doc: add note re term-size commit on top of npm
Until npm updates update-notifier to a newer version, the dependency tree will contain a version of term-size that has an unsigned macOS binary. This will fail .pkg notarization and will result in failed release builds. We built and signed a term-size and contributed it back to the project for this purpose, but the dependency chain is long enough that it's not likely to be included in a new npm very quickly. Until it is, we need to cherry-pick commit d2f08a1b on top of any npm updates to master and any other release branch that includes notarization.
The dependency chain is update-notifier -> boxen -> term-size. npm is on update-notifier@^2.5.0 but the latest is 4.1.0 and I can imagine it's a bit intimidating to just jump through those versions without grokking what's changed.
I've done this just now for master after the update to npm@6.14.3 in 4a3ccd89.
You can see what a failure looks like in the latest master nightly if you have access to ci-release: https://ci-release.nodejs.org/job/iojs+release/5763/nodes=osx1015-release-pkg/
17:54:06 3 errors occurred:
17:54:06 * error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The binary is not signed.
17:54:06 * error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The signature does not include a secure timestamp.
17:54:06 * error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The executable does not have the hardened runtime enabled.
.pkg is missing from https://nodejs.org/download/nightly/v14.0.0-nightly20200320f7771fffd0/
@nodejs/build @nodejs/npm
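
A pre-release check for the "binary is not signed" failure in the log above, as an added example that is not part of the original PR or of the Node.js build tooling: it walks a dependency tree and lists thin Mach-O files that have no `LC_CODE_SIGNATURE` load command. It does not validate the signature, the secure timestamp or the hardened runtime flag, it skips fat (universal) binaries, and `fake_macho` only builds constructed sample input.

```python
import os
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, little-endian
LC_CODE_SIGNATURE = 0x1D  # load command pointing at the embedded signature

def signature_state(path):
    """None if not a thin little-endian Mach-O, else 'has-signature' or 'no-signature'."""
    with open(path, "rb") as f:
        head = f.read(32)
        if len(head) < 28:
            return None
        magic, _cpu, _sub, _type, ncmds, sizeofcmds = struct.unpack_from("<6I", head)
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            return None
        f.seek(32 if magic == MH_MAGIC_64 else 28)  # 64-bit header has a reserved word
        cmds = f.read(sizeofcmds)
    offset = 0
    for _ in range(ncmds):
        if offset + 8 > len(cmds):
            break  # truncated or malformed load commands
        cmd, cmdsize = struct.unpack_from("<II", cmds, offset)
        if cmd == LC_CODE_SIGNATURE:
            return "has-signature"
        if cmdsize < 8:
            break  # a command cannot be smaller than its own header
        offset += cmdsize
    return "no-signature"

def find_unsigned(root):
    """Relative paths of Mach-O files under root that carry no signature command."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and signature_state(path) == "no-signature":
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def fake_macho(signed):
    """Constructed sample: minimal 64-bit header plus load commands, no real code."""
    cmds = struct.pack("<II16s", 0x1B, 24, b"\0" * 16)  # LC_UUID
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    ncmds = 2 if signed else 1
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    import sys
    print("\n".join(find_unsigned(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Any path it reports still needs `codesign` verification on macOS before the .pkg is submitted for notarization.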