Adds new admin option “skipInstalls” that is applicable for npm-only for now (including lerna-npm). If set to false, Renovate will perform a full install of modules rather than `—package-lock-only`. This is necessary in some cases to work around bugs in npm.

Self-hosted bot users can set this option themselves on the bot’s config, but app users will require it to be enabled per-repository by the app admin.

Closes #2039

Rewrite of dependency extraction, particularly for npm. Paves way for easier addition of new package managers.

Closes #1882

There are times when an npm dependency has an update available yet the “npm/yarn/pnpm install” fails to find it, and the lock file can’t be generated. We check for this any time there’s a lock file error and abort the branch creation, hoping it fixes itself on the next run.

Closes #1666

Adds support for npm-shrinkwrap.json files.

Closes #67

Closes #1531

* Revert "fix: disable reusing existing package-lock.json when upgrading (#1530)"

This reverts commit 2728e399.

* switch from —package-lock-only to —ignore-scripts

Removing `--package-lock-only` option from npm installs due to https://github.com/npm/npm/issues/19852

Pretty sure this fixes #1495

Adds a config option to bot administrators called `exposeEnv`, for cases where repositories are trusted. If set to true, the bot's full `process.env` can be used for `.npmrc` variable substitution and is passed to child processes when generating lock files. Disabled by default, including in the App.

Use `upath` for windows-friendly path joins.

Closes #1203

Previously, upgrades with failing lock files were not raised as PRs. Usually this is because of missing private module configuration. Now, Renovate will raise a PR but add a comment warning of the error, with the error log. It's raised as a comment because we now won't need to regenerate the lock file error every run, and we don't want to "lose" it if the PR description gets updated.

Closes #600 

* refactor: await fs.readFile instead of sync version

* fix: replace fs and tmpDir sync with promises

* fix(deps): update dependency get-installed-path to v4.0.3

* fix

Now adds `stdout` and `stderr` from `npm` and `yarn` installs to the "Generated lockfile" log message, so that the exact versions of npm and yarn can be known in the default logs.

Closes #827

`npm` and `yarn` lockfile generation use promisified child process `exec` now instead of `spawnSync`.

This fix improves the way Renovate detects embedded/installed npm and yarn. It tries:
- locally installed npm or yarn
- npm or yarn embedded inside globally installed renovate
- globally installed npm or yarn
- global `yarn` or `npm` commands as fallback

Fixes #824 

* install npm from npm

* use embedded npm and remove versions checking

This is a major refactor of branch code to prepare for Yarn workspaces plus creating PRs for branches with failing lockfiles. Marked as "feature" to cause a minor version bump due to the moderate chance of accidentally breaking something.

Eliminating one more possibility for #707

tmpDir is now created once per-repository and package.json files are written and lockfiles generated based on the repo's directory structure. This way node_modules can be reused between branches in same run.

Closes #501

Closes #506 

Closes #226