||P;continue}else if(zt.isSymbolicLink())return new Zn.SymlinkError(P,P+"/"+D.join("/"))}}return c(A)};Te.mkdirSync=xh});var Vn=d(xi=>{"use strict";Object.defineProperty(xi,"__esModule",{value:!0});xi.normalizeUnicode=void 0;var br=Object.create(null),Kn=1e4,lt=new Set,Uh=s=>{lt.has(s)?lt.delete(s):br[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),lt.add(s);let e=br[s],t=lt.size-Kn;if(t>Kn/10){for(let i of lt)if(lt.delete(i),delete br[i],--t<=0)break}return e};xi.normalizeUnicode=Uh});var Xn=d(Ui=>{"use strict";Object.defineProperty(Ui,"__esModule",{value:!0});Ui.PathReservations=void 0;var $n=require("node:path"),qh=Vn(),Wh=wi(),Hh=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Zh=Hh==="win32",Gh=s=>s.split("/").slice(0,-1).reduce((t,i)=>{let r=t.at(-1);return r!==void 0&&(i=(0,$n.join)(r,i)),t.push(i||"/"),t},[]),Sr=class{#e=new Map;#i=new Map;#s=new Set;reserve(e,t){e=Zh?["win32 parallelization disabled"]:e.map(r=>(0,Wh.stripTrailingSlashes)((0,$n.join)((0,qh.normalizeUnicode)(r))));let i=new Set(e.map(r=>Gh(r)).reduce((r,n)=>r.concat(n)));this.#i.set(t,{dirs:i,paths:e});for(let r of e){let n=this.#e.get(r);n?n.push(t):this.#e.set(r,[t])}for(let r of i){let n=this.#e.get(r);if(!n)this.#e.set(r,[new Set([t])]);else{let o=n.at(-1);o instanceof Set?o.add(t):n.push(new Set([t]))}}return this.#r(t)}#n(e){let t=this.#i.get(e);if(!t)throw new Error("function does not have any path reservations");return{paths:t.paths.map(i=>this.#e.get(i)),dirs:[...t.dirs].map(i=>this.#e.get(i))}}check(e){let{paths:t,dirs:i}=this.#n(e);return t.every(r=>r&&r[0]===e)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(e))}#r(e){return this.#s.has(e)||!this.check(e)?!1:(this.#s.add(e),e(()=>this.#t(e)),!0)}#t(e){if(!this.#s.has(e))return!1;let t=this.#i.get(e);if(!t)throw new Error("invalid reservation");let{paths:i,dirs:r}=t,n=new Set;for(let o of i){let a=this.#e.get(o);if(!a||a?.[0]!==e)continue;let h=a[1];if(!h){this.#e.delete(o);continue}if(a.shift(),typeof h=="function")n.add(h);else for(let l of h)n.add(l)}for(let o of r){let a=this.#e.get(o),h=a?.[0];if(!(!a||!(h instanceof Set)))if(h.size===1&&a.length===1){this.#e.delete(o);continue}else if(h.size===1){a.shift();let l=a[0];typeof l=="function"&&n.add(l)}else h.delete(e)}return this.#s.delete(e),n.forEach(o=>this.#r(o)),!0}};Ui.PathReservations=Sr});var Qn=d(qi=>{"use strict";Object.defineProperty(qi,"__esModule",{value:!0});qi.umask=void 0;var Yh=()=>process.umask();qi.umask=Yh});var Ar=d(z=>{"use strict";var Kh=z&&z.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Vh=z&&z.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ho=z&&z.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{if(!Ct)return m.default.unlink(s,e);let t=s+".DELETE."+(0,lo.randomBytes)(16).toString("hex");m.default.rename(s,t,i=>{if(i)return e(i);m.default.unlink(t,e)})},nl=s=>{if(!Ct)return m.default.unlinkSync(s);let e=s+".DELETE."+(0,lo.randomBytes)(16).toString("hex");m.default.renameSync(s,e),m.default.unlinkSync(e)},ao=(s,e,t)=>s!==void 0&&s===s>>>0?s:e!==void 0&&e===e>>>0?e:t,Zi=class extends Qh.Parser{[Or]=!1;[Ft]=!1;[Wi]=0;reservations=new el.PathReservations;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(e={}){if(e.ondone=()=>{this[Or]=!0,this[Rr]()},super(e),this.transform=e.transform,this.chmod=!!e.chmod,typeof e.uid=="number"||typeof e.gid=="number"){if(typeof e.uid!="number"||typeof e.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(e.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=e.uid,this.gid=e.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=e.preserveOwner===void 0&&typeof e.uid!="number"?!!(process.getuid&&process.getuid()===0):!!e.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof e.maxDepth=="number"?e.maxDepth:sl,this.forceChown=e.forceChown===!0,this.win32=!!e.win32||Ct,this.newer=!!e.newer,this.keep=!!e.keep,this.noMtime=!!e.noMtime,this.preservePaths=!!e.preservePaths,this.unlink=!!e.unlink,this.cwd=(0,U.normalizeWindowsPath)(g.default.resolve(e.cwd||process.cwd())),this.strip=Number(e.strip)||0,this.processUmask=this.chmod?typeof e.processUmask=="number"?e.processUmask:(0,tl.umask)():0,this.umask=typeof e.umask=="number"?e.umask:this.processUmask,this.dmode=e.dmode||511&~this.umask,this.fmode=e.fmode||438&~this.umask,this.on("entry",t=>this[eo](t))}warn(e,t,i={}){return(e==="TAR_BAD_ARCHIVE"||e==="TAR_ABORT")&&(i.recoverable=!1),super.warn(e,t,i)}[Rr](){this[Or]&&this[Wi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[gr](e,t){let i=e[t],{type:r}=e;if(!i||this.preservePaths)return!0;let[n,o]=(0,Jh.stripAbsolutePath)(i),a=o.replaceAll(/\\/g,"/").split("/");if(a.includes("..")||Ct&&/^[a-z]:\.\.$/i.test(a[0]??"")){if(t==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${t} contains '..'`,{entry:e,[t]:i}),!1;let h=g.default.posix.dirname(e.path),l=g.default.posix.normalize(g.default.posix.join(h,a.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${t} escapes extraction directory`,{entry:e,[t]:i}),!1}return n&&(e[t]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${t}`,{entry:e,[t]:i})),!0}[no](e){let t=(0,U.normalizeWindowsPath)(e.path),i=t.split("/");if(this.strip){if(i.length=this.strip)e.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),e.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:e,path:t,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[gr](e,"path")||!this[gr](e,"linkpath"))return!1;if(e.absolute=g.default.isAbsolute(e.path)?(0,U.normalizeWindowsPath)(g.default.resolve(e.path)):(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,e.path)),!this.preservePaths&&typeof e.absolute=="string"&&e.absolute.indexOf(this.cwd+"/")!==0&&e.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:e,path:(0,U.normalizeWindowsPath)(e.path),resolvedPath:e.absolute,cwd:this.cwd}),!1;if(e.absolute===this.cwd&&e.type!=="Directory"&&e.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=g.default.win32.parse(String(e.absolute));e.absolute=r+Jn.encode(String(e.absolute).slice(r.length));let{root:n}=g.default.win32.parse(e.path);e.path=n+Jn.encode(e.path.slice(n.length))}return!0}[eo](e){if(!this[no](e))return e.resume();switch(Xh.default.equal(typeof e.absolute,"string"),e.type){case"Directory":case"GNUDumpDir":e.mode&&(e.mode=e.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[vr](e);default:return this[ro](e)}}[T](e,t){e.name==="CwdError"?this.emit("error",e):(this.warn("TAR_ENTRY_ERROR",e,{entry:t}),this[ut](),t.resume())}[De](e,t,i){(0,co.mkdir)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t},i)}[Lt](e){return this.forceChown||this.preserveOwner&&(typeof e.uid=="number"&&e.uid!==this.processUid||typeof e.gid=="number"&&e.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[At](e){return ao(this.uid,e.uid,this.processUid)}[It](e){return ao(this.gid,e.gid,this.processGid)}[Dr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=new $h.WriteStream(String(e.absolute),{flags:(0,uo.getWriteFlag)(e.size),mode:i,autoClose:!1});r.on("error",h=>{r.fd&&m.default.close(r.fd,()=>{}),r.write=()=>!0,this[T](h,e),t()});let n=1,o=h=>{if(h){r.fd&&m.default.close(r.fd,()=>{}),this[T](h,e),t();return}--n===0&&r.fd!==void 0&&m.default.close(r.fd,l=>{l?this[T](l,e):this[ut](),t()})};r.on("finish",()=>{let h=String(e.absolute),l=r.fd;if(typeof l=="number"&&e.mtime&&!this.noMtime){n++;let u=e.atime||new Date,c=e.mtime;m.default.futimes(l,u,c,E=>E?m.default.utimes(h,u,c,D=>o(D&&E)):o())}if(typeof l=="number"&&this[Lt](e)){n++;let u=this[At](e),c=this[It](e);typeof u=="number"&&typeof c=="number"&&m.default.fchown(l,u,c,E=>E?m.default.chown(h,u,c,D=>o(D&&E)):o())}o()});let a=this.transform&&this.transform(e)||e;a!==e&&(a.on("error",h=>{this[T](h,e),t()}),e.pipe(a)),a.pipe(r)}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode;this[De](String(e.absolute),i,r=>{if(r){this[T](r,e),t();return}let n=1,o=()=>{--n===0&&(t(),this[ut](),e.resume())};e.mtime&&!this.noMtime&&(n++,m.default.utimes(String(e.absolute),e.atime||new Date,e.mtime,o)),this[Lt](e)&&(n++,m.default.chown(String(e.absolute),Number(this[At](e)),Number(this[It](e)),o)),o()})}[ro](e){e.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${e.type}`,{entry:e}),e.resume()}[io](e,t){let i=(0,U.normalizeWindowsPath)(g.default.relative(this.cwd,g.default.resolve(g.default.dirname(String(e.absolute)),String(e.linkpath)))).split("/");this[Mt](e,this.cwd,i,()=>this[Hi](e,String(e.linkpath),"symlink",t),r=>{this[T](r,e),t()})}[so](e,t){let i=(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,String(e.linkpath))),r=(0,U.normalizeWindowsPath)(String(e.linkpath)).split("/");this[Mt](e,this.cwd,r,()=>this[Hi](e,i,"link",t),n=>{this[T](n,e),t()})}[Mt](e,t,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let a=g.default.resolve(t,o);m.default.lstat(a,(h,l)=>{if(h)return r();if(l?.isSymbolicLink())return n(new fo.SymlinkError(a,g.default.resolve(a,i.join("/"))));this[Mt](e,a,i,r,n)})}[oo](){this[Wi]++}[ut](){this[Wi]--,this[Rr]()}[Nr](e){this[ut](),e.resume()}[Tr](e,t){return e.type==="File"&&!this.unlink&&t.isFile()&&t.nlink<=1&&!Ct}[vr](e){this[oo]();let t=[e.path];e.linkpath&&t.push(e.linkpath),this.reservations.reserve(t,i=>this[to](e,i))}[to](e,t){let i=a=>{t(a)},r=()=>{this[De](this.cwd,this.dmode,a=>{if(a){this[T](a,e),i();return}this[Ft]=!0,n()})},n=()=>{if(e.absolute!==this.cwd){let a=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(a!==this.cwd)return this[De](a,this.dmode,h=>{if(h){this[T](h,e),i();return}o()})}o()},o=()=>{m.default.lstat(String(e.absolute),(a,h)=>{if(h&&(this.keep||this.newer&&h.mtime>(e.mtime??h.mtime))){this[Nr](e),i();return}if(a||this[Tr](e,h))return this[Z](null,e,i);if(h.isDirectory()){if(e.type==="Directory"){let l=this.chmod&&e.mode&&(h.mode&4095)!==e.mode,u=c=>this[Z](c??null,e,i);return l?m.default.chmod(String(e.absolute),Number(e.mode),u):u()}if(e.absolute!==this.cwd)return m.default.rmdir(String(e.absolute),l=>this[Z](l??null,e,i))}if(e.absolute===this.cwd)return this[Z](null,e,i);rl(String(e.absolute),l=>this[Z](l??null,e,i))})};this[Ft]?n():r()}[Z](e,t,i){if(e){this[T](e,t),i();return}switch(t.type){case"File":case"OldFile":case"ContiguousFile":return this[Dr](t,i);case"Link":return this[so](t,i);case"SymbolicLink":return this[io](t,i);case"Directory":case"GNUDumpDir":return this[Pr](t,i)}}[Hi](e,t,i,r){m.default[i](t,String(e.absolute),n=>{n?this[T](n,e):(this[ut](),e.resume()),r()})}};z.Unpack=Zi;var Nt=s=>{try{return[null,s()]}catch(e){return[e,null]}},Mr=class extends Zi{sync=!0;[Z](e,t){return super[Z](e,t,()=>{})}[vr](e){if(!this[Ft]){let n=this[De](this.cwd,this.dmode);if(n)return this[T](n,e);this[Ft]=!0}if(e.absolute!==this.cwd){let n=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(n!==this.cwd){let o=this[De](n,this.dmode);if(o)return this[T](o,e)}}let[t,i]=Nt(()=>m.default.lstatSync(String(e.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(e.mtime??i.mtime)))return this[Nr](e);if(t||this[Tr](e,i))return this[Z](null,e);if(i.isDirectory()){if(e.type==="Directory"){let o=this.chmod&&e.mode&&(i.mode&4095)!==e.mode,[a]=o?Nt(()=>{m.default.chmodSync(String(e.absolute),Number(e.mode))}):[];return this[Z](a,e)}let[n]=Nt(()=>m.default.rmdirSync(String(e.absolute)));this[Z](n,e)}let[r]=e.absolute===this.cwd?[]:Nt(()=>nl(String(e.absolute)));this[Z](r,e)}[Dr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=a=>{let h;try{m.default.closeSync(n)}catch(l){h=l}(a||h)&&this[T](a||h,e),t()},n;try{n=m.default.openSync(String(e.absolute),(0,uo.getWriteFlag)(e.size),i)}catch(a){return r(a)}let o=this.transform&&this.transform(e)||e;o!==e&&(o.on("error",a=>this[T](a,e)),e.pipe(o)),o.on("data",a=>{try{m.default.writeSync(n,a,0,a.length)}catch(h){r(h)}}),o.on("end",()=>{let a=null;if(e.mtime&&!this.noMtime){let h=e.atime||new Date,l=e.mtime;try{m.default.futimesSync(n,h,l)}catch(u){try{m.default.utimesSync(String(e.absolute),h,l)}catch{a=u}}}if(this[Lt](e)){let h=this[At](e),l=this[It](e);try{m.default.fchownSync(n,Number(h),Number(l))}catch(u){try{m.default.chownSync(String(e.absolute),Number(h),Number(l))}catch{a=a||u}}}r(a)})}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode,r=this[De](String(e.absolute),i);if(r){this[T](r,e),t();return}if(e.mtime&&!this.noMtime)try{m.default.utimesSync(String(e.absolute),e.atime||new Date,e.mtime)}catch{}if(this[Lt](e))try{m.default.chownSync(String(e.absolute),Number(this[At](e)),Number(this[It](e)))}catch{}t(),e.resume()}[De](e,t){try{return(0,co.mkdirSync)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t})}catch(i){return i}}[Mt](e,t,i,r,n){if(this.preservePaths||i.length===0)return r();let o=t;for(let a of i){o=g.default.resolve(o,a);let[h,l]=Nt(()=>m.default.lstatSync(o));if(h)return r();if(l.isSymbolicLink())return n(new fo.SymlinkError(o,g.default.resolve(t,i.join("/"))))}r()}[Hi](e,t,i,r){let n=`${i}Sync`;try{m.default[n](t,String(e.absolute)),r(),e.resume()}catch(o){return this[T](o,e)}}};z.UnpackSync=Mr});var Ir=d(G=>{"use strict";var ol=G&&G.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),al=G&&G.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),hl=G&&G.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=new Gi.UnpackSync(s),t=s.file,i=po.default.statSync(t),r=s.maxReadSize||16*1024*1024;new mo.ReadStreamSync(t,{readSize:r,size:i.size}).pipe(e)},dl=(s,e)=>{let t=new Gi.Unpack(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("close",o),po.default.stat(r,(h,l)=>{if(h)a(h);else{let u=new mo.ReadStream(r,{readSize:i,size:l.size});u.on("error",a),u.pipe(t)}})})};G.extract=(0,cl.makeCommand)(fl,dl,s=>new Gi.UnpackSync(s),s=>new Gi.Unpack(s),(s,e)=>{e?.length&&(0,ul.filesFilter)(s,e)})});var Yi=d(ct=>{"use strict";var _o=ct&&ct.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ct,"__esModule",{value:!0});ct.replace=void 0;var wo=Ke(),q=_o(require("node:fs")),yo=_o(require("node:path")),Eo=Je(),bo=st(),ml=Ve(),pl=$t(),So=Ii(),_l=(s,e)=>{let t=new So.PackSync(s),i=!0,r,n;try{try{r=q.default.openSync(s.file,"r+")}catch(h){if(h?.code==="ENOENT")r=q.default.openSync(s.file,"w+");else throw h}let o=q.default.fstatSync(r),a=Buffer.alloc(512);e:for(n=0;no.size)break;n+=l,s.mtimeCache&&h.mtime&&s.mtimeCache.set(String(h.path),h.mtime)}i=!1,wl(s,t,n,r,e)}finally{if(i)try{q.default.closeSync(r)}catch{}}},wl=(s,e,t,i,r)=>{let n=new wo.WriteStreamSync(s.file,{fd:i,start:t});e.pipe(n),El(e,r)},yl=(s,e)=>{e=Array.from(e);let t=new So.Pack(s),i=(n,o,a)=>{let h=(D,A)=>{D?q.default.close(n,w=>a(D)):a(null,A)},l=0;if(o===0)return h(null,0);let u=0,c=Buffer.alloc(512),E=(D,A)=>{if(D||A===void 0)return h(D);if(u+=A,u<512&&A)return q.default.read(n,c,u,c.length-u,l+u,E);if(l===0&&c[0]===31&&c[1]===139)return h(new Error("cannot append to compressed archives"));if(u<512)return h(null,l);let w=new Eo.Header(c);if(!w.cksumValid)return h(null,l);let P=512*Math.ceil((w.size??0)/512);if(l+P+512>o||(l+=P+512,l>=o))return h(null,l);s.mtimeCache&&w.mtime&&s.mtimeCache.set(String(w.path),w.mtime),u=0,q.default.read(n,c,0,512,l,E)};q.default.read(n,c,0,512,l,E)};return new Promise((n,o)=>{t.on("error",o);let a="r+",h=(l,u)=>{if(l&&l.code==="ENOENT"&&a==="r+")return a="w+",q.default.open(s.file,a,h);if(l||!u)return o(l);q.default.fstat(u,(c,E)=>{if(c)return q.default.close(u,()=>o(c));i(u,E.size,(D,A)=>{if(D)return o(D);let w=new wo.WriteStream(s.file,{fd:u,start:A});t.pipe(w),w.on("error",o),w.on("close",n),bl(t,e)})})};q.default.open(s.file,a,h)})},El=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,bo.list)({file:yo.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},bl=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,bo.list)({file:yo.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t);s.end()};ct.replace=(0,ml.makeCommand)(_l,yl,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,e)=>{if(!(0,pl.isFile)(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!e?.length)throw new TypeError("no paths specified to add/replace")})});var Fr=d(Ki=>{"use strict";Object.defineProperty(Ki,"__esModule",{value:!0});Ki.update=void 0;var Sl=Ve(),Bt=Yi();Ki.update=(0,Sl.makeCommand)(Bt.replace.syncFile,Bt.replace.asyncFile,Bt.replace.syncNoFile,Bt.replace.asyncNoFile,(s,e=[])=>{Bt.replace.validate?.(s,e),gl(s)});var gl=s=>{let e=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=e?(t,i)=>e(t,i)&&!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0)):(t,i)=>!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0))}});var go=exports&&exports.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Ol=exports&&exports.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Y=exports&&exports.__exportStar||function(s,e){for(var t in s)t!=="default"&&!Object.prototype.hasOwnProperty.call(e,t)&&go(e,s,t)},Rl=exports&&exports.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r()=>(e||s((e={exports:{}}).exports,e),e.exports);var We=d(F=>{"use strict";var Ro=F&&F.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(F,"__esModule",{value:!0});F.Minipass=F.isWritable=F.isReadable=F.isStream=void 0;var Br=typeof process=="object"&&process?process:{stdout:null,stderr:null},ss=require("node:events"),jr=Ro(require("node:stream")),vo=require("node:string_decoder"),To=s=>!!s&&typeof s=="object"&&(s instanceof Zt||s instanceof jr.default||(0,F.isReadable)(s)||(0,F.isWritable)(s));F.isStream=To;var Do=s=>!!s&&typeof s=="object"&&s instanceof ss.EventEmitter&&typeof s.pipe=="function"&&s.pipe!==jr.default.Writable.prototype.pipe;F.isReadable=Do;var Po=s=>!!s&&typeof s=="object"&&s instanceof ss.EventEmitter&&typeof s.write=="function"&&typeof s.end=="function";F.isWritable=Po;var le=Symbol("EOF"),ue=Symbol("maybeEmitEnd"),_e=Symbol("emittedEnd"),xt=Symbol("emittingEnd"),ft=Symbol("emittedError"),jt=Symbol("closed"),zr=Symbol("read"),Ut=Symbol("flush"),kr=Symbol("flushChunk"),K=Symbol("encoding"),Ue=Symbol("decoder"),O=Symbol("flowing"),dt=Symbol("paused"),qe=Symbol("resume"),R=Symbol("buffer"),I=Symbol("pipes"),v=Symbol("bufferLength"),Xi=Symbol("bufferPush"),qt=Symbol("bufferShift"),N=Symbol("objectMode"),y=Symbol("destroyed"),Qi=Symbol("error"),Ji=Symbol("emitData"),xr=Symbol("emitEnd"),es=Symbol("emitEnd2"),J=Symbol("async"),ts=Symbol("abort"),Wt=Symbol("aborted"),mt=Symbol("signal"),Ne=Symbol("dataListeners"),k=Symbol("discarded"),pt=s=>Promise.resolve().then(s),No=s=>s(),Mo=s=>s==="end"||s==="finish"||s==="prefinish",Lo=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Ao=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Ht=class{src;dest;opts;ondrain;constructor(e,t,i){this.src=e,this.dest=t,this.opts=i,this.ondrain=()=>e[qe](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(e){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},is=class extends Ht{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(e,t,i){super(e,t,i),this.proxyErrors=r=>this.dest.emit("error",r),e.on("error",this.proxyErrors)}},Io=s=>!!s.objectMode,Fo=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",Zt=class extends ss.EventEmitter{[O]=!1;[dt]=!1;[I]=[];[R]=[];[N];[K];[J];[Ue];[le]=!1;[_e]=!1;[xt]=!1;[jt]=!1;[ft]=null;[v]=0;[y]=!1;[mt];[Wt]=!1;[Ne]=0;[k]=!1;writable=!0;readable=!0;constructor(...e){let t=e[0]||{};if(super(),t.objectMode&&typeof t.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Io(t)?(this[N]=!0,this[K]=null):Fo(t)?(this[K]=t.encoding,this[N]=!1):(this[N]=!1,this[K]=null),this[J]=!!t.async,this[Ue]=this[K]?new vo.StringDecoder(this[K]):null,t&&t.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[R]}),t&&t.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[I]});let{signal:i}=t;i&&(this[mt]=i,i.aborted?this[ts]():i.addEventListener("abort",()=>this[ts]()))}get bufferLength(){return this[v]}get encoding(){return this[K]}set encoding(e){throw new Error("Encoding must be set at instantiation time")}setEncoding(e){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[N]}set objectMode(e){throw new Error("objectMode must be set at instantiation time")}get async(){return this[J]}set async(e){this[J]=this[J]||!!e}[ts](){this[Wt]=!0,this.emit("abort",this[mt]?.reason),this.destroy(this[mt]?.reason)}get aborted(){return this[Wt]}set aborted(e){}write(e,t,i){if(this[Wt])return!1;if(this[le])throw new Error("write after end");if(this[y])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof t=="function"&&(i=t,t="utf8"),t||(t="utf8");let r=this[J]?pt:No;if(!this[N]&&!Buffer.isBuffer(e)){if(Ao(e))e=Buffer.from(e.buffer,e.byteOffset,e.byteLength);else if(Lo(e))e=Buffer.from(e);else if(typeof e!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[N]?(this[O]&&this[v]!==0&&this[Ut](!0),this[O]?this.emit("data",e):this[Xi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):e.length?(typeof e=="string"&&!(t===this[K]&&!this[Ue]?.lastNeed)&&(e=Buffer.from(e,t)),Buffer.isBuffer(e)&&this[K]&&(e=this[Ue].write(e)),this[O]&&this[v]!==0&&this[Ut](!0),this[O]?this.emit("data",e):this[Xi](e),this[v]!==0&&this.emit("readable"),i&&r(i),this[O]):(this[v]!==0&&this.emit("readable"),i&&r(i),this[O])}read(e){if(this[y])return null;if(this[k]=!1,this[v]===0||e===0||e&&e>this[v])return this[ue](),null;this[N]&&(e=null),this[R].length>1&&!this[N]&&(this[R]=[this[K]?this[R].join(""):Buffer.concat(this[R],this[v])]);let t=this[zr](e||null,this[R][0]);return this[ue](),t}[zr](e,t){if(this[N])this[qt]();else{let i=t;e===i.length||e===null?this[qt]():typeof i=="string"?(this[R][0]=i.slice(e),t=i.slice(0,e),this[v]-=e):(this[R][0]=i.subarray(e),t=i.subarray(0,e),this[v]-=e)}return this.emit("data",t),!this[R].length&&!this[le]&&this.emit("drain"),t}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t="utf8"),e!==void 0&&this.write(e,t),i&&this.once("end",i),this[le]=!0,this.writable=!1,(this[O]||!this[dt])&&this[ue](),this}[qe](){this[y]||(!this[Ne]&&!this[I].length&&(this[k]=!0),this[dt]=!1,this[O]=!0,this.emit("resume"),this[R].length?this[Ut]():this[le]?this[ue]():this.emit("drain"))}resume(){return this[qe]()}pause(){this[O]=!1,this[dt]=!0,this[k]=!1}get destroyed(){return this[y]}get flowing(){return this[O]}get paused(){return this[dt]}[Xi](e){this[N]?this[v]+=1:this[v]+=e.length,this[R].push(e)}[qt](){return this[N]?this[v]-=1:this[v]-=this[R][0].length,this[R].shift()}[Ut](e=!1){do;while(this[kr](this[qt]())&&this[R].length);!e&&!this[R].length&&!this[le]&&this.emit("drain")}[kr](e){return this.emit("data",e),this[O]}pipe(e,t){if(this[y])return e;this[k]=!1;let i=this[_e];return t=t||{},e===Br.stdout||e===Br.stderr?t.end=!1:t.end=t.end!==!1,t.proxyErrors=!!t.proxyErrors,i?t.end&&e.end():(this[I].push(t.proxyErrors?new is(this,e,t):new Ht(this,e,t)),this[J]?pt(()=>this[qe]()):this[qe]()),e}unpipe(e){let t=this[I].find(i=>i.dest===e);t&&(this[I].length===1?(this[O]&&this[Ne]===0&&(this[O]=!1),this[I]=[]):this[I].splice(this[I].indexOf(t),1),t.unpipe())}addListener(e,t){return this.on(e,t)}on(e,t){let i=super.on(e,t);if(e==="data")this[k]=!1,this[Ne]++,!this[I].length&&!this[O]&&this[qe]();else if(e==="readable"&&this[v]!==0)super.emit("readable");else if(Mo(e)&&this[_e])super.emit(e),this.removeAllListeners(e);else if(e==="error"&&this[ft]){let r=t;this[J]?pt(()=>r.call(this,this[ft])):r.call(this,this[ft])}return i}removeListener(e,t){return this.off(e,t)}off(e,t){let i=super.off(e,t);return e==="data"&&(this[Ne]=this.listeners("data").length,this[Ne]===0&&!this[k]&&!this[I].length&&(this[O]=!1)),i}removeAllListeners(e){let t=super.removeAllListeners(e);return(e==="data"||e===void 0)&&(this[Ne]=0,!this[k]&&!this[I].length&&(this[O]=!1)),t}get emittedEnd(){return this[_e]}[ue](){!this[xt]&&!this[_e]&&!this[y]&&this[R].length===0&&this[le]&&(this[xt]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[jt]&&this.emit("close"),this[xt]=!1)}emit(e,...t){let i=t[0];if(e!=="error"&&e!=="close"&&e!==y&&this[y])return!1;if(e==="data")return!this[N]&&!i?!1:this[J]?(pt(()=>this[Ji](i)),!0):this[Ji](i);if(e==="end")return this[xr]();if(e==="close"){if(this[jt]=!0,!this[_e]&&!this[y])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(e==="error"){this[ft]=i,super.emit(Qi,i);let n=!this[mt]||this.listeners("error").length?super.emit("error",i):!1;return this[ue](),n}else if(e==="resume"){let n=super.emit("resume");return this[ue](),n}else if(e==="finish"||e==="prefinish"){let n=super.emit(e);return this.removeAllListeners(e),n}let r=super.emit(e,...t);return this[ue](),r}[Ji](e){for(let i of this[I])i.dest.write(e)===!1&&this.pause();let t=this[k]?!1:super.emit("data",e);return this[ue](),t}[xr](){return this[_e]?!1:(this[_e]=!0,this.readable=!1,this[J]?(pt(()=>this[es]()),!0):this[es]())}[es](){if(this[Ue]){let t=this[Ue].end();if(t){for(let i of this[I])i.dest.write(t);this[k]||super.emit("data",t)}}for(let t of this[I])t.end();let e=super.emit("end");return this.removeAllListeners("end"),e}async collect(){let e=Object.assign([],{dataLength:0});this[N]||(e.dataLength=0);let t=this.promise();return this.on("data",i=>{e.push(i),this[N]||(e.dataLength+=i.length)}),await t,e}async concat(){if(this[N])throw new Error("cannot concat in objectMode");let e=await this.collect();return this[K]?e.join(""):Buffer.concat(e,e.dataLength)}async promise(){return new Promise((e,t)=>{this.on(y,()=>t(new Error("stream destroyed"))),this.on("error",i=>t(i)),this.on("end",()=>e())})}[Symbol.asyncIterator](){this[k]=!1;let e=!1,t=async()=>(this.pause(),e=!0,{value:void 0,done:!0});return{next:()=>{if(e)return t();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[le])return t();let n,o,a=c=>{this.off("data",h),this.off("end",l),this.off(y,u),t(),o(c)},h=c=>{this.off("error",a),this.off("end",l),this.off(y,u),this.pause(),n({value:c,done:!!this[le]})},l=()=>{this.off("error",a),this.off("data",h),this.off(y,u),t(),n({done:!0,value:void 0})},u=()=>a(new Error("stream destroyed"));return new Promise((c,E)=>{o=E,n=c,this.once(y,u),this.once("error",a),this.once("end",l),this.once("data",h)})},throw:t,return:t,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[k]=!1;let e=!1,t=()=>(this.pause(),this.off(Qi,t),this.off(y,t),this.off("end",t),e=!0,{done:!0,value:void 0}),i=()=>{if(e)return t();let r=this.read();return r===null?t():{done:!1,value:r}};return this.once("end",t),this.once(Qi,t),this.once(y,t),{next:i,throw:t,return:t,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(e){if(this[y])return e?this.emit("error",e):this.emit(y),this;this[y]=!0,this[k]=!0,this[R].length=0,this[v]=0;let t=this;return typeof t.close=="function"&&!this[jt]&&t.close(),e?this.emit("error",e):this.emit(y),this}static get isStream(){return F.isStream}};F.Minipass=Zt});var Ke=d(W=>{"use strict";var Ur=W&&W.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(W,"__esModule",{value:!0});W.WriteStreamSync=W.WriteStream=W.ReadStreamSync=W.ReadStream=void 0;var Co=Ur(require("events")),B=Ur(require("fs")),Bo=We(),zo=B.default.writev,ye=Symbol("_autoClose"),$=Symbol("_close"),_t=Symbol("_ended"),p=Symbol("_fd"),rs=Symbol("_finished"),fe=Symbol("_flags"),ns=Symbol("_flush"),ls=Symbol("_handleChunk"),us=Symbol("_makeBuf"),yt=Symbol("_mode"),Gt=Symbol("_needDrain"),Ge=Symbol("_onerror"),Ye=Symbol("_onopen"),os=Symbol("_onread"),He=Symbol("_onwrite"),Ee=Symbol("_open"),V=Symbol("_path"),we=Symbol("_pos"),ee=Symbol("_queue"),Ze=Symbol("_read"),as=Symbol("_readSize"),ce=Symbol("_reading"),wt=Symbol("_remain"),hs=Symbol("_size"),Yt=Symbol("_write"),Me=Symbol("_writing"),Kt=Symbol("_defaultFlag"),Le=Symbol("_errored"),Vt=class extends Bo.Minipass{[Le]=!1;[p];[V];[as];[ce]=!1;[hs];[wt];[ye];constructor(e,t){if(t=t||{},super(t),this.readable=!0,this.writable=!1,typeof e!="string")throw new TypeError("path must be a string");this[Le]=!1,this[p]=typeof t.fd=="number"?t.fd:void 0,this[V]=e,this[as]=t.readSize||16*1024*1024,this[ce]=!1,this[hs]=typeof t.size=="number"?t.size:1/0,this[wt]=this[hs],this[ye]=typeof t.autoClose=="boolean"?t.autoClose:!0,typeof this[p]=="number"?this[Ze]():this[Ee]()}get fd(){return this[p]}get path(){return this[V]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[Ee](){B.default.open(this[V],"r",(e,t)=>this[Ye](e,t))}[Ye](e,t){e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Ze]())}[us](){return Buffer.allocUnsafe(Math.min(this[as],this[wt]))}[Ze](){if(!this[ce]){this[ce]=!0;let e=this[us]();if(e.length===0)return process.nextTick(()=>this[os](null,0,e));B.default.read(this[p],e,0,e.length,null,(t,i,r)=>this[os](t,i,r))}}[os](e,t,i){this[ce]=!1,e?this[Ge](e):this[ls](t,i)&&this[Ze]()}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}[Ge](e){this[ce]=!0,this[$](),this.emit("error",e)}[ls](e,t){let i=!1;return this[wt]-=e,e>0&&(i=super.write(ethis[Ye](e,t))}[Ye](e,t){this[Kt]&&this[fe]==="r+"&&e&&e.code==="ENOENT"?(this[fe]="w",this[Ee]()):e?this[Ge](e):(this[p]=t,this.emit("open",t),this[Me]||this[ns]())}end(e,t){return e&&this.write(e,t),this[_t]=!0,!this[Me]&&!this[ee].length&&typeof this[p]=="number"&&this[He](null,0),this}write(e,t){return typeof e=="string"&&(e=Buffer.from(e,t)),this[_t]?(this.emit("error",new Error("write() after end()")),!1):this[p]===void 0||this[Me]||this[ee].length?(this[ee].push(e),this[Gt]=!0,!1):(this[Me]=!0,this[Yt](e),!0)}[Yt](e){B.default.write(this[p],e,0,e.length,this[we],(t,i)=>this[He](t,i))}[He](e,t){e?this[Ge](e):(this[we]!==void 0&&typeof t=="number"&&(this[we]+=t),this[ee].length?this[ns]():(this[Me]=!1,this[_t]&&!this[rs]?(this[rs]=!0,this[$](),this.emit("finish")):this[Gt]&&(this[Gt]=!1,this.emit("drain"))))}[ns](){if(this[ee].length===0)this[_t]&&this[He](null,0);else if(this[ee].length===1)this[Yt](this[ee].pop());else{let e=this[ee];this[ee]=[],zo(this[p],e,this[we],(t,i)=>this[He](t,i))}}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.close(e,t=>t?this.emit("error",t):this.emit("close"))}}};W.WriteStream=$t;var fs=class extends $t{[Ee](){let e;if(this[Kt]&&this[fe]==="r+")try{e=B.default.openSync(this[V],this[fe],this[yt])}catch(t){if(t?.code==="ENOENT")return this[fe]="w",this[Ee]();throw t}else e=B.default.openSync(this[V],this[fe],this[yt]);this[Ye](null,e)}[$](){if(this[ye]&&typeof this[p]=="number"){let e=this[p];this[p]=void 0,B.default.closeSync(e),this.emit("close")}}[Yt](e){let t=!0;try{this[He](null,B.default.writeSync(this[p],e,0,e.length,this[we])),t=!1}finally{if(t)try{this[$]()}catch{}}}};W.WriteStreamSync=fs});var Xt=d(b=>{"use strict";Object.defineProperty(b,"__esModule",{value:!0});b.dealias=b.isNoFile=b.isFile=b.isAsync=b.isSync=b.isAsyncNoFile=b.isSyncNoFile=b.isAsyncFile=b.isSyncFile=void 0;var ko=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),xo=s=>!!s.sync&&!!s.file;b.isSyncFile=xo;var jo=s=>!s.sync&&!!s.file;b.isAsyncFile=jo;var Uo=s=>!!s.sync&&!s.file;b.isSyncNoFile=Uo;var qo=s=>!s.sync&&!s.file;b.isAsyncNoFile=qo;var Wo=s=>!!s.sync;b.isSync=Wo;var Ho=s=>!s.sync;b.isAsync=Ho;var Zo=s=>!!s.file;b.isFile=Zo;var Go=s=>!s.file;b.isNoFile=Go;var Yo=s=>{let e=ko.get(s);return e||s},Ko=(s={})=>{if(!s)return{};let e={};for(let[t,i]of Object.entries(s)){let r=Yo(t);e[r]=i}return e.chmod===void 0&&e.noChmod===!1&&(e.chmod=!0),delete e.noChmod,e};b.dealias=Ko});var Ve=d(Qt=>{"use strict";Object.defineProperty(Qt,"__esModule",{value:!0});Qt.makeCommand=void 0;var Et=Xt(),Vo=(s,e,t,i,r)=>Object.assign((n=[],o,a)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(a=o,o=void 0),o=o?Array.from(o):[];let h=(0,Et.dealias)(n);if(r?.(h,o),(0,Et.isSyncFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return s(h,o)}else if((0,Et.isAsyncFile)(h)){let l=e(h,o);return a?l.then(()=>a(),a):l}else if((0,Et.isSyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback not supported for sync tar functions");return t(h,o)}else if((0,Et.isAsyncNoFile)(h)){if(typeof a=="function")throw new TypeError("callback only supported with file option");return i(h,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:e,syncNoFile:t,asyncNoFile:i,validate:r});Qt.makeCommand=Vo});var ds=d($e=>{"use strict";var $o=$e&&$e.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty($e,"__esModule",{value:!0});$e.constants=void 0;var Xo=$o(require("zlib")),Qo=Xo.default.constants||{ZLIB_VERNUM:4736};$e.constants=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},Qo))});var Ps=d(f=>{"use strict";var Jo=f&&f.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),ea=f&&f.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ta=f&&f.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;rs,ms=Wr?.writable===!0||Wr?.set!==void 0?s=>{Ae.Buffer.concat=s?oa:na}:s=>{},Ie=Symbol("_superWrite"),Fe=class extends Error{code;errno;constructor(e,t){super("zlib: "+e.message,{cause:e}),this.code=e.code,this.errno=e.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+e.message,Error.captureStackTrace(this,t??this.constructor)}get name(){return"ZlibError"}};f.ZlibError=Fe;var ps=Symbol("flushFlag"),bt=class extends sa.Minipass{#e=!1;#i=!1;#s;#n;#r;#t;#o;get sawError(){return this.#e}get handle(){return this.#t}get flushFlag(){return this.#s}constructor(e,t){if(!e||typeof e!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(e),this.#s=e.flush??0,this.#n=e.finishFlush??0,this.#r=e.fullFlushFlag??0,typeof qr[t]!="function")throw new TypeError("Compression method not supported: "+t);try{this.#t=new qr[t](e)}catch(i){throw new Fe(i,this.constructor)}this.#o=i=>{this.#e||(this.#e=!0,this.close(),this.emit("error",i))},this.#t?.on("error",i=>this.#o(new Fe(i))),this.once("end",()=>this.close)}close(){this.#t&&(this.#t.close(),this.#t=void 0,this.emit("close"))}reset(){if(!this.#e)return(0,_s.default)(this.#t,"zlib binding closed"),this.#t.reset?.()}flush(e){this.ended||(typeof e!="number"&&(e=this.#r),this.write(Object.assign(Ae.Buffer.alloc(0),{[ps]:e})))}end(e,t,i){return typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&(t?this.write(e,t):this.write(e)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Ie](e){return super.write(e)}write(e,t,i){if(typeof t=="function"&&(i=t,t="utf8"),typeof e=="string"&&(e=Ae.Buffer.from(e,t)),this.#e)return;(0,_s.default)(this.#t,"zlib binding closed");let r=this.#t._handle,n=r.close;r.close=()=>{};let o=this.#t.close;this.#t.close=()=>{},ms(!0);let a;try{let l=typeof e[ps]=="number"?e[ps]:this.#s;a=this.#t._processChunk(e,l),ms(!1)}catch(l){ms(!1),this.#o(new Fe(l,this.write))}finally{this.#t&&(this.#t._handle=r,r.close=n,this.#t.close=o,this.#t.removeAllListeners("error"))}this.#t&&this.#t.on("error",l=>this.#o(new Fe(l,this.write)));let h;if(a)if(Array.isArray(a)&&a.length>0){let l=a[0];h=this[Ie](Ae.Buffer.from(l));for(let u=1;u{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(e,t)}finally{this.handle.flush=i}this.handle&&(this.#e=e,this.#i=t)}}}};f.Zlib=ie;var ws=class extends ie{constructor(e){super(e,"Deflate")}};f.Deflate=ws;var ys=class extends ie{constructor(e){super(e,"Inflate")}};f.Inflate=ys;var Es=class extends ie{#e;constructor(e){super(e,"Gzip"),this.#e=e&&!!e.portable}[Ie](e){return this.#e?(this.#e=!1,e[9]=255,super[Ie](e)):super[Ie](e)}};f.Gzip=Es;var bs=class extends ie{constructor(e){super(e,"Gunzip")}};f.Gunzip=bs;var Ss=class extends ie{constructor(e){super(e,"DeflateRaw")}};f.DeflateRaw=Ss;var gs=class extends ie{constructor(e){super(e,"InflateRaw")}};f.InflateRaw=gs;var Os=class extends ie{constructor(e){super(e,"Unzip")}};f.Unzip=Os;var Jt=class extends bt{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.BROTLI_OPERATION_PROCESS,e.finishFlush=e.finishFlush||te.constants.BROTLI_OPERATION_FINISH,e.fullFlushFlag=te.constants.BROTLI_OPERATION_FLUSH,super(e,t)}},Rs=class extends Jt{constructor(e){super(e,"BrotliCompress")}};f.BrotliCompress=Rs;var vs=class extends Jt{constructor(e){super(e,"BrotliDecompress")}};f.BrotliDecompress=vs;var ei=class extends bt{constructor(e,t){e=e||{},e.flush=e.flush||te.constants.ZSTD_e_continue,e.finishFlush=e.finishFlush||te.constants.ZSTD_e_end,e.fullFlushFlag=te.constants.ZSTD_e_flush,super(e,t)}},Ts=class extends ei{constructor(e){super(e,"ZstdCompress")}};f.ZstdCompress=Ts;var Ds=class extends ei{constructor(e){super(e,"ZstdDecompress")}};f.ZstdDecompress=Ds});var Gr=d(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.parse=Xe.encode=void 0;var aa=(s,e)=>{if(Number.isSafeInteger(s))s<0?la(s,e):ha(s,e);else throw Error("cannot encode number outside of javascript safe integer range");return e};Xe.encode=aa;var ha=(s,e)=>{e[0]=128;for(var t=e.length;t>1;t--)e[t-1]=s&255,s=Math.floor(s/256)},la=(s,e)=>{e[0]=255;var t=!1;s=s*-1;for(var i=e.length;i>1;i--){var r=s&255;s=Math.floor(s/256),t?e[i-1]=Hr(r):r===0?e[i-1]=0:(t=!0,e[i-1]=Zr(r))}},ua=s=>{let e=s[0],t=e===128?fa(s.subarray(1,s.length)):e===255?ca(s):null;if(t===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(t))throw Error("parsed number outside of javascript safe integer range");return t};Xe.parse=ua;var ca=s=>{for(var e=s.length,t=0,i=!1,r=e-1;r>-1;r--){var n=Number(s[r]),o;i?o=Hr(n):n===0?o=n:(i=!0,o=Zr(n)),o!==0&&(t-=o*Math.pow(256,e-r-1))}return t},fa=s=>{for(var e=s.length,t=0,i=e-1;i>-1;i--){var r=Number(s[i]);r!==0&&(t+=r*Math.pow(256,e-i-1))}return t},Hr=s=>(255^s)&255,Zr=s=>(255^s)+1&255});var Ns=d(x=>{"use strict";Object.defineProperty(x,"__esModule",{value:!0});x.code=x.name=x.isName=x.isCode=void 0;var da=s=>x.name.has(s);x.isCode=da;var ma=s=>x.code.has(s);x.isName=ma;x.name=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]);x.code=new Map(Array.from(x.name).map(s=>[s[1],s[0]]))});var Je=d(se=>{"use strict";var pa=se&&se.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),_a=se&&se.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Yr=se&&se.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r=t+512))throw new Error("need 512 bytes for header");this.path=i?.path??Ce(e,t,100),this.mode=i?.mode??r?.mode??be(e,t+100,8),this.uid=i?.uid??r?.uid??be(e,t+108,8),this.gid=i?.gid??r?.gid??be(e,t+116,8),this.size=i?.size??r?.size??be(e,t+124,12),this.mtime=i?.mtime??r?.mtime??Ms(e,t+136,12),this.cksum=be(e,t+148,12),r&&this.#i(r,!0),i&&this.#i(i);let n=Ce(e,t+156,1);if(St.isCode(n)&&(this.#e=n||"0"),this.#e==="0"&&this.path.slice(-1)==="/"&&(this.#e="5"),this.#e==="5"&&(this.size=0),this.linkpath=Ce(e,t+157,100),e.subarray(t+257,t+265).toString()==="ustar\x0000")if(this.uname=i?.uname??r?.uname??Ce(e,t+265,32),this.gname=i?.gname??r?.gname??Ce(e,t+297,32),this.devmaj=i?.devmaj??r?.devmaj??be(e,t+329,8)??0,this.devmin=i?.devmin??r?.devmin??be(e,t+337,8)??0,e[t+475]!==0){let a=Ce(e,t+345,155);this.path=a+"/"+this.path}else{let a=Ce(e,t+345,130);a&&(this.path=a+"/"+this.path),this.atime=i?.atime??r?.atime??Ms(e,t+476,12),this.ctime=i?.ctime??r?.ctime??Ms(e,t+488,12)}let o=256;for(let a=t;a!(r==null||i==="path"&&t||i==="linkpath"&&t||i==="global"))))}encode(e,t=0){if(e||(e=this.block=Buffer.alloc(512)),this.#e==="Unsupported"&&(this.#e="0"),!(e.length>=t+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=wa(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Be(e,t,100,n)||this.needPax,this.needPax=Se(e,t+100,8,this.mode)||this.needPax,this.needPax=Se(e,t+108,8,this.uid)||this.needPax,this.needPax=Se(e,t+116,8,this.gid)||this.needPax,this.needPax=Se(e,t+124,12,this.size)||this.needPax,this.needPax=Ls(e,t+136,12,this.mtime)||this.needPax,e[t+156]=Number(this.#e.codePointAt(0)),this.needPax=Be(e,t+157,100,this.linkpath)||this.needPax,e.write("ustar\x0000",t+257,8),this.needPax=Be(e,t+265,32,this.uname)||this.needPax,this.needPax=Be(e,t+297,32,this.gname)||this.needPax,this.needPax=Se(e,t+329,8,this.devmaj)||this.needPax,this.needPax=Se(e,t+337,8,this.devmin)||this.needPax,this.needPax=Be(e,t+345,i,o)||this.needPax,e[t+475]!==0?this.needPax=Be(e,t+345,155,o)||this.needPax:(this.needPax=Be(e,t+345,130,o)||this.needPax,this.needPax=Ls(e,t+476,12,this.atime)||this.needPax,this.needPax=Ls(e,t+488,12,this.ctime)||this.needPax);let a=256;for(let h=t;h{let i=s,r="",n,o=Qe.posix.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Qe.posix.dirname(i),i=Qe.posix.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=e?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=e?n=[i.slice(0,99),r,!0]:(i=Qe.posix.join(Qe.posix.basename(r),i),r=Qe.posix.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},Ce=(s,e,t)=>s.subarray(e,e+t).toString("utf8").replace(/\0.*/,""),Ms=(s,e,t)=>ya(be(s,e,t)),ya=s=>s===void 0?void 0:new Date(s*1e3),be=(s,e,t)=>Number(s[e])&128?Kr.parse(s.subarray(e,e+t)):ba(s,e,t),Ea=s=>isNaN(s)?void 0:s,ba=(s,e,t)=>Ea(parseInt(s.subarray(e,e+t).toString("utf8").replace(/\0.*$/,"").trim(),8)),Sa={12:8589934591,8:2097151},Se=(s,e,t,i)=>i===void 0?!1:i>Sa[t]||i<0?(Kr.encode(i,s.subarray(e,e+t)),!0):(ga(s,e,t,i),!1),ga=(s,e,t,i)=>s.write(Oa(i,t),e,t,"ascii"),Oa=(s,e)=>Ra(Math.floor(s).toString(8),e),Ra=(s,e)=>(s.length===e-1?s:new Array(e-s.length-1).join("0")+s+" ")+"\0",Ls=(s,e,t,i)=>i===void 0?!1:Se(s,e,t,i.getTime()/1e3),va=new Array(156).join("\0"),Be=(s,e,t,i)=>i===void 0?!1:(s.write(i+va,e,t,"utf8"),i.length!==Buffer.byteLength(i)||i.length>t)});var ii=d(ti=>{"use strict";Object.defineProperty(ti,"__esModule",{value:!0});ti.Pax=void 0;var Ta=require("node:path"),Da=Je(),Is=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(e,t=!1){this.atime=e.atime,this.charset=e.charset,this.comment=e.comment,this.ctime=e.ctime,this.dev=e.dev,this.gid=e.gid,this.global=t,this.gname=e.gname,this.ino=e.ino,this.linkpath=e.linkpath,this.mtime=e.mtime,this.nlink=e.nlink,this.path=e.path,this.size=e.size,this.uid=e.uid,this.uname=e.uname}encode(){let e=this.encodeBody();if(e==="")return Buffer.allocUnsafe(0);let t=Buffer.byteLength(e),i=512*Math.ceil(1+t/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new Da.Header({path:("PaxHeader/"+(0,Ta.basename)(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:t,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(e,512,t,"utf8");for(let n=t+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(e,t,i=!1){return new s(Pa(Na(e),t),i)}};ti.Pax=Is;var Pa=(s,e)=>e?Object.assign({},e,s):s,Na=s=>s.replace(/\n$/,"").split(`
+`).reduce(Ma,Object.create(null)),Ma=(s,e)=>{let t=parseInt(e,10);if(t!==Buffer.byteLength(e)+1)return s;e=e.slice((t+" ").length);let i=e.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s}});var et=d(si=>{"use strict";Object.defineProperty(si,"__esModule",{value:!0});si.normalizeWindowsPath=void 0;var La=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform;si.normalizeWindowsPath=La!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/")});var oi=d(ni=>{"use strict";Object.defineProperty(ni,"__esModule",{value:!0});ni.ReadEntry=void 0;var Aa=We(),ri=et(),Fs=class extends Aa.Minipass{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(e,t,i){switch(super({}),this.pause(),this.extended=t,this.globalExtended=i,this.header=e,this.remain=e.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=e.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!e.path)throw new Error("no path provided for tar.ReadEntry");this.path=(0,ri.normalizeWindowsPath)(e.path),this.mode=e.mode,this.mode&&(this.mode=this.mode&4095),this.uid=e.uid,this.gid=e.gid,this.uname=e.uname,this.gname=e.gname,this.size=this.remain,this.mtime=e.mtime,this.atime=e.atime,this.ctime=e.ctime,this.linkpath=e.linkpath?(0,ri.normalizeWindowsPath)(e.linkpath):void 0,this.uname=e.uname,this.gname=e.gname,t&&this.#e(t),i&&this.#e(i,!0)}write(e){let t=e.length;if(t>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-t),this.blockRemain=Math.max(0,r-t),this.ignore?!0:i>=t?super.write(e):super.write(e.subarray(0,i))}#e(e,t=!1){e.path&&(e.path=(0,ri.normalizeWindowsPath)(e.path)),e.linkpath&&(e.linkpath=(0,ri.normalizeWindowsPath)(e.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(e).filter(([i,r])=>!(r==null||i==="path"&&t))))}};ni.ReadEntry=Fs});var hi=d(ai=>{"use strict";Object.defineProperty(ai,"__esModule",{value:!0});ai.warnMethod=void 0;var Ia=(s,e,t,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=t instanceof Error&&t.code||e,i.tarCode=e,!s.strict&&i.recoverable!==!1?(t instanceof Error&&(i=Object.assign(t,i),t=t.message),s.emit("warn",e,t,i)):t instanceof Error?s.emit("error",Object.assign(t,i)):s.emit("error",Object.assign(new Error(`${e}: ${t}`),i))};ai.warnMethod=Ia});var _i=d(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.Parser=void 0;var Fa=require("events"),Cs=Ps(),Vr=Je(),$r=ii(),Ca=oi(),Ba=hi(),za=1024*1024,js=Buffer.from([31,139]),Us=Buffer.from([40,181,47,253]),ka=Math.max(js.length,Us.length),H=Symbol("state"),ze=Symbol("writeEntry"),de=Symbol("readEntry"),Bs=Symbol("nextEntry"),Xr=Symbol("processEntry"),re=Symbol("extendedHeader"),gt=Symbol("globalExtendedHeader"),ge=Symbol("meta"),Qr=Symbol("emitMeta"),_=Symbol("buffer"),me=Symbol("queue"),Oe=Symbol("ended"),zs=Symbol("emittedEnd"),ke=Symbol("emit"),S=Symbol("unzip"),li=Symbol("consumeChunk"),ui=Symbol("consumeChunkSub"),ks=Symbol("consumeBody"),Jr=Symbol("consumeMeta"),en=Symbol("consumeHeader"),Ot=Symbol("consuming"),xs=Symbol("bufferConcat"),ci=Symbol("maybeEnd"),tt=Symbol("writing"),Re=Symbol("aborted"),fi=Symbol("onDone"),xe=Symbol("sawValidEntry"),di=Symbol("sawNullBlock"),mi=Symbol("sawEOF"),tn=Symbol("closeStream"),xa=()=>!0,qs=class extends Fa.EventEmitter{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[me]=[];[_];[de];[ze];[H]="begin";[ge]="";[re];[gt];[Oe]=!1;[S];[Re]=!1;[xe];[di]=!1;[mi]=!1;[tt]=!1;[Ot]=!1;[zs]=!1;constructor(e={}){super(),this.file=e.file||"",this.on(fi,()=>{(this[H]==="begin"||this[xe]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),e.ondone?this.on(fi,e.ondone):this.on(fi,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!e.strict,this.maxMetaEntrySize=e.maxMetaEntrySize||za,this.filter=typeof e.filter=="function"?e.filter:xa;let t=e.file&&(e.file.endsWith(".tar.br")||e.file.endsWith(".tbr"));this.brotli=!(e.gzip||e.zstd)&&e.brotli!==void 0?e.brotli:t?void 0:!1;let i=e.file&&(e.file.endsWith(".tar.zst")||e.file.endsWith(".tzst"));this.zstd=!(e.gzip||e.brotli)&&e.zstd!==void 0?e.zstd:i?!0:void 0,this.on("end",()=>this[tn]()),typeof e.onwarn=="function"&&this.on("warn",e.onwarn),typeof e.onReadEntry=="function"&&this.on("entry",e.onReadEntry)}warn(e,t,i={}){(0,Ba.warnMethod)(this,e,t,i)}[en](e,t){this[xe]===void 0&&(this[xe]=!1);let i;try{i=new Vr.Header(e,t,this[re],this[gt])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[di]?(this[mi]=!0,this[H]==="begin"&&(this[H]="header"),this[ke]("eof")):(this[di]=!0,this[ke]("nullBlock"));else if(this[di]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[ze]=new Ca.ReadEntry(i,this[re],this[gt]);if(!this[xe])if(n.remain){let o=()=>{n.invalid||(this[xe]=!0)};n.on("end",o)}else this[xe]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[ke]("ignoredEntry",n),this[H]="ignore",n.resume()):n.size>0&&(this[ge]="",n.on("data",o=>this[ge]+=o),this[H]="meta"):(this[re]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[ke]("ignoredEntry",n),this[H]=n.remain?"ignore":"header",n.resume()):(n.remain?this[H]="body":(this[H]="header",n.end()),this[de]?this[me].push(n):(this[me].push(n),this[Bs]())))}}}[tn](){queueMicrotask(()=>this.emit("close"))}[Xr](e){let t=!0;if(!e)this[de]=void 0,t=!1;else if(Array.isArray(e)){let[i,...r]=e;this.emit(i,...r)}else this[de]=e,this.emit("entry",e),e.emittedEnd||(e.on("end",()=>this[Bs]()),t=!1);return t}[Bs](){do;while(this[Xr](this[me].shift()));if(this[me].length===0){let e=this[de];!e||e.flowing||e.size===e.remain?this[tt]||this.emit("drain"):e.once("drain",()=>this.emit("drain"))}}[ks](e,t){let i=this[ze];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=e.length&&t===0?e:e.subarray(t,t+r);return i.write(n),i.blockRemain||(this[H]="header",this[ze]=void 0,i.end()),n.length}[Jr](e,t){let i=this[ze],r=this[ks](e,t);return!this[ze]&&i&&this[Qr](i),r}[ke](e,t,i){this[me].length===0&&!this[de]?this.emit(e,t,i):this[me].push([e,t,i])}[Qr](e){switch(this[ke]("meta",this[ge]),e.type){case"ExtendedHeader":case"OldExtendedHeader":this[re]=$r.Pax.parse(this[ge],this[re],!1);break;case"GlobalExtendedHeader":this[gt]=$r.Pax.parse(this[ge],this[gt],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let t=this[re]??Object.create(null);this[re]=t,t.path=this[ge].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let t=this[re]||Object.create(null);this[re]=t,t.linkpath=this[ge].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+e.type)}}abort(e){this[Re]=!0,this.emit("abort",e),this.warn("TAR_ABORT",e,{recoverable:!1})}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this[Re])return i?.(),!1;if((this[S]===void 0||this.brotli===void 0&&this[S]===!1)&&e){if(this[_]&&(e=Buffer.concat([this[_],e]),this[_]=void 0),e.lengththis[li](u)),this[S].on("error",u=>this.abort(u)),this[S].on("end",()=>{this[Oe]=!0,this[li]()}),this[tt]=!0;let l=!!this[S][h?"end":"write"](e);return this[tt]=!1,i?.(),l}}this[tt]=!0,this[S]?this[S].write(e):this[li](e),this[tt]=!1;let n=this[me].length>0?!1:this[de]?this[de].flowing:!0;return!n&&this[me].length===0&&this[de]?.once("drain",()=>this.emit("drain")),i?.(),n}[xs](e){e&&!this[Re]&&(this[_]=this[_]?Buffer.concat([this[_],e]):e)}[ci](){if(this[Oe]&&!this[zs]&&!this[Re]&&!this[Ot]){this[zs]=!0;let e=this[ze];if(e&&e.blockRemain){let t=this[_]?this[_].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${e.blockRemain} more bytes, only ${t} available)`,{entry:e}),this[_]&&e.write(this[_]),e.end()}this[ke](fi)}}[li](e){if(this[Ot]&&e)this[xs](e);else if(!e&&!this[_])this[ci]();else if(e){if(this[Ot]=!0,this[_]){this[xs](e);let t=this[_];this[_]=void 0,this[ui](t)}else this[ui](e);for(;this[_]&&this[_]?.length>=512&&!this[Re]&&!this[mi];){let t=this[_];this[_]=void 0,this[ui](t)}this[Ot]=!1}(!this[_]||this[Oe])&&this[ci]()}[ui](e){let t=0,i=e.length;for(;t+512<=i&&!this[Re]&&!this[mi];)switch(this[H]){case"begin":case"header":this[en](e,t),t+=512;break;case"ignore":case"body":t+=this[ks](e,t);break;case"meta":t+=this[Jr](e,t);break;default:throw new Error("invalid state: "+this[H])}t{"use strict";Object.defineProperty(wi,"__esModule",{value:!0});wi.stripTrailingSlashes=void 0;var ja=s=>{let e=s.length-1,t=-1;for(;e>-1&&s.charAt(e)==="/";)t=e,e--;return t===-1?s:s.slice(0,t)};wi.stripTrailingSlashes=ja});var st=d(C=>{"use strict";var Ua=C&&C.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),qa=C&&C.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Wa=C&&C.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=s.onReadEntry;s.onReadEntry=e?t=>{e(t),t.resume()}:t=>t.resume()},Ka=(s,e)=>{let t=new Map(e.map(n=>[(0,Ws.stripTrailingSlashes)(n),!0])),i=s.filter,r=(n,o="")=>{let a=o||(0,sn.parse)(n).root||".",h;if(n===a)h=!1;else{let l=t.get(n);h=l!==void 0?l:r((0,sn.dirname)(n),a)}return t.set(n,h),h};s.filter=i?(n,o)=>i(n,o)&&r((0,Ws.stripTrailingSlashes)(n)):n=>r((0,Ws.stripTrailingSlashes)(n))};C.filesFilter=Ka;var Va=s=>{let e=new Ei.Parser(s),t=s.file,i;try{i=it.default.openSync(t,"r");let r=it.default.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let t=new Ei.Parser(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("end",o),it.default.stat(r,(h,l)=>{if(h)a(h);else{let u=new Za.ReadStream(r,{readSize:i,size:l.size});u.on("error",a),u.pipe(t)}})})};C.list=(0,Ga.makeCommand)(Va,$a,s=>new Ei.Parser(s),s=>new Ei.Parser(s),(s,e)=>{e?.length&&(0,C.filesFilter)(s,e),s.noResume||Ya(s)})});var rn=d(bi=>{"use strict";Object.defineProperty(bi,"__esModule",{value:!0});bi.modeFix=void 0;var Xa=(s,e,t)=>(s&=4095,t&&(s=(s|384)&-19),e&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);bi.modeFix=Xa});var Hs=d(Si=>{"use strict";Object.defineProperty(Si,"__esModule",{value:!0});Si.stripAbsolutePath=void 0;var Qa=require("node:path"),{isAbsolute:Ja,parse:nn}=Qa.win32,eh=s=>{let e="",t=nn(s);for(;Ja(s)||t.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":t.root;s=s.slice(i.length),e+=i,t=nn(s)}return[e,s]};Si.stripAbsolutePath=eh});var Gs=d(rt=>{"use strict";Object.defineProperty(rt,"__esModule",{value:!0});rt.decode=rt.encode=void 0;var gi=["|","<",">","?",":"],Zs=gi.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),th=new Map(gi.map((s,e)=>[s,Zs[e]])),ih=new Map(Zs.map((s,e)=>[s,gi[e]])),sh=s=>gi.reduce((e,t)=>e.split(t).join(th.get(t)),s);rt.encode=sh;var rh=s=>Zs.reduce((e,t)=>e.split(t).join(ih.get(t)),s);rt.decode=rh});var sr=d(M=>{"use strict";var nh=M&&M.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),oh=M&&M.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ah=M&&M.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;re?(s=(0,ne.normalizeWindowsPath)(s).replace(/^\.(\/|$)/,""),(0,hh.stripTrailingSlashes)(e)+"/"+s):(0,ne.normalizeWindowsPath)(s),uh=16*1024*1024,an=Symbol("process"),hn=Symbol("file"),ln=Symbol("directory"),Ks=Symbol("symlink"),un=Symbol("hardlink"),Rt=Symbol("header"),Oi=Symbol("read"),Vs=Symbol("lstat"),Ri=Symbol("onlstat"),$s=Symbol("onread"),Xs=Symbol("onreadlink"),Qs=Symbol("openfile"),Js=Symbol("onopenfile"),ve=Symbol("close"),vi=Symbol("mode"),er=Symbol("awaitDrain"),Ys=Symbol("ondrain"),ae=Symbol("prefix"),Ti=class extends fn.Minipass{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#e=!1;constructor(e,t={}){let i=(0,pn.dealias)(t);super(),this.path=(0,ne.normalizeWindowsPath)(e),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||uh,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=(0,ne.normalizeWindowsPath)(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?(0,ne.normalizeWindowsPath)(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,a]=(0,wn.stripAbsolutePath)(this.path);o&&typeof a=="string"&&(this.path=a,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=lh.decode(this.path.replaceAll(/\\/g,"/")),e=e.replaceAll(/\\/g,"/")),this.absolute=(0,ne.normalizeWindowsPath)(i.absolute||on.default.resolve(this.cwd,e)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[Ri](n):this[Vs]()}warn(e,t,i={}){return(0,yn.warnMethod)(this,e,t,i)}emit(e,...t){return e==="error"&&(this.#e=!0),super.emit(e,...t)}[Vs](){oe.default.lstat(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Ri](t)})}[Ri](e){this.statCache.set(this.absolute,e),this.stat=e,e.isFile()||(e.size=0),this.type=ch(e),this.emit("stat",e),this[an]()}[an](){switch(this.type){case"File":return this[hn]();case"Directory":return this[ln]();case"SymbolicLink":return this[Ks]();default:return this.end()}}[vi](e){return(0,mn.modeFix)(e,this.type==="Directory",this.portable)}[ae](e){return En(e,this.prefix)}[Rt](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new dn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this[vi](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new _n.Pax({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let e=this.header?.block;if(!e)throw new Error("failed to encode header");super.write(e)}[ln](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[Rt](),this.end()}[Ks](){oe.default.readlink(this.absolute,(e,t)=>{if(e)return this.emit("error",e);this[Xs](t)})}[Xs](e){this.linkpath=(0,ne.normalizeWindowsPath)(e),this[Rt](),this.end()}[un](e){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=(0,ne.normalizeWindowsPath)(on.default.relative(this.cwd,e)),this.stat.size=0,this[Rt](),this.end()}[hn](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let e=`${this.stat.dev}:${this.stat.ino}`,t=this.linkCache.get(e);if(t?.indexOf(this.cwd)===0)return this[un](t);this.linkCache.set(e,this.absolute)}if(this[Rt](),this.stat.size===0)return this.end();this[Qs]()}[Qs](){oe.default.open(this.absolute,"r",(e,t)=>{if(e)return this.emit("error",e);this[Js](t)})}[Js](e){if(this.fd=e,this.#e)return this[ve]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let t=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(t),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[Oi]()}[Oi](){let{fd:e,buf:t,offset:i,length:r,pos:n}=this;if(e===void 0||t===void 0)throw new Error("cannot read file without first opening");oe.default.read(e,t,i,r,n,(o,a)=>{if(o)return this[ve](()=>this.emit("error",o));this[$s](a)})}[ve](e=()=>{}){this.fd!==void 0&&oe.default.close(this.fd,e)}[$s](e){if(e<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(e>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[ve](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(e===this.remain)for(let r=e;rthis[Ys]())}[er](e){this.once("drain",e)}write(e,t,i){if(typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8")),this.blockRemaine?this.emit("error",e):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[Oi]()}};M.WriteEntry=Ti;var tr=class extends Ti{sync=!0;[Vs](){this[Ri](oe.default.lstatSync(this.absolute))}[Ks](){this[Xs](oe.default.readlinkSync(this.absolute))}[Qs](){this[Js](oe.default.openSync(this.absolute,"r"))}[Oi](){let e=!0;try{let{fd:t,buf:i,offset:r,length:n,pos:o}=this;if(t===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let a=oe.default.readSync(t,i,r,n,o);this[$s](a),e=!1}finally{if(e)try{this[ve](()=>{})}catch{}}}[er](e){e()}[ve](e=()=>{}){this.fd!==void 0&&oe.default.closeSync(this.fd),e()}};M.WriteEntrySync=tr;var ir=class extends fn.Minipass{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(e,t,i={}){return(0,yn.warnMethod)(this,e,t,i)}constructor(e,t={}){let i=(0,pn.dealias)(t);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=e;let{type:r}=e;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=(0,ne.normalizeWindowsPath)(e.path),this.mode=e.mode!