Releases: npm/npm
v6.0.0-next.1
This release is a part of 6.0.0
v5.10.0-next.0
NEW FEATURES
32ec2f54b
#20257 Add shasum and integrity to the newnpm view
output. (@zkat)a22153be2
#20126 Addnpm cit
command that's equivalent ofnpm ci && npm t
that's equivalent ofnpm it
. (@SimenB)
BUG FIXES
-
089aeaf44
Fix a bug where OTPs passed in via the commandline would have leading zeros deleted resulted in authentication failures. (@iarna) -
6eaa860ea
Eliminate direct use ofnew Buffer
innpm
. While the use of it innpm
was safe, there are two other reasons for this change:- Node 10 emits warnings about its use.
- Users who require npm as a library (which they definitely should not do) can call the functions that call
new Buffer
in unsafe ways, if they try really hard.
(@iarna)
-
85900a294
Starting with 5.8.0 therequires
section of the lock-file saved version ranges instead of specific versions. Due to a bug, further actions on the same lock-file would result in the range being switched back to a version. This corrects that, keeping ranges when they appear. (@iarna) -
0dffa9c2a
609d6f6e1
08f81aa94
f8b76e076
6d609822d
59d080a22
Restore the ability to bundle dependencies that are uninstallable from the registry. This also eliminates needless registry lookups for bundled dependencies.Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)
-
db846c2d5
#20029 Allow packages with non-registry specifiers to follow the fast path that the we use with the lock-file for registry specifiers. This will improve install time especially when operating only on the package-lock (--package-lock-only
). (@zkat)Fix the a bug where
npm i --only=prod
could remove development dependencies from lock-file. (@iarna) -
3e12d2407
#20122 Improve the update-notifier messaging (borrowing ideas from pnpm) and eliminate false positives. (@zkat) -
f18be9b39
#20154 Let version succeed whenpackage-lock.json
is gitignored. (@nwoltman) -
ced29253d
#20212 Ensure that we only create anetc
directory if we are actually going to write files to it. (@buddydvd) -
8e21b19a8
#20140 Note in documentation thatpackage-lock.json
version gets touched bynpm version
. (@srl295) -
5d17c87d8
#20032 Fix bug where unauthenticated errors would get reported as both 404s and 401s, i.e.npm ERR! 404 Registry returned 401
. In these cases the error message will now be much more informative. (@iarna) -
05ff6c9b1
#20082 Allow optional @ prefix on scope withnpm team
commands for parity with other commands. (@bcoe) -
6bef53891
#19580 Improve messaging when two-factor authentication is required while publishing. (@jdeniau) -
155dab2bd
Fix a bug where optional status of a dependency was not being saved to the package-lock on the initial install. (@iarna) -
8d6a4cafc
a0937e9af
Ensure that--no-optional
does not remove optional dependencies from the lock-file. (@iarna)
DEPENDENCY UPDATES
8baa37551
zkat/cipm#46libcipm@1.6.2
: Detect binding.gyp for default install lifecycle. Let'snpm ci
work on projects that have their own C code. (@caleblloyd)323f74242
zkat/json-parse-better-errors#1json-parse-better-errors@1.0.2
(@Hoishin)d0cf1f11e
readable-stream@2.3.6
(@mcollina)9e9fdba5e
update-notifier@2.4.0
(@sindersorhus)57fa33870
marked@0.3.1
(@joshbruce)d2b20d34b
#20276node-gyp@3.6.2
2b5700679
zkat/npx#172libnpx@10.1.1
(@jdalton)
v6.0.0-next.0
Sometimes major releases are a big splash, sometimes they're something smaller. This is the latter kind. That said, we expect to keep this in release candidate status until Node 10 ships at the end of April. There will likely be a few more features for the 6.0.0 release line between now and then. We do expect to have a bigger one later this year though, so keep an eye out for npm@7
!
