Skip to content
This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

v5.6.0
Compare
Choose a tag to compare
@zkat zkat released this 28 Nov 03:45
· 355 commits to latest since this release
v5.6.0
This tag was signed with the committer’s verified signature.
zkat Kat Marchán
GPG key ID: AEB529C08A3C7E9E
Learn about vigilant mode.
5e426a7

Features!

You may have noticed this is a semver-minor bump. Wondering why? This is why!

  • bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
  • f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
  • 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
  • 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)

Node 9

Previously, it turns out npm broke on the latest Node, node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!

Bug Fixes

  • b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
  • 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
  • a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
  • fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
  • be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
  • bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
  • b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
  • 8c194b86e npm-packlist@1.1.10: Include node_modules/ directories not in the root. (@isaacs)
  • d7ef6a20b libnpx@9.7.1: Fix some *nix binary path escaping issues. (@zkat)
  • 981828466 cacache@10.0.1: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
  • a0be6bafb pacote@7.0.2: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
  • b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
  • cac225025 #19054 Don't count failed optionals when summarizing installed packages. (@iarna)

UX

  • b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
  • 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
  • 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
  • 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
  • 798428b0b #19172 bin-links@1.1.0: Log the fact line endings are being changed upon install. (@marcosscriven)

Refactors

Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!

  • 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
  • 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
  • c930e98ad npm-lifecycle@2.0.0: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
  • 876f0c8f3 829893d61 #19099 find-npm-prefix@1.0.1: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've cd'd into a subdirectory. Did you know you can run npm install from these subdirectories, and it'll only affect the root? It works like git! (@iarna)

Docs

Dependency Bumps

Assets 2