==void 0?this[vi](e.mode):void 0,this.uid=this.portable?void 0:e.uid,this.gid=this.portable?void 0:e.gid,this.uname=this.portable?void 0:e.uname,this.gname=this.portable?void 0:e.gname,this.size=e.size,this.mtime=this.noMtime?void 0:i.mtime||e.mtime,this.atime=this.portable?void 0:e.atime,this.ctime=this.portable?void 0:e.ctime,this.linkpath=e.linkpath!==void 0?(0,ne.normalizeWindowsPath)(e.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[a,h]=(0,wn.stripAbsolutePath)(this.path);a&&typeof h=="string"&&(this.path=h,n=a)}this.remain=e.size,this.blockRemain=e.startBlockSize,this.onWriteEntry?.(this),this.header=new dn.Header({path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new _n.Pax({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[ae](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[ae](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),e.pipe(this)}[ae](e){return En(e,this.prefix)}[vi](e){return(0,mn.modeFix)(e,this.type==="Directory",this.portable)}write(e,t,i){typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,typeof t=="string"?t:"utf8"));let r=e.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(e,i)}end(e,t,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof e=="function"&&(i=e,t=void 0,e=void 0),typeof t=="function"&&(i=t,t=void 0),typeof e=="string"&&(e=Buffer.from(e,t??"utf8")),i&&this.once("finish",i),e?super.end(e,i):super.end(i),this}};M.WriteEntryTar=ir;var ch=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported"});var bn=d(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.Node=ot.Yallist=void 0;var rr=class s{tail;head;length=0;static create(e=[]){return new s(e)}constructor(e=[]){for(let t of e)this.push(t)}*[Symbol.iterator](){for(let e=this.head;e;e=e.next)yield e.value}removeNode(e){if(e.list!==this)throw new Error("removing node which does not belong to this list");let t=e.next,i=e.prev;return t&&(t.prev=i),i&&(i.next=t),e===this.head&&(this.head=t),e===this.tail&&(this.tail=i),this.length--,e.next=void 0,e.prev=void 0,e.list=void 0,t}unshiftNode(e){if(e===this.head)return;e.list&&e.list.removeNode(e);let t=this.head;e.list=this,e.next=t,t&&(t.prev=e),this.head=e,this.tail||(this.tail=e),this.length++}pushNode(e){if(e===this.tail)return;e.list&&e.list.removeNode(e);let t=this.tail;e.list=this,e.prev=t,t&&(t.next=e),this.tail=e,this.head||(this.head=e),this.length++}push(...e){for(let t=0,i=e.length;t1)i=t;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=e(i,r.value,n),r=r.next;return i}reduceReverse(e,t){let i,r=this.tail;if(arguments.length>1)i=t;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=e(i,r.value,n),r=r.prev;return i}toArray(){let e=new Array(this.length);for(let t=0,i=this.head;i;t++)e[t]=i.value,i=i.next;return e}toArrayReverse(){let e=new Array(this.length);for(let t=0,i=this.tail;i;t++)e[t]=i.value,i=i.prev;return e}slice(e=0,t=this.length){t<0&&(t+=this.length),e<0&&(e+=this.length);let i=new s;if(tthis.length&&(t=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(t=this.length);let r=this.length,n=this.tail;for(;n&&r>t;r--)n=n.prev;for(;n&&r>e;r--,n=n.prev)i.push(n.value);return i}splice(e,t=0,...i){e>this.length&&(e=this.length-1),e<0&&(e=this.length+e);let r=this.head;for(let o=0;r&&o{"use strict";var ph=L&&L.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),_h=L&&L.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),wh=L&&L.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(e.gzip&&(typeof e.gzip!="object"&&(e.gzip={}),this.portable&&(e.gzip.portable=!0),this.zip=new nr.Gzip(e.gzip)),e.brotli&&(typeof e.brotli!="object"&&(e.brotli={}),this.zip=new nr.BrotliCompress(e.brotli)),e.zstd&&(typeof e.zstd!="object"&&(e.zstd={}),this.zip=new nr.ZstdCompress(e.zstd)),!this.zip)throw new Error("impossible");let t=this.zip;t.on("data",i=>super.write(i)),t.on("end",()=>super.end()),t.on("drain",()=>this[hr]()),this.on("resume",()=>t.resume())}else this.on("drain",this[hr]);this.noDirRecurse=!!e.noDirRecurse,this.follow=!!e.follow,this.noMtime=!!e.noMtime,e.mtime&&(this.mtime=e.mtime),this.filter=typeof e.filter=="function"?e.filter:()=>!0,this[X]=new Eh.Yallist,this[Q]=0,this.jobs=Number(e.jobs)||4,this[Dt]=!1,this[vt]=!1}[Tn](e){return super.write(e)}add(e){return this.write(e),this}end(e,t,i){return typeof e=="function"&&(i=e,e=void 0),typeof t=="function"&&(i=t,t=void 0),e&&this.add(e),this[vt]=!0,this[je](),i&&i(),this}write(e){if(this[vt])throw new Error("write after end");return e instanceof bh.ReadEntry?this[gn](e):this[Ni](e),this.flowing}[gn](e){let t=(0,lr.normalizeWindowsPath)(Rn.default.resolve(this.cwd,e.path));if(!this.filter(e.path,e))e.resume();else{let i=new Pt(e.path,t);i.entry=new ur.WriteEntryTar(e,this[ar](i)),i.entry.on("end",()=>this[or](i)),this[Q]+=1,this[X].push(i)}this[je]()}[Ni](e){let t=(0,lr.normalizeWindowsPath)(Rn.default.resolve(this.cwd,e));this[X].push(new Pt(e,t)),this[je]()}[cr](e){e.pending=!0,this[Q]+=1;let t=this.follow?"stat":"lstat";Ii.default[t](e.absolute,(i,r)=>{e.pending=!1,this[Q]-=1,i?this.emit("error",i):this[Pi](e,r)})}[Pi](e,t){if(this.statCache.set(e.absolute,t),e.stat=t,!this.filter(e.path,t))e.ignore=!0;else if(t.isFile()&&t.nlink>1&&!this.linkCache.get(`${t.dev}:${t.ino}`)&&!this.sync)if(e===this[Te])this[Di](e);else{let i=`${t.dev}:${t.ino}`,r=this[Tt].get(i);r?r.push(e):this[Tt].set(i,[e]),e.pendingLink=!0,e.pending=!0}this[je]()}[fr](e){e.pending=!0,this[Q]+=1,Ii.default.readdir(e.absolute,(t,i)=>{if(e.pending=!1,this[Q]-=1,t)return this.emit("error",t);this[Mi](e,i)})}[Mi](e,t){this.readdirCache.set(e.absolute,t),e.readdir=t,this[je]()}[je](){if(!this[Dt]){this[Dt]=!0;for(let e=this[X].head;e&&this[Q]1){let i=`${t.dev}:${t.ino}`,r=this[Tt].get(i);if(r){this[Tt].delete(i);for(let n of r)n.pending=!1,this[Di](n)}}this[je]()}[Di](e){if(e.pending&&e.pendingLink&&e===this[Te]&&(e.pending=!1,e.pendingLink=!1),!e.pending){if(e.entry){e===this[Te]&&!e.piped&&this[Li](e);return}if(!e.stat){let t=this.statCache.get(e.absolute);t?this[Pi](e,t):this[cr](e)}if(e.stat&&!e.ignore){if(!this.noDirRecurse&&e.stat.isDirectory()&&!e.readdir){let t=this.readdirCache.get(e.absolute);if(t?this[Mi](e,t):this[fr](e),!e.readdir)return}if(e.entry=this[On](e),!e.entry){e.ignore=!0;return}e===this[Te]&&!e.piped&&this[Li](e)}}}[ar](e){return{onwarn:(t,i,r)=>this.warn(t,i,r),noPax:this.noPax,cwd:this.cwd,absolute:e.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[On](e){this[Q]+=1;try{return new this[Ai](e.path,this[ar](e)).on("end",()=>this[or](e)).on("error",i=>this.emit("error",i))}catch(t){this.emit("error",t)}}[hr](){this[Te]&&this[Te].entry&&this[Te].entry.resume()}[Li](e){e.piped=!0,e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Ni](o+r)});let t=e.entry,i=this.zip;if(!t)throw new Error("cannot pipe without source");i?t.on("data",r=>{i.write(r)||t.pause()}):t.on("data",r=>{super.write(r)||t.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(e,t,i={}){(0,Sh.warnMethod)(this,e,t,i)}};L.Pack=Fi;var dr=class extends Fi{sync=!0;constructor(e){super(e),this[Ai]=ur.WriteEntrySync}pause(){}resume(){}[cr](e){let t=this.follow?"statSync":"lstatSync";this[Pi](e,Ii.default[t](e.absolute))}[fr](e){this[Mi](e,Ii.default.readdirSync(e.absolute))}[Li](e){let t=e.entry,i=this.zip;if(e.readdir&&e.readdir.forEach(r=>{let n=e.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[Ni](o+r)}),!t)throw new Error("Cannot pipe without source");i?t.on("data",r=>{i.write(r)}):t.on("data",r=>{super[Tn](r)})}};L.PackSync=dr});var mr=d(at=>{"use strict";var gh=at&&at.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(at,"__esModule",{value:!0});at.create=void 0;var Dn=Ke(),Pn=gh(require("node:path")),Nn=st(),Oh=Ve(),Bi=Ci(),Rh=(s,e)=>{let t=new Bi.PackSync(s),i=new Dn.WriteStreamSync(s.file,{mode:s.mode||438});t.pipe(i),Mn(t,e)},vh=(s,e)=>{let t=new Bi.Pack(s),i=new Dn.WriteStream(s.file,{mode:s.mode||438});t.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),t.on("error",o)});return Ln(t,e).catch(n=>t.emit("error",n)),r},Mn=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,Nn.list)({file:Pn.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},Ln=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,Nn.list)({file:Pn.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(t);s.end()},Th=(s,e)=>{let t=new Bi.PackSync(s);return Mn(t,e),t},Dh=(s,e)=>{let t=new Bi.Pack(s);return Ln(t,e).catch(i=>t.emit("error",i)),t};at.create=(0,Oh.makeCommand)(Rh,vh,Th,Dh,(s,e)=>{if(!e?.length)throw new TypeError("no paths specified to add to archive")})});var jn=d(ht=>{"use strict";var Ph=ht&&ht.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ht,"__esModule",{value:!0});ht.getWriteFlag=void 0;var Fn=Ph(require("fs")),Nh=process.env.__FAKE_PLATFORM__||process.platform,Cn=Nh==="win32",{O_CREAT:Bn,O_NOFOLLOW:An,O_TRUNC:zn,O_WRONLY:kn}=Fn.default.constants,xn=Number(process.env.__FAKE_FS_O_FILENAME__)||Fn.default.constants.UV_FS_O_FILEMAP||0,Mh=Cn&&!!xn,Lh=512*1024,Ah=xn|zn|Bn|kn,In=!Cn&&typeof An=="number"?An|zn|Bn|kn:null;ht.getWriteFlag=In!==null?()=>In:Mh?s=>s"w"});var qn=d(he=>{"use strict";var Un=he&&he.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(he,"__esModule",{value:!0});he.chownrSync=he.chownr=void 0;var ki=Un(require("node:fs")),Nt=Un(require("node:path")),pr=(s,e,t)=>{try{return ki.default.lchownSync(s,e,t)}catch(i){if(i?.code!=="ENOENT")throw i}},zi=(s,e,t,i)=>{ki.default.lchown(s,e,t,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},Ih=(s,e,t,i,r)=>{if(e.isDirectory())(0,he.chownr)(Nt.default.resolve(s,e.name),t,i,n=>{if(n)return r(n);let o=Nt.default.resolve(s,e.name);zi(o,t,i,r)});else{let n=Nt.default.resolve(s,e.name);zi(n,t,i,r)}},Fh=(s,e,t,i)=>{ki.default.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return zi(s,e,t,i);let o=n.length,a=null,h=l=>{if(!a){if(l)return i(a=l);if(--o===0)return zi(s,e,t,i)}};for(let l of n)Ih(s,l,e,t,h)})};he.chownr=Fh;var Ch=(s,e,t,i)=>{e.isDirectory()&&(0,he.chownrSync)(Nt.default.resolve(s,e.name),t,i),pr(Nt.default.resolve(s,e.name),t,i)},Bh=(s,e,t)=>{let i;try{i=ki.default.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return pr(s,e,t);throw n}for(let r of i)Ch(s,r,e,t);return pr(s,e,t)};he.chownrSync=Bh});var Wn=d(xi=>{"use strict";Object.defineProperty(xi,"__esModule",{value:!0});xi.CwdError=void 0;var _r=class extends Error{path;code;syscall="chdir";constructor(e,t){super(`${t}: Cannot cd into '${e}'`),this.path=e,this.code=t}get name(){return"CwdError"}};xi.CwdError=_r});var yr=d(ji=>{"use strict";Object.defineProperty(ji,"__esModule",{value:!0});ji.SymlinkError=void 0;var wr=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(e,t){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=e,this.path=t}get name(){return"SymlinkError"}};ji.SymlinkError=wr});var Kn=d(De=>{"use strict";var br=De&&De.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(De,"__esModule",{value:!0});De.mkdirSync=De.mkdir=void 0;var Hn=qn(),j=br(require("node:fs")),zh=br(require("node:fs/promises")),Ui=br(require("node:path")),Zn=Wn(),pe=et(),Gn=yr(),kh=(s,e)=>{j.default.stat(s,(t,i)=>{(t||!i.isDirectory())&&(t=new Zn.CwdError(s,t?.code||"ENOTDIR")),e(t)})},xh=(s,e,t)=>{s=(0,pe.normalizeWindowsPath)(s);let i=e.umask??18,r=e.mode|448,n=(r&i)!==0,o=e.uid,a=e.gid,h=typeof o=="number"&&typeof a=="number"&&(o!==e.processUid||a!==e.processGid),l=e.preserve,u=e.unlink,c=(0,pe.normalizeWindowsPath)(e.cwd),E=(w,P)=>{w?t(w):P&&h?(0,Hn.chownr)(P,o,a,kt=>E(kt)):n?j.default.chmod(s,r,t):t()};if(s===c)return kh(s,E);if(l)return zh.default.mkdir(s,{mode:r,recursive:!0}).then(w=>E(null,w??void 0),E);let A=(0,pe.normalizeWindowsPath)(Ui.default.relative(c,s)).split("/");Er(c,A,r,u,c,void 0,E)};De.mkdir=xh;var Er=(s,e,t,i,r,n,o)=>{if(e.length===0)return o(null,n);let a=e.shift(),h=(0,pe.normalizeWindowsPath)(Ui.default.resolve(s+"/"+a));j.default.mkdir(h,t,Yn(h,e,t,i,r,n,o))},Yn=(s,e,t,i,r,n,o)=>a=>{a?j.default.lstat(s,(h,l)=>{if(h)h.path=h.path&&(0,pe.normalizeWindowsPath)(h.path),o(h);else if(l.isDirectory())Er(s,e,t,i,r,n,o);else if(i)j.default.unlink(s,u=>{if(u)return o(u);j.default.mkdir(s,t,Yn(s,e,t,i,r,n,o))});else{if(l.isSymbolicLink())return o(new Gn.SymlinkError(s,s+"/"+e.join("/")));o(a)}}):(n=n||s,Er(s,e,t,i,r,n,o))},jh=s=>{let e=!1,t;try{e=j.default.statSync(s).isDirectory()}catch(i){t=i?.code}finally{if(!e)throw new Zn.CwdError(s,t??"ENOTDIR")}},Uh=(s,e)=>{s=(0,pe.normalizeWindowsPath)(s);let t=e.umask??18,i=e.mode|448,r=(i&t)!==0,n=e.uid,o=e.gid,a=typeof n=="number"&&typeof o=="number"&&(n!==e.processUid||o!==e.processGid),h=e.preserve,l=e.unlink,u=(0,pe.normalizeWindowsPath)(e.cwd),c=w=>{w&&a&&(0,Hn.chownrSync)(w,n,o),r&&j.default.chmodSync(s,i)};if(s===u)return jh(u),c();if(h)return c(j.default.mkdirSync(s,{mode:i,recursive:!0})??void 0);let D=(0,pe.normalizeWindowsPath)(Ui.default.relative(u,s)).split("/"),A;for(let w=D.shift(),P=u;w&&(P+="/"+w);w=D.shift()){P=(0,pe.normalizeWindowsPath)(Ui.default.resolve(P));try{j.default.mkdirSync(P,i),A=A||P}catch{let kt=j.default.lstatSync(P);if(kt.isDirectory())continue;if(l){j.default.unlinkSync(P),j.default.mkdirSync(P,i),A=A||P;continue}else if(kt.isSymbolicLink())return new Gn.SymlinkError(P,P+"/"+D.join("/"))}}return c(A)};De.mkdirSync=Uh});var $n=d(qi=>{"use strict";Object.defineProperty(qi,"__esModule",{value:!0});qi.normalizeUnicode=void 0;var Sr=Object.create(null),Vn=1e4,lt=new Set,qh=s=>{lt.has(s)?lt.delete(s):Sr[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),lt.add(s);let e=Sr[s],t=lt.size-Vn;if(t>Vn/10){for(let i of lt)if(lt.delete(i),delete Sr[i],--t<=0)break}return e};qi.normalizeUnicode=qh});var Qn=d(Wi=>{"use strict";Object.defineProperty(Wi,"__esModule",{value:!0});Wi.PathReservations=void 0;var Xn=require("node:path"),Wh=$n(),Hh=yi(),Zh=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Gh=Zh==="win32",Yh=s=>s.split("/").slice(0,-1).reduce((t,i)=>{let r=t.at(-1);return r!==void 0&&(i=(0,Xn.join)(r,i)),t.push(i||"/"),t},[]),gr=class{#e=new Map;#i=new Map;#s=new Set;reserve(e,t){e=Gh?["win32 parallelization disabled"]:e.map(r=>(0,Hh.stripTrailingSlashes)((0,Xn.join)((0,Wh.normalizeUnicode)(r))));let i=new Set(e.map(r=>Yh(r)).reduce((r,n)=>r.concat(n)));this.#i.set(t,{dirs:i,paths:e});for(let r of e){let n=this.#e.get(r);n?n.push(t):this.#e.set(r,[t])}for(let r of i){let n=this.#e.get(r);if(!n)this.#e.set(r,[new Set([t])]);else{let o=n.at(-1);o instanceof Set?o.add(t):n.push(new Set([t]))}}return this.#r(t)}#n(e){let t=this.#i.get(e);if(!t)throw new Error("function does not have any path reservations");return{paths:t.paths.map(i=>this.#e.get(i)),dirs:[...t.dirs].map(i=>this.#e.get(i))}}check(e){let{paths:t,dirs:i}=this.#n(e);return t.every(r=>r&&r[0]===e)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(e))}#r(e){return this.#s.has(e)||!this.check(e)?!1:(this.#s.add(e),e(()=>this.#t(e)),!0)}#t(e){if(!this.#s.has(e))return!1;let t=this.#i.get(e);if(!t)throw new Error("invalid reservation");let{paths:i,dirs:r}=t,n=new Set;for(let o of i){let a=this.#e.get(o);if(!a||a?.[0]!==e)continue;let h=a[1];if(!h){this.#e.delete(o);continue}if(a.shift(),typeof h=="function")n.add(h);else for(let l of h)n.add(l)}for(let o of r){let a=this.#e.get(o),h=a?.[0];if(!(!a||!(h instanceof Set)))if(h.size===1&&a.length===1){this.#e.delete(o);continue}else if(h.size===1){a.shift();let l=a[0];typeof l=="function"&&n.add(l)}else h.delete(e)}return this.#s.delete(e),n.forEach(o=>this.#r(o)),!0}};Wi.PathReservations=gr});var Jn=d(Hi=>{"use strict";Object.defineProperty(Hi,"__esModule",{value:!0});Hi.umask=void 0;var Kh=()=>process.umask();Hi.umask=Kh});var Ir=d(z=>{"use strict";var Vh=z&&z.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),$h=z&&z.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),lo=z&&z.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{if(!Bt)return m.default.unlink(s,e);let t=s+".DELETE."+(0,uo.randomBytes)(16).toString("hex");m.default.rename(s,t,i=>{if(i)return e(i);m.default.unlink(t,e)})},ol=s=>{if(!Bt)return m.default.unlinkSync(s);let e=s+".DELETE."+(0,uo.randomBytes)(16).toString("hex");m.default.renameSync(s,e),m.default.unlinkSync(e)},ho=(s,e,t)=>s!==void 0&&s===s>>>0?s:e!==void 0&&e===e>>>0?e:t,Yi=class extends Jh.Parser{[Rr]=!1;[Ct]=!1;[Zi]=0;reservations=new tl.PathReservations;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(e={}){if(e.ondone=()=>{this[Rr]=!0,this[vr]()},super(e),this.transform=e.transform,this.chmod=!!e.chmod,typeof e.uid=="number"||typeof e.gid=="number"){if(typeof e.uid!="number"||typeof e.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(e.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=e.uid,this.gid=e.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=e.preserveOwner===void 0&&typeof e.uid!="number"?!!(process.getuid&&process.getuid()===0):!!e.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof e.maxDepth=="number"?e.maxDepth:rl,this.forceChown=e.forceChown===!0,this.win32=!!e.win32||Bt,this.newer=!!e.newer,this.keep=!!e.keep,this.noMtime=!!e.noMtime,this.preservePaths=!!e.preservePaths,this.unlink=!!e.unlink,this.cwd=(0,U.normalizeWindowsPath)(g.default.resolve(e.cwd||process.cwd())),this.strip=Number(e.strip)||0,this.processUmask=this.chmod?typeof e.processUmask=="number"?e.processUmask:(0,il.umask)():0,this.umask=typeof e.umask=="number"?e.umask:this.processUmask,this.dmode=e.dmode||511&~this.umask,this.fmode=e.fmode||438&~this.umask,this.on("entry",t=>this[to](t))}warn(e,t,i={}){return(e==="TAR_BAD_ARCHIVE"||e==="TAR_ABORT")&&(i.recoverable=!1),super.warn(e,t,i)}[vr](){this[Rr]&&this[Zi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[Or](e,t){let i=e[t],{type:r}=e;if(!i||this.preservePaths)return!0;let[n,o]=(0,el.stripAbsolutePath)(i),a=o.replaceAll(/\\/g,"/").split("/");if(a.includes("..")||Bt&&/^[a-z]:\.\.$/i.test(a[0]??"")){if(t==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${t} contains '..'`,{entry:e,[t]:i}),!1;let h=g.default.posix.dirname(e.path),l=g.default.posix.normalize(g.default.posix.join(h,a.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${t} escapes extraction directory`,{entry:e,[t]:i}),!1}return n&&(e[t]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${t}`,{entry:e,[t]:i})),!0}[oo](e){let t=(0,U.normalizeWindowsPath)(e.path),i=t.split("/");if(this.strip){if(i.length=this.strip)e.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),e.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:e,path:t,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[Or](e,"path")||!this[Or](e,"linkpath"))return!1;if(e.absolute=g.default.isAbsolute(e.path)?(0,U.normalizeWindowsPath)(g.default.resolve(e.path)):(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,e.path)),!this.preservePaths&&typeof e.absolute=="string"&&e.absolute.indexOf(this.cwd+"/")!==0&&e.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:e,path:(0,U.normalizeWindowsPath)(e.path),resolvedPath:e.absolute,cwd:this.cwd}),!1;if(e.absolute===this.cwd&&e.type!=="Directory"&&e.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=g.default.win32.parse(String(e.absolute));e.absolute=r+eo.encode(String(e.absolute).slice(r.length));let{root:n}=g.default.win32.parse(e.path);e.path=n+eo.encode(e.path.slice(n.length))}return!0}[to](e){if(!this[oo](e))return e.resume();switch(Qh.default.equal(typeof e.absolute,"string"),e.type){case"Directory":case"GNUDumpDir":e.mode&&(e.mode=e.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[Tr](e);default:return this[no](e)}}[T](e,t){e.name==="CwdError"?this.emit("error",e):(this.warn("TAR_ENTRY_ERROR",e,{entry:t}),this[ut](),t.resume())}[Pe](e,t,i){(0,fo.mkdir)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t},i)}[At](e){return this.forceChown||this.preserveOwner&&(typeof e.uid=="number"&&e.uid!==this.processUid||typeof e.gid=="number"&&e.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[It](e){return ho(this.uid,e.uid,this.processUid)}[Ft](e){return ho(this.gid,e.gid,this.processGid)}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=new Xh.WriteStream(String(e.absolute),{flags:(0,co.getWriteFlag)(e.size),mode:i,autoClose:!1});r.on("error",h=>{r.fd&&m.default.close(r.fd,()=>{}),r.write=()=>!0,this[T](h,e),t()});let n=1,o=h=>{if(h){r.fd&&m.default.close(r.fd,()=>{}),this[T](h,e),t();return}--n===0&&r.fd!==void 0&&m.default.close(r.fd,l=>{l?this[T](l,e):this[ut](),t()})};r.on("finish",()=>{let h=String(e.absolute),l=r.fd;if(typeof l=="number"&&e.mtime&&!this.noMtime){n++;let u=e.atime||new Date,c=e.mtime;m.default.futimes(l,u,c,E=>E?m.default.utimes(h,u,c,D=>o(D&&E)):o())}if(typeof l=="number"&&this[At](e)){n++;let u=this[It](e),c=this[Ft](e);typeof u=="number"&&typeof c=="number"&&m.default.fchown(l,u,c,E=>E?m.default.chown(h,u,c,D=>o(D&&E)):o())}o()});let a=this.transform&&this.transform(e)||e;a!==e&&(a.on("error",h=>{this[T](h,e),t()}),e.pipe(a)),a.pipe(r)}[Nr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode;this[Pe](String(e.absolute),i,r=>{if(r){this[T](r,e),t();return}let n=1,o=()=>{--n===0&&(t(),this[ut](),e.resume())};e.mtime&&!this.noMtime&&(n++,m.default.utimes(String(e.absolute),e.atime||new Date,e.mtime,o)),this[At](e)&&(n++,m.default.chown(String(e.absolute),Number(this[It](e)),Number(this[Ft](e)),o)),o()})}[no](e){e.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${e.type}`,{entry:e}),e.resume()}[so](e,t){let i=(0,U.normalizeWindowsPath)(g.default.relative(this.cwd,g.default.resolve(g.default.dirname(String(e.absolute)),String(e.linkpath)))).split("/");this[Lt](e,this.cwd,i,()=>this[Gi](e,String(e.linkpath),"symlink",t),r=>{this[T](r,e),t()})}[ro](e,t){let i=(0,U.normalizeWindowsPath)(g.default.resolve(this.cwd,String(e.linkpath))),r=(0,U.normalizeWindowsPath)(String(e.linkpath)).split("/");this[Lt](e,this.cwd,r,()=>this[Gi](e,i,"link",t),n=>{this[T](n,e),t()})}[Lt](e,t,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let a=g.default.resolve(t,o);m.default.lstat(a,(h,l)=>{if(h)return r();if(l?.isSymbolicLink())return n(new mo.SymlinkError(a,g.default.resolve(a,i.join("/"))));this[Lt](e,a,i,r,n)})}[ao](){this[Zi]++}[ut](){this[Zi]--,this[vr]()}[Mr](e){this[ut](),e.resume()}[Dr](e,t){return e.type==="File"&&!this.unlink&&t.isFile()&&t.nlink<=1&&!Bt}[Tr](e){this[ao]();let t=[e.path];e.linkpath&&t.push(e.linkpath),this.reservations.reserve(t,i=>this[io](e,i))}[io](e,t){let i=a=>{t(a)},r=()=>{this[Pe](this.cwd,this.dmode,a=>{if(a){this[T](a,e),i();return}this[Ct]=!0,n()})},n=()=>{if(e.absolute!==this.cwd){let a=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(a!==this.cwd)return this[Pe](a,this.dmode,h=>{if(h){this[T](h,e),i();return}o()})}o()},o=()=>{m.default.lstat(String(e.absolute),(a,h)=>{if(h&&(this.keep||this.newer&&h.mtime>(e.mtime??h.mtime))){this[Mr](e),i();return}if(a||this[Dr](e,h))return this[Z](null,e,i);if(h.isDirectory()){if(e.type==="Directory"){let l=this.chmod&&e.mode&&(h.mode&4095)!==e.mode,u=c=>this[Z](c??null,e,i);return l?m.default.chmod(String(e.absolute),Number(e.mode),u):u()}if(e.absolute!==this.cwd)return m.default.rmdir(String(e.absolute),l=>this[Z](l??null,e,i))}if(e.absolute===this.cwd)return this[Z](null,e,i);nl(String(e.absolute),l=>this[Z](l??null,e,i))})};this[Ct]?n():r()}[Z](e,t,i){if(e){this[T](e,t),i();return}switch(t.type){case"File":case"OldFile":case"ContiguousFile":return this[Pr](t,i);case"Link":return this[ro](t,i);case"SymbolicLink":return this[so](t,i);case"Directory":case"GNUDumpDir":return this[Nr](t,i)}}[Gi](e,t,i,r){m.default[i](t,String(e.absolute),n=>{n?this[T](n,e):(this[ut](),e.resume()),r()})}};z.Unpack=Yi;var Mt=s=>{try{return[null,s()]}catch(e){return[e,null]}},Lr=class extends Yi{sync=!0;[Z](e,t){return super[Z](e,t,()=>{})}[Tr](e){if(!this[Ct]){let n=this[Pe](this.cwd,this.dmode);if(n)return this[T](n,e);this[Ct]=!0}if(e.absolute!==this.cwd){let n=(0,U.normalizeWindowsPath)(g.default.dirname(String(e.absolute)));if(n!==this.cwd){let o=this[Pe](n,this.dmode);if(o)return this[T](o,e)}}let[t,i]=Mt(()=>m.default.lstatSync(String(e.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(e.mtime??i.mtime)))return this[Mr](e);if(t||this[Dr](e,i))return this[Z](null,e);if(i.isDirectory()){if(e.type==="Directory"){let o=this.chmod&&e.mode&&(i.mode&4095)!==e.mode,[a]=o?Mt(()=>{m.default.chmodSync(String(e.absolute),Number(e.mode))}):[];return this[Z](a,e)}let[n]=Mt(()=>m.default.rmdirSync(String(e.absolute)));this[Z](n,e)}let[r]=e.absolute===this.cwd?[]:Mt(()=>ol(String(e.absolute)));this[Z](r,e)}[Pr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.fmode,r=a=>{let h;try{m.default.closeSync(n)}catch(l){h=l}(a||h)&&this[T](a||h,e),t()},n;try{n=m.default.openSync(String(e.absolute),(0,co.getWriteFlag)(e.size),i)}catch(a){return r(a)}let o=this.transform&&this.transform(e)||e;o!==e&&(o.on("error",a=>this[T](a,e)),e.pipe(o)),o.on("data",a=>{try{m.default.writeSync(n,a,0,a.length)}catch(h){r(h)}}),o.on("end",()=>{let a=null;if(e.mtime&&!this.noMtime){let h=e.atime||new Date,l=e.mtime;try{m.default.futimesSync(n,h,l)}catch(u){try{m.default.utimesSync(String(e.absolute),h,l)}catch{a=u}}}if(this[At](e)){let h=this[It](e),l=this[Ft](e);try{m.default.fchownSync(n,Number(h),Number(l))}catch(u){try{m.default.chownSync(String(e.absolute),Number(h),Number(l))}catch{a=a||u}}}r(a)})}[Nr](e,t){let i=typeof e.mode=="number"?e.mode&4095:this.dmode,r=this[Pe](String(e.absolute),i);if(r){this[T](r,e),t();return}if(e.mtime&&!this.noMtime)try{m.default.utimesSync(String(e.absolute),e.atime||new Date,e.mtime)}catch{}if(this[At](e))try{m.default.chownSync(String(e.absolute),Number(this[It](e)),Number(this[Ft](e)))}catch{}t(),e.resume()}[Pe](e,t){try{return(0,fo.mkdirSync)((0,U.normalizeWindowsPath)(e),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:t})}catch(i){return i}}[Lt](e,t,i,r,n){if(this.preservePaths||i.length===0)return r();let o=t;for(let a of i){o=g.default.resolve(o,a);let[h,l]=Mt(()=>m.default.lstatSync(o));if(h)return r();if(l.isSymbolicLink())return n(new mo.SymlinkError(o,g.default.resolve(t,i.join("/"))))}r()}[Gi](e,t,i,r){let n=`${i}Sync`;try{m.default[n](t,String(e.absolute)),r(),e.resume()}catch(o){return this[T](o,e)}}};z.UnpackSync=Lr});var Fr=d(G=>{"use strict";var al=G&&G.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),hl=G&&G.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),ll=G&&G.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r{let e=new Ki.UnpackSync(s),t=s.file,i=_o.default.statSync(t),r=s.maxReadSize||16*1024*1024;new po.ReadStreamSync(t,{readSize:r,size:i.size}).pipe(e)},ml=(s,e)=>{let t=new Ki.Unpack(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,a)=>{t.on("error",a),t.on("close",o),_o.default.stat(r,(h,l)=>{if(h)a(h);else{let u=new po.ReadStream(r,{readSize:i,size:l.size});u.on("error",a),u.pipe(t)}})})};G.extract=(0,fl.makeCommand)(dl,ml,s=>new Ki.UnpackSync(s),s=>new Ki.Unpack(s),(s,e)=>{e?.length&&(0,cl.filesFilter)(s,e)})});var Vi=d(ct=>{"use strict";var wo=ct&&ct.__importDefault||function(s){return s&&s.__esModule?s:{default:s}};Object.defineProperty(ct,"__esModule",{value:!0});ct.replace=void 0;var yo=Ke(),q=wo(require("node:fs")),Eo=wo(require("node:path")),bo=Je(),So=st(),pl=Ve(),_l=Xt(),go=Ci(),wl=(s,e)=>{let t=new go.PackSync(s),i=!0,r,n;try{try{r=q.default.openSync(s.file,"r+")}catch(h){if(h?.code==="ENOENT")r=q.default.openSync(s.file,"w+");else throw h}let o=q.default.fstatSync(r),a=Buffer.alloc(512);e:for(n=0;no.size)break;n+=l,s.mtimeCache&&h.mtime&&s.mtimeCache.set(String(h.path),h.mtime)}i=!1,yl(s,t,n,r,e)}finally{if(i)try{q.default.closeSync(r)}catch{}}},yl=(s,e,t,i,r)=>{let n=new yo.WriteStreamSync(s.file,{fd:i,start:t});e.pipe(n),bl(e,r)},El=(s,e)=>{e=Array.from(e);let t=new go.Pack(s),i=(n,o,a)=>{let h=(D,A)=>{D?q.default.close(n,w=>a(D)):a(null,A)},l=0;if(o===0)return h(null,0);let u=0,c=Buffer.alloc(512),E=(D,A)=>{if(D||A===void 0)return h(D);if(u+=A,u<512&&A)return q.default.read(n,c,u,c.length-u,l+u,E);if(l===0&&c[0]===31&&c[1]===139)return h(new Error("cannot append to compressed archives"));if(u<512)return h(null,l);let w=new bo.Header(c);if(!w.cksumValid)return h(null,l);let P=512*Math.ceil((w.size??0)/512);if(l+P+512>o||(l+=P+512,l>=o))return h(null,l);s.mtimeCache&&w.mtime&&s.mtimeCache.set(String(w.path),w.mtime),u=0,q.default.read(n,c,0,512,l,E)};q.default.read(n,c,0,512,l,E)};return new Promise((n,o)=>{t.on("error",o);let a="r+",h=(l,u)=>{if(l&&l.code==="ENOENT"&&a==="r+")return a="w+",q.default.open(s.file,a,h);if(l||!u)return o(l);q.default.fstat(u,(c,E)=>{if(c)return q.default.close(u,()=>o(c));i(u,E.size,(D,A)=>{if(D)return o(D);let w=new yo.WriteStream(s.file,{fd:u,start:A});t.pipe(w),w.on("error",o),w.on("close",n),Sl(t,e)})})};q.default.open(s.file,a,h)})},bl=(s,e)=>{e.forEach(t=>{t.charAt(0)==="@"?(0,So.list)({file:Eo.default.resolve(s.cwd,t.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t)}),s.end()},Sl=async(s,e)=>{for(let t of e)t.charAt(0)==="@"?await(0,So.list)({file:Eo.default.resolve(String(s.cwd),t.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(t);s.end()};ct.replace=(0,pl.makeCommand)(wl,El,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,e)=>{if(!(0,_l.isFile)(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!e?.length)throw new TypeError("no paths specified to add/replace")})});var Cr=d($i=>{"use strict";Object.defineProperty($i,"__esModule",{value:!0});$i.update=void 0;var gl=Ve(),zt=Vi();$i.update=(0,gl.makeCommand)(zt.replace.syncFile,zt.replace.asyncFile,zt.replace.syncNoFile,zt.replace.asyncNoFile,(s,e=[])=>{zt.replace.validate?.(s,e),Ol(s)});var Ol=s=>{let e=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=e?(t,i)=>e(t,i)&&!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0)):(t,i)=>!((s.mtimeCache?.get(t)??i.mtime??0)>(i.mtime??0))}});var Oo=exports&&exports.__createBinding||(Object.create?(function(s,e,t,i){i===void 0&&(i=t);var r=Object.getOwnPropertyDescriptor(e,t);(!r||("get"in r?!e.__esModule:r.writable||r.configurable))&&(r={enumerable:!0,get:function(){return e[t]}}),Object.defineProperty(s,i,r)}):(function(s,e,t,i){i===void 0&&(i=t),s[i]=e[t]})),Rl=exports&&exports.__setModuleDefault||(Object.create?(function(s,e){Object.defineProperty(s,"default",{enumerable:!0,value:e})}):function(s,e){s.default=e}),Y=exports&&exports.__exportStar||function(s,e){for(var t in s)t!=="default"&&!Object.prototype.hasOwnProperty.call(e,t)&&Oo(e,s,t)},vl=exports&&exports.__importStar||(function(){var s=function(e){return s=Object.getOwnPropertyNames||function(t){var i=[];for(var r in t)Object.prototype.hasOwnProperty.call(t,r)&&(i[i.length]=r);return i},s(e)};return function(e){if(e&&e.__esModule)return e;var t={};if(e!=null)for(var i=s(e),r=0;r 1 &&
-            job === this[CURRENT] &&
             !this.linkCache.get(`${stat.dev}:${stat.ino}`) &&
             !this.sync) {
-            // if it's not filtered, and it's a new File entry,
-            // jump the queue in case any pending Link entries are about
-            // to try to link to it. This prevents a hardlink from coming ahead
-            // of its target in the archive.
-            this[PROCESSJOB](job);
+            // if it's not filtered, and it's a new File entry, and next anyway
+            // process right away in case any pending Link entries are about
+            // to try to link to it.
+            if (job === this[CURRENT]) {
+                this[PROCESSJOB](job);
+            }
+            else {
+                // if it's NOT the current entry, it needs to be deferred,
+                // so that the link target can be built first.
+                const key = `${stat.dev}:${stat.ino}`;
+                const pending = this[PENDINGLINKS].get(key);
+                if (pending)
+                    pending.push(job);
+                else
+                    this[PENDINGLINKS].set(key, [job]);
+                job.pendingLink = true;
+                job.pending = true;
+            }
         }
         this[PROCESS]();
     }
@@ -334,12 +349,31 @@ class Pack extends minipass_1.Minipass {
     get [CURRENT]() {
         return this[QUEUE] && this[QUEUE].head && this[QUEUE].head.value;
     }
-    [JOBDONE](_job) {
+    [JOBDONE](job) {
         this[QUEUE].shift();
         this[JOBS] -= 1;
+        const { stat } = job;
+        if (stat && stat.isFile() && stat.nlink > 1) {
+            // might be a file with pending links
+            const key = `${stat.dev}:${stat.ino}`;
+            const pending = this[PENDINGLINKS].get(key);
+            if (pending) {
+                this[PENDINGLINKS].delete(key);
+                for (const job of pending) {
+                    job.pending = false;
+                    this[PROCESSJOB](job);
+                }
+            }
+        }
         this[PROCESS]();
     }
     [PROCESSJOB](job) {
+        if (job.pending && job.pendingLink && job === this[CURRENT]) {
+            // At least one of the links to this file are not being included
+            // in the tarball, so we need to just proceed.
+            job.pending = false;
+            job.pendingLink = false;
+        }
         if (job.pending) {
             return;
         }
diff --git a/deps/npm/node_modules/tar/dist/esm/index.min.js b/deps/npm/node_modules/tar/dist/esm/index.min.js
index 8b043cabab710d..89c9806c4bd74e 100644
--- a/deps/npm/node_modules/tar/dist/esm/index.min.js
+++ b/deps/npm/node_modules/tar/dist/esm/index.min.js
@@ -1,4 +1,4 @@
-var kr=Object.defineProperty;var vr=(s,t)=>{for(var e in t)kr(s,e,{get:t[e],enumerable:!0})};import Kr from"events";import I from"fs";import{EventEmitter as Ti}from"node:events";import Ns from"node:stream";import{StringDecoder as Mr}from"node:string_decoder";var Os=typeof process=="object"&&process?process:{stdout:null,stderr:null},Br=s=>!!s&&typeof s=="object"&&(s instanceof D||s instanceof Ns||Pr(s)||zr(s)),Pr=s=>!!s&&typeof s=="object"&&s instanceof Ti&&typeof s.pipe=="function"&&s.pipe!==Ns.Writable.prototype.pipe,zr=s=>!!s&&typeof s=="object"&&s instanceof Ti&&typeof s.write=="function"&&typeof s.end=="function",q=Symbol("EOF"),j=Symbol("maybeEmitEnd"),rt=Symbol("emittedEnd"),Le=Symbol("emittingEnd"),jt=Symbol("emittedError"),Ne=Symbol("closed"),Ts=Symbol("read"),Ae=Symbol("flush"),xs=Symbol("flushChunk"),z=Symbol("encoding"),Mt=Symbol("decoder"),b=Symbol("flowing"),Qt=Symbol("paused"),Bt=Symbol("resume"),_=Symbol("buffer"),A=Symbol("pipes"),g=Symbol("bufferLength"),yi=Symbol("bufferPush"),De=Symbol("bufferShift"),L=Symbol("objectMode"),w=Symbol("destroyed"),Ri=Symbol("error"),bi=Symbol("emitData"),Ls=Symbol("emitEnd"),_i=Symbol("emitEnd2"),Z=Symbol("async"),gi=Symbol("abort"),Ie=Symbol("aborted"),Jt=Symbol("signal"),yt=Symbol("dataListeners"),C=Symbol("discarded"),te=s=>Promise.resolve().then(s),Ur=s=>s(),Hr=s=>s==="end"||s==="finish"||s==="prefinish",Wr=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Gr=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),Ce=class{src;dest;opts;ondrain;constructor(t,e,i){this.src=t,this.dest=e,this.opts=i,this.ondrain=()=>t[Bt](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(t){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},Oi=class extends Ce{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(t,e,i){super(t,e,i),this.proxyErrors=r=>this.dest.emit("error",r),t.on("error",this.proxyErrors)}},Zr=s=>!!s.objectMode,Yr=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",D=class extends Ti{[b]=!1;[Qt]=!1;[A]=[];[_]=[];[L];[z];[Z];[Mt];[q]=!1;[rt]=!1;[Le]=!1;[Ne]=!1;[jt]=null;[g]=0;[w]=!1;[Jt];[Ie]=!1;[yt]=0;[C]=!1;writable=!0;readable=!0;constructor(...t){let e=t[0]||{};if(super(),e.objectMode&&typeof e.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Zr(e)?(this[L]=!0,this[z]=null):Yr(e)?(this[z]=e.encoding,this[L]=!1):(this[L]=!1,this[z]=null),this[Z]=!!e.async,this[Mt]=this[z]?new Mr(this[z]):null,e&&e.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[_]}),e&&e.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[A]});let{signal:i}=e;i&&(this[Jt]=i,i.aborted?this[gi]():i.addEventListener("abort",()=>this[gi]()))}get bufferLength(){return this[g]}get encoding(){return this[z]}set encoding(t){throw new Error("Encoding must be set at instantiation time")}setEncoding(t){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[L]}set objectMode(t){throw new Error("objectMode must be set at instantiation time")}get async(){return this[Z]}set async(t){this[Z]=this[Z]||!!t}[gi](){this[Ie]=!0,this.emit("abort",this[Jt]?.reason),this.destroy(this[Jt]?.reason)}get aborted(){return this[Ie]}set aborted(t){}write(t,e,i){if(this[Ie])return!1;if(this[q])throw new Error("write after end");if(this[w])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof e=="function"&&(i=e,e="utf8"),e||(e="utf8");let r=this[Z]?te:Ur;if(!this[L]&&!Buffer.isBuffer(t)){if(Gr(t))t=Buffer.from(t.buffer,t.byteOffset,t.byteLength);else if(Wr(t))t=Buffer.from(t);else if(typeof t!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[L]?(this[b]&&this[g]!==0&&this[Ae](!0),this[b]?this.emit("data",t):this[yi](t),this[g]!==0&&this.emit("readable"),i&&r(i),this[b]):t.length?(typeof t=="string"&&!(e===this[z]&&!this[Mt]?.lastNeed)&&(t=Buffer.from(t,e)),Buffer.isBuffer(t)&&this[z]&&(t=this[Mt].write(t)),this[b]&&this[g]!==0&&this[Ae](!0),this[b]?this.emit("data",t):this[yi](t),this[g]!==0&&this.emit("readable"),i&&r(i),this[b]):(this[g]!==0&&this.emit("readable"),i&&r(i),this[b])}read(t){if(this[w])return null;if(this[C]=!1,this[g]===0||t===0||t&&t>this[g])return this[j](),null;this[L]&&(t=null),this[_].length>1&&!this[L]&&(this[_]=[this[z]?this[_].join(""):Buffer.concat(this[_],this[g])]);let e=this[Ts](t||null,this[_][0]);return this[j](),e}[Ts](t,e){if(this[L])this[De]();else{let i=e;t===i.length||t===null?this[De]():typeof i=="string"?(this[_][0]=i.slice(t),e=i.slice(0,t),this[g]-=t):(this[_][0]=i.subarray(t),e=i.subarray(0,t),this[g]-=t)}return this.emit("data",e),!this[_].length&&!this[q]&&this.emit("drain"),e}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e="utf8"),t!==void 0&&this.write(t,e),i&&this.once("end",i),this[q]=!0,this.writable=!1,(this[b]||!this[Qt])&&this[j](),this}[Bt](){this[w]||(!this[yt]&&!this[A].length&&(this[C]=!0),this[Qt]=!1,this[b]=!0,this.emit("resume"),this[_].length?this[Ae]():this[q]?this[j]():this.emit("drain"))}resume(){return this[Bt]()}pause(){this[b]=!1,this[Qt]=!0,this[C]=!1}get destroyed(){return this[w]}get flowing(){return this[b]}get paused(){return this[Qt]}[yi](t){this[L]?this[g]+=1:this[g]+=t.length,this[_].push(t)}[De](){return this[L]?this[g]-=1:this[g]-=this[_][0].length,this[_].shift()}[Ae](t=!1){do;while(this[xs](this[De]())&&this[_].length);!t&&!this[_].length&&!this[q]&&this.emit("drain")}[xs](t){return this.emit("data",t),this[b]}pipe(t,e){if(this[w])return t;this[C]=!1;let i=this[rt];return e=e||{},t===Os.stdout||t===Os.stderr?e.end=!1:e.end=e.end!==!1,e.proxyErrors=!!e.proxyErrors,i?e.end&&t.end():(this[A].push(e.proxyErrors?new Oi(this,t,e):new Ce(this,t,e)),this[Z]?te(()=>this[Bt]()):this[Bt]()),t}unpipe(t){let e=this[A].find(i=>i.dest===t);e&&(this[A].length===1?(this[b]&&this[yt]===0&&(this[b]=!1),this[A]=[]):this[A].splice(this[A].indexOf(e),1),e.unpipe())}addListener(t,e){return this.on(t,e)}on(t,e){let i=super.on(t,e);if(t==="data")this[C]=!1,this[yt]++,!this[A].length&&!this[b]&&this[Bt]();else if(t==="readable"&&this[g]!==0)super.emit("readable");else if(Hr(t)&&this[rt])super.emit(t),this.removeAllListeners(t);else if(t==="error"&&this[jt]){let r=e;this[Z]?te(()=>r.call(this,this[jt])):r.call(this,this[jt])}return i}removeListener(t,e){return this.off(t,e)}off(t,e){let i=super.off(t,e);return t==="data"&&(this[yt]=this.listeners("data").length,this[yt]===0&&!this[C]&&!this[A].length&&(this[b]=!1)),i}removeAllListeners(t){let e=super.removeAllListeners(t);return(t==="data"||t===void 0)&&(this[yt]=0,!this[C]&&!this[A].length&&(this[b]=!1)),e}get emittedEnd(){return this[rt]}[j](){!this[Le]&&!this[rt]&&!this[w]&&this[_].length===0&&this[q]&&(this[Le]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[Ne]&&this.emit("close"),this[Le]=!1)}emit(t,...e){let i=e[0];if(t!=="error"&&t!=="close"&&t!==w&&this[w])return!1;if(t==="data")return!this[L]&&!i?!1:this[Z]?(te(()=>this[bi](i)),!0):this[bi](i);if(t==="end")return this[Ls]();if(t==="close"){if(this[Ne]=!0,!this[rt]&&!this[w])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(t==="error"){this[jt]=i,super.emit(Ri,i);let n=!this[Jt]||this.listeners("error").length?super.emit("error",i):!1;return this[j](),n}else if(t==="resume"){let n=super.emit("resume");return this[j](),n}else if(t==="finish"||t==="prefinish"){let n=super.emit(t);return this.removeAllListeners(t),n}let r=super.emit(t,...e);return this[j](),r}[bi](t){for(let i of this[A])i.dest.write(t)===!1&&this.pause();let e=this[C]?!1:super.emit("data",t);return this[j](),e}[Ls](){return this[rt]?!1:(this[rt]=!0,this.readable=!1,this[Z]?(te(()=>this[_i]()),!0):this[_i]())}[_i](){if(this[Mt]){let e=this[Mt].end();if(e){for(let i of this[A])i.dest.write(e);this[C]||super.emit("data",e)}}for(let e of this[A])e.end();let t=super.emit("end");return this.removeAllListeners("end"),t}async collect(){let t=Object.assign([],{dataLength:0});this[L]||(t.dataLength=0);let e=this.promise();return this.on("data",i=>{t.push(i),this[L]||(t.dataLength+=i.length)}),await e,t}async concat(){if(this[L])throw new Error("cannot concat in objectMode");let t=await this.collect();return this[z]?t.join(""):Buffer.concat(t,t.dataLength)}async promise(){return new Promise((t,e)=>{this.on(w,()=>e(new Error("stream destroyed"))),this.on("error",i=>e(i)),this.on("end",()=>t())})}[Symbol.asyncIterator](){this[C]=!1;let t=!1,e=async()=>(this.pause(),t=!0,{value:void 0,done:!0});return{next:()=>{if(t)return e();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[q])return e();let n,o,h=d=>{this.off("data",a),this.off("end",l),this.off(w,c),e(),o(d)},a=d=>{this.off("error",h),this.off("end",l),this.off(w,c),this.pause(),n({value:d,done:!!this[q]})},l=()=>{this.off("error",h),this.off("data",a),this.off(w,c),e(),n({done:!0,value:void 0})},c=()=>h(new Error("stream destroyed"));return new Promise((d,S)=>{o=S,n=d,this.once(w,c),this.once("error",h),this.once("end",l),this.once("data",a)})},throw:e,return:e,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[C]=!1;let t=!1,e=()=>(this.pause(),this.off(Ri,e),this.off(w,e),this.off("end",e),t=!0,{done:!0,value:void 0}),i=()=>{if(t)return e();let r=this.read();return r===null?e():{done:!1,value:r}};return this.once("end",e),this.once(Ri,e),this.once(w,e),{next:i,throw:e,return:e,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(t){if(this[w])return t?this.emit("error",t):this.emit(w),this;this[w]=!0,this[C]=!0,this[_].length=0,this[g]=0;let e=this;return typeof e.close=="function"&&!this[Ne]&&e.close(),t?this.emit("error",t):this.emit(w),this}static get isStream(){return Br}};var Vr=I.writev,ot=Symbol("_autoClose"),H=Symbol("_close"),ee=Symbol("_ended"),m=Symbol("_fd"),xi=Symbol("_finished"),J=Symbol("_flags"),Li=Symbol("_flush"),Ii=Symbol("_handleChunk"),Ci=Symbol("_makeBuf"),se=Symbol("_mode"),Fe=Symbol("_needDrain"),Ut=Symbol("_onerror"),Ht=Symbol("_onopen"),Ni=Symbol("_onread"),Pt=Symbol("_onwrite"),ht=Symbol("_open"),U=Symbol("_path"),nt=Symbol("_pos"),Y=Symbol("_queue"),zt=Symbol("_read"),Ai=Symbol("_readSize"),Q=Symbol("_reading"),ie=Symbol("_remain"),Di=Symbol("_size"),ke=Symbol("_write"),Rt=Symbol("_writing"),ve=Symbol("_defaultFlag"),bt=Symbol("_errored"),_t=class extends D{[bt]=!1;[m];[U];[Ai];[Q]=!1;[Di];[ie];[ot];constructor(t,e){if(e=e||{},super(e),this.readable=!0,this.writable=!1,typeof t!="string")throw new TypeError("path must be a string");this[bt]=!1,this[m]=typeof e.fd=="number"?e.fd:void 0,this[U]=t,this[Ai]=e.readSize||16*1024*1024,this[Q]=!1,this[Di]=typeof e.size=="number"?e.size:1/0,this[ie]=this[Di],this[ot]=typeof e.autoClose=="boolean"?e.autoClose:!0,typeof this[m]=="number"?this[zt]():this[ht]()}get fd(){return this[m]}get path(){return this[U]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[ht](){I.open(this[U],"r",(t,e)=>this[Ht](t,e))}[Ht](t,e){t?this[Ut](t):(this[m]=e,this.emit("open",e),this[zt]())}[Ci](){return Buffer.allocUnsafe(Math.min(this[Ai],this[ie]))}[zt](){if(!this[Q]){this[Q]=!0;let t=this[Ci]();if(t.length===0)return process.nextTick(()=>this[Ni](null,0,t));I.read(this[m],t,0,t.length,null,(e,i,r)=>this[Ni](e,i,r))}}[Ni](t,e,i){this[Q]=!1,t?this[Ut](t):this[Ii](e,i)&&this[zt]()}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}[Ut](t){this[Q]=!0,this[H](),this.emit("error",t)}[Ii](t,e){let i=!1;return this[ie]-=t,t>0&&(i=super.write(tthis[Ht](t,e))}[Ht](t,e){this[ve]&&this[J]==="r+"&&t&&t.code==="ENOENT"?(this[J]="w",this[ht]()):t?this[Ut](t):(this[m]=e,this.emit("open",e),this[Rt]||this[Li]())}end(t,e){return t&&this.write(t,e),this[ee]=!0,!this[Rt]&&!this[Y].length&&typeof this[m]=="number"&&this[Pt](null,0),this}write(t,e){return typeof t=="string"&&(t=Buffer.from(t,e)),this[ee]?(this.emit("error",new Error("write() after end()")),!1):this[m]===void 0||this[Rt]||this[Y].length?(this[Y].push(t),this[Fe]=!0,!1):(this[Rt]=!0,this[ke](t),!0)}[ke](t){I.write(this[m],t,0,t.length,this[nt],(e,i)=>this[Pt](e,i))}[Pt](t,e){t?this[Ut](t):(this[nt]!==void 0&&typeof e=="number"&&(this[nt]+=e),this[Y].length?this[Li]():(this[Rt]=!1,this[ee]&&!this[xi]?(this[xi]=!0,this[H](),this.emit("finish")):this[Fe]&&(this[Fe]=!1,this.emit("drain"))))}[Li](){if(this[Y].length===0)this[ee]&&this[Pt](null,0);else if(this[Y].length===1)this[ke](this[Y].pop());else{let t=this[Y];this[Y]=[],Vr(this[m],t,this[nt],(e,i)=>this[Pt](e,i))}}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}},Wt=class extends tt{[ht](){let t;if(this[ve]&&this[J]==="r+")try{t=I.openSync(this[U],this[J],this[se])}catch(e){if(e?.code==="ENOENT")return this[J]="w",this[ht]();throw e}else t=I.openSync(this[U],this[J],this[se]);this[Ht](null,t)}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.closeSync(t),this.emit("close")}}[ke](t){let e=!0;try{this[Pt](null,I.writeSync(this[m],t,0,t.length,this[nt])),e=!1}finally{if(e)try{this[H]()}catch{}}}};import nr from"node:path";import Vt from"node:fs";import{dirname as xn,parse as Ln}from"path";var $r=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),As=s=>!!s.sync&&!!s.file,Ds=s=>!s.sync&&!!s.file,Is=s=>!!s.sync&&!s.file,Cs=s=>!s.sync&&!s.file;var Fs=s=>!!s.file;var Xr=s=>{let t=$r.get(s);return t||s},re=(s={})=>{if(!s)return{};let t={};for(let[e,i]of Object.entries(s)){let r=Xr(e);t[r]=i}return t.chmod===void 0&&t.noChmod===!1&&(t.chmod=!0),delete t.noChmod,t};var K=(s,t,e,i,r)=>Object.assign((n=[],o,h)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(h=o,o=void 0),o=o?Array.from(o):[];let a=re(n);if(r?.(a,o),As(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return s(a,o)}else if(Ds(a)){let l=t(a,o);return h?l.then(()=>h(),h):l}else if(Is(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return e(a,o)}else if(Cs(a)){if(typeof h=="function")throw new TypeError("callback only supported with file option");return i(a,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:t,syncNoFile:e,asyncNoFile:i,validate:r});import{EventEmitter as _n}from"events";import Mi from"assert";import{Buffer as gt}from"buffer";import*as ks from"zlib";import qr from"zlib";var jr=qr.constants||{ZLIB_VERNUM:4736},M=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},jr));var Qr=gt.concat,vs=Object.getOwnPropertyDescriptor(gt,"concat"),Jr=s=>s,ki=vs?.writable===!0||vs?.set!==void 0?s=>{gt.concat=s?Jr:Qr}:s=>{},Ot=Symbol("_superWrite"),Gt=class extends Error{code;errno;constructor(t,e){super("zlib: "+t.message,{cause:t}),this.code=t.code,this.errno=t.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+t.message,Error.captureStackTrace(this,e??this.constructor)}get name(){return"ZlibError"}},vi=Symbol("flushFlag"),ne=class extends D{#t=!1;#i=!1;#s;#n;#r;#e;#o;get sawError(){return this.#t}get handle(){return this.#e}get flushFlag(){return this.#s}constructor(t,e){if(!t||typeof t!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(t),this.#s=t.flush??0,this.#n=t.finishFlush??0,this.#r=t.fullFlushFlag??0,typeof ks[e]!="function")throw new TypeError("Compression method not supported: "+e);try{this.#e=new ks[e](t)}catch(i){throw new Gt(i,this.constructor)}this.#o=i=>{this.#t||(this.#t=!0,this.close(),this.emit("error",i))},this.#e?.on("error",i=>this.#o(new Gt(i))),this.once("end",()=>this.close)}close(){this.#e&&(this.#e.close(),this.#e=void 0,this.emit("close"))}reset(){if(!this.#t)return Mi(this.#e,"zlib binding closed"),this.#e.reset?.()}flush(t){this.ended||(typeof t!="number"&&(t=this.#r),this.write(Object.assign(gt.alloc(0),{[vi]:t})))}end(t,e,i){return typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&(e?this.write(t,e):this.write(t)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Ot](t){return super.write(t)}write(t,e,i){if(typeof e=="function"&&(i=e,e="utf8"),typeof t=="string"&&(t=gt.from(t,e)),this.#t)return;Mi(this.#e,"zlib binding closed");let r=this.#e._handle,n=r.close;r.close=()=>{};let o=this.#e.close;this.#e.close=()=>{},ki(!0);let h;try{let l=typeof t[vi]=="number"?t[vi]:this.#s;h=this.#e._processChunk(t,l),ki(!1)}catch(l){ki(!1),this.#o(new Gt(l,this.write))}finally{this.#e&&(this.#e._handle=r,r.close=n,this.#e.close=o,this.#e.removeAllListeners("error"))}this.#e&&this.#e.on("error",l=>this.#o(new Gt(l,this.write)));let a;if(h)if(Array.isArray(h)&&h.length>0){let l=h[0];a=this[Ot](gt.from(l));for(let c=1;c{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(t,e)}finally{this.handle.flush=i}this.handle&&(this.#t=t,this.#i=e)}}}};var Pe=class extends Be{#t;constructor(t){super(t,"Gzip"),this.#t=t&&!!t.portable}[Ot](t){return this.#t?(this.#t=!1,t[9]=255,super[Ot](t)):super[Ot](t)}};var ze=class extends Be{constructor(t){super(t,"Unzip")}},Ue=class extends ne{constructor(t,e){t=t||{},t.flush=t.flush||M.BROTLI_OPERATION_PROCESS,t.finishFlush=t.finishFlush||M.BROTLI_OPERATION_FINISH,t.fullFlushFlag=M.BROTLI_OPERATION_FLUSH,super(t,e)}},He=class extends Ue{constructor(t){super(t,"BrotliCompress")}},We=class extends Ue{constructor(t){super(t,"BrotliDecompress")}},Ge=class extends ne{constructor(t,e){t=t||{},t.flush=t.flush||M.ZSTD_e_continue,t.finishFlush=t.finishFlush||M.ZSTD_e_end,t.fullFlushFlag=M.ZSTD_e_flush,super(t,e)}},Ze=class extends Ge{constructor(t){super(t,"ZstdCompress")}},Ye=class extends Ge{constructor(t){super(t,"ZstdDecompress")}};import{posix as Zt}from"node:path";var Ms=(s,t)=>{if(Number.isSafeInteger(s))s<0?sn(s,t):en(s,t);else throw Error("cannot encode number outside of javascript safe integer range");return t},en=(s,t)=>{t[0]=128;for(var e=t.length;e>1;e--)t[e-1]=s&255,s=Math.floor(s/256)},sn=(s,t)=>{t[0]=255;var e=!1;s=s*-1;for(var i=t.length;i>1;i--){var r=s&255;s=Math.floor(s/256),e?t[i-1]=Ps(r):r===0?t[i-1]=0:(e=!0,t[i-1]=zs(r))}},Bs=s=>{let t=s[0],e=t===128?nn(s.subarray(1,s.length)):t===255?rn(s):null;if(e===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(e))throw Error("parsed number outside of javascript safe integer range");return e},rn=s=>{for(var t=s.length,e=0,i=!1,r=t-1;r>-1;r--){var n=Number(s[r]),o;i?o=Ps(n):n===0?o=n:(i=!0,o=zs(n)),o!==0&&(e-=o*Math.pow(256,t-r-1))}return e},nn=s=>{for(var t=s.length,e=0,i=t-1;i>-1;i--){var r=Number(s[i]);r!==0&&(e+=r*Math.pow(256,t-i-1))}return e},Ps=s=>(255^s)&255,zs=s=>(255^s)+1&255;var Bi={};vr(Bi,{code:()=>Ke,isCode:()=>oe,isName:()=>hn,name:()=>he});var oe=s=>he.has(s),hn=s=>Ke.has(s),he=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]),Ke=new Map(Array.from(he).map(s=>[s[1],s[0]]));var F=class{cksumValid=!1;needPax=!1;nullBlock=!1;block;path;mode;uid;gid;size;cksum;#t="Unsupported";linkpath;uname;gname;devmaj=0;devmin=0;atime;ctime;mtime;charset;comment;constructor(t,e=0,i,r){Buffer.isBuffer(t)?this.decode(t,e||0,i,r):t&&this.#i(t)}decode(t,e,i,r){if(e||(e=0),!t||!(t.length>=e+512))throw new Error("need 512 bytes for header");this.path=i?.path??Tt(t,e,100),this.mode=i?.mode??r?.mode??at(t,e+100,8),this.uid=i?.uid??r?.uid??at(t,e+108,8),this.gid=i?.gid??r?.gid??at(t,e+116,8),this.size=i?.size??r?.size??at(t,e+124,12),this.mtime=i?.mtime??r?.mtime??Pi(t,e+136,12),this.cksum=at(t,e+148,12),r&&this.#i(r,!0),i&&this.#i(i);let n=Tt(t,e+156,1);if(oe(n)&&(this.#t=n||"0"),this.#t==="0"&&this.path.slice(-1)==="/"&&(this.#t="5"),this.#t==="5"&&(this.size=0),this.linkpath=Tt(t,e+157,100),t.subarray(e+257,e+265).toString()==="ustar\x0000")if(this.uname=i?.uname??r?.uname??Tt(t,e+265,32),this.gname=i?.gname??r?.gname??Tt(t,e+297,32),this.devmaj=i?.devmaj??r?.devmaj??at(t,e+329,8)??0,this.devmin=i?.devmin??r?.devmin??at(t,e+337,8)??0,t[e+475]!==0){let h=Tt(t,e+345,155);this.path=h+"/"+this.path}else{let h=Tt(t,e+345,130);h&&(this.path=h+"/"+this.path),this.atime=i?.atime??r?.atime??Pi(t,e+476,12),this.ctime=i?.ctime??r?.ctime??Pi(t,e+488,12)}let o=256;for(let h=e;h!(r==null||i==="path"&&e||i==="linkpath"&&e||i==="global"))))}encode(t,e=0){if(t||(t=this.block=Buffer.alloc(512)),this.#t==="Unsupported"&&(this.#t="0"),!(t.length>=e+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=an(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=xt(t,e,100,n)||this.needPax,this.needPax=lt(t,e+100,8,this.mode)||this.needPax,this.needPax=lt(t,e+108,8,this.uid)||this.needPax,this.needPax=lt(t,e+116,8,this.gid)||this.needPax,this.needPax=lt(t,e+124,12,this.size)||this.needPax,this.needPax=zi(t,e+136,12,this.mtime)||this.needPax,t[e+156]=Number(this.#t.codePointAt(0)),this.needPax=xt(t,e+157,100,this.linkpath)||this.needPax,t.write("ustar\x0000",e+257,8),this.needPax=xt(t,e+265,32,this.uname)||this.needPax,this.needPax=xt(t,e+297,32,this.gname)||this.needPax,this.needPax=lt(t,e+329,8,this.devmaj)||this.needPax,this.needPax=lt(t,e+337,8,this.devmin)||this.needPax,this.needPax=xt(t,e+345,i,o)||this.needPax,t[e+475]!==0?this.needPax=xt(t,e+345,155,o)||this.needPax:(this.needPax=xt(t,e+345,130,o)||this.needPax,this.needPax=zi(t,e+476,12,this.atime)||this.needPax,this.needPax=zi(t,e+488,12,this.ctime)||this.needPax);let h=256;for(let a=e;a{let i=s,r="",n,o=Zt.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Zt.dirname(i),i=Zt.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=t?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=t?n=[i.slice(0,99),r,!0]:(i=Zt.join(Zt.basename(r),i),r=Zt.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},Tt=(s,t,e)=>s.subarray(t,t+e).toString("utf8").replace(/\0.*/,""),Pi=(s,t,e)=>ln(at(s,t,e)),ln=s=>s===void 0?void 0:new Date(s*1e3),at=(s,t,e)=>Number(s[t])&128?Bs(s.subarray(t,t+e)):fn(s,t,e),cn=s=>isNaN(s)?void 0:s,fn=(s,t,e)=>cn(parseInt(s.subarray(t,t+e).toString("utf8").replace(/\0.*$/,"").trim(),8)),dn={12:8589934591,8:2097151},lt=(s,t,e,i)=>i===void 0?!1:i>dn[e]||i<0?(Ms(i,s.subarray(t,t+e)),!0):(un(s,t,e,i),!1),un=(s,t,e,i)=>s.write(mn(i,e),t,e,"ascii"),mn=(s,t)=>pn(Math.floor(s).toString(8),t),pn=(s,t)=>(s.length===t-1?s:new Array(t-s.length-1).join("0")+s+" ")+"\0",zi=(s,t,e,i)=>i===void 0?!1:lt(s,t,e,i.getTime()/1e3),En=new Array(156).join("\0"),xt=(s,t,e,i)=>i===void 0?!1:(s.write(i+En,t,e,"utf8"),i.length!==Buffer.byteLength(i)||i.length>e);import{basename as wn}from"node:path";var ct=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(t,e=!1){this.atime=t.atime,this.charset=t.charset,this.comment=t.comment,this.ctime=t.ctime,this.dev=t.dev,this.gid=t.gid,this.global=e,this.gname=t.gname,this.ino=t.ino,this.linkpath=t.linkpath,this.mtime=t.mtime,this.nlink=t.nlink,this.path=t.path,this.size=t.size,this.uid=t.uid,this.uname=t.uname}encode(){let t=this.encodeBody();if(t==="")return Buffer.allocUnsafe(0);let e=Buffer.byteLength(t),i=512*Math.ceil(1+e/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new F({path:("PaxHeader/"+wn(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:e,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(t,512,e,"utf8");for(let n=e+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(t,e,i=!1){return new s(Sn(yn(t),e),i)}},Sn=(s,t)=>t?Object.assign({},t,s):s,yn=s=>s.replace(/\n$/,"").split(`
