v5.5.0

Hey y'all, this is a big new feature release! We've got some security related goodies plus a some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).

The changes largely came together in one piece, so I'm just gonna leave the commit line here:

• f6ebf5e8b f97ad6a38 f644018e6 8af91528c 346a34260 Two factor authentication, profile editing and token management. (@iarna)

TWO FACTOR AUTHENTICATION

You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:

npm profile enable-tfa

With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.

TOKEN MANAGEMENT

You can now create, list and delete authentication tokens from the comfort of the command line. Authentication tokens created this way can have NEW restrictions placed on them. For instance, you can create a read-only token to give to your CI. It will be able to download your private modules but it won't be able to publish or modify modules. You can also create tokens that can only be used from certain network addresses. This way you can lock down access to your corporate VPN or other trusted machines.

Deleting tokens isn't new, you could do it via the website but now you can do it via the CLI as well.

CHANGE YOUR PASSWORD, SET YOUR EMAIL

You can finally change your password from the CLI with npm profile set password! You can also update your email address with npm profile set email <address>. If you change your email address we'll send you a new verification email so you verify that its yours.

AND EVERYTHING ELSE ON YOUR PROFILE

You can also update all of the other attributes of your profile that previously you could only update via the website: fullname, homepage, freenode, twitter and github.

AVAILABLE STAND ALONE

All of these features were implemented in a stand alone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.

BUG FIXES

• 5ee55dc71 install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying to upgrade using curl | http://npmjs.com/install.sh. (@iarna)
• 5cad1699a npm-lifecycle@1.0.3 Fix a bug where when more than one lifecycle script got queued to run, npm would crash. (@zkat)
• cd256cbb2 npm-packlist@1.1.9 Fix a bug where test directories would always be excluded from published modules. (@isaacs)
• 2a11f0215 Fix formatting of unsupported version warning (@iarna)

DEPENDENCY UPDATES

• 6d2a285a5 npm-registry-client@8.5.0
• 69e64e27b request@2.83.0
• 34e0f4209 abbrev@1.1.1
• 10d31739d aproba@1.2.0
• 2b02e86c0 meant@1.0.1
• b81fff808 rimraf@2.6.2: Fixes a long standing bug in rimraf's attempts to work around Windows limitations where it owns a file and can change its perms but can't remove it without first changing its perms. This may be an improvement for Windows users of npm under some circumstances. (@isaacs)

v5.4.2

This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.

Bugs

• 0b28ac72d #18458 Fix a bug on Windows where rolling back of failed optional dependencies would fail. (@marcins)
• 3a1b29991 write-file-atomic@2.1.0 Revert update of write-file-atomic. There were changes made to it that were resulting in EACCES errors for many users. (@iarna)
• cd8687e12 Fix a bug where if npm decided it needed to move a module during an upgrade it would strip out much of the package.json. This would result in broken trees after package updates.
• 5bd0244ee #18385 Fix npm outdated when run on non-registry dependencies. (@joshclow) (@iarna)

Ux

• 339f17b1e Report unsupported node versions with greater granularity. (@iarna)

Docs

• b2ab6f43b #18397 Document that the default loglevel with npm@5 is notice. (@KenanY)
• e5aedcd82 #18372 In npm-config documentation, note that env vars use _ in place of -. (@jakubholynet)

v5.4.1

This is a very small bug fix release to fix a problem where permissions on installed binaries were being set incorrectly.

• 767ff6eee zkat/pacote#117 #18324 pacote@6.0.2 (@zkat)

v5.4.0

Here's another small big release, with a handful bunch of fixes and a couple of small new features! This release has been incubating rather longer than usual and it's grown quite a bit in that time. I'm also excited to say that it has contributions from 27 different folks, which is a new record for us. Our previous record was 5.1.0 at 21. Before that the record had been held by 1.3.16 since December of 2013.

If you can't get enough of the bleeding edge, I encourage you to check out our canary release of npm. Get it with npm install -g npmc. It's going to be seeing some exciting stuff in the next couple of weeks, starting with a rewriten npm dedupe, but moving on to… well, you'll just have to wait and find out.