BREAKING AVOID DEPRECATED
When selecting versions to install, we now avoid deprecated versions if possible. For example:
Module: example
Versions:
1.0.0
1.1.0
1.1.2
1.1.3 (deprecated)
1.2.0 (latest)
If you ask npm
to install example@~1.1.0
, npm
will now give you 1.1.2
.
By contrast, if you installed example@~1.1.3
then you'd get 1.1.3
, as it's the only version that can match the range.
BREAKING UPDATE AND OUTDATED
When npm install
is finding a version to install, it first checks to see if the specifier you requested matches the latest
tag. If it doesn't, then it looks for the highest version that does. This means you can do release candidates on tags other than latest
and users won't see them unless they ask for them. Promoting them is as easy as setting the latest
tag to point at them.
Historically npm update
and npm outdated
worked differently. They just looked for the most recent thing that matched the semver range, disregarding the latest
tag. We're changing it to match npm install
's behavior.
3aaa6ef42
Make update and outdated respect latest interaction with semver as install does. (@iarna)e5fbbd2c9
npm-pick-manifest@2.1.0
(@iarna)
PLUS ONE SMALLER PATCH
Technically this is a bug fix, but the change in behavior is enough of an edge case that I held off on bringing it in until a major version.
When we extract a binary and it starts with a shebang (or "hash bang"), that is, something like:
#!/usr/bin/env node
If the file has Windows line endings we strip them off of the first line. The reason for this is that shebangs are only used in Unix-like environments and the files with them can't be run if the shebang has a Windows line ending.
Previously we converted ALL line endings from Windows to Unix. With this patch we only convert the line with the shebang. (Node.js works just fine with either set of line endings.)
814658371
7265198eb
bin-links@1.1.2
: Only rewrite the CR after a shebang (if any) when fixing up CR/LFs. (@iarna)
BREAKING SUPPORTED NODE VERSIONS
Per our supported Node.js policy, we're dropping support for both Node 4 and Node 7, which are no longer supported by the Node.js project.
DEPENDENCIES
v5.9.0-next.0
Coming to you this week are a fancy new package view, pack/publish previews and a handful of bug fixes! Let's get right in!
NEW PACKAGE VIEW
There's a new npm view
in town. You might it as npm info
or npm show
. The new output gives you a nicely summarized view that for most packages fits on one screen. If you ask it for --json
you'll still get the same results, so your scripts should still work fine.
143cdbf13
#19910 Add humanized default view. (@zkat)ca84be91c
#19910tiny-relative-date@1.3.0
(@zkat)9a5807c4f
#19910cli-columns@3.1.2
(@zkat)23b4a4fac
#19910byte-size@4.0.2
PACK AND PUBLISH PREVIEWS
The npm pack
and npm publish
commands print out a summary of the files included in the package. They also both now take the --dry-run
flag, so you can double check your .npmignore
settings before doing a publish.
