This will likely be reduced further with the goal that the audit process shouldn't noticibly slow down your builds regardless of your network situation.
npm init
SCAFFOLDINGThanks to the wonderful efforts of @jdalton of
lodash fame, npm init
can now be used to invoke custom scaffolding tools!
You can now do things like npm init react-app
or npm init esm
to scaffold an
npm package by running create-react-app
and create-esm
, respectively. This
also adds an npm create
alias, to correspond to Yarn's yarn create
feature,
which inspired this.
adc009ed4
f363edd04
f03b45fb2
13adcbb52
#20303
#20372
Add an npm init
feature that calls out to npx
when invoked with positional
arguments. (@jdalton)This version of npm adds a new command, npm audit
, which will run a security
audit of your project's dependency tree and notify you about any actions you may
need to take.
The registry-side services required for this command to work will be available on the main npm registry in the coming weeks. Until then, you won't get much out of trying to use this on the CLI.
As part of this change, the npm CLI now sends scrubbed and cryptographically
anonymized metadata about your dependency tree to your configured registry, to
allow notifying you about the existence of critical security flaws. For details
about how the CLI protects your privacy when it shares this metadata, see npm help audit
, or read the docs for npm audit
online. You
can disable this altogether by doing npm config set audit false
, but will no
longer benefit from the service.
c81dfb91b
npm-registry-fetch@1.1.1
(@iarna)b096f44a9
npm-audit-report@1.0.9
(@iarna)43b20b204
#20389
Add new npm audit
command.
(@iarna)49ddb3f56
#20389
Temporarily suppress git metadata till there's an opt-in.
(@iarna)5f1129c4b
#20389
Document the new command.
(@iarna)9a07b379d
#20389
Default audit to off when running the npm test suite itself.
(@iarna)a6e2f1284
Make sure we hide stream errors on background audit submissions. Previously some classes
of error could end up being displayed (harmlessly) during installs.
(@iarna)aadbf3f46
Include session and scope in requests (as we do in other requests to the registry).
(@iarna)7d43ddf63
Exit with non-zero status when vulnerabilities are found. So you can have npm audit
as a test or prepublish step!
(@iarna)bc3fc55fa
Verify lockfile integrity before running. You'd get an error either way, but this way it's
faster and can give you more concrete instructions on how to fix it.
(@iarna)2ac8edd42
Refuse to run in global mode. Audits require a lockfile and globals don't have one. Yet.
(@iarna)663d8b5e5
npm/lockfile#29
lockfile@1.0.4
:
Switches to signal-exit
to detect abnormal exits and remove locks.
(@Redsandro)If a published modules had legacy npm-shrinkwrap.json
we were saving
ordinary registry dependencies (name@version
) to your package-lock.json
as https://
URLs instead of versions.
36f998411
When saving the lock-file compute how the dependency is being required instead of using
_resolved
in the package.json
. This fixes the bug that was converting
registry dependencies into https://
dependencies.
(@iarna)113e1a3af
When encountering a https://
URL in our lockfiles that point at our default registry, extract
the version and use them as registry dependencies. This lets us heal
package-lock.json
files produced by 6.0.0
(@iarna)package-lock.json
FORMAT CHANGES?!074502916
#20384
Add from
field back into package-lock for git dependencies. This will give
npm the information it needs to figure out whether git deps are valid,
specially when running with legacy install metadata or in
--package-lock-only
mode when there's no node_modules
. This should help
remove a significant amount of git-related churn on the lock-file.
(@zkat)e0235ebb6
#20384
Update the lock-file spec doc to mention that we now generate the from field for git
-type dependencies.
(@watilde)35de04676
#20408
Describe what the colors in outdated mean.
(@teameh)1b535cb9d
#20358
npm install-test
(aka npm it
) will no longer generate package-lock.json
when running with --no-package-lock
or package-lock=false
.
(@raymondfeng)268f7ac50
5f84ebdb6
c12e61431
#20390
Fix a scenario where a git dependency had a comittish associated with it
that was not a complete commitid. npm
would never consider that entry
in the package.json
as matching the entry in the package-lock.json
and
this resulted in inappropriate pruning or reinstallation of git
dependencies. This has been addressed in two ways, first, the addition of the
from
field as described in #20384 means
we can exactly match the package.json
. Second, when that's missing (when working with
older package-lock.json
files), we assume that the match is ok. (If
it's not, we'll fix it up when a real installation is done.)
(@iarna)7b13bf5e3
#20331
Fix broken link to 'private-modules' page. The redirect went away when the new
npm website went up, but the new URL is better anyway.
(@vipranarayan14)1c4ffddce
#20279
Document the --if-present
option for npm run-script
.
(@aleclarson)815d91ce0
libnpx@10.2.0
(@zkat)02715f19f
update-notifier@2.5.0
(@alexccl)08c4ddd9e
tar@4.4.2
(@isaacs)53718cb12
tap@11.1.4
(@isaacs)0a20cf546
safe-buffer@5.1.2
(@feross)e8c8e844c
retry@0.12.0
(@tim-kos)76c7f21bd
read-package-tree@5.2.1
(@zkat)c8b0aa07b
query-string@6.1.0
(@sindresorhus)abfd366b4
npm-package-arg@6.1.0
(@zkat)bd29baf83
lock-verify@2.0.2
(@iarna)32ec2f54b
#20257
Add shasum and integrity to the new npm view
output.
(@zkat)a22153be2
#20126
Add npm cit
command that's equivalent of npm ci && npm t
that's equivalent of npm it
.
(@SimenB)089aeaf44
Fix a bug where OTPs passed in via the commandline would have leading
zeros deleted resulted in authentication failures.
(@iarna)
6eaa860ea
Eliminate direct use of new Buffer
in npm
. While the use of it in npm
was safe, there
are two other reasons for this change:
new Buffer
in unsafe ways, if they try
really hard.(@iarna)
85900a294
Starting with 5.8.0 the requires
section of the lock-file saved version ranges instead of
specific versions. Due to a bug, further actions on the same lock-file would result in the
range being switched back to a version. This corrects that, keeping ranges when they appear.
(@iarna)
0dffa9c2a
609d6f6e1
08f81aa94
f8b76e076
6d609822d
59d080a22
Restore the ability to bundle dependencies that are uninstallable from the
registry. This also eliminates needless registry lookups for bundled
dependencies.
Fixed a bug where attempting to install a dependency that is bundled inside another module without reinstalling that module would result in ENOENT errors. (@iarna)
db846c2d5
#20029
Allow packages with non-registry specifiers to follow the fast path that
the we use with the lock-file for registry specifiers. This will improve install time
especially when operating only on the package-lock (--package-lock-only
).
(@zkat)
Fix the a bug where npm i --only=prod
could remove development
dependencies from lock-file.
(@iarna)
3e12d2407
#20122
Improve the update-notifier messaging (borrowing ideas from pnpm) and
eliminate false positives.
(@zkat)
f18be9b39
#20154
Let version succeed when package-lock.json
is gitignored.
(@nwoltman)
ced29253d
#20212
Ensure that we only create an etc
directory if we are actually going to write files to it.
(@buddydvd)
8e21b19a8
#20140
Note in documentation that package-lock.json
version gets touched by npm version
.
(@srl295)
5d17c87d8
#20032
Fix bug where unauthenticated errors would get reported as both 404s and
401s, i.e. npm ERR! 404 Registry returned 401
. In these cases the error
message will now be much more informative.
(@iarna)
05ff6c9b1
#20082
Allow optional @ prefix on scope with npm team
commands for parity with other commands.
(@bcoe)
6bef53891
#19580
Improve messaging when two-factor authentication is required while publishing.
(@jdeniau)
155dab2bd
Fix a bug where optional status of a dependency was not being saved to
the package-lock on the initial install.
(@iarna)
8d6a4cafc
a0937e9af
Ensure that --no-optional
does not remove optional dependencies from the lock-file.
(@iarna)
8baa37551
zkat/cipm#46
libcipm@1.6.2
:
Detect binding.gyp for default install lifecycle. Let's npm ci
work on projects that
have their own C code.
