From e497c3f5396b26148fbe6515fcbbfa867a83a437 Mon Sep 17 00:00:00 2001
From: Michael Smith <owlstronaut@github.com>
Date: Thu, 18 Jun 2026 14:30:22 -0700
Subject: [PATCH] deps: npm-profile@12.0.2

---
 node_modules/npm-profile/lib/index.js | 29 ++++++++++++++++++++++++++-
 node_modules/npm-profile/package.json | 10 ++++-----
 package-lock.json                     | 10 ++++-----
 package.json                          |  2 +-
 4 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/node_modules/npm-profile/lib/index.js b/node_modules/npm-profile/lib/index.js
index 83ab5e1b46b68..734e08abb655f 100644
--- a/node_modules/npm-profile/lib/index.js
+++ b/node_modules/npm-profile/lib/index.js
@@ -49,6 +49,33 @@ const isValidUrl = u => {
   }
 }
 
+// npm's web-login response names the canonical npmjs registry in `doneUrl`, which a proxy/mirror forwards verbatim.
+// The poll would then hit npmjs.org instead of the proxy that holds the session, so rewrite only that npmjs host to the configured registry origin, preserving the path prefix and query string.
+// Any other done host is left untouched, since a non-npmjs canonical host cannot be inferred here and may be served intentionally.
+const CANONICAL_REGISTRY_HOST = 'registry.npmjs.org'
+
+// doneUrl is already validated by isValidUrl and registry is the origin a prior
+// POST /-/v1/login succeeded against, so both parse cleanly here.
+const replaceDoneUrlOrigin = (doneUrl, registry) => {
+  if (!registry) {
+    return doneUrl
+  }
+  const done = new URL(doneUrl)
+  if (done.hostname !== CANONICAL_REGISTRY_HOST) {
+    return doneUrl
+  }
+  const reg = new URL(registry)
+  done.protocol = reg.protocol
+  done.host = reg.host
+  const prefix = reg.pathname.replace(/\/$/, '')
+  if (prefix && prefix !== '/' &&
+      done.pathname !== prefix &&
+      !done.pathname.startsWith(prefix + '/')) {
+    done.pathname = prefix + done.pathname
+  }
+  return done.href
+}
+
 const webAuth = async (opener, opts, body) => {
   try {
     const res = await fetch('/-/v1/login', {
@@ -65,7 +92,7 @@ const webAuth = async (opener, opts, body) => {
       throw new WebLoginInvalidResponse('POST', res, content)
     }
 
-    return await webAuthOpener(opener, loginUrl, doneUrl, opts)
+    return await webAuthOpener(opener, loginUrl, replaceDoneUrlOrigin(doneUrl, opts.registry), opts)
   } catch (er) {
     if ((er.statusCode >= 400 && er.statusCode <= 499) || er.statusCode === 500) {
       throw new WebLoginNotSupported('POST', {
diff --git a/node_modules/npm-profile/package.json b/node_modules/npm-profile/package.json
index 0f97cc1efa193..bb7f23ec83121 100644
--- a/node_modules/npm-profile/package.json
+++ b/node_modules/npm-profile/package.json
@@ -1,13 +1,13 @@
 {
   "name": "npm-profile",
-  "version": "12.0.1",
+  "version": "12.0.2",
   "description": "Library for updating an npmjs.com profile",
   "keywords": [],
   "author": "GitHub Inc.",
   "license": "ISC",
   "dependencies": {
     "npm-registry-fetch": "^19.0.0",
-    "proc-log": "^6.0.0"
+    "proc-log": "^6.1.0"
   },
   "main": "./lib/index.js",
   "repository": {
@@ -19,8 +19,8 @@
     "lib/"
   ],
   "devDependencies": {
-    "@npmcli/eslint-config": "^5.0.0",
-    "@npmcli/template-oss": "4.27.1",
+    "@npmcli/eslint-config": "^7.0.0",
+    "@npmcli/template-oss": "5.1.1",
     "nock": "^13.5.6",
     "tap": "^16.0.1"
   },
@@ -46,7 +46,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.27.1",
+    "version": "5.1.1",
     "publish": true
   }
 }
diff --git a/package-lock.json b/package-lock.json
index d8a8ad629bfe9..b6b163ba39cb4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -129,7 +129,7 @@
         "npm-install-checks": "^8.0.0",
         "npm-package-arg": "^13.0.2",
         "npm-pick-manifest": "^11.0.3",
-        "npm-profile": "^12.0.1",
+        "npm-profile": "^12.0.2",
         "npm-registry-fetch": "^19.1.1",
         "npm-user-validate": "^4.0.0",
         "p-map": "^7.0.4",
@@ -8443,14 +8443,14 @@
       }
     },
     "node_modules/npm-profile": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/npm-profile/-/npm-profile-12.0.1.tgz",
-      "integrity": "sha512-Xs1mejJ1/9IKucCxdFMkiBJUre0xaxfCpbsO7DB7CadITuT4k68eI05HBlw4kj+Em1rsFMgeFNljFPYvPETbVQ==",
+      "version": "12.0.2",
+      "resolved": "https://registry.npmjs.org/npm-profile/-/npm-profile-12.0.2.tgz",
+      "integrity": "sha512-+OKkPvqvx83vRG8aIetzABI99e5uzZZ6HIS5zCr+oRPSuDL0Buk1KJh/LqyR0BuiWmLeDWGI77igNYipztLm1w==",
       "inBundle": true,
       "license": "ISC",
       "dependencies": {
         "npm-registry-fetch": "^19.0.0",
-        "proc-log": "^6.0.0"
+        "proc-log": "^6.1.0"
       },
       "engines": {
         "node": "^20.17.0 || >=22.9.0"
diff --git a/package.json b/package.json
index 3309782d55e6d..75aec59c42829 100644
--- a/package.json
+++ b/package.json
@@ -97,7 +97,7 @@
     "npm-install-checks": "^8.0.0",
     "npm-package-arg": "^13.0.2",
     "npm-pick-manifest": "^11.0.3",
-    "npm-profile": "^12.0.1",
+    "npm-profile": "^12.0.2",
     "npm-registry-fetch": "^19.1.1",
     "npm-user-validate": "^4.0.0",
     "p-map": "^7.0.4",