116e9d827
#19908 Add package previews to pack and publish. Also add --dry-run and --json flags. (@zkat)
MERGE CONFLICT, SMERGE CONFLICT
If you resolve a package-lock.json
merge conflict with npm install
we now suggest you setup a merge driver to handle these automatically for you. If you're reading this and you'd like to set it up now, run:
npx npm-merge-driver install -g
MISC BITS
a05e27b71
Going forward, record requested ranges not versions in the package-lock. (@iarna)f721eec59
Add 10 to Node.js supported version list. It's not out yet, but soon my pretties... (@iarna)
DEPENDENCY UPDATES
40aabb94e
libcipm@1.6.1
: Fix bugs on docker and with someprepare
scripts andnpm ci
. Fix a bug where script hooks wouldn't be called withnpm ci
. Fix a bug wherenpm ci
and--prefix
weren't compatible. (@isaacseymour) (@umarov) (@mikeshirov) (@billjanitsch)a85372e67
tar@4.4.1
: Switch to safe-buffer and Buffer.from. (@isaacs) (@ChALkeR)588eabd23
lru-cache@4.1.2
07f27ee89
qrcode-terminal@0.12.0
01e4e29bc
request@2.85.0
344ba8819
worker-farm@1.6.0
dc6df1bc4
validate-npm-package-license@3.0.3
97a976696
ssri@5.3.0
9b629d0c6
query-string@5.1.1
v5.8.0
Hey again, everyone! While last release was focused largely around PRs from the CLI team, this release is mostly pulling in community PRs in npm itself and its dependencies! We've got a good chunk of wonderful contributions for y'all, and even new features and performance improvements! 🎉
We're hoping to continue our biweekly (as in every-other-week biweekly) release schedule from now on, so you should be seeing more steady npm releases from here on out. And that's good, 'cause we've got a ton of new stuff on our roadmap for this year. Keep an eye out for exciting news. 👀
FEATURES
2f513fe1c
#19904 Make a best-attempt at preserving line ending style when savingpackage.json
/package-lock.json
/npm-shrinkwrap.json
. This goes hand-in-hand with a previous patch to preserve detected indentation style. (@tuananh)d3cfd41a2
pacote@7.6.1
(@zkat)- Enable
file:
-basedresolved
URIs inpackage-lock.json
. - Retry git-based operations on certain types of failure.
- Enable
ecfbb16dc
#19929 Add support for theNO_COLOR
standard. This gives a cross-application, consistent way of disabling ANSI color code output. Note that npm already supported this through--no-color
ornpm_config_color='false'
configurations, so this is just another way to do it. (@chneukirchen)fc8761daf
#19629 Give more detailed, contextual information when npm fails to parsepackage-lock.json
andnpm-shrinkwrap.json
, instead of sayingJSON parse error
and leaving you out in the cold. (@JoshuaKGoldberg)1d368e1e6
#19157 Add--no-proxy
config option. Previously, you needed to use theNO_PROXY
environment variable to use this feature -- now it's an actual npm option. (@Saturate)f0e998daa
#18426 Do environment variable replacement in config files even for config keys or fragments of keys. (@misak113)9847c82a8
#18384 Better error messaging and suggestions when users getEPERM
/EACCES
errors. (@chrisjpatty)b9d0c0c01
#19448 Holiday celebrations now include all JavaScripters, not just Node developers. (@isaacs)
NPM CI
I hope y'all have been having fun with npm ci
so far! Since this is the first release since that went out, we've had a few fixes and improvements now that folks have actually gotten their hands on it! Benchmarks have been super promising so far, and I've gotten messages from a lot of you saying you've sped up your CI work by 2-5x in some cases! Have a good example? Tell us on Twitter!
npm ci
is, right now, the fastest installer you can use in CI situations, so go check it out if you haven't already! We'll continue doing performance improvements on it, and a lot of those will help make npm install
fast as well. 🏎😎
This libcipm
release includes a number of improvements:
- PERFORMANCE Reduce calls to
read-package-json
and separate JSON update phase from man/bin linking phase.npm ci
should be noticeably faster. - FEATURE Progress bar now fills up as packages are installed, instead of sitting there doing nothing.
- BUGFIX Add support for
--only
and--also
options. - BUFGIX Linking binaries and running scripts in parallel was causing packages to sometimes clobber each other when hoisted, as well as potentially running too many run-sripts in parallel. This is now a serial operation, and it turns out to have had relatively little actual performance impact.
- BUGFIX Stop adding
_from
to directory deps (akafile:packages/my-dep
).