(@caleblloyd)323f74242
zkat/json-parse-better-errors#1
json-parse-better-errors@1.0.2
(@Hoishin)d0cf1f11e
readable-stream@2.3.6
(@mcollina)9e9fdba5e
update-notifier@2.4.0
(@sindersorhus)57fa33870
marked@0.3.1
(@joshbruce)d2b20d34b
#20276
node-gyp@3.6.2
2b5700679
zkat/npx#172
libnpx@10.1.1
(@jdalton)Coming to you this week are a fancy new package view, pack/publish previews and a handful of bug fixes! Let's get right in!
There's a new npm view
in town. You might it as npm info
or npm show
.
The new output gives you a nicely summarized view that for most packages
fits on one screen. If you ask it for --json
you'll still get the same
results, so your scripts should still work fine.
143cdbf13
#19910
Add humanized default view.
(@zkat)ca84be91c
#19910
tiny-relative-date@1.3.0
(@zkat)9a5807c4f
#19910
cli-columns@3.1.2
(@zkat)23b4a4fac
#19910
byte-size@4.0.2
The npm pack
and npm publish
commands print out a summary of the files
included in the package. They also both now take the --dry-run
flag, so
you can double check your .npmignore
settings before doing a publish.
116e9d827
#19908
Add package previews to pack and publish. Also add --dry-run and --json
flags.
(@zkat)If you resolve a package-lock.json
merge conflict with npm install
we
now suggest you setup a merge driver to handle these automatically for you.
If you're reading this and you'd like to set it up now, run:
npx npm-merge-driver install -g
a05e27b71
Going forward, record requested ranges not versions in the package-lock.
(@iarna)f721eec59
Add 10 to Node.js supported version list. It's not out yet, but soon my pretties...
(@iarna)40aabb94e
libcipm@1.6.1
:
Fix bugs on docker and with some prepare
scripts and npm ci
.
Fix a bug where script hooks wouldn't be called with npm ci
.
Fix a bug where npm ci
and --prefix
weren't compatible.
(@isaacseymour)
(@umarov)
(@mikeshirov)
(@billjanitsch)a85372e67
tar@4.4.1
:
Switch to safe-buffer and Buffer.from.
(@isaacs)
(@ChALkeR)588eabd23
lru-cache@4.1.2
:07f27ee89
qrcode-terminal@0.12.0
:01e4e29bc
request@2.85.0
344ba8819
worker-farm@1.6.0
dc6df1bc4
validate-npm-package-license@3.0.3
97a976696
ssri@5.3.0
9b629d0c6
query-string@5.1.1
Hey again, everyone! While last release was focused largely around PRs from the CLI team, this release is mostly pulling in community PRs in npm itself and its dependencies! We've got a good chunk of wonderful contributions for y'all, and even new features and performance improvements! π
We're hoping to continue our biweekly (as in every-other-week biweekly) release schedule from now on, so you should be seeing more steady npm releases from here on out. And that's good, 'cause we've got a ton of new stuff on our roadmap for this year. Keep an eye out for exciting news. π
2f513fe1c
#19904
Make a best-attempt at preserving line ending style when saving
package.json
/package-lock.json
/npm-shrinkwrap.json
. This goes
hand-in-hand with a previous patch to preserve detected indentation style.
(@tuananh)d3cfd41a2
pacote@7.6.1
(@zkat)
file:
-based resolved
URIs in package-lock.json
.ecfbb16dc
#19929
Add support for the NO_COLOR
standard. This gives a
cross-application, consistent way of disabling ANSI color code output. Note
that npm already supported this through --no-color
or
npm_config_color='false'
configurations, so this is just another way to do
it.
(@chneukirchen)fc8761daf
#19629
Give more detailed, contextual information when npm fails to parse
package-lock.json
and npm-shrinkwrap.json
, instead of saying JSON parse error
and leaving you out in the cold.
(@JoshuaKGoldberg)1d368e1e6
#19157
Add --no-proxy
config option. Previously, you needed to use the NO_PROXY
environment variable to use this feature -- now it's an actual npm option.
(@Saturate)f0e998daa
#18426
Do environment variable replacement in config files even for config keys or
fragments of keys.
(@misak113)9847c82a8
#18384
Better error messaging and suggestions when users get EPERM
/EACCES
errors.
(@chrisjpatty)b9d0c0c01
#19448
Holiday celebrations now include all JavaScripters, not just Node developers.
(@isaacs)I hope y'all have been having fun with npm ci
so far! Since this is the first
release since that went out, we've had a few fixes and improvements now that
folks have actually gotten their hands on it! Benchmarks have been super
promising so far, and I've gotten messages from a lot of you saying you've sped
up your CI work by 2-5x in some cases! Have a good example? Tell us on
Twitter!
npm ci
is, right now, the fastest
installer
you can use in CI situations, so go check it out if you haven't already! We'll
continue doing performance improvements on it, and a lot of those will help make
npm install
fast as well. ππ
This libcipm
release includes a number of improvements:
read-package-json
and separate JSON update phase from man/bin linking phase. npm ci
should be noticeably faster.--only
and --also
options._from
to directory deps (aka file:packages/my-dep
).58d2aa58d
#20027
Use a specific mtime when packing tarballs instead of the beginning of epoch
time. This should allow npm pack
to generate tarballs with identical hashes
for identical contents, while fixing issues with some zip
implementations
that do not support pre-1980 timestamps.
(@isaacs)4f319de1d
Don't fall back to couch adduser if we didn't try couch login.
(@iarna)c8230c9bb
#19608
Fix issue where using the npm-bundled npx
on Windows was invoking npx prefix
(and downloading that package).
(@laggingreflex)d70c01970
#18953
Avoid using code that depends on node@>=4
in the unsupported
check, so npm
can report the issue normally instead of syntax-crashing.
(@deployable)4477ca2d9
marked@0.3.17
: Fixes issue preventing correct rendering of backticked
strings. man pages should be rendering correctly now instead of having empty
spaces wherever backticks were used.
(@joshbruce)71076ebda
#19950
Add a note to install --production.
(@kyranet)3a33400b8
#19957
nudge around some details in ci docs
(@zkat)06038246a
#19893
Add a common open reason to the issue template.
(@MrStonedOne)7376dd8af
#19870
Fix typo in npm-config.md
(@joebowbeer)5390ed4fa
#19858
Fix documented default value for config save option. It was still documented
as false
, even though npm@5.0.0
set it to true
by default.
(@nalinbhardwaj)dc36d850a
#19552
Rework npm update
docs now that --save
is on by default.
(@selbekk)5ec5dffc8
#19726
Clarify that name
and version
fields are optional if your package is not
supposed to be installable as a dependency.
(@ngarnier)046500994
#19676
Fix documented cache location on Windows.
(@VladRassokhin)ffa84cd0f
#19475
Added example for homepage
field from package.json
.
(@cg-cnu)de72d9a18
#19307
Document the requires
field in npm help package-lock.json
.
(@jcrben)35c4abded
#18976
Typo fix in coding style documentation.
(@rinfan)0616fd22a
#19216
Add edit
section to description in npm-team.md
.
(@WispProxy)c2bbaaa58
#19194
Tiny style fix in npm.md
.
(@WispProxy)dcdfdcbb0
#19192
Document --development
flag in npm-ls.md
.
(@WispProxy)d7ff07135
#18514
Make it so javascript
-> JavaScript
. This is important.
(@masonpawsey)7a8705113
#18407
Clarify the mechanics of the file
field in package.json
a bit.
(@bmacnaughton)b2a1cf084
#18382
Document the browser
field in
package.json
.
(@mxstbr)b8a48a959
#19907
Consolidate code for stringifying package.json
and package locks. Also adds
tests have been added to test that package[-lock].json
files are written to
disk with their original line endings.
(@nwoltman)b4f707d9f
#19879
Remove unused devDependency nock
from .gitignore
.
(@watilde)8150dd5f7
#16540
Stop doing an uninstall
when using make clean
.
(@metux)ab237a2a5
init-package-json@1.10.3
(@zkat)f6d668941
npm-lifecycle@2.0.1
(@zkat)882bfbdfa
npm-registry-client@8.5.1
(@zkat)6ae38055b
read-package-json@2.0.1
: Support git packed refs --all
mode.
