v6.0.0-next.1

This release is a part of 6.0.0

v5.10.0-next.0

NEW FEATURES

• 32ec2f54b #20257 Add shasum and integrity to the new npm view output. (@zkat)
• a22153be2 #20126 Add npm cit command that's equivalent of npm ci && npm t that's equivalent of npm it. (@SimenB)

BUG FIXES

• 089aeaf44 Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna)

• 6eaa860ea Eliminate direct use of new Buffer in npm. While the use of it in npm was safe, there are two other reasons for this change:

  1. Node 10 emits warnings about its use.
  2. Users who require npm as a library (which they definitely should not do) can call the functions that call new Buffer in unsafe ways, if they try really hard.
     (@iarna)

• 85900a294 Starting with 5.8.0 the requires section of the lock-file saved version ranges instead of specific versions. Due to a bug, further actions on the same lock-file would result in the range being switched back to a version. This corrects that, keeping ranges when they appear. (@iarna)

• 0dffa9c2a 609d6f6e1 08f81aa94 f8b76e076 6d609822d 59d080a22 Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.

  Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)

• db846c2d5
  #20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only). (@zkat)

  Fix the a bug where npm i --only=prod could remove development dependencies from lock-file. (@iarna)

• 3e12d2407 #20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat)

• f18be9b39 #20154 Let version succeed when package-lock.json is gitignored. (@nwoltman)

• ced29253d #20212 Ensure that we only create an etc directory if we are actually going to write files to it. (@buddydvd)

• 8e21b19a8 #20140 Note in documentation that package-lock.json version gets touched by npm version. (@srl295)

• 5d17c87d8 #20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e. npm ERR! 404 Registry returned 401. In these cases the error message will now be much more informative. (@iarna)

• 05ff6c9b1 #20082 Allow optional @ prefix on scope with npm team commands for parity with other commands. (@bcoe)

• 6bef53891 #19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau)

• 155dab2bd Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna)

• 8d6a4cafc a0937e9af Ensure that --no-optional does not remove optional dependencies from the lock-file. (@iarna)

DEPENDENCY UPDATES

• 8baa37551 zkat/cipm#46 libcipm@1.6.2: Detect binding.gyp for default install lifecycle. Let's npm ci work on projects that have their own C code. (@caleblloyd)
• 323f74242 zkat/json-parse-better-errors#1 json-parse-better-errors@1.0.2 (@Hoishin)
• d0cf1f11e readable-stream@2.3.6 (@mcollina)
• 9e9fdba5e update-notifier@2.4.0 (@sindersorhus)
• 57fa33870 marked@0.3.1 (@joshbruce)
• d2b20d34b #20276 node-gyp@3.6.2
• 2b5700679 zkat/npx#172 libnpx@10.1.1 (@jdalton)

v6.0.0-next.0

Sometimes major releases are a big splash, sometimes they're something smaller. This is the latter kind. That said, we expect to keep this in release candidate status until Node 10 ships at the end of April. There will likely be a few more features for the 6.0.0 release line between now and then. We do expect to have a bigger one later this year though, so keep an eye out for npm@7!

BREAKING AVOID DEPRECATED

When selecting versions to install, we now avoid deprecated versions if possible. For example:

Module: example
Versions:
1.0.0
1.1.0
1.1.2
1.1.3 (deprecated)
1.2.0 (latest)

If you ask npm to install example@~1.1.0, npm will now give you 1.1.2.

By contrast, if you installed example@~1.1.3 then you'd get 1.1.3, as it's the only version that can match the range.

• 78bebc0ce #20151 Skip deprecated versions when possible. (@zkat)

BREAKING UPDATE AND OUTDATED

When npm install is finding a version to install, it first checks to see if the specifier you requested matches the latest tag. If it doesn't, then it looks for the highest version that does. This means you can do release candidates on tags other than latest and users won't see them unless they ask for them. Promoting them is as easy as setting the latest tag to point at them.

Historically npm update and npm outdated worked differently. They just looked for the most recent thing that matched the semver range, disregarding the latest tag. We're changing it to match npm install's behavior.

