Releases: npm/npm
v5.0.1
Hey y'all! Hope you're enjoying the new npm!
As you all know, fresh software that's gone through major overhauls tends to miss a lot of spots the old one used to handle well enough, and npm@5
is no exception. The CLI team will be doing faster release cycles that go directly to the latest
tag for a couple of weeks while 5 stabilizes a bit and we're confident the common low-hanging fruit people are running into are all taken care of.
With that said: this is our first patch release! The biggest focus is fixing up a number of git-related issues that folks ran into right out the door. It also fixes other things, like some proxy/auth-related issues, and even has a neat speed boost! (You can expect more speed bumps in the coming releases as pending work starts landing, too!)
Thanks everyone who's been reporting issues and submitting patches!
BUGFIXES
e61e68dac
#16762 Makenpm publish
obey the--tag
flag again. (@zkat)923fd58d3
#16749 Speed up installations by nearly 20% by... removing one line of code. (hah) (@mikesherov)9aac984cb
Guard against a particular failure mode for a bug still being hunted down. (@iarna)80ab521f1
Pull in dependency updates for various core deps:- New
pacote
fixes several git-related bugs. ssri
update fixes crash on early node@4 versions.make-fetch-happen
update fixes proxy authentication issue.npm-user-validate
adds regex for blocking usernames with illegal chars.
(@zkat)
- New
7e5ce87b8
pacote@2.7.26
: Fixes various other git issues related to commit hashes. (@zkat)acbe85bfc
#16791npm view
was callingcb
prematurely and giving partial output when called in a child process. (@zkat)ebafe48af
#16750 Hamilpatch the Musical: Talk less, complete more. (@aredridel)
DOCUMENTATION
dc2823a6c
#16799 Document thatpackage-lock.json
is never allowed in tarballs. (@sonicdoe)f3cb84b44
#16771 Fixnpm -l
usage information for thetest
command. (@grawlinson)
OTHER CHANGES
v5.0.0
Wowowowowow npm@5!
This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!
Breaking Changes
-
Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (#15666)
-
npm install ./packages/subdir
will now create a symlink instead of a regular installation.file://path/to/tarball.tgz
will not change -- only directories are symlinked. (#15900) -
npm will now scold you if you capitalize its name. seriously it will fight you.
-
npm will
--save
by default now. Additionally,package-lock.json
will be automatically created unless annpm-shrinkwrap.json
exists. (#15666) -
Git dependencies support semver through
user/repo#semver:^1.2.3
(#15308) (#15666) (@sankethkatta) -
Git dependencies with
prepare
scripts will have theirdevDependencies
installed, andnpm install
run in their directory before being packed. -
npm cache
commands have been rewritten and don't really work anything like they did before. (#15666) -
--cache-min
and--cache-max
have been deprecated. (#15666) -
Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)
-
package locks no longer exclude
optionalDependencies
that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900) -
If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (
npm config set @myscope:registry=https://myownregist.ry/packages/
). Different registries for different unscoped packages are not supported anymore. -
Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.
-
Local tarballs can now only be installed if they have a file extensions
.tar
,.tar.gz
, or.tgz
. -
A new loglevel,
notice
, has been added and set as default. -
One binary to rule them all:
./cli.js
has been removed in favor of./bin/npm-cli.js
. In case you were doing something with./cli.js
itself. (#12096) (@watilde) -
The "extremely legacy"
_token
couchToken has been removed. (#12986)
Feature Summary
Installer changes
-
A new, standardised lockfile feature meant for cross-package-manager compatibility (
package-lock.json
), and a new format and semantics for shrinkwrap. (#16441) -
--save
is no longer necessary. All installs will be saved by default. You can prevent saving with--no-save
. Installing optional and dev deps is unchanged: use-D/--save-dev
and-O/--save-optional
if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true forpackage-lock.json
. (#15666) -
Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too. 😁 (#15900)
-
Project-level (toplevel)
preinstall
scripts now run before anything else, and can modifynode_modules
before the CLI reads it. -
Two new scripts have been added,
prepack
andpostpack
, which will run on bothnpm pack
andnpm publish
, but NOT onnpm install
(without arguments). Combined with the fact thatprepublishOnly
is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication. -
Git dependencies with
prepare
scripts will now have their devDependencies installed, and their prepare script executed as if undernpm pack
. -
Git dependencies now support semver-based matching:
npm install git://github.com/npm/npm#semver:^5
(#15308, #15666) -
node-gyp
now supportsnode-gyp.cmd
on Windows (#14568) -
npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (#15914):
$ npm install
npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.