-`).reduce(Rn,Object.create(null)),Rn=(s,t)=>{let e=parseInt(t,10);if(e!==Buffer.byteLength(t)+1)return s;t=t.slice((e+" ").length);let i=t.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s};var bn=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,f=bn!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/");var Yt=class extends D{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(t,e,i){switch(super({}),this.pause(),this.extended=e,this.globalExtended=i,this.header=t,this.remain=t.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=t.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!t.path)throw new Error("no path provided for tar.ReadEntry");this.path=f(t.path),this.mode=t.mode,this.mode&&(this.mode=this.mode&4095),this.uid=t.uid,this.gid=t.gid,this.uname=t.uname,this.gname=t.gname,this.size=this.remain,this.mtime=t.mtime,this.atime=t.atime,this.ctime=t.ctime,this.linkpath=t.linkpath?f(t.linkpath):void 0,this.uname=t.uname,this.gname=t.gname,e&&this.#t(e),i&&this.#t(i,!0)}write(t){let e=t.length;if(e>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-e),this.blockRemain=Math.max(0,r-e),this.ignore?!0:i>=e?super.write(t):super.write(t.subarray(0,i))}#t(t,e=!1){t.path&&(t.path=f(t.path)),t.linkpath&&(t.linkpath=f(t.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(t).filter(([i,r])=>!(r==null||i==="path"&&e))))}};var Lt=(s,t,e,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=e instanceof Error&&e.code||t,i.tarCode=t,!s.strict&&i.recoverable!==!1?(e instanceof Error&&(i=Object.assign(e,i),e=e.message),s.emit("warn",t,e,i)):e instanceof Error?s.emit("error",Object.assign(e,i)):s.emit("error",Object.assign(new Error(`${t}: ${e}`),i))};var gn=1024*1024,Zi=Buffer.from([31,139]),Yi=Buffer.from([40,181,47,253]),On=Math.max(Zi.length,Yi.length),B=Symbol("state"),Nt=Symbol("writeEntry"),et=Symbol("readEntry"),Ui=Symbol("nextEntry"),Us=Symbol("processEntry"),V=Symbol("extendedHeader"),ae=Symbol("globalExtendedHeader"),ft=Symbol("meta"),Hs=Symbol("emitMeta"),p=Symbol("buffer"),it=Symbol("queue"),dt=Symbol("ended"),Hi=Symbol("emittedEnd"),At=Symbol("emit"),y=Symbol("unzip"),Ve=Symbol("consumeChunk"),$e=Symbol("consumeChunkSub"),Wi=Symbol("consumeBody"),Ws=Symbol("consumeMeta"),Gs=Symbol("consumeHeader"),le=Symbol("consuming"),Gi=Symbol("bufferConcat"),Xe=Symbol("maybeEnd"),Kt=Symbol("writing"),ut=Symbol("aborted"),qe=Symbol("onDone"),Dt=Symbol("sawValidEntry"),je=Symbol("sawNullBlock"),Qe=Symbol("sawEOF"),Zs=Symbol("closeStream"),Tn=()=>!0,st=class extends _n{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[it]=[];[p];[et];[Nt];[B]="begin";[ft]="";[V];[ae];[dt]=!1;[y];[ut]=!1;[Dt];[je]=!1;[Qe]=!1;[Kt]=!1;[le]=!1;[Hi]=!1;constructor(t={}){super(),this.file=t.file||"",this.on(qe,()=>{(this[B]==="begin"||this[Dt]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),t.ondone?this.on(qe,t.ondone):this.on(qe,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!t.strict,this.maxMetaEntrySize=t.maxMetaEntrySize||gn,this.filter=typeof t.filter=="function"?t.filter:Tn;let e=t.file&&(t.file.endsWith(".tar.br")||t.file.endsWith(".tbr"));this.brotli=!(t.gzip||t.zstd)&&t.brotli!==void 0?t.brotli:e?void 0:!1;let i=t.file&&(t.file.endsWith(".tar.zst")||t.file.endsWith(".tzst"));this.zstd=!(t.gzip||t.brotli)&&t.zstd!==void 0?t.zstd:i?!0:void 0,this.on("end",()=>this[Zs]()),typeof t.onwarn=="function"&&this.on("warn",t.onwarn),typeof t.onReadEntry=="function"&&this.on("entry",t.onReadEntry)}warn(t,e,i={}){Lt(this,t,e,i)}[Gs](t,e){this[Dt]===void 0&&(this[Dt]=!1);let i;try{i=new F(t,e,this[V],this[ae])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[je]?(this[Qe]=!0,this[B]==="begin"&&(this[B]="header"),this[At]("eof")):(this[je]=!0,this[At]("nullBlock"));else if(this[je]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[Nt]=new Yt(i,this[V],this[ae]);if(!this[Dt])if(n.remain){let o=()=>{n.invalid||(this[Dt]=!0)};n.on("end",o)}else this[Dt]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[At]("ignoredEntry",n),this[B]="ignore",n.resume()):n.size>0&&(this[ft]="",n.on("data",o=>this[ft]+=o),this[B]="meta"):(this[V]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[At]("ignoredEntry",n),this[B]=n.remain?"ignore":"header",n.resume()):(n.remain?this[B]="body":(this[B]="header",n.end()),this[et]?this[it].push(n):(this[it].push(n),this[Ui]())))}}}[Zs](){queueMicrotask(()=>this.emit("close"))}[Us](t){let e=!0;if(!t)this[et]=void 0,e=!1;else if(Array.isArray(t)){let[i,...r]=t;this.emit(i,...r)}else this[et]=t,this.emit("entry",t),t.emittedEnd||(t.on("end",()=>this[Ui]()),e=!1);return e}[Ui](){do;while(this[Us](this[it].shift()));if(this[it].length===0){let t=this[et];!t||t.flowing||t.size===t.remain?this[Kt]||this.emit("drain"):t.once("drain",()=>this.emit("drain"))}}[Wi](t,e){let i=this[Nt];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=t.length&&e===0?t:t.subarray(e,e+r);return i.write(n),i.blockRemain||(this[B]="header",this[Nt]=void 0,i.end()),n.length}[Ws](t,e){let i=this[Nt],r=this[Wi](t,e);return!this[Nt]&&i&&this[Hs](i),r}[At](t,e,i){this[it].length===0&&!this[et]?this.emit(t,e,i):this[it].push([t,e,i])}[Hs](t){switch(this[At]("meta",this[ft]),t.type){case"ExtendedHeader":case"OldExtendedHeader":this[V]=ct.parse(this[ft],this[V],!1);break;case"GlobalExtendedHeader":this[ae]=ct.parse(this[ft],this[ae],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let e=this[V]??Object.create(null);this[V]=e,e.path=this[ft].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let e=this[V]||Object.create(null);this[V]=e,e.linkpath=this[ft].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+t.type)}}abort(t){this[ut]=!0,this.emit("abort",t),this.warn("TAR_ABORT",t,{recoverable:!1})}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this[ut])return i?.(),!1;if((this[y]===void 0||this.brotli===void 0&&this[y]===!1)&&t){if(this[p]&&(t=Buffer.concat([this[p],t]),this[p]=void 0),t.lengththis[Ve](c)),this[y].on("error",c=>this.abort(c)),this[y].on("end",()=>{this[dt]=!0,this[Ve]()}),this[Kt]=!0;let l=!!this[y][a?"end":"write"](t);return this[Kt]=!1,i?.(),l}}this[Kt]=!0,this[y]?this[y].write(t):this[Ve](t),this[Kt]=!1;let n=this[it].length>0?!1:this[et]?this[et].flowing:!0;return!n&&this[it].length===0&&this[et]?.once("drain",()=>this.emit("drain")),i?.(),n}[Gi](t){t&&!this[ut]&&(this[p]=this[p]?Buffer.concat([this[p],t]):t)}[Xe](){if(this[dt]&&!this[Hi]&&!this[ut]&&!this[le]){this[Hi]=!0;let t=this[Nt];if(t&&t.blockRemain){let e=this[p]?this[p].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${t.blockRemain} more bytes, only ${e} available)`,{entry:t}),this[p]&&t.write(this[p]),t.end()}this[At](qe)}}[Ve](t){if(this[le]&&t)this[Gi](t);else if(!t&&!this[p])this[Xe]();else if(t){if(this[le]=!0,this[p]){this[Gi](t);let e=this[p];this[p]=void 0,this[$e](e)}else this[$e](t);for(;this[p]&&this[p]?.length>=512&&!this[ut]&&!this[Qe];){let e=this[p];this[p]=void 0,this[$e](e)}this[le]=!1}(!this[p]||this[dt])&&this[Xe]()}[$e](t){let e=0,i=t.length;for(;e+512<=i&&!this[ut]&&!this[Qe];)switch(this[B]){case"begin":case"header":this[Gs](t,e),e+=512;break;case"ignore":case"body":e+=this[Wi](t,e);break;case"meta":e+=this[Ws](t,e);break;default:throw new Error("invalid state: "+this[B])}e{let t=s.length-1,e=-1;for(;t>-1&&s.charAt(t)==="/";)e=t,t--;return e===-1?s:s.slice(0,e)};var Nn=s=>{let t=s.onReadEntry;s.onReadEntry=t?e=>{t(e),e.resume()}:e=>e.resume()},Ki=(s,t)=>{let e=new Map(t.map(n=>[mt(n),!0])),i=s.filter,r=(n,o="")=>{let h=o||Ln(n).root||".",a;if(n===h)a=!1;else{let l=e.get(n);a=l!==void 0?l:r(xn(n),h)}return e.set(n,a),a};s.filter=i?(n,o)=>i(n,o)&&r(mt(n)):n=>r(mt(n))},An=s=>{let t=new st(s),e=s.file,i;try{i=Vt.openSync(e,"r");let r=Vt.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let e=new st(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("end",o),Vt.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},It=K(An,Dn,s=>new st(s),s=>new st(s),(s,t)=>{t?.length&&Ki(s,t),s.noResume||Nn(s)});import fi from"fs";import $ from"fs";import $s from"path";var Vi=(s,t,e)=>(s&=4095,e&&(s=(s|384)&-19),t&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);import{win32 as In}from"node:path";var{isAbsolute:Cn,parse:Ys}=In,ce=s=>{let t="",e=Ys(s);for(;Cn(s)||e.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":e.root;s=s.slice(i.length),t+=i,e=Ys(s)}return[t,s]};var Je=["|","<",">","?",":"],$i=Je.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),Fn=new Map(Je.map((s,t)=>[s,$i[t]])),kn=new Map($i.map((s,t)=>[s,Je[t]])),Xi=s=>Je.reduce((t,e)=>t.split(e).join(Fn.get(e)),s),Ks=s=>$i.reduce((t,e)=>t.split(e).join(kn.get(e)),s);var Js=(s,t)=>t?(s=f(s).replace(/^\.(\/|$)/,""),mt(t)+"/"+s):f(s),vn=16*1024*1024,Xs=Symbol("process"),qs=Symbol("file"),js=Symbol("directory"),ji=Symbol("symlink"),Qs=Symbol("hardlink"),fe=Symbol("header"),ti=Symbol("read"),Qi=Symbol("lstat"),ei=Symbol("onlstat"),Ji=Symbol("onread"),ts=Symbol("onreadlink"),es=Symbol("openfile"),is=Symbol("onopenfile"),pt=Symbol("close"),ii=Symbol("mode"),ss=Symbol("awaitDrain"),qi=Symbol("ondrain"),X=Symbol("prefix"),de=class extends D{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#t=!1;constructor(t,e={}){let i=re(e);super(),this.path=f(t),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||vn,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=f(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?f(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,h]=ce(this.path);o&&typeof h=="string"&&(this.path=h,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=Ks(this.path.replaceAll(/\\/g,"/")),t=t.replaceAll(/\\/g,"/")),this.absolute=f(i.absolute||$s.resolve(this.cwd,t)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[ei](n):this[Qi]()}warn(t,e,i={}){return Lt(this,t,e,i)}emit(t,...e){return t==="error"&&(this.#t=!0),super.emit(t,...e)}[Qi](){$.lstat(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ei](e)})}[ei](t){this.statCache.set(this.absolute,t),this.stat=t,t.isFile()||(t.size=0),this.type=Mn(t),this.emit("stat",t),this[Xs]()}[Xs](){switch(this.type){case"File":return this[qs]();case"Directory":return this[js]();case"SymbolicLink":return this[ji]();default:return this.end()}}[ii](t){return Vi(t,this.type==="Directory",this.portable)}[X](t){return Js(t,this.prefix)}[fe](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new F({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this[ii](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let t=this.header?.block;if(!t)throw new Error("failed to encode header");super.write(t)}[js](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[fe](),this.end()}[ji](){$.readlink(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ts](e)})}[ts](t){this.linkpath=f(t),this[fe](),this.end()}[Qs](t){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=f($s.relative(this.cwd,t)),this.stat.size=0,this[fe](),this.end()}[qs](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let t=`${this.stat.dev}:${this.stat.ino}`,e=this.linkCache.get(t);if(e?.indexOf(this.cwd)===0)return this[Qs](e);this.linkCache.set(t,this.absolute)}if(this[fe](),this.stat.size===0)return this.end();this[es]()}[es](){$.open(this.absolute,"r",(t,e)=>{if(t)return this.emit("error",t);this[is](e)})}[is](t){if(this.fd=t,this.#t)return this[pt]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let e=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(e),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[ti]()}[ti](){let{fd:t,buf:e,offset:i,length:r,pos:n}=this;if(t===void 0||e===void 0)throw new Error("cannot read file without first opening");$.read(t,e,i,r,n,(o,h)=>{if(o)return this[pt](()=>this.emit("error",o));this[Ji](h)})}[pt](t=()=>{}){this.fd!==void 0&&$.close(this.fd,t)}[Ji](t){if(t<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(t>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(t===this.remain)for(let r=t;rthis[qi]())}[ss](t){this.once("drain",t)}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this.blockRemaint?this.emit("error",t):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[ti]()}},si=class extends de{sync=!0;[Qi](){this[ei]($.lstatSync(this.absolute))}[ji](){this[ts]($.readlinkSync(this.absolute))}[es](){this[is]($.openSync(this.absolute,"r"))}[ti](){let t=!0;try{let{fd:e,buf:i,offset:r,length:n,pos:o}=this;if(e===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let h=$.readSync(e,i,r,n,o);this[Ji](h),t=!1}finally{if(t)try{this[pt](()=>{})}catch{}}}[ss](t){t()}[pt](t=()=>{}){this.fd!==void 0&&$.closeSync(this.fd),t()}},ri=class extends D{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(t,e,i={}){return Lt(this,t,e,i)}constructor(t,e={}){let i=re(e);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=t;let{type:r}=t;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=f(t.path),this.mode=t.mode!==void 0?this[ii](t.mode):void 0,this.uid=this.portable?void 0:t.uid,this.gid=this.portable?void 0:t.gid,this.uname=this.portable?void 0:t.uname,this.gname=this.portable?void 0:t.gname,this.size=t.size,this.mtime=this.noMtime?void 0:i.mtime||t.mtime,this.atime=this.portable?void 0:t.atime,this.ctime=this.portable?void 0:t.ctime,this.linkpath=t.linkpath!==void 0?f(t.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[h,a]=ce(this.path);h&&typeof a=="string"&&(this.path=a,n=h)}this.remain=t.size,this.blockRemain=t.startBlockSize,this.onWriteEntry?.(this),this.header=new F({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),t.pipe(this)}[X](t){return Js(t,this.prefix)}[ii](t){return Vi(t,this.type==="Directory",this.portable)}write(t,e,i){typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8"));let r=t.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(t,i)}end(t,e,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,e??"utf8")),i&&this.once("finish",i),t?super.end(t,i):super.end(i),this}},Mn=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported";var ni=class s{tail;head;length=0;static create(t=[]){return new s(t)}constructor(t=[]){for(let e of t)this.push(e)}*[Symbol.iterator](){for(let t=this.head;t;t=t.next)yield t.value}removeNode(t){if(t.list!==this)throw new Error("removing node which does not belong to this list");let e=t.next,i=t.prev;return e&&(e.prev=i),i&&(i.next=e),t===this.head&&(this.head=e),t===this.tail&&(this.tail=i),this.length--,t.next=void 0,t.prev=void 0,t.list=void 0,e}unshiftNode(t){if(t===this.head)return;t.list&&t.list.removeNode(t);let e=this.head;t.list=this,t.next=e,e&&(e.prev=t),this.head=t,this.tail||(this.tail=t),this.length++}pushNode(t){if(t===this.tail)return;t.list&&t.list.removeNode(t);let e=this.tail;t.list=this,t.prev=e,e&&(e.next=t),this.tail=t,this.head||(this.head=t),this.length++}push(...t){for(let e=0,i=t.length;e1)i=e;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=t(i,r.value,n),r=r.next;return i}reduceReverse(t,e){let i,r=this.tail;if(arguments.length>1)i=e;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=t(i,r.value,n),r=r.prev;return i}toArray(){let t=new Array(this.length);for(let e=0,i=this.head;i;e++)t[e]=i.value,i=i.next;return t}toArrayReverse(){let t=new Array(this.length);for(let e=0,i=this.tail;i;e++)t[e]=i.value,i=i.prev;return t}slice(t=0,e=this.length){e<0&&(e+=this.length),t<0&&(t+=this.length);let i=new s;if(ethis.length&&(e=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(e=this.length);let r=this.length,n=this.tail;for(;n&&r>e;r--)n=n.prev;for(;n&&r>t;r--,n=n.prev)i.push(n.value);return i}splice(t,e=0,...i){t>this.length&&(t=this.length-1),t<0&&(t=this.length+t);let r=this.head;for(let o=0;r&&o1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(t.gzip&&(typeof t.gzip!="object"&&(t.gzip={}),this.portable&&(t.gzip.portable=!0),this.zip=new Pe(t.gzip)),t.brotli&&(typeof t.brotli!="object"&&(t.brotli={}),this.zip=new He(t.brotli)),t.zstd&&(typeof t.zstd!="object"&&(t.zstd={}),this.zip=new Ze(t.zstd)),!this.zip)throw new Error("impossible");let e=this.zip;e.on("data",i=>super.write(i)),e.on("end",()=>super.end()),e.on("drain",()=>this[hs]()),this.on("resume",()=>e.resume())}else this.on("drain",this[hs]);this.noDirRecurse=!!t.noDirRecurse,this.follow=!!t.follow,this.noMtime=!!t.noMtime,t.mtime&&(this.mtime=t.mtime),this.filter=typeof t.filter=="function"?t.filter:()=>!0,this[W]=new ni,this[G]=0,this.jobs=Number(t.jobs)||4,this[pe]=!1,this[me]=!1}[rr](t){return super.write(t)}add(t){return this.write(t),this}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&this.add(t),this[me]=!0,this[Ft](),i&&i(),this}write(t){if(this[me])throw new Error("write after end");return t instanceof Yt?this[er](t):this[hi](t),this.flowing}[er](t){let e=f(sr.resolve(this.cwd,t.path));if(!this.filter(t.path,t))t.resume();else{let i=new di(t.path,e);i.entry=new ri(t,this[os](i)),i.entry.on("end",()=>this[ns](i)),this[G]+=1,this[W].push(i)}this[Ft]()}[hi](t){let e=f(sr.resolve(this.cwd,t));this[W].push(new di(t,e)),this[Ft]()}[as](t){t.pending=!0,this[G]+=1;let e=this.follow?"stat":"lstat";fi[e](t.absolute,(i,r)=>{t.pending=!1,this[G]-=1,i?this.emit("error",i):this[oi](t,r)})}[oi](t,e){this.statCache.set(t.absolute,e),t.stat=e,this.filter(t.path,e)?e.isFile()&&e.nlink>1&&t===this[Ct]&&!this.linkCache.get(`${e.dev}:${e.ino}`)&&!this.sync&&this[rs](t):t.ignore=!0,this[Ft]()}[ls](t){t.pending=!0,this[G]+=1,fi.readdir(t.absolute,(e,i)=>{if(t.pending=!1,this[G]-=1,e)return this.emit("error",e);this[ai](t,i)})}[ai](t,e){this.readdirCache.set(t.absolute,e),t.readdir=e,this[Ft]()}[Ft](){if(!this[pe]){this[pe]=!0;for(let t=this[W].head;t&&this[G]this.warn(e,i,r),noPax:this.noPax,cwd:this.cwd,absolute:t.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[ir](t){this[G]+=1;try{return new this[ci](t.path,this[os](t)).on("end",()=>this[ns](t)).on("error",i=>this.emit("error",i))}catch(e){this.emit("error",e)}}[hs](){this[Ct]&&this[Ct].entry&&this[Ct].entry.resume()}[li](t){t.piped=!0,t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[hi](o+r)});let e=t.entry,i=this.zip;if(!e)throw new Error("cannot pipe without source");i?e.on("data",r=>{i.write(r)||e.pause()}):e.on("data",r=>{super.write(r)||e.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(t,e,i={}){Lt(this,t,e,i)}},kt=class extends Et{sync=!0;constructor(t){super(t),this[ci]=si}pause(){}resume(){}[as](t){let e=this.follow?"statSync":"lstatSync";this[oi](t,fi[e](t.absolute))}[ls](t){this[ai](t,fi.readdirSync(t.absolute))}[li](t){let e=t.entry,i=this.zip;if(t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[hi](o+r)}),!e)throw new Error("Cannot pipe without source");i?e.on("data",r=>{i.write(r)}):e.on("data",r=>{super[rr](r)})}};var Un=(s,t)=>{let e=new kt(s),i=new Wt(s.file,{mode:s.mode||438});e.pipe(i),or(e,t)},Hn=(s,t)=>{let e=new Et(s),i=new tt(s.file,{mode:s.mode||438});e.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),e.on("error",o)});return hr(e,t).catch(n=>e.emit("error",n)),r},or=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?It({file:nr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},hr=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await It({file:nr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(e);s.end()},Wn=(s,t)=>{let e=new kt(s);return or(e,t),e},Gn=(s,t)=>{let e=new Et(s);return hr(e,t).catch(i=>e.emit("error",i)),e},Zn=K(Un,Hn,Wn,Gn,(s,t)=>{if(!t?.length)throw new TypeError("no paths specified to add to archive")});import Cr from"node:fs";import so from"node:assert";import{randomBytes as Ir}from"node:crypto";import u from"node:fs";import R from"node:path";import cr from"fs";var Yn=process.env.__FAKE_PLATFORM__||process.platform,fr=Yn==="win32",{O_CREAT:dr,O_NOFOLLOW:ar,O_TRUNC:ur,O_WRONLY:mr}=cr.constants,pr=Number(process.env.__FAKE_FS_O_FILENAME__)||cr.constants.UV_FS_O_FILEMAP||0,Kn=fr&&!!pr,Vn=512*1024,$n=pr|ur|dr|mr,lr=!fr&&typeof ar=="number"?ar|ur|dr|mr:null,cs=lr!==null?()=>lr:Kn?s=>s"w";import mi from"node:fs";import Ee from"node:path";var fs=(s,t,e)=>{try{return mi.lchownSync(s,t,e)}catch(i){if(i?.code!=="ENOENT")throw i}},ui=(s,t,e,i)=>{mi.lchown(s,t,e,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},Xn=(s,t,e,i,r)=>{if(t.isDirectory())ds(Ee.resolve(s,t.name),e,i,n=>{if(n)return r(n);let o=Ee.resolve(s,t.name);ui(o,e,i,r)});else{let n=Ee.resolve(s,t.name);ui(n,e,i,r)}},ds=(s,t,e,i)=>{mi.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return ui(s,t,e,i);let o=n.length,h=null,a=l=>{if(!h){if(l)return i(h=l);if(--o===0)return ui(s,t,e,i)}};for(let l of n)Xn(s,l,t,e,a)})},qn=(s,t,e,i)=>{t.isDirectory()&&us(Ee.resolve(s,t.name),e,i),fs(Ee.resolve(s,t.name),e,i)},us=(s,t,e)=>{let i;try{i=mi.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return fs(s,t,e);throw n}for(let r of i)qn(s,r,t,e);return fs(s,t,e)};import k from"node:fs";import jn from"node:fs/promises";import pi from"node:path";var we=class extends Error{path;code;syscall="chdir";constructor(t,e){super(`${e}: Cannot cd into '${t}'`),this.path=t,this.code=e}get name(){return"CwdError"}};var wt=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(t,e){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=t,this.path=e}get name(){return"SymlinkError"}};var Qn=(s,t)=>{k.stat(s,(e,i)=>{(e||!i.isDirectory())&&(e=new we(s,e?.code||"ENOTDIR")),t(e)})},Er=(s,t,e)=>{s=f(s);let i=t.umask??18,r=t.mode|448,n=(r&i)!==0,o=t.uid,h=t.gid,a=typeof o=="number"&&typeof h=="number"&&(o!==t.processUid||h!==t.processGid),l=t.preserve,c=t.unlink,d=f(t.cwd),S=(E,x)=>{E?e(E):x&&a?ds(x,o,h,xe=>S(xe)):n?k.chmod(s,r,e):e()};if(s===d)return Qn(s,S);if(l)return jn.mkdir(s,{mode:r,recursive:!0}).then(E=>S(null,E??void 0),S);let N=f(pi.relative(d,s)).split("/");ms(d,N,r,c,d,void 0,S)},ms=(s,t,e,i,r,n,o)=>{if(t.length===0)return o(null,n);let h=t.shift(),a=f(pi.resolve(s+"/"+h));k.mkdir(a,e,wr(a,t,e,i,r,n,o))},wr=(s,t,e,i,r,n,o)=>h=>{h?k.lstat(s,(a,l)=>{if(a)a.path=a.path&&f(a.path),o(a);else if(l.isDirectory())ms(s,t,e,i,r,n,o);else if(i)k.unlink(s,c=>{if(c)return o(c);k.mkdir(s,e,wr(s,t,e,i,r,n,o))});else{if(l.isSymbolicLink())return o(new wt(s,s+"/"+t.join("/")));o(h)}}):(n=n||s,ms(s,t,e,i,r,n,o))},Jn=s=>{let t=!1,e;try{t=k.statSync(s).isDirectory()}catch(i){e=i?.code}finally{if(!t)throw new we(s,e??"ENOTDIR")}},Sr=(s,t)=>{s=f(s);let e=t.umask??18,i=t.mode|448,r=(i&e)!==0,n=t.uid,o=t.gid,h=typeof n=="number"&&typeof o=="number"&&(n!==t.processUid||o!==t.processGid),a=t.preserve,l=t.unlink,c=f(t.cwd),d=E=>{E&&h&&us(E,n,o),r&&k.chmodSync(s,i)};if(s===c)return Jn(c),d();if(a)return d(k.mkdirSync(s,{mode:i,recursive:!0})??void 0);let T=f(pi.relative(c,s)).split("/"),N;for(let E=T.shift(),x=c;E&&(x+="/"+E);E=T.shift()){x=f(pi.resolve(x));try{k.mkdirSync(x,i),N=N||x}catch{let xe=k.lstatSync(x);if(xe.isDirectory())continue;if(l){k.unlinkSync(x),k.mkdirSync(x,i),N=N||x;continue}else if(xe.isSymbolicLink())return new wt(x,x+"/"+T.join("/"))}}return d(N)};import{join as br}from"node:path";var ps=Object.create(null),yr=1e4,$t=new Set,Rr=s=>{$t.has(s)?$t.delete(s):ps[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),$t.add(s);let t=ps[s],e=$t.size-yr;if(e>yr/10){for(let i of $t)if($t.delete(i),delete ps[i],--e<=0)break}return t};var to=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,eo=to==="win32",io=s=>s.split("/").slice(0,-1).reduce((e,i)=>{let r=e.at(-1);return r!==void 0&&(i=br(r,i)),e.push(i||"/"),e},[]),Ei=class{#t=new Map;#i=new Map;#s=new Set;reserve(t,e){t=eo?["win32 parallelization disabled"]:t.map(r=>mt(br(Rr(r))));let i=new Set(t.map(r=>io(r)).reduce((r,n)=>r.concat(n)));this.#i.set(e,{dirs:i,paths:t});for(let r of t){let n=this.#t.get(r);n?n.push(e):this.#t.set(r,[e])}for(let r of i){let n=this.#t.get(r);if(!n)this.#t.set(r,[new Set([e])]);else{let o=n.at(-1);o instanceof Set?o.add(e):n.push(new Set([e]))}}return this.#r(e)}#n(t){let e=this.#i.get(t);if(!e)throw new Error("function does not have any path reservations");return{paths:e.paths.map(i=>this.#t.get(i)),dirs:[...e.dirs].map(i=>this.#t.get(i))}}check(t){let{paths:e,dirs:i}=this.#n(t);return e.every(r=>r&&r[0]===t)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(t))}#r(t){return this.#s.has(t)||!this.check(t)?!1:(this.#s.add(t),t(()=>this.#e(t)),!0)}#e(t){if(!this.#s.has(t))return!1;let e=this.#i.get(t);if(!e)throw new Error("invalid reservation");let{paths:i,dirs:r}=e,n=new Set;for(let o of i){let h=this.#t.get(o);if(!h||h?.[0]!==t)continue;let a=h[1];if(!a){this.#t.delete(o);continue}if(h.shift(),typeof a=="function")n.add(a);else for(let l of a)n.add(l)}for(let o of r){let h=this.#t.get(o),a=h?.[0];if(!(!h||!(a instanceof Set)))if(a.size===1&&h.length===1){this.#t.delete(o);continue}else if(a.size===1){h.shift();let l=h[0];typeof l=="function"&&n.add(l)}else a.delete(t)}return this.#s.delete(t),n.forEach(o=>this.#r(o)),!0}};var _r=()=>process.umask();var gr=Symbol("onEntry"),ys=Symbol("checkFs"),Or=Symbol("checkFs2"),Rs=Symbol("isReusable"),P=Symbol("makeFs"),bs=Symbol("file"),_s=Symbol("directory"),Si=Symbol("link"),Tr=Symbol("symlink"),xr=Symbol("hardlink"),ye=Symbol("ensureNoSymlink"),Lr=Symbol("unsupported"),Nr=Symbol("checkPath"),Es=Symbol("stripAbsolutePath"),St=Symbol("mkdir"),O=Symbol("onError"),wi=Symbol("pending"),Ar=Symbol("pend"),Xt=Symbol("unpend"),ws=Symbol("ended"),Ss=Symbol("maybeClose"),gs=Symbol("skip"),Re=Symbol("doChown"),be=Symbol("uid"),_e=Symbol("gid"),ge=Symbol("checkedCwd"),ro=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Oe=ro==="win32",no=1024,oo=(s,t)=>{if(!Oe)return u.unlink(s,t);let e=s+".DELETE."+Ir(16).toString("hex");u.rename(s,e,i=>{if(i)return t(i);u.unlink(e,t)})},ho=s=>{if(!Oe)return u.unlinkSync(s);let t=s+".DELETE."+Ir(16).toString("hex");u.renameSync(s,t),u.unlinkSync(t)},Dr=(s,t,e)=>s!==void 0&&s===s>>>0?s:t!==void 0&&t===t>>>0?t:e,qt=class extends st{[ws]=!1;[ge]=!1;[wi]=0;reservations=new Ei;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(t={}){if(t.ondone=()=>{this[ws]=!0,this[Ss]()},super(t),this.transform=t.transform,this.chmod=!!t.chmod,typeof t.uid=="number"||typeof t.gid=="number"){if(typeof t.uid!="number"||typeof t.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(t.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=t.uid,this.gid=t.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=t.preserveOwner===void 0&&typeof t.uid!="number"?!!(process.getuid&&process.getuid()===0):!!t.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof t.maxDepth=="number"?t.maxDepth:no,this.forceChown=t.forceChown===!0,this.win32=!!t.win32||Oe,this.newer=!!t.newer,this.keep=!!t.keep,this.noMtime=!!t.noMtime,this.preservePaths=!!t.preservePaths,this.unlink=!!t.unlink,this.cwd=f(R.resolve(t.cwd||process.cwd())),this.strip=Number(t.strip)||0,this.processUmask=this.chmod?typeof t.processUmask=="number"?t.processUmask:_r():0,this.umask=typeof t.umask=="number"?t.umask:this.processUmask,this.dmode=t.dmode||511&~this.umask,this.fmode=t.fmode||438&~this.umask,this.on("entry",e=>this[gr](e))}warn(t,e,i={}){return(t==="TAR_BAD_ARCHIVE"||t==="TAR_ABORT")&&(i.recoverable=!1),super.warn(t,e,i)}[Ss](){this[ws]&&this[wi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[Es](t,e){let i=t[e],{type:r}=t;if(!i||this.preservePaths)return!0;let[n,o]=ce(i),h=o.replaceAll(/\\/g,"/").split("/");if(h.includes("..")||Oe&&/^[a-z]:\.\.$/i.test(h[0]??"")){if(e==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${e} contains '..'`,{entry:t,[e]:i}),!1;let a=R.posix.dirname(t.path),l=R.posix.normalize(R.posix.join(a,h.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${e} escapes extraction directory`,{entry:t,[e]:i}),!1}return n&&(t[e]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${e}`,{entry:t,[e]:i})),!0}[Nr](t){let e=f(t.path),i=e.split("/");if(this.strip){if(i.length=this.strip)t.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),t.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:t,path:e,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[Es](t,"path")||!this[Es](t,"linkpath"))return!1;if(t.absolute=R.isAbsolute(t.path)?f(R.resolve(t.path)):f(R.resolve(this.cwd,t.path)),!this.preservePaths&&typeof t.absolute=="string"&&t.absolute.indexOf(this.cwd+"/")!==0&&t.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:t,path:f(t.path),resolvedPath:t.absolute,cwd:this.cwd}),!1;if(t.absolute===this.cwd&&t.type!=="Directory"&&t.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=R.win32.parse(String(t.absolute));t.absolute=r+Xi(String(t.absolute).slice(r.length));let{root:n}=R.win32.parse(t.path);t.path=n+Xi(t.path.slice(n.length))}return!0}[gr](t){if(!this[Nr](t))return t.resume();switch(so.equal(typeof t.absolute,"string"),t.type){case"Directory":case"GNUDumpDir":t.mode&&(t.mode=t.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[ys](t);default:return this[Lr](t)}}[O](t,e){t.name==="CwdError"?this.emit("error",t):(this.warn("TAR_ENTRY_ERROR",t,{entry:e}),this[Xt](),e.resume())}[St](t,e,i){Er(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e},i)}[Re](t){return this.forceChown||this.preserveOwner&&(typeof t.uid=="number"&&t.uid!==this.processUid||typeof t.gid=="number"&&t.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[be](t){return Dr(this.uid,t.uid,this.processUid)}[_e](t){return Dr(this.gid,t.gid,this.processGid)}[bs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=new tt(String(t.absolute),{flags:cs(t.size),mode:i,autoClose:!1});r.on("error",a=>{r.fd&&u.close(r.fd,()=>{}),r.write=()=>!0,this[O](a,t),e()});let n=1,o=a=>{if(a){r.fd&&u.close(r.fd,()=>{}),this[O](a,t),e();return}--n===0&&r.fd!==void 0&&u.close(r.fd,l=>{l?this[O](l,t):this[Xt](),e()})};r.on("finish",()=>{let a=String(t.absolute),l=r.fd;if(typeof l=="number"&&t.mtime&&!this.noMtime){n++;let c=t.atime||new Date,d=t.mtime;u.futimes(l,c,d,S=>S?u.utimes(a,c,d,T=>o(T&&S)):o())}if(typeof l=="number"&&this[Re](t)){n++;let c=this[be](t),d=this[_e](t);typeof c=="number"&&typeof d=="number"&&u.fchown(l,c,d,S=>S?u.chown(a,c,d,T=>o(T&&S)):o())}o()});let h=this.transform&&this.transform(t)||t;h!==t&&(h.on("error",a=>{this[O](a,t),e()}),t.pipe(h)),h.pipe(r)}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode;this[St](String(t.absolute),i,r=>{if(r){this[O](r,t),e();return}let n=1,o=()=>{--n===0&&(e(),this[Xt](),t.resume())};t.mtime&&!this.noMtime&&(n++,u.utimes(String(t.absolute),t.atime||new Date,t.mtime,o)),this[Re](t)&&(n++,u.chown(String(t.absolute),Number(this[be](t)),Number(this[_e](t)),o)),o()})}[Lr](t){t.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${t.type}`,{entry:t}),t.resume()}[Tr](t,e){let i=f(R.relative(this.cwd,R.resolve(R.dirname(String(t.absolute)),String(t.linkpath)))).split("/");this[ye](t,this.cwd,i,()=>this[Si](t,String(t.linkpath),"symlink",e),r=>{this[O](r,t),e()})}[xr](t,e){let i=f(R.resolve(this.cwd,String(t.linkpath))),r=f(String(t.linkpath)).split("/");this[ye](t,this.cwd,r,()=>this[Si](t,i,"link",e),n=>{this[O](n,t),e()})}[ye](t,e,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let h=R.resolve(e,o);u.lstat(h,(a,l)=>{if(a)return r();if(l?.isSymbolicLink())return n(new wt(h,R.resolve(h,i.join("/"))));this[ye](t,h,i,r,n)})}[Ar](){this[wi]++}[Xt](){this[wi]--,this[Ss]()}[gs](t){this[Xt](),t.resume()}[Rs](t,e){return t.type==="File"&&!this.unlink&&e.isFile()&&e.nlink<=1&&!Oe}[ys](t){this[Ar]();let e=[t.path];t.linkpath&&e.push(t.linkpath),this.reservations.reserve(e,i=>this[Or](t,i))}[Or](t,e){let i=h=>{e(h)},r=()=>{this[St](this.cwd,this.dmode,h=>{if(h){this[O](h,t),i();return}this[ge]=!0,n()})},n=()=>{if(t.absolute!==this.cwd){let h=f(R.dirname(String(t.absolute)));if(h!==this.cwd)return this[St](h,this.dmode,a=>{if(a){this[O](a,t),i();return}o()})}o()},o=()=>{u.lstat(String(t.absolute),(h,a)=>{if(a&&(this.keep||this.newer&&a.mtime>(t.mtime??a.mtime))){this[gs](t),i();return}if(h||this[Rs](t,a))return this[P](null,t,i);if(a.isDirectory()){if(t.type==="Directory"){let l=this.chmod&&t.mode&&(a.mode&4095)!==t.mode,c=d=>this[P](d??null,t,i);return l?u.chmod(String(t.absolute),Number(t.mode),c):c()}if(t.absolute!==this.cwd)return u.rmdir(String(t.absolute),l=>this[P](l??null,t,i))}if(t.absolute===this.cwd)return this[P](null,t,i);oo(String(t.absolute),l=>this[P](l??null,t,i))})};this[ge]?n():r()}[P](t,e,i){if(t){this[O](t,e),i();return}switch(e.type){case"File":case"OldFile":case"ContiguousFile":return this[bs](e,i);case"Link":return this[xr](e,i);case"SymbolicLink":return this[Tr](e,i);case"Directory":case"GNUDumpDir":return this[_s](e,i)}}[Si](t,e,i,r){u[i](e,String(t.absolute),n=>{n?this[O](n,t):(this[Xt](),t.resume()),r()})}},Se=s=>{try{return[null,s()]}catch(t){return[t,null]}},Te=class extends qt{sync=!0;[P](t,e){return super[P](t,e,()=>{})}[ys](t){if(!this[ge]){let n=this[St](this.cwd,this.dmode);if(n)return this[O](n,t);this[ge]=!0}if(t.absolute!==this.cwd){let n=f(R.dirname(String(t.absolute)));if(n!==this.cwd){let o=this[St](n,this.dmode);if(o)return this[O](o,t)}}let[e,i]=Se(()=>u.lstatSync(String(t.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(t.mtime??i.mtime)))return this[gs](t);if(e||this[Rs](t,i))return this[P](null,t);if(i.isDirectory()){if(t.type==="Directory"){let o=this.chmod&&t.mode&&(i.mode&4095)!==t.mode,[h]=o?Se(()=>{u.chmodSync(String(t.absolute),Number(t.mode))}):[];return this[P](h,t)}let[n]=Se(()=>u.rmdirSync(String(t.absolute)));this[P](n,t)}let[r]=t.absolute===this.cwd?[]:Se(()=>ho(String(t.absolute)));this[P](r,t)}[bs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=h=>{let a;try{u.closeSync(n)}catch(l){a=l}(h||a)&&this[O](h||a,t),e()},n;try{n=u.openSync(String(t.absolute),cs(t.size),i)}catch(h){return r(h)}let o=this.transform&&this.transform(t)||t;o!==t&&(o.on("error",h=>this[O](h,t)),t.pipe(o)),o.on("data",h=>{try{u.writeSync(n,h,0,h.length)}catch(a){r(a)}}),o.on("end",()=>{let h=null;if(t.mtime&&!this.noMtime){let a=t.atime||new Date,l=t.mtime;try{u.futimesSync(n,a,l)}catch(c){try{u.utimesSync(String(t.absolute),a,l)}catch{h=c}}}if(this[Re](t)){let a=this[be](t),l=this[_e](t);try{u.fchownSync(n,Number(a),Number(l))}catch(c){try{u.chownSync(String(t.absolute),Number(a),Number(l))}catch{h=h||c}}}r(h)})}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode,r=this[St](String(t.absolute),i);if(r){this[O](r,t),e();return}if(t.mtime&&!this.noMtime)try{u.utimesSync(String(t.absolute),t.atime||new Date,t.mtime)}catch{}if(this[Re](t))try{u.chownSync(String(t.absolute),Number(this[be](t)),Number(this[_e](t)))}catch{}e(),t.resume()}[St](t,e){try{return Sr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e})}catch(i){return i}}[ye](t,e,i,r,n){if(this.preservePaths||i.length===0)return r();let o=e;for(let h of i){o=R.resolve(o,h);let[a,l]=Se(()=>u.lstatSync(o));if(a)return r();if(l.isSymbolicLink())return n(new wt(o,R.resolve(e,i.join("/"))))}r()}[Si](t,e,i,r){let n=`${i}Sync`;try{u[n](e,String(t.absolute)),r(),t.resume()}catch(o){return this[O](o,t)}}};var ao=s=>{let t=new Te(s),e=s.file,i=Cr.statSync(e),r=s.maxReadSize||16*1024*1024;new Me(e,{readSize:r,size:i.size}).pipe(t)},lo=(s,t)=>{let e=new qt(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("close",o),Cr.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},co=K(ao,lo,s=>new Te(s),s=>new qt(s),(s,t)=>{t?.length&&Ki(s,t)});import v from"node:fs";import Fr from"node:path";var fo=(s,t)=>{let e=new kt(s),i=!0,r,n;try{try{r=v.openSync(s.file,"r+")}catch(a){if(a?.code==="ENOENT")r=v.openSync(s.file,"w+");else throw a}let o=v.fstatSync(r),h=Buffer.alloc(512);t:for(n=0;no.size)break;n+=l,s.mtimeCache&&a.mtime&&s.mtimeCache.set(String(a.path),a.mtime)}i=!1,uo(s,e,n,r,t)}finally{if(i)try{v.closeSync(r)}catch{}}},uo=(s,t,e,i,r)=>{let n=new Wt(s.file,{fd:i,start:e});t.pipe(n),po(t,r)},mo=(s,t)=>{t=Array.from(t);let e=new Et(s),i=(n,o,h)=>{let a=(T,N)=>{T?v.close(n,E=>h(T)):h(null,N)},l=0;if(o===0)return a(null,0);let c=0,d=Buffer.alloc(512),S=(T,N)=>{if(T||N===void 0)return a(T);if(c+=N,c<512&&N)return v.read(n,d,c,d.length-c,l+c,S);if(l===0&&d[0]===31&&d[1]===139)return a(new Error("cannot append to compressed archives"));if(c<512)return a(null,l);let E=new F(d);if(!E.cksumValid)return a(null,l);let x=512*Math.ceil((E.size??0)/512);if(l+x+512>o||(l+=x+512,l>=o))return a(null,l);s.mtimeCache&&E.mtime&&s.mtimeCache.set(String(E.path),E.mtime),c=0,v.read(n,d,0,512,l,S)};v.read(n,d,0,512,l,S)};return new Promise((n,o)=>{e.on("error",o);let h="r+",a=(l,c)=>{if(l&&l.code==="ENOENT"&&h==="r+")return h="w+",v.open(s.file,h,a);if(l||!c)return o(l);v.fstat(c,(d,S)=>{if(d)return v.close(c,()=>o(d));i(c,S.size,(T,N)=>{if(T)return o(T);let E=new tt(s.file,{fd:c,start:N});e.pipe(E),E.on("error",o),E.on("close",n),Eo(e,t)})})};v.open(s.file,h,a)})},po=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?It({file:Fr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},Eo=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await It({file:Fr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e);s.end()},vt=K(fo,mo,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,t)=>{if(!Fs(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!t?.length)throw new TypeError("no paths specified to add/replace")});var wo=K(vt.syncFile,vt.asyncFile,vt.syncNoFile,vt.asyncNoFile,(s,t=[])=>{vt.validate?.(s,t),So(s)}),So=s=>{let t=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=t?(e,i)=>t(e,i)&&!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0)):(e,i)=>!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0))};export{F as Header,Et as Pack,di as PackJob,kt as PackSync,st as Parser,ct as Pax,Yt as ReadEntry,qt as Unpack,Te as UnpackSync,de as WriteEntry,si as WriteEntrySync,ri as WriteEntryTar,Zn as c,Zn as create,co as extract,Ki as filesFilter,It as list,vt as r,vt as replace,It as t,Bi as types,wo as u,wo as update,co as x};
+var vr=Object.defineProperty;var Mr=(s,t)=>{for(var e in t)vr(s,e,{get:t[e],enumerable:!0})};import Vr from"events";import I from"fs";import{EventEmitter as Li}from"node:events";import Ds from"node:stream";import{StringDecoder as Br}from"node:string_decoder";var Ts=typeof process=="object"&&process?process:{stdout:null,stderr:null},Pr=s=>!!s&&typeof s=="object"&&(s instanceof A||s instanceof Ds||zr(s)||Ur(s)),zr=s=>!!s&&typeof s=="object"&&s instanceof Li&&typeof s.pipe=="function"&&s.pipe!==Ds.Writable.prototype.pipe,Ur=s=>!!s&&typeof s=="object"&&s instanceof Li&&typeof s.write=="function"&&typeof s.end=="function",q=Symbol("EOF"),Q=Symbol("maybeEmitEnd"),rt=Symbol("emittedEnd"),Ne=Symbol("emittingEnd"),Qt=Symbol("emittedError"),De=Symbol("closed"),xs=Symbol("read"),Ae=Symbol("flush"),Ls=Symbol("flushChunk"),z=Symbol("encoding"),Mt=Symbol("decoder"),g=Symbol("flowing"),Jt=Symbol("paused"),Bt=Symbol("resume"),b=Symbol("buffer"),D=Symbol("pipes"),_=Symbol("bufferLength"),gi=Symbol("bufferPush"),Ie=Symbol("bufferShift"),L=Symbol("objectMode"),w=Symbol("destroyed"),bi=Symbol("error"),_i=Symbol("emitData"),Ns=Symbol("emitEnd"),Oi=Symbol("emitEnd2"),Z=Symbol("async"),Ti=Symbol("abort"),Ce=Symbol("aborted"),jt=Symbol("signal"),Rt=Symbol("dataListeners"),C=Symbol("discarded"),te=s=>Promise.resolve().then(s),Hr=s=>s(),Wr=s=>s==="end"||s==="finish"||s==="prefinish",Gr=s=>s instanceof ArrayBuffer||!!s&&typeof s=="object"&&s.constructor&&s.constructor.name==="ArrayBuffer"&&s.byteLength>=0,Zr=s=>!Buffer.isBuffer(s)&&ArrayBuffer.isView(s),ke=class{src;dest;opts;ondrain;constructor(t,e,i){this.src=t,this.dest=e,this.opts=i,this.ondrain=()=>t[Bt](),this.dest.on("drain",this.ondrain)}unpipe(){this.dest.removeListener("drain",this.ondrain)}proxyErrors(t){}end(){this.unpipe(),this.opts.end&&this.dest.end()}},xi=class extends ke{unpipe(){this.src.removeListener("error",this.proxyErrors),super.unpipe()}constructor(t,e,i){super(t,e,i),this.proxyErrors=r=>this.dest.emit("error",r),t.on("error",this.proxyErrors)}},Yr=s=>!!s.objectMode,Kr=s=>!s.objectMode&&!!s.encoding&&s.encoding!=="buffer",A=class extends Li{[g]=!1;[Jt]=!1;[D]=[];[b]=[];[L];[z];[Z];[Mt];[q]=!1;[rt]=!1;[Ne]=!1;[De]=!1;[Qt]=null;[_]=0;[w]=!1;[jt];[Ce]=!1;[Rt]=0;[C]=!1;writable=!0;readable=!0;constructor(...t){let e=t[0]||{};if(super(),e.objectMode&&typeof e.encoding=="string")throw new TypeError("Encoding and objectMode may not be used together");Yr(e)?(this[L]=!0,this[z]=null):Kr(e)?(this[z]=e.encoding,this[L]=!1):(this[L]=!1,this[z]=null),this[Z]=!!e.async,this[Mt]=this[z]?new Br(this[z]):null,e&&e.debugExposeBuffer===!0&&Object.defineProperty(this,"buffer",{get:()=>this[b]}),e&&e.debugExposePipes===!0&&Object.defineProperty(this,"pipes",{get:()=>this[D]});let{signal:i}=e;i&&(this[jt]=i,i.aborted?this[Ti]():i.addEventListener("abort",()=>this[Ti]()))}get bufferLength(){return this[_]}get encoding(){return this[z]}set encoding(t){throw new Error("Encoding must be set at instantiation time")}setEncoding(t){throw new Error("Encoding must be set at instantiation time")}get objectMode(){return this[L]}set objectMode(t){throw new Error("objectMode must be set at instantiation time")}get async(){return this[Z]}set async(t){this[Z]=this[Z]||!!t}[Ti](){this[Ce]=!0,this.emit("abort",this[jt]?.reason),this.destroy(this[jt]?.reason)}get aborted(){return this[Ce]}set aborted(t){}write(t,e,i){if(this[Ce])return!1;if(this[q])throw new Error("write after end");if(this[w])return this.emit("error",Object.assign(new Error("Cannot call write after a stream was destroyed"),{code:"ERR_STREAM_DESTROYED"})),!0;typeof e=="function"&&(i=e,e="utf8"),e||(e="utf8");let r=this[Z]?te:Hr;if(!this[L]&&!Buffer.isBuffer(t)){if(Zr(t))t=Buffer.from(t.buffer,t.byteOffset,t.byteLength);else if(Gr(t))t=Buffer.from(t);else if(typeof t!="string")throw new Error("Non-contiguous data written to non-objectMode stream")}return this[L]?(this[g]&&this[_]!==0&&this[Ae](!0),this[g]?this.emit("data",t):this[gi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):t.length?(typeof t=="string"&&!(e===this[z]&&!this[Mt]?.lastNeed)&&(t=Buffer.from(t,e)),Buffer.isBuffer(t)&&this[z]&&(t=this[Mt].write(t)),this[g]&&this[_]!==0&&this[Ae](!0),this[g]?this.emit("data",t):this[gi](t),this[_]!==0&&this.emit("readable"),i&&r(i),this[g]):(this[_]!==0&&this.emit("readable"),i&&r(i),this[g])}read(t){if(this[w])return null;if(this[C]=!1,this[_]===0||t===0||t&&t>this[_])return this[Q](),null;this[L]&&(t=null),this[b].length>1&&!this[L]&&(this[b]=[this[z]?this[b].join(""):Buffer.concat(this[b],this[_])]);let e=this[xs](t||null,this[b][0]);return this[Q](),e}[xs](t,e){if(this[L])this[Ie]();else{let i=e;t===i.length||t===null?this[Ie]():typeof i=="string"?(this[b][0]=i.slice(t),e=i.slice(0,t),this[_]-=t):(this[b][0]=i.subarray(t),e=i.subarray(0,t),this[_]-=t)}return this.emit("data",e),!this[b].length&&!this[q]&&this.emit("drain"),e}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e="utf8"),t!==void 0&&this.write(t,e),i&&this.once("end",i),this[q]=!0,this.writable=!1,(this[g]||!this[Jt])&&this[Q](),this}[Bt](){this[w]||(!this[Rt]&&!this[D].length&&(this[C]=!0),this[Jt]=!1,this[g]=!0,this.emit("resume"),this[b].length?this[Ae]():this[q]?this[Q]():this.emit("drain"))}resume(){return this[Bt]()}pause(){this[g]=!1,this[Jt]=!0,this[C]=!1}get destroyed(){return this[w]}get flowing(){return this[g]}get paused(){return this[Jt]}[gi](t){this[L]?this[_]+=1:this[_]+=t.length,this[b].push(t)}[Ie](){return this[L]?this[_]-=1:this[_]-=this[b][0].length,this[b].shift()}[Ae](t=!1){do;while(this[Ls](this[Ie]())&&this[b].length);!t&&!this[b].length&&!this[q]&&this.emit("drain")}[Ls](t){return this.emit("data",t),this[g]}pipe(t,e){if(this[w])return t;this[C]=!1;let i=this[rt];return e=e||{},t===Ts.stdout||t===Ts.stderr?e.end=!1:e.end=e.end!==!1,e.proxyErrors=!!e.proxyErrors,i?e.end&&t.end():(this[D].push(e.proxyErrors?new xi(this,t,e):new ke(this,t,e)),this[Z]?te(()=>this[Bt]()):this[Bt]()),t}unpipe(t){let e=this[D].find(i=>i.dest===t);e&&(this[D].length===1?(this[g]&&this[Rt]===0&&(this[g]=!1),this[D]=[]):this[D].splice(this[D].indexOf(e),1),e.unpipe())}addListener(t,e){return this.on(t,e)}on(t,e){let i=super.on(t,e);if(t==="data")this[C]=!1,this[Rt]++,!this[D].length&&!this[g]&&this[Bt]();else if(t==="readable"&&this[_]!==0)super.emit("readable");else if(Wr(t)&&this[rt])super.emit(t),this.removeAllListeners(t);else if(t==="error"&&this[Qt]){let r=e;this[Z]?te(()=>r.call(this,this[Qt])):r.call(this,this[Qt])}return i}removeListener(t,e){return this.off(t,e)}off(t,e){let i=super.off(t,e);return t==="data"&&(this[Rt]=this.listeners("data").length,this[Rt]===0&&!this[C]&&!this[D].length&&(this[g]=!1)),i}removeAllListeners(t){let e=super.removeAllListeners(t);return(t==="data"||t===void 0)&&(this[Rt]=0,!this[C]&&!this[D].length&&(this[g]=!1)),e}get emittedEnd(){return this[rt]}[Q](){!this[Ne]&&!this[rt]&&!this[w]&&this[b].length===0&&this[q]&&(this[Ne]=!0,this.emit("end"),this.emit("prefinish"),this.emit("finish"),this[De]&&this.emit("close"),this[Ne]=!1)}emit(t,...e){let i=e[0];if(t!=="error"&&t!=="close"&&t!==w&&this[w])return!1;if(t==="data")return!this[L]&&!i?!1:this[Z]?(te(()=>this[_i](i)),!0):this[_i](i);if(t==="end")return this[Ns]();if(t==="close"){if(this[De]=!0,!this[rt]&&!this[w])return!1;let n=super.emit("close");return this.removeAllListeners("close"),n}else if(t==="error"){this[Qt]=i,super.emit(bi,i);let n=!this[jt]||this.listeners("error").length?super.emit("error",i):!1;return this[Q](),n}else if(t==="resume"){let n=super.emit("resume");return this[Q](),n}else if(t==="finish"||t==="prefinish"){let n=super.emit(t);return this.removeAllListeners(t),n}let r=super.emit(t,...e);return this[Q](),r}[_i](t){for(let i of this[D])i.dest.write(t)===!1&&this.pause();let e=this[C]?!1:super.emit("data",t);return this[Q](),e}[Ns](){return this[rt]?!1:(this[rt]=!0,this.readable=!1,this[Z]?(te(()=>this[Oi]()),!0):this[Oi]())}[Oi](){if(this[Mt]){let e=this[Mt].end();if(e){for(let i of this[D])i.dest.write(e);this[C]||super.emit("data",e)}}for(let e of this[D])e.end();let t=super.emit("end");return this.removeAllListeners("end"),t}async collect(){let t=Object.assign([],{dataLength:0});this[L]||(t.dataLength=0);let e=this.promise();return this.on("data",i=>{t.push(i),this[L]||(t.dataLength+=i.length)}),await e,t}async concat(){if(this[L])throw new Error("cannot concat in objectMode");let t=await this.collect();return this[z]?t.join(""):Buffer.concat(t,t.dataLength)}async promise(){return new Promise((t,e)=>{this.on(w,()=>e(new Error("stream destroyed"))),this.on("error",i=>e(i)),this.on("end",()=>t())})}[Symbol.asyncIterator](){this[C]=!1;let t=!1,e=async()=>(this.pause(),t=!0,{value:void 0,done:!0});return{next:()=>{if(t)return e();let r=this.read();if(r!==null)return Promise.resolve({done:!1,value:r});if(this[q])return e();let n,o,h=d=>{this.off("data",a),this.off("end",l),this.off(w,c),e(),o(d)},a=d=>{this.off("error",h),this.off("end",l),this.off(w,c),this.pause(),n({value:d,done:!!this[q]})},l=()=>{this.off("error",h),this.off("data",a),this.off(w,c),e(),n({done:!0,value:void 0})},c=()=>h(new Error("stream destroyed"));return new Promise((d,S)=>{o=S,n=d,this.once(w,c),this.once("error",h),this.once("end",l),this.once("data",a)})},throw:e,return:e,[Symbol.asyncIterator](){return this},[Symbol.asyncDispose]:async()=>{}}}[Symbol.iterator](){this[C]=!1;let t=!1,e=()=>(this.pause(),this.off(bi,e),this.off(w,e),this.off("end",e),t=!0,{done:!0,value:void 0}),i=()=>{if(t)return e();let r=this.read();return r===null?e():{done:!1,value:r}};return this.once("end",e),this.once(bi,e),this.once(w,e),{next:i,throw:e,return:e,[Symbol.iterator](){return this},[Symbol.dispose]:()=>{}}}destroy(t){if(this[w])return t?this.emit("error",t):this.emit(w),this;this[w]=!0,this[C]=!0,this[b].length=0,this[_]=0;let e=this;return typeof e.close=="function"&&!this[De]&&e.close(),t?this.emit("error",t):this.emit(w),this}static get isStream(){return Pr}};var $r=I.writev,ot=Symbol("_autoClose"),H=Symbol("_close"),ee=Symbol("_ended"),m=Symbol("_fd"),Ni=Symbol("_finished"),j=Symbol("_flags"),Di=Symbol("_flush"),ki=Symbol("_handleChunk"),Fi=Symbol("_makeBuf"),se=Symbol("_mode"),Fe=Symbol("_needDrain"),Ut=Symbol("_onerror"),Ht=Symbol("_onopen"),Ai=Symbol("_onread"),Pt=Symbol("_onwrite"),ht=Symbol("_open"),U=Symbol("_path"),nt=Symbol("_pos"),Y=Symbol("_queue"),zt=Symbol("_read"),Ii=Symbol("_readSize"),J=Symbol("_reading"),ie=Symbol("_remain"),Ci=Symbol("_size"),ve=Symbol("_write"),gt=Symbol("_writing"),Me=Symbol("_defaultFlag"),bt=Symbol("_errored"),_t=class extends A{[bt]=!1;[m];[U];[Ii];[J]=!1;[Ci];[ie];[ot];constructor(t,e){if(e=e||{},super(e),this.readable=!0,this.writable=!1,typeof t!="string")throw new TypeError("path must be a string");this[bt]=!1,this[m]=typeof e.fd=="number"?e.fd:void 0,this[U]=t,this[Ii]=e.readSize||16*1024*1024,this[J]=!1,this[Ci]=typeof e.size=="number"?e.size:1/0,this[ie]=this[Ci],this[ot]=typeof e.autoClose=="boolean"?e.autoClose:!0,typeof this[m]=="number"?this[zt]():this[ht]()}get fd(){return this[m]}get path(){return this[U]}write(){throw new TypeError("this is a readable stream")}end(){throw new TypeError("this is a readable stream")}[ht](){I.open(this[U],"r",(t,e)=>this[Ht](t,e))}[Ht](t,e){t?this[Ut](t):(this[m]=e,this.emit("open",e),this[zt]())}[Fi](){return Buffer.allocUnsafe(Math.min(this[Ii],this[ie]))}[zt](){if(!this[J]){this[J]=!0;let t=this[Fi]();if(t.length===0)return process.nextTick(()=>this[Ai](null,0,t));I.read(this[m],t,0,t.length,null,(e,i,r)=>this[Ai](e,i,r))}}[Ai](t,e,i){this[J]=!1,t?this[Ut](t):this[ki](e,i)&&this[zt]()}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}[Ut](t){this[J]=!0,this[H](),this.emit("error",t)}[ki](t,e){let i=!1;return this[ie]-=t,t>0&&(i=super.write(tthis[Ht](t,e))}[Ht](t,e){this[Me]&&this[j]==="r+"&&t&&t.code==="ENOENT"?(this[j]="w",this[ht]()):t?this[Ut](t):(this[m]=e,this.emit("open",e),this[gt]||this[Di]())}end(t,e){return t&&this.write(t,e),this[ee]=!0,!this[gt]&&!this[Y].length&&typeof this[m]=="number"&&this[Pt](null,0),this}write(t,e){return typeof t=="string"&&(t=Buffer.from(t,e)),this[ee]?(this.emit("error",new Error("write() after end()")),!1):this[m]===void 0||this[gt]||this[Y].length?(this[Y].push(t),this[Fe]=!0,!1):(this[gt]=!0,this[ve](t),!0)}[ve](t){I.write(this[m],t,0,t.length,this[nt],(e,i)=>this[Pt](e,i))}[Pt](t,e){t?this[Ut](t):(this[nt]!==void 0&&typeof e=="number"&&(this[nt]+=e),this[Y].length?this[Di]():(this[gt]=!1,this[ee]&&!this[Ni]?(this[Ni]=!0,this[H](),this.emit("finish")):this[Fe]&&(this[Fe]=!1,this.emit("drain"))))}[Di](){if(this[Y].length===0)this[ee]&&this[Pt](null,0);else if(this[Y].length===1)this[ve](this[Y].pop());else{let t=this[Y];this[Y]=[],$r(this[m],t,this[nt],(e,i)=>this[Pt](e,i))}}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.close(t,e=>e?this.emit("error",e):this.emit("close"))}}},Wt=class extends tt{[ht](){let t;if(this[Me]&&this[j]==="r+")try{t=I.openSync(this[U],this[j],this[se])}catch(e){if(e?.code==="ENOENT")return this[j]="w",this[ht]();throw e}else t=I.openSync(this[U],this[j],this[se]);this[Ht](null,t)}[H](){if(this[ot]&&typeof this[m]=="number"){let t=this[m];this[m]=void 0,I.closeSync(t),this.emit("close")}}[ve](t){let e=!0;try{this[Pt](null,I.writeSync(this[m],t,0,t.length,this[nt])),e=!1}finally{if(e)try{this[H]()}catch{}}}};import or from"node:path";import Vt from"node:fs";import{dirname as Ln,parse as Nn}from"path";var Xr=new Map([["C","cwd"],["f","file"],["z","gzip"],["P","preservePaths"],["U","unlink"],["strip-components","strip"],["stripComponents","strip"],["keep-newer","newer"],["keepNewer","newer"],["keep-newer-files","newer"],["keepNewerFiles","newer"],["k","keep"],["keep-existing","keep"],["keepExisting","keep"],["m","noMtime"],["no-mtime","noMtime"],["p","preserveOwner"],["L","follow"],["h","follow"],["onentry","onReadEntry"]]),As=s=>!!s.sync&&!!s.file,Is=s=>!s.sync&&!!s.file,Cs=s=>!!s.sync&&!s.file,ks=s=>!s.sync&&!s.file;var Fs=s=>!!s.file;var qr=s=>{let t=Xr.get(s);return t||s},re=(s={})=>{if(!s)return{};let t={};for(let[e,i]of Object.entries(s)){let r=qr(e);t[r]=i}return t.chmod===void 0&&t.noChmod===!1&&(t.chmod=!0),delete t.noChmod,t};var K=(s,t,e,i,r)=>Object.assign((n=[],o,h)=>{Array.isArray(n)&&(o=n,n={}),typeof o=="function"&&(h=o,o=void 0),o=o?Array.from(o):[];let a=re(n);if(r?.(a,o),As(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return s(a,o)}else if(Is(a)){let l=t(a,o);return h?l.then(()=>h(),h):l}else if(Cs(a)){if(typeof h=="function")throw new TypeError("callback not supported for sync tar functions");return e(a,o)}else if(ks(a)){if(typeof h=="function")throw new TypeError("callback only supported with file option");return i(a,o)}throw new Error("impossible options??")},{syncFile:s,asyncFile:t,syncNoFile:e,asyncNoFile:i,validate:r});import{EventEmitter as _n}from"events";import Pi from"assert";import{Buffer as Ot}from"buffer";import*as vs from"zlib";import Qr from"zlib";var Jr=Qr.constants||{ZLIB_VERNUM:4736},M=Object.freeze(Object.assign(Object.create(null),{Z_NO_FLUSH:0,Z_PARTIAL_FLUSH:1,Z_SYNC_FLUSH:2,Z_FULL_FLUSH:3,Z_FINISH:4,Z_BLOCK:5,Z_OK:0,Z_STREAM_END:1,Z_NEED_DICT:2,Z_ERRNO:-1,Z_STREAM_ERROR:-2,Z_DATA_ERROR:-3,Z_MEM_ERROR:-4,Z_BUF_ERROR:-5,Z_VERSION_ERROR:-6,Z_NO_COMPRESSION:0,Z_BEST_SPEED:1,Z_BEST_COMPRESSION:9,Z_DEFAULT_COMPRESSION:-1,Z_FILTERED:1,Z_HUFFMAN_ONLY:2,Z_RLE:3,Z_FIXED:4,Z_DEFAULT_STRATEGY:0,DEFLATE:1,INFLATE:2,GZIP:3,GUNZIP:4,DEFLATERAW:5,INFLATERAW:6,UNZIP:7,BROTLI_DECODE:8,BROTLI_ENCODE:9,Z_MIN_WINDOWBITS:8,Z_MAX_WINDOWBITS:15,Z_DEFAULT_WINDOWBITS:15,Z_MIN_CHUNK:64,Z_MAX_CHUNK:1/0,Z_DEFAULT_CHUNK:16384,Z_MIN_MEMLEVEL:1,Z_MAX_MEMLEVEL:9,Z_DEFAULT_MEMLEVEL:8,Z_MIN_LEVEL:-1,Z_MAX_LEVEL:9,Z_DEFAULT_LEVEL:-1,BROTLI_OPERATION_PROCESS:0,BROTLI_OPERATION_FLUSH:1,BROTLI_OPERATION_FINISH:2,BROTLI_OPERATION_EMIT_METADATA:3,BROTLI_MODE_GENERIC:0,BROTLI_MODE_TEXT:1,BROTLI_MODE_FONT:2,BROTLI_DEFAULT_MODE:0,BROTLI_MIN_QUALITY:0,BROTLI_MAX_QUALITY:11,BROTLI_DEFAULT_QUALITY:11,BROTLI_MIN_WINDOW_BITS:10,BROTLI_MAX_WINDOW_BITS:24,BROTLI_LARGE_MAX_WINDOW_BITS:30,BROTLI_DEFAULT_WINDOW:22,BROTLI_MIN_INPUT_BLOCK_BITS:16,BROTLI_MAX_INPUT_BLOCK_BITS:24,BROTLI_PARAM_MODE:0,BROTLI_PARAM_QUALITY:1,BROTLI_PARAM_LGWIN:2,BROTLI_PARAM_LGBLOCK:3,BROTLI_PARAM_DISABLE_LITERAL_CONTEXT_MODELING:4,BROTLI_PARAM_SIZE_HINT:5,BROTLI_PARAM_LARGE_WINDOW:6,BROTLI_PARAM_NPOSTFIX:7,BROTLI_PARAM_NDIRECT:8,BROTLI_DECODER_RESULT_ERROR:0,BROTLI_DECODER_RESULT_SUCCESS:1,BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:2,BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_PARAM_DISABLE_RING_BUFFER_REALLOCATION:0,BROTLI_DECODER_PARAM_LARGE_WINDOW:1,BROTLI_DECODER_NO_ERROR:0,BROTLI_DECODER_SUCCESS:1,BROTLI_DECODER_NEEDS_MORE_INPUT:2,BROTLI_DECODER_NEEDS_MORE_OUTPUT:3,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_NIBBLE:-1,BROTLI_DECODER_ERROR_FORMAT_RESERVED:-2,BROTLI_DECODER_ERROR_FORMAT_EXUBERANT_META_NIBBLE:-3,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_ALPHABET:-4,BROTLI_DECODER_ERROR_FORMAT_SIMPLE_HUFFMAN_SAME:-5,BROTLI_DECODER_ERROR_FORMAT_CL_SPACE:-6,BROTLI_DECODER_ERROR_FORMAT_HUFFMAN_SPACE:-7,BROTLI_DECODER_ERROR_FORMAT_CONTEXT_MAP_REPEAT:-8,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_1:-9,BROTLI_DECODER_ERROR_FORMAT_BLOCK_LENGTH_2:-10,BROTLI_DECODER_ERROR_FORMAT_TRANSFORM:-11,BROTLI_DECODER_ERROR_FORMAT_DICTIONARY:-12,BROTLI_DECODER_ERROR_FORMAT_WINDOW_BITS:-13,BROTLI_DECODER_ERROR_FORMAT_PADDING_1:-14,BROTLI_DECODER_ERROR_FORMAT_PADDING_2:-15,BROTLI_DECODER_ERROR_FORMAT_DISTANCE:-16,BROTLI_DECODER_ERROR_DICTIONARY_NOT_SET:-19,BROTLI_DECODER_ERROR_INVALID_ARGUMENTS:-20,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MODES:-21,BROTLI_DECODER_ERROR_ALLOC_TREE_GROUPS:-22,BROTLI_DECODER_ERROR_ALLOC_CONTEXT_MAP:-25,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_1:-26,BROTLI_DECODER_ERROR_ALLOC_RING_BUFFER_2:-27,BROTLI_DECODER_ERROR_ALLOC_BLOCK_TYPE_TREES:-30,BROTLI_DECODER_ERROR_UNREACHABLE:-31},Jr));var jr=Ot.concat,Ms=Object.getOwnPropertyDescriptor(Ot,"concat"),tn=s=>s,Mi=Ms?.writable===!0||Ms?.set!==void 0?s=>{Ot.concat=s?tn:jr}:s=>{},Tt=Symbol("_superWrite"),Gt=class extends Error{code;errno;constructor(t,e){super("zlib: "+t.message,{cause:t}),this.code=t.code,this.errno=t.errno,this.code||(this.code="ZLIB_ERROR"),this.message="zlib: "+t.message,Error.captureStackTrace(this,e??this.constructor)}get name(){return"ZlibError"}},Bi=Symbol("flushFlag"),ne=class extends A{#t=!1;#i=!1;#s;#n;#r;#e;#o;get sawError(){return this.#t}get handle(){return this.#e}get flushFlag(){return this.#s}constructor(t,e){if(!t||typeof t!="object")throw new TypeError("invalid options for ZlibBase constructor");if(super(t),this.#s=t.flush??0,this.#n=t.finishFlush??0,this.#r=t.fullFlushFlag??0,typeof vs[e]!="function")throw new TypeError("Compression method not supported: "+e);try{this.#e=new vs[e](t)}catch(i){throw new Gt(i,this.constructor)}this.#o=i=>{this.#t||(this.#t=!0,this.close(),this.emit("error",i))},this.#e?.on("error",i=>this.#o(new Gt(i))),this.once("end",()=>this.close)}close(){this.#e&&(this.#e.close(),this.#e=void 0,this.emit("close"))}reset(){if(!this.#t)return Pi(this.#e,"zlib binding closed"),this.#e.reset?.()}flush(t){this.ended||(typeof t!="number"&&(t=this.#r),this.write(Object.assign(Ot.alloc(0),{[Bi]:t})))}end(t,e,i){return typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&(e?this.write(t,e):this.write(t)),this.flush(this.#n),this.#i=!0,super.end(i)}get ended(){return this.#i}[Tt](t){return super.write(t)}write(t,e,i){if(typeof e=="function"&&(i=e,e="utf8"),typeof t=="string"&&(t=Ot.from(t,e)),this.#t)return;Pi(this.#e,"zlib binding closed");let r=this.#e._handle,n=r.close;r.close=()=>{};let o=this.#e.close;this.#e.close=()=>{},Mi(!0);let h;try{let l=typeof t[Bi]=="number"?t[Bi]:this.#s;h=this.#e._processChunk(t,l),Mi(!1)}catch(l){Mi(!1),this.#o(new Gt(l,this.write))}finally{this.#e&&(this.#e._handle=r,r.close=n,this.#e.close=o,this.#e.removeAllListeners("error"))}this.#e&&this.#e.on("error",l=>this.#o(new Gt(l,this.write)));let a;if(h)if(Array.isArray(h)&&h.length>0){let l=h[0];a=this[Tt](Ot.from(l));for(let c=1;c{typeof r=="function"&&(n=r,r=this.flushFlag),this.flush(r),n?.()};try{this.handle.params(t,e)}finally{this.handle.flush=i}this.handle&&(this.#t=t,this.#i=e)}}}};var ze=class extends Pe{#t;constructor(t){super(t,"Gzip"),this.#t=t&&!!t.portable}[Tt](t){return this.#t?(this.#t=!1,t[9]=255,super[Tt](t)):super[Tt](t)}};var Ue=class extends Pe{constructor(t){super(t,"Unzip")}},He=class extends ne{constructor(t,e){t=t||{},t.flush=t.flush||M.BROTLI_OPERATION_PROCESS,t.finishFlush=t.finishFlush||M.BROTLI_OPERATION_FINISH,t.fullFlushFlag=M.BROTLI_OPERATION_FLUSH,super(t,e)}},We=class extends He{constructor(t){super(t,"BrotliCompress")}},Ge=class extends He{constructor(t){super(t,"BrotliDecompress")}},Ze=class extends ne{constructor(t,e){t=t||{},t.flush=t.flush||M.ZSTD_e_continue,t.finishFlush=t.finishFlush||M.ZSTD_e_end,t.fullFlushFlag=M.ZSTD_e_flush,super(t,e)}},Ye=class extends Ze{constructor(t){super(t,"ZstdCompress")}},Ke=class extends Ze{constructor(t){super(t,"ZstdDecompress")}};import{posix as Zt}from"node:path";var Bs=(s,t)=>{if(Number.isSafeInteger(s))s<0?rn(s,t):sn(s,t);else throw Error("cannot encode number outside of javascript safe integer range");return t},sn=(s,t)=>{t[0]=128;for(var e=t.length;e>1;e--)t[e-1]=s&255,s=Math.floor(s/256)},rn=(s,t)=>{t[0]=255;var e=!1;s=s*-1;for(var i=t.length;i>1;i--){var r=s&255;s=Math.floor(s/256),e?t[i-1]=zs(r):r===0?t[i-1]=0:(e=!0,t[i-1]=Us(r))}},Ps=s=>{let t=s[0],e=t===128?on(s.subarray(1,s.length)):t===255?nn(s):null;if(e===null)throw Error("invalid base256 encoding");if(!Number.isSafeInteger(e))throw Error("parsed number outside of javascript safe integer range");return e},nn=s=>{for(var t=s.length,e=0,i=!1,r=t-1;r>-1;r--){var n=Number(s[r]),o;i?o=zs(n):n===0?o=n:(i=!0,o=Us(n)),o!==0&&(e-=o*Math.pow(256,t-r-1))}return e},on=s=>{for(var t=s.length,e=0,i=t-1;i>-1;i--){var r=Number(s[i]);r!==0&&(e+=r*Math.pow(256,t-i-1))}return e},zs=s=>(255^s)&255,Us=s=>(255^s)+1&255;var zi={};Mr(zi,{code:()=>Ve,isCode:()=>oe,isName:()=>an,name:()=>he});var oe=s=>he.has(s),an=s=>Ve.has(s),he=new Map([["0","File"],["","OldFile"],["1","Link"],["2","SymbolicLink"],["3","CharacterDevice"],["4","BlockDevice"],["5","Directory"],["6","FIFO"],["7","ContiguousFile"],["g","GlobalExtendedHeader"],["x","ExtendedHeader"],["A","SolarisACL"],["D","GNUDumpDir"],["I","Inode"],["K","NextFileHasLongLinkpath"],["L","NextFileHasLongPath"],["M","ContinuationFile"],["N","OldGnuLongPath"],["S","SparseFile"],["V","TapeVolumeHeader"],["X","OldExtendedHeader"]]),Ve=new Map(Array.from(he).map(s=>[s[1],s[0]]));var k=class{cksumValid=!1;needPax=!1;nullBlock=!1;block;path;mode;uid;gid;size;cksum;#t="Unsupported";linkpath;uname;gname;devmaj=0;devmin=0;atime;ctime;mtime;charset;comment;constructor(t,e=0,i,r){Buffer.isBuffer(t)?this.decode(t,e||0,i,r):t&&this.#i(t)}decode(t,e,i,r){if(e||(e=0),!t||!(t.length>=e+512))throw new Error("need 512 bytes for header");this.path=i?.path??xt(t,e,100),this.mode=i?.mode??r?.mode??at(t,e+100,8),this.uid=i?.uid??r?.uid??at(t,e+108,8),this.gid=i?.gid??r?.gid??at(t,e+116,8),this.size=i?.size??r?.size??at(t,e+124,12),this.mtime=i?.mtime??r?.mtime??Ui(t,e+136,12),this.cksum=at(t,e+148,12),r&&this.#i(r,!0),i&&this.#i(i);let n=xt(t,e+156,1);if(oe(n)&&(this.#t=n||"0"),this.#t==="0"&&this.path.slice(-1)==="/"&&(this.#t="5"),this.#t==="5"&&(this.size=0),this.linkpath=xt(t,e+157,100),t.subarray(e+257,e+265).toString()==="ustar\x0000")if(this.uname=i?.uname??r?.uname??xt(t,e+265,32),this.gname=i?.gname??r?.gname??xt(t,e+297,32),this.devmaj=i?.devmaj??r?.devmaj??at(t,e+329,8)??0,this.devmin=i?.devmin??r?.devmin??at(t,e+337,8)??0,t[e+475]!==0){let h=xt(t,e+345,155);this.path=h+"/"+this.path}else{let h=xt(t,e+345,130);h&&(this.path=h+"/"+this.path),this.atime=i?.atime??r?.atime??Ui(t,e+476,12),this.ctime=i?.ctime??r?.ctime??Ui(t,e+488,12)}let o=256;for(let h=e;h!(r==null||i==="path"&&e||i==="linkpath"&&e||i==="global"))))}encode(t,e=0){if(t||(t=this.block=Buffer.alloc(512)),this.#t==="Unsupported"&&(this.#t="0"),!(t.length>=e+512))throw new Error("need 512 bytes for header");let i=this.ctime||this.atime?130:155,r=ln(this.path||"",i),n=r[0],o=r[1];this.needPax=!!r[2],this.needPax=Lt(t,e,100,n)||this.needPax,this.needPax=lt(t,e+100,8,this.mode)||this.needPax,this.needPax=lt(t,e+108,8,this.uid)||this.needPax,this.needPax=lt(t,e+116,8,this.gid)||this.needPax,this.needPax=lt(t,e+124,12,this.size)||this.needPax,this.needPax=Hi(t,e+136,12,this.mtime)||this.needPax,t[e+156]=Number(this.#t.codePointAt(0)),this.needPax=Lt(t,e+157,100,this.linkpath)||this.needPax,t.write("ustar\x0000",e+257,8),this.needPax=Lt(t,e+265,32,this.uname)||this.needPax,this.needPax=Lt(t,e+297,32,this.gname)||this.needPax,this.needPax=lt(t,e+329,8,this.devmaj)||this.needPax,this.needPax=lt(t,e+337,8,this.devmin)||this.needPax,this.needPax=Lt(t,e+345,i,o)||this.needPax,t[e+475]!==0?this.needPax=Lt(t,e+345,155,o)||this.needPax:(this.needPax=Lt(t,e+345,130,o)||this.needPax,this.needPax=Hi(t,e+476,12,this.atime)||this.needPax,this.needPax=Hi(t,e+488,12,this.ctime)||this.needPax);let h=256;for(let a=e;a{let i=s,r="",n,o=Zt.parse(s).root||".";if(Buffer.byteLength(i)<100)n=[i,r,!1];else{r=Zt.dirname(i),i=Zt.basename(i);do Buffer.byteLength(i)<=100&&Buffer.byteLength(r)<=t?n=[i,r,!1]:Buffer.byteLength(i)>100&&Buffer.byteLength(r)<=t?n=[i.slice(0,99),r,!0]:(i=Zt.join(Zt.basename(r),i),r=Zt.dirname(r));while(r!==o&&n===void 0);n||(n=[s.slice(0,99),"",!0])}return n},xt=(s,t,e)=>s.subarray(t,t+e).toString("utf8").replace(/\0.*/,""),Ui=(s,t,e)=>cn(at(s,t,e)),cn=s=>s===void 0?void 0:new Date(s*1e3),at=(s,t,e)=>Number(s[t])&128?Ps(s.subarray(t,t+e)):dn(s,t,e),fn=s=>isNaN(s)?void 0:s,dn=(s,t,e)=>fn(parseInt(s.subarray(t,t+e).toString("utf8").replace(/\0.*$/,"").trim(),8)),un={12:8589934591,8:2097151},lt=(s,t,e,i)=>i===void 0?!1:i>un[e]||i<0?(Bs(i,s.subarray(t,t+e)),!0):(mn(s,t,e,i),!1),mn=(s,t,e,i)=>s.write(pn(i,e),t,e,"ascii"),pn=(s,t)=>En(Math.floor(s).toString(8),t),En=(s,t)=>(s.length===t-1?s:new Array(t-s.length-1).join("0")+s+" ")+"\0",Hi=(s,t,e,i)=>i===void 0?!1:lt(s,t,e,i.getTime()/1e3),wn=new Array(156).join("\0"),Lt=(s,t,e,i)=>i===void 0?!1:(s.write(i+wn,t,e,"utf8"),i.length!==Buffer.byteLength(i)||i.length>e);import{basename as Sn}from"node:path";var ct=class s{atime;mtime;ctime;charset;comment;gid;uid;gname;uname;linkpath;dev;ino;nlink;path;size;mode;global;constructor(t,e=!1){this.atime=t.atime,this.charset=t.charset,this.comment=t.comment,this.ctime=t.ctime,this.dev=t.dev,this.gid=t.gid,this.global=e,this.gname=t.gname,this.ino=t.ino,this.linkpath=t.linkpath,this.mtime=t.mtime,this.nlink=t.nlink,this.path=t.path,this.size=t.size,this.uid=t.uid,this.uname=t.uname}encode(){let t=this.encodeBody();if(t==="")return Buffer.allocUnsafe(0);let e=Buffer.byteLength(t),i=512*Math.ceil(1+e/512),r=Buffer.allocUnsafe(i);for(let n=0;n<512;n++)r[n]=0;new k({path:("PaxHeader/"+Sn(this.path??"")).slice(0,99),mode:this.mode||420,uid:this.uid,gid:this.gid,size:e,mtime:this.mtime,type:this.global?"GlobalExtendedHeader":"ExtendedHeader",linkpath:"",uname:this.uname||"",gname:this.gname||"",devmaj:0,devmin:0,atime:this.atime,ctime:this.ctime}).encode(r),r.write(t,512,e,"utf8");for(let n=e+512;n=Math.pow(10,o)&&(o+=1),o+n+r}static parse(t,e,i=!1){return new s(yn(Rn(t),e),i)}},yn=(s,t)=>t?Object.assign({},t,s):s,Rn=s=>s.replace(/\n$/,"").split(`