(@zkat)89db703ae
readable-stream@2.3.5
(@mcollina)634dfa5f4
worker-farm@1.5.4
(@rvagg)92ad34439
hosted-git-info@2.6.0
(@zkat)75279c488
tar@4.4.0
(@isaacs)228aba276
write-file-atomic@2.3.0
(@iarna)006e9d272
libnpx@10.0.1
(@zkat)9985561e6
mississippi@3.0.0
(@bcomnes)1dc6b3b52
tap@11.1.2
(@isaacs)This release reverts a patch that could cause some ownership changes on system
files when running from some directories when also using sudo
. π²
Thankfully, it only affected users running npm@next
, which is part of our
staggered release system, which we use to prevent issues like this from going
out into the wider world before we can catch them. Users on latest
would have
never seen this!
The original patch was added to increase consistency and reliability of methods
npm uses to avoid writing files as root
in places it shouldn't, but the change
was applied in places that should have used regular mkdirp
. This release
reverts that patch.
74e149da6
#19883
Revert "*: Switch from mkdirp to correctMkdir to preserve perms and owners"
This reverts commit 94227e15
.
(@zkat)Hey y'all, it's been a while. Expect our release rate to increase back to normal here, as we've got a lot in the pipeline. Right now we've got a bunch of things from folks at npm. In the next release we'll be focusing on user contributions and there are a lot of them queued up!
This release brings a bunch of exciting new features and bug fixes.
Allow npm install
to fix package-lock.json
and npm-shrinkwrap.json
files that have merge conflicts in them without your having to edit them.
It works in conjunction with
npm-merge-driver
to
entirely eliminate package-lock merge conflicts.
The new npm ci
command installs from your lock-file ONLY. If your
package.json
and your lock-file are out of sync then it will report an error.
It works by throwing away your node_modules
and recreating it from scratch.
Beyond guaranteeing you that you'll only get what is in your lock-file it's
also much faster (2x-10x!) than npm install
when you don't start with a
node_modules
.
As you may take from the name, we expect it to be a big boon to continuous integration environments. We also expect that folks who do production deploys from git tags will see major gains.
4d418c21b
#19817
Include contributor count in installation summary.
(@kemitchell)17079c2a8
Require password to change email through npm profile
.
(@iarna)e7c5d226a
4f5327c05
#19780
Add support for web-based logins. This is not yet available on the registry, however.
(@isaacs)827951590
Handle running npm install package-name
with a node_modules
containing
packages without sufficient metadata to verify their origin. The only way
to get install packages like this is to use a non-npm
package manager.
Previously npm
removed any packages that it couldn't verify. Now it
will leave them untouched as long as you're not asking for a full install.
On a full install they will be reinstalled (but the same versions will be
maintained).
This will fix problems for folks who are using a third party package
manager to install packages that have postinstall
scripts that run
npm install
.
(@iarna)
3b305ee71
Only auto-prune on installs that will create a lock-file. This restores
npm@4
compatible behavior when the lock-file is disabled. When using a
lock-file npm
will continue to remove anything in your node_modules
that's not in your lock-file. (@iarna)
cec5be542
Fix bug where npm prune --production
would remove dev deps from the lock
file. It will now only remove them from node_modules
not from your lock
file.
(@iarna)
857dab03f
Fix bug where git dependencies would be removed or reinstalled when
installing other dependencies.
(@iarna)
a66e0cd03
For CIDR filtered tokens, allow comma separated CIDR ranges, as documented. Previously
you could only pass in multiple cidr ranges with multiple --cidr
command line options.
(@iarna)d259ab014
Fix token revocation when an OTP is required. Previously you had to pass
it in via --otp
. Now it will prompt you for an OTP like other
npm token
commands.
(@iarna)f8b1f6aec
Update token and profile commands to support legacy (username/password) authentication.
(The npm registry uses tokens, not username/password pairs, to authenticate commands.)
(@iarna)6954dfc19
Fix a bug where packages would get pushed deeper into the tree when upgrading without
an existing copy on disk. Having packages deeper in the tree ordinarily is harmless but
is not when peerDependencies are in play.
(@iarna)1ca916a1e
Fix bug where when switching from a linked module to a non-linked module, the dependencies
of the module wouldn't be installed on the first run of npm install
.
(@iarna)8c120ebb2
Fix integrity matching to eliminate spurious EINTEGRITY errors.
(@zkat)94227e15e
More consistently make directories using perm and ownership preserving features.
(@iarna)364b23c7f
f2049f9e7
cacache@10.0.4
(@zkat)d183d7675
find-npm-prefix@1.0.2
:
(@iarna)ffd6ea62c
fs-minipass@1.2.5
ee63b8a31
ini@1.3.5
(@isaacs)6f73f5509
JSONStream@1.3.2
(@dominictarr)26cd64869
9bc6230cf
libcipm@1.3.3
(@zkat)21a39be42
marked@0.3.1
:5
(@joshbruce)dabdf57b2
mississippi@2.0.0
2594c5867
npm-registry-couchapp@2.7.1
(@iarna)8abb3f230
osenv@0.1.5
(@isaacs)11a0b00bd
pacote@7.3.3
(@zkat)9b6bdb2c7
query-string@5.1.0
(@sindresorhus)d6d17d6b5
readable-stream@2.3.4
(@mcollina)51370aad5
semver@5.5.0
(@isaacs)0db14bac7
81da938ab
9999e83f8
ssri@5.2.4
(@zkat)f526992ab
tap@11.1.1
(@isaacs)be096b409
dc3059522
tar@4.3.3
6b552daac
uuid@3.2.1
(@broofa)8c9011b72
worker-farm@1.5.2
(@rvagg)You may have noticed this is a semver-minor bump. Wondering why? This is why!
bc263c3fd
#19054
Fully cross-platform package-lock.json
. Installing a failing optional
dependency on one platform no longer removes it from the dependency tree,
meaning that package-lock.json
should now be generated consistently across
platforms! π
(@iarna)f94fcbc50
#19160
Add --package-lock-only
config option. This makes it so you can generate a
target package-lock.json
without performing a full install of
node_modules
.
(@alopezsanchez)66d18280c
#19104
Add new --node-options
config to pass through a custom NODE_OPTIONS
for
lifecycle scripts.
(@bmeck)114d518c7
Ignore mtime when packing tarballs: This means that doing npm pack
on the
same repository should yield two tarballs with the same checksum. This will
also help prevent cache bloat when using git dependencies. In the future, this
will allow npm to explicitly cache git dependencies.
(@isaacs)Previously, it turns out npm broke on the latest Node, node@9
. We went ahead
and fixed it up so y'all should be able to use the latest npm again!
4ca695819
minizlib@1.0.4
: Fix node@9
incompatibility.
(@isaacs)c851bb503
tar@4.0.2
: Fix node@9
incompatibility.
(@isaacs)6caf23096
Remove "unsupported" warning for Node 9 now that things are fixed.
(@iarna)1930b0f8c
Update test matrix with node@8
LTS and node@9
.
(@iarna)b70321733
#18881
When dealing with a node_modules
that was created with older versions of npm
(and thus older versions of npa) we need to gracefully handle older spec
entries. Failing to do so results in us treating those packages as if they
were http remote deps, which results in invalid lock files with version
set
to tarball URLs. This should now be fixed.
(@iarna)2f9c5dd00
#18880
Stop overwriting version in package data on disk. This is another safeguard
against the version overwriting that's plagued some folks upgrading from older
package-locks.
(@iarna)
(@joshclow)a93e0a51d
#18846
Correctly save transitive dependencies when using npm update
in
package-lock.json
.
(@iarna)fdde7b649
#18825
Fix typo and concatenation in error handling.
(@alulsh)be67de7b9
#18711
Upgrade to bearer tokens from legacy auth when enabling 2FA.
(@iarna)bfdf0fd39
#19033
Fix issue where files with @
signs in their names would not get included
when packing tarballs.
(@zkat)b65b89bde
#19048
Fix problem where npm login
was ignoring various networking-related options,
such as custom certs.