$
-
--parseable
and--json
now work more consistently across various commands, particularlyinstall
andls
. -
Indentation is now detected and preserved for
package.json
,package-lock.json
, andnpm-shrinkwrap.json
. If the package lock is missing, it will default topackage.json
's current indentation.
Publishing
- New publishes will now include both
sha512
andsha1
checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. npm/npm-registry-client#157
Cache Rewrite!
We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works. #15666 is the main PR for all these changes. Additional PRs/commits are linked inline.
-
Package metadata, package download, and caching infrastructure replaced.
-
It's a bit faster. Hopefully it will be noticeable. 🤔
-
With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it).
-
Corrupted cache entries will automatically be removed and re-fetched on integrity check failure.
-
npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will use
sha512
for tarballs from registries that send asha512
checksum as the tarball hash. Publishing withsha512
is added by npm/npm-registry-client#157 and may be backfilled by the registry for older entries. -
Remote tarball requests are now cached. This means that even if you're missing the
integrity
field in your shrinkwrap or package-lock, npm will be able to install from the cache. -
Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).
-
Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).
-
A new
--prefer-offline
option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache. -
A new
--prefer-online
option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data. -
A new
--offline
option will force npm to use the cache or exit. It will error with anENOTCACHED
code if anything it tries to install isn't already in the cache. -
A new
npm cache verify
command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked intonpm doctor
as part of its larger suite of checking tools. -
The new cache is very fault tolerant and supports concurrent access.
- Multiple npm processes will not corrupt a shared cache.
- Corrupted data will not be installed. Data is checked on both insertion and extraction, and treated as if it were missing if found to be corrupted. I will literally bake you a cookie if you manage to corrupt the cache in such a way that you end up with the wrong data in your installation (installer bugs notwithstanding).
npm cache clear
is no longer useful f...
v4.6.1
v4.6.1 (2017-04-21)
A little release to tide you over while we hammer out the last bits for npm@5.
FEATURES
-
d13c9b2f2
init-package-json@1.10.0
: Thename:
prompt is nowpackage name:
to make this less ambiguous for new users.The default package name is now a valid package name. For example: If your package directory has mixed case, the default package name will be all lower case.
-
f08c66323
#16213 Add--allow-same-version
option tonpm version
so that you can usenpm version
to run your version lifecycles and tag your git repo without actually changing the version number in yourpackage.json
. (@lucastheisen) -
f5e8becd0
Timing has been added throughout the install implementation. You can see it by running a command with--loglevel=timing
. You can also run commands with--timing
which will write annpm-debug.log
even on success and add an entry to_timing.json
in your cache with the timing information from that run. (@iarna)
BUG FIXES
9c860f2ed
#16021 Fix a crash innpm doctor
when used with a registry that does not support theping
API endpoint. (@watilde)65b9943e9
#16364 Shorten the ELIFECYCLE error message. The shorter error message should make it much easier to discern the actual cause of the error. (@j-f1)a87a4a835
npmlog@4.0.2
: Fix flashing of the progress bar when your terminal is very narrow. (@iarna)41c10974f
write-file-atomic@1.3.2
: Wait forfsync
to complete before considering our file written to disk. This will improve certain sorts of Windows diagnostic problems.2afa9240c
#16336 Don't ham-it-up when expecting JSON. (@bdukes)
DOCUMENTATION FIXES
566f3eebe
#16296 Use a single convention when referring to the<command>
you're running. (@desfero)ccbb94934
#16267 Fix a missing space in the example package.json. (@famousgarkin)
DEPENDENCY UPDATES
v2.15.12
v2.15.12 (2017-03-24):
This version brings the latest node-gyp
to a soon to be released Node.js 4.x. The node-gyp
update is paticularly important to Windows folks due to its addition of Visual Studio 2017 support.
cdd60e733
node-gyp@3.6.0
: Improvements to how Python is located. New--devdir
flag. Support for VS2017. Chakracore support on ARM. Remove path-array dependency, reducing size significantly. (@bnoordhuis) (@mhart) (@refack) (@kunalspathak)
v4.5.0
v4.5.0 (2017-03-24)
Welcome a wrinkle on npm's registry API!
Codename: Corgi
This release has some bug fixes, but it's mostly about bringing support for MUCH smaller package metadata. How much smaller? Well, for npm itself it reduces 416K of gzip compressed JSON to 24K.
As a user, all you have to do is update to get to use the new API. If you're interested in the details we've documented the changes in detail.
CORGUMENTS
Package metadata: now smaller. This means a smaller cache and less to download.