• 3aaa6ef42 Make update and outdated respect latest interaction with semver as install does. (@iarna)
• e5fbbd2c9 npm-pick-manifest@2.1.0 (@iarna)

PLUS ONE SMALLER PATCH

Technically this is a bug fix, but the change in behavior is enough of an edge case that I held off on bringing it in until a major version.

When we extract a binary and it starts with a shebang (or "hash bang"), that is, something like:

#!/usr/bin/env node

If the file has Windows line endings we strip them off of the first line. The reason for this is that shebangs are only used in Unix-like environments and the files with them can't be run if the shebang has a Windows line ending.

Previously we converted ALL line endings from Windows to Unix. With this patch we only convert the line with the shebang. (Node.js works just fine with either set of line endings.)

• 814658371 7265198eb bin-links@1.1.2: Only rewrite the CR after a shebang (if any) when fixing up CR/LFs. (@iarna)

BREAKING SUPPORTED NODE VERSIONS

Per our supported Node.js policy, we're dropping support for both Node 4 and Node 7, which are no longer supported by the Node.js project.

• 077cbe917 Drop support for Node 4 and Node 7. (@iarna)

DEPENDENCIES

• 478fbe2d0 iferr@1.0.0
• b18d88178 query-string@6.0.0
• e02fa7497 is-cidr@2.0.5
• c8f8564be 311e55512 standard@11.0.1

v5.9.0-next.0

Coming to you this week are a fancy new package view, pack/publish previews and a handful of bug fixes! Let's get right in!

NEW PACKAGE VIEW

There's a new npm view in town. You might it as npm info or npm show. The new output gives you a nicely summarized view that for most packages fits on one screen. If you ask it for --json you'll still get the same results, so your scripts should still work fine.

• 143cdbf13 #19910 Add humanized default view. (@zkat)
• ca84be91c #19910 tiny-relative-date@1.3.0 (@zkat)
• 9a5807c4f #19910 cli-columns@3.1.2 (@zkat)
• 23b4a4fac #19910 byte-size@4.0.2

PACK AND PUBLISH PREVIEWS

The npm pack and npm publish commands print out a summary of the files included in the package. They also both now take the --dry-run flag, so you can double check your .npmignore settings before doing a publish.

• 116e9d827 #19908 Add package previews to pack and publish. Also add --dry-run and --json flags. (@zkat)

MERGE CONFLICT, SMERGE CONFLICT

If you resolve a package-lock.json merge conflict with npm install we now suggest you setup a merge driver to handle these automatically for you. If you're reading this and you'd like to set it up now, run:

npx npm-merge-driver install -g

• 5ebe99719 #20071 suggest installing the merge driver (@zkat)

MISC BITS

• a05e27b71 Going forward, record requested ranges not versions in the package-lock. (@iarna)
• f721eec59 Add 10 to Node.js supported version list. It's not out yet, but soon my pretties... (@iarna)

DEPENDENCY UPDATES

• 40aabb94e libcipm@1.6.1: Fix bugs on docker and with some prepare scripts and npm ci. Fix a bug where script hooks wouldn't be called with npm ci. Fix a bug where npm ci and --prefix weren't compatible. (@isaacseymour) (@umarov) (@mikeshirov) (@billjanitsch)
• a85372e67 tar@4.4.1: Switch to safe-buffer and Buffer.from. (@isaacs) (@ChALkeR)
• 588eabd23 lru-cache@4.1.2
• 07f27ee89 qrcode-terminal@0.12.0
• 01e4e29bc request@2.85.0
• 344ba8819 worker-farm@1.6.0
• dc6df1bc4 validate-npm-package-license@3.0.3
• 97a976696 ssri@5.3.0
• 9b629d0c6 query-string@5.1.1

v5.8.0

Hey again, everyone! While last release was focused largely around PRs from the CLI team, this release is mostly pulling in community PRs in npm itself and its dependencies! We've got a good chunk of wonderful contributions for y'all, and even new features and performance improvements! 🎉

We're hoping to continue our biweekly (as in every-other-week biweekly) release schedule from now on, so you should be seeing more steady npm releases from here on out. And that's good, 'cause we've got a ton of new stuff on our roadmap for this year. Keep an eye out for exciting news. 👀