PERFORMANCE

• d080379f6 pacote@6.0.1 Updates extract to use tar@4, which is much faster than the older tar@2. It reduces install times by as much as 10%. (@zkat)
• 4cd6a1774 0195c0a8c #16804 tar@4.0.1 Update publish to use tar@4. tar@4 brings many advantages over tar@2: It's faster, better tested and easier to work with. It also produces exactly the same byte-for-byte output when producing tarballs from the same set of files. This will have some nice carry on effects for things like caching builds from git. And finally, last but certainly not least, upgrading to it also let's us finally eliminate fstream—if you know what that is you'll know why we're so relieved. (@isaacs)

FEATURES

• 1ac470dd2 #10382 If you make a typo when writing a command now, npm will print a brief "did you mean..." message with some possible alternatives to what you meant. (@watilde)
• 20c46228d #12356 When running lifecycle scripts, INIT_CWD will now contain the original working directory that npm was executed from. Remember that you can use npm run-script even if you're not inside your package root directory! (@MichaelQQ)
• be91e1726 4e7c41f4a libnpx@9.6.0: Fixes a number of issues on Windows and adds support for several more languages: Korean, Norwegian (bokmål and nynorsk), Ukrainian, Serbian, Bahasa Indonesia, Polish, Dutch and Arabic. (@zkat)
• 2dec601c6 #17142 Add the new commit-hooks option to npm version so that you can disable commit hooks when committing the version bump. (@faazshift)
• bde151902 #14461 Make output from npm ping clear as to its success or failure. (@legodude17)

BUGFIXES

• b6d5549d2 #17844 Make package-lock.json sorting locale-agnostic. Previously, sorting would vary by locale, due to using localeCompare for key sorting. This'll give you a little package-lock.json churn as it reshuffles things, sorry! (@LotharSee)
• 44b98b9dd #17919 Fix a crash where npm prune --production would fail while removing .bin. (@fasterthanlime)
• c3d1d3ba8 #17816 Fail more smoothly when attempting to install an invalid package name. (@SamuelMarks)
• 55ac2fca8 #12784 Guard against stack overflows when marking packages as failed. (@vtravieso)
• 597cc0e4b #15087 Stop outputting progressbars or using color on dumb terminals. (@iarna)
• 7a7710ba7 #15088 Don't exclude modules that are both dev & prod when using npm ls --production. (@iarna)
• 867df2b02 #18164 Only do multiple procs on OSX for now. We've seen a handful of issues relating to this in Docker and in on Windows with antivirus. (@zkat)
• 23540af7b #18117 Some package managers would write spaces to the _from field in package.json's in the form of name @spec. This was causing npm to fail to interpret them. We now handle that correctly and doubly make sure we don't do that ourselves. (@IgorNadj)
• 0ef320cb4 #16634 Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts are not compatible with Windows line-endings even on Windows.) (@ScottFreeCode)
• 71191ca22 #16476 npm-lifecycle@1.0.2 Running an install with --ignore-scripts was resulting in the the package object being mutated to have the lifecycle scripts removed from it and that in turn was being written out to disk, causing further problems. This fixes that: No more mutation, no more unexpected changes. (@addaleax)
• 459fa9d51 npm/read-package-json#74 #17802 read-package-json@2.0.1 Use unix-style slashes for generated bin entries, which lets them be cross platform even when produced on Windows. (@iarna)
• 5ec72ab5b #18229 Make install.sh find nodejs on debian. (@cebe)

DOCUMENTATION

• b019680db #10846 Remind users that they have to install missing peerDependencies manually. (@ryanflorence)
• 3aee5986a #17898 Minor punctuation fixes to the README. (@AndersDJohnson)
• e0d0a7e1d #17832 Fix grammar, format, and spelling in documentation for run-script. (@simonua)
• 3fd6a5f2f #17897 Add more info about using files with npm pack/npm publish. (@davidjgoss)
• f00cdc6eb #17785 Add a note about filenames for certificates on Windows, which use a different extension and file type. (@lgp1985)
• 0cea6f974 #18022 Clarify usage for the files field in package.json. (@xcambar)
• a0fdd1571 #15234 Clarify the behavior of the files array in the package-json docs. (@jbcpollak)
• cecd6aa5d #18137 Clarify interaction between npmignore and files in package.json. (@supertong)
• 6b8972039 #18044 Corrected the typo in package-locks docs. (@vikramnr)
• 6e012924f #17667 Fi...

v5.3.0

As mentioned before, we're continuing to do relatively rapid, smaller releases as we keep working on stomping out npm@5 issues! We've made a lot of progress since 5.0 already, and this release is no exception.

