v5.0.1

Hey y'all! Hope you're enjoying the new npm!

As you all know, fresh software that's gone through major overhauls tends to miss a lot of spots the old one used to handle well enough, and npm@5 is no exception. The CLI team will be doing faster release cycles that go directly to the latest tag for a couple of weeks while 5 stabilizes a bit and we're confident the common low-hanging fruit people are running into are all taken care of.

With that said: this is our first patch release! The biggest focus is fixing up a number of git-related issues that folks ran into right out the door. It also fixes other things, like some proxy/auth-related issues, and even has a neat speed boost! (You can expect more speed bumps in the coming releases as pending work starts landing, too!)

Thanks everyone who's been reporting issues and submitting patches!

BUGFIXES

• e61e68dac #16762 Make npm publish obey the --tag flag again. (@zkat)
• 923fd58d3
  #16749 Speed up installations by nearly 20% by... removing one line of code. (hah) (@mikesherov)
• 9aac984cb Guard against a particular failure mode for a bug still being hunted down. (@iarna)
• 80ab521f1 Pull in dependency updates for various core deps:
  • New pacote fixes several git-related bugs.
  • ssri update fixes crash on early node@4 versions.
  • make-fetch-happen update fixes proxy authentication issue.
  • npm-user-validate adds regex for blocking usernames with illegal chars.
    (@zkat)
• 7e5ce87b8 pacote@2.7.26: Fixes various other git issues related to commit hashes. (@zkat)
• acbe85bfc #16791 npm view was calling cb prematurely and giving partial output when called in a child process. (@zkat)
• ebafe48af #16750 Hamilpatch the Musical: Talk less, complete more. (@aredridel)

DOCUMENTATION

• dc2823a6c #16799 Document that package-lock.json is never allowed in tarballs. (@sonicdoe)
• f3cb84b44 #16771 Fix npm -l usage information for the test command. (@grawlinson)

OTHER CHANGES

• 661262309 #16756 remove unused argument (@Aladdin-ADD)
• c3e0b4287 #16296 preserve same name convention for command (@desfero)
• 9f814831d #16757 remove unused argument (@Aladdin-ADD)
• 3cb843239 minor linter fix (@zkat)

v5.0.0

Wowowowowow npm@5!

This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!

Breaking Changes

• Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (#15666)

• npm install ./packages/subdir will now create a symlink instead of a regular installation. file://path/to/tarball.tgz will not change -- only directories are symlinked. (#15900)

• npm will now scold you if you capitalize its name. seriously it will fight you.

• npm will --save by default now. Additionally, package-lock.json will be automatically created unless an npm-shrinkwrap.json exists. (#15666)

• Git dependencies support semver through user/repo#semver:^1.2.3 (#15308) (#15666) (@sankethkatta)

• Git dependencies with prepare scripts will have their devDependencies installed, and npm install run in their directory before being packed.

• npm cache commands have been rewritten and don't really work anything like they did before. (#15666)

• --cache-min and --cache-max have been deprecated. (#15666)

• Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)

• package locks no longer exclude optionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900)

• If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (npm config set @myscope:registry=https://myownregist.ry/packages/). Different registries for different unscoped packages are not supported anymore.

• Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.

• Local tarballs can now only be installed if they have a file extensions .tar, .tar.gz, or .tgz.

• A new loglevel, notice, has been added and set as default.

• One binary to rule them all: ./cli.js has been removed in favor of ./bin/npm-cli.js. In case you were doing something with ./cli.js itself. (#12096) (@watilde)

• Stub file removed (#16204) (@watilde)

• The "extremely legacy" _token couchToken has been removed. (#12986)

Feature Summary

Installer changes

• A new, standardised lockfile feature meant for cross-package-manager compatibility (package-lock.json), and a new format and semantics for shrinkwrap. (#16441)

• --save is no longer necessary. All installs will be saved by default. You can prevent saving with --no-save. Installing optional and dev deps is unchanged: use -D/--save-dev and -O/--save-optional if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true for package-lock.json. (#15666)

• Installing a package directory now ends up creating a symlink and does the Right Thing™ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too. 😁 (#15900)

• Project-level (toplevel) preinstall scripts now run before anything else, and can modify node_modules before the CLI reads it.

• Two new scripts have been added, prepack and postpack, which will run on both npm pack and npm publish, but NOT on npm install (without arguments). Combined with the fact that prepublishOnly is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication.

• Git dependencies with prepare scripts will now have their devDependencies installed, and their prepare script executed as if under npm pack.

• Git dependencies now support semver-based matching: npm install git://github.com/npm/npm#semver:^5 (#15308, #15666)

• node-gyp now supports node-gyp.cmd on Windows (#14568)

• npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (#15914):

$ npm install
npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.
$

• --parseable and --json now work more consistently across various commands, particularly install and ls.