FEATURES

• 2f513fe1c #19904 Make a best-attempt at preserving line ending style when saving package.json/package-lock.json/npm-shrinkwrap.json. This goes hand-in-hand with a previous patch to preserve detected indentation style. (@tuananh)
• d3cfd41a2 pacote@7.6.1 (@zkat)
  • Enable file:-based resolved URIs in package-lock.json.
  • Retry git-based operations on certain types of failure.
• ecfbb16dc #19929 Add support for the NO_COLOR standard. This gives a cross-application, consistent way of disabling ANSI color code output. Note that npm already supported this through --no-color or npm_config_color='false' configurations, so this is just another way to do it. (@chneukirchen)
• fc8761daf #19629 Give more detailed, contextual information when npm fails to parse package-lock.json and npm-shrinkwrap.json, instead of saying JSON parse error and leaving you out in the cold. (@JoshuaKGoldberg)
• 1d368e1e6 #19157 Add --no-proxy config option. Previously, you needed to use the NO_PROXY environment variable to use this feature -- now it's an actual npm option. (@Saturate)
• f0e998daa #18426 Do environment variable replacement in config files even for config keys or fragments of keys. (@misak113)
• 9847c82a8 #18384 Better error messaging and suggestions when users get EPERM/EACCES errors. (@chrisjpatty)
• b9d0c0c01 #19448 Holiday celebrations now include all JavaScripters, not just Node developers. (@isaacs)

NPM CI

I hope y'all have been having fun with npm ci so far! Since this is the first release since that went out, we've had a few fixes and improvements now that folks have actually gotten their hands on it! Benchmarks have been super promising so far, and I've gotten messages from a lot of you saying you've sped up your CI work by 2-5x in some cases! Have a good example? Tell us on Twitter!

npm ci is, right now, the fastest installer you can use in CI situations, so go check it out if you haven't already! We'll continue doing performance improvements on it, and a lot of those will help make npm install fast as well. 🏎😎

• 0d7f203d9 libcipm@1.6.0 (@zkat)

This libcipm release includes a number of improvements:

• PERFORMANCE Reduce calls to read-package-json and separate JSON update phase from man/bin linking phase. npm ci should be noticeably faster.
• FEATURE Progress bar now fills up as packages are installed, instead of sitting there doing nothing.
• BUGFIX Add support for --only and --also options.
• BUFGIX Linking binaries and running scripts in parallel was causing packages to sometimes clobber each other when hoisted, as well as potentially running too many run-sripts in parallel. This is now a serial operation, and it turns out to have had relatively little actual performance impact.
• BUGFIX Stop adding _from to directory deps (aka file:packages/my-dep).

BUGFIXES

• 58d2aa58d #20027 Use a specific mtime when packing tarballs instead of the beginning of epoch time. This should allow npm pack to generate tarballs with identical hashes for identical contents, while fixing issues with some zip implementations that do not support pre-1980 timestamps. (@isaacs)
• 4f319de1d Don't fall back to couch adduser if we didn't try couch login. (@iarna)
• c8230c9bb #19608 Fix issue where using the npm-bundled npx on Windows was invoking npx prefix (and downloading that package). (@laggingreflex)
• d70c01970 #18953 Avoid using code that depends on node@>=4 in the unsupported check, so npm can report the issue normally instead of syntax-crashing. (@deployable)

DOCUMENTATION

• 4477ca2d9 marked@0.3.17: Fixes issue preventing correct rendering of backticked strings. man pages should be rendering correctly now instead of having empty spaces wherever backticks were used. (@joshbruce)
• 71076ebda #19950 Add a note to install --production. (@kyranet)
• 3a33400b8 #19957 nudge around some details in ci docs (@zkat)
• 06038246a #19893 Add a common open reason to the issue template. (@MrStonedOne)
• 7376dd8af #19870 Fix typo in npm-config.md (@joebowbeer)
• 5390ed4fa #19858 Fix documented default value for config save option. It was still documented as false, even though npm@5.0.0 set it to true by default. (@nalinbhardwaj)
• dc36d850a #19552 Rework npm update docs now that --save is on by default. (@selbekk)
• 5ec5dffc8 #19726 Clarify that name and version fields are optional if your package is not supposed to be installable as a dependency. (@ngarnier)
• 046500994 #19676 Fix documented cache location on Windows. (@VladRassokhin)
• ffa84cd0f #19475 Added example for homepage field from package.json. (@cg-cnu)
• de72d9a18 #19307 Document the requires field in npm help package-lock.json. (@jcrben)
• 35c4abded #18976 Typo fix in coding style documentation. (@rinfan)
• 0616fd22a #19216 Add edit section to description in npm-team.md. (@WispProxy)
• c2bbaaa58 #19194 Tiny style fix in npm.md. (@WispProxy)
• dcdfdcbb0 #19192 Document --development flag in npm-ls.md. (@WispProxy)
• [d7ff07135](https://github.com/npm/npm/commit/...

