deps: upgrade npm to 4.0.1

Checklist

• make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

• deps

Description of change

Hey y'all! #8977 (closed) was created a while back to track stuff surrounding this release, and I think it's a good decision to wait to do a minor bump later, rather than rush this release out in any way. Thanks a bunch for your patience!

As you can see, this is a semver-major bump for npm. That said, the actual impact of the release to the ecosystem is relatively small. Most certainly much smaller in impact than npm@3 was. We're still sniffing out a couple of issues and might even put together an npm@4.0.2 soon to iron that out before npm@4 becomes latest.

THIS IS NOT A FINAL RELEASE -- as mentioned in #8977 (closed), this is a preview of npm@4 so y'all can start testing and taking a look at changes and make sure everything looks good before considering including it with official node releases.

One more note: With the release of npm@4, we've decided to move both npm@2 and npm@3 to maintenance: that means we're unlikely to continue adding features to either of those, but will include critical patches, specially security patches, if something comes up. Regular bugfixes will not be done, as it's much better for our team to be able to focus on the latest release which we're standing behind. As far as Node Core is concerned, though, npm@2 continues what we consider to be a sort of LTS release for y'all's sake. Maintenance doesn't mean it's no longer maintained, and users should continue to have a working experience with npm@2 until node@4 leaves LTS. npm@3.10.9, which I'll be downstreaming soon, might end up being our last npm@3 release.

So without further ado, npm@4!

Breaking Changes

• npm search rewritten to stream results, and no longer supports sorting.
• npm scripts no longer prepend the path of the node executable used to run npm before running scripts. A --scripts-prepend-node-path option has been added to configure this behavior. (/cc @addaleax)
• prepublish has been deprecated, replaced by prepare. A prepublishOnly script has been temporarily added, which will only run on npm publish. NOTE: This change only affects users publishing new versions of their packages and developers installing through git and local deps. Registry installs should be (mostly) unaffected by this change.
• npm outdated exits with exit code 1 if it finds any outdated packages. (/cc @watilde)
• npm tag has been removed after a deprecation cycle. Use npm dist-tag.
• Partial shrinkwraps are no longer supported. npm-shrinkwrap.json is considered a complete installation manifest except for devDependencies. This will affect certain projects that relied heavily on this feature, most notably hapi.
• devDependencies are now included in npm-shrinkwrap.json by default. This should make the transition to npm@5 easier.

Other Notable Changes

• npm now sends two extra http headers to the registry (npm/npm#14129):
  • Npm-In-CI - whether npm was run within a Continuous Integration environment.
  • Npm-Scope - the scope of the toplevel package this installation is for. For example, if you have a @node/foo package, all dependency requests for that package will include @node in the header, even if those dependencies themselves are not scoped or are for a different scope.

Changelogs

• v3.10.9
• v4.0.0
• v4.0.1

r: @Fishrock123 r: @addaleax r: @jasnell