(@wejendorp)8c194b86e
npm-packlist@1.1.10
: Include node_modules/
directories not in the root.
(@isaacs)d7ef6a20b
libnpx@9.7.1
: Fix some *nix binary path escaping issues.
(@zkat)981828466
cacache@10.0.1
: Fix fallback to copy-concurrently
when file move fails.
This might fix permissions and such issues on platforms that were getting
weird filesystem errors during install.
(@karolba)a0be6bafb
pacote@7.0.2
: Includes a bunch of fixes, specially for issues around git
dependencies. Shasum-related errors should be way less common now, too.
(@zkat)b80d650de
#19163
Fix a number of git and tarball specs and checksum errors.
(@zkat)cac225025
#19054
Don't count failed optionals when summarizing installed packages.
(@iarna)b1ec2885c
#18326
Stop truncating output of npm view
. This means, for example, that you no
longer need to use --json
when a package has a lot of versions, to see the
whole list.
(@SimenB)55a124e0a
#18884
Profile UX improvements: better messaging on unexpected responses, and stop
claiming we set passwords to null when resetting them.
(@iarna)635481c61
#18844
Improve error messaging for OTP/2FA.
(@iarna)52b142ed5
#19054
Stop running the same rollback multiple times. This should address issues
where Windows users saw strange failures when fsevents
failed to install.
(@iarna)798428b0b
#19172
bin-links@1.1.0
: Log the fact line endings are being changed upon install.
(@marcosscriven)Usually, we don't include internal refactor stuff in our release notes, but it's worth calling out some of them because they're part of a larger effort the CLI team and associates are undertaking to modularize npm itself so other package managers and associated tools can reuse all that code!
9d22c96b7
#18500
Extract bin-links and gentle-fs to a separate library. This will allow
external tools to do bin linking and certain fs operations in an
npm-compatible way!
(@mikesherov)015a7803b
#18883
Capture logging from log events on the process global. This allows npm to use
npmlog to report logging from external libraries like npm-profile
.
(@iarna)c930e98ad
npm-lifecycle@2.0.0
: Use our own node-gyp
. This means npm no longer needs
to pull some maneuvers to make sure node-gyp
is in the right place, and that
external packages using npm-lifecycle
will get working native builds without
having to do their own node-gyp
maneuvers.
(@zkochan)876f0c8f3
829893d61
#19099
find-npm-prefix@1.0.1
: npm's prefix-finding logic is now a standalone
module. That is, the logic that figures out where the root of your project is
if you've cd
'd into a subdirectory. Did you know you can run npm install
from these subdirectories, and it'll only affect the root? It works like git!
(@iarna)7ae12b21c
#18823
Fix spelling of the word authenticator. Because English is hard.
(@tmcw)5dfc3ab7b
#18742
Explicitly state 'github:foo/bar' as a valid shorthand for hosted git specs.
(@felicio)a9dc098a6
#18679
Add some documentation about the script-shell
config.
(@gszabo)24d7734d1
#18571
Change verboten
to forbidden
.
(@devmount)a8a45668f
#18568
Improve wording for the docs for the "engines" section of package.json files.
(@apitman)dbc7e5b60
#19118
Use valid JSON in example for bundledDependencies.
(@charmander)779339485
#19162
Remove trailing white space from npm access
docs.
(@WispProxy)0e7cac941
bluebird@3.5.1
(@petkaantonov)c4d5887d9
update-notifier@2.3.0
(@sindresorhus)eb19a9691
npm-package-arg@6.0.0
(@zkat)91d5dca96
npm-profile@2.0.5
(@iarna)8de66c46e
ssri@5.0.0
(@zkat)cfbc3ea69
worker-farm@1.5.1
(@rvagg)60c228160
query-string@5.0.1
(@sindresorhus)72cad8c66
copy-concurrently@1.0.5
(@iarna)A very quick, record time, patch release, of a bug fix to a (sigh) last minute bug fix.
Hey y'all, this is a big new feature release! We've got some security related goodies plus a some quality-of-life improvements for anyone who uses the public registry (so, virtually everyone).
The changes largely came together in one piece, so I'm just gonna leave the commit line here:
f6ebf5e8b
f97ad6a38
f644018e6
8af91528c
346a34260
Two factor authentication, profile editing and token management.
(@iarna)You can now enable two-factor authentication for your npm account. You can even do it from the CLI. In fact, you have to, for the time being:
npm profile enable-tfa
With the default two-factor authentication mode you'll be prompted to enter a one-time password when logging in, when publishing and when modifying access rights to your modules.
You can now create, list and delete authentication tokens from the comfort
of the command line. Authentication tokens created this way can have NEW
restrictions placed on them. For instance, you can create a read-only
token to give to your CI. It will be able to download your private modules
but it won't be able to publish or modify modules. You can also create
tokens that can only be used from certain network addresses. This way you
can lock down access to your corporate VPN or other trusted machines.
Deleting tokens isn't new, you could do it via the website but now you can do it via the CLI as well.
You can finally change your password from the CLI with npm profile set password
! You can also update your email address with npm profile set email <address>
. If you change your email address we'll send you a new
verification email so you verify that its yours.
You can also update all of the other attributes of your profile that
previously you could only update via the website: fullname
, homepage
,
freenode
, twitter
and github
.
All of these features were implemented in a stand alone library, so if you have use for them in your own project you can find them in npm-profile on the registry. There's also a little mini-cli written just for it at npm-profile-cli. You might also be interested in the API documentation for these new features: user profile editing and authentication.
5ee55dc71
install.sh: Drop support for upgrading from npm@1 as npm@5 can't run on
any Node.js version that ships npm@1. This fixes an issue some folks were seeing when trying
to upgrade using curl | http://npmjs.com/install.sh
.
(@iarna)5cad1699a
npm-lifecycle@1.0.3
Fix a bug where when more than one lifecycle script
got queued to run, npm would crash.
(@zkat)cd256cbb2
npm-packlist@1.1.9
Fix a bug where test directories would always be
excluded from published modules.
(@isaacs)2a11f0215
Fix formatting of unsupported version warning
(@iarna)6d2a285a5
npm-registry-client@8.5.0
69e64e27b
request@2.83.0
34e0f4209
abbrev@1.1.1
10d31739d
aproba@1.2.0
2b02e86c0
meant@1.0.1
b81fff808
rimraf@2.6.2
:
Fixes a long standing bug in rimraf's attempts to work around Windows limitations
where it owns a file and can change its perms but can't remove it without
first changing its perms. This may be an improvement for Windows users of npm under
some circumstances.
(@isaacs)This is a small bug fix release wrapping up most of the issues introduced with 5.4.0.
0b28ac72d
#18458
Fix a bug on Windows where rolling back of failed optional dependencies would fail.
(@marcins)3a1b29991
write-file-atomic@2.1.0
Revert update of write-file-atomic
. There were changes made to it
that were resulting in EACCES errors for many users.
(@iarna)cd8687e12
Fix a bug where if npm decided it needed to move a module during an upgrade it would strip
out much of the package.json
. This would result in broken trees after package updates.5bd0244ee
#18385
Fix npm outdated
when run on non-registry dependencies.
(@joshclow)
(@iarna)b2ab6f43b
#18397
Document that the default loglevel with npm@5
is notice
.
(@KenanY)e5aedcd82
#18372
In npm-config documentation, note that env vars use _ in place of -.
(@jakubholynet)This is a very small bug fix release to fix a problem where permissions on installed binaries were being set incorrectly.
767ff6eee
zkat/pacote#117
#18324
pacote@6.0.2
(@zkat)Here's another small big release, with a handful bunch of fixes and
a couple of small new features! This release has been incubating rather
longer than usual and it's grown quite a bit in that time. I'm also excited
to say that it has contributions from 27 different folks, which is a new
record for us. Our previous record was 5.1.0 at 21. Before that the record
had been held by 1.3.16 since December of 2013.