v5.8.0-next.0

5.8.0-next.0

v5.7.1

This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using sudo. 😲

Thankfully, it only affected users running npm@next, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest would have never seen this!

The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root in places it shouldn't, but the change was applied in places that should have used regular mkdirp`. This release reverts that patch.

• 74e149da6 #19883 Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners" This reverts commit 94227e15. (@zkat)

v5.7.0

Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up!

This release brings a bunch of exciting new features and bug fixes.

PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION

Allow npm install to fix package-lock.json and npm-shrinkwrap.json files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver to entirely eliminate package-lock merge conflicts.

• e27674c22 Automatically resolve merge conflicts in lock-files. (@zkat)

NPM CI

The new npm ci command installs from your lock-file ONLY. If your package.json and your lock-file are out of sync then it will report an error.

It works by throwing away your node_modules and recreating it from scratch.

Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than npm install when you don't start with a node_modules.

As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.

• 5e4de9c99 Add new npm ci installer. (@zkat)

OTHER NEW FEATURES

• 4d418c21b #19817 Include contributor count in installation summary. (@kemitchell)
• 17079c2a8 Require password to change email through npm profile. (@iarna)
• e7c5d226a 4f5327c05 #19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)

BIG FIXES TO PRUNING

• 827951590 Handle running npm install package-name with a node_modules containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm package manager. Previously npm removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).

  This will fix problems for folks who are using a third party package manager to install packages that have postinstall scripts that run npm install. (@iarna)

• 3b305ee71 Only auto-prune on installs that will create a lock-file. This restores npm@4 compatible behavior when the lock-file is disabled. When using a lock-file npm will continue to remove anything in your node_modules that's not in your lock-file. (@iarna)

• cec5be542 Fix bug where npm prune --production would remove dev deps from the lock file. It will now only remove them from node_modules not from your lock file. (@iarna)

• 857dab03f Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)

BUG FIXES TO TOKENS AND PROFILES

• a66e0cd03 For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple --cidr command line options. (@iarna)
• d259ab014 Fix token revocation when an OTP is required. Previously you had to pass it in via --otp. Now it will prompt you for an OTP like other npm token commands. (@iarna)
• f8b1f6aec Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)

OTHER BUG FIXES

• 6954dfc19 Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)
• 1ca916a1e Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn't be installed on the first run of npm install. (@iarna)
• 8c120ebb2 Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)
• 94227e15e More consistently make directories using perm and ownership preserving features. (@iarna)

DEPENDENCY UPDATES

• 364b23c7f f2049f9e7 cacache@10.0.4 (@zkat)
• d183d7675 find-npm-prefix@1.0.2: (@iarna)
• ffd6ea62c fs-minipass@1.2.5
• ee63b8a31 ini@1.3.5 (@isaacs)
• 6f73f5509 JSONStream@1.3.2 (@dominictarr)
• 26cd64869 9bc6230cf libcipm@1.3.3 (@zkat)
• 21a39be42 marked@0.3.1:5 (@joshbruce)
• dabdf57b2 mississippi@2.0.0
• 2594c5867 npm-registry-couchapp@2.7.1 (@iarna)
• 8abb3f230 osenv@0.1.5 (@isaacs)
• 11a0b00bd pacote@7.3.3 (@zkat)
• 9b6bdb2c7 query-string@5.1.0 (@sindresorhus)
• d6d17d6b5 readable-stream@2.3.4 (@mcollina)
• 51370aad5 semver@5.5.0 (@isaacs)
• 0db14bac7 81da938ab 9999e83f8 ssri@5.2.4 (@zkat)
• f526992ab tap@11.1.1 (@isaacs)
• be096b409 dc3059522 tar@4.3.3
• 6b552daac uuid@3.2.1 (@broofa)
• 8c9011b72 worker-farm@1.5.2 (@rvagg)

v5.6.0

Features!