+`).reduce(gn,Object.create(null)),gn=(s,t)=>{let e=parseInt(t,10);if(e!==Buffer.byteLength(t)+1)return s;t=t.slice((e+" ").length);let i=t.split("="),r=i.shift();if(!r)return s;let n=r.replace(/^SCHILY\.(dev|ino|nlink)/,"$1"),o=i.join("=");return s[n]=/^([A-Z]+\.)?([mac]|birth|creation)time$/.test(n)?new Date(Number(o)*1e3):/^[0-9]+$/.test(o)?+o:o,s};var bn=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,f=bn!=="win32"?s=>s:s=>s&&s.replaceAll(/\\/g,"/");var Yt=class extends A{extended;globalExtended;header;startBlockSize;blockRemain;remain;type;meta=!1;ignore=!1;path;mode;uid;gid;uname;gname;size=0;mtime;atime;ctime;linkpath;dev;ino;nlink;invalid=!1;absolute;unsupported=!1;constructor(t,e,i){switch(super({}),this.pause(),this.extended=e,this.globalExtended=i,this.header=t,this.remain=t.size??0,this.startBlockSize=512*Math.ceil(this.remain/512),this.blockRemain=this.startBlockSize,this.type=t.type,this.type){case"File":case"OldFile":case"Link":case"SymbolicLink":case"CharacterDevice":case"BlockDevice":case"Directory":case"FIFO":case"ContiguousFile":case"GNUDumpDir":break;case"NextFileHasLongLinkpath":case"NextFileHasLongPath":case"OldGnuLongPath":case"GlobalExtendedHeader":case"ExtendedHeader":case"OldExtendedHeader":this.meta=!0;break;default:this.ignore=!0}if(!t.path)throw new Error("no path provided for tar.ReadEntry");this.path=f(t.path),this.mode=t.mode,this.mode&&(this.mode=this.mode&4095),this.uid=t.uid,this.gid=t.gid,this.uname=t.uname,this.gname=t.gname,this.size=this.remain,this.mtime=t.mtime,this.atime=t.atime,this.ctime=t.ctime,this.linkpath=t.linkpath?f(t.linkpath):void 0,this.uname=t.uname,this.gname=t.gname,e&&this.#t(e),i&&this.#t(i,!0)}write(t){let e=t.length;if(e>this.blockRemain)throw new Error("writing more to entry than is appropriate");let i=this.remain,r=this.blockRemain;return this.remain=Math.max(0,i-e),this.blockRemain=Math.max(0,r-e),this.ignore?!0:i>=e?super.write(t):super.write(t.subarray(0,i))}#t(t,e=!1){t.path&&(t.path=f(t.path)),t.linkpath&&(t.linkpath=f(t.linkpath)),Object.assign(this,Object.fromEntries(Object.entries(t).filter(([i,r])=>!(r==null||i==="path"&&e))))}};var Nt=(s,t,e,i={})=>{s.file&&(i.file=s.file),s.cwd&&(i.cwd=s.cwd),i.code=e instanceof Error&&e.code||t,i.tarCode=t,!s.strict&&i.recoverable!==!1?(e instanceof Error&&(i=Object.assign(e,i),e=e.message),s.emit("warn",t,e,i)):e instanceof Error?s.emit("error",Object.assign(e,i)):s.emit("error",Object.assign(new Error(`${t}: ${e}`),i))};var On=1024*1024,Ki=Buffer.from([31,139]),Vi=Buffer.from([40,181,47,253]),Tn=Math.max(Ki.length,Vi.length),B=Symbol("state"),Dt=Symbol("writeEntry"),et=Symbol("readEntry"),Wi=Symbol("nextEntry"),Hs=Symbol("processEntry"),V=Symbol("extendedHeader"),ae=Symbol("globalExtendedHeader"),ft=Symbol("meta"),Ws=Symbol("emitMeta"),p=Symbol("buffer"),it=Symbol("queue"),dt=Symbol("ended"),Gi=Symbol("emittedEnd"),At=Symbol("emit"),y=Symbol("unzip"),$e=Symbol("consumeChunk"),Xe=Symbol("consumeChunkSub"),Zi=Symbol("consumeBody"),Gs=Symbol("consumeMeta"),Zs=Symbol("consumeHeader"),le=Symbol("consuming"),Yi=Symbol("bufferConcat"),qe=Symbol("maybeEnd"),Kt=Symbol("writing"),ut=Symbol("aborted"),Qe=Symbol("onDone"),It=Symbol("sawValidEntry"),Je=Symbol("sawNullBlock"),je=Symbol("sawEOF"),Ys=Symbol("closeStream"),xn=()=>!0,st=class extends _n{file;strict;maxMetaEntrySize;filter;brotli;zstd;writable=!0;readable=!1;[it]=[];[p];[et];[Dt];[B]="begin";[ft]="";[V];[ae];[dt]=!1;[y];[ut]=!1;[It];[Je]=!1;[je]=!1;[Kt]=!1;[le]=!1;[Gi]=!1;constructor(t={}){super(),this.file=t.file||"",this.on(Qe,()=>{(this[B]==="begin"||this[It]===!1)&&this.warn("TAR_BAD_ARCHIVE","Unrecognized archive format")}),t.ondone?this.on(Qe,t.ondone):this.on(Qe,()=>{this.emit("prefinish"),this.emit("finish"),this.emit("end")}),this.strict=!!t.strict,this.maxMetaEntrySize=t.maxMetaEntrySize||On,this.filter=typeof t.filter=="function"?t.filter:xn;let e=t.file&&(t.file.endsWith(".tar.br")||t.file.endsWith(".tbr"));this.brotli=!(t.gzip||t.zstd)&&t.brotli!==void 0?t.brotli:e?void 0:!1;let i=t.file&&(t.file.endsWith(".tar.zst")||t.file.endsWith(".tzst"));this.zstd=!(t.gzip||t.brotli)&&t.zstd!==void 0?t.zstd:i?!0:void 0,this.on("end",()=>this[Ys]()),typeof t.onwarn=="function"&&this.on("warn",t.onwarn),typeof t.onReadEntry=="function"&&this.on("entry",t.onReadEntry)}warn(t,e,i={}){Nt(this,t,e,i)}[Zs](t,e){this[It]===void 0&&(this[It]=!1);let i;try{i=new k(t,e,this[V],this[ae])}catch(r){return this.warn("TAR_ENTRY_INVALID",r)}if(i.nullBlock)this[Je]?(this[je]=!0,this[B]==="begin"&&(this[B]="header"),this[At]("eof")):(this[Je]=!0,this[At]("nullBlock"));else if(this[Je]=!1,!i.cksumValid)this.warn("TAR_ENTRY_INVALID","checksum failure",{header:i});else if(!i.path)this.warn("TAR_ENTRY_INVALID","path is required",{header:i});else{let r=i.type;if(/^(Symbolic)?Link$/.test(r)&&!i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath required",{header:i});else if(!/^(Symbolic)?Link$/.test(r)&&!/^(Global)?ExtendedHeader$/.test(r)&&i.linkpath)this.warn("TAR_ENTRY_INVALID","linkpath forbidden",{header:i});else{let n=this[Dt]=new Yt(i,this[V],this[ae]);if(!this[It])if(n.remain){let o=()=>{n.invalid||(this[It]=!0)};n.on("end",o)}else this[It]=!0;n.meta?n.size>this.maxMetaEntrySize?(n.ignore=!0,this[At]("ignoredEntry",n),this[B]="ignore",n.resume()):n.size>0&&(this[ft]="",n.on("data",o=>this[ft]+=o),this[B]="meta"):(this[V]=void 0,n.ignore=n.ignore||!this.filter(n.path,n),n.ignore?(this[At]("ignoredEntry",n),this[B]=n.remain?"ignore":"header",n.resume()):(n.remain?this[B]="body":(this[B]="header",n.end()),this[et]?this[it].push(n):(this[it].push(n),this[Wi]())))}}}[Ys](){queueMicrotask(()=>this.emit("close"))}[Hs](t){let e=!0;if(!t)this[et]=void 0,e=!1;else if(Array.isArray(t)){let[i,...r]=t;this.emit(i,...r)}else this[et]=t,this.emit("entry",t),t.emittedEnd||(t.on("end",()=>this[Wi]()),e=!1);return e}[Wi](){do;while(this[Hs](this[it].shift()));if(this[it].length===0){let t=this[et];!t||t.flowing||t.size===t.remain?this[Kt]||this.emit("drain"):t.once("drain",()=>this.emit("drain"))}}[Zi](t,e){let i=this[Dt];if(!i)throw new Error("attempt to consume body without entry??");let r=i.blockRemain??0,n=r>=t.length&&e===0?t:t.subarray(e,e+r);return i.write(n),i.blockRemain||(this[B]="header",this[Dt]=void 0,i.end()),n.length}[Gs](t,e){let i=this[Dt],r=this[Zi](t,e);return!this[Dt]&&i&&this[Ws](i),r}[At](t,e,i){this[it].length===0&&!this[et]?this.emit(t,e,i):this[it].push([t,e,i])}[Ws](t){switch(this[At]("meta",this[ft]),t.type){case"ExtendedHeader":case"OldExtendedHeader":this[V]=ct.parse(this[ft],this[V],!1);break;case"GlobalExtendedHeader":this[ae]=ct.parse(this[ft],this[ae],!0);break;case"NextFileHasLongPath":case"OldGnuLongPath":{let e=this[V]??Object.create(null);this[V]=e,e.path=this[ft].replace(/\0.*/,"");break}case"NextFileHasLongLinkpath":{let e=this[V]||Object.create(null);this[V]=e,e.linkpath=this[ft].replace(/\0.*/,"");break}default:throw new Error("unknown meta: "+t.type)}}abort(t){this[ut]=!0,this.emit("abort",t),this.warn("TAR_ABORT",t,{recoverable:!1})}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this[ut])return i?.(),!1;if((this[y]===void 0||this.brotli===void 0&&this[y]===!1)&&t){if(this[p]&&(t=Buffer.concat([this[p],t]),this[p]=void 0),t.lengththis[$e](c)),this[y].on("error",c=>this.abort(c)),this[y].on("end",()=>{this[dt]=!0,this[$e]()}),this[Kt]=!0;let l=!!this[y][a?"end":"write"](t);return this[Kt]=!1,i?.(),l}}this[Kt]=!0,this[y]?this[y].write(t):this[$e](t),this[Kt]=!1;let n=this[it].length>0?!1:this[et]?this[et].flowing:!0;return!n&&this[it].length===0&&this[et]?.once("drain",()=>this.emit("drain")),i?.(),n}[Yi](t){t&&!this[ut]&&(this[p]=this[p]?Buffer.concat([this[p],t]):t)}[qe](){if(this[dt]&&!this[Gi]&&!this[ut]&&!this[le]){this[Gi]=!0;let t=this[Dt];if(t&&t.blockRemain){let e=this[p]?this[p].length:0;this.warn("TAR_BAD_ARCHIVE",`Truncated input (needed ${t.blockRemain} more bytes, only ${e} available)`,{entry:t}),this[p]&&t.write(this[p]),t.end()}this[At](Qe)}}[$e](t){if(this[le]&&t)this[Yi](t);else if(!t&&!this[p])this[qe]();else if(t){if(this[le]=!0,this[p]){this[Yi](t);let e=this[p];this[p]=void 0,this[Xe](e)}else this[Xe](t);for(;this[p]&&this[p]?.length>=512&&!this[ut]&&!this[je];){let e=this[p];this[p]=void 0,this[Xe](e)}this[le]=!1}(!this[p]||this[dt])&&this[qe]()}[Xe](t){let e=0,i=t.length;for(;e+512<=i&&!this[ut]&&!this[je];)switch(this[B]){case"begin":case"header":this[Zs](t,e),e+=512;break;case"ignore":case"body":e+=this[Zi](t,e);break;case"meta":e+=this[Gs](t,e);break;default:throw new Error("invalid state: "+this[B])}e{let t=s.length-1,e=-1;for(;t>-1&&s.charAt(t)==="/";)e=t,t--;return e===-1?s:s.slice(0,e)};var Dn=s=>{let t=s.onReadEntry;s.onReadEntry=t?e=>{t(e),e.resume()}:e=>e.resume()},$i=(s,t)=>{let e=new Map(t.map(n=>[mt(n),!0])),i=s.filter,r=(n,o="")=>{let h=o||Nn(n).root||".",a;if(n===h)a=!1;else{let l=e.get(n);a=l!==void 0?l:r(Ln(n),h)}return e.set(n,a),a};s.filter=i?(n,o)=>i(n,o)&&r(mt(n)):n=>r(mt(n))},An=s=>{let t=new st(s),e=s.file,i;try{i=Vt.openSync(e,"r");let r=Vt.fstatSync(i),n=s.maxReadSize||16*1024*1024;if(r.size{let e=new st(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("end",o),Vt.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},Ct=K(An,In,s=>new st(s),s=>new st(s),(s,t)=>{t?.length&&$i(s,t),s.noResume||Dn(s)});import ui from"fs";import $ from"fs";import Xs from"path";var Xi=(s,t,e)=>(s&=4095,e&&(s=(s|384)&-19),t&&(s&256&&(s|=64),s&32&&(s|=8),s&4&&(s|=1)),s);import{win32 as Cn}from"node:path";var{isAbsolute:kn,parse:Ks}=Cn,ce=s=>{let t="",e=Ks(s);for(;kn(s)||e.root;){let i=s.charAt(0)==="/"&&s.slice(0,4)!=="//?/"?"/":e.root;s=s.slice(i.length),t+=i,e=Ks(s)}return[t,s]};var ti=["|","<",">","?",":"],qi=ti.map(s=>String.fromCodePoint(61440+Number(s.codePointAt(0)))),Fn=new Map(ti.map((s,t)=>[s,qi[t]])),vn=new Map(qi.map((s,t)=>[s,ti[t]])),Qi=s=>ti.reduce((t,e)=>t.split(e).join(Fn.get(e)),s),Vs=s=>qi.reduce((t,e)=>t.split(e).join(vn.get(e)),s);var tr=(s,t)=>t?(s=f(s).replace(/^\.(\/|$)/,""),mt(t)+"/"+s):f(s),Mn=16*1024*1024,qs=Symbol("process"),Qs=Symbol("file"),Js=Symbol("directory"),ji=Symbol("symlink"),js=Symbol("hardlink"),fe=Symbol("header"),ei=Symbol("read"),ts=Symbol("lstat"),ii=Symbol("onlstat"),es=Symbol("onread"),is=Symbol("onreadlink"),ss=Symbol("openfile"),rs=Symbol("onopenfile"),pt=Symbol("close"),si=Symbol("mode"),ns=Symbol("awaitDrain"),Ji=Symbol("ondrain"),X=Symbol("prefix"),de=class extends A{path;portable;myuid=process.getuid&&process.getuid()||0;myuser=process.env.USER||"";maxReadSize;linkCache;statCache;preservePaths;cwd;strict;mtime;noPax;noMtime;prefix;fd;blockLen=0;blockRemain=0;buf;pos=0;remain=0;length=0;offset=0;win32;absolute;header;type;linkpath;stat;onWriteEntry;#t=!1;constructor(t,e={}){let i=re(e);super(),this.path=f(t),this.portable=!!i.portable,this.maxReadSize=i.maxReadSize||Mn,this.linkCache=i.linkCache||new Map,this.statCache=i.statCache||new Map,this.preservePaths=!!i.preservePaths,this.cwd=f(i.cwd||process.cwd()),this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.mtime=i.mtime,this.prefix=i.prefix?f(i.prefix):void 0,this.onWriteEntry=i.onWriteEntry,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let r=!1;if(!this.preservePaths){let[o,h]=ce(this.path);o&&typeof h=="string"&&(this.path=h,r=o)}this.win32=!!i.win32||process.platform==="win32",this.win32&&(this.path=Vs(this.path.replaceAll(/\\/g,"/")),t=t.replaceAll(/\\/g,"/")),this.absolute=f(i.absolute||Xs.resolve(this.cwd,t)),this.path===""&&(this.path="./"),r&&this.warn("TAR_ENTRY_INFO",`stripping ${r} from absolute path`,{entry:this,path:r+this.path});let n=this.statCache.get(this.absolute);n?this[ii](n):this[ts]()}warn(t,e,i={}){return Nt(this,t,e,i)}emit(t,...e){return t==="error"&&(this.#t=!0),super.emit(t,...e)}[ts](){$.lstat(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[ii](e)})}[ii](t){this.statCache.set(this.absolute,t),this.stat=t,t.isFile()||(t.size=0),this.type=Bn(t),this.emit("stat",t),this[qs]()}[qs](){switch(this.type){case"File":return this[Qs]();case"Directory":return this[Js]();case"SymbolicLink":return this[ji]();default:return this.end()}}[si](t){return Xi(t,this.type==="Directory",this.portable)}[X](t){return tr(t,this.prefix)}[fe](){if(!this.stat)throw new Error("cannot write header before stat");this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.onWriteEntry?.(this),this.header=new k({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this[si](this.stat.mode),uid:this.portable?void 0:this.stat.uid,gid:this.portable?void 0:this.stat.gid,size:this.stat.size,mtime:this.noMtime?void 0:this.mtime||this.stat.mtime,type:this.type==="Unsupported"?void 0:this.type,uname:this.portable?void 0:this.stat.uid===this.myuid?this.myuser:"",atime:this.portable?void 0:this.stat.atime,ctime:this.portable?void 0:this.stat.ctime}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.header.atime,ctime:this.portable?void 0:this.header.ctime,gid:this.portable?void 0:this.header.gid,mtime:this.noMtime?void 0:this.mtime||this.header.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.header.size,uid:this.portable?void 0:this.header.uid,uname:this.portable?void 0:this.header.uname,dev:this.portable?void 0:this.stat.dev,ino:this.portable?void 0:this.stat.ino,nlink:this.portable?void 0:this.stat.nlink}).encode());let t=this.header?.block;if(!t)throw new Error("failed to encode header");super.write(t)}[Js](){if(!this.stat)throw new Error("cannot create directory entry without stat");this.path.slice(-1)!=="/"&&(this.path+="/"),this.stat.size=0,this[fe](),this.end()}[ji](){$.readlink(this.absolute,(t,e)=>{if(t)return this.emit("error",t);this[is](e)})}[is](t){this.linkpath=f(t),this[fe](),this.end()}[js](t){if(!this.stat)throw new Error("cannot create link entry without stat");this.type="Link",this.linkpath=f(Xs.relative(this.cwd,t)),this.stat.size=0,this[fe](),this.end()}[Qs](){if(!this.stat)throw new Error("cannot create file entry without stat");if(this.stat.nlink>1){let t=`${this.stat.dev}:${this.stat.ino}`,e=this.linkCache.get(t);if(e?.indexOf(this.cwd)===0)return this[js](e);this.linkCache.set(t,this.absolute)}if(this[fe](),this.stat.size===0)return this.end();this[ss]()}[ss](){$.open(this.absolute,"r",(t,e)=>{if(t)return this.emit("error",t);this[rs](e)})}[rs](t){if(this.fd=t,this.#t)return this[pt]();if(!this.stat)throw new Error("should stat before calling onopenfile");this.blockLen=512*Math.ceil(this.stat.size/512),this.blockRemain=this.blockLen;let e=Math.min(this.blockLen,this.maxReadSize);this.buf=Buffer.allocUnsafe(e),this.offset=0,this.pos=0,this.remain=this.stat.size,this.length=this.buf.length,this[ei]()}[ei](){let{fd:t,buf:e,offset:i,length:r,pos:n}=this;if(t===void 0||e===void 0)throw new Error("cannot read file without first opening");$.read(t,e,i,r,n,(o,h)=>{if(o)return this[pt](()=>this.emit("error",o));this[es](h)})}[pt](t=()=>{}){this.fd!==void 0&&$.close(this.fd,t)}[es](t){if(t<=0&&this.remain>0){let r=Object.assign(new Error("encountered unexpected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(t>this.remain){let r=Object.assign(new Error("did not encounter expected EOF"),{path:this.absolute,syscall:"read",code:"EOF"});return this[pt](()=>this.emit("error",r))}if(!this.buf)throw new Error("should have created buffer prior to reading");if(t===this.remain)for(let r=t;rthis[Ji]())}[ns](t){this.once("drain",t)}write(t,e,i){if(typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8")),this.blockRemaint?this.emit("error",t):this.end());if(!this.buf)throw new Error("buffer lost somehow in ONDRAIN");this.offset>=this.length&&(this.buf=Buffer.allocUnsafe(Math.min(this.blockRemain,this.buf.length)),this.offset=0),this.length=this.buf.length-this.offset,this[ei]()}},ri=class extends de{sync=!0;[ts](){this[ii]($.lstatSync(this.absolute))}[ji](){this[is]($.readlinkSync(this.absolute))}[ss](){this[rs]($.openSync(this.absolute,"r"))}[ei](){let t=!0;try{let{fd:e,buf:i,offset:r,length:n,pos:o}=this;if(e===void 0||i===void 0)throw new Error("fd and buf must be set in READ method");let h=$.readSync(e,i,r,n,o);this[es](h),t=!1}finally{if(t)try{this[pt](()=>{})}catch{}}}[ns](t){t()}[pt](t=()=>{}){this.fd!==void 0&&$.closeSync(this.fd),t()}},ni=class extends A{blockLen=0;blockRemain=0;buf=0;pos=0;remain=0;length=0;preservePaths;portable;strict;noPax;noMtime;readEntry;type;prefix;path;mode;uid;gid;uname;gname;header;mtime;atime;ctime;linkpath;size;onWriteEntry;warn(t,e,i={}){return Nt(this,t,e,i)}constructor(t,e={}){let i=re(e);super(),this.preservePaths=!!i.preservePaths,this.portable=!!i.portable,this.strict=!!i.strict,this.noPax=!!i.noPax,this.noMtime=!!i.noMtime,this.onWriteEntry=i.onWriteEntry,this.readEntry=t;let{type:r}=t;if(r==="Unsupported")throw new Error("writing entry that should be ignored");this.type=r,this.type==="Directory"&&this.portable&&(this.noMtime=!0),this.prefix=i.prefix,this.path=f(t.path),this.mode=t.mode!==void 0?this[si](t.mode):void 0,this.uid=this.portable?void 0:t.uid,this.gid=this.portable?void 0:t.gid,this.uname=this.portable?void 0:t.uname,this.gname=this.portable?void 0:t.gname,this.size=t.size,this.mtime=this.noMtime?void 0:i.mtime||t.mtime,this.atime=this.portable?void 0:t.atime,this.ctime=this.portable?void 0:t.ctime,this.linkpath=t.linkpath!==void 0?f(t.linkpath):void 0,typeof i.onwarn=="function"&&this.on("warn",i.onwarn);let n=!1;if(!this.preservePaths){let[h,a]=ce(this.path);h&&typeof a=="string"&&(this.path=a,n=h)}this.remain=t.size,this.blockRemain=t.startBlockSize,this.onWriteEntry?.(this),this.header=new k({path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,mode:this.mode,uid:this.portable?void 0:this.uid,gid:this.portable?void 0:this.gid,size:this.size,mtime:this.noMtime?void 0:this.mtime,type:this.type,uname:this.portable?void 0:this.uname,atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime}),n&&this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute path`,{entry:this,path:n+this.path}),this.header.encode()&&!this.noPax&&super.write(new ct({atime:this.portable?void 0:this.atime,ctime:this.portable?void 0:this.ctime,gid:this.portable?void 0:this.gid,mtime:this.noMtime?void 0:this.mtime,path:this[X](this.path),linkpath:this.type==="Link"&&this.linkpath!==void 0?this[X](this.linkpath):this.linkpath,size:this.size,uid:this.portable?void 0:this.uid,uname:this.portable?void 0:this.uname,dev:this.portable?void 0:this.readEntry.dev,ino:this.portable?void 0:this.readEntry.ino,nlink:this.portable?void 0:this.readEntry.nlink}).encode());let o=this.header?.block;if(!o)throw new Error("failed to encode header");super.write(o),t.pipe(this)}[X](t){return tr(t,this.prefix)}[si](t){return Xi(t,this.type==="Directory",this.portable)}write(t,e,i){typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,typeof e=="string"?e:"utf8"));let r=t.length;if(r>this.blockRemain)throw new Error("writing more to entry than is appropriate");return this.blockRemain-=r,super.write(t,i)}end(t,e,i){return this.blockRemain&&super.write(Buffer.alloc(this.blockRemain)),typeof t=="function"&&(i=t,e=void 0,t=void 0),typeof e=="function"&&(i=e,e=void 0),typeof t=="string"&&(t=Buffer.from(t,e??"utf8")),i&&this.once("finish",i),t?super.end(t,i):super.end(i),this}},Bn=s=>s.isFile()?"File":s.isDirectory()?"Directory":s.isSymbolicLink()?"SymbolicLink":"Unsupported";var oi=class s{tail;head;length=0;static create(t=[]){return new s(t)}constructor(t=[]){for(let e of t)this.push(e)}*[Symbol.iterator](){for(let t=this.head;t;t=t.next)yield t.value}removeNode(t){if(t.list!==this)throw new Error("removing node which does not belong to this list");let e=t.next,i=t.prev;return e&&(e.prev=i),i&&(i.next=e),t===this.head&&(this.head=e),t===this.tail&&(this.tail=i),this.length--,t.next=void 0,t.prev=void 0,t.list=void 0,e}unshiftNode(t){if(t===this.head)return;t.list&&t.list.removeNode(t);let e=this.head;t.list=this,t.next=e,e&&(e.prev=t),this.head=t,this.tail||(this.tail=t),this.length++}pushNode(t){if(t===this.tail)return;t.list&&t.list.removeNode(t);let e=this.tail;t.list=this,t.prev=e,e&&(e.next=t),this.tail=t,this.head||(this.head=t),this.length++}push(...t){for(let e=0,i=t.length;e1)i=e;else if(this.head)r=this.head.next,i=this.head.value;else throw new TypeError("Reduce of empty list with no initial value");for(var n=0;r;n++)i=t(i,r.value,n),r=r.next;return i}reduceReverse(t,e){let i,r=this.tail;if(arguments.length>1)i=e;else if(this.tail)r=this.tail.prev,i=this.tail.value;else throw new TypeError("Reduce of empty list with no initial value");for(let n=this.length-1;r;n--)i=t(i,r.value,n),r=r.prev;return i}toArray(){let t=new Array(this.length);for(let e=0,i=this.head;i;e++)t[e]=i.value,i=i.next;return t}toArrayReverse(){let t=new Array(this.length);for(let e=0,i=this.tail;i;e++)t[e]=i.value,i=i.prev;return t}slice(t=0,e=this.length){e<0&&(e+=this.length),t<0&&(t+=this.length);let i=new s;if(ethis.length&&(e=this.length);let r=this.head,n=0;for(n=0;r&&nthis.length&&(e=this.length);let r=this.length,n=this.tail;for(;n&&r>e;r--)n=n.prev;for(;n&&r>t;r--,n=n.prev)i.push(n.value);return i}splice(t,e=0,...i){t>this.length&&(t=this.length-1),t<0&&(t=this.length+t);let r=this.head;for(let o=0;r&&o1)throw new TypeError("gzip, brotli, zstd are mutually exclusive");if(t.gzip&&(typeof t.gzip!="object"&&(t.gzip={}),this.portable&&(t.gzip.portable=!0),this.zip=new ze(t.gzip)),t.brotli&&(typeof t.brotli!="object"&&(t.brotli={}),this.zip=new We(t.brotli)),t.zstd&&(typeof t.zstd!="object"&&(t.zstd={}),this.zip=new Ye(t.zstd)),!this.zip)throw new Error("impossible");let e=this.zip;e.on("data",i=>super.write(i)),e.on("end",()=>super.end()),e.on("drain",()=>this[as]()),this.on("resume",()=>e.resume())}else this.on("drain",this[as]);this.noDirRecurse=!!t.noDirRecurse,this.follow=!!t.follow,this.noMtime=!!t.noMtime,t.mtime&&(this.mtime=t.mtime),this.filter=typeof t.filter=="function"?t.filter:()=>!0,this[W]=new oi,this[G]=0,this.jobs=Number(t.jobs)||4,this[Ee]=!1,this[me]=!1}[nr](t){return super.write(t)}add(t){return this.write(t),this}end(t,e,i){return typeof t=="function"&&(i=t,t=void 0),typeof e=="function"&&(i=e,e=void 0),t&&this.add(t),this[me]=!0,this[kt](),i&&i(),this}write(t){if(this[me])throw new Error("write after end");return t instanceof Yt?this[ir](t):this[li](t),this.flowing}[ir](t){let e=f(rr.resolve(this.cwd,t.path));if(!this.filter(t.path,t))t.resume();else{let i=new mi(t.path,e);i.entry=new ni(t,this[hs](i)),i.entry.on("end",()=>this[os](i)),this[G]+=1,this[W].push(i)}this[kt]()}[li](t){let e=f(rr.resolve(this.cwd,t));this[W].push(new mi(t,e)),this[kt]()}[ls](t){t.pending=!0,this[G]+=1;let e=this.follow?"stat":"lstat";ui[e](t.absolute,(i,r)=>{t.pending=!1,this[G]-=1,i?this.emit("error",i):this[ai](t,r)})}[ai](t,e){if(this.statCache.set(t.absolute,e),t.stat=e,!this.filter(t.path,e))t.ignore=!0;else if(e.isFile()&&e.nlink>1&&!this.linkCache.get(`${e.dev}:${e.ino}`)&&!this.sync)if(t===this[Et])this[hi](t);else{let i=`${e.dev}:${e.ino}`,r=this[pe].get(i);r?r.push(t):this[pe].set(i,[t]),t.pendingLink=!0,t.pending=!0}this[kt]()}[cs](t){t.pending=!0,this[G]+=1,ui.readdir(t.absolute,(e,i)=>{if(t.pending=!1,this[G]-=1,e)return this.emit("error",e);this[ci](t,i)})}[ci](t,e){this.readdirCache.set(t.absolute,e),t.readdir=e,this[kt]()}[kt](){if(!this[Ee]){this[Ee]=!0;for(let t=this[W].head;t&&this[G]1){let i=`${e.dev}:${e.ino}`,r=this[pe].get(i);if(r){this[pe].delete(i);for(let n of r)n.pending=!1,this[hi](n)}}this[kt]()}[hi](t){if(t.pending&&t.pendingLink&&t===this[Et]&&(t.pending=!1,t.pendingLink=!1),!t.pending){if(t.entry){t===this[Et]&&!t.piped&&this[fi](t);return}if(!t.stat){let e=this.statCache.get(t.absolute);e?this[ai](t,e):this[ls](t)}if(t.stat&&!t.ignore){if(!this.noDirRecurse&&t.stat.isDirectory()&&!t.readdir){let e=this.readdirCache.get(t.absolute);if(e?this[ci](t,e):this[cs](t),!t.readdir)return}if(t.entry=this[sr](t),!t.entry){t.ignore=!0;return}t===this[Et]&&!t.piped&&this[fi](t)}}}[hs](t){return{onwarn:(e,i,r)=>this.warn(e,i,r),noPax:this.noPax,cwd:this.cwd,absolute:t.absolute,preservePaths:this.preservePaths,maxReadSize:this.maxReadSize,strict:this.strict,portable:this.portable,linkCache:this.linkCache,statCache:this.statCache,noMtime:this.noMtime,mtime:this.mtime,prefix:this.prefix,onWriteEntry:this.onWriteEntry}}[sr](t){this[G]+=1;try{return new this[di](t.path,this[hs](t)).on("end",()=>this[os](t)).on("error",i=>this.emit("error",i))}catch(e){this.emit("error",e)}}[as](){this[Et]&&this[Et].entry&&this[Et].entry.resume()}[fi](t){t.piped=!0,t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[li](o+r)});let e=t.entry,i=this.zip;if(!e)throw new Error("cannot pipe without source");i?e.on("data",r=>{i.write(r)||e.pause()}):e.on("data",r=>{super.write(r)||e.pause()})}pause(){return this.zip&&this.zip.pause(),super.pause()}warn(t,e,i={}){Nt(this,t,e,i)}},Ft=class extends wt{sync=!0;constructor(t){super(t),this[di]=ri}pause(){}resume(){}[ls](t){let e=this.follow?"statSync":"lstatSync";this[ai](t,ui[e](t.absolute))}[cs](t){this[ci](t,ui.readdirSync(t.absolute))}[fi](t){let e=t.entry,i=this.zip;if(t.readdir&&t.readdir.forEach(r=>{let n=t.path,o=n==="./"?"":n.replace(/\/*$/,"/");this[li](o+r)}),!e)throw new Error("Cannot pipe without source");i?e.on("data",r=>{i.write(r)}):e.on("data",r=>{super[nr](r)})}};var Hn=(s,t)=>{let e=new Ft(s),i=new Wt(s.file,{mode:s.mode||438});e.pipe(i),hr(e,t)},Wn=(s,t)=>{let e=new wt(s),i=new tt(s.file,{mode:s.mode||438});e.pipe(i);let r=new Promise((n,o)=>{i.on("error",o),i.on("close",n),e.on("error",o)});return ar(e,t).catch(n=>e.emit("error",n)),r},hr=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ct({file:or.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},ar=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ct({file:or.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>{s.add(i)}}):s.add(e);s.end()},Gn=(s,t)=>{let e=new Ft(s);return hr(e,t),e},Zn=(s,t)=>{let e=new wt(s);return ar(e,t).catch(i=>e.emit("error",i)),e},Yn=K(Hn,Wn,Gn,Zn,(s,t)=>{if(!t?.length)throw new TypeError("no paths specified to add to archive")});import kr from"node:fs";import ro from"node:assert";import{randomBytes as Cr}from"node:crypto";import u from"node:fs";import R from"node:path";import fr from"fs";var Kn=process.env.__FAKE_PLATFORM__||process.platform,dr=Kn==="win32",{O_CREAT:ur,O_NOFOLLOW:lr,O_TRUNC:mr,O_WRONLY:pr}=fr.constants,Er=Number(process.env.__FAKE_FS_O_FILENAME__)||fr.constants.UV_FS_O_FILEMAP||0,Vn=dr&&!!Er,$n=512*1024,Xn=Er|mr|ur|pr,cr=!dr&&typeof lr=="number"?lr|mr|ur|pr:null,fs=cr!==null?()=>cr:Vn?s=>s<$n?Xn:"w":()=>"w";import Ei from"node:fs";import we from"node:path";var ds=(s,t,e)=>{try{return Ei.lchownSync(s,t,e)}catch(i){if(i?.code!=="ENOENT")throw i}},pi=(s,t,e,i)=>{Ei.lchown(s,t,e,r=>{i(r&&r?.code!=="ENOENT"?r:null)})},qn=(s,t,e,i,r)=>{if(t.isDirectory())us(we.resolve(s,t.name),e,i,n=>{if(n)return r(n);let o=we.resolve(s,t.name);pi(o,e,i,r)});else{let n=we.resolve(s,t.name);pi(n,e,i,r)}},us=(s,t,e,i)=>{Ei.readdir(s,{withFileTypes:!0},(r,n)=>{if(r){if(r.code==="ENOENT")return i();if(r.code!=="ENOTDIR"&&r.code!=="ENOTSUP")return i(r)}if(r||!n.length)return pi(s,t,e,i);let o=n.length,h=null,a=l=>{if(!h){if(l)return i(h=l);if(--o===0)return pi(s,t,e,i)}};for(let l of n)qn(s,l,t,e,a)})},Qn=(s,t,e,i)=>{t.isDirectory()&&ms(we.resolve(s,t.name),e,i),ds(we.resolve(s,t.name),e,i)},ms=(s,t,e)=>{let i;try{i=Ei.readdirSync(s,{withFileTypes:!0})}catch(r){let n=r;if(n?.code==="ENOENT")return;if(n?.code==="ENOTDIR"||n?.code==="ENOTSUP")return ds(s,t,e);throw n}for(let r of i)Qn(s,r,t,e);return ds(s,t,e)};import F from"node:fs";import Jn from"node:fs/promises";import wi from"node:path";var Se=class extends Error{path;code;syscall="chdir";constructor(t,e){super(`${e}: Cannot cd into '${t}'`),this.path=t,this.code=e}get name(){return"CwdError"}};var St=class extends Error{path;symlink;syscall="symlink";code="TAR_SYMLINK_ERROR";constructor(t,e){super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link"),this.symlink=t,this.path=e}get name(){return"SymlinkError"}};var jn=(s,t)=>{F.stat(s,(e,i)=>{(e||!i.isDirectory())&&(e=new Se(s,e?.code||"ENOTDIR")),t(e)})},wr=(s,t,e)=>{s=f(s);let i=t.umask??18,r=t.mode|448,n=(r&i)!==0,o=t.uid,h=t.gid,a=typeof o=="number"&&typeof h=="number"&&(o!==t.processUid||h!==t.processGid),l=t.preserve,c=t.unlink,d=f(t.cwd),S=(E,x)=>{E?e(E):x&&a?us(x,o,h,Le=>S(Le)):n?F.chmod(s,r,e):e()};if(s===d)return jn(s,S);if(l)return Jn.mkdir(s,{mode:r,recursive:!0}).then(E=>S(null,E??void 0),S);let N=f(wi.relative(d,s)).split("/");ps(d,N,r,c,d,void 0,S)},ps=(s,t,e,i,r,n,o)=>{if(t.length===0)return o(null,n);let h=t.shift(),a=f(wi.resolve(s+"/"+h));F.mkdir(a,e,Sr(a,t,e,i,r,n,o))},Sr=(s,t,e,i,r,n,o)=>h=>{h?F.lstat(s,(a,l)=>{if(a)a.path=a.path&&f(a.path),o(a);else if(l.isDirectory())ps(s,t,e,i,r,n,o);else if(i)F.unlink(s,c=>{if(c)return o(c);F.mkdir(s,e,Sr(s,t,e,i,r,n,o))});else{if(l.isSymbolicLink())return o(new St(s,s+"/"+t.join("/")));o(h)}}):(n=n||s,ps(s,t,e,i,r,n,o))},to=s=>{let t=!1,e;try{t=F.statSync(s).isDirectory()}catch(i){e=i?.code}finally{if(!t)throw new Se(s,e??"ENOTDIR")}},yr=(s,t)=>{s=f(s);let e=t.umask??18,i=t.mode|448,r=(i&e)!==0,n=t.uid,o=t.gid,h=typeof n=="number"&&typeof o=="number"&&(n!==t.processUid||o!==t.processGid),a=t.preserve,l=t.unlink,c=f(t.cwd),d=E=>{E&&h&&ms(E,n,o),r&&F.chmodSync(s,i)};if(s===c)return to(c),d();if(a)return d(F.mkdirSync(s,{mode:i,recursive:!0})??void 0);let T=f(wi.relative(c,s)).split("/"),N;for(let E=T.shift(),x=c;E&&(x+="/"+E);E=T.shift()){x=f(wi.resolve(x));try{F.mkdirSync(x,i),N=N||x}catch{let Le=F.lstatSync(x);if(Le.isDirectory())continue;if(l){F.unlinkSync(x),F.mkdirSync(x,i),N=N||x;continue}else if(Le.isSymbolicLink())return new St(x,x+"/"+T.join("/"))}}return d(N)};import{join as br}from"node:path";var Es=Object.create(null),Rr=1e4,$t=new Set,gr=s=>{$t.has(s)?$t.delete(s):Es[s]=s.normalize("NFD").toLocaleLowerCase("en").toLocaleUpperCase("en"),$t.add(s);let t=Es[s],e=$t.size-Rr;if(e>Rr/10){for(let i of $t)if($t.delete(i),delete Es[i],--e<=0)break}return t};var eo=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,io=eo==="win32",so=s=>s.split("/").slice(0,-1).reduce((e,i)=>{let r=e.at(-1);return r!==void 0&&(i=br(r,i)),e.push(i||"/"),e},[]),Si=class{#t=new Map;#i=new Map;#s=new Set;reserve(t,e){t=io?["win32 parallelization disabled"]:t.map(r=>mt(br(gr(r))));let i=new Set(t.map(r=>so(r)).reduce((r,n)=>r.concat(n)));this.#i.set(e,{dirs:i,paths:t});for(let r of t){let n=this.#t.get(r);n?n.push(e):this.#t.set(r,[e])}for(let r of i){let n=this.#t.get(r);if(!n)this.#t.set(r,[new Set([e])]);else{let o=n.at(-1);o instanceof Set?o.add(e):n.push(new Set([e]))}}return this.#r(e)}#n(t){let e=this.#i.get(t);if(!e)throw new Error("function does not have any path reservations");return{paths:e.paths.map(i=>this.#t.get(i)),dirs:[...e.dirs].map(i=>this.#t.get(i))}}check(t){let{paths:e,dirs:i}=this.#n(t);return e.every(r=>r&&r[0]===t)&&i.every(r=>r&&r[0]instanceof Set&&r[0].has(t))}#r(t){return this.#s.has(t)||!this.check(t)?!1:(this.#s.add(t),t(()=>this.#e(t)),!0)}#e(t){if(!this.#s.has(t))return!1;let e=this.#i.get(t);if(!e)throw new Error("invalid reservation");let{paths:i,dirs:r}=e,n=new Set;for(let o of i){let h=this.#t.get(o);if(!h||h?.[0]!==t)continue;let a=h[1];if(!a){this.#t.delete(o);continue}if(h.shift(),typeof a=="function")n.add(a);else for(let l of a)n.add(l)}for(let o of r){let h=this.#t.get(o),a=h?.[0];if(!(!h||!(a instanceof Set)))if(a.size===1&&h.length===1){this.#t.delete(o);continue}else if(a.size===1){h.shift();let l=h[0];typeof l=="function"&&n.add(l)}else a.delete(t)}return this.#s.delete(t),n.forEach(o=>this.#r(o)),!0}};var _r=()=>process.umask();var Or=Symbol("onEntry"),Rs=Symbol("checkFs"),Tr=Symbol("checkFs2"),gs=Symbol("isReusable"),P=Symbol("makeFs"),bs=Symbol("file"),_s=Symbol("directory"),Ri=Symbol("link"),xr=Symbol("symlink"),Lr=Symbol("hardlink"),Re=Symbol("ensureNoSymlink"),Nr=Symbol("unsupported"),Dr=Symbol("checkPath"),ws=Symbol("stripAbsolutePath"),yt=Symbol("mkdir"),O=Symbol("onError"),yi=Symbol("pending"),Ar=Symbol("pend"),Xt=Symbol("unpend"),Ss=Symbol("ended"),ys=Symbol("maybeClose"),Os=Symbol("skip"),ge=Symbol("doChown"),be=Symbol("uid"),_e=Symbol("gid"),Oe=Symbol("checkedCwd"),no=process.env.TESTING_TAR_FAKE_PLATFORM||process.platform,Te=no==="win32",oo=1024,ho=(s,t)=>{if(!Te)return u.unlink(s,t);let e=s+".DELETE."+Cr(16).toString("hex");u.rename(s,e,i=>{if(i)return t(i);u.unlink(e,t)})},ao=s=>{if(!Te)return u.unlinkSync(s);let t=s+".DELETE."+Cr(16).toString("hex");u.renameSync(s,t),u.unlinkSync(t)},Ir=(s,t,e)=>s!==void 0&&s===s>>>0?s:t!==void 0&&t===t>>>0?t:e,qt=class extends st{[Ss]=!1;[Oe]=!1;[yi]=0;reservations=new Si;transform;writable=!0;readable=!1;uid;gid;setOwner;preserveOwner;processGid;processUid;maxDepth;forceChown;win32;newer;keep;noMtime;preservePaths;unlink;cwd;strip;processUmask;umask;dmode;fmode;chmod;constructor(t={}){if(t.ondone=()=>{this[Ss]=!0,this[ys]()},super(t),this.transform=t.transform,this.chmod=!!t.chmod,typeof t.uid=="number"||typeof t.gid=="number"){if(typeof t.uid!="number"||typeof t.gid!="number")throw new TypeError("cannot set owner without number uid and gid");if(t.preserveOwner)throw new TypeError("cannot preserve owner in archive and also set owner explicitly");this.uid=t.uid,this.gid=t.gid,this.setOwner=!0}else this.uid=void 0,this.gid=void 0,this.setOwner=!1;this.preserveOwner=t.preserveOwner===void 0&&typeof t.uid!="number"?!!(process.getuid&&process.getuid()===0):!!t.preserveOwner,this.processUid=(this.preserveOwner||this.setOwner)&&process.getuid?process.getuid():void 0,this.processGid=(this.preserveOwner||this.setOwner)&&process.getgid?process.getgid():void 0,this.maxDepth=typeof t.maxDepth=="number"?t.maxDepth:oo,this.forceChown=t.forceChown===!0,this.win32=!!t.win32||Te,this.newer=!!t.newer,this.keep=!!t.keep,this.noMtime=!!t.noMtime,this.preservePaths=!!t.preservePaths,this.unlink=!!t.unlink,this.cwd=f(R.resolve(t.cwd||process.cwd())),this.strip=Number(t.strip)||0,this.processUmask=this.chmod?typeof t.processUmask=="number"?t.processUmask:_r():0,this.umask=typeof t.umask=="number"?t.umask:this.processUmask,this.dmode=t.dmode||511&~this.umask,this.fmode=t.fmode||438&~this.umask,this.on("entry",e=>this[Or](e))}warn(t,e,i={}){return(t==="TAR_BAD_ARCHIVE"||t==="TAR_ABORT")&&(i.recoverable=!1),super.warn(t,e,i)}[ys](){this[Ss]&&this[yi]===0&&(this.emit("prefinish"),this.emit("finish"),this.emit("end"))}[ws](t,e){let i=t[e],{type:r}=t;if(!i||this.preservePaths)return!0;let[n,o]=ce(i),h=o.replaceAll(/\\/g,"/").split("/");if(h.includes("..")||Te&&/^[a-z]:\.\.$/i.test(h[0]??"")){if(e==="path"||r==="Link")return this.warn("TAR_ENTRY_ERROR",`${e} contains '..'`,{entry:t,[e]:i}),!1;let a=R.posix.dirname(t.path),l=R.posix.normalize(R.posix.join(a,h.join("/")));if(l.startsWith("../")||l==="..")return this.warn("TAR_ENTRY_ERROR",`${e} escapes extraction directory`,{entry:t,[e]:i}),!1}return n&&(t[e]=String(o),this.warn("TAR_ENTRY_INFO",`stripping ${n} from absolute ${e}`,{entry:t,[e]:i})),!0}[Dr](t){let e=f(t.path),i=e.split("/");if(this.strip){if(i.length=this.strip)t.linkpath=r.slice(this.strip).join("/");else return!1}i.splice(0,this.strip),t.path=i.join("/")}if(isFinite(this.maxDepth)&&i.length>this.maxDepth)return this.warn("TAR_ENTRY_ERROR","path excessively deep",{entry:t,path:e,depth:i.length,maxDepth:this.maxDepth}),!1;if(!this[ws](t,"path")||!this[ws](t,"linkpath"))return!1;if(t.absolute=R.isAbsolute(t.path)?f(R.resolve(t.path)):f(R.resolve(this.cwd,t.path)),!this.preservePaths&&typeof t.absolute=="string"&&t.absolute.indexOf(this.cwd+"/")!==0&&t.absolute!==this.cwd)return this.warn("TAR_ENTRY_ERROR","path escaped extraction target",{entry:t,path:f(t.path),resolvedPath:t.absolute,cwd:this.cwd}),!1;if(t.absolute===this.cwd&&t.type!=="Directory"&&t.type!=="GNUDumpDir")return!1;if(this.win32){let{root:r}=R.win32.parse(String(t.absolute));t.absolute=r+Qi(String(t.absolute).slice(r.length));let{root:n}=R.win32.parse(t.path);t.path=n+Qi(t.path.slice(n.length))}return!0}[Or](t){if(!this[Dr](t))return t.resume();switch(ro.equal(typeof t.absolute,"string"),t.type){case"Directory":case"GNUDumpDir":t.mode&&(t.mode=t.mode|448);case"File":case"OldFile":case"ContiguousFile":case"Link":case"SymbolicLink":return this[Rs](t);default:return this[Nr](t)}}[O](t,e){t.name==="CwdError"?this.emit("error",t):(this.warn("TAR_ENTRY_ERROR",t,{entry:e}),this[Xt](),e.resume())}[yt](t,e,i){wr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e},i)}[ge](t){return this.forceChown||this.preserveOwner&&(typeof t.uid=="number"&&t.uid!==this.processUid||typeof t.gid=="number"&&t.gid!==this.processGid)||typeof this.uid=="number"&&this.uid!==this.processUid||typeof this.gid=="number"&&this.gid!==this.processGid}[be](t){return Ir(this.uid,t.uid,this.processUid)}[_e](t){return Ir(this.gid,t.gid,this.processGid)}[bs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=new tt(String(t.absolute),{flags:fs(t.size),mode:i,autoClose:!1});r.on("error",a=>{r.fd&&u.close(r.fd,()=>{}),r.write=()=>!0,this[O](a,t),e()});let n=1,o=a=>{if(a){r.fd&&u.close(r.fd,()=>{}),this[O](a,t),e();return}--n===0&&r.fd!==void 0&&u.close(r.fd,l=>{l?this[O](l,t):this[Xt](),e()})};r.on("finish",()=>{let a=String(t.absolute),l=r.fd;if(typeof l=="number"&&t.mtime&&!this.noMtime){n++;let c=t.atime||new Date,d=t.mtime;u.futimes(l,c,d,S=>S?u.utimes(a,c,d,T=>o(T&&S)):o())}if(typeof l=="number"&&this[ge](t)){n++;let c=this[be](t),d=this[_e](t);typeof c=="number"&&typeof d=="number"&&u.fchown(l,c,d,S=>S?u.chown(a,c,d,T=>o(T&&S)):o())}o()});let h=this.transform&&this.transform(t)||t;h!==t&&(h.on("error",a=>{this[O](a,t),e()}),t.pipe(h)),h.pipe(r)}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode;this[yt](String(t.absolute),i,r=>{if(r){this[O](r,t),e();return}let n=1,o=()=>{--n===0&&(e(),this[Xt](),t.resume())};t.mtime&&!this.noMtime&&(n++,u.utimes(String(t.absolute),t.atime||new Date,t.mtime,o)),this[ge](t)&&(n++,u.chown(String(t.absolute),Number(this[be](t)),Number(this[_e](t)),o)),o()})}[Nr](t){t.unsupported=!0,this.warn("TAR_ENTRY_UNSUPPORTED",`unsupported entry type: ${t.type}`,{entry:t}),t.resume()}[xr](t,e){let i=f(R.relative(this.cwd,R.resolve(R.dirname(String(t.absolute)),String(t.linkpath)))).split("/");this[Re](t,this.cwd,i,()=>this[Ri](t,String(t.linkpath),"symlink",e),r=>{this[O](r,t),e()})}[Lr](t,e){let i=f(R.resolve(this.cwd,String(t.linkpath))),r=f(String(t.linkpath)).split("/");this[Re](t,this.cwd,r,()=>this[Ri](t,i,"link",e),n=>{this[O](n,t),e()})}[Re](t,e,i,r,n){let o=i.shift();if(this.preservePaths||o===void 0)return r();let h=R.resolve(e,o);u.lstat(h,(a,l)=>{if(a)return r();if(l?.isSymbolicLink())return n(new St(h,R.resolve(h,i.join("/"))));this[Re](t,h,i,r,n)})}[Ar](){this[yi]++}[Xt](){this[yi]--,this[ys]()}[Os](t){this[Xt](),t.resume()}[gs](t,e){return t.type==="File"&&!this.unlink&&e.isFile()&&e.nlink<=1&&!Te}[Rs](t){this[Ar]();let e=[t.path];t.linkpath&&e.push(t.linkpath),this.reservations.reserve(e,i=>this[Tr](t,i))}[Tr](t,e){let i=h=>{e(h)},r=()=>{this[yt](this.cwd,this.dmode,h=>{if(h){this[O](h,t),i();return}this[Oe]=!0,n()})},n=()=>{if(t.absolute!==this.cwd){let h=f(R.dirname(String(t.absolute)));if(h!==this.cwd)return this[yt](h,this.dmode,a=>{if(a){this[O](a,t),i();return}o()})}o()},o=()=>{u.lstat(String(t.absolute),(h,a)=>{if(a&&(this.keep||this.newer&&a.mtime>(t.mtime??a.mtime))){this[Os](t),i();return}if(h||this[gs](t,a))return this[P](null,t,i);if(a.isDirectory()){if(t.type==="Directory"){let l=this.chmod&&t.mode&&(a.mode&4095)!==t.mode,c=d=>this[P](d??null,t,i);return l?u.chmod(String(t.absolute),Number(t.mode),c):c()}if(t.absolute!==this.cwd)return u.rmdir(String(t.absolute),l=>this[P](l??null,t,i))}if(t.absolute===this.cwd)return this[P](null,t,i);ho(String(t.absolute),l=>this[P](l??null,t,i))})};this[Oe]?n():r()}[P](t,e,i){if(t){this[O](t,e),i();return}switch(e.type){case"File":case"OldFile":case"ContiguousFile":return this[bs](e,i);case"Link":return this[Lr](e,i);case"SymbolicLink":return this[xr](e,i);case"Directory":case"GNUDumpDir":return this[_s](e,i)}}[Ri](t,e,i,r){u[i](e,String(t.absolute),n=>{n?this[O](n,t):(this[Xt](),t.resume()),r()})}},ye=s=>{try{return[null,s()]}catch(t){return[t,null]}},xe=class extends qt{sync=!0;[P](t,e){return super[P](t,e,()=>{})}[Rs](t){if(!this[Oe]){let n=this[yt](this.cwd,this.dmode);if(n)return this[O](n,t);this[Oe]=!0}if(t.absolute!==this.cwd){let n=f(R.dirname(String(t.absolute)));if(n!==this.cwd){let o=this[yt](n,this.dmode);if(o)return this[O](o,t)}}let[e,i]=ye(()=>u.lstatSync(String(t.absolute)));if(i&&(this.keep||this.newer&&i.mtime>(t.mtime??i.mtime)))return this[Os](t);if(e||this[gs](t,i))return this[P](null,t);if(i.isDirectory()){if(t.type==="Directory"){let o=this.chmod&&t.mode&&(i.mode&4095)!==t.mode,[h]=o?ye(()=>{u.chmodSync(String(t.absolute),Number(t.mode))}):[];return this[P](h,t)}let[n]=ye(()=>u.rmdirSync(String(t.absolute)));this[P](n,t)}let[r]=t.absolute===this.cwd?[]:ye(()=>ao(String(t.absolute)));this[P](r,t)}[bs](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.fmode,r=h=>{let a;try{u.closeSync(n)}catch(l){a=l}(h||a)&&this[O](h||a,t),e()},n;try{n=u.openSync(String(t.absolute),fs(t.size),i)}catch(h){return r(h)}let o=this.transform&&this.transform(t)||t;o!==t&&(o.on("error",h=>this[O](h,t)),t.pipe(o)),o.on("data",h=>{try{u.writeSync(n,h,0,h.length)}catch(a){r(a)}}),o.on("end",()=>{let h=null;if(t.mtime&&!this.noMtime){let a=t.atime||new Date,l=t.mtime;try{u.futimesSync(n,a,l)}catch(c){try{u.utimesSync(String(t.absolute),a,l)}catch{h=c}}}if(this[ge](t)){let a=this[be](t),l=this[_e](t);try{u.fchownSync(n,Number(a),Number(l))}catch(c){try{u.chownSync(String(t.absolute),Number(a),Number(l))}catch{h=h||c}}}r(h)})}[_s](t,e){let i=typeof t.mode=="number"?t.mode&4095:this.dmode,r=this[yt](String(t.absolute),i);if(r){this[O](r,t),e();return}if(t.mtime&&!this.noMtime)try{u.utimesSync(String(t.absolute),t.atime||new Date,t.mtime)}catch{}if(this[ge](t))try{u.chownSync(String(t.absolute),Number(this[be](t)),Number(this[_e](t)))}catch{}e(),t.resume()}[yt](t,e){try{return yr(f(t),{uid:this.uid,gid:this.gid,processUid:this.processUid,processGid:this.processGid,umask:this.processUmask,preserve:this.preservePaths,unlink:this.unlink,cwd:this.cwd,mode:e})}catch(i){return i}}[Re](t,e,i,r,n){if(this.preservePaths||i.length===0)return r();let o=e;for(let h of i){o=R.resolve(o,h);let[a,l]=ye(()=>u.lstatSync(o));if(a)return r();if(l.isSymbolicLink())return n(new St(o,R.resolve(e,i.join("/"))))}r()}[Ri](t,e,i,r){let n=`${i}Sync`;try{u[n](e,String(t.absolute)),r(),t.resume()}catch(o){return this[O](o,t)}}};var lo=s=>{let t=new xe(s),e=s.file,i=kr.statSync(e),r=s.maxReadSize||16*1024*1024;new Be(e,{readSize:r,size:i.size}).pipe(t)},co=(s,t)=>{let e=new qt(s),i=s.maxReadSize||16*1024*1024,r=s.file;return new Promise((o,h)=>{e.on("error",h),e.on("close",o),kr.stat(r,(a,l)=>{if(a)h(a);else{let c=new _t(r,{readSize:i,size:l.size});c.on("error",h),c.pipe(e)}})})},fo=K(lo,co,s=>new xe(s),s=>new qt(s),(s,t)=>{t?.length&&$i(s,t)});import v from"node:fs";import Fr from"node:path";var uo=(s,t)=>{let e=new Ft(s),i=!0,r,n;try{try{r=v.openSync(s.file,"r+")}catch(a){if(a?.code==="ENOENT")r=v.openSync(s.file,"w+");else throw a}let o=v.fstatSync(r),h=Buffer.alloc(512);t:for(n=0;no.size)break;n+=l,s.mtimeCache&&a.mtime&&s.mtimeCache.set(String(a.path),a.mtime)}i=!1,mo(s,e,n,r,t)}finally{if(i)try{v.closeSync(r)}catch{}}},mo=(s,t,e,i,r)=>{let n=new Wt(s.file,{fd:i,start:e});t.pipe(n),Eo(t,r)},po=(s,t)=>{t=Array.from(t);let e=new wt(s),i=(n,o,h)=>{let a=(T,N)=>{T?v.close(n,E=>h(T)):h(null,N)},l=0;if(o===0)return a(null,0);let c=0,d=Buffer.alloc(512),S=(T,N)=>{if(T||N===void 0)return a(T);if(c+=N,c<512&&N)return v.read(n,d,c,d.length-c,l+c,S);if(l===0&&d[0]===31&&d[1]===139)return a(new Error("cannot append to compressed archives"));if(c<512)return a(null,l);let E=new k(d);if(!E.cksumValid)return a(null,l);let x=512*Math.ceil((E.size??0)/512);if(l+x+512>o||(l+=x+512,l>=o))return a(null,l);s.mtimeCache&&E.mtime&&s.mtimeCache.set(String(E.path),E.mtime),c=0,v.read(n,d,0,512,l,S)};v.read(n,d,0,512,l,S)};return new Promise((n,o)=>{e.on("error",o);let h="r+",a=(l,c)=>{if(l&&l.code==="ENOENT"&&h==="r+")return h="w+",v.open(s.file,h,a);if(l||!c)return o(l);v.fstat(c,(d,S)=>{if(d)return v.close(c,()=>o(d));i(c,S.size,(T,N)=>{if(T)return o(T);let E=new tt(s.file,{fd:c,start:N});e.pipe(E),E.on("error",o),E.on("close",n),wo(e,t)})})};v.open(s.file,h,a)})},Eo=(s,t)=>{t.forEach(e=>{e.charAt(0)==="@"?Ct({file:Fr.resolve(s.cwd,e.slice(1)),sync:!0,noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e)}),s.end()},wo=async(s,t)=>{for(let e of t)e.charAt(0)==="@"?await Ct({file:Fr.resolve(String(s.cwd),e.slice(1)),noResume:!0,onReadEntry:i=>s.add(i)}):s.add(e);s.end()},vt=K(uo,po,()=>{throw new TypeError("file is required")},()=>{throw new TypeError("file is required")},(s,t)=>{if(!Fs(s))throw new TypeError("file is required");if(s.gzip||s.brotli||s.zstd||s.file.endsWith(".br")||s.file.endsWith(".tbr"))throw new TypeError("cannot append to compressed archives");if(!t?.length)throw new TypeError("no paths specified to add/replace")});var So=K(vt.syncFile,vt.asyncFile,vt.syncNoFile,vt.asyncNoFile,(s,t=[])=>{vt.validate?.(s,t),yo(s)}),yo=s=>{let t=s.filter;s.mtimeCache||(s.mtimeCache=new Map),s.filter=t?(e,i)=>t(e,i)&&!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0)):(e,i)=>!((s.mtimeCache?.get(e)??i.mtime??0)>(i.mtime??0))};export{k as Header,wt as Pack,mi as PackJob,Ft as PackSync,st as Parser,ct as Pax,Yt as ReadEntry,qt as Unpack,xe as UnpackSync,de as WriteEntry,ri as WriteEntrySync,ni as WriteEntryTar,Yn as c,Yn as create,fo as extract,$i as filesFilter,Ct as list,vt as r,vt as replace,Ct as t,zi as types,So as u,So as update,fo as x};
 //# sourceMappingURL=index.min.js.map
diff --git a/deps/npm/node_modules/tar/dist/esm/pack.js b/deps/npm/node_modules/tar/dist/esm/pack.js
index ed87ffd49b787c..6eae0ee73bda00 100644
--- a/deps/npm/node_modules/tar/dist/esm/pack.js
+++ b/deps/npm/node_modules/tar/dist/esm/pack.js
@@ -15,6 +15,7 @@ export class PackJob {
     stat;
     readdir;
     pending = false;
+    pendingLink = false;
     ignore = false;
     piped = false;
     constructor(path, absolute) {
@@ -31,6 +32,7 @@ const EOF = Buffer.alloc(1024);
 const ONSTAT = Symbol('onStat');
 const ENDED = Symbol('ended');
 const QUEUE = Symbol('queue');
+const PENDINGLINKS = Symbol('queue');
 const CURRENT = Symbol('current');
 const PROCESS = Symbol('process');
 const PROCESSING = Symbol('processing');
@@ -82,6 +84,7 @@ export class Pack extends Minipass {
     // class, but then we'd have to be tracking the tail of the queue the
     // whole time, and Yallist just does that for us anyway.
     [QUEUE];
+    [PENDINGLINKS] = new Map();
     [JOBS] = 0;
     [PROCESSING] = false;
     [ENDED] = false;
@@ -239,14 +242,26 @@ export class Pack extends Minipass {
         }
         else if (stat.isFile() &&
             stat.nlink > 1 &&
-            job === this[CURRENT] &&
             !this.linkCache.get(`${stat.dev}:${stat.ino}`) &&
             !this.sync) {
-            // if it's not filtered, and it's a new File entry,
-            // jump the queue in case any pending Link entries are about
-            // to try to link to it. This prevents a hardlink from coming ahead
-            // of its target in the archive.
-            this[PROCESSJOB](job);
+            // if it's not filtered, and it's a new File entry, and next anyway
+            // process right away in case any pending Link entries are about
+            // to try to link to it.
+            if (job === this[CURRENT]) {
+                this[PROCESSJOB](job);
+            }
+            else {
+                // if it's NOT the current entry, it needs to be deferred,
+                // so that the link target can be built first.
+                const key = `${stat.dev}:${stat.ino}`;
+                const pending = this[PENDINGLINKS].get(key);
+                if (pending)
+                    pending.push(job);
+                else
+                    this[PENDINGLINKS].set(key, [job]);
+                job.pendingLink = true;
+                job.pending = true;
+            }
         }
         this[PROCESS]();
     }
@@ -294,12 +309,31 @@ export class Pack extends Minipass {
     get [CURRENT]() {
         return this[QUEUE] && this[QUEUE].head && this[QUEUE].head.value;
     }
-    [JOBDONE](_job) {
+    [JOBDONE](job) {
         this[QUEUE].shift();
         this[JOBS] -= 1;
+        const { stat } = job;
+        if (stat && stat.isFile() && stat.nlink > 1) {
+            // might be a file with pending links
+            const key = `${stat.dev}:${stat.ino}`;
+            const pending = this[PENDINGLINKS].get(key);
+            if (pending) {
+                this[PENDINGLINKS].delete(key);
+                for (const job of pending) {
+                    job.pending = false;
+                    this[PROCESSJOB](job);
+                }
+            }
+        }
         this[PROCESS]();
     }
     [PROCESSJOB](job) {
+        if (job.pending && job.pendingLink && job === this[CURRENT]) {
+            // At least one of the links to this file are not being included
+            // in the tarball, so we need to just proceed.
+            job.pending = false;
+            job.pendingLink = false;
+        }
         if (job.pending) {
             return;
         }
diff --git a/deps/npm/node_modules/tar/package.json b/deps/npm/node_modules/tar/package.json
index 55d21bcf0b535d..2ad5841e328515 100644
--- a/deps/npm/node_modules/tar/package.json
+++ b/deps/npm/node_modules/tar/package.json
@@ -2,7 +2,7 @@
   "author": "Isaac Z. Schlueter",
   "name": "tar",
   "description": "tar for node",
-  "version": "7.5.13",
+  "version": "7.5.15",
   "repository": {
     "type": "git",
     "url": "https://github.com/isaacs/node-tar.git"
@@ -38,13 +38,13 @@
     "events-to-array": "^2.0.3",
     "mutate-fs": "^2.1.1",
     "nock": "^13.5.4",
-    "oxlint": "^1.56.0",
-    "oxlint-tsgolint": "^0.17.0",
+    "oxlint": "^1.57.0",
+    "oxlint-tsgolint": "^0.17.3",
     "prettier": "^3.8.1",
     "rimraf": "^6.1.2",
     "tap": "^21.6.2",
     "tshy": "^3.3.2",
-    "typedoc": "^0.28.17"
+    "typedoc": "^0.28.18"
   },
   "license": "BlueOak-1.0.0",
   "engines": {
diff --git a/deps/npm/node_modules/undici/lib/dispatcher/agent.js b/deps/npm/node_modules/undici/lib/dispatcher/agent.js
index db2f817d0fe978..90b46fe3aeb4b4 100644
--- a/deps/npm/node_modules/undici/lib/dispatcher/agent.js
+++ b/deps/npm/node_modules/undici/lib/dispatcher/agent.js
@@ -24,7 +24,6 @@ function defaultFactory (origin, opts) {
 
