v5.10.0
With this, likely the last release of the npm@5.x series, we backport a number of features from 6.0.0. Contrary to Github at publication time, this is not the latest release. That honor belongs to 6.0.1, just below this. If you're using 6.0.1 there's nothing here you haven't seen before.
EXTENDED npm init
SCAFFOLDING
Thanks to the wonderful efforts of @jdalton of lodash fame, npm init
can now be used to invoke custom scaffolding tools!
You can now do things like npm init react-app
or npm init esm
to scaffold an npm package by running create-react-app
and create-esm
, respectively. This also adds an npm create
alias, to correspond to Yarn's yarn create
feature, which inspired this.
adc009ed4
f363edd04
f03b45fb2
13adcbb52
#20303 #20372 Add annpm init
feature that calls out tonpx
when invoked with positional arguments. (@jdalton)
DEPENDENCY AUDITING
This version of npm adds a new command, npm audit
, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.
The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.
As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit
, or read the docs for npm audit
online. You can disable this altogether by doing npm config set audit false
, but will no longer benefit from the service.
c81dfb91b
npm-registry-fetch@1.1.1
(@iarna)b096f44a9
npm-audit-report@1.0.9
(@iarna)43b20b204
#20389 Add newnpm audit
command. (@iarna)49ddb3f56
#20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)5f1129c4b
#20389 Document the new command. (@iarna)9a07b379d
#20389 Default audit to off when running the npm test suite itself. (@iarna)a6e2f1284
Make sure we hide stream errors on background audit submissions. Previously some classes of error could end up being displayed (harmlessly) during installs. (@iarna)aadbf3f46
Include session and scope in requests (as we do in other requests to the registry). (@iarna)7d43ddf63
Exit with non-zero status when vulnerabilities are found. So you can havenpm audit
as a test or prepublish step! (@iarna)bc3fc55fa
Verify lockfile integrity before running. You'd get an error either way, but this way it's faster and can give you more concrete instructions on how to fix it. (@iarna)2ac8edd42
Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet. (@iarna)3dcc240db
Timeout audit requests eventually. (@iarna)
CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!
663d8b5e5
npm/lockfile#29lockfile@1.0.4
: Switches tosignal-exit
to detect abnormal exits and remove locks. (@Redsandro)
SHRONKWRAPS AND LACKFILES
If a published modules had legacy npm-shrinkwrap.json
we were saving ordinary registry dependencies (name@version
) to your package-lock.json
as https://
URLs instead of versions.
36f998411
When saving the lock-file compute how the dependency is being required instead of using_resolved
in thepackage.json
. This fixes the bug that was converting registry dependencies intohttps://
dependencies. (@iarna)113e1a3af
When encountering ahttps://
URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us healpackage-lock.json
files produced by 6.0.0 (@iarna)
MORE package-lock.json
FORMAT CHANGES?!
074502916
#20384 Addfrom
field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in--package-lock-only
mode when there's nonode_modules
. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)
DOCUMENTATION IMPROVEMENTS
e0235ebb6
#20384 Update the lock-file spec doc to mention that we now generate the from field forgit
-type dependencies. (@watilde)35de04676
#20408 Describe what the colors in outdated mean. (@teameh)
BUGFIXES
1b535cb9d
#20358npm install-test
(akanpm it
) will no longer generatepackage-lock.json
when running with--no-package-lock
orpackage-lock=false
. (@raymondfeng)268f7ac50
5f84ebdb6
c12e61431
#20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid.npm
would never consider that entry in thepackage.json
as matching the entry in thepackage-lock.json
and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of thefrom
field as described in #20384 means we can exactly match thepackage.json
. Second, when that's missing (when working with olderpackage-lock.json
files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)
DOCS
7b13bf5e3
#20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)1c4ffddce
#20279 Document the--if-present
option fornpm run-script
. (@aleclarson)
DEPENDENCY UPDATES
815d91ce0
libnpx@10.2.0
(@zkat)02715f19f
update-notifier@2.5.0
(@alexccl)08c4ddd9e
tar@4.4.2
(@isaacs)53718cb12
tap@11.1.4
(@isaacs)0a20cf546
safe-buffer@5.1.2
(@feross)e8c8e844c
retry@0.12.0
(@tim-kos)76c7f21bd
read-package-tree@5.2.1
(@zkat)c8b0aa07b
query-string@6.1.0
(@sindresorhus)abfd366b4
npm-package-arg@6.1.0
(@zkat)bd29baf83
lock-verify@2.0.2
(@iarna)