Opened 13 years ago

Closed 13 years ago

#31161 closed enhancement (fixed)

npm: users should not run "npm update npm -g"

Reported by: ryandesign (Ryan Carsten Schmidt)
Owned by: ci42
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc:
Port: npm

Description

According to the npm FAQ, users can update npm itself by running:

npm update npm -g

But we don't want users to do that; we want users to use MacPorts to upgrade software that was installed using MacPorts.

I see two approaches we could use:

  1. Add a sentence to the notes field telling the user not to use "npm update npm -g"
    • Pros: easy to implement
    • Cons: easy for the user to ignore, forget, or overlook
  2. Override "npm update npm -g" and replace it with a message advising the user to run "sudo port selfupdate && sudo port upgrade npm" instead
    • Pros: eliminates possibility for user error
    • Cons: harder to implement

I prefer option 2 if it's not too difficult. The ways I see of doing it are:

  1. Override "npm update npm -g"
    1. Write a wrapper script around npm
      • Pros: changes to npm won't necessitate rewriting the wrapper
      • Cons: if npm accepts optional arguments, or arguments in arbitrary order, getting the argument parsing right in the wrapper will be involved
    2. Patch npm
      • Pros: avoids a layer of abstraction for all the other npm commands the user will run
      • Cons: new versions of npm may invalidate our patches and require us to rewrite them

A third possibility would be to get the developers of npm to include a configuration option to disable "npm update npm -g". Not sure if they would be willing to offer that.
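
The wrapper-script approach from the description, with the argument-order problem it mentions, could be sketched as follows. This is an added example, not part of the original ticket and not the MacPorts port's code (the ticket was resolved by patching npm instead); `REAL_NPM`, its placeholder path and the function names are assumptions.

```shell
#!/bin/sh
# Sketch of a wrapper installed under the name "npm" (added example).
# REAL_NPM is a placeholder for wherever the real npm executable lives.
REAL_NPM="${REAL_NPM:-/path/to/real/npm}"

# Succeeds when the arguments are the "update" command applied to the
# package "npm" with -g or --global, in any order.
# Limitation: an option that takes a separate value (an assumption about
# npm's CLI, e.g. "--someopt value") would have its value misread as a
# word; handling that needs npm's own option table.
is_global_self_update() {
    cmd='' global=no target=no          # globals: POSIX sh has no "local"
    for arg in "$@"; do
        case "$arg" in
            -g|--global) global=yes ;;
            -*) ;;                      # any other option: ignore
            *)
                if [ -z "$cmd" ]; then
                    cmd=$arg            # first plain word is the command
                elif [ "$arg" = npm ]; then
                    target=yes          # a later plain word names the package
                fi ;;
        esac
    done
    [ "$cmd" = update ] && [ "$global" = yes ] && [ "$target" = yes ]
}

npm_wrapper_main() {
    if is_global_self_update "$@"; then
        echo 'This npm was installed by MacPorts. To update it, run:' >&2
        echo '  sudo port selfupdate && sudo port upgrade npm' >&2
        return 1
    fi
    exec "$REAL_NPM" "$@"               # everything else passes through
}

# Act as the wrapper only when invoked under the name "npm".
case "${0##*/}" in
    npm) npm_wrapper_main "$@"; exit $? ;;
esac
```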

Change History (3)

comment:1 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)

Summary: npm: users should not run "npm update" → npm: users should not run "npm update npm -g"

comment:2 Changed 13 years ago by ryandesign (Ryan Carsten Schmidt)

Version: 2.0.2

comment:3 in reply to:  description Changed 13 years ago by ci42

Resolution: fixed
Status: new → closed

  1. Override "npm update npm -g"
    1. Patch npm

Done in r83821.