 class Agent extends DispatcherBase {
   constructor ({ factory = defaultFactory, maxRedirections = 0, connect, ...options } = {}) {
-
     if (typeof factory !== 'function') {
       throw new InvalidArgumentError('factory must be a function.')
     }
diff --git a/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js b/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
index 2b8fa05da29427..ef3d38ea4f2ed3 100644
--- a/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
+++ b/deps/npm/node_modules/undici/lib/dispatcher/client-h1.js
@@ -279,29 +279,71 @@ class Parser {
 
       const offset = llhttp.llhttp_get_error_pos(this.ptr) - currentBufferPtr
 
-      if (ret === constants.ERROR.PAUSED_UPGRADE) {
-        this.onUpgrade(data.slice(offset))
-      } else if (ret === constants.ERROR.PAUSED) {
-        this.paused = true
-        socket.unshift(data.slice(offset))
-      } else if (ret !== constants.ERROR.OK) {
-        const ptr = llhttp.llhttp_get_error_reason(this.ptr)
-        let message = ''
-        /* istanbul ignore else: difficult to make a test case for */
-        if (ptr) {
-          const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0)
-          message =
-            'Response does not match the HTTP/1.1 protocol (' +
-            Buffer.from(llhttp.memory.buffer, ptr, len).toString() +
-            ')'
+      if (ret !== constants.ERROR.OK) {
+        const body = data.subarray(offset)
+
+        if (ret === constants.ERROR.PAUSED_UPGRADE) {
+          this.onUpgrade(body)
+        } else if (ret === constants.ERROR.PAUSED) {
+          this.paused = true
+          socket.unshift(body)
+        } else {
+          throw this.createError(ret, body)
         }
-        throw new HTTPParserError(message, constants.ERROR[ret], data.slice(offset))
       }
     } catch (err) {
       util.destroy(socket, err)
     }
   }
 
+  finish () {
+    assert(currentParser === null)
+    assert(this.ptr != null)
+    assert(!this.paused)
+
+    const { llhttp } = this
+
+    let ret
+
+    try {
+      currentParser = this
+      ret = llhttp.llhttp_finish(this.ptr)
+    } finally {
+      currentParser = null
+    }
+
+    if (ret === constants.ERROR.OK) {
+      return null
+    }
+
+    if (ret === constants.ERROR.PAUSED || ret === constants.ERROR.PAUSED_UPGRADE) {
+      this.paused = true
+      return null
+    }
+
+    return this.createError(ret, EMPTY_BUF)
+  }
+
+  createError (ret, data) {
+    const { llhttp, contentLength, bytesRead } = this
+
+    if (contentLength && bytesRead !== parseInt(contentLength, 10)) {
+      return new ResponseContentLengthMismatchError()
+    }
+
+    const ptr = llhttp.llhttp_get_error_reason(this.ptr)
+    let message = ''
+    if (ptr) {
+      const len = new Uint8Array(llhttp.memory.buffer, ptr).indexOf(0)
+      message =
+        'Response does not match the HTTP/1.1 protocol (' +
+        Buffer.from(llhttp.memory.buffer, ptr, len).toString() +
+        ')'
+    }
+
+    return new HTTPParserError(message, constants.ERROR[ret], data)
+  }
+
   destroy () {
     assert(this.ptr != null)
     assert(currentParser == null)
@@ -673,8 +715,11 @@ async function connectH1 (client, socket) {
     // On Mac OS, we get an ECONNRESET even if there is a full body to be forwarded
     // to the user.
     if (err.code === 'ECONNRESET' && parser.statusCode && !parser.shouldKeepAlive) {
-      // We treat all incoming data so for as a valid response.
-      parser.onMessageComplete()
+      const parserErr = parser.finish()
+      if (parserErr) {
+        this[kError] = parserErr
+        this[kClient][kOnError](parserErr)
+      }
       return
     }
 
@@ -693,8 +738,10 @@ async function connectH1 (client, socket) {
     const parser = this[kParser]
 
     if (parser.statusCode && !parser.shouldKeepAlive) {
-      // We treat all incoming data so far as a valid response.
-      parser.onMessageComplete()
+      const parserErr = parser.finish()
+      if (parserErr) {
+        util.destroy(this, parserErr)
+      }
       return
     }
 
@@ -706,8 +753,7 @@ async function connectH1 (client, socket) {
 
     if (parser) {
       if (!this[kError] && parser.statusCode && !parser.shouldKeepAlive) {
-        // We treat all incoming data so far as a valid response.
-        parser.onMessageComplete()
+        this[kError] = parser.finish() || this[kError]
       }
 
       this[kParser].destroy()
diff --git a/deps/npm/node_modules/undici/package.json b/deps/npm/node_modules/undici/package.json
index 46cb9a8292618f..d1eef502c4169f 100644
--- a/deps/npm/node_modules/undici/package.json
+++ b/deps/npm/node_modules/undici/package.json
@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "6.25.0",
+  "version": "6.26.0",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {
diff --git a/deps/npm/package.json b/deps/npm/package.json
index 67186d5c05daa7..e600a3c0095246 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -1,5 +1,5 @@
 {
-  "version": "11.13.0",
+  "version": "11.16.0",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "workspaces": [
@@ -52,8 +52,8 @@
   },
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
-    "@npmcli/arborist": "^9.4.3",
-    "@npmcli/config": "^10.8.1",
+    "@npmcli/arborist": "^9.7.0",
+    "@npmcli/config": "^10.10.0",
     "@npmcli/fs": "^5.0.0",
     "@npmcli/map-workspaces": "^5.0.3",
     "@npmcli/metavuln-calculator": "^9.0.3",
@@ -71,22 +71,22 @@
     "fs-minipass": "^3.0.3",
     "glob": "^13.0.6",
     "graceful-fs": "^4.2.11",
-    "hosted-git-info": "^9.0.2",
+    "hosted-git-info": "^9.0.3",
     "ini": "^6.0.0",
     "init-package-json": "^8.2.5",
     "is-cidr": "^6.0.4",
     "json-parse-even-better-errors": "^5.0.0",
     "libnpmaccess": "^10.0.3",
-    "libnpmdiff": "^8.1.6",
-    "libnpmexec": "^10.2.6",
-    "libnpmfund": "^7.0.20",
+    "libnpmdiff": "^8.1.9",
+    "libnpmexec": "^10.2.9",
+    "libnpmfund": "^7.0.23",
     "libnpmorg": "^8.0.1",
-    "libnpmpack": "^9.1.6",
-    "libnpmpublish": "^11.1.3",
+    "libnpmpack": "^9.1.9",
+    "libnpmpublish": "^11.2.0",
     "libnpmsearch": "^9.0.1",
     "libnpmteam": "^8.0.2",
-    "libnpmversion": "^8.0.3",
-    "make-fetch-happen": "^15.0.5",
+    "libnpmversion": "^8.0.4",
+    "make-fetch-happen": "^15.0.6",
     "minimatch": "^10.2.5",
     "minipass": "^7.1.3",
     "minipass-pipeline": "^1.2.4",
@@ -106,11 +106,11 @@
     "proc-log": "^6.1.0",
     "qrcode-terminal": "^0.12.0",
     "read": "^5.0.1",
-    "semver": "^7.7.4",
+    "semver": "^7.8.1",
     "spdx-expression-parse": "^4.0.0",
     "ssri": "^13.0.1",
     "supports-color": "^10.2.2",
-    "tar": "^7.5.13",
+    "tar": "^7.5.15",
     "text-table": "~0.2.0",
     "tiny-relative-date": "^2.0.2",
     "treeverse": "^3.0.0",
diff --git a/deps/npm/tap-snapshots/test/lib/commands/completion.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/completion.js.test.cjs
index 43a99252d4200a..12f1c803cd7695 100644
--- a/deps/npm/tap-snapshots/test/lib/commands/completion.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/commands/completion.js.test.cjs
@@ -62,6 +62,7 @@ Array [
   String(
     access
     adduser
+    approve-scripts
     audit
     author
     add
@@ -105,10 +106,16 @@ Array [
     --repo
     --environment
     --env
+    --allow-publish
+    --allow-stage-publish
+    --allow-staged-publish
     --dry-run
     --json
     --registry
     --yes
+    --no-allow-publish
+    --no-allow-stage-publish
+    --no-allow-staged-publish
     --no-dry-run
     --no-json
     --no-yes
@@ -123,10 +130,16 @@ Array [
     --project
     --environment
     --env
+    --allow-publish
+    --allow-stage-publish
+    --allow-staged-publish
     --dry-run
     --json
     --registry
     --yes
+    --no-allow-publish
+    --no-allow-stage-publish
+    --no-allow-staged-publish
     --no-dry-run
     --no-json
     --no-yes
diff --git a/deps/npm/tap-snapshots/test/lib/commands/config.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/config.js.test.cjs
index 6617b3a0827f76..829b64b3f800b6 100644
--- a/deps/npm/tap-snapshots/test/lib/commands/config.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/commands/config.js.test.cjs
@@ -16,7 +16,13 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "access": null,
   "all": false,
   "allow-same-version": false,
+  "allow-directory": "all",
+  "allow-file": "all",
   "allow-git": "all",
+  "allow-remote": "all",
+  "allow-scripts": [
+    ""
+  ],
   "also": null,
   "audit": true,
   "audit-level": null,
@@ -34,6 +40,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "cidr": null,
   "commit-hooks": true,
   "cpu": null,
+  "dangerously-allow-all-scripts": false,
   "depth": null,
   "description": true,
   "dev": false,
@@ -124,6 +131,8 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "pack-destination": ".",
   "packages": [],
   "parseable": false,
+  "allow-scripts-pending": false,
+  "allow-scripts-pin": true,
   "prefer-dedupe": false,
   "prefer-offline": false,
   "prefer-online": false,
@@ -164,6 +173,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "sign-git-commit": false,
   "sign-git-tag": false,
   "strict-peer-deps": false,
+  "strict-allow-scripts": false,
   "strict-ssl": true,
   "tag": "latest",
   "tag-version-prefix": "v",
@@ -192,8 +202,14 @@ exports[`test/lib/commands/config.js TAP config list --long > output matches sna
 _auth = (protected)
 access = null
 all = false
+allow-directory = "all"
+allow-file = "all"
 allow-git = "all"
+allow-remote = "all"
 allow-same-version = false
+allow-scripts = [""]
+allow-scripts-pending = false
+allow-scripts-pin = true
 also = null
 audit = true
 audit-level = null
@@ -213,6 +229,7 @@ cidr = null
 ; color = {COLOR}
 commit-hooks = true
 cpu = null
+dangerously-allow-all-scripts = false
 depth = null
 description = true
 dev = false
@@ -342,6 +359,7 @@ shell = "{SHELL}"
 shrinkwrap = true
 sign-git-commit = false
 sign-git-tag = false
+strict-allow-scripts = false
 strict-peer-deps = false
 strict-ssl = true
 tag = "latest"
diff --git a/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
index e7507118a28f50..143d08dda8ff4b 100644
--- a/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/commands/publish.js.test.cjs
@@ -87,23 +87,25 @@ Array [
 
 exports[`test/lib/commands/publish.js TAP json > new package json 1`] = `
 {
-  "id": "@npmcli/test-package@1.0.0",
-  "name": "@npmcli/test-package",
-  "version": "1.0.0",
-  "size": "{size}",
-  "unpackedSize": 95,
-  "shasum": "{sha}",
-  "integrity": "{integrity}",
-  "filename": "npmcli-test-package-1.0.0.tgz",
-  "files": [
-    {
-      "path": "package.json",
-      "size": "{size}",
-      "mode": 420
-    }
-  ],
-  "entryCount": 1,
-  "bundled": []
+  "@npmcli/test-package": {
+    "id": "@npmcli/test-package@1.0.0",
+    "name": "@npmcli/test-package",
+    "version": "1.0.0",
+    "size": "{size}",
+    "unpackedSize": 95,
+    "shasum": "{sha}",
+    "integrity": "{integrity}",
+    "filename": "npmcli-test-package-1.0.0.tgz",
+    "files": [
+      {
+        "path": "package.json",
+        "size": "{size}",
+        "mode": 420
+      }
+    ],
+    "entryCount": 1,
+    "bundled": []
+  }
 }
 `
 
@@ -154,6 +156,7 @@ Object {
   "man": Array [
     "man/man1/npm-access.1",
     "man/man1/npm-adduser.1",
+    "man/man1/npm-approve-scripts.1",
     "man/man1/npm-audit.1",
     "man/man1/npm-bugs.1",
     "man/man1/npm-cache.1",
@@ -161,6 +164,7 @@ Object {
     "man/man1/npm-completion.1",
     "man/man1/npm-config.1",
     "man/man1/npm-dedupe.1",
+    "man/man1/npm-deny-scripts.1",
     "man/man1/npm-deprecate.1",
     "man/man1/npm-diff.1",
     "man/man1/npm-dist-tag.1",
@@ -204,6 +208,7 @@ Object {
     "man/man1/npm-search.1",
     "man/man1/npm-set.1",
     "man/man1/npm-shrinkwrap.1",
+    "man/man1/npm-stage.1",
     "man/man1/npm-star.1",
     "man/man1/npm-stars.1",
     "man/man1/npm-start.1",
@@ -258,7 +263,7 @@ exports[`test/lib/commands/publish.js TAP no auth dry-run > must match snapshot
 
 exports[`test/lib/commands/publish.js TAP no auth dry-run > warns about auth being needed 1`] = `
 Array [
-  "This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)",
+  "publish This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)",
 ]
 `
 
@@ -266,6 +271,28 @@ exports[`test/lib/commands/publish.js TAP prioritize CLI flags over publishConfi
 + @npmcli/test-package@1.0.0
 `
 
+exports[`test/lib/commands/publish.js TAP private access > must match snapshot 1`] = `
+Array [
+  "package: @npm/test-package@1.0.0",
+  "Tarball Contents",
+  "55B package.json",
+  "Tarball Details",
+  "name: @npm/test-package",
+  "version: 1.0.0",
+  "filename: npm-test-package-1.0.0.tgz",
+  "package size: {size}",
+  "unpacked size: 55 B",
+  "shasum: {sha}",
+  "integrity: {integrity}
+  "total files: 1",
+  "Publishing to https://registry.npmjs.org/ with tag latest and restricted access",
+]
+`
+
+exports[`test/lib/commands/publish.js TAP private access > new package version 1`] = `
++ @npm/test-package@1.0.0
+`
+
 exports[`test/lib/commands/publish.js TAP public access > must match snapshot 1`] = `
 Array [
   "package: @npm/test-package@1.0.0",
diff --git a/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs b/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
index 3db9e9d2473285..72671906850ee0 100644
--- a/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/docs.js.test.cjs
@@ -99,6 +99,7 @@ exports[`test/lib/docs.js TAP command list > commands 1`] = `
 Array [
   "access",
   "adduser",
+  "approve-scripts",
   "audit",
   "bugs",
   "cache",
@@ -106,6 +107,7 @@ Array [
   "completion",
   "config",
   "dedupe",
+  "deny-scripts",
   "deprecate",
   "diff",
   "dist-tag",
@@ -149,6 +151,7 @@ Array [
   "search",
   "set",
   "shrinkwrap",
+  "stage",
   "star",
   "stars",
   "start",
@@ -192,7 +195,7 @@ safer to use a registry-provided authentication bearer token stored in the
 
 * Default: 'public' for new packages, existing packages it will not change the
   current level
-* Type: null, "restricted", or "public"
+* Type: null, "restricted", "public", or "private"
 
 If you do not want your scoped package to be publicly viewable (and
 installable) set \`--access=restricted\`.
@@ -204,6 +207,8 @@ packages. Specifying a value of \`restricted\` or \`public\` during publish will
 change the access for an existing package the same way that \`npm access set
 status\` would.
 
+The value \`private\` is an alias for \`restricted\`.
+
 
 
 #### \`all\`
@@ -217,6 +222,42 @@ upon by the current project.
 
 
 
+#### \`allow-directory\`
+
+* Default: "all"
+* Type: "all", "none", or "root"
+
+Limits the ability for npm to install dependencies from directories. That
+is, dependencies that point to a directory instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
+
+\`all\` allows any directories to be installed. \`none\` prevents any
+directories from being installed. \`root\` only allows directories defined in
+your project's package.json to be installed. Also allows directory
+dependencies to be used for other commands like \`npm view\`
+
+
+
+#### \`allow-file\`
+
+* Default: "all"
+* Type: "all", "none", or "root"
+
+Limits the ability for npm to install dependencies from tarball files. That
+is, dependencies that point to a local tarball file instead of a version or
+semver range. Please note that this could leave your tree incomplete and
+some packages may not function as intended or designed. Changing this
+setting will not remove dependencies that are already installed.
+
+\`all\` allows any tarball file to be installed. \`none\` prevents any tarball
+file from being installed. \`root\` only allows tarball files defined in your
+project's package.json to be installed. Also allows tarball file
+dependencies to be used for other commands like \`npm view\`
+
+
+
 #### \`allow-git\`
 
 * Default: "all"
@@ -225,12 +266,31 @@ upon by the current project.
 Limits the ability for npm to fetch dependencies from git references. That
 is, dependencies that point to a git repo instead of a version or semver
 range. Please note that this could leave your tree incomplete and some
-packages may not function as intended or designed.
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
 
 \`all\` allows any git dependencies to be fetched and installed. \`none\`
 prevents any git dependencies from being fetched and installed. \`root\` only
 allows git dependencies defined in your project's package.json to be fetched
-installed. Also allows git dependencies to be fetched for other commands
+and installed. Also allows git dependencies to be fetched for other commands
+like \`npm view\`
+
+
+
+#### \`allow-remote\`
+
+* Default: "all"
+* Type: "all", "none", or "root"
+
+Limits the ability for npm to fetch dependencies from urls. That is,
+dependencies that point to a tarball url instead of a version or semver
+range. Please note that this could leave your tree incomplete and some
+packages may not function as intended or designed. Changing this setting
+will not remove dependencies that are already installed.
+
+\`all\` allows any url to be installed. \`none\` prevents any url from being
+installed. \`root\` only allows urls defined in your project's package.json to
+be installed. Also allows url dependencies to be used for other commands
 like \`npm view\`
 
 
@@ -245,6 +305,51 @@ to the same value as the current version.
 
 
 
+#### \`allow-scripts\`
+
+* Default: ""
+* Type: String (can be set multiple times)
+
+Comma-separated list of packages whose install-time lifecycle scripts
+(\`preinstall\`, \`install\`, \`postinstall\`, and \`prepare\` for non-registry
+dependencies) are allowed to run.
+
+This setting is intended for one-off and global contexts: \`npm exec\`, \`npx\`,
+and \`npm install -g\`, where no project \`package.json\` is involved. For
+team-wide policy in a project, use the \`allowScripts\` field in
+\`package.json\` (which also supports explicit denials), or configure it in
+\`.npmrc\`. Passing \`--allow-scripts\` on the command line during a
+project-scoped \`npm install\`, \`ci\`, \`update\`, or \`rebuild\` is an error.
+
+Each name is matched against a dependency's resolved identity, not against
+the package's self-reported name. \`--ignore-scripts\` and
+\`--dangerously-allow-all-scripts\` both override this setting.
+
+
+
+#### \`allow-scripts-pending\`
+
+* Default: false
+* Type: Boolean
+
+List packages with install scripts that are not yet covered by the
+\`allowScripts\` policy, without modifying \`package.json\`. Only meaningful for
+\`npm approve-scripts\`.
+
+
+
+#### \`allow-scripts-pin\`
+
+* Default: true
+* Type: Boolean
+
+Write pinned (\`pkg@version\`) entries when approving install scripts. Set to
+\`false\` to write name-only entries that allow any version. Has no effect on
+\`npm deny-scripts\`, which always writes name-only entries regardless of this
+setting.
+
+
+
 #### \`audit\`
 
 * Default: true
@@ -292,7 +397,13 @@ If the requested version is a \`dist-tag\` and the given tag does not pass the
 will be used. For example, \`foo@latest\` might install \`foo@1.2\` even though
 \`latest\` is \`2.0\`.
 
-This config cannot be used with: \`min-release-age\`
+If \`before\` and \`min-release-age\` are both set in the same source, \`before\`
+wins (an explicit absolute date overrides a relative window). Across
+sources, the standard precedence applies (cli > env > project > user >
+global), so a higher-priority source can always relax or override a
+lower-priority one.
+
+
 
 #### \`bin-links\`
 
@@ -434,6 +545,18 @@ are same as \`cpu\` field of package.json, which comes from \`process.arch\`.
 
 
 
+#### \`dangerously-allow-all-scripts\`
+
+* Default: false
+* Type: Boolean
+
+If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+dependency install script regardless of whether it was approved or denied.
+Intended as a migration escape hatch only; its use is strongly discouraged.
+\`--ignore-scripts\` still takes precedence over this setting.
+
+
+
 #### \`depth\`
 
 * Default: \`Infinity\` if \`--all\` is set; otherwise, \`0\`
@@ -1146,9 +1269,11 @@ are no versions available for the current set of dependencies, the command
 will error.
 
 This flag is a complement to \`before\`, which accepts an exact date instead
-of a relative number of days.
-
-This config cannot be used with: \`before\`
+of a relative number of days. The two may coexist (e.g. \`min-release-age\` in
+your \`.npmrc\` is preserved when npm internally spawns a sub-process with
+\`--before\` while preparing a \`git:\` or \`github:\` dependency); when both
+apply, \`before\` wins within a single source and across sources the standard
+precedence rules apply.
 
 This value is not exported to the environment for child processes.
 
@@ -1758,6 +1883,22 @@ this to work properly.
 
 
 
+#### \`strict-allow-scripts\`
+
+* Default: false
+* Type: Boolean
+
+If \`true\`, turn the install-script policy from a warning into a hard error:
+any dependency with install scripts not covered by \`allowScripts\` will fail
+the install instead of running with a notice.
+
+Dependencies explicitly denied with \`false\` in \`allowScripts\` are always
+silently skipped; this setting only affects unreviewed entries.
+\`--ignore-scripts\` and \`--dangerously-allow-all-scripts\` both override this
+setting.
+
+
+
 #### \`strict-peer-deps\`
 
 * Default: false
@@ -2259,7 +2400,11 @@ Array [
   "access",
   "all",
   "allow-same-version",
+  "allow-directory",
+  "allow-file",
   "allow-git",
+  "allow-remote",
+  "allow-scripts",
   "also",
   "audit",
   "audit-level",
@@ -2279,6 +2424,7 @@ Array [
   "color",
   "commit-hooks",
   "cpu",
+  "dangerously-allow-all-scripts",
   "depth",
   "description",
   "dev",
@@ -2368,6 +2514,8 @@ Array [
   "pack-destination",
   "packages",
   "parseable",
+  "allow-scripts-pending",
+  "allow-scripts-pin",
   "prefer-dedupe",
   "prefer-offline",
   "prefer-online",
@@ -2409,6 +2557,7 @@ Array [
   "sign-git-commit",
   "sign-git-tag",
   "strict-peer-deps",
+  "strict-allow-scripts",
   "strict-ssl",
   "tag",
   "tag-version-prefix",
@@ -2436,7 +2585,11 @@ Array [
   "access",
   "all",
   "allow-same-version",
+  "allow-directory",
+  "allow-file",
   "allow-git",
+  "allow-remote",
+  "allow-scripts",
   "also",
   "audit",
   "audit-level",
@@ -2456,6 +2609,7 @@ Array [
   "color",
   "commit-hooks",
   "cpu",
+  "dangerously-allow-all-scripts",
   "depth",
   "description",
   "dev",
@@ -2525,6 +2679,8 @@ Array [
   "pack-destination",
   "packages",
   "parseable",
+  "allow-scripts-pending",
+  "allow-scripts-pin",
   "prefer-dedupe",
   "prefer-offline",
   "prefer-online",
@@ -2565,6 +2721,7 @@ Array [
   "sign-git-commit",
   "sign-git-tag",
   "strict-peer-deps",
+  "strict-allow-scripts",
   "strict-ssl",
   "tag",
   "tag-version-prefix",
@@ -2617,8 +2774,14 @@ Object {
   "_auth": null,
   "access": null,
   "all": false,
+  "allowDirectory": "all",
+  "allowFile": "all",
   "allowGit": "all",
+  "allowRemote": "all",
   "allowSameVersion": false,
+  "allowScripts": Array [],
+  "allowScriptsPending": false,
+  "allowScriptsPin": true,
   "audit": true,
   "auditLevel": null,
   "authType": "web",
@@ -2634,6 +2797,7 @@ Object {
   "color": false,
   "commitHooks": true,
   "cpu": null,
+  "dangerouslyAllowAllScripts": false,
   "defaultTag": "latest",
   "depth": null,
   "diff": Array [],
@@ -2739,6 +2903,7 @@ Object {
   "signGitCommit": false,
   "signGitTag": false,
   "silent": false,
+  "strictAllowScripts": false,
   "strictPeerDeps": false,
   "strictSSL": true,
   "tagVersionPrefix": "v",
@@ -2876,6 +3041,46 @@ Note: This command is unaware of workspaces.
 #### \`auth-type\`
 `
 
+exports[`test/lib/docs.js TAP usage approve-scripts > must match snapshot 1`] = `
+Approve install scripts for specific dependencies
+
+Usage:
+npm approve-scripts  [ ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+
+Options:
+[-a|--all] [--allow-scripts-pending] [--no-allow-scripts-pin] [--json]
+
+  -a|--all
+    When running \`npm outdated\` and \`npm ls\`, setting \`--all\` will show
+
+  --allow-scripts-pending
+    List packages with install scripts that are not yet covered by the
+
+  --allow-scripts-pin
+    Write pinned (\`pkg@version\`) entries when approving install scripts.
+
+  --json
+    Whether or not to output JSON data, rather than the normal output.
+
+
+Run "npm help approve-scripts" for more info
+
+\`\`\`bash
+npm approve-scripts  [ ...]
+npm approve-scripts --all
+npm approve-scripts --allow-scripts-pending
+\`\`\`
+
+Note: This command is unaware of workspaces.
+
+#### \`all\`
+#### \`allow-scripts-pending\`
+#### \`allow-scripts-pin\`
+#### \`json\`
+`
+
 exports[`test/lib/docs.js TAP usage audit > must match snapshot 1`] = `
 Run a security audit
 
@@ -3051,8 +3256,11 @@ Options:
 [--global-style] [--omit  [--omit  ...]]
 [--include  [--include  ...]]
 [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts]
-[--allow-git ] [--no-audit] [--no-bin-links] [--no-fund]
-[--dry-run]
+[--allow-directory ] [--allow-file ]
+[--allow-git ] [--allow-remote ]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts] [--no-audit]
+[--no-bin-links] [--no-fund] [--dry-run]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -3080,9 +3288,27 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -3126,7 +3352,13 @@ aliases: clean-install, ic, install-clean, isntall-clean
 #### \`strict-peer-deps\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`bin-links\`
 #### \`fund\`
@@ -3223,8 +3455,10 @@ Options:
 [--global-style] [--strict-peer-deps] [--no-package-lock]
 [--omit  [--omit  ...]]
 [--include  [--include  ...]]
-[--ignore-scripts] [--allow-git ] [--no-audit] [--no-bin-links]
-[--no-fund] [--dry-run]
+[--ignore-scripts] [--allow-directory ]
+[--allow-file ] [--allow-git ]
+[--allow-remote ] [--no-audit] [--no-bin-links] [--no-fund]
+[--dry-run]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -3252,9 +3486,18 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -3298,7 +3541,10 @@ alias: ddp
 #### \`omit\`
 #### \`include\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
 #### \`audit\`
 #### \`bin-links\`
 #### \`fund\`
@@ -3309,6 +3555,44 @@ alias: ddp
 #### \`install-links\`
 `
 
+exports[`test/lib/docs.js TAP usage deny-scripts > must match snapshot 1`] = `
+Deny install scripts for specific dependencies
+
+Usage:
+npm deny-scripts  [ ...]
+npm deny-scripts --all
+
+Options:
+[-a|--all] [--allow-scripts-pending] [--no-allow-scripts-pin] [--json]
+
+  -a|--all
+    When running \`npm outdated\` and \`npm ls\`, setting \`--all\` will show
+
+  --allow-scripts-pending
+    List packages with install scripts that are not yet covered by the
+
+  --allow-scripts-pin
+    Write pinned (\`pkg@version\`) entries when approving install scripts.
+
+  --json
+    Whether or not to output JSON data, rather than the normal output.
+
+
+Run "npm help deny-scripts" for more info
+
+\`\`\`bash
+npm deny-scripts  [ ...]
+npm deny-scripts --all
+\`\`\`
+
+Note: This command is unaware of workspaces.
+
+#### \`all\`
+#### \`allow-scripts-pending\`
+#### \`allow-scripts-pin\`
+#### \`json\`
+`
+
 exports[`test/lib/docs.js TAP usage deprecate > must match snapshot 1`] = `
 Deprecate a version of a package
 
@@ -3560,6 +3844,8 @@ Options:
 [--package  [--package  ...]] [-c|--call ]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts]
 
   --package
     The package or packages to install for [\`npm exec\`](/commands/npm-exec)
@@ -3576,6 +3862,15 @@ Options:
   --include-workspace-root
     Include the workspace root when workspaces are enabled for a command.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
 
 alias: x
 
@@ -3595,6 +3890,9 @@ alias: x
 #### \`workspace\`
 #### \`workspaces\`
 #### \`include-workspace-root\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 `
 
 exports[`test/lib/docs.js TAP usage explain > must match snapshot 1`] = `
@@ -3948,9 +4246,13 @@ Options:
 [--global-style] [--omit  [--omit  ...]]
 [--include  [--include  ...]]
 [--strict-peer-deps] [--prefer-dedupe] [--no-package-lock] [--package-lock-only]
-[--foreground-scripts] [--ignore-scripts] [--allow-git ]
-[--no-audit] [--before |--min-release-age ] [--no-bin-links]
-[--no-fund] [--dry-run] [--cpu ] [--os ] [--libc ]
+[--foreground-scripts] [--ignore-scripts] [--allow-directory ]
+[--allow-file ] [--allow-git ]
+[--allow-remote ]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts] [--no-audit]
+[--before ] [--min-release-age ] [--no-bin-links] [--no-fund]
+[--dry-run] [--cpu ] [--os ] [--libc ]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -3996,9 +4298,27 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -4063,7 +4383,13 @@ aliases: add, i, in, ins, inst, insta, instal, isnt, isnta, isntal, isntall
 #### \`package-lock-only\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`before\`
 #### \`min-release-age\`
@@ -4090,8 +4416,11 @@ Options:
 [--global-style] [--omit  [--omit  ...]]
 [--include  [--include  ...]]
 [--strict-peer-deps] [--foreground-scripts] [--ignore-scripts]
-[--allow-git ] [--no-audit] [--no-bin-links] [--no-fund]
-[--dry-run]
+[--allow-directory ] [--allow-file ]
+[--allow-git ] [--allow-remote ]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts] [--no-audit]
+[--no-bin-links] [--no-fund] [--dry-run]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -4119,9 +4448,27 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -4165,7 +4512,13 @@ aliases: cit, clean-install-test, sit
 #### \`strict-peer-deps\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`bin-links\`
 #### \`fund\`
@@ -4189,9 +4542,13 @@ Options:
 [--global-style] [--omit  [--omit  ...]]
 [--include  [--include  ...]]
 [--strict-peer-deps] [--prefer-dedupe] [--no-package-lock] [--package-lock-only]
-[--foreground-scripts] [--ignore-scripts] [--allow-git ]
-[--no-audit] [--before |--min-release-age ] [--no-bin-links]
-[--no-fund] [--dry-run] [--cpu ] [--os ] [--libc ]
+[--foreground-scripts] [--ignore-scripts] [--allow-directory ]
+[--allow-file ] [--allow-git ]
+[--allow-remote ]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts] [--no-audit]
+[--before ] [--min-release-age ] [--no-bin-links] [--no-fund]
+[--dry-run] [--cpu ] [--os ] [--libc ]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -4237,9 +4594,27 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -4304,7 +4679,13 @@ alias: it
 #### \`package-lock-only\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`before\`
 #### \`min-release-age\`
@@ -4333,8 +4714,10 @@ Options:
 [--global-style] [--strict-peer-deps] [--no-package-lock]
 [--omit  [--omit  ...]]
 [--include  [--include  ...]]
-[--ignore-scripts] [--allow-git ] [--no-audit] [--no-bin-links]
-[--no-fund] [--dry-run]
+[--ignore-scripts] [--allow-directory ]
+[--allow-file ] [--allow-git ]
+[--allow-remote ] [--no-audit] [--no-bin-links] [--no-fund]
+[--dry-run]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -4371,9 +4754,18 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-directory
+    Limits the ability for npm to install dependencies from directories.
+
+  --allow-file
+    Limits the ability for npm to install dependencies from tarball files.
+
   --allow-git
     Limits the ability for npm to fetch dependencies from git references.
 
+  --allow-remote
+    Limits the ability for npm to fetch dependencies from urls.
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
@@ -4420,7 +4812,10 @@ alias: ln
 #### \`omit\`
 #### \`include\`
 #### \`ignore-scripts\`
+#### \`allow-directory\`
+#### \`allow-file\`
 #### \`allow-git\`
+#### \`allow-remote\`
 #### \`audit\`
 #### \`bin-links\`
 #### \`fund\`
@@ -4739,7 +5134,7 @@ npm outdated [ ...]
 Options:
 [-a|--all] [--json] [-l|--long] [-p|--parseable] [-g|--global]
 [-w|--workspace  [-w|--workspace  ...]]
-[--before |--min-release-age ]
+[--before ] [--min-release-age ]
 
   -a|--all
     When running \`npm outdated\` and \`npm ls\`, setting \`--all\` will show
@@ -4762,6 +5157,9 @@ Options:
   --before
     If passed to \`npm install\`, will rebuild the npm tree such that only
 
+  --min-release-age
+    If set, npm will build the npm tree such that only versions that were
+
 
 Run "npm help outdated" for more info
 
@@ -5076,7 +5474,7 @@ Usage:
 npm publish 
 
 Options:
-[--tag ] [--access ] [--dry-run] [--otp ]
+[--tag ] [--access ] [--dry-run] [--otp ]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--provenance|--provenance-file ]
 
@@ -5176,6 +5574,8 @@ npm rebuild [] ...]
 
 Options:
 [-g|--global] [--no-bin-links] [--foreground-scripts] [--ignore-scripts]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -5191,6 +5591,15 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   -w|--workspace
     Enable running a command in the context of the configured workspaces of the
 
@@ -5218,6 +5627,9 @@ alias: rb
 #### \`bin-links\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`workspace\`
 #### \`workspaces\`
 #### \`include-workspace-root\`
@@ -5528,6 +5940,61 @@ Note: This command is unaware of workspaces.
 NO PARAMS
 `
 
+exports[`test/lib/docs.js TAP usage stage > must match snapshot 1`] = `
+Stage packages for publishing, deferring proof-of-presence (2FA) to a later point in time
+
+Usage:
+npm stage
+npm stage publish 
+npm stage list []
+npm stage view 
+npm stage approve 
+npm stage reject 
+npm stage download 
+
+Subcommands:
+  publish
+    Stage a package for publishing, deferring proof-of-presence (2FA) to a later point in time
+
+  list
+    List all staged package versions
+
+  view
+    View details of a specific staged package
+
+  approve
+    Approve a staged package, publishing it to the npm registry
+
+  reject
+    Reject a staged package, removing it from the registry
+
+  download
+    Download the tarball of a staged package for inspection
+
+Run "npm stage  --help" for more info on a subcommand.
+
+Run "npm help stage" for more info
+
+\`\`\`bash
+npm stage
+\`\`\`
+
+Note: This command is unaware of workspaces.
+
+#### Synopsis
+#### Flags
+#### Synopsis
+#### Flags
+#### Synopsis
+#### Flags
+#### Synopsis
+#### Flags
+#### Synopsis
+#### Flags
+#### Synopsis
+#### Flags
+`
+
 exports[`test/lib/docs.js TAP usage star > must match snapshot 1`] = `
 Mark your favorite packages
 
@@ -5804,9 +6271,9 @@ exports[`test/lib/docs.js TAP usage trust > must match snapshot 1`] = `
 Create a trusted relationship between a package and a OIDC provider
 
 Usage:
-npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes]
-npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes]
-npm trust circleci [package] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  [--context-id ...] [-y|--yes]
+npm trust github [package] --file [--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]
+npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [--allow-publish] [--allow-stage-publish] [-y|--yes]
+npm trust circleci [package] --org-id  --project-id  --pipeline-definition-id  --vcs-origin  [--context-id ...] [--allow-publish] [--allow-stage-publish] [-y|--yes]
 npm trust list [package]
 npm trust revoke [package] --id=
 
@@ -6006,8 +6473,11 @@ Options:
 [--omit  [--omit  ...]]
 [--include  [--include  ...]]
 [--strict-peer-deps] [--no-package-lock] [--foreground-scripts]
-[--ignore-scripts] [--no-audit] [--before |--min-release-age ]
-[--no-bin-links] [--no-fund] [--dry-run]
+[--ignore-scripts]
+[--allow-scripts  [--allow-scripts  ...]]
+[--strict-allow-scripts] [--dangerously-allow-all-scripts] [--no-audit]
+[--before ] [--min-release-age ] [--no-bin-links] [--no-fund]
+[--dry-run]
 [-w|--workspace  [-w|--workspace  ...]]
 [--workspaces] [--include-workspace-root] [--install-links]
 
@@ -6044,12 +6514,24 @@ Options:
   --ignore-scripts
     If true, npm does not run scripts specified in package.json files.
 