If you can't get enough of the bleeding edge, I encourage you to check out
our canary release of npm. Get it with npm install -g npmc
. It's going to
be seeing some exciting stuff in the next couple of weeks, starting with a
rewriten npm dedupe
, but moving on to⦠well, you'll just have to wait and
find out.
d080379f6
pacote@6.0.1
Updates extract to use tar@4, which is much faster than the
older tar@2. It reduces install times by as much as 10%.
(@zkat)4cd6a1774
0195c0a8c
#16804
tar@4.0.1
Update publish to use tar@4. tar@4 brings many advantages
over tar@2: It's faster, better tested and easier to work with. It also
produces exactly the same byte-for-byte output when producing tarballs
from the same set of files. This will have some nice carry on effects for
things like caching builds from git. And finally, last but certainly not
least, upgrading to it also let's us finally eliminate fstream
βif
you know what that is you'll know why we're so relieved.
(@isaacs)1ac470dd2
#10382
If you make a typo when writing a command now, npm will print a brief "did you
mean..." message with some possible alternatives to what you meant.
(@watilde)20c46228d
#12356
When running lifecycle scripts, INIT_CWD
will now contain the original
working directory that npm was executed from. Remember that you can use npm run-script
even if you're not inside your package root directory!
(@MichaelQQ)be91e1726
4e7c41f4a
libnpx@9.6.0
: Fixes a number of issues on Windows and adds support for
several more languages: Korean, Norwegian (bokmΓ₯l and nynorsk), Ukrainian,
Serbian, Bahasa Indonesia, Polish, Dutch and Arabic.
(@zkat)2dec601c6
#17142
Add the new commit-hooks
option to npm version
so that you can disable commit
hooks when committing the version bump.
(@faazshift)bde151902
#14461
Make output from npm ping
clear as to its success or failure.
(@legodude17)b6d5549d2
#17844
Make package-lock.json sorting locale-agnostic. Previously, sorting would vary
by locale, due to using localeCompare
for key sorting. This'll give you
a little package-lock.json churn as it reshuffles things, sorry!
(@LotharSee)44b98b9dd
#17919
Fix a crash where npm prune --production
would fail while removing .bin
.
(@fasterthanlime)c3d1d3ba8
#17816
Fail more smoothly when attempting to install an invalid package name.
(@SamuelMarks)55ac2fca8
#12784
Guard against stack overflows when marking packages as failed.
(@vtravieso)597cc0e4b
#15087
Stop outputting progressbars or using color on dumb terminals.
(@iarna)7a7710ba7
#15088
Don't exclude modules that are both dev & prod when using npm ls --production
.
(@iarna)867df2b02
#18164
Only do multiple procs on OSX for now. We've seen a handful of issues
relating to this in Docker and in on Windows with antivirus.
(@zkat)23540af7b
#18117
Some package managers would write spaces to the _from field in package.json's in the
form of name @spec
. This was causing npm to fail to interpret them. We now handle that
correctly and doubly make sure we don't do that ourselves.
(@IgorNadj)0ef320cb4
#16634
Convert any bin script with a shbang a the start to Unix line-endings. (These sorts of scripts
are not compatible with Windows line-endings even on Windows.)
(@ScottFreeCode)71191ca22
#16476
npm-lifecycle@1.0.2
Running an install with --ignore-scripts
was resulting in the
the package object being mutated to have the lifecycle scripts removed from it and that
in turn was being written out to disk, causing further problems. This fixes that:
No more mutation, no more unexpected changes.
(@addaleax)459fa9d51
npm/read-package-json#74
#17802
read-package-json@2.0.1
Use unix-style slashes for generated bin
entries, which lets them be cross platform even when produced on Windows.
(@iarna)5ec72ab5b
#18229
Make install.sh find nodejs on debian.
(@cebe)b019680db
#10846
Remind users that they have to install missing peerDependencies
manually.
(@ryanflorence)3aee5986a
#17898
Minor punctuation fixes to the README.
(@AndersDJohnson)e0d0a7e1d
#17832
Fix grammar, format, and spelling in documentation for run-script
.
(@simonua)3fd6a5f2f
#17897
Add more info about using files
with npm pack
/npm publish
.
(@davidjgoss)f00cdc6eb
#17785
Add a note about filenames for certificates on Windows, which use a different
extension and file type.
(@lgp1985)0cea6f974
#18022
Clarify usage for the files
field in package.json
.
(@xcambar)a0fdd1571
#15234
Clarify the behavior of the files
array in the package-json docs.
(@jbcpollak)cecd6aa5d
#18137
Clarify interaction between npmignore and files in package.json.
(@supertong)6b8972039
#18044
Corrected the typo in package-locks docs.
(@vikramnr)6e012924f
#17667
Fix description of package.json in npm-scripts docs.
(@tripu)48d84171a
f60b05d63
semver@5.4.1
Perf improvements.
(@zkat)f4650b5d4
write-file-atomic@2.3.0
:
Serialize writes to the same file so that results are deterministic.
Cleanup tempfiles when process is interrupted or killed.
(@ferm10n)
(@iarna)96d78df98
80e2f4960
4f49f687b
07d2296b1
a267ab430
#18176
#18025
Move the lifecycle code out of npm into a separate library,
npm-lifecycle
. Shh, I didn't tell you this, but this
portends to some pretty cool stuff to come very soon now.
(@mikesherov)0933c7eaf
#18025
Force Travis to use Precise instead of Trusty. We have issues with our
couchdb setup and Trusty. =/
(@mikesherov)afb086230
#18138
Fix typos in files-and-ignores test.
(@supertong)3e6d11cde
#18175
Update dependencies to eliminate transitive dependencies with the WTFPL license, which
some more serious corporate lawyery types aren't super comfortable with.
(@zkat)ee4c9bd8a
#16474
The tests in test/tap/lifecycle-signal.js
, as well as the features
they are testing, are partially broken. This moves them from
being skipped in CI to being disabled only for certain platforms.
In particular, because npm
spawns its lifecycle scripts in a
shell, signals are not necessarily forwarded by the shell and
wonβt cause scripts to exit; also, shells may report the signal
they receive using their exit status, rather than terminating
themselves with a signal.
(@addaleax)9462e5d9c
#16547
Remove unused file: bin/read-package-json.js
(@metux)0756d687d
#16550
The build tools for the documentation need to be built/installed
before the documents, even with parallel builds.
Make has a simple mechanism which was made exactly for that:
target dependencies.
(@metux)As mentioned before, we're continuing to do relatively rapid, smaller releases
as we keep working on stomping out npm@5
issues! We've made a lot of progress
since 5.0 already, and this release is no exception.
1e3a46944
#17616
Add --link
filter option to npm ls
.
(@richardsimko)33df0aaa
libnpx@9.2.0
:
33df0aaa
libnpx@9.2.0
:
npx npx npx npx npx npx npx npx
works again.update-notifier
will no longer run for the npx bundled with npm.npx <cmd>
in a subdirectory of your project should be able to find your node_modules/.bin
now. Oops
(@zkat)8e979bf80
Revert change where npm stopped flattening modules that required peerDeps.
This caused problems because folks were using peer deps to indicate that the
target of the peer dep needed to be able to require the dependency and had
been relying on the fact that peer deps didn't change the shape of the tree
(as of npm@3).
The fix that will actually work for people is for a peer dep to insist on
never being installed deeper than the the thing it relies on. At the moment
this is tricky because the thing the peer dep relies on may not yet have
been added to the tree, so we don't know where it is.
(@iarna)7f28a77f3
#17733
Split remove and unbuild actions into two to get uninstall lifecycles and the
removal of transitive symlinks during uninstallation to run in the right
order.
(@iarna)637f2548f
#17748
When rolling back use symlink project-relative path, fixing some issues with
fs-vacuum
getting confused while removing symlinked things.
(@iarna)f153b5b22
#17706
Use semver to compare node versions in npm doctor instead of plain >
comparison.
(@leo-shopify)542f7561
#17742
Fix issue where npm version
would sometimes not commit package-locks.
(@markpeterfejes)51a9e63d
#17777
Fix bug exposed by other bugfixes where the wrong package would be removed.
(@iarna)Have we mentioned we really like documentation patches? Keep sending them in! Small patches are just fine, and they're a great way to get started contributing to npm!
fb42d55a9
#17728
Document semver git urls in package.json docs.