FEATURES

• 1e3a46944 #17616 Add --link filter option to npm ls. (@richardsimko)
• 33df0aaa libnpx@9.2.0 (@zkat):
  • 4 new languages - Czech, Italian, Turkish, and Chinese (Traditional)! This means npx is available in 14 different languages!
  • New --node-arg option lets you pass CLI arguments directly to node when the target binary is found to be a Node.js script.

BUGFIXES

• 33df0aaa
libnpx@9.2.0 (@zkat):
  • npx should now work on (most) Windows installs. A couple of issues remain.
  • Prevent auto-fallback from going into an infinite loop when npx disappears.
  • npx npx npx npx npx npx npx npx works again.
  • update-notifier will no longer run for the npx bundled with npm.
  • npx <cmd> in a subdirectory of your project should be able to find your node_modules/.bin now. Oops
• 8e979bf80 Revert change where npm stopped flattening modules that required peerDeps. This caused problems because folks were using peer deps to indicate that the target of the peer dep needed to be able to require the dependency and had been relying on the fact that peer deps didn't change the shape of the tree (as of npm@3). The fix that will actually work for people is for a peer dep to insist on never being installed deeper than the the thing it relies on. At the moment this is tricky because the thing the peer dep relies on may not yet have been added to the tree, so we don't know where it is. (@iarna)
• 7f28a77f3 #17733 Split remove and unbuild actions into two to get uninstall lifecycles and the removal of transitive symlinks during uninstallation to run in the right order. (@iarna)
• 637f2548f #17748 When rolling back use symlink project-relative path, fixing some issues with fs-vacuum getting confused while removing symlinked things. (@iarna)
• f153b5b22 #17706 Use semver to compare node versions in npm doctor instead of plain > comparison. (@leo-shopify)
• 542f7561 #17742 Fix issue where npm version would sometimes not commit package-locks. (@markpeterfejes)
• 51a9e63d #17777 Fix bug exposed by other bugfixes where the wrong package would be removed. (@iarna)

DOCUMENTATION

Have we mentioned we really like documentation patches? Keep sending them in! Small patches are just fine, and they're a great way to get started contributing to npm!

• fb42d55a9 #17728 Document semver git urls in package.json docs. (@sankethkatta)
• f398c700f #17684 Tweak heading hierarchy in package.json docs. (@sonicdoe)
• d5ad65e50 #17691 Explicitly document --no-save flag for uninstall. (@timneedham)

v5.2.0 (2017-07-05)

It's only been a couple of days but we've got some bug fixes we wanted to get out to you all. We also believe that npx is ready to be bundled with npm, which we're really excited about!

npx!!!

npx is a tool intended to help round out the experience of using packages from the npm registry — the same way npm makes it super easy to install and manage dependencies hosted on the registry, npx is meant to make it easy to use CLI tools and other executables hosted on the registry. It greatly simplifies a number of things that, until now, required a bit of ceremony to do with plain npm.

