v6.0.0

This release contains:

v6.0.0.next-1

There's two major features included with this release, along with a few miscellaneous fixes and changes.

EXTENDED npm init SCAFFOLDING

Thanks to the wonderful efforts of @jdalton of lodash fame, npm init can now be used to invoke custom scaffolding tools!

You can now do things like npm init react-app or npm init esm to scaffold an npm package by running create-react-app and create-esm, respectively. This also adds an npm create alias, to correspond to Yarn's yarn create feature, which
inspired this.

• 008a83642 ed81d1426 833046e45 #20303 Add an npm init feature that calls out to npx when invoked with positional arguments. (@jdalton)

DEPENDENCY AUDITING

This version of npm adds a new command, npm audit, which will run a security audit of your project's dependency tree and notify you about any actions you may need to take.

The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.

As part of this change, the npm CLI now sends scrubbed and cryptographically anonymized metadata about your dependency tree to your configured registry, to allow notifying you about the existence of critical security flaws. For details about how the CLI protects your privacy when it shares this metadata, see npm help audit, or read the docs for npm audit online. You can disable this altogether by doing npm config set audit false, but will no longer benefit from the service.

• f4bc648ea #20389 npm-registry-fetch@1.1.0 (@iarna)
• 594d16987 #20389 npm-audit-report@1.0.5 (@iarna)
• 8c77dde74 1d8ac2492 552ff6d64 09c734803 #20389 Add new npm audit command. (@iarna)
• be393a290 #20389 Temporarily suppress git metadata till there's an opt-in. (@iarna)
• 8e713344f #20389 Document the new command. (@iarna)

MORE package-lock.json FORMAT CHANGES?!

• 820f74ae2 #20384 Add from field back into package-lock for git dependencies. This will give npm the information it needs to figure out whether git deps are valid, specially when running with legacy install metadata or in --package-lock-only mode when there's no node_modules. This should help remove a significant amount of git-related churn on the lock-file. (@zkat)

BUGFIXES

• 9d5d0a18a #20358 npm install-test (aka npm it) will no longer generate package-lock.json when running with --no-package-lock or package-lock=false. (@raymondfeng)
• e4ed976e2 2facb35fb 9c1eb945b #20390 Fix a scenario where a git dependency had a comittish associated with it that was not a complete commitid. npm would never consider that entry in the package.json as matching the entry in the package-lock.json and this resulted in inappropriate pruning or reinstallation of git dependencies. This has been addressed in two ways, first, the addition of the from field as described in #20384 means we can exactly match the package.json. Second, when that's missing (when working with older package-lock.json files), we assume that the match is ok. (If it's not, we'll fix it up when a real installation is done.) (@iarna)

DEPENDENCIES

• 1c1f89b73 libnpx@10.2.0 (@zkat)
• 242d8a647 pacote@8.1.0 (@zkat)

DOCS

• a1c77d614 #20331 Fix broken link to 'private-modules' page. The redirect went away when the new npm website went up, but the new URL is better anyway. (@vipranarayan14)
• ad7a5962d #20279 Document the --if-present option for npm run-script. (@aleclarson)

v6.0.0-next.0

NEW FEATURES

• a9e722118 #20256 Add support for managing npm webhooks. This brings over functionality previously provided by the wombat CLI. (@zkat)
• 8a1a64203 #20126 Add npm cit command that's equivalent of npm ci && npm t that's equivalent of npm it. (@SimenB)
• fe867aaf1 49d18b4d8 ff6b31f77 78eab3cda The requires field in your lock-file will be upgraded to use ranges from versions on your first use of npm. (@iarna)
• cf4d7b4de #20257 Add shasum and integrity to the new npm view output. (@zkat)

BUG FIXES

• 685764308 Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna)

• 8f3faa323 6800f76ff ec90c06c7 825b5d2c6 4785f13fb bd16485f5 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.

  Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)

• 429498a8c #20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)

  Fix the a bug where npm i --only=prod could remove development dependencies from lock-file. (@iarna)

• 834b46ff4 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)

• f9de7ef3a #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)

• f8ec52073 #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)

• ab489b753 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)

• 857c2138d #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)

• d2d290bca #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)

• b5babf0a9 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)

• 471ee1c5b 0da38b7b4 Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)

• b3f98d8ba 9dea95e31 Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)

MISCELLANEOUS

• ec6b12099 Exclude all tests from the published version of npm itself. (@iarna)

DEPENDENCY UPDATES

• 73dc97455 zkat/cipm#46 libcipm@1.6.2: Detect binding.gyp for default install lifecycle. Let's npm ci work on projects that have their own C code. (@caleblloyd)
• 77c3f7a00 iferr@1.0.0
• dce733e37 zkat/json-parse-better-errors#1 json-parse-better-errors@1.0.2 (@Hoishin)
• c52765ff3 readable-stream@2.3.6 (@mcollina)
• e160adf9f update-notifier@2.4.0 (@sindersorhus)
• 9a9d7809e marked@0.3.1 (@joshbruce)
• f2fbd8577 #20256 figgy-pudding@2.0.1 (@zkat)
• 44972d53d #20256 libnpmhook@3.0.0 (@zkat)
• cfe562c58 #20276 node-gyp@3.6.2
• 3c0bbcb8e zkat/npx#172 libnpx@10.1.1 (@jdalton)
• 0573d91e5 zkat/cacache#128 cacache@11.0.1 (@zkat)
• 396afa99f figgy-pudding@3.1.0 (@zkat)
• e7f869c36 pacote@8.0.0 (@zkat)
• 77dac72df ssri@6.0.0 (@zkat)
• 0b802f2a0 retry@0.12.0 (@iarna)
• 4781b64bc libnpmhook@4.0.1 (@zkat)
• 7bdbaeea6 npm-package-arg@6.1.0 (@zkat)
• 5f2bf4222 read-package-tree@5.2.1 (@zkat)