+  --allow-scripts
+    Comma-separated list of packages whose install-time lifecycle scripts
+
+  --strict-allow-scripts
+    If \`true\`, turn the install-script policy from a warning into a hard
+
+  --dangerously-allow-all-scripts
+    If \`true\`, bypass the \`allowScripts\` policy entirely and run every
+
   --audit
     When "true" submit audit reports alongside the current npm command to the
 
   --before
     If passed to \`npm install\`, will rebuild the npm tree such that only
 
+  --min-release-age
+    If set, npm will build the npm tree such that only versions that were
+
   --bin-links
     Tells npm to create symlinks (or \`.cmd\` shims on Windows) for package
 
@@ -6093,6 +6575,9 @@ aliases: u, up, upgrade, udpate
 #### \`package-lock\`
 #### \`foreground-scripts\`
 #### \`ignore-scripts\`
+#### \`allow-scripts\`
+#### \`strict-allow-scripts\`
+#### \`dangerously-allow-all-scripts\`
 #### \`audit\`
 #### \`before\`
 #### \`min-release-age\`
diff --git a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
index 888af047882fa7..dc1c95cd3c5763 100644
--- a/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/npm.js.test.cjs
@@ -31,16 +31,16 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit, bugs, cache, ci, completion,
-    config, dedupe, deprecate, diff, dist-tag, docs, doctor,
-    edit, exec, explain, explore, find-dupes, fund, get, help,
-    help-search, init, install, install-ci-test, install-test,
-    link, ll, login, logout, ls, org, outdated, owner, pack,
-    ping, pkg, prefix, profile, prune, publish, query, rebuild,
-    repo, restart, root, run, sbom, search, set, shrinkwrap,
-    star, stars, start, stop, team, test, token, trust,
-    undeprecate, uninstall, unpublish, unstar, update, version,
-    view, whoami
+    access, adduser, approve-scripts, audit, bugs, cache, ci,
+    completion, config, dedupe, deny-scripts, deprecate, diff,
+    dist-tag, docs, doctor, edit, exec, explain, explore,
+    find-dupes, fund, get, help, help-search, init, install,
+    install-ci-test, install-test, link, ll, login, logout, ls,
+    org, outdated, owner, pack, ping, pkg, prefix, profile,
+    prune, publish, query, rebuild, repo, restart, root, run,
+    sbom, search, set, shrinkwrap, stage, star, stars, start,
+    stop, team, test, token, trust, undeprecate, uninstall,
+    unpublish, unstar, update, version, view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -69,9 +69,11 @@ npm help npm       more involved overview
 All commands:
 
     access, adduser,
-    audit, bugs, cache, ci,
+    approve-scripts, audit,
+    bugs, cache, ci,
     completion, config,
-    dedupe, deprecate, diff,
+    dedupe, deny-scripts,
+    deprecate, diff,
     dist-tag, docs, doctor,
     edit, exec, explain,
     explore, find-dupes,
@@ -87,13 +89,13 @@ All commands:
     query, rebuild, repo,
     restart, root, run,
     sbom, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, trust,
-    undeprecate, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    shrinkwrap, stage, star,
+    stars, start, stop,
+    team, test, token,
+    trust, undeprecate,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -122,9 +124,11 @@ npm help npm       more involved overview
 All commands:
 
     access, adduser,
-    audit, bugs, cache, ci,
+    approve-scripts, audit,
+    bugs, cache, ci,
     completion, config,
-    dedupe, deprecate, diff,
+    dedupe, deny-scripts,
+    deprecate, diff,
     dist-tag, docs, doctor,
     edit, exec, explain,
     explore, find-dupes,
@@ -140,13 +144,13 @@ All commands:
     query, rebuild, repo,
     restart, root, run,
     sbom, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, trust,
-    undeprecate, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    shrinkwrap, stage, star,
+    stars, start, stop,
+    team, test, token,
+    trust, undeprecate,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -174,16 +178,16 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit, bugs, cache, ci, completion,
-    config, dedupe, deprecate, diff, dist-tag, docs, doctor,
-    edit, exec, explain, explore, find-dupes, fund, get, help,
-    help-search, init, install, install-ci-test, install-test,
-    link, ll, login, logout, ls, org, outdated, owner, pack,
-    ping, pkg, prefix, profile, prune, publish, query, rebuild,
-    repo, restart, root, run, sbom, search, set, shrinkwrap,
-    star, stars, start, stop, team, test, token, trust,
-    undeprecate, uninstall, unpublish, unstar, update, version,
-    view, whoami
+    access, adduser, approve-scripts, audit, bugs, cache, ci,
+    completion, config, dedupe, deny-scripts, deprecate, diff,
+    dist-tag, docs, doctor, edit, exec, explain, explore,
+    find-dupes, fund, get, help, help-search, init, install,
+    install-ci-test, install-test, link, ll, login, logout, ls,
+    org, outdated, owner, pack, ping, pkg, prefix, profile,
+    prune, publish, query, rebuild, repo, restart, root, run,
+    sbom, search, set, shrinkwrap, stage, star, stars, start,
+    stop, team, test, token, trust, undeprecate, uninstall,
+    unpublish, unstar, update, version, view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -212,9 +216,11 @@ npm help npm       more involved overview
 All commands:
 
     access, adduser,
-    audit, bugs, cache, ci,
+    approve-scripts, audit,
+    bugs, cache, ci,
     completion, config,
-    dedupe, deprecate, diff,
+    dedupe, deny-scripts,
+    deprecate, diff,
     dist-tag, docs, doctor,
     edit, exec, explain,
     explore, find-dupes,
@@ -230,13 +236,13 @@ All commands:
     query, rebuild, repo,
     restart, root, run,
     sbom, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, trust,
-    undeprecate, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    shrinkwrap, stage, star,
+    stars, start, stop,
+    team, test, token,
+    trust, undeprecate,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -265,9 +271,11 @@ npm help npm       more involved overview
 All commands:
 
     access, adduser,
-    audit, bugs, cache, ci,
+    approve-scripts, audit,
+    bugs, cache, ci,
     completion, config,
-    dedupe, deprecate, diff,
+    dedupe, deny-scripts,
+    deprecate, diff,
     dist-tag, docs, doctor,
     edit, exec, explain,
     explore, find-dupes,
@@ -283,13 +291,13 @@ All commands:
     query, rebuild, repo,
     restart, root, run,
     sbom, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, trust,
-    undeprecate, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    shrinkwrap, stage, star,
+    stars, start, stop,
+    team, test, token,
+    trust, undeprecate,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -317,10 +325,12 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit,
+    access, adduser,
+    approve-scripts, audit,
     bugs, cache, ci,
     completion, config,
-    dedupe, deprecate, diff,
+    dedupe, deny-scripts,
+    deprecate, diff,
     dist-tag, docs, doctor,
     edit, exec, explain,
     explore, find-dupes,
@@ -335,8 +345,9 @@ All commands:
     query, rebuild, repo,
     restart, root, run, sbom,
     search, set, shrinkwrap,
-    star, stars, start, stop,
-    team, test, token, trust,
+    stage, star, stars,
+    start, stop, team, test,
+    token, trust,
     undeprecate, uninstall,
     unpublish, unstar,
     update, version, view,
@@ -368,16 +379,16 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit, bugs, cache, ci, completion,
-    config, dedupe, deprecate, diff, dist-tag, docs, doctor,
-    edit, exec, explain, explore, find-dupes, fund, get, help,
-    help-search, init, install, install-ci-test, install-test,
-    link, ll, login, logout, ls, org, outdated, owner, pack,
-    ping, pkg, prefix, profile, prune, publish, query, rebuild,
-    repo, restart, root, run, sbom, search, set, shrinkwrap,
-    star, stars, start, stop, team, test, token, trust,
-    undeprecate, uninstall, unpublish, unstar, update, version,
-    view, whoami
+    access, adduser, approve-scripts, audit, bugs, cache, ci,
+    completion, config, dedupe, deny-scripts, deprecate, diff,
+    dist-tag, docs, doctor, edit, exec, explain, explore,
+    find-dupes, fund, get, help, help-search, init, install,
+    install-ci-test, install-test, link, ll, login, logout, ls,
+    org, outdated, owner, pack, ping, pkg, prefix, profile,
+    prune, publish, query, rebuild, repo, restart, root, run,
+    sbom, search, set, shrinkwrap, stage, star, stars, start,
+    stop, team, test, token, trust, undeprecate, uninstall,
+    unpublish, unstar, update, version, view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -405,16 +416,16 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit, bugs, cache, ci, completion,
-    config, dedupe, deprecate, diff, dist-tag, docs, doctor,
-    edit, exec, explain, explore, find-dupes, fund, get, help,
-    help-search, init, install, install-ci-test, install-test,
-    link, ll, login, logout, ls, org, outdated, owner, pack,
-    ping, pkg, prefix, profile, prune, publish, query, rebuild,
-    repo, restart, root, run, sbom, search, set, shrinkwrap,
-    star, stars, start, stop, team, test, token, trust,
-    undeprecate, uninstall, unpublish, unstar, update, version,
-    view, whoami
+    access, adduser, approve-scripts, audit, bugs, cache, ci,
+    completion, config, dedupe, deny-scripts, deprecate, diff,
+    dist-tag, docs, doctor, edit, exec, explain, explore,
+    find-dupes, fund, get, help, help-search, init, install,
+    install-ci-test, install-test, link, ll, login, logout, ls,
+    org, outdated, owner, pack, ping, pkg, prefix, profile,
+    prune, publish, query, rebuild, repo, restart, root, run,
+    sbom, search, set, shrinkwrap, stage, star, stars, start,
+    stop, team, test, token, trust, undeprecate, uninstall,
+    unpublish, unstar, update, version, view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -442,16 +453,16 @@ npm help npm       more involved overview
 
 All commands:
 
-    access, adduser, audit, bugs, cache, ci, completion,
-    config, dedupe, deprecate, diff, dist-tag, docs, doctor,
-    edit, exec, explain, explore, find-dupes, fund, get, help,
-    help-search, init, install, install-ci-test, install-test,
-    link, ll, login, logout, ls, org, outdated, owner, pack,
-    ping, pkg, prefix, profile, prune, publish, query, rebuild,
-    repo, restart, root, run, sbom, search, set, shrinkwrap,
-    star, stars, start, stop, team, test, token, trust,
-    undeprecate, uninstall, unpublish, unstar, update, version,
-    view, whoami
+    access, adduser, approve-scripts, audit, bugs, cache, ci,
+    completion, config, dedupe, deny-scripts, deprecate, diff,
+    dist-tag, docs, doctor, edit, exec, explain, explore,
+    find-dupes, fund, get, help, help-search, init, install,
+    install-ci-test, install-test, link, ll, login, logout, ls,
+    org, outdated, owner, pack, ping, pkg, prefix, profile,
+    prune, publish, query, rebuild, repo, restart, root, run,
+    sbom, search, set, shrinkwrap, stage, star, stars, start,
+    stop, team, test, token, trust, undeprecate, uninstall,
+    unpublish, unstar, update, version, view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
diff --git a/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
index 8bc81cc4f69c15..124478bc829938 100644
--- a/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs
@@ -142,6 +142,66 @@ exports[`test/lib/utils/sbom-cyclonedx.js TAP node - with duplicate deps > must
 }
 `
 
+exports[`test/lib/utils/sbom-cyclonedx.js TAP node - with duplicate edges to same dep > must match snapshot 1`] = `
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-01-01T00:00:00.000Z",
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "tools": [
+      {
+        "vendor": "npm",
+        "name": "cli",
+        "version": "10.0.0 "
+      }
+    ],
+    "component": {
+      "bom-ref": "root@1.0.0",
+      "type": "library",
+      "name": "root",
+      "version": "1.0.0",
+      "scope": "required",
+      "author": "Author",
+      "purl": "pkg:npm/root@1.0.0",
+      "properties": [],
+      "externalReferences": []
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "dep1@0.0.1",
+      "type": "library",
+      "name": "dep1",
+      "version": "0.0.1",
+      "scope": "required",
+      "purl": "pkg:npm/dep1@0.0.1",
+      "properties": [],
+      "externalReferences": []
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "root@1.0.0",
+      "dependsOn": [
+        "dep1@0.0.1"
+      ]
+    },
+    {
+      "ref": "dep1@0.0.1",
+      "dependsOn": []
+    }
+  ]
+}
+`
+
 exports[`test/lib/utils/sbom-cyclonedx.js TAP single node - application package type > must match snapshot 1`] = `
 {
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
diff --git a/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
index 26931d78124a70..6adb6d26de1435 100644
--- a/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
+++ b/deps/npm/tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs
@@ -271,6 +271,73 @@ exports[`test/lib/utils/sbom-spdx.js TAP node - with duplicate deps > must match
 }
 `
 
+exports[`test/lib/utils/sbom-spdx.js TAP node - with duplicate edges to same dep > must match snapshot 1`] = `
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "root@1.0.0",
+  "documentNamespace": "docns",
+  "creationInfo": {
+    "created": "2020-01-01T00:00:00.000Z",
+    "creators": [
+      "Tool: npm/cli-10.0.0 "
+    ]
+  },
+  "documentDescribes": [
+    "SPDXRef-Package-root-1.0.0"
+  ],
+  "packages": [
+    {
+      "name": "root",
+      "SPDXID": "SPDXRef-Package-root-1.0.0",
+      "versionInfo": "1.0.0",
+      "packageFileName": "",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/root@1.0.0"
+        }
+      ]
+    },
+    {
+      "name": "dep1",
+      "SPDXID": "SPDXRef-Package-dep1-0.0.1",
+      "versionInfo": "0.0.1",
+      "packageFileName": "node_modules/dep1",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/dep1@0.0.1"
+        }
+      ]
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Package-root-1.0.0",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-dep1-0.0.1",
+      "relatedSpdxElement": "SPDXRef-Package-root-1.0.0",
+      "relationshipType": "DEPENDENCY_OF"
+    }
+  ]
+}
+`
+
 exports[`test/lib/utils/sbom-spdx.js TAP single node - application package type > must match snapshot 1`] = `
 {
   "spdxVersion": "SPDX-2.3",
diff --git a/deps/npm/test/lib/commands/approve-scripts.js b/deps/npm/test/lib/commands/approve-scripts.js
new file mode 100644
index 00000000000000..dde7a358b12e2b
--- /dev/null
+++ b/deps/npm/test/lib/commands/approve-scripts.js
@@ -0,0 +1,562 @@
+const t = require('tap')
+const fs = require('node:fs')
+const { resolve } = require('node:path')
+const _mockNpm = require('../../fixtures/mock-npm')
+
+const mockNpm = async (t, opts = {}) => {
+  return _mockNpm(t, opts)
+}
+
+const setupProject = ({ allowScripts, withScripts = ['canvas'] } = {}) => {
+  const pkg = {
+    name: 'host',
+    version: '1.0.0',
+    dependencies: Object.fromEntries(withScripts.map((n) => [n, '*'])),
+  }
+  if (allowScripts !== undefined) {
+    pkg.allowScripts = allowScripts
+  }
+
+  const lockPackages = { '': pkg }
+  const nodeModules = {}
+  for (const name of withScripts) {
+    const tarUrl = `https://registry.npmjs.org/${name}/-/${name}-1.0.0.tgz`
+    nodeModules[name] = {
+      'package.json': JSON.stringify({
+        name,
+        version: '1.0.0',
+        scripts: { install: 'echo install' },
+      }),
+    }
+    lockPackages[`node_modules/${name}`] = {
+      version: '1.0.0',
+      resolved: tarUrl,
+      hasInstallScript: true,
+    }
+  }
+
+  return {
+    'package.json': JSON.stringify(pkg, null, 2),
+    'package-lock.json': JSON.stringify({
+      name: pkg.name,
+      version: pkg.version,
+      lockfileVersion: 3,
+      requires: true,
+      packages: lockPackages,
+    }),
+    node_modules: nodeModules,
+  }
+}
+
+t.test('approve-scripts --pending lists unreviewed packages', async t => {
+  const { npm, joinedOutput } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas', 'sharp'] }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await npm.exec('approve-scripts', [])
+  const out = joinedOutput()
+  t.match(out, /2 packages have install scripts not yet covered/)
+  t.match(out, /canvas@1\.0\.0/)
+  t.match(out, /sharp@1\.0\.0/)
+})
+
+t.test('approve-scripts --pending with no unreviewed says so', async t => {
+  const { npm, joinedOutput } = await mockNpm(t, {
+    prefixDir: setupProject({
+      allowScripts: { canvas: true },
+      withScripts: ['canvas'],
+    }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await npm.exec('approve-scripts', [])
+  t.match(joinedOutput(), /No packages with unreviewed install scripts/)
+})
+
+t.test('approve-scripts  writes pinned entry by default', async t => {
+  const { npm, prefix } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+  })
+  await npm.exec('approve-scripts', ['canvas'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+})
+
+t.test('approve-scripts  --no-pin writes name-only entry', async t => {
+  const { npm, prefix } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+    config: { 'allow-scripts-pin': false },
+  })
+  await npm.exec('approve-scripts', ['canvas'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { canvas: true })
+})
+
+t.test('approve-scripts --all approves every unreviewed package', async t => {
+  const { npm, prefix } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas', 'sharp'] }),
+    config: { all: true },
+  })
+  await npm.exec('approve-scripts', [])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, {
+    'canvas@1.0.0': true,
+    'sharp@1.0.0': true,
+  })
+})
+
+t.test('approve-scripts errors on unknown package', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+  })
+  await t.rejects(
+    npm.exec('approve-scripts', ['not-installed']),
+    { code: 'ENOMATCH' }
+  )
+})
+
+t.test('approve-scripts respects existing deny entry', async t => {
+  const { npm, prefix, logs } = await mockNpm(t, {
+    prefixDir: setupProject({
+      withScripts: ['canvas'],
+      allowScripts: { canvas: false },
+    }),
+  })
+  await npm.exec('approve-scripts', ['canvas'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  // Deny wins; unchanged.
+  t.strictSame(pkg.allowScripts, { canvas: false })
+  t.match(logs.warn.byTitle('approve-scripts'), [/canvas is denied/])
+})
+
+t.test('approve-scripts requires positional args, --all, or --pending', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+  })
+  await t.rejects(npm.exec('approve-scripts', []), { code: 'EUSAGE' })
+})
+
+t.test('approve-scripts --pending cannot be combined with positional', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await t.rejects(npm.exec('approve-scripts', ['canvas']), { code: 'EUSAGE' })
+})
+
+t.test('approve-scripts fails on global', async t => {
+  const { npm } = await mockNpm(t, {
+    config: { global: true },
+  })
+  await t.rejects(npm.exec('approve-scripts', ['canvas']), { code: 'EGLOBAL' })
+})
+
+t.test('approve-scripts --json outputs structured summary', async t => {
+  const { npm, joinedOutput } = await mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+    config: { json: true },
+  })
+  await npm.exec('approve-scripts', ['canvas'])
+  const parsed = JSON.parse(joinedOutput())
+  t.match(parsed, {
+    allowScripts: [{ name: 'canvas', changes: [{ key: 'canvas@1.0.0', change: 'added' }] }],
+  })
+})
+
+t.test('approve-scripts --all with no unreviewed packages prints message', async t => {
+  const { npm, joinedOutput } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'host', version: '1.0.0' }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: { '': { name: 'host', version: '1.0.0' } },
+      }),
+      node_modules: {},
+    },
+    config: { all: true },
+  })
+  await npm.exec('approve-scripts', [])
+  t.match(joinedOutput(), /No packages with unreviewed install scripts/)
+})
+
+t.test('approve-scripts  on a package already at the right pin is no-op', async t => {
+  const { npm, prefix, joinedOutput } = await _mockNpm(t, {
+    prefixDir: setupProject({
+      withScripts: ['canvas'],
+      allowScripts: { 'canvas@1.0.0': true },
+    }),
+  })
+  await npm.exec('approve-scripts', ['canvas'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'canvas@1.0.0': true })
+  t.match(joinedOutput(), /Nothing to approve/)
+})
+
+t.test('approve-scripts --pending with single package uses singular wording', async t => {
+  const { npm, joinedOutput } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await npm.exec('approve-scripts', [])
+  t.match(joinedOutput(), /1 package has install scripts/)
+})
+
+t.test('approve-scripts --pending lists package with no version', async t => {
+  // Use a fixture where the lockfile records a synthetic node without a version
+  const { npm } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['canvas'] }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await npm.exec('approve-scripts', [])
+  // Just exercising; no assertion needed for additional coverage.
+  t.pass()
+})
+
+t.test('approve-scripts groups multiple installed versions of the same package', async t => {
+  // Two versions of lodash exist in the tree; both have install scripts.
+  // groupByPackage should put them in the same group (hits the
+  // `if (!groups[key])` falsy branch on the second node).
+  const { npm, prefix } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { 'top-of-tree': '*' },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { 'top-of-tree': '*' } },
+          'node_modules/lodash': {
+            version: '4.17.21',
+            resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
+            hasInstallScript: true,
+          },
+          'node_modules/top-of-tree': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/top-of-tree/-/top-of-tree-1.0.0.tgz',
+            dependencies: { lodash: '3.10.1' },
+          },
+          'node_modules/top-of-tree/node_modules/lodash': {
+            version: '3.10.1',
+            resolved: 'https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz',
+            hasInstallScript: true,
+          },
+        },
+      }),
+      node_modules: {
+        lodash: {
+          'package.json': JSON.stringify({
+            name: 'lodash',
+            version: '4.17.21',
+            scripts: { install: 'echo install' },
+          }),
+        },
+        'top-of-tree': {
+          'package.json': JSON.stringify({ name: 'top-of-tree', version: '1.0.0' }),
+          node_modules: {
+            lodash: {
+              'package.json': JSON.stringify({
+                name: 'lodash',
+                version: '3.10.1',
+                scripts: { install: 'echo install' },
+              }),
+            },
+          },
+        },
+      },
+    },
+  })
+  await npm.exec('approve-scripts', ['lodash'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  // Both versions get pinned.
+  t.strictSame(pkg.allowScripts, {
+    'lodash@3.10.1': true,
+    'lodash@4.17.21': true,
+  })
+})
+
+t.test('approve-scripts --pending handles node with no version', async t => {
+  // Exercise the ternary's falsy branch in runPending: `node.version ? '@'... : ''`
+  // when the node has no version field.
+  const mockSync = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'host', version: '1.0.0' }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: { '': { name: 'host', version: '1.0.0' } },
+      }),
+      node_modules: {},
+    },
+    config: { 'allow-scripts-pending': true },
+    mocks: {
+      // Make the walker return a synthetic node with no version
+      '{LIB}/utils/check-allow-scripts.js': async () => [{
+        node: { packageName: 'no-version-pkg', name: 'no-version-pkg', version: undefined },
+        scripts: { install: 'do-stuff' },
+      }],
+    },
+  })
+  await mockSync.npm.exec('approve-scripts', [])
+  // Output should mention the package without an @version suffix.
+  t.match(mockSync.joinedOutput(), / no-version-pkg \(install: do-stuff\)/)
+})
+
+t.test('forbidden semver range in package.json#allowScripts is dropped with a warning', async t => {
+  // End-to-end: project declares a caret range in allowScripts. The
+  // resolver must drop the entry, emit a warning, and the matching node
+  // must remain unreviewed (listed by --pending).
+  const mock = await _mockNpm(t, {
+    prefixDir: setupProject({
+      withScripts: ['canvas'],
+      // ^0.33.0 is a forbidden range per RFC.
+      allowScripts: { 'canvas@^0.33.0': true },
+    }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await mock.npm.exec('approve-scripts', [])
+
+  const warnings = mock.logs.warn.byTitle('allow-scripts')
+  t.ok(
+    warnings.some(m => /semver ranges/.test(m) && /canvas@\^0\.33\.0/.test(m)),
+    'resolver emits warning about forbidden range'
+  )
+  // canvas was installed with version 1.0.0 (setupProject default) and
+  // the forbidden allowlist entry was dropped, so canvas appears in the
+  // pending list.
+  t.match(mock.joinedOutput(), /canvas@1\.0\.0/)
+})
+
+t.test('approve-scripts --pending lists packages that only have binding.gyp', async t => {
+  // End-to-end: a package with no preinstall/install/postinstall but a
+  // binding.gyp on disk gets a synthetic `node-gyp rebuild` install
+  // script. The runtime isNodeGypPackage check must see it and surface
+  // the package in --pending output.
+  const mock = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { 'native-pkg': '*' },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { 'native-pkg': '*' } },
+          'node_modules/native-pkg': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/native-pkg/-/native-pkg-1.0.0.tgz',
+            // No hasInstallScript — the synthetic node-gyp injection is
+            // what we want this test to exercise.
+          },
+        },
+      }),
+      node_modules: {
+        'native-pkg': {
+          'package.json': JSON.stringify({ name: 'native-pkg', version: '1.0.0' }),
+          // The file that triggers isNodeGypPackage to return true.
+          'binding.gyp': '{}',
+        },
+      },
+    },
+    config: { 'allow-scripts-pending': true },
+  })
+  await mock.npm.exec('approve-scripts', [])
+
+  const out = mock.joinedOutput()
+  t.match(out, /native-pkg@1\.0\.0/, 'binding.gyp-only package appears in --pending')
+  t.match(out, /install: node-gyp rebuild/, 'synthetic node-gyp install is named')
+})
+
+t.test('approve-scripts --all skips bundled deps with a notice', async t => {
+  // Bundled deps cannot be allowlisted in Phase 1 (RFC defers their
+  // allowlisting to a follow-up). --all must not silently write a key
+  // derived from the bundled tarball's self-claimed identity.
+  const { npm, logs, prefix } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { 'parent-pkg': '*' },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { 'parent-pkg': '*' } },
+          'node_modules/parent-pkg': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/parent-pkg/-/parent-pkg-1.0.0.tgz',
+            hasInstallScript: true,
+          },
+          'node_modules/parent-pkg/node_modules/inner': {
+            version: '1.0.0',
+            inBundle: true,
+            hasInstallScript: true,
+          },
+        },
+      }),
+      node_modules: {
+        'parent-pkg': {
+          'package.json': JSON.stringify({
+            name: 'parent-pkg',
+            version: '1.0.0',
+            scripts: { install: 'echo install' },
+            bundleDependencies: ['inner'],
+          }),
+          node_modules: {
+            inner: {
+              'package.json': JSON.stringify({
+                name: 'inner',
+                version: '1.0.0',
+                scripts: { install: 'echo bundled-install' },
+              }),
+            },
+          },
+        },
+      },
+    },
+    config: { all: true },
+  })
+  await npm.exec('approve-scripts', [])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  // parent-pkg is approvable. inner is bundled and must be excluded.
+  t.equal(pkg.allowScripts['parent-pkg@1.0.0'], true,
+    'non-bundled parent gets approved')
+  t.notOk(Object.keys(pkg.allowScripts).some(k => k.startsWith('inner')),
+    'bundled inner is not approved')
+  t.match(logs.warn.byTitle('approve-scripts'), [/Skipping 1 bundled dependency/])
+})
+
+t.test('approve-scripts  positional is ignored', async t => {
+  // Same protection on the positional path: a user typing a bundled
+  // package name must not get a policy entry written.
+  const { npm } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { 'parent-pkg': '*' },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { 'parent-pkg': '*' } },
+          'node_modules/parent-pkg': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/parent-pkg/-/parent-pkg-1.0.0.tgz',
+            hasInstallScript: true,
+          },
+          'node_modules/parent-pkg/node_modules/inner': {
+            version: '1.0.0',
+            inBundle: true,
+            hasInstallScript: true,
+          },
+        },
+      }),
+      node_modules: {
+        'parent-pkg': {
+          'package.json': JSON.stringify({
+            name: 'parent-pkg',
+            version: '1.0.0',
+            scripts: { install: 'echo install' },
+            bundleDependencies: ['inner'],
+          }),
+          node_modules: {
+            inner: {
+              'package.json': JSON.stringify({
+                name: 'inner',
+                version: '1.0.0',
+                scripts: { install: 'echo bundled' },
+              }),
+            },
+          },
+        },
+      },
+    },
+  })
+  await t.rejects(
+    npm.exec('approve-scripts', ['inner']),
+    { code: 'ENOMATCH' },
+    'typing the bundled package name does not match any approvable node'
+  )
+})
+
+t.test('approve-scripts --all with only bundled deps prints "no eligible" notice', async t => {
+  const { npm, logs, joinedOutput, prefix } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { 'parent-pkg': '*' },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { 'parent-pkg': '*' } },
+          'node_modules/parent-pkg': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/parent-pkg/-/parent-pkg-1.0.0.tgz',
+            // parent-pkg has NO install scripts; only the bundled child does.
+          },
+          'node_modules/parent-pkg/node_modules/only-bundled': {
+            version: '1.0.0',
+            inBundle: true,
+            hasInstallScript: true,
+          },
+        },
+      }),
+      node_modules: {
+        'parent-pkg': {
+          'package.json': JSON.stringify({
+            name: 'parent-pkg',
+            version: '1.0.0',
+            bundleDependencies: ['only-bundled'],
+          }),
+          node_modules: {
+            'only-bundled': {
+              'package.json': JSON.stringify({
+                name: 'only-bundled',
+                version: '1.0.0',
+                scripts: { install: 'echo evil' },
+              }),
+            },
+          },
+        },
+      },
+    },
+    config: { all: true },
+  })
+  await npm.exec('approve-scripts', [])
+  t.match(joinedOutput(), /No packages eligible for approval/)
+  t.match(logs.warn.byTitle('approve-scripts'), [/Skipping 1 bundled dependency/])
+  // Ensure no policy entry was written.
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.notOk(pkg.allowScripts, 'no allowScripts written')
+})
diff --git a/deps/npm/test/lib/commands/config.js b/deps/npm/test/lib/commands/config.js
index 9a65e883cfebc1..8237ffff22a42a 100644
--- a/deps/npm/test/lib/commands/config.js
+++ b/deps/npm/test/lib/commands/config.js
@@ -582,6 +582,11 @@ t.test('config edit', async t => {
     },
   })
 
+  const inputEvents = []
+  const inputListener = (level) => inputEvents.push(level)
+  process.on('input', inputListener)
+  t.teardown(() => process.off('input', inputListener))
+
   await npm.exec('config', ['edit'])
 
   t.ok(editor.called, 'editor was spawned')
@@ -590,6 +595,7 @@ t.test('config edit', async t => {
     [join(home, '.npmrc')],
     'editor opened the user config file'
   )
+  t.same(inputEvents.slice(0, 2), ['start', 'end'], 'progress paused and resumed around editor')
 
   const contents = await fs.readFile(join(home, '.npmrc'), { encoding: 'utf8' })
   t.ok(contents.includes('foo=bar'), 'kept foo')
diff --git a/deps/npm/test/lib/commands/deny-scripts.js b/deps/npm/test/lib/commands/deny-scripts.js
new file mode 100644
index 00000000000000..fd9031c665d6a8
--- /dev/null
+++ b/deps/npm/test/lib/commands/deny-scripts.js
@@ -0,0 +1,163 @@
+const t = require('tap')
+const fs = require('node:fs')
+const { resolve } = require('node:path')
+const _mockNpm = require('../../fixtures/mock-npm')
+
+const setupProject = ({ allowScripts, withScripts = ['core-js'] } = {}) => {
+  const pkg = {
+    name: 'host',
+    version: '1.0.0',
+    dependencies: Object.fromEntries(withScripts.map((n) => [n, '*'])),
+  }
+  if (allowScripts !== undefined) {
+    pkg.allowScripts = allowScripts
+  }
+  const lockPackages = { '': pkg }
+  const nodeModules = {}
+  for (const name of withScripts) {
+    nodeModules[name] = {
+      'package.json': JSON.stringify({
+        name,
+        version: '1.0.0',
+        scripts: { install: 'echo install' },
+      }),
+    }
+    lockPackages[`node_modules/${name}`] = {
+      version: '1.0.0',
+      resolved: `https://registry.npmjs.org/${name}/-/${name}-1.0.0.tgz`,
+      hasInstallScript: true,
+    }
+  }
+  return {
+    'package.json': JSON.stringify(pkg, null, 2),
+    'package-lock.json': JSON.stringify({
+      name: pkg.name,
+      version: pkg.version,
+      lockfileVersion: 3,
+      requires: true,
+      packages: lockPackages,
+    }),
+    node_modules: nodeModules,
+  }
+}
+
+t.test('deny-scripts  writes name-only false entry', async t => {
+  const { npm, prefix } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+  })
+  await npm.exec('deny-scripts', ['core-js'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'core-js': false })
+})
+
+t.test('deny-scripts  ignores --pin and always writes name-only', async t => {
+  const { npm, prefix } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+    config: { 'allow-scripts-pin': true },
+  })
+  await npm.exec('deny-scripts', ['core-js'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'core-js': false })
+})
+
+t.test('deny-scripts  replaces existing pinned allow', async t => {
+  const { npm, prefix } = await _mockNpm(t, {
+    prefixDir: setupProject({
+      withScripts: ['core-js'],
+      allowScripts: { 'core-js@1.0.0': true },
+    }),
+  })
+  await npm.exec('deny-scripts', ['core-js'])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'core-js': false })
+})
+
+t.test('deny-scripts --pending is rejected', async t => {
+  const { npm } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+    config: { 'allow-scripts-pending': true },
+  })
+  await t.rejects(npm.exec('deny-scripts', []), { code: 'EUSAGE' })
+})
+
+t.test('deny-scripts --all denies every unreviewed package', async t => {
+  const { npm, prefix } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js', 'telemetry'] }),
+    config: { all: true },
+  })
+  await npm.exec('deny-scripts', [])
+
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'core-js': false, telemetry: false })
+})
+
+t.test('deny-scripts errors on unknown package', async t => {
+  const { npm } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+  })
+  await t.rejects(
+    npm.exec('deny-scripts', ['not-installed']),
+    { code: 'ENOMATCH' }
+  )
+})
+
+t.test('deny-scripts requires positional args or --all', async t => {
+  const { npm } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+  })
+  await t.rejects(npm.exec('deny-scripts', []), { code: 'EUSAGE' })
+})
+
+t.test('deny-scripts --all with no unreviewed packages prints message', async t => {
+  const { npm, joinedOutput } = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'host', version: '1.0.0' }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: { '': { name: 'host', version: '1.0.0' } },
+      }),
+      node_modules: {},
+    },
+    config: { all: true },
+  })
+  await npm.exec('deny-scripts', [])
+  t.match(joinedOutput(), /No packages with unreviewed install scripts/)
+})
+
+t.test('deny-scripts fails on global', async t => {
+  const { npm } = await _mockNpm(t, {
+    config: { global: true },
+  })
+  await t.rejects(npm.exec('deny-scripts', ['canvas']), { code: 'EGLOBAL' })
+})
+
+t.test('deny-scripts  on a package already denied is no-op', async t => {
+  const { npm, joinedOutput, prefix } = await _mockNpm(t, {
+    prefixDir: setupProject({
+      withScripts: ['core-js'],
+      allowScripts: { 'core-js': false },
+    }),
+  })
+  await npm.exec('deny-scripts', ['core-js'])
+  const pkg = JSON.parse(fs.readFileSync(resolve(prefix, 'package.json'), 'utf8'))
+  t.strictSame(pkg.allowScripts, { 'core-js': false })
+  t.match(joinedOutput(), /Nothing to deny/)
+})
+
+t.test('deny-scripts --json outputs structured summary', async t => {
+  const { npm, joinedOutput } = await _mockNpm(t, {
+    prefixDir: setupProject({ withScripts: ['core-js'] }),
+    config: { json: true },
+  })
+  await npm.exec('deny-scripts', ['core-js'])
+  const parsed = JSON.parse(joinedOutput())
+  t.match(parsed, {
+    allowScripts: [{ name: 'core-js', changes: [{ key: 'core-js', change: 'added' }] }],
+  })
+})
diff --git a/deps/npm/test/lib/commands/edit.js b/deps/npm/test/lib/commands/edit.js
index b55bb2df218ba2..915241c82f6da8 100644
--- a/deps/npm/test/lib/commands/edit.js
+++ b/deps/npm/test/lib/commands/edit.js
@@ -58,8 +58,14 @@ t.test('npm edit', async t => {
     : ['-c', 'testinstall']
   spawk.spawn(scriptShell, scriptArgs, { cwd: semverPath })
 
+  const inputEvents = []
+  const inputListener = (level) => inputEvents.push(level)
+  process.on('input', inputListener)
+  t.teardown(() => process.off('input', inputListener))
+
   await npm.exec('edit', ['semver'])
   t.match(joinedOutput(), 'rebuilt dependencies successfully')
+  t.same(inputEvents.slice(0, 2), ['start', 'end'], 'progress paused and resumed around editor')
 })
 
 t.test('rebuild failure', async t => {
diff --git a/deps/npm/test/lib/commands/exec.js b/deps/npm/test/lib/commands/exec.js
index 2a6d3f6b8e0aff..92ea993e3edfb2 100644
--- a/deps/npm/test/lib/commands/exec.js
+++ b/deps/npm/test/lib/commands/exec.js
@@ -303,3 +303,68 @@ t.test('can run packages with keywords', async t => {
     t.fail(err, 'should not throw')
   }
 })
+
+t.test('exec threads allowScripts policy from .npmrc through to libexec', async t => {
+  let capturedOpts
+  const fakeLibexec = async (opts) => {
+    capturedOpts = opts
+  }
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'host', version: '1.0.0' }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+    mocks: {
+      libnpmexec: fakeLibexec,
+    },
+  })
+  await npm.exec('exec', ['some-pkg'])
+  t.strictSame(capturedOpts.allowScripts, { canvas: true },
+    'allowScripts populated from .npmrc layer')
+})
+
+t.test('exec ignores project package.json#allowScripts (RFC: .npmrc-only)', async t => {
+  // Per RFC line 299, exec/npx consults only user/global .npmrc. Project
+  // package.json policy must NOT influence npx behaviour, even when the
+  // user is running npx inside a project that has its own allowScripts.
+  let capturedOpts
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        allowScripts: { sharp: true },
+      }),
+    },
+    mocks: {
+      libnpmexec: async (opts) => {
+        capturedOpts = opts
+      },
+    },
+  })
+  await npm.exec('exec', ['some-pkg'])
+  // package.json policy is skipped; no other layer has policy; result is null.
+  t.equal(capturedOpts.allowScripts, null)
+})
+
+t.test('exec reads .npmrc policy even when project package.json has a different policy', async t => {
+  // .npmrc-tier policy wins because package.json is skipped entirely.
+  let capturedOpts
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        allowScripts: { sharp: true },
+      }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+    mocks: {
+      libnpmexec: async (opts) => {
+        capturedOpts = opts
+      },
+    },
+  })
+  await npm.exec('exec', ['some-pkg'])
+  t.strictSame(capturedOpts.allowScripts, { canvas: true })
+})
diff --git a/deps/npm/test/lib/commands/install.js b/deps/npm/test/lib/commands/install.js
index 584690b68b5c62..2aa56a3dcd1759 100644
--- a/deps/npm/test/lib/commands/install.js
+++ b/deps/npm/test/lib/commands/install.js
@@ -242,6 +242,7 @@ t.test('exec commands', async t => {
     const { npm } = await loadMockNpm(t, {
       config: {
         'allow-git': 'none',
+        audit: false,
       },
     })
     await t.rejects(
@@ -257,7 +258,8 @@ t.test('exec commands', async t => {
   t.test('allow-git=root refuses non-root git dependency', async t => {
     const { npm } = await loadMockNpm(t, {
       config: {
-        'allow-git': 'none',
+        'allow-git': 'root',
+        audit: false,
       },
       prefixDir: {
         'package.json': JSON.stringify({ name: '@npmcli/test-package', version: '1.0.0' }),
@@ -268,7 +270,129 @@ t.test('exec commands', async t => {
     })
     await t.rejects(
       npm.exec('install', ['./abbrev']),
-      /Fetching packages of type "git" have been disabled/
+      /Fetching non-root packages of type "git" have been disabled/
+    )
+  })
+
+  t.test('allow-directory=none blocks default symlink install', async t => {
+    const { npm } = await loadMockNpm(t, {
+      config: {
+        'allow-directory': 'none',
+        audit: false,
+      },
+      prefixDir: {
+        'package.json': JSON.stringify({
+          name: '@npmcli/test-package',
+          version: '1.0.0',
+          dependencies: { 'dir-dep': 'file:./dir-dep' },
+        }),
+        'dir-dep': {
+          'package.json': JSON.stringify({ name: 'dir-dep', version: '1.0.0' }),
+        },
+      },
+    })
+    await t.rejects(
+      npm.exec('install', []),
+      {
+        code: 'EALLOWDIRECTORY',
+        message: 'Fetching packages of type "directory" have been disabled',
+      }
+    )
+  })
+
+  t.test('allow-directory=root permits top-level directory dependency', async t => {
+    const { npm } = await loadMockNpm(t, {
+      config: {
+        'allow-directory': 'root',
+        audit: false,
+      },
+      prefixDir: {
+        'package.json': JSON.stringify({
+          name: '@npmcli/test-package',
+          version: '1.0.0',
+          dependencies: { 'dir-dep': 'file:./dir-dep' },
+        }),
+        'dir-dep': {
+          'package.json': JSON.stringify({ name: 'dir-dep', version: '1.0.0' }),
+        },
+      },
+    })
+    await npm.exec('install', [])
+    const installedPkg = require(path.join(npm.prefix, 'node_modules', 'dir-dep', 'package.json'))
+    t.equal(installedPkg.name, 'dir-dep', 'dir-dep is installed and readable through node_modules')
+  })
+
+  t.test('allow-git=root soft-skips transitive optional git dependency', async t => {
+    const { npm } = await loadMockNpm(t, {
+      config: {
+        'allow-git': 'root',
+        audit: false,
+      },
+      prefixDir: {
+        'package.json': JSON.stringify({ name: '@npmcli/test-package', version: '1.0.0' }),
+        abbrev: {
+          'package.json': JSON.stringify({
+            name: 'abbrev',
+            version: '1.0.0',
+            optionalDependencies: { npm: 'npm/npm' },
+          }),
+        },
+      },
+    })
+    await npm.exec('install', ['./abbrev'])
+    t.ok(
+      fs.existsSync(path.join(npm.prefix, 'node_modules', 'abbrev', 'package.json')),
+      'abbrev (the legitimate parent) is installed'
+    )
+    t.notOk(
+      fs.existsSync(path.join(npm.prefix, 'node_modules', 'npm')),
+      'optional transitive git dep is silently skipped'
+    )
+  })
+
+  t.test('allow-remote=none does not block registry tarballs', async t => {
+    const { npm, registry } = await loadMockNpm(t, {
+      config: {
+        'allow-remote': 'none',
+        audit: false,
+      },
+      prefixDir: {
+        'package.json': JSON.stringify({
+          ...packageJson,
+          dependencies: { abbrev: '^1.0.0' },
+        }),
+        abbrev,
+      },
+    })
+    const manifest = registry.manifest({ name: 'abbrev' })
+    await registry.package({ manifest })
+    await registry.tarball({
+      manifest: manifest.versions['1.0.0'],
+      tarball: path.join(npm.prefix, 'abbrev'),
+    })
+    await npm.exec('install', [])
+    const installed = require(path.join(npm.prefix, 'node_modules', 'abbrev', 'package.json'))
+    t.equal(installed.name, 'abbrev', 'registry dep is installed despite allow-remote=none')
+  })
+
+  t.test('allow-remote=none still blocks a user-supplied remote URL', async t => {
+    const { npm } = await loadMockNpm(t, {
+      config: {
+        'allow-remote': 'none',
+        audit: false,
+      },
+      prefixDir: {
+        'package.json': JSON.stringify({
+          name: '@npmcli/test-package',
+          version: '1.0.0',
+          dependencies: { abbrev: 'https://registry.npmjs.org/abbrev/-/abbrev-2.0.0.tgz' },
+        }),
+      },
+    })
+    await t.rejects(
+      npm.exec('install', []),
+      { code: 'EALLOWREMOTE' },
+      'user-supplied remote URL is still blocked'
     )
   })
 })
diff --git a/deps/npm/test/lib/commands/publish.js b/deps/npm/test/lib/commands/publish.js
index ad528c2c8dd3ef..acf8c4c96a93d6 100644
--- a/deps/npm/test/lib/commands/publish.js
+++ b/deps/npm/test/lib/commands/publish.js
@@ -742,6 +742,27 @@ t.test('restricted access', async t => {
   t.matchSnapshot(logs.notice)
 })
 
+t.test('private access', async t => {
+  const packageJson = {
+    name: '@npm/test-package',
+    version: '1.0.0',
+  }
+  const { npm, joinedOutput, logs, registry } = await loadNpmWithRegistry(t, {
+    config: {
+      ...auth,
+      access: 'private',
+    },
+    prefixDir: {
+      'package.json': JSON.stringify(packageJson, null, 2),
+    },
+    authorization: token,
+  })
+  registry.publish('@npm/test-package', { packageJson, access: 'restricted' })
+  await npm.exec('publish', [])
+  t.matchSnapshot(joinedOutput(), 'new package version')
+  t.matchSnapshot(logs.notice)
+})
+
 t.test('public access', async t => {
   const { npm, joinedOutput, logs, registry } = await loadNpmWithRegistry(t, {
     config: {
diff --git a/deps/npm/test/lib/commands/rebuild.js b/deps/npm/test/lib/commands/rebuild.js
index 0062362b61329b..de91fd3471b4e1 100644
--- a/deps/npm/test/lib/commands/rebuild.js
+++ b/deps/npm/test/lib/commands/rebuild.js
@@ -221,3 +221,63 @@ t.test('completion', async t => {
   const res = await rebuild.completion({ conf: { argv: { remain: ['npm', 'rebuild'] } } })
   t.type(res, Array)
 })
+
+t.test('emits Phase 1 advisory warning for unreviewed install scripts', async t => {
+  const { npm, logs } = await setupMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'host', version: '1.0.0' }),
+      node_modules: {
+        canvas: {
+          'package.json': JSON.stringify({
+            name: 'canvas',
+            version: '1.0.0',
+            scripts: { install: 'echo install' },
+          }),
+        },
+      },
+    },
+  })
+  await npm.exec('rebuild', [])
+  t.match(
+    logs.warn.byTitle('rebuild'),
+    [/install scripts not yet covered by allowScripts/]
+  )
+})
+
+t.test('no advisory warning when allowScripts covers the package', async t => {
+  const { npm, logs } = await setupMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        dependencies: { canvas: '1.0.0' },
+        allowScripts: { canvas: true },
+      }),
+      'package-lock.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        lockfileVersion: 3,
+        requires: true,
+        packages: {
+          '': { name: 'host', version: '1.0.0', dependencies: { canvas: '1.0.0' } },
+          'node_modules/canvas': {
+            version: '1.0.0',
+            resolved: 'https://registry.npmjs.org/canvas/-/canvas-1.0.0.tgz',
+            hasInstallScript: true,
+          },
+        },
+      }),
+      node_modules: {
+        canvas: {
+          'package.json': JSON.stringify({
+            name: 'canvas',
+            version: '1.0.0',
+            scripts: { install: 'echo install' },
+          }),
+        },
+      },
+    },
+  })
+  await npm.exec('rebuild', [])
+  t.strictSame(logs.warn.byTitle('rebuild'), [])
+})
diff --git a/deps/npm/test/lib/commands/stage/approve.js b/deps/npm/test/lib/commands/stage/approve.js
new file mode 100644
index 00000000000000..d62ea04d431014
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/approve.js
@@ -0,0 +1,72 @@
+const t = require('tap')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm.js')
+const MockRegistry = require('@npmcli/mock-registry')
+
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+const stageId = '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f'
+
+t.test('approves a staged package', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post(`/-/stage/${stageId}/approve`)
+    .reply(201, { message: 'Package version approved and published successfully.' })
+  await npm.exec('stage', ['approve', stageId])
+  t.match(joinedOutput(), /approved and published successfully/)
+})
+
+t.test('throws usageError without stage-id', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['approve']), {
+    code: 'EUSAGE',
+  })
+})
+
+t.test('throws on invalid uuid', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['approve', 'not-a-uuid']), {
+    message: /stage-id must be a valid UUID/,
+  })
+})
+
+t.test('throws on 404 (stage-id not found)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post(`/-/stage/${stageId}/approve`)
+    .reply(404, { error: 'Not found' })
+  await t.rejects(npm.exec('stage', ['approve', stageId]), {
+    statusCode: 404,
+  })
+})
+
+t.test('throws on 403 (not an owner)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post(`/-/stage/${stageId}/approve`)
+    .reply(403, { error: 'You do not have permission to approve this package' })
+  await t.rejects(npm.exec('stage', ['approve', stageId]), {
+    statusCode: 403,
+  })
+})
diff --git a/deps/npm/test/lib/commands/stage/download.js b/deps/npm/test/lib/commands/stage/download.js
new file mode 100644
index 00000000000000..807c1282edc863
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/download.js
@@ -0,0 +1,139 @@
+const t = require('tap')
+const fs = require('node:fs')
+const path = require('node:path')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm.js')
+const MockRegistry = require('@npmcli/mock-registry')
+const mockGlobals = require('@npmcli/mock-globals')
+const libpack = require('libnpmpack')
+
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+const stageId = '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f'
+
+t.test('downloads a staged tarball', async t => {
+  const { npm, joinedOutput, prefix } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: '@npmcli/test-package',
+        version: '1.0.0',
+      }),
+      'index.js': 'module.exports = 42',
+    },
+  })
+  const tarballData = await libpack(prefix)
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageId}/tarball`)
+    .reply(200, tarballData, { 'content-type': 'application/octet-stream' })
+
+  mockGlobals(t, { 'process.cwd': () => prefix })
+
+  await npm.exec('stage', ['download', stageId])
+  const out = joinedOutput()
+  const expectedFilename = `npmcli-test-package-1.0.0-${stageId}.tgz`
+  t.match(out, expectedFilename)
+  t.ok(fs.existsSync(path.join(prefix, expectedFilename)))
+})
+
+t.test('downloads with --json', async t => {
+  const { npm, joinedOutput, prefix } = await loadMockNpm(t, {
+    config: { ...authConfig, json: true },
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: '@npmcli/test-package',
+        version: '1.0.0',
+      }),
+    },
+  })
+  const tarballData = await libpack(prefix)
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageId}/tarball`)
+    .reply(200, tarballData, { 'content-type': 'application/octet-stream' })
+
+  mockGlobals(t, { 'process.cwd': () => prefix })
+
+  await npm.exec('stage', ['download', stageId])
+  const out = joinedOutput()
+  t.notMatch(out, `npmcli-test-package-1.0.0-${stageId}.tgz`)
+  const expectedFilename = `npmcli-test-package-1.0.0-${stageId}.tgz`
+  t.ok(fs.existsSync(path.join(prefix, expectedFilename)))
+})
+
+t.test('throws usageError without stage-id', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['download']), {
+    code: 'EUSAGE',
+  })
+})
+
+t.test('throws on invalid uuid', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['download', 'not-a-uuid']), {
+    message: /stage-id must be a valid UUID/,
+  })
+})
+
+t.test('throws on 404 (stage-id not found)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageId}/tarball`)
+    .reply(404, { error: 'Not found' })
+  await t.rejects(npm.exec('stage', ['download', stageId]), {
+    statusCode: 404,
+  })
+})
+
+t.test('throws on 403 (not an owner)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageId}/tarball`)
+    .reply(403, { error: 'You do not have permission to download this package' })
+  await t.rejects(npm.exec('stage', ['download', stageId]), {
+    statusCode: 403,
+  })
+})
+
+t.test('throws when tarball has no package.json', async t => {
+  const { npm, prefix } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {},
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  // Empty tar (two 512-byte zero blocks) has no entries
+  registry.nock.get(`/-/stage/${stageId}/tarball`)
+    .reply(200, Buffer.alloc(1024), { 'content-type': 'application/octet-stream' })
+
+  mockGlobals(t, { 'process.cwd': () => prefix })
+
+  await t.rejects(npm.exec('stage', ['download', stageId]), {
+    message: /Could not read package.json from tarball/,
+  })
+})
diff --git a/deps/npm/test/lib/commands/stage/index.js b/deps/npm/test/lib/commands/stage/index.js
new file mode 100644
index 00000000000000..bd81c7aab5e42e
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/index.js
@@ -0,0 +1,332 @@
+const t = require('tap')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm')
+const MockRegistry = require('@npmcli/mock-registry')
+const path = require('node:path')
+const fs = require('node:fs')
+
+const pkg = '@npmcli/test-package'
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+
+const pkgJson = {
+  name: pkg,
+  description: 'npm test package',
+  version: '1.0.0',
+}
+
+t.test('stages a package from cwd', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\+ @npmcli\/test-package@1\.0\.0 \(staged\)/)
+})
+
+t.test('stages with --dry-run', async t => {
+  const { npm, joinedOutput, logs } = await loadMockNpm(t, {
+    config: { ...authConfig, 'dry-run': true },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  await npm.exec('stage', ['publish'])
+  t.ok(logs.notice.some(n => /Staging to .* \(dry-run\)/.test(n)))
+  t.match(joinedOutput(), /\+ @npmcli\/test-package@1\.0\.0 \(staged\)/)
+})
+
+t.test('stages with --json', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, json: true },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  const out = JSON.parse(joinedOutput())
+  t.equal(out[pkg].name, pkg)
+  t.equal(out[pkg].version, '1.0.0')
+})
+
+t.test('stages with --json includes stageId', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, json: true },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  const stageId = 'f8e7a45b-7a5f-4f31-8e6d-9dd1c6ef38c0'
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, { stageId })
+  await npm.exec('stage', ['publish'])
+  const out = JSON.parse(joinedOutput())
+  t.equal(out[pkg].name, pkg)
+  t.equal(out[pkg].stageId, stageId)
+})
+
+t.test('completion returns subcommands', async t => {
+  const Stage = require('../../../../lib/commands/stage/index.js')
+  const res = await Stage.completion({ conf: { argv: { remain: ['npm', 'stage'] } } })
+  t.strictSame(res, ['publish', 'list', 'view', 'approve', 'reject', 'download'])
+})
+
+t.test('completion returns empty for subcommand', async t => {
+  const Stage = require('../../../../lib/commands/stage/index.js')
+  const res = await Stage.completion({ conf: { argv: { remain: ['npm', 'stage', 'publish'] } } })
+  t.strictSame(res, [])
+})
+
+t.test('throws on invalid semver tag', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig, tag: '1.0.0' },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  await t.rejects(npm.exec('stage', ['publish']), {
+    message: /Tag name must not be a valid SemVer range/,
+  })
+})
+
+t.test('throws ENEEDAUTH with no credentials', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: {},
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  await t.rejects(npm.exec('stage', ['publish']), {
+    code: 'ENEEDAUTH',
+  })
+})
+
+t.test('warns on --dry-run with no credentials', async t => {
+  const { npm, logs } = await loadMockNpm(t, {
+    config: { 'dry-run': true },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  await npm.exec('stage', ['publish'])
+  t.match(logs.warn, [/requires you to be logged in.*\(dry-run\)/])
+})
+
+t.test('stages a package with positional arg', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish', '.'])
+  t.match(joinedOutput(), /\+ @npmcli\/test-package@1\.0\.0 \(staged\)/)
+})
+
+t.test('respects ignore-scripts', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, 'ignore-scripts': true },
+    prefixDir: {
+      'package.json': JSON.stringify({
+        ...pkgJson,
+        scripts: {
+          prepublishOnly: 'exit 1',
+          publish: 'exit 1',
+          postpublish: 'exit 1',
+        },
+      }),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\(staged\)/)
+})
+
+t.test('foreground-scripts can be set to false', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, 'foreground-scripts': false },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\(staged\)/)
+})
+
+t.test('runs lifecycle scripts', async t => {
+  const { npm, prefix } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify({
+        ...pkgJson,
+        scripts: {
+          prepublishOnly: 'touch scripts-prepublishonly',
+          publish: 'touch scripts-publish',
+          postpublish: 'touch scripts-postpublish',
+        },
+      }),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.equal(fs.existsSync(path.join(prefix, 'scripts-prepublishonly')), true)
+  t.equal(fs.existsSync(path.join(prefix, 'scripts-publish')), true)
+  t.equal(fs.existsSync(path.join(prefix, 'scripts-postpublish')), true)
+})
+
+t.test('respects publishConfig', async t => {
+  const alternateRegistry = 'https://other.registry.npmjs.org'
+  const { npm, joinedOutput, logs } = await loadMockNpm(t, {
+    config: {
+      [`${alternateRegistry.slice(6)}/:_authToken`]: 'test-other-token',
+    },
+    prefixDir: {
+      'package.json': JSON.stringify({
+        ...pkgJson,
+        publishConfig: {
+          registry: alternateRegistry,
+          other: 'unknown-key',
+        },
+      }),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: alternateRegistry,
+    authorization: 'test-other-token',
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\(staged\)/)
+  t.match(logs.warn, [/Unknown publishConfig/])
+})
+
+t.test('warns about auto-corrected package.json errors', async t => {
+  const { npm, logs } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: pkg,
+        version: '1.0.0',
+        repository: 'github:user/repo',
+      }),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.ok(logs.warn.some(w => /auto-corrected/.test(w)))
+  t.ok(logs.warn.some(w => /errors corrected/.test(w)))
+})
+
+t.test('stages with basic auth (username)', async t => {
+  const basic = Buffer.from('test-user:test-password').toString('base64')
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: {
+      '//registry.npmjs.org/:username': 'test-user',
+      '//registry.npmjs.org/:_password': Buffer.from('test-password').toString('base64'),
+    },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    basic,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\(staged\)/)
+})
+
+t.test('stages with cert auth', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: {
+      '//registry.npmjs.org/:certfile': '/path/to/cert',
+      '//registry.npmjs.org/:keyfile': '/path/to/key',
+    },
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, {})
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /\(staged\)/)
+})
+
+t.test('throws EPRIVATE for private packages', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify({ ...pkgJson, private: true }),
+    },
+  })
+  await t.rejects(npm.exec('stage', ['publish']), {
+    code: 'EPRIVATE',
+  })
+})
+
+t.test('outputs stageId when returned', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: authConfig,
+    prefixDir: {
+      'package.json': JSON.stringify(pkgJson),
+    },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.post('/-/stage/package/@npmcli%2ftest-package').reply(201, { stageId: 'abc-123' })
+  await npm.exec('stage', ['publish'])
+  t.match(joinedOutput(), /staged with id abc-123/)
+})
diff --git a/deps/npm/test/lib/commands/stage/list.js b/deps/npm/test/lib/commands/stage/list.js
new file mode 100644
index 00000000000000..e66680db8277f2
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/list.js
@@ -0,0 +1,147 @@
+const t = require('tap')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm.js')
+const MockRegistry = require('@npmcli/mock-registry')
+
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+
+const stageItems = [
+  {
+    id: '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f',
+    packageName: '@npmcli/example-package',
+    version: '1.2.3',
+    tag: 'latest',
+    createdAt: '2026-03-16T09:00:00.000Z',
+    actor: 'octocat',
+    actorType: 'user',
+    shasum: '4f7f5f1d5bcf2f72f6e4d6c4f3b2812d8a2f6c19',
+  },
+  {
+    id: 'f8e7a45b-7a5f-4f31-8e6d-9dd1c6ef38c0',
+    packageName: 'example-lib',
+    version: '0.4.0',
+    tag: 'next',
+    createdAt: '2026-03-15T18:22:11.000Z',
+    actor: 'npm-bot',
+    actorType: 'trusted automation',
+    shasum: '8eb3b4e9b6e3d0d2c86be1e6d4f43f4be62e80ad',
+  },
+]
+
+t.test('lists all staged packages', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get('/-/stage?page=0&perPage=100')
+    .reply(200, { items: stageItems, page: 0, perPage: 100, total: 2 })
+  await npm.exec('stage', ['list'])
+  const out = joinedOutput()
+  t.match(out, 'package name: @npmcli/example-package')
+  t.match(out, 'package name: example-lib')
+  t.match(out, 'version: 1.2.3')
+  t.match(out, 'version: 0.4.0')
+})
+
+t.test('lists with package filter', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get('/-/stage?page=0&perPage=100&package=%40npmcli%2Fexample-package')
+    .reply(200, { items: [stageItems[0]], page: 0, perPage: 100, total: 1 })
+  await npm.exec('stage', ['list', '@npmcli/example-package'])
+  const out = joinedOutput()
+  t.match(out, '@npmcli/example-package')
+  t.notMatch(out, 'example-lib')
+})
+
+t.test('lists with --json', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, json: true },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get('/-/stage?page=0&perPage=100')
+    .reply(200, { items: stageItems, page: 0, perPage: 100, total: 2 })
+  await npm.exec('stage', ['list'])
+  const out = JSON.parse(joinedOutput())
+  t.equal(out.length, 2)
+  t.equal(out[0].packageName, '@npmcli/example-package')
+  t.equal(out[0].id, '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f', 'uuid id is not redacted')
+})
+
+t.test('shows message when no packages', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get('/-/stage?page=0&perPage=100')
+    .reply(200, { items: [], page: 0, perPage: 100, total: 0 })
+  await npm.exec('stage', ['list'])
+  t.match(joinedOutput(), 'No staged packages found.')
+})
+
+t.test('shows filtered message when no packages with filter', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get('/-/stage?page=0&perPage=100&package=nonexistent')
+    .reply(200, { items: [], page: 0, perPage: 100, total: 0 })
+  await npm.exec('stage', ['list', 'nonexistent'])
+  t.match(joinedOutput(), 'No staged versions of package name "nonexistent".')
+})
+
+t.test('throws on version specifier', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  await t.rejects(npm.exec('stage', ['list', 'area@1.0.0']), {
+    code: 'EUSAGE',
+  })
+})
+
+t.test('paginates through multiple pages', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  // page 0: 100 items, total 101
+  const page0Items = Array.from({ length: 100 }, (_, i) => ({
+    ...stageItems[0],
+    id: `id-${i}`,
+    version: `1.0.${i}`,
+  }))
+  registry.nock.get('/-/stage?page=0&perPage=100')
+    .reply(200, { items: page0Items, page: 0, perPage: 100, total: 101 })
+  registry.nock.get('/-/stage?page=1&perPage=100')
+    .reply(200, { items: [stageItems[1]], page: 1, perPage: 100, total: 101 })
+  await npm.exec('stage', ['list'])
+  const out = joinedOutput()
+  t.match(out, 'version: 1.0.0')
+  t.match(out, 'version: 0.4.0')
+})
diff --git a/deps/npm/test/lib/commands/stage/reject.js b/deps/npm/test/lib/commands/stage/reject.js
new file mode 100644
index 00000000000000..d021075a245230
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/reject.js
@@ -0,0 +1,72 @@
+const t = require('tap')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm.js')
+const MockRegistry = require('@npmcli/mock-registry')
+
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+const stageId = '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f'
+
+t.test('rejects a staged package', async t => {
+  const { npm, joinedOutput, logs } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.delete(`/-/stage/${stageId}`).reply(204)
+  await npm.exec('stage', ['reject', stageId])
+  t.match(joinedOutput(), /has been rejected/)
+  t.match(logs.warn, [/permanently delete/])
+})
+
+t.test('throws usageError without stage-id', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['reject']), {
+    code: 'EUSAGE',
+  })
+})
+
+t.test('throws on invalid uuid', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['reject', 'not-a-uuid']), {
+    message: /stage-id must be a valid UUID/,
+  })
+})
+
+t.test('throws on 404 (stage-id not found)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.delete(`/-/stage/${stageId}`)
+    .reply(404, { error: 'Not found' })
+  await t.rejects(npm.exec('stage', ['reject', stageId]), {
+    statusCode: 404,
+  })
+})
+
+t.test('throws on 403 (not an owner)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: { ...authConfig, otp: '123456' },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.delete(`/-/stage/${stageId}`)
+    .reply(403, { error: 'You do not have permission to reject this package' })
+  await t.rejects(npm.exec('stage', ['reject', stageId]), {
+    statusCode: 403,
+  })
+})
diff --git a/deps/npm/test/lib/commands/stage/view.js b/deps/npm/test/lib/commands/stage/view.js
new file mode 100644
index 00000000000000..604caf98fb23b0
--- /dev/null
+++ b/deps/npm/test/lib/commands/stage/view.js
@@ -0,0 +1,100 @@
+const t = require('tap')
+const { load: loadMockNpm } = require('../../../fixtures/mock-npm.js')
+const MockRegistry = require('@npmcli/mock-registry')
+
+const token = 'test-auth-token'
+const authConfig = { '//registry.npmjs.org/:_authToken': token }
+
+const stageItem = {
+  id: '1de6f3db-2ed9-4d72-b3dd-8f0e2b474a2f',
+  packageName: '@npmcli/example-package',
+  version: '1.2.3',
+  tag: 'latest',
+  createdAt: '2026-03-16T09:00:00.000Z',
+  actor: 'octocat',
+  actorType: 'user',
+  shasum: '4f7f5f1d5bcf2f72f6e4d6c4f3b2812d8a2f6c19',
+}
+
+t.test('views a staged package', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageItem.id}`).reply(200, stageItem)
+  await npm.exec('stage', ['view', stageItem.id])
+  const out = joinedOutput()
+  t.match(out, /id:/)
+  t.match(out, 'package name: @npmcli/example-package')
+  t.match(out, 'version: 1.2.3')
+})
+
+t.test('views with --json', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: { ...authConfig, json: true },
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageItem.id}`).reply(200, stageItem)
+  await npm.exec('stage', ['view', stageItem.id])
+  const out = JSON.parse(joinedOutput())
+  t.ok(out.id)
+  t.equal(out.packageName, '@npmcli/example-package')
+})
+
+t.test('throws usageError without stage-id', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['view']), {
+    code: 'EUSAGE',
+  })
+})
+
+t.test('throws on invalid uuid', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  await t.rejects(npm.exec('stage', ['view', 'not-a-uuid']), {
+    message: /stage-id must be a valid UUID/,
+  })
+})
+
+t.test('throws on 404 (stage-id not found)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageItem.id}`)
+    .reply(404, { error: 'Not found' })
+  await t.rejects(npm.exec('stage', ['view', stageItem.id]), {
+    statusCode: 404,
+  })
+})
+
+t.test('throws on 403 (not an owner)', async t => {
+  const { npm } = await loadMockNpm(t, {
+    config: authConfig,
+  })
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: token,
+  })
+  registry.nock.get(`/-/stage/${stageItem.id}`)
+    .reply(403, { error: 'You do not have permission to view this package' })
+  await t.rejects(npm.exec('stage', ['view', stageItem.id]), {
+    statusCode: 403,
+  })
+})
diff --git a/deps/npm/test/lib/commands/trust/circleci.js b/deps/npm/test/lib/commands/trust/circleci.js
index 1ceec9a6e5845f..51211785c57484 100644
--- a/deps/npm/test/lib/commands/trust/circleci.js
+++ b/deps/npm/test/lib/commands/trust/circleci.js
@@ -44,6 +44,7 @@ t.test('circleci with all options provided', async t => {
     '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
     '--vcs-origin', 'github.com/owner/repo',
     '--context-id', '123e4567-e89b-12d3-a456-426614174000',
+    '--allow-publish',
   ])
 })
 
@@ -85,6 +86,7 @@ t.test('circleci without optional context-id', async t => {
     '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
     '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
     '--vcs-origin', 'github.com/owner/repo',
+    '--allow-publish',
   ])
 })
 
@@ -128,6 +130,7 @@ t.test('circleci with multiple context-ids', async t => {
     '--vcs-origin', 'github.com/owner/repo',
     '--context-id', '123e4567-e89b-12d3-a456-426614174000',
     '--context-id', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+    '--allow-publish',
   ])
 })
 
