6.4.1
BUGFIXES
- Prevent blowing up on malformed responses from the npm audit
endpoint, such as with third-party registries.
- Fix NO_PROXY support by renaming npm-side config to --noproxy. The
environment variable should still work.
- Disable update-notifier checks when a CI environment is detected.
- Fix issue where postpack scripts would break if pack was used with
--dry-run.
DEPENDENCY BUMPS
- figgy-pudding@3.4.1
- cacache@11.2.0
- npm-packlist@1.1.11
- libcipm@2.0.2
- JSONStream@1.3.4
- npm-lifecycle@2.1.0
- npm-registry-client@8.6.0
- opener@1.5.0
- request@2.88.0
- tacks@1.2.7
- ci-info@1.4.0
- marked@0.5.0
DOCUMENTATION
- Mention registry terms of use in manpage and registry docs and
update language in README for it.
- Add documentation for --dry-run in install and pack docs.
- Update republish time and lightly reorganize republish info.
- Correct npm@6.4.0 release date in changelog.
- Align command descriptions in help text.
6.4.0
NEW FEATURES
- Search for authentication token defined by environment variables by
preventing the translation layer from env variable to npm option
from breaking :_authToken.
- Stop filtering out non-IPv4 addresses from local-addrs, making npm
actually use IPv6 addresses when it must.
- Configurable audit level for non-zero exit npm audit currently exits
with exit code 1 if any vulnerabilities are found of any level. Add
a flag of --audit-level to npm audit to allow it to pass if only
vulnerabilities below a certain level are found. Example: npm audit
--audit-level=high will exit with 0 if only low or moderate level
vulns are detected.
BUGFIXES
- Don't check for updates to npm when we are updating npm itself.
## v6.3.0 (2018-08-01):
- `figgy-pudding@3.2.0`
- `cacache@11.1.0`
## v6.3.0-next.0 (2018-07-25):
### NEW FEATURES
- `npm version` now supports a `--preid` option to specify the preid
for prereleases. For example, `npm version premajor --preid rc` will tag
a version like `2.0.0-rc.0`.
### MESSAGING IMPROVEMENTS
- Make `npm audit fix` message provide better instructions for
vulnerabilities that require manual review.
- Fix missing colon next to tarball url in new `npm view` output.
- Use the defaut OTP explanation everywhere except when the context is
"OTP-aware" (like when setting double-authentication). This improves
the overall CLI messaging when prompting for an OTP code.
### MISC
- Use the extracted `stringify-package` package.
- `wrappy` was previously added to dependencies in order to flatten
it, but we no longer do legacy-style for npm itself, so it has been
removed from `package.json`.
## v6.2.0 (2018-07-13):
### FEATURES
- Add support for tab-separated output for `npm audit` data with the
`--parseable` flag.
- Add new `sign-git-commit` config to control whether the git commit
itself gets signed, or just the tag (which is the default).
### FIXES
- Do not use `SET` to fetch the env in git-bash or Cygwin.
### DEPENDENCY BUMPS
- `request@2.81.0`: Downgraded to allow better deduplication. This
does introduce a bunch of `hoek`-related audit reports, but they don't
affect npm itself so we consider it safe. We'll upgrade `request` again
once `node-gyp` unpins it.
- `node-gyp@3.7.0`
_ `cli-table3@0.5.0`: `cli-table2` is unmaintained and required
`lodash`. With this dependency bump, we've removed `lodash` from our tree,
which cut back tarball size by another 300kb.
- `npm-audit-report@1.3.1`
- Add `cli-table3` to bundleDeps.
- Make `standard` happy.
## v6.2.0-next.1 (2018-07-05):
- Remove postinstall script that depended on source files, thus
preventing `npm@next` from being installable from the registry.
## v6.2.0-next.0 (2018-06-28):
### NEW FEATURES
- You can now disable the update notifier entirely by using
`--no-update-notifier` or setting it in your config with `npm config
set update-notifier false`.
