Npm: fetch latest version from registry.npmjs.org by samford · Pull Request #20734 · Homebrew/brew · GitHub

Conversation

Member

@samford samford commented Sep 19, 2025

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

livecheck's Npm strategy is currently broken because the npmjs.com website is behind Cloudflare and upstream may have changed their security settings, as we're now seeing 403 (Forbidden) responses. This modifies the strategy to check the latest version from registry.npmjs.org instead, which doesn't seem to have the same problem.

Besides fixing the strategy, this change has some side benefits:

  • Checking the latest endpoint ensures that livecheck is tracking the version that's marked as "latest" on npm. In testing this, I saw one formula (yaml-language-server) where the version we're using is marked as "next" on npm and it's newer than "latest". We can revisit this approach if it becomes a problem in practice but it seems like a beneficial change on the surface.
  • We have some formulae where the npm package has an excessive number of previous versions (hundreds or thousands) and the Npm strategy was having to download more data than we need just to find the latest version. The responses from the latest endpoint involve much less data transfer, so these checks seem pretty snappy now (granted, I can't do a real comparison as the current Npm strategy is broken).

I tested this across all the existing formulae that use the Npm strategy and the only issue I saw was with gemini-cli, where the version from the latest endpoint was temporarily a dev version instead of the version that was reported as "latest" on npmjs.com. registry.npmjs.org is now back to reporting the correct latest version, so this may be a package-specific issue relating to how Google publishes new versions.

It's something we should keep an eye on but if it only affects a small number of packages over time (e.g., fewer than five), we can simply address those by adding a livecheck block in the formula to check a different source (noting the issue in a comment). If it ends up being a regularly-occurring and widespread issue, then we'll have to go back to the drawing board. This seems to work as expected for all the other packages, so I think we're okay moving forward with this for now.

Member

@nandahkrishna nandahkrishna left a comment


Makes sense to me, thanks @samford!

Member

@MikeMcQuaid MikeMcQuaid left a comment


Thanks!

@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Sep 20, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 20, 2025
@chenrui333 chenrui333 added this pull request to the merge queue Sep 20, 2025
Merged via the queue into main with commit 145cd60 Sep 20, 2025
38 checks passed
@chenrui333 chenrui333 deleted the livecheck/npm-check-registry branch September 20, 2025 13:19

4 participants