(@sankethkatta)f398c700f
#17684
Tweak heading hierarchy in package.json docs.
(@sonicdoe)d5ad65e50
#17691
Explicitly document --no-save
flag for uninstall.
(@timneedham)It's only been a couple of days but we've got some bug fixes we wanted to
get out to you all. We also believe that
npx
is ready to be bundled
with npm, which we're really excited about!
npx is a tool intended to help round out the experience of using packages from the npm registryβββthe same way npm makes it super easy to install and manage dependencies hosted on the registry, npx is meant to make it easy to use CLI tools and other executables hosted on the registry. It greatly simplifies a number of things that, until now, required a bit of ceremony to do with plain npm.
@zkat has a great introduction post to npx that I highly recommend you give a read
9fe905c39
#17652
Fix max callstack exceeded loops with trees with circular links.
(@iarna)c0a289b1b
#17606
Make sure that when write package.json and package-lock.json we always use unix path separators.
(@Standard8)1658b79ca
#17654
Make npm outdated
show results for globals again. Previously it never thought they were out of date.
(@iarna)06c154fd6
#17678
Stop flattening modules that have peer dependencies. We're making this
change to support scenarios where the module requiring a peer dependency
is flattened but the peer dependency itself is not, due to conflicts. In
those cases the module requiring the peer dep can't be flattened past the
location its peer dep was placed in. This initial fix is naive, never
flattening peer deps, and we can look into doing something more
sophisticated later on.
(@iarna)88aafee8b
#17677
There was an issue where updating a flattened dependency would sometimes
unflatten it. This only happened when the dependency had dependencies
that in turn required the original dependency.
(@iarna)b58ec8eab
#17626
Integrators who were building their own copies of npm ran into issues because
make install
and https://npmjs.com/install.sh weren't aware that
npm install
creates links now when given a directory to work on. This does not impact folks
installing npm with npm install -g npm
.
(@iarna)10bef735e
#17645
Fix some github issue links in the 5.1.0 changelog
(@schmod)85fa9dcb2
#17634
Fix typo in package-lock docs.
(@sonicdoe)688699bef
#17628
Recommend that folks looking for support join us on https://package.community/ or message
@npm_support on Twitter.
(@strugee)Hey y'all~
We've got some goodies for you here, including npm@5
's first semver-minor
release! This version includes a huge number of fixes, particularly for some of
the critical bugs users were running into after upgrading npm. You should
overall see a much more stable experience, and we're going to continue hacking
on fixes for the time being. Semver-major releases, specially for tools like
npm, are bound to cause some instability, and getting npm@5
stable is the CLI
team's top priority for now!
Not that bugfixes are the only things that landed, either: between improvements
that fell out of the bugfixes, and some really cool work by community members
like @mikesherov, npm@5.1.0
is twice as
fast as npm@5.0.0
in some benchmarks. We're not stopping there, either: you
can expect a steady stream of speed improvements over the course of the year.
It's not top priority, but we'll keep doing what we can to make sure npm saves
its users as much time as possible.
Hang on to your seats. At 100 commits, this release is a bit of a doozy. π
Semver-minor releases, of course, mean that there's a new feature somewhere, right? Here's what's bumping that number for us this time:
a09c1a69d
#16687
Allow customizing the shell used to execute run-script
s.
(@mmkal)4f45ba222
a48958598
901bef0e1
#17508
Add a new requires
field to package-lock.json
with information about the
logical dependency tree. This includes references to the specific version
each package is intended to see, and can be used for many things, such as
converting package-lock.json
to other lockfile
formats, various
optimizations, and verifying correctness of a package tree.
(@iarna)47e8fc8eb
#17508
Make npm ls
take package locks (and shrinkwraps) into account. This means
npm ls
can now be used to see which dependencies are
missing, so long as
a package lock has been previously generated with it in.
(@iarna)f0075e7ca
#17508
Take package.json
changes into account when running installs -- if you
remove or add a dependency to package.json
manually, npm will now pick that
up and update your tree and package lock accordingly.
(@iarna)83a5455aa
#17205
Add npm udpate
as an alias for npm update
, for symmetry with
install
/isntall
.
(@gdassori)57225d394
#17120
npm will no longer warn about preferGlobal
, and the option is now
deprecated.
(@zkat)82df7bb16
#17351
As some of you may already know npm build
doesn't do what a lot of people
expect: It's mainly an npm plumbing command, and is part of the more familiar
npm rebuild
command. That said, a lot of users assume that this is the way
to run an npm run-script
named build
, which is an incredibly common script
name to use. To clarify things for users, and encourage them to use npm run build
instead, npm will now warn if npm build
is run without any arguments.
(@lennym)59f86ef90
43be9d222
e906cdd98
#16633
npm now parallelizes tarball extraction across multiple child process workers.
This can significantly speed up installations, specially when installing from
cache, and will improve with number of processors.
(@zkat)e0849878d
#17441
Avoid building environment for empty lifecycle scripts. This change alone
accounted for as much as a 15% speed boost for npm installations by outright
skipping entire steps of the installer when not needed.
(@mikesherov)265c2544c
npm/hosted-git-info#24
hosted-git-info@2.5.0
: Add caching to fromURL
, which gets called many,
many times by the installer. This improved installation performance by around
10% on realistic application repositories.
(@mikesherov)901d26cb
npm/read-package-json#20
read-package-json@2.0.9
: Speed up installs by as much as 20% by
reintroducing a previously-removed cache and making it actually be correct
this time around.
(@mikesherov)44e37045d
Eliminate Bluebird.promisifyAll
from our codebase.
(@iarna)3b4681b53
#17508
Stop calling addBundle
on locked deps, speeding up the
package-lock.json
-based fast path.
(@iarna)package-lock.json
field, called requires
, which tracks which modules a given module requires.package.json
to trump the package-lock.json
.npm ls
now loads the shrinkwrap, which opens the door to showing a full tree of dependencies even when nothing is yet installed. (It doesn't do that yet though.)
(@iarna)656544c31
d21ab57c3
#16637
Fix some cases where npm prune
was leaving some dependencies unpruned if
to-be-pruned dependencies depended on them.
(@exogen)394436b09
#17552
Make refresh-package-json
re-verify the package platform. This fixes an
issue most notably experienced by Windows users using create-react-app
where
fsevents
would not short-circuit and cause a crash during its
otherwise-skipped native build phase.
(@zkat)9e5a94354
#17590
Fix an issue where npm@5
would crash when trying to remove packages
installed with npm@<5
.
(@iarna)c3b586aaf
#17141
Don't update the package.json when modifying packages that don't go there.
This was previously causing package.json
to get a "false": {}
field added.
(@iarna)d04a23de2
4a5b360d5
d9e53db48
pacote@2.7.38
:
e2f815f87
#17104
Write an empty str and wait for flush to exit to reduce issues with npm
exiting before all output is complete when it's a child process.
(@zkat)835fcec60
#17060
Make git repos with prepare scripts always install with both dev and prod
flags.
(@intellix)f1dc8a175
#16879
Fix support for always-auth
and _auth
. They are now both available in both
unscoped and registry-scoped configurations.
(@jozemlakar)ddd8a1ca2
Serialize package specs to prevent [object Object]
showing up in logs during
extraction.
(@zkat)99ef3b52c
#17505
Stop trying to commit updated npm-shrinkwrap.json
and package-lock.json
if
they're .gitignore
d.
(@zkat)58be2ec59
Make sure uid and gid are getting correctly set even when they're 0
. This
should fix some Docker-related issues with bad permissions/broken ownership.
(@rgrove)
(@zkat)9d1e3b6fa
#17506
Skip writing package.json and locks if on-disk version is identical to the new
one.
(@zkat)3fc6477a8
#17592
Fix an issue where npm install -g .
on a package with no name
field would
cause the entire global node_modules
directory to be replaced with a symlink
to $CWD
. lol.
(@iarna)06ba0a14a
#17591
Fix spurious removal reporting: if you tried to remove something that didn't
actually exist, npm would tell you it removed 1 package even though there was
nothing to do.
