doc: add note re term-size commit on top of npm

[rvagg]

Until npm updates update-notifier to a newer version, the dependency
tree will contain a version of term-size that has an unsigned macOS
binary. This will fail .pkg notarization and will result in failed
release builds. We built and signed a term-size and contributed it back
to the project for this purpose, but the dependency chain is long enough
that it's not likely to be included in a new npm very quickly.
Until it is, we need to cherry-pick commit d2f08a1 ontop of any npm
updates to master and any other release branch that includes
notarization.

The dependency chain is update-notifier -> boxen -> term-size. npm is on update-notifier@^2.5.0 but the latest is 4.1.0 and I can imagine it's a bit intimidating to just jump through those versions without grokking what's changed.

I've done this just now for master after the update to npm@6.14.3 in 4a3ccd8.

You can see what a failure looks like in the latest master nightly if you have access to ci-release: https://ci-release.nodejs.org/job/iojs+release/5763/nodes=osx1015-release-pkg/

17:54:06 3 errors occurred:
17:54:06 	* error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The binary is not signed.
17:54:06 	* error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The signature does not include a secure timestamp.
17:54:06 	* error for path "node-v14.0.0-nightly20200320f7771fffd0.pkg/npm-v6.14.3.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The executable does not have the hardened runtime enabled.

.pkg is missing from https://nodejs.org/download/nightly/v14.0.0-nightly20200320f7771fffd0/

@nodejs/build @nodejs/npm

[rvagg]

.pkg in last nightly, after I ran the cherry-pick documented here, on master https://nodejs.org/download/nightly/v14.0.0-nightly20200322ecfb7b0988/

[sam-github]

@nodejs/npm This is a fair amount build tooling required in order to get a box drawn around some text saying "an npm update is available", is there any chance that this could be fixed?

Note that the dependency on the executable is unnecessary, the equivalent functionality is already present in Node.js as pure-js: sindresorhus/terminal-size#15 (comment)

@rvagg will the dependency on an unsigned executable make npm install -g npm not work on OS X Catalina?

[sam-github]

I'm not thrilled that this isn't getting fixed upstream, but that's out of our control, in the meantime, this is what we have to do.

[mhdawson]

LGTM, agree we Sam, not optimal but what we need to do for now.

[rvagg]

@rvagg will the dependency on an unsigned executable make npm install -g npm not work on OS X Catalina?

Nope! That's the fun of this (sarcasm), it's all about the .pkg building process, once it gets onto your machine then Gatekeeper butts out and you can change the on-disk files all you want. So for now, it only matter that macOS executables in our bundles are signed.

My guess is that this is only the beginning though, and maybe macOS is heading toward a container-style install system for packages, like Snaps are. It'll get interesting then. You can't overwrite the node Snap's npm with npm install -g npm as it is but I don't think I've seen any people complaining about that yet (probably because of Snap's being auto-updating so you don't really need to as long as we keep pushing out new versions of npm with Node).

[rvagg]

Landed in 10d8e26

[ruyadorno]

@rvagg thanks for the patch! @sam-github worry not, we're going to be bringing it upstream to npm@6 npm/cli#1053 so that you can get rid of the extra step 😊