BUGFIXES
58d2aa58d
#20027 Use a specific mtime when packing tarballs instead of the beginning of epoch time. This should allownpm pack
to generate tarballs with identical hashes for identical contents, while fixing issues with somezip
implementations that do not support pre-1980 timestamps. (@isaacs)4f319de1d
Don't fall back to couch adduser if we didn't try couch login. (@iarna)c8230c9bb
#19608 Fix issue where using the npm-bundlednpx
on Windows was invokingnpx prefix
(and downloading that package). (@laggingreflex)d70c01970
#18953 Avoid using code that depends onnode@>=4
in theunsupported
check, so npm can report the issue normally instead of syntax-crashing. (@deployable)
DOCUMENTATION
4477ca2d9
marked@0.3.17
: Fixes issue preventing correct rendering of backticked strings. man pages should be rendering correctly now instead of having empty spaces wherever backticks were used. (@joshbruce)71076ebda
#19950 Add a note to install --production. (@kyranet)3a33400b8
#19957 nudge around some details in ci docs (@zkat)06038246a
#19893 Add a common open reason to the issue template. (@MrStonedOne)7376dd8af
#19870 Fix typo innpm-config.md
(@joebowbeer)5390ed4fa
#19858 Fix documented default value for config save option. It was still documented asfalse
, even thoughnpm@5.0.0
set it totrue
by default. (@nalinbhardwaj)dc36d850a
#19552 Reworknpm update
docs now that--save
is on by default. (@selbekk)5ec5dffc8
#19726 Clarify thatname
andversion
fields are optional if your package is not supposed to be installable as a dependency. (@ngarnier)046500994
#19676 Fix documented cache location on Windows. (@VladRassokhin)ffa84cd0f
#19475 Added example forhomepage
field frompackage.json
. (@cg-cnu)de72d9a18
#19307 Document therequires
field innpm help package-lock.json
. (@jcrben)35c4abded
#18976 Typo fix in coding style documentation. (@rinfan)0616fd22a
#19216 Addedit
section to description innpm-team.md
. (@WispProxy)c2bbaaa58
#19194 Tiny style fix innpm.md
. (@WispProxy)dcdfdcbb0
#19192 Document--development
flag innpm-ls.md
. (@WispProxy)- [
d7ff07135
](https://github.com/npm/npm/commit/...
v5.8.0-next.0
5.8.0-next.0
v5.7.1
This release reverts a patch that could cause some ownership changes on system files when running from some directories when also using sudo
. 😲
Thankfully, it only affected users running npm@next
, which is part of our staggered release system, which we use to prevent issues like this from going out into the wider world before we can catch them. Users on latest
would have never seen this!
The original patch was added to increase consistency and reliability of methods npm uses to avoid writing files as root
in places it shouldn't, but the change was applied in places that should have used regular mkdirp`. This release reverts that patch.
v5.7.0
Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up!
This release brings a bunch of exciting new features and bug fixes.
PACKAGE-LOCK GIT MERGE CONFLICT RESOLUTION
Allow npm install
to fix package-lock.json
and npm-shrinkwrap.json
files that have merge conflicts in them without your having to edit them. It works in conjunction with npm-merge-driver
to entirely eliminate package-lock merge conflicts.
NPM CI
The new npm ci
command installs from your lock-file ONLY. If your package.json
and your lock-file are out of sync then it will report an error.
It works by throwing away your node_modules
and recreating it from scratch.
Beyond guaranteeing you that you'll only get what is in your lock-file it's also much faster (2x-10x!) than npm install
when you don't start with a node_modules
.