• Indentation is now detected and preserved for package.json, package-lock.json, and npm-shrinkwrap.json. If the package lock is missing, it will default to package.json's current indentation.

Publishing

• New publishes will now include both sha512 and sha1 checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. npm/npm-registry-client#157

Cache Rewrite!

We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works. #15666 is the main PR for all these changes. Additional PRs/commits are linked inline.

• Package metadata, package download, and caching infrastructure replaced.

• It's a bit faster. Hopefully it will be noticeable. 🤔

• With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it).

• Corrupted cache entries will automatically be removed and re-fetched on integrity check failure.

• npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will use sha512 for tarballs from registries that send a sha512 checksum as the tarball hash. Publishing with sha512 is added by npm/npm-registry-client#157 and may be backfilled by the registry for older entries.

• Remote tarball requests are now cached. This means that even if you're missing the integrity field in your shrinkwrap or package-lock, npm will be able to install from the cache.

• Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).

• Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).

• A new --prefer-offline option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache.

• A new --prefer-online option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data.

• A new --offline option will force npm to use the cache or exit. It will error with an ENOTCACHED code if anything it tries to install isn't already in the cache.

• A new npm cache verify command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked into npm doctor as part of its larger suite of checking tools.

• The new cache is very fault tolerant and supports concurrent access.

  • Multiple npm processes will not corrupt a shared cache.
  • Corrupted data will not be installed. Data is checked on both insertion and extraction, and treated as if it were missing if found to be corrupted. I will literally bake you a cookie if you manage to corrupt the cache in such a way that you end up with the wrong data in your installation (installer bugs notwithstanding).
  • npm cache clear is no longer useful f...

v4.6.1

v4.6.1 (2017-04-21)

A little release to tide you over while we hammer out the last bits for npm@5.

FEATURES

• d13c9b2f2 init-package-json@1.10.0: The name: prompt is now package name: to make this less ambiguous for new users.

  The default package name is now a valid package name. For example: If your package directory has mixed case, the default package name will be all lower case.

• f08c66323 #16213 Add --allow-same-version option to npm version so that you can use npm version to run your version lifecycles and tag your git repo without actually changing the version number in your package.json. (@lucastheisen)

• f5e8becd0 Timing has been added throughout the install implementation. You can see it by running a command with --loglevel=timing. You can also run commands with --timing which will write an npm-debug.log even on success and add an entry to _timing.json in your cache with the timing information from that run. (@iarna)

BUG FIXES

• 9c860f2ed #16021 Fix a crash in npm doctor when used with a registry that does not support the ping API endpoint. (@watilde)
• 65b9943e9 #16364 Shorten the ELIFECYCLE error message. The shorter error message should make it much easier to discern the actual cause of the error. (@j-f1)
• a87a4a835 npmlog@4.0.2: Fix flashing of the progress bar when your terminal is very narrow. (@iarna)
• 41c10974f write-file-atomic@1.3.2: Wait for fsync to complete before considering our file written to disk. This will improve certain sorts of Windows diagnostic problems.
• 2afa9240c #16336 Don't ham-it-up when expecting JSON. (@bdukes)

DOCUMENTATION FIXES

• 566f3eebe #16296 Use a single convention when referring to the <command> you're running. (@desfero)
• ccbb94934 #16267 Fix a missing space in the example package.json. (@famousgarkin)

DEPENDENCY UPDATES

• ebde4ea33 hosted-git-info@2.4.2
• c46ad71bb init-package-json@1.9.6
• d856d570d npm-registry-client@8.1.1
• 4a2e14436 readable-stream@2.2.9
• f0399138e normalize-package-data@2.3.8

v2.15.12

v2.15.12 (2017-03-24):

This version brings the latest node-gyp to a soon to be released Node.js 4.x. The node-gyp update is paticularly important to Windows folks due to its addition of Visual Studio 2017 support.

• cdd60e733 node-gyp@3.6.0: Improvements to how Python is located. New --devdir flag. Support for VS2017. Chakracore support on ARM. Remove path-array dependency, reducing size significantly. (@bnoordhuis) (@mhart) (@refack) (@kunalspathak)

v4.5.0

v4.5.0 (2017-03-24)

Welcome a wrinkle on npm's registry API!

Codename: Corgi

This release has some bug fixes, but it's mostly about bringing support for MUCH smaller package metadata. How much smaller? Well, for npm itself it reduces 416K of gzip compressed JSON to 24K.

As a user, all you have to do is update to get to use the new API. If you're interested in the details we've documented the changes in detail.

CORGUMENTS

Package metadata: now smaller. This means a smaller cache and less to download.