(@iarna)20ff05f8
#17629
When removing a link, keep dependencies installed inside of it instead of
removing them, if the link is outside the scope of the current project. This
fixes an issue where removing globally-linked packages would remove all their
dependencies in the source directory, as well as some ergonomic issues when
using links in other situations.
(@iarna)fd5fab595
#16441
Add spec for npm-shrinkwrap.json
and package-lock.json
from RFC.
(@iarna)9589c1ccb
#17451
Fix typo in changelog.
(@watilde)f8e76d856
#17370
Correct the default prefix config path for Windows operating systems in the
documentation for npm folders.
(@kierendixon)d0f3b5a12
#17369
Fix npm-config
reference to userconfig
& globalconfig
environment
variables.
(@racztiborzoltan)87629880a
#17336
Remove note in docs about prepublish
being entirely removed.
(@Hirse)a1058afd9
#17169
Document --no-package-lock
flag.
(@leggsimon)32fc6e41a
#17250
Fix a typo in the shrinkwrap docs.
(@Zarel)f19bd3c8c
#17249
Fix a package-lock.json cross-reference link.
(@not-an-aardvark)153245edc
#17075
Fix a typo in npm-config
docs.
(@KennethKinLum)c9b534a14
#17074
Clarify config documention with multiple boolean flags.
(@KennethKinLum)e111b0a40
#16768
Document the -l
option to npm config list
.
(@happylynx)5a803ebad
#16548
Fix permissions for documentation files. Some of them had +x
set. (???)
(@metux)d57d4f48c
#17319
Document that the --silent
option for npm run-script
can be used to
suppress npm ERR!
output on errors.
(@styfle)Not all contributions need to be visible features, docs, or bugfixes! It's super helpful when community members go over our code and help clean it up, too!
9e5b76140
#17411
Convert all callback-style move
usage to use Promises.
(@vramana)0711c08f7
#17394
Remove unused argument in deepSortObject
.
(@vramana)7d650048c
#17563
Refactor some code to use Object.assign
.
(@vramana)993f673f0
#17600
Remove an old comment.
(@vramana)Hey y'all. This is another minor patch release with a variety of little fixes we've been accumulating~
f0a37ace9
Fix npm doctor
when hitting registries without ping
.
(@zkat)64f0105e8
Fix invalid format error when setting cache-related headers.
(@zkat)d2969c80e
Fix spurious EINTEGRITY
issue.
(@zkat)800cb2b4e
#17076
Use legacy from
field to improve upgrade experience from legacy shrinkwraps
and installs.
(@zkat)4100d47ea
#17007
Restore loose semver parsing to match older npm behavior when running into
invalid semver ranges in dependencies.
(@zkat)35316cce2
#17005
Emulate npm@4's behavior of simply marking the peerDep as invalid, instead of
crashing.
(@zkat)e7e8ee5c5
#16937
Workaround for separate bug where requested
was somehow null.
(@forivall)2d9629bb2
Better logging output for git errors.
(@zkat)2235aea73
More scp-url fixes: parsing only worked correctly when a committish was
present.
(@zkat)80c33cf5e
Standardize package permissions on tarball extraction, instead of using perms
from the tarball. This matches previous npm behavior and fixes a number of
incompatibilities in the wild.
(@zkat)2b1e40efb
Limit shallow cloning to hosts which are known to support it.
(@zkat)Happy Monday, y'all! We've got another npm release for you with the fruits of
our ongoing bugsquashing efforts. You can expect at least one more this week,
but probably more -- and as we announced last week, we'll be merging fixes more
rapidly into the npmc
canary so you can get everything as soon as possible!
Hope y'all are enjoying npm5 in the meantime, and don't hesitate to file issues for anything you find! The goal is to get this release rock-solid as soon as we can. π
6e12a5cc0
Bump several dependencies to get improvements and bugfixes:
cacache
: content files (the tarballs) are now read-only.pacote
: fix failing clones with bad heads, send extra TLS-related opts to proxy, enable global auth configurations and _auth
-based auth.ssri
: stop crashing with can't call method find of undefined
when running into a weird opts.integrity
/opts.algorithms
conflict during verification.
(@zkat)89cc8e3e1
#16917
Send ca
, cert
and key
config through to network layer.
(@colinrotherham)6a9b51c67
#16929
Send npm-session
header value with registry requests again.
(@zarenner)662a15ab7
Fix npm doctor
so it stop complaining about read-only content files in the
cache.
(@zkat)191d10a66
#16918
Clarify prepublish deprecation message.
(@Hirse)Here's another patch release, soon after the other!
This particular release includes a slew of fixes to npm's git support, which was causing some issues for a chunk of people, specially those who were using self-hosted/Enterprise repos. All of those should be back in working condition now.
There's another shiny thing you might wanna know about: npm has a Canary release
now! The npm5
experiment we did during our beta proved to be incredibly
successful: users were able to have a tight feedback loop between reports and
getting the bugfixes they needed, and the CLI team was able to roll out
experimental patches and have the community try them out right away. So we want
to keep doing that.
From now on, you'll be able to install the 'npm canary' with npm i -g npmc
.
This release will be a separate binary (npmc
. Because canary. Get it?), which
will update independently of the main CLI. Most of the time, this will track
release-next
or something close to it. We might occasionally toss experimental
branches in there to see if our more adventurous users run into anything
interesting with it. For example, the current canary (npmc@5.0.1-canary.6
)
includes an experimental multiproc
branch that parallelizes tarball
extraction across multiple processes.
If you find any issues while running the canary version, please report them and
let us know it came from npmc
! It would be tremendously helpful, and finding
things early is a huge reason to have it there. Happy hacking!
Just a heads up: We're preparing to do a massive cleanup of the issue tracker. It's been a long time since it was something we could really keep up with, and we didn't have a process for dealing with it that could actually be sustainable.
We're still sussing the details out, and we'll talk about it more when we're about to do it, but the plan is essentially to close old, abandoned issues and start over. We will also add some automation around issue management so that things that we can't keep up with don't just stay around forever.
Stay tuned!
1f26e9567
pacote@2.7.27
: Fixes installing committishes that look like semver, even
though they're not using the required #semver:
syntax.
(@zkat)85ea1e0b9
npm-package-arg@5.1.1
: This includes the npa git-parsing patch to make it so
non-hosted SCP-style identifiers are correctly handled. Previously, npa would
mangle them (even though hosted-git-info is doing the right thing for them).
(@zkat)The new summary output has been really well received! One downside that reared
its head as more people used it, though, is that it doesn't really tell you
anything about the toplevel versions it installed. So, if you did npm i -g foo
, it would just say "added 1 package". This patch by
@rmg keeps things concise while still telling you
what you got! So now, you'll see something like this:
$ npm i -g foo bar
+ foo@1.2.3
+ bar@3.2.1
added 234 packages in .005ms
362f9fd5b
#16899
For every package that is given as an argument to install, print the name and
version that was actually installed.
(@rmg)a47593a98
#16835
Fix a crash while installing with --no-shrinkwrap
.
(@jacknagel)89e0cb816
#16818
Fixes a spelling error in the docs. Because the CLI team has trouble spelling
"package", I guess.
(@ankon)c01fbc46e
#16895
Remove --save
from npm init
instructions, since it's now the default.
(@jhwohlgemuth)80c42d218
Guard against cycles when inflating bundles, as symlinks are bundles now.
(@iarna)7fe7f8665
#16674
Write the builtin config for npmc
, not just npm
. This is hardcoded for npm
self-installations and is needed for Canary to work right.
(@zkat)63df4fcdd
#16894
node-gyp@3.6.2
:
Fixes an issue parsing SDK versions on Windows, among other things.
(@refack)5bb15c3c4
read-package-tree@5.1.6
: Fixes some racyness while reading the tree.
(@iarna)a6f7a52e7
aproba@1.1.2
: Remove nested function declaration for speed up
(@mikesherov)Hey y'all! Hope you're enjoying the new npm!
As you all know, fresh software that's gone through major overhauls tends to
miss a lot of spots the old one used to handle well enough, and npm@5
is no
exception. The CLI team will be doing faster release cycles that go directly to
the latest
tag for a couple of weeks while 5 stabilizes a bit and we're
confident the common low-hanging fruit people are running into are all taken
care of.