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
OTHER NEW FEATURES
4d418c21b
#19817 Include contributor count in installation summary. (@kemitchell)17079c2a8
Require password to change email throughnpm profile
. (@iarna)e7c5d226a
4f5327c05
#19780 Add support for web-based logins. This is not yet available on the registry, however. (@isaacs)
BIG FIXES TO PRUNING
-
827951590
Handle runningnpm install package-name
with anode_modules
containing packages without sufficient metadata to verify their origin. The only way to get install packages like this is to use a non-npm
package manager. Previouslynpm
removed any packages that it couldn't verify. Now it will leave them untouched as long as you're not asking for a full install. On a full install they will be reinstalled (but the same versions will be maintained).This will fix problems for folks who are using a third party package manager to install packages that have
postinstall
scripts that runnpm install
. (@iarna) -
3b305ee71
Only auto-prune on installs that will create a lock-file. This restoresnpm@4
compatible behavior when the lock-file is disabled. When using a lock-filenpm
will continue to remove anything in yournode_modules
that's not in your lock-file. (@iarna) -
cec5be542
Fix bug wherenpm prune --production
would remove dev deps from the lock file. It will now only remove them fromnode_modules
not from your lock file. (@iarna) -
857dab03f
Fix bug where git dependencies would be removed or reinstalled when installing other dependencies. (@iarna)
BUG FIXES TO TOKENS AND PROFILES
a66e0cd03
For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously you could only pass in multiple cidr ranges with multiple--cidr
command line options. (@iarna)d259ab014
Fix token revocation when an OTP is required. Previously you had to pass it in via--otp
. Now it will prompt you for an OTP like othernpm token
commands. (@iarna)f8b1f6aec
Update token and profile commands to support legacy (username/password) authentication. (The npm registry uses tokens, not username/password pairs, to authenticate commands.) (@iarna)
OTHER BUG FIXES
6954dfc19
Fix a bug where packages would get pushed deeper into the tree when upgrading without an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but is not when peerDependencies are in play. (@iarna)1ca916a1e
Fix bug where when switching from a linked module to a non-linked module, the dependencies of the module wouldn't be installed on the first run ofnpm install
. (@iarna)8c120ebb2
Fix integrity matching to eliminate spurious EINTEGRITY errors. (@zkat)94227e15e
More consistently make directories using perm and ownership preserving features. (@iarna)
DEPENDENCY UPDATES
364b23c7f
f2049f9e7
cacache@10.0.4
(@zkat)d183d7675
find-npm-prefix@1.0.2
: (@iarna)ffd6ea62c
fs-minipass@1.2.5
ee63b8a31
ini@1.3.5
(@isaacs)6f73f5509
JSONStream@1.3.2
(@dominictarr)26cd64869
9bc6230cf
libcipm@1.3.3
(@zkat)21a39be42
marked@0.3.1
:5 (@joshbruce)dabdf57b2
mississippi@2.0.0
2594c5867
npm-registry-couchapp@2.7.1
(@iarna)8abb3f230
osenv@0.1.5
(@isaacs)11a0b00bd
pacote@7.3.3
(@zkat)9b6bdb2c7
query-string@5.1.0
(@sindresorhus)d6d17d6b5
readable-stream@2.3.4
(@mcollina)51370aad5
semver@5.5.0
(@isaacs)0db14bac7
81da938ab
9999e83f8
ssri@5.2.4
(@zkat)f526992ab
tap@11.1.1
(@isaacs)be096b409
dc3059522
tar@4.3.3
6b552daac
uuid@3.2.1
(@broofa)8c9011b72
worker-farm@1.5.2
(@rvagg)
v5.6.0
Features!
You may have noticed this is a semver-minor bump. Wondering why? This is why!
bc263c3fd
#19054 Fully cross-platformpackage-lock.json
. Installing a failing optional dependency on one platform no longer removes it from the dependency tree, meaning thatpackage-lock.json
should now be generated consistently across platforms! 🎉 (@iarna)f94fcbc50
#19160 Add--package-lock-only
config option. This makes it so you can generate a targetpackage-lock.json
without performing a full install ofnode_modules
. (@alopezsanchez)66d18280c
#19104 Add new--node-options
config to pass through a customNODE_OPTIONS
for lifecycle scripts. (@bmeck)114d518c7
Ignore mtime when packing tarballs: This means that doingnpm pack
on the same repository should yield two tarballs with the same checksum. This will also help prevent cache bloat when using git dependencies. In the future, this will allow npm to explicitly cache git dependencies. (@isaacs)
Node 9
Previously, it turns out npm broke on the latest Node, node@9
. We went ahead and fixed it up so y'all should be able to use the latest npm again!