@zkat has a great introduction post to npx that I highly recommend you give a read

• fb040bee0 #17685 Bundle npx with npm itself. (@zkat)

BUG FIXES

• 9fe905c39 #17652 Fix max callstack exceeded loops with trees with circular links. (@iarna)
• c0a289b1b #17606 Make sure that when write package.json and package-lock.json we always use unix path separators. (@Standard8)
• 1658b79ca #17654 Make npm outdated show results for globals again. Previously it never thought they were out of date. (@iarna)
• 06c154fd6 #17678 Stop flattening modules that have peer dependencies. We're making this change to support scenarios where the module requiring a peer dependency is flattened but the peer dependency itself is not, due to conflicts. In those cases the module requiring the peer dep can't be flattened past the location its peer dep was placed in. This initial fix is naive, never flattening peer deps, and we can look into doing something more sophisticated later on. (@iarna)
• 88aafee8b #17677 There was an issue where updating a flattened dependency would sometimes unflatten it. This only happened when the dependency had dependencies that in turn required the original dependency. (@iarna)
• b58ec8eab #17626 Integrators who were building their own copies of npm ran into issues because make install and https://npmjs.com/install.sh weren't aware that npm install creates links now when given a directory to work on. This does not impact folks installing npm with npm install -g npm. (@iarna)

DOC FIXES

• 10bef735e #17645 Fix some github issue links in the 5.1.0 changelog (@schmod)
• 85fa9dcb2 #17634 Fix typo in package-lock docs. (@sonicdoe)
• 688699bef #17628 Recommend that folks looking for support join us on https://package.community/ or message @npm_support on Twitter. (@strugee)

v5.1.0

Hey y'all~

We've got some goodies for you here, including npm@5's first semver-minor release! This version includes a huge number of fixes, particularly for some of the critical bugs users were running into after upgrading npm. You should overall see a much more stable experience, and we're going to continue hacking on fixes for the time being. Semver-major releases, specially for tools like npm, are bound to cause some instability, and getting npm@5 stable is the CLI team's top priority for now!

Not that bugfixes are the only things that landed, either: between improvements that fell out of the bugfixes, and some really cool work by community members like @mikesherov, npm@5.1.0 is twice as fast as npm@5.0.0 in some benchmarks. We're not stopping there, either: you can expect a steady stream of speed improvements over the course of the year. It's not top priority, but we'll keep doing what we can to make sure npm saves its users as much time as possible.

Hang on to your seats. At 100 commits, this release is a bit of a doozy. 😎

FEATURES

Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:

• a09c1a69d #16687 Allow customizing the shell used to execute run-scripts. (@mmkal)
• 4f45ba222 a48958598 901bef0e1 #17508 Add a new requires field to package-lock.json with information about the logical dependency tree. This includes references to the specific version each package is intended to see, and can be used for many things, such as converting package-lock.json to other lockfile formats, various optimizations, and verifying correctness of a package tree. (@iarna)
• 47e8fc8eb #17508 Make npm ls take package locks (and shrinkwraps) into account. This means npm ls can now be used to see which dependencies are missing, so long as a package lock has been previously generated with it in. (@iarna)
• f0075e7ca #17508 Take package.json changes into account when running installs -- if you remove or add a dependency to package.json manually, npm will now pick that up and update your tree and package lock accordingly. (@iarna)
• 83a5455aa #17205 Add npm udpate as an alias for npm update, for symmetry with install/isntall. (@gdassori)
• 57225d394 #17120 npm will no longer warn about preferGlobal, and the option is now deprecated. (@zkat)
• 82df7bb16 #17351 As some of you may already know npm build doesn't do what a lot of people expect: It's mainly an npm plumbing command, and is part of the more familiar npm rebuild command. That said, a lot of users assume that this is the way to run an npm run-script named build, which is an incredibly common script name to use. To clarify things for users, and encourage them to use npm run build instead, npm will now warn if npm build is run without any arguments. (@lennym)

PERFORMANCE

• 59f86ef90 43be9d222 e906cdd98 #16633 npm now parallelizes tarball extraction across multiple child process workers. This can significantly speed up installations, specially when installing from cache, and will improve with number of processors. (@zkat)
• e0849878d #17441 Avoid building environment for empty lifecycle scripts. This change alone accounted for as much as a 15% speed boost for npm installations by outright skipping entire steps of the installer when not needed. (@mikesherov)
• 265c2544c npm/hosted-git-info#24 hosted-git-info@2.5.0: Add caching to fromURL, which gets called many, many times by the installer. This improved installation performance by around 10% on realistic application repositories. (@mikesherov)
• 901d26cb npm/read-package-json#20 read-package-json@2.0.9: Speed up installs by as much as 20% by reintroducing a previously-removed cache and making it actually be correct this time around. (@mikesherov)
• 44e37045d Eliminate Bluebird.promisifyAll from our codebase. (@iarna)
• 3b4681b53 #17508 Stop calling addBundle on locked deps, speeding up the package-lock.json-based fast path. (@iarna)