• 86dad0d74 Add support for filtered package metadata. (@iarna)
• 41789cffa npm-registry-client@8.1.0 (@iarna)

NO SHRINKWRAP, NO PROBLEM

Previously we needed to extract every package's tarball to look for an npm-shrinkwrap.json before we could begin working through what its dependencies were. This was one of the things stopping npm's network accesses from happening more concurrently. The new filtered package metadata provides a new key, _hasShrinkwrap. When that's set to false then we know we don't have to look for one.

• 4f5060eb3 #15969 Add support for skipping npm-shrinkwrap.json extraction when the registry can affirm that one doesn't exist. (@iarna)

INTERRUPTING SCRIPTS

• 878aceb25 #16129 Better handle Ctrl-C while running scripts. npm will now no longer exit until the script it is running has exited. If you press Ctrl-C a second time it kill the script rather than just forwarding the Ctrl-C. (@jaridmargolin)

DEPENDENCY UPDATES:

• def75eebf hosted-git-info@2.4.1: Preserve case of the user name part of shortcut specifiers, previously they were lowercased. (@iarna)
• eb3789fd1 node-gyp@3.6.0: Add support for VS2017 and Chakracore improvements. (@refack) (@kunalspathak)
• 245e25315 readable-stream@2.2.6 (@mcollina)
• 30357ebc5 which@1.2.14 (@isaacs)

v4.4.4

v4.4.4 (2017-03-10)

😩😤😅 Okay! We have another next release for ya today. So, yes! With v4.4.3 we fixed the bug that made bundled scoped modules uninstallable. But somehow I overlooked the fact that we: A) were using these and B) that made upgrading to v4.4.3 impossible. 😭

So I've renamed those two scoped modules to no longer use scopes and we now have a shiny new test to ensure that scoped modules don't creep into our transitive deps and make it impossible to upgrade to npm.

(None of our woes applies to most of you all because most of you all don't use bundled dependencies. npm does because we want the published artifact to be installable without having to already have npm.)

• 2a7409fcb #16066 Ensure we aren't using any scoped modules. Because npms prior 4.4.3 can't install dependencies that have bundled scoped modules. This didn't show up sooner because they ALSO had a bug that caused bundled scoped modules to not be included in the bundle. (@iarna)
• eb4c70796 #16066 Switch to move-concurrently to remove scoped dependency (@iarna)

v4.4.3

v4.4.3 (2016-03-09)

This is a small patch release, mostly because the published tarball for v4.4.2 was missing a couple of modules, due to a bug involving scoped modules, bundled dependencies and legacy tree layouts.

There are a couple of other things here that happened to be ready to go. So without further ado…

BUG FIXES

• 3d80f8f70 npm/fs-vacuum#6 fs-vacuum@1.2.1: Make sure we never, ever remove home directories. Previously if your home directory was entirely empty then we might rmdir it. (@helio-frota)
• 1af85ca9f #16040 Fix bug where bundled transitive dependencies that happened to be installed under bundled scoped dependencies wouldn't be included in the tarball when building a package. (@iarna)
• 13c7fdc2e #16040 Fix a bug where bundled scoped dependencies couldn't be extracted. (@iarna)
• d6cde98c2 #16040 Stop printing ENOENT errors more than once. (@iarna)
• 722fbf0f6 #16040 Rewrite the extract action for greater clarity. Specifically, this involves moving things around structurally to do the same thing d0c6d194 did, but in a more comprehensive manner. This also fixes a long standing bug where errors from the move step would be eaten during this phase and as a result we would get mysterious crashes in the finalize phase when finalize tried to act on them. (@iarna)
• 6754dabb6 #16040 Flatten out @npmcorp/move's deps for backwards compatibility reasons. Versions prior to this one will fail to install any package that bundles a scoped dependency. This was responsible for ENOENT errors during the finalize phase. (@iarna)

DOC UPDATES

• fba51c582 #15960 Update troubleshooting and contribution guide links. (@watilde)

v4.4.2

This week, the focus on the release was mainly going through all of npm's deps that we manage ourselves, and making sure all their PRs and versions were up to date. That means there's a few fixes here and there. Nothing too big codewise, though.

The most exciting part of this release is probably our shiny new Contributing and Troubleshooting docs! @snopeks did some ✨fantastic✨ work hashing it out, and we're really hoping this is a nice big step towards making contributing to npm easier. The troubleshooting doc will also hopefully solve common issues for people! Do you think something is missing from it? File a PR and we'll add it! The current document is just a baseline for further editing and additions.