With that said: this is our first patch release! The biggest focus is fixing up a number of git-related issues that folks ran into right out the door. It also fixes other things, like some proxy/auth-related issues, and even has a neat speed boost! (You can expect more speed bumps in the coming releases as pending work starts landing, too!)
Thanks everyone who's been reporting issues and submitting patches!
e61e68dac
#16762
Make npm publish
obey the --tag
flag again.
(@zkat)923fd58d3
#16749
Speed up installations by nearly 20% by... removing one line of code. (hah)
(@mikesherov)9aac984cb
Guard against a particular failure mode for a bug still being hunted down.
(@iarna)80ab521f1
Pull in dependency updates for various core deps:
pacote
fixes several git-related bugs.ssri
update fixes crash on early node@4 versions.make-fetch-happen
update fixes proxy authentication issue.npm-user-validate
adds regex for blocking usernames with illegal chars.
(@zkat)7e5ce87b8
pacote@2.7.26
:
Fixes various other git issues related to commit hashes.
(@zkat)acbe85bfc
#16791
npm view
was calling cb
prematurely and giving partial output when called
in a child process.
(@zkat)ebafe48af
#16750
Hamilpatch the Musical: Talk less, complete more.
(@aredridel)dc2823a6c
#16799
Document that package-lock.json
is never allowed in tarballs.
(@sonicdoe)f3cb84b44
#16771
Fix npm -l
usage information for the test
command.
(@grawlinson)661262309
#16756
remove unused argument
(@Aladdin-ADD)c3e0b4287
#16296
preserve same name convention for command
(@desfero)9f814831d
#16757
remove unused argument
(@Aladdin-ADD)3cb843239
minor linter fix
(@zkat)Wowowowowow npm@5!
This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-tolerant. It comes with changes to make life easier for people doing monorepos, for users who want consistency/security guarantees, and brings semver support to git dependencies. See below for all the deets!
Existing npm caches will no longer be used: you will have to redownload any cached packages. There is no tool or intention to reuse old caches. (#15666)
npm install ./packages/subdir
will now create a symlink instead of a regular installation. file://path/to/tarball.tgz
will not change -- only directories are symlinked. (#15900)
npm will now scold you if you capitalize its name. seriously it will fight you.
npm will --save
by default now. Additionally, package-lock.json
will be automatically created unless an npm-shrinkwrap.json
exists. (#15666)
Git dependencies support semver through user/repo#semver:^1.2.3
(#15308) (#15666) (@sankethkatta)
Git dependencies with prepare
scripts will have their devDependencies
installed, and npm install
run in their directory before being packed.
npm cache
commands have been rewritten and don't really work anything like they did before. (#15666)
--cache-min
and --cache-max
have been deprecated. (#15666)
Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. (#15666)
package locks no longer exclude optionalDependencies
that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform. (#15900)
If you generated your package lock against registry A, and you switch to registry B, npm will now try to install the packages from registry B, instead of A. If you want to use different registries for different packages, use scope-specific registries (npm config set @myscope:registry=https://myownregist.ry/packages/
). Different registries for different unscoped packages are not supported anymore.
Shrinkwrap and package-lock no longer warn and exit without saving the lockfile.
Local tarballs can now only be installed if they have a file extensions .tar
, .tar.gz
, or .tgz
.
A new loglevel, notice
, has been added and set as default.
One binary to rule them all: ./cli.js
has been removed in favor of ./bin/npm-cli.js
. In case you were doing something with ./cli.js
itself. (#12096) (@watilde)
The "extremely legacy" _token
couchToken has been removed. (#12986)
A new, standardised lockfile feature meant for cross-package-manager compatibility (package-lock.json
), and a new format and semantics for shrinkwrap. (#16441)
--save
is no longer necessary. All installs will be saved by default. You can prevent saving with --no-save
. Installing optional and dev deps is unchanged: use -D/--save-dev
and -O/--save-optional
if you want them saved into those fields instead. Note that since npm@3, npm will automatically update npm-shrinkwrap.json when you save: this will also be true for package-lock.json
. (#15666)
Installing a package directory now ends up creating a symlink and does the Right Thingβ’ as far as saving to and installing from the package lock goes. If you have a monorepo, this might make things much easier to work with, and probably a lot faster too. π (#15900)
Project-level (toplevel) preinstall
scripts now run before anything else, and can modify node_modules
before the CLI reads it.
Two new scripts have been added, prepack
and postpack
, which will run on both npm pack
and npm publish
, but NOT on npm install
(without arguments). Combined with the fact that prepublishOnly
is run before the tarball is generated, this should round out the general story as far as putzing around with your code before publication.
Git dependencies with prepare
scripts will now have their devDependencies installed, and their prepare script executed as if under npm pack
.
Git dependencies now support semver-based matching: npm install git://github.com/npm/npm#semver:^5
(#15308, #15666)
node-gyp
now supports node-gyp.cmd
on Windows (#14568)
npm no longer blasts your screen with the whole installed tree. Instead, you'll see a summary report of the install that is much kinder on your shell real-estate. Specially for large projects. (#15914):
$ npm install
npm added 125, removed 32, updated 148 and moved 5 packages in 5.032s.
$
--parseable
and --json
now work more consistently across various commands, particularly install
and ls
.
Indentation is now detected and preserved for package.json
, package-lock.json
, and npm-shrinkwrap.json
. If the package lock is missing, it will default to package.json
's current indentation.
sha512
and sha1
checksums. Versions of npm from 5 onwards will use the strongest algorithm available to verify downloads. npm/npm-registry-client#157We've been talking about rewriting the cache for a loooong time. So here it is. Lots of exciting stuff ahead. The rewrite will also enable some exciting future features, but we'll talk about those when they're actually in the works. #15666 is the main PR for all these changes. Additional PRs/commits are linked inline.
Package metadata, package download, and caching infrastructure replaced.
It's a bit faster. Hopefully it will be noticeable. π€
With the shrinkwrap and package-lock changes, tarballs will be looked up in the cache by content address (and verified with it).
Corrupted cache entries will automatically be removed and re-fetched on integrity check failure.
npm CLI now supports tarball hashes with any hash function supported by Node.js. That is, it will use sha512
for tarballs from registries that send a sha512
checksum as the tarball hash. Publishing with sha512
is added by npm/npm-registry-client#157 and may be backfilled by the registry for older entries.
Remote tarball requests are now cached. This means that even if you're missing the integrity
field in your shrinkwrap or package-lock, npm will be able to install from the cache.
Downloads for large packages are streamed in and out of disk. npm is now able to install packages of """any""" size without running out of memory. Support for publishing them is pending (due to registry limitations).
Automatic fallback-to-offline mode. npm will seamlessly use your cache if you are offline, or if you lose access to a particular registry (for example, if you can no longer access a private npm repo, or if your git host is unavailable).
A new --prefer-offline
option will make npm skip any conditional requests (304 checks) for stale cache data, and only hit the network if something is missing from the cache.
A new --prefer-online
option that will force npm to revalidate cached data (with 304 checks), ignoring any staleness checks, and refreshing the cache with revalidated, fresh data.
A new --offline
option will force npm to use the cache or exit. It will error with an ENOTCACHED
code if anything it tries to install isn't already in the cache.
A new npm cache verify
command that will garbage collect your cache, reducing disk usage for things you don't need (-handwave-), and will do full integrity verification on both the index and the content. This is also hooked into npm doctor
as part of its larger suite of checking tools.
The new cache is very fault tolerant and supports concurrent access.
npm cache clear
is no longer useful for anything except clearing up disk space.Package metadata is cached separately per registry and package type: you can't have package name conflicts between locally-installed packages, private repo packages, and public repo packages. Identical tarball data will still be shared/deduplicated as long as their hashes match.
HTTP cache-related headers and features are "fully" (lol) supported for both metadata and tarball requests -- if you have your own registry, you can define your own cache settings the CLI will obey!
prepublishOnly
now runs before the tarball to publish is created, after prepare
has run.