BUGFIXES

• #17508 This is a big PR that fixes a variety of issues when installing from package locks. If you were previously having issues with missing dependencies or unwanted removals, this might have fixed it (@iarna):
  • It introduces a new package-lock.json field, called requires, which tracks which modules a given module requires.
  • It fixes #16839 which was caused by not having this information available, particularly when git dependencies were involved.
  • It fixes #16866, allowing the package.json to trump the package-lock.json.
  • npm ls now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
• 656544c31 d21ab57c3 #16637 Fix some cases where npm prune was leaving some dependencies unpruned if to-be-pruned dependencies depended on them. (@exogen)
• 394436b09 #17552 Make refresh-package-json re-verify the package platform. This fixes an issue most notably experienced by Windows users using create-react-app where fsevents would not short-circuit and cause a crash during its otherwise-skipped native build phase. (@zkat)
• 9e5a94354 #17590 Fix an issue where npm@5 would crash when trying to remove packages installed with npm@<5. (@iarna)
• c3b586aaf #17141 Don't update the package.json when modifying packages that don't go there. This was previously causing package.json to get a "false": {} field added. (@iarna)
• d04a23de2 4a5b360d5 d9e53db48 pacote@2.7.38 (@colinrotherham, @zkat, @mcibique):
  • zkat/pacote#102 Fix issue with tar extraction and special characters.
  • Enable loose semver parsing in some missing corner cases.
• e2f815f87 #17104 Write an empty str and wait for flush to exit to reduce issues with npm exiting before all output is complete when it's a child process. (@zkat)
• 835fcec60 #17060 Make git repos with prepare scripts always install with both dev and prod flags. (@intellix)
• [`f1dc8a...

v5.0.4

Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~

• f0a37ace9 Fix npm doctor when hitting registries without ping. (@zkat)
• 64f0105e8 Fix invalid format error when setting cache-related headers. ([@kat Marchán](https://github.com/Kat Marchán))
• d2969c80e Fix spurious EINTEGRITY issue. (@zkat)
• 800cb2b4e #17076 Use legacy from field to improve upgrade experience from legacy shrinkwraps and installs. (@zkat)
• 4100d47ea #17007 Restore loose semver parsing to match older npm behavior when running into invalid semver ranges in dependencies. (@zkat)
• 35316cce2 #17005 Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of crashing. (@zkat)
• e7e8ee5c5 #16937 Workaround for separate bug where requested was somehow null. (@forivall)
• 2d9629bb2 Better logging output for git errors. (@zkat)
• 2235aea73 More scp-url fixes: parsing only worked correctly when a committish was present. (@zkat)
• 80c33cf5e Standardize package permissions on tarball extraction, instead of using perms from the tarball. This matches previous npm behavior and fixes a number of incompatibilities in the wild. (@zkat)
• 2b1e40efb Limit shallow cloning to hosts which are known to support it. (@zkat)

v5.0.3

Happy Monday, y'all! We've got another npm release for you with the fruits of our ongoing bugsquashing efforts. You can expect at least one more this week, but probably more -- and as we announced last week, we'll be merging fixes more rapidly into the npmc canary so you can get everything as soon as possible!