You may have noticed this is a semver-minor bump. Wondering why? This is why!

• bc263c3fd #19054 Fully cross-platform package-lock.json. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning that package-lock.json should now be generated consistently across platforms! 🎉 (@iarna)
• f94fcbc50 #19160 Add --package-lock-only config option. This makes it so you can generate a target package-lock.json without performing a full install of node_modules. (@alopezsanchez)
• 66d18280c #19104 Add new --node-options config to pass through a custom NODE_OPTIONS for lifecycle scripts. (@bmeck)
• 114d518c7 Ignore mtime when packing tarballs: This means that doing npm pack on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)

Node 9

Previously, it turns out npm broke on the latest Node, node@9. We went ahead and fixed it up so y'all should be able to use the latest npm again!

• 4ca695819 minizlib@1.0.4: Fix node@9 incompatibility. (@isaacs)
• c851bb503 tar@4.0.2: Fix node@9 incompatibility. (@isaacs)
• 6caf23096 Remove "unsupported" warning for Node 9 now that things are fixed. (@iarna)
• 1930b0f8c Update test matrix with node@8 LTS and node@9. (@iarna)

Bug Fixes

• b70321733 #18881 When dealing with a node_modules that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files with version set to tarball URLs. This should now be fixed. (@iarna)
• 2f9c5dd00 #18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)
• a93e0a51d #18846 Correctly save transitive dependencies when using npm update in package-lock.json. (@iarna)
• fdde7b649 #18825 Fix typo and concatenation in error handling. (@alulsh)
• be67de7b9 #18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)
• bfdf0fd39 #19033 Fix issue where files with @ signs in their names would not get included when packing tarballs. (@zkat)
• b65b89bde #19048 Fix problem where npm login was ignoring various networking-related options, such as custom certs. (@wejendorp)
• 8c194b86e npm-packlist@1.1.10: Include node_modules/ directories not in the root. (@isaacs)
• d7ef6a20b libnpx@9.7.1: Fix some *nix binary path escaping issues. (@zkat)
• 981828466 cacache@10.0.1: Fix fallback to copy-concurrently when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)
• a0be6bafb pacote@7.0.2: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)
• b80d650de #19163 Fix a number of git and tarball specs and checksum errors. (@zkat)
• cac225025 #19054 Don't count failed optionals when summarizing installed packages. (@iarna)

UX

• b1ec2885c #18326 Stop truncating output of npm view. This means, for example, that you no longer need to use --json when a package has a lot of versions, to see the whole list. (@SimenB)
• 55a124e0a #18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)
• 635481c61 #18844 Improve error messaging for OTP/2FA. (@iarna)
• 52b142ed5 #19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures when fsevents failed to install. (@iarna)
• 798428b0b #19172 bin-links@1.1.0: Log the fact line endings are being changed upon install. (@marcosscriven)

Refactors

Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!

• 9d22c96b7 #18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)
• 015a7803b #18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries like npm-profile. (@iarna)
• c930e98ad npm-lifecycle@2.0.0: Use our own node-gyp. This means npm no longer needs to pull some maneuvers to make sure node-gyp is in the right place, and that external packages using npm-lifecycle will get working native builds without having to do their own node-gyp maneuvers. (@zkochan)
• 876f0c8f3 829893d61 #19099 find-npm-prefix@1.0.1: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you've cd'd into a subdirectory. Did you know you can run npm install from these subdirectories, and it'll only affect the root? It works like git! (@iarna)

Docs

• 7ae12b21c #18823 Fix spelling of the word authenticator. Because English is hard. (@tmcw)
• 5dfc3ab7b [#18742](#18...

v5.5.1

A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.

• e628e058b
  Fix login to properly recognize OTP request and store bearer tokens.
  ([@rebecca Turner](https://github.com/Rebecca Turner))