deps: upgrade npm to 2.7.5

[othiym23]

This release of npm is a little more important than most, because it contains two security fixes:

• 300834e
tar@2.0.0: Normalize symbolic links that point to targets outside the
  extraction root. This prevents packages containing symbolic links from
  overwriting targets outside the expected paths for a package. Thanks to Tim
  Cuthbertson and the team at Lift
  Security for working with the npm team to identify
  this issue. (@othiym23)
• 0dc6875
semver@4.3.2: Package versions can be no more than 256 characters long.
  This prevents a situation in which parsing the version number can use
  exponentially more time and memory to parse, leading to a potential denial of
  service. Thanks to Adam Baldwin at Lift Security for bringing this to our
  attention. (@isaacs)

The severity is medium and the impact is low, at least for now. We have no evidence that either of these vulnerabilities were being exploited in the wild. All the same, it would be good to get people upgrading.

This version also contains two important fixes to npm's git / GitHub support:

• eab6184
  #7766 One last tweak to ensure that
  GitHub shortcuts work with private repositories.
  (@iarna)
• a840a13
  #7746 Only fix up git URL paths when
  there are paths to fix up. (@othiym23)

Unfortunately, npm@2.7.5 is missing the final piece of the git puzzle:

• b747593
  #7630 Don't automatically log all
  git failures as errors. maybeGithub needs to be able to fail without
  logging to support its fallback logic.
  (@othiym23)

In most cases, npm@2.7.5 will work fine with private GitHub repositories, but it will log an ugly and misleading message about what it's doing. The above change (which is part of npm@2.7.6) takes care of that, but I still don't think it's a good idea to jump the gun with npm releases. I could maybe be persuaded otherwise.

I've applied the two roll-up patches for improved node-gyp support already. All I need are some reviewers!

R=@piscisaureus
R=@Fishrock123

[Fishrock123]

Reviewing. Due to #1323 and the aforementioned fixes I'd like to get a release with this out within the next 48 hours or so. I'll also open a release proposal soon.

[Fishrock123]

// god, tar is so annoying

Hey, at least we aren't dealing with .psd files. :)

Looked over the code. In case anyone is wondering the diff is mostly:

• new tar (tarball handling) dep
• updated request

Getting some errors on test-npm though: https://gist.github.com/Fishrock123/06f00d64a30758a20f72

[othiym23]

@Fishrock123

Getting some errors on test-npm though: https://gist.github.com/Fishrock123/06f00d64a30758a20f72

That's due to HFS+ case folding and this line in io.js's .gitignore (TIL about git check-ignore --verbose!). To fix this, I ran

$  git config --unset-all core.ignorecase
$  git config --system core.ignorecase false

to make git stop following HFS+'s case-folding rules. Defaulting core.ignorecase to true on a per-platform basis is probably a bad idea, but I know from experience why git does it. Anyway, that's worked around the issue for me, and other OS X developers may want to do the same, and we might want to consider making that Debug/ rule less broad so that this is less likely to happen in the future.

[Fishrock123]

and we might want to consider making that Debug/ rule less broad so that this is less likely to happen in the future.

Is there a good way to do this without having to externally set more stuff? I don't really understand the issue, but maybe our .gitignore can be fixed?

[othiym23]

It could probably just be added to the contributor's guide that core.ignorecase be set to false for io.js checkouts, much like we do with whitespace=fix now.

Anyway, can I get some LGTMs so I can get this merged in time for the next release window?

[Fishrock123]

LGTM

[othiym23]

Landed in 5eb983e, dac903f, and efadffe. Thanks for the review, @Fishrock123!