- When `npm run-script <script>` fails due to a typo or missing
script, npm will now do a "did you mean?..." for scripts that do exist.
### BUGFIXES
- Fix the regular expression matching in `xcode_emulation` in
`node-gyp` to also handle version numbers with multiple-digit major
versions which would otherwise break under use of XCode 10.
- Stop trying to hoist/dedupe bundles dependencies.
- Add synopsis to brief help for `npm audit` and suppress trailing
newline.
- Exclude /.github directory from npm tarball.
- Add suggestion to use a temporary cache instead of `npm cache clear
--force`.
### DEPENDENCY SHUFFLE!
We did some reshuffling and moving around of npm's own dependencies.
This significantly reduces the total bundle size of the npm pack,
from 8MB to 4.8MB for the distributed tarball! We also moved around
what we actually commit to the repo as far as devDeps go.
- Flatten and dedupe our dependencies!
- Remove unused direct dependency `ansi-regex`.
- Reshuffle ansi-regex for better deduping.
- Reshuffle strip-ansi for better deduping.
- Reshuffle is-fullwidth-code-point for better deduping.
- Add fake-registry, npm-registry-mock replacement.
### DEPENDENCIES
- `tar@4.4.3`
- `pacote@8.1.6`
- `libcipm@2.0.0`
- `request@2.87.0`
- `which@1.3.1`
- `tar@4.4.4`
- `JSONStream@1.3.3`
- `is-cidr@2.0.6`
- `marked@0.4.0`
- `tap@12.0.1`
- `npm-profile@3.0.2`
- `uuid@3.3.2`
- NEW FEATURE: npm audit fix
- OTHER NEW audit FEATURES
- Add support for npm audit --json to print the report in JSON
format.
- Include number of audited packages in npm install summary output.
- Overhaul audit install and detail output format.
- NEW FEATURE: GIT DEPS AND npm init <pkg>!
- FIX WRITE AFTER END ERROR
- DETECT CHANGES IN GIT SPECIFIERS
- OTHER BUGFIXES
- When requesting the update of a direct dependency that was also a
transitive dependency to a version incompatible with the
transitive requirement and you had a lock-file but did not have a
node_modules folder then npm would fail to provide a new copy of the
transitive dependency, resulting in an invalid lock-file that could
not self heal.
- Cleanup output of npm ci summary report.
- Node.js now has a test that scans for things that look like
conflict markers in source code. This was triggering false
positives on a fixture in a test of npm's ability to heal lockfiles
with conflicts in them.
- Make the new npm view work when the license field is an object
instead of a string.
- Add support for environments (like Docker) where the expected
binary for opening external URLs is not available.
- Fix a spurious colon in the new update notifier message and add
support for the npm canary.
- Infer a version range when a package.json has a dist-tag instead
of a version range in one of its dependency specs. Previously,
this would cause dependencies to be flagged as invalid.
- Make sure scoped bundled deps are shown in the new publish
preview, too.
- Stop dropping size from metadata on npm cache verify.
- Fix nested command aliases.
- Make sure different versions of the Path env var on Windows all
get node_modules/.bin prepended when running lifecycle scripts.
6.0.1:
CTRL-C OUT DURING PACKAGE EXTRACTION AS MUCH AS YOU WANT!
lockfile@1.0.4: Switches to signal-exit to detect abnormal exits and remove locks.
SHRONKWRAPS AND LACKFILES
If a published modules had legacy npm-shrinkwrap.json we were saving ordinary registry dependencies (name@version) to your package-lock.json as https:// URLs instead of versions.
* When saving the lock-file compute how the dependency is being required instead of using _resolved in the package.json. This fixes the bug that was converting registry dependencies into https:// dependencies.
* When encountering a https:// URL in our lockfiles that point at our default registry, extract the version and use them as registry dependencies. This lets us heal package-lock.json files produced by 6.0.0
AUDIT AUDIT EVERYWHERE
You can't use it quite yet, but we do have a few last moment patches to npm audit to make it even better when it is turned on!