Hope y'all are enjoying npm5 in the meantime, and don't hesitate to file issues for anything you find! The goal is to get this release rock-solid as soon as we can. 💚

• 6e12a5cc0 Bump several dependencies to get improvements and bugfixes:
  • cacache: content files (the tarballs) are now read-only.
  • pacote: fix failing clones with bad heads, send extra TLS-related opts to proxy, enable global auth configurations and _auth-based auth.
  • ssri: stop crashing with can't call method find of undefined when running into a weird opts.integrity/opts.algorithms conflict during verification.
    (@zkat)
• 89cc8e3e1 #16917 Send ca, cert and key config through to network layer. (@colinrotherham)
• 6a9b51c67 #16929 Send npm-session header value with registry requests again. (@zarenner)
• 662a15ab7 Fix npm doctor so it stop complaining about read-only content files in the cache. (@zkat)
• 191d10a66 #16918 Clarify prepublish deprecation message. (@Hirse)

v5.0.2

v5.0.2 (2017-06-02)

Here's another patch release, soon after the other!

This particular release includes a slew of fixes to npm's git support, which was causing some issues for a chunk of people, specially those who were using self-hosted/Enterprise repos. All of those should be back in working condition now.

There's another shiny thing you might wanna know about: npm has a Canary release now! The npm5 experiment we did during our beta proved to be incredibly successful: users were able to have a tight feedback loop between reports and getting the bugfixes they needed, and the CLI team was able to roll out experimental patches and have the community try them out right away. So we want to keep doing that.

From now on, you'll be able to install the 'npm canary' with npm i -g npmc. This release will be a separate binary (npmc. Because canary. Get it?), which will update independently of the main CLI. Most of the time, this will track release-next or something close to it. We might occasionally toss experimental branches in there to see if our more adventurous users run into anything interesting with it. For example, the current canary (npmc@5.0.1-canary.6) includes an experimental multiproc branch that parallelizes tarball extraction across multiple processes.

If you find any issues while running the canary version, please report them and let us know it came from npmc! It would be tremendously helpful, and finding things early is a huge reason to have it there. Happy hacking!

A NOTE ABOUT THE ISSUE TRACKER

Just a heads up: We're preparing to do a massive cleanup of the issue tracker. It's been a long time since it was something we could really keep up with, and we didn't have a process for dealing with it that could actually be sustainable.

We're still sussing the details out, and we'll talk about it more when we're about to do it, but the plan is essentially to close old, abandoned issues and start over. We will also add some automation around issue management so that things that we can't keep up with don't just stay around forever.

Stay tuned!

GIT YOLO

• 1f26e9567 pacote@2.7.27: Fixes installing committishes that look like semver, even though they're not using the required #semver: syntax. (@zkat)
• 85ea1e0b9 npm-package-arg@5.1.1: This includes the npa git-parsing patch to make it so non-hosted SCP-style identifiers are correctly handled. Previously, npa would mangle them (even though hosted-git-info is doing the right thing for them). (@zkat)

COOL NEW OUTPUT

The new summary output has been really well received! One downside that reared its head as more people used it, though, is that it doesn't really tell you anything about the toplevel versions it installed. So, if you did npm i -g foo, it would just say "added 1 package". This patch by @rmg keeps things concise while still telling you what you got! So now, you'll see something like this:

$ npm i -g foo bar
+ foo@1.2.3
+ bar@3.2.1
added 234 packages in .005ms

• 362f9fd5b #16899 For every package that is given as an argument to install, print the name and version that was actually installed. (@rmg)

OTHER BUGFIXES

• a47593a98 #16835 Fix a crash while installing with --no-shrinkwrap. (@jacknagel)

DOC UPATES

• 89e0cb816 #16818 Fixes a spelling error in the docs. Because the CLI team has trouble spelling "package", I guess. (@ankon)
• c01fbc46e #16895 Remove --save from npm init instructions, since it's now the default. (@jhwohlgemuth)
• 80c42d218 Guard against cycles when inflating bundles, as symlinks are bundles now. (@iarna)
• 7fe7f8665 #16674 Write the builtin config for npmc, not just npm. This is hardcoded for npm self-installations and is needed for Canary to work right. (@zkat)

DEP UPDATES

• 63df4fcdd #16894 node-gyp@3.6.2: Fixes an issue parsing SDK versions on Windows, among other things. (@refack)
• 5bb15c3c4 read-package-tree@5.1.6: Fixes some racyness while reading the tree. (@iarna)
• a6f7a52e7 aproba@1.1.2: Remove nested function declaration for speed up (@mikesherov)