86dad0d74
Add support for filtered package metadata. (@iarna)41789cffa
npm-registry-client@8.1.0
(@iarna)
NO SHRINKWRAP, NO PROBLEM
Previously we needed to extract every package's tarball to look for an npm-shrinkwrap.json
before we could begin working through what its dependencies were. This was one of the things stopping npm's network accesses from happening more concurrently. The new filtered package metadata provides a new key, _hasShrinkwrap
. When that's set to false
then we know we don't have to look for one.
4f5060eb3
#15969 Add support for skippingnpm-shrinkwrap.json
extraction when the registry can affirm that one doesn't exist. (@iarna)
INTERRUPTING SCRIPTS
878aceb25
#16129 Better handle Ctrl-C while running scripts.npm
will now no longer exit until the script it is running has exited. If you press Ctrl-C a second time it kill the script rather than just forwarding the Ctrl-C. (@jaridmargolin)
DEPENDENCY UPDATES:
def75eebf
hosted-git-info@2.4.1
: Preserve case of the user name part of shortcut specifiers, previously they were lowercased. (@iarna)eb3789fd1
node-gyp@3.6.0
: Add support for VS2017 and Chakracore improvements. (@refack) (@kunalspathak)245e25315
readable-stream@2.2.6
(@mcollina)30357ebc5
which@1.2.14
(@isaacs)
v4.4.4
v4.4.4 (2017-03-10)
😩😤😅 Okay! We have another next
release for ya today. So, yes! With v4.4.3 we fixed the bug that made bundled scoped modules uninstallable. But somehow I overlooked the fact that we: A) were using these and B) that made upgrading to v4.4.3 impossible. 😭
So I've renamed those two scoped modules to no longer use scopes and we now have a shiny new test to ensure that scoped modules don't creep into our transitive deps and make it impossible to upgrade to npm
.
(None of our woes applies to most of you all because most of you all don't use bundled dependencies. npm
does because we want the published artifact to be installable without having to already have npm
.)
2a7409fcb
#16066 Ensure we aren't using any scoped modules. Becausenpm
s prior 4.4.3 can't install dependencies that have bundled scoped modules. This didn't show up sooner because they ALSO had a bug that caused bundled scoped modules to not be included in the bundle. (@iarna)eb4c70796
#16066 Switch to move-concurrently to remove scoped dependency (@iarna)
v4.4.3
v4.4.3 (2016-03-09)
This is a small patch release, mostly because the published tarball for v4.4.2 was missing a couple of modules, due to a bug involving scoped modules, bundled dependencies and legacy tree layouts.
There are a couple of other things here that happened to be ready to go. So without further ado…
BUG FIXES
3d80f8f70
npm/fs-vacuum#6fs-vacuum@1.2.1
: Make sure we never, ever remove home directories. Previously if your home directory was entirely empty then we mightrmdir
it. (@helio-frota)1af85ca9f
#16040 Fix bug where bundled transitive dependencies that happened to be installed under bundled scoped dependencies wouldn't be included in the tarball when building a package. (@iarna)13c7fdc2e
#16040 Fix a bug where bundled scoped dependencies couldn't be extracted. (@iarna)d6cde98c2
#16040 Stop printingENOENT
errors more than once. (@iarna)722fbf0f6
#16040 Rewrite theextract
action for greater clarity. Specifically, this involves moving things around structurally to do the same thingd0c6d194
did, but in a more comprehensive manner. This also fixes a long standing bug where errors from the move step would be eaten during this phase and as a result we would get mysterious crashes in the finalize phase when finalize tried to act on them. (@iarna)6754dabb6
#16040 Flatten out@npmcorp/move
's deps for backwards compatibility reasons. Versions prior to this one will fail to install any package that bundles a scoped dependency. This was responsible forENOENT
errors during thefinalize
phase. (@iarna)
DOC UPDATES
v4.4.2
This week, the focus on the release was mainly going through all of npm's deps that we manage ourselves, and making sure all their PRs and versions were up to date. That means there's a few fixes here and there. Nothing too big codewise, though.
The most exciting part of this release is probably our shiny new Contributing and Troubleshooting docs! @snopeks did some ✨fantastic✨ work hashing it out, and we're really hoping this is a nice big step towards making contributing to npm easier. The troubleshooting doc will also hopefully solve common issues for people! Do you think something is missing from it? File a PR and we'll add it! The current document is just a baseline for further editing and additions.