@@ -152,6 +155,7 @@ t.test('circleci missing required org-id', async t => {
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /org-id is required/ }
   )
@@ -178,6 +182,7 @@ t.test('circleci missing required project-id', async t => {
       '--org-id', '550e8400-e29b-41d4-a716-446655440000',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /project-id is required/ }
   )
@@ -204,6 +209,7 @@ t.test('circleci missing required pipeline-definition-id', async t => {
       '--org-id', '550e8400-e29b-41d4-a716-446655440000',
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--vcs-origin', 'github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /pipeline-definition-id is required/ }
   )
@@ -230,6 +236,7 @@ t.test('circleci missing required vcs-origin', async t => {
       '--org-id', '550e8400-e29b-41d4-a716-446655440000',
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
+      '--allow-publish',
     ]),
     { message: /vcs-origin is required/ }
   )
@@ -257,6 +264,7 @@ t.test('circleci with invalid org-id uuid format', async t => {
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /org-id must be a valid UUID/ }
   )
@@ -284,6 +292,7 @@ t.test('circleci with invalid vcs-origin format', async t => {
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'invalid-format',
+      '--allow-publish',
     ]),
     { message: /vcs-origin must be in format 'provider\/owner\/repo'/ }
   )
@@ -311,6 +320,7 @@ t.test('circleci with vcs-origin containing scheme prefix', async t => {
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'https://github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /vcs-origin must not include a scheme/ }
   )
@@ -336,6 +346,7 @@ t.test('circleci missing package name', async t => {
       '--project-id', '7c9e6679-7425-40de-944b-e07fc1f90ae7',
       '--pipeline-definition-id', '6ba7b810-9dad-11d1-80b4-00c04fd430c8',
       '--vcs-origin', 'github.com/owner/repo',
+      '--allow-publish',
     ]),
     { message: /Package name must be specified either as an argument or in package.json file/ }
   )
diff --git a/deps/npm/test/lib/commands/trust/github.js b/deps/npm/test/lib/commands/trust/github.js
index a2b16d272bde15..6cc65bff354d00 100644
--- a/deps/npm/test/lib/commands/trust/github.js
+++ b/deps/npm/test/lib/commands/trust/github.js
@@ -35,7 +35,7 @@ t.test('github with all options provided', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'owner/repo', '--environment', 'production'])
+  await npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'owner/repo', '--environment', 'production', '--allow-publish'])
 })
 
 t.test('github with invalid repository format', async t => {
@@ -61,7 +61,7 @@ t.test('github with invalid repository format', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'invalid']),
+    npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'invalid', '--allow-publish']),
     { message: /must be specified in the format owner\/repository/ }
   )
 })
@@ -89,7 +89,7 @@ t.test('github with file as path', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--yes', '--file', '.github/workflows/ci.yml', '--repository', 'owner/repo']),
+    npm.exec('trust', ['github', packageName, '--yes', '--file', '.github/workflows/ci.yml', '--repository', 'owner/repo', '--allow-publish']),
     { message: /must be just a file not a path/ }
   )
 })
@@ -124,7 +124,7 @@ t.test('github without environment', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'owner/repo'])
+  await npm.exec('trust', ['github', packageName, '--yes', '--file', 'workflow.yml', '--repository', 'owner/repo', '--allow-publish'])
 })
 
 t.test('bodyToOptions with all fields', t => {
diff --git a/deps/npm/test/lib/commands/trust/gitlab.js b/deps/npm/test/lib/commands/trust/gitlab.js
index 0b60196830c5f7..16f3804f978962 100644
--- a/deps/npm/test/lib/commands/trust/gitlab.js
+++ b/deps/npm/test/lib/commands/trust/gitlab.js
@@ -35,7 +35,7 @@ t.test('gitlab with all options provided', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'group/subgroup/repo', '--environment', 'production'])
+  await npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'group/subgroup/repo', '--environment', 'production', '--allow-publish'])
 })
 
 t.test('gitlab with invalid project format', async t => {
@@ -61,7 +61,7 @@ t.test('gitlab with invalid project format', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'invalid']),
+    npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'invalid', '--allow-publish']),
     { message: /must be specified in the format/ }
   )
 })
@@ -89,7 +89,7 @@ t.test('gitlab with file as path', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab/ci.yml', '--project', 'group/repo']),
+    npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab/ci.yml', '--project', 'group/repo', '--allow-publish']),
     { message: /must be just a file not a path/ }
   )
 })
@@ -124,7 +124,7 @@ t.test('gitlab without environment', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'group/repo'])
+  await npm.exec('trust', ['gitlab', packageName, '--yes', '--file', '.gitlab-ci.yml', '--project', 'group/repo', '--allow-publish'])
 })
 
 t.test('bodyToOptions with all fields', t => {
diff --git a/deps/npm/test/lib/commands/update.js b/deps/npm/test/lib/commands/update.js
index a8c68bd65bb361..68067b8af8168f 100644
--- a/deps/npm/test/lib/commands/update.js
+++ b/deps/npm/test/lib/commands/update.js
@@ -95,3 +95,33 @@ t.test('completion', async t => {
   const res = await update.completion({ conf: { argv: { remain: ['npm', 'update'] } } })
   t.type(res, Array)
 })
+
+t.test('update threads allowScripts policy through to arborist', async t => {
+  // The reify step uses the resolved policy. The advisory warning is
+  // emitted from reifyFinish (already covered by install.js tests),
+  // so here we verify the call site populates opts.allowScripts.
+  let capturedOpts
+  const FakeArborist = function (opts) {
+    capturedOpts = opts
+    this.options = opts
+    this.actualTree = { inventory: new Map() }
+  }
+  FakeArborist.prototype.reify = async function () {}
+
+  const mock = await _mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'host',
+        version: '1.0.0',
+        allowScripts: { canvas: true },
+      }),
+    },
+    mocks: {
+      '@npmcli/arborist': FakeArborist,
+      '{LIB}/utils/reify-finish.js': async () => {},
+    },
+  })
+  await mock.npm.exec('update', [])
+  t.strictSame(capturedOpts.allowScripts, { canvas: true },
+    'opts.allowScripts populated from package.json')
+})
diff --git a/deps/npm/test/lib/trust-cmd.js b/deps/npm/test/lib/trust-cmd.js
index f0c52aadbd2c4a..57d70702818a52 100644
--- a/deps/npm/test/lib/trust-cmd.js
+++ b/deps/npm/test/lib/trust-cmd.js
@@ -32,7 +32,7 @@ t.test('trust-cmd via trust github with read function called', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 })
 
 t.test('trust-cmd via trust github with all options', async t => {
@@ -57,7 +57,77 @@ t.test('trust-cmd via trust github with all options', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli', '--environment', 'production'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli', '--environment', 'production'])
+})
+
+t.test('trust-cmd via trust github with --allow-stage-publish', async t => {
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: packageName,
+        version: '1.0.0',
+      }),
+    },
+    config: {
+      '//registry.npmjs.org/:_authToken': 'test-auth-token',
+      yes: true,
+    },
+  })
+
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: 'test-auth-token',
+  })
+
+  registry.trustCreate({ packageName })
+
+  await npm.exec('trust', ['github', '--allow-stage-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+})
+
+t.test('trust-cmd via trust github with --allow-staged-publish alias', async t => {
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: packageName,
+        version: '1.0.0',
+      }),
+    },
+    config: {
+      '//registry.npmjs.org/:_authToken': 'test-auth-token',
+      yes: true,
+    },
+  })
+
+  const registry = new MockRegistry({
+    tap: t,
+    registry: npm.config.get('registry'),
+    authorization: 'test-auth-token',
+  })
+
+  registry.trustCreate({ packageName })
+
+  await npm.exec('trust', ['github', '--allow-staged-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+})
+
+t.test('trust-cmd via trust github missing permissions', async t => {
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: packageName,
+        version: '1.0.0',
+      }),
+    },
+    config: {
+      '//registry.npmjs.org/:_authToken': 'test-auth-token',
+      yes: true,
+    },
+  })
+
+  await t.rejects(
+    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    { message: /At least one permission flag is required/ }
+  )
 })
 
 t.test('trust-cmd via trust github infers from package.json', async t => {
@@ -91,7 +161,7 @@ t.test('trust-cmd via trust github infers from package.json', async t => {
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', '--yes', '--file', 'workflow.yml'])
+  await npm.exec('trust', ['github', '--allow-publish', '--yes', '--file', 'workflow.yml'])
 })
 
 t.test('trust-cmd via trust github with dry-run', async t => {
@@ -108,7 +178,7 @@ t.test('trust-cmd via trust github with dry-run', async t => {
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 
   t.ok(joinedOutput().includes('Establishing trust'), 'shows notice about establishing trust')
 })
@@ -122,7 +192,7 @@ t.test('trust-cmd via trust github missing package name', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: /Package name must be specified/ },
     'throws when no package name'
   )
@@ -141,7 +211,7 @@ t.test('trust-cmd via trust github missing file', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--repository', 'npm/cli']),
     { message: /must be specified with the file option/ },
     'throws when no file'
   )
@@ -160,7 +230,7 @@ t.test('trust-cmd via trust github invalid file extension', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.txt', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.txt', '--repository', 'npm/cli']),
     { message: /must end in \.yml or \.yaml/ },
     'throws when file has wrong extension'
   )
@@ -179,7 +249,7 @@ t.test('trust-cmd via trust github missing repository', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml']),
     { message: /must be specified with repository option/ },
     'throws when no repository'
   )
@@ -200,7 +270,7 @@ t.test('trust-cmd via trust github with custom registry warning', async t => {
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 
   t.ok(logs.warn.some(l => l.includes('may not support trusted publishing')), 'warns about custom registry')
 })
@@ -220,7 +290,7 @@ t.test('trust-cmd via trust github with --json', async t => {
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 
   const output = joinedOutput()
   t.ok(output.includes(packageName), 'JSON output includes package name')
@@ -250,7 +320,7 @@ t.test('trust-cmd via trust github with user confirmation no', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: 'User cancelled operation' },
     'throws when user declines'
   )
@@ -271,7 +341,7 @@ t.test('trust-cmd via trust github with --no-yes', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: 'User cancelled operation' },
     'throws when --no-yes flag is set'
   )
@@ -300,7 +370,7 @@ t.test('trust-cmd via trust github with invalid answer', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: 'User cancelled operation' },
     'throws when user gives invalid answer'
   )
@@ -336,7 +406,7 @@ t.test('trust-cmd via trust github with user confirmation Y uppercase', async t
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 })
 
 t.test('trust-cmd via trust github with user enters empty string', async t => {
@@ -362,7 +432,7 @@ t.test('trust-cmd via trust github with user enters empty string', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: 'User cancelled operation' },
     'throws when user enters empty string'
   )
@@ -383,7 +453,7 @@ t.test('trust-cmd via trust github with mismatched repo type', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', '--file', 'workflow.yml']),
+    npm.exec('trust', ['github', '--allow-publish', '--file', 'workflow.yml']),
     { message: /Repository in package.json is not a GitHub repository/ },
     'throws when repository type does not match provider'
   )
@@ -404,7 +474,7 @@ t.test('trust-cmd via trust github with mismatched repo type but flag provided',
     },
   })
 
-  await npm.exec('trust', ['github', '--file', 'workflow.yml', '--repository', 'owner/new-repo'])
+  await npm.exec('trust', ['github', '--allow-publish', '--file', 'workflow.yml', '--repository', 'owner/new-repo'])
 
   t.ok(logs.warn.some(l => l.includes('Repository in package.json is not a GitHub repository')), 'warns about repository type mismatch')
 })
@@ -424,7 +494,7 @@ t.test('trust-cmd via trust github with different repo in package.json', async t
     },
   })
 
-  await npm.exec('trust', ['github', '--file', 'workflow.yml', '--repository', 'owner/new-repo'])
+  await npm.exec('trust', ['github', '--allow-publish', '--file', 'workflow.yml', '--repository', 'owner/new-repo'])
 
   t.ok(logs.warn.some(l => l.includes('differs from provided')), 'warns about repository mismatch')
 })
@@ -459,7 +529,7 @@ t.test('trust-cmd via trust github with user confirmation yes spelled out', asyn
 
   registry.trustCreate({ packageName })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 })
 
 t.test('trust-cmd via trust github showing response with id and type', async t => {
@@ -500,7 +570,7 @@ t.test('trust-cmd via trust github showing response with id and type', async t =
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 
   const output = joinedOutput()
   t.ok(output.includes('type:'), 'output shows type field')
@@ -520,7 +590,7 @@ t.test('trust-cmd via trust github missing repository when package name differs'
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml']),
     { message: /must be specified with repository option/ },
     'throws when no repository and package name differs'
   )
@@ -619,7 +689,7 @@ t.test('trust-cmd via trust github showing fromPackageJson indicator', async t =
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml'])
 
   const output = joinedOutput()
   t.ok(output.includes('from package.json'), 'output shows fromPackageJson indicator')
@@ -663,7 +733,7 @@ t.test('trust-cmd via trust github showing URLs for fields', async t => {
     },
   })
 
-  await npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
+  await npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli'])
 
   const output = joinedOutput()
   t.match(output, /https:\/\/github\.com\/npm\/cli\b/, 'output shows repository URL')
@@ -684,7 +754,7 @@ t.test('trust-cmd via trust github with yes=false flag', async t => {
   })
 
   await t.rejects(
-    npm.exec('trust', ['github', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
+    npm.exec('trust', ['github', '--allow-publish', packageName, '--file', 'workflow.yml', '--repository', 'npm/cli']),
     { message: /User cancelled operation/ },
     'throws when yes is explicitly false'
   )
@@ -846,3 +916,28 @@ t.test('TrustCommand - logOptions with urls but all values are null', async t =>
   t.ok(output.includes('file'), 'shows file field')
   t.notOk(output.includes('Links to verify manually'), 'does not show links header when all urls are null')
 })
+
+t.test('formatPermissions with unknown permission falls back to raw value', t => {
+  const result = TrustCommand.formatPermissions(['unknownPermission'])
+  t.equal(result, 'unknownPermission', 'returns raw value for unknown permission')
+  t.end()
+})
+
+t.test('displayResponseBody with empty body', async t => {
+  const { npm, joinedOutput } = await loadMockNpm(t, {
+    config: {
+      '//registry.npmjs.org/:_authToken': 'test-auth-token',
+    },
+  })
+
+  class TestTrustCmd extends TrustCommand {
+    static name = 'test'
+    static description = 'Test command'
+  }
+
+  const cmd = new TestTrustCmd(npm)
+  cmd.displayResponseBody({ body: [], packageName: '@npmcli/test-package' })
+
+  const output = joinedOutput()
+  t.match(output, /No trust configurations found/, 'shows no configurations message')
+})
diff --git a/deps/npm/test/lib/utils/allow-scripts-writer.js b/deps/npm/test/lib/utils/allow-scripts-writer.js
new file mode 100644
index 00000000000000..56314f8eb5a521
--- /dev/null
+++ b/deps/npm/test/lib/utils/allow-scripts-writer.js
@@ -0,0 +1,637 @@
+const t = require('tap')
+const path = require('node:path')
+const {
+  applyApprovalForPackage,
+  applyDenyForPackage,
+  nameKeyFor,
+  versionedKeyFor,
+  isSingleVersionPin,
+} = require('../../../lib/utils/allow-scripts-writer.js')
+
+const node = (overrides = {}) => {
+  const name = overrides.name ?? overrides.packageName ?? 'pkg'
+  const packageName = overrides.packageName ?? name
+  const version = overrides.version ?? '1.0.0'
+  const urlPkg = packageName
+  return {
+    name,
+    packageName,
+    version,
+    resolved: overrides.resolved
+      ?? `https://registry.npmjs.org/${urlPkg}/-/${urlPkg}-${version}.tgz`,
+    location: overrides.location ?? `node_modules/${name}`,
+    isRegistryDependency: overrides.isRegistryDependency ?? true,
+  }
+}
+
+t.test('nameKeyFor / versionedKeyFor — registry', async t => {
+  const n = node({ name: 'canvas', version: '2.11.0' })
+  t.equal(nameKeyFor(n), 'canvas')
+  t.equal(versionedKeyFor(n), 'canvas@2.11.0')
+})
+
+t.test('nameKeyFor / versionedKeyFor — git', async t => {
+  const n = node({
+    name: 'bar',
+    resolved: 'git+ssh://git@github.com/foo/bar.git#deadbeefcafebabe1234567890abcdef12345678',
+  })
+  t.equal(nameKeyFor(n), 'github:foo/bar')
+  t.equal(versionedKeyFor(n), 'github:foo/bar#deadbeefcafebabe1234567890abcdef12345678')
+})
+
+t.test('nameKeyFor / versionedKeyFor — file', async t => {
+  const n = node({ name: 'local', resolved: 'file:../local' })
+  t.equal(nameKeyFor(n), 'file:../local')
+  t.equal(versionedKeyFor(n), 'file:../local')
+})
+
+t.test('isSingleVersionPin', async t => {
+  t.ok(isSingleVersionPin('pkg@1.2.3'))
+  t.notOk(isSingleVersionPin('pkg'))
+  t.notOk(isSingleVersionPin('pkg@^1'))
+  t.notOk(isSingleVersionPin('pkg@1.2.3 || 2.0.0'))
+  t.notOk(isSingleVersionPin('@@@bad'))
+})
+
+t.test('applyApprovalForPackage — empty allowScripts, --pin', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    {},
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'canvas@2.11.0': true })
+  t.strictSame(changes, [{ key: 'canvas@2.11.0', change: 'added' }])
+})
+
+t.test('applyApprovalForPackage — empty allowScripts, --no-pin', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    {},
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, { canvas: true })
+  t.strictSame(changes, [{ key: 'canvas', change: 'added' }])
+})
+
+t.test('applyApprovalForPackage — stale pin rewritten to new installed version', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    { 'canvas@2.10.0': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'canvas@2.11.0': true })
+  t.match(changes, [
+    { key: 'canvas@2.10.0', change: 'removed-stale' },
+    { key: 'canvas@2.11.0', change: 'added' },
+  ])
+})
+
+t.test('applyApprovalForPackage — multi-version disjunction is preserved', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    { 'canvas@2.10.0 || 2.11.0': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, {
+    'canvas@2.10.0 || 2.11.0': true,
+    'canvas@2.11.0': true,
+  })
+})
+
+t.test('applyApprovalForPackage — already-allowed exact version is a no-op', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    { 'canvas@2.11.0': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'canvas@2.11.0': true })
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — existing deny wins, returns warning', async t => {
+  const { allowScripts, changes, warning } = applyApprovalForPackage(
+    { canvas: false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { canvas: false })
+  t.strictSame(changes, [])
+  t.match(warning, /canvas is denied/)
+})
+
+t.test('applyApprovalForPackage — versioned deny wins too', async t => {
+  const { changes, warning } = applyApprovalForPackage(
+    { 'canvas@2.11.0': false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(changes, [])
+  t.match(warning, /denied|versioned deny/)
+})
+
+t.test('applyApprovalForPackage — name-only existing, --no-pin no-op', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    { canvas: true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, { canvas: true })
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — --no-pin downgrades pinned entry to name-only', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    { 'canvas@2.10.0': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, { canvas: true })
+})
+
+t.test('applyApprovalForPackage — multiple installed versions write multiple pins', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [
+      node({ name: 'lodash', version: '4.17.21' }),
+      node({ name: 'lodash', version: '3.10.1' }),
+    ],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'lodash@3.10.1': true, 'lodash@4.17.21': true })
+})
+
+t.test('applyApprovalForPackage — keeps existing pin matching one installed, adds pin for other', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    { 'lodash@4.17.21': true },
+    [
+      node({ name: 'lodash', version: '4.17.21' }),
+      node({ name: 'lodash', version: '3.10.1' }),
+    ],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'lodash@3.10.1': true, 'lodash@4.17.21': true })
+})
+
+t.test('applyDenyForPackage — empty allowScripts adds name-only false', async t => {
+  const { allowScripts, changes } = applyDenyForPackage(
+    {},
+    [node({ name: 'core-js', version: '3.0.0' })]
+  )
+  t.strictSame(allowScripts, { 'core-js': false })
+  t.strictSame(changes, [{ key: 'core-js', change: 'added' }])
+})
+
+t.test('applyDenyForPackage — pinned allow is replaced by name-only deny', async t => {
+  const { allowScripts } = applyDenyForPackage(
+    { 'core-js@3.0.0': true },
+    [node({ name: 'core-js', version: '3.0.0' })]
+  )
+  t.strictSame(allowScripts, { 'core-js': false })
+})
+
+t.test('applyDenyForPackage — already-denied is a no-op', async t => {
+  const { changes } = applyDenyForPackage(
+    { 'core-js': false },
+    [node({ name: 'core-js', version: '3.0.0' })]
+  )
+  t.strictSame(changes, [])
+})
+
+t.test('applyDenyForPackage — name-only true is replaced by name-only false', async t => {
+  const { allowScripts } = applyDenyForPackage(
+    { 'core-js': true },
+    [node({ name: 'core-js', version: '3.0.0' })]
+  )
+  t.strictSame(allowScripts, { 'core-js': false })
+})
+
+t.test('applyApprovalForPackage — preserves unrelated entries', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    { other: true, 'unrelated@1.0.0': false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, {
+    other: true,
+    'unrelated@1.0.0': false,
+    'canvas@2.11.0': true,
+  })
+})
+
+t.test('applyApprovalForPackage — git node writes hosted shortcut with commit', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [node({
+      name: 'bar',
+      resolved: 'git+ssh://git@github.com/foo/bar.git#deadbeefcafebabe1234567890abcdef12345678',
+    })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, {
+    'github:foo/bar#deadbeefcafebabe1234567890abcdef12345678': true,
+  })
+})
+
+t.test('applyApprovalForPackage — git node --no-pin writes hosted shortcut without commit', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [node({
+      name: 'bar',
+      resolved: 'git+ssh://git@github.com/foo/bar.git#deadbeef',
+    })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, { 'github:foo/bar': true })
+})
+
+t.test('applyApprovalForPackage — file dep uses resolved as both keys', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [node({ name: 'local', resolved: 'file:../local' })],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'file:../local': true })
+})
+
+t.test('applyApprovalForPackage — empty nodes returns unchanged', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage({ x: true }, [], { pin: true })
+  t.strictSame(allowScripts, { x: true })
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — name-only entry is replaced by pin (RFC table)', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    { canvas: true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  // Per RFC table: pkg: true + --pin must upgrade to pkg@x.y.z: true.
+  // Both entries left behind would be wrong.
+  t.strictSame(allowScripts, { 'canvas@2.11.0': true })
+  t.match(changes, [
+    { key: 'canvas@2.11.0', change: 'added' },
+    { key: 'canvas', change: 'replaced-by-pin' },
+  ])
+})
+
+t.test('applyApprovalForPackage — name-only + multi-version installs replaces with all pins', async t => {
+  const { allowScripts } = applyApprovalForPackage(
+    { lodash: true },
+    [
+      node({ name: 'lodash', version: '4.17.21' }),
+      node({ name: 'lodash', version: '3.10.1' }),
+    ],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { 'lodash@3.10.1': true, 'lodash@4.17.21': true })
+})
+
+t.test('applyApprovalForPackage — name-only is preserved when --no-pin', async t => {
+  const { allowScripts, changes } = applyApprovalForPackage(
+    { canvas: true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, { canvas: true })
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — name-only NOT dropped when no pinning could happen', async t => {
+  // Node has no version, so installedKeys is empty. The name-only entry
+  // must NOT be dropped or we silently lose the policy.
+  const noVersion = { name: 'pkg', packageName: 'pkg', version: undefined, resolved: 'https://registry.npmjs.org/pkg/-/pkg-1.tgz' }
+  const { allowScripts } = applyApprovalForPackage(
+    { pkg: true },
+    [noVersion],
+    { pin: true }
+  )
+  t.strictSame(allowScripts, { pkg: true })
+})
+
+t.test('applyApprovalForPackage — convergent: running twice gives the same result', async t => {
+  // Start with stale state including a name-only entry.
+  const start = { canvas: true, 'canvas@2.10.0': true }
+  const nodes = [node({ name: 'canvas', version: '2.11.0' })]
+
+  const run1 = applyApprovalForPackage(start, nodes, { pin: true })
+  const run2 = applyApprovalForPackage(run1.allowScripts, nodes, { pin: true })
+
+  t.strictSame(run1.allowScripts, { 'canvas@2.11.0': true })
+  t.strictSame(run2.allowScripts, { 'canvas@2.11.0': true })
+  t.strictSame(run2.changes, [], 'second run is a no-op')
+})
+
+t.test('applyApprovalForPackage — deny still wins even when name-only is upgraded', async t => {
+  const { allowScripts, warning } = applyApprovalForPackage(
+    { canvas: true, 'canvas@2.11.0': false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  // Existing deny on the version blocks the approval.
+  t.strictSame(allowScripts, { canvas: true, 'canvas@2.11.0': false })
+  t.match(warning, /denied|versioned deny/)
+})
+
+t.test('keyTargetsNode — unparseable key returns false (via applyApproval)', async t => {
+  // An unparseable key in the existing object should be ignored.
+  const { allowScripts } = applyApprovalForPackage(
+    { '@@@invalid': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.equal(allowScripts['canvas@2.11.0'], true)
+  t.equal(allowScripts['@@@invalid'], true)
+})
+
+t.test('applyDenyForPackage — empty nodes array returns unchanged', async t => {
+  const { allowScripts, changes } = applyDenyForPackage({ existing: true }, [])
+  t.strictSame(allowScripts, { existing: true })
+  t.strictSame(changes, [])
+})
+
+t.test('applyDenyForPackage — node with no nameable identity is a no-op', async t => {
+  // A node whose resolved field is unparseable as a git URL and has no
+  // version/name produces a null name; the writer must short-circuit.
+  const weird = { name: '', packageName: '', version: undefined, resolved: undefined }
+  const { allowScripts, changes } = applyDenyForPackage({}, [weird])
+  t.strictSame(allowScripts, {})
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — file dep with deny entry blocks approval', async t => {
+  const { warning } = applyApprovalForPackage(
+    { 'file:../local': false },
+    [node({ name: 'local', resolved: 'file:../local' })],
+    { pin: true }
+  )
+  t.match(warning, /denied|versioned deny/)
+})
+
+t.test('applyApprovalForPackage — remote tarball deny blocks approval', async t => {
+  const remote = { name: 'pkg', packageName: 'pkg', version: '1.0.0', resolved: 'https://example.com/pkg.tgz' }
+  const { warning } = applyApprovalForPackage(
+    { 'https://example.com/pkg.tgz': false },
+    [remote],
+    { pin: true }
+  )
+  t.match(warning, /denied|versioned deny/)
+})
+
+t.test('applyApprovalForPackage — no-pin with no name produces no-op', async t => {
+  const weird = { name: '', packageName: '', resolved: 'git+ssh://no.parse' }
+  const { allowScripts, changes } = applyApprovalForPackage({}, [weird], { pin: false })
+  t.strictSame(allowScripts, {})
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — pin with no versioned key is a no-op', async t => {
+  const noVersion = { name: 'pkg', packageName: 'pkg', version: undefined, resolved: 'https://registry.npmjs.org/pkg/-/pkg-1.tgz' }
+  const { allowScripts, changes } = applyApprovalForPackage({}, [noVersion], { pin: true })
+  t.strictSame(allowScripts, {})
+  t.strictSame(changes, [])
+})
+
+t.test('applyApprovalForPackage — pin with no versioned key and existing name-only is no-op', async t => {
+  const noVersion = { name: 'pkg', packageName: 'pkg', version: undefined, resolved: 'https://registry.npmjs.org/pkg/-/pkg-1.tgz' }
+  const { changes } = applyApprovalForPackage({ pkg: true }, [noVersion], { pin: true })
+  t.strictSame(changes, [])
+})
+
+t.test('keyTargetsNode handles file with directory-typed key', async t => {
+  // A "directory" spec for a relative path.
+  const dirNode = { name: 'local', packageName: 'local', resolved: 'file:./local-dir' }
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [dirNode],
+    { pin: true }
+  )
+  t.equal(allowScripts['file:./local-dir'], true)
+})
+
+t.test('nameKeyFor / versionedKeyFor — null node', async t => {
+  t.equal(nameKeyFor(null), null)
+  t.equal(versionedKeyFor(null), null)
+})
+
+t.test('nameKeyFor / versionedKeyFor — non-hosted git url returns null', async t => {
+  const n = { name: 'pkg', packageName: 'pkg', resolved: 'git+https://example.invalid/foo/bar.git#abc' }
+  t.equal(nameKeyFor(n), null)
+  t.equal(versionedKeyFor(n), null)
+})
+
+t.test('versionedKeyFor — absolute path resolved field', async t => {
+  const n = { name: 'pkg', packageName: 'pkg', resolved: '/abs/path/local' }
+  t.equal(versionedKeyFor(n), '/abs/path/local')
+  t.equal(nameKeyFor(n), '/abs/path/local')
+})
+
+t.test('applyApprovalForPackage — node.resolved parse error in keyTargetsNode is safe', async t => {
+  // An existing git-style key for a package whose own resolved field
+  // doesn't parse: the key just doesn't target anything.
+  const gitNode = node({
+    name: 'bar',
+    resolved: 'git+ssh://git@github.com/foo/bar.git#abc',
+  })
+  // Add an explicit unparseable existing entry.
+  const { allowScripts } = applyApprovalForPackage(
+    { 'github:other/other': true },
+    [gitNode],
+    { pin: true }
+  )
+  // Existing entry unchanged; new git entry added.
+  t.equal(allowScripts['github:other/other'], true)
+  t.equal(allowScripts['github:foo/bar#abc'], true)
+})
+
+t.test('keyTargetsNode — alias key does not target anything (via writer)', async t => {
+  // Alias-typed key falls through the switch default.
+  const { allowScripts } = applyApprovalForPackage(
+    { 'foo@npm:bar@1.0.0': true },
+    [node({ name: 'foo', packageName: 'foo', version: '1.0.0' })],
+    { pin: true }
+  )
+  // Alias entry untouched, new pin added separately.
+  t.equal(allowScripts['foo@npm:bar@1.0.0'], true)
+  t.equal(allowScripts['foo@1.0.0'], true)
+})
+t.test('keyTargetsNode handles tag-type key', async t => {
+  // 'canvas@latest' parses as type='tag'. The writer should treat it like
+  // a name-only match (any installed version of canvas).
+  const { allowScripts } = applyApprovalForPackage(
+    { 'canvas@latest': true },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  // The tag key targets the canvas node (same package name), so the
+  // 'canvas@2.11.0' pin gets added; tag key is preserved.
+  t.equal(allowScripts['canvas@latest'], true)
+  t.equal(allowScripts['canvas@2.11.0'], true)
+})
+
+t.test('keyTargetsNode handles file-type tarball key matching saveSpec', async t => {
+  // 'file:pkg.tgz' parses as type='file' with saveSpec='file:pkg.tgz'.
+  const tarballNode = {
+    name: 'pkg',
+    packageName: 'pkg',
+    version: '1.0.0',
+    resolved: 'file:pkg.tgz',
+  }
+  const { allowScripts } = applyApprovalForPackage(
+    { 'file:pkg.tgz': false },
+    [tarballNode],
+    { pin: true }
+  )
+  // saveSpec match: deny wins, no pin added.
+  t.equal(allowScripts['file:pkg.tgz'], false)
+})
+
+t.test('keyTargetsNode handles file-type tarball key matching fetchSpec', async t => {
+  // When node.resolved is an absolute path matching parsed.fetchSpec.
+  // Use path.resolve so the absolute path is platform-correct (npa
+  // parses POSIX-style `/abs/...` as a directory on Windows).
+  const absTgz = path.resolve('pkg.tgz')
+  const tarballNode = {
+    name: 'pkg',
+    packageName: 'pkg',
+    version: '1.0.0',
+    resolved: absTgz,
+  }
+  const { allowScripts, warning } = applyApprovalForPackage(
+    { './pkg.tgz': false },
+    [tarballNode],
+    { pin: true }
+  )
+  t.equal(allowScripts['./pkg.tgz'], false)
+  t.match(warning, /denied|versioned deny/)
+})
+
+t.test('versionedKeyFor — git node without committish', async t => {
+  // versionedKeyFor's ternary takes the "no committish" branch.
+  t.equal(
+    versionedKeyFor({
+      name: 'bar',
+      resolved: 'git+ssh://git@github.com/foo/bar.git',
+    }),
+    'github:foo/bar'
+  )
+})
+
+t.test('versionedKeyFor / nameKeyFor — absolute path resolved field', async t => {
+  // Hits the `resolved.startsWith('/')` branch in both helpers.
+  const n = { name: 'pkg', packageName: 'pkg', resolved: '/abs/local-dir' }
+  t.equal(versionedKeyFor(n), '/abs/local-dir')
+  t.equal(nameKeyFor(n), '/abs/local-dir')
+})
+
+t.test('keyTargetsNode — git key against a node with no resolved field', async t => {
+  // Defensive: if existing has a git-shaped key and the installed node
+  // has no resolved field, keyTargetsNode bails out and no policy entry
+  // can be derived from untrusted sources.
+  const noResolved = { name: 'bar', packageName: 'bar', resolved: undefined }
+  const { allowScripts } = applyApprovalForPackage(
+    { 'github:foo/bar': true },
+    [noResolved],
+    { pin: false }
+  )
+  // Existing entry untouched. No new key written: nameKeyFor returns
+  // null for a node with no trusted identity source.
+  t.equal(allowScripts['github:foo/bar'], true)
+  t.notOk('bar' in allowScripts, 'no entry written under attacker-controlled node.name')
+})
+
+t.test('applyApprovalForPackage — default args (no options object)', async t => {
+  // Hits the `{ pin = true } = {}` default-arg branch.
+  const { allowScripts } = applyApprovalForPackage(
+    {},
+    [node({ name: 'canvas', version: '2.11.0' })]
+  )
+  t.strictSame(allowScripts, { 'canvas@2.11.0': true })
+})
+
+t.test('applyApprovalForPackage — deny-wins warning when node has no name', async t => {
+  // Hits the `name || 'this package'` fallback in the warning message.
+  const noName = { name: '', packageName: '', resolved: 'git+ssh://no.parse' }
+  const { warning } = applyApprovalForPackage(
+    { 'github:foo/bar': false },
+    [noName],
+    { pin: true }
+  )
+  // No keys target this node (its resolved doesn't parse to a hosted URL),
+  // so deny-wins doesn't trigger. Result is no warning.
+  t.notOk(warning)
+})
+
+t.test('denyWarning branches on key shape per RFC §approve-scripts', async t => {
+  // Name-only deny: only remedy is to remove the entry.
+  const nameOnly = applyApprovalForPackage(
+    { canvas: false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.match(nameOnly.warning, /remove the entry from allowScripts/)
+  t.notMatch(nameOnly.warning, /widen the deny/)
+
+  // Pinned deny on a different version: suggest both widen and remove.
+  const pinned = applyApprovalForPackage(
+    { 'canvas@2.10.0': false },
+    [node({ name: 'canvas', version: '2.10.0' })],
+    { pin: true }
+  )
+  t.match(pinned.warning, /versioned deny/)
+  t.match(pinned.warning, /npm deny-scripts canvas/)
+  t.match(pinned.warning, /widen the deny to all versions/)
+  t.match(pinned.warning, /remove the entry/)
+
+  // Multi-version deny disjunction: same as pinned (versioned).
+  const multi = applyApprovalForPackage(
+    { 'canvas@2.10.0 || 2.11.0': false },
+    [node({ name: 'canvas', version: '2.10.0' })],
+    { pin: true }
+  )
+  t.match(multi.warning, /versioned deny/)
+  t.match(multi.warning, /npm deny-scripts canvas/)
+})
+
+t.test('denyWarning: tag-type key (pkg@latest: false) is name-only', async t => {
+  // `canvas@latest` parses as type='tag'. Treat the same as a bare name.
+  const { warning } = applyApprovalForPackage(
+    { 'canvas@latest': false },
+    [node({ name: 'canvas', version: '2.11.0' })],
+    { pin: true }
+  )
+  t.match(warning, /remove the entry/)
+  t.notMatch(warning, /versioned deny/)
+})
+
+t.test('applyApprovalForPackage — multi-version entry + --pin=false adds name-only alongside', async t => {
+  // RFC table: existing `pkg@a.b.c || d.e.f: true` + installed `pkg@x.y.z`
+  // + --pin=false adds `pkg: true`. The multi-version disjunction stays
+  // (it captures intent the command can't infer), and the name-only
+  // entry is added.
+  const { allowScripts } = applyApprovalForPackage(
+    { 'canvas@1.0.0 || 2.0.0': true },
+    [node({ name: 'canvas', version: '3.0.0' })],
+    { pin: false }
+  )
+  t.strictSame(allowScripts, {
+    'canvas@1.0.0 || 2.0.0': true,
+    canvas: true,
+  })
+})
+
+t.test('versionedKeyFor — registry resolved that versionFromTgz cannot parse returns null', async t => {
+  // Private-registry mirror / alternate CDN URL shape that doesn't match
+  // the standard `/-/name-version.tgz` pattern. Exercises the log.silly
+  // breadcrumb path in versionedKeyFor, including each fallback branch
+  // of the `node.path || node.name || ''` label expression.
+  const resolved = 'https://private-mirror.example.com/blobs/abc123'
+  t.equal(versionedKeyFor({
+    path: '/fake/mystery', name: 'mystery', resolved, isRegistryDependency: true,
+  }), null, 'falls back when node has a path')
+  t.equal(versionedKeyFor({
+    name: 'mystery', resolved, isRegistryDependency: true,
+  }), null, 'falls back when node has only a name')
+  t.equal(versionedKeyFor({
+    resolved, isRegistryDependency: true,
+  }), null, 'falls back when node has neither path nor name')
+})
diff --git a/deps/npm/test/lib/utils/check-allow-scripts.js b/deps/npm/test/lib/utils/check-allow-scripts.js
new file mode 100644
index 00000000000000..8dea9674375df4
--- /dev/null
+++ b/deps/npm/test/lib/utils/check-allow-scripts.js
@@ -0,0 +1,263 @@
+const t = require('tap')
+
+const mockCheck = (t, mocks = {}) =>
+  t.mock('../../../lib/utils/check-allow-scripts.js', mocks)
+
+// Build a minimal "arborist tree" fixture for the walker.
+const arb = ({ nodes, allowScripts = null, ignoreScripts = false } = {}) => ({
+  options: { allowScripts, ignoreScripts },
+  actualTree: {
+    inventory: new Map(nodes.map((n, i) => [`node_modules/${n.name || `n${i}`}`, n])),
+  },
+})
+
+const node = ({
+  name = 'pkg',
+  packageName,
+  version = '1.0.0',
+  resolved,
+  scripts = {},
+  gypfile,
+  path: nodePath = `/fake/${name}`,
+  isProjectRoot = false,
+  isWorkspace = false,
+  isLink = false,
+  isRegistryDependency,
+} = {}) => {
+  const pkgName = packageName ?? name
+  const resolvedUrl = resolved
+    ?? `https://registry.npmjs.org/${pkgName}/-/${pkgName}-${version}.tgz`
+  // Default isRegistryDependency to match the shape of resolved: registry
+  // tarballs are registry, anything else (git, file, remote) is not.
+  const isReg = isRegistryDependency ?? /^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(resolvedUrl)
+  return {
+    name,
+    packageName: pkgName,
+    version,
+    resolved: resolvedUrl,
+    location: `node_modules/${name}`,
+    isRegistryDependency: isReg,
+    path: nodePath,
+    isProjectRoot,
+    isWorkspace,
+    isLink,
+    package: { scripts, ...(gypfile !== undefined ? { gypfile } : {}) },
+  }
+}
+
+t.test('returns [] when ignoreScripts is set', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [node({ scripts: { install: 'do-stuff' } })],
+      ignoreScripts: true,
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('returns [] when dangerouslyAllowAllScripts is set', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({ nodes: [node({ scripts: { install: 'do-stuff' } })] }),
+    npm: { flatOptions: { dangerouslyAllowAllScripts: true } },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('skips project root, workspace, and linked nodes', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        node({ name: 'root', scripts: { install: 'x' }, isProjectRoot: true }),
+        node({ name: 'ws', scripts: { install: 'x' }, isWorkspace: true }),
+        node({ name: 'linked', scripts: { install: 'x' }, isLink: true }),
+      ],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('skips nodes with no install-relevant scripts', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [node({ scripts: { test: 'jest' } })],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('includes nodes with preinstall/install/postinstall', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        node({ name: 'a', scripts: { preinstall: 'pre' } }),
+        node({ name: 'b', scripts: { install: 'inst' } }),
+        node({ name: 'c', scripts: { postinstall: 'post' } }),
+      ],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 3)
+  t.strictSame(result[0].scripts, { preinstall: 'pre' })
+  t.strictSame(result[1].scripts, { install: 'inst' })
+  t.strictSame(result[2].scripts, { postinstall: 'post' })
+})
+
+t.test('prepare counts for non-registry sources only', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        // registry: prepare ignored
+        node({
+          name: 'registry-pkg',
+          resolved: 'https://registry.npmjs.org/registry-pkg/-/registry-pkg-1.0.0.tgz',
+          scripts: { prepare: 'do' },
+        }),
+        // git: prepare counts
+        node({
+          name: 'git-pkg',
+          resolved: 'git+ssh://git@github.com/foo/bar.git#abcdef0123456789',
+          scripts: { prepare: 'do' },
+        }),
+      ],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 1)
+  t.equal(result[0].node.name, 'git-pkg')
+})
+
+t.test('detects synthetic node-gyp via binding.gyp runtime check', async t => {
+  const checkAllowScripts = mockCheck(t, {
+    '@npmcli/arborist/lib/install-scripts.js': async (n) => {
+      if (n.path === '/has-bindings') {
+        return { install: 'node-gyp rebuild' }
+      }
+      return {}
+    },
+  })
+
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        node({ name: 'native', path: '/has-bindings' }),
+        node({ name: 'pure-js', path: '/no-bindings' }),
+      ],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 1)
+  t.equal(result[0].node.name, 'native')
+  t.strictSame(result[0].scripts, { install: 'node-gyp rebuild' })
+})
+
+t.test('skips node-gyp detection when gypfile is explicitly false', async t => {
+  // Mock returns no scripts to simulate the gypfile:false short-circuit
+  // inside getInstallScripts.
+  const checkAllowScripts = mockCheck(t, {
+    '@npmcli/arborist/lib/install-scripts.js': async () => ({}),
+  })
+
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [node({ name: 'opt-out', gypfile: false })],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('skips approved nodes', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [node({ name: 'allowed', scripts: { install: 'x' } })],
+      allowScripts: { allowed: true },
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('skips denied nodes (false counts as reviewed)', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [node({ name: 'denied', scripts: { install: 'x' } })],
+      allowScripts: { denied: false },
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('includes unreviewed nodes when policy is set but does not cover them', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        node({ name: 'allowed', scripts: { install: 'x' } }),
+        node({ name: 'unreviewed', scripts: { install: 'y' } }),
+      ],
+      allowScripts: { allowed: true },
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 1)
+  t.equal(result[0].node.name, 'unreviewed')
+})
+
+t.test('reports every install-script node when no policy is set', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [
+        node({ name: 'a', scripts: { install: 'x' } }),
+        node({ name: 'b', scripts: { postinstall: 'y' } }),
+      ],
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 2)
+})
+
+t.test('survives missing actualTree', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const result = await checkAllowScripts({
+    arb: { options: {} },
+    npm: { flatOptions: {} },
+  })
+  t.strictSame(result, [])
+})
+
+t.test('bundled dep with install scripts is reported as unreviewed regardless of policy', async t => {
+  const checkAllowScripts = mockCheck(t)
+  const bundled = node({
+    name: 'bundled-pkg',
+    version: '1.0.0',
+    resolved: undefined,
+    scripts: { install: 'do-stuff' },
+  })
+  bundled.inBundle = true
+
+  const result = await checkAllowScripts({
+    arb: arb({
+      nodes: [bundled],
+      // Policy explicitly allows the bundled name — the matcher should
+      // still return null and the walker should still flag the bundled
+      // dep as unreviewed.
+      allowScripts: { 'bundled-pkg': true },
+    }),
+    npm: { flatOptions: {} },
+  })
+  t.equal(result.length, 1, 'bundled dep flagged despite explicit allow entry')
+  t.equal(result[0].node, bundled)
+})
diff --git a/deps/npm/test/lib/utils/display.js b/deps/npm/test/lib/utils/display.js
index 89c4a855028490..b33ab69a365944 100644
--- a/deps/npm/test/lib/utils/display.js
+++ b/deps/npm/test/lib/utils/display.js
@@ -271,6 +271,35 @@ t.test('Display.clean', async (t) => {
   }
 })
 
+t.test('json output redacts by default', async t => {
+  // Do not set redact: false globally in the json flush path of display.js.
+  // If a command needs unredacted output (e.g. UUIDs), pass
+  // { [META]: true, redact: false } at the call site via output.standard().
+  const { META } = require('proc-log')
+  const { output, outputs, clearOutput } = await mockDisplay(t)
+
+  output.buffer({
+    url: 'https://registry.npmjs.org/',
+    id: '550e8400-e29b-41d4-a716-446655440000',
+  })
+  output.flush({ [META]: true, json: true })
+
+  t.equal(outputs.length, 1, 'one output')
+  const parsed = JSON.parse(outputs[0])
+  t.equal(parsed.id, '***', 'uuid values are redacted in json output')
+
+  // commands that need unredacted output should use output.standard
+  // with redact: false at the call site instead of disabling globally
+  clearOutput()
+  output.standard(
+    JSON.stringify({ id: '550e8400-e29b-41d4-a716-446655440000' }, null, 2),
+    { [META]: true, redact: false }
+  )
+  const inlineParsed = JSON.parse(outputs[0])
+  t.equal(inlineParsed.id, '550e8400-e29b-41d4-a716-446655440000',
+    'inline redact: false preserves uuid values')
+})
+
 t.test('prompt functionality', async t => {
   t.test('regular prompt completion works', async t => {
     const { input } = await mockDisplay(t)
diff --git a/deps/npm/test/lib/utils/key-values.js b/deps/npm/test/lib/utils/key-values.js
new file mode 100644
index 00000000000000..5e61f9e55fe596
--- /dev/null
+++ b/deps/npm/test/lib/utils/key-values.js
@@ -0,0 +1,84 @@
+const t = require('tap')
+const { logObject, logStageItem, defaultPredicate } = require('../../../lib/utils/key-values.js')
+const { load: loadMockNpm } = require('../../fixtures/mock-npm.js')
+
+t.test('defaultPredicate skips null and undefined', t => {
+  const chalk = { green: v => v }
+  t.equal(defaultPredicate('k', null, chalk), null)
+  t.equal(defaultPredicate('k', undefined, chalk), null)
+  t.equal(defaultPredicate('k', 'val', chalk), 'val')
+  t.end()
+})
+
+t.test('logObject json mode', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logObject({ a: 1, b: 2 }, { chalk, json: true })
+  const out = JSON.parse(joinedOutput())
+  t.same(out, { a: 1, b: 2 })
+})
+
+t.test('logObject skips null values with default predicate', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logObject({ a: 'yes', b: null, c: 'also' }, { chalk })
+  const out = joinedOutput()
+  t.match(out, /a: yes/)
+  t.match(out, /c: also/)
+  t.notMatch(out, /b:/)
+})
+
+t.test('logStageItem includes extra properties', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logStageItem({
+    id: 'abc',
+    packageName: 'pkg',
+    version: '1.0.0',
+    tag: 'latest',
+    createdAt: '2026-01-01',
+    actor: 'user',
+    actorType: 'human',
+    shasum: 'sha1',
+    extra: 'bonus',
+  }, { chalk })
+  const out = joinedOutput()
+  t.match(out, /extra: bonus/)
+  t.match(out, /package name: pkg/)
+})
+
+t.test('logObject with custom predicate', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logObject({ a: 'one', b: 'two' }, {
+    chalk,
+    predicate: (key, value) => `[${value}]`,
+  })
+  const out = joinedOutput()
+  t.match(out, /a: \[one\]/)
+  t.match(out, /b: \[two\]/)
+})
+
+t.test('logStageItem without actorType shows actor alone', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logStageItem({
+    id: 'abc',
+    packageName: 'pkg',
+    version: '1.0.0',
+    tag: 'latest',
+    createdAt: '2026-01-01',
+    actor: 'user',
+    shasum: 'sha1',
+  }, { chalk })
+  const out = joinedOutput()
+  t.match(out, /staged by: user/)
+  t.notMatch(out, /\(/)
+})
+
+t.test('logObject with all values skipped produces no output', async t => {
+  const { joinedOutput } = await loadMockNpm(t)
+  const chalk = { cyan: v => v, green: v => v }
+  logObject({ a: null, b: undefined }, { chalk })
+  t.equal(joinedOutput(), '')
+})
diff --git a/deps/npm/test/lib/utils/reify-output.js b/deps/npm/test/lib/utils/reify-output.js
index 134951e40aabd1..b1bc92b1c77aed 100644
--- a/deps/npm/test/lib/utils/reify-output.js
+++ b/deps/npm/test/lib/utils/reify-output.js
@@ -448,3 +448,114 @@ t.test('prints dedupe difference on long', async t => {
 
   t.matchSnapshot(out, 'diff table')
 })
+
+t.test('prints unreviewed install scripts summary', async t => {
+  const mockReifyWithExtras = async (t, reify, extras, { command, ...config } = {}) => {
+    const mock = await mockNpm(t, { command, config })
+    Object.defineProperty(mock.npm, 'command', {
+      get () {
+        return command
+      },
+      enumerable: true,
+    })
+    reifyOutput(mock.npm, reify, extras)
+    mock.npm.finish()
+    return mock
+  }
+
+  const baseReify = {
+    actualTree: { name: 'host', inventory: { has: () => false } },
+    diff: { children: [] },
+  }
+
+  const unreviewedScripts = [
+    {
+      node: { packageName: 'canvas', name: 'canvas', version: '2.11.0', path: '/x/canvas' },
+      scripts: { install: 'node-gyp rebuild' },
+    },
+    {
+      node: { packageName: 'sharp', name: 'sharp', version: '0.33.2', path: '/x/sharp' },
+      scripts: { preinstall: 'pre', postinstall: 'post' },
+    },
+  ]
+
+  const mock = await mockReifyWithExtras(t, baseReify, { unreviewedScripts })
+  const warn = mock.logs.warn.byTitle('allow-scripts').join('\n')
+  t.match(warn, /2 packages have install scripts not yet covered/)
+  t.match(warn, /canvas@2\.11\.0 \(install: node-gyp rebuild\)/)
+  t.match(warn, /sharp@0\.33\.2 \(preinstall: pre; postinstall: post\)/)
+  t.match(warn, /npm approve-scripts --allow-scripts-pending/)
+})
+
+t.test('single unreviewed script uses singular wording', async t => {
+  const mockReifyWithExtras = async (t, reify, extras) => {
+    const mock = await mockNpm(t, {})
+    reifyOutput(mock.npm, reify, extras)
+    mock.npm.finish()
+    return mock
+  }
+
+  const mock = await mockReifyWithExtras(
+    t,
+    { actualTree: { inventory: { has: () => false } }, diff: { children: [] } },
+    {
+      unreviewedScripts: [{
+        node: { packageName: 'one', name: 'one', version: '1.0.0', path: '/x' },
+        scripts: { install: 'do' },
+      }],
+    }
+  )
+  t.match(mock.logs.warn.byTitle('allow-scripts').join('\n'), /1 package has install scripts/)
+})
+
+t.test('json output includes unreviewedScripts', async t => {
+  const mock = await mockNpm(t, { config: { json: true } })
+  reifyOutput(mock.npm, {
+    actualTree: { inventory: { size: 0 } },
+    diff: null,
+  }, {
+    unreviewedScripts: [{
+      node: { packageName: 'pkg', name: 'pkg', version: '1.0.0', path: '/x' },
+      scripts: { install: 'cmd' },
+    }],
+  })
+  mock.npm.finish()
+  const parsed = JSON.parse(mock.joinedOutput())
+  t.match(parsed.unreviewedScripts, [{
+    name: 'pkg',
+    version: '1.0.0',
+    path: '/x',
+    scripts: { install: 'cmd' },
+  }])
+})
+
+t.test('unreviewed script with node.name only (no packageName) still renders', async t => {
+  const mock = await mockNpm(t, {})
+  reifyOutput(mock.npm, {
+    actualTree: { inventory: { has: () => false } },
+    diff: { children: [] },
+  }, {
+    unreviewedScripts: [{
+      node: { name: 'fallback', path: '/x' }, // no packageName, no version
+      scripts: { install: 'cmd' },
+    }],
+  })
+  mock.npm.finish()
+  t.match(mock.logs.warn.byTitle('allow-scripts').join('\n'), / fallback \(install: cmd\)/)
+})
+
+t.test('json output includes node.name when packageName is missing', async t => {
+  const mock = await mockNpm(t, { config: { json: true } })
+  reifyOutput(mock.npm, {
+    actualTree: { inventory: { size: 0 } },
+    diff: null,
+  }, {
+    unreviewedScripts: [{
+      node: { name: 'fallback', path: '/x' },
+      scripts: { install: 'cmd' },
+    }],
+  })
+  mock.npm.finish()
+  const parsed = JSON.parse(mock.joinedOutput())
+  t.equal(parsed.unreviewedScripts[0].name, 'fallback')
+})
diff --git a/deps/npm/test/lib/utils/resolve-allow-scripts.js b/deps/npm/test/lib/utils/resolve-allow-scripts.js
new file mode 100644
index 00000000000000..0d6cdb8c040ac9
--- /dev/null
+++ b/deps/npm/test/lib/utils/resolve-allow-scripts.js
@@ -0,0 +1,347 @@
+const t = require('tap')
+const mockNpm = require('../../fixtures/mock-npm')
+const tmock = require('../../fixtures/tmock')
+
+const loadResolver = (t) => tmock(t, '{LIB}/utils/resolve-allow-scripts.js')
+
+// Helper that simulates config layering. `cliConfig` sets the value at
+// the 'cli' source; `npmrcConfig` sets it at the 'user' source. mockNpm
+// puts all `config` keys into the 'cli' source by default, so for npmrc
+// tests we use an .npmrc file instead.
+
+t.test('returns null when no policy is set anywhere', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: { 'package.json': JSON.stringify({ name: 'p' }) },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.strictSame(result, { policy: null, source: null })
+})
+
+t.test('global install: skips package.json but still consults CLI', async t => {
+  const { npm } = await mockNpm(t, {
+    config: { global: true, 'allow-scripts': 'canvas' },
+    prefixDir: { 'package.json': JSON.stringify({ name: 'p', allowScripts: { sharp: true } }) },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, 'cli')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('global install: skips package.json but still consults .npmrc', async t => {
+  const { npm } = await mockNpm(t, {
+    config: { global: true },
+    homeDir: { '.npmrc': 'allow-scripts = canvas' },
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'p', allowScripts: { sharp: true } }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('global install with no CLI or .npmrc returns null', async t => {
+  const { npm } = await mockNpm(t, {
+    config: { global: true },
+    prefixDir: { 'package.json': JSON.stringify({ name: 'p', allowScripts: { x: true } }) },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.strictSame(result, { policy: null, source: null })
+})
+
+t.test('reads from package.json when only package.json is set', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { canvas: true, 'core-js': false, 'sharp@0.33.2': true },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, { canvas: true, 'core-js': false, 'sharp@0.33.2': true })
+})
+
+t.test('--allow-scripts CLI flag is rejected in project-scoped installs', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+    },
+    // mock-npm puts all config keys at the 'cli' source.
+    config: { 'allow-scripts': 'canvas' },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  await t.rejects(
+    resolveAllowScripts(mock.npm),
+    { code: 'EALLOWSCRIPTS', message: /--allow-scripts is not allowed/ }
+  )
+})
+
+t.test('--allow-scripts CLI flag is accepted in global installs (RFC layer 1 wins)', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+    },
+    config: { 'allow-scripts': 'canvas', global: true },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, 'cli')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('package.json wins over .npmrc setting (RFC layer 2 > layer 3)', async t => {
+  // Put the allow-scripts setting in an .npmrc file so it loads at the
+  // 'user' source, not 'cli'.
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, { sharp: true })
+  t.match(
+    mock.logs.warn.byTitle('allow-scripts'),
+    [/\.npmrc allow-scripts setting is being ignored because package.json/]
+  )
+})
+
+t.test('.npmrc setting is used when nothing higher is set', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'p' }),
+      '.npmrc': 'allow-scripts = canvas, sharp',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true, sharp: true })
+})
+
+t.test('--allow-scripts CLI flag is accepted via skipProjectConfig (npm exec)', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'p' }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+    config: { 'allow-scripts': 'sharp' },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm, { skipProjectConfig: true })
+  t.equal(result.source, 'cli')
+  t.strictSame(result.policy, { sharp: true })
+  t.match(
+    mock.logs.warn.byTitle('allow-scripts'),
+    [/\.npmrc allow-scripts setting is being ignored because --allow-scripts/]
+  )
+})
+
+t.test('empty allowScripts object in package.json falls through to .npmrc', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'p', allowScripts: {} }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('missing package.json with .npmrc setting uses .npmrc', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      '.npmrc': 'allow-scripts = canvas',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('reads from npm.prefix, not cwd, so workspace sub-installs find root policy', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'root',
+        workspaces: ['packages/*'],
+        allowScripts: { sharp: true },
+      }),
+      packages: {
+        sub: { 'package.json': JSON.stringify({ name: 'sub' }) },
+      },
+    },
+    chdir: ({ prefix }) => require('node:path').join(prefix, 'packages', 'sub'),
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, { sharp: true })
+})
+
+t.test('drops package.json entries with forbidden semver ranges and warns', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: {
+          'sharp@^0.33.0': true, // forbidden: caret range
+          'canvas@~2.11.0': true, // forbidden: tilde range
+          'core-js@>=3.0.0': true, // forbidden: gte range
+          'good@1.2.3': true, // OK: exact pin
+          'also-good': true, // OK: bare name
+          'disjunction@1.0.0 || 2.0.0': true, // OK: exact disjunction
+        },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, {
+    'good@1.2.3': true,
+    'also-good': true,
+    'disjunction@1.0.0 || 2.0.0': true,
+  })
+  const warnings = mock.logs.warn.byTitle('allow-scripts')
+  t.equal(warnings.filter(m => /semver ranges/.test(m)).length, 3)
+})
+
+t.test('drops package.json entries with dist-tag specs and warns', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: {
+          'sharp@latest': true, // forbidden: dist-tag
+          'canvas@next': true, // forbidden: dist-tag
+          'good@1.2.3': true, // OK: exact pin
+        },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, { 'good@1.2.3': true })
+  const warnings = mock.logs.warn.byTitle('allow-scripts')
+  t.equal(warnings.filter(m => /dist-tag specs/.test(m)).length, 2)
+})
+
+t.test('drops .npmrc forbidden ranges (and warns) but keeps valid entries', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({ name: 'p' }),
+      '.npmrc': 'allow-scripts = canvas, sharp@^0.33.0, lodash@4.17.21',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true, 'lodash@4.17.21': true })
+  const warnings = mock.logs.warn.byTitle('allow-scripts')
+  t.ok(warnings.some(m => /sharp@\^0\.33\.0/.test(m) && /semver ranges/.test(m)))
+})
+
+t.test('drops package.json entries that fail npa parse', async t => {
+  const mock = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: {
+          '@@@invalid@@@': true,
+          good: true,
+        },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(mock.npm)
+  t.equal(result.source, 'package.json')
+  t.strictSame(result.policy, { good: true })
+  t.ok(mock.logs.warn.byTitle('allow-scripts').some(m => /unparseable/.test(m)))
+})
+
+t.test('returns null when all package.json entries are dropped as invalid', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { 'sharp@^0.33.0': true },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm)
+  t.strictSame(result, { policy: null, source: null })
+})
+
+t.test('skipProjectConfig: ignores package.json even when present', async t => {
+  // Per RFC line 299, exec/npx consults only user/global .npmrc.
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm, { skipProjectConfig: true })
+  // package.json is skipped, falls through to .npmrc.
+  t.equal(result.source, '.npmrc')
+  t.strictSame(result.policy, { canvas: true })
+})
+
+t.test('skipProjectConfig: CLI still wins over .npmrc', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+      '.npmrc': 'allow-scripts = canvas',
+    },
+    config: { 'allow-scripts': 'lodash' },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm, { skipProjectConfig: true })
+  t.equal(result.source, 'cli')
+  t.strictSame(result.policy, { lodash: true })
+})
+
+t.test('skipProjectConfig: returns null when only package.json is set', async t => {
+  const { npm } = await mockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'p',
+        allowScripts: { sharp: true },
+      }),
+    },
+  })
+  const resolveAllowScripts = loadResolver(t)
+  const result = await resolveAllowScripts(npm, { skipProjectConfig: true })
+  t.strictSame(result, { policy: null, source: null })
+})
diff --git a/deps/npm/test/lib/utils/sbom-cyclonedx.js b/deps/npm/test/lib/utils/sbom-cyclonedx.js
index fc30130f1fae72..ea569d41c57d8b 100644
--- a/deps/npm/test/lib/utils/sbom-cyclonedx.js
+++ b/deps/npm/test/lib/utils/sbom-cyclonedx.js
@@ -291,6 +291,25 @@ t.test('node - with duplicate deps', t => {
   t.end()
 })
 
+t.test('node - with duplicate edges to same dep', t => {
+  // A node can have multiple outgoing edges resolving to the same
+  // `name@version` (e.g. a direct `dep1: ^1` plus an alias
+  // `dep1-aliased: npm:dep1@^1`). The resulting `dependsOn` array must
+  // still contain each ref at most once, since CycloneDX 1.5 requires
+  // unique items.
+  const node = {
+    ...root,
+    edgesOut: [
+      { to: dep1 },
+      { to: dep1 },
+    ],
+  }
+  const res = cyclonedxOutput({ npm, nodes: [node, dep1] })
+  t.same(res.dependencies[0].dependsOn, ['dep1@0.0.1'])
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
 // Check that all of the generated test snapshots validate against the CycloneDX schema
 t.test('schema validation', t => {
   // Load schemas
diff --git a/deps/npm/test/lib/utils/sbom-spdx.js b/deps/npm/test/lib/utils/sbom-spdx.js
index cdeb68218ee332..d2599b0824510c 100644
--- a/deps/npm/test/lib/utils/sbom-spdx.js
+++ b/deps/npm/test/lib/utils/sbom-spdx.js
@@ -256,6 +256,27 @@ t.test('node - with duplicate deps', t => {
   t.end()
 })
 
+t.test('node - with duplicate edges to same dep', t => {
+  // A node can have multiple outgoing edges resolving to the same
+  // `name@version` of the same edge type (e.g. a direct `dep1: ^1` plus an
+  // alias `dep1-aliased: npm:dep1@^1`). The resulting relationships must
+  // still be unique per (source, target, type) triple.
+  const node = { ...root,
+    edgesOut: [
+      { to: dep1 },
+      { to: dep1 },
+    ] }
+  const res = spdxOutput({ npm, nodes: [node, dep1] })
+  const depRels = res.relationships.filter(
+    r => r.spdxElementId === 'SPDXRef-Package-dep1-0.0.1'
+      && r.relatedSpdxElement === 'SPDXRef-Package-root-1.0.0'
+      && r.relationshipType === 'DEPENDENCY_OF'
+  )
+  t.equal(depRels.length, 1)
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
 // Check that all of the generated test snapshots validate against the SPDX schema
 t.test('schema validation', t => {
   const ajv = new Ajv()
diff --git a/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js b/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js
new file mode 100644
index 00000000000000..e246c68998c451
--- /dev/null
+++ b/deps/npm/test/lib/utils/strict-allow-scripts-preflight.js
@@ -0,0 +1,191 @@
+const t = require('tap')
+
+const preflight = require('../../../lib/utils/strict-allow-scripts-preflight.js')
+
+// Build a node fixture that checkAllowScripts will pick up as "unreviewed":
+// registry-resolved, hasInstallScript true, not project root / workspace /
+// link, and no allowScripts entry covering it.
+const node = ({
+  name = 'pkg',
+  version = '1.0.0',
+  scripts = { install: 'node-gyp rebuild' },
+} = {}) => ({
+  name,
+  resolved: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`,
+  hasInstallScript: !!Object.keys(scripts).length,
+  path: `/fake/${name}`,
+  isProjectRoot: false,
+  isWorkspace: false,
+  isLink: false,
+  package: { name, version, scripts },
+})
+
+const tree = (nodes) => ({
+  inventory: new Map(nodes.map((n, i) => [`node_modules/${n.name}-${i}`, n])),
+})
+
+const makeArb = ({ ideal, actual, allowScripts = null } = {}) => {
+  const arb = {
+    options: { allowScripts, ignoreScripts: false },
+    idealTree: ideal ?? null,
+    actualTree: actual ?? null,
+  }
+  arb.buildIdealTree = async () => arb.idealTree
+  return arb
+}
+
+t.test('no-op when strictAllowScripts is not set', async t => {
+  const arb = makeArb({ ideal: tree([node()]) })
+  await preflight({ arb, npm: { flatOptions: {} }, idealTreeOpts: {} })
+  t.pass('returned without throwing')
+})
+
+t.test('no-op when dangerouslyAllowAllScripts overrides', async t => {
+  const arb = makeArb({ ideal: tree([node()]) })
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true, dangerouslyAllowAllScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.pass('returned without throwing')
+})
+
+t.test('no-op when ignoreScripts overrides', async t => {
+  const arb = makeArb({ ideal: tree([node()]) })
+  arb.options.ignoreScripts = true
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.pass('returned without throwing')
+})
+
+t.test('throws when unreviewed install scripts exist (idealTree path)', async t => {
+  const arb = makeArb({ ideal: tree([node({ name: 'canvas' }), node({ name: 'sharp' })]) })
+  await t.rejects(
+    preflight({
+      arb,
+      npm: { flatOptions: { strictAllowScripts: true } },
+      idealTreeOpts: {},
+    }),
+    {
+      code: 'ESTRICTALLOWSCRIPTS',
+      message: /2 package\(s\) have install scripts not covered/,
+    }
+  )
+})
+
+t.test('passes when all install-script nodes are explicitly approved', async t => {
+  const arb = makeArb({
+    ideal: tree([node({ name: 'canvas' })]),
+    allowScripts: { canvas: true },
+  })
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.pass('no error thrown')
+})
+
+t.test('passes when all install-script nodes are explicitly denied', async t => {
+  const arb = makeArb({
+    ideal: tree([node({ name: 'canvas' })]),
+    allowScripts: { canvas: false },
+  })
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.pass('no error thrown')
+})
+
+t.test('skips buildIdealTree when arb.idealTree already exists (npm ci path)', async t => {
+  // `npm ci` builds the ideal tree before calling the preflight. The
+  // helper must not rebuild it.
+  const ideal = tree([node({ name: 'pre-built' })])
+  const arb = makeArb({ ideal, allowScripts: { 'pre-built': true } })
+  let buildCalls = 0
+  arb.buildIdealTree = async () => {
+    buildCalls++
+    return arb.idealTree
+  }
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.equal(buildCalls, 0, 'buildIdealTree was not called a second time')
+})
+
+t.test('builds the ideal tree when arb.idealTree is empty (npm install path)', async t => {
+  // `npm install` does not pre-build the ideal tree. The helper must
+  // build it so checkAllowScripts has something to walk.
+  const arb = makeArb({ allowScripts: { 'fresh-pkg': true } })
+  let buildCalls = 0
+  arb.buildIdealTree = async () => {
+    buildCalls++
+    arb.idealTree = tree([node({ name: 'fresh-pkg' })])
+  }
+  await preflight({
+    arb,
+    npm: { flatOptions: { strictAllowScripts: true } },
+    idealTreeOpts: {},
+  })
+  t.equal(buildCalls, 1, 'buildIdealTree was called once')
+})
+
+t.test('uses actualTree when idealTreeOpts is not provided (rebuild path)', async t => {
+  const arb = makeArb({ actual: tree([node({ name: 'rebuild-pkg' })]) })
+  await t.rejects(
+    preflight({
+      arb,
+      npm: { flatOptions: { strictAllowScripts: true } },
+    }),
+    {
+      code: 'ESTRICTALLOWSCRIPTS',
+      message: /rebuild-pkg@1\.0\.0/,
+    }
+  )
+})
+
+t.test('error message includes script bodies', async t => {
+  const arb = makeArb({
+    ideal: tree([node({ name: 'canvas', version: '2.11.0', scripts: { install: 'node-gyp rebuild' } })]),
+  })
+  await t.rejects(
+    preflight({
+      arb,
+      npm: { flatOptions: { strictAllowScripts: true } },
+      idealTreeOpts: {},
+    }),
+    { message: /canvas@2\.11\.0 \(install: node-gyp rebuild\)/ }
+  )
+})
+
+t.test('error label falls back to node.name when package.version is missing', async t => {
+  // Exercises the `version ? '${name}@${version}' : name` branch in the
+  // error formatter when a node has no package.version (and the name
+  // falls back to node.name via `node.package?.name || node.name`).
+  const bare = {
+    name: 'no-version-pkg',
+    resolved: 'https://registry.npmjs.org/no-version-pkg/-/no-version-pkg-1.0.0.tgz',
+    hasInstallScript: true,
+    path: '/fake/no-version-pkg',
+    isProjectRoot: false,
+    isWorkspace: false,
+    isLink: false,
+    package: { scripts: { install: 'node-gyp rebuild' } },
+  }
+  const arb = makeArb({ ideal: tree([bare]) })
+  await t.rejects(
+    preflight({
+      arb,
+      npm: { flatOptions: { strictAllowScripts: true } },
+      idealTreeOpts: {},
+    }),
+    { message: /no-version-pkg \(install: node-gyp rebuild\)/ }
+  )
+})
diff --git a/deps/npm/test/lib/utils/tar.js b/deps/npm/test/lib/utils/tar.js
index 85a95e57766855..3eff023ccec999 100644
--- a/deps/npm/test/lib/utils/tar.js
+++ b/deps/npm/test/lib/utils/tar.js
@@ -109,6 +109,20 @@ t.test('should log tarball contents with unicode', async (t) => {
   t.end()
 })
 