4ca695819
minizlib@1.0.4
:Fix node@9
incompatibility. (@isaacs)c851bb503
tar@4.0.2
: Fixnode@9
incompatibility. (@isaacs)6caf23096
Remove "unsupported" warning for Node 9 now that things are fixed. (@iarna)1930b0f8c
Update test matrix withnode@8
LTS andnode@9
. (@iarna)
Bug Fixes
b70321733
#18881 When dealing with anode_modules
that was created with older versions of npm (and thus older versions of npa) we need to gracefully handle older spec entries. Failing to do so results in us treating those packages as if they were http remote deps, which results in invalid lock files withversion
set to tarball URLs. This should now be fixed. (@iarna)2f9c5dd00
#18880 Stop overwriting version in package data on disk. This is another safeguard against the version overwriting that's plagued some folks upgrading from older package-locks. (@iarna) (@joshclow)a93e0a51d
#18846 Correctly save transitive dependencies when usingnpm update
inpackage-lock.json
. (@iarna)fdde7b649
#18825 Fix typo and concatenation in error handling. (@alulsh)be67de7b9
#18711 Upgrade to bearer tokens from legacy auth when enabling 2FA. (@iarna)bfdf0fd39
#19033 Fix issue where files with@
signs in their names would not get included when packing tarballs. (@zkat)b65b89bde
#19048 Fix problem wherenpm login
was ignoring various networking-related options, such as custom certs. (@wejendorp)8c194b86e
npm-packlist@1.1.10
: Includenode_modules/
directories not in the root. (@isaacs)d7ef6a20b
libnpx@9.7.1
: Fix some *nix binary path escaping issues. (@zkat)981828466
cacache@10.0.1
: Fix fallback tocopy-concurrently
when file move fails. This might fix permissions and such issues on platforms that were getting weird filesystem errors during install. (@karolba)a0be6bafb
pacote@7.0.2
: Includes a bunch of fixes, specially for issues around git dependencies. Shasum-related errors should be way less common now, too. (@zkat)b80d650de
#19163 Fix a number of git and tarball specs and checksum errors. (@zkat)cac225025
#19054 Don't count failed optionals when summarizing installed packages. (@iarna)
UX
b1ec2885c
#18326 Stop truncating output ofnpm view
. This means, for example, that you no longer need to use--json
when a package has a lot of versions, to see the whole list. (@SimenB)55a124e0a
#18884 Profile UX improvements: better messaging on unexpected responses, and stop claiming we set passwords to null when resetting them. (@iarna)635481c61
#18844 Improve error messaging for OTP/2FA. (@iarna)52b142ed5
#19054 Stop running the same rollback multiple times. This should address issues where Windows users saw strange failures whenfsevents
failed to install. (@iarna)798428b0b
#19172bin-links@1.1.0
: Log the fact line endings are being changed upon install. (@marcosscriven)
Refactors
Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!
9d22c96b7
#18500 Extract bin-links and gentle-fs to a separate library. This will allow external tools to do bin linking and certain fs operations in an npm-compatible way! (@mikesherov)015a7803b
#18883 Capture logging from log events on the process global. This allows npm to use npmlog to report logging from external libraries likenpm-profile
. (@iarna)c930e98ad
npm-lifecycle@2.0.0
: Use our ownnode-gyp
. This means npm no longer needs to pull some maneuvers to make surenode-gyp
is in the right place, and that external packages usingnpm-lifecycle
will get working native builds without having to do their ownnode-gyp
maneuvers. (@zkochan)876f0c8f3
829893d61
#19099find-npm-prefix@1.0.1
: npm's prefix-finding logic is now a standalone module. That is, the logic that figures out where the root of your project is if you'vecd
'd into a subdirectory. Did you know you can runnpm install
from these subdirectories, and it'll only affect the root? It works like git! (@iarna)