Also there's maybe a bit of an easter egg in this release. 'Cause those are fun and I'm a huge nerd. 😉
DOCUMENTATION AHOY
07e997a
#15756 OverhaulCONTRIBUTING.md
and add newTROUBLESHOOTING.md
files. 🙌🏼 (@snopeks)2f3e4b6
#15833 Mention the 24-hour unpublish policy on the main registry. (@carols10cents)
NOT REALLY FEATURES, NOT REALLY BUGFIXES. MORE LIKE TWEAKS? 🤔
84be534
#15888 Stop flatteningls
-tree output. From now on, deduped deps will be marked as such in the place where they would've been before getting hoisted by the installer. (@iarna)e9a5dca
#15967 Limit metadata fetches to 10 concurrent requests. (@iarna)46aa9bc
#15967 Limit concurrent installer actions to 10. (@iarna)
BUGFIXES
c3b994b
#15901 Use EXDEV aware move instead of rename. This will allow moving across devices and moving when filesystems don't support renaming directories full of files. It might make folks using Docker a bit happier. (@iarna)0de1a9c
#15735 Autocomplete support for npm scripts with:
colons in the name. (@beyondcompute)84b0b92
#15874 Stop using undocumentedres.writeHeader
alias forres.writeHead
. (@ChALkeR)895ffe4
#15824 Fix empty versions column innpm search
output. (@bcoe)38c8d7a
init-package-json@1.9.5
: npm/init-package-json#61 Exclude existingdevDependencies
from being added todependencies
. Fixes #12260. (@addaleax)
v4.4.1
v4.4.1 (2017-03-06):
This is a quick little patch release to forgo the update notification checker if you're on an unsuported (but not otherwise broken) version of Node.js. Right now that means 0.10 or 0.12.
56ac249
#15864 Only useupdate-notifier
on supported versions. (@legodude17)
v4.4.0
v4.4.0 (2017-02-23):
Aaaah, @iarna here, it's been a little while since I did one of these! This is a nice little release, we've got an update notifier, vastly less verbose error messages, new warnings on package metadata that will probably give you a bad day, and a sprinkling of bug fixes.
UPDATE NOTIFICATIONS
We now have a little nudge to update your npm
, courtesy of update-notifier.
148ee66
#15774npm
will now check at start up to see if a newer version is available. It will check once a day. If you want to disable this, setoptOut
totrue
in~/.config/configstore/update-notifier-npm.json
. (@ceejbot)
LESS VERBOSE ERROR MESSAGES
npm
has, for a long time, had very verbose error messages. There was a lot of info in there, including the cause of the error you were seeing but without a lot of experience reading them pulling that out was time consuming and difficult.
With this change the output is cut down substantially, centering the error message. So, for example if you try to npm run sdlkfj
then the entire error you'll get will be:
npm ERR! missing script: sldkfj
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/rebecca/.npm/_logs/2017-02-24T00_41_36_988Z-debug.log
The CLI team has discussed cutting this down even further and stripping the npm ERR!
prefix off those lines too. We'd appreciate your feedback on this!
e544124
#15716 Make error output less verbose. (@iarna)166bda9
#15716 Stop encouraging users to visit the issue tracker unless we know for certain that it's an npm bug. (@iarna)
OTHER NEW FEATURES
53412eb
#15772 We now warn if you have a module listed in both dependencies and devDependencies. (@TedYav)426b180
#15757 Default reporting metrics to default registry. Previously it defaulted to usinghttps://registry.npmjs.org
, now it will default to the result ofnpm config get registry
. For most folks this won't actually change anything, but it means that folks who use a private registry will have metrics routed there by default. This has the potential to be interesting because it means that in the future private registry products (npme!) will be able to report on these metrics. (@iarna)
BUG FIXES
8ea0de9
#15716 Write logs forcb() never called
errors.c4e83dc
Make it so that errors while reading the existing node_modules tree can't result in installer crashes. (@iarna)2690dc2
Updatenpm doctor
to not treat broken symlinks in your global modules as a permission failure. This is particularly important if you link modules and your text editor uses the convention of creating symlinks from.#filename.js
to a machine name and pid to lock files (eg emacs and compatible things). (@iarna)f4c3f48
#15777 Not exactly a bug, but change a parameterless.apply
to.call
. (@notarseniy)
DEPENDENCY UPDATES
549dcff
rimraf@2.6.0
: Retry EBUSY, ENOTEMPTY and EPERM on non-Windows platforms too. More reliablerimraf.sync
on Windows. (@isaacs)052dfb6
validate-npm-package-name@3.0.0
: Remove ableist language in README. Stop allowing ~'!()* in package names. (@tomdale) (@chrisdickinson)6663ea6
abbrev@1.1.0
(@isaacs)be6de9a
opener@1.4.3
(@dominic)900a5e3
readable-stream@2.2.3
(@RangerMauve) (@mcollina)c972a8b
tacks@1.2.6
(@iarna)85a36ef
7ac9265
tap@10.2.0
(@isaacs)