+t.test('logTar with json and no key emits bare tarball object', async (t) => {
+  const buffered = []
+  const logTar = tmock(t, '{LIB}/utils/tar.js', {
+    'proc-log': {
+      log: { notice: () => {} },
+      output: { buffer: (data) => buffered.push(data) },
+    },
+  }).logTar
+
+  const tarball = { name: 'my-pkg', version: '1.0.0' }
+  logTar(tarball, { json: true })
+  t.strictSame(buffered, [tarball], 'buffers the bare tarball when key is omitted')
+})
+
 t.test('should getContents of a tarball with only a package.json', async (t) => {
   const testDir = t.testdir({
     'package.json': JSON.stringify({
diff --git a/deps/npm/test/lib/utils/warn-workspace-allow-scripts.js b/deps/npm/test/lib/utils/warn-workspace-allow-scripts.js
new file mode 100644
index 00000000000000..c9a5727157c21e
--- /dev/null
+++ b/deps/npm/test/lib/utils/warn-workspace-allow-scripts.js
@@ -0,0 +1,108 @@
+const t = require('tap')
+const {
+  findWorkspaceAllowScripts,
+  warnWorkspaceAllowScripts,
+} = require('../../../lib/utils/warn-workspace-allow-scripts.js')
+
+const node = ({
+  name = 'pkg',
+  packageName,
+  isWorkspace = false,
+  isProjectRoot = false,
+  allowScripts,
+  path = `/fake/${name}`,
+} = {}) => ({
+  name,
+  packageName: packageName ?? name,
+  path,
+  isWorkspace,
+  isProjectRoot,
+  package: allowScripts !== undefined ? { allowScripts } : {},
+})
+
+const tree = (nodes) => ({
+  inventory: new Map(nodes.map((n, i) => [`node_modules/${n.name || `n${i}`}`, n])),
+})
+
+t.test('returns [] for empty tree', async t => {
+  t.strictSame(findWorkspaceAllowScripts(tree([])), [])
+})
+
+t.test('returns [] for missing tree', async t => {
+  t.strictSame(findWorkspaceAllowScripts(null), [])
+  t.strictSame(findWorkspaceAllowScripts(undefined), [])
+})
+
+t.test('ignores project root with allowScripts', async t => {
+  const t1 = tree([
+    node({ name: 'root', isProjectRoot: true, isWorkspace: true, allowScripts: { x: true } }),
+  ])
+  t.strictSame(findWorkspaceAllowScripts(t1), [])
+})
+
+t.test('ignores non-workspace dep with allowScripts', async t => {
+  const t1 = tree([
+    node({ name: 'dep', allowScripts: { x: true } }),
+  ])
+  t.strictSame(findWorkspaceAllowScripts(t1), [])
+})
+
+t.test('finds non-root workspace with allowScripts', async t => {
+  const ws = node({ name: 'ws', isWorkspace: true, allowScripts: { x: true } })
+  const t1 = tree([
+    node({ name: 'root', isProjectRoot: true, isWorkspace: true }),
+    ws,
+  ])
+  t.equal(findWorkspaceAllowScripts(t1).length, 1)
+  t.equal(findWorkspaceAllowScripts(t1)[0], ws)
+})
+
+t.test('finds workspace with empty allowScripts object too', async t => {
+  const ws = node({ name: 'ws', isWorkspace: true, allowScripts: {} })
+  t.equal(findWorkspaceAllowScripts(tree([ws])).length, 1)
+})
+
+t.test('warnWorkspaceAllowScripts emits one log.warn per offender', async t => {
+  const warnings = []
+  const listener = (level, ...args) => {
+    if (level === 'warn') {
+      warnings.push(args)
+    }
+  }
+  process.on('log', listener)
+  t.teardown(() => process.off('log', listener))
+
+  const t1 = tree([
+    node({ name: 'root', isProjectRoot: true, isWorkspace: true }),
+    node({ name: 'a', isWorkspace: true, allowScripts: { x: true } }),
+    node({ name: 'b', isWorkspace: true, allowScripts: { y: false } }),
+    node({ name: 'c', isWorkspace: true }), // no allowScripts; no warning
+  ])
+  warnWorkspaceAllowScripts(t1)
+
+  t.equal(warnings.length, 2)
+  t.match(warnings[0][1], /allowScripts in workspace a/)
+  t.match(warnings[1][1], /allowScripts in workspace b/)
+})
+
+t.test('warnWorkspaceAllowScripts uses node.name when packageName missing', async t => {
+  const warnings = []
+  const listener = (level, ...args) => {
+    if (level === 'warn') {
+      warnings.push(args)
+    }
+  }
+  process.on('log', listener)
+  t.teardown(() => process.off('log', listener))
+
+  // packageName undefined, name set
+  const ws = {
+    name: 'fallback-name',
+    path: '/x',
+    isWorkspace: true,
+    isProjectRoot: false,
+    package: { allowScripts: { x: true } },
+  }
+  warnWorkspaceAllowScripts({ inventory: new Map([['node_modules/ws', ws]]) })
+  t.match(warnings[0][1], /workspace fallback-name/)
+})
diff --git a/deps/openssl/openssl-cli.gypi b/deps/openssl/openssl-cli.gypi
index ae74be9a2b17d2..da03938f1d1a92 100644
--- a/deps/openssl/openssl-cli.gypi
+++ b/deps/openssl/openssl-cli.gypi
@@ -25,5 +25,15 @@
     ['enable_lto=="true"', {
       'ldflags': [ '-fno-lto' ],
     }],
+    ['node_with_ltcg=="true" or enable_lto=="true" or enable_thin_lto=="true"', {
+      'msvs_settings': {
+        'VCCLCompilerTool': {
+          'AdditionalOptions': ['-fno-lto'],
+        },
+        'VCLinkerTool': {
+          'AdditionalOptions': ['-fno-lto'],
+        },
+      },
+    }],
   ],
 }
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index ea3a2dc09ef29b..4d8d16f0e3c838 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -77,6 +77,16 @@
         ['enable_lto=="true"', {
           'ldflags': [ '-fno-lto' ],
         }],
+        ['node_with_ltcg=="true" or enable_lto=="true" or enable_thin_lto=="true"', {
+          'msvs_settings': {
+            'VCCLCompilerTool': {
+              'AdditionalOptions': ['-fno-lto'],
+            },
+            'VCLinkerTool': {
+              'AdditionalOptions': ['-fno-lto'],
+            },
+          },
+        }],
      ]
     }, {
       # openssl-fipsmodule target
diff --git a/deps/simdjson/simdjson.cpp b/deps/simdjson/simdjson.cpp
index cbcd9f1e6bc017..6fa9693596be0c 100644
--- a/deps/simdjson/simdjson.cpp
+++ b/deps/simdjson/simdjson.cpp
@@ -1,4 +1,4 @@
-/* auto-generated on 2026-04-03 15:25:03 -0400. version 4.6.1 Do not edit! */
+/* auto-generated on 2026-05-06 17:28:39 -0400. version 4.6.4 Do not edit! */
 /* including simdjson.cpp:  */
 /* begin file simdjson.cpp */
 #define SIMDJSON_SRC_SIMDJSON_CPP
diff --git a/deps/simdjson/simdjson.h b/deps/simdjson/simdjson.h
index 0a021531346106..b9befc5b17ed3c 100644
--- a/deps/simdjson/simdjson.h
+++ b/deps/simdjson/simdjson.h
@@ -1,4 +1,4 @@
-/* auto-generated on 2026-04-03 15:25:03 -0400. version 4.6.1 Do not edit! */
+/* auto-generated on 2026-05-06 17:28:39 -0400. version 4.6.4 Do not edit! */
 /* including simdjson.h:  */
 /* begin file simdjson.h */
 #ifndef SIMDJSON_H
@@ -2538,7 +2538,7 @@ namespace std {
 #define SIMDJSON_SIMDJSON_VERSION_H
 
 /** The version of simdjson being used (major.minor.revision) */
-#define SIMDJSON_VERSION "4.6.1"
+#define SIMDJSON_VERSION "4.6.4"
 
 namespace simdjson {
 enum {
@@ -2553,7 +2553,7 @@ enum {
   /**
    * The revision (major.minor.REVISION) of simdjson being used.
    */
-  SIMDJSON_VERSION_REVISION = 1
+  SIMDJSON_VERSION_REVISION = 4
 };
 } // namespace simdjson
 
@@ -39794,6 +39794,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for arm64 */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -40549,6 +40550,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -40557,6 +40563,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -41878,6 +41889,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for fallback */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -42633,6 +42645,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -42641,6 +42658,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -44449,6 +44471,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for haswell */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -45204,6 +45227,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -45212,6 +45240,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -47020,6 +47053,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for icelake */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -47775,6 +47809,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -47783,6 +47822,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -49706,6 +49750,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for ppc64 */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -50461,6 +50506,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -50469,6 +50519,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -52709,6 +52764,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for westmere */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -53464,6 +53520,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -53472,6 +53533,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -55186,6 +55252,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for lsx */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -55941,6 +56008,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -55949,6 +56021,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -57686,6 +57763,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for lasx */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -58441,6 +58519,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -58449,6 +58532,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -60190,6 +60278,7 @@ simdjson_warn_unused simdjson_result extract_fractured_json(
 /* begin file simdjson/generic/builder/json_string_builder-inl.h for rvv_vls */
 #include 
 #include 
+#include 
 #include 
 #ifndef SIMDJSON_GENERIC_STRING_BUILDER_INL_H
 
@@ -60945,6 +61034,11 @@ simdjson_inline void string_builder::append(number_type v) noexcept {
 simdjson_inline void
 string_builder::escape_and_append(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the multiplication below.
+  if (input.size() > (std::numeric_limits::max)() / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(6 * input.size())) {
     position += write_string_escaped(input, buffer.get() + position);
   }
@@ -60953,6 +61047,11 @@ string_builder::escape_and_append(std::string_view input) noexcept {
 simdjson_inline void
 string_builder::escape_and_append_with_quotes(std::string_view input) noexcept {
   // escaping might turn a control character into \x00xx so 6 characters.
+  // Guard against size_t overflow in the arithmetic below.
+  if (input.size() > ((std::numeric_limits::max)() - 2) / 6) {
+    set_valid(false);
+    return;
+  }
   if (capacity_check(2 + 6 * input.size())) {
     buffer.get()[position++] = '"';
     position += write_string_escaped(input, buffer.get() + position);
@@ -63512,13 +63611,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -63711,9 +63818,23 @@ struct simdjson_result : public arm64::implementation_si
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    arm64::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -65052,8 +65173,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -65216,13 +65335,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -65346,7 +65473,13 @@ struct simdjson_result : public arm64::implementation_si
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -66246,21 +66379,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -66481,7 +66617,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -66567,7 +66709,13 @@ struct simdjson_result : public arm64::implementation
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -66652,7 +66800,13 @@ struct simdjson_result : public arm64::impl
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -67305,13 +67459,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -67461,7 +67623,13 @@ struct simdjson_result : public arm64::implementation_s
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -68475,46 +68643,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -68522,16 +68678,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -68594,9 +68747,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -69017,14 +69176,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -69288,12 +69453,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -69669,8 +69840,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -69678,9 +69855,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -70017,9 +70194,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -70130,7 +70313,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -70395,11 +70584,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -71977,9 +72172,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -71989,34 +72188,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -72147,9 +72334,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -72530,7 +72723,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -76788,13 +76981,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -76987,9 +77188,23 @@ struct simdjson_result : public fallback::implementat
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    fallback::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -78328,8 +78543,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -78492,13 +78705,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -78622,7 +78843,13 @@ struct simdjson_result : public fallback::implementat
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -79522,21 +79749,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -79757,7 +79987,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -79843,7 +80079,13 @@ struct simdjson_result : public fallback::implemen
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -79928,7 +80170,13 @@ struct simdjson_result : public fallback
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -80581,13 +80829,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -80737,7 +80993,13 @@ struct simdjson_result : public fallback::implementa
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -81751,46 +82013,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -81798,16 +82048,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -81870,9 +82117,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -82293,14 +82546,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -82564,12 +82823,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -82945,8 +83210,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -82954,9 +83225,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -83293,9 +83564,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -83406,7 +83683,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -83671,11 +83954,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -85253,9 +85542,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -85265,34 +85558,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -85423,9 +85704,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -85806,7 +86093,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -90551,13 +90838,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -90750,9 +91045,23 @@ struct simdjson_result : public haswell::implementatio
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    haswell::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -92091,8 +92400,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -92255,13 +92562,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -92385,7 +92700,13 @@ struct simdjson_result : public haswell::implementatio
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -93285,21 +93606,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -93520,7 +93844,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -93606,7 +93936,13 @@ struct simdjson_result : public haswell::implementa
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -93691,7 +94027,13 @@ struct simdjson_result : public haswell::
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -94344,13 +94686,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -94500,7 +94850,13 @@ struct simdjson_result : public haswell::implementati
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -95514,46 +95870,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -95561,16 +95905,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -95633,9 +95974,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -96056,14 +96403,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -96327,12 +96680,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -96708,8 +97067,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -96717,9 +97082,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -97056,9 +97421,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -97169,7 +97540,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -97434,11 +97811,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -99016,9 +99399,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -99028,34 +99415,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -99186,9 +99561,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -99569,7 +99950,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -104314,13 +104695,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -104513,9 +104902,23 @@ struct simdjson_result : public icelake::implementatio
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    icelake::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -105854,8 +106257,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -106018,13 +106419,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -106148,7 +106557,13 @@ struct simdjson_result : public icelake::implementatio
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -107048,21 +107463,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -107283,7 +107701,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -107369,7 +107793,13 @@ struct simdjson_result : public icelake::implementa
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -107454,7 +107884,13 @@ struct simdjson_result : public icelake::
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -108107,13 +108543,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -108263,7 +108707,13 @@ struct simdjson_result : public icelake::implementati
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -109277,46 +109727,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -109324,16 +109762,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -109396,9 +109831,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -109819,14 +110260,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -110090,12 +110537,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -110471,8 +110924,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -110480,9 +110939,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -110819,9 +111278,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -110932,7 +111397,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -111197,11 +111668,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -112779,9 +113256,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -112791,34 +113272,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -112949,9 +113418,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -113332,7 +113807,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -118192,13 +118667,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -118391,9 +118874,23 @@ struct simdjson_result : public ppc64::implementation_si
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    ppc64::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -119732,8 +120229,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -119896,13 +120391,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -120026,7 +120529,13 @@ struct simdjson_result : public ppc64::implementation_si
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -120926,21 +121435,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -121161,7 +121673,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -121247,7 +121765,13 @@ struct simdjson_result : public ppc64::implementation
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -121332,7 +121856,13 @@ struct simdjson_result : public ppc64::impl
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -121985,13 +122515,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -122141,7 +122679,13 @@ struct simdjson_result : public ppc64::implementation_s
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -123155,46 +123699,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -123202,16 +123734,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -123274,9 +123803,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -123697,14 +124232,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -123968,12 +124509,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -124349,8 +124896,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -124358,9 +124911,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -124697,9 +125250,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -124810,7 +125369,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -125075,11 +125640,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -126657,9 +127228,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -126669,34 +127244,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -126827,9 +127390,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -127210,7 +127779,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -132387,13 +132956,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -132586,9 +133163,23 @@ struct simdjson_result : public westmere::implementat
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    westmere::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -133927,8 +134518,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -134091,13 +134680,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -134221,7 +134818,13 @@ struct simdjson_result : public westmere::implementat
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -135121,21 +135724,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -135356,7 +135962,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -135442,7 +136054,13 @@ struct simdjson_result : public westmere::implemen
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -135527,7 +136145,13 @@ struct simdjson_result : public westmere
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -136180,13 +136804,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -136336,7 +136968,13 @@ struct simdjson_result : public westmere::implementa
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -137350,46 +137988,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -137397,16 +138023,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -137469,9 +138092,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -137892,14 +138521,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -138163,12 +138798,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -138544,8 +139185,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -138553,9 +139200,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -138892,9 +139539,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -139005,7 +139658,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -139270,11 +139929,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -140852,9 +141517,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -140864,34 +141533,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -141022,9 +141679,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -141405,7 +142068,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -146056,13 +146719,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -146255,9 +146926,23 @@ struct simdjson_result : public lsx::implementation_simdjs
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    lsx::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -147596,8 +148281,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -147760,13 +148443,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -147890,7 +148581,13 @@ struct simdjson_result : public lsx::implementation_simdjs
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -148790,21 +149487,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -149025,7 +149725,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -149111,7 +149817,13 @@ struct simdjson_result : public lsx::implementation_sim
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -149196,7 +149908,13 @@ struct simdjson_result : public lsx::implemen
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -149849,13 +150567,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -150005,7 +150731,13 @@ struct simdjson_result : public lsx::implementation_simdj
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -151019,46 +151751,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -151066,16 +151786,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -151138,9 +151855,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -151561,14 +152284,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -151832,12 +152561,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -152213,8 +152948,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -152222,9 +152963,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -152561,9 +153302,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -152674,7 +153421,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -152939,11 +153692,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -154521,9 +155280,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -154533,34 +155296,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -154691,9 +155442,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -155074,7 +155831,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -159748,13 +160505,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -159947,9 +160712,23 @@ struct simdjson_result : public lasx::implementation_simd
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    lasx::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -161288,8 +162067,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -161452,13 +162229,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -161582,7 +162367,13 @@ struct simdjson_result : public lasx::implementation_simd
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -162482,21 +163273,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -162717,7 +163511,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -162803,7 +163603,13 @@ struct simdjson_result : public lasx::implementation_s
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -162888,7 +163694,13 @@ struct simdjson_result : public lasx::implem
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -163541,13 +164353,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -163697,7 +164517,13 @@ struct simdjson_result : public lasx::implementation_sim
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -164711,46 +165537,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -164758,16 +165572,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -164830,9 +165641,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -165253,14 +166070,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -165524,12 +166347,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -165905,8 +166734,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -165914,9 +166749,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -166253,9 +167088,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -166366,7 +167207,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -166631,11 +167478,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -168213,9 +169066,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -168225,34 +169082,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -168383,9 +169228,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -168766,7 +169617,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
@@ -173444,13 +174295,21 @@ class value {
   simdjson_inline simdjson_result at_path(std::string_view at_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard character (*) for arrays or ".*" for objects.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 protected:
   /**
@@ -173643,9 +174502,23 @@ struct simdjson_result : public rvv_vls::implementatio
   simdjson_inline simdjson_result current_depth() const noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 };
 
+// Forward-declare explicit specializations so MSVC /permissive- sees them before
+// any template instantiation that would resolve element.get(val) to the primary.
+template<> simdjson_inline error_code
+simdjson_result::get(
+    rvv_vls::ondemand::value &out) noexcept;
+template<> simdjson_inline simdjson_result
+simdjson_result::get() noexcept;
+
 } // namespace simdjson
 
 #endif // SIMDJSON_GENERIC_ONDEMAND_VALUE_H
@@ -174984,8 +175857,6 @@ class parser {
   static simdjson_inline bool release_parser();
 
 private:
-  friend bool release_parser();
-  friend ondemand::parser& get_parser();
   /** Get the thread-local parser instance, allocates it if needed */
   static simdjson_inline simdjson_warn_unused std::unique_ptr& get_parser_instance();
   /** Get the thread-local parser instance, it might be null */
@@ -175148,13 +176019,21 @@ class array {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like "[*]" to match all array elements.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the array and returns a string_view instance corresponding to the
@@ -175278,7 +176157,13 @@ struct simdjson_result : public rvv_vls::implementatio
   simdjson_inline simdjson_result at(size_t index) noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   simdjson_inline simdjson_result raw_json() noexcept;
 #if SIMDJSON_SUPPORTS_CONCEPTS
   // TODO: move this code into object-inl.h
@@ -176178,21 +177063,24 @@ class document {
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    *
    * Supports wildcard patterns like "$.array[*]" or "$.object.*" to match multiple elements.
    *
-   * This method materializes all matching values into a vector.
    * The document will be consumed after this call.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern, or:
-   *         - INVALID_JSON_POINTER if the JSONPath cannot be parsed
-   *         - NO_SUCH_FIELD if a field does not exist
-   *         - INDEX_OUT_OF_BOUNDS if an array index is out of bounds
-   *         - INCORRECT_TYPE if path traversal encounters wrong type
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
    */
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Consumes the document and returns a string_view instance corresponding to the
@@ -176413,7 +177301,13 @@ class document_reference {
   simdjson_inline simdjson_result raw_json_token() noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
 private:
   document *doc{nullptr};
@@ -176499,7 +177393,13 @@ struct simdjson_result : public rvv_vls::implementa
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -176584,7 +177484,13 @@ struct simdjson_result : public rvv_vls::
 
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 #if SIMDJSON_STATIC_REFLECTION
   template
     requires(std::is_class_v && (sizeof...(FieldNames) > 0))
@@ -177237,13 +178143,21 @@ class object {
   inline simdjson_result at_path(std::string_view json_path) noexcept;
 
   /**
-   * Get all values matching the given JSONPath expression with wildcard support.
+   * Call the provided callback for each value matching the given JSONPath
+   * expression with wildcard support.
    * Supports wildcard patterns like ".*" to match all object fields.
    *
    * @param json_path JSONPath expression with wildcards
-   * @return Vector of values matching the wildcard pattern
+   * @param callback Function called for each matching value
+   * @return error_code indicating success or failure
   */
-  inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
 
   /**
    * Reset the iterator so that we are pointing back at the
@@ -177393,7 +178307,13 @@ struct simdjson_result : public rvv_vls::implementati
   simdjson_inline simdjson_result operator[](std::string_view key) && noexcept;
   simdjson_inline simdjson_result at_pointer(std::string_view json_pointer) noexcept;
   simdjson_inline simdjson_result at_path(std::string_view json_path) noexcept;
-  simdjson_inline simdjson_result> at_path_with_wildcard(std::string_view json_path) noexcept;
+#if SIMDJSON_SUPPORTS_CONCEPTS
+  template 
+    requires std::invocable
+#else
+  template 
+#endif
+  simdjson_inline error_code for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept;
   inline simdjson_result reset() noexcept;
   inline simdjson_result is_empty() noexcept;
   inline simdjson_result count_fields() & noexcept;
@@ -178407,46 +179327,34 @@ inline simdjson_result array::at_path(std::string_view json_path) noexcep
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> array::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code array::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
   // Wildcard case
-  if(key=="*"){
-    for(auto element: *this){
-
-      if(element.error()){
-        return element.error();
-      }
-
-      if(remaining_path.empty()){
-        // Use value_unsafe() because we've already checked for errors above.
-        // The 'element' is a simdjson_result wrapper, and we need to extract
-        // the underlying value. value_unsafe() is safe here because error() returned false.
-        result.push_back(std::move(element).value_unsafe());
-
-      }else{
-        auto nested_result = element.at_path_with_wildcard(remaining_path);
-
-        if(nested_result.error()){
-          return nested_result.error();
-        }
-        // Same logic as above.
-        std::vector nested_matches = std::move(nested_result).value_unsafe();
-
-        result.insert(result.end(),
-                      std::make_move_iterator(nested_matches.begin()),
-                      std::make_move_iterator(nested_matches.end()));
+  if (key=="*"){
+    for(auto element: *this) {
+      value val;
+        SIMDJSON_TRY(element.get(val));
+      if (remaining_path.empty()) {
+        callback(val);
+      } else {
+        error_code err = element.for_each_at_path_with_wildcard(remaining_path, callback);
+        if(err) { return err; }
       }
     }
-    return result;
-  }else{
+    return SUCCESS;
+  } else {
     // Specific index case in which we access the element at the given index
-    size_t idx=0;
+    size_t idx = 0;
 
-    for(char c:key){
+    for (char c : key) {
       if(c < '0' || c > '9'){
         return INVALID_JSON_POINTER;
       }
@@ -178454,16 +179362,13 @@ inline simdjson_result> array::at_path_with_wildcard(std::str
     }
 
     auto element = at(idx);
-
-    if(element.error()){
-      return element.error();
-    }
-
-    if(remaining_path.empty()){
-      result.push_back(std::move(element).value_unsafe());
-      return result;
-    }else{
-      return element.at_path_with_wildcard(remaining_path);
+    value val;
+    SIMDJSON_TRY(element.get(val));
+    if (remaining_path.empty()){
+      callback(val);
+      return SUCCESS;
+    } else {
+      return element.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -178526,9 +179431,15 @@ simdjson_inline  simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 simdjson_inline  simdjson_result simdjson_result::raw_json() noexcept {
   if (error()) { return error(); }
@@ -178949,14 +179860,20 @@ simdjson_inline simdjson_result value::at_path(std::string_view json_path
   }
 }
 
-inline simdjson_result> value::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code value::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   json_type t;
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -179220,12 +180137,18 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(
-      std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code simdjson_result::for_each_at_path_with_wildcard(
+      std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
     return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 } // namespace simdjson
@@ -179601,8 +180524,14 @@ simdjson_inline simdjson_result document::at_path(std::string_view json_p
   }
 }
 
-simdjson_inline simdjson_result> document::at_path_with_wildcard(std::string_view json_path) noexcept {
-  rewind(); // Rewind the document each time at_path_with_wildcard is called
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
+  rewind(); // Rewind the document each time for_each_at_path_with_wildcard is called
   if (json_path.empty()) {
       return INVALID_JSON_POINTER;
   }
@@ -179610,9 +180539,9 @@ simdjson_inline simdjson_result> document::at_path_with_wildc
   SIMDJSON_TRY(type().get(t));
   switch (t) {
   case json_type::array:
-      return (*this).get_array().at_path_with_wildcard(json_path);
+      return (*this).get_array().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   case json_type::object:
-      return (*this).get_object().at_path_with_wildcard(json_path);
+      return (*this).get_object().for_each_at_path_with_wildcard(json_path, std::forward(callback));
   default:
       return INVALID_JSON_POINTER;
   }
@@ -179949,9 +180878,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 #if SIMDJSON_STATIC_REFLECTION
@@ -180062,7 +180997,13 @@ simdjson_inline simdjson_result document_reference::get_number() noexcep
 simdjson_inline simdjson_result document_reference::raw_json_token() noexcept { return doc->raw_json_token(); }
 simdjson_inline simdjson_result document_reference::at_pointer(std::string_view json_pointer) noexcept { return doc->at_pointer(json_pointer); }
 simdjson_inline simdjson_result document_reference::at_path(std::string_view json_path) noexcept { return doc->at_path(json_path); }
-simdjson_inline simdjson_result> document_reference::at_path_with_wildcard(std::string_view json_path) noexcept { return doc->at_path_with_wildcard(json_path); }
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code document_reference::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept { return doc->for_each_at_path_with_wildcard(json_path, std::forward(callback)); }
 simdjson_inline simdjson_result document_reference::raw_json() noexcept { return doc->raw_json();}
 simdjson_inline document_reference::operator document&() const noexcept { return *doc; }
 #if SIMDJSON_SUPPORTS_CONCEPTS && SIMDJSON_STATIC_REFLECTION
@@ -180327,11 +181268,17 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) {
       return error();
   }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 #if SIMDJSON_STATIC_REFLECTION
 template
@@ -181909,9 +182856,13 @@ inline simdjson_result object::at_path(std::string_view json_path) noexce
   return at_pointer(json_pointer);
 }
 
-inline simdjson_result> object::at_path_with_wildcard(std::string_view json_path) noexcept {
-  std::vector result;
-
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+inline error_code object::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   auto result_pair = get_next_key_and_json_path(json_path);
   std::string_view key = result_pair.first;
   std::string_view remaining_path = result_pair.second;
@@ -181921,34 +182872,22 @@ inline simdjson_result> object::at_path_with_wildcard(std::st
     for (auto field : *this) {
       value val;
       SIMDJSON_TRY(field.value().get(val));
-
       if (remaining_path.empty()) {
-        result.push_back(std::move(val));
+        callback(val);
       } else {
-        auto nested_result = val.at_path_with_wildcard(remaining_path);
-
-        if (nested_result.error()) {
-          return nested_result.error();
-        }
-        // Extract and append all nested matches to our result
-        std::vector nested_vec;
-        SIMDJSON_TRY(std::move(nested_result).get(nested_vec));
-
-        result.insert(result.end(),
-                     std::make_move_iterator(nested_vec.begin()),
-                     std::make_move_iterator(nested_vec.end()));
+        SIMDJSON_TRY(val.for_each_at_path_with_wildcard(remaining_path, callback));
       }
     }
-    return result;
+    return SUCCESS;
   } else {
     value val;
     SIMDJSON_TRY(find_field(key).get(val));
 
     if (remaining_path.empty()) {
-      result.push_back(std::move(val));
-      return result;
+      callback(val);
+      return SUCCESS;
     } else {
-      return val.at_path_with_wildcard(remaining_path);
+      return val.for_each_at_path_with_wildcard(remaining_path, callback);
     }
   }
 }
@@ -182079,9 +183018,15 @@ simdjson_inline simdjson_result simdjson_result> simdjson_result::at_path_with_wildcard(std::string_view json_path) noexcept {
+#if SIMDJSON_SUPPORTS_CONCEPTS
+template 
+  requires std::invocable
+#else
+template 
+#endif
+simdjson_inline error_code simdjson_result::for_each_at_path_with_wildcard(std::string_view json_path, Func&& callback) noexcept {
   if (error()) { return error(); }
-  return first.at_path_with_wildcard(json_path);
+  return first.for_each_at_path_with_wildcard(json_path, std::forward(callback));
 }
 
 inline simdjson_result simdjson_result::reset() noexcept {
@@ -182462,7 +183407,7 @@ simdjson_inline simdjson_warn_unused ondemand::parser& parser::get_parser() {
   return *parser::get_parser_instance();
 }
 
-simdjson_inline bool release_parser() {
+simdjson_inline bool parser::release_parser() {
   auto &parser_instance = parser::get_threadlocal_parser_if_exists();
   if (parser_instance) {
     parser_instance.reset();
diff --git a/deps/sqlite/sqlite3.c b/deps/sqlite/sqlite3.c
index 91db04a9ecdc54..0c83f247e89464 100644
--- a/deps/sqlite/sqlite3.c
+++ b/deps/sqlite/sqlite3.c
@@ -1,6 +1,6 @@
 /******************************************************************************
 ** This file is an amalgamation of many separate C source files from SQLite
-** version 3.53.0.  By combining all the individual C code files into this
+** version 3.53.1.  By combining all the individual C code files into this
 ** single large file, the entire code can be compiled as a single translation
 ** unit.  This allows many compilers to do optimizations that would not be
 ** possible if the files were compiled separately.  Performance improvements
@@ -18,7 +18,7 @@
 ** separate file. This file contains only code for the core SQLite library.
 **
 ** The content in this amalgamation comes from Fossil check-in
-** 4525003a53a7fc63ca75c59b22c79608659c with changes in files:
+** c88b22011a54b4f6fbd149e9f8e4de77658c with changes in files:
 **
 **    
 */
@@ -467,12 +467,12 @@ extern "C" {
 ** [sqlite3_libversion_number()], [sqlite3_sourceid()],
 ** [sqlite_version()] and [sqlite_source_id()].
 */
-#define SQLITE_VERSION        "3.53.0"
-#define SQLITE_VERSION_NUMBER 3053000
-#define SQLITE_SOURCE_ID      "2026-04-09 11:41:38 4525003a53a7fc63ca75c59b22c79608659ca12f0131f52c18637f829977f20b"
-#define SQLITE_SCM_BRANCH     "trunk"
-#define SQLITE_SCM_TAGS       "release major-release version-3.53.0"
-#define SQLITE_SCM_DATETIME   "2026-04-09T11:41:38.498Z"
+#define SQLITE_VERSION        "3.53.1"
+#define SQLITE_VERSION_NUMBER 3053001
+#define SQLITE_SOURCE_ID      "2026-05-05 10:34:17 c88b22011a54b4f6fbd149e9f8e4de77658ce58143a1af0e3785e4e6475127e9"
+#define SQLITE_SCM_BRANCH     "branch-3.53"
+#define SQLITE_SCM_TAGS       "release version-3.53.1"
+#define SQLITE_SCM_DATETIME   "2026-05-05T10:34:17.344Z"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -32513,7 +32513,7 @@ static char *printfTempBuf(sqlite3_str *pAccum, sqlite3_int64 n){
     sqlite3StrAccumSetError(pAccum, SQLITE_TOOBIG);
     return 0;
   }
-  z = sqlite3DbMallocRaw(pAccum->db, n);
+  z = sqlite3_malloc(n);
   if( z==0 ){
     sqlite3StrAccumSetError(pAccum, SQLITE_NOMEM);
   }
@@ -32971,11 +32971,27 @@ SQLITE_API void sqlite3_str_vappendf(
 
         szBufNeeded = MAX(e2,0)+(i64)precision+(i64)width+10;
         if( cThousand && e2>0 ) szBufNeeded += (e2+2)/3;
-        if( sqlite3StrAccumEnlargeIfNeeded(pAccum, szBufNeeded) ){
-          width = length = 0;
-          break;
+        if( szBufNeeded + pAccum->nChar >= pAccum->nAlloc ){
+          if( pAccum->mxAlloc==0 && pAccum->accError==0 ){
+            /* Unable to allocate space in pAccum, perhaps because it
+            ** is coming from sqlite3_snprintf() or similar.  We'll have
+            ** to render into temporary space and the memcpy() it over. */
+            bufpt = sqlite3_malloc(szBufNeeded);
+            if( bufpt==0 ){
+              sqlite3StrAccumSetError(pAccum, SQLITE_NOMEM);
+              return;
+            }
+            zExtra = bufpt;
+          }else if( sqlite3StrAccumEnlarge(pAccum, szBufNeeded)zText + pAccum->nChar;
+          }
+        }else{
+          bufpt = pAccum->zText + pAccum->nChar;
         }
-        bufpt = zOut = pAccum->zText + pAccum->nChar;
+        zOut = bufpt;
 
         flag_dp = (precision>0 ?1:0) | flag_alternateform | flag_altform2;
         /* The sign in front of the number */
@@ -33076,14 +33092,22 @@ SQLITE_API void sqlite3_str_vappendf(
           }
           length = width;
         }
-        pAccum->nChar += length;
-        zOut[length] = 0;
 
-        /* Floating point conversions render directly into the output
-        ** buffer.  Hence, don't just break out of the switch().  Bypass the
-        ** output buffer writing that occurs after the switch() by continuing
-        ** to the next character in the format string. */
-        continue;
+        if( zExtra==0 ){
+          /* The result is being rendered directory into pAccum.  This
+          ** is the command and fast case */
+          pAccum->nChar += length;
+          zOut[length] = 0;
+          continue;
+        }else{
+          /* We were unable to render directly into pAccum because we
+          ** couldn't allocate sufficient memory.  We need to memcpy()
+          ** the rendering (or some prefix thereof) into the output
+          ** buffer. */
+          bufpt[0] = 0;
+          bufpt = zExtra;
+          break;
+        }
       }
       case etSIZE:
         if( !bArgList ){
@@ -33130,7 +33154,7 @@ SQLITE_API void sqlite3_str_vappendf(
             if( sqlite3StrAccumEnlargeIfNeeded(pAccum, nCopyBytes) ){
               break;
             }
-           sqlite3_str_append(pAccum,
+            sqlite3_str_append(pAccum,
                  &pAccum->zText[pAccum->nChar-nCopyBytes], nCopyBytes);
             precision -= nPrior;
             nPrior *= 2;
@@ -33646,7 +33670,7 @@ SQLITE_API void sqlite3_str_reset(StrAccum *p){
 ** of its content, all in one call.
 */
 SQLITE_API void sqlite3_str_free(sqlite3_str *p){
-  if( p ){
+  if( p!=0 && p!=&sqlite3OomStr ){
     sqlite3_str_reset(p);
     sqlite3_free(p);
   }
@@ -36792,15 +36816,20 @@ SQLITE_PRIVATE u8 sqlite3StrIHash(const char *z){
   return h;
 }
 
+#if !defined(SQLITE_DISABLE_INTRINSIC)               \
+  && (defined(__GNUC__) || defined(__clang__))       \
+  && (defined(__x86_64__) || defined(__aarch64__) || \
+      (defined(__riscv) && defined(__riscv_xlen) && (__riscv_xlen>32)))
+#define SQLITE_USE_UINT128
+#endif
+
 /*
 ** Two inputs are multiplied to get a 128-bit result.  Write the
 ** lower 64-bits of the result into *pLo, and return the high-order
 ** 64 bits.
 */
 static u64 sqlite3Multiply128(u64 a, u64 b, u64 *pLo){
-#if (defined(__GNUC__) || defined(__clang__)) \
-        && (defined(__x86_64__) || defined(__aarch64__) || defined(__riscv)) \
-        && !defined(SQLITE_DISABLE_INTRINSIC)
+#if defined(SQLITE_USE_UINT128)
   __uint128_t r = (__uint128_t)a * b;
   *pLo = (u64)r;
   return (u64)(r>>64);
@@ -36834,9 +36863,7 @@ static u64 sqlite3Multiply128(u64 a, u64 b, u64 *pLo){
 ** The lower 64 bits of A*B are discarded.
 */
 static u64 sqlite3Multiply160(u64 a, u32 aLo, u64 b, u32 *pLo){
-#if (defined(__GNUC__) || defined(__clang__)) \
-        && (defined(__x86_64__) || defined(__aarch64__) || defined(__riscv)) \
-        && !defined(SQLITE_DISABLE_INTRINSIC)
+#if defined(SQLITE_USE_UINT128)
   __uint128_t r = (__uint128_t)a * b;
   r += ((__uint128_t)aLo * b) >> 32;
   *pLo = (r>>32)&0xffffffff;
@@ -36874,6 +36901,8 @@ static u64 sqlite3Multiply160(u64 a, u32 aLo, u64 b, u32 *pLo){
 #endif
 }
 
+#undef SQLITE_USE_UINT128
+
 /*
 ** Return a u64 with the N-th bit set.
 */
@@ -56108,10 +56137,10 @@ SQLITE_API int sqlite3_deserialize(
   if( rc ) goto end_deserialize;
   db->init.iDb = (u8)iDb;
   db->init.reopenMemdb = 1;
-  rc = sqlite3_step(pStmt);
+  sqlite3_step(pStmt);
   db->init.reopenMemdb = 0;
-  if( rc!=SQLITE_DONE ){
-    rc = SQLITE_ERROR;
+  rc = sqlite3_finalize(pStmt);
+  if( rc!=SQLITE_OK ){
     goto end_deserialize;
   }
   p = memdbFromDbSchema(db, zSchema);
@@ -56132,7 +56161,6 @@ SQLITE_API int sqlite3_deserialize(
   }
 
 end_deserialize:
-  sqlite3_finalize(pStmt);
   if( pData && (mFlags & SQLITE_DESERIALIZE_FREEONCLOSE)!=0 ){
     sqlite3_free(pData);
   }
@@ -123122,7 +123150,9 @@ SQLITE_PRIVATE void sqlite3AlterDropConstraint(
   if( !pTab ) return;
 
   if( pCons ){
-    zArg = sqlite3MPrintf(db, "%.*Q", pCons->n, pCons->z);
+    char *z = sqlite3NameFromToken(db, pCons);
+    zArg = sqlite3MPrintf(db, "%Q", z);
+    sqlite3DbFree(db, z);
   }else{
     int iCol;
     if( alterFindCol(pParse, pTab, pCol, &iCol) ) return;
@@ -125504,6 +125534,16 @@ static void attachFunc(
     ** from sqlite3_deserialize() to close database db->init.iDb and
     ** reopen it as a MemDB */
     Btree *pNewBt = 0;
+
+    pNew = &db->aDb[db->init.iDb];
+    assert( pNew->pBt!=0 );
+    if( sqlite3BtreeTxnState(pNew->pBt)!=SQLITE_TXN_NONE
+     || sqlite3BtreeIsInBackup(pNew->pBt)
+    ){
+      rc = SQLITE_BUSY;
+      goto attach_error;
+    }
+
     pVfs = sqlite3_vfs_find("memdb");
     if( pVfs==0 ) return;
     rc = sqlite3BtreeOpen(pVfs, "x\0", db, &pNewBt, 0, SQLITE_OPEN_MAIN_DB);
@@ -125513,8 +125553,7 @@ static void attachFunc(
         /* Both the Btree and the new Schema were allocated successfully.
         ** Close the old db and update the aDb[] slot with the new memdb
         ** values.  */
-        pNew = &db->aDb[db->init.iDb];
-        if( ALWAYS(pNew->pBt) ) sqlite3BtreeClose(pNew->pBt);
+        sqlite3BtreeClose(pNew->pBt);
         pNew->pBt = pNewBt;
         pNew->pSchema = pNewSchema;
       }else{
@@ -156057,6 +156096,7 @@ static SQLITE_NOINLINE void existsToJoin(
    && !ExprHasProperty(pWhere, EP_OuterON|EP_InnerON)
    && ALWAYS(p->pSrc!=0)
    && p->pSrc->nSrcpLimit==0 || p->pLimit->pRight==0)
   ){
     if( pWhere->op==TK_AND ){
       Expr *pRight = pWhere->pRight;
@@ -156104,7 +156144,6 @@ static SQLITE_NOINLINE void existsToJoin(
           sqlite3TreeViewSelect(0, p, 0);
         }
 #endif
-        existsToJoin(pParse, p, pSubWhere);
       }
     }
   }
@@ -165946,7 +165985,7 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
     ** by this loop in the a[0] slot and all notReady tables in a[1..] slots.
     ** This becomes the SrcList in the recursive call to sqlite3WhereBegin().
     */
-    if( pWInfo->nLevel>1 ){
+    if( pWInfo->nLevel>1 || pTabItem->fg.fromExists ){
       int nNotReady;                 /* The number of notReady tables */
       SrcItem *origSrc;              /* Original list of tables */
       nNotReady = pWInfo->nLevel - iLevel - 1;
@@ -165959,6 +165998,13 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
       for(k=1; k<=nNotReady; k++){
         memcpy(&pOrTab->a[k], &origSrc[pLevel[k].iFrom], sizeof(pOrTab->a[k]));
       }
+
+      /* Clear the fromExists flag on the OR-optimized table entry so that
+      ** the calls to sqlite3WhereEnd() do not code early-exits after the
+      ** first row is visited. The early exit applies to this table's
+      ** overall loop - including the multiple OR branches and any WHERE
+      ** conditions not passed to the sub-loops - not to the sub-loops.  */
+      pOrTab->a[0].fg.fromExists = 0;
     }else{
       pOrTab = pWInfo->pTabList;
     }
@@ -166202,7 +166248,7 @@ SQLITE_PRIVATE Bitmask sqlite3WhereCodeOneLoopStart(
     assert( pLevel->op==OP_Return );
     pLevel->p2 = sqlite3VdbeCurrentAddr(v);
 
-    if( pWInfo->nLevel>1 ){ sqlite3DbFreeNN(db, pOrTab); }
+    if( pWInfo->pTabList!=pOrTab ){ sqlite3DbFreeNN(db, pOrTab); }
     if( !untestedTerms ) disableTerm(pLevel, pTerm);
   }else
 #endif /* SQLITE_OMIT_OR_OPTIMIZATION */
@@ -176127,27 +176173,11 @@ SQLITE_PRIVATE void sqlite3WhereEnd(WhereInfo *pWInfo){
       }
 #endif /* SQLITE_DISABLE_SKIPAHEAD_DISTINCT */
     }
-    if( pTabList->a[pLevel->iFrom].fg.fromExists
-     && (i==pWInfo->nLevel-1
-           || pTabList->a[pWInfo->a[i+1].iFrom].fg.fromExists==0)
-    ){
-      /* This is an EXISTS-to-JOIN optimization which is either the
-      ** inner-most loop, or the inner-most of a group of nested
-      ** EXISTS-to-JOIN optimization loops.  If this loop sees a successful
-      ** row, it should break out of itself as well as other EXISTS-to-JOIN
-      ** loops in which is is directly nested. */
-      int nOuter = 0; /* Nr of outer EXISTS that this one is nested within */
-      while( nOutera[pLevel[-nOuter-1].iFrom].fg.fromExists ) break;
-        nOuter++;
-      }
-      testcase( nOuter>0 );
-      sqlite3VdbeAddOp2(v, OP_Goto, 0, pLevel[-nOuter].addrBrk);
-      if( nOuter ){
-        VdbeComment((v, "EXISTS break %d..%d", i-nOuter, i));
-      }else{
-        VdbeComment((v, "EXISTS break %d", i));
-      }
+    if( pTabList->a[pLevel->iFrom].fg.fromExists ){
+      /* This is an EXISTS-to-JOIN optimization loop. If this loop sees a
+      ** successful row, it should break out of itself. */
+      sqlite3VdbeAddOp2(v, OP_Goto, 0, pLevel->addrBrk);
+      VdbeComment((v, "EXISTS break %d", i));
     }
     sqlite3VdbeResolveLabel(v, pLevel->addrCont);
     if( pLevel->op!=OP_Noop ){
@@ -184334,6 +184364,7 @@ static YYACTIONTYPE yy_reduce(
   yymsp[-4].minor.yy454 = sqlite3PExpr(pParse, TK_BETWEEN, yymsp[-4].minor.yy454, 0);
   if( yymsp[-4].minor.yy454 ){
     yymsp[-4].minor.yy454->x.pList = pList;
+    sqlite3ExprSetHeightAndFlags(pParse, yymsp[-4].minor.yy454);
   }else{
     sqlite3ExprListDelete(pParse->db, pList);
   }
@@ -233951,10 +233982,11 @@ static int sessionSerialLen(const u8 *a){
   int n;
   assert( a!=0 );
   e = *a;
-  if( e==0 || e==0xFF ) return 1;
-  if( e==SQLITE_NULL ) return 1;
   if( e==SQLITE_INTEGER || e==SQLITE_FLOAT ) return 9;
-  return sessionVarintGet(&a[1], &n) + 1 + n;
+  if( e==SQLITE_TEXT || e==SQLITE_BLOB ){
+    return sessionVarintGet(&a[1], &n) + 1 + n;
+  }
+  return 1;
 }
 
 /*
@@ -233977,17 +234009,17 @@ static unsigned int sessionChangeHash(
   u8 *a = aRecord;                /* Used to iterate through change record */
 
   for(i=0; inCol; i++){
-    int eType = *a;
     int isPK = pTab->abPK[i];
     if( bPkOnly && isPK==0 ) continue;
 
-    assert( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT
-         || eType==SQLITE_TEXT || eType==SQLITE_BLOB
-         || eType==SQLITE_NULL || eType==0
-    );
-
     if( isPK ){
-      a++;
+      int eType = *a++;
+
+      assert( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT
+           || eType==SQLITE_TEXT || eType==SQLITE_BLOB
+           || eType==SQLITE_NULL || eType==0
+      );
+
       h = sessionHashAppendType(h, eType);
       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
         h = sessionHashAppendI64(h, sessionGetI64(a));
@@ -237015,9 +237047,11 @@ static int sessionChangesetBufferRecord(
         rc = sessionInputBuffer(pIn, nByte);
       }else if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
         nByte += 8;
+      }else if( eType!=0 && eType!=SQLITE_NULL ){
+        rc = SQLITE_CORRUPT_BKPT;
       }
     }
-    if( (pIn->iNext+nByte)>pIn->nData ){
+    if( rc==SQLITE_OK && (pIn->iNext+nByte)>pIn->nData ){
       rc = SQLITE_CORRUPT_BKPT;
     }
   }
@@ -238354,7 +238388,7 @@ static int sessionApplyOneOp(
     for(i=0; rc==SQLITE_OK && iabPK[i] || (bPatchset==0 && pOld) ){
+      if( pOld && (p->abPK[i] || bPatchset==0) ){
         rc = sessionBindValue(pUp, i*2+2, pOld);
       }
       if( rc==SQLITE_OK && pNew ){
@@ -263222,7 +263256,7 @@ static void fts5SourceIdFunc(
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2026-04-09 11:41:38 4525003a53a7fc63ca75c59b22c79608659ca12f0131f52c18637f829977f20b", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2026-05-05 10:34:17 c88b22011a54b4f6fbd149e9f8e4de77658ce58143a1af0e3785e4e6475127e9", -1, SQLITE_TRANSIENT);
 }
 
 /*
diff --git a/deps/sqlite/sqlite3.h b/deps/sqlite/sqlite3.h
index 5d7f82b659140b..8ee26c99d86e6e 100644
--- a/deps/sqlite/sqlite3.h
+++ b/deps/sqlite/sqlite3.h
@@ -146,12 +146,12 @@ extern "C" {
 ** [sqlite3_libversion_number()], [sqlite3_sourceid()],
 ** [sqlite_version()] and [sqlite_source_id()].
 */
-#define SQLITE_VERSION        "3.53.0"
-#define SQLITE_VERSION_NUMBER 3053000
-#define SQLITE_SOURCE_ID      "2026-04-09 11:41:38 4525003a53a7fc63ca75c59b22c79608659ca12f0131f52c18637f829977f20b"
-#define SQLITE_SCM_BRANCH     "trunk"
-#define SQLITE_SCM_TAGS       "release major-release version-3.53.0"
-#define SQLITE_SCM_DATETIME   "2026-04-09T11:41:38.498Z"
+#define SQLITE_VERSION        "3.53.1"
+#define SQLITE_VERSION_NUMBER 3053001
+#define SQLITE_SOURCE_ID      "2026-05-05 10:34:17 c88b22011a54b4f6fbd149e9f8e4de77658ce58143a1af0e3785e4e6475127e9"
+#define SQLITE_SCM_BRANCH     "branch-3.53"
+#define SQLITE_SCM_TAGS       "release version-3.53.1"
+#define SQLITE_SCM_DATETIME   "2026-05-05T10:34:17.344Z"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
diff --git a/deps/uv/src/unix/fs.c b/deps/uv/src/unix/fs.c
index a26f2dc7fa4649..90cb40d98d47ab 100644
--- a/deps/uv/src/unix/fs.c
+++ b/deps/uv/src/unix/fs.c
@@ -460,27 +460,28 @@ static ssize_t uv__preadv_or_pwritev(int fd,
                                      off_t off,
                                      _Atomic uintptr_t* cache,
                                      int is_pread) {
-  ssize_t (*f)(int, const struct iovec*, uv__iovcnt, off_t);
-  void* p;
+  union {
+    ssize_t (*f)(int, const struct iovec*, uv__iovcnt, off_t);
+    void* p;
+  } u;
 
-  p = (void*) atomic_load_explicit(cache, memory_order_relaxed);
-  if (p == NULL) {
+  u.p = (void*) atomic_load_explicit(cache, memory_order_relaxed);
+  if (u.p == NULL) {
 #ifdef RTLD_DEFAULT
     /* Try _LARGEFILE_SOURCE version of preadv/pwritev first,
      * then fall back to the plain version, for libcs like musl.
      */
-    p = dlsym(RTLD_DEFAULT, is_pread ? "preadv64" : "pwritev64");
-    if (p == NULL)
-      p = dlsym(RTLD_DEFAULT, is_pread ? "preadv" : "pwritev");
+    u.p = dlsym(RTLD_DEFAULT, is_pread ? "preadv64" : "pwritev64");
+    if (u.p == NULL)
+      u.p = dlsym(RTLD_DEFAULT, is_pread ? "preadv" : "pwritev");
     dlerror();  /* Clear errors. */
 #endif  /* RTLD_DEFAULT */
-    if (p == NULL)
-      p = is_pread ? uv__preadv_emul : uv__pwritev_emul;
-    atomic_store_explicit(cache, (uintptr_t) p, memory_order_relaxed);
+    if (u.p == NULL)
+      u.f = is_pread ? uv__preadv_emul : uv__pwritev_emul;
+    atomic_store_explicit(cache, (uintptr_t) u.p, memory_order_relaxed);
   }
 
-  f = p;
-  return f(fd, bufs, nbufs, off);
+  return u.f(fd, bufs, nbufs, off);
 }
 
 
diff --git a/deps/uv/src/uv-common.c b/deps/uv/src/uv-common.c
index e5a7632909fc65..f1e8928d37ebf4 100644
--- a/deps/uv/src/uv-common.c
+++ b/deps/uv/src/uv-common.c
@@ -957,7 +957,7 @@ void uv_free_cpu_info(uv_cpu_info_t* cpu_infos, int count) {
   int i;
 
   for (i = 0; i < count; i++)
-    uv__free(cpu_infos[i].model);
+    uv__free((char*) cpu_infos[i].model);
 
   uv__free(cpu_infos);
 #endif  /* __linux__ */
diff --git a/deps/v8/src/codegen/external-reference.h b/deps/v8/src/codegen/external-reference.h
index 702dcf5618bc95..8c6e511f532619 100644
--- a/deps/v8/src/codegen/external-reference.h
+++ b/deps/v8/src/codegen/external-reference.h
@@ -364,6 +364,8 @@ enum class IsolateFieldId : uint8_t;
   IF_WASM(V, wasm_WebAssemblyExceptionGetArg,                                  \
           "wasm::WebAssemblyExceptionGetArg")                                  \
   IF_WASM(V, wasm_WebAssemblyExceptionIs, "wasm::WebAssemblyExceptionIs")      \
+  IF_WASM(V, wasm_WebAssemblyExceptionGetStack,                                \
+          "wasm::WebAssemblyExceptionGetStack")                                \
   IF_WASM(V, wasm_WebAssemblyGlobal, "wasm::WebAssemblyGlobal")                \
   IF_WASM(V, wasm_WebAssemblyGlobalGetValue,                                   \
           "wasm::WebAssemblyGlobalGetValue")                                   \
diff --git a/deps/v8/src/wasm/wasm-js.cc b/deps/v8/src/wasm/wasm-js.cc
index ef83a43ddc66b8..74328efe56136b 100644
--- a/deps/v8/src/wasm/wasm-js.cc
+++ b/deps/v8/src/wasm/wasm-js.cc
@@ -3054,6 +3054,15 @@ void WebAssemblyExceptionIsImpl(
   info.GetReturnValue().Set(tag_object->tag() == *tag);
 }
 
+void WebAssemblyExceptionGetStackImpl(
+    const v8::FunctionCallbackInfo& info) {
+  WasmJSApiScope js_api_scope{info, "WebAssembly.Exception.stack()"};
+  auto [isolate, i_isolate, thrower] = js_api_scope.isolates_and_thrower();
+  EXTRACT_THIS(exception, WasmExceptionPackage);
+
+  info.GetReturnValue().Set(v8::Undefined(isolate));
+}
+
 void WebAssemblyGlobalGetValueCommon(WasmJSApiScope& js_api_scope) {
   auto [isolate, i_isolate, thrower] = js_api_scope.isolates_and_thrower();
   auto& info = js_api_scope.callback_info();  // Needed by EXTRACT_THIS.
@@ -3494,6 +3503,7 @@ void WasmJs::PrepareForSnapshot(Isolate* isolate) {
   {
     DirectHandle exception_constructor = InstallConstructorFunc(
         isolate, webassembly, "Exception", wasm::WebAssemblyException);
+    exception_constructor->shared()->set_length(2);
     SetDummyInstanceTemplate(isolate, exception_constructor);
     DirectHandle exception_proto = SetupConstructor(
         isolate, exception_constructor, WASM_EXCEPTION_PACKAGE_TYPE,
@@ -3503,6 +3513,8 @@ void WasmJs::PrepareForSnapshot(Isolate* isolate) {
                 wasm::WebAssemblyExceptionGetArg, 2);
     InstallFunc(isolate, exception_proto, "is", wasm::WebAssemblyExceptionIs,
                 1);
+    InstallGetter(isolate, exception_proto, "stack",
+                  wasm::WebAssemblyExceptionGetStack);
     native_context->set_wasm_exception_constructor(*exception_constructor);
 
     DirectHandle initial_map(exception_constructor->initial_map(),
diff --git a/deps/v8/src/wasm/wasm-js.h b/deps/v8/src/wasm/wasm-js.h
index 73134148b0870a..9d136a5484c84e 100644
--- a/deps/v8/src/wasm/wasm-js.h
+++ b/deps/v8/src/wasm/wasm-js.h
@@ -33,6 +33,7 @@ V8_EXPORT_PRIVATE std::unique_ptr StartStreamingForTesting(
   V(WebAssemblyCompile)                    \
   V(WebAssemblyException)                  \
   V(WebAssemblyExceptionGetArg)            \
+  V(WebAssemblyExceptionGetStack)          \
   V(WebAssemblyExceptionIs)                \
   V(WebAssemblyGlobal)                     \
   V(WebAssemblyGlobalGetValue)             \
diff --git a/deps/v8/test/mjsunit/wasm/exceptions-api.js b/deps/v8/test/mjsunit/wasm/exceptions-api.js
index 25ba9c7e80ec27..9ceb2d506dfcbf 100644
--- a/deps/v8/test/mjsunit/wasm/exceptions-api.js
+++ b/deps/v8/test/mjsunit/wasm/exceptions-api.js
@@ -106,13 +106,19 @@ d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
   print(arguments.callee.name);
   let tag = new WebAssembly.Tag({parameters: []});
   let exn = new WebAssembly.Exception(tag, []);
+  assertTrue('stack' in exn);
   assertEquals(undefined, exn.stack);
   exn = new WebAssembly.Exception(tag, [], {traceStack: false});
+  assertTrue('stack' in exn);
   assertEquals(undefined, exn.stack);
   exn = new WebAssembly.Exception(tag, [], {traceStack: true});
   assertTrue(exn.stack.indexOf(arguments.callee.name) > 0);
   assertThrows(() => new WebAssembly.Exception(tag, [], 0), TypeError,
                /Argument 2 is not an object/);
+  // The stack getter may only be used with a receiver that is a
+  // WebAssembly.Exception.
+  let proto = WebAssembly.Exception.prototype;
+  assertThrows(() => proto.stack, TypeError);
 })();
 
 (function TestCatchJSException() {
@@ -319,3 +325,7 @@ function TestGetArgHelper(types_str, types, values) {
   // Don't catch with implicit wrapping.
   assertThrowsEquals(() => instance.exports.test(obj), obj);
 })();
+
+(function TestExceptionConstructorLength() {
+  assertEquals(2, WebAssembly.Exception.length);
+})();
diff --git a/doc/api/assert.md b/doc/api/assert.md
index 463cd1ef8a7c3c..e0eed6098747d9 100644
--- a/doc/api/assert.md
+++ b/doc/api/assert.md
@@ -2036,7 +2036,7 @@ If no arguments are passed in at all `message` will be set to the string:
 Be aware that in the `repl` the error message will be different to the one
 thrown in a file! See below for further details.
 
-
+
 
 ```mjs
 import assert from 'node:assert/strict';
@@ -2073,7 +2073,7 @@ assert.ok(0);
 //   assert.ok(0)
 ```
 
-
+
 
 ```cjs
 const assert = require('node:assert/strict');
diff --git a/doc/api/buffer.md b/doc/api/buffer.md
index a03b95c1ffe3c3..c8df6e64de8fdf 100644
--- a/doc/api/buffer.md
+++ b/doc/api/buffer.md
@@ -881,7 +881,7 @@ _may contain sensitive data_. Use [`buf.fill(0)`][`buf.fill()`] to initialize
 such `Buffer` instances with zeroes.
 
 When using [`Buffer.allocUnsafe()`][] to allocate new `Buffer` instances,
-allocations less than `Buffer.poolSize >>> 1` (4KiB when default poolSize is used) are sliced
+allocations less than `Buffer.poolSize >>> 1` (32KiB when default poolSize is used) are sliced
 from a single pre-allocated `Buffer`. This allows applications to avoid the
 garbage collection overhead of creating many individually allocated `Buffer`
 instances. This approach improves both performance and memory usage by
@@ -1513,9 +1513,13 @@ console.log(Buffer.isEncoding(''));
 
 
 
-* Type: {integer} **Default:** `8192`
+* Type: {integer} **Default:** `65536`
 
 This is the size (in bytes) of pre-allocated internal `Buffer` instances used
 for pooling. This value may be modified.
diff --git a/doc/api/cli.md b/doc/api/cli.md
index ca5126bfd2c09c..6eeb360419df83 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -974,7 +974,8 @@ added: v23.10.0
 If present, Node.js will look for a configuration file at the specified path.
 Node.js will read the configuration file and apply the settings. The
 configuration file should be a JSON file with the following structure. `vX.Y.Z`
-in the `$schema` must be replaced with the version of Node.js you are using.
+in the `$schema` must be replaced with the version of Node.js you are using or
+`latest-vX.x` for the latest version of that major release line.
 
 ```json
 {
diff --git a/doc/api/console.md b/doc/api/console.md
index f0669558abe385..804778bd5fa681 100644
--- a/doc/api/console.md
+++ b/doc/api/console.md
@@ -240,9 +240,7 @@ added: v8.3.0
 Maintains an internal counter specific to `label` and outputs to `stdout` the
 number of times `console.count()` has been called with the given `label`.
 
-
-
-```js
+```console
 > console.count()
 default: 1
 undefined
@@ -274,9 +272,7 @@ added: v8.3.0
 
 Resets the internal counter specific to `label`.
 
-
-
-```js
+```console
 > console.count('abc');
 abc: 1
 undefined
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 13ae03dc608740..a9b1bafa6749eb 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -53,8 +53,6 @@ try {
 }
 ```
 
-
-
 When using the lexical ESM `import` keyword, the error can only be
 caught if a handler for `process.on('uncaughtException')` is registered
 _before_ any attempt to load the module is made (using, for instance,
@@ -6092,7 +6090,7 @@ changes:
 
 
 * `algorithm` {string | null | undefined}
-* `data` {ArrayBuffer|Buffer|TypedArray|DataView}
+* `data` {ArrayBuffer|Buffer|SharedArrayBuffer|TypedArray|DataView|string}
 * `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
 * `callback` {Function}
   * `err` {Error}
@@ -6224,9 +6222,9 @@ changes:
 
 
 * `algorithm` {string|null|undefined}
-* `data` {ArrayBuffer| Buffer|TypedArray|DataView}
+* `data` {ArrayBuffer|Buffer|SharedArrayBuffer|TypedArray|DataView|string}
 * `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
-* `signature` {ArrayBuffer|Buffer|TypedArray|DataView}
+* `signature` {ArrayBuffer|Buffer|SharedArrayBuffer|TypedArray|DataView}
 * `callback` {Function}
   * `err` {Error}
   * `result` {boolean}
@@ -6617,7 +6615,7 @@ See the [list of SSL OP Flags][] for details.
   
                                            
-    
diff --git a/doc/api/debugger.md b/doc/api/debugger.md
index 68fdf255a7ecd4..2fb579ca967d67 100644
--- a/doc/api/debugger.md
+++ b/doc/api/debugger.md
@@ -10,6 +10,14 @@ Node.js includes a command-line debugging utility. The Node.js debugger client
 is not a full-featured debugger, but simple stepping and inspection are
 possible.
 
+The debugger supports two modes of operation: [interactive mode][] and [non-interactive probe mode][].
+
+## Interactive mode
+
+```console
+$ node inspect [--port=] [ ...] [
                                            CircleCI context UUID to match
 
                                            
 
                                            --allow-publishfalseBooleanAllow npm publish for this trusted publisher configuration
                                            --allow-stage-publish, --allow-staged-publishfalseBooleanAllow npm stage publish for this trusted publisher configuration
                                            
 --dry-run
 false
 Boolean
                                            
   
                                            
     SSL_OP_DONT_INSERT_EMPTY_FRAGMENTSInstructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability
+    Instructs OpenSSL to disable an SSL 3.0/TLS 1.0 vulnerability
     workaround added in OpenSSL 0.9.6d.