main/nodejs: move npm into a standalone aport
npm is bundled in Node.js, but it's a standalone project with its own release cycle and version number. main/nodejs provides LTS version of Node.js, so it includes old version of npm. Alpine build tools don't handle subpackages with pkgver different from the origin pkgver. Thus the current 'npm' subpackage has version 14.16.1-r0 (version of the Node.js) which is confusing, because the real version of the packaged 'npm' is 6.14.11. Moreover, npm has gazillion bundled dependencies, so there's a high risk of security vulnerabilities; using npm bundled in Node.js quite complicates security patching and requires rebuilding complete Node.js package. For these reasons, I think it will be better to split npm into a separate aport and provide the latest version instead of some arbitrary version bundled in the Node.js tarball. Actually, I planned this three years ago (see commit message in 244cc743), but forgot about it. There's one unpleasant consequence of this change - the latest npm version is 7.9.0 which is lower than 14.16.1 (version inherited from nodejs package). Since Alpine doesn't have "epoch" version as e.g. Fedora, there's nothing I can do about it beside informing the users (using nodejs.post-upgrade script).
Showing with 229 additions and 30 deletions