Also there's maybe a bit of an easter egg in this release. 'Cause those are fun and I'm a huge nerd. 😉

DOCUMENTATION AHOY

• 07e997a #15756 Overhaul CONTRIBUTING.md and add new TROUBLESHOOTING.md files. 🙌🏼 (@snopeks)
• 2f3e4b6 #15833 Mention the 24-hour unpublish policy on the main registry. (@carols10cents)

NOT REALLY FEATURES, NOT REALLY BUGFIXES. MORE LIKE TWEAKS? 🤔

• 84be534 #15888 Stop flattening ls-tree output. From now on, deduped deps will be marked as such in the place where they would've been before getting hoisted by the installer. (@iarna)
• e9a5dca #15967 Limit metadata fetches to 10 concurrent requests. (@iarna)
• 46aa9bc #15967 Limit concurrent installer actions to 10. (@iarna)

BUGFIXES

• c3b994b #15901 Use EXDEV aware move instead of rename. This will allow moving across devices and moving when filesystems don't support renaming directories full of files. It might make folks using Docker a bit happier. (@iarna)
• 0de1a9c #15735 Autocomplete support for npm scripts with : colons in the name. (@beyondcompute)
• 84b0b92 #15874 Stop using undocumented res.writeHeader alias for res.writeHead. (@ChALkeR)
• 895ffe4 #15824 Fix empty versions column in npm search output. (@bcoe)
• 38c8d7a init-package-json@1.9.5: npm/init-package-json#61 Exclude existing devDependencies from being added to dependencies. Fixes #12260. (@addaleax)

v4.4.1

v4.4.1 (2017-03-06):

This is a quick little patch release to forgo the update notification checker if you're on an unsuported (but not otherwise broken) version of Node.js. Right now that means 0.10 or 0.12.

• 56ac249 #15864 Only use update-notifier on supported versions. (@legodude17)

v4.4.0

v4.4.0 (2017-02-23):

Aaaah, @iarna here, it's been a little while since I did one of these! This is a nice little release, we've got an update notifier, vastly less verbose error messages, new warnings on package metadata that will probably give you a bad day, and a sprinkling of bug fixes.

UPDATE NOTIFICATIONS

We now have a little nudge to update your npm, courtesy of update-notifier.

• 148ee66 #15774 npm will now check at start up to see if a newer version is available. It will check once a day. If you want to disable this, set optOut to true in ~/.config/configstore/update-notifier-npm.json. (@ceejbot)

LESS VERBOSE ERROR MESSAGES

npm has, for a long time, had very verbose error messages. There was a lot of info in there, including the cause of the error you were seeing but without a lot of experience reading them pulling that out was time consuming and difficult.

With this change the output is cut down substantially, centering the error message. So, for example if you try to npm run sdlkfj then the entire error you'll get will be:

npm ERR! missing script: sldkfj

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/rebecca/.npm/_logs/2017-02-24T00_41_36_988Z-debug.log

The CLI team has discussed cutting this down even further and stripping the npm ERR! prefix off those lines too. We'd appreciate your feedback on this!

• e544124 #15716 Make error output less verbose. (@iarna)
• 166bda9 #15716 Stop encouraging users to visit the issue tracker unless we know for certain that it's an npm bug. (@iarna)

OTHER NEW FEATURES

• 53412eb #15772 We now warn if you have a module listed in both dependencies and devDependencies. (@TedYav)
• 426b180 #15757 Default reporting metrics to default registry. Previously it defaulted to using https://registry.npmjs.org, now it will default to the result of npm config get registry. For most folks this won't actually change anything, but it means that folks who use a private registry will have metrics routed there by default. This has the potential to be interesting because it means that in the future private registry products (npme!) will be able to report on these metrics. (@iarna)

BUG FIXES

• 8ea0de9 #15716 Write logs for cb() never called errors.
• c4e83dc Make it so that errors while reading the existing node_modules tree can't result in installer crashes. (@iarna)
• 2690dc2 Update npm doctor to not treat broken symlinks in your global modules as a permission failure. This is particularly important if you link modules and your text editor uses the convention of creating symlinks from .#filename.js to a machine name and pid to lock files (eg emacs and compatible things). (@iarna)
• f4c3f48 #15777 Not exactly a bug, but change a parameterless .apply to .call. (@notarseniy)

DEPENDENCY UPDATES

• 549dcff rimraf@2.6.0: Retry EBUSY, ENOTEMPTY and EPERM on non-Windows platforms too. More reliable rimraf.sync on Windows. (@isaacs)
• 052dfb6 validate-npm-package-name@3.0.0: Remove ableist language in README. Stop allowing ~'!()* in package names. (@tomdale) (@chrisdickinson)
• 6663ea6 abbrev@1.1.0 (@isaacs)
• be6de9a opener@1.4.3 (@dominic)
• 900a5e3 readable-stream@2.2.3 (@RangerMauve) (@mcollina)
• c972a8b tacks@1.2.6 (@iarna)
• 85a36ef 7ac9265 tap@10.2.0 (@isaacs)