CLI documentation update from CI

npm-cli-bot · npm-cli-bot · commit 28ce509b3ad5 · 2022-07-12T03:09:45.000Z
diff --git a/cli/v8 b/cli/v8
@@ -1 +1 @@
-Subproject commit ef8d2edd7da993f4086c85089952cd45834ac78b
+Subproject commit ac56fc41bc2f91f51c8438f98893121e7a92ee46
diff --git a/content/cli/v8/commands/npm-audit.md b/content/cli/v8/commands/npm-audit.md
@@ -21,7 +21,7 @@ github_path: docs/content/commands/npm-audit.md
 <!-- see lib/commands/audit.js -->
 
 ```bash
-npm audit [fix]
+npm audit [fix|signatures]
 ```
 
 <!-- automatically generated, do not edit manually -->
@@ -51,6 +51,17 @@ vulnerability is found. It may be useful in CI environments to include the
 will cause the command to fail. This option does not filter the report
 output, it simply changes the command's failure threshold.
 
+### Audit Signatures
+
+This command can also audit the integrity values of the packages in your
+tree against any signatures present in the registry they were downloaded
+from.  npm will attempt to download the keys from `/-/npm/v1/keys` on
+each the registry used to download any given package.  It will then
+check the `dist.signatures` object in the package itself, and verify the
+`sig` present there using the `keyid` there, matching it with a key
+returned from the registry.  The command for this is `npm audit
+signatures`
+
 ### Audit Endpoints
 
 There are two audit endpoints that npm may use to fetch vulnerability
diff --git a/content/cli/v8/commands/npm.md b/content/cli/v8/commands/npm.md
@@ -111,7 +111,7 @@ following help topics:
   done via [`npm install`](/cli/v8/commands/npm-install)
 * adduser:
   Create an account or log in.  When you do this, npm will store
-  credentials in the user config file config file.
+  credentials in the user config file.
 * publish:
   Use the [`npm publish`](/cli/v8/commands/npm-publish) command to upload your
   code to the registry.
diff --git a/content/cli/v8/configuring-npm/package-json.md b/content/cli/v8/configuring-npm/package-json.md
@@ -134,7 +134,7 @@ IDs](https://spdx.org/licenses/).  Ideally you should pick one that is
 
 If your package is licensed under multiple common licenses, use an [SPDX
 license expression syntax version 2.0
-string](https://www.npmjs.com/package/spdx), like this:
+string](https://spdx.dev/specifications/), like this:
 
 ```json
 {
diff --git a/content/cli/v8/using-npm/scripts.md b/content/cli/v8/using-npm/scripts.md
@@ -47,7 +47,7 @@ There are some special life cycle scripts that happen only in certain
 situations. These scripts happen in addition to the `pre<event>`, `post<event>`, and
 `<event>` scripts.
 
-* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`
+* `prepare`, `prepublish`, `prepublishOnly`, `prepack`, `postpack`, `dependencies`
 
 **prepare** (since `npm@4.0.0`)
 * Runs any time before the package is packed, i.e. during `npm publish`
@@ -79,6 +79,10 @@ situations. These scripts happen in addition to the `pre<event>`, `post<event>`,
 **postpack**
 * Runs AFTER the tarball has been generated but before it is moved to its final destination (if at all, publish does not save the tarball locally)
 
+**dependencies**
+* Runs AFTER any operations that modify the `node_modules` directory IF changes occurred.
+* Does NOT run in global mode
+
 #### Prepare and Prepublish
 
 **Deprecation Note: prepublish**
@@ -104,6 +108,10 @@ The advantage of doing these things at `prepublish` time is that they can be don
 * You don't need to rely on your users having `curl` or `wget` or
   other system tools on the target machines.
 
+#### Dependencies
+
+The `dependencies` script is run any time an `npm` command causes changes to the `node_modules` directory. It is run AFTER the changes have been applied and the `package.json` and `package-lock.json` files have been updated.
+
 ### Life Cycle Operation Order
 
 #### [`npm cache add`](/cli/v8/commands/npm-cache)
diff --git a/content/cli/v8/using-npm/workspaces.md b/content/cli/v8/using-npm/workspaces.md
@@ -65,7 +65,7 @@ structure of files and folders:
 ```
 .
 +-- node_modules
-|  `-- packages/a -> ../packages/a
+|  `-- a -> ../packages/a
 +-- package-lock.json
 +-- package.json
 `-- packages
@@ -120,15 +120,15 @@ respect the provided `workspace` configuration.
 
 Given the [specifities of how Node.js handles module resolution](https://nodejs.org/dist/latest-v14.x/docs/api/modules.html#modules_all_together) it's possible to consume any defined workspace
 by its declared `package.json` `name`. Continuing from the example defined
-above, let's also create a Node.js script that will require the `workspace-a`
+above, let's also create a Node.js script that will require the workspace `a`
 example module, e.g:
 
 ```
-// ./workspace-a/index.js
+// ./packages/a/index.js
 module.exports = 'a'
 
 // ./lib/index.js
-const moduleA = require('workspace-a')
+const moduleA = require('a')
 console.log(moduleA) // -> a
 ```
 

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ IDs](https://spdx.org/licenses/). Ideally you should pick one that is`
`134`	`134`
`135`	`135`	`If your package is licensed under multiple common licenses, use an [SPDX`
`136`	`136`	`license expression syntax version 2.0`
`137`		`-string](https://www.npmjs.com/package/spdx), like this:`
	`137`	`+string](https://spdx.dev/specifications/), like this:`
`138`	`138`
`139`	`139`	```json